Quantum Key Distribution: Is it as secure as claimed and what can it offer the enterprise? – The Register

Feature Do the laws of physics trump mathematical complexity, or is Quantum Key Distribution (QKD) nothing more than 21st-century enterprise encryption snake oil? The number of QKD news headlines that have included unhackable, uncrackable or unbreakable could certainly lead you towards the former conclusion.

However, we at The Reg are unrelenting sceptics for our sins and take all such claims with a bulk-buy bag of Saxa. What this correspondent is not, however, is a physicist nor a mathematician, let alone a quantum cryptography expert. Thankfully, I know several people who are, so I asked them the difficult questions. Here's how those conversations went.

I can tell you what QKD isn't, and that's quantum cryptography. Instead, as the name suggests, it's just the part that deals with the exchange of encryption keys.

As defined by the creators of the first Quantum key distribution (QKD) protocol, (Bennett and Brassard, 1984) it is a method to solve the problem of the need to distribute secret keys among distant Alice and Bobs in order for cryptography to work. The way QKD solves this problem is by using quantum communication. "It relies on the fact that any attempt of an adversary to wiretap the communication would, by the laws of quantum mechanics, inevitably introduce disturbances which can be detected."

Quantum security expert, mathematician and security researcher Dr Mark Carney explains there "are a few fundamental requirements for QKD to work between Alice (A) and Bob (B), these being a quantum key exchange protocol to guarantee the key exchange has a level of security, a quantum and classical channel between A and B, and the relevant hardware and control software for A and B to enact the protocol we started with."

If you are the diagrammatical type, there's a nifty if nerdy explanatory one here.

It's kind of a given that, in and of themselves, quantum key exchange protocols are primarily very secure, as Dr Carney says most are derived from either BB84 (said QKD protocol of Bennett and Brassard, 1984) or E91 (Eckert, 1991) and sometimes a mixture of the two.

"They've had a lot of scrutiny, but they are generally considered to be solid protocols," Dr Carney says, "and when you see people claiming that 'quantum key exchange is totally secure and unhackable' there are a few things that are meant: that the key length is good (at least 256 bits), the protocol can detect someone eavesdropping on the quantum channel and the entropy of the system gives unpredictable keys, and the use of quantum states to encode these means they are tamper-evident."

So, if the protocol is accepted as secure, where do the snake oil claims enter the equation? According to Dr Carney, it's in the implementation where things start to get very sticky.

"We all know that hardware, firmware, and software have bugs even the most well researched, well assessed, widely hacked pieces of tech such as the smartphone regularly has bug updates, security fixes, and emergency patches. Bug-free code is hard, and it shouldn't be considered that the control systems for QKD are any different," Carney insists.

In other words, it's all well and good having a perfected quantum protocol, but if someone can do memory analysis on A or B's systems, then your "super secure" key can get pwned. "It's monumentally naive in my view that the companies producing QKD tech don't take this head on," Dr Carney concludes. "Hiding behind 'magic quantum woo-woo security' is only going to go so far before people start realising."

Professor Rob Young, director of the Quantum Technology Centre at Lancaster University, agrees that there is a gap between an ideal QKD implementation and a real system, as putting the theory into practice isn't easy without making compromises.

QKD connections can be blocked using a DDoS attack as simple as using a pneumatic drill in the vicinity of the cable

"When you generate the states to send from the transmitter," he explains, "errors are made, and detecting them at the receiver efficiently is challenging. Security proofs typically rely on a long list of often unmet assumptions in the real world."

Then there are the hardware limitations, with most commercially implemented QKD systems using a discrete-state protocol sending single photons down low-loss fibres. "Photons can travel a surprising distance before being absorbed, but it means that the data exchange rate falls off exponentially with distance," Young says.

"Nodes in networks need to be trusted currently, as we can't practically relay or switch quantum channels without trusting the nodes. Solutions to these problems are in development, but they could be years away from commercial implementation."

This lack of quantum repeaters is a red flag, according to Duncan Jones, head of Quantum Cybersecurity at Cambridge Quantum, who warns that "trusted repeaters" are not the same thing. "In most cases this simply means a trusted box which reads the key material from one fibre cable and re-transmits it down another. This is not a quantum-safe approach and negates the security benefits of QKD."

