Quantum Key Distribution: Advantages, Challenges and Policy

Victor Lovic Department of Physics Imperial College London [email protected] Abstract

The prospect of quantum computing threatens the security of modern encryption methods, putting our private communications at risk. With experts predicting the development of powerful quantum computers as early as the end of the decade, the urgency of transitioning to ‘quantum-safe’ communications is apparent. There are two classes of solutions available: post-quantum cryptography (PQC), which refers to communication algorithms designed to be safe against quantum computers, and quantum key distribution (QKD), a new technology with unique advantages and challenges. These solutions are not mutually exclusive, and this review argues that they are in fact complementary solutions to the threat of quantum computing. However, QKD has received criticism for being a less practical solution than PQC. This review makes the case for QKD and argues that it offers significant advantages which are not adequately recognised. I conclude that the development of QKD would benefit from increased government support and I provide policy recommendations for how to best support it.

Since the first theoretical developments in the Introduction 1980s, quantum computers have quickly become a reality. Major investments from government research budgets and private companies have led to Quantum computing is a new technology which the development of the first iteration of quantum promises to perform certain computations much computers, comparable perhaps to the first (clas- faster than any modern supercomputer. Accel- sical) computers built nearly 70 years ago using erated drug discovery and better climate models vacuum tubes. This rapid progress is cause for are just two examples of applications which will alarm since when a sufficiently powerful quantum benefit from the capabilities of quantum comput- computer is developed, our standard encryption ers. On the flip side, quantum computers will methods will become inadequate and our com- also be able to break most methods of encryption munications insecure. Moreover, not only are used today, putting our private communications our future communications under threat, our cur- at risk. Quantum Key Distribution: Advantages, Challenges and Policy rent communications are too: modern encryption which we call the ‘key’. To encrypt a message, methods rely on what is known as ‘public-key’ Alice replaces each letter with another letter a cryptography. The word ‘public’ points to the fixed number of positions down the alphabet, de- fact that information encrypted in this way can termined by the value of the key. To decrypt be recorded and stored by anyone. This opens the message, Bob simply reverses the process, the possibility for an eavesdropper to record our replacing each letter by that found the same num- private, encrypted communications and wait for ber of positions up the alphabet. While modern a sufficiently powerful quantum computer to be- cryptography has advanced a great amount, it come available and use it to decrypt them in the is still based on the same principle: two com- future. Since we require certain communications municating parties agree on a secret number, or to remain private for long periods of time, we key, which they use to encrypt and decrypt their must make the transition to quantum-safe forms communications. This type of cryptography is of communications well in advance of the devel- known as ‘symmetric-key’ cryptography because opment of quantum computers. This is especially the same key is used for encrypting and decrypt- true since transitioning to ‘quantum-safe’ forms ing messages. The problem with symmetric-key of communications could take many years. cryptography is that Alice and Bob need to agree on a secret key before communicating. This re- Fortunately, alongside the development of quan- quires them to either meet in person or use a tum computers, there has been ongoing research trusted courier, neither of which are practical into alternative, quantum-safe communication solutions for securing the vast amount of infor- methods. Broadly speaking, two distinct classes mation that is nowadays sent over the internet. of solutions are available, known as post-quantum The solution to this problem, only developed in cryptography (PQC) and quantum key distribu- the 1970s, is known as ‘public-key’ cryptography. tion (QKD). This review gives an overview of both In public-key cryptography, the keys that are technologies but will focus on the advantages and used to encrypt and decrypt the communications challenges presented by QKD. I argue that QKD, are different, but mathematically related. The being a truly novel technology, is poorly under- key which is used to encrypt messages is made stood and in need of a defence. It has significant public, while the key used to decrypt messages advantages which are not adequately recognised is kept private. In this way Bob can send Al- and there has been tremendous progress in ad- ice his public key, which can be seen by anyone, dressing the practical challenges of making it a for her to encrypt her messages with. She can useful and cost-effective solution. The review then send her encrypted message to Bob and, cru- is structured as follows: Section 2 introduces cially, only he will be able to decrypt it, since only public-key cryptography and why quantum com- he has the corresponding private key. Since the puting poses a threat to private communications; keys are mathematically related, it is important Section 3 introduces PQC and QKD as poten- that no eavesdropper is able to figure out the pri- tial solutions to this threat; Section 4 makes the vate key given the public key. The mathematical case for QKD and finally Section 5 discusses the problem for doing this needs to be ‘intractable’, outlook of both technologies and provides policy that is, very difficult and time-consuming. For recommendations. example, the mathematical problem that guar- antees the security of the widely used public-key RSA protocol is factoring: the process of finding Cryptography and Quantum the prime factors of a large number. It would Computers take modern computers thousands of years to factor the public keys used in RSA encryption, which is why the communications are considered Cryptography has been used for centuries. An secure. If an eavesdropper was able to quickly early example is the so-called Caesar cipher used, factor large numbers, then they would be able to as the name suggests, by the ancient Romans. break RSA encryption since they could extract The Caesar cipher works as follows: two people the private key from the public one. Although who want to communicate, conventionally called there are good reasons to think that factoring Alice and Bob, privately agree on a secret number,

