Quantum Technologies: Threats & Solutions to Cybersecurity Bruno Huttner ID Quantique & Cloud Security Alliance, Quantum-Safe Security Working Group NIAS2017; Mons, Oct. 2017
ID Quantique Company Profile Founded in 2001 Geneva, Switzerland By 4 quantum physicists from the University of Geneva 60 employees in CH, including 30 engineers/scientists Develops technologies and products based on quantum physics within 3 business units: Photon Counting & Instrumentation Quantis Quantum Random Number Generator Quantum-Safe Security Performs R&D, production, professional services, integration, support Clients : Governments / Banks / Gaming Industry / Universities / IT Security 2017 ID Quantique SA, Switzerland page 2
Outline The quantum threat to cybersecurity Need for quantum-safe security The tools: o Quantum Key Generation o Quantum-Resistant Algorithms o Quantum Key Distribution Practical implementations of QKD The future of QKD Summary 2017 ID Quantique SA, Switzerland page 3
The THREAT: QUANTUM COMPUTERS 2017 ID Quantique SA, Switzerland page 4
Principles of Quantum Computing Computation with Qubits. Main difference: build coherent superposition of states But a measurement always gives one of the two states only 2017 ID Quantique SA, Switzerland page 5
Classical Computing 2017 ID Quantique SA, Switzerland page 6
Computing with Quantum States Create superpositions Generate interferences Measure one possible outcome 2017 ID Quantique SA, Switzerland page 7
The Quantum Computer Behaves like a massively parallel computer. Solves problems in much fewer steps. Opportunity: some intractable computations become feasible. Threat: break current public key cryptographic primitives (DH, RSA, ECC ) This is why Quantum Computing is now discussed in Information Security. 2017 ID Quantique SA, Switzerland page 8
Status of Cybersecurity The hacker s point of view today and after the Quantum Computer 2017 ID Quantique SA, Switzerland page 9
When NSA goes Public In the current global environment, rapid and secure information sharing is important to protect our Nation, its citizens and its interests. Strong cryptographic algorithms and secure protocol standards are vital tools that contribute to our national security and help address the ubiquitous need for secure, interoperable communications. IAD will initiate a transition to quantum resistant algorithms in the not too distant future. Our ultimate goal is to provide cost effective security against a potential quantum computer. 2017 ID Quantique SA, Switzerland page 10
Timeline for the Quantum Computer Large-scale quantum computing is 10-15 years away 1 in 7 chance of crypto primitives being affected by quantum attacks in 2026 1 in 2 chance by 2031. Estimates by Prof. Michele Mosca Institute for Quantum Computing (at ETSI/IQC workshop 09/2017) 2017 ID Quantique SA, Switzerland page 11
What is at risk? Data at rest All current Public Key cryptosystems Data in transit 2017 ID Quantique SA, Switzerland page 12 Two requirements: Authentication Confidentiality
Short aside: Blockchains Blockchain Hash functions Public key crypto Blockchains today are not Quantum-Safe! 2017 ID Quantique SA, Switzerland page 13
Timing issues Transaction time Time Authentication requirement Confidentiality requirement Future possible attacks Cybersecurity systems should guarantee confidentiality for a long time 2017 ID Quantique SA, Switzerland page 14
Trust levels for PKIs Current PKI s o Confidentiality for 15 years: LOW o Authentication today: HIGH o Authentication in 15 years: LOW Next Gen PKI s (new algorithms) o Which algorithm to choose? o What can we deploy today? o Long-term security? 2017 ID Quantique SA, Switzerland page 15
All links are NOT born equal! Safety has to be adapted to the communication links. 2017 ID Quantique SA, Switzerland page 16
The SOLUTION: QUANTUM SAFE CRYPTO 2017 ID Quantique SA, Switzerland page 17
So What do we do now? Need to expand our toolbox, with different Quantum-Safe tools: o Quantum Key Generation o Quantum Resistant Algorithms o Quantum Key Distribution 2017 ID Quantique SA, Switzerland page 18
THE TOOLS (1): QUANTUM KEY GENERATION 2017 ID Quantique SA, Switzerland page 19
Random Numbers in Cryptography 1 1 0 1 0 0 0 1 1 1 0 1 1 0 0 1 0 1 1 1 0 1 0 1 0 1 1 1 0 1 0 1 0 1 1 0 1 1 1 0 1 0 2017 ID Quantique SA, Switzerland page 20 1 1 1 0 1 0 1 0 0 0 1 1 Random numbers are used at the source of ALL crypto systems But : they are are difficult to produce. Computer programs are deterministic. Computers cannot produce random numbers without special hardware. And: it is impossible to prove randomness of a finite sequence a posteriori. Possible only to test the statistical properties of the random numbers. When generating random numbers, understanding the method used is critical.
