There has been a significant amount of investment in quantum technologies in the UK. A key proponent of this research has been the EPSRC-funded National Quantum Technologies Programme which established four Quantum Hubs in various universities around the country[1]. One of these Hubs is the “Quantum Communications Hub” located with one of our neighbours at the University of York.
With quantum computers capable of breaking RSA encryption being predicted to be available as soon as 2030[2], research at the Quantum Communications Hub has never been more crucial. This is because such quantum computers may render many of the protocols we use to encrypt data today (such as RSA) insecure. This could have disastrous consequences in many areas of society. For example, the secrecy of a business’ new developments is of the utmost importance for protecting their Intellectual Property. It is therefore critical that a robust framework for securing our information in a post-quantum computer world is established before it is too late.
One of the key technologies that many scientists believe will be needed to overcome this impending security problem is quantum key distribution (QKD)*. As opposed to conventional cryptographic techniques such as RSA which rely on the difficulty of solving certain mathematical problems, QKD provides information-theoretical security that is guaranteed by the laws of physics. In other words, QKD is provably secure. Furthermore, unlike conventional cryptography where encrypted information could be stored for many years until a powerful enough quantum computer comes of age and is able to decrypt the data, QKD is the only cryptographic method that can keep data secret indefinitely (it is not dependent on future advances in technology). In other words, QKD provides future-proof long-term security. This is particularly important for data that needs to remain confidential for many years (such as health records and government secrets).
The security of QKD relies on two fundamental principles of quantum mechanics. One is the no-cloning theorem, which precludes copying of an unknown quantum state; the other is the inability to measure a quantum state without somehow disturbing the state. In fact, it is the inevitability of these disturbances that provides the underlying framework for the fundamental security in QKD.
The most well-known QKD protocol is the Bennett-Brassard 1984 (BB84) protocol[3]. In this protocol, a sender (Alice) sends photons to a receiver (Bob) that have been randomly encoded with a polarisation state selected from one of two orthogonal basis sets. In BB84 these basis sets are referred to as ‘rectilinear’ (including horizontal and vertical polarisation states) and ‘diagonal’ (including 45° and 135° polarisation states). After Alice sends the encoded photons, Bob randomly chooses one of the two basis sets in which to measure each incoming photon. Thereafter Alice and Bob publicly announce which basis set they used for each photon before discarding any data where they hadn’t used the same basis set. This leaves Alice and Bob with a sifted key. From the sifted key Alice and Bob can compute a Quantum Bit Error Rate (QBER) which allows them to decide whether to continue or abort the communication session. In particular, if the QBER is above a certain threshold, this indicates there may have been an eavesdropper (Eve) on the communication channel interfering with the photons sent from Alice to Bob. In other words, Eve may have some information about the sifted key. Alice and Bob can therefore abort the session before communication of any confidential data takes place. If the QBER is low enough, however, Alice and Bob can be confident that Eve, if present at all, only has a small amount of information about the sifted key. Alice and Bob can thereafter perform error correction (which corrects errors in the sifted key) and privacy amplification (which further reduces the information Eve has about the key) on the sifted key to create a final shared secret key (about which Eve has negligible information even if she is present). The final key can then be used to secure their communications.
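The sifting and QBER check described above, as an added example that is not part of the original article: a Python simulation over a noiseless channel. The eavesdropper model (measure each photon in a random basis and resend it), the 11% abort threshold and the disclosed sample fraction are assumptions made for illustration.

```python
import random

def measure(bit, prep_basis, meas_basis, rng):
    """Matching basis returns the encoded bit; a mismatched basis gives a random result."""
    return bit if prep_basis == meas_basis else rng.randrange(2)

def run_bb84(n_photons, eve_present, seed, qber_threshold=0.11, sample_fraction=0.5):
    """Simulate one session; qber_threshold and sample_fraction are assumed values."""
    rng = random.Random(seed)
    sifted = []  # (alice_bit, bob_bit) for photons where both used the same basis
    for _ in range(n_photons):
        # basis 0 = rectilinear, basis 1 = diagonal
        a_bit, a_basis = rng.randrange(2), rng.randrange(2)
        bit, basis = a_bit, a_basis
        if eve_present:
            # Assumed eavesdropper model: measure in a random basis, resend the result
            e_basis = rng.randrange(2)
            bit, basis = measure(bit, basis, e_basis, rng), e_basis
        b_basis = rng.randrange(2)
        b_bit = measure(bit, basis, b_basis, rng)
        if a_basis == b_basis:  # public basis comparison (sifting)
            sifted.append((a_bit, b_bit))
    # Disclose a random sample of the sifted key to estimate the QBER, then discard it
    rng.shuffle(sifted)
    n_sample = int(len(sifted) * sample_fraction)
    if n_sample == 0:
        raise ValueError("too few sifted bits to estimate the QBER")
    sample, remaining = sifted[:n_sample], sifted[n_sample:]
    qber = sum(a != b for a, b in sample) / n_sample
    abort = qber > qber_threshold
    return {
        "sifted_len": len(sifted),
        "qber": qber,
        "abort": abort,
        # Bits left for error correction and privacy amplification
        "raw_key_len": 0 if abort else len(remaining),
    }

if __name__ == "__main__":
    for eve in (False, True):
        print("Eve present:", eve, run_bb84(8000, eve, seed=1))
```

About half the photons survive sifting, and under this eavesdropper model roughly a quarter of the sampled sifted bits disagree, so the session is aborted before any key is used.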
As noted above, BB84 is the most well-known QKD protocol. However, over the past few decades there have been a number of other protocols proposed by scientists. Some of these protocols make use of the phenomenon of quantum entanglement. For example, shortly after the proposal by Bennett and Brassard, in 1991 Ekert proposed a protocol that utilised Einstein-Podolsky-Rosen (EPR) pairs (i.e. pairs of entangled photons)[4]. This protocol is known as E91. In E91 Alice receives a photon from a first entangled EPR pair and Bob receives a photon from a second entangled EPR pair. The other photons are sent to a central node. Then, by performing a Bell state measurement on the photons, Alice and Bob are able to detect the presence of Eve. This is because any interference by Eve will disturb the entangled states and this disturbance can be measured by Alice and Bob. If Alice and Bob are confident that Eve is not present, they can then prepare a secret key and share information securely.
After the two initial proposals of BB84 and E91, the first practical demonstration of the QKD concept was in 1992 when Bennett’s group successfully performed QKD over 32.5cm of free space[5]. Since then, there have been vast improvements in the transmission distance and the achievable secure key rates. For example, in free space implementations, recent satellite-based QKD experiments have now shown remarkable transmission distances of 1200km in China[6] and 7600km between China and Austria[7]. Meanwhile, in optical fibre implementations similar increases in the transmission distances have been achieved and most recently a transmission distance of around 500km has been achieved using ultra-low-loss optical fibres[8]. In addition to the long transmission distances, secure key rates of over 10 Mbits/s have now been demonstrated[9]. It is thus clear that the practicality of QKD is improving year on year.
Some dedicated QKD systems are in fact already commercially available from companies such as ID Quantique and Toshiba. Additionally, QKD has also been implemented to encrypt communications in several real-world implementations such as the Swiss elections in 2007 and the South African football World Cup in 2010. More recently, in China an unprecedented large-scale quantum network which covers more than 2000km and has more than 700 QKD links has now been developed between Shanghai and Beijing using both ground-based and satellite-based stations[10].
There have also been significant advances in terms of the underlying security proofs of QKD when using real-world devices (i.e. non-idealised devices with imperfections). These security considerations have helped scientists to understand and try to close any side-channel attacks available to so-called ‘quantum hackers’. Many of these side-channels involve the sources and detectors of the photons used for communicating the key information.
For example, one problem is that many practical devices generate single photons by attenuating a laser beam such that there is a high probability that the number of photons in any single pulse is one. However, unfortunately this type of photon source suffers from the fact that there is a finite probability that some pulses will have more than one photon in them. This imperfection in the source can be exploited by Eve in a so-called photon number splitting (PNS) attack where Eve splits any of the multi-photon pulses and stores a photon from them for herself that can be measured later to obtain information about the key exchanged between Alice and Bob. To help overcome the PNS attack, a key development is the decoy state method which was originally proposed in 2003[11]. In the decoy state method, in addition to sending non-decoy states, Alice prepares and sends to Bob decoy states (states with different pulse intensities). After Bob measures the states sent by Alice, post processing allows them to establish which states were the non-decoy states. In employing the PNS attack on the decoy states however, Eve inevitably changes the rates at which non-decoy and decoy states are detected by Bob. This disturbance allows Alice and Bob to spot the presence of Eve. The decoy state method significantly increases the performance of practical QKD by helping to close this source-based side-channel. Because of this, the decoy state method is applied in many practical QKD scenarios such as the large-scale 2000km Shanghai-Beijing quantum network discussed above.
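The rate comparison behind the decoy state method, as an added example that is not part of the original article: Python code that computes the detection rate (gain) Alice and Bob expect at each pulse intensity from channel loss alone and flags intensities whose observed gain deviates. The Poisson photon-number statistics, the yield models, the intensities 0.5 and 0.1, the transmittance 0.01 and the 20% tolerance are all assumptions made for illustration.

```python
import math

def poisson(n, mu):
    """Probability that a pulse of mean photon number mu contains n photons."""
    return math.exp(-mu) * mu**n / math.factorial(n)

def gain(mu, yields, n_max=20):
    """Detection probability per pulse: sum over n of P_n(mu) * Y_n."""
    return sum(poisson(n, mu) * yields(n) for n in range(n_max + 1))

def honest_yield(eta):
    # Loss only: each photon reaches Bob independently with probability eta
    return lambda n: 1 - (1 - eta) ** n

def pns_yield(eta, mu_signal):
    # Assumed PNS model: single-photon pulses never arrive; multi-photon pulses
    # arrive with probability f, chosen so the signal gain looks like plain loss.
    expected = gain(mu_signal, honest_yield(eta))
    p_multi = 1 - poisson(0, mu_signal) - poisson(1, mu_signal)
    f = min(1.0, expected / p_multi)
    return lambda n: f if n >= 2 else 0.0

def decoy_check(observed, eta, intensities, tolerance=0.2):
    """Return {intensity name: observed/expected} for every gain outside tolerance."""
    flagged = {}
    for name, mu in intensities.items():
        expected = gain(mu, honest_yield(eta))
        if abs(observed[name] - expected) > tolerance * expected:
            flagged[name] = observed[name] / expected
    return flagged

def observe(yields, intensities):
    """Gains Bob would record at each intensity for a given yield model."""
    return {name: gain(mu, yields) for name, mu in intensities.items()}

if __name__ == "__main__":
    levels = {"signal": 0.5, "decoy": 0.1}  # constructed sample intensities
    eta = 0.01                              # constructed channel transmittance
    print(decoy_check(observe(honest_yield(eta), levels), eta, levels))
    print(decoy_check(observe(pns_yield(eta, levels["signal"]), levels), eta, levels))
```

With signal pulses alone the two cases are indistinguishable; the decoy gain drops to roughly a quarter of its expected value, which is the disturbance the method detects.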
Following the development of the decoy state method, quantum hackers turned their attention to other possible fragilities of the QKD system. One of these fragilities is the use of untrusted relays in the QKD network which can be accessed and therefore exploited by Eve (i.e. detector-based side-channels). In order to help overcome this problem, an important protocol that has been developed is measurement device independent QKD (MDI-QKD)[12]. It is believed that MDI-QKD can remove all detector side-channels. MDI-QKD is similar in concept to the E91 protocol discussed above but is ‘time-reversed’. In other words, the Bell state measurements of the EPR pairs are performed by Alice and Bob before the measurement at a central node as opposed to E91 where Alice and Bob’s measurements are performed after the measurement at the central node. The MDI-QKD protocol is considered an important development for practical QKD implementations which may consist of many untrusted relays (e.g. the Shanghai-Beijing quantum network has hundreds of untrusted relays). More recently an adaptation of the MDI-QKD method has also been proposed known as twin-field QKD (TF-QKD)[13] and is thought to help increase the secure transmission distance when using MDI-QKD, further advancing the practicality of the QKD system.
As demonstrated by the recent 2000km QKD network between Beijing and Shanghai, it is evident that we are coming closer and closer to the realisation of a global QKD network. However, there are a number of challenges that remain to be solved. For example, to further increase the limits on transmission distance in QKD, scientists believe that a possible solution is a so-called quantum repeater (where a quantum signal can be re-generated without disturbing the state). However, whilst there has been a significant amount of research on such devices, to date there are no practical developments that would facilitate implementation of quantum repeaters in a practical QKD network. It is also important that before any QKD system is employed on a global scale, the fundamental security claims must be vigorously assessed and validated. There is ongoing research in this regard. There are also challenges regarding the practical implementation of low-cost QKD devices with a small size, weight and power (SWaP) footprint. Currently, chip-based QKD seems to be the most promising solution to help solve these problems. There are also issues that need to be addressed in terms of standardisation of QKD protocols, hardware and software before QKD can be widely employed.
Thus, whilst we have come a long way since the original proposal for QKD back in 1984, there are still a number of outstanding issues that need to be addressed. The race to develop a global QKD network before the realisation of practical code-cracking quantum computers is therefore still well and truly on. One thing that remains in little doubt is that a global QKD network is going to be one of the fundamental data security needs of the future, but the security of our data now hinges on how long it takes us to get there.
References
1. UK National Quantum Technologies Programme
2. RSA-breaking Quantum Computers by 2030?
3. BB84
4. E91
5. First Experimental QKD Demonstration
6. Free space QKD transmission distance over 1200km
7. Free space QKD between China and Austria
8. QKD transmission over 500km on optical fibre
10. China's 2000km QKD network
12. MDI-QKD
13. TF-QKD
*footnote
In actual fact, there are two main types of QKD, discrete-variable QKD (DV-QKD), where key information is encoded on individual photons, and continuous-variable QKD (CV-QKD), where, instead of using individual photons, key information is encoded in the quadratures of the electromagnetic field (i.e. phase and amplitude).