2 Cambridge Journal of Science & Policy, Vol 1 (2020), Issue 2 Quantum Key Distribution: Advantages, Challenges and Policy

really is an intractable problem, there remains Computing (IQC) at the University of Waterloo, the possibility that a mathematical or technolog- predicts a 50% chance of quantum computers ical breakthrough will allow us to quickly factor breaking RSA encryption by 2032 [4]. His col- large numbers. Indeed, in 1994, the physicist league Matteo Mariantoni, also professor at IQC, Peter Shor showed that quantum computers will believes that a quantum computer capable of be able to quickly factor large numbers and de- breaking RSA encryption could be built by 2030 code other mathematical encryptions currently [5]. In many cases, private information needs used in public-key cryptography. A white paper to be kept secret for several years. For exam- published by the European Telecommunications ple, census data in the UK is required to remain Standards Institute (ETSI) states that undisclosed for 100 years [6] and it is easy to understand why health records, government com- [m]ost of the public-key cryptog- munications, and other sensitive data have similar raphy that is used on the Inter- secrecy lifespans. If predictions about the devel- net today is based on algorithms opment of quantum computers are correct, then that are vulnerable to [attacks by these types of data are already at risk of being a quantum computer]. These in- hacked by a future quantum computer. To make clude public-key algorithms such matters more urgent, transitioning to quantum- as RSA, ECC, Diffie-Hellman safe forms of communication could require several and DSA [1]. years, so it is apparent that we must start this transition now. This means that, in a future with sufficiently advanced quantum computers, currently used public-key cryptography is at risk. And not only are our future communications at risk: quantum Two Solutions computers threaten our current communications too. Public keys, by definition, can be recorded Fortunately, scientific research has not focused and stored by anyone, along with the encrypted solely on building quantum computers, but also messages. In this way an eavesdropper could on developing quantum-safe communications, record encrypted private communications and cor- such as PQC and QKD. responding public keys and wait for a sufficiently We saw that the security of public-key cryptog- powerful quantum computer to become available. raphy is based on the intractability of certain They could then use the quantum computer to mathematical problems. For the most widely solve the mathematical encoding problem, obtain used public-key protocols, quantum computers the private key, and decrypt the communications. could quickly solve these intractable problems, This is known as ‘retrospective decryption’ and all rendering the communications insecure. However, public-key cryptography protocols are susceptible the possibility exists that other mathematical to this attack [2]. problems will remain intractable, even to quan- So how long will it take for sufficiently power- tum computers. This is what motivates research ful quantum computers to become available? A into PQC. PQC refers to cryptographic proto- leader in the quantum computing race, Google cols which are thought to be secure even against CEO Sundar Pichai, speaking at the 2020 World quantum computers. In this way, the threat of Economic Forum in Davos, claimed that quantum computing is averted by exchanging the cryptographic protocols we use with ones that In a five to ten year time frame, are based on mathematical problems which are quantum computing will break intractable even to quantum computers. encryption as we know it today [3]. PQC is a very appealing solution since it is based on the same principles as the cryptographic meth- This is arguably an overly optimistic outlook from ods we use today. Transitioning to quantum-safe a tech-company executive, but predictions coming communications using PQC could involve little from academia are also sobering. Michele Mosca, more than a software update to our computers. Physics professor at the Institute for Quantum And there are already many proposed PQC proto-

