Considerations on Quantum-Based Methods for Communication Security
Jeffrey Uhlmann
Dept. of Electrical Engineering & Computer Science, University of Missouri-Columbia
Abstract—In this paper we provide an intuitive-level discussion of the challenges and opportunities offered by quantum-based methods for supporting secure communications, e.g., over a network. The goal is to distill down to the most fundamental issues and concepts in order to provide a clear foundation for assessing the potential value of quantum-based technologies relative to classical alternatives. It is hoped that this form of exposition can provide greater clarity of perspective than is typically offered by mathematically-focused treatments of the topic. It is also hoped that this clarity extends to more general applications of quantum information science such as quantum computing and quantum sensing.
Index Terms—Communication Security; Cryptography; One-Time Pad; Quantum Computing; Quantum Information; Quantum-Key Distribution; Quantum Networks; Quantum Sensing; QKD.
Presentation to the National Academy of Sciences, Quantum Sensing and Communications Colloquium, Washington, DC, August 23, 2018.

I. INTRODUCTION

Quantum-based technologies exploit physical phenomena that cannot be efficiently exhibited or simulated using technologies that exploit purely classical physics. For example, a quantum sensor may use quantum phenomena to probe a system to discern classical and/or quantum properties of the system that cannot be directly measured by classical sensing technologies. Quantum computing, by contrast, generalizes the classical unit of information, the bit, in the form of a quantum bit, or qubit, and exploits quantum computational operators that cannot be efficiently simulated using classical Boolean-based operators.

Secure quantum-based communication protocols have emerged as among the first practical technologies for which advantages over classical alternatives have been rigorously demonstrated. As will be discussed, however, these advantages rely on a set of assumptions about the capabilities of potential adversaries (hackers) as well as those of the communicating parties. Because the quantum advantage can be lost if these assumptions are relaxed, the utility of quantum-based communication must be assessed based on the assumed scenario in which it will be applied.

In the next section we discuss scenarios in which classical cryptography can facilitate unconditionally secure communications. We then discuss a more general class of communication scenarios in which classical methods cannot provide unconditional guarantees of security but may offer practically sufficient ones. We then provide a high-level description of how special properties of quantum systems can be exploited to enlarge the range of scenarios for which unconditional communication security can be achieved. This provides context for realistically examining how the tantalizing theoretical features of quantum-based approaches to communication security may translate to practical advantages over classical alternatives.

II. SECURE COMMUNICATIONS
Suppose two parties, Alice and Bob, know they will have need for unconditionally secure communications at various times in the future. If they determine that they are unlikely to communicate more than a total of n bits before the next time they meet then they can create a sequence of random bits, referred to as a one-time pad (OTP), and each keep a copy for use to mask their messages.

For example, a week later Alice can contact Bob using whatever unsecure communication medium she chooses, e.g., phone or email, and then send her k-bit private message encrypted by performing an exclusive-or (XOR) of it with the first k bits of the OTP. Upon receipt of the encrypted k-bit message, Bob will simply invert the mask by applying the same XOR operation using the first k bits of the OTP.

Even if an eavesdropper, Eve, is able to monitor all communications between Alice and Bob, she will not be able to access the private information (i.e., original plain-text messages) without a copy of their OTP. Thus, the OTP protocol offers unconditional security against eavesdropping, but its use is limited to parties who have previously established a shared OTP. The question is whether a secure protocol can be established between two parties who have never communicated before.

III. PUBLIC KEY ENCRYPTION
At first glance it appears that there is no way for Alice and Bob to communicate for the first time in a way that is secure against an eavesdropper who has access to every bit of information they exchange. However, a commonly-used analogy can quickly convey how this might be done.

The exclusive-or function of two bits a and b is 0 if they are the same and 1 if they differ.
Suppose Alice wishes to mail a piece of paper containing a secret message to Bob. To ensure security during transport she places the paper in a box and applies a lock before sending. When Bob receives the box he of course can't open it because of the lock, but he can apply his own lock and send the box back to Alice. Upon receipt, Alice removes her lock and sends the box back to Bob, who can now open it and read the message.

If it is assumed that the box and locks can't be compromised then this protocol is secure even if Eve is able to gain physical access to the box during transport. An analogous protocol can be applied to digital information if it is possible for Alice and Bob to sequentially encrypt a given message and then sequentially decrypt it. To do so, however, Alice must be able to remove her encryption mask after Bob has applied his. In other words, their respective encryption operations must commute and not be invertible by Eve.

It turns out that no classical protocol can satisfy the necessary properties for unconditional security. However, a practical equivalent of unconditional security can potentially be achieved in the sense that Eve may be able to invert the encryption – but only if she expends thousand years of computation time. Under the assumption that security of the message will be irrelevant at that point in the distant future, the protocol can be regarded as unconditionally secure for all practical purposes.

At present there are technically no protocols that provably require such large amounts of computational effort, but some do if certain widely-believed conjectures (relating to one-way functions) are true. Assuming that these conjectures are in fact true, classical public-key protocols would seem to offer practically the same level of security as a one-time pad but without the limitation of prior communication.
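To check the two requirements just stated (the masks must commute, and Eve must not be able to invert them), here is an added example that is not from the paper: it builds the lockbox exchange from XOR masks, which do commute, and then computes what a passive reader of the channel can derive. The function names and the sample message are constructed for this illustration.

```python
import secrets


def mask(data: bytes, key: bytes) -> bytes:
    """XOR a byte string with a key of equal length. XOR masks commute
    (Alice's then Bob's equals Bob's then Alice's) and each is its own
    inverse, which is what lets a party 'remove their own lock' later."""
    assert len(data) == len(key), "key must cover the whole message"
    return bytes(d ^ k for d, k in zip(data, key))


def three_pass(message: bytes, keygen=secrets.token_bytes):
    """The digital lockbox: Alice applies her mask, Bob adds his, Alice removes
    hers, Bob removes his. Returns the three transmissions visible on the
    channel and the bytes Bob finally reads."""
    ka, kb = keygen(len(message)), keygen(len(message))
    t1 = mask(message, ka)    # Alice -> Bob: Alice's lock on
    t2 = mask(t1, kb)         # Bob -> Alice: Bob's lock added
    t3 = mask(t2, ka)         # Alice -> Bob: Alice's lock off (masks commute)
    bob_reads = mask(t3, kb)  # Bob takes his own lock off
    return (t1, t2, t3), bob_reads


def passive_recovery(transmissions):
    """What someone who only reads the channel can compute. Since t1 ^ t2
    equals Bob's key and t3 is the message under Bob's key alone, XORing the
    three transmissions returns the message: the masks commute but are
    invertible by Eve, so the second requirement in the text fails."""
    t1, t2, t3 = transmissions
    return mask(mask(t1, t2), t3)


if __name__ == "__main__":
    seen, delivered = three_pass(b"meet at noon")
    print("Bob reads:", delivered)
    print("channel alone reveals:", passive_recovery(seen))
```

The point is that commutation alone is cheap to get; the hard requirement is a commuting mask that a passive observer cannot strip, which is exactly where the one-way-function conjectures of the next paragraph enter.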
On the other hand... estimating the expected amount of time necessary to break a classical public-key protocol is very difficult. Even if it is assumed that the amount of work required by Eve grows exponentially with the length of a critical parameter, a particular value for that parameter must be chosen. For all existing protocols the value of this parameter introduces an overhead coefficient (both in computational time and space) which may not be exponential but may grow such that the protocol becomes impractical in most real-world contexts.

Suppose the parameter is selected based on a tradeoff between practical constraints and a minimum acceptable level of security, e.g., that it would take Eve 500 years to break the encryption using the fastest existing supercomputer. What if Eve can apply 1000 supercomputers and break it in six months? Or what if she develops an optimized implementation of the algorithm that is 1000 times faster? Breaking the code may still require time that is exponential in the value of the parameter, but the real question is how to estimate the range of parameter values that are at risk if Eve applies all available resources to crack a given message.

As an example, in 1977 it was estimated that the time required to break a message encrypted with the RSA public-key protocol using a particular parameter value would be on the order of many quadrillion years. However, improved algorithms and computing resources permitted messages of this kind to be broken only four years later, and by 2005 it was demonstrated that the same could be done in only a day.

The difficulty of making predictions, especially about the future [3], raises significant doubts about the extent to which any particular classical public-key scheme truly provides a desired level of security for all practical purposes, and it is this nagging concern that motivates interest in quantum-based protocols that offer true unconditional security, at least in theory.

IV. QUANTUM KEY DISTRIBUTION (QKD)

Quantum-based public-key protocols have been developed that provide unconditional security guaranteed by the laws of physics. In the case of Quantum Key Distribution (QKD) [2], its security is achieved by exploiting properties that only hold for qubits. The first is the no-cloning theorem, which says that the complete quantum state of a qubit cannot be copied. The second is that a pair of qubits can be generated with entangled states such that the classical binary value measured for one by a particular measurement process using parameter value Θ will be identical to what is measured for the other using the same parameter value, but not necessarily if the second measurement is performed with a different parameter value Θ′ ≠ Θ.

The no-cloning theorem is clearly non-classical in the sense that a qubit stored in one variable can't be copied into a different variable the way the content of a classical binary variable can be copied into another variable or to many other variables. For example, if the state of a given qubit is somehow placed into a different qubit then the state of the original qubit will essentially be erased in the process. In other words, the state of the qubit should not be viewed as having been copied but rather teleported from the first qubit to the second qubit. If it is simply measured, however, then its state collapses to a classical bit and all subsequent measurements will obtain the same result.

Based on these properties, the following simple quantum communication protocol can be defined:

1) Alice and Bob begin by agreeing on a set of k distinct measurement parameter values Θ = {Θ_1, Θ_2, ..., Θ_k}. This is done openly without encryption, i.e., Eve sees everything.
2) Alice and Bob each separately choose one of the k parameter values but do not communicate their choices, thus Eve has no knowledge of them.
3) Alice generates a pair of entangled qubits. She measures one and sends the other to Bob.
4) Bob reports his measured value. If Alice sees that it is not the same as hers then she chooses a different parameter and repeats the process. She does this for each parameter value until only one is found that always (for a sufficiently large number of cases) yields the same measured value as Bob but does not give results expected for different Θ values.
5) At this point Alice and Bob have established a shared parameter value that is unknown to Eve. The process can now be repeated to create a shared sequence of random bits that can be used like an ordinary one-time pad. In fact, subsequent communications can be conducted securely using classical bits.

The security of the above protocol derives from the fact that Eve cannot clone k copies of a given qubit to measure with each Θ_k, and simply measuring transmitted qubits will prevent Alice and Bob from identifying a unique shared measurement parameter. In other words, Eve may corrupt the communication channel but cannot compromise its information. At this point Alice and Bob can create a shared OTP (which they can verify to be identical by using a checksum or other indicator) and communicate with a level of security beyond what is possible for any classical public-key protocol.

The theoretical physics explaining why quantum states can't be cloned, and the details of how qubits are prepared and manipulated, are not important in the present context for the same reason that details of how classical bits are implemented in semiconductor devices are not relevant to discussions of algorithmic issues.

This toy protocol is intended only to illuminate the key concepts in a way that links to the classical one-time pad (variations can be found in [7]). Much more complete expositions of the general theory and practice of quantum cryptography can be found in [1], [4]–[6].

V. THE AUTHENTICATION CHALLENGE
For research purposes it is natural to introduce simplifying assumptions to make a challenging problem more tractable. The hope is that a solution to the simplified problem will provide insights for solving the more complex variants that arise in real-world applications. This was true of the lockbox example in which it was assumed that Eve might obtain physical access to the locked box but is not able to dismantle and reassemble the box, or pick the lock, to access the message inside. The secure digital communication problem as posed in this paper also has such assumptions.

Up to now it has been assumed that Eve has enormous computational resources at her disposal sufficient to overcome the exponential computational complexity demanded to break classical protocols. Despite these resources, it has also been assumed that she is only able to passively monitor the channel between Alice and Bob. This is necessary because otherwise she could insert herself and pretend to be Alice when communicating with Bob and pretend to be Bob when communicating with Alice. This is referred to as a Man-In-The-Middle (MITM) attack, which exploits what is known as the authentication problem.

To appreciate why there can be no general countermeasure to MITM attacks, consider the case of Eve monitoring all of Alice's outgoing communications. At some point Eve sees that Alice is trying to achieve first-time communication with a guy named Bob. Eve can intercept the messages intended for Bob and pretend to be Bob as the two initiate a secure quantum-based protocol. Pretending to be Alice, Eve does the same with Bob. Now all unconditionally secure communications involve Eve as a hidden go-between agent.

In many respects it might seem easier to actively tap into a physical channel (e.g., optical fiber or copper wire) than to passively extract information from a bundle of fibers or wires within an encased conduit, but of course it's possible to add physical countermeasures to limit Eve's ability to penetrate that conduit. On the other hand, if that can be done then it might seem possible to do something similar to thwart passive monitoring.

Ultimately no quantum public-key protocol can be unconditionally secure without a solution to the authentication problem. Many schemes have been developed in this regard, but ultimately they all rely on additional assumptions and/or restrictions or else involve mechanisms that potentially could facilitate a comparable level of security using purely classical protocols.

As an example, suppose a company called Amasoft Lexicon (AL) creates a service in which customers can log in and communicate with other registered customers such that AL serves as a trusted intermediary to manage all issues relating to authentication. This may involve use of passwords, confirmation emails or text messages to phones, etc., but ultimately it must rely on information that was privately established at some point between itself and each of its customers, e.g., Alice and Bob.

Suppose each customer is required to set up a strong password. Initially, how is that information exchanged securely with AL? One option might be to require the customer to physically visit a local provider so that the person's identity can be verified, and a secure password can be established, without having to go through an unsecure channel. Okay, but how long must the password be? If it is to be repeatedly used then it would become increasingly vulnerable as Eve monitors more and more messages.

To avoid repeated use of a short password, AL could give Alice a drive containing 4TB of random bits for an OTP that would be shared only by her and AL. The same would be done using a different OTP when Bob registers. Now Alice can initiate unconditionally secure communications with AL, and AL can do the same with Bob, and therefore Alice and Bob can communicate with unconditional security via AL.

Regardless of whether communications through AL involve a quantum component, the security of the overall system depends on the trusted security of AL – and on the security practices of its customers in maintaining the integrity of their individual OTPs. The situation can be viewed as one of replacing one point of vulnerability with a different one. For example, what prevents Eve from seeking employment at AL? Are there sufficient internal safeguards to protect against nefarious actions of AL employees?
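The toy protocol of Section IV, together with the endpoint-impersonation point made in this section, as an added classical simulation that is not part of the paper: agreement between the two halves of an entangled pair is modelled as cos² of the parameter difference, Eve's measurement as collapse followed by re-sending, and the parameter set, seeds and function names are constructed for the illustration.

```python
import hashlib
import math
import random

# Step 1: the candidate measurement parameters, agreed openly (Eve sees them).
# The paper leaves the set abstract; these four angles in radians are
# constructed for this simulation.
PARAMS = [0.0, math.pi / 8, math.pi / 4, 3 * math.pi / 8]


def new_rng(seed=2018):
    return random.Random(seed)  # seeded so a run is reproducible


def agree_prob(theta_1, theta_2):
    """Probability that measurements of an entangled pair made with parameters
    theta_1 and theta_2 give the same bit: cos^2 of the difference, so exactly
    1 when the parameters are equal and strictly below 1 otherwise."""
    return math.cos(theta_1 - theta_2) ** 2


def measure_pair(theta_a, theta_b, rng, eve_theta=None):
    """Step 3: Alice measures one half of a fresh entangled pair with theta_a
    and sends the other half to Bob, who measures it with theta_b.
    If eve_theta is given, Eve measures the travelling qubit with her own
    parameter and re-sends it. She cannot clone it, so her measurement
    collapses the state: Bob now correlates with Eve's bit, not Alice's."""
    a = rng.randrange(2)
    if eve_theta is None:
        return a, a if rng.random() < agree_prob(theta_a, theta_b) else 1 - a
    e = a if rng.random() < agree_prob(theta_a, eve_theta) else 1 - a
    return a, e if rng.random() < agree_prob(eve_theta, theta_b) else 1 - e


def mismatch_rate(theta_a, theta_b, rng, rounds=2000, eve=None):
    """Step 4: fraction of rounds in which Bob's reported bit differs from
    Alice's. `eve` is an optional callable returning Eve's parameter per round."""
    bad = 0
    for _ in range(rounds):
        a, b = measure_pair(theta_a, theta_b, rng, eve(rng) if eve else None)
        bad += a != b
    return bad / rounds


def find_shared_param(theta_bob, rng, rounds=2000, eve=None):
    """Steps 2-4 from Alice's side: try each candidate and keep the one that
    never disagrees with Bob. None means every candidate showed
    disagreements, i.e. someone else is measuring the channel."""
    for theta_a in PARAMS:
        if mismatch_rate(theta_a, theta_bob, rng, rounds, eve) == 0.0:
            return theta_a
    return None


def make_pad(theta, rng, nbits):
    """Step 5: with the parameter fixed and Bob no longer reporting bits,
    repeated rounds give both parties the same random bits. Returns
    (alice_pad, bob_pad, match), where match is the checksum comparison the
    paper mentions, done on digests so no pad bits are exposed."""
    pairs = [measure_pair(theta, theta, rng) for _ in range(nbits)]
    alice = bytes(a for a, _ in pairs)
    bob = bytes(b for _, b in pairs)
    return alice, bob, hashlib.sha256(alice).digest() == hashlib.sha256(bob).digest()


def random_eve(rng):
    """Intercept-resend: Eve knows only the public set, so she guesses per qubit."""
    return rng.choice(PARAMS)


if __name__ == "__main__":
    rng = new_rng()
    print("clean channel, parameter found:", find_shared_param(PARAMS[2], rng))
    print("channel being measured, parameter found:",
          find_shared_param(PARAMS[2], rng, eve=random_eve))
    # Section V: Eve as the far endpoint (posing as Bob) sees undisturbed qubits.
    print("Eve as endpoint, parameter found:", find_shared_param(random_eve(rng), rng))
    print("pad copies match:", make_pad(PARAMS[2], rng, 64)[2])
```

Measuring the channel shows up as disagreements on every candidate parameter, so the search fails; a counterpart who simply runs the protocol is indistinguishable from Bob, which is why the authentication problem cannot be solved by the qubits themselves.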
VI. THE COMPLEXITY CHALLENGE
Complexity is a double-edged sword in the context of communication security. On the one hand it can be used to increase the computational burden on Eve. On the other hand, it can introduce more points of vulnerability for her to exploit as the scale of the implementation (amount of needed software and hardware) increases.

In the case of quantum-based protocols there is need for highly complex infrastructure to support the transmission of qubits and the preservation of entangled states. The details are beyond the scope of this paper, but it is safe to say that as implementation details become more concretely specified the number of identified practical vulnerabilities grows.

An argument can be made that as long as the theory is solid the engineering challenges will eventually be surmounted. This may be verified at some point in the indefinite future, but it is worthwhile to consider the number of practical security challenges that still exist in current web browsers, operating systems, etc., despite the recognized commercial and regulatory interests in addressing them.

The critical question is whether the investment in quantum-based infrastructure to support quantum-based secure communication protocols is analogous to a homeowner wanting to improve his security by installing a titanium front door with sophisticated intruder detection sensors but not making any changes to windows and other doors.

The natural response to the titanium door analogy is to agree that quantum-based technologies represent only one part of the overall security solution and that of course there are many other vulnerabilities which also must be addressed. However, this raises a new question: Is it possible that a complete solution can be developed that doesn't require any quantum-based components?

It may turn out that it is only feasible to guarantee practically sufficient levels of security (as opposed to unconditional) and only for specialized infrastructure and protocols tailored to specific use-cases. If the scope of a given use-case is sufficiently narrow (e.g., communications of financial information among a fixed number of banks) then the prospects for confidently establishing a desired level of security are greatly improved. In other words, relative simplicity tends to enhance trust in the properties of a system because it is difficult to be fully confident about anything that is too complicated to be fully understood.

VII. DISCUSSION
The foregoing considerations on the status of quantum-based approaches for secure communications have leaned strongly toward a sober, devil's-advocate perspective. This was intentional to firmly temper some of the overly-enthusiastic depictions found in the popular media. For example, the following is from media coverage of an announcement in May of 2017 about the launch of a quantum-based “unhackable” fiber network in China:

“The particles cannot be destroyed or duplicated. Any eavesdropper will disrupt the entanglement and alert the authorities,” a researcher at the Chinese Academy of Sciences is quoted as saying.

See the appendices for more succinct expressions of arguments considered in this paper.
Hopefully our discussion thus far clarifies the extent to which there is a factual basis for this quote and how the implicit conclusion (i.e., that the network is “unhackable”) goes somewhat beyond that basis. One conclusion that cannot be doubted is that remarkable progress has been made toward implementing practical systems based on theoretically-proposed quantum techniques. Another equally-important conclusion that can be drawn is that China is presently leading this progress.

In many respects the situation is similar to the early days of radar when it was touted as a sensing modality that could not be evaded by any aircraft or missile because it had the means “to see through clouds and darkness.” While this claimed capability was not inaccurate, that power motivated the development of increasingly sophisticated countermeasures to mask the visibility of aircraft to enemy radar, thus motivating the development of increasingly more sophisticated technologies to counter those countermeasures. The lesson from this is that every powerful technology will demand continuing research and development to meet new challenges and to support new applications.

It is likely that the real value of future quantum fiber networks will not be communication security but rather to support the needs of distributed quantum sensing applications. More specifically, quantum information from quantum-based sensors and related technologies can only be transmitted via special channels that are implemented to preserve entangled quantum states. The future is quantum, so the development of infrastructure to manage and transmit quantum information has to be among the highest of priorities.

VIII. CONCLUSION
In retrospect it seems almost ludicrous to suggest that any technology could ever offer something as unequivocally absolute as “unconditional guaranteed security,” but that doesn't mean quantum-based technologies don't represent the future state-of-the-art for maximizing network communication security. More importantly, surmounting the theoretical and practical challenges required to realize this state-of-the-art will have much more profound implications than simply supporting the privacy concerns of Alice and Bob.
APPENDIX A
DEVIL'S ADVOCATE ARGUMENTS

• “The theoretical guarantees provided by QKD are only satisfied under certain assumptions. It may be that those assumptions can't be satisfied in any practical implementation and thus QKD provides no theoretical advantages over classical alternatives.”
• “If it's possible to implement the highly-complex infrastructure needed to support QKD, and to provide physical security against MITM attacks, then it should also be possible to implement physical security against passive monitoring. If that can be achieved then there is no need for QKD.”
• “The complexity associated with QKD may make it less secure than simpler classical alternatives. Just consider the number of security challenges that still exist in current web browsers, operating systems, etc., despite the recognized commercial and regulatory interests in addressing them.”
• “Progress on the development of classical protocols (e.g., based on elliptic curve cryptography) may very well lead to rigorous guarantees about the asymmetric computational burden imposed on Eve. If so, this would provide essentially unconditional security for all practical purposes.”
• “The need for provable unconditional security may be limited to only a few relatively narrow contexts in which classical alternatives are sufficient. For example, communications of financial information among a fixed number of banks could potentially be supported using classical one-time pads that are jointly established at regular intervals.”
• “QKD assumptions on what the physical infrastructure is required to support, and on what Eve is and is not able to do, seem to evolve over time purely to conform to the limits of what the theoretical approach can accommodate. This raises further doubts about QKD's true scope of practical applicability.”
• “Implementing quantum infrastructure to support QKD is analogous to a homeowner wanting to improve security by installing a titanium front door but not making any changes to windows and other doors. In the case of Alice and Bob, for example, it's probably much easier for Eve to place malware on their computers, or place sensors at their homes, than to identify and compromise a network link somewhere between them.”

APPENDIX B
REPLIES TO THE DEVIL'S ADVOCATE:

• “If demands are set too high at the outset then no progress can ever be made to improve the status quo.”
• “Even if it is true that most security-critical applications will demand specially-tailored solutions, the availability of quantum-based tools will offer greater flexibility in producing those solutions.”
• “People can assume responsibility for their local security but have no choice but to trust the security of infrastructure outside their control.”
• “A network that supports quantum information is unquestionably more powerful than one that does not. It is impossible to foresee the many ways this power will be exploited down the road, but it is hard to imagine that enhanced security will not be included.”

REFERENCES

[1] G. Van Assche, Quantum Cryptography and Secret Key Distillation, Cambridge University Press, 2006.
[2] C. H. Bennett and G. Brassard, “Quantum Cryptography: Public key distribution and coin tossing”, in Proceedings of the IEEE International Conference on Computers, Systems, and Signal Processing, Bangalore, p. 175, 1984.
[3] Berra, Yogi (famous quote).
[4] N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, “Quantum Cryptography”, Rev. Mod. Phys. 74, 175, 2001.
[5] C. Kollmitzer and M. Pivk (eds.), Applied Quantum Cryptography, Springer, 2010.
[6] A.V. Sergienko (ed.), Quantum Communications and Cryptography, Taylor & Francis, 2006.
[7] J. Uhlmann, M. Lanzagorta, and S. Venegas-Andraca, “Quantum Communications in the Maritime Environment,”