Royal Holloway Series 2011 Quantum key distribution: HOME HOW DOES Awesome or pointless? QKD WORK? QKD NETWORK APPLICATIONS Some believe the advent of quantum computing will reduce the COMMERCIAL PROSPECTS time taken to solve cryptographic algorithms so dramatically that they will no longer provide effective security. Sheila Cobourne CONCLUSION and Dr. Carlos Cid explain how Quantum Key Distribution could provide a solution. 1 Royal Holloway Series 2011 Quantum key distribution: Awesome or pointless? INTRODUCTION This uses the quantum properties of light sent ryptography is one of the success along a specialised channel (quantum channel) stories in the information security and existing laser, fibre-optic and free-space world. Properly implemented cryp - transmission technologies can support this. tography allows sensitive informa - QKD’s security is based on the laws of quantum tion (such as credit card details) to physics alone, rather than hard mathematics, and Cbe transmitted through a potentially is unbreakable. However, some analysts do not insecure environment like the Internet. It provides see the need for QKD, as existing non-quantum HOME the essential security services of confidentiality, (classical) cryptographic systems are secure HOW DOES integrity and authentication for millions of day- enough. (The security guru Bruce Schneier has QKD WORK? to-day transactions. called quantum cryptography “as awesome as it However, some of the most popular types of is pointless,” so no prizes for guessing where he QKD NETWORK cryptography rely on the difficulty of solving hard stands on the issue!) APPLICATIONS mathematical problems to provide security This article describes quantum key distribution, COMMERCIAL against attack: it is believed that the advent of its strengths and weaknesses, its place within PROSPECTS quantum computing will reduce the time taken cryptography, and whether it is actually needed at to solve these problems so dramatically, that they all. It will also identify potential applications and CONCLUSION will no longer provide an effective security commercial prospects of QKD. But, fear not, no method. quantum physics or mind-boggling mathematics All is not lost, though — a totally new tech - will be used! Of necessity, technical terms are nique, quantum cryptography, is waiting in the needed throughout the report, so some basic wings. This harnesses the laws of quantum cryptography will be explained in the next section, mechanics, along with quantum computing before proceeding on to a discussion of QKD itself. power, to provide information security. Since quantum computing is still in its infancy, this is still largely a theoretical area, but one type of CRYPTOGRAPHY BASICS quantum cryptography is achievable with today’s Cryptography is generally used when communi - 2 technology — Quantum Key Distribution (QKD). cating parties wish to exchange information over Royal Holloway Series 2011 Quantum key distribution: Awesome or pointless? an insecure channel. Within the cryptographic secure way of distributing keys uses a trusted community, these communicating parties are courier to physically transport a key in a tamper- conventionally called Alice and Bob: it is assumed proof medium (such as a smart card). However, that messages and information sent between if the courier is actually untrustworthy he or she them could be subject to eavesdropping by an can change or damage the key in transit, and the adversary called Eve. (Alice, Bob and Eve aren’t procedure fails. necessarily human, by the way — they could also be PCs or software.) Cryptography could not HOME Keys are a fundamental element of cryptogra - function without keys, but HOW DOES phy. They are special pieces of data that are care - QKD WORK? fully generated for use in the encryption and it is a major challenge to decryption of sensitive information. It is essential QKD NETWORK that the keys are kept secret. This is related to the ensure that the correct key APPLICATIONS well-known Kerckhoff’s principle, which states is available to Alice and Bob COMMERCIAL that the security of a cryptographic system PROSPECTS should not rely on the secrecy of the algorithm at the right time. used for encryption and decryption, but rather CONCLUSION on the secrecy of the key. Different security levels can be achieved by Cryptography could not function without keys, classical cryptography. Computational security but it is a major challenge to ensure that the exists where a system is theoretically breakable correct key is available to Alice and Bob at the by trying every possible key — the brute-force right time. There are several approaches to attack — but the computational effort required to overcome this problem: a key can be generated do so is so time-consuming and expensive that it centrally and sent to Alice and Bob when needed is not economically viable for an attacker to per - (key distribution) or Alice and Bob could gener - form the attack. Unconditional or perfect security ate a key between themselves (key establish - exists in cases