Quantum Computers and Post-Quantum Security: How the Swiss Payment Transactions System Is Protecting Itself

As the saying goes, “All roads lead to Rome.” Imagine you had to check every possible route to Rome in order to find the quickest one. A typical computer would check one route after another before arriving at a good solution. Quantum computers handle the problem differently: They check all possible routes simultaneously and are thus quicker to find the fastest route to Rome. For solving more complex tasks, this means a huge gain in efficiency, but how do quantum computers work?

Such powerful technology holds great opportunities, but risks as well. The opportunity side includes, for example, portfolio structures, more precise risk simulations, more efficient settlement processes, and faster analysis and recognition of fraud patterns.

On the dangers side there’s data security: Cryptographically Relevant Quantum Computers (CRQC) are able to mathematically crack certain widely used encryption methods, particularly asymmetric cryptography such as Rivest-Shamir-Adleman (RSA) or elliptic curves. This means that data that is intercepted and saved today could be decrypted within a couple years if it isn’t protected with quantum-proof methods promptly. We will return to the topic of “Harvest now, decrypt later” further on.

In simplified terms, current cryptography – the methods with which information is encrypted so that only authorized parties can read it – can be divided into two categories:

• Symmetrical Method (e.g. Advanced Encryption Standard, AES): The sender and recipient of data use the same secret key.
• Asymmetrical Method (e.g. RSA, elliptic curves): Use both a public and a private key for, among other things, key exchange, digital signatures, and certificates.

Quantum computers constitute a particular threat to asymmetric encryption methods. These methods are based on mathematical problems that conventional computers can solve only through massive amounts of computational effort, but for which quantum algorithms offer significantly more efficient solutions. The impacted asymmetrical methods include RSA or methods based on the prime factorization of very large numbers or on discrete logarithms. The symmetrical method of encryption is, however, considered more impenetrable: Its security can generally be ensured through the use of longer keys, so that most often an adjustment rather than a full replacement is required.

Post-Quantum Cryptography (PQC) addresses precisely this problem: It involves new hybrid cryptography methods designed to be quantum proof. Various committees and federal agencies, such as the National Institute of Standards and Technology (NIST), have already standardized specific PQC algorithms such as FIPS 203 (ML‑KEM) for key exchange, as well as FIPS 204 (ML‑DSA) and FIPS 205 (SLH‑DSA) for signatures. Proceeding promptly with the switch to these standards is strongly recommended.

Even if “fully mature” quantum computers are being developed, there is already pressure to take action. This is partly due to the principle of “harvest now, decrypt later”: Hackers can copy encrypted data such as payment transactions, trading transactions, or archived files today, store it for the time being, and decrypt it later with quantum means.

In concrete terms, this means:

• Long-term data worth protecting (e.g. personal financial data, transaction histories) should already be secured in such a way that it remains confidential even in a quantum world.
• The transition to PQC is a multi-year process since many systems, protocols, and certificate-chains are involved: Those who start early reduce risks and avoid hectic emergency conversions.

SIX operates central financial market infrastructures such as stock exchanges and the payment transactions system, and is thus a key player when it comes to secure data exchange.

There are three critical aspects regarding preparation for quantum technology:

• Crypto Inventory and Roadmap
  Critical infrastructure operators such as SIX analyze where cryptographic techniques are implemented within their systems, from interfaces, through to protocols and hardware security modules. The objective is a step-by-step migration that incorporates the regulatory requirements, industry recommendations (e.g. SwissBanking, and national cyber authorities) and international standards (NIST-PQC).
• Develop Crypto-Agility
  The systems are analyzed with regard to crypto-agility in order to allow a smoother replacement of cryptographic components in the future. At the same time, preparations are being made to enable the adoption of new PQC algorithms, which may initially be deployed in hybrid mode alongside existing traditional algorithms where appropriate, with a transition to full implementation anticipated over time.
• Practical Tests with Quantum Computing
  Financial institutions and infrastructure providers are experimenting in parallel with real quantum resources in the Cloud to learn where quantum algorithms are actually worthwhile. This generates practical knowledge that can be incorporated later in productive services for market participants.

Currently, systems with a limited number of qubits and a high susceptibility to error dominate, whereby real advantages are only selective. In practice, hybrid approaches are effective: Traditional algorithms carry the robust foundation, and quantum methods provide targeted support with optimization and simulation.

Quantum computers won’t make everything faster, but they will make solving certain structural, molecular, and encryption problems significantly more efficient. Even today, it’s possible to experiment with different hardware via Cloud access. It is expected that error-corrected systems will have a broad impact – until then, their utility will increase incrementally.

The ongoing standardization of post-quantum cryptography through the NIST creates a clear technical reference framework for the future use of quantum-proof algorithms. Christian Bühler adds his thoughts, “We absolutely have to get to grips with PQC and quantum computing right away, create awareness, develop expertise, and define the corresponding PQC roadmap ahead. Given that NIST has already declared a number of standard methods as no longer recommended for 2030, and assessed them as no longer permitted effective 2035, we have to act proactively starting now.

Besides the risks discussed, there are also a number of opportunities. Thanks to the performance capability of quantum computers, we can expect more efficient processes, more precise decisions, for example with risk assessments, and more generally strong potential for innovation and competitive advantages in a number of sectors.”

It is advisable to monitor developments in quantum computing as well as in the field of post-quantum cryptography closely, to analyze one’s own cryptographic landscape, and to plan in advance, and in good time. A gradual, risk-based approach can help in doing so.