Quantum Key Distribution Meets Post-Quantum Cryptography



While the technology world awaits NIST’s latest “post-quantum” cryptography standards this summer, a parallel effort is underway to also develop cryptosystems that are grounded in quantum technology—what are called quantum-key distribution or QKD systems.

As a result, India, China, and a range of technology organizations in the European Union and United States are researching and developing QKD and weighing standards for the nascent cryptography alternative. And the biggest question of all is how or if QKD fits into a robust, reliable, and fully future-proof cryptography system that will ultimately become the global standard for secure digital communications into the 2030s. As in any emerging technology standard, different players are staking claims on different technologies and implementations of those technologies. And many of the big players are pursuing such divergent options because no technology is a clear winner at the moment.

According to Ciel Qi, a research analyst at the New York-based Rhodium Group, there’s one clear leader in QKD research and development—at least for now. “While China likely holds an advantage in QKD-based cryptography due to its early investment and development, others are catching up,” says Qi.

Two different kinds of “quantum secure” tech

At the center of these varied cryptography efforts is the distinction between QKD and post-quantum cryptography (PQC) systems. QKD is based on quantum physics, which holds that entangled qubits can store their shared information so securely that any effort to uncover it is unavoidably detectable. Sending pairs of entangled-photon qubits to both ends of a network provides the basis for physically secure cryptographic keys that can lock down data packets sent across that network.

Typically, quantum cryptography systems are built around photon sources that chirp out entangled photon pairs—where photon A heading down one length of fiber has a polarization that’s perpendicular to the polarization of photon B heading in the other direction. The recipients of these two photons perform separate measurements that enable both recipients to know that they and only they have the shared information transmitted by these photon pairs. (Otherwise, if a third party had intervened and measured one or both photons first, the delicate photon states would have been irreparably altered before reaching the recipients.)

“People can’t predict theoretically that these PQC algorithms won’t be broken one day.” —Doug Finke, Global Quantum Intelligence

This shared bit the two people on opposite ends of the line have in common then becomes a 0 or 1 in a budding secret key that the two recipients build up by sharing more and more entangled photons. Build up enough shared secret 0s and 1s between sender and receiver, and that secret key can be used for a type of strong cryptography, called a one-time pad, that guarantees a message’s safe transmission and faithful receipt by only the intended recipient.

By contrast, post-quantum cryptography (PQC) is based not around quantum physics but pure math, in which next-generation cryptographic algorithms are designed to run on conventional computers. And it’s the algorithms’ vast complexity that makes PQC security systems practically uncrackable, even by a quantum computer. So NIST—the U.S. National Institute of Standards and Technology—is developing gold-standard PQC systems that will undergird tomorrow’s post-quantum networks and communications.

The big problem with the latter approach, says Doug Finke, chief content officer of the New York-based Global Quantum Intelligence, is PQC is only believed (on very, very good but not infallible evidence) to be uncrackable by a fully-grown quantum computer. PQC, in other words, cannot necessarily offer the ironclad “quantum security” that’s promised.

“People can’t predict theoretically that these PQC algorithms won’t be broken one day,” Finke says. “On the other hand, QKD—there are theoretical arguments based on quantum physics that you can’t break a QKD network.”

That said, real-world QKD implementations might still be hackable via side-channel, device-based, and other clever attacks. Plus, QKD also requires direct access to a quantum-grade fiber optics network and sensitive quantum communications tech, neither of which is exactly commonplace today. “For day-to-day stuff, for me to send my credit card information to Amazon on my cellphone,” Finke says, “I’m not going to use QKD.”

China’s early QKD lead dwindling

According to Qi, China may have originally picked QKD as a focal point of their quantum technology development in part because the U.S. was not directing its efforts that way. “[The] strategic focus on QKD may be driven by China’s desire to secure a unique technological advantage, particularly as the U.S. leads in PQC efforts globally,” she says.

