Quantum Key Distribution: Advantages, Challenges and Policy Communication | Editorial | Invited contribution | Perspective | Report | Review Victor Lovic Department of Physics Imperial College London [email protected] Abstract The prospect of quantum computing threatens the security of modern encryption methods, putting our private communications at risk. With experts predicting the development of powerful quantum computers as early as the end of the decade, the urgency of transitioning to ‘quantum-safe’ communications is apparent. There are two classes of solutions available: post-quantum cryptography (PQC), which refers to communication algorithms designed to be safe against quantum computers, and quantum key distribution (QKD), a new technology with unique advantages and challenges. These solutions are not mutually exclusive, and this review argues that they are in fact complementary solutions to the threat of quantum computing. However, QKD has received criticism for being a less practical solution than PQC. This review makes the case for QKD and argues that it offers significant advantages which are not adequately recognised. I conclude that the development of QKD would benefit from increased government support and I provide policy recommendations for how to best support it. Since the first theoretical developments in the Introduction 1980s, quantum computers have quickly become a reality. Major investments from government re- search budgets and private companies have led to Quantum computing is a new technology which the development of the first iteration of quantum promises to perform certain computations much computers, comparable perhaps to the first (clas- faster than any modern supercomputer. Accel- sical) computers built nearly 70 years ago using erated drug discovery and better climate models vacuum tubes. This rapid progress is cause for are just two examples of applications which will alarm since when a sufficiently powerful quantum benefit from the capabilities of quantum comput- computer is developed, our standard encryption ers. On the flip side, quantum computers will methods will become inadequate and our com- also be able to break most methods of encryption munications insecure. Moreover, not only are used today, putting our private communications our future communications under threat, our cur- at risk. Quantum Key Distribution: Advantages, Challenges and Policy rent communications are too: modern encryption which we call the ‘key’. To encrypt a message, methods rely on what is known as ‘public-key’ Alice replaces each letter with another letter a cryptography. The word ‘public’ points to the fixed number of positions down the alphabet, de- fact that information encrypted in this way can termined by the value of the key. To decrypt be recorded and stored by anyone. This opens the message, Bob simply reverses the process, the possibility for an eavesdropper to record our replacing each letter by that found the same num- private, encrypted communications and wait for ber of positions up the alphabet. While modern a sufficiently powerful quantum computer to be- cryptography has advanced a great amount, it come available and use it to decrypt them in the is still based on the same principle: two com- future. Since we require certain communications municating parties agree on a secret number, or to remain private for long periods of time, we key, which they use to encrypt and decrypt their must make the transition to quantum-safe forms communications. This type of cryptography is of communications well in advance of the devel- known as ‘symmetric-key’ cryptography because opment of quantum computers. This is especially the same key is used for encrypting and decrypt- true since transitioning to ‘quantum-safe’ forms ing messages. The problem with symmetric-key of communications could take many years. cryptography is that Alice and Bob need to agree on a secret key before communicating. This re- Fortunately, alongside the development of quan- quires them to either meet in person or use a tum computers, there has been ongoing research trusted courier, neither of which are practical into alternative, quantum-safe communication solutions for securing the vast amount of infor- methods. Broadly speaking, two distinct classes mation that is nowadays sent over the internet. of solutions are available, known as post-quantum The solution to this problem, only developed in cryptography (PQC) and quantum key distribu- the 1970s, is known as ‘public-key’ cryptography. tion (QKD). This review gives an overview of both In public-key cryptography, the keys that are technologies but will focus on the advantages and used to encrypt and decrypt the communications challenges presented by QKD. I argue that QKD, are different, but mathematically related. The being a truly novel technology, is poorly under- key which is used to encrypt messages is made stood and in need of a defence. It has significant public, while the key used to decrypt messages advantages which are not adequately recognised is kept private. In this way