Royal Holloway Series 2011 Quantum key

distribution: HOME

HOW DOES Awesome or pointless? QKD WORK? QKD NETWORK APPLICATIONS

Some believe the advent of quantum computing will reduce the COMMERCIAL PROSPECTS time taken to solve cryptographic algorithms so dramatically that they will no longer provide effective security. Sheila Cobourne CONCLUSION and Dr. Carlos Cid explain how Quantum Key Distribution could provide a solution.

1 Royal Holloway Series 2011 Quantum key distribution: Awesome or pointless?

INTRODUCTION This uses the quantum properties of light sent ryptography is one of the success along a specialised channel (quantum channel) stories in the information security and existing laser, fibre-optic and free-space world. Properly implemented cryp - transmission technologies can support this. tography allows sensitive informa - QKD’s security is based on the laws of quantum tion (such as credit card details) to physics alone, rather than hard mathematics, and Cbe transmitted through a potentially is unbreakable. However, some analysts do not insecure environment like the Internet. It provides see the need for QKD, as existing non-quantum HOME the essential security services of confidentiality, (classical) cryptographic systems are secure HOW DOES integrity and authentication for millions of day- enough. (The security guru Bruce Schneier has QKD WORK? to-day transactions. called quantum cryptography “as awesome as it However, some of the most popular types of is pointless,” so no prizes for guessing where he QKD NETWORK cryptography rely on the difficulty of solving hard stands on the issue!) APPLICATIONS

mathematical problems to provide security This article describes quantum key distribution, COMMERCIAL against attack: it is believed that the advent of its strengths and weaknesses, its place within PROSPECTS quantum computing will reduce the time taken cryptography, and whether it is actually needed at to solve these problems so dramatically, that they all. It will also identify potential applications and CONCLUSION will no longer provide an effective security commercial prospects of QKD. But, fear not, no method. quantum physics or mind-boggling mathematics All is not lost, though — a totally new tech - will be used! Of necessity, technical terms are nique, quantum cryptography, is waiting in the needed throughout the report, so some basic wings. This harnesses the laws of quantum cryptography will be explained in the next section, mechanics, along with quantum computing before proceeding on to a discussion of QKD itself. power, to provide information security. Since quantum computing is still in its infancy, this is still largely a theoretical area, but one type of CRYPTOGRAPHY BASICS quantum cryptography is achievable with today’s Cryptography is generally used when communi - 2 technology — Quantum Key Distribution (QKD). cating parties wish to exchange information over Royal Holloway Series 2011 Quantum key distribution: Awesome or pointless? an insecure channel. Within the cryptographic secure way of distributing keys uses a trusted community, these communicating parties are courier to physically transport a key in a tamper- conventionally called Alice and Bob: it is assumed proof medium (such as a smart card). However, that messages and information sent between if the courier is actually untrustworthy he or she them could be subject to eavesdropping by an can change or damage the key in transit, and the adversary called Eve. (Alice, Bob and Eve aren’t procedure fails. necessarily human, by the way — they could also be PCs or software.) Cryptography could not HOME Keys are a fundamental element of cryptogra - function without keys, but HOW DOES phy. They are special pieces of data that are care - QKD WORK? fully generated for use in the encryption and it is a major challenge to decryption of sensitive information. It is essential QKD NETWORK that the keys are kept secret. This is related to the ensure that the correct key APPLICATIONS well-known Kerckhoff’s principle, which states is available to Alice and Bob COMMERCIAL that the security of a cryptographic system PROSPECTS should not rely on the secrecy of the algorithm at the right time. used for encryption and decryption, but rather CONCLUSION on the secrecy of the key. Different security levels can be achieved by Cryptography could not function without keys, classical cryptography. Computational security but it is a major challenge to ensure that the exists where a system is theoretically breakable correct key is available to Alice and Bob at the by trying every possible key — the brute-force right time. There are several approaches to attack — but the computational effort required to overcome this problem: a key can be generated do so is so time-consuming and expensive that it centrally and sent to Alice and Bob when needed is not economically viable for an attacker to per - (key distribution) or Alice and Bob could gener - form the attack. Unconditional or perfect security ate a key between themselves (key establish - exists in cases when, even if an attacker has ment or key agreement). However, no existing infinite resources at their disposal, the system 3 method is 100% secure. For example, a very still cannot be broken. Royal Holloway Series 2011 Quantum key distribution: Awesome or pointless?