In particular, she points to ramped up efforts to use satellite uplinks and downlinks as the basis for free-space Chinese QKD systems. Citing as a source China’s “father of quantum,” Pan Jianwei, Qi says, “To achieve global quantum network coverage, China is currently developing a medium-high orbit quantum satellite, which is expected to be launched around 2026.”

That said, the limiting factor in all QKD systems to date is their ultimate reliance on a single photon to represent each qubit. Not even the most exquisitely-refined lasers and fiber optic lines can’t escape the vulnerability of individual photons.

QKD repeaters, which would blindly replicate a single photon’s quantum state but not leak any distinguishing information about the individual photons passing through—meaning the repeater would not be hackable by eavesdroppers—do not exist today. But, Finke says, such tech is achievable, though at least 5 to 10 years away. “It definitely is early days,” he says.

“While China likely holds an advantage in QKD-based cryptography due to its early investment and development, others are catching up.” —Ciel Qi, Rhodium Group

“In China they do have a 2,000-kilometer network,” Finke says. “But it uses this thing called trusted nodes. I think they have over 30 in the Beijing to Shanghai network. So maybe every 100 km, they have this unit which basically measures the signal… and then regenerates it. But the trusted node you have to locate on an army base or someplace like that. If someone breaks in there, they can hack into the communications.”

Meanwhile, India has been playing catch-up, according to Satyam Priyadarshy, a senior advisor to Global Quantum Intelligence. Priyadarshy says India’s National Quantum Mission includes plans for QKD communications research—aiming ultimately for QKD networks connecting cities over 2,000-km distances, as well as across similarly long-ranging satellite communications networks.

Priyadarshy points both to government QKD research efforts—including at the Indian Space Research Organization—and private enterprise-based R&D, including by the Bengaluru-based cybersecurity firm QuNu Labs. Priyadarshy says that QuNu, for example, has been working on a hub-and-spoke framework named ChaQra for QKD. (Spectrum also sent requests for comment to officials at India’s Department of Telecommunications, which were unanswered as of press time.)

“A hybrid of QKD and PQC is the most likely solution for a quantum safe network.” —Satyam Priyadarshy, Global Quantum Intelligence

In the U.S. and European Union, similar early-stage efforts are also afoot. Contacted by IEEE Spectrum, officials from the European Telecommunications Standards Institute (ETSI); the International Standards Organization (ISO); the International Electrotechnical Commission (IEC); and the IEEE Communications Society confirmed initiatives and working groups that are now working to both promote QKD technologies and emergent standards now taking shape.

“While ETSI is fortunate to have experts in a broad range of relevant topics, there is a lot to do,” says Martin Ward, senior research scientist based at Toshiba’s Cambridge Research Laboratory in England, and chair of a QKD industry standards group at ETSI.

Multiple sources contacted for this article envisioned a probable future in which PQC will likely be the default standard for most secure communications in a world of pervasive quantum computing. Yet, PQC also cannot avoid its potential Achilles’ heel against increasingly powerful quantum algorithms and machines either. This is where, the sources suggest, QKD could offer the prospect of hybrid secure communications that PQC alone could never provide.

“QKD provides [theoretical] information security, while PQC enables scalab[ility],” Priyadarshy says. “A hybrid of QKD and PQC is the most likely solution for a quantum safe network.” But he added that efforts at investigating hybrid QKD-PQC technologies and standards today are “very limited.”

Then, says Finke, QKD could still have the final say, even in a world where PQC remains preeminent. Developing QKD technology just happens, he points out, to also provide the basis for a future quantum Internet.

“It’s very important to understand that QKD is actually just one use case for a full quantum network,” Finke says.

“There’s a lot of applications, like distributed quantum computing and quantum data centers and quantum sensor networks,” Finke adds. “So even the research that people are doing now in QKD is still very, very helpful because a lot of that same technology can be leveraged for some of these other use cases.”

From Your Site Articles

Related Articles Around the Web