True Random Number Generator based on Quantum Physics Physical Random Number Generator exploiting a phenomenon described by quantum physics: 0 0 1 1 0 1 Provably random Advantages Speed. Simple process that can be modelled influence of environment can be ruled out. Photons Live monitoring of elementary components possible to detect total failure. Source of photons Semi-transparent mirror 1 Instant full entropy. 2017 ID Quantique SA, Switzerland page 21
QRNGs today And a new QRNG chip soon! 2017 ID Quantique SA, Switzerland page 22
THE TOOLS (2): QUANTUM RESISTANT ALGORITHMS 2017 ID Quantique SA, Switzerland page 23
Quantum-Resistant algorithms Name of method Application Resilience against Quantum Computer RSA Encryption, signature No ECC Encryption, signature No AES Encryption Widely believed Hash-based Authentication Widely believed Lattice-based (NTRU) Code-based (Mc Eliece) Encryption; signature Encryption Believed Believed Multivariate polynomials Encryption; signature Uncertain so far High level of confidence Under investigation 2017 ID Quantique SA, Switzerland page 24
Post-Quantum PK Algorithms: Pros & Cons Pros Cons Direct replacement of current PKs No proof of security Keep all infrastructure Not yet well-studied May be easily adapted to security protocols Interesting approach: hybrid systems, e.g. RSA + NTRU Resilience against QC not proven Might be only a temporary solution Probably the easiest to implement and most appealing solution Use for medium security levels But concerns about long-term security 2017 ID Quantique SA, Switzerland page 25
THE TOOLS (3): QUANTUM KEY DISTRIBUTION 2017 ID Quantique SA, Switzerland page 26
The scenario: Symmetric Cryptography Eve Message Message Scrambled Message Alice Bob Secret Key Secret Key Secret key distribution methods: Trusted courier ( ) Public key cryptography (not quantum-safe today ) Quantum key distribution 2 7 2017 ID Quantique SA, Switzerland page 27
Quantum Key Distribution (QKD): Basic idea Scrambled Message Alice Bob Symmetric Cryptography Secret Key Secret Key Fragile! 2017 ID Quantique SA, Switzerland page 28
QKD: Pros & Cons Pros Based on different principle (physics) Not impacted by QC Provable security of transmission Real-time eavesdropping possible only Adds one layer of security Cons Need physical infrastructure Limited distance between nodes (to date) Only part of the solution: Needs conventional crypto to use the key (e.g. symmetric key encryption); And post-quantum Authentication More complicated and costly to implement Useful for high-level and long-term security 2017 ID Quantique SA, Switzerland page 29
A Quantum-safe transmission scheme Scrambled Message Alice Bob AES encryption Secret Key Secret Key Fragile! Ingredients: QKD for key distribution AES for encryption Hash-based signature scheme for authentication (e.g.: Merkle scheme) 2017 ID Quantique SA, Switzerland page 30
PRACTICAL IMPLEMENTATIONS OF QKD 2017 ID Quantique SA, Switzerland page 31
Practical systems: IDQ s Cerberis Quantum Key Distribution Servers 2017 ID Quantique SA, Switzerland page 32 3 2 Cerberis QKD Server launched 2006 - Used in multiple mission critical installations in government & financial sectors since 2007 QKD Blade launched Oct 2015 - Integrated into ATCA network devices - Other form factors possible (ETSI) - Building block for Trusted Nodes (2 blades linked by a trusted controller in scalable networks)
Quantum-Enabled Network Encryption: Today Local Area Network Local Area Network xwdm Quantum Channel Dark Fiber or multiplexed Multiple deployments in the banking and government sectors in Europe 2017 ID Quantique SA, Switzerland page 33
State of the Art: Long Distance QKD 2017 ID Quantique SA, Switzerland page 34
Implementation: Encryption in Default Mode Key exchange interoperable for all encryptors State-of-the-art FIPS approved key management RSA-2048 or ECC for public key agreement AES 256 CTR or GCM mode for high-speed data encryption AES Master and session keys, with session key updated up to once per minute Fully automatic set and forget High quality key material generated by IDQ s Quantum True Random Number Generator (selected encryptors) May be upgraded to QKD Public Key Agreement Session Key Agreement Encryption Internal or external CA Master Key Session Key 2017 ID Quantique SA, Switzerland page 35
36 Implementation: Encryption with QKD Dual Key Agreement Internal or external CA Quantum keys are based on high quality entropy (encryption key) from provably random QRNG. Quantum Key is mixed with the standard AES session key. Advantages: - Maintains existing encryptor certifications (eg. FIPS, CC). - Generates ''super session key which guarantees forward secrecy. - Eavesdropping protection. Quantum Key Distribution (QKD) Quantum Key Public Key Agreement Master Key Session Key Agreement Session Key Bit-by-bit XOR Encryption Super Session Key 2017 ID Quantique SA, Switzerland page 36
