What Is Wrong with Quantum Cryptography That the World’s Largest Intelligence Agencies Discourage Its Use

Quantum cryptography does not exist. What everyone understands when the term “quantum cryptography” is mentioned is actually the quantum key distribution (QKD). And this is precisely what I want to talk to you about today: what it is and why some of the world’s largest intelligence agencies have pointed out that it is far from solving our confidentiality problems.

The Key to Perfect Security Lies in Quantum Mechanics

Quantum key distribution aims to solve all the problems of Vernam’s encryption: create random keys as long as the message to be encrypted without any attacker being able to intercept them. Let’s see how.

You will remember from the physics lessons at school that light is an electromagnetic radiation composed of a jet of photons. These photons travel vibrating with a certain intensity, wavelength and one or many directions of polarization. If you are a photography enthusiast, you will have heard of polarising filters. Their function is to eliminate all but one of the directions of oscillation of light, as explained in the following figure:

Now you enter the physics laboratory and send out one by one photons which may be polarised in one of four different directions: vertically (|), horizontally (–), diagonally to the left (\) or diagonally to the right (/). These four polarisations form two orthogonal bases: on the one hand, | and –, which we will call the base (+); and, on the other, / and \, which we will call (×).

Your photon receiver uses a filter, for example, vertical (|). It is clear that vertically polarised photons will pass as they are, while horizontally polarised photons, and therefore perpendicular to the filter, will not pass.

Surprisingly, half of the diagonally polarised ones will pass through the filter vertically and will be reoriented vertically! Therefore, if a photon is sent and passes through the filter, it cannot be known whether it was vertically or diagonally polarised. Similarly, if it does not pass, it cannot be confirmed to be horizontally or diagonally polarised. In both cases, a diagonally polarised photon may or may not pass with equal probability.

We already have the strands to build a quantum key distribution system, but without computers or quantum algorithms. Remember: quantum cryptography does not exist

Quantum Distribution of Keys Using Polarised Photons

Suppose Alice and Bob want to agree on a random encryption key as long as the message, n bits long. First, they need to agree on a convention to represent the ones and zeros of the key using the polarisation directions of the photons, for example:

State/Base	+	x
0	_	\
1	|	/

In 1984 Charles Bennet and Gilles Brassard designed the following method to get the totally random n bits key to the recipient without the need for other distribution channels:

1. Alice sends Bob a random sequence of 1’s and 0’s, using a random choice between the + and × bases.
2. Bob measures the polarisation of these photons using randomly the + and × bases. Of course, since he has no idea which bases Alice used, half the time he will be choosing the wrong base. Also, some photons will not have reached her because of errors on the line.
3. Alice uses any insecure communications channel and tells Bob which polarisation base she used for each photon she sent, + or ×, although she does not tell him which particular polarisation. In response, Bob tells Alice in which cases he has hit the correct polarisation and therefore received the 1 or 0 without error. Both remove the bits that Bob received with the wrong bases, leaving a sequence on average 50% less than the original, which is the key to a 100% safe random tape.

And how can an intruder be detected? Alice and Bob randomly select half the bits of the key obtained and publicly compare them. If they match, then they know that there has been no mistake. They discard those bits and assume that the rest of the bits obtained are valid, which means that a final key of n/4 bits length has been agreed. If a considerable part does not match, then either there were too many random transmission errors, or an attacker intercepted the photons and measured them on his own. In either case, the whole sequence is discarded, and it must be started again. As it has been observed, if the message is n bits long, it will have to be generated and sent on average 4n interlaced photons.

And couldn’t an attacker measure a photon and send it back without it being noticed? Impossible! According to the non-cloning theorem, an identical copy of an arbitrary unknown quantum state cannot be created. If the attacker measures the state of a photon, it will no longer be a quantum object, but a classical object of a defined state. If he sends it back once it has been measured, the receiver will correctly measure the value of that state only 50% of the times. Thanks to the key matching mechanism above described, the presence of an attacker on the channel can be detected. In the quantum world, you cannot observe without leaving a trace.

