Should Quantum Key Distribution be Used for Secure Communications? | Agence nationale de la séc

dbn9981 2020-10-30

展开全文

Quantum Key Distribution (QKD) presents itself as a technology functionally equivalent to common asymmetric key agreement schemes that are used in nearly all secure communication protocols over the Internet or in private networks. The defining characteristic of QKD is its alleged superior secrecy guarantee that would justify its use for high security applications. However, deployment constraints specific to QKD hinder large-scale deployments with high practical security. Furthermore, new threats on existing cryptography, and in particular the emergence of universal quantum computers, can be countered without resorting to QKD, in a way that ensures the future of secure communications. Although QKD can be used in a variety of niche applications, it is therefore not to be considered as the next step for secure communications.

For another point of view on this topic with similar arguments, the reader may consult the white paper of the National Cyber Security Centre (UK) ^[3].

This technical position paper does not aim to explain how QKD works; it focuses on what services it can provide and what are the security properties obtained as a result.

Similarly, this position paper does not address the topic of quantum communications in general, or networks aiming to transport quantum states. These are mostly prospective topics, unlike QKD.

Finally, this position paper does not aim to assess the opportunity of R&D investments in the fields of QKD, quantum communications, or related topics such as quantum computing. Indeed, such potentially disruptive investments support European scientific and technical excellence and contribute to the development of its strategic autonomy.

What is Quantum Key Distribution?

Quantum Key Distribution is a family of methods based on physical principles, unlike classical cryptography which has mathematical foundations, which enables two peers to build a common secret (a key) through a dialogue taking place on public channels. Two channels are required:

the “quantum channel”: a communication channel with properties controlled at the physical level. It is usually an optical fiber or an atmospheric link with direct line of sight; on this channel, for QKD to work, optical losses and noise cannot be too high, but more importantly, there must be no device interacting with the information exchanged;
a regular digital network link.

As with any method aimed to produce a common secret between two peers, each peer must ensure that it communicates with its intended peer and not with a third party that impersonates it. For this, it is sufficient to authenticate communications on the digital network link.

When a QKD system is operational, it produces common secret bits between its endpoints at a variable rate, generally between a few kilobits/sec., and a few megabits/sec.

The capacity of QKD to produce a common secret stems from its ability to detect eavesdropping on the quantum channel using quantum effects (to understand how this works, see for instance an introductory description of some classical QKD protocols including the first one, BB84 ^[7]), then to bound the amount of information that an eavesdropper may have obtained about the data exchanged on the quantum channel, and to adapt the secret rate accordingly. When an active device relays data on the quantum channel, the secret rate is zero, because it is indistinguishable from an eavesdropping device. Any device reconstructing the signal on this channel is therefore incompatible with QKD. This includes networking devices (switches, routers, …) and optical amplifiers. This is why QKD requires direct point-to-point links for the quantum channels.
The bound on tolerable losses on the quantum channel induces a bound on the maximal distance between endpoints. A 20dB loss limit, which is fairly typical for QKD, corresponds to 100Km of optical fiber in perfect condition with no intermediate connection. Because of poor fiber condition, losses incurred by connections, or suboptimal fiber path, real-world distance at this loss level may be much shorter. Larger distances may be crossed using satellite QKD links, which require dedicated hardware in space.

What are the uses of QKD?

QKD is usually promoted as a means to build secure communications, i.e. communications that ensure message confidentiality and integrity.

Secure communications are massively used today; they are built in any web browser communicating over the Internet, they enable to connect physically separate corporate networks, or mobile devices to private networks. Inside networks, they are used to protect machine-to-machine or service-to-service communications.

Secure communications are created in a two-step process: in a first step, a key agreement uses an asymmetric cryptographic mechanism (based on RSA or a variant of the Diffie-Hellman scheme) to authenticate peers and build a common secret between them; in a second step, this common secret or key is used to ensure message confidentiality and integrity through symmetric cryptography mechanisms (for instance based on the standardized algorithm AES).