Cambridge Journal of Science & Policy, Vol 1 (2020), Issue 2 3 Quantum Key Distribution: Advantages, Challenges and Policy

cols; currently there is active research into testing they would inevitably introduce a disturbance in and validating these new protocols. The National the key, which Alice and Bob could detect. Cru- Institute for Standards and Technology (NIST) in cially, quantum mechanics and these two prop- the USA is currently hosting a competition [7] to erties of quantum information are fundamental identify the most promising PQC protocols with theories in physics. This makes QKD resilient to the intention of establishing new standards for any future advances in mathematics or technology quantum-safe communications. After reducing since, unlike public-key cryptography, it does not the initial pool of 69 candidate protocols down make any assumptions about the intractability to 26, they have now entered the second phase of of certain mathematical problems, or about the this process, during which the remaining candi- technology available to potential eavesdroppers. dates will be further examined with the aim of In practice, QKD consists of using hardware like drafting the final standards for PQC in 2022. lasers and specialised electronics to send single photons through optical fibres between Alice and The downside is that public-key PQC protocols Bob. Making the transition from our current en- are still vulnerable to retrospective decryption cryption methods to QKD would therefore require and future advances in mathematics or technology much more than a software update. that might render them insecure. The possibility remains that mathematical problems that we once Clearly there are pros and cons to each solution. thought intractable, even for quantum computers, PQC offers quantum-safe communications based turn out not to be. on the same cryptographic principles used today. QKD provides unique advantages at the Quantum key distribution (QKD) is a fundamen- cost of requiring large changes in infrastructure tally different approach to quantum-safe com- and hardware. munications, based on the principles of physics rather than on the use of intractable mathematical problems. QKD solves the same problem as The Advantages and Chal- public-key cryptography: it allows two parties (Alice and Bob) to establish a secret key between lenges of QKD them. The key can then be used with symmetric- key cryptography to communicate securely. In The National Cyber Security Centre (NCSC) in QKD, Alice and Bob communicate using single the UK released a white paper on QKD in 2016 particles of light, called photons. Photons obey ‘[making] the case for research into developing the laws of quantum mechanics, which is the post-quantum cryptography as a more practical physical theory that describes the behaviour of and cost-effective step [than QKD] towards de- very small objects, like single atoms, or photons. fending real-world communication systems from When we use single photons to carry information, the threat of a future quantum computer’ [8]. we call that information quantum information, They followed this up with a report in 2020 re- which has different properties to classical infor- iterating that they ‘[do] not endorse the use of mation. Quantum information has two unique QKD for any government or military applications’ properties that make QKD secure: citing the ‘specialised hardware requirements of QKD’ as a reason [9]. In light of this criticism, 1. It is impossible to make exact copies of and the fact that QKD is a truly novel technology, quantum information. I argue that the advantages of QKD are poorly 2. It is impossible to measure or observe understood and the practical challenges are over- quantum information without introduc- stated. In what follows, I will outline the unique ing a disturbance and changing it in some advantages offered by QKD, as compared to PQC, detectable way. and then address the main issues regarding the practicality of this technology. In this way, if Alice sends Bob a secret key using quantum information carried by photons, she can First, QKD offers future-proof communications. be sure that: 1. no eavesdropper is able to copy This does not mean that a QKD system will and store that information and 2. if an eavesdrop- never be hacked, but rather that communications per tried to measure or observe the secret key, secured via QKD cannot be hacked after the com-