The One-Time Pad (OTP) is a method for detection equipment for each piece of quantum achieving perfect security of encryption, provided information sent, Bob’s measurements will either that it uses a key that is randomly generated, as be perfectly correct, or a completely random value. long as the message and is used only once. How - This is a direct consequence of quantum physics. ever, OTPs have immense practical difficulties: The sending and receiving of quantum information generating long, truly random keys is problematic; is the only quantum part of QKD: everything that distributing the keys to recipients is a logistical follows is done using conventional technology, and nightmare; sender and receiver have to be totally is called classical post-processing. HOME synchronized to make sure that the same keys are Alice and Bob then use a secure classical com - HOW DOES used for the same message; and ensuring keys munications channel to compare Alice’s informa - QKD WORK? are never re-used is a challenging task. For this tion sent with Bob’s information received, and reason, OTPs are currently seldom used in prac - they decide which measurements will be used to QKD NETWORK tice, but as will be seen in this report, when com - generate the secret key. This potential key material APPLICATIONS bined with quantum key distribution they become is subjected to standard error-correcting routines, COMMERCIAL a much more realistic option. and then compressed in a process known as PROSPECTS Now the terminology is clearer, a brief descrip - privacy amplification. The next phase, however, tion of quantum key distribution follows - where is the most important: authentication. Quantum CONCLUSION the cryptographic and quantum world meet. key distribution is vulnerable to Man-in-the-Mid - dle attacks, where an attacker not only controls communications between Alice and Bob but HOW DOES QKD WORK? impersonates Alice to Bob and vice versa. Despite its name, quantum key distribution is Authentication is essential to ensure information a key establishment method which creates key is being transferred between the correct parties. material by using the quantum properties of light Once all the classical post-processing has been to transfer information from Alice to Bob. successfully completed, the key that has been Alice sends some quantum information to Bob established can be used by Alice and Bob in along a specialised quantum channel, such as a classical encryption. 4 fibre optic link. Depending on how he sets his If Eve attempts to intercept the initial quantum Royal Holloway Series 2011 Quantum key distribution: Awesome or pointless? communication, she will always be detected erty of quantum key distribution is that a rela - thanks to the effects of quantum mechanics: a tively short input can be used to generate per - higher than expected number of errors will occur fectly secure random key material ever after, as in Bob’s measurements. Alice and Bob can then follows. A secret key is shared between Alice abandon the key and try again at a different time and Bob to authenticate the very first quantum when Eve has retreated, cursing the laws of exchange: it has been shown that using part of physics. A key established via quantum key distri - the output of this QKD session to authenticate bution simply cannot be compromised by Evil Eve. the next QKD session means that this second HOME round is also perfectly secure. QKD can there - HOW DOES Alice and Bob can then fore be run almost continuously without loss of QKD WORK? abandon the key and try security, and the short initial key can be expand - ed: each new QKD session key is independent QKD NETWORK again at a different time of all previously used keys, so this reduces the APPLICATIONS

number of ways a malefactor can attack the COMMERCIAL when Eve has retreated, system. PROSPECTS cursing the laws of physics. Additionally, security provided by QKD is future proofed: it means that even if a cryptographic CONCLUSION A point to remember is that all key material system is broken at some unspecified future time, produced by quantum key distribution is stored previous messages sent through it remain secure. on conventional equipment, and used in classical The unconditional security of QKD systems has encryptions: quantum computers are needed to been mathematically proven: even in the face of store information in quantum form, and they are an adversary with infinite supplies of time and not available using current technology. processing power, the security simply cannot be broken. And, of course, Eve is forced to pack up her WHAT ARE QKD’S STRENGTHS? eavesdropping kitbag and head for the hills, Quantum key distribution is a particularly good howling in frustration because she will always 5 method for producing long random keys. A prop - be found out. Royal Holloway Series 2011 Quantum key distribution: Awesome or pointless?