QKD can replace the use of asymmetric key agreement schemes to produce the common key, which is then used in symmetric schemes to protect messages. In this scenario, the secret key rate of QKD does not limit the data rate of secure communications, since a short key (typically 128 or 256 bits) enables the protection of large volume of messages. However, this combination still depends on computational cryptographic mechanisms (i.e. mechanisms whose security depends in principle on the computing power of an adversary).

QKD can also be used without symmetric cryptography to provide communication security independently of an adversary’s computational power. In that case, message confidentiality is provided by the one-time-pad encryption scheme which uses one bit of key to protect each bit of message. Similarly, message integrity can be provided by schemes that are immune to computational attacks. In that scenario, the data rate is limited by the key rate of QKD, typically to values between 1,000 and 1,000,000 times lower than what can be obtained with symmetric schemes. The very low resulting data rate is unsuitable for most applications.

Finally, QKD is sometimes described as being able to protect data at rest. This is a misnomer: in fact, data is encrypted using means unrelated to QKD and a key, then this key is transported to some storage space distinct from the data storage space, possibly after having been split in several parts with the help of a secret sharing scheme. It is therefore more an application of QKD-assisted secure communications, than a distinct QKD functionality.

Are there new services provided by QKD? Where can it be used?

As seen in the previous paragraph, all services provided by QKD can also be provided by existing technologies. Setting aside for a moment its security properties, the right question about QKD use-cases is therefore: what subset of current uses of secure communications can reasonably be provided by QKD, in light of its practical limitations?

Beyond limitations related to the quantum channel (range, incompatibility with active devices), the mere fact that QKD requires specific hardware puts it at a distinct disadvantage in all cases where cryptography is implemented in software. This prevents it from providing end-to-end security for instance between virtualized environments or between software services.

The most reasonable use for QKD is to provide, together with symmetric encryption, communication security between fixed locations that are sufficiently close to each other and connected by an optical fiber.

What threats does QKD protect against? Why is it a debated issue?

The main advantage of QKD is to be immune to computational attacks aimed at recovering the secrets produced. In current key negotiation schemes using asymmetric cryptography, an adversary looking to obtain the negotiated secret has all the information it needs to do so, but must solve some mathematical problem to succeed. The resolution of this problem with the best methods known today requires an amount of computation that is completely unrealistic, even taking into account optimistic estimates of the increase of the available computing power in the next decades. However, there is no proof that current methods cannot be improved significantly; better techniques may make this problem solving feasible. To put it differently, there is no proof that current key negotiation schemes are robust against any adversary with unknown capacities or knowledge.

This problem, which is an old one in the history of computer science and mathematical cryptography, has taken a new turn with current research about universal quantum computers. It is indeed proven that such a machine, if it were to be built, would solve much more efficiently than current computers the mathematical problems associated with asymmetric key negotiation methods used today (factorization of large integers for RSA, the discrete logarithm problem for Diffie-Hellman), to the point of making these methods totally insecure. It is not expected however that the existence of a universal quantum computer would threaten significantly the security of symmetric cryptography. This is what motivates the discourse legitimizing the switch from asymmetric key negotiation to QKD; all the more so if one is concerned about the long-term security of data exchanged today, which requires taking into account the threat of quantum computers before it becomes a reality.

As we shall see, taking into account this threat without QKD is possible.
It is also important to point out first that QKD immunity to attacks is not absolute:

While theoretically QKD protocols are not vulnerable to mathematical attacks, in practice it is very difficult to implement them perfectly. Moreover, an attacker may be able to cause QKD devices to operate abnormally. The deviations from the theoretical protocol, provoked or not, are then likely to compromise security to the point that they lead to practical attacks. This problem, while similar to the problem of side-channels for classical cryptography, is nevertheless specific to QKD and has led to several cryptanalyses of commercial QKD equipment (see for instance [5] for one of the first articles on this topic or [6] for more recent work);
In addition, QKD devices may have weaknesses unrelated to the quantum protocol used: for example, software vulnerabilities or leakage of secrets by electromagnetic radiation. These issues, which are routinely explored for cryptographic equipment, have seen little scrutiny so far in the case of QKD; a thorough and standardized analysis of QKD products, e.g. following the methodology of Common Criteria ^[4], is necessary before using it to protect sensitive data.

