
INSTITUTE FOR QUANTUM COMPUTING

quantum market study

» 2014 market study & business opportunities assessment

BY DR. THOMAS JENNEWEIN, ASSOCIATE PROFESSOR & ERIC CHOI, SENIOR TECHNICAL ASSOCIATE

1. executive summary

2. introduction
   2.1. Relevance and Implications of Quantum Information
   2.2. About the Institute for Quantum Computing

3. overview of quantum cryptography
   3.1. Inherent Vulnerabilities of Conventional Cryptography
   3.2. Quantum Cryptography and Quantum Key Distribution (QKD)
   3.3. Examples of Terrestrial QKD Implementations
   3.4. Satellite-Based QKD: The Quantum Space Race

4. market overview
   4.1. Financial Cost of Information Security Breaches
   4.2. Current Market for IT Security and

5. competitive landscape
   5.1. Current Commercial Vendors
   5.2. Recent Commercial Market Activity

6. market potential
   6.1. Discussion of Market Potential
   6.2. Quantum Cryptography
   6.3. Market Segmentation
   6.4. Satellite-Based QKD

7. conclusion

8. endnotes

9. appendices
   9.1. Appendix A: List of Acronyms
   9.2. Appendix B: Acknowledgements

1. executive summary

There is a serious threat to the current cryptographic systems upon which modern information and communications technology depends. Most current encryption techniques are based upon assumptions of mathematical complexity that are actually not proven. Therefore, a sudden or unexpected algorithmic innovation could immediately compromise many modern security systems. In the longer term, quantum computers will be able to quickly solve the mathematical problems upon which most current key establishment methods are based, rendering them useless. Only systems based on quantum cryptography can offer long-term data security. Since quantum cryptography relies upon fundamental laws of physics rather than mathematical assumptions, it will never be threatened by new algorithms or more powerful computers.

Quantum key distribution (QKD) establishes highly secure keys between distant parties by using single photons to transmit each bit of the key. Since photons behave according to the laws of quantum mechanics, they cannot be tapped, copied or measured without leaving tell-tale signs of observation. Such systems provide the peace of mind of knowing that any eavesdropping can be immediately detected and addressed.

Quantum key distribution is not science fiction, but a present-day reality. A number of companies are currently selling commercial QKD systems, and several other firms offer related products and services. QKD has attracted the attention of high technology firms such as Alcatel-Lucent, Raytheon, HP, IBM and . Terrestrial QKD networks using fibre optic cables or free-space atmospheric transmission are in operation today for both research and niche commercial applications such as secure bank transactions and data transfers.

Due to some fundamental physical constraints, a complementary solution would be required to cover distances beyond a few hundred kilometers. Light signals inevitably attenuate as they are transmitted through fibre optic cables, and conventional signal amplifiers cannot be used because they would compromise the quantum mechanical phenomena upon which QKD depends for the detection of eavesdropping. Free-space atmospheric QKD links are limited to line-of-sight, subject to local geographical constraints and ultimately the curvature of the Earth. The only way to offer long-distance QKD services with current technology is to use satellites as complementary trusted nodes bridging the distance between geographically dispersed QKD ground networks, for example, between cities or continents.

Teams in Canada, Europe, the U.S., , China and other nations are currently engaged in a “Quantum Space Race”, vying to be the first to demonstrate QKD from space. The winning team would not only claim a historic scientific accomplishment but would also be the front-runner to seize a potentially lucrative future business opportunity.

Currently, the market for quantum cryptography is estimated to be on the order of $30-million. Over the long-term, as regulatory requirements for quantum-resistant are expected to become enacted, it is anticipated that the market will grow significantly. IQC estimates the potential overall global market for quantum cryptography could reach $23-billion within twenty years. Satellite-based QKD for long-distance secure key distribution would be a subset of this overall quantum cryptography market. Such a service could be implemented with either a constellation of low Earth orbit (LEO) microsatellites or hosted payloads aboard geostationary (GEO) satellites. IQC estimates a potential global market for satellite-based QKD of up to $382-million per year within the next two decades.

2. introduction

2.1. RELEVANCE AND IMPLICATIONS OF QUANTUM INFORMATION

Each force of Nature that humanity has harnessed has had a lasting impact on society. Fire, steam, electromagnetism and the splitting of atomic nuclei represent the most compelling examples. What could be the next force of nature that we can harness? What forces remain untamed?

Quantum theory was discovered at the beginning of the 20th Century and is used to describe the behaviour of atoms, molecules, photons (quanta of light) and their constituents. As a better understanding of this domain was developed, we have often been left perplexed about the seemingly paradoxical behaviour of nature at the atomic scale: particles that cannot be pinpointed because of the ; photons and atoms that act as if they are in two places at the same time; the interchangeability of particles and waves. For most of the 20th Century, these phenomena were thought to be only curiosities. Over the last 25 years, however, physicists and chemists started to develop better technologies with which to explore the intricacies of the quantum domain. They were able to demonstrate that indeed Nature behaves precisely as this theory predicts. A great deal of thought and experiment has been applied attempting to understand the phenomena presented by quantum mechanics.

Ironically, it is quantum mechanics that poses both the greatest threat to conventional cryptography and the best means of securing it. Today, most encryption technologies are based on unproven assumptions of mathematical complexity. There is a significant likelihood that practical quantum computers will be able to solve these problems, and this is too significant to ignore. Quantum cryptography, however, which relies upon the same fundamental physical laws, will deliver long-term data security, never to be threatened by new algorithms or increased computational power.

2.2. ABOUT THE INSTITUTE FOR QUANTUM COMPUTING

The mission of the Institute for Quantum Computing (IQC), a research institution located at the University of Waterloo, is to aggressively explore and advance the application of quantum mechanical systems to a vast array of relevant information processing techniques. The idea for founding a large-scale quantum information program in Waterloo was a result of discussions among founder and former co-CEO of BlackBerry Mike Lazaridis, the University of Waterloo and Professor Michele Mosca, and the founding Executive Director of the Perimeter Institute for Theoretical Physics, Howard Burton.

Figure 1 – IQC Executive Director, Professor Raymond Laflamme

IQC was officially established in October 2002 and has since built an international reputation as a leader in quantum information science and technology. The Institute is devoted to interdisciplinary research bridging foundational issues to technology development through both theoretical and experimental investigations. The main themes of research are quantum computing, communications and sensors. IQC is strongly involved in the standardization of quantum key distribution systems within the European Telecommunications Standards Institute (ETSI).

The Institute operates a free-space quantum link test-bed that can transfer entanglement and cryptographic keys between buildings on the campus of the University of Waterloo (see Section 3.3.1). This is a double-link configuration, where the entangled pairs are sent along two different paths of about 1.3 km in length. IQC’s test system is unique in Canada and has allowed the institute to gain important know-how that is leading to collaborations with other universities and organizations including Communications Security Establishment Canada (CSEC), the Canadian Space Agency (CSA) and the University of Calgary. Since 2010, IQC has been working with partners in government and industry to advance concepts for demonstrating long-distance quantum key distribution via Earth-orbiting satellite (see Section 3.4.1).

3. overview of quantum cryptography

3.1. INHERENT VULNERABILITIES OF CONVENTIONAL CRYPTOGRAPHY

A serious catastrophe is looming that threatens to compromise the current cryptographic systems upon which the information and communications technology (ICT) infrastructure of the modern world depends. It is cryptography that allows us to leverage a relatively small amount of physical security and trust in order to be able to use the wider untrusted ICT infrastructure in a practical manner with reasonable assurances of privacy and security. Reliable cryptography is absolutely fundamental both to the global economy and to our daily lives. Section 4.1 describes the financial cost of information security breaches.

Most current encryption technologies are based on public key cryptography that uses assumptions of computational complexity such as the difficulty of factoring the product of two prime numbers back into the original primes, or discrete logarithms and elliptic curve schemes. For example, it is estimated that it would take a century for a conventional computer to break 1024-bit RSA.1 There are, however, a number of problems:

• The assumption of mathematical complexity behind the factoring of large numbers, discrete logarithms or “elliptic curve” schemes is actually not proven. A sudden or unexpected algorithmic innovation would compromise many modern security systems.
• Peter Shor discovered 20 years ago that quantum computers will break prime factoring and discrete-logarithm based cryptographic systems. Fortunately, there were no quantum computers at the time. The prevailing scientific consensus, however, is that practical and widespread quantum computing capabilities will likely be available within the next 10 to 25 years.2 When this happens, most current encryption methods will be rendered useless.
• Current cryptographic systems are not “future-proof”. Many organizations need to secure data over the long-term, for example, for 20 years or more. An unexpected innovation in conventional algorithms or the advent of quantum computers would not only compromise contemporary data security but would also make historical records vulnerable.

With regard to the specific threat of the quantum computer, one may ask if this is really something that needs to be a concern at the present time. This depends on three variables x, y and z:

• x is the number of years that cryptography must remain unbroken, i.e. how long are you supposed to protect health information, or national security information, or trade secrets?
• y is the number of years it will likely take to replace the current system with one that is quantum-safe or not based on unproven assumptions of mathematical complexity
• z is the number of years it will take to break the current encryption tools, using quantum computers or otherwise

If x + y > z, then there is a problem right now and immediate action needs to be taken. This means that for the latter part of those y years, we will have to either stop doing business or continue to use the current tools with the knowledge that they will be compromised in z years.3 Neither of these is a desirable option, and near-term alternatives are essential, if only to protect against unexpected algorithmic advances. These alternatives should also be quantum-safe in order to provide protection against the imminent threat posed by quantum computers.

There are two possible complementary solutions. The first are “post-quantum” or “quantum resistant” techniques, which are new codes and protocols based on “NP complete problems” for which there are currently no known quantum algorithms capable of breaking these schemes. While post-quantum methods would not require a lot of new hardware and could be deployed quickly on existing ICT infrastructures, the inherent vulnerability of being based on unproven mathematical assumptions remains.

Quantum cryptography is the other solution. To date, quantum mechanics is possibly the most thoroughly tested model of the Universe that has been devised by science. For data security over the long-term, only systems based on quantum cryptography, to the extent of our current best understanding of the laws of physics, are secure against both conventional and quantum computers. This is due to the fact that quantum cryptography relies upon fundamental laws of physics rather than assumptions of mathematical complexity, and hence will never be threatened by innovative algorithms or increased computational power.

3.2. QUANTUM CRYPTOGRAPHY AND QUANTUM KEY DISTRIBUTION (QKD)

This section presents a brief high-level overview of quantum cryptography and quantum key distribution (QKD) intended for general audiences. Readers seeking a more rigorous discussion are encouraged to consult the scientific literature.

3.2.1. Overview of Cryptographic Theory

Cryptography, which is derived from the Greek words kryptós (“hidden” or “secret”) and graphein (“to write”), is the study and practice of techniques for encoding and decoding messages in order to render them unintelligible to all but the intended receiver. The two primary forms of cryptographic systems are secret key (symmetric) and public key (asymmetric).

In symmetric cryptosystems, a single secret key is used both by the sender to encrypt the message and the receiver to decrypt it. One of the most common symmetric key algorithms is the Advanced Encryption Standard (AES), which is a standard that was established by the U.S. National Institute of Standards and Technology (NIST) in 2001. A drawback of symmetric cryptosystems is the need for both parties to do a secure initial exchange of one or more secret keys prior to initiating message exchange.

Public key or asymmetric cryptography uses two separate keys, one public (open) and one private (secret). The open public key is used by the sender to encrypt a message or verify a digital signature, and the secret private key is used by the recipient to decrypt a message or create a digital signature. These key pairs are linked mathematically, based upon computational relationships that are assumed to be extremely difficult to solve such as the prime product factorization, discrete logarithms and elliptic curve schemes. Public key encryption allows users to communicate securely over an open channel without having to agree on a key beforehand. This “distributed trust” is essential to the success of Internet applications such as electronic commerce; however, as discussed in Section 3.1, public key cryptography is inherently vulnerable to increasing computational power or unexpected algorithmic advancements.

An unconditionally secure or “perfect” cryptosystem is one that cannot be compromised even with unlimited time and computational power. The standard example of a perfect cryptosystem is a type of symmetric cryptography called the Vernam or one-time pad (OTP). In this technique, each bit or character of a message is encrypted by combining it with a corresponding bit or character from a random secret key (the pad) using modular addition. If each key is used only once (one-time), is truly random and unpredictable and is at least as long as the message itself, then the resulting encryption will be impossible to break.

A number of practical problems, in particular, the need to constantly generate new keys and for those keys to be as long as the messages themselves, have prevented OTP from widespread use. For example, the encryption and transmission of a multi-gigabyte message over a non- would first require the transmission of an OTP key of the same size over a bandwidth limited secure channel.

Symmetric cryptography algorithms such as AES achieve practicality by using long but finite length secret random keys; however, there are a number of challenges that need to be addressed. First, it is not possible for conventional computers to generate truly random numbers. The random number functions in most programming languages are not suitable for cryptography, and even those that are suitable employ some methodologies whose security is unproven. Random numbers generated deterministically by conventional computers are more correctly described as “pseudo-random”.

Second, the security of AES and other symmetric schemes is only as good as the security of the itself. Even today, for many financial, military and diplomatic applications, secret keys are often delivered manually using a trusted human courier. While the image of a briefcase handcuffed to a courier has been made famous by many spy movies, modern digital storage media such as USB sticks or DVDs are often used to carry secret keys from one place to another in a less conspicuous manner. Distributing keys in this manner is expensive, inconvenient and poses a significant security risk. In addition to the risk of compromise during transit (for example, a pickpocket swiping, copying and replacing the pad), there is no guarantee that the couriers themselves can be trusted. Anyone who manages to copy or steal the key would be able to decrypt the messages effortlessly, thereby defeating the purpose of encryption.

Both of these problems can be solved by quantum mechanics. Contrary to Newtonian or “classical” physics, quantum physics is fundamentally non-deterministic by nature. Quantum random number generators (QRNG) exploit the intrinsic randomness of phenomena such as radioactive decay or photonic transmission and reflection to generate true random numbers. These devices are available commercially from companies like ID Quantique (see profile in Section 5.1.1) and have application in numerical simulations and the gaming industry as well as cryptography.

Quantum key distribution (QKD) solves the key exchange security problem. As described in Section 3.2.2, QKD establishes highly secure keys between distant parties by using single photons (or similarly suitable quantum objects) to transmit each bit of the key. Since single photons behave according to the laws of quantum mechanics, they cannot be tapped, copied or directly measured without leaving tell-tale signs of manipulation. The huge benefit for users of such systems is the peace of mind of knowing that any attack, manipulation or copying of the photons can be immediately detected and addressed.

Since many symmetric encryption algorithms are resistant to known attacks by quantum computers, addressing the emerging threats described in Section 3.1 will not require all of the current foundational blocks of data security to be replaced. QKD can be used to generate the private keys in a symmetric encryption algorithm such as AES. It would thus be deployed as a complementary technology that enhances and gradually replaces public key cryptography systems. Most of the current AES and Data Encryption Standard (DES) key management schemes will still be relevant when augmented by QKD.

Another interesting property of quantum key distribution is “”, which implies that one could use some of the key generated by QKD to authenticate the messages in the next round of QKD with a negligible decrease in security. Thus, it is possible to continue QKD more or less indefinitely, having started only with a relatively short authentication key. Even if the original authentication keys are revealed after the first QKD exchange, the subsequent keys from QKD remain information theoretically secure.4 By contrast, conventional public key exchange schemes do not have this feature. Although one could employ a protocol in which a new key is transmitted encrypted under the old key, an eavesdropper who logs all communications and subsequently breaks the first key can read all future communications. With QKD, new session keys are completely independent of all prior keys and messages.

3.2.2. Principle of Quantum Key Distribution

Quantum mechanics is a set of scientific principles that describes the behaviour of energy and matter on the scale of atoms and subatomic particles. Rather than relying on unproven assumptions of mathematical complexity, the security of quantum key distribution (QKD) is derived from these fundamental and demonstrated scientific principles. Instead of human couriers with handcuffed briefcases or USB sticks, QKD uses a stream of single photons to transmit the encryption key.

According to Heisenberg’s Uncertainty Principle, there is a fundamental limit to the precision with which the position and momentum of a particle can be known simultaneously. For example, the more precisely the position of a particle is determined the less precisely its momentum can be known, and vice versa. The related observer effect means that the very act of measuring a particle such as a photon will inevitably affect some characteristic of that particle. It is therefore impossible to make a perfect copy of a , a principle known as the no-cloning theorem.

A number of QKD protocols have been devised. The BB84 protocol, which was developed by Charles Bennett and in 1984, is based on the no-cloning theorem. To illustrate the technique, consider two parties “Alice” and “Bob” who wish to exchange a secret key between them.

Alice transmits a stream of random binary bits as single photons and encodes the values of 0 or 1 as a quantum state (for example, ) in two different non-overlapping bases (for example, rectilinear and diagonal). The encoding basis of each transmitted photon is also selected randomly. For each received photon, Bob randomly chooses a measurement basis and records the observed polarization of that photon. If Bob happens to measure a given photon in the same basis in which it was originally transmitted by Alice, he will get the same value. Otherwise, a random polarization will be measured.

When the transmission is complete, Bob contacts Alice over an authenticated conventional communications channel (in order to prevent “man in the middle” attacks) and they compare the sequence of receiver measuring bases Bob had used versus the transmitter encoding bases that Alice had used. Since they are only talking about the measurement bases and not the actual transmitted values, this “basis reconciliation step” could take place over a public or unsecured channel. keep the photon measurements (bits) where both had used the same bases and discard the rest. The shared encryption key is generated from these bits.

To check for the presence of an eavesdropper “Eve”, Alice and Bob then compare a random subset of the remaining bit string. By the laws of quantum mechanics, any attempt by Eve to tap into the transmission or copy the bits will result in detectable errors in Bob’s measurements. If the error rate exceeds a certain threshold, Bob and Alice can discard the compromised key and try again either at a later time or through a different .

Devised by Artur Ekert in 1991, the E91 protocol is an alternative QKD scheme that involves a trusted third-party “Charlie” with an entangled photon source. Charlie gives Alice and Bob each a quantum state in an entangled pair and their key is created using consecutive measurements of this pair. The key exchange then proceeds exactly as BB84 except that in the basis reconciliation step Alice and Bob both compare their measurement bases instead of comparing Alice’s encoding bases to Bob’s measurement bases. The next year Bennett and Brassard published the BBM92 protocol as a follow-up to E91 in which it was proven that it is not necessary for Charlie to be trusted because Alice and Bob can perform a “” on their measurements to confirm shared entanglement.

For example, a pair of photons may be entangled in such a way that their polarizations are opposite to each other. By the laws of quantum mechanics, the polarization of one of these photons is indeterminate until it is observed. This act of observation, however, will automatically determine the polarization of the other entangled photon even if the pair is physically separated. Austrian physicist Erwin Schrödinger introduced the term entanglement, which was later referred to by Albert Einstein as “spooky action at a distance”.

QKD can also be implemented using continuous variables (CV-QKD) carried by weak optical signals.5 The light fields will have intrinsic noise in their phase and amplitudes due to quantization of the field, which enables Alice to encode the phases for signals that are indistinguishable to Eve, as is the case for some of the polarisation states used in BB84. CV-QKD can be implemented using standard telecom components such as sources, phase modulators and regular photo diodes; however, at larger transmission losses the system becomes less efficient than single photon based QKD.
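The BB84 exchange described in this section, as an added simulation that is not part of the original study: a classical toy model (no real optics) of Alice, Bob and an optional Eve who measures each photon and resends it. The function and parameter names, the 50% sampling fraction and the 11% abort threshold are assumptions chosen for illustration.

```python
import random

RECT, DIAG = "+", "x"  # the two polarization bases: rectilinear and diagonal


def measure(bit, prep_basis, meas_basis, rng):
    """Model of a single-photon measurement.

    Same basis as the preparation: the encoded bit is read out unchanged.
    Different basis: the outcome is a uniformly random bit.
    """
    return bit if prep_basis == meas_basis else rng.randint(0, 1)


def run_bb84(n_photons, eavesdrop, seed=0, sample_fraction=0.5, abort_qber=0.11):
    """Simulate one BB84 session and return a summary dict.

    sample_fraction and abort_qber are illustrative assumptions, not values
    taken from the study.
    """
    rng = random.Random(seed)  # seeded so the constructed run is repeatable
    bases = (RECT, DIAG)

    alice_bits = [rng.randint(0, 1) for _ in range(n_photons)]
    alice_bases = [rng.choice(bases) for _ in range(n_photons)]
    bob_bases = [rng.choice(bases) for _ in range(n_photons)]

    bob_bits = []
    for a_bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        flying_bit, flying_basis = a_bit, a_basis
        if eavesdrop:
            # Eve cannot clone the photon: she measures it in a guessed basis
            # and resends a new photon prepared from her own result.
            e_basis = rng.choice(bases)
            flying_bit = measure(a_bit, a_basis, e_basis, rng)
            flying_basis = e_basis
        bob_bits.append(measure(flying_bit, flying_basis, b_basis, rng))

    # Basis reconciliation: only basis choices are disclosed, never bit values.
    sifted = [
        (a, b)
        for a, b, ab, bb in zip(alice_bits, bob_bits, alice_bases, bob_bases)
        if ab == bb
    ]

    # Eavesdropper check: publicly compare a random subset, then discard it.
    order = list(range(len(sifted)))
    rng.shuffle(order)
    n_sample = int(len(sifted) * sample_fraction)
    sample, keep = order[:n_sample], sorted(order[n_sample:])
    errors = sum(1 for i in sample if sifted[i][0] != sifted[i][1])
    qber = errors / n_sample if n_sample else 0.0

    aborted = qber > abort_qber  # too many errors: throw the key away
    return {
        "sifted_len": len(sifted),
        "qber": qber,
        "aborted": aborted,
        "alice_key": [] if aborted else [sifted[i][0] for i in keep],
        "bob_key": [] if aborted else [sifted[i][1] for i in keep],
    }


if __name__ == "__main__":
    for eve in (False, True):
        result = run_bb84(20000, eavesdrop=eve, seed=1)
        print(
            f"eavesdropper={eve} sifted={result['sifted_len']} "
            f"error_rate={result['qber']:.3f} aborted={result['aborted']} "
            f"key_bits={len(result['alice_key'])}"
        )
```

In this model about half of the photons survive basis reconciliation, and an intercept-and-resend Eve pushes the error rate on the compared subset to roughly 25%, far above the abort threshold.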

3.3. EXAMPLES OF TERRESTRIAL QKD IMPLEMENTATIONS

Using the QKD protocols described in Section 3.2.2, cryptographic keys can be transmitted photonically either across fibre optic cables or through free-space. Summarized here are a few selected examples of many QKD systems and networks that have been implemented for research and experimental purposes as well as some niche commercial applications. It is not an exhaustive list. See Section 5.1 for profiles of current commercial vendors of quantum cryptography products and services.

Fibre optic cable is a convenient channel for QKD, as it can be acquired relatively cheaply and does not place requirements on the local landscape as free-space links do. However, silica glass is not a perfect transmitter, so fibre optic cables suffer from exponential losses over the length of the fibre. For the best-case ultra-low loss fibre, the power of any light is reduced by half in its output after approximately 16 km. In addition, telecom fibres are often optimized for minimizing attenuation for a wavelength of 1550 or 1310 nm whereas detectors typically have the best detection efficiency in the visible spectrum, leading to a performance trade-off between these technologies. To a lesser extent, polarization and chromatic dispersion can also affect the quantum signals, which leads to further errors.

QKD can also be done between any two points with direct line-of-sight using free-space links. Unlike fibre links, free-space experiments do not suffer from losses exponential in distance, although they do suffer from turbulence, dispersion and scattering. Free-space experiments can cross much larger distances than fibre links, but they are often difficult to achieve, as it is difficult to find two large telescopes separated by a long distance with a direct line of sight. At the moment, the distance record for free-space QKD on the ground is 144 km, which was done between two observatories in the Canary Islands.6

3.3.1. Institute for Quantum Computing

IQC operates a free-space quantum link test-bed that can transfer entanglement and cryptographic keys between buildings on the campus of the University of Waterloo (see Figure 2). This is a double-link configuration in which the entangled photon pairs are sent along two different paths each about 1.3 km in length. IQC’s test system is unique in Canada and has attracted collaborative projects with other universities and institutions including the Canadian Space Agency (CSA), Communications Security Establishment Canada (CSEC) and the University of Calgary. As described in Section 3.4.1, IQC is also actively pursuing satellite-based QKD.

Figure 2 – IQC’s Free-Space Quantum Link Test-Bed

3.3.2. Canary Islands

The current distance record for a free-space QKD implementation is 144 km, which was achieved in 2006 between two of the Canary Islands under the Quantum Information and Quantum Physics in Space (QIPS) program funded by the European Space Agency (ESA).7 As shown in Figure 3, the link was established between the islands of La Palma and Tenerife, the latter being the location of ESA’s Space Debris Telescope at the Teide Observatory which was used as an optical ground station to receive the single photons. Dr. Thomas Jennewein of IQC was one of the co-investigators for this experiment. One of the significant outcomes of this investigation was to demonstrate that quantum links between orbiting satellites and the Earth are feasible (see Section 3.4).

Figure 3 – Distance Record for Free-Space QKD Between Canary Islands

3.3.3. QKD with Airborne Platforms

In 2012, a team led by Sebastian Nauerth of Ludwig-Maximilians-Universität and Florian Moll of DLR proved the feasibility of QKD using the BB84 protocol over a distance of 20 km between an optical ground station and an airplane moving at 290 km/h.8 These results are representative of typical communication links to satellites or other high-altitude platforms.

In March 2014, IQC was awarded a Flights for the Advancement of Science and Technology (FAST) grant from the Canadian Space Agency (CSA) to conduct an end-to-end airborne demonstration of QKD between a receiver payload on a stratospheric balloon and a mobile transmitter on the ground. A Chinese group had reported the demonstration of downlink QKD using a transmitter on a balloon; however, the IQC team’s project will address the more innovative and difficult challenge of demonstrating uplink QKD with the receiver on the balloon, thereby establishing the feasibility of stratospheric QKD up to a moving airborne platform.

3.3.4. Los Alamos National Laboratory

Los Alamos National Laboratory has been operating a QKD network with a hub-and-spoke topology since 2011. Provided the central hub is secure, the network as a whole remains secure. In 2007, a team of researchers from Los Alamos and the National Institute of Standards and Technology (NIST) set a distance record of 148.7 km for QKD over a fibre optic cable, using the BB84 protocol described in Section 3.2.2.

3.3.5. DARPA

In 2003, the U.S. Department of Defense started backing several quantum cryptography experiments as part of a $20.6-million quantum information initiative at the Defense Advanced Research Projects Agency (DARPA).9 As shown in Figure 4, DARPA developed a has been running in since 2004. This network was developed in partnership with Raytheon BBN Technologies, and University. The secure key rate is 500 bps and the average length of the links is 10 km. See the profile of BBN Technologies in Section 5.1.6 for more information.

Figure 4 – The DARPA Quantum Network

3.3.6. SECOQC

One of the first computer networks protected by QKD was implemented in 2008 at the Secure Communication Based on Quantum Cryptography (SECOQC) conference in Vienna, Austria. This network used 200 km of fibre optic cable to connect six locations across Vienna and the town of Sankt Pölten located 69 km to the west. It had a secure key rate of more than a dozen kilobits per second. The objectives of the European Union funded SECOQC project were to standardize QKD technology through a cross-platform interface allowing the integration of various QKD systems into a single network and demonstrate one-time pad encrypted telephone communication.

3.3.7. SwissQuantum

The main goal of the SwissQuantum network (see Figure 5), which was installed in the Geneva metropolitan area in March 2009, was to validate the reliability and robustness of QKD in continuous operation in a field environment over an extended period of time. Led by the University of Geneva with the participation of CERN, ID Quantique and other partners, the three-node network accumulated over 45,000 hours of operation time between March 2009 and January 2011 and successfully demonstrated stable key distributions despite interruptions caused by external factors such as power outages and air conditioning failures.

Figure 5 – The SwissQuantum QKD Network (2009-2011)

3.3.8. QKD Network

The Tokyo QKD Network was inaugurated on the first day of the 2010 Updating Quantum Cryptography and Communications (UQCC) conference and involved an international collaboration between numerous partners including NTT, Toshiba and ID Quantique (see company profiles in Section 5.1). Some demonstrated commercial applications included secure QKD videoconferencing and a QKD smart phone

3.3.9. Examples of Commercial Application

In 2013, the Battelle Memorial Institute installed a commercial QKD system built by ID Quantique between their headquarters in Columbus, Ohio and another office in nearby Dublin. Details can be found in Section 5.2.

Past examples of commercial application include the world’s first bank transfer using QKD, which was undertaken in Vienna, Austria in 2004 by the research group of Dr. at the Vienna Institut für Experimentalphysik in collaboration with the Quantum Technologies group of Dr. Christian Monyk at ARC Seibersdorf Research GmbH. The bank transfer was initiated by Vienna’s mayor Dr. Michael Häupl and executed by the director of the Bank Austria Creditanstalt Dr. Erich Hampel. Encrypted information was sent via fibre optic cable between Vienna City Hall and the Bank Austria Creditanstalt branch office “Schottengasse” using the one-time pad technique described in Section 3.2.1.

QKD technology provided by the company ID Quantique (see profile in Section 5.1.1) was used by the Swiss canton of Geneva to transmit ballot results from polling stations to a data centre in the capital, a distance of 100 km, in the national election of October 2007. For this application, the issue was not confidentiality but integrity, making sure that no one could connect to the link and change the values of the vote counting. The system (see Figure 6) was installed in September 2006 and operated continuously for more than seven weeks prior to the Election Day in October 2007. It has since been used five more times in subsequent elections and remains available for future utilization.

Another ID Quantique customer is Siemens IT Services and Solutions B.V. in the Netherlands, which uses QKD to secure communications between a pair of data centres in The Hague and Zoetermeer.

Figure 6 – Use of Quantum Cryptography During the October 2007 Swiss National Election

There are currently four companies offering complete turn-key commercial QKD systems: ID Quantique, MagiQ Technologies, QuintessenceLabs and SeQureNet. Several other companies offer related products and services or have active research programs. Profiles of these companies can be found in Section 5.1.

3.4. SATELLITE-BASED QKD: THE QUANTUM SPACE RACE

Ground-based QKD networks such as the examples described in Section 3.3 have a number of commercially viable applications. There are, however, some fundamental physical constraints that would require the implementation of a complementary solution for distances beyond a few hundred kilometers. Even with the best-case ultra-low attenuation fibre optic cables, light will suffer exponential signal losses as well as polarization and chromatic dispersion as it is transmitted through the material. Conventional signal amplifiers cannot be used because doing so would effectively constitute an observation of the quantum state of the single photons, thereby invalidating the very quantum mechanical techniques upon which QKD depends for the detection of attack or manipulation. Losses for free-space QKD within the atmosphere are significantly reduced; however, these links are limited to line-of-sight and are therefore subject to geographical constraints such as local landscape and ultimately the curvature of the Earth.

Figure 7 – Satellite Trusted Node to Bridge Terrestrial Networks Over Long Distances

In the absence of practical quantum repeaters, Earth orbiting satellites represent the only way using current technology to provide complementary long-distance QKD services. Satellites would be used as complementary trusted nodes to bridge the distance between geographically dispersed QKD ground networks, for example, between cities or continents as shown in Figure 7. Even with quantum repeaters, however, there would still be a role for satellites as the most optimistic quantum repeater protocols would still only facilitate distances up to about 1,000 km.10

Key transfers through space could be accomplished by either a constellation of low Earth orbit (LEO) microsatellites or a geostationary (GEO) satellite. At the present time, the technology has not yet been demonstrated and there are no companies offering satellite-based long-distance QKD services. An article in Physics World magazine11 describes the “Quantum Space Race” that is now underway for the first team to successfully demonstrate long-distance QKD from space. The winning team would not only claim a historic first-in-the-world scientific accomplishment but would also be the front-runner to seize a potentially lucrative future business opportunity. Descriptions of some of the current leading contenders in the Quantum Space Race are provided in the following sections, and an estimate of the future market potential for satellite-based QKD is given in Section 6.4.

Figure 8 – QEYSSat Model (Bottom) and Key Transfer with Optical Ground Station (Top)

3.4.1. Institute for Quantum Computing

For the past four years, a proposed microsatellite mission called QEYSSat (Quantum EncrYption and Science Satellite) that could demonstrate long-distance QKD from space has been advanced by IQC and its partners through a series of technical studies funded initially by Defence Research and Development Canada (DRDC) and subsequently by the Canadian Space Agency (CSA). The high-level mission objectives are maintained by a CSA chartered Core User Team chaired by QEYSSat principal investigator Dr. Thomas Jennewein whose membership includes other IQC researchers as well as representatives from the Perimeter Institute, DRDC, Communications Security Establishment Canada (CSEC) and a number of Canadian and international universities.

IQC commenced a CSA-funded technical risk retirement project in October 2013 to develop and demonstrate a compact prototype quantum key distribution receiver (QKDR) that has the required form, fit and function suitable for the proposed QEYSSat spacecraft. In March 2014, IQC was awarded a grant from the CSA to conduct an end-to-end airborne demonstration of QKD between a modified QKDR payload on a stratospheric balloon and a mobile transmitter on the ground as further risk retirement. The QEYSSat program has achieved a level of technical maturity to the point of Phase A readiness and is currently believed to be ahead of competing projects in the , Europe and China. IQC has also collaborated with the Space Flight Laboratory (SFL) at the University of Toronto to develop a preliminary design for a rapid and low-cost QKD demonstration mission using a nanosatellite platform.

3.4.2. Los Alamos National Laboratory

The first demonstration of QKD over practically significant distances was performed in 2002 by Richard Hughes, Jane Nordholt, Derek Derkacs and Charles Peterson of Los Alamos. This team successfully conducted QKD over a 10 km range during both day and night-time conditions and were able to use the experimentally achievable parameters (such as air-mass extinction, background optical noise and achievable optical quality) to infer that free-space QKD to satellites is feasible. The team headed by Richard Hughes and Beth Nordholt pioneered the concept of satellite-based QKD and conducted several other ground-breaking theoretical and experimental studies. U.S. Patent US005966224A for “Secure Communications with Low Orbiting Spacecraft Using Quantum Cryptography” was granted to Hughes and his team in 1999. As discussed in Section 3.3.4, Los Alamos has been operating a terrestrial QKD network with a hub-and-spoke topology since 2011.

3.4.3. European Space Agency

Starting in 2001, the European Space Agency (ESA) supported a number of studies on quantum physics in space including “Quantum Communications in Space” (2001), “Accommodation of a Quantum Communication Transceiver in an Optical Terminal” (2004) and “Quantum Information and Quantum Physics in Space” (2005). The latter program culminated in the record-setting 144 km horizontal free-space QKD link between the Canary Islands of La Palma and Tenerife that was described in Section 3.3.2, which demonstrated that quantum links between orbiting satellites and the Earth are feasible.

In 2008, researchers led by Dr. Paolo Villoresi of the University of Padua demonstrated single photon exchange (albeit not true QKD) between the Matera Laser Ranging Observatory in Italy and the Japanese Ajisai geodetic satellite in medium Earth orbit (MEO) at an altitude of 1,485 km (see Figure 9). The satellite-to-Earth quantum channel was simulated by reflecting attenuated laser pulses off the optical retro-reflectors on the surface of Ajisai. Although Villoresi’s experiment did not implement a QKD protocol, it did show the feasibility of sending and receiving single photons between a satellite and an optical ground station on the Earth. QEYSSat principal investigator Dr. Thomas Jennewein of IQC was a co-investigator on all of these European activities.

Thomas Scheidl and Rupert Ursin of the Institute for and Quantum Information at the Austrian Academy of Sciences have submitted a proposal called Space-QUEST ( for Space ExperimenTs) for consideration by the European Life and Physical Sciences in Space Program of ESA. As shown in Figure 9, Space-QUEST would conduct space-to-ground quantum communications tests from the International Space Station (ISS), simultaneously distributing entangled photon pairs to separated locations on Earth to demonstrate QKD and perform fundamental quantum physics experiments.

Figure 9 – The Matera-Ajisai Demo (Top) and the Proposed Space-QUEST Experiment (Bottom)

3.4.4. NICT

The National Institute of Information and Communications Technology (NICT) of Japan have described plans for a quantum transceiver on a microsatellite based on their small optical transponder assembly (SOTA). This system has a dedicated pulsed laser source for testing a channel for a quantum communication link from space-to-ground, however the transmission will be much too powerful for actual QKD. Japanese researchers are also planning a small quantum experiment on a laser communication spacecraft named SOCRATES (Space Optical Communications Research Advanced Technology Satellite) that is scheduled for launch later this year.

3.4.5. Chinese Academy of Sciences

In June 2013, Dr. Pan Jian-Wei and a team from the University of Science and Technology of China in Hefei revealed the results of an experiment in which they successfully sent single photons on a round trip to an orbiting satellite, then detected those same photons back on Earth. Interestingly, the group claimed to have used a German satellite called CHAMP (Challenging Minisatellite Payload) that was deorbited in 2010, meaning that Pan’s team has purposely elected not to publicize the outcome of the experiment for at least three years.12

Building on this success, the Chinese Academy of Sciences has announced plans to launch a Quantum Science Satellite before the end of the decade that will transmit entangled photon pairs to ground receivers. This satellite would demonstrate several technologies including quantum key distribution, entanglement distribution and . The China National Space Administration (CNSA) has budgeted $554-million towards funding five scientific satellites over the coming years, including the Quantum Science Satellite. This is a new direction for China, which has in the past launched more than 100 satellites but until now only one for dedicated scientific experiments. If the Quantum Science Satellite13 succeeds, China intends to deploy a fleet of spacecraft that could make global quantum communication a reality. Potential users would include commercial banks and China's armed forces.14

4. market overview

This section is a top-down overview of the general information security market. It should be noted that money spent on encryption and security technologies is not necessarily interchangeable with spending on quantum cryptography, because many products deal with the complexity of things such as key management and security policy, of which encryption is only one part. The purpose of this section is to elicit some market questions that should be considered when evaluating the commercialization of quantum cryptography.

4.1. FINANCIAL COST OF INFORMATION SECURITY BREACHES

On March 10, 2014, National Security Agency (NSA) whistleblower Edward Snowden addressed the attendees of South by Southwest Interactive Austin via videocast from Russia. The image was choppy and the audio was muddy because the signal was being routed through multiple proxies in the interest of security, but the conference attendees nevertheless found the presentation compelling. Snowden’s revelations have led companies such as Google and Yahoo to bolster their security measures, which is helping to protect online data from being watched by governments and other prying eyes. Encryption is effective unless the keys are compromised, Snowden said, and “that’s going to continue to be the case until our understanding of math and physics changes on a fundamental level.”15

The Snowden affair has brought the issue of information security and cybercrime to the forefront of public consciousness and discourse. Cybercrime is a complex problem to solve, and it is growing at an exponential rate. Yet, most large businesses today continue to run on security technology and infrastructure built 20 years ago. Unfortunately, the information security landscape is indeed set to change at a very fundamental level. Practical and widespread quantum computing capabilities will most likely be available within the next 10 to 25 years,16 and with it, the ability to readily break current RSA or ECC cryptosystems.

Even without the threat posed by quantum computers, the financial cost of information security breaches today can be devastating:

• Legal fees, class action lawsuits and public relations costs
• Regulatory fines and victim notification for state disclosure laws
• Service downtime, breach investigations, lost customers and lost revenue
• Credit monitoring services and other free goods and services to retain customers
• Brand damage and loss of stakeholder confidence

According to the Ponemon Institute, in 2010 malicious attacks were the root cause of 31% of data breaches, up from 24% in 2009 and 12% in 2008. About 85% of all U.S. companies have experienced data breaches; however, the actual figure is probably higher because many companies do not currently have the ability to detect exposed information. The Privacy Rights Clearinghouse estimated that security breaches compromised more than 500 million U.S. records since 2005, and again those are just the reported events.

According to the Identity Theft Resource Center, at least 662 data breaches occurred in the U.S. in 2010, exposing more than 16 million records. Nearly two-thirds of those breaches exposed Social Security numbers, and 26% involved credit card or debit card data. The majority of these attacks were malicious hacks or insider theft. Since 2005, it is estimated that security breaches have compromised more than 500 million U.S. records.

CSO magazine’s 2011 CyberSecurity Watch Survey found that 81% of U.S. respondents experienced a security event during the preceding 12 months, compared with 60% in 2010, while 28% of respondents saw an increase in the number of security events as compared with the previous year. In the United Kingdom, a survey found that 94% of respondents ranked “protecting personal information” as their top concern, equal to their concerns about crime, and two-thirds said they would avoid interacting with firms that they knew had lost confidential information.17

Dr. Cedric Jeannot, the CEO of I Think Security, estimates the average cost of a data breach to an enterprise is $5.5-million and malicious cyber activity costs the U.S. economy as much as $100-billion a year.18 Attacks against computer data and systems, identity and intellectual property theft, and the perpetuation of online financial fraud incur a global estimated cost of between $70-billion and $400-billion a year according to new data recently released by the Centre for Strategic and International Studies (CSIS).19 An earlier 2004 study analyzed 225 security breaches and found that security breaches of firm data were associated on average with a loss of 2.1% of the firm’s market value, or around $1.65-billion of market capitalization, within two days of the announcement.20 In the medical sector, a 2010 report found that U.S. health organizations may have to spend $834.3-million in total costs to address violations of the Health Insurance Portability and Accountability Act (HIPAA).21

The following representative case studies are summarized from the Sophos State of Data Security Report (2011)22 and highlight how data security incidents have a serious effect on organizations:

• Massachusetts General Hospital – The oldest and largest hospital in New England drew a $1-million fine from the U.S. Department of Health and Human Services (HHS) for losing 192 patient medical records. This violation of the HIPAA Privacy Rule cost the hospital approximately $15,000 per patient file.
• BP – An employee lost a laptop containing data on 13,000 oil spill claimants during “routine” business travel. The laptop included unencrypted names, Social Security numbers, addresses, phone numbers and birthdates of people who had filed claims related to the Deepwater Horizon accident. About 12,000 laptops are lost every week at U.S. airports alone, or approximately one every 50 seconds.
• Epsilon – The marketing services provider fell victim to a massive data breach that compromised email address data belonging to many of the world’s biggest brands. Epsilon is the largest provider of permission-based email marketing and sends more than 40 billion emails a year on behalf of 2,500 brands, including Kroger, Marriott Rewards and Ritz Carlton Rewards.
• Nationwide Building Society – The U.K. Financial Services Authority (FSA) fined the company nearly £1-million for lax security procedures and controls that led to the exposure of the personal details when a company laptop containing confidential records for nearly 11 million customers was stolen. In addition to the substantial fine, the company had to bear the cost of notifying the millions of people whose records were stolen.

4.2. CURRENT MARKET FOR IT SECURITY AND ENCRYPTION

Table 1 summarizes the worldwide IT security products market for the period from 2009 to 2017 as compiled by International Data Corporation (IDC).23 Worldwide market sizes and trends are provided for 2009 to 2012, and a five-year growth forecast for this market is shown for 2013 to 2017. According to IDC, the worldwide IT security products market achieved a revenue level of $29.8-billion in 2012. This market is forecasted to reach $42-billion in 2017, representing a compound annual growth rate of 7.1% from 2012 to 2017. The largest security products market segment in 2012 was endpoint security, which is driven primarily by consumer spending. At the end of the IDC forecast period, endpoint security is expected to continue to be the largest market, however, network security is expected to be a very close second. As discussed in Section 6.3, over the long-term the steady-state segmentation of the quantum cryptography market is expected to approximate that of the current IT security market.

One important subset of the IT security product market that is relevant to discussions of quantum cryptography is the global encryption software market. As shown in the chart from TechNavio24 in Figure 10, the global encryption software market was valued at $1.2-billion in 2010 and is expected to reach $2-billion in 2014, representing a compound annual growth rate (CAGR) of 13%.

Table 1 – Worldwide IT Security Product Revenues by Segment (Source: IDC)

| Revenues by segment ($M USD) | 2009 | 2010 | 2011 | 2012 | 2013 | 2014 | 2015 | 2016 | 2017 |
|---|---|---|---|---|---|---|---|---|---|
| Endpoint | $7,016.8 | $7,352.2 | $7,676.4 | $8,085.6 | $8,608.2 | $9,166.5 | $9,758.9 | $10,373.0 | $11,007.1 |
| Network | $6,574.4 | $6,990.2 | $7,435.1 | $7,936.0 | $8,445.7 | $8,972.8 | $9,461.0 | $10,097.4 | $10,671.1 |
| Messaging | $2,754.9 | $2,305.4 | $2,414.0 | $2,476.5 | $2,622.2 | $2,787.6 | $2,964.3 | $3,139.4 | $3,320.6 |
| Web | $1,516.8 | $1,692.8 | $1,913.6 | $1,990.5 | $2,121.3 | $2,266.1 | $2,417.3 | $2,569.9 | $2,728.7 |
| Identity and Access Management | $3,348.5 | $3,598.5 | $4,018.8 | $4,418.3 | $4,859.7 | $5,331.7 | $5,842.6 | $6,376.2 | $6,927.1 |
| Security and Vulnerability Management | $2,875.8 | $3,365.3 | $3,832.6 | $4,191.5 | $4,603.5 | $5,030.6 | $5,495.5 | $5,979.0 | $6,473.4 |
| Other | $694.8 | $698.4 | $724.8 | $729.5 | $760.6 | $792.5 | $828.7 | $868.5 | $911.5 |
| Total | $24,782.0 | $26,002.8 | $28,015.3 | $29,827.9 | $32,021.2 | $34,347.8 | $36,768.3 | $39,403.4 | $42,039.5 |

The main drivers of the global encryption software market are growing regulatory compliance requirements for data security imposed by governments, the increasing adoption of mobile devices and the high financial cost of data loss (see Section 4.1). These factors are driving end-users to continuously adopt improved IT security and data encryption solutions, so the global encryption software market should continue to grow at a healthy rate. This is good news for the future quantum cryptography market, which will be driven by similar regulatory and financial factors over the long-term as the need for cryptosystems resistant to quantum computing becomes increasingly important over the coming years.

Figure 10 – Global Encryption Software Market 2010–2014 (US$ Billions). Source: TechNavio Analysis

As shown in the chart from TechNavio in Figure 11, the Americas currently account for the majority of the market share for encryption software at 49%. The tightening of government regulations and the high frequency of data loss is leading to the increasing demand for encryption software from different sectors, particularly in the United States. Europe, the Middle East and Africa (EMEA) follow with a current market share of 34%. Like the U.S., increasing security breaches are prompting European companies to increase their IT security budgets, and the growing frequency of cyber-attacks against European Union government infrastructures is driving the public sector to also adopt improved encryption software solutions.

The Asia-Pacific (APAC) region currently has a market share of 17%. Although its present share of the encryption software market is today relatively small, some of the countries in the region such as and South Korea are expected to make significant investments in the near future. In the Association of South East Asian Nations (ASEAN) area, countries such as Vietnam and Indonesia are expected to experience strong growth of over 15%. The reasons for this high growth are two-fold. First, as with the other geographical regions, growth in Asian countries will be driven by increasing public and private sector IT security spending. Furthermore, since most of these countries currently have a low adoption rate, as a percentage the growth rate is therefore expected to increase rapidly.

Finally, the chart from TechNavio25 in Figure 11 also shows the current encryption software market by end-user segmentation. The major adopters of encryption software solutions are large enterprises and various government departments. Since industries such as financial services and retail as well as critical government departments such as health, finance and defense are among the most targeted destinations for cyber-attacks, they are the most prominent users at 48% of the total market. Other government departments follow large enterprises at 22% of the total market, with agencies of the United States and European Union governments being the most prominent adopters of encryption software solutions.

The mid-market segment, which includes small/medium-sized enterprises (SMEs), follows next at 20% of the total market. Not only are these companies now coming under the same regulatory purview as large enterprises, but SMEs are often relatively more dependent on Web access, email and instant messaging (IM) for sales, marketing and business communications. Cyber-attacks against SMEs have also been growing. The remaining 10% of the market consists of small businesses, non-profits, educational institutions and others. Amongst these, educational institutions and small businesses are the strongest adopters of encryption solutions. As with SMEs, small businesses are heavily dependent on Web access, email and IM for communication. This is resulting in the high adoption of email and IM encryption solutions among small businesses. Over the long-term, the steady-state segmentation of the quantum cryptography market is expected to approximate that of the current encryption market (see Section 6.3).

Figure 11 – Encryption Software Market by Geography (Top) and End-User (Bottom). Source: TechNavio Analysis

Geography: Americas 49%, EMEA 34%, APAC 17%
End-User: Large Enterprises 48%, Government Departments 22%, Mid-market 20%, Others 10%

5. competitive landscape

5.1. CURRENT COMMERCIAL VENDORS

Four companies currently offer complete turn-key commercial QKD systems: ID Quantique, MagiQ Technologies, QuintessenceLabs and SeQureNet. Several other companies offer related products and services or have active research programs. Other commercial QKD activities are described in Sections 3.3.9 and 5.2. At the present time, there are no companies offering satellite-based long-distance QKD services.

5.1.1. SeQureNet SarL

23, avenue d’Italie • 75013 , www.sequrenet.com

Paul Jouguet – Chief Executive Officer
Sébastien Kunz-Jacques – Chief Technical Officer
Romain Alléaume – Principal Scientist

Established in 2010, SeQureNet is a -off from the quantum information team of Telecom ParisTech. The company sells encryption products that employ continuous variable quantum key distribution (CVQKD) for high security network services and practical applications. Areas of expertise include continuous variable quantum key distribution, cryptography and network security. Building on the work done on continuous variables prototypes during the SECOQC and SEQURE research projects, SeQureNet brings CVQKD to the market through turnkey software and hardware products and services that are aimed at both the academic and the IT security markets.

5.1.2. ID Quantique SA

Chemin de la Marbrerie, 3 • 1227 Carouge / Geneva , www.idquantique.com

Grégoire Ribordy – Chief Executive Officer
Kelly Richdale – Vice President, Sales and Marketing (Network Encryption)
Antonio Matteo – Manufacturing Manager
Patrick Trinkler – Vice President, Engineering

ID Quantique SA (IDQ) was founded in Geneva, Switzerland in 2001 by four scientists who anticipated the important forthcoming impact of quantum physics on information technology. The company initially operated as a small university spin-off with an initial investment of 100,000 CHF. In late 2003, IDQ raised €1-million from i2i, a venture capital fund based in Luxemburg, which allowed the company to accelerate its growth. The company sells quantum encryptors, which are packaged with traditional enterprise-level encryptors. IDQ’s best-selling product is a quantum random number generator with a USB interface. This type of device is often purchased by organizations that require non-deterministic random number generators for their cryptographic primitives, as well as online casinos. Also popular are IDQ’s single photon detector modules and QKD research stations, which are primarily sold to research laboratories. IDQ has customers in more than 60 countries and maintains close ties with academic institutions by participating in several Swiss and European R&D programs and has played a leading role in projects such as the SwissQuantum QKD testbed. The company currently has 20 employees and three business units (scientific instrumentation, random number generator, network encryption). A pair of QKD systems has a list price of $82,000.26

5.1.3. MagiQ Technologies Inc.

11 Ward Street • Somerville, MA 02143 www.magiqtech.com

Bob Gelfond – Founder and Chief Executive Officer
Audrius Berzanskis – Chief Operating Officer
Andrew Hammond – Vice President, Business Development
Michael LaGasse – Vice President, Engineering

Founded in 1999, MagiQ Technologies Inc. is a privately-held quantum information processing (QIP) company. In 2003, MagiQ launched its QKD product commercially. The company currently offers quantum cryptography on the hardware product side rather than the service side. Its areas of expertise include fiber optics, high-speed electronics and RF, acoustics, active feedback, FPGAs and software. Products for commercial applications include advanced quantum communication, single photon sources, quantum data deciphering and encryption, single photon detectors, fibre optic sensors, tunable and interferometers. The company is planning to commercialize simple quantum optical operations, algorithms for multi-processors and an interface between quantum communication and . Its current customers are primarily American government agencies including the U.S. Navy, the U.S. Army, DARPA and NASA. A QKD system from MagiQ costs between $70,000 and $100,000.27

5.1.4. QuintessenceLabs Inc

Suite 23, Physics Building #38, Science Road Australian National University • Acton, ACT Australia www.quintessencelabs.com

Peter Shergold – Chairman of the Board
Vikram Sharma – Founding Director and Chief Executive Officer

QuintessenceLabs is a spinoff of Australian National University, incorporated in 2006 to commercialize new information security systems premised on the practical application of advanced quantum physics. It is working to develop quantum cryptographic technology to enable secure communication of sensitive information. Researchers at QuintessenceLabs were awarded the 2006 Eureka Prize for Scientific Research for an entry entitled “Inventing Australia’s Own Unbreakable Code with Quantum Physics”. In March 2014, QuintessenceLabs was named by the Australian Information Industry Association (AIIA) as that country’s most innovative small company.

5.1.5. Alcatel-Lucent SA

3, avenue Octave Gréard • 75007 Paris, France www.alcatel-lucent.com

Michel Combes – Chief Executive Officer
Philippe Guillemot – Chief Operating Officer
Philippe Keryer – Chief Strategy and Innovation Officer
Federico Guillén – President, Fixed Networks
Tim Krause – Chief Marketing Officer

Alcatel-Lucent SA was formed in 2006 through the merger of Alcatel and Lucent Technologies. The company provides end-to-end solutions including mobile, fixed and integrated broadband access, enterprise and carrier IP technologies, and other related services to support government, enterprises and service providers in delivering video, voice, and data communication services to clients. Its subsidiary Bell Labs has been working on novel architectures to enable large capacity quantum communications networking. The goal of this work is to achieve quantum communication networks that have the required capacity and compatibility with existing fiber optic data networks. Bell Labs’ expertise in integrated optics is critical for implementing the low-loss optical components that would be required for quantum transmission.

5.1.6. Raytheon BBN Technologies

10 Moulton Street • Cambridge, MA 02138 www.bbn.com

Ed Campbell – President Steve Milligan – Chief Technologist Susan Wuellner – Vice President, Human Resources

BBN Technologies was acquired by Raytheon in October 2009. The company develops advanced networking, cyber security, immersive learning technologies, information and knowledge technologies, quantum information processing technologies and sensor systems for government and business customers. Under DARPA sponsorship, BBN Technologies collaborated with and Harvard University to develop, build and operate one of the world’s first QKD networks. This DARPA Quantum Network, which became operational in 2003, deploys 24×7 quantum cryptography to offer high security for a range of standard Internet traffic flows including streaming video, e-commerce and web browsing. BBN Technologies continues to work on new hardware, software and network protocols for quantum cryptography as well as high-speed detectors, cryptographic systems and defenses against “quantum hacking” techniques.

5.1.7. HP Laboratories

1501 Page Mill Road • Palo Alto, CA 94304 www.hpl.hp.com

Martin Fink – Chief Technology Officer and Director of HP Labs Chandrakant Patel – Senior Fellow and Chief Engineer

HP Labs is the exploratory and advanced research group for Hewlett-Packard, with responsibility for taking new technologies from prototype to market-ready commercialization for the next generation of products and services while pushing the frontiers of fundamental science. Areas of strategic focus include cloud security and information optimization as well as key areas such as mobility, content and printing, sustainability and future computing platforms and capabilities. HP Labs’ Quantum Information Processing (QIP) Group, a part of the Information and Quantum Systems Laboratory, is associated with research on quantum cryptography. At present, the QIP Group is focused on developing improved QKD technologies and creating new applications of quantum cryptography. Some of the applications being developed include authentication systems capable of preventing impersonation and enabling secure remote auctions. In 2007, HP Labs collaborated with researchers at the to develop a functional prototype of a portable quantum secure device.

5.1.8. IBM

New Orchard Road • Armonk, NY 10504 www.ibm.com

Virginia Rometty – Chairman, President and Chief Executive Officer Erich Clementi – Senior Vice President, Global Technology Services Jon Iwata – Senior Vice President, Marketing and Communications John Kelly – Senior Vice President, Director of IBM Research Robert LeBlanc – Senior Vice President, Software and Cloud Solutions Group Steven Mills – Senior Vice President and Group Executive, Software and Systems Tom Rosamilia – Senior Vice President, Systems and Technology Group

IBM is a global technology company with operations in over 170 countries. The company develops and sells software and systems hardware and a broad range of infrastructure, cloud and consulting services. Its four growth initiatives are business analytics, cloud computing, growth markets and Smarter Planet. Areas of research focus include nanotechnology (including atomic-scale storage), fundamental science, human-computer interaction and health care informatics. The company has also made significant R&D investments in quantum information and expects to commercialize quantum cryptography in the near future. IBM Research on Quantum Information is focused on exploring the fundamental physical limits of communication and computation, developing experimental quantum computers, implementing real-world long-distance quantum cryptography and understanding the role of quantum physics in information theory. The company’s research centre at Almaden has developed a quantum cryptography system focused on typical telecom optical fiber, detectors and lasers. A next generation system is configured for operation over an optical fiber network covering a distance of up to 10 km.

5.1.9. Nippon Telegraph and Telephone (NTT) Corporation

3-1, Otemachi 2-chome Chiyoda-ku, Tokyo • 100-8116, Japan www.ntt.co.jp

Satoshi Miura – Chairman of the Board Hiroo Unoura – President and Chief Executive Officer Hiromichi Shinohara – Executive Vice President

Nippon Telegraph and Telephone (NTT) is a Japanese telecommunications firm that provides fixed and mobile voice related services, IP/packet communications services, telecommunications equipment, system integration and other telecommunications-related services in Japan. It offers regional communications services including intra-prefectural communications and related ancillary services, long-distance and international communications services, mobile communications services and data communications services such as system integration and network system services. NTT has demonstrated a QKD system over a fibre optic network that succeeded in establishing a secure key rate of 12 bits/sec over a distance of 200 km. In 2009, NTT employed differential phase shift quantum key distribution (DPS-QKD) to attain a key rate of over 1 Mbit/sec, and a year later, the company tested the achievements of its DPS-QKD by employing a 90 km loop-back experimental optical fiber network between Otemachi and Koganei in Tokyo. These experiments demonstrated a constant secure key distribution with a 2 kbit/sec generation rate.

5.1.10. QinetiQ Group PLC

Cody Technology Park, Ively Road Farnborough, Hampshire • GU14 OLX, United Kingdom www.qinetiq.com

Leo Quinn – Chief Executive Officer David Mellors – Chief Financial Officer Mike Howarth – Operations Director Sanjay Razdan – Managing Director, Space/IP Jeremy Ward – Managing Director, C4ISR

QinetiQ Group PLC is a U.K.-based company engaged in the supply of technical support, training, test and evaluation, and know-how to government and commercial customers in the global security, aerospace and defense markets. The company has a long-standing presence in the quantum cryptography field, being one of the first to demonstrate the practicability of quantum cryptography over an optical fiber link in 1993. In 2002, the company successfully established a free-space QKD link of 23 km, and three years later delivered a free-space quantum cryptography system to BBN Technologies as part of the Quantum Network initiative funded by DARPA. QinetiQ started a partnership with AboveNet, a major provider of IP and fibre optic connectivity solutions, in 2009. The partnership would exploit an advanced cryptography solution to offer high security for communications intended to realize quantum cryptography across optical networks.

5.1.11. Nucrypt LLC

1840 Oak Avenue, Suite 212S • Evanston, IL 60201-3697 www.nucrypt.net

Prem Kumar – Founder and Former Chief Executive Officer Gregory Kanter – Chief Executive Officer

Nucrypt is an Illinois-based company that sells compact polarization-entangled photon sources and measurement devices. The company was founded in 2003 and is an outgrowth of research initially performed at the Centre for Photonic Communication and Computing at Northwestern University. Nucrypt holds a patent on a quantum-noise based QKD system and also develops other technologies including secure radio frequency communication systems, sources of entangled light and high-resolution photonic assisted analog-to-digital converters.

5.1.12. Toshiba

1-1, Shibaura 1-chome Minato-ku, Tokyo • 105-8001, Japan www.toshiba.co.jp

Atsutoshi Nishida – Chairman of the Board Norio Sasaki – Vice Chairman of the Board

Toshiba was founded in 1875 and today operates a global network of more than 500 consolidated companies with over 200,000 employees worldwide. The company is at the forefront of quantum information R&D and is currently seeking commercial partners to further develop applications for quantum cryptography. Toshiba’s Quantum Information Group (QIG) is led by Dr. Andrew Shields and is actively researching the application of quantum physics to information technology. The group developed a quantum key server capable of generating approximately one hundred 256 bit keys every second over a fiber optic network spanning a distance of 120 km. In 2005, the company employed quantum cryptography to relay video and voice over a secure optical fiber network, demonstrating the feasibility of single photon encryption over commercial networks. Two years later, researchers at Toshiba Europe in the United Kingdom claimed to have successfully integrated “decoy photons” into quantum signals for secure QKD. These decoy pulses are arbitrarily scattered within the quantum cryptographic signal and are intended to reduce the chance of the pulses containing multiple photons and thereby enable easy detection of attacks during data transmission. The decoy method also allows the use of more powerful laser pulses, which should increase both the bit rate and the transmission distance. Toshiba achieved a transmission rate of 5.5 kbits/sec over a distance of 25 km.

Toshiba has undertaken several field trials for its QKD networks, including the SECOQC network in Vienna. The SECOQC collaboration was aimed at developing protocols and hardware for operational QKD networks and was in operation from 2004 to 2008. In 2010, Toshiba deployed its QKD technology demonstrator at Tokyo's National Institute of Information and Communications Technology (NICT). This system was capable of operating over long distances exceeding 120 km using standard telecom fibres.

5.1.13. Oki Electric Industry Company Ltd.

1-7-12 Toranomon Minato-ku, Tokyo • 105-8460 Japan www.oki.com

Hideichi Kawasaki – President Naoki Sato – Senior Executive Vice President Sei Yano – Executive Vice President

Founded in 1881, Oki Electric is best known for its manufacturing and sales of products, technologies, software and solutions for telecommunications systems and information systems, including IT services distribution services related to these businesses. In 2012, the Japanese company partnered with Dr. Shuichiro Inoue of the Institute of Quantum Science at Nihon University to build and test a prototype commercial polarization entangled photon source designed to be part of a future QKD system. The entangled photon source is based on cascaded nonlinear optical effects using a proprietary periodically poled lithium niobate (PPLN) ridge-waveguide device and can operate at room temperature using conventional optical communications bands. Transmission tests using this source with standard optical fibers successfully transmitted quantum entangled photon pairs over a distance of 140 km, demonstrating the feasibility of next generation QKD systems covering metropolitan areas.

5.1.14. Universal Quantum Devices

295 Hagey Boulevard, 1st Floor, West Entrance Waterloo, Ontario • N2L 6R5 Canada www.uqdevices.com

Thomas Jennewein – Chief Executive Officer Raymond Laflamme – Chief Strategy Officer Steve MacDonald – Chief Financial Officer

Universal Quantum Devices (UQD) is a spin-off company from the Institute for Quantum Computing (IQC) at the University of Waterloo that offers highly specialized quantum measurement devices for use in sophisticated optics labs around the world. UQD has provided devices to laboratories in Asia, Australia and North America. The instruments are intended for use in the measurement of entangled photon sources, the implementation of quantum cryptography systems in both free-space and fibre-optics, and for photon correlation experiments with quantum dots. Devices offered by UQD can be utilized for experiments in high count rate entanglement sources, multi-photon experiments such as optical quantum computing, quantum cryptography with single and entangled photons, feed-forward experiments including gated detectors and triggered optical modulators, and time correlated fluorescence.

5.2. RECENT COMMERCIAL MARKET ACTIVITY

In March 2013, Doug Fregin and IQC founding supporter and current board member Mike Lazaridis established Quantum Valley Investments (QuantumValleyInvestments.com), a $100-million private fund to support the commercialization of breakthrough technologies and applications in quantum information science headquartered in Waterloo, Ontario. IQC executive director Dr. Raymond Laflamme and former Canadian Space Agency astronaut and president Dr. Steve Maclean are on the QVI scientific advisory committee. Lazaridis has reportedly spent over $250-million investing in quantum computer research efforts in Waterloo and has worked to raise about $750-million over the last twelve years for quantum computing innovation from both investor and government sources of capital.28 He and Fregin believe that in the same way discoveries at Bell Labs led to commercialization opportunities that created Silicon Valley, so will the breakthroughs that occur at IQC, the Perimeter Institute for Theoretical Physics and the Waterloo Institute for Nanotechnology likewise lead to transformative commercialization opportunities.

As discussed in Section 6.1, the current market for quantum cryptography is estimated to be on the order of $30-million but in the long-term is expected to grow substantially to tens of billions of dollars as the need for cryptosystems resistant to quantum computing becomes increasingly important over the coming years. Despite its current relatively modest size from a financial standpoint, there is already significant commercial activity in the quantum cryptography market.

A privately held start-up company called GridCOM Technologies secured funding in April 2013 from Ellis Energy Investments to develop quantum encryption technology for protecting the U.S. electrical grid from cyber terrorism. For a monthly subscription fee, wired and wireless devices can access GridCOM’s quantum key server over the Internet to receive incorruptible keys that are used in performing symmetric key encryption. The company claims that no specialized hardware or dedicated optical fibers are required on the device side and no significant data latency is introduced by the technique, which is an important requirement for grid compatibility. In September 2013, GridCOM was awarded an Energy Innovations Small Grant (EISG) from the California Energy Commission’s Public Interest Energy Research (PIER) program. GridCOM plans to install and operate their first prototype in the greater San Diego area before the end of 2014, and thereafter offer their services to other regions of the United States.

In October 2013, QWave Capital invested $5.6-million in the Swiss QKD company ID Quantique (see profile in Section 5.1.1). The details of the deal have not been disclosed; however, in a statement QWave said that it invested $4.5-million in the company’s business and spent another $1.1-million on buying out the shares of ID Quantique’s other shareholder. QWave was founded by the senior partner of venture fund Runa Capital, Sergei Belousov, and a number of other partners. The $30-million fund specializes in financing start-ups developing quantum computers, new materials and sub-micron transistors.

Concurrent with the QWave investment, ID Quantique partnered with the Battelle Memorial Institute to install the commercial QKD protected network in the United States. Using ID Quantique hardware and fiber optic lines installed between Battelle’s headquarters in Columbus, Ohio and another office in Dublin, Ohio, the institute is now able to transmit sensitive information such as financial data and intellectual property in a highly secure fashion. The line between Columbus and Dublin was installed in October 2013. In the next few years, all Battelle locations in central Ohio will be connected to the network and by 2015 its offices in Washington, D.C. will also be connected.

Quantum cryptography has even caught the attention of U.S. defense and aerospace giant Lockheed Martin, which has partnered with Australia’s QuintessenceLabs to develop QKD-based information security solutions for their respective national markets. QuintessenceLabs’ second generation QKD technology is supposed to be user-friendly and integrate seamlessly with current communications infrastructures to provide one-time pad encryption in real-time. In March 2014, QuintessenceLabs was named by the Australian Information Industry Association (AIIA) as that country’s most innovative small company.

6. market potential

6.1. DISCUSSION OF MARKET POTENTIAL

6.1.1. General Considerations

To get a sense of how the quantum cryptography market may develop over time, a comparison with the historical uptake of conventional cryptography could be considered:

• Phase 1 – Governments, militaries and research institutions
• Phase 2 – Financial institutions and large companies
• Phase 3 – Public utilities and small/medium enterprises (SMEs)
• Phase 4 – Other users

Section 3.3 provided examples of terrestrial QKD implementations by governments, militaries and research institutions. As described in Section 3.3.9, the world’s first bank transfer using QKD was undertaken in Austria in 2004. European banks remain leaders in the transition process to quantum-safe encryption technologies.

Most financial institutions and large companies still conduct cryptographic key management in a very labour intensive manner. Teams of human couriers are employed to do key exchanges manually using tamper resistant hardware security module (HSM) boxes that cost between $20,000 and $80,000 each. Keys are typically changed daily or every couple of hundred transactions, whichever comes first, and master keys are usually changed every couple of years. In general, financial institutions are fairly conservative and information security is driven by regulation and compliance. Over the next two decades, it is expected that international regulatory frameworks will drive network security and encryption stakeholders to take active steps in implementing quantum resistant cryptosystems, of which quantum cryptography will be a significant component.

NIST (National Institute of Standards and Technology), ETSI (European Telecommunications Standards Institute) and others have begun to look at quantum-safe cryptography and paths to migrate the current set of cryptographic tools to quantum-safe ones. The establishment of standards and procedures for certification will be crucial for the widespread acceptance of QKD devices.

In the short-term, acceptance could be gained by having QKD complement rather than replace conventional cryptography. For example, a hybrid system could use both conventional public key cryptography and QKD in parallel, in which the final key is a mixture of the conventional and quantum keys. A certification laboratory like NIST or ETSI would be able to assess such a hybrid system and give it a stamp of approval that it is compliant with current standards because QKD cannot make the solution any weaker than the public key element alone. A hybrid system would give users the option of using QKD with the regulatory peace of mind that there will always at least be the conventional cryptography element that has been certified as secure.29 ID Quantique (see profile in Section 5.1.1) has employed this strategy through its partnership with an Australian firm Senetas.

In addition to certification, other near-term considerations for market acceptance include the number of use cases and the cost of implementation. Currently, the only application for QKD is the encryption of links between two parties. The identification of other applications would significantly advance the development of the market and reduce implementation costs through economies of scale. For example, consider the representative implementation costs of one QKD link versus four links. The single link would require two QKD key generators and two encryptors, one at each end. For illustrative purposes, assume that each encryptor costs $30,000 and each QKD system costs $50,000. Hence, for a single link the total cost would be $160,000 of which the “quantum premium” is more than 100% (i.e. the QKD element more than doubles the total cost). On the other hand, in a system of four links there would need to be eight encryptors but still only two QKD systems. In this case, the total cost would be $340,000 of which the “quantum premium” would be less than 50%.

As an additional general consideration, there is a saying that “people don’t want drills, they are really buying holes”. While the “quantumness” of the product or service is important, at the end of the day what people really want is a solution to a problem rather than just being provided with a “cool” technology. For marketing quantum cryptography, the message should be, “If you need a strong key, here is a new and better approach.” Ultimately, customers really only want to know the details and benefits of the solution, and of course, the price.
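The hybrid arrangement described in this section, in which the final key is a mixture of the conventional and quantum keys, comes down to a key combiner. The Python below is an added example, not part of the IQC study or of any vendor's product: it assumes both secrets have already been established, mixes them with HKDF (RFC 5869, HMAC-SHA-256), and uses function names, a salt label and sample byte strings that are constructed for illustration.

```python
"""Hybrid key combiner: mixes a conventional shared secret with a QKD key."""
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size               # 32 bytes for SHA-256
COMBINER_SALT = b"hybrid-qkd-example-v1"    # assumed domain-separation label
MIN_COMPONENT_LEN = 16                      # require at least 128 bits each


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: condense input keying material into a fixed-size PRK."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: stretch the PRK into `length` bytes bound to `info`."""
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("requested length out of range for HKDF")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def frame(part: bytes) -> bytes:
    """Length-prefix a component so the boundary between the two inputs
    is unambiguous after concatenation."""
    return struct.pack(">I", len(part)) + part


def hybrid_key(classical_secret: bytes, qkd_key: bytes,
               context: bytes, length: int = 32) -> bytes:
    """Derive the final key from both components.

    Every output byte depends on both inputs, so someone who recovers only
    the conventional secret (or only the QKD key) still lacks an input to
    the derivation. A missing or too-short component is rejected rather
    than silently falling back to a single source.
    """
    for name, part in (("classical", classical_secret), ("qkd", qkd_key)):
        if len(part) < MIN_COMPONENT_LEN:
            raise ValueError(f"{name} component shorter than "
                             f"{MIN_COMPONENT_LEN} bytes")
    ikm = frame(classical_secret) + frame(qkd_key)
    prk = hkdf_extract(COMBINER_SALT, ikm)
    return hkdf_expand(prk, context, length)


if __name__ == "__main__":
    # Constructed sample values standing in for a public-key-derived shared
    # secret and a block of key material delivered by a QKD link.
    classical = bytes(range(32))
    quantum = bytes(range(32, 64))
    key = hybrid_key(classical, quantum, b"link-A encryptor key")
    print("hybrid key:", key.hex())
    # Replacing either component yields an unrelated key.
    print("classical changed:",
          hybrid_key(b"\xff" + classical[1:], quantum,
                     b"link-A encryptor key").hex())
    print("qkd changed:      ",
          hybrid_key(classical, b"\xff" + quantum[1:],
                     b"link-A encryptor key").hex())
```

The `context` argument lets one pair of inputs yield separate keys for separate links or encryptors.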

6.1.2. Considerations for Satellite-Based QKD

In Section 3.3, it was explained that while ground-based QKD networks have a number of commercially viable applications, there are fundamental physical constraints that would require the implementation of a complementary solution for distances beyond a few hundred kilometers. Earth orbiting satellites represent the only way using current technology to provide complementary long-distance QKD services, in which they would serve as complementary trusted nodes to bridge the distance between geographically dispersed QKD ground networks.

There is another benefit of satellite-based QKD to be considered with respect to regulatory compliance. Banks and other financial institutions are required to back-up their data for disaster recovery purposes. In Europe the recommended minimum distance is 50 km, however, this is increasingly considered as too short. The requirement in the United States is 250 km, the rationale being that a broad area disaster like an earthquake or tornado in one location should not affect the backup site. American banks are not planning new backup data centres at the increased distance mandate. This represents a significant business opportunity for commercial satellite-based QKD. For such a service to be competitive, however, it would have to cost much less than the comparable terrestrial fibre optic solution (if and where the latter is technically feasible). The cost of “dark” (unlit or unused) fibre for the quantum channel has been a major challenge for terrestrial QKD to date, on the order of $15,000 per month for deployed lengths of 50 km or greater.30

6.2. QUANTUM CRYPTOGRAPHY

IQC’s long-term estimate of the overall market potential for quantum cryptography is shown in Figure 12. A twenty year horizon was selected to reflect the prevailing scientific consensus that practical and widespread quantum computing capabilities will most likely be available within the next 10 to 25 years,31 and with it, the ability to readily break RSA or ECC cryptosystems. Hence, the long-term market potential estimate is based on the assumption that over the next two decades international regulatory frameworks will drive network security and encryption stakeholders to take active steps in implementing quantum resistant cryptosystems, of which quantum cryptography will be a significant component. All financial values in this and the following sections are expressed in 2013 U.S. dollars. Financial values without citation are IQC internal estimates.

Figure 12 – IQC Long-Term Estimate of Quantum Cryptography Market Potential

International Data Corporation (IDC) had estimated a quantum cryptography market of $30-million in 2008.32 Of course, that year turned out to be the start of the worldwide financial crisis, and for the time being quantum cryptography remains a niche application with users primarily in research institutions and governments. For these reasons, IQC estimates that the current market for quantum cryptography has remained at approximately the same order of magnitude. Over the long-term, however, as regulatory requirements for quantum resistant cryptosystems are expected to become more prevalent over the next two decades, it is reasonable to expect that the market potential for quantum cryptography should grow significantly. IQC estimates a potential global market of up to $23-billion by the end of the forecast period.

As a comparative reference, the global market for conventional network security services was estimated at $10-billion in 2008,33 and the global market for conventional communications encryption was estimated at $20-billion in 2013.34 Global Industry Analysts forecasted a global quantum cryptography market of up to $1-billion by 2018,35 and Icon Group International predicted a market of up to $1.2-billion for that same year.36 IQC believes these estimates to be overly optimistic in the near-term and does not foresee the global market for quantum cryptography exceeding a billion dollars within the current decade. Over the long-term, however, IQC believes the market potential for quantum cryptography will experience very significant growth as regulations mandating quantum resistant cryptosystems are expected over the next twenty years.

Figure 13 – IQC Long-Term Estimate of Quantum Cryptography Market by User Segment

6.3. MARKET SEGMENTATION

To get an indication of how the quantum cryptography market may develop over time, the historical uptake of conventional cryptography could be examined. As discussed in Section 6.1, it is foreseen that the market for quantum cryptography will evolve over the forecast period in the following manner:

• Phase 1 – Governments, militaries and research institutions
• Phase 2 – Financial institutions and large companies
• Phase 3 – Public utilities and small/medium enterprises (SMEs)
• Phase 4 – Other users

Following this phased timeline and assuming that adoption by each market segment follows a Bass diffusion model, IQC’s long-term estimate of the market potential for quantum cryptography by user segment is shown in Figure 13. As discussed in Section 4.2, the market segmentation for the global encryption software market in 2012 was 48% large enterprises, 22% government departments, 20% mid-market and 10% other users. The IQC forecast model assumes that over the long-term the steady-state segmentation of the quantum cryptography market will approximate that of the current encryption market.

6.4. SATELLITE-BASED QKD

As discussed in Section 3.4, while ground-based QKD systems have a number of commercially viable applications, there are some fundamental physical constraints that would require the implementation of a complementary solution for distances beyond a few hundred kilometers. In the absence of practical quantum repeaters, the only way to offer long-distance QKD services is by using satellites as complementary trusted nodes to bridge the distance between geographically dispersed QKD ground networks, for example, between cities or continents. Even with quantum repeaters, however, there would still be a role for satellites as the most optimistic quantum repeater protocols would still only facilitate distances up to about 1,000 km.37 The distance benefits of satellite-based QKD would also help banks and other financial institutions comply with regulations pertaining to the physical distance requirement between primary and backup data sites, as discussed in Section 6.1.2.

Figure 14 shows the estimated market potential for satellite-based QKD. Since satellites would only be used to cover long-distances between nodes of terrestrial fibre networks, the IQC forecast model assumes that the steady-state market share of satellite-based QKD as a proportion of the overall market for quantum cryptography estimated in Section 6.1 will approximate that of the current worldwide market for satellite communications as a proportion of the overall global telecommunications industry. If low Earth orbit (LEO) microsatellite platforms are utilized, an initial QKD satellite constellation could be developed and launched in approximately five years. Key transfers could also be done by geostationary (GEO) satellites. Finally, it is expected that the initial users of satellite-based QKD will be predominantly from governments, militaries, financial institutions and large companies. Based on these assumptions, IQC estimates a potential global market for satellite-based QKD of up to $382-million per year by the end of the forecast period.

Figure 14 – IQC Estimate for Satellite-Based QKD Market Potential

7. conclusion

For over a decade, the Institute for Quantum Computing (IQC) has been aggressively exploring and advancing the application of quantum mechanical systems to a vast array of relevant information processing techniques, particularly as they apply to quantum computing, communications and sensors, and of course cryptography. Since its discovery at the beginning of the 20th Century, researchers around the world have been working on how to harness quantum mechanics for the benefit of humanity, in the manner that chemical, electromagnetic and nuclear phenomena became understood and utilized in past centuries.

It is quantum mechanics that, ironically, poses both the greatest threat to conventional cryptography and the best means of securing it. Within the next two decades, it is expected that practical quantum computers will be able to routinely and quickly solve the mathematical problems upon which most current encryption methods are based, rendering them useless. Quantum cryptography, relying upon the same fundamental laws of physics, promises to provide long-term data security that will never be threatened by new algorithms or increased computational power.

Quantum key distribution (QKD) is not science fiction. It is a present day reality, and one that has the potential to be a significant business opportunity. Several major firms including Alcatel-Lucent, Raytheon, HP, IBM, QinetiQ and Toshiba are either actively researching QKD or are already offering related products and services. A number of start-ups are selling commercial end-to-end QKD systems, and several terrestrial QKD networks using fibre optic cables or free-space atmospheric transmission are operating today for both research and niche commercial applications.

Due to fundamental physical constraints, however, a complementary solution is required for distances beyond a few hundred kilometers. Free-space atmospheric QKD links require line-of-sight and are subject to local geographical constraints and ultimately the curvature of the Earth. Using satellites as complementary trusted nodes to bridge geographically dispersed QKD networks is the only way with current technology to provide long-distance QKD services.

A new “Quantum Space Race” is on, with teams in Canada, Europe, the U.S., Japan, China and other nations vying to be the first to demonstrate QKD from space. The winning team would not only claim a historic scientific achievement but would also be the front-runner to seize a potentially lucrative future business opportunity. The current market for quantum cryptography is relatively modest; however, it is expected to grow significantly over the long-term as regulatory requirements for quantum-resistant cryptosystems are expected to become enacted. IQC estimates the potential overall global market for quantum cryptography could reach $23-billion within twenty years.

Satellite-based QKD for long-distance secure key distribution, using either a constellation of low Earth orbit (LEO) microsatellites or hosted payloads on geostationary (GEO) satellites, would be a subset of this overall quantum cryptography market. IQC estimates a potential worldwide market for satellite-based QKD of up to $382-million per year within the next two decades.

The quantum revolution is on. Quantum information science is moving from the realm of research to the world of business. The need, the science, the technology, and the business opportunity are there for those who wish to seize it.

8. endnotes

1. Corker, D., Ellsmore, P., Abdullah, F., Howlett, I. “Commercial Prospects for Quantum Information Processing”, Quantum Information Processing Interdisciplinary Research Collaboration, 1 December 2005.
2. Schlosshauer, M., Kofler, J., Zeilinger, A. “A Snapshot of Foundational Attitudes Toward Quantum Mechanics”, Stud. Hist. Phil. Mod. Phys. 44, 222-230 (2013).
3. M. Mosca, G. Lenhart, M. Pecen (editors), Proceedings of “1st Quantum-Safe-Crypto Workshop”, Sophia Antipolis, September 26-27, 2013.
4. Stebila, D., Mosca, M., Lütkenhaus, N., “The Case for Quantum Key Distribution”, arXiv: 0902.2839v2 [quant-ph] 2 Dec 2009.
5. Warwick P. Bowen, Nicolas Treps, Ben C. Buchler, Roman Schnabel, Timothy C. Ralph, Hans A. Bachor, Thomas Symul and Ping Koy Lam, “Experimental Investigation of Continuous Variable Quantum Teleportation”, arXiv:quant-ph/0207179v1, 31 Jul 2002.
6. R. Ursin, F. Tiefenbacher, T. Schmitt-Manderbach, H. Weier, T. Scheidl, M. Lindenthal, B. Blauensteiner, T. Jennewein, J. Perdigues, P. Trojek, B. Ömer, M. Fürst, M. Meyenburg, J. Rarity, Z. Sodnik, C. Barbieri, H. Weinfurter and A. Zeilinger. “Entanglement-Based Quantum Communication Over 144 km”, Nature Physics 3, 481-486 (2007).
7. Ibid.
8. Nauerth, S., Moll, F., Rau, M., Fuchs, C., Horwath, J., Frick, S., Weinfurter, H. “Air-to-Ground Quantum Communication”, Nature Photonics 7, 382–386 (2013).
9. “Better Encryption Techniques Spur Fiber Research”, Communications Today, 16 July 2003.
10. N. Sinclair, E. Saglamyurek, H. Mallahzadeh, J. A. Slater, M. George, R. Ricken, M. P. Hedges, D. Oblak, C. Simon, W. Sohler, and W. Tittel. “A Solid-State Memory for Multiplexed Quantum States of Light with Read-Out on Demand”, arXiv:1309.3202v1 [quant-ph], 13 September 2013.
11. T. Jennewein, B. Higgins. “The Quantum Space Race”, Physics World, March 2013.
12. Alba, D., “China Unveils Secret Quantum Communications Experiment”, IEEE Spectrum, 13 June 2013, http://spectrum.ieee.org/tech-talk/aerospace/satellites/china-unveils-secret-quantum-communications-experiment
13. Mann, A., “The Race to Bring Quantum Teleportation to Your World”, Wired, 3 October 2012, http://www.wired.com/wiredscience/2012/10/quantum-satellite-teleportation/all/
14. “A New Dawn for China’s Space Scientists”, Science, Volume 336, 29 June 2012, pp. 1632-1633.
15. McCracken, H., “SXSW: Edward Snowden Has No Regrets About NSA Leaks”, Time, 10 March 2014, http://time.com/18691/edward-snowden-talks-privacy-and-security-at-sxsw-interactive/
16. Schlosshauer, M., Kofler, J., Zeilinger, A. “A Snapshot of Foundational Attitudes Toward Quantum Mechanics”, Stud. Hist. Phil. Mod. Phys. 44, 222-230 (2013).
17. The State of Data Security: Defending Against New Risks and Staying Compliant, Sophos Security Report 5.11v1.dNA, 2011.
18. “Rethinking Data Security in a Cloud-Based World”, Watch, Issue 3, 2013.
19. “Battling the Cyber Threat”, Watch, Issue 3, 2013.
20. Cavusoglu, H., Mishra, B., Raghunathan, S. (2004). “The effect of internet security breach announcements on market value: Capital market reactions for breached firms and Internet security developers”, International Journal of Electronic Commerce, 9, 70–104.
21. Nicastro, D. (2010, August 12). “HIPAA breaches near $1-billion”, HealthLeaders Media, 10 April 2011, http://www.healthleadersmedia.com/content/TEC-255015/HITRUST-HIPAA-Breaches-Near-1-Billion
22. The State of Data Security: Defending Against New Risks and Staying Compliant, Sophos Security Report 5.11v1.dNA, 2011.
23. Kolodgy, C.J. et al, “Worldwide IT Security Products 2013-2017 Forecast”, IDC Report #245102, December Rev2013.
24. “Global Encryption Software Market: 2010-2014”, TechNavio Insights Report, 2012.
25. Ibid.
26. Graham-Rowe, D. “Quantum Cryptography for the Masses”, MIT Technology Review, 28 August 2009, http://www.technologyreview.com/news/415073/quantum-cryptography-for-the-masses/
27. Stix, Gary. “Best-Kept Secrets”, Scientific American, January 2005, Volume 292, Issue 1, pp. 78-83.
28. Wilkinson, K., “How Mike Lazaridis Plans to Turn Waterloo into the Silicon Valley of Quantum Computing”, Canadian Business, 9 November 2013.
29. “Bringing Quantum Technology to the Marketplace”, Presentation by Grégoire Ribordy (CEO of ID Quantique) at the Institute for Quantum Computing, 9 August 2011.

30. “Bringing Quantum Technology to the Marketplace”, Presentation by Grégoire Ribordy (CEO of ID Quantique) at the Institute for Quantum Computing, 9 August 2011.
31. Schlosshauer, M., Kofler, J., Zeilinger, A. “A Snapshot of Foundational Attitudes Toward Quantum Mechanics”, Stud. Hist. Phil. Mod. Phys. 44, 222-230 (2013).
32. Corker, D., Ellsmore, P., Abdullah, F., Howlett, I. “Commercial Prospects for Quantum Information Processing”, Quantum Information Processing Interdisciplinary Research Collaboration, 1 December 2005.
33. “Quantum Cryptography: A Market at an Embryonic Stage”, Asian Technology Information Program, ATIP Document ID 071306R, 13 June 2007.
34. “QWave Invests $4.5M in Quantum Encryption Developer ID Quantique”, Russia & CIS Business & Investment Weekly, 18 October 2013.
35. “Quantum Cryptography: A Global Market Report”, Global Industry Analysts Inc., MCP-1812, June 2013.
36. Parker, P.M. The 2013-2018 World Outlook for Quantum Cryptography, Icon Group International, ISBN 1-114-88185-6, 2012.
37. N. Sinclair, E. Saglamyurek, H. Mallahzadeh, J. A. Slater, M. George, R. Ricken, M. P. Hedges, D. Oblak, C. Simon, W. Sohler, and W. Tittel. “A Solid-State Memory for Multiplexed Quantum States of Light with Read-Out on Demand”, arXiv:1309.3202v1 [quant-ph], 13 September 2013.

9. appendices

9.1. APPENDIX A: LIST OF ACRONYMS

AES Advanced Encryption Standard
AIIA Australian Information Industry Association
APAC Asia Pacific
ASEAN Association of South East Asian Nations
BB84 Bennett and Brassard 1984 (QKD protocol)
BBM92 Bennett, Brassard and Mermin 1992 (QKD protocol)
BBN Bolt, Beranek and Newman (Raytheon subsidiary)
BP British Petroleum
CEO Chief Executive Officer
CERN Conseil Européen pour la Recherche Nucléaire
CHAMP Challenging Minisatellite Payload
CNSA China National Space Administration
CRYPTREC Cryptography Research and Evaluation Committee (Japan)
CSA Canadian Space Agency
CSEC Communications Security Establishment Canada
CSIS Centre for Strategic and International Studies
CV-QKD continuous-variable quantum key distribution
DARPA Defense Advanced Research Projects Agency
DES Data Encryption Standard
DPS-QKD differential phase shift quantum key distribution
DVD digital video disc
E91 Ekert 1991 (QKD protocol)
ECC elliptic curve cryptography
EISG Energy Innovations Small Grant
EMEA Europe, the Middle East and Africa
ESA European Space Agency
FAST Flights for the Advancement of Science and Technology
FPGA field programmable gate array
FSA Financial Services Authority (United Kingdom)
GEO geostationary Earth orbit
HSM hardware security module
HHS Health and Human Services
HIPAA Health Insurance Portability and Accountability Act
ICT information and communications technology
IDC International Data Corporation
IDQ ID Quantique SA
IM instant messaging
IP Internet protocol
ISS International Space Station
IT information technology
IQC Institute for Quantum Computing
LEO low Earth orbit
LLC limited liability corporation
NASA National Aeronautics and Space Administration
NICT National Institute of Information and Communications Technology (Japan)
NIST National Institute of Standards and Technology
NSA National Security Agency
NTT Nippon Telegraph and Telephone
NP nondeterministic polynomial time (complexity class)
OTP one-time pad
PIER Public Interest Energy Research
PLC private limited company
PPLN periodically poled lithium niobate
QEYSSat Quantum Encryption and Science Satellite
QIP Quantum Information Processing
QIPS Quantum Information and Quantum Physics in Space
QKD quantum key distribution
QRNG quantum random number generator
QUEST Quantum Entanglement for Space Experiments
R&D research and development
RF radio frequency
RSA Rivest, Shamir and Adleman
SECOQC Secure Communication based on Quantum Cryptography
SEQURE Symmetric Encryption with Quantum key Renewal
SOCRATES Space Optical Communications Research Advanced Technology Satellite
SFL Space Flight Laboratory
SME small/medium-sized enterprises
SOTA small optical transponder assembly
U.K. United Kingdom
UQCC Updating Quantum Cryptography and Communications Conference
UQD Universal Quantum Devices
U.S. United States
USB universal serial bus
UTIAS University of Toronto Institute for Aerospace Studies

9.2. APPENDIX B: ACKNOWLEDGEMENTS

The authors of this study gratefully acknowledge the contributions of the following:

Sharilyn Allen, Communitech
Lucas Armstrong, MaRS Market Intelligence
Gillian Clinton, Clinton Research
Dr. Audrey Dot, Institute for Quantum Computing
Nabil Fahel, Communitech
Dr. Brendon Higgins, Institute for Quantum Computing
Catherine Holloway, Institute for Quantum Computing
Dr. Thomas Jennewein, Institute for Quantum Computing
Dr. Raymond Laflamme, Institute for Quantum Computing
Joe Lee, MaRS Market Intelligence
Dr. Vadim Makarov, Institute for Quantum Computing
Bridget Moloney, University of Waterloo
Dr. Michele Mosca, Institute for Quantum Computing
Brian Neill, Independent Reviewer
Matthew Rosato, COM DEV Ltd.

DOCUMENT NO. IQC-QPL-R-1403001

200 UNIVERSITY AVENUE WEST, WATERLOO, ON CANADA N2L 3G1 | IQC.UWATERLOO.CA