Quantum computers could undermine almost all of the encryption protocols that we use today. Though quantum computers are still quite some way from being practical, usable machines, once they become so, we could be looking at a whole new world when it comes to online privacy — one in which even the strongest encryption can be broken.
By harnessing quantum superposition to represent multiple states simultaneously, quantum computers promise exponential leaps in performance over today’s classical computers. They would bring the power of massively parallel computing, the equivalent of a supercomputer, to a single chip, and would also be invaluable in cryptanalysis and in rapid searches of unstructured databases. Quantum algorithms could break current security by recovering private keys, a computation that may take only days or hours.
In 1994, Peter Shor of Bell Laboratories showed that quantum computers, a new technology leveraging the physical properties of matter and energy to perform calculations, can efficiently solve the hard problems (integer factorization and discrete logarithms) on which today’s public key cryptosystems rest, thereby rendering all public key cryptosystems based on such assumptions impotent. Thus a sufficiently powerful quantum computer will put many forms of modern communication—from key exchange to encryption to digital authentication—in peril.
There are two approaches. One is post-quantum cryptography, a new set of standardized classical cryptographic algorithms, and the other is quantum cryptography, which uses the properties of quantum mechanics to secure data. Both may have a place in the future of secure communication, but they work fundamentally differently.
Quantum cryptography is an emerging technology in which two parties may simultaneously generate shared, secret cryptographic key material using the transmission of quantum states of light. Quantum key distribution utilizes the unique properties of quantum mechanical systems to generate and distribute cryptographic keying material using special purpose technology. Quantum cryptography uses the same physics principles and similar technology to communicate over a dedicated communications link. Published theories suggest that physics allows QKD or QC to detect the presence of an eavesdropper, a feature not provided in standard cryptography.
One technology proposed for the post-quantum scenario is quantum cryptography, or quantum key distribution (QKD), which is often assumed to be hack-proof. A unique aspect of quantum cryptography is that Heisenberg’s uncertainty principle ensures that if Eve attempts to intercept and measure Alice’s quantum transmissions, her activities must produce an irreversible change in the quantum states that are retransmitted to Bob. These changes introduce an anomalously high error rate in the transmissions between Alice and Bob, allowing them to detect the attempted eavesdropping.
Toward its practical realization, tremendous progress has been made during the past decades. Metropolitan QKD networks have been successfully deployed and are being extended to continental scale. To provide information-theoretically secure keys to real applications securely and seamlessly, an efficient key management system and application program interfaces have been developed. For the QKD device itself, high-speed and stable operation is critical. By employing ultrafast optical communication devices, high-speed QKD systems operating stably at GHz clock frequencies have been realized in installed fiber networks.
However, there is an increasing understanding that the security of a QKD system relies not only on theoretical security proofs, but also on how closely the physical system matches the theoretical models and prevents attacks that exploit discrepancies between the two. These side-channel or hacking attacks exploit physical devices that do not necessarily behave precisely as the theory expects. As such, QKD systems need to be demonstrated to provide security in both the theoretical and the physical implementation.
For QKD technology to be widely adopted, the critical requirements are security certification, test-and-measurement methods, security criteria for implementations, and countermeasures against side channels. Moreover, these should be usable by non-experts.
Any real-world QKD system will be built from classical components, such as sources, detectors and fibres, and potentially ancillary classical network devices, any of which may prove to be a weak link. Current QKD systems cannot meet the theoretical security of the original QKD protocol, leading to security issues with the systems known as ‘quantum hacking,’ with much work on these issues being done at the Quantum Hacking Lab, led by Dr. Vadim Makarov.
The most critical vulnerability is that current technology and hardware do not meet the conditions specified in the QKD protocol. These hardware ‘non-idealities’ include on-demand single-photon emitters, lossless photonic channels between sender and receiver, perfect photon detectors, and perfect alignment of bases throughout the system, says Jeffrey Morris, who serves as the Sergeant Major of the Army Cyber Institute. It is also possible to jam a quantum network by blinding a photon detector with a strong pulse, which could let photons arrive without the user being aware of them.
A number of attacks have been proposed and demonstrated on deployed QKD systems that subvert one or more of these hardware components, enabling the secret shared key to be recovered without triggering an alarm. Researchers at the Massachusetts Institute of Technology (MIT) have taken advantage of a phenomenon known as “photon entanglement,” wherein a single photon has two interdependent states. By measuring one state they were able to accurately forecast the other state and decode a photon cipher without alerting the receiving photon detector that it had been hacked.
Denial of service (DoS) attacks that interfere with the paths carrying the QKD transmissions also seem potentially easier with QKD than with contemporary Internet or mobile network technologies. Since QKD devices typically abort a key establishment session when they detect tampering, it is difficult to recommend QKD for contexts where DoS attacks are likely to be attempted. Other issues with current QKD systems are their slow key generation rate and limited range. An “unconditionally secure” system needs one bit of key for each bit of data, but current QKD systems generate key material far too slowly for this form of encryption.
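To make the two points above concrete (an eavesdropper who measures the photons raises the error rate, and the abort that follows is also the denial-of-service exposure), here is an added BB84 simulation that is not from the article or from any QKD vendor; the intercept-resend eavesdropper model and the 11% abort threshold are assumptions chosen for illustration.

```python
import random

# Added illustrative simulation of BB84 sifting (not from the article).
# Basis 0 = rectilinear, 1 = diagonal. Measuring a photon in the wrong basis
# yields a uniformly random bit; that is the physical fact behind the
# eavesdropper-detection claim.

def _bits(n, rng):
    return [rng.randrange(2) for _ in range(n)]

def bb84_session(n_photons, eavesdropper=False, seed=1):
    """Run one BB84 sifting round; return (sifted_key_len, qber)."""
    rng = random.Random(seed)
    a_bits, a_bases = _bits(n_photons, rng), _bits(n_photons, rng)
    photons = []                      # (bit, basis) actually arriving at Bob
    for bit, basis in zip(a_bits, a_bases):
        if eavesdropper:
            # Assumed intercept-resend model: Eve guesses a basis, measures,
            # and resends her result prepared in that basis.
            e_basis = rng.randrange(2)
            e_bit = bit if e_basis == basis else rng.randrange(2)
            photons.append((e_bit, e_basis))
        else:
            photons.append((bit, basis))
    b_bases = _bits(n_photons, rng)
    b_bits = [bit if basis == bb else rng.randrange(2)
              for (bit, basis), bb in zip(photons, b_bases)]
    # Sifting: Alice and Bob publicly compare bases and keep matching positions.
    keep = [i for i in range(n_photons) if a_bases[i] == b_bases[i]]
    errors = sum(a_bits[i] != b_bits[i] for i in keep)
    return len(keep), errors / len(keep)

# Assumed abort threshold: one-way BB84 post-processing tolerates a QBER of
# roughly 11%; above it the round is discarded.
QBER_ABORT = 0.11

def session_outcome(qber, threshold=QBER_ABORT):
    """A high QBER is indistinguishable from noise or an attack; the only safe
    response is to abort, which is exactly the denial-of-service exposure."""
    return "abort" if qber > threshold else "key_established"

if __name__ == "__main__":
    for eve in (False, True):
        n, qber = bb84_session(4000, eavesdropper=eve)
        print(f"eavesdropper={eve}: sifted {n} bits, QBER={qber:.3f}, "
              f"{session_outcome(qber)}")
```

Without an eavesdropper the sifted key is about half the photons with zero errors; with intercept-resend the QBER sits near 25%, far above the threshold, so every round aborts.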
Thus, in practice, quantum networks have vulnerabilities that researchers need to address before they can be claimed to be hack-proof. As QKD-based systems are deployed more widely, testing those systems becomes more and more important. Although QKD claims to provide guaranteed security, its responsible use must not introduce new vulnerabilities into real-world systems. This means that communication systems involving QKD should be designed with fail-safe mechanisms that continue to operate securely even if the quantum part becomes compromised.
QKD does not address large parts of the security problem
QKD protocols address only the problem of agreeing keys for encrypting data. Ubiquitous on-demand modern services (such as verifying identities and data integrity, establishing network sessions, providing access control, and automatic software updates) rely more on authentication and integrity mechanisms — such as digital signatures — than on encryption.
QKD technology cannot replace the flexible authentication mechanisms provided by contemporary public key signatures. QKD also seems unsuitable for some of the grand future challenges such as securing the Internet of Things (IoT), big data, social media, or cloud applications, according to a white paper by the UK Government’s National Cyber Security Centre.
Commercial QKD systems have a number of practical limitations
The two major functional limitations of commercial QKD systems are the relatively short effective range of transmission, and the fact that BB84 and similar proposals are fundamentally point-to-point protocols. This means that QKD does not integrate easily with the Internet, or with the mobile technologies, apps and services that dominate public and business life today.
The desire to reduce costs and increase robustness in real-world applications has motivated the study of coexistence between QKD and intense classical data traffic in a single fiber. Previous work on coexistence in metropolitan areas has used wavelength-division multiplexing; however, coexistence in backbone fiber networks remains a great experimental challenge, since Tbps data traffic at up to 20 dBm optical power is carried on the fiber and generates much more noise for QKD.
Some researchers are trying to solve these problems by integrating QKD with classical (that is, non-quantum) network devices, such as ‘trusted nodes’. But this immediately invalidates any claimed guarantee of security based solely on the laws of quantum mechanics, and introduces an array of new concerns about the security properties of the ancillary network devices.
Cost-effectiveness of QKD
Hardware is relatively expensive to obtain and maintain. Unlike software, hardware cannot be patched remotely or cheaply when it degrades or when vulnerabilities are discovered. Until device-independent QKD is commercially available, each time a new vulnerability is announced in public, potentially compromised QKD devices will need to be recalled to the vendor (or an engineer sent out to apply an upgrade in the field).
Canadian and US researchers have taken an important step towards enabling quantum networks to be cost-effective and truly secure from attack. The experiments, by the team from the University of Calgary, the California Institute of Technology and the National Institute of Standards and Technology, Colorado, prove the viability of a measurement-device-independent quantum key distribution (QKD) system, based on readily available hardware.
NSA does not recommend the usage of quantum key distribution and quantum cryptography
Quantum key distribution and quantum cryptography vendors—and the media—occasionally make bold claims based on theory—e.g., that this technology offers “guaranteed” security based on the laws of physics. Communications needs and security requirements physically conflict in the use of QKD/QC, and the engineering required to balance these fundamental issues has extremely low tolerance for error. Thus, the security of QKD and QC is highly implementation-dependent rather than assured by the laws of physics. Although we refer to QKD only to simplify the discussion below, similar statements can be made for QC.
NSA does not recommend the usage of quantum key distribution and quantum cryptography for securing the transmission of data in National Security Systems (NSS) unless the limitations below are overcome.
- Quantum key distribution is only a partial solution. QKD generates keying material for an encryption algorithm that provides confidentiality. Such keying material could also be used in symmetric key cryptographic algorithms to provide integrity and authentication if one has the cryptographic assurance that the original QKD transmission comes from the desired entity (i.e. entity source authentication). QKD does not provide a means to authenticate the QKD transmission source. Therefore, source authentication requires the use of asymmetric cryptography or preplaced keys to provide that authentication. Moreover, the confidentiality services QKD offers can be provided by quantum-resistant cryptography, which is typically less expensive with a better understood risk profile.
- Quantum key distribution requires special purpose equipment. QKD is based on physical properties, and its security derives from unique physical layer communications. This requires users to lease dedicated fiber connections or physically manage free-space transmitters. It cannot be implemented in software or as a service on a network, and cannot be easily integrated into existing network equipment. Since QKD is hardware-based it also lacks flexibility for upgrades or security patches.
- Quantum key distribution increases infrastructure costs and insider threat risks. QKD networks frequently necessitate the use of trusted relays, entailing additional cost for secure facilities and additional security risk from insider threats. This eliminates many use cases from consideration.
- Securing and validating quantum key distribution is a significant challenge. The actual security provided by a QKD system is not the theoretical unconditional security from the laws of physics (as modeled and often suggested), but rather the more limited security that can be achieved by hardware and engineering designs. The tolerance for error in cryptographic security, however, is many orders of magnitude smaller than in most physical engineering scenarios, which makes it very difficult to validate. The specific hardware used to perform QKD can introduce vulnerabilities, resulting in several well-publicized attacks on commercial QKD systems.
- Quantum key distribution increases the risk of denial of service. The sensitivity to an eavesdropper as the theoretical basis for QKD security claims also shows that denial of service is a significant risk for QKD.
NSA views quantum-resistant (or post-quantum) cryptography as a more cost effective and easily maintained solution than quantum key distribution. For all of these reasons, NSA does not support the usage of QKD or QC to protect communications in National Security Systems, and does not anticipate certifying or approving any QKD or QC security products for usage by NSS customers unless these limitations are overcome.
Alternatives to QKD
There is renewed interest in academia and in industry in developing ‘quantum-safe’ or ‘post-quantum’ (classical) public key mechanisms as next generation, drop-in replacements for current public key schemes such as RSA, DSA, and ECDH, which potentially become insecure if large-scale quantum computers are ever developed. Post-quantum public key cryptography has a history dating back over 30 years and has generated proposals to address a much wider range of challenges than simple key establishment.
Post-quantum cryptography is classical cryptography that stands up to the attacks of a large quantum computer. It does not use any quantum properties. It doesn’t need any specialized hardware. It’s based on hard mathematical problems, just like the cryptography we have today. However, post-quantum cryptography avoids using integer factorization and discrete log problems to encrypt data. We already know that these problems are vulnerable to algorithms run on a quantum computer.
None of these post-quantum cryptography algorithms need any quantum hardware to encrypt data. They base the encryption on new mathematical problems that are not vulnerable to known quantum computing attacks. And of course, we have to make sure that while it stands up to (known) quantum computing attacks, it also holds against classical supercomputers.
There is an emerging consensus that the best practical approach to quantum security is to evolve current security applications and packet-based communication protocols towards adopting post-quantum public key cryptography. Software or firmware implementations of post-quantum cryptography should be easier to develop, deploy and maintain, have lower lifecycle support costs, and have better understood security threats than QKD-based solutions.
Given that QKD addresses only the encryption part of the security problem, real-world QKD systems will still be reliant on public key mechanisms for device and user authentication, and for supporting infrastructure requirements such as software updates. So, research into post-quantum public key cryptography is necessary for future quantum-safe networks, regardless of QKD.
Quantum-resistant algorithms are implemented on existing platforms and derive their security from mathematical complexity. When used in cryptographic protocols, these algorithms provide the means for assuring the confidentiality, integrity, and authentication of a transmission—even against a potential future quantum computer. The National Institute of Standards and Technology (NIST) is presently conducting a rigorous selection process to identify quantum-resistant (or post-quantum) algorithms for standardization. Once NIST completes its selection process, NSA will issue updated guidance through CNSSP-15.