A new quantum network has been launched in the UK and quantum initiatives are underway at telecom players SK Telecom, BT, Telefónica and Huawei – the world is starting to prepare in earnest for the advent of large scale quantum computers.
Quantum computers promise to bring a remarkable range of benefits to industry and society. However, one adverse consequence will be to render obsolete the current public key cryptography standards upon which we depend for internet ecommerce and routine cyber security.
For a lot of companies the impact starts now. If sensitive data is intercepted and stored today, then it can be decrypted at a future date when a sufficiently powerful quantum computer becomes available.
The world needs quantum safe cryptography. There are two main areas of development:
- Post quantum cryptography – new conventional maths-based cryptographic algorithms resistant to attack by quantum computers.
- Quantum cryptography – physics-based alternatives that rely of the unique properties of quantum mechanics to provide security. Initial technologies reaching market include quantum random number generation (QRNG) and quantum key distribution (QKD).
Many organisations need to plan their way through these developments: businesses with long-term sensitive data and assets to protect; existing and new entrant cyber security service and equipment providers; corporate, private equity and venture capital investors.
A wide variety of activity is underway.
Post quantum cryptography – a strong start
In the US, NIST is managing a global collaborative evaluation of the best available post quantum cryptography (PQC) protocols. This process has enjoyed strong engagement from around the world, with teams from 25 countries represented. The recent NIST PQC workshop, co-located with the PQCrypto 2018 conference in Fort Lauderdale reviewed 56 separate presentations (27)(28).
This work is currently dominated by academic institutions, however many commercial companies are already taking part, both majors such as Microsoft, IBM, Google, Intel, Cisco, Toshiba and Phillips, and also specialists such as ISARA, SecureRF, and PQ Solutions. The process is open to protocols where commercial patents apply.
Overall, out of 82 original submissions, 64 algorithms remain in the running, based on a variety of underlying mathematical approaches. Testing will find some of these proposals vulnerable to attack by quantum or conventional means but it is likely that many will survive this challenge. However the complexity of this evaluation is unprecedented in the crypto community and much work remains.
These new techniques typically come at the expense of significantly larger key sizes and (in some cases) processing times than today’s protocols. They may not offer simple ‘drop-in’ upgrades to current security software. It is not yet known the extent to which further optimisations can mitigate these concerns. Informally, lattice based PQC algorithms seem to remain at the fore and while processing time does not seem to be an issue, increased key size may pose a significant difficulty.
The nature of the promised security is also challenging to exactly specify. Becoming comfortable with the security of a new algorithm against conventional attacks has historically taken the crypto community years (and even then been subject to revision). For ‘known’ quantum attacks mathematical security proofs can be used to analyse vulnerabilities. However the realistic operational capabilities of future quantum computers are difficult to assess. It is also quite possible that new routes of quantum attack will be discovered in the future. PQC algorithms are likely to offer a high security promise, but not a perfect one.
Timescale will also be a concern for some. The current process envisages screening down the number of contenders during 2018/19, holding a second NIST PQC workshop in Aug 2019, selecting algorithms in 2020/21 and publishing draft standards 2022-2024. Software and firmware suppliers will then have to update their products (1-2 years?). Users will then have to implement and rollout these upgraded security arrangements (1-2 years?).
If you believe that quantum computers may offer a practicable breach in current security as soon as 2027, then that is very close for comfort. Businesses must ask – is their board comfortable that sensitive data intercepted before they complete their transition could be compromised by a future quantum attack?
Quantum cryptography- this time it’s different
“During recent years quantum cryptography has been the object of strong activity and rapid progress, and it is now extending its activity into pre-competitive research and into commercial products. Nevertheless, the fact that Quantum Key Distribution (QKD) could be an interesting cryptographic primitive is often considered with scepticism by classical cryptographers”
This is not a quote from the recent quantum network launches in the UK or Spain. These words were written at the end of the EU’s SECOQC project, which from 2004-08 developed the Vienna QKD network (29).
SECOQC was not the first field demonstration of QKD. In 2004 the US DARPA Quantum Network in Cambridge Massachusetts connected Boston University, Harvard University and BBN Technologies (now part of Raytheon). Indeed quantum cryptography was first conceived by North American researchers.
Other metropolitan quantum networks have followed over the years. In 2009 the SwissQuantum network in Geneva provided a testbed for equipment from ID Quantique (IDQ). In 2010 the Tokyo QKD network provided a testbed for Toshiba. Australian government and defence links have driven the development of QuintessenceLabs’ products, including a successful QKD demonstration in Melbourne in 2010.
