Fortunately, preparations are well in hand to fix the Internet before large-scale quantum computers can break it. But even in 2020, sensitive data intercepted and stored is already vulnerable to future attack. Companies must act to ensure they are not caught out by the coming transition. In the longer term, the tantalising promise of the Quantum Internet beckons.
Time to act
Despite the many very positive applications quantum computers will find, the one that most people hear first is less welcome. When a large enough quantum computer is available, we know it will be able to use Shor’s algorithm to break the public key cryptographic protocols on which Internet and corporate network security currently relies. Worse, data intercepted and stored today is already vulnerable to decryption by this future threat. The vast majority of existing blockchain platforms also have vulnerabilities. Company boards should already feel accountable for long-term sensitive business data from 2020 that is later compromised in this way.
Exactly when quantum computers large enough to realise this threat will be built has been the subject of much speculation, but little certainty. Where businesses need a single ‘reasonable worst case’ date to prepare against, Fact Based Insight continues to suggest 2027, though it’s important to emphasise that the ‘most likely’ date is perhaps 2035 or beyond.
Businesses need to consider their own specific security challenges and the potentially significant time it will take them to transition to quantum safe arrangements. Parallel investments in technologies such as 5G networks, the Internet of Things and blockchain also need careful consideration.
For more background read Quantum Safe Cryptography – waiting to save the world.
For the impact on Blockchain read Quantum enhanced blockchain – sooner than you think.
Post-Quantum Crypto – on track
Development of new maths-based cryptographic protocols thought to be resistant to quantum attack has been underway since 2006, and with renewed vigour since 2016 through an evaluation and standardisation process led by NIST. Of 69 candidates for ‘round 1’ evaluation, 21 were broken or significantly attacked. 26 candidates have continued for ‘round 2’ evaluation during 2019-20 and this process remains on track. The various protocols have different strengths and weaknesses. Importantly, typical key and signature sizes are likely to be significantly increased compared to present day solutions. These may not be simple ‘drop-in’ replacements for existing algorithms.
NIST has resisted the calls from some quarters to accelerate the announcement of interim standards, instead reflecting the general view in the expert community that further work on security validation is required. Round 3 evaluations will run 2020-21. Draft standards are expected to be posted for public comments around 2022, final standards around 2024.
Early Movers – A variety of companies have undertaken real world trials or introduced pilot products. Google have tested NTRU-HRSS and SIKE for Internet TLS (the former performing better). Amazon have announced support for BIKE and SIKE for connections to AWS. Due to the experimental nature of these algorithms, in all cases the implementations provide a dual-lock by combining the PQC algorithm with a proven existing algorithm (e.g. DH). Other tech majors are actively involved with particular algorithms such as Microsoft (FrodoKEM, SIKE, Picnic, qTESLA) and IBM (CRYSTALS). DigiCert offer a certificate test suite based on CRYSTALS. ISARA, the leading startup specialising in this area, opened its first European office.
Quantum Random Number Generators – on sale now
Almost all crypto systems make heavy use of random numbers, but conventional sources offer only pseudo-randomness or are potentially subject to bias. Correctly configured, quantum processes offer a source that is immutably random. Many early players in the quantum crypto sector such as IDQ, QuintessenceLabs and QuantumCTek already offer QRNG devices as part of their product suite. The profile of this sector took a significant step upwards in 2019 when SK Telecom announced it had protected its new 5G authentication centre with IDQ QRNG devices.
Such devices are also a natural early spinoff from technologies being developed for more advanced quantum applications. Many quantum startups have identified the QRNG market as a potential source of early revenue while more advanced products are developed. It’s therefore no surprise to see this offering feature in the product roadmaps of KETS, CQC, Bra-Ket and others. Hardware certification is set to be a key battleground in this market. In 2019 ITU-T published X.1702, the first quantum specific standard for QRNG architecture.
Quantum Key Distribution – starting to mature
QKD offers a physics-based alternative for one important aspect of communications security – the secure exchange of encryption keys. Following its dramatic demonstration from space by China’s Micius satellite in 2017, activity around the world continues to accelerate.