Everything Looks Good on Paper, But the Intelligence Agencies Are Not Convinced

You have already seen in a very, very simplified way how (inappropriately named) quantum cryptography works. Unfortunately, it is often advertised as the panacea of cryptography: “the secure encryption that the laws of physics make unbreakable” or “the encryption that hackers could never break”.

Yes, yes, with the equations in hand, everything looks very nice and easy. The problem is that these equations must jump from the board to the Real World™. And here, ladies and gentlemen, is where the problems begin. Recently, some of the largest intelligence agencies in the world have expressed their doubts about QKD and discouraged its use. Let’s see why.

In the US, for example, the NSA identified the following practical drawbacks:

• Quantum key distribution is only a partial solution to our cryptography problems. Don’t forget that QKD generates key material to be used as a cipher sequence with Vernam cipher or as a key for classical cipher algorithms such as AES. As you well know, confidentiality is one thing and authentication is another thing. How do you know that the key material you are receiving comes from the legitimate source and not from an impostor? QKD does not provide a mean of authenticating the source of the QKD transmission, so there is no choice but to resort to asymmetric cryptography or pre-loaded keys to provide such authentication. In other words, quantum cryptography requires the asymmetric cryptography that quantum computing was supposed to crush.
• Quantum key distribution requires a special purpose equipment. To deploy it, special optical equipment is needed for either fibre optic or free space communications. In the protocol stack, QKD is a link layer service, which means that it cannot be implemented in software or as a service in a network. And it cannot be easily integrated into existing network equipment. Since QKD is hardware-based, it also lacks flexibility for updates or security patches.
• Quantum key distribution triggers infrastructure costs and internal threat risks. QKD networks often require the use of trusted repeaters, which is an additional cost for secure installations and an additional security risk from internal threats. These limitations remove at a stroke many cases of use.
• Ensuring and validating quantum key distribution represents a major challenge. Unlike the hype proclaimed by marketing, the real security provided by a QKD system is far from the unconditional theoretical security of the laws of physics, but rather the more limited security that can be achieved by hardware and engineering designs. However, the flaw tolerance of cryptographic security is in many orders of magnitude, smaller than in most physical engineering scenarios, making it very difficult to validate. The specific hardware used to perform QKD can introduce vulnerabilities, which results in several well publicized attacks against commercial QKD systems. I strongly recommend reading the black paper of quantum cryptography, which is short and quite affordable, to understand its real implementation problems.
• Quantum key distribution increases the risk of denial of service. Do you remember how the presence of an intruder could be detected because the number of key errors increased and ended up being discarded? Sensitivity to eavesdropping as a theoretical basis for QKD security claims can become its own downfall: denial of service is a significant risk for QKD.

And if you think the NSA has gone bonkers, read what they think in the UK:

• Since QKD protocols do not provide authentication, they are vulnerable to Man-in-the-middle attacks in which an adversary can agree to individual secret keys being shared with two parties who believe they are communicating with each other.
• QKD requires specialized and extremely expensive hardware. More than expensive. Extremely expensive!
• The distances over which QKD can transmit keys are currently modest, on the order of a few thousand kilometres with very delicate experimental prototypes, far from being commercially viable.
• QKD is used to agree on keys, but not to digitally sign information. Cryptography goes far beyond symmetrical encryption.

If We Do Not Use Quantum Cryptography, How Do We Protect Ourselves from Quantum Computers?

For most of the Real World™ communications systems, post-quantum cryptography (PQC) will provide an antidote to quantum computing that is more effective and efficient than QKD. While it is still early for most organisations to start deploying PQC, there is one thing everyone should do: facilitate the transition of their cryptographic infrastructure to one that is agile, i.e. one that allows algorithms, key lengths, etc. to be changed in a relatively easy way. When the algorithm and lengths are wired into the code, the cost and complexity of change in the event of an incident can be overwhelming.

In short, if you want to invest in cryptography, forget about quantum and start being crypto-agile. Whether computers arrive or not, if you are crypto-agile you will be prepared for classic problems, quantum problems and whichever is thrown at you.