Business must act now to secure itself against the security threat posed by future quantum computers. Fortunately new quantum-resistant maths-based crypto is on track to protect businesses that act promptly. To understand the growing momentum behind additional physics-based quantum security, it’s necessary to appreciate its unique enduring security promise and the long term direction in which this sector is heading. It’s increasingly clear that one day the world will have an entanglement based Quantum Internet.
Quantum computers will have many positive impacts on business and society, but one is less welcome. When a large enough quantum computer is available we know it will be able to break the current public key cryptography on which Internet and corporate network security depends. Worse, data intercepted and stored today is already vulnerable to decrypt by this future threat.
Much activity is underway worldwide to address this threat, including the new maths-based quantum-resistant protocols of PQC and the physics-based approaches of quantum cryptography, especially QRNG and QKD.
However to understand this rapidly evolving sector we also have to look at the shape of an even more important emerging future technology – the Quantum Internet.
Time to act
The current threat posed by future quantum computers should not be confused with the day-to-day travails of cyber security:
Michele Mosca (IQC and evolutionQ) – “This is a threat we haven’t faced before in the modern era”;
Eric Schmidt (former Google CEO) – “I STRONGLY RECOMMEND business should act now. We know that foreign powers are already busy recording everything. It is their plan, 10 years from now, to decrypt everything”;
John Prisco (Safe Quantum & industry veteran) – “The COVID-19 crisis has meant that for many 2020 was a lost year to prepare”.
Q-day – Multiple reputable quantum hardware firms now have roadmaps to produce ‘one million qubit’ machines by the end of this decade. Strictly speaking such devices are likely still too small to break our best current Internet standards (20 million noisy qubits running for 8 hours is a detailed published estimate for factoring RSA-2048 on one leading architecture). Moreover, these plans are unlikely to proceed without setback. 2035 or beyond still seems the most likely date for our security to be compromised. However, some qubit and error-correcting technologies retain the potential for disruptive breakthroughs, and a ‘Manhattan project’ by a major nation state could significantly accelerate timelines.
Where businesses need a single ‘reasonable worst case’ date to prepare against, Fact Based Insight continues to suggest 2027.
Jiuzhang – Should China’s recent quantum supremacy demonstration make us re-evaluate our assumed timelines? Fact Based Insight thinks not. Jian-Wei Pan’s achievement is a notable scientific and engineering success (whatever way disputes about the maths turn out), but it has not been done on a readily scalable technology platform. More subtly, it comes as a massive present on the eve of the CCP’s 100th birthday. If China did have a more advanced secret programme, wouldn’t we have seen a hint of that tech leaking out to help make sure this present really was delivered on time? USTC will have a lot more to say along the future quantum journey, but we already knew that.
Post-Quantum Crypto on track
Development of new maths-based cryptographic protocols thought to be resistant to quantum attack has been underway since 2006. This has been formalised since 2016 through an evaluation and standardisation process led by NIST. This focusses on standardising new quantum-resistant digital signature (DS) and key encapsulation mechanism (KEM) protocols.
Jargon – In general we need protocol primitives for initial authentication, for agreeing an encryption key, and then for message encryption. Today a typical stack is RSA-2048 signatures + ECDH over a 256-bit curve + AES-128. In general terms this needs to become PQC DS + PQC KEM + AES-256 (the larger AES key restores the security margin against quantum search of the key space).
NIST PQC process – Round 1 evaluated 69 candidates, of which 21 were broken or significantly attacked. Round 2 carried forward 26 candidates, of which 8 suffered attacks (typically of a more minor nature, forcing them to adopt more conservative/less efficient parameters or simply pointing to relative immaturity). Round 3 is completing the evaluation of 7 finalists through 2021. Draft standards are expected to be posted for public comment in 2022, with final standards in 2024. Fact Based Insight believes that we should be reassured that scrutiny is doing its job. The final selections will be sound choices.
Now that the NIST finalists have emerged, we can get a much clearer picture of the tools that will be available in the medium term PQC landscape.
KEM/Public-key encryption finalists: CRYSTALS-KYBER, NTRU, SABER and Classic McEliece. The first three are structured lattice based schemes, offering a good security/performance trade-off making them suitable as a ‘drop-in’ replacement for Internet security. NIST will finally standardise just one of these. Classic McEliece has a very different profile offering very short ciphertext size but incredibly long public keys (262 kilobytes!). Importantly it is a completely different code-based scheme that has survived attack for over 30 years.
Digital Signature finalists: CRYSTALS-DILITHIUM, FALCON, Rainbow. Again, the first two are structured lattice based schemes, and NIST will finally standardise just one. Rainbow, a multivariate scheme, increases the diversity of finalists but again very large key sizes make it unsuitable as a general purpose protocol.
The prominence of protocols from the structured lattice crypto family in plans for future Internet compatible standards is understandable. However a diversity of approach on underlying security assumptions is also desirable, to serve other performance/security use cases and to provide a backstop should one protocol, or a whole family of protocols be undermined by a novel quantum or conventional attack. NIST has therefore also identified 8 ‘alternative candidates’ for further study and development.
Alternative KEM candidates: BIKE is an efficient structured code-based scheme and a potential backstop for the Internet if structured lattice based schemes fail. HQC is another code-based scheme with worse performance but possibly stronger security. NTRU Prime is a structured lattice based scheme, but one that depends on a different structure assumption. FrodoKEM is an unstructured lattice based scheme, suffering a big performance hit but offering a very strong security promise.
Alternative DS candidates: GeMSS is a multivariate based scheme offering a backstop to Rainbow. Picnic is a symmetric crypto based scheme offering much stronger security. SPHINCS+ is another symmetric hash-based scheme, offering perhaps the strongest PQC signature of all.
The NIST process has progressed strongly and to plan. It’s very much a positive that, despite early fears, we have PQC options that promise to be relatively ‘drop-in’ replacements for current Internet protocols.
There are still challenges. Corporate users seeking strong PQC with different performance trade-offs will have to wait longer for additional PQC standards to be forthcoming. NIST envisages a further round of evaluation for promising alternative candidates. In addition, there is no general-purpose Internet-compatible alternative to digital signature schemes based on structured lattices. This represents a potential single point of failure with respect to novel quantum or conventional attacks. NIST has called on the PQC community to work to fill this gap.
Quantum cryptography today
Random numbers are a basic building block of almost all crypto systems. QRNG is the most basic quantum cryptographic technique, built on intrinsic quantum uncertainty. It enhances security even in otherwise conventional systems (though it doesn’t in itself make a system proof against quantum attack). Commercial devices have been available for niche applications for some years.
Quantum entropy – QRNG constitutes an early revenue opportunity for startups with wider quantum ambitions. Established providers such as IDQ, QuantumCTek and QuintessenceLabs have been joined by new entrants. CQC have already demonstrated how their product integrates with IBM Key Protect and IBM’s suite of PQC protocols. Qrypt have partnered with Quside to integrate the latter’s quantum entropy source within an enterprise-ready package. KETS have demonstrated their chip scale solution. The ITU-T has defined an initial standard, X.1702, for what can call itself a QRNG.
IDQ and its strategic partner SK Telecom secured an eye-catching landmark in 2020 by placing a miniaturised QRNG chip in a Samsung mobile phone. IDQ have also signed up VinSmart and hint at other mobile phone manufacturers soon to follow.
Samsung Galaxy A Quantum – Launched in South Korea and based on a custom edition of the Samsung Galaxy A71 5G, this smartphone includes a 2.5mm² QRNG chip from IDQ. This is used to strengthen security in identification, payment and cryptocurrency services offered by SK Telecom.
National programmes are strongly backing these initiatives. IDQ and Quside are benefiting from the QT Flagship QRANGE project to miniaturise this technology. KETS has benefited from the UK NQTP ISCF AQuaSec project and can point to successful trials in demonstrations for Airbus and Thales. The UK NQTP AQRNG project has recently been launched, led by the respected UK NPL, to tackle the important task of assurance. Customers need to know a QRNG device does what it claims.
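The assurance problem has a software component that any integrator can run today: the continuous health tests that NIST SP 800-90B requires of every entropy source, quantum or otherwise. The following is an added example, not code from any vendor or project named on this page. It implements the two mandatory tests, the Repetition Count Test (catches a stuck source) and the Adaptive Proportion Test (catches a biased source), using the standard’s own cutoff formulas. The `h_min` argument stands for the vendor’s claimed min-entropy per 8-bit sample; the three input streams are constructed stand-ins (a seeded PRNG, a constant stream, and a stream with one value pinned every third sample), not output from any QRNG.

```python
"""Continuous health tests from NIST SP 800-90B section 4.4, applied to a stream of 8-bit samples."""
import math
import random

ALPHA = 2.0 ** -20  # per-test false-alarm probability used throughout SP 800-90B


def rct_cutoff(h_min: float) -> int:
    """Repetition Count Test cutoff: C = 1 + ceil(-log2(alpha) / H).
    Under a claimed min-entropy H per sample, a run of C identical samples has
    probability below alpha, so reaching it indicates a stuck source."""
    return 1 + math.ceil(-math.log2(ALPHA) / h_min)


def apt_cutoff(h_min: float, window: int = 512) -> int:
    """Adaptive Proportion Test cutoff: C = 1 + CRITBINOM(W, 2^-H, 1 - alpha), where
    CRITBINOM is the smallest k whose Binomial(W, p) CDF reaches 1 - alpha.
    The binomial terms are built by recurrence so that p**k never underflows."""
    p = 2.0 ** -h_min
    term = (1.0 - p) ** window  # P[X = 0]
    cdf, k = term, 0
    while cdf < 1.0 - ALPHA and k < window:
        term *= (window - k) / (k + 1) * p / (1.0 - p)  # P[X = k+1] from P[X = k]
        k += 1
        cdf += term
    return 1 + k


def health_check(samples: bytes, h_min: float, window: int = 512) -> dict:
    """Run both tests over a sample stream and report cutoffs and failures.
    window=512 is the SP 800-90B value for non-binary samples (1024 for binary)."""
    c_rct, c_apt = rct_cutoff(h_min), apt_cutoff(h_min, window)
    rct_fail = apt_fail = False

    last, run = None, 0
    for s in samples:  # RCT: track the current run of identical samples
        run = run + 1 if s == last else 1
        last = s
        if run >= c_rct:
            rct_fail = True
            break

    for start in range(0, len(samples) - window + 1, window):  # APT: one window at a time
        win = samples[start:start + window]
        # The first sample of the window is the reference and is itself counted.
        if win.count(win[0]) >= c_apt:
            apt_fail = True
            break

    return {"rct_cutoff": c_rct, "apt_cutoff": c_apt,
            "rct_fail": rct_fail, "apt_fail": apt_fail}


def constructed_streams(n: int = 4096, seed: int = 7) -> dict:
    """Constructed stand-ins for device output; no real QRNG is involved.
    A seeded PRNG plays the healthy device only for illustration: these tests
    cannot tell a PRNG from a physical entropy source."""
    rng = random.Random(seed)
    healthy = bytes(rng.getrandbits(8) for _ in range(n))
    stuck = bytes([0x00]) * n  # e.g. a dead photodiode or a saturated ADC
    biased = bytes(0x41 if i % 3 == 0 else rng.getrandbits(8) for i in range(n))  # one value pinned every third sample
    return {"healthy": healthy, "stuck": stuck, "biased": biased}


if __name__ == "__main__":
    for name, stream in constructed_streams().items():
        print(name, health_check(stream, h_min=6.0))
```

The cutoffs tighten as the claimed entropy rises, so a vendor claiming 7.9 bits per byte is held to a much stricter run length than one claiming 4. These tests are a cheap in-line sanity check and nothing more: they cannot distinguish a PRNG from a physical source, and they do not validate the entropy claim itself, which is what the full SP 800-90B estimation suite and independent assurance work are for.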
Quantum key distribution
Quantum technology can also be used to securely share encryption keys between two parties. In its simplest ‘prepare-and-measure’ form, QKD depends only on quantum uncertainty and the principle of quantum superposition. This already allows a security guarantee of a completely different type to conventional maths-based systems.
QKD pros and cons – QKD provides keys ‘secured by the laws of physics’; this is complementary to traditional maths-based approaches. QKD can only be attacked at the time of transmission, and so can be used to provide a uniquely enduring security promise. Its main disadvantages are the extra hardware it requires and the associated cost, the relatively immature state of the market, and the real-world implementation vulnerabilities that immaturity could introduce. In early devices secret key rates are modest and range is limited to 70-90km before a trusted node must be used to relay the protocol (and that node must then itself be trusted with the key).
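To make the ‘attack only at transmission time’ property concrete, here is an added example (not code from any vendor or project named on this page) that simulates prepare-and-measure BB84 classically, with an optional intercept-resend attacker. Eve must guess a basis for each photon; half the time she guesses wrong, re-prepares a random state, and leaves a 25% error rate in the bits Alice and Bob later compare, so the attack is visible before any key is used. The simulation ignores channel noise and detector imperfections, uses a seeded PRNG in place of quantum randomness, and assumes the classical basis-announcement channel is already authenticated; the 11% abort threshold is the textbook asymptotic bound for one-way post-processing, not a finite-key figure from any product.

```python
"""Prepare-and-measure QKD (BB84) simulated classically, with an optional intercept-resend attacker."""
import random
from dataclasses import dataclass

QBER_ABORT = 0.11  # asymptotic BB84 bound for one-way error correction and privacy amplification


@dataclass
class Outcome:
    sifted: int       # positions kept after Alice and Bob compare bases
    qber: float       # error rate on the disclosed test sample
    raw_key_len: int  # bits left for error correction and privacy amplification
    secure: bool      # False means the parties abort and discard everything


def bb84(n_qubits: int, eavesdrop: bool, seed: int = 0, sample_fraction: float = 0.5) -> Outcome:
    rng = random.Random(seed)
    # Alice prepares each photon as a random bit in a random basis (0 = rectilinear, 1 = diagonal).
    a_bits = [rng.getrandbits(1) for _ in range(n_qubits)]
    a_bases = [rng.getrandbits(1) for _ in range(n_qubits)]
    # Bob chooses his measurement basis independently, before any classical communication.
    b_bases = [rng.getrandbits(1) for _ in range(n_qubits)]

    in_flight = []
    for bit, basis in zip(a_bits, a_bases):
        if eavesdrop:
            # Intercept-resend: Eve measures in a guessed basis and re-prepares what she saw.
            # Measuring in the wrong basis yields a random bit and destroys the original state.
            e_basis = rng.getrandbits(1)
            bit = bit if e_basis == basis else rng.getrandbits(1)
            basis = e_basis
        in_flight.append((bit, basis))

    # Bob's measurement: same basis as the incoming state returns that bit, otherwise a coin flip.
    b_bits = [bit if bb == basis else rng.getrandbits(1)
              for (bit, basis), bb in zip(in_flight, b_bases)]

    # Sifting over the (authenticated) classical channel: keep positions where bases matched.
    keep = [i for i in range(n_qubits) if a_bases[i] == b_bases[i]]

    # Sacrifice a random subset of the sifted bits to estimate the quantum bit error rate.
    sample = set(rng.sample(keep, int(len(keep) * sample_fraction)))
    errors = sum(1 for i in sample if a_bits[i] != b_bits[i])
    qber = errors / len(sample) if sample else 1.0

    return Outcome(
        sifted=len(keep),
        qber=qber,
        raw_key_len=len(keep) - len(sample),
        secure=qber < QBER_ABORT,
    )


if __name__ == "__main__":
    print("no eavesdropper:", bb84(20000, eavesdrop=False, seed=1))
    print("intercept-resend:", bb84(20000, eavesdrop=True, seed=1))
```

Two points carry over to real deployments. First, the security argument depends entirely on the sifting and sampling messages being authenticated: an attacker who can impersonate Bob on the classical channel does not need to touch a photon, which is why the authentication question raised later in this article matters. Second, a QBER above threshold tells the parties to abort, not who was listening, so the hardware attack surface (detector blinding, source side channels) is about pushing errors below the threshold while still learning the key, not about breaking the protocol on paper.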
A growing number of companies now offer QKD systems on a commercial basis.
QuantumCTek provide the hardware for by far the world’s largest operational network. The original 2000km Beijing-Shanghai longitudinal backbone is being extended with 5500km of additional links currently under construction. 700km of an additional transverse backbone is already complete between Hefei and Wuhan, with a further 360km under construction and 2200km proposed.
QuantumCTek turned heads in 2020 recording the largest first day jump of any Chinese IPO at 924%. The price has since settled back to trade at a still healthy 650% premium on the issue price. This success reflects strong order prospects and the very positive tone of government support for quantum technology.
IDQ and its strategic partner SK Telecom have deployed pilot commercial installations in South Korea, including notably the Seoul-Daejeon section of SK Telecom’s LTE and 5G networks, and a 40km section of KEPCO’s power control network. Together they have secured the contract to build a 2000km QKD network serving 48 government organisations in South Korea.
IDQ have had a remarkable 2020. It’s a timely reminder to the wider quantum sector of how rapidly things can move when an innovative business with great technology and expertise is combined with the hitting power of a large strategic partner.
The long awaited launch of a commercial QKD system from Toshiba has further energised the sector. The entrance of a blue-chip tech manufacturer would be a notable milestone in its own right, but the specs on offer are also very impressive. Depending on configuration, these promise a factor of 10-20 improvement over previously available secret key rates.
Toshiba’s research pipeline is also notably strong, with the TF QKD protocol invented by its research group in Cambridge promising to extend practical QKD to ‘inter-city’ distances of up to 500km.
Toshiba is targeting a 25% share of what they expect to be a $12b market by 2030. In the UK it has worked closely with BT on successful initial user trials using the commercial market standard Openreach fibre product.
In Europe, the EuroQCI initiative has brought together 25 EU states, the Commission and ESA with the specific aim of building a pan-European secure quantum communication infrastructure. OpenQKD has established 14 testbed centres across Europe to demonstrate use cases. These include core areas such as the telecoms backbone and cloud datacentres, but also thought-provoking applications such as smart grid, e-health and e-government.
How quickly clients can be won over remains to be seen. Quantum Xchange has been trialling its quantum-safe key distribution solutions Phio QK (multi-point QKD) and Phio TX (a drop-in solution offering out-of-band & PQC keys) for the last two years, with a particular focus on the New York financial, telecommunications and government sectors. The company is now leading with Phio TX as its main entry-level offer, reflecting the greater ease of client adoption. QKD keys remain available as an upgrade.
An old argument
Mathematicians and physicists have argued for years over the respective merits of PQC and QKD. The debate was brought into sharp relief in 2020 by much anticipated interventions by the US NSA and the UK NCSC (part of GCHQ). Both were critical of the readiness of QKD to play a role in real-world security systems. The NSA emphasised concerns about the practical vulnerabilities of early QKD systems, while the NCSC appeared to put aside its earlier concerns on practical vulnerability and instead focussed on the question of authentication in the overall protocol stack.
The QKD community has provided a polite public response. But in private many physicists cry foul and point out that these organisations are both stalwarts of the maths-led cryptographic establishment. On the other hand, too many physics-led groups are guilty of overlooking the merits of PQC, itself a great new technology. Unfortunately efforts to simplify the discussion often lead to the comparison of ‘apples and oranges’.
For Fact Based Insight’s detailed analysis of these questions read Quantum Safe Cryptography – the big picture.
Fact Based Insight finds the row ironic. PQC is clearly the preferred option we can adopt now for conventional Internet and ‘normal’ business applications. However PQC and QKD are also clearly complementary in a layered defence when higher levels of enduring security are desired and the business case supports the additional cost.
QKD has the unique appeal that, so long as the initial key formation is not compromised, it cannot be attacked later by any means. Indeed, real-time PQC DS techniques are an attractive fit with QKD for authenticating its classical channel, allowing a well-balanced and flexible overall protocol to be formed while retaining an enhanced enduring security promise.
The debate moves on
More recently the long term technology context has changed in an important way. Government technology programmes have one-by-one realised how central the quest to build the future Quantum Internet is to securing wider economic advantage from the ongoing quantum revolution.
Quantum technology programmes in China and the UK have long emphasised the importance of quantum networking. The EU Quantum Flagship has adopted as its long-term vision ‘building the Quantum Internet in Europe’. In 2019 the US launched its own National Quantum Initiative. In 2020 it was much more specific, launching ‘A Strategic Vision for America’s Quantum Networks’ and then a blueprint strategy for the development of a national Quantum Internet. Most recently the UK government’s strategic spending review singled out investment in quantum technologies for cryptography as a key priority.
The Quantum Internet will come with gold standard QRNG and QKD built in. Anyone failing to exploit the opportunity presented by early QRNG and QKD technology to build their ecosystem risks making an epic blunder.
An entangled world
The fundamental resource of the Quantum Internet is quantum entanglement. Entanglement is at the heart of distributed quantum computing, a key enabler in the quantum revolution. Stephanie Wehner (co-ordinator of QIA a QT Flagship project) also likes to emphasise its more subtle features – maximal coordination (a new frontier for timing and sensing) and inherent privacy (the holy grail of cyber security).
Entanglement is very different to the data packets we are used to. It’s not even the same category of thing. We don’t send it from A to B, we create it between A and B. It can’t be copied and it’s inevitably consumed in use. Many concepts from conventional digital networks won’t carry over.
The key challenge is how to generate entanglement between network nodes on demand. While this was originally a question of scientific enquiry confirming the foundations of quantum mechanics, it has now become a very real engineering challenge: how to extend the range over which entanglement can be shared; how to manage entanglement as a network resource?
Satellite connections by-pass the range limits we face when working with coherent quantum signals in optical fibre networks.
China’s Micius satellite first captured world headlines in 2017 with its world-first demonstration of prepare-and-measure QKD from space. In 2020 improved ground station optics have allowed Micius to demonstrate another world first: entanglement-based QKD between two widely separated ground stations. The secret key rate achieved is a tiny 0.12 bps, but this is still a striking proof-of-principle demonstration.
A new paradigm – This is very different to conventional technology. The magic of quantum entanglement removes the need to trust the satellite (its designer, manufacturer or operator) when establishing a secure key.
Though perhaps obscure to the popular imagination, clock synchronisation is increasingly important in applications as diverse as network operations, financial services and navigation. Existing methods rely on GPS/GNSS signals and are vulnerable to spoofing. China has also used Micius to demonstrate the initial elements of a protocol for satellite-based secure time delivery. Clock synchronisation is seen as an early use case for China’s planned national quantum network.
Quantum communications with a satellite isn’t easy. Current approaches are limited to night-time operation, clear skies and short passes from satellites in low earth orbit. These factors would limit the commercial viability of satellite QKD. China is working to address these problems and a range of satellite projects around the world are now also racing to catch-up.
National quantum technology, space programmes and increasingly international collaboration are helping to accelerate the development of the supply chains necessary to push this technology forward.
SpeQtre (formerly known as QKD Qubesat) – This joint mission between the UK and Singapore is set to get into space in 2021. It builds on the 2020 mission SpooQy-1, which successfully completed an in-orbit test of CQT’s entangled photon source. CQT is itself a product of Singapore’s early investment in quantum sector R&D.
QEYSSat – This Canadian-led mission is due to launch in 2022. The recent UK-Canada quantum technology programme agreement allows for satellite technology co-operation and has enabled a UK consortium to provide a downlink QKD source for this mission, in an initiative led by Craft Prospect and Univ. Waterloo.
SAGA is an ESA planned mission to demonstrate entanglement based QKD, and can expect to build on existing European progress. QUBE (Germany) is due to launch end-2020, and NanoBob (France) now expected to launch 2022. Tight collaboration can be expected from the QT Flagship.
ROKS is an example of a space programme funding the discovery phase for potential further in-orbit demonstration of a QKD downlink in 2022. Partners include Craft Prospect and Fraunhofer.
ViSatQT is another good example of how national programmes help. This UK NQTP ISCF project led by Airbus seeks to establish the technology supply chain and road map for next generation satellite QKD technology. This builds on the previous successful demonstration of low SWaP drone based QKD by Airbus and project partner KETS, plus pulling in other relevant ecosystem startups Nu Quantum, Craft Prospect and SME Archangel Lightworks. That these startups exist to take part, is itself thanks to the previous work of the NQTP.
On the ground
Ground based technology has also been making rapid strides. A notable highlight in 2020 was the demonstration of entanglement sharing as a resource in a multi-node network.
Univ. of Bristol demonstrated an 8 node network with entanglement sharing between any pair of nodes. This is a striking achievement for the UK Quantum Comms Hub, and particularly notable for the leading role played by the engineers, not just the physicists.
UNIQORN, a QT Flagship project, has developed the q-ROADM technology required for flexibly switched SDN entanglement sharing. (Working with the Bristol group, it also provides a practical illustration of how the QT Flagship can add value working alongside national quantum tech programmes such as the UK NQTP.)
Another challenge is extending the range over which entanglement can be shared in optical fibre. This requires a new category of device, a quantum repeater. Such technology has close links to the development of quantum memory and small quantum processors. It is still in its infancy though great strides are being made in technology demonstrations around the world.
QIA, a QT Flagship project, has been spearheading work on multi-node entanglement for quantum repeaters (NV centres in diamond, neutral atoms and trapped ion systems are all being investigated). A recent highlight has been the demonstration of world record entanglement storage & retrieval efficiency (85% using a photon/neutral atom system).
Harvard has demonstrated another precursor technology for quantum repeaters. This uses a silicon-vacancy diamond device. The diamond memory allows the secure relay of the quantum state (in this case used to extend the range of an MDI-QKD experiment).
The seed point of the nascent US Quantum Internet, the Argonne Quantum Loop is a 52 mile entangled photon testbed. This has been used to demonstrate a combination of Qubitekk’s rack mounted entangled photon source and Quantum Opus’ single photon detectors. Qubitekk are unique among current QKD entrants in seeking to commercialise an entanglement-based QKD system.
Beyond the ordinary
Realising a true Quantum Internet is still a long, long way off. However, as with the conventional Internet, choices and standards built-in at the start may end up having long term influence. Understanding the future use cases now may help us make better decisions. Interesting long term work is already in progress.
Blind quantum computation – Work at the Univ. of Boston points to a new ‘succinct’ protocol. This promises to significantly simplify the quantum state required to be sent from the client. The ability to perform computations on the cloud without allowing others (even the operator of the server) to know anything about what you are calculating is set to be even more important in the quantum era.
One-time programs – UNIQORN has completed a proof-of-principle demonstration of probabilistic one-time program execution. The conventional Internet is great at disseminating content, but not so good at protecting IP. This quantum protocol hints at a new suite of tools with potential application in software licensing, one-time delegation and electronic voting.
Hand-held devices – The UK Quantum Comms Hub has been developing technology for consumer ‘ATM style’ QKD devices. This has now been demonstrated in ‘hand held’ format allowing contactless transfers of the quantum information via LiFi. This is an enabling technology to bring the Quantum Internet right into future smart devices. Applications include secure contactless payment, access control and digital signatures.
Tim Spiller (Director EPSRC Quantum Comms Hub) summarises the overall perspective “At the very shortest distances quantum communications need to be hand-held for flexibility; around and between cities fibre networking can be leveraged; and for the very longest distances satellite links are required. A future worldwide Quantum Internet will need to combine all these”. It’s no wonder that Spiller’s programme is working at all these scales. Increasingly others are too.
Many would like to anticipate the killer use-cases for the Quantum Internet. History teaches us only that these won’t be something we’ve thought of yet…but that our children will think are obvious.
To watch in 2021
- NIST PQC Round 3 – Expect a single DS and KEM for Internet and general use to emerge. Both will be based on structured lattice based cryptography. Expect the process to remain on track for draft standard in 2022.
- NIST PQC Round 4 – Watch out for further details of an additional round of NIST evaluation. Protocols on NIST’s list of alternative candidates may emerge for future standardisation against specialist strong PQC use cases.
- QRNG smart phones – Will this grow beyond a specialist feature for niche users? If it proves a low-cost add-on and an attractive marketing point to a wider audience it could prove to be the first big breakout success of the quantum economy era.
- QRNG features – In the wider QRNG market expect to see competition on usable entropy rate (currently QuintessenceLabs qStream leads with 1Gbps); on SWaP (KETS has dev boards available for its chip scale solution); and increasingly on verification (CQC point to the self-verification features of its Ironbridge offering). IDQ retains first mover advantage in this market segment. Customers need to know a QRNG device does what it claims. Watch out for assurance testing.
- Blue-chip QKD – Big names such as Toshiba, SK Telecom, BT, Deutsche Telekom, Telefónica, Orange and Verizon are increasingly active in commercialising this technology. Watch out for real progress on commercial penetration.
- CV QKD systems are also now available from XT Quantech and QuintessenceLabs with their own unique benefits. Watch out for future generations of this technology coming down the line: TF QKD, MDI QKD and more advanced entanglement based approaches.
- Chinese Satellite QKD – China’s next QKD first is set to be a satellite-to-ship demonstration. Watch out for what this tells us about ground station deployability. Watch out as details emerge on China’s plan for a constellation of QKD satellites. An initial vision is of a network of 3-5 QKD Nanosats serving 100+ clients within 5 years.
- Satellite QKD pack – Watch the progress unfold: QUBE (Germany) due to launch end-2020. SpeQtre (formerly QKD Qubesat, UK & Singapore) due to launch 2021. NanoBob (France) now expected to launch 2022. QEYSSat (Canada & UK) is due to launch 2022. ROKS discovery phase funded for potential in-orbit test of QKD downlink in 2022.
- ESA SAGA – Watch out for emerging details of ESA’s planned mission to demonstrate entanglement based QKD.
- NASA entangled – Will NASA announce a satellite-based entanglement distribution project?
- OpenQKD testbeds – 14 centres across Europe, from Madrid to Geneva to Poznan are hosting testbeds for QKD fieldtrials and user engagement. Watch out for eye-catching demonstrations and signs of user engagement.
- Ground-based entanglement – Bristol intend to demonstrate a 19 node fully entangled network over a 100km x 30km area. Watch out for this to feel like engineering rather than physics.
- Argonne loop – Set to be the seed point for the US national quantum network. Watch out for its initial extension to Fermilab and what this may tell us about timescales for its rollout across all of the DOE’s 17 national labs.
- Quantum Internet simulators – Watch out for tools from QIA and Aliro Quantum that help us simulate, understand and therefore plan future quantum networks.
- Quantum Blockchain simulator – Startup Quantum Blockchains is targeting the creation of next generation distributed ledger technology. Still some way off, watch out for an initial simulator product that allows potential partners to explore what this technology could offer. Quantum tech could offer new solutions to the traditional blockchain trilemma.
- Patent EP 2537284 – Via CNRS, the French government owns a patent that broadly impacts structured lattice based PQC protocols. Expect NIST and CNRS to cut a deal to remove any economic impediment to the adoption of new PQC protocols.
- Structured Lattice-Based crypto – It’s great that this family of protocols can provide ‘drop-in’ replacements for current Internet security. However, it’s disconcerting that the NIST PQC process has not been able to identify any alternatives outside this family for use as general purpose PQC digital signatures. The additional ‘structure’ in these lattices allows them to have relatively small key sizes, but it is also a potential security vulnerability. Any hint of an exploit for such structure would be very disruptive.