Bob can send Al- and there has been tremendous progress in ad- ice his public key, which can be seen by anyone, dressing the practical challenges of making it a for her to encrypt her messages with. She can useful and cost-effective solution. The review then send her encrypted message to Bob and, cru- is structured as follows: Section 2 introduces cially, only he will be able to decrypt it, since only public-key cryptography and why quantum com- he has the corresponding private key. Since the puting poses a threat to private communications; keys are mathematically related, it is important Section 3 introduces PQC and QKD as poten- that no eavesdropper is able to figure out the pri- tial solutions to this threat; Section 4 makes the vate key given the public key. The mathematical case for QKD and finally Section 5 discusses the problem for doing this needs to be ‘intractable’, outlook of both technologies and provides policy that is, very difficult and time-consuming. For recommendations. example, the mathematical problem that guar- antees the security of the widely used public-key RSA protocol is factoring: the process of finding Cryptography and Quantum the prime factors of a large number. It would Computers take modern computers thousands of years to factor the public keys used in RSA encryption, which is why the communications are considered Cryptography has been used for centuries. An secure. If an eavesdropper was able to quickly early example is the so-called Caesar cipher used, factor large numbers, then they would be able to as the name suggests, by the ancient Romans. break RSA encryption since they could extract The Caesar cipher works as follows: two people the private key from the public one. Although who want to communicate, conventionally called there are good reasons to think that factoring Alice and Bob, privately agree on a secret number, 2 Cambridge Journal of Science & Policy, Vol 1 (2020), Issue 2 Quantum Key Distribution: Advantages, Challenges and Policy really is an intractable problem, there remains Computing (IQC) at the University of Waterloo, the possibility that a mathematical or technolog- predicts a 50% chance of quantum computers ical breakthrough will allow us to quickly factor breaking RSA encryption by 2032 [4]. His col- large numbers. Indeed, in 1994, the physicist league Matteo Mariantoni, also professor at IQC, Peter Shor showed that quantum computers will believes that a quantum computer capable of be able to quickly factor large numbers and de- breaking RSA encryption could be built by 2030 code other mathematical encryptions currently [5]. In many cases, private information needs used in public-key cryptography. A white paper to be kept secret for several years. For exam- published by the European Telecommunications ple, census data in the UK is required to remain Standards Institute (ETSI) states that undisclosed for 100 years [6] and it is easy to understand why health records, government com- [m]ost of the public-key cryptog- munications, and other sensitive data have similar raphy that is used on the Inter- secrecy lifespans. If predictions about the devel- net today is based on algorithms opment of quantum computers are correct, then that are vulnerable to [attacks by these types of data are already at risk of being a quantum computer]. These in- hacked by a future quantum computer. To make clude public-key algorithms such matters more urgent, transitioning to quantum- as RSA, ECC, Diffie-Hellman safe forms of communication could require several and DSA [1]. years, so it is apparent that we must start this transition now. This means that, in a future with sufficiently advanced quantum computers, currently used public-key cryptography is at risk. And not only are our future communications at risk: quantum Two Solutions computers threaten our current communications too. Public keys, by definition, can be recorded Fortunately, scientific research has not focused and stored by anyone, along with the encrypted solely on building quantum computers, but also messages. In this way an eavesdropper could on developing quantum-safe communications, record encrypted private communications and cor- such as PQC and QKD. responding public keys and wait for a sufficiently We saw that the security of public-key cryptog- powerful quantum computer to become available. raphy is based on the intractability of certain They could then use the quantum computer to mathematical problems. For the most widely solve the mathematical encoding problem, obtain used public-key protocols, quantum computers the private key, and decrypt the communications. could quickly solve these intractable problems, This is known as ‘retrospective decryption’ and all rendering the communications insecure. However, public-key cryptography protocols are susceptible the possibility exists that other mathematical to this attack [2]. problems will remain intractable, even to quan- So how long will it take for sufficiently power- tum computers. This is what motivates research ful quantum computers to become available? A into PQC.