Real implementation: Practical QKD in Government & Public Administration Geneva (Switzerland) uses QKD to guarantee confidentiality & integrity of data during federal & cantonal elections. Downtown Geneva Working since October 2007. Geneva Government Data Center Central Vote Counting Station 4 km Ballots Mail Votes Cerberis QKD Solution 2017 ID Quantique SA, Switzerland page 37
Real Implementation: QKD in Data Center Interconnect European banks secure critical links between bank headquarters and Data Recovery Centers, and inside MAN. Data Centre or DRC Dedicated quantum channel Headquarter s o All digital assets of bank pass over DRC link. Supports AES 256 bit key exchange every hour, with additional quantum key buffer. Quantum channel: o Either on dedicated dark fibre (up to 100km). o Or multiplexed with data over single fibre (up to ~30 kms). DWDM Site A Passiv e DWD M Multiplexed quantum channel Data links Data links Data & SC Data+SC+Q C DWDM Site B Passiv e DWD M 2017 ID Quantique SA, Switzerland page 38
ROADMAP FOR QKD QKD for Access Networks Trusted Nodes for long-distance QKD Free Space QKD with satellites Global QKD Network based on Quantum Memories 2017 ID Quantique SA, Switzerland page 39
2017 ID Quantique SA, Switzerland page 40 4 0 QKD for Access Network: one Bob, many Alices Site A1 Site A2 WDM NETWORK (MAN or WAN) Data link & SC Data link & SC Site B WDM ALICE WDM QC BOB Site A3 ALICE Optical switch WDM ALICE
Long distance QKD with Trusted Nodes Cambridge Exchange Ipswich Exchange Cambridge University BT Labs Adastral Park Testbed between BT Labs at Adastral Park and Cambridge University 2017 ID Quantique SA, Switzerland page 41 Adva FSP 3000
What about longer links: The Chinese Quantum Backbone 2017 ID Quantique SA, Switzerland page 42
2017 ID Quantique SA, Switzerland page 43 4 3 A Global Network Based on Free Space QKD Free Space QKD QKD links with LEO satellites LEO acts as a trusted node to transport the key to the necessary location. Free space QKD is moving out of the lab & into industry Chinese have launched a QKD satellite in August 2016 and QKD system in space station in September. Worldwide interest at the academic/government level IDQ feasibility studies for practical systems (Eurostars and Swiss Space Office)
The first QKD in Space experiments again in China! QKD satellite Launched: 15/08/2016 2017 ID Quantique SA, Switzerland page 44 QKD in Chinese Space station Launched: 15/09/2016
Global QKD Network based on Quantum Memories: A world-wide QKD infrastructure Build a QM infrastructure Each node exchanges QMs with the others Customers come to any node to recharge their QMs (similar to bank notes and ATM infrastructure) 2017 ID Quantique SA, Switzerland page 45
Summary The risk on cyber-security caused by the Quantum Computer has become real Need new solutions now Improve key quality with QRNG s Quantum Resistant Algorithms and QKD should be used together to provide Quantum- Safe security QKD can and should be used today to improve security on high-value links requiring long-term security No risk, only adds one (very different) layer of security World-wide QKD now feasible 2017 ID Quantique SA, Switzerland page 46
2017 ID Quantique SA, Switzerland page 47 For more information http://www.idquantique.com
Announcement: Winter school on Quantum Cybersecurity ID Quantique is proud to announce its 10 th Winter School Topic: The coming of age of Quantum Cyber Security; Date: Saturday, January 20 th, to Friday, January 26 th, 2017; Location: Les Diablerets, Switzerland; Some confirmed speakers: Charles Bennett; Gilles Brassard; Artur Ekert; Nicolas Gisin; Michele Mosca Come, learn and have fun with us! Contact: ws@idquantique.com 2017 ID Quantique SA, Switzerland page 48
2017 ID Quantique SA, Switzerland page 49 EXTRA SLIDES
QKD example: the BB84 protocol 2017 ID Quantique SA, Switzerland page 50
QKD: Proof of Security 4 assumptions: 1. Alice and Bob operate in a protected environment 2. Public channel is authentified 3. Eve cannot use the QC to probe Alice and Bob s setup 4. QC only carries quantum states within the pre-defined Hilbert space Proof of security 2017 ID Quantique SA, Switzerland page 51
Global QKD Network based on Quantum Memories: 1. Building blocks 1. Generate and store entangled states in quantum memories source 2. Distribute entangled memories A 1 B 1 A 2 B 2 entangled memories Physical distribution channel A 1 B 1 3. Teleport states upon request A 1 Classical communication channel B 1 B 2 B 2 2017 ID Quantique SA, Switzerland page 52
Global QKD Network based on Quantum Memories: 2. Implementation Alice Issuing Authority 2 Issuing Authority 1 Issuing Authority 3 2017 ID Quantique SA, Switzerland page 53 Bob exchange memories teleport states