Traditional cryptography relies on mathematical principles, meaning its security hinges on the resources available to an adversary to solve a mathematical problem or execute a brute-force attack. Even if these resources are unavailable today, the "intercept and store now, decrypt later" threat remains, as previously explained. Quantum cryptography, in contrast, leverages the laws of physics rather than mathematical complexity to provide security. In theory, quantum cryptography can remain secure regardless of an adversary's processing power or mathematical innovations, representing a significant paradigm shift in cryptography.
It's easy to confuse quantum cryptography with QRC because both offer resilience against future algorithmic and computational advancements, including quantum computers. However, they differ fundamentally: quantum cryptography necessitates specialized equipment to exploit quantum physics and cannot run on existing traditional computers. Quantum cryptography is a subset of quantum communication, as it utilizes the same underlying quantum principles.
While sometimes used synonymously with quantum cryptography, quantum key distribution (QKD) is a specific application. QKD enables two remote parties to establish a secret key through a dialogue over public channels, with the crucial guarantee that any attempt to observe the key in transit would be detected – a security feature absent in traditional cryptographic methods (US NSA, n.d.; ANSSI, n.d.; UK NCSC, 2020; BSI, 2021). In practice, encrypted data is transmitted as conventional bits over the network, while the secret key is transmitted as quantum states of light (OFCOM, 2021), which an interceptor cannot measure and retain intact, using specialized equipment (e.g., single-photon detectors) over fiber-optic or satellite links. Because information is encoded in quantum states, any eavesdropping attempt inevitably alters the value of some qubits, introducing errors that the sender and recipient can detect (ETSI, 2015). QKD therefore provides confidentiality and integrity but not availability (ANSSI, n.d.). Furthermore, the "no-cloning" principle of quantum physics prevents eavesdroppers from copying qubits transmitted in an unknown state (BSI, 2021; ETSI, 2015). This implies that any attempt to exploit vulnerabilities in transmitters or receivers would have to occur in real time, as there is no way to save the information for later decryption using more powerful technologies (ETSI, 2015).
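To make the detection argument above concrete, the following added example (not from the report or any of the cited agencies) simulates a BB84-style exchange in which qubits are modelled as (bit, basis) pairs and an intercept-and-resend eavesdropper disturbs roughly a quarter of the sifted key; the 11% abort threshold and the classical model of measurement are simplifying assumptions chosen for illustration.

```python
import random


def bb84_round(n_qubits, eavesdrop=False, seed=1):
    """Simulate one BB84 exchange and return (sifted_key_length, qber).

    Qubits are modelled as (bit, basis) pairs; basis 0 = rectilinear, 1 = diagonal.
    Measuring in the wrong basis yields a uniformly random bit, which is the
    property that makes intercept-and-resend eavesdropping leave errors behind.
    """
    rng = random.Random(seed)  # fixed seed: constructed, reproducible sample
    alice_bits = [rng.randrange(2) for _ in range(n_qubits)]
    alice_bases = [rng.randrange(2) for _ in range(n_qubits)]
    bob_bases = [rng.randrange(2) for _ in range(n_qubits)]

    def measure(bit, prep_basis, meas_basis):
        # Same basis: the encoded bit is read faithfully.
        # Different basis: the state is disturbed and the outcome is random.
        return bit if prep_basis == meas_basis else rng.randrange(2)

    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            # Eve must pick a basis, measure, and resend what she saw in that
            # basis; no-cloning rules out keeping a copy of the original state.
            e_basis = rng.randrange(2)
            bit, a_basis = measure(bit, a_basis, e_basis), e_basis
        bob_bits.append(measure(bit, a_basis, b_basis))

    # Sifting: over the (assumed authenticated) public channel Alice and Bob
    # compare bases only, never bit values, and keep positions that agree.
    sifted = [(a, b) for a, b, ab, bb in
              zip(alice_bits, bob_bits, alice_bases, bob_bases) if ab == bb]

    # QBER estimate: a disclosed sample of the sifted key, discarded afterwards.
    sample = sifted[: len(sifted) // 4]
    errors = sum(1 for a, b in sample if a != b)
    qber = errors / len(sample) if sample else 0.0
    return len(sifted), qber


def key_accepted(qber, threshold=0.11):
    """Decision rule: abort the session if the error rate exceeds the tolerance."""
    return qber <= threshold


if __name__ == "__main__":
    for eve in (False, True):
        length, qber = bb84_round(20000, eavesdrop=eve, seed=7)
        print(f"eavesdropper={eve}: sifted={length} qber={qber:.3f} "
              f"accepted={key_accepted(qber)}")
```

Without interference the sifted key agrees exactly, while the intercept-and-resend attacker pushes the error rate to about 25%, well above any tolerance a real system would accept; real deployments must also budget for channel noise and detector imperfections, which is where the implementation concerns discussed below arise.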
QKD could also be used without symmetric cryptography to provide communication security independent of an adversary's computational power. However, the data rate in such scenarios is typically 1,000 to 1,000,000 times lower than when using symmetric encryption, making this option impractical for most applications (ANSSI, n.d.).
Unlike quantum computing, QKD is feasible with today's technology (BSI, 2021). Several fiber-based and free-space QKD networks have been deployed or are under construction globally. A review of recent and ongoing large-scale deployments identified projects in Canada, China, Europe, India, Italy, Japan, Korea, Spain, the Russian Federation, the United Kingdom, and the United States, alongside standardization efforts by CEN-CENELEC, ETSI, IEEE, ITU-T, ISO/IEC JTC 1, CCSA, and BSI. These organizations had collectively published 22 standards as of 2022 and were developing 20 more (Stanley et al., 2022).
Nevertheless, several cybersecurity agencies have expressed significant reservations about the potential of QKD and quantum computing to meet security expectations and compete with QRC algorithms. The primary concern is that the engineering required to balance communication needs and security requirements has extremely tight error tolerances, making the security of QKD and quantum computing highly dependent on implementation quality rather than solely on the laws of physics (US NSA, n.d.). While the theoretical security of QKD rests on physical laws, its practical security depends on the degree of perfection in its technical implementation, specifically the extent to which potential adversaries can exploit deviations of real-world quantum cryptography systems from theoretical requirements, for example, in the transmitters or receivers (ETSI et al., 2018). Evaluations by cybersecurity agencies indicate that achieving such a high degree of perfection is far from easy or inexpensive, significantly limiting the number of potential use cases.
Cybersecurity agencies, including the US National Security Agency (NSA), the UK NCSC, the French ANSSI, and the German BSI, have highlighted the following additional concerns regarding QKD:
QKD is an incomplete solution: It lacks a built-in mechanism to authenticate the source of the QKD transmission (US NSA, n.d.). This absence of authentication leaves QKD vulnerable to physical man-in-the-middle attacks, where an adversary can establish separate shared secret keys with two parties who believe they are communicating directly with each other (UK NCSC, 2020). Consequently, parties must rely on asymmetric cryptography or pre-shared keys for authentication (US NSA, n.d.). However, integrating QKD systems with asymmetric authentication mechanisms introduces further complexities, and using pre-shared keys increases the operational costs of QKD networks (BSI, 2021).
QRC offers comparable security with advantages: The security benefits offered by QKD can be achieved by QRC, which is less expensive, better understood, doesn't require specialized hardware, and can provide authentication (US NSA, n.d.; UK NCSC, 2020).
QKD requires specialized and inflexible hardware: QKD necessitates dedicated equipment, such as a specific fiber optic connection or a physically managed free-space transmitter, making it difficult to integrate with existing network infrastructure. Furthermore, this hardware often lacks the flexibility for upgrades or security patches (US NSA, n.d.), is expensive, and raises concerns about digital sovereignty in regions without manufacturers, such as the European Union (BSI, 2021).
QKD has limited range and scalability challenges: Fiber-based QKD has a restricted communication range. Extending this range increases infrastructure costs and insider threat risks while not providing end-to-end security. QKD over fiber requires direct point-to-point links and cannot tolerate active network devices like switches, routers, and optical amplifiers, thus limiting the communication distance. The maximum achievable distance is constrained by signal loss, which increases exponentially with distance. Currently, fiber-based QKD is limited to approximately 100 kilometers (ANSSI, n.d.; BSI, 2021). While trusted relays could extend the range, they also increase costs and security risks (US NSA, n.d.). Quantum repeaters, based on quantum entanglement, could overcome this limitation but are unlikely to be available in the near future (BSI, 2021). Greater distances are possible using satellite links (ANSSI, n.d.), but these are costly and more susceptible to availability attacks (BSI, 2021).
QKD increases the risk of denial-of-service attacks: The very sensitivity to interception that ensures transmission confidentiality also elevates the risk of denial-of-service attacks (US NSA, n.d.).
Side-channel attack vulnerabilities are not fully understood: Numerous side-channel attacks on QKD systems have been demonstrated over the years. QKD devices are highly technical, making it crucial to prevent all known side-channel attacks, thoroughly investigate devices for their resistance, and continue research on unknown side-channel attacks (BSI, 2021). Notably, QKD equipment has not been comprehensively analyzed using standardized methodologies like Common Criteria (ANSSI, n.d.), although BSI has initiated work in this area in partnership with ETSI (BSI, 2021).
More broadly, the practical security of QKD relies on the limited security of the specialized hardware and engineering design required for its operation, rather than on the unconditional security derived from fundamental laws of physics (US NSA, n.d.). The inherent difficulty in perfectly implementing QKD means that attackers could induce abnormal behavior in the equipment to compromise security (ANSSI, n.d.). The gap between the theoretical security promised by quantum physics and real-world implementations is significant. Several attacks exploiting hardware vulnerabilities in commercial QKD systems have been documented (ANSSI, n.d.; US NSA, n.d.).
In summary, the NSA considers QRC a more cost-effective and easier-to-maintain solution than QKD. It does not support the use of QKD or quantum computing to protect communications in US national security systems and does not anticipate certifying or approving any QKD or quantum computing security products for use by national security system customers unless current limitations are overcome (US NSA, n.d.). Similarly, while acknowledging ongoing research and assurance efforts, the UK NCSC does not endorse the use of QKD for government or military applications and advises against sole reliance on QKD for business-critical networks, particularly in critical national infrastructure sectors. The NCSC encourages the adoption of QRC over QKD to address the quantum threat (UK NCSC, 2020). ANSSI views QKD as an interesting research area warranting further investigation but considers it not yet sufficiently mature for full operational deployment. It is currently at a distinct disadvantage compared to software-based cryptography and is most reasonably used in conjunction with symmetric encryption to secure communication between fixed, relatively close locations connected by optical fiber (ANSSI, n.d.). French authorities currently do not recommend allocating operational budgets to QKD. BSI acknowledges QKD as a potential alternative if QRC is broken by future algorithmic advances and welcomes research in underlying technologies like quantum networking. However, BSI believes numerous issues and limitations need resolution before QKD can be recommended as a security-critical technology for practical applications. Its use is currently mainly conceivable in experimental contexts for restricted use cases where practical limitations are less significant, or in a hybrid mode combined with traditional and quantum-resistant key agreement techniques (BSI, 2021). 
The Australian Signals Directorate also underscores the practical limitations of QKD and does not support its use for secure communications as of 2023 (ACSC, 2023). The Canadian Cyber Centre noted in 2021 that QKD is not a replacement for current cryptography applications but could be a future secure communication method (Canadian Centre for Cyber Security, 2021).