Quantum Key Distribution (QKD) and Quantum Cryptography (QC)

Published: (May 5, 2026 at 01:38 PM EDT)

Source: Hacker News

Synopsis

NSA continues to evaluate cryptography solutions for securing data transmission in National Security Systems. NSA does not recommend the use of quantum key distribution (QKD) or quantum cryptography (QC) for protecting data in National Security Systems (NSS) unless the limitations listed below are resolved.

What are Quantum Key Distribution (QKD) and Quantum Cryptography (QC)?

Quantum key distribution uses the unique properties of quantum mechanical systems to generate and distribute cryptographic keying material with special‑purpose technology. Quantum cryptography applies the same physical principles to communicate over a dedicated link. Theory suggests that QKD/QC can detect the presence of an eavesdropper—a capability not offered by conventional cryptography.

Quantum‑resistant (post‑quantum) algorithms run on existing platforms and rely on mathematical complexity for security. These algorithms provide confidentiality, integrity, and authentication even against future quantum computers. The National Institute of Standards and Technology (NIST) is conducting a rigorous selection process for quantum‑resistant algorithms [1]. After NIST finalizes its selections, NSA will issue updated guidance through CNSSP‑15.

Understanding the QKD/QC story

Vendors and media sometimes claim that QKD/QC offers “guaranteed” security based on the laws of physics. In practice, communications needs and security requirements often conflict, and the engineering required to balance these issues tolerates very little error. Consequently, the security of QKD/QC is highly implementation‑dependent rather than inherently assured by physics. Although the discussion below refers to QKD for simplicity, similar points apply to QC.

Technical limitations

Quantum key distribution is only a partial solution

QKD generates keying material for an encryption algorithm that provides confidentiality. The same material could be used with symmetric algorithms to provide integrity and authentication only if the source of the QKD transmission is trusted. QKD itself does not authenticate the transmission source; authentication still requires asymmetric cryptography or pre‑placed keys. Moreover, quantum‑resistant cryptography can provide comparable confidentiality at lower cost and with a better‑understood risk profile.

Quantum key distribution requires special‑purpose equipment

Because QKD relies on physical properties, it demands dedicated fiber connections or free‑space transmitters. It cannot be implemented purely in software, offered as a network service, or easily integrated into existing networking gear. The hardware‑centric nature also limits flexibility for upgrades or security patches.

Quantum key distribution increases infrastructure costs and insider‑threat risks

QKD networks often need trusted relays, which add expense for secure facilities and introduce additional insider‑threat vectors. These factors eliminate many potential use cases.

Securing and validating quantum key distribution is a significant challenge

The security of a QKD system is not the theoretical “unconditional security” promised by physics, but rather the limited security achievable through specific hardware and engineering designs. Cryptographic error tolerances are many orders of magnitude tighter than typical physical engineering tolerances, making validation difficult. Hardware imperfections have led to several well‑publicized attacks on commercial QKD systems [2].

Quantum key distribution increases the risk of denial of service

The same sensitivity to eavesdropping that underpins QKD security claims also makes denial‑of‑service attacks a notable risk.
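The trade-off can be seen in a small simulation, added here as an illustration and not part of the NSA text. It assumes the textbook BB84 protocol over an otherwise ideal channel and an illustrative 11% error-rate abort threshold; the function names and parameters are hypothetical. Measuring pulses in transit raises the quantum bit error rate (QBER), the endpoints abort, and no key is delivered whether or not anything was learned about it.

```python
import random

# Illustrative abort threshold for BB84 (assumption for this sketch, not from the page).
ABORT_QBER = 0.11

def run_bb84(n_pulses, disturbed_fraction, seed):
    """Simulate BB84 sifting on an ideal channel and return the observed QBER.

    disturbed_fraction is the share of pulses that something in the path
    measures in a random basis and re-sends before the receiver sees them.
    """
    rng = random.Random(seed)
    sifted = errors = 0
    for _ in range(n_pulses):
        bit, tx_basis = rng.getrandbits(1), rng.getrandbits(1)
        state_bit, state_basis = bit, tx_basis
        if rng.random() < disturbed_fraction:
            mid_basis = rng.getrandbits(1)
            if mid_basis != state_basis:
                # Wrong-basis measurement yields a random outcome.
                state_bit = rng.getrandbits(1)
            state_basis = mid_basis  # pulse is re-prepared in the measuring basis
        rx_basis = rng.getrandbits(1)
        result = state_bit if rx_basis == state_basis else rng.getrandbits(1)
        if rx_basis == tx_basis:  # sifting keeps only matching-basis rounds
            sifted += 1
            errors += result != bit
    return errors / sifted

def link_decision(qber):
    """The endpoints cannot tell eavesdropping from other disturbance: they abort."""
    return "abort" if qber > ABORT_QBER else "distill-key"

if __name__ == "__main__":
    for fraction in (0.0, 0.6, 1.0):
        qber = run_bb84(20000, fraction, seed=1)
        print(f"disturbed={fraction:.1f} qber={qber:.3f} -> {link_decision(qber)}")
```

Availability of the link therefore depends on the physical path staying undisturbed, which is the operational risk the paragraph above describes.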

Conclusion

NSA views quantum‑resistant (post‑quantum) cryptography as a more cost‑effective and maintainable solution than quantum key distribution. For these reasons, NSA does not support the use of QKD or QC to protect communications in National Security Systems and does not anticipate certifying any QKD/QC products for NSS customers unless the above limitations are overcome.

Footnotes

  1. See the NIST post‑quantum cryptography project.

  2. Examples of attacks on commercial QKD systems:

      • Vakhitov, Makarov, and Hjelme, Large pulse attack as a method of conventional optical eavesdropping in quantum cryptography, Journal of Modern Optics 48, 2001.
      • Makarov and Hjelme, Faked states attack on quantum cryptosystems, Journal of Modern Optics, vol. 52, 2005.
      • Ferenczi, Grangier, Grosshans, Calibration Attack and Defense in Continuous Variable Quantum Key Distribution, CLEO‑IQEC, 2007.
      • Zhao, Fung, Qi, Chen, and Lo, Experimental demonstration of time‑shift attack against practical quantum key distribution systems, Physical Review A vol. 78, 2008.
      • Scarani and Kurtsiefer, The black paper of quantum cryptography: Real implementation problems, Theoretical Computer Science 560, 2014.
