Implementation Security of Quantum Cryptography - Introduction, challenges, solutions | ETSI White Paper No. 27 / Lucamarini, Marco; Shields, Andrew; Alléaume, Romain; Chunnilall, Christopher; Degiovanni, IVO PIETRO; Gramegna, Marco; Hasekioglu, Atilla; Huttner, Bruno; Kumar, Rupesh; Lord, Andrew; Lütkenhaus, Norbert; Makarov, Vadim; Martin, Vicente; Mink, Alan; Peev, Momtchil; Sasaki, Masahide; Sinclair, Alastair; Spiller, Tim; Ward, Martin; White, Catherine; Yuan, Zhiliang. - 27:(2018), pp. 1-28.

Implementation Security of Quantum Cryptography - Introduction, challenges, solutions | ETSI White Paper No. 27

Ivo Pietro Degiovanni; Marco Gramegna
2018

Abstract

Quantum cryptography provides an ensemble of protocols, such as quantum key distribution [1-3], quantum random number generation [4], closed group digital signatures [5], long-term secure data storage [6] and multi-party secure computation [7], which are robust against future algorithmic and computational advances, including the emergence of quantum computers. This is because its security is information-theoretic, i.e., it can be proven based only on models of the local devices operated by legitimate users and does not require any assumptions on the resources available to an adversary [8-12]. Information-theoretic security will be important for data confidentiality in the future when we expect more powerful computers and new algorithms to be at the fingertips of our digital foes. Of particular concern is the advent of quantum computers that can be used to launch efficient attacks on conventional techniques, such as the widely used forms of public key cryptography. Well before more powerful conventional and quantum computers become available, quantum cryptography will be important to protect against a generic vulnerability inherent to current cryptographic techniques based on computational complexity: encrypted data can be stored today and decrypted in the future, when suitable technology becomes available. This leads to the possibility of retrospectively breaking encryption keys established with computational techniques, such as the Diffie-Hellman key exchange algorithm. This becomes a serious threat if data confidentiality must be maintained for several years, especially as it is now feasible to store large volumes of information. Although the quantum cryptographic protocols are information-theoretically secure, real systems may still possess side channels, i.e. security vulnerabilities, if their implementation deviates significantly from the idealised models used in the security analysis [12-15].
This is a common threat to any cryptosystem, irrespective of whether it is based on quantum theory [16-23] or computational complexity [24-28]. For example, timing attacks can threaten implementations of both quantum [16] and non-quantum [24] systems. Therefore, the security analysis of a cryptosystem’s implementation, for simplicity called “implementation security”, is a natural and important development in the evolution of all cryptographic technologies, including quantum cryptography. Since the security of quantum cryptography depends only on the legitimate users’ local equipment, the fundamental task in quantum cryptography implementation security is to estimate how much information such equipment leaks to a potential adversary. When this information leakage can be bounded below a certain value, security can be restored [29, 30] using a technique called privacy amplification [31, 32, 33]. This compresses a partially secret bit sequence into a highly secure key, with the amount of compression depending upon the estimated information leakage. Thus, by adequately characterising a real system, it is possible to restore the security promise of the theoretical protocol against technology available at the time that the secret key is being created. It is a specific feature of quantum cryptography that this security statement does not change with future technological advances. Privacy amplification is not the only resource available to enforce the implementation security of quantum cryptography. Modifications to hardware and protocols can dramatically reduce the information leakage and the potential occurrence of side channels and active attacks [34-38]. Moreover, quantum correlations can be used to test the hardware of a real system [39, 40]. Such tests can be quite demanding to implement but have the advantage of immunity against a large class of implementation issues.
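The paragraph above describes privacy amplification only in words: a partially secret bit string is compressed into a shorter key, and the amount of compression is set by the estimated leakage. The following added example (not code from the ETSI white paper or from any of its authors) shows the standard way this is done in practice, a Toeplitz-matrix universal hash over GF(2). The key-length rule in `output_length` is an assumed, simplified leftover-hash-lemma-style bound (raw length minus leakage minus a security margin of 2·log2(1/ε)); a real QKD system would take its final-key length from the finite-key formula of its own security proof, and the leakage estimate must be a conservative upper bound from device characterisation, since underestimating it silently weakens the key.

```python
"""Privacy amplification by Toeplitz universal hashing (added example).

Not code from the ETSI white paper. The key-length rule is an assumed,
illustrative leftover-hash-lemma-style bound, not any protocol's finite-key
formula.
"""
import math
import secrets
from typing import List, Optional, Tuple

Bits = List[int]


def output_length(n: int, leaked_bits: int, epsilon: float) -> int:
    """Final key length after compression (assumed rule: n - leak - 2*log2(1/eps)).

    n            raw key length in bits
    leaked_bits  conservative upper bound on the adversary's information
    epsilon      target distance of the final key from uniform and independent
    Returns 0 when the leakage estimate leaves nothing secure (abort the round).
    """
    if not 0 < epsilon < 1:
        raise ValueError("epsilon must lie in (0, 1)")
    margin = math.ceil(2 * math.log2(1 / epsilon))
    return max(n - leaked_bits - margin, 0)


def toeplitz_hash(key_bits: Bits, seed_bits: Bits, m: int) -> Bits:
    """Multiply key_bits (length n) by an m x n Toeplitz matrix over GF(2).

    The matrix is fixed by seed_bits of length n + m - 1 via
    T[i][j] = seed_bits[i - j + n - 1]; each row is the previous one shifted
    right by one, so the whole family of matrices is a universal hash family.
    """
    n = len(key_bits)
    if len(seed_bits) != n + m - 1:
        raise ValueError("seed must have exactly n + m - 1 bits")
    out: Bits = []
    for i in range(m):
        acc = 0
        for j in range(n):
            if key_bits[j] and seed_bits[i - j + n - 1]:
                acc ^= 1  # inner product modulo 2
        out.append(acc)
    return out


def privacy_amplify(raw_key: Bits, leaked_bits: int, epsilon: float,
                    seed: Optional[Bits] = None) -> Tuple[Bits, Bits]:
    """Compress raw_key into a final key; returns (final_key, seed).

    The seed is public (both parties need the same matrix) but must be fresh
    and uniformly random for every run; here it comes from the OS CSPRNG
    unless the caller supplies one.
    """
    n = len(raw_key)
    m = output_length(n, leaked_bits, epsilon)
    if m == 0:
        return [], []  # nothing secure can be extracted from this round
    if seed is None:
        seed = [secrets.randbelow(2) for _ in range(n + m - 1)]
    return toeplitz_hash(raw_key, seed, m), seed


def xor_bits(a: Bits, b: Bits) -> Bits:
    """Bitwise XOR of two equal-length bit lists."""
    return [x ^ y for x, y in zip(a, b)]


if __name__ == "__main__":
    # Constructed input: a 1024-bit raw key with an assumed 200-bit leakage bound.
    raw = [secrets.randbelow(2) for _ in range(1024)]
    final, seed = privacy_amplify(raw, leaked_bits=200, epsilon=2 ** -20)
    print(f"raw {len(raw)} bits -> final {len(final)} bits, seed {len(seed)} bits")
```

Because the hash is linear over GF(2), `toeplitz_hash(xor_bits(a, b), seed, m)` equals the XOR of the two individual hashes for the same seed; this is a convenient self-check for an implementation, and it is also why the seed must never be reused across rounds with related raw keys.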
The importance of analysing the implementation security of quantum cryptography is widely recognised and is a very active area of research. National metrology institutes, government organisations, universities and private companies fully acknowledge the importance of this subject and are supporting its effective development. ETSI has established an Industry Specification Group (ISG) to coordinate these efforts and to set forward-looking standards in quantum cryptography implementation security [41]. These will guide security evaluation by qualified third parties, as part of a security certification of quantum cryptographic products.
Files in this product:
File  Size  Format
etsi_wp27_qkd_imp_sec_FINAL(2).pdf

open access

Description: © ETSI 2018. All rights reserved.
Type: Publisher's version
Licence: Public - All rights reserved
Size: 1.26 MB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11696/59931