Specifically, this paper:
- explores the limitations of QKD systems, including security concerns
- makes the case for research into developing post-quantum public key cryptography as a more practical and cost-effective step towards defending real-world communications systems from the threat of a future quantum computer
Note: QKD is distinct from post-quantum public key cryptography, which is based on classical mathematical problems that are hard to solve even in the presence of quantum computers.
Fundamental limitations of QKD systems
QKD is a 30-year-old technology with claims of unconditional security, guaranteed by the laws of physics. However, there are a number of restrictions inherent to realworld commercial QKD systems, including:
QKD does not address large parts of the security problem
QKD protocols address only the problem of agreeing keys for encrypting data. Ubiquitous on-demand modern services (such as verifying identities and data integrity, establishing network sessions, providing access control, and automatic software updates) rely more on authentication and integrity mechanisms — such as digital signatures — than on encryption.
QKD technology cannot replace the flexible authentication mechanisms provided by contemporary public key signatures. QKD also seems unsuitable for some of the grand future challenges such as securing the Internet of Things (IoT), big data, social media, or cloud applications.
Commercial QKD systems have a number of practical limitations
The two major functional limitations of commercial QKD systems are the relatively short effective range of transmission, and the fact that BB84* and similar proposals are fundamentally point-to-point protocols. This means that QKD does not integrate easily with the Internet, or with the mobile technologies, apps and services that dominate public and business life today.
*A quantum key description scheme developed by Charles Bennett and Gilles Brassard.
Some researchers are trying to solve these problems by integrating QKD with classical (that is, non-quantum) network devices, such as ‘trusted nodes’. But this immediately invalidates any claimed guarantee of security based solely on the laws of quantum mechanics, and introduces an array of new concerns about the security properties of the ancillary network devices.
QKD systems are unlikely to be cost-effective
Hardware is relatively expensive to obtain and maintain. Unlike software, hardware cannot be patched remotely or cheaply when it degrades or when vulnerabilities are discovered.
As device-independent QKD is still a long way from being a commercial proposition, each time a new vulnerability is announced in public, potentially compromised QKD devices will need to be recalled to the vendor (or an engineer sent out to apply an upgrade in the field).
Any real-world QKD system will be built from classical components, such as sources, detectors and fibres, and potentially ancillary classical network devices, any of which may prove to be a weak link.
A number of attacks have been proposed and demonstrated on deployed QKD systems that subvert one of more of these hardware components, enabling the secret shared key to be recovered without triggering an alarm.
Denial of service (DoS) attacks that interfere with the paths carrying the QKD transmissions also seem potentially easier with QKD than with contemporary Internet or mobile network technologies. Since QKD devices typically abort a key establishment session when they detect tampering, this makes it difficult to recommend QKD for contexts where DoS attacks are likely to be attempted.
Consequently, QKD seems to be introducing a whole new set of potential avenues for attack that are not yet well understood. At this point in time there is very little research in the UK into the vulnerabilities of real-world QKD systems.
Note: We would like to encourage such research in order to build up a body of knowledge of how to attack and defend commercial QKD systems.
We would also like to encourage more research into how to accurately assess the security of real-world devices that operate imperfectly, and the development of methods for quantifying and validating the security claims of real-world QKD systems.
Although QKD claims to provide guaranteed security, its responsible use must not introduce new vulnerabilities into real-world systems. This means that communication systems involving QKD should be designed with fail-safe mechanisms that continue to operate securely, even if the quantum part becomes compromised.
Alternatives to QKD
There is renewed interest in academia and in industry in developing ‘quantum-safe’ or ‘post-quantum’ (classical) public key mechanisms as next generation, drop-in replacements for current public key schemes such as RSA, DSA, and ECDH, which potentially become insecure if large-scale quantum computers are ever developed. Post-quantum public key cryptography has a history dating back over 30 years and has generated proposals to address a much wider range of challenges than simple key establishment.
There is an emerging consensus that the best practical approach to quantum security is to evolve current security applications and packet-based communication protocols towards adopting post-quantum public key cryptography. Software or firmware implementations of post-quantum cryptography should be easier to develop, deploy and maintain, have lower lifecycle support costs, and have better understood security threats than QKD-based solutions.
Given that QKD addresses only the encryption part of the security problem, real-world QKD systems will still be reliant on public key mechanisms for device and user authentication, and for supporting infrastructure requirements such as software updates. So, research into post-quantum public key cryptography is necessary for future quantum-safe networks, regardless of QKD.
For all the practical, business and security reasons given above, at this point in time we:
- do not endorse QKD for any government or military applications
- advise against replacing any existing public key solutions with QKD for commercial applications
The UK should continue its research and development of QKD systems. But this should be balanced by a growing body of practical QKD vulnerability research, and accompanied by the development of methods for quantifying and validating the security claims of real-world QKD systems. Responsible innovation should be accompanied by independent validation.
Our advice is unlikely to change until:
- commercial standards for QKD have been established, building on the experience gained from practical vulnerability research and incorporating quantifiable security validation methods
- the full life cycle support costs for commercial QKD systems are much better understood
We encourage research into developing post-quantum public key cryptography as a more practical and cost-effective step towards defending real-world communications systems against the threat of a future quantum computer.
We do not see the need to upgrade current systems as urgent, though a transition to post-quantum public key cryptography will be necessary. A steady and considered upgrade process will allow time for researchers to reach a consensus as to the best postquantum protocols for various applications.
- has fundamental practical limitations
- does not address large parts of the security problem
- is poorly understood in terms of potential attacks
By contrast, post-quantum public key cryptography appears to offer much more effective mitigations for real-world communications systems from the threat of future quantum computers.