With the rise of quantum computing, classical cryptographic algorithms such as RSA are no longer adequate to protect our data. Organizations must therefore update every computing asset that uses a classical cryptographic algorithm so that it uses the new post-quantum cryptography (PQC) algorithms instead, i.e., migrate the assets' cryptographic algorithms from classical to PQC (PQC migration).
The Crypto Agility Risk Assessment Framework (CARAF) helps organizations evaluate the risks of their assets in the context of post-quantum cryptography (PQC) migration. The process starts with Phase 0, in which an inventory of all computing assets that use cryptographic algorithms is created; this inventory is the input to CARAF (see ① above). For each asset, CARAF assesses two properties: crypto agility (how easily the asset can transition to PQC) and risk level (how important the asset is and how much it needs PQC protection). CARAF includes three phases that guide the migration decision for each asset; click the links below to explore each phase:
- Phase 1: Crypto Agility Measurement. In this phase, CARAF uses binary and numerical questions to evaluate an asset’s crypto agility based on its cryptographic components.
- Phase 2: Risk Estimation. In this phase, CARAF provides a second set of binary and numerical questions to estimate the risk level of the asset.
- Phase 3: Migration Recommendation. Based on crypto agility and risk estimate scores from phases 1 and 2, CARAF provides a migration recommendation for each asset: migrate, phase out, or accept risk.
At the output of Phase 3, CARAF attaches a migration recommendation to every asset in the list (see ② above). The follow-up actions for a given recommendation differ depending on whether the asset is first-party or third-party (see ③ above).
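The three-phase flow above, as an added example in Python that is not part of this repository or the CARAF calculator. The questions, the mean-based scoring, the 0.5 threshold, the Phase 3 decision rule and the first-party/third-party actions are all assumptions made for illustration; the real question sets, weights and thresholds are those of the paper and the Excel calculator.

```python
from dataclasses import dataclass
from typing import Dict, List, Union

Answer = Union[bool, float]  # a binary or numerical questionnaire answer

@dataclass
class Asset:
    name: str
    third_party: bool
    agility_answers: Dict[str, Answer]  # Phase 1 questions (hypothetical)
    risk_answers: Dict[str, Answer]     # Phase 2 questions (hypothetical)

def score(answers: Dict[str, Answer]) -> float:
    """Assumed scoring: booleans count as 0/1, numbers are clamped to [0, 1],
    and the score is the plain mean. An empty questionnaire is rejected so a
    missing inventory entry can never silently read as 'no risk'."""
    if not answers:
        raise ValueError("questionnaire has no answers")
    vals = [1.0 if v is True else 0.0 if v is False else min(max(float(v), 0.0), 1.0)
            for v in answers.values()]
    return sum(vals) / len(vals)

def recommend(agility: float, risk: float, threshold: float = 0.5) -> str:
    """Assumed Phase 3 rule: low-risk assets keep their current algorithms;
    high-risk assets migrate if agile enough, otherwise they are phased out."""
    if risk < threshold:
        return "accept risk"
    return "migrate" if agility >= threshold else "phase out"

ACTIONS = {  # assumed follow-up actions, keyed by (recommendation, third_party)
    ("migrate", False): "schedule in-house PQC migration work",
    ("migrate", True): "request a PQC-capable release from the vendor",
    ("phase out", False): "plan decommissioning or redesign",
    ("phase out", True): "source a replacement product",
    ("accept risk", False): "record the decision and re-assess periodically",
    ("accept risk", True): "record the decision and track the vendor roadmap",
}

def assess(inventory: List[Asset]) -> List[dict]:
    """Phase 0 inventory in, one row with scores, recommendation and action per asset out."""
    rows = []
    for a in inventory:
        agility, risk = score(a.agility_answers), score(a.risk_answers)
        rec = recommend(agility, risk)
        rows.append({"asset": a.name, "agility": round(agility, 2), "risk": round(risk, 2),
                     "recommendation": rec, "action": ACTIONS[(rec, a.third_party)]})
    return rows

# Constructed sample inventory: neither the assets nor the question texts are real
SAMPLE_INVENTORY = [
    Asset("vpn-gateway", False, {"algorithm configurable": True, "library updatable": True, "test coverage": 0.8},
          {"holds long-lived secrets": True, "internet exposed": True, "secrecy horizon": 1.0}),
    Asset("legacy-hsm-firmware", True, {"algorithm configurable": False, "library updatable": False, "test coverage": 0.2},
          {"holds long-lived secrets": True, "internet exposed": False, "secrecy horizon": 0.9}),
    Asset("internal-wiki", False, {"algorithm configurable": True, "library updatable": True, "test coverage": 0.5},
          {"holds long-lived secrets": False, "internet exposed": False, "secrecy horizon": 0.1}),
]
```

Running `assess(SAMPLE_INVENTORY)` yields migrate, phase out and accept risk for the three constructed assets respectively, with the third-party HSM firmware mapped to a replacement action rather than in-house work.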
We have created a CARAF calculator (you can download the raw file as an Excel sheet) that performs the risk assessment on each asset in an asset inventory. Please review CARAF phases before using the calculator. Then, watch the video below to get started.
CARAF.Calculator.Demo.mp4
- NIST: Migration to Post-Quantum Cryptography Quantum Readiness: Cryptographic Discovery
- CSCC: The Engineer Who Cried Quantum
- ATIS: Strategic Framework for Crypto Agility and Quantum Risk Assessment
- NCS/IBM: Managing Risks and Opportunities for Quantum Safe Development
- GSMA: Guidelines for Quantum Risk Management for Telco
- FSISAC: Preparing for a Post-Quantum World by Managing Cryptographic Risk
- NCTA: Understanding Quantum-Safe Timelines and Deployments
We welcome all kinds of contributions to this repository! Please have a look at CONTRIBUTING.md for further information and guidelines.
The list of maintainers of this GitHub repository is available in MAINTAINERS.md. Please consider becoming a maintainer! 😃
Roadmap information is available in ROADMAP.md.
Chujiao Ma, Luis Colon, Joe Dera, Bahman Rashidi, Vaibhav Garg, CARAF: Crypto Agility Risk Assessment Framework, Journal of Cybersecurity, Volume 7, Issue 1, 2021.
More reading materials on PQC are available here.