4 Cambridge Journal of Science & Policy, Vol 1 (2020), Issue 2 Quantum Key Distribution: Advantages, Challenges and Policy

munication has happened: either the hacking outside the scope of this review, the quantum happens in real-time or it does not happen at internet has applications not just for secure com- all. With QKD, cryptographic keys are never munications but also for ‘secure access to remote made public and, as described in the previous quantum computers, more accurate clock syn- section, QKD keys are impossible to copy and chronisation and scientific applications such as store. This is an important advantage over our combining light from distant telescopes to im- current, and any future, public-key cryptography prove observations.’ [11]. A QKD infrastructure methods, including those based on PQC. With will serve as the foundation for such a quantum public-key cryptography there is always the pos- internet. sibility that encrypted messages and public keys The main arguments against QKD revolve around are stored by an eavesdropper and decrypted at practicality. QKD is based on hardware, like a future date when, through advances in technol- lasers used to send photons through optical fi- ogy or mathematics, the communication protocols bres, while PQC is based on software, algorithms become insecure. QKD is the only known solu- much like the ones we currently use, which could tion to this retrospective decryption. QKD is run on our computers without modification. Ob- therefore particularly suited to securing commu- viously, as suggested by NCSC, PQC is the more nications with long secrecy lifespans that must ‘practical and cost-effective solution’. However, remain undisclosed for many years. Promising there has been tremendous progress in the past 20 use cases for QKD include the storage of financial years towards addressing the practical challenges and customer data by large institutions, the han- that come with implementing QKD in the real dling of private health records, including human world. Here, I will address potential concerns and genome data, and the protection of government give a sense for how far the technology has come. and military communications [10]. A central challenge in implementing QKD over Second, theoretical QKD protocols have been long distances and at high communications rates proven to be perfectly secure, while no such proof is the ‘transmission loss’ in optical fibres: approx- is available for PQC. PQC relies on assumptions imately nine out of ten photons are lost for every about the intractability of certain mathematical 50km of fibre they travel. In conventional com- problems. But we have seen how developments munications this problem is easily solved: optical in technology like quantum computing can un- signals can be amplified at regular distance inter- dermine these assumptions. With QKD we do vals using ‘repeaters’, allowing us, for example, to not need to rely on such assumptions, and we say send signals from Europe to the American conti- that QKD is ‘unconditionally secure’. This is not nent through underwater optical fibres. However, to say that QKD systems are perfectly secure, the process of amplifying an optical signal can just that the underlying theory is. It is then still be thought of as making extra copies of the pho- important to make sure that the physical systems tons to counteract the transmission losses. We that implement the theoretical QKD protocols do saw that quantum information cannot be copied, not inadvertently introduce any vulnerabilities, which makes it challenging to develop repeaters which might be exploited by an eavesdropper1. for quantum information. Although it is an active The study of these ‘implementation security’ vul- area of research, currently QKD cannot rely on nerabilities is an active area of research that is quantum repeaters to send quantum information bringing QKD systems closer to achieve an ideal over long distances. This means that the range of perfect security. of QKD is limited and that there is a trade-off Lastly, I argue that investing into the develop- between distance and the communication rate: ment of QKD promises benefits that go well be- the longer the distance between Alice and Bob, yond just securing our private communications. the fewer photons sent by Alice will reach Bob, In the long run, we can envision a ‘quantum inter- slowing the communication rate. net’, which is a network of quantum computers Much of the research in QKD has been devoted connected via QKD links. While the details are to increasing the distance and communication

1It should be pointed out that practical implementations of PQC can also introduce security vulnerabilities in the communication system.

