Progress in quantum key distribution (QKD) has been rapid over the last few years. In the light of current research progress, how far away is the first commercial roll-out of quantum key distribution? How would the current information security landscape change due to QKD and quantum computation? In this article, we discuss the future of cryptography, the current progress in QKD commercialisation, the reasons why companies would want to buy into QKD and how current security aspects will change in a world where quantum computers are available.
Research into cryptographic systems that are harder to break using a quantum computer is ongoing. The security that current public key systems like RSA and ECC rely upon is based on the difficulty of solving a particular mathematical problem. The premise of quantum-safe cryptography research is to rely on mathematical problems that are harder to break using a quantum computer. These problems are called trapdoor functions because working from one set of values to a solution is easy while working backwards from the solution to the set of values it was derived from is tough to do. For RSA and ECC, it is possible to use an algorithm to narrow down the set of values that a solution was generated from. Such an algorithm speeds up reversing the trapdoor function and allows quantum computers to find the starting set of values rapidly, making RSA and ECC unusable in the presence of quantum computation.
The newly proposed quantum-safe cryptographic systems rely on a more stringent test of difficulty: finding the set of values that the trapdoor solution was generated from should be no easier than guessing them correctly. Given that the chance of guessing a large number correctly is practically zero, the chance of calculating the solution would be practically zero. If there is no algorithm to speed up the process, finding the solution reduces to trying every possible input and testing whether each guess is correct. Such a search can be sped up by a quantum computer using Grover’s algorithm, but not by much. Therefore, it is likely that these new public key algorithms would be secure against attacks using quantum computation.
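A worked cost comparison for the exhaustive-search argument above, added here as an illustration rather than taken from the original article. Let $n$ be the key length in bits and $N = 2^{n}$ the number of candidate inputs; classical exhaustive search and Grover’s quantum search then cost

$$
T_{\text{classical}}(n) = \Theta(N) = \Theta\!\left(2^{n}\right), \qquad
T_{\text{Grover}}(n) = \Theta\!\left(\sqrt{N}\right) = \Theta\!\left(2^{n/2}\right).
$$

So a 128-bit search drops from about $2^{128}$ classical trials to about $2^{64}$ quantum queries, and a 256-bit search from $2^{256}$ to $2^{128}$: doubling $n$ restores the original margin, which is the sense in which Grover speeds things up "but not by much". The contrast with RSA and ECC is that Shor’s algorithm runs in time polynomial in $n$, so no practical key enlargement restores their margin.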
There is still a possible problem, however: the new cryptographic systems must also be resilient against classical attacks. Thus far, the amount of research that has gone into breaking the new public key cryptographic systems is significantly less than what RSA and ECC have undergone. It is still possible that, as happened with RSA and ECC, some algorithm is discovered that accelerates reversal of the trapdoor function of these new systems. Once such an algorithm is found, it may be feasible to attack the system with a classical computer. Alternatively, the algorithm could allow the power of a quantum computer to weaken the security of the new system significantly.
While quantum-safe cryptography may exist, there is a very real possibility that these systems could be broken once they are deployed. Should a means to break their security be found, all communications protected by that scheme would be vulnerable, including stored past communications. The safer choice would be to use a provably secure scheme such as QKD. QKD derives its security from a principle of physics, and therefore the only way to break its security is to break the laws of physics. The specific principle is the Heisenberg uncertainty principle, which states that it is impossible to measure both the position and momentum of a quantum state exactly. If it is impossible to measure a state perfectly, then it is impossible to copy that state perfectly. Hence, when information is encoded in a quantum state, it is not possible to intercept the communication without the communicating parties knowing about it. QKD uses this principle to distribute symmetric encryption keys securely.
If Alice and Bob are to establish a secure communication channel, there needs to be a way for Alice to verify whether she really is communicating with Bob or whether Eve is pretending to be Bob. While standard authentication methods can be used to solve this problem, quantum authentication does exist (Gottesman & Chuang, 2001). Bob needs to prove his identity by signing his communications so that Alice can verify his signature using his public key. Therefore, signing is a requirement for secure QKD. The security requirements for authentication are less stringent, however. If a signing protocol is broken, then all the keys would need to be revoked and a new protocol used. Breaking the protocol in no way compromises past communications, because such authentication does not involve the transmission of sensitive information.
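The detection argument in the two paragraphs above, as an added Python simulation that is not part of the original article: it models BB84 with a classical stand-in for photons and shows that an intercept-resend eavesdropper raises the error rate of the sifted key to roughly 25%, which Alice and Bob see during the public comparison step carried over the authenticated classical channel. The 11% abort threshold, the 50% sampling fraction and the `run_bb84` interface are assumptions made for this example.

```python
"""Toy BB84 simulation. A 'photon' is a (bit, basis) pair; measuring in the
preparation basis returns the bit, measuring in the conjugate basis returns
a uniformly random bit, which is the behaviour the uncertainty principle
guarantees and the reason an eavesdropper leaves traces."""
import random

RECTILINEAR, DIAGONAL = "+", "x"
BASES = (RECTILINEAR, DIAGONAL)
QBER_ABORT_THRESHOLD = 0.11   # illustrative abort bound (assumption); real systems use their proven bound


def measure(rng, photon, basis):
    """Measure one photon in the given basis."""
    bit, prep_basis = photon
    return bit if basis == prep_basis else rng.randrange(2)


def run_bb84(n, eavesdrop=False, seed=None, sample_fraction=0.5):
    """Run one key-exchange round and return sifting and QBER statistics.

    seed=None draws from the OS CSPRNG; a fixed seed gives a reproducible run."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()

    # 1. Alice prepares n photons with random bits in random bases.
    a_bits = [rng.randrange(2) for _ in range(n)]
    a_bases = [rng.choice(BASES) for _ in range(n)]
    photons = list(zip(a_bits, a_bases))

    # 2. (Optional) Eve measures each photon in a random basis and re-sends a
    #    fresh photon in that basis; half of her basis guesses are wrong.
    if eavesdrop:
        eve_bases = [rng.choice(BASES) for _ in range(n)]
        photons = [(measure(rng, p, b), b) for p, b in zip(photons, eve_bases)]

    # 3. Bob measures in his own random bases.
    b_bases = [rng.choice(BASES) for _ in range(n)]
    b_bits = [measure(rng, p, b) for p, b in zip(photons, b_bases)]

    # 4. Sifting over the authenticated classical channel: keep the positions
    #    where Alice and Bob used the same basis (about half of them).
    sifted = [i for i in range(n) if a_bases[i] == b_bases[i]]

    # 5. Estimate the quantum bit error rate (QBER) by publicly comparing a
    #    random sample of the sifted bits; the compared bits are discarded.
    sample_size = int(len(sifted) * sample_fraction)
    sample = set(rng.sample(sifted, sample_size))
    errors = sum(1 for i in sample if a_bits[i] != b_bits[i])
    qber = errors / sample_size if sample_size else 0.0

    # 6. The remaining sifted bits form the raw key; abort if the QBER is too high.
    keep = [i for i in sifted if i not in sample]
    return {
        "sifted": len(sifted),
        "qber": qber,
        "aborted": qber > QBER_ABORT_THRESHOLD,
        "alice_key": [a_bits[i] for i in keep],
        "bob_key": [b_bits[i] for i in keep],
    }


if __name__ == "__main__":
    for eve in (False, True):
        r = run_bb84(4000, eavesdrop=eve)
        print(f"eavesdrop={eve}: sifted={r['sifted']} "
              f"qber={r['qber']:.3f} aborted={r['aborted']}")
```

The model assumes an ideal source, channel and detectors, so the only error source is Eve. Real fibre adds a small noise floor, and the hardware attacks discussed later in the article work precisely by stepping outside this idealised model, which is why the QBER check alone is not a complete security argument for a deployed system.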
Various quantum-safe signatures have been devised. Signatures only require the verifier to confirm that the signer is in possession of a secret; it is not necessary to use a trapdoor function to do so. The signer can use a combination of secret keys to generate a public key. Knowledge of one of the secrets that generated the public key would be sufficient to verify that the signer is the same person who generated the public key. The public key would, of course, still have to be verified by a certificate authority. Other trapdoor-function-based signing algorithms are also possible, although these have a different set of security criteria.
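A concrete instance of a signature built only from secrets and a hash function, added here as an example and not code from the article or from any vendor it names: Lamport’s one-time signature, chosen as a representative hash-based scheme. The public key is the hash of every secret, a signature reveals one secret from each pair, and the verifier checks that the revealed secrets hash to the public key, so no trapdoor function is involved. SHA-256, 32-byte secrets and the `reuse_exposure` helper are assumptions made for this example.

```python
"""Lamport one-time signature: a signature scheme with no trapdoor function.
Security rests only on the hash being one-way (preimage resistant)."""
import hashlib
import secrets

DIGEST_BITS = 256   # one (secret0, secret1) pair per bit of the message digest
SECRET_BYTES = 32


def _h(data):
    return hashlib.sha256(data).digest()


def _message_bits(message):
    """Hash the message and expand the digest into 256 bits, MSB first."""
    digest = _h(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(DIGEST_BITS)]


def keygen():
    """Secret key: 256 pairs of random secrets. Public key: the hash of each one."""
    sk = [(secrets.token_bytes(SECRET_BYTES), secrets.token_bytes(SECRET_BYTES))
          for _ in range(DIGEST_BITS)]
    pk = [(_h(s0), _h(s1)) for s0, s1 in sk]
    return sk, pk


def sign(sk, message):
    """For digest bit b at position i, reveal secret sk[i][b]."""
    return [sk[i][b] for i, b in enumerate(_message_bits(message))]


def verify(pk, message, signature):
    """Hash each revealed secret and compare with the public-key entry the
    message's digest bit selects. Any altered bit selects the other entry."""
    if len(signature) != DIGEST_BITS:
        return False
    bits = _message_bits(message)
    return all(_h(s) == pk[i][b] for i, (s, b) in enumerate(zip(signature, bits)))


def reuse_exposure(msg_a, msg_b):
    """Caveat check: the number of positions at which signing both messages with
    the same key would reveal both secrets of a pair. Every such position loses
    the one-time guarantee, which is why a Lamport key must never be reused
    and why practical hash-based schemes add state or a Merkle tree on top."""
    ba, bb = _message_bits(msg_a), _message_bits(msg_b)
    return sum(1 for x, y in zip(ba, bb) if x != y)


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"constructed sample message"
    sig = sign(sk, msg)
    print("valid:", verify(pk, msg, sig))
    print("tampered valid:", verify(pk, msg + b"!", sig))
    print("pairs exposed by reuse:", reuse_exposure(msg, b"another message"))
```

Key sizes are the practical cost: the public key here is 512 hashes (16 KiB) and a signature is 256 secrets (8 KiB), which is the trade-off hash-based schemes accept in exchange for a security assumption that is not weakened by Grover’s algorithm beyond the square-root factor.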
Research is being done at present to extend the range and increase the data rate of QKD systems, and to integrate these systems with existing information security solutions. One of the reasons for the range limitation of QKD is that quantum repeaters don’t currently exist. Quantum repeaters should be able to improve the signal-to-noise ratio of the communication medium so that the signal can travel much larger distances, but quantum computation principles are required to construct a quantum repeater. Furthermore, the possibility of using satellites as part of the QKD infrastructure to extend the range of QKD networks significantly is being investigated. Initial results are promising: the point-to-point range over fibre optic lines is 400 km at present for research systems, while satellite links could make this intercontinental.
There are a number of companies that offer QKD hardware at present; these include ID Quantique, MagiQ Technologies, SeQureNet, and QinetiQ. In addition, Quintessence Labs is in the process of developing a second-generation QKD network that relies on continuous-variable QKD to increase the secure channel data rate. The systems offered by these companies communicate over standard fibre optic lines and in many cases use a different frequency band for quantum communications so that data and QKD connections can share the same line. QKD can therefore run over existing fibre optic infrastructure.
ID Quantique has deployed several QKD networks in recent years. In 2007 their Cerberus QKD system was used in elections in Switzerland. In 2009, they started an almost two-year project, the Swissquantum project, that ended in 2011 and tested the long-term reliability of their QKD system. In 2010, this same system was deployed for the Soccer World Cup held in South Africa. QKD-as-a-Service was launched in 2011 and uses the Cerberus system to secure communications in a metropolitan area network (MAN) with connection distances up to 30 km. Some implementations have reached distances of up to 100 km (ID Quantique, 2012).
MagiQ Technologies currently offers a product called the QPN Security Gateway, a QKD implementation based on the single-photon emission principle. The system allows communication over a standard fibre optic line while multiplexing QKD with classical communication channels on the same fibre. The stated range is 100 km, or 140 km with additional security measures (MAGIQ Technologies, n.d.).
SeQureNet currently has a second-generation QKD system that works up to 80 km. The intended application of this system is for pilot testing of QKD interoperability, research investigation and QKD development. Their system is more limited in range and communicates at 100 bit/sec at 80 km and 10 kbit/sec at 20 km.
QinetiQ has stated its intention to operate a QKD network in London for research and testing purposes. Its aim is to develop a network solution that could protect data across the UK (SECOQC, 2009). Quintessence Labs is in the process of developing a continuous-variable QKD system that increases the data rate over first-generation single-photon systems. It remains to be seen how well these second-generation products perform, given that there are still some engineering and research limitations to overcome (Lance & Leiseboer, 2014).
First-generation QKD hardware is still being investigated for the security of its implementation. Attacks on QKD systems rely on exploiting imperfections in the hardware to weaken the security of the system. Many of the proposed attacks target a research platform provided by ID Quantique that uses the BB84 protocol. The weakness relied upon is the inability of the system to detect light generated by an attacker, even if this light is of much higher intensity than what Alice would conceivably emit (Jain et al., 2015).
While QKD is in principle provably secure, it should be remembered that, in practice, it is only the cost of gaining access to secured information that protects it. QKD systems are highly likely to make the cost of breaking their security much higher than the value of the information, and therefore practical QKD systems are very likely to be considered secure.
This contrasts with public key cryptography: while the cost of gaining access to information sent under classical encryption is likely to be high, the assumptions underlying its security are weaker than those for QKD. So, while both QKD and quantum-resistant algorithms can provide security against quantum computation, QKD is at present thought to be a lasting solution to the security problem, whereas with quantum-resistant algorithms there is a risk of information exposure because of the lack of a security proof. Industries where this risk is not acceptable will find the security offered by QKD highly attractive.
The question remains how these developments will affect the current state of information security. Security companies would have to adapt to the new security climate to ensure that they can continue to provide good consulting for clients. The form that commercial QKD systems are taking is to package them in a key management solution that ensures the security of encryption keys by keeping them in a secure hardware module, for use in communicating over conventional channels. These modules would offer high security, but in the long term, pervasive use of QKD in both internal and external networks would yield a much more complex security network to audit.
QKD would not mitigate the common security flaws in web applications, nor would it mitigate any other software flaws inherent in mobile devices or elsewhere. There would, however, be a requirement to ensure the conventional security of infrastructure and applications that are linked to QKD systems, because the associated hardware and software would represent higher-value targets. If a company has internal and external QKD systems, this would indicate to attackers where the most valuable data resides.
Furthermore, the interface with QKD systems is likely to be different from that of existing systems. Knowledge of the issues particular to QKD would be required to enable a thorough review of a company’s information security where QKD systems are involved. The security posture of companies would have to change from long-term deployment of public key infrastructure to an agile drop-in system where protocols can be revoked and replaced rapidly. Such agility is required because the security of quantum-safe cryptography is likely to be less certain, given the short transition times from existing protocols. NIST may choose to withdraw existing security standards as soon as ten years from now, by which time fully tested alternative systems would need to be deployed (Chen et al., 2016). Regardless of the withdrawal of current standards, the existence of provably secure systems like QKD makes an argument for transitioning sooner rather than later: therefore, starting within the next five years.
Apart from providing strategic consulting work on integrating existing information security systems with quantum-safe cryptography and QKD systems, there will be an important requirement for government-level security on deployed quantum computers once they become available. The reason for this is that it is likely that once usable quantum computers become available, criminals will attempt to target these quantum computers to gain control over them to use them for nefarious purposes. One use would be to break the cryptography of stored communications of encrypted sensitive data. Locking down these quantum computers would be paramount to prevent the malicious use of these powerful computers. Providing such security would only be possible if the higher-level concepts behind quantum computation are properly understood so that consultants would know what to test for. Such work would already be required within 8-12 years as these systems are prepared for commercial use.
While quantum-safe cryptography does exist, quantum computation and classic cryptanalysis still pose a threat to the continued security of new cryptographic protocols. Communication using such protocols exposes the user to the risk of the protocols being compromised and, in so doing, exposing the secret information that was communicated even long after the transmission occurred.
QKD relies on a property of physics to secure the transmission of information. Highly secure communications are possible by using the QKD channel to transmit symmetric keys. Symmetric keys have much higher and proven quantum and classical attack resilience. Furthermore, the fact that RSA and ECC cryptography is not provably secure makes QKD a safer option even without the existence of quantum computation. There is no reason other than trust in the academic community to suspect that classical public key protocols have not already been broken and that highly secretive decoding of internet traffic is currently being performed. QKD systems can prove security based on scientific principles as long as implementation flaws are controlled.
There are a number of commercial QKD systems available at present. These systems allow for secure distribution of symmetric keys to protect sensitive information. Continued research will extend the range of these systems to intercontinental communications and allow secure data transmission across the globe.
While attacks on QKD research systems are known, practical systems use higher security bounds than research systems, thus making a practical attack on QKD implementations extremely costly. The existence of attacks on some QKD systems does, however, show the need for knowledgeable use of the systems. The security risks associated with using existing public key systems to communicate highly sensitive information are high at present, due to the likelihood of adversaries storing communications for later decoding using a quantum computer. For industries where this risk is not acceptable, QKD systems are likely to provide a long-term solution with peace of mind.
The security requirements in a quantum world are set to increase rapidly. Security knowledge of both classical and quantum systems would be required to ensure the security of information.
Chen, L., Jordan, S., Liu, Y.-K., Moody, D., Peralta, R., Perlner, R., & Smith-Tone, D. (2016). Report on Post-Quantum Cryptography (NISTIR 8105 draft), 1–15. Retrieved from http://csrc.nist.gov/publications/drafts/nistir-8105/nistir_8105_draft.pdf
Gottesman, D., & Chuang, I. (2001). Quantum Digital Signatures. arXiv:quant-ph/0105032v2. http://doi.org/10.1038/ncomms2172
Lance, A., & Leiseboer, J. (2014). What is Quantum Key Distribution (QKD)?
MAGIQ Technologies. (n.d.). MAGIQ QPN 8505 Security Gateway. Retrieved from http://www.magiqtech.com/Products_files/8505_Data_Sheet.pdf
Jain, N., Stiller, B., Khan, I., Elser, D., Marquardt, C., & Leuchs, G. (2015). Attacks on practical quantum key distribution systems (and how to prevent them). Contemporary Physics, advance online publication (June 2015). http://doi.org/10.1080/00107514.2015.1063233
ID Quantique. (2012). Understanding Quantum Cryptography. ID Quantique White Paper.
SECOQC. (2009). AboveNet and QinetiQ partner to make network based quantum cryptography a reality. Retrieved from https://www.qinetiq.com/media/news/releases/Pages/abovenet.aspx