when, even if an attacker has ment or key agreement). However, no existing infinite resources at their disposal, the system 3 method is 100% secure. For example, a very still cannot be broken. Royal Holloway Series 2011 Quantum key distribution: Awesome or pointless? The One-Time Pad (OTP) is a method for detection equipment for each piece of quantum achieving perfect security of encryption, provided information sent, Bob’s measurements will either that it uses a key that is randomly generated, as be perfectly correct, or a completely random value. long as the message and is used only once. How - This is a direct consequence of quantum physics. ever, OTPs have immense practical difficulties: The sending and receiving of quantum information generating long, truly random keys is problematic; is the only quantum part of QKD: everything that distributing the keys to recipients is a logistical follows is done using conventional technology, and nightmare; sender and receiver have to be totally is called classical post-processing. HOME synchronized to make sure that the same keys are Alice and Bob then use a secure classical com - HOW DOES used for the same message; and ensuring keys munications channel to compare Alice’s informa - QKD WORK? are never re-used is a challenging task. For this tion sent with Bob’s information received, and reason, OTPs are currently seldom used in prac - they decide which measurements will be used to QKD NETWORK tice, but as will be seen in this report, when com - generate the secret key. This potential key material APPLICATIONS bined with quantum key distribution they become is subjected to standard error-correcting routines, COMMERCIAL a much more realistic option. and then compressed in a process known as PROSPECTS Now the terminology is clearer, a brief descrip - privacy amplification. The next phase, however, tion of quantum key distribution follows - where is the most important: authentication. Quantum CONCLUSION the cryptographic and quantum world meet. key distribution is vulnerable to Man-in-the-Mid - dle attacks, where an attacker not only controls communications between Alice and Bob but HOW DOES QKD WORK? impersonates Alice to Bob and vice versa. Despite its name, quantum key distribution is Authentication is essential to ensure information a key establishment method which creates key is being transferred between the correct parties. material by using the quantum properties of light Once all the classical post-processing has been to transfer information from Alice to Bob. successfully completed, the key that has been Alice sends some quantum information to Bob established can be used by Alice and Bob in along a specialised quantum channel, such as a classical encryption. 4 fibre optic link. Depending on how he sets his If Eve attempts to intercept the initial quantum Royal Holloway Series 2011 Quantum key distribution: Awesome or pointless? communication, she will always be detected erty of quantum key distribution is that a rela - thanks to the effects of quantum mechanics: a tively short input can be used to generate per - higher than expected number of errors will occur fectly secure random key material ever after, as in Bob’s measurements. Alice and Bob can then follows. A secret key is shared between Alice abandon the key and try again at a different time and Bob to authenticate the very first quantum when Eve has retreated, cursing the laws of exchange: it has been shown that using part of physics. A key established via quantum key distri - the output of this QKD session to authenticate bution simply cannot be compromised by Evil Eve. the next QKD session means that this second HOME round is also perfectly secure. QKD can there - HOW DOES Alice and Bob can then fore be run almost continuously without loss of QKD WORK? abandon the key and try security, and the short initial key can be expand - ed: each new QKD session key is independent QKD NETWORK again at a different time of all previously used keys, so this reduces the APPLICATIONS number of ways a malefactor can attack the COMMERCIAL when Eve has retreated, system. PROSPECTS cursing the laws of physics. Additionally, security provided by QKD is future proofed: it means that even if a cryptographic CONCLUSION A point to remember is that all key material system is broken at some unspecified future time, produced by quantum key distribution is stored previous messages sent through it remain secure. on conventional equipment, and used in classical The unconditional security of QKD systems has encryptions: quantum computers are needed to been mathematically proven: even in the face of store information in quantum form, and they are an adversary with infinite supplies of time and not available using current technology. processing power, the security simply cannot be broken. And, of course, Eve is forced to pack up her WHAT ARE QKD’S STRENGTHS? eavesdropping kitbag and head for the hills, Quantum key distribution is a particularly good howling in frustration because she will always 5 method for producing long random keys.