Why We Must Act Now to Establish Standards for Quantum Security
Quantum computing could soon emerge from research labs to handle practical workloads such as simulating complex processes or performing cryptographic calculations that are beyond the reach of current supercomputers. While this is all very exciting it poses serious issues for the security of many systems. Quantum computers could easily break current state of the art cryptography, so data encrypted today will become an easy target for quantum hackers of the future.
Cheap mass storage enables cyber criminals to harvest vast quantities of encrypted data and simply wait until they have the firepower to expose its secrets. Data protection regulations require organisations to maintain data confidentiality for periods of several years, so this is a serious threat.
Information-security techniques such as quantum key distribution (QKD) could provide an answer. QKD establishes cryptographic keys by sending and detecting light signals, in addition to using conventional data about measurements and settings. Interference with quantum communications can be detected and – unlike conventional cryptography - security is not based on assumptions about the compute resources available to adversaries. All of this helps protect information against future algorithmic and computing advances.
However, these strong security principles are only one part of the solution. The other is implementation, which must be handled correctly to prevent exposing vulnerabilities through behaviour such as information leakage. If leakage can be kept low, security can be maintained using a technique called “privacy amplification”. In addition, hardware and protocols can be modified to reduce information leakage and thwart side-channel and active attacks. In the future, quantum correlations could be used to test the hardware of a real system.
Due to the complexity of techniques such as these, standardization is important to ensure secure implementation. It is essential not only to define countermeasures that can ensure the security of a QKD setup, but also to establish best practices for operating QKD systems that will minimise the risk of inadvertently opening a door to attackers. Certification authorities can also rely on standards to assess the security level of QKD products.
To address the standardization issues, which also include verifying security assumptions and ensuring quantum products are implemented properly, as well as developing a suitable certification process, ETSI established an Industry Specification Group (ISG) for QKD comprising experts from scientific, industrial, and commercial organisations. National certification and information security agencies are also involved.
The sheer power that quantum computing will place in the hands of legitimate users and their adversaries means standards, such as those being created and led by ETSI, are vital if we are to keep important data and essential systems safe in the future.
[A longer variant of this piece was published by the SC Magazine. For those who want to dive into more detail, check out the ETSI white paper on Implementation Security of Quantum Cryptography.]