Harnessing quantum tech to add unbreakable security to the internet
With today’s standard internet, packets of data are sent across networks and reassembled at the other end. For added protection, those packets are almost always secured through encryption and public-key cryptography (PKC), which is used to establish a shared key between sender and receiver that then encrypts the message or communication.
However, when code-breaking quantum computers do emerge, which are not as far away as we think, breaking the PKC that we rely on for secure communications over the internet will become a whole lot easier.
That’s where the idea of making communications and the entire internet quantum-proof has started to gain traction, but we now have two schools of thought emerging in this area: Post-Quantum Cryptography (PQC) and Quantum Cryptography – mainly Quantum Key Distribution (QKD). So, what are they, what are their appropriate usages, and how can they be best used to add unbreakable security to the internet?
QKD – an emerging technology, but does it work?
As opposed to sending packets of data over the internet, QKD technology is a hardware-based approach that uses fundamental quantum mechanics to facilitate communication with a built-in early warning system should there be any interception. It does this by sending one of a pair of entangled light particles, or ‘photons’ (entanglement meaning the inherent connection between quantum bits, or qubits), down a fibre-optic line between two nodes, while holding back the particle that is linked to it.
This makes a connection for sending data, meaning if a bad actor tries to meddle with that connection, it is immediately obvious. Why? In layman’s terms, the technology makes it easy to find out whether a third party has eavesdropped on the qubits during the transmission, since the intruder would have caused the key to change simply by looking at it.
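To make the detection principle concrete, here is an added simulation that is not part of the original article. It models the simpler prepare-and-measure BB84 variant of QKD rather than the entanglement-based scheme described above, since the security argument is the same: any measurement by a third party in the wrong basis disturbs the qubit, and the resulting mismatches show up in the error rate of the sifted key. The channel is assumed to be ideal and noise-free, so every error is attributable to interference, and the 11% acceptance threshold is the commonly cited bound from the idealised BB84 analysis.

```python
"""Constructed BB84-style QKD simulation (not from the original article).

Shows why an intercept-resend eavesdropper is detectable: measuring a qubit
in the wrong basis randomises it, so the two ends see errors in the portion
of the key they compare. The channel is assumed ideal and noise-free.
"""
import random

# Commonly cited BB84 threshold: above this sifted-key error rate the key is
# discarded because an eavesdropper could hold too much information about it.
QBER_THRESHOLD = 0.11


def bb84_round(n_qubits: int, eavesdrop: bool, seed=None):
    """Run one exchange and return (sifted_key_length, qber).

    Basis 0 = rectilinear, basis 1 = diagonal. A measurement in the same
    basis the qubit was prepared in returns the encoded bit; a measurement
    in the other basis returns a uniformly random bit.
    """
    rng = random.Random(seed)
    alice_bits = [rng.randint(0, 1) for _ in range(n_qubits)]
    alice_bases = [rng.randint(0, 1) for _ in range(n_qubits)]
    bob_bases = [rng.randint(0, 1) for _ in range(n_qubits)]

    def measure(bit, prep_basis, meas_basis):
        return bit if prep_basis == meas_basis else rng.randint(0, 1)

    bob_bits = []
    for bit, prep_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            # Eve measures in a random basis and re-sends what she observed.
            # If she guessed wrong, the photon Bob receives is now prepared in
            # Eve's basis, so Bob's same-basis-as-Alice measurement is random.
            e_basis = rng.randint(0, 1)
            bit = measure(bit, prep_basis, e_basis)
            prep_basis = e_basis
        bob_bits.append(measure(bit, prep_basis, b_basis))

    # Sifting: Alice and Bob publicly compare bases (never bit values) and
    # keep only the positions where they happened to choose the same basis.
    sifted = [
        (a_bit, b_bit)
        for a_bit, b_bit, a_basis, b_basis in zip(alice_bits, bob_bits, alice_bases, bob_bases)
        if a_basis == b_basis
    ]
    if not sifted:
        return 0, 0.0
    # In practice a random sample of the sifted key is revealed to estimate
    # the error rate; here the whole sifted key is used for clarity.
    errors = sum(1 for a_bit, b_bit in sifted if a_bit != b_bit)
    return len(sifted), errors / len(sifted)


def key_accepted(qber: float, threshold: float = QBER_THRESHOLD) -> bool:
    """Decision rule: abort key establishment if the error rate is too high."""
    return qber <= threshold


if __name__ == "__main__":
    for tapped in (False, True):
        length, qber = bb84_round(4000, eavesdrop=tapped, seed=7)
        verdict = "accepted" if key_accepted(qber) else "ABORTED (interception suspected)"
        print(f"eavesdropper={tapped}: sifted bits={length}, QBER={qber:.3f}, key {verdict}")
```

Without a tap the sifted key agrees exactly; with an intercept-resend tap the error rate sits around 25%, far above the threshold, so the key is thrown away rather than used. This is also the limit the article goes on to note: the protocol reveals that something is interfering, not where on the fibre or who.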
QKD technology is in its very early stages and there are some clear benefits. By creating a quantum channel that guarantees communication cannot be successfully intercepted without detection, the technology will become incredibly useful in high-security, bespoke network links between nodes (typically data centres).
However, this benefit also has its main limitation. QKD relies on building new communications infrastructure, making it costly and difficult to scale, as well as impractical for ‘last mile’ secure connectivity. Most reputable experiments so far have sent keys across relatively short distances using dedicated fibre-optic cables, but if we are to create a secure network in which multiple senders and multiple receivers can exchange communications on a global scale (just as we do today), we are in for an expensive and time-consuming journey. And with Y2Q (the point in time where quantum computers’ capabilities exceed those of classical computers) looming, we need solutions that can be efficiently and cost-effectively deployed.
There are also security concerns with QKD that are often overlooked. For example, QKD can only tell that a Man-In-The-Middle (MITM) interception has occurred when photons are disturbed; it cannot tell where the tap is, how many there are or who is listening in. If someone puts a tap somewhere along a 150 km high-grade fibre-optic cable, locating and removing it quickly will be very difficult.
In summary, QKD is one aspect of future-proofing our communications and activities over the internet. However, as an infrastructure-heavy technology that’s more reflective of bespoke network links between two already secured locations, it is unlikely that it will be easily available to everyone beyond highly sensitive applications where secrecy needs to be guaranteed under all circumstances, and where the parties communicating are already in fixed locations where authentication is not an issue.
Catering to wider use cases: QKD and PQC in tandem
If we want to secure a global, IP networked world that can share even more information over longer distances to more people, we will likely need a more agile approach that quantum-proofs all our data that flows over the internet. That’s where PQC technology comes in.
In short, PQC is a software-based approach that uses new algorithms that, unlike current PKC algorithms such as RSA, are not based on the difficulty of factoring the product of large prime numbers. The National Institute of Standards and Technology (NIST) is currently finalising the new standard algorithms for PQC, and is due to reach a decision early next year.
The primary reason why PQC will be needed is scalability. A potential quantum attack exposes a much broader attack surface: video conferencing, email exchange and employees working from home, all of which rely on further wired or wireless connectivity. To achieve an end-to-end quantum-safe environment, rather than only securing the link between two already secured optical nodes over a relatively short distance, PQC can quantum-proof our intrinsically IP-networked world.
There are also significant security benefits. For example, the McEliece cryptosystem has successfully resisted more than 40 years of attacks and cryptanalysis. It is also a likely candidate for the algorithms that NIST chooses, making it a core way we can secure our communications against a future quantum attack.
As a software-based technology, PQC runs on the same hardware infrastructure as today’s digital networks and so does not share QKD’s infrastructure limitations, while also being compatible with any medium of digital communication, including electrical wires, radio waves and, of course, optical networks. This significantly reduces the new and costly infrastructure outlay that would otherwise be needed.
Hybridisation is the key to keeping all our communications secure
Securing our future communications and activities on the internet will likely require a hybridised approach: QKD being deployed to protect the major dedicated links over very short distances, while using PQC to connect any wired or wireless networks or devices from these nodes, securing a global, IP networked world.
The current internet is a playground for hackers and cybercriminals with “harvest now and decrypt later” attacks already taking place. We ought to start taking quantum-proofing our communications more seriously before quantum computers create havoc.