Then there's the motorway junction conundrum. Over to Andersen Cheng, CEO at Post-Quantum, to explain. Cheng points to problems such as QKD only telling you that a person-in-the-middle attack has happened, with photons disturbed because of the interception, but not where that attack is taking place or how many attacks are happening.

"If someone is going to put a tap along your 150km high-grade clear fibre-optic cable, how are you going to locate and weed out those taps quickly?" Cheng asks.

What if an attacker locates your cable grid and cuts a cable off? Where is the contingency for redundancy to ensure no disruption? This is where the motorway junction conundrum comes in.

"QKD is like two junctions of a motorway," Cheng explains. "You know car accidents are happening because the road surface is being attacked, but you do not know how many accidents have happened or where or who the culprit is, so you cannot go and kick the offenders out and patch up the road surface."

This all comes to the fore when Anderson insists: "QKD connections can be blocked using a DDoS attack as simple as using a pneumatic drill in the vicinity of the cable."

Sally Epstein, head of Strategic Technology at Cambridge Consultants, throws a couple of pertinent questions into the "ask any QKD vendor" ring.

Quantum-safe cryptography, coupled with verifiable quantum key generation, is an excellent approach to the same problem and works perfectly today

"1. Supply chain: There is a much greater potential for well-funded bad actors to get into the supply chain. How do they manage their supply chain security?

"2. Human fallibility: There are almost certainly exploitable weaknesses in the control software, optical sub-assemblies, electronic, firmware, etc. What penetration testing has the supplier conducted in terms of software and hardware?"

Professor Young thinks that QKD currently offers little return on investment for your average enterprise. "QKD can distribute keys with provable security metrics, but current systems are expensive, slow and difficult to implement," he says.

As has already been pointed out, security proofs are generally based on ideal cases without taking the actual physical implementation into account. This, Young says, "troubles the central premise of using QKD in the first place."

However, he doesn't think that the limitations are fundamental and sees an exciting future for the technology.

Because QKD technology is still maturing, and keys can only be sent across relatively short distances using dedicated fibre-optic cables, Jones argues that "only the biggest enterprises and telcos should be spending any money on researching this technology today."

Not least, he says, because the problems QKD solves are equally well addressed through different means. "Quantum-safe cryptography, coupled with verifiable quantum key generation, is an excellent approach to the same problem and works perfectly today," Jones concludes.

Professor Andrew Lord, head of Optical Network Research at BT, has a less pessimistic outlook.

"Our trial with NCC in Bristol illustrates a client with a need to transmit data which should remain secure for many years into the future," Lord told The Reg. "QKD is attractive here because it provides security against the 'tap now, decrypt later' risk, where data could be stored and decrypted when a quantum computer becomes available."

The UK's National Cyber Security Centre (NCSC) has gone on the record to state it does not endorse the use of QKD for any government or military application, and the National Security Agency (NSA) in the US has reached the same conclusion.

Jones of Cambridge Quantum says he completely agrees with the NCSC/NSA perspectives because the "first generation of quantum security technologies has failed to deliver tangible benefits for commercial or government applications."

Young goes further: "Both NCSC and NSA echo the views of all serious cryptographers with regards to QKD, and I am in complete agreement with them."

So what needs to change to make QKD solutions relevant to enterprises in the real world? Lord admits that the specialised hardware requirements of QKD does mean it won't be the best solution for all use cases, but foresees "photonic-chip based QKD ultimately bringing the price down to a point where it can be integrated into standard optical transmission equipment."

Dr Carney adds: "In closing, all this leaves us with the biggest misunderstanding about QKD vs classical key exchange; in classical key exchange the mathematics that makes Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) or your favourite Post-Quantum Cryptography (PQC) key exchange secure is distinct and independent of the physical channel (the classical channel) that is being used for the protocol.

"On a QKD system, the mathematics is in some way intrinsically, and necessarily, linked to the actual physicality of the system. This situation is unavoidable, and we would do well to design for and around it."

More:

Quantum Key Distribution: Is it as secure as claimed and what can it offer the enterprise? - The Register