Work has also continued at LANL, Columbus (Battelle) and Boston (MIT). However in the last decade, US leadership in practical quantum cryptography has waned. Original pioneers such as MagiQ Technologies have found their growth elsewhere.
The new Vienna circle
The list of SECOQC collaborators shines a light on the root of many present day initiatives: Nicolas Gisin, a leading swiss physicist and co-founder of IDQ; Andrew Shields, now leading Toshiba’s involvement with the UK Quantum Network; Momtchil Peev, now Huawei Quantum Communication project leader; Norbert Lütkenhaus, now a leading figure in Canada’s IQC and CTO of quantum security specialist evolutionQ; Tim Spiller, director of the UKNQT’s Quantum Communications Hub; John Rarity, another leading figure in the UKNQT programme; and Anton Zeilinger, quantum information pioneer at IQOQI and now president of the Austrian Academy of Sciences.
Vienna’s influence extends further. One of Zeilinger’s PhD students in 1999 was Jian-Wei Pan. After returning full time to China in 2008, Pan became a key architect of China’s remarkable rise to the forefront of quantum communications technology.
China’s Sputnik moment
China indisputably leads the world in terms of practical quantum cryptography. In 2017, the QUESS mission aboard the Micius satellite achieved the world’s first demonstration of space-to-ground QKD.
This is not an isolated success. China has also commissioned a 2000km optical fibre QKD backbone between Beijing and Shanghai, by far the longest such link in the world. Metropolitan QKD networks operate in Beijing, Shanghai, Jinan, Heifei and Wuhan. Users include the Industrial and Commercial Bank China (ICBC), the Bank of Communications (BoCom), Beijing Rural Commercial Bank, Alibaba Cloud and the Chinese government (13).
Founded in 2009 by Jian-Wei Pan, QuantumCTek is the company at the forefront of further commercialising the product suite underpinning this network.
A highlight of the launch of the new network in September 2017 was a quantum-encrypted teleconference between Beijing and Vienna, locations separated by 7,600km and far beyond the distance achievable by any other current QKD demonstration. In a nice footnote to history the person receiving the call in Vienna was the President of the Austrian Academy of Sciences, Anton Zeilinger.
Growing commercial momentum
China’s dramatic progress has in itself reinvigorated political interest in the west. In addition though, there are very practical reasons why a renewed focus on quantum safe cryptography is now timely.
Back in 2008 in Vienna, quantum computers were still a speculative future technology. Many experts still doubted whether a practical device could ever be built. Today prototype processors are a reality and it is only a matter of time before a large scale machine is developed.
Early quantum technologies were also a poor competitor in the cybersecurity landscape. Hardware was bespoke and unproven; network topologies were inflexible and range limited; side channel security vulnerabilities were routine and unexplored. Ultimately the output secure key rates were low and costs very high.
Today, a number of companies such as IDQ, QuantumCTek and QuintessenceLabs have well established QRNG offerings, to which startups like KETS Quantum Security are seeking to add (4). These devices have a unique proposition versus traditional pseudo random number generator (PRNG) software, though formal assurance and certification processes have not yet caught-up.
Maturing technology has also brought QKD to the verge of true commercial viability for a range of priority applications in security conscious sectors. Commercial interest is rapidly building and a new wave of startups has formed. Many high tech organisations are growing their R&D investment, including major telcos and equipment providers.
SK Telecom strategic stake in ID Quantique
At the start of 2018, SK Telecom significantly strengthened their previous involvement in quantum technology by taking a strategic stake in IDQ, currently the only true ‘off-the-shelf’ commercial QKD provider in the west.
SK Telecom first established its own quantum technology lab in 2011, and in 2017 it developed the world’s smallest (5x5mm) QRNG based on know-how licensed from IDQ.
The new investment of $65million gives SK Telecom a controlling stake in IDQ. Its existing quantum lab will become part of IDQ. Fact Based Insight believes the South Korean giant will continue to look to IDQ for technical leadership in this sector. The scope of future work will go beyond quantum cryptography to also address emerging opportunities in quantum sensing.
Telefónica, Huawei, UPM field trial
Announced on June 14 2018, this trial connects three sites in the Madrid metropolitan area using Telefónica’s commercial optical network infrastructure, and software controlled QKD devices developed by the Huawei Research Lab in Munich. Universidad Politécnica de Madrid (UPM) provided the know-how to integrate the QKD, SDN and NFV modules.