WHAT ARE QKD’S WEAKNESSES? human deficiencies — a password written on a Quantum key distribution sounds almost too Post-it note stuck to a screen, for example — good to be true, and yet there has been no mass than by cryptographic attack. stampede to implement it on a large scale. There Also, despite rumours of its imminent demise, are a number of technical weaknesses, but the it’s not all doom and gloom in the classical arena. crux of the matter is — do we really need it? Admittedly, cryptography-killing mathematical Technical weaknesses appear when the practi - advances could happen at any time, regardless calities of QKD implementation are assessed: of quantum computing developments. But when HOME quantum channels can only work over a limited quantum computers’ spectacular processing HOW DOES distance; information currently can’t be trans - capabilities render some schemes unusable, QKD WORK? ferred fast enough to provide adequate service other types of algorithm will remain secure by levels; quantum optic equipment is vulnerable to simply increasing the length of the key. There are QKD NETWORK attack; and an expensive new infrastructure will also new cryptographic methods under develop - APPLICATIONS be needed to support quantum processing. ment, which are immune to quantum processing COMMERCIAL But the real issue — the $64,000 question — advances. PROSPECTS is whether QKD is actually necessary. There are Is the promise of perfect security a big enough classical equivalents to all the functions it pro - business imperative to warrant the expense of CONCLUSION vides, and introducing quantum key distribution, specialised equipment and infrastructure? Classi - with its associated perfect security, does not cal cryptography provides more than adequate necessarily increase the overall protection of a security, so the benefits of QKD are really system. As Bruce Schneier states “[s]ecurity is unclear: should pragmatism win over theory? a chain: it’s as strong as its weakest link”. It is Examining some of the proposed practical appli - possible to build an insecure system using strong cations may shed some light on this dilemma. cryptography, whilst believing that the overall security level is as strong as the cryptographic mechanism used. Classical cryptography is an QKD NETWORK APPLICATIONS extremely strong defence mechanism. If a security A networked solution suggests itself because of 6 system fails, it is much more likely to be through the technical restrictions on quantum channels. Royal Holloway Series 2011 Quantum key distribution: Awesome or pointless?

Quantum channels only function over a limited “closed” because only authorised parties with distance, and amplification of the quantum infor - appropriate equipment can overcome the barriers mation signal won’t be possible until quantum to joining. This is in marked contrast to the freely computers are available. Joining many “Alice- available, “open” network that is the Internet, Bob” QKD paths into a quantum network extends where anyone with a PC and a phone connection the range of the quantum information transfer, can join in the online fun. and this has been tested practically: the EU-fund - ed SECOQC project operated one such network The closed nature of QKD HOME as a field trial in Vienna in 2008. A classical key HOW DOES management infrastructure was designed to sup - networks suggest that they QKD WORK? port this network’s quantum capability, including are best suited to high secu - unconditionally secure classical authentication of QKD NETWORK each quantum link to prevent man-in-the-middle rity, controlled environments, APPLICATIONS attacks. COMMERCIAL Several manufacturers took part in the SECO - where only users who are PROSPECTS QC project, including idQuantique and Toshiba, known and trusted can use testing a range of commercially available equip - CONCLUSION ment and quantum transfer techniques. Most them. exceeded the SECOQC performance objectives for both key generation rates and the distance the The closed nature of QKD networks suggest quantum signal could travel — a very encouraging that they are best suited to high security, con - start for a new technology. trolled environments, where only users who are Along with specialised quantum generation and known and trusted can use them. But QKD, when measurement equipment, a quantum channel combined with OTPs or other existing cryptogra - and a conventional communications channel, phy can result in very long-term security. This Alice and Bob need to pre-share an authentica - may be useful in organisations such as Govern - tion key before they can attempt quantum key ment and Intelligence agencies or businesses 7 distribution. This means QKD networks are with long-term strategic trade secrets which need Royal Holloway Series 2011 Quantum key distribution: Awesome or pointless? to be kept confidential. used immediately at the quantum ATM or stored Another application arena for QKD may be in securely on the quantum token for later use. Closed Electronic Data Interchange systems Once a key has been used in a transaction, it is (EDI), such as the SWIFT and CHAPS systems, deleted from the quantum token, so the quantum which are used for high value banking transactions. top-up procedure needs to be repeated at intervals: Quantum key distribution has already been used to i.e. the key is a consumable. safeguard financial transactions; in 2004, money This method could potentially be used in both was transferred between Vienna City Hall and anti-skimming procedures and online banking HOME Bank Austria Creditanstalt — a donation of ¤3,000 applications. HOW DOES from the Mayor of Vienna to the Univer sity of Skimming attacks are used to steal card and QKD WORK? Vienna. PIN data at bank ATMs. If a key generated in a quantum top-up process is used immediately at QKD NETWORK the quantum ATM to encrypt a PIN via a one- APPLICATIONS