Cambridge Journal of Science & Policy, Vol 1 (2020), Issue 2 5 Quantum Key Distribution: Advantages, Challenges and Policy

rate. Over the past two decades, there has been can be mass-produced at low cost and with ex- great progress on this front: record distances for tremely small footprints. Chip-based QKD will QKD have increased roughly tenfold from around lower costs and allow for easier integration with 50km to current state-of-the-art demonstrations conventional computers and communication sys- reaching distances over 500km [12]. These im- tems. provements are due to advances in the QKD hard- A testament to how far QKD has come are the ware as well as to the development of newer and many field-deployments of QKD networks around more efficient theoretical protocols. For longer the world. Most impressive is the 2000km long distances QKD needs to rely on repeaters. We QKD link (using trusted nodes) between Shang- saw that quantum repeaters are not yet available, hai and Beijing in China [15]. This project in- but by linking several QKD systems one after cluded the first demonstration of QKD performed the other we can achieve a similar result. The via a satellite, connecting cities in China and drawback is that at every link, or node, the secret Austria. Other countries including the UK [16], key is revealed. Therefore, we need to ensure that Switzerland [17], Austria [18] and Japan [19] have no eavesdropping can occur at these nodes. Un- also established prototype QKD networks. Most til quantum repeaters become available, trusted recently the ‘OpenQKD’ project, a collaboration nodes will be the main solution for long distance between 38 partner universities and companies, QKD. was launched in September 2019. With EU fund- Communication rate is another parameter where ing, the collaboration aims to ‘raise awareness QKD falls short compared to classical communi- of the maturity of QKD’ as a technology and cations. Current classical optical communications ‘lay the foundation for a pan-European quantum deliver speeds on the order of 100Gbit/s, whereas network’ [20]. QKD communications achieve rates in the range The challenges point nonetheless to the fact that of Mbit/s (100,000 times less). QKD is only used QKD will at first find applications in sectors deal- to distribute the secret keys used for encryption ing with especially sensitive information, which and not the private communications themselves, needs to be kept secret for many years. Less sen- so the communication rate requirements for QKD sitive communications can benefit from the high are lower. However, increasing the communica- speeds and low cost of PQC that we have come to tion rate of QKD is ‘arguably the most pressing expect from our current communication methods. task in order to widen the applicable areas of QKD and PQC can be seen as complimentary QKD technology’ [13]. solutions for building quantum-safe communica- QKD secured communications require specialised tion systems, together covering the whole range hardware and will undoubtedly cost more to de- from low cost and high speed, to long-term high- velop than the PQC alternative. As QKD moves security applications. Indeed the NCSC [9], the out of the lab and towards commercialisation and Blackett review [10], industry, and academia [2] real-world use, cost-effectiveness is becoming an agree that QKD and PQC should continue to be increasing focus of QKD research efforts. Two researched in parallel. results are particularly promising: first, it has been demonstrated that QKD can be performed on the same optical fibres and at the same time as Outlook and Policy Recommen- high-traffic classical communications [14]. QKD signals are so faint that there is no negative con- dations sequence for other users of these fibres. In this way QKD can make use of existing optical fibre ETSI cites a ‘perception of non-urgency’ as a bar- networks, removing much of the need for expen- rier to the adoption of quantum-safe communica- sive new optical fibre connections. Second, QKD tions [1]. This perception means that currently components are being integrated onto semicon- there are no strong financial incentives for de- ductor chips similar to the ones used in computers veloping quantum-safe communications, in stark and mobile phones. By leveraging advances in contrast to quantum computing. For this rea- semiconductor device manufacturing, QKD chips son, investments into quantum technologies, the so-called ‘quantum gold rush’, have been mostly