The quantum technology employed is continuous variable QKD (CV QKD). This is a variation of the more established discrete variable QKD (DV QKD) more commonly discussed. CV QKD proponents point to higher expected key rates over metropolitan network distances, the convenience of relying on conventional rather than single photon detectors and more seamless compatibility with common telecoms technology such as DWDM. Conversely DV QKD proponents point to its advantage as distances increase and its greater maturity, including in the security proofs associated with this technology.
Fact Based Insight has not yet seen details of the key rates achieved by the Madrid trial, however recent publications from groups in Vienna and Shanghai using similar CV QKD technology indicated key rates of about 3Mb/s up to 40km (13). These experiments also demonstrate closure of the most serious security loophole in previous CV QKD implementations (a common local oscillator reference signal that was vulnerable to intercept). However a practical consequence of the relative immaturity of security analysis around this technology makes moving from raw symbol rates to secure key rates non-trivial and subject to caveat.
At this stage the Madrid team chooses to emphasise the flexibility and commercial compatibility of their solution. Interoperation with technologies like SDN and NFV are key features to have demonstrated. Operation of QKD within an SDN context has been reported before, but only for key management and consumption, not key distribution. Full details of exactly what Telefónica are able to implement remains to be seen.
UK Quantum Network
The Cambridge Metropolitan arm of the UK Quantum Network was formally launched on June 13 2018, though it has been operating for some months across three sites in Cambridge. It leverages the existing Cambridge Granta fibre backbone and Toshiba QKD equipment, with the Cambridge University Engineering Department driving integration.
The network demonstrates the combined operation of the quantum channel with conventional data simultaneously running within a single fibre – a feature anticipated to be crucial to managing the cost of implementation in commercial settings. The initial configuration uses Toshiba DV QKD hardware running their T12 variant of the decoy BB84 protocol. Toshiba use intensity modulated weak laser sources to generate de facto single photons, and phase encoding with their active stabilisation technology to reduce noise due to environmental fluctuations. Detection is via their self-differencing APD technology which operates at room temperature. WDM is supported to combine quantum, auxiliary and data channels on a single fibre (13).
Consistent operation has been achieved for over 6 months. High secure key rates of around 3Mbps are routinely achieved even in combination with 200Gbps of conventional data. ADVA Optical Networking AES encryptors are used to process conventional data traffic, interfaced with the Toshiba QKD equipment for key replenishment. This uses standard REST protocols to emphasise the commercial flexibility of the set-up.
Over the coming months the UK Quantum Network will be expanded with long distance links to London, Reading and finally to its sister metropolitan loop in Bristol. The network leverages the UK’s NDFIS, and is very much aimed at demonstrating the commercial deployability of QKD without the need for new dedicated fibre links. When completed it will be the longest QKD network outside of China, and arguably the most sophisticated example of combined metro, access and backbone quantum networking.
A spur will connect the network to project partner BT’s lab at Adastral Park in Martlesham. Since 2016 BT has included QKD technology in its Financial Services customer showcase. In 2017 it showed QKD at DSEI (a leading defence and security event). It will use the new link to extend the demonstration of potential applications.
The UK Quantum Network is part of the work of the Quantum Communications Hub within the UKNQT programme. Other work of the hub concerns technology that will ultimately link to such networks: short-range free space QKD systems, QKD-on-a-chip modules and next generation quantum communication technologies.
Australian Department of Defence
Australian QKD efforts are also continuing to move forward. Last year the Australian Department of Defence expanded their investment in QuintessenceLabs’ developing capabilities. This initiative aims to protect defense and other critical Australian government systems and enhance the resilience of defence networks. Previous fibre optic tests with Melbourne-based Telstra already demonstrated coexisting conventional and quantum signals. The new A$3.26m investment will focus both on increasing throughput and overall performance, as well as extending capability beyond fibre optic networks to ‘free space’ QKD.
Trusted nodes, satellites and drones
An important limitation of current optical fibre based QKD is its range between trusted relay nodes. At such nodes, currently technology does not allow quantum security to be guaranteed. Instead we must rely on the physical security and integrity of the device (and the legal jurisdiction within which it is hosted).
Current commercial and near-commercial systems are limited to about 100km between trusted nodes. Research testbeds have achieved greater distances of about 250km over ultralow-loss fibre and using expensive cryogenically cooled detectors. Using a central device in the advanced MDI QKD configuration, the accepted distance record has been 404km achieved by USTC in 2016. Recent results published by Toshiba in Nature show an improved range of 500km (sufficient for example to direct link many European capitals). However this is an early stage for this new variation of the technology. The security of the Toshiba implementation is disputed by the Chinese group.