SHORT RANGE QUANTUM time pad, perfect security can be achieved. Eaves - COMMERCIAL KEY DISTRIBUTION APPLICATIONS dropping of the quantum top-up will always be PROSPECTS Another implementation approach concentrates detected, and perfect security cannot be broken, on very short range QKD, where a quantum “Alice so skimming will become impossible. CONCLUSION module” is held on a portable token/smart card Online banking fraud is increasing, not because (a “quantum token”) and a quantum “Bob mod - bank systems are easy to break into — they are ule” is fixed into a permanent structure such as a not. Instead, online banking users are targeted to bank ATM (“quantum ATM”). They communicate get them to reveal security information. Examples via free-space quantum optic technology (i.e. include “phishing” emails which trick the user there is no fixed fibre optic link between them), into revealing secret password details or active and use classical authentication methods to keep attacks which redirect unsuspecting users to the man-in-the-middle at bay. malicious websites which harvest their data. A “quantum top-up” procedure uses this equip - Some banks have implemented authentication ment to generate keys via QKD: these keys schemes using “something you know” (a PIN) 8 (sometimes called “quantum secrets”) can be and “something you have” (a dedicated card Royal Holloway Series 2011 Quantum key distribution: Awesome or pointless? reader for a Chip and PIN bank card). Using a COMMERCIAL PROSPECTS suitable reader, this approach could be adapted For a technology to become successful commer - to use keys stored on a quantum token. As keys cially, it must solve a business problem, save are deleted from the token once they have been money or make an existing procedure more used, this limits the number of times the token streamlined. There will be applications where could be used before a visit to a bricks-and-mortar QKD could be ideal — replacing trusted couriers bank facility is necessary to perform a quan tum or in high security environments for example — top-up procedure. and others where the benefits are not so clear — HOME Another method of authentication (used widely e.g. anti-skimming and online banking. In all HOW DOES in Germany) is the Transaction Authorisation cases, extensive (and expensive) infrastructure QKD WORK? Number (TAN) scheme. TANs are 6 digit numbers is needed to allow the technology to work. issued to bank customers, to be used to authenti - QKD NETWORK APPLICATIONS cate transactions online in conjunction with a Research and development PIN. TANs can be supplied on printed lists, or COMMERCIAL sent to the customer’s mobile phone (Mobile continues to increase the PROSPECTS TAN or mTAN). However, there are security weaknesses: for example, criminals are paying efficiency and reduce the CONCLUSION high prices for old Nokia 1100 mobile phones cost of the equipment needed which can be re-programmed to use someone else’s phone number, and hence receive their for quantum key distribution. mTANs. Using a suitable reader, the keys stored on Research and development continues to a quantum token could be used in authentica - increase the efficiency and reduce the cost of the tion via a TAN system. The quantum top-up equipment needed for quantum key distribution. procedure is very similar to other methods For example, in 2009, Toshiba Research Labs of obtaining TAN lists from banks — i.e. in a developed a new photon detector: this allows separate stage, independent of the online faster transfer rates along longer quantum chan - 9 transaction. nels to be achieved. Andrew Shields of Toshiba Royal Holloway Series 2011 Quantum key distribution: Awesome or pointless? commented that it “means we could have 8,000 the general public, ease of use will be paramount. users and the technology starts to become very QKD anti-skimming benefits will be gained with - useful”. Commercially available products such as out any extra effort on the part of the user; how - idQuantique’s Cerberis have been designed to fit ever, the use of keys from a quantum token in into existing fibre-optic networks, to provide both online banking is less convenient than present QKD and classical encryption which achieve the systems, and would require a culture shift in highest security levels. MagiQ’s QPN Security usage for the U.K market. Unlike a Chip and PIN Gateway is advertised as being suitable for use card, which can be used whenever it is needed HOME in the military, intelligence, financial and disaster (funds allowing!), a quantum token uses up its HOW DOES recovery arenas. There is clearly a confidence in keys every time a transaction is done, and QKD WORK? the QKD equipment supplier world that there is requires regular replenishing via a quantum a market for their goods. top-up procedure. There may be times when QKD NETWORK the quantum token is unusable if there are no APPLICATIONS Compliance regulations, such keys left on it. COMMERCIAL However, in other countries (e.g. Germany) PROSPECTS as BASEL and Sarbanes-Oxley, where the TAN system of authentication is in require companies to protect use, the consumer experience is different. As CONCLUSION procedures already exist for TANs, introducing their data from threat. a quantum top-up stage (assuming equipment and infrastructure is in place) would be a Compliance regulations, such as BASEL and replacement process rather than an addition, Sarbanes-Oxley, require companies to protect and hence may be more acceptable to users. their data from threat. This may lead to increased Ultimately the business decision whether to pressure on organisations to use the most up-to- adopt this new technology will boil down to a date security technologies such as QKD. Building cost/benefit analysis. Costs are measured in hard systems that are future-proofed is highly desirable: cash and working hours for personnel: benefits QKD can play its part here, too. however can be intangible as well as squarely 10 With regard to portable applications aimed at aimed at the balance sheet. There may be reputa - Royal Holloway Series 2011 Quantum key distribution: Awesome or pointless? tional advantages for an organisation if they up-to-date techniques, they will gain a degree of adopt QKD technology: implementing the kudos as an early adopter — this intangible bene - newest, coolest technology makes a business fit may be seen as a means to competitive advan - seem cutting-edge. On the other hand, introduc - tage. Deploying quantum tokens and ATMs ing an immature new security technology could requires a huge investment in infrastructure: it is be detrimental to corporate image if it does not debatable whether this could be justified finan - work as well as expected and leaves the organisa - cially. QKD networks are, therefore, most suited tion open to attack. to high security environments where costs may HOME Does new technology necessarily equate to not be a stumbling block. HOW DOES better technology? The benefits of quantum key QKD WORK? distribution may only be marginal for some appli - Deploying quantum tokens cations: it may be that the large corporate invest - QKD NETWORK ment required for QKD infrastructure, equipment and ATMs requires a huge APPLICATIONS and education could be better spent developing COMMERCIAL less radical technologies to solve the same busi - investment in infrastructure: PROSPECTS ness issues. it is debatable whether this CONCLUSION Business decisions are never easy! could be justified financially.