6 Cambridge Journal of Science & Policy, Vol 1 (2020), Issue 2 Quantum Key Distribution: Advantages, Challenges and Policy

directed to the latter [21]. Large technology com- mation Technology and Security profes- panies like Google, Microsoft and IBM are invest- sionals by the Cloud Security Alliance ing in their own research efforts. Companies, not found that ‘most respondents do not be- countries, are leading the race in quantum com- lieve there is an existing solution to the puting. In this context, government support for quantum computing threat’ [25]. the development of quantum-safe communications • Clarify the unique advantages of- is crucial. I argue that PQC is well supported, fered by QKD as compared to PQC. while QKD could benefit from increased support QKD is particularly suited to securing and investment. communications with long security lifes- There are already many proposed PQC protocols, pans and it is complementary to PQC. mostly coming from academia. What is needed In response to the recent NCSC white now is to test and validate these protocols. This paper, a commentary by the QKD in- work has been taken up by standards bodies. dustry and academic community states As mentioned earlier NIST is planning to con- that ‘wherever possible QKD should be clude its effort in this direction in 2022. In 2015 used in tandem with [PQC]’ and that ETSI established the Quantum Safe Cryptogra- ‘an approach suggesting a need to choose phy Working Group to assess and recommend between QKD and [PQC] is based on a PQC protocols. They recently held their sev- false dichotomy’ [2]. enth ‘Quantum Safe Cryptography Workshop’, • Involve the NCSC in key pro- bringing together academic and industry part- grammes for the development and ners. Additionally, companies like Google [22], standardisation of QKD. The QKD Microsoft [23] and Amazon [24] are already work- community commentary explicitly wel- ing towards integrating PQC protocols into their comes direct involvement from the NCSC services. This all contributes to a positive outlook in the development of new standards for for PQC. QKD [2]. The ETSI QKD Industry Spec- The perception of non-urgency, the practical chal- ification Group [26] works to ensure the lenges inherent to QKD, and a lack of awareness future interoperability of diverse QKD of its unique advantages make commercialising systems and that these systems are im- QKD challenging. Government support for this plemented in a safe manner. Involvement technology is crucial, not least since government by the NCSC would ensure these stan- and military applications are cited among the first dards meet the requirements of the Cyber use cases for QKD. I propose the following policy Assessment Framework. recommendations to support the development of • Engage in early trials of QKD for QKD, with a UK focus: government and military applications. Government and military have • Raise awareness of the threat long-term security needs that QKD is of quantum computing to private well suited to address. Direct involve- communications and the available ment in early trials will support the de- solutions. This is especially important velopment of QKD and ensure QKD sys- for industries and sectors with long-term tems meet the needs of this specialist security needs, which are particularly sector. vulnerable to retrospective decryption, like government, military, and healthcare. • Continue funding research address- The NCSC provides practical cyber secu- ing the practical challenges of rity guidance through its Cyber Assess- QKD. This funding can be seen as an ment Framework. This framework should investment, eventually paid off by the be updated to account for the threat of reduction in cost and by the increase quantum computers, especially to com- in performance of real-world QKD sys- munications with long secrecy lifespans. tems. Progress in QKD research shows Awareness of the available solutions is no signs of stopping, with novel theo- equally important. A survey of Infor- retical protocols designed on a regular

Cambridge Journal of Science & Policy, Vol 1 (2020), Issue 2 7 Quantum Key Distribution: Advantages, Challenges and Policy

