This article originally appeared on Inside Quantum Technology.
Quantum technology has the potential to revolutionize our approach to the most difficult problems of our time: from drug discovery, to broad impacts in defense and intelligence systems, and even in areas we haven’t yet imagined. However, the same computing power unlocked by quantum technology also poses potentially catastrophic cybersecurity vulnerabilities.
Securing your data in the Quantum Age
The question is not when quantum technology will break our existing security protocols, but how we can best prepare ourselves to meet the challenges of quantum technology as it reaches its full potential and beyond. Given the complexity and scale of upgrading these types of cyber systems, organizations in need of secure network communication solutions should begin taking steps toward quantum-readiness now. Transformations of this magnitude require years of steady, focused implementation, but it’s hard to know what steps to take while the technology is still emerging.
Public Key Encryption
Our current networked systems and the applications they enable (from online banking to protecting sensitive medical data to water and electricity management) rely heavily on what's called public key cryptography or public key infrastructure. Broadly speaking, two types of encryption are in use every day within these systems: symmetric encryption and asymmetric (public key) encryption. Many of these public key protocols are rendered insecure by a cryptographically-relevant quantum computer.
In symmetric encryption, when two parties on a network want to communicate, they do so using a pre-shared secret key. This key is known only to the two parties that want to communicate. As an example, Alice wants to send a message to Bob. In a symmetric encryption scheme, Alice encrypts her message with the secret key into some ciphertext. That ciphertext is then sent to Bob. When Bob receives this ciphertext from Alice, he can decrypt it back into plaintext using that same pre-shared secret key. In this scenario there is only one key involved, but it must be pre-shared, and it is kept secret between the two parties that want to communicate.
Symmetric encryption is used for what's sometimes called “bulk” encryption or decryption: it can be used to send large amounts of data. The ciphertext is quite small relative to the data size, and the operation is very fast. The key lengths are comparatively small, at 128 bits or 256 bits. There's a single key for both encryption and decryption.
In asymmetric encryption, there are two keys. Each party on the network has what's called a public key. This public key is advertised to the world; anyone can see it. Each party also has their own private, secret key. Using asymmetric encryption in our example, Alice uses Bob's public key to encrypt her message into the ciphertext. That ciphertext is then sent to Bob, and Bob decrypts it using his own secret key. There is no pre-shared key between Alice and Bob, and only Bob is able to decrypt the data. Anyone else who has access to that ciphertext will not be able to read or decrypt it unless they have Bob's secret key. The security of asymmetric encryption relies on the assumption that no adversary can derive Bob’s private key from his public key in a practical timeframe. Today, this assumption is based on the hardness of certain mathematical problems.
In asymmetric encryption, the ciphertext is quite large compared to the data size. It takes more compute resources, it's slower, and the key lengths are much longer, in the range of thousands of bits. The most common asymmetric encryption setup is RSA with a 2048-bit key. In this setup, two keys are used for encryption and decryption.
Symmetric encryption and asymmetric encryption can also be used together in what's called a hybrid cryptosystem. Many modern networks operate this way today: asymmetric encryption, like RSA or Diffie-Hellman, is used to perform the secret key exchange, and the resulting shared secret is then used as the symmetric key for bulk encryption. Some examples of these hybrid cryptosystems are PGP, SSH, SSL, and TLS.
Critical security vulnerabilities
Symmetric encryption protocols and some hash functions are susceptible to quantum attack, but they are not completely broken; some are presumed to remain secure against quantum attacks.
Asymmetric encryption protocols, which are the most popular and are integrated into most of our systems today, will be fully broken by the advent of a cryptographically-relevant quantum computer. Protocols such as RSA, Diffie-Hellman, and elliptic curve cryptography are all vulnerable.
Documents, messages, web certificates, software, and financial transactions can all be forged with the advent of a cryptographically-relevant quantum computer. Because of the implications of Shor's and Grover's algorithms, secret keys are exposed in the clear, and adversaries will be able to read whatever you're receiving. Internet traffic will no longer be secure.
This has implications right now, due to what's called Harvest Now, Decrypt Later attacks: an adversary can harvest and collect encrypted data today. This data can't be read today, but as soon as a sufficiently powerful quantum computer comes into play, they will be able to recover and decrypt all of it. Any sensitive data that's being encrypted right now is vulnerable to quantum attack at a later date.
Methods being deployed today to mitigate security risks from classical and quantum threats
Post Quantum Cryptography (PQC)
PQC replaces the classical security algorithms currently in use that will be broken by quantum computers with classical security algorithms that are designed to be quantum safe. These new security algorithms are based on math problems that are believed to be difficult for both classical and quantum computers to solve. PQC is a purely classical solution, and it can be deployed over the classical internet. That means it’s comparatively quick and easy to implement, and for this reason it is thought of as a good short-term solution. However, PQC algorithms are not proven to be information-theoretically secure. PQC algorithms could be broken in the future by quantum or even classical computers. This isn't just a theoretical issue with PQC. Two promising PQC algorithm candidates, RAINBOW and SIKE, were broken by regular classical computers; no supercomputer was required to crack them. RAINBOW was cracked in less than a weekend and SIKE was cracked in basically a single hour. Lack of provable security makes PQC a risky long-term solution.
Quantum Key Distribution (QKD)
Quantum Key Distribution, or QKD, typically refers to prepare-and-measure quantum key distribution protocols that run on, and are enabled by, prepare-and-measure quantum networks known as QKD networks. This is a physics-based solution, relying on the properties of superposition and measurement. You can use these quantum properties to always detect the presence of an eavesdropper. Because of this, you can use quantum information to establish a key that you're sure has not been intercepted. In theory, or at the protocol level, this is fully information-theoretically secure regardless of the computational power of any adversary. However, there are implementation vulnerabilities, such as the use of trusted relay nodes, which make this less secure in practice. To use QKD to distribute a key between distant nodes, you'll need to use trusted relay nodes. The “trusted” part of this term is misleading: trusted relay nodes are not nodes you can trust, but nodes that you must trust. If they become compromised, your key becomes compromised as well. QKD networks also require the deployment of additional resources, such as QKD devices and potentially additional optical fiber. QKD networks support only the single purpose of key distribution. An ideal solution would not have implementation vulnerabilities, and would have multi-purpose applications that enable more than just key distribution.
Quantum Secure Communication (QSC)
Quantum Secure Communications, or QSC, refers to the entanglement-based quantum security protocols that run over, and are enabled by, entanglement-based quantum networks. This is a physics-based solution, relying on the property of entanglement. Similarly to QKD protocols, you can use these quantum properties to detect the presence of an eavesdropper, and you can use this quantum information to establish a key that you're sure has not been intercepted. Not only does this work in theory, or at the protocol level, it also addresses many of the vulnerabilities of QKD networks at the implementation level. The use of entanglement in QSC allows us to overcome many of the issues that plague QKD, such as trusted relay nodes. In QSC, entanglement-based quantum teleportation is used to distribute quantum information to endpoints on the network, and the quantum information is never exposed on the network itself. QSC runs over entanglement-based quantum networks, which are multi-purpose networks. The QSC security schemes have been around for many decades, waiting for the hardware technology to develop to the level at which they can actually be used. The technology is developing fast, and entanglement-based quantum networks are popping up all around North America and the world. Some of these networks have actually been able to test and run QSC.
One popular proposed solution is to use PQC and QSC together. PQC is a good short-term solution with fewer constraints on global implementation, and we're going to need the provable security and value of QSC in the long term. A hybrid PQC / QSC solution is at least as strong as each solution on its own: it can only be compromised if both the PQC and QSC algorithms involved are compromised.
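As an added worked example (not code from the original article or from any vendor it mentions), the following stdlib-only Python shows the two hybrid ideas discussed on this page side by side: a classical Diffie-Hellman exchange whose shared secret keys a symmetric bulk channel (the hybrid cryptosystem of the Public Key Encryption section), and a key combiner that folds a second, independently established secret into the session key, so that the session key is only recovered if both inputs are recovered (the PQC / QSC argument above). The toy DH group, the salt, the labels and the second secret are constructed for the demonstration; the second secret stands in for whatever a PQC scheme or a QSC network would deliver, and the HMAC-in-counter-mode stream cipher stands in for AES.

```python
import hashlib
import hmac
import secrets

# Constructed toy Diffie-Hellman group (readability only; real deployments use a
# 2048-bit+ MODP group or an elliptic curve). This is the step Shor's algorithm breaks.
P = 2**127 - 1    # Mersenne prime, so shared secrets fit in 16 bytes
G = 5

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)
def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(16, "big")

def combine_keys(label, *shared_secrets):
    # HKDF-style extract-then-expand over length-prefixed inputs. An attacker
    # who cannot predict at least one input cannot predict the output.
    ikm = b"".join(len(s).to_bytes(2, "big") + s for s in shared_secrets)
    prk = hmac.new(b"demo-salt", ikm, hashlib.sha256).digest()
    return hmac.new(prk, label + b"\x01", hashlib.sha256).digest()

def keystream(key, nonce, length):
    # PRF in counter mode; stands in for AES-CTR so no extra library is needed
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(session_key, plaintext):
    # Symmetric bulk encryption: encrypt-then-MAC with separate subkeys
    enc_key, mac_key = combine_keys(b"enc", session_key), combine_keys(b"mac", session_key)
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(session_key, blob):
    enc_key, mac_key = combine_keys(b"enc", session_key), combine_keys(b"mac", session_key)
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: ciphertext was modified")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))

def hybrid_session(second_secret_alice, second_secret_bob):
    # Classical DH folded together with a second secret (placeholder for a PQC or QSC key)
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    k_alice = combine_keys(b"session", dh_shared(a_priv, b_pub), second_secret_alice)
    k_bob = combine_keys(b"session", dh_shared(b_priv, a_pub), second_secret_bob)
    return k_alice, k_bob
```

If the DH values are later recovered by Shor's algorithm, the combiner output still depends on the second secret, which is the property the hybrid proposal relies on; the same pattern applies with a PQC KEM secret in place of DH.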
Benefits of entanglement-based secure networks
Quantum Secure Communication (QSC), enabled by entanglement-based quantum networks, is an important and effective countermeasure to the looming quantum threat. The implementation of QSC is secure in part because of quantum teleportation, which allows us to communicate quantum information between users of a network without that quantum information ever being exposed on the network. This means that even if a midpoint of the network is compromised, the quantum data will not be compromised.
QSC is an excellent value. With Quantum Secure Communication, the same entanglement-based networks that enable this solution will enable advancements in quantum computing, sensing, and future distributed quantum applications. QSC is implementable near-term. The security schemes exist and have been verified; entanglement-based quantum networks that are capable of running these schemes exist and are being built today. For more details about the examples explored here, see the on-demand webinar Real World Quantum Network Deployments.
For additional information or for any questions you may have about quantum networking or the content of this article, contact Mike Gaffney at firstname.lastname@example.org or 571.340.1786.