The applications running on the Internet today rely on a combination of symmetric and asymmetric encryption for security.
The asymmetric protocols are typically used for authentication and key establishment. Examples of such protocols include RSA, RSA-EC, DSA, DH, and DHEC.
The security of these protocols relies on the assumption that it would take even the most powerful classical computers thousands of years to solve certain mathematical problems (e.g. factoring large numbers or computing a discrete logarithm).
Shor’s Algorithm: Challenging classical assumptions
The assumption that these protocols were difficult to crack was held with confidence until 1994, when MIT professor, Peter Shor, showed that a quantum computer could break the encryption with ease. Using Shor’s algorithm, a large-scale quantum computer can solve the mathematical problems underlying existing encryption protocols in minutes.
Once a sufficiently large and reliable (fault-tolerant) quantum computer exists that can run Shor's algorithm, security as it is deployed on the internet today will be broken. The quantum computer will be able to decrypt all traffic without needing the keys.
How QKD works
Quantum key distribution (QKD) offers a solution to this problem by relying only on the laws of quantum physics to distribute keys instead of the complexity of mathematical problems for encryption.
Two communicating parties can use QKD to agree on a secret key, which can then be used for standard encryption algorithms like AES. The secret key bits are encoded as quantum states into individual photons that are sent over optical fibers or across free space (e.g. satellites).
There are many different QKD protocols, each with their own pros and cons. But they all rely on a quantum phenomenon that is called the collapse of the wave function. If an attacker tries to steal the key by observing photons as they fly across the fiber, the laws of quantum physics dictate that this will inevitably cause the photons to change. These changes, and hence the presence of an attacker, can be detected. Once the presence of an attacker is detected, the key is not used since it is deemed unsafe.
QKD systems have been commercially available for several years now.
It can be mathematically proven that the QKD protocols are unbreakable by both classical and quantum computers.
Nevertheless, critics of QKD (which includes, notably, the NSA) point to the following challenges:
- Side-channel attacks: While QKD is provably secure from a theoretical point of view, several attack vectors have been discovered for actual QKD products. There are side-channel attacks, not because the theory is incorrect, but because the actual product implementations are sometimes flawed. As one concrete example, actual products often use weak coherent pulse lasers, which are cheaper, but which sometimes send multiple photons instead of a single photon as assumed by the security proof. This gives rise to the so-called photon number splitting (PNS) attack where the attacker can observe the secret qubits without being detected. The European Telecommunication Standards Institute (ETSI) has published a list of known attacks.
- Complexity: The complexity of QKD protocols further increases vulnerabilities. In addition to processing qubits, the protocols require classical post-processing algorithms to analyze the statistics of the noise and detect the presence of an attacker. Each of these steps is highly complex, introducing additional security risks.
- Deployment: QKD requires new equipment to be deployed. The existing telco fibers can often be reused, but new quantum-enabled endpoints and relay stations need to be deployed.
- Authentication: QKD requires two parties to authenticate each other. There are several approaches, each with its own set of challenges. Pre-shared keys, refreshed with QKD-produced keys, can be used, but this is fragile. Existing protocols or post-quantum cryptography (PQC) can be used, but this of course loses some of the advantage of QKD. Luckily, authentication risk is not retro-active.
- Special purpose: Today’s implementations of QKD have generally used networks purpose-built to run QKD. As a classical analogy, the plain old telephone service (POTS) network at the end of the 20th century was a special-purpose network that only provided voice service. It has now been replaced by voice-over-IP (VOIP) which is just one of many services running over the general-purpose Internet.
QKD promises to protect internet communication by offering protection with the laws of physics. Early QKD hardware is already commercially available. While current technology faces several challenges, methods have been proposed to bring practical quantum secure communication into reality. For instance, Entanglement as a Service (EaaS) networks overcome a number of these challenges by distributing entanglement directly. In addition, EaaS networks support the broad range of quantum network applications, such as clustered quantum computing and quantum sensing.
To stay up to date about the latest developments in each of these network technologies, please sign up for the Aliro newsletter in the footer of this page. Please reach out to firstname.lastname@example.org if you have any questions or comments about this post.