basis and proof-of-principle experiments c 2020 The Author(s). Published by the Cambridge moving to real-world demonstrations [27]. University Science & Policy Exchange under the With continued investments we can ex- terms of the Creative Commons Attribution License pect the great progress of the past two http://creativecommons.org/licenses/by/4.0/, decades to continue. which permits unrestricted use, provided the original • Invest in a backbone QKD network. author and source are credited. QKD is limited in range, therefore establishing long distance connections between cities, and eventually countries, will re- References quire a large financial effort. An established backbone QKD network will make [1] European Telecommunications Standards it easier for companies and individuals Institute, “Quantum safe cryptography to connect, widening the market and de- and security: An introduction, ben- mand for QKD. A backbone QKD net- efits, enablers and challenges,” ETSI work will serve as the foundation for a fu- White Paper No. 8, June 2015. [On- ture quantum internet, with applications line]. Available: https://www.etsi.org/ that go beyond just secure communica- images/files/ETSIWhitePapers/ tions, increasing its value. QuantumSafeWhitepaper.pdf [2] Quantum Communications Hub, “Commu- nity Response to the NCSC 2020 Quantum Conclusion Security Technologies White Paper,” Is- sue 1.1, May 2020. [Online]. Available: There is an urgent need to transition the world’s http://bit.ly/NCSC2020Response communication systems to quantum-safe meth- [3] H. Boland, “Quantum computing could ods. This review made the case for quantum key end encryption within five years, distribution as a solution. QKD is: says Google boss,” The Telegraph, • future-proof: communications secured by Jan 2020. [Online]. Available: https: QKD cannot be retroactively hacked; //www.telegraph.co.uk/technology/2020/ 01/22/googles-sundar-pichai-quantum- • based on provably secure theoretical pro- computing-could-end-encryption/ tocols; [4] M. Mosca, “Cybersecurity in an era with • a building block towards a future quan- quantum computers: will we be ready?” tum internet. IEEE Security & Privacy, vol. 16, no. 5, pp. 38–41, 2018. The past 20 years of research and development in the field of QKD have helped to address the [5] NIST, “Report on Post-Quantum Cryp- practical challenges of implementing QKD sys- tography,” April 2016. [Online]. Avail- tems in the real-world. Proof of this are the many able: https://nvlpubs.nist.gov/nistpubs/ir/ demonstrations of quantum networks around the 2016/NIST.IR.8105.pdf world. Together, PQC and QKD can be used to [6] UK Office for National Statistics, “About secure our communications even in the presence the census,” September 2018. [Online]. of quantum computers. Government support for Available: https://www.ons.gov.uk/ QKD in particular is crucial while the technology census/censustransformationprogramme/ moves from research and development to commer- aboutthecensus cialisation. Sectors with long-term security needs, including government and military, stand to ben- [7] NIST, “Post-Quantum Cryptography,” efit from the unique advantages of QKD. The January 2017. [Online]. Avail- policy recommendations provided will support able: https://csrc.nist.gov/Projects/Post- the development of this technology and ensure Quantum-Cryptography that the long-term security needs of government, [8] NCSC, “Quantum Key Distribu- military and other sectors are met. tion,” November 2016. [Online]. Avail-

8 Cambridge Journal of Science & Policy, Vol 1 (2020), Issue 2 Quantum Key Distribution: Advantages, Challenges and Policy