China – still the undisputed leader in practical QKD deployment. In 2019, commercial use of the 2000km Beijing-Jinan-Hefei-Shanghai QKD backbone has continued with users such as banks ICBC and CMBC and the Xinhua news agency. Trials are underway for its use in the Chinese customs systems and the ERP systems of import/export companies. A Wuhan-Hefei link is already under construction and a Beijing-Guangzhou link is in planning. In Korea, SK Telecom deployed IDQ QKD hardware within its backbone network (initially the major Seoul-Daejeon section).
Europe – OPENQKD launched seeking to link existing European centres of QKD activity such as Cambridge, Madrid, Geneva and Poznan. Going even further, 19 countries signed up to support the QCI initiative to study the operational deployment of QKD in Europe. In 2019 the UK Quantum Network hosted a series of future-pointing demonstrations: long-term operation of shared quantum/data channels over commercial grade fibre; extension of the network to the BT-led tech cluster at Adastral Park; demonstrations of QKD on the UK 5G testbed. The UK is collaborating with Singapore’s CQT on satellite based QKD. The SpooQy-1 CubeSat mission successfully launched to test underlying components.
US – progress in 2019 continued to be spearheaded by commercial players: Quantum Xchange has piloted point-to-multipoint commercial QKD installations in New York. One-time pioneers MagiQ, who had for some time been quiet about quantum cryptography, are now again actively marketing a QKD solution. Qubitekk targeted utility grid protection.
Rest of the world – Toshiba, NEC, NICT and leading Japanese universities are collaborating on a Quantum secure cloud (with medical and personal genome data being a particular target application). QuintessenceLabs, assisted by funding from the Australian Department of Defence, is developing its own CV QKD technology. The IQC is developing the Open QKD Network project, to provide a layered framework for the incorporation of QKD into conventional communications systems. KNRTU-KAI demonstrated a 143km inter-city link in Russia.
In principle QKD offers perfect security. However in the past, real-world concerns about side-channel attacks targeting implementation weaknesses have undermined this claim. China has been active in seeking to test and resolve such vulnerabilities and in promoting work on hardware standards that will reassure potential customers.
Old arguments and agile solutions
Early movers in the quantum safe crypto market typically emphasise the need to understand specific requirements and to respond in a way that meets the immediate need while also allowing future flexibility.
In the past mathematicians and physicists have often talked past each other in arguing the respective merits of PQC and QKD. Increasingly the debate is slowly coming together, the key question being when does the business case justify the cost of QKD as an additional complementary layer of protection?
PQC experts still make a strong case. The maths-based crypto community has been dealing with real-world security concerns for many years. Many will question whether the issues addressed by QKD are a top priority. Could money spent on QKD be better spent on other security measures?
The QKD community does seem to agree that cost has been an issue for many applications. The AQuaSeC consortium, including Toshiba and KETS, is targeting the realisation of a single chip solution able to simultaneously support existing DH, PQC and QKD solutions. Andrew Shields (Toshiba) thinks such a ‘triple lock’ could be a compelling proposition if delivered at the right price. The EU’s UNIQORN consortium has similar plans.
Quantum Xchange are offering an interesting hybrid solution, Phio TX. This uses out-of-band key delivery to improve immediate resilience, while offering an upgrade path to QKD where that is merited. So far they have 6 pilots in operation, predominantly with commercial customers, and anticipate 40 customers by end-2020.
Strategic partnerships – Collaborative working is accelerating across the sector: Thales is collaborating with ISARA (PQC) and IDQ (QRNG & QKD) to offer its clients crypto-agile solutions now; Leading hardware security module provider Utimaco is collaborating with Microsoft, evolutionQ and ISARA; Cryptonext Security has teamed up with KETS to offer its PQC library over the latter’s QRNG chips (notably both companies share a common quantum focused investor Quantonation).
The Quantum Internet
In the long term, the outcome of this battle may depend on the path taken elsewhere in the wider quantum technology sector. The EU Quantum Flagship has now articulated its own vision ‘to build the Quantum Internet in Europe’ as a long term 20-25 year goal that unifies the overall programme.
The familiarity of these individual words should not obscure how radical a vision this is. Quantum states are very different to conventional data.
When we network conventional computers their combined power scales linearly;
… when we entangle networked quantum computers their power scales exponentially.