A large-scale QKD deployment creates other security issues.

Can QKD be deployed on a large scale? What level of protection can it provide?

The range limitations of QKD (or the need to use satellites to overcome them), its point-to-point nature, and its dependence on the physical characteristics of the channels it uses, make its large-scale deployment extremely complex and costly. More importantly, in the absence of a direct line connecting two points which need to negotiate a common key, users are led to negotiate keys in sections along a path composed of several QKD links, which requires trust in the intermediate nodes of the communication and is a major regression compared to current end-to-end key negotiation methods. The alternative of directly linking all nodes that need to communicate is not feasible in practice except for small networks, both in terms of the number of terminations and geographical extension.

While the use of satellites extends the range of QKD, it does not generally allow end-to-end information protection unless both ends of the communication have their own satellite ground infrastructure; it is also based on the assumption that each satellite is itself a trusted node, which implies that the risk of computer intrusion in satellites is completely eliminated.

Beside QKD, what are the alternatives to current key negotiation mechanisms?

The threat of quantum computers has been taken into account by the cryptographic community for many years. New “quantum-safe” asymmetric algorithms are being standardized (mainly through the competition organized by the NIST ^[1]) to replace those vulnerable to quantum computing. Candidates are already available today, and over the next decade, significant efforts will be devoted to their deployment in secure communications software products and libraries. This will not require any significant functional alteration of the services using these algorithms.

As with current asymmetric mechanisms, unless there is major theoretical breakthrough, we will not have any absolute proof of robustness for these new mechanisms. Rather, the confidence in such mechanisms will be the result of efforts made to uncover their weaknesses and to study the underlying mathematical problems.

Regarding asymmetric encryption and key agreement algorithms, the ANSSI recommends the use of quantum-safe schemes as soon as possible whenever there is a need for long-term security (10 years or more). In such a case, during an intermediate period lasting several years which may extend beyond the conclusion of the NIST competition, the ANSSI advises not to use these new “quantum-safe” mechanisms alone, but rather to combine them with current mechanisms in order to avoid any security regression linked to immature designs.

Regarding asymmetric signature schemes, there is less need to replace current algorithms now. Indeed, unlike encrypted messages, signatures cannot be attacked retroactively. Besides, there already exist signature schemes built from well-established primitives that are little affected by quantum computers (see for instance [8]). These schemes, while not a complete replacement of existing ones, are suitable for some use-cases.

The details of these recommendations, which implementation requires expertise in the area of cryptography, go beyond the scope of this position paper.

In a hypothetical world without asymmetric key negotiation, a functionality equivalent to QKD could be built from purely symmetric mechanisms that are little affected by quantum computers (publication [2] provides an example of a protocol that could be used). Large-scale use of this type of solution would make secure communication products return to what they were before the widespread use of asymmetric mechanisms: complex and costly, requiring centralized management of secrets, and therefore used only by States and large organizations. But being compatible with existing networks, they would nevertheless be easier to deploy than their QKD-based counterparts.

The point of View of the ANSSI

Security guarantees provided in principle by QKD come with significant deployment constraints which reduce the scope of the services offered and compromise in practice QKD security assurances, particularly in scenarios where communications travel through a network of interconnected QKD links. While the use of QKD on point-to-point links can nevertheless be considered as a defense-in-depth measure to complement conventional cryptographic techniques, the cost incurred should not jeopardize the fight against current threats to information systems.