The world needs better cyber security, more so now than ever because of the current threat posed by future quantum computers. A wealth of new techniques are emerging to meet the diverse needs of users. However, to fully appreciate the emerging competitive dynamics and government actions in this sector, we also have to understand the long-term technological revolution that many believe will one day lead to the creation of the Quantum Internet.
Our digital world is already under siege from a host of bad actors. These existing threats are now joined by one on a completely different level. When a large enough quantum computer is available, we know it will be able to break the current public key cryptography on which Internet and corporate network security depends. Worse, data intercepted and stored today is already vulnerable to decryption by this future adversary.
Much activity is underway worldwide to address this threat, including the new maths-based quantum-resistant protocols of PQC, and the physics-based approaches of quantum cryptography, especially QRNG and QKD. New technology is also reinvigorating the traditional technique of out-of-band key delivery.
However, quantum communications ultimately promises many other benefits. Once we can reliably share quantum entanglement between remote locations, we know how to use this to radically extend the power of quantum computers and to offer other novel capabilities.
In parallel, nanosatellite technology is opening up new horizons for cyber security solutions and challenges. In the longer term, space-based distribution promises to accelerate the realisation of entanglement networking and to blur the distinction between traditional use cases.
To appreciate the challenges and commercial opportunities we have to understand the interplay between these three deep tech segments – cryptography, quantum technology and space. Fact Based Insight believes their relationship is profoundly synergistic.
An immediate threat
Eric Schmidt (former Google CEO) puts it succinctly – “I STRONGLY RECOMMEND business should act now. We know that foreign powers are already busy recording everything, and it is their plan, 10 years from now, to decrypt everything”.
Q-day – The most authoritative survey of expert opinion on when a future quantum computer will be able to threaten current cryptographic protocols is published by Michele Mosca and the Global Risk Institute.
Where businesses need a single ‘reasonable worst case’ date to prepare against, Fact Based Insight continues to suggest 2027, which builds in the possibility of a nation state undertaking a ‘Manhattan style’ project. It’s important to note though that a more likely date is 2035 or beyond.
For a specific review of hardware status also read Quantum Hardware Outlook 2022.
It’s important to realise that this threat is of a completely different scale and nature to the day-to-day cyber security threats we normally face. A systemic failure of our cyber security would be unprecedented. Failure to prepare is likely to be viewed increasingly dimly both by sector regulators and by insurance underwriters.
Fact Based Insight apologises in advance to companies where we do not use terminology in the same way as in their marketing material. It has become a significant issue across the sector that market-oriented communications are using, stretching and in some cases abusing technical words. Potential clients are confused. This article continues our efforts to place different techniques in context.
Crypto Jargon – A fully deployed crypto system is complex. However, a useful high-level model has four principal components: Entropy, Authentication, Key Agreement, and Message Encryption. See illustrative examples below:
| Case | Entropy Source | Authentication | Key Agreement | Message Encryption |
|---|---|---|---|---|
| Internet Today | Hash DRBG | RSA 2048 | ECDH 256 | AES 128 |
| Full PQC | CSPRNG | PQC DS | PQC KEM | Symmetric |
| QRNG PQC | QRNG | PQC DS | PQC KEM | Symmetric |
| In-Band QKD | QRNG | PQC DS | QKD | Symmetric |
Post-Quantum Cryptography reaches an inflection point
Development of new maths-based cryptographic protocols thought to be resistant to quantum attack has been underway since 2006. Since 2016 NIST has been leading an evaluation process focussed on standardising new quantum-resistant digital signature (PQC DS) and key encapsulation mechanism (PQC KEM) protocols.
NIST PQC process – Round 1 evaluated 69 candidates of which 21 were broken or significantly attacked. Round 2 carried forward 26 candidates of which 8 suffered attacks (some complete breaks, some minor). Round 3 has completed the evaluation of 7 finalists, one suffered a significant attack. NIST is expected to announce early in 2022 which protocols will be used as the basis of new standards. Drafts are due to be posted for public comments in 2022 and finalised in 2024.
KEM/Public-key encryption finalists: NTRU, CRYSTALS-KYBER, SABER and Classic McEliece. The first three are structured lattice based schemes, offering a good security/performance trade-off making them suitable as a replacement for Internet security. NIST will finally standardise just one of these. Classic McEliece has a very different profile offering very short ciphertext size but incredibly long public keys (262 kilobytes!). Importantly it is a completely different code-based scheme that has survived attack for over 30 years.
Digital Signature finalists: FALCON, CRYSTALS-DILITHIUM, Rainbow. Again, the first two are structured lattice based schemes, and NIST will finally standardise just one. Rainbow, a multivariate scheme, increases the diversity of finalists though very large key sizes make it unsuitable as a general purpose algorithm. Rainbow suffered another blow when work from KU Leuven reduced its ostensible security, forcing its authors to adjust their parameters.
Alternative KEM candidates: BIKE is an efficient structured code-based scheme and a potential backstop for the Internet if structured lattice based schemes fail. HQC is another code-based scheme with worse performance but possibly stronger security. SIKE is isogeny based and has good bandwidth properties, but high processing overheads. NTRU Prime is a structured lattice based scheme, but one that depends on a different structure assumption (notably avoiding decryption failures and cyclotomics). FrodoKEM is an unstructured lattice based scheme, suffering a big performance hit but offering a very strong security promise.
Alternative DS candidates: GeMSS is another multivariate based scheme and has also been affected by security concerns. Picnic is a symmetric crypto based scheme offering much stronger security. SPHINCS+ is another symmetric hash-based scheme, offering perhaps the strongest PQC signature of all.
While most would now prefer a quick and clean end to the selection process, this remains a difficult balancing act for NIST.
Structured lattice crypto has long been seen by many as a leading contender in the NIST process. By design it is a trade-off between security and performance. The NIST process has weighed these requirements and any schemes selected will almost certainly form the core of future routine security deployments.
Lattice-based Cryptography – First introduced in 1996, this family of techniques is based on the computational difficulty of problems defined on lattices. In its strongest implementations security proofs can show their equivalence to the worst-case hardness of the shortest vector problem. This reduces to solving the hidden subgroup problem for the dihedral group, for which there is no known efficient classical or quantum attack.
Structured Lattices – To fit into the performance requirements for most routine deployments (Internet and normal business use) cryptographers are typically proposing the use of ‘structured’ lattices. These trade off theoretical security to reduce key sizes and improve processing speeds.
Some prominent voices have flagged concerns, pointing out that those not close to the process may not understand the true balance of risk.
The NTRU Prime team (a protocol on the NIST ‘alternative’ list) have been forthright in their views “The lattice-based KEMs under consideration within the NIST PQC Project are much more risky than commonly acknowledged”. The NTRU Prime team point to the specific defensive advantages of their approach (a different type of structured lattice).
Other voices point out that the NTRU Prime team isn’t a neutral party. The question that weighs most heavily with Fact Based Insight is how much the NIST process has been able to stimulate genuine quantum cryptanalysis. Most of the attacks that have succeeded have been due to innovation with classical approaches (for example saturation, sieving, minrank). It’s understandable that these have been the first angle to address, but it’s a limitation on what it’s been possible to achieve.
Arguments over patent rights are also playing an unduly large role in the final selection process. This is an issue where feelings often run high in the community.
Patents – CNRS, the French National Centre for Scientific Research, continues to assert that two NIST structured lattice finalists, Kyber and SABER, fall within the scope of its patents (US 9094189B, EP 2537284). The Kyber and SABER teams (themselves both with French leadership/strong participation) dispute this claim on mathematical grounds. However, the question isn’t about the maths, it’s about how a future patent court might rule, a legal rather than a scientific question.
Negotiations between NIST and CNRS to settle this matter have stalled over cost. A casual business observer might expect an easy negotiated resolution. However anyone familiar with the PQC Forum will know that feelings run high over these matters in the crypto community, the vast majority of whose work has been supplied IP-free into this process. Some go as far as to argue that paying anything to CNRS would set a bad precedent, particularly as they feel that the patent does not apply on technical grounds. Ironically, it’s two French-heavy entries in the NIST process that stand to lose most. A letter signed by 60 members of the community has been sent to CNRS asking it to change its position.
The bottom line is that any uncertainty over potential future litigation would be a big barrier for commercial deployments. A more subtle issue is that if NIST’s final selection is seen to be completely driven by non-technical concerns, it may undermine its support in the community. An idea popular with some is to standardise multiple structured lattice KEM approaches.
Fears of backdoors – Few think NIST would knowingly approve a protocol with a backdoor or known vulnerability. But how easily might the intelligence community (NSA, GCHQ, DGSE or others) have manipulated the process, or simply failed to share knowledge of a secretly known vulnerability? Many believe this has happened in the past, though NIST has since significantly strengthened its processes.
Dustin Moody (NIST) emphasises “NIST alone is making the decision and has kept the NSA out of our standardization process. We accept comments from them, as we accept comments from any important stakeholder.”
Fact Based Insight just doesn’t see what more NIST could realistically have done. How much you weight this concern probably correlates with other aspects of your worldview. China has already run and completed its own PQC selection process.
In reality all of the groups involved in these arguments believe in the great potential of lattice crypto. How are we to judge the status of the community’s work?
A crypto old-hand, not directly involved in a PQC submission but with long experience in government intelligence, comments “The PQC debate has a number of vocal players. Some of the data presented has been self-serving in my opinion. I believe NIST sees through it all. That said, they will have to justify their decisions based on the community submissions and reports, not their internal opinions.”
Fact Based Insight believes that everyone needs to draw a line under the lack of civility that has been on display in the PQC Forum. Disunity risks confusing the business community and slowing adoption of a great technology. Fact Based Insight believes NIST has run a difficult process well, and to a challenging schedule. It’s long been clear that NIST’s decisions would have to trade off risk for implementability and the ability to move to migration in good time. We believe business should have confidence in following its recommendations.
Diversity of problem class matters
Corporate users seeking strong PQC with different performance trade-offs will have to wait longer for additional PQC standards to be forthcoming. The continued evaluation of alternatives in NIST’s PQC Round 4 will help to plug this gap.
Diversity matters because this is still a developing field. If a future weakness is discovered in one protocol or family of protocols we need alternatives ready to hand.
We can count on structured lattice crypto now forming the base of a new generation of Internet security standards. It’s very much a positive that, despite early fears, we have protocols that can function in this way. However, it should be noted that this ‘best case’ outcome depends on a relatively narrow path.
A specific concern is that there is still no general-purpose Internet-compatible alternative to digital signature schemes based on structured lattices. This represents a potential single point of failure with respect to novel quantum or conventional attacks. NIST has confirmed that it will release a call-for-proposals to the PQC community seeking specifically to fill this gap.
Migration is an even bigger challenge
Businesses must naturally show caution in rolling out any of these new approaches before formal standards are complete. Nevertheless, knowledge of the protocols selected for standards documentation is set to be an inflection point for activity.
The internet is a wild and diverse place. Not all protocols and hardware, especially old hardware and old applications, will function smoothly with the new larger key sizes and processing overheads required. Migration preparation and testing will be a challenging concern for many companies. For the ever-growing profusion of IoT devices there will remain a dangerous temptation to postpone action on security performance in favour of lower weight and power options.
The NIST NCCoE has now initiated a ‘Migration to PQC’ project to help companies plan and execute this transition. This is itself a crucially important step. The majority of hacks today attack vulnerabilities in the implementation not the underlying protocols. A rushed or ill thought through migration to quantum safe protocols could actually worsen this situation.
Overall our understanding of crypto security has moved on in the last twenty years. Rather than a destination, we now more clearly realise that security is a journey. Most companies will put crypto agility at the heart of the systems they now want to build.
Crypto boom time – PQC migration activities promise to be great business for cybersecurity service providers.
Majors such as IBM, Microsoft and Atos have been closely involved in the NIST PQC process. A number of specialist companies have positioned themselves to help with implementation of algorithms in the NIST suite, including PQShield, PQSecure, CryptoNext, ISARA and others.
Quantropi offers its own proprietary PQC solution QiSpace. This includes MASQ, its own multivariate PQC KEM, and its proprietary ‘quantum permutation pad’ technology. This is inspired by the structure of quantum calculations but implemented on classical processors. It is used as the basis for its symmetric encryption QEEP, and to provide pseudo-QRNG.
Business adopters planning to start work on their post-quantum migration strategies may wish they had begun to act sooner. Expert resource is a scarce commodity and is set to become more so.
Quantum Cryptography offers a growing toolset
Quantum technology also offers new tools for cybersecurity. This includes helping meet the threat posed by future quantum computers, but also more commonplace current threats. As we shall see later, it also promises new future-oriented capabilities.
To understand these possibilities, we will have to look at the unique properties offered by quantum randomness, how this is enabling new out-of-band crypto solutions and the additional unique promises of quantum key delivery. We’ll see that in its strongest use cases, quantum cryptography doesn’t seek to compete with conventional maths-based cryptography, but instead to complement and enhance it.
Quantum randomness is a big deal
Random numbers are a basic building block for all crypto systems. They also find use in gaming and data science applications. Conventional systems typically use maths-based pseudo random number generators combined with some hardware randomised seed value. Quite separately from any future threat from quantum computers, vulnerabilities in these algorithms or their implementations have been a recurring theme. Famous examples include vulnerabilities in Taiwan’s ‘citizens smart card’ database and the Reductor malware attack. A significant proportion of RSA digital certificates in use across the Internet today are thought to be vulnerable to attack in this way.
Entropy bulls argue that upgraded randomness is a useful and cost-effective enhancement in its own right. It’s also a timely issue to address as part of a wider quantum safe migration strategy. The most security conscious also note that the security proofs for lattice crypto protocols place significant weight on high quality randomness as a basic input. Bears argue that there are other priorities and question how the case to spend extra money can be made.
Quantum Randomness – random measurement outcomes are intrinsic to quantum mechanics. Indeed, quantum systems are the only things we know in nature that exhibit true randomness.
Basic QRNG devices are an early revenue opportunity for many quantum sector players. A range of devices have reached the market. These typically offer increased performance over other sources of physical randomness, as well as an improved underlying promise that their outputs are truly random.
IDQ, QuantumCTek and QuintessenceLabs all market slot mounted QRNG solutions. Startup Quside is marketing an FPGA based product. KETS has emphasised the demonstration of its prototypes in low SWaP environments. Toshiba has demonstrated an impressive random number rate of 4 Gbps from its new integrated crypto chip.
IDQ have been an early leader in miniaturised QRNG for embedded applications. SK Telecoms has sold over 450,000 Samsung Galaxy A Quantum smart phones, containing IDQ’s Quantis QRNG chip. This success has been followed up by the launch of the updated Samsung Galaxy Quantum 2. The Quantis-enabled Vsmart Aris 5G is being marketed in the US. Quantis is also finding its way into a number of embedded applications, including use alongside PUF chips for IoT authentication.
QuantumCTek and China Telecom have also piloted a ‘quantum encrypted’ mobile phone solution. While media reports seem to overstate the technology deployed, Fact Based Insight speculates that this is based on sim-distributed quantum random numbers and a symmetric crypto based smartphone app.
In the first wave of QRNG implementations we must trust the manufacturer that their chip is doing what they say it is. As a minimum, industry adopters expect recognised assurance and certification processes. ITU-T X.1702 is an initial recommendation (some would say more a basic definition) for QRNG architectures. The UK NPL is leading AQuRand, a UKRI funded project to define assurance processes for QRNGs. However the QRNG market is beginning to look crowded (there are seven commercial participants in the UK project alone). Competitive differentiation on size, weight, power, random bit rate and cost will also be joined by differentiation on more advanced features.
Advanced protocols – Quantum randomness is not a loose concept. We can carry out real-time statistical tests to verify that a device is behaving in a uniquely quantum way (for example violating Bell’s inequalities). This opens the door for quantum devices to self-certify that they are producing true quantum randomness. More advanced protocols can enable the operator to certify the quantum random numbers at time of use (so they don’t need to trust the device manufacturer). In its fullest form we may be able to conduct protocols remotely and openly, to form publicly certified quantum random numbers.
X.1702 identifies two classes of QRNG device based on how delivery of the specified entropy is verified: QES1 – by monitoring that implementation imperfections are within tolerance; QES2 – by measuring the signature of a quantum process. The latter case, a continuous self-certification of quantum randomness, is a significantly more stringent test.
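To make the QES2 idea of "measuring the signature of a quantum process" concrete, here is an added Python simulation of the CHSH form of a Bell test. It is not from the original article and is not any vendor's protocol. It compares an idealised singlet-state source against a classical source whose outcomes are fixed in advance by a shared hidden variable, and accepts only the source whose statistics exceed the classical bound. The measurement angles, the two source models (`singlet_outcomes`, `local_hidden_variable_outcomes`) and the acceptance margin are constructed for illustration; the simulation ignores noise, detector loss and the loopholes a real self-certifying device has to close.

```python
import math
import random

# Measurement angles (radians) that maximise the CHSH violation for a singlet
# state: Alice chooses between a and a', Bob between b and b'. Constructed example.
ALICE_SETTINGS = (0.0, math.pi / 2)
BOB_SETTINGS = (math.pi / 4, 3 * math.pi / 4)


def singlet_outcomes(a, b, rng):
    """Idealised quantum source. Two spin-1/2 particles in a singlet state are
    measured at angles a and b; the correlation is E(a, b) = -cos(a - b), so
    P(A == B) = (1 - cos(a - b)) / 2. No noise or detector loss is modelled."""
    alice = rng.choice((-1, 1))
    same = rng.random() < (1.0 - math.cos(a - b)) / 2.0
    bob = alice if same else -alice
    return alice, bob


def local_hidden_variable_outcomes(a, b, rng):
    """Classical stand-in for a device that only pretends to be quantum: both
    outcomes are pre-determined by a shared hidden angle lam, so the statistics
    satisfy Bell locality and can reach |S| = 2 but never exceed it."""
    lam = rng.uniform(0.0, 2.0 * math.pi)
    alice = 1 if math.cos(a - lam) >= 0 else -1
    bob = -1 if math.cos(b - lam) >= 0 else 1
    return alice, bob


def correlation(source, a, b, trials, rng):
    """Estimate E(a, b) = <A * B> from repeated runs of the source."""
    total = 0
    for _ in range(trials):
        alice, bob = source(a, b, rng)
        total += alice * bob
    return total / trials


def chsh_value(source, trials=20000, seed=1):
    """CHSH statistic S = E(a,b) - E(a,b') + E(a',b) + E(a',b').
    Local hidden variable models obey |S| <= 2; quantum mechanics allows up to
    2*sqrt(2) ~ 2.83 (Tsirelson's bound), which the singlet source approaches."""
    rng = random.Random(seed)
    a, a2 = ALICE_SETTINGS
    b, b2 = BOB_SETTINGS

    def e(x, y):
        return correlation(source, x, y, trials, rng)

    return e(a, b) - e(a, b2) + e(a2, b) + e(a2, b2)


def certifies_quantum_randomness(source, margin=0.2, **kwargs):
    """QES2-style acceptance test: the source is accepted only if its measured
    statistics violate the classical bound by more than a finite-sample margin.
    The margin value is an assumption of this example."""
    return abs(chsh_value(source, **kwargs)) > 2.0 + margin


if __name__ == "__main__":
    print("singlet source   S =", round(chsh_value(singlet_outcomes), 3))
    print("classical source S =", round(chsh_value(local_hidden_variable_outcomes), 3))
```

In a real device the four correlations are estimated from coincidence counts between the two detectors rather than from a formula, and the statistic has to be tracked continuously so that a drift back towards the classical bound (a failing source, or one being driven by an adversary) is caught at time of use.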
Cambridge Quantum’s SaaS product, Quantum Origin, is the first QRNG offering to implement strong QES2-style entropy verification. Formerly known as Ironbridge, Cambridge has demonstrated its integration with the IBM Key Protect suite as a source of cryptographic keys and more recently conducted a proof-of-concept PQC VPN deployment with Fujitsu and quantum safe blockchain with IDB Lab and Tec de Monterrey. Quantum Origin currently runs on Honeywell H-series quantum computers, but can run on any general-purpose quantum computing hardware. (Cambridge and Honeywell have just completed their merger to form Quantinuum).
A quantum computer may seem like a very expensive way to produce random numbers. However entropy verification is a valid differentiator for gold-standard applications. The future of this type of service will likely be specialised low-cost dedicated devices, but those are not yet in production. This service is available now.
New entrant Quantum Dice has plans to pursue a chip-scale solution, emphasising the advanced self-certification offered by its DISQ protocol. Anametric are also well positioned here. Fact Based Insight expects them to emphasise an advanced protocol approach specifically tailored to the needs of PQC. Other entrants we can expect to hear more from include Nu Quantum and Quaid.
QRNGs are often underappreciated as a leading quantum technology. But this is changing. Lawrence Gasman (President of Inside Quantum Technology) points out that a quantum chip finding its way into a ubiquitous consumer device such as a mobile phone is a massive deal for the whole sector. Equally, the ability to add value to quantum random numbers via private and perhaps even public certification may be one of the first true commercial applications for specialised quantum computers.
Out of band key delivery
If I don’t want to trust public key infrastructure, a natural alternative is to find some other way to deliver shared secret keys across locations.
TLS handshake – the Internet (and much corporate security) is currently built on the TLS handshake. This uses public key infrastructure to authenticate users and allow them to agree a shared secret key. For convenience and flexibility this is all done ‘in-band’, within the same communications channel over which data will be sent.
On the other hand, if I deliver keys ‘out-of-band’, that is separately to the communications channel that will be used for data, then I have significantly complicated the challenge for any attacker, and in particular for harvest-now-decrypt-later attacks.
Out-of-band key delivery is nothing new in high security applications (think of hard drives full of random numbers being delivered in diplomatic briefcases). Modern technologies are offering new ways to make this process much more efficient. Out-of-band solutions do not have to use techniques from quantum cryptography. However, in the wave of new solutions now reaching market we are often seeing their incorporation, either now or as a future upgrade path option.
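As an added illustration of the in-band versus out-of-band distinction just described (constructed for this article, not part of the original text or of any product it mentions), the following Python compares what a recorded transcript yields to an adversary who can later break the public key primitive. The "public key" step is a deliberately tiny Diffie-Hellman group modulo 65537, chosen so that brute force stands in for the future quantum attack; an HMAC-SHA256 keystream stands in for AES; all function names, the group parameters and the sample message are assumptions of the example.

```python
import hashlib
import hmac
import random

# Toy group (constructed for illustration, far too small for real use).
# 65537 is the Fermat prime F4 and 3 is a primitive root modulo it.
P = 65537
G = 3


def toy_dh_keypair(rng):
    """The public key primitive a future quantum computer is assumed to break."""
    secret = rng.randrange(1, P - 1)
    return secret, pow(G, secret, P)


def toy_dh_shared(secret, peer_public):
    return pow(peer_public, secret, P)


def derive_key(shared_material: bytes) -> bytes:
    return hashlib.sha256(shared_material).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric layer: HMAC-SHA256 in counter mode used as a keystream
    (a stand-in for AES; XOR with the keystream both encrypts and decrypts)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(c ^ k for c, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def in_band_session(plaintext: bytes, seed=1):
    """TLS-style: key agreement travels on the same channel as the data, so a
    passive recorder captures the public values and the ciphertext together."""
    rng = random.Random(seed)
    a_secret, a_pub = toy_dh_keypair(rng)
    b_secret, b_pub = toy_dh_keypair(rng)
    key = derive_key(toy_dh_shared(a_secret, b_pub).to_bytes(4, "big"))
    assert key == derive_key(toy_dh_shared(b_secret, a_pub).to_bytes(4, "big"))
    return {"a_pub": a_pub, "b_pub": b_pub, "ciphertext": keystream_xor(key, plaintext)}


def out_of_band_session(plaintext: bytes, seed=1):
    """Key delivered by some other route (courier, QKD, QRNG beacon): the data
    channel carries only ciphertext. The key is returned here to represent the
    copy both parties already hold off-channel."""
    rng = random.Random(seed)
    key = bytes(rng.getrandbits(8) for _ in range(32))
    return {"ciphertext": keystream_xor(key, plaintext)}, key


def toy_discrete_log(public):
    """Stands in for the future attack on the key agreement: recovers the secret
    exponent by exhaustive search, feasible only because the group is tiny."""
    for x in range(1, P - 1):
        if pow(G, x, P) == public:
            return x
    raise ValueError("no exponent found")


def harvest_now_decrypt_later(transcript):
    """What a stored transcript gives an adversary once the key agreement can be
    broken: the plaintext for an in-band session, None when the transcript
    carries nothing the session key depends on."""
    if "a_pub" not in transcript:
        return None
    a_secret = toy_discrete_log(transcript["a_pub"])
    key = derive_key(toy_dh_shared(a_secret, transcript["b_pub"]).to_bytes(4, "big"))
    return keystream_xor(key, transcript["ciphertext"])


if __name__ == "__main__":
    msg = b"constructed sample message: board minutes, embargoed"  # constructed
    print("in-band transcript recovers:", harvest_now_decrypt_later(in_band_session(msg)))
    transcript, _key = out_of_band_session(msg)
    print("out-of-band transcript recovers:", harvest_now_decrypt_later(transcript))
```

The point the example isolates is that the symmetric layer is identical in both runs; what changes is whether the recording contains material from which the key can later be derived. Out-of-band delivery does not remove the need to protect the delivery route itself, which is why the solutions below place so much weight on how that route is secured.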
Quantum Xchange has been an early mover, actively marketing its Phio TX solution for the on-demand distribution of out-of-band keys which are ephemeral (no key storage is required). The Phio TX Hive supports various delivery mechanisms including a cloud-based VPN. It can be implemented now using only techniques from conventional cryptography; however it also offers an upgrade path for multiple future quantum cryptographic options. Quantum Xchange emphasise that such logical decoupling and flexibility is necessary for full future crypto agility. They have successfully completed a proof of concept installation with Verizon, and a satellite-based demonstration linking a marine vessel and high sensitivity locations in US and Australia.
In a field where maths-based and physics-based cryptographers have often seemed at loggerheads, this area has also seen notable direct innovation on hybrid systems. These combine physics-based QRNG with advanced maths-based techniques that promise to distribute secretly shared random numbers at scale globally.
Qrypt leverage a mesh of QRNG beacons (selected to be more geopolitically disparate than any one authority could compromise). The BLAST protocol allows any two clients to secretly agree shared segments of these random numbers to securely extract shared random numbers. This agreement protocol is simple enough that it can be mediated by the most secure PQC available (for example, Frodo KEM). But it can also generate a large volume of key material allowing it to provide practical support even for OTP encryption. Because these random numbers are formed at a different time and via different channels to later data transmission, harvest now decrypt later attacks are rendered significantly more difficult.
Arqit proposes a network of satellites to distribute shared quantum random numbers via a quantum-downlink between any two ground stations. Symmetric cryptography protects the reconciliation of these numbers into cryptographic keys. Crucially the random numbers never pass over the terrestrial channel, and so delivery is fully out-of-band and also protected by the physical quantum properties of the downlink. Arqit’s QuantumCloud orchestrates the use of these keys to protect data centre and user end-point nodes in a network protected by fully symmetric crypto. Clients can explore a terrestrial implementation of the system now. The first satellites are expected to launch in 2023.
The FVEY partners are investigating the potential of a private instance of Arqit’s system, the Federated Quantum System, to meet their requirements. Interest from several NATO-aligned governments was announced at the 2021 G7 meeting in Cornwall UK. These include the US, UK, Japan, Canada, Italy, Belgium and Austria. This builds on the work that Arqit has been doing on wider quantum cryptography applications supported by UKRI.
Security and innovation are not easy bed-fellows. Early adopters should look for references to established and coming standards (e.g. NIST); publication of protocols and security proofs in reputable journals/repositories (e.g. IACR); proof of concept demonstrations at blue-chip clients, particularly where the involvement of national programmes and or national labs have allowed independent expert engagement.
Quantum key distribution reaches maturity
Quantum technology can also be used to provide a quantum channel between two locations. The non-classical properties of quantum signals can be exploited to provide new tools for secret key distribution.
Quantum channel – QKD can be implemented as an in-band or out-of-band solution. In either case its unique security claims are based on the fact that quantum states cannot be cloned. An eavesdropper simply cannot copy and store a quantum signal without being detected.
P&M QKD – in its simplest ‘prepare-and-measure’ form, QKD depends only on quantum uncertainty and the principle of quantum superposition. This allows a security guarantee completely different to that offered by conventional maths-based systems. Real world systems may still have vulnerabilities. However, the no-cloning theorem means that QKD can only be attacked in real time during transmission, and so it can be used to provide a uniquely enduring security promise. Almost all commercial QKD systems available today implement some variation of this technique.
Entanglement QKD – the most advanced forms of QKD directly employ quantum entanglement. This allows us to significantly increase the security promise by removing the trust we must place in the manufacturer and operator of intermediate equipment.
Security proofs – a subtle advantage of QKD over many other types of physical layer defence is the degree to which its security can be formally and mathematically analysed. In its strongest implementations, QKD can be shown to offer information theoretic security.
Trusted nodes – we don’t yet have robust quantum repeaters to extend the range of natively-quantum signals. We therefore rely on trusted nodes to act as relays, a potential weak point in the security.
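The detection claim in the quantum channel and P&M QKD items above, as an added simulation in Python (constructed here, not taken from the article or from any vendor's system): BB84 key sifting with and without an intercept-resend eavesdropper, showing the error rate the legitimate parties see in each case. The `(basis, bit)` tuple standing in for a photon, the 11% abort threshold (the usual figure quoted for BB84 with one-way post-processing) and the function names are assumptions of the example; real systems must also budget for channel noise and detector imperfections before deciding whether an observed error rate indicates an attack.

```python
import random

BASES = ("+", "x")  # rectilinear and diagonal measurement bases


def prepare(bits, bases):
    """Alice encodes each bit as a qubit in the chosen basis. A photon is
    simulated as a (basis, bit) pair; nothing in the protocol is allowed to
    read this pair directly, only measure() may touch it."""
    return list(zip(bases, bits))


def measure(qubit, basis, rng):
    """Measuring in the preparation basis returns the encoded bit. Measuring in
    the other basis returns a uniformly random bit and the original state is
    lost: this is the quantum uncertainty the security argument rests on."""
    prep_basis, bit = qubit
    if basis == prep_basis:
        return bit
    return rng.choice((0, 1))


def intercept_resend(qubits, rng):
    """An eavesdropper who cannot copy the photon (no-cloning) can only measure
    it in a guessed basis and re-send what she saw. Half her guesses are wrong,
    and each wrong guess disturbs the state Bob receives."""
    resent = []
    for qubit in qubits:
        basis = rng.choice(BASES)
        resent.append((basis, measure(qubit, basis, rng)))
    return resent


def bb84(n, eavesdrop, seed=7):
    """Run one BB84 exchange of n qubits and return (qber, sifted_length):
    the quantum bit error rate over positions where Alice and Bob happened to
    use the same basis, and how many such positions there were."""
    rng = random.Random(seed)
    alice_bits = [rng.choice((0, 1)) for _ in range(n)]
    alice_bases = [rng.choice(BASES) for _ in range(n)]
    qubits = prepare(alice_bits, alice_bases)
    if eavesdrop:
        qubits = intercept_resend(qubits, rng)
    bob_bases = [rng.choice(BASES) for _ in range(n)]
    bob_bits = [measure(q, b, rng) for q, b in zip(qubits, bob_bases)]
    # Sifting: Alice and Bob publicly compare bases (not bits) and keep only
    # the positions where they agree.
    sifted = [
        (a, b)
        for a, b, ab, bb in zip(alice_bits, bob_bits, alice_bases, bob_bases)
        if ab == bb
    ]
    errors = sum(1 for a, b in sifted if a != b)
    return errors / len(sifted), len(sifted)


def channel_is_trustworthy(qber, threshold=0.11):
    """Abort rule: above roughly 11% QBER no secret key can be distilled from a
    BB84 run with one-way post-processing, so the parties discard the block.
    Intercept-resend of every qubit pushes the QBER to about 25%."""
    return qber <= threshold


if __name__ == "__main__":
    for eve in (False, True):
        qber, kept = bb84(20000, eavesdrop=eve)
        print(f"eavesdropper={eve}: sifted={kept} QBER={qber:.3f} "
              f"accept={channel_is_trustworthy(qber)}")
```

Two things the simulation makes visible that the prose states abstractly: the eavesdropper is detected by statistics on a sample of the key, not by any signal she emits, and the detection happens during the exchange, which is why an attacker who only records the channel gains nothing to work on later.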
In the past, the main disadvantages of QKD were the relative immaturity and very high cost of early systems. This is now much less true. Today range, key rate and how flexibly the quantum connection can be routed over conventional infrastructure have become the crucial considerations.
QKD deployments vary markedly around the world.
China hosts by far the world’s largest operational QKD network. The original 2000 km longitudinal backbone connects metropolitan QKD networks in Beijing, Hefei, Jinan and Shanghai, Jinan being the largest with 50 end-nodes. The network uses 700+ fibre links and 32 trusted node relay stations. The secure key rate is thought to be in the range 20-30 kb/s. The Chinese installation is increasingly mature and has been secured against a long list of 28 known potential physical attacks. 700 km of an additional transverse backbone is already complete between Hefei and Wuhan, with an additional 360 km under construction and 2200 km proposed.
QuantumCTek is the quantum unicorn that provides the hardware for China’s growing quantum networks. Its share price is down from its 2020 highs, but has been broadly stable in 2021 and remains at over a 400% premium on its initial offer price. It advertises backbone QKD products QKD-PHA300 (50 kb/s at 10 dB loss, max range 100 km) and QKD-POL1250 (80 kb/s at 10 dB loss, max range 100 km). This success reflects strong order prospects and the very positive tone of government support for quantum technology.
SK Telecom have extended their LTE/5G backbone QKD implementation to over 330km, including the Sungsoo (Seoul) – Dunsan (Daejeon) – Taepyeong core network hubs using 5 trusted node stations. SK Broadband and IDQ have secured the contract to build a 2000km QKD network serving 48 government organisations in South Korea.
IDQ are an early mover in the quantum comms sector. Swiss based, they have offered commercial QKD systems since 2007. Their newly launched Cerberis XG QKD (2 kb/s at 12 dB loss, nominal range 50 km, 80 km possible) emphasises ease of deployment and operation. SK Telecom has taken a strategic stake in IDQ.
BT and Toshiba have announced a joint project to build and trial a commercial QKD network in London (including London Docklands, the City and the M4 corridor). This builds on their experience working together within the UK Quantum Network testbed and in a point-to-point commercial solution for the UK NCC. Toshiba have also established a testbed in the US with Chicago Quantum Exchange, and in Japan with the NICT. It is partnering with Singapore-based SpeQtral to serve potential clients in Southeast Asia.
Toshiba currently lead on QKD range and performance. They provide a ‘Long Distance’ solution (300 kb/s at 10 dB loss and a nominal range of 120 km, though it can operate with marginal performance out to 175 km) and a ‘Multiplexed’ system that has the advantage of allowing multiplexed customer data in the C-band (40 kb/s at 10 dB loss and a nominal range of 70 km).
How well BT and Toshiba succeed in London will be very interesting to see. Quantum Xchange spent 2 years trialling its Phio QX (QKD) solution in New York before moving its strategy to lead with Phio TX. The effort in London will benefit from the significantly higher capabilities of the latest generation Toshiba QKD kit and the client reach of BT. Will this be enough to make the difference?
Speaking at QCrypt 2021, Andrew Shields (Toshiba) pointed out that ‘National fibre QKD networks can already be realised today’. For compact countries such as the UK, existing telecom network core nodes are typically located in major cities. These sites are already tightly controlled and suitable for trusted node implementations (and are already used as such today). UKQuantum, the UK Quantum Industry Group, has recommended to government that a UK Quantum Communications Infrastructure be created. The initial backbone proposed would link 6 major metropolitan centres over a five-year rollout.
In Europe, all 27 EU states have joined the EuroQCI initiative with the specific aim of building a pan-European secure quantum communication infrastructure. ESA are co-ordinating the space segment of EuroQCI (though the UK and Canada are members of ESA, they are excluded from EuroQCI participation). OpenQKD has established 14 testbed centres across Europe to demonstrate a variety of use cases. These include core areas such as the telecoms backbone and cloud datacentres, but also thought-provoking applications such as smart grid, e-health and e-government (the UK has involvement in OpenQKD via the Cambridge testbed).
VeriQloud are developing an interesting variation on standard QKD technology. Qline is a form of P&M QKD that introduces intermediate nodes on a single run of fibre. Each intermediate node can use simplified hardware to modify the quantum signal. Any pair of nodes can form a shared secret key without having to trust any other node. This works only over relatively short ranges but promises to offer cost advantages where many users can be served via a single short run of fibre. A prototype of the system has been prepared for deployment on the Berlin OpenQKD testbed.
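The trusted node relay stations mentioned for the Chinese backbone and in Andrew Shields’ remarks are the point a security reviewer should look at first. The following Python is an added illustration written for this page (it is not code from the article, from QuantumCTek, Toshiba or any network operator) of how a hop-by-hop key relay works: the end-to-end key is one-time-padded under each link’s QKD key in turn, so a tap on the fibre sees only pad output, but every relay node decrypts and re-encrypts and therefore holds the key in clear. The per-link keys are constructed with a seeded PRNG purely so the run is reproducible; in a real deployment they come from the QKD layer.

```python
"""Hop-by-hop key relay through trusted nodes, as used on QKD backbones.

Added example, not from the article or any vendor's software. Each fibre
link has its own QKD-generated link key; the end-to-end key is forwarded as
a one-time pad under successive link keys, so every relay node sees it in
clear. Link keys below are constructed with a seeded PRNG for reproducibility
only; a real system takes them from QKD hardware, never from random.Random.
"""
import random
from typing import Dict, List


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """One-time-pad combination of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("one-time pad needs key and payload of equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def make_link_keys(n_links: int, length: int, seed: int = 0) -> List[bytes]:
    """Constructed stand-in for the QKD key shared on each link (node i <-> i+1)."""
    rng = random.Random(seed)
    return [bytes(rng.getrandbits(8) for _ in range(length)) for _ in range(n_links)]


def relay_key(k_e2e: bytes, link_keys: List[bytes]) -> Dict[str, object]:
    """Forward k_e2e from node 0 to the far end across len(link_keys) hops.

    Returns what each observer ends up holding:
      'on_wire'    - ciphertext carried on each link (what a fibre tap sees)
      'at_relays'  - the key as recovered by each intermediate (trusted) node
      'at_far_end' - the key recovered by the final node
    """
    on_wire: List[bytes] = []
    at_relays: List[bytes] = []
    payload = k_e2e                        # held in clear by the current node
    for i, link_key in enumerate(link_keys):
        ct = xor_bytes(payload, link_key)  # pad it for the next link
        on_wire.append(ct)
        payload = xor_bytes(ct, link_key)  # next node strips the same pad
        if i < len(link_keys) - 1:
            at_relays.append(payload)      # a relay learns the key in clear
    return {"on_wire": on_wire, "at_relays": at_relays, "at_far_end": payload}


def exposed_to(relay_out: Dict[str, object], k_e2e: bytes) -> Dict[str, bool]:
    """Who can reconstruct k_e2e from what they hold (no link keys for the tap)."""
    relays = relay_out["at_relays"]
    wire = relay_out["on_wire"]
    return {
        "fibre_tap": any(ct == k_e2e for ct in wire),
        "any_relay_node": any(k == k_e2e for k in relays),
        "far_end": relay_out["at_far_end"] == k_e2e,
    }


if __name__ == "__main__":
    links = make_link_keys(n_links=3, length=32, seed=1)  # 2 relays, 3 hops
    key = bytes(range(32))                                # constructed sample key
    out = relay_key(key, links)
    print(exposed_to(out, key))
```

The point of `exposed_to` is the middle entry: with N hops there are N-1 nodes that can each reconstruct the end-to-end key, which is why the page stresses that core sites must be physically controlled. A Qline-style or entanglement-based design changes that trust assumption; this relay model does not.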
Elsewhere in the world, Russia and Australia are notably active in QKD development.
QRate, a Russian startup, offer the QKD312 (50kbps@12dB-loss, nominal range 30km, max 120km). Their equipment is the basis of a testbed network in Moscow between NUST MISiS and MTUCI.
QuintessenceLabs, an Australian based cyber security specialist, offer the qOptica 100. This uses CV-QKD (in contrast to the DV-QKD employed by the other systems discussed above). CV-QKD offers higher theoretical efficiency; however, current implementations operate at significantly lower clock speeds than DV-QKD, so in practice key rates are lower and ranges shorter. QuintessenceLabs do not publish a secret key rate for qOptica. (For comparison, academic field trials of CV-QKD have demonstrated 6kbps@12dB-loss.) CV-QKD proponents point to increased compatibility with standard optical components and advantages in daylight, free-space QKD. We can expect further progress with this technology.
XT Quantech are a Chinese startup also offering CV-QKD technology. They claim key rates of 25kbps@10dB-loss.
Despite having been early pioneers of the technology, the US is notably absent from P&M QKD, instead choosing to emphasise entanglement-based technology.
Qubitekk is a US startup leveraging their entangled photon source technology to offer the Quantum DataLoc. This uses entanglement QKD to offer a unique security promise, though range is currently limited to 1km. This seems a difficult technology to work with today. However, as we shall see, this approach has a long-term horizon.
Toshiba currently has a powerful position in the terrestrial QKD market. Their current generation of kit has the highest performance over fibre links of any system available. Their research pipeline is also notably strong, with the TF-QKD protocol invented by its UK research group promising to extend practical QKD to ‘inter-city’ distances of up to 500km. Toshiba have also just leveraged the UKRI AQuaSec project to announce a chip-scale solution that combines QRNG and QKD capabilities in a photonic chip. Secure key rates are impressive (470kbps@10km).
KETS are another early mover in chip-scale QRNG and QKD solutions. Prototypes are now at the card/rack stage and KETS were another partner in the AQuaSec project. KETS’ founders still hold the secure key rate record for their early demonstrator chip (916kbps@20km using an off-chip laser source and SNSPD).
We can expect Chinese players to provide stiff competition in the TF-QKD market.
Standards are multiplying
As with any technical field, and in particular with cryptography, we can expect standards to play a key role in winning business confidence: for assurance testing as to how a device was manufactured, as a basis for certification by a recognised body (such as a National Lab or test facility); for accreditation that a particular level of assurance and certification is adequate for the business purpose; to facilitate user acceptance testing that the system is practical for real world operation.
ITU-T published recommendations include:
X series (Data networks, security) – X.1702, X.1710, X.1712, X.1714
Y series (Internet, next gen.) – Y.3800, Y.3801, Y.3802, Y.3803 and Y.3804
(Also FG-QIT4N, a focus group on quantum information technology for networks.)
ETSI published group specifications include:
GS QKD 015, GS QKD 014, GS QKD 012, GS QKD 011, GS QKD 008
GS QKD 016 is expected soon; this ‘protection profile’ is an important link to ISO/IEC certification processes.
ISO/IEC has a number of activities underway:
JTC 1/SC 27 (IT security techniques) working on CD 23837 parts 1 & 2
(Also JTC 1/WG 14 (Quantum Computing) working on AWI 4879.)
A challenge for QKD threatens to be not a lack of standards, but that there is a complicated, overlapping set of activities. This is a burden on participants (particularly startups). It is also open to the perception that geopolitics is influencing the direction of development. This latter concern has led to NIST announcing a study of the effects of China’s prominent participation in many international standard setting bodies.
Maths vs physics tension rumbles on
Mathematicians and physicists have argued for years over the respective merits of PQC KEMs and QKD. The NSA and the UK NCSC (part of GCHQ) have both warned against early adoption of QKD technology. The community has offered a polite response. In private many physicists cry foul of the maths-led crypto establishment. But some groups have also been guilty of hype and of ignoring the strengths of PQC.
Fact Based Insight finds the row ironic. PQC is clearly the preferred option we can adopt now for conventional Internet and ‘normal’ business applications. However, PQC and QKD are also clearly complementary, both to allow us to form new flexible in-band protocols and as a layered defence when higher levels of enduring security are desired. Making sure the business case supports the additional cost of QKD is an important consideration. Here QKD must also face up to cost-based competition from conventional out-of-band solutions.
For a full discussion of these issues please read Quantum safe cryptography – the big picture
The NCSC’s new emphasis on a principles-based approach to the assurance of security technologies may be a constructive way to move beyond old quarrels. The debate is also widening to include other voices. The UK’s telecoms sector regulator, Ofcom, has taken the first steps to engage in this area.
Space brings its own new potential
Space technology is going through its own revolution. Large satellites are giving way to cost effective constellations of nanosatellites. New launch options are becoming available. Opportunities exist for LEO, MEO and GEO deployments, each bringing different trade-offs between regional versus global coverage, and ultimately in the size of the user base across which costs can be shared. In the longer-term, unique opportunities exist at the Earth-Moon Lagrange points and on the Moon itself.
Satellite links can be used to extend the reach of near-term quantum cryptography applications. However, they also offer a potential way to accelerate the delivery of more advanced protocols that depend on the distribution of quantum entanglement.
Satellite QKD hots up
Sending quantum signals from satellite nodes is inherently attractive. The thickness of the atmosphere is only c.10km and the quantum signal travels with much lower loss in the vacuum of space. This sector is also benefiting from significant investment for classical optical comms.
Earth-Moon – estimated 80dB loss over 400,000km (10cm transmitter and 1m receiver @ 1550nm). This is the same loss as just 270km of optical fibre at 0.3dB/km.
Indicative parameters for P&M QKD (from Qtlab)
– LEO-to-ground: 130kbps (1.2GHz, Tx 13cm, Rx 80cm, < 30 deg elevation)
– GEO-to-ground: 1kbps (1.2GHz, Tx 60cm, Rx 120cm, 30 deg elevation)
There are other important reasons for wanting to investigate satellite QKD. Security conscious users are often most concerned about links to remote global locations: the type of location they couldn’t reach via intermediate trusted nodes. On the other hand, they might feel comfortable with their own satellite acting as a trusted node.
China pioneered quantum space technology with their Micius satellite. However, this was a large 640kg research satellite using 560W of power; the required ground station was 10 tons, used 60kW and was expensive to maintain. Initiatives around the world are racing to develop more scalable and cost-effective platforms for satellite QKD.
Micro Quantum Satellite – China plans to have a 100kg micro satellite in LEO by end-2021, rising to 2 satellites and 10 ground stations in 2022. They are targeting quick-to-erect 100kg 300W ground-stations. Field trials have already been conducted in Beijing, Shanghai and Chongqing.
ROKS – a UK mission aiming to demonstrate a QKD downlink in 2022. Partners include Craft Prospect and Fraunhofer.
QEYSSat – this Canadian led mission is due to launch 2022 with the main aim of demonstrating a quantum uplink to the satellite. As part of the UK-Canada quantum technology programme agreement, a UK consortium including Craft Prospect is providing an additional downlink source.
Speqtre (formerly known as QKD Qubesat) – this joint QKD testbed mission between UK and Singapore is being built by ISISPACE. Its date to get into space has now moved back beyond 2023. It builds on the 2020 mission, SpooQy-1 that successfully completed an in-orbit test of CQT’s entangled photon source.
The UK Quantum Communications Hub is pursuing a separate in-orbit demonstration (IOD) of QKD from a CubeSat to a UK-based ground station, with a planned launch in 2024.
QKDSat – A project by Arqit and ESA plans to launch two satellites using Virgin Orbit’s LauncherOne from Newquay in Cornwall in 2023 to support their QuantumCloud service. The satellites will be integrated and tested at the UK National Satellite Test Facility in Harwell. Further FQS satellites may follow.
SAGA – an ESA planned mission to demonstrate entanglement based QKD, which can expect to build on existing European progress. QUBE, a German mission, is expected to launch in June 2022. Nanobob, a French mission, is also expected in 2022. Qtlabs are co-ordinating mission design and technology selection. As the principal space segment of EuroQCI, tight collaboration can be expected with the Quantum Flagship.
Conventional out-of-band satellite solutions, such as Quantum Xchange’s 2021 proof-of-concept, are also set to expand.
A significant opportunity in constellation design is allowing costs to be shared across users worldwide. An optical ground station might cost about €1M now, but perhaps only a few €100k when manufactured in larger numbers. A dedicated quantum satellite might cost €100m; however, a commercial satellite service to lease (similar perhaps to Arqit’s FQS proposal) might cost €25m pa. including satellite, mission control and 100 receivers. Such costs are not insignificant, but not prohibitive for governments or major security conscious companies.
A debate has started about the distance/cost trade-off for fibre vs satellite QKD. Satellite kit seems expensive, but can span large distances and the costs can be shared. Fibre installations seem cheaper, but the costs mount up with distance (and with the trusted nodes needed every hundred kilometres or so). Satellite enthusiasts Qtlab see the trade-off occurring at as little as 200km, IDQ at 1500km, Toshiba at 10,000km.
A stepping stone to entanglement distribution?
Beyond this, satellites may be one of the first areas where we can deploy entanglement based QKD; removing the need to trust the satellite so long as both ground stations are simultaneously in view. Speaking at ICQT 2021 Feihu Xu (USTC) speculated that a practical terrestrial quantum repeater might still be 10 years away. Using a satellite is an alternative: USTC have demonstrated entanglement distribution using a satellite over 1120km.
Indicative parameters for Entanglement QKD (from Qtlab)
– LEO-to-ground: 25bps (1GHz pair rate, Tx 13cm, Rx 80cm, < 30 deg elevation)
– GEO-to-ground: 0.1bps (1GHz pair rate, Tx 60cm, Rx 120cm, 30 deg elevation)
Importantly, satellite systems may accelerate the deployment of practical entanglement-based links. These would then have many other uses.
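The security promise behind Qubitekk’s entanglement QKD and behind removing the satellite from the trust boundary is that the key never exists at the source: it appears only in the measurement correlations at the two ground stations, and a Bell test on the leftover measurements certifies that nobody sat in the middle. The following Python is an added simulation written for this page (not code from the article, Qubitekk, USTC or Qtlab) of an E91-style exchange with a polarisation singlet: matching analyser angles yield key bits, the other angle pairs yield a CHSH value, and an intercept-resend attacker (the attacker model and trial counts are this example’s assumptions) drives the CHSH value below the classical bound of 2 and puts errors into the key.

```python
"""Entanglement-based QKD (E91-style) simulated with classical probabilities.

Added example, not from the article or any vendor. Alice and Bob each measure
one photon of a polarisation singlet. Matching analyser angles give the sifted
key; the remaining angle pairs give a CHSH Bell test. The pair source (e.g. a
satellite) never holds the key. An intercept-resend attacker is modelled as
measuring Alice's photon at a guessed angle and forwarding the collapsed
product state; that destroys the Bell violation and adds key errors.
"""
import math
import random
from typing import Dict, Optional, Tuple

# Analyser angles (radians). Bob's set overlaps Alice's on pi/8 and pi/4,
# which are the key-generating bases; the other pairs feed the CHSH test.
ALICE_ANGLES = (0.0, math.pi / 8, math.pi / 4)
BOB_ANGLES = (math.pi / 8, math.pi / 4, 3 * math.pi / 8)


def measure(photon_angle: float, analyser: float, rng: random.Random) -> int:
    """+1 if a photon polarised at photon_angle passes the analyser (Malus' law)."""
    return 1 if rng.random() < math.cos(analyser - photon_angle) ** 2 else -1


def singlet_pair(a: float, b: float, rng: random.Random,
                 eve_angle: Optional[float] = None) -> Tuple[int, int]:
    """Outcomes (x, y) for one singlet measured at Alice angle a, Bob angle b.

    Honest channel: Alice's outcome is random; it projects Bob's photon onto
    the orthogonal polarisation. Under attack, Eve measures first at eve_angle
    (outcome r) and sends Alice and Bob the collapsed, now unentangled, photons.
    """
    if eve_angle is None:
        x = 1 if rng.random() < 0.5 else -1
        bob_photon = a + math.pi / 2 if x == 1 else a
        return x, measure(bob_photon, b, rng)
    r = 1 if rng.random() < 0.5 else -1
    alice_photon = eve_angle if r == 1 else eve_angle + math.pi / 2
    bob_photon = eve_angle + math.pi / 2 if r == 1 else eve_angle
    return measure(alice_photon, a, rng), measure(bob_photon, b, rng)


def run_e91(n_pairs: int, seed: int = 0, eavesdrop: bool = False) -> Dict[str, float]:
    """Sift a key and compute the CHSH value from n_pairs distributed pairs."""
    rng = random.Random(seed)
    key_a, key_b = [], []
    corr: Dict[Tuple[float, float], list] = {}   # (a, b) -> [sum x*y, count]
    for _ in range(n_pairs):
        a, b = rng.choice(ALICE_ANGLES), rng.choice(BOB_ANGLES)
        eve = rng.choice(ALICE_ANGLES) if eavesdrop else None  # Eve guesses a basis
        x, y = singlet_pair(a, b, rng, eve)
        if a == b:                      # same basis: sifted key bit
            key_a.append(x == 1)
            key_b.append(y == -1)       # singlet is anticorrelated, so Bob flips
        else:                           # different bases: Bell-test statistics
            s = corr.setdefault((a, b), [0, 0])
            s[0] += x * y
            s[1] += 1

    def corr_e(a: float, b: float) -> float:
        total, count = corr[(a, b)]
        return total / count

    a1, a3 = ALICE_ANGLES[0], ALICE_ANGLES[2]
    b1, b3 = BOB_ANGLES[0], BOB_ANGLES[2]
    chsh = corr_e(a1, b1) - corr_e(a1, b3) + corr_e(a3, b1) + corr_e(a3, b3)
    errors = sum(1 for p, q in zip(key_a, key_b) if p != q)
    return {
        "sifted_bits": len(key_a),
        "qber": errors / len(key_a) if key_a else float("nan"),
        "chsh": chsh,                       # ideal singlet: -2*sqrt(2) ~ -2.83
        "bell_violated": abs(chsh) > 2.0,   # > 2 rules out a local (classical) middleman
    }


if __name__ == "__main__":
    print("honest  :", run_e91(30_000, seed=7))
    print("attacked:", run_e91(30_000, seed=7, eavesdrop=True))
```

In the honest run the sifted key has zero QBER and |CHSH| sits near 2.83; under intercept-resend the CHSH value collapses to about 1.4 and roughly a fifth of the key bits disagree, which is what lets the ground stations abort without ever trusting whoever operated the pair source.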
Future quantum networks are on the horizon
The exponential pull of quantum networking
Discussion of network security has naturally led us from post-quantum cryptography, to quantum random numbers, to protocols for creating quantum-secured cryptographic keys. But the potential of quantum networks does not stop there. For proponents taking the long view, these aren’t even the main benefits.
In the short term a key driver for short-distance quantum networking will be the desire to coherently connect local quantum processors (for example between dilution fridges or trapped ion racks). However, the essential benefit of such combinations isn’t limited by distance.
When we network conventional computers their power scales roughly linearly with the number of machines. When we coherently entangle quantum processors, the joint state space multiplies rather than adds: two linked m-qubit machines address 2^(2m) amplitudes, the square of what either addresses alone. The gap in power between independent and unified quantum processors may underpin a strong investment case for building a true entanglement-based Quantum Internet.
Peter Rohde (UTS & author of The Quantum Internet) points out that the standard circuit model of quantum computing may not give us the best intuition of how natural this may be. Instead, he points to the equivalent graph state model to help us see more clearly that it need not be hard to distribute a quantum calculation across nodes.
Continuing progress on advanced cryptographic protocols
The field of quantum communications also offers a host of advanced cryptographic protocols that promise to expand what is possible with conventional maths-based techniques.
Stephen Wiesner 1942-2021 – the father of key ideas that paved the way for the modern field of quantum information, and in particular quantum cryptography, died this year. His paper on Conjugate Coding, written in the late 1960s but only published in 1983, paved the way for what we now know as qubits.
Work in recent years has seen a steady stream of progress both on more practical protocols and on experimental demonstrations:
- Oblivious transfer (with noisy memory) – an important primitive
- Bit commitment (with signalling constraints) – an important primitive
  - 24-hour relativistic bit commitment
- Quantum data locking – potential to replace OTP encryption with exponentially shorter key sizes
- Quantum digital signatures – quantum protocols for authentication and non-repudiation
  - Experimental demonstration over 102km
- Quantum money – unforgeable, verifiable tokens (digital money, blockchain etc.)
  - Semi-device independent protocol
  - S-money uses signalling constraints to avoid the need for quantum memory. Initial experimental results were demonstrated in 2021
- Universal blind quantum computing – secure quantum computing on the cloud
  - Protocol for ‘succinct’ blind quantum computing
- One-time programs (with probabilistic assumptions) – software licensing, one-time delegation, electronic voting
  - Proof-of-principle demo of one-time programs
- Secure weak coin flipping (each party has a preferred outcome) – leader election, consensus protocols
- Quantum position verification – proof of geographic position
  - New loss tolerant protocol (unentangled attackers)
- Secure clock sync – precise, unspoofable synchronisation of remote clocks
  - Experimental demonstration over 7km of fibre
- Zero-knowledge proofs
  - NP-proof verification demonstrated using a photonic processor
NP Proof Verification – In 2021 a team from CNRS, Univ. of Edinburgh and QC Ware implemented a real-world demonstration of NP proof verification in which the verifier learns only limited information about the solution it is being asked to check. This uses a simple two-mode optical setup (equivalent to a 1 qubit computer). It is a quantum variation of a well-studied tool in classical cryptography, the zero-knowledge proof. This doesn’t have an immediate application, but is likely to find use as a primitive in the future Quantum Internet for functions such as identification, authentication and blockchain. It’s doubly interesting as a reminder that ‘quantum advantage’ in communication protocols can be based on even a 1 qubit device.
Quantum Blockchains is a Polish startup. They provide an interesting, forward looking example of the innovation that may be possible by combining the techniques of PQC with quantum-enhanced protocols.
Even today some clients are already seeking on-premise installations of quantum computers because of data privacy concerns. Blind quantum computing offers the tools to completely and efficiently meet privacy concerns in a cloud computing environment. Fact Based Insight believes that one day we will wonder how we ever operated without it.
A breakthrough for networked quantum sensors?
A further possibility is to connect quantum sensors to the quantum network. This full-strength vision of a Quantum Internet of Things received a significant boost in 2021. Work including Caltech and Google has demonstrated that there is an exponential advantage in learning the properties of quantum states, if we first complete pre-processing in a quantum computer before applying classical machine learning.
Learning from experiments – Caltech and Google’s work asks us to consider the Google Sycamore processor in two parts. In the first its qubits represent the output of some hypothetical physics experiment (or the output of a series of quantum sensors). Our task is to learn some property of this state (to investigate the physics of the experiment, or to read out our network of sensors). The rest of the quantum processor performs entangling operations on these inputs before passing the output to a classical machine learning routine. This setup is able to learn properties of the state in exponentially fewer trials than any classical algorithm can manage.
A striking feature is that the exponential advantage doesn’t depend on the input states being pre-entangled in any way. This is contrary to what we might have expected, and makes implementing such a setup look much easier than we might otherwise have expected.
These new results could lead to short-term opportunities for new analysis approaches in fundamental physics experiments. In the medium and long-term it opens interesting possibilities for what might be achieved with networked quantum sensors.
Entanglement networks emerge from the lab
Quantum entanglement is usually discussed first in general introductions to quantum computing, or as an enabler for advanced forms of QKD. However, its role is much wider than just these applications. Entanglement is the crucial consumable resource of the future Quantum Internet.
Quantum state teleportation – If we have shared entanglement between locations A and B then we can use it to transfer any arbitrary qubit from A to B simply by sending a simple classical signal. This works regardless of distance.
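To make the teleportation step concrete, here is an added statevector simulation written for this page (not code from the article or from any of the groups it names). Qubit 0 holds Alice’s unknown state, qubits 1 and 2 are a Bell pair shared with Bob; after Alice’s Bell-basis measurement, the two classical bits she sends select the Pauli correction that recovers the state on Bob’s side. The `force` parameter, which picks a measurement outcome instead of sampling it, is a convenience of this example so that all four branches can be checked.

```python
"""Quantum state teleportation on a 3-qubit statevector (added example).

Qubit 0: Alice's unknown state |psi> = alpha|0> + beta|1>.
Qubits 1, 2: Bell pair, qubit 1 with Alice and qubit 2 with Bob.
Alice entangles qubit 0 with her half, measures both, and sends two classical
bits. Bob applies X^m1 then Z^m0 to his qubit and ends up holding |psi>.
Index convention: basis index = q0*4 + q1*2 + q2 (qubit 0 is the top bit).
"""
import math
import random
from typing import Dict, List, Optional, Tuple

Gate = Tuple[Tuple[complex, complex], Tuple[complex, complex]]
_S = 1 / math.sqrt(2)
H: Gate = ((_S, _S), (_S, -_S))


def apply_1q(state: List[complex], gate: Gate, target: int, n: int = 3) -> List[complex]:
    """Apply a 2x2 gate to qubit `target` of an n-qubit statevector."""
    out = state[:]
    bit = 1 << (n - 1 - target)
    for i in range(len(state)):
        if i & bit == 0:                       # visit each |..0..>,|..1..> pair once
            a0, a1 = state[i], state[i | bit]
            out[i] = gate[0][0] * a0 + gate[0][1] * a1
            out[i | bit] = gate[1][0] * a0 + gate[1][1] * a1
    return out


def apply_cnot(state: List[complex], control: int, target: int, n: int = 3) -> List[complex]:
    """CNOT: flip `target` on every basis state where `control` is 1."""
    out = state[:]
    cb, tb = 1 << (n - 1 - control), 1 << (n - 1 - target)
    for i in range(len(state)):
        if (i & cb) and not (i & tb):
            out[i], out[i | tb] = state[i | tb], state[i]
    return out


def teleport(alpha: complex, beta: complex, seed: int = 0,
             force: Optional[Tuple[int, int]] = None,
             correct: bool = True) -> Dict[str, object]:
    """Teleport alpha|0>+beta|1>; returns Alice's bits, Bob's state and fidelity."""
    norm = math.sqrt(abs(alpha) ** 2 + abs(beta) ** 2)
    alpha, beta = alpha / norm, beta / norm
    state = [0j] * 8
    state[0b000], state[0b100] = alpha, beta   # |psi> (x) |00>
    state = apply_cnot(apply_1q(state, H, 1), 1, 2)   # Bell pair on qubits 1,2
    state = apply_1q(apply_cnot(state, 0, 1), H, 0)   # Alice's Bell measurement basis

    # Probabilities of the four outcomes (m0, m1) for Alice's two qubits.
    probs = [sum(abs(state[m * 2 + k]) ** 2 for k in range(2)) for m in range(4)]
    if force is None:
        r, acc, m = random.Random(seed).random(), 0.0, 3
        for k, p in enumerate(probs):
            acc += p
            if r < acc:
                m = k
                break
    else:
        m = force[0] * 2 + force[1]
    m0, m1 = m >> 1, m & 1

    # Bob's (collapsed, renormalised) qubit given Alice's outcome.
    bob = [state[m * 2 + k] / math.sqrt(probs[m]) for k in range(2)]
    if correct:                                # the two classical bits in action
        if m1:
            bob = [bob[1], bob[0]]             # X
        if m0:
            bob = [bob[0], -bob[1]]            # Z
    fidelity = abs(alpha.conjugate() * bob[0] + beta.conjugate() * bob[1]) ** 2
    return {"bits": (m0, m1), "bob_state": bob, "fidelity": fidelity}


if __name__ == "__main__":
    for bits in ((0, 0), (0, 1), (1, 0), (1, 1)):
        print(bits, round(teleport(0.6, 0.8j, force=bits)["fidelity"], 6))
    print("uncorrected (1,0):", round(teleport(0.6, 0.8, force=(1, 0), correct=False)["fidelity"], 4))
```

Fidelity is 1 for all four outcomes once the correction is applied and drops below 1 without it, which is the operational content of “a simple classical signal”: the entanglement carries the state, the two bits are what make it usable, and no information about the state travels on the classical channel alone.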
Quantum repeaters – this emerging technology seeks to extend the range at which we can share quantum entanglement. Typical repeater designs require quantum memory (itself a field only now emerging from the lab). More recently, alternative memory-less approaches have been proposed based on photonic graph states.
Increasingly impressive entanglement network demonstrations have been taking place around the world. These are increasingly breaking out of the pure physics domain to address practical questions of engineering.
USTC China have demonstrated entanglement of quantum memories at 22km. They have also demonstrated the use of photonic cluster states as an alternative to matter-based quantum memory.
In 2020 the Univ. of Bristol, a partner in the UK Quantum Comms Hub, demonstrated entanglement distribution on an 8 node network. UNIQORN, a Quantum Flagship project, demonstrated q-ROADM technology that will be required for flexibly switched entanglement sharing. This year a team at Heriot-Watt Univ. demonstrated entanglement based quantum conference key agreement between four nodes. QuTech have gone a notable step further by demonstrating entanglement swapping through an intermediate node to form a 3 node quantum network.
QuTech employed three NV Diamond nodes (each cooled to 4K), with each node containing one qubit used for communication. The middle node also uses an additional memory qubit. Though only a lab-scale demonstration (nodes were separated by 30m and 2m) this setup replicates key functions of a quantum repeater. This reminds us that applications in quantum communications are set to leverage hardware platforms that don’t always require extreme mK cooling.
Argonne National Lab and Univ. of Chicago have successfully entangled photons over an 80km network. This is being extended to Fermilab to form a three-node 130km testbed. This network has served as a demonstration testbed for entangled photon sources from Qubitekk.
Brookhaven National Lab and Stony Brook Univ. are developing a network testbed focussed on developing quantum repeaters. Interference effects have been demonstrated over 160km (the longest quantum network in the US today). Plans exist to extend the network to New York City.
Qunnect is a notable early spin-off with patented quantum memory technology based on atomic vapour cells. This promises room temperature deployment and optical fibre compatibility. Memory times are already reported in the 100’s of microseconds range. This could open the door to true quantum repeaters and other quantum internet protocols.
MARQI – a University of Maryland led consortium has received NSF funding to develop quantum networking solutions. This promises to combine well with Maryland’s strong links to the trapped ion community.
A significant aspect of QuTech’s recent 3-node network demonstration was that it also deployed a full software stack. A variety of players are now launching quantum network simulation products.
Quantum Network Explorer – QuTech have now launched the QNE and associated SDK to allow other interested parties to access their network for education, research and development purposes.
Aliro Quantum – a US startup offer Q.Network to tackle the network stack question. Their hardware agnostic quantum network design and simulation platform is allowing them to tackle the forward looking question of how EaaS can help clients with security, computing, and position, navigation & timing issues.
NodeQ – a UK startup offering software for quantum network design and optimisation. Leverages the founder’s work with the UK Quantum Comms hub and deep theoretical pedigree in this area.
EvolutionQ – this Canadian startup offer BasejumpQDN for quantum network design. An initial focus is helping clients avoid vendor lock-in with a single QKD supplier. EvolutionQ’s strength in maths-based cryptography complements well with this offering.
Many would recognise the momentum that IBM seized in the quantum computing domain through its early provision of the IBM Quantum Experience and its promotion of early standards such as OpenQASM. Does a similar opportunity exist for the Quantum Internet stack?
A strategic debate
On the journey to build the Quantum Internet, investors, companies and governments are faced with a complex maze of possibilities where three great deep tech sectors overlap and interact: crypto, quantum and space. It’s a challenge to avoid being locked into any one technology or narrow field of expertise. It’s a challenge to evaluate the trade-off of short, medium and long term revenue opportunities; doubly so when we consider the interplay of economic vs geopolitical factors that will likely influence the development of the wider sector.
The debate is complicated by overlapping and often loose terminology. Some are focussed on how to deploy quantum safe cryptography on the current Internet. Some are focussed on building ‘prepare & measure’ quantum networks using trusted nodes to form a quantum-enabled Internet. Others envision the true entanglement-based Quantum Internet. Taken to its fullest extent, this ultimately also includes quantum sensors and we have a Quantum Internet of Things.
A particularly prominent point in the strategic debate is how important the intermediate steps are in winning the race to build an entanglement-based end goal? Some companies clearly see their early engagement with QRNG and QKD as a stepping stone to allow them to engage and grow through this process. Others will seek to jump straight to the entanglement-ready phase of development based on differentiated technology. As business strategies both are valid, though investors need to be clear about the profile they are building within their portfolio.
For governments, Fact Based Insight believes the choice looks different. Governments care about the security of their digital infrastructure, but they also care acutely about capturing their share of the economic benefits across the quantum value chain. Is the best approach to encourage an ecosystem to develop around near-term opportunities, or to seek to bypass these by focussing on more academic research targeting the longer-term goal? If your current concern is the race over quantum computing hardware, your Copernicus moment may be to see that computing is just part of winning out on the Quantum Internet of Things.
A review of the research activities of Jian-Wei Pan’s influential USTC group should leave careful observers in no doubt. China sees its current dominance in early QKD networks as a stepping stone to a future fully entangled network. The role of EuroQCI and the QIA within the EU’s Digital Europe Programme seems to embody the same vision. The US seems more inclined to focus directly on the goal of entanglement. Interestingly, the US’s FVEY (Five Eyes) partners have notably strong positions in early quantum network activities, including Canada, Australia and in particular the UK.
From such decisions large consequences ultimately flow.
To watch in 2022
- NIST PQC decision – which PQC protocols will proceed to standardisation?
- NIST PQC Round 4 – what alternative schemes will continue for additional study? What new digital signature schemes will enter the process?
- QRNG smart phones – will this segment continue to grow? This could be big news.
- QRNG feature fight – in an increasingly crowded segment, expect competition on cost, random bit rates, SWaP and advanced protocol features.
- Quantum Xchange – with its out-of-band concept established, what client uptake will we see?
- Qrypt – will we see a flagship installation of this interesting new approach?
- Arqit – will we see more details and a security proof reach the public domain?
- Toshiba & BT – will we hear about pilot customers for QKD in London?
- IDQ – where next after South Korea?
- Chip scale QKD – watch as chips from Toshiba and KETS take the battle to new frontiers.
- OpenQKD – watch out for proof of concept demonstrations for a wide variety of use cases across the European testbed locations.
- EuroQCI – will project awards under the Digital Europe Programme give us more indication of how this initiative will proceed?
- UKQCI – will the UK commit to the rollout of a national quantum comms infrastructure?
- Satellite QKD – with multiple satellites due to launch; which will win the race to demonstrate nanosat QKD?
- International standards – watch out for conclusions from the US study into the growing role of China in international standards setting.
- Assurance processes – watch QRNG assurance as a test case for new thinking from NPL and NCSC.
- Entanglement networks – watch out for progress from leading research hubs such as the USTC, UK Quantum Comms Hub, QuTech, Q-NEXT/Argonne National Lab, Brookhaven National Lab, MARQI/Univ. of Maryland, CQT/Purdue Univ. and others.
- Advanced protocols – watch out for emerging interest in advanced protocols. Secure clock sync and blind quantum computing on the cloud could be ones to watch.
- Quantum Flagship – what support will the influential Quantum Internet Alliance secure in the next round of Horizon Europe project grants?
- Network stack – which platform will grab a lead for quantum network simulation?