The UK Quantum Network will use trusted nodes, just as China’s Beijing-Shanghai link uses such nodes to extend end-to-end security over 2000km. The Micius satellite is also a trusted node, but one with a global reach.
However Micius itself is a relatively large (and costly) science platform. Its sun synchronous orbit allows just one 8 minute pass per ground station per night. Global competition is now hotting up to find the optimal way to deliver QKD from space in the medium term (30).
Recent experiments include:
- Tiangong-2 (China) – demonstrating a nanosatellite compatible QKD payload
- SOCRATES (Japan) – microsatellite-to-ground quantum communications using the SOTA laser
- LAGEOS (Italy) – photon reflection experiments at medium earth orbit
- Alphasat (Germany) – signal test within quantum limits using conventional hardware in geostationary (high) orbit
- SPEQS (Singapore) – entangled photons on a standard CubeSat nanosatellite
Key upcoming projects include:
- QEYSSat (Canada) – a microsatellite seeking to demonstrate ground-to-space quantum communication
- QUBE (Germany) – a CubeSat nanosatellite space-to-ground QKD mission
- CQuCoM (UK-led consortium) – a CubeSat nanosatellite space-to-ground mission
- NanoBob (France/Austria) – a CubeSat nanosatellite ground-to-space QKD mission
- QuSAT (Swiss) – a simplified scheme for cost effective quantum-enhanced communications (rather than full QKD)
While routine commercial QKD to/from orbit is still some way off, commercial ventures are increasingly involved in these developments, from major players such as OHB System to startups such as Altyn, Clyde Space and InfiniQuant (22).
Drone based QKD is another increasingly active area of development. KETS Quantum Security and IDQ are working with Airbus on a trial system. In the US, the Univ. of Illinois and Ohio State Univ. are collaborating on a similar demonstration. Drones offer not only flexibility, but by reaching a higher altitude they are also able to communicate through more stable less turbulent air, improving range and key rates.
A complex equation
Businesses and investors face the challenge of planning their path through this rapidly evolving sector. A central question is what variations of the underlying technology offer advantages now and which are likely to find general and niche applications in the short, medium and long term. A more subtle challenge is how to obtain balanced advice about the alternatives.
Maths vs physics
The maths-based solutions of PQC will almost certainly retain significant implementation cost and flexibility advantages in the short and medium term. However this must be weighed against a number of factors:
- The physics-basis of QKD is a natural complement to the maths-basis of conventional cryptogrphy, offering the benefit of a layered defence for high security applications.
- If vulnerability in a PQC algorithm were discovered, a hostile party/government might keep the discovery secret to maximise the time for which it could be exploited.
- Uniquely, eavesdropping attempts on a quantum channel can be reliably detected. Not only does this have obvious immediate advantages, it also acts to protect the system against general future technological advances by preventing ‘intercept and store’ attacks.
- Securing sensitive data via QKD could become a useful marketing feature (particularly for industries sensitive to a ‘shock’ to public confidence during the development of practical quantum computing)
In the long term, the relative cost advantage of different approaches is less clear. The development of quantum computing will, some believe, ultimately lead to a Quantum Internet built to transfer quantum data between quantum cloud computing nodes. With such a network in place, using anything other than quantum cryptography would seem perverse.
Businesses and investors in security conscious sectors need to evaluate these new options within their overall data security and business strategies. However, achieving a balanced evaluation of options poses some subtle challenges.
Mathematicians vs physicists
The UK is home to GCHQ. This anchors the UK’s leading cyber security and cyber warfare capabilities. However it also serves to highlight the disagreements that exist beneath the surface of different disciplines.
GCHQ has been at the heart of maths-based cryptography since its inception. Indeed the first public key cryptography algorithm was discovered by a GCHQ mathematician, Clifford Cocks, in 1973 (but not declassified until 1997). Today GCHQ operates the NCSC to advise business on cyber security issues. Search the NCSC site today and you will find its advice on quantum safe cryptography published in Nov 2016. It recommends against QKD for “most real-world communication systems”. Similarly the Dutch NCSC has issued advice in Aug 2017 that waiting for PQC is preferable to QKD. In the US, the NSA cast its Aug 2015 plan purely in terms of transition to alternative PQC algorithmic approaches.
Mathematics and physics share perhaps the oldest ‘special relationship’ in intellectual life. However evaluating the relative merits of PQC and QKD can expose differences of perspective.
