The cyber world is embattled. Can a new quantum unicorn ride to the rescue? A novel solution is seeking to harness the power of three deep tech disciplines – quantum, crypto and space. What are the strengths and weaknesses of this new approach?
The world needs a cyber security reboot
The digital world is already under siege from bad actors seeking to gain access to our systems and data. Kaseya, SolarWinds, Microsoft Exchange, DarkSide, REvil and others have already made headlines in 2021, and more will follow. To compound the problem, we know that future quantum computers will one day, perhaps not so far away, be able to break the public-key cryptography on which the Internet and much of government and corporate network security depends. Worse, data intercepted and stored today is already exposed to decryption by this future threat: the ‘harvest now, decrypt later’ attack.
When will a quantum computer large enough to break current security protocols be available? Where businesses need a single ‘reasonable worst case’ date to prepare against, Fact Based Insight continues to suggest 2027.
The world needs better cryptography and it already needs to be quantum-safe. Much activity is underway worldwide to meet this need, including the new maths-based quantum-resistant protocols of PQC, and the physics-based approaches of quantum cryptography, especially QRNG and QKD.
Crypto Jargon – Cryptographic systems seek to keep our communications secure. They need sources of true randomness (entropy) to provide numbers our adversaries cannot guess; protocols for authentication to protect messages from tampering and impersonation; techniques for shared secret key agreement; and methods for encryption to keep our messages confidential.
Private-key (symmetric) cryptography – Both parties must start out sharing the same secret key. Existing protocols are weakened, but not broken, by the threat from quantum computers: Grover’s algorithm gives at best a square-root speed-up on brute-force key search, so a 128-bit key offers roughly 64 bits of security against a quantum adversary. We can compensate by moving to larger key sizes. AES 256 is considered quantum-safe, and NIST even sees AES 128 as acceptable for some time to come.
Public-key (asymmetric) cryptography – Public keys can be shared freely, while each user retains a secret key. The tremendous flexibility this unlocks is central to the convenience of the modern Internet. Unfortunately, the algorithms in common use today, such as RSA and ECDH, are completely broken by a large enough quantum computer running Shor’s algorithm.
Post Quantum Cryptography – New maths-based protocols built on computational problems that are believed to be hard even for a quantum computer. NIST has been championing a standardisation process for new protocols: PQC DS (digital signature) and PQC KEM (key encapsulation mechanism). It is currently on track to release draft standards for public comment in 2022/23.
Quantum Cryptography – Quantum measurement outcomes exhibit intrinsic uncertainty; this is the basis for QRNG. Measurement disturbs a quantum state, and an unknown quantum state cannot be cloned; thus an eavesdropper cannot simply copy and store quantum communications and remain undetected. This is the basis for basic prepare-and-measure QKD. Quantum states can be entangled regardless of distance; this unlocks more advanced QKD protocols and wider capabilities in networked quantum computing.
The debate about the relative merits of PQC and quantum cryptography has been vigorous. Fact Based Insight believes that PQC is clearly the preferred option we can adopt now for Internet and ‘normal’ business applications. However, PQC and quantum cryptography are also complementary in a layered defence when higher levels of enduring security are desired and the use case supports the additional cost.
For Fact Based Insight’s in-depth view see Quantum safe cryptography – the big picture – Fact Based Insight.
A central challenge for quantum solutions is the additional hardware typically required and the delicate nature of the signals that need to be exchanged. Where current quantum tech can’t quite carry the load we end up having to ‘trust’ some conventional parts of the architecture.
Current QKD technology is limited in its range. When used over optical fibres, commercial ranges are now up to about 150km. Technology on the horizon may extend this to perhaps 500km. Extending this further in fibre requires a type of device, a quantum repeater, that does not yet exist. Most repeater design concepts require quantum memory, a technology still in its infancy.
The work-around used in long-distance QKD today is to use ‘trusted nodes’ to mediate the key formation process. This can work well, as in China’s 4600km national QKD network. However, the quantum security guarantee only extends to the individual network links: the key is exposed in the clear at each node.
Satellites are another promising approach for the delivery of quantum keys. One approach based on prepare-and-measure (P&M) QKD allows the satellite to mediate the formation of keys between two locations anywhere on the globe. However, in the absence of quantum memory, the satellite is again acting as a trusted node. Exploiting quantum entanglement, more advanced forms of QKD remove the need to trust the satellite, but without quantum memory even these only work when both ground locations are simultaneously within view of the satellite. Again, reach is compromised.
In short, when working with current QKD technology on anything beyond short point-to-point links, we have to work with trusted nodes.
Trusted nodes are not necessarily a practical problem. In a national network they would most often map on to existing telecom network exchanges, already tightly controlled locations. For some this is actually a positive feature: host governments may see it as an opportunity to enforce ‘lawful intercept’ provisions. On the other hand, some potential end users and net freedom proponents baulk at this compromise in information privacy. For others, it’s the security of long-range remote links, perhaps to an embassy or factory abroad, that’s most important. Here the security of trusted nodes may seem even more problematic.
Security Proofs – It’s important to keep in mind that many terms have a specific technical meaning in the context of academic cryptography. A completely untrusted node may actively try to cheat, lie to or otherwise deceive the honest users and operators of the system, and may operate in perfect co-ordination with other malicious attackers. Weaker adversary models can also be defined, in which the information available to adversaries and the influence they can exert are bounded in different ways.
Arqit aims high
In 2021 one particular quantum-safe security startup has challenged the conventional quantum model. Arqit recently achieved quantum unicorn status by completing a SPAC-assisted NASDAQ flotation with a valuation of $1.4b. At the heart of its plans is a new satellite-based quantum crypto system with the eye-catching claim that it can offer global reach while removing the need for the satellite to be a trusted node, and that any end-nodes can benefit from quantum keys without the need for any special hardware.
Federated Quantum System – Arqit are leading a consortium including BT, Sumitomo Corporation, Northrop Grumman, Leonardo, QinetiQ Space, qtlabs and Honeywell that is seeking to provide Arqit’s quantum encryption technology to Western-allied government customers. Five Eyes (FVEY) partners are an early target, and in an announcement co-hosted at the G7 Leaders Conference in Cornwall Arqit confirmed the initial involvement of the US, UK, Japan, Canada, Italy, Belgium and Austria. The FQS concept is carefully designed to appeal to sensitive national security users who prefer a private instance of the system rather than a managed solution.
Founded in 2017, Arqit have been involved in a number of projects as part of the UK NQTP, notably leading the £3m UKRI project on Next Generation Satellite QKD. The senior team includes a wealth of satellite and defence programme expertise, together with top-notch cyber security experts. The first satellites are to be integrated and tested at the UK National Satellite Test Facility in Harwell and are expected to launch on Virgin Orbit’s LauncherOne from Newquay in Cornwall in 2023. However, early adopters can already benefit from the system operating in an all-terrestrial mode.
Arqit’s novel approach
Arqit’s system has three main novel components.
- ARQ19 – this satellite protocol allows shared root quantum keys to be formed anywhere in the world with a suitable ground station
- QuantumCloud – this data centre software orchestrates the use of those keys across a network protected by symmetric maths-based cryptography
- DSCC – this Distributed Secure Communications Cryptography protocol is a lightweight solution that allows network end points to create an initial symmetrically protected channel (probably via a PSK), and then an unlimited supply of session or group keys
This isn’t the typical QKD approach. Daniel Shiu, Arqit Chief Cryptographer, describes it as “quantum-enabled symmetric crypto”. The satellite is a global source of shared quantum random numbers which are transmitted privately because of the uncertainty introduced by local random choices of measurement basis. Key formation is handled on the ground by the data centres and users across a conventional network protected by a novel form of maths-based symmetric cryptography. An important feature is that the secret keys are never themselves directly transmitted over any network link. This recreates the benefits of traditional out-of-band key delivery techniques, greatly complicating the practical logistics of any malicious attack.
ARQ19 starts off a lot like a conventional QKD protocol, but with a twist. The satellite sends a randomly encoded quantum signal to each of Alice (RA) and Bob (RB), plus just enough additional classical information to Bob (RA ⊕ RB) to allow Alice and Bob to complete a QKD-style reconciliation of their measurements via a conventional communication channel (including sifting, error correction and privacy amplification). This allows a shared secret key to be formed. The satellite never sees the final secret key, and therefore doesn’t need to be ‘trusted’.
However, if someone has access to the satellite and can also see the reconciliation information exchanged by Alice and Bob, then they too can recreate the secret key. In other words, Alice and Bob must perform their reconciliation over a confidential channel, not merely an authenticated channel as in conventional QKD. If I already have such a channel, why do I want to form a new key? Because I want to refresh the entropy in the system. This does, however, complicate analysis of the use cases where ARQ19 adds value and of how it might be attacked by a malicious party. Fact Based Insight believes the system could have great potential, but its full pros and cons are more nuanced than can be conveyed in a simple headline.
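To make the point concrete, here is a toy model of the key formation just described. It is written for this article; it is not Arqit’s code, and ARQ19’s actual quantum encoding, error correction and amplification steps are not public. The assumptions, also labelled in the comments, are: a BB84-style stand-in for the quantum links, in which a position is received cleanly only when the receiver’s random measurement basis matches the satellite’s encoding basis and the satellite publishes its bases for sifting; no channel noise, so error correction collapses to a key-confirmation tag; SHA-256 as the privacy-amplification hash; and an HMAC-SHA256 keystream as a stand-in for a PSK-protected confidential channel. The attacker is the one the text describes: someone holding the satellite’s view (RA, RB and the bases) who also reads the classical reconciliation traffic.

```python
import hashlib
import hmac
import json
import random

N = 512  # positions (qubits) sent to each station; constructed parameter


def satellite_round(rng):
    """Satellite side: RA, RB, an encoding basis for each, and the classical
    hint RA xor RB for Bob. This dict is the satellite's entire view."""
    ra = [rng.randrange(2) for _ in range(N)]
    rb = [rng.randrange(2) for _ in range(N)]
    basis_a = [rng.randrange(2) for _ in range(N)]
    basis_b = [rng.randrange(2) for _ in range(N)]
    return {"ra": ra, "rb": rb, "basis_a": basis_a, "basis_b": basis_b,
            "hint": [x ^ y for x, y in zip(ra, rb)]}


def measure(bits, enc_basis, rng):
    """Quantum-link stand-in (assumption: BB84-style). The receiver picks a
    random basis per position; a match yields the encoded bit, a mismatch a
    uniformly random outcome. Returns (chosen bases, outcomes)."""
    my_basis = [rng.randrange(2) for _ in range(N)]
    outcomes = [b if mb == eb else rng.randrange(2)
                for b, eb, mb in zip(bits, enc_basis, my_basis)]
    return my_basis, outcomes


def amplify(salt, sifted_bits):
    """Privacy amplification stand-in: SHA-256 of salt || sifted raw key,
    truncated to 128 bits (a real protocol uses a 2-universal hash)."""
    return hashlib.sha256(salt + bytes(sifted_bits)).digest()[:16]


def run_key_formation(seed=1):
    """One round. Returns (alice_key, bob_key, satellite_view, transcript);
    transcript is everything that crossed the classical channel."""
    rng = random.Random(seed)
    sat = satellite_round(rng)
    a_basis, a_out = measure(sat["ra"], sat["basis_a"], rng)
    b_basis, b_out = measure(sat["rb"], sat["basis_b"], rng)
    # Bob strips the hint: his measurement of RB becomes an estimate of RA
    b_ra_est = [o ^ h for o, h in zip(b_out, sat["hint"])]
    # Sifting: the satellite publishes its encoding bases (as the sender does
    # in BB84) and each station announces where its own basis matched
    a_ok = [i for i in range(N) if a_basis[i] == sat["basis_a"][i]]
    b_ok = [i for i in range(N) if b_basis[i] == sat["basis_b"][i]]
    keep = sorted(set(a_ok) & set(b_ok))
    # Privacy amplification with a salt chosen by Alice and sent in clear
    salt = bytes(rng.randrange(256) for _ in range(16))
    alice_key = amplify(salt, [a_out[i] for i in keep])
    bob_key = amplify(salt, [b_ra_est[i] for i in keep])
    # Key confirmation stands in for error correction (no channel noise here)
    tag = hmac.new(alice_key, b"confirm", "sha256").hexdigest()
    bob_tag = hmac.new(bob_key, b"confirm", "sha256").hexdigest()
    if not hmac.compare_digest(tag, bob_tag):
        raise ValueError("key confirmation failed")
    transcript = {"basis_a": sat["basis_a"], "basis_b": sat["basis_b"],
                  "a_ok": a_ok, "b_ok": b_ok, "salt": salt.hex(), "tag": tag}
    return alice_key, bob_key, sat, transcript


def attacker_recovers_key(satellite_view, transcript):
    """Satellite view plus the clear transcript: replay the ground-side
    computation. RA is fully known here, so amplification removes nothing."""
    keep = sorted(set(transcript["a_ok"]) & set(transcript["b_ok"]))
    return amplify(bytes.fromhex(transcript["salt"]),
                   [satellite_view["ra"][i] for i in keep])


def keystream(psk, n):
    """HMAC-SHA256 in counter mode: confidentiality-only stand-in for the
    PSK-protected classical channel (assumption; use an AEAD in practice)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(psk, ctr.to_bytes(8, "big"), "sha256").digest()
        ctr += 1
    return out[:n]


def seal(transcript, psk):
    data = json.dumps(transcript, sort_keys=True).encode()
    return bytes(x ^ y for x, y in zip(data, keystream(psk, len(data))))


def open_sealed(blob, psk):
    """Transcript back, or None under a wrong key (garbage is not UTF-8 JSON)."""
    data = bytes(x ^ y for x, y in zip(blob, keystream(psk, len(blob))))
    try:
        return json.loads(data.decode("utf-8"))
    except ValueError:
        return None


def demo(seed=1):
    """(keys agree, attacker wins with the clear transcript, attacker fails
    when the transcript is sealed under a PSK it does not hold)."""
    alice_key, bob_key, sat, transcript = run_key_formation(seed)
    psk = b"example PSK"  # constructed; DSCC would supply this out of band
    sealed = seal(transcript, psk)
    return (alice_key == bob_key,
            attacker_recovers_key(sat, transcript) == alice_key,
            open_sealed(sealed, b"not the PSK") is None)
```

Running `demo()` returns `(True, True, True)`. The satellite genuinely never computes the key, but because it knows RA outright, privacy amplification cannot squeeze its knowledge out of the result the way it squeezes out an eavesdropper’s partial information in ordinary QKD; the only thing standing between satellite access and the key is the secrecy of the sifting indices and the salt. Sealing the transcript under a pre-shared key restores that, which is exactly why this design needs a confidential, not merely authenticated, classical channel.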
One question is to what extent the new Arqit system can match the security claims of the other main quantum-safe security approaches. It certainly doesn’t offer the same in-band deployment flexibility as the new public-key infrastructure promised by PQC. However, that’s not Arqit’s target market – its plans put emphasis on those high-sensitivity customers that probably never trusted public-key infrastructure anyway.
But how does it stack up against QKD based security? A central feature emphasised by proponents of QKD is that it provides ‘everlasting security’. Attackers act first in real-time and naturally any security system is seeking to protect against this. However QKD makes a stronger claim: unless the key formation process is compromised in real-time, it cannot be attacked later by computational (or any other) means.
At first glance, the Arqit system does not do this. If an attacker has access to the satellite and can intercept & store the encoded reconciliation communications then they can attempt to break the security later. However, comparing overall protocol implementations reveals a more subtle situation.
Assessing end-to-end security
Analysing end-to-end crypto system security is a complex task. As a simplification, it’s generally useful to look at four main sub-components: the entropy source, authentication, key agreement and message encryption.
| Case | Scenario | Entropy Source | Authentication | Key Agreement | Message Encryption |
|---|---|---|---|---|---|
| 1 | Internet Today | Hash DRBG | RSA 2048 | ECDH 256 | AES 128 |
| 2 | Full PQC | Hash DRBG | PQC DS | PQC KEM | Symmetric Crypto |
| 3 | QRNG PQC | QRNG | PQC DS | PQC KEM | Symmetric Crypto |
| 4 | In-Band QKD | QRNG | PQC DS | QKD | Symmetric Crypto |
| 5 | Arqit FQS | Global QRNG | PSK | Symmetric Crypto | Symmetric Crypto |
| 6 | PSK QKD | QRNG | PSK | QKD | Symmetric Crypto |
| 7 | ITS QKD | QRNG | PSK | QKD | One Time Pad |
For example, for an internet application today (1), I might use Hash DRBG for pseudo random numbers, RSA 2048 for digital signatures, ECDH 256 to form session keys and AES 128 for message encryption.
A full PQC protocol set (2), with the flexibility it retains as an ‘all maths’ solution, will almost certainly be the preferred option we can adopt over the coming years for Internet and ‘normal’ business applications. Low cost, compact QRNG devices are already available as an upgrade to this basic solution (3).
On the other hand, a full QKD implementation offers the unique claim that when deployed in conjunction with one-time-pad encryption (7), it can provide information theoretic security (security never vulnerable to computational attack). However low QKD key rates make this attractive for only the highest sensitivity, low data rate, applications.
QKD can also be combined with a PQC Digital Signature (4) to offer a streamlined fully in-band solution. More typically, ‘PQC vs QKD’ debates are comparing these pragmatic deployments (2 vs 4). The authentication security provided by the PQC DS only has to hold in real-time during key formation, but a potential weak spot for the all-maths solution is that the PQC KEM can be intercepted, stored and attacked at leisure after key formation (perhaps when greater computing resources are available or new algorithmic weaknesses have been discovered). QKD prevents this kind of attack, and thus delivers ‘everlasting security’.
However, when this claim is discussed, it is often implicit that we are still relying on symmetric crypto for the final message encryption. This could in principle also be attacked; it’s just that most experts don’t see it as vulnerable in the same way: quantum computers are expected to weaken but not completely break existing symmetric algorithms, provided we use large enough key sizes (AES 256 is considered quantum-safe). The Arqit solution can be seen as simply making more extensive use of that same symmetric crypto.
More generally symmetric cryptography relies on the enduring security of one-way functions. For a discussion of the implications see Quantum safe cryptography – the big picture – Fact Based Insight.
It is easy to fall into the trap of putting too much focus on just the theoretical strength of a security system. In practice the majority of hacks exploit bugs in the implementation or vulnerabilities of the operators. Physical layers of security and physical vulnerabilities, together with prudent data and key handling arrangements, can be equally important in the real world. Respected authorities such as the NSA and NCSC have cautioned against the adoption of current QKD technology for these reasons. The sector is responding by creating recognised standards and certification processes.
The reader will probably agree with Fact Based Insight that this isn’t easy stuff. A high-level comparison such as this can’t settle the matter of how, in detail, Arqit’s approach (5) compares to claims made for typical QKD proposals (4 or 6). Here Fact Based Insight would normally be guided by the technical literature and in particular presentations and discussions at academic conferences.
Arqit’s press claims have caused consternation in some parts of the QKD community. Established QKD players like QuantumCTek, IDQ or Toshiba have regularly published technical papers and spoken at academic conferences subjecting their work and claims to in-depth scrutiny; mainstream PQC players have taken part in the gruelling NIST PQC standardisation process. Arqit have impeccable maths-based cryptographers on staff, but they haven’t yet published technical papers beyond their patents or defended their work in academic peer review. Now that Arqit have completed their float, Fact Based Insight would welcome that changing.
Whatever the final technical analysis, Fact Based Insight believes Arqit are to be congratulated. In a debate where maths-based and physics-based cryptographers have more often seemed at war than in collaboration, Arqit have brought forward a solution involving an innovative combination of both disciplines. Oh, and are putting the system in space to boot!
Deep tech convergence
Perhaps more than any other development in the quantum safe sector to date, Arqit’s new product announcements illustrate the challenge facing quantum-safe early adopters in evaluating the best way forward for their own organisations: how to get the right advice when solutions are combining techniques from not one but three different deep tech areas?
SPAC based flotations are controversial in some investment circles. However, Fact Based Insight understands how difficult it would have been to explain Arqit’s proposition to a traditional IPO audience. Engagement with the open academic sector has a crucial role to play, but it’s also understandable that companies want to maximise the lifetime of patent protection as they race to get to market.
Arqit’s inventive use of quantum randomness is unlikely to be the end of the story. Randomness has many other uses. One example is its role at the heart of blockchain technologies, not just their underlying crypto but also their consensus protocols. Traditional proof-of-work blockchains may be too energy profligate to survive the climate crisis. An important replacement technology, proof-of-stake, is currently held back by the difficulty of providing the public randomness it requires for efficient operation. Innovative ways of securely distributing global shared randomness could be just the start of a big thing.
Arqit won’t have the Quantum Internet to itself. For a discussion of wider competitors in this sector see Fact Based Insight – Quantum Internet Outlook 2021.
Actions for business
Businesses must plan ahead on how they will respond to this coming major cybersecurity transition. In some cases immediate action is required.
- If you have classes of data that must remain confidential even after the advent of large-scale quantum computers, you need to consider measures that protect against data being intercepted and stored today for later decrypt when a sufficiently large quantum computer becomes available.
- If you have investment programmes in assets or products with long expected life-cycles, you need to ensure that they have post-quantum robust upgrade paths. Remember that authentication protocols are normally at the heart of secure upgrades, and it is precisely those protocols that need to change.
- Make sure your internal security team and network of vendors is building preparatory skills now. For most common applications, businesses should be happy to observe the NIST PQC process and engage with national initiatives such as the NCCoE’s Migration to PQC project. Remember though that rolling out changes across a large organisation can take years and appropriately skilled resources will be in increasing demand. Be ready to move promptly to avoid being caught out.
- For businesses with stronger security requirements, you should be working with your security vendors to review the portfolio of options and transition paths appropriate to you. Leverage modest amounts of money spent with innovators and startups. Seek opportunities to turn an early response into a differentiating factor for your brand.
- For businesses with the strongest security requirements, becoming early adopters of the techniques offered by quantum cryptography should be considered an option as an additional layer of security. Such solutions can offer a unique security promise for long-term (10 yrs+) and very long-term (50-100 yrs+) data security.
- Any early adopter of new security technology should pay particular attention to three factors: What certification against relevant standards has the hardware/algorithms I am installing actually achieved? What upgrade paths will realistically be available? What is my fall-back level of security and action plan if a vulnerability is suddenly uncovered?
- The business case for early adoption should be carefully considered. What could be achieved by spending the same money on conventional security strengthening measures? Where possible full deployment should come only after standards have been finalised.
Investors should recognise the growing convergence of different Deep Tech sectors.
- Quantum technology and advanced cryptographic technology can offer more than the sum of their parts when combined in novel combinations to address real world use cases. Question those that see this as an ‘us’ or ‘them’ battle.
- In a wider context, quantum technology is centrally placed in terms of the other Deep Tech markets it directly touches. Examples include, Photonics, Crypto, Space, Advanced Materials, Biotech, AI and others.
- Look for opportunities where companies have assembled the right skill set to work deeply within their own competences, but also the right partners to form solutions across discipline boundaries.
- Look for companies that actively manage their engagement with the wider community, including academic hubs, national programmes and quantum industry associations, to validate and continually refresh their ideas.
- Realising value also requires an understanding of the market. Look for companies that build-in real world use case experience in their wider senior team.