CONCLUSION There are applications that need the perfect The overall conclusions that can be drawn from security a one-time pad encryption can offer: this study are somewhat mixed. since quantum key distribution is good at creating Commercial success for a technology occurs the required long random keys from a short input, when its benefits to an organisation outweigh its OTPs could therefore become a more practical costs. Benefits can be tangible (e.g. money saved) option. or intangible (e.g. reputational benefits). For Had QKD been a mature technology when Chip example, an intangible benefit could be gained and PIN systems were introduced in 2006, it 11 if an organisation thinks that by using the most would have been a relatively easy (although more Royal Holloway Series 2011 Quantum key distribution: Awesome or pointless? costly) task to include quantum processing mod - and consequences of adopting a “good enough” ules in the Chip and PIN readers to provide quan - route rather than a “perfect” one have to be tum top-up capability. Or, if quantum computers managed as part of an organisation’s overall were currently sophisticated enough both to risk portfolio. endanger the security levels provided by mathe - matically intractable cryptography and to provide Eventually there will come a fully-functioning quantum networks, then QKD could provide an excellent method of key estab - time when the performance HOME lishment in a quantum computing environment. and cost differences between HOW DOES Unfortunately, neither of these scenarios is true, QKD WORK? so quantum key distribution has arrived in the conventional and quantum commercial sphere both too early and too late — networks will be negligible QKD NETWORK the right technology, at the wrong time. APPLICATIONS

Research efforts continue to make quantum and the implementation COMMERCIAL equipment faster, more effective and cheaper. decisions can be based on PROSPECTS Eventually there will come a time when the per - formance and cost differences between conven - security issues alone. CONCLUSION tional and quantum networks will be negligible and the implementation decisions can be based Although absolute confidence in quantum key on security issues alone. distribution may be slightly misplaced at the The main problem QKD faces is that all poten - moment, it is most certainly an area that merits tial application areas identified for it have existing further research. Bruce Schneier’s description — classical methods of achieving very good security “awesome [but] pointless” — is not 100% true. levels. It would be a brave executive indeed who “Awesome” ? Definitely. Using quantum mechanics attempts to justify the costs of installing expen - to provide unconditional, eavesdropper-proof sive new equipment and changing existing sys - security is awesome by any standard. “Pointless” ? tems so that extremely good security can be Not totally. QKD can co-exist peacefully alongside 12 upgraded to (claimed) perfect security. The cost classical cryptographic methods, not replacing but Royal Holloway Series 2011 Quantum key distribution: Awesome or pointless? enhancing them. Used in carefully selected appli - cations in this way, quantum key distribution could have a viable commercial future awaiting it.

ABOUT THE AUTHORS

Sheila Cobourne has a background in HOME systems analysis and worked in multi-national HOW DOES oil companies and financial organisations before QKD WORK? taking an extended career break to raise a family. During this time she also studied part-time for an QKD NETWORK MBA and MSc in Mathematics. APPLICATIONS

Introduced to cryptography though mathematics, COMMERCIAL she became interested in the wider area of informa - PROSPECTS tion security, which led to her taking the MSc at Royal Holloway. CONCLUSION Sheila is currently applying to do a doctorate at Royal Holloway. Her research interests include smart cards, cryptography and the human aspects of information security.

Dr Carlos Cid received his PhD in Mathematics from the University of Brasilia, Brazil in 1999. He joined the Information Security Group at Royal Holloway in October 2003 and has a broad interest in the area of information security, in 13 particular cryptography.