able: https://www.ncsc.gov.uk/whitepaper/ chert, E. Diamanti, M. Dianati, J. Dynes quantum-key-distribution et al., “The SECOQC quantum key distri- [9] ——, “Quantum Security Technologies,” bution network in Vienna,” New Journal of March 2020. [Online]. Available: https: Physics, vol. 11, no. 7, p. 075001, 2009. //www.ncsc.gov.uk/pdfs/whitepaper/ [19] M. Sasaki, M. Fujiwara, H. Ishizuka, quantum-security-technologies.pdf W. Klaus, K. Wakui, M. Takeoka, S. Miki, [10] UK Government Office for Science, “The T. Yamashita, Z. Wang, A. Tanaka et al., quantum age: technological opportunities,” “Field test of quantum key distribution in November 2016. [Online]. Available: the Tokyo QKD Network,” Optics express, https://assets.publishing.service.gov.uk/ vol. 19, no. 11, pp. 10 387–10 409, 2011. government/uploads/system/uploads/ [20] “OpenQKD,” September 2019. [Online]. attachment_data/file/564946/gs-16-18- Available: https://openqkd.eu/ quantum-technologies-report.pdf [21] E. Gibney, “The quantum gold rush,” Nature, [11] S. Wehner, D. Elkouss, and R. Hanson, vol. 574, no. 7776, pp. 22–24, 2019. “Quantum internet: A vision for the road [22] K. Kwiatkowski, “Towards Post-Quantum ahead,” Science, vol. 362, no. 6412, 2018. Cryptography in TLS,” The Cloud- [12] J.-P. Chen, C. Zhang, Y. Liu, C. Jiang, fare Blog, June 2019. [Online]. Avail- W. Zhang, X.-L. Hu, J.-Y. Guan, Z.-W. Yu, able: https://blog.cloudflare.com/towards- H. Xu, J. Lin et al., “Sending-or-Not-Sending post-quantum-cryptography-in-tls/ with Independent Lasers: Secure Twin-Field [23] Microsoft, “Post-Quantum TLS.” [Online]. Quantum Key Distribution over 509 km,” Available: https://www.microsoft.com/en- Physical review letters, vol. 124, no. 7, p. us/research/project/post-quantum-tls/ 070501, 2020. [24] A. Hopkins, “Post-quantum TLS now sup- [13] E. Diamanti, H.-K. Lo, B. Qi, and Z. Yuan, ported in AWS KMS,” Amazon Web Services “Practical challenges in quantum key distri- Security Blog. [Online]. Available: https: bution,” npj Quantum Information, vol. 2, //aws.amazon.com/blogs/security/post- no. 1, pp. 1–12, 2016. quantum-tls-now-supported-in-aws-kms [14] K. Patel, J. Dynes, I. Choi, A. Sharpe, [25] Cloud Security Alliance, “Quantum- A. Dixon, Z. Yuan, R. Penty, and A. Shields, Safe Security Awareness Survey,” “Coexistence of high-bit-rate quantum key January 2018. [Online]. Available: distribution and data on optical fiber,” Phys- https://cloudsecurityalliance.org/artifacts/ ical Review X, vol. 2, no. 4, p. 041010, 2012. quantum-safe-security-awareness-survey/ [15] J. Qiu et al., “Quantum communications leap out of the lab.” Nat., vol. 508, no. 7497, pp. [26] ETSI, “Quantum Key Distribution.” [On- 441–442, 2014. line]. Available: https://www.etsi.org/ technologies/quantum-key-distribution [16] J. Dynes, A. Wonfor, W.-S. Tam, A. Sharpe, R. Takahashi, M. Lucamarini, A. Plews, [27] S. Pirandola, U. L. Andersen, L. Banchi, Z. Yuan, A. Dixon, J. Cho et al., “Cambridge M. Berta, D. Bunandar, R. Colbeck, D. En- quantum network,” npj Quantum Informa- glund, T. Gehring, C. Lupo, C. Ottaviani tion, vol. 5, no. 1, pp. 1–8, 2019. et al., “Advances in quantum cryptography [preprint],” arXiv, 2019. [17] D. Stucki, M. Legre, F. Buntschu, B. Clausen, N. Felber, N. Gisin, L. Henzen, P. Junod, G. Litzistorf, P. Monbaron et al., “Long-term performance of the SwissQuan- tum quantum key distribution network in a field environment,” New Journal of Physics, vol. 13, no. 12, p. 123001, 2011. [18] M. Peev, C. Pacher, R. Alléaume, C. Bar- reiro, J. Bouda, W. Boxleitner, T. Debuiss-

Cambridge Journal of Science & Policy, Vol 1 (2020), Issue 2 9 Quantum Key Distribution: Advantages, Challenges and Policy

About the Author

Victor is a PhD student in the Department of Physics at Imperial College London. His research is in the ﬁeld of quantum cryptography, investi- gating the security of quantum key distribution and quantum random number generation. He is interested in the potential of emerging technologies to change the world, in good or bad ways, and thinks that good policymaking is key to ensuring good outcomes and mitigating any risks. Previ- ously, Victor studied Physics at the University of Glasgow.

Conﬂict of interest The Author declares no conﬂict of interest.

10 Cambridge Journal of Science & Policy, Vol 1 (2020), Issue 2