Normally mathematics provides proofs, while physics offers theories to be tested by experiment. However in matters of cryptography, the current situation is oddly reversed. The security of modern maths-based cryptography (including all proposed forms of PQC) ultimately rests only on conjectured computational difficulty. Physics-based QKD theoretically offers perfect security as long as the laws of quantum mechanics hold. Indeed even if a future theory one day replaces quantum mechanics, we are already able to rule out the obvious ways that might compromise QKD (10).
A balanced evaluation and strategy for quantum safe cryptography is certainly possible. However experience seems to show that those with a mathematical background tend to favour the maths based solutions of post quantum cryptography, while physicists tend to see the merits of QKD. Crucially many existing cyber security professionals naturally come from a maths-based background. Businesses need to understand where their current advice is coming from, and the unintended biases it may contain.
Neither are physicists above reproach. Explaining quantum concepts is difficult, but experts can too easily omit the caveats and overstate the security promise of real world equipment. Many press releases on QKD technology fail to make mention of the PQC alternative or physical hardware vulnerabilities. Almost all conferences and expert groups are siloed between the two fields (the ETSI Quantum Safe Workshops and the work of the Cloud Security Alliance being welcome exceptions) (4).
The UK Government’s Blackett review on quantum technologies recommends a balanced approach and, in particular, that work continues with funding for joint initiatives which bridge these divides. It seeks that regulation should not be a barrier to the commercialisation of quantum technologies. In particular the NPL and NCSC are mandated to collaborate in an evaluation of QKD on the UK Quantum Network and to partner with other bodies to issue accreditation certificates (1). This matters as many security conscious customers, particularly in the public sector, will require formal NCSC certification.
The NCSC have representation on the Quantum Communication Hub’s external advisory board. However any active involvement with the UK Quantum Network is not yet obvious to the public. Announced work currently only relates to the assurance and certification of QRNG devices, a worthy but limited step. However if this collaboration can be made to work it will provide a unique, powerful and difficult to replicate strength to the UK’s quantum ecosystem.
Actions for Business
Fact Based Insight believes that for most common applications, businesses should be happy to observe the NIST PQC process and be ready to adopt solutions from the suite of protocols it will recommend.
However for sensitive applications, some will need to move sooner. Businesses need to assess their exposure, particularly relative to others operating in their sector.
- Is there an accepted standard in our industry for how long sensitive data must remain confidential, including where it is intercepted and stored by a third party for later decrypt?
- Are competitors engaged in trials of quantum safe encryptions technologies? Are they making marketing claims on security?
- How do these threats overlay with regulatory standards? Financial Services will be affected by this, and especially the Fintech segment. Healthcare is also a sector with sensitive issues to explore.
- Are investments underway in long lived physical devices with a long expected lifecycle, such as Internet of Things deployments or smart vehicles? Oil & Gas, Automotive & Logistics and Aerospace & Defence are all sectors where businesses will find themselves impacted.
Businesses need to understand and assess their high level transition plans.
- How long will it take for our organisation to transition to quantum safe security arrangements?
- Are these matters being raised with key suppliers during procurement processes, particularly in terms of the availability of future upgrade paths (RFIs & RFPs)?
- Where remote systems or embedded devices are being deployed, has consideration been given to their future upgrade to quantum safe operation, and
- Is our business vulnerable to a ‘shock’ to public confidence in conventional ecommerce or data security and how would we respond? Even where our own plans are strong, could key employees respond quickly with the right messages to reassure customers and investors? Fintech companies and in particular companies with blockchain involvement should be prepared to offer ‘fire drill’ responses.
- Do we understand the balance of advice provided by our advisers and expert teams across ‘maths’ and ‘physics’ approaches to security.
Existing service providers and equipment manufacturers need to be ready for the threat of new entrants.
- What new entrants are preparing products or services that might be disrupt our existing value chain position?
- Do our teams and our technology partners have access to the right balance of expertise across these new areas?
- Are we ready to engage with our customers to ensure that we are seen as a reliable and value adding partner during this transition?
Investors should seek opportunities in this now rapidly developing field.
- Large companies should consider establishing quantum-dedicated groups. Others may seek to buy-in expertise from established midsized quantum businesses to strengthen the leadership to their existing efforts.
- A steady stream of startup opportunities are emerging as spinoffs from academia. National programmes are increasingly in place to offer a favourable environment for investment and co-working with these opportunities.
- As leaders emerge from the NIST PQC starndardisation process, expertise is likely to be scarce in leading protocols. Academic spinoff opportunities are also likely here. In some cases patent rights may apply.