Quantum key distribution

Created:  04 Oct 2016
Updated:  04 Oct 2016
This white paper describes our current position on quantum key distribution (QKD). QKD is an approach to key distribution that relies on the properties of quantum mechanics to provide security.

Executive summary

Specifically, this paper:

  • explores the limitations of QKD systems, including security concerns
  • makes the case for research into developing post-quantum public key cryptography as a more practical and cost-effective step towards defending real-world communications systems from the threat of a future quantum computer
     
Note
QKD is distinct from post-quantum public key cryptography, which is based on classical mathematical problems that are hard to solve even in the presence of quantum computers.

Fundamental limitations of QKD systems

QKD is a 30-year-old technology with claims of unconditional security, guaranteed by the laws of physics. However, there are a number of restrictions inherent to real-world commercial QKD systems, including:

QKD does not address large parts of the security problem

QKD protocols address only the problem of agreeing keys for encrypting data. Ubiquitous on-demand modern services (such as verifying identities and data integrity, establishing network sessions, providing access control, and automatic software updates) rely more on authentication and integrity mechanisms — such as digital signatures — than on encryption.

QKD technology cannot replace the flexible authentication mechanisms provided by contemporary public key signatures. QKD also seems unsuitable for some of the grand future challenges such as securing the Internet of Things (IoT), big data, social media, or cloud applications.

Commercial QKD systems have a number of practical limitations

The two major functional limitations of commercial QKD systems are the relatively short effective range of transmission, and the fact that BB84* and similar proposals are fundamentally point-to-point protocols. This means that QKD does not integrate easily with the Internet, or with the mobile technologies, apps and services that dominate public and business life today.

*A quantum key distribution scheme published by Charles Bennett and Gilles Brassard in 1984.

Some researchers are trying to solve these problems by integrating QKD with classical (that is, non-quantum) network devices, such as ‘trusted nodes’. But this immediately invalidates any claimed guarantee of security based solely on the laws of quantum mechanics, and introduces an array of new concerns about the security properties of the ancillary network devices.

QKD systems are unlikely to be cost-effective

Hardware is relatively expensive to obtain and maintain. Unlike software, hardware cannot be patched remotely or cheaply when it degrades or when vulnerabilities are discovered.

As device-independent QKD is still a long way from being a commercial proposition, each time a new vulnerability is announced in public, potentially compromised QKD devices will need to be recalled to the vendor (or an engineer sent out to apply an upgrade in the field).

QKD security

Any real-world QKD system will be built from classical components, such as sources, detectors and fibres, and potentially ancillary classical network devices, any of which may prove to be a weak link.

A number of attacks have been proposed and demonstrated on deployed QKD systems that subvert one or more of these hardware components, enabling the secret shared key to be recovered without triggering an alarm.

Denial of service (DoS) attacks that interfere with the paths carrying the QKD transmissions also seem potentially easier with QKD than with contemporary Internet or mobile network technologies. Since QKD devices typically abort a key establishment session when they detect tampering, an attacker who can disturb the quantum channel can prevent any key from being agreed at all. This makes it difficult to recommend QKD for contexts where DoS attacks are likely to be attempted.
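To make the point concrete, the following Python simulation is an added example written for this page (it is not code from the paper or from any QKD vendor). It models the BB84 exchange referred to in the footnote above and the abort-on-tamper behaviour just described: Alice and Bob sift their raw bits over the public channel, sacrifice a sample to estimate the quantum bit error rate (QBER), and abort when it exceeds a threshold. An intercept-resend eavesdropper who touches every photon drives the QBER to about 25%, so she is detected, but the same detection means no key is produced, which is the DoS point. The 11% abort threshold, the photon model (bit and basis only, no optical noise or losses), the constructed random inputs and the sample sizes are assumptions for the toy, not properties of any real system.

```python
"""Toy BB84 simulation: sifting, QBER estimation and abort-on-tamper.

Added example for this page, not NCSC or vendor code. Photons are modelled as
(bit, basis) pairs; there is no channel noise, loss, error correction or
privacy amplification. All randomness is seeded so runs are reproducible.
"""
import random

# Assumed abort threshold for the toy. Real systems pick their own figure,
# but intercept-resend on every photon yields ~25%, well above it.
QBER_ABORT_THRESHOLD = 0.11


def measure(bit, prep_basis, meas_basis, rng):
    """Measure a photon prepared as (bit, prep_basis) in meas_basis.

    Matching bases return the prepared bit; mismatched bases give a
    uniformly random outcome, which is the property BB84 relies on.
    """
    return bit if prep_basis == meas_basis else rng.randrange(2)


def bb84_session(n_photons, intercept_fraction=0.0, seed=0, sample_fraction=0.5):
    """Run one BB84 key-establishment session.

    intercept_fraction is the share of photons Eve intercepts, measures in a
    guessed basis and resends. Returns the sifted length, the QBER estimate,
    whether the session aborted, and the residual keys on both sides (empty
    on abort).
    """
    rng = random.Random(seed)
    # Alice chooses random bits and random bases ('+' rectilinear, 'x' diagonal);
    # Bob chooses random measurement bases. Constructed inputs for the toy.
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.choice('+x') for _ in range(n_photons)]
    bob_bases = [rng.choice('+x') for _ in range(n_photons)]

    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if rng.random() < intercept_fraction:
            # Eve intercept-resend: measure in a guessed basis, then resend
            # her result prepared in that basis. Wrong guesses randomise Bob's bit.
            eve_basis = rng.choice('+x')
            bit = measure(bit, a_basis, eve_basis, rng)
            a_basis = eve_basis
        bob_bits.append(measure(bit, a_basis, b_basis, rng))

    # Sifting over the authenticated public channel: keep positions where the
    # preparation and measurement bases agree.
    sifted = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]

    # Parameter estimation: publicly compare a random sample of sifted bits
    # (which are then discarded) to estimate the error rate on the channel.
    sample = set(rng.sample(sifted, int(len(sifted) * sample_fraction)))
    if not sample:
        raise ValueError("too few sifted bits to estimate the error rate")
    errors = sum(1 for i in sample if alice_bits[i] != bob_bits[i])
    qber = errors / len(sample)

    # Abort on tamper: any disturbance above the threshold kills the session,
    # so an attacker who can disturb the fibre can deny service at will.
    aborted = qber > QBER_ABORT_THRESHOLD
    remaining = [i for i in sifted if i not in sample]
    alice_key = [] if aborted else [alice_bits[i] for i in remaining]
    bob_key = [] if aborted else [bob_bits[i] for i in remaining]
    return {
        'sifted': len(sifted),
        'sampled': len(sample),
        'qber': qber,
        'aborted': aborted,
        'alice_key': alice_key,
        'bob_key': bob_key,
    }


if __name__ == '__main__':
    for frac in (0.0, 0.2, 1.0):
        r = bb84_session(4000, intercept_fraction=frac, seed=1)
        print(f"intercept={frac:.1f} sifted={r['sifted']} qber={r['qber']:.3f} "
              f"aborted={r['aborted']} key_bits={len(r['alice_key'])}")
```

Two things the toy shows that the paragraph only states: with no interference the sifted bits agree exactly, and with full intercept-resend the QBER sits near 25%, so the session aborts and both sides end with an empty key. A partial interceptor (0.2 in the run above) stays under the threshold and is not detected, which is why real systems follow estimation with error correction and privacy amplification to squeeze out whatever information such an attacker gained; this toy stops at the abort decision.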

Consequently, QKD seems to be introducing a whole new set of potential avenues for attack that are not yet well understood. At this point in time there is very little research in the UK into the vulnerabilities of real-world QKD systems.

Note
We would like to encourage such research in order to build up a body of knowledge of how to attack and defend commercial QKD systems.

We would also like to encourage more research into how to accurately assess the security of real-world devices that operate imperfectly, and the development of methods for quantifying and validating the security claims of real-world QKD systems.

Although QKD claims to provide guaranteed security, its responsible use must not introduce new vulnerabilities into real-world systems. This means that communication systems involving QKD should be designed with fail-safe mechanisms that continue to operate securely, even if the quantum part becomes compromised.

Alternatives to QKD

There is renewed interest in academia and in industry in developing ‘quantum-safe’ or ‘post-quantum’ (classical) public key mechanisms as next generation, drop-in replacements for current public key schemes such as RSA, DSA, and ECDH, which potentially become insecure if large-scale quantum computers are ever developed. Post-quantum public key cryptography has a history dating back over 30 years and has generated proposals to address a much wider range of challenges than simple key establishment.

There is an emerging consensus that the best practical approach to quantum security is to evolve current security applications and packet-based communication protocols towards adopting post-quantum public key cryptography. Software or firmware implementations of post-quantum cryptography should be easier to develop, deploy and maintain, have lower lifecycle support costs, and have better understood security threats than QKD-based solutions.

Given that QKD addresses only the encryption part of the security problem, real-world QKD systems will still be reliant on public key mechanisms for device and user authentication, and for supporting infrastructure requirements such as software updates. So, research into post-quantum public key cryptography is necessary for future quantum-safe networks, regardless of QKD.

Direction

For all the practical, business and security reasons given above, at this point in time we:

  • do not endorse QKD for any government or military applications
  • advise against replacing any existing public key solutions with QKD for commercial applications

The UK should continue its research and development of QKD systems. But this should be balanced by a growing body of practical QKD vulnerability research, and accompanied by the development of methods for quantifying and validating the security claims of real-world QKD systems. Responsible innovation should be accompanied by independent validation.

Our advice is unlikely to change until:

  • commercial standards for QKD have been established, building on the experience gained from practical vulnerability research and incorporating quantifiable security validation methods
  • the full life cycle support costs for commercial QKD systems are much better understood

We encourage research into developing post-quantum public key cryptography as a more practical and cost-effective step towards defending real-world communications systems against the threat of a future quantum computer.

We do not see the need to upgrade current systems as urgent, though a transition to post-quantum public key cryptography will be necessary. A steady and considered upgrade process will allow time for researchers to reach a consensus as to the best post-quantum protocols for various applications.

Summary

QKD:

  • has fundamental practical limitations
  • does not address large parts of the security problem
  • is poorly understood in terms of potential attacks

By contrast, post-quantum public key cryptography appears to offer much more effective mitigations for real-world communications systems against the threat of future quantum computers.
