Toward a Common Understanding of Cryptographic Agility -- A Systematic Review
Christian Näther, Daniel Herzinger, Jan-Philipp Steghöfer, Stefan-Lukas Gazdag, Eduard Hirsch, Daniel Loebenberger
TL;DR
This paper addresses the lack of a unified understanding of cryptographic agility by conducting a systematic literature review that maps existing definitions into six dimensions, derives a canonical definition, and clarifies its relationship to cryptographic versatility and interoperability. It develops a four-category canonical framework (excluding Context and Drivers) and demonstrates its applicability with a real-world Open Quantum Safe Nginx example, highlighting how agility, versatility, and interoperability interact in practice. The work discusses the practical relevance, trade-offs with complexity, and the need for context-specific assessment, proposing terminology and a targeted approach to crypto migrations such as PQC. By providing a reproducible methodology and a transparent taxonomy, the paper lays a foundation for consistent terminology and future research on cryptographic agility across diverse contexts and assets.
Abstract
Cryptographic agility is gaining attention due to its crucial role in maintaining cryptographic security in a rapidly evolving technological landscape. However, despite its increasing importance, the term cryptographic agility remains vaguely defined and there is no clear consensus on its exact meaning. This lack of clarity poses a challenge since the need for agility becomes more urgent as new cryptographic vulnerabilities and advanced computing threats emerge, emphasizing the need for a systematic approach to clarify and refine the notion on cryptographic agility. In this paper, we systematize the concept of cryptographic agility by providing three research contributions. First, we review current definitions across academic and gray literature, identifying six distinct categories to differentiate every aspect within the definitions. Second, we synthesize these insights to establish a comprehensive, canonical definition of cryptographic agility. Third, we explore the relationship between cryptographic agility and the related concepts cryptographic versatility and interoperability. In our discussion, we examine the relevance of cryptographic agility, highlight its trade-offs with complexity, assess its individual applicability, and illustrate its various contexts by offering an additional application-specific definition. Our work provides a new perspective on cryptographic agility and related concepts, based on systematical research to clarify and enhance its future use.