Whenever we network two remote locations we create a security vulnerability;
… when we use coherent quantum links we have inherent security.
When we outsource sensitive business calculations we must trust our cloud service provider;
… when we use quantum links we can perform ‘blind’ computing with zero overhead.
When we network n conventional sensors their fidelity scales as √n;
… when we entangle n quantum sensors, and if we can defeat loss and noise, their fidelity scales as n.
China is also pursuing this goal. Speaking in Shanghai, Zhao Yong (President, QuantumCTek) said “Though the quantum communication industry is still in infancy, its potential is being increasingly recognised. We are preparing for a take-off in the near future.”
To watch in 2020
NIST Round 3 – Expect the PQC candidate algorithms selected for round 3 to be announced May/June. Evaluations will run 2020-21. Expect issues such as performance and IP rights to come to the fore.
Patent EP 2537284 – Via CNRS, the French government owns a patent that broadly impacts many attractive ‘small key’ code-based and lattice-based PQC protocols. Will NIST and CNRS cut a deal to remove any economic impediment to the adoption of such solutions?
Structured Lattice-Based crypto – A strength of the NIST process is the diversity of PQC approaches it continues to consider. However only the ‘structured’ lattice-based protocols have the combination of performance and signature/key size that promise a measure of ‘drop-in’ compatibility with existing Internet protocols. Some worry the additional ‘structure’ in these lattices is also a potential security vulnerability. Watch out for angst over how to address these concerns.
Randomness in the market – Expect new QRNG devices from players such as KETS, CQC, Bra-Ket and others. These will seek to compete with established offerings from IDQ, QuintessenceLabs and QuantumCTek on cost, bitrate and compliance with an increasingly dizzying array of standards. The current generation of devices don’t offer a device-independent model of randomness, so device-specific assurance testing will be required. Expect entropy.
Standards vs standards – Early quantum safe adopters will want systems that meet recognised standards. Watch out for the continuing work from both industry-led bodies such as ETSI, and government-led bodies such as ITU-T and ISO. Expect growing tension. Already China, the US and Russia all want to ‘co-chair’ the new ITU-T focus group on quantum information technology.
Satellite QKD missions – A successful conclusion to the current SpooQy-1 mission will be a milestone in de-risking future missions such as the QKD Cubesat planned for 2021. Other QKD related missions due to launch in 2020 include NanoBob (France) and QUBE (Germany). Watch space become increasingly central to wider plans for this technology.
2nd generation QKD on the map – Current deployments use 1st generation DV QKD systems. Research is hotting up on the next generation of the technology. Demonstrations already show promise for CV QKD, TF QKD, MDI QKD and more advanced entanglement based approaches. Most commercial devices are probably still 2-3 years away. Will QuintessenceLabs be the first to market with a CV QKD based system?
UK Quantum Comms Hub – Phase 2 of the UK programme is expected to continue work on the UK Quantum Network, ‘consumer QKD’ standards and assurance, while adding new themes in CV QKD, entanglement, components and multiple complementary cubesat missions. Watch out for hybrid technologies that merge PQC and QKD.
Lawful intercept in Europe – Views differ as to whether governmental authorities, where lawfully authorised, should be able to intercept and read private communications. Current QKD trusted node technology bakes in this possibility, but research groups around the world are working to overcome this current technical limitation. Expect initiatives such as QCI to bring European views on this to a head. Will the EU seek to set another international data-law precedent?
NCSC on Quantum Safe Cryptography – Will the highly respected UK NCSC issue updated guidance on quantum safe cryptography? Its previous advice now dates from long ago in 2016, when it was heavily critical of QKD and cautioned on premature transition to new algorithms. We can expect it to remain cautious, but the nuances of any new advice will be picked over by potential early adopters both in the UK and more widely.
US NQI 5-year strategic plan – The US was a pioneer of early QKD before moving its focus onto PQC. The scope of the NQI very much includes quantum communications. The 5-year strategic plan is due out by March. What emphasis will it put on QKD?
QuantumCTek IPO – This leading quantum startup plans to raise $43m in an initial public offering on the Shanghai stock exchange. This is set to make it the first listed pure-play quantum technology company anywhere in the world. No Western capitalists have yet grown so bold.