ADVA adds quantum-resistant security to its optical systems
ADVA has demonstrated two encryption techniques for optical data transmission to counter the threat posed by quantum computing.
“Quantum computers are very powerful tools to solve specific classes of mathematical problems,” says Jörg-Peter Elbers, senior vice president, advanced technology at ADVA. “One of these classes of problems is solving equations behind certain cryptographic schemes.”
The use of three key exchange schemes over one infrastructure: classical public-key encryption using the Diffie-Hellman scheme, the quantum-resistant Niederreiter algorithm, and a quantum-key distribution (QKD) scheme. Source: ADVA
Public-key encryption makes use of discrete logarithms, an example of a one-way function. Such functions use mathematical operations that for a conventional computer are easy to calculate in one direction but are too challenging to invert. Solving such complex mathematical problems, however, is exactly what quantum computers excel at.
A fully-fledged quantum computer does not yet exist but the rapid progress being made in the basic technologies suggests it is only a matter of time. Once such computers exist, public key based security will be undermined.
The looming advent of quantum computers already threatens data that must remain secure for years to come. There are agencies that specialise in tapping fibre, says Elbers, while the cost of storage is such that storing huge amounts of data traffic in a data centre is affordable. “The threat scenario is certainly a real one,” says Elbers.
Demonstrations
ADVA has demonstrated two techniques, one using quantum-key distribution (QKD) and the other a quantum-resistant algorithm.
For quantum-key distribution, ADVA’s FSP 3000 platform is being used as part of the UK’s first quantum communication network that includes a metro network for Cambridge that is also linked to BT Labs in Ipswich, 120km away.
ADVA’s platform enables the exchange of keys between sites used for encoding the data traffic. In the Cambridge metro, a quantum system from Toshiba is used to encode the keys while between Cambridge and BT Labs the equipment used is from ID Quantique.
For ADVA’s second demonstration, a quantum-resistant encryption algorithm - one invulnerable to quantum computing attacks - is incorporated into its FSP-3000 platform to encrypt 100 gigabit-per-second traffic flows over long-haul distances. ADVA has shown secure transmissions over 2,800km, spanning three European national research and educational networks.
“There is never 100 percent security in one system but you can increase security using multiple independent systems,” says Elbers. “You can use your classical encryption methods in use today and add quantum-key distribution or a quantum-resistant algorithm or use all three over one infrastructure.” (See diagram, top.)
Quantum key distribution
Public key cryptography, comprising a public and a private key pair, is an example of an asymmetric key scheme. The public key, as implied by the name, is published with a recipient’s name. Any party wanting to send data securely to the user employs the published public key to scramble the data. Only the recipient, with the associated private key, can decode the sent data. The Diffie-Hellman algorithm is a widely used public key encryption scheme.
With a symmetric scheme, the same key is used at both ends to lock and unlock the data. A well-known symmetric key algorithm is the Advanced Encryption Standard. AES-256, for example, uses a 256-bit key.
Although symmetric schemes are much more efficient than asymmetric algorithms, the issue is getting the secret key to the recipient without it being compromised. The key can be sent manually with armed guards. A more practical approach is to send the key over a secure link using public key cryptography; the asymmetric key exchange scheme protects the transmission of the symmetric key used for the subsequent encryption of the payload.
Quantum computing is a potent threat because it undermines all asymmetric encryption schemes in widespread use today.
Quantum key distribution, which uses particles of light or photons, is a proposed way to secure the symmetric key’s transfer. Here, single photons are used to transmit a binary signal that is then used to generate the same secret key at both ends. Should an adversary eavesdrop with a photo-detector and steal the photon, the photon will not arrive at the other end. Should the hacker be more sophisticated and try to measure the photon before sending it on, they are stymied by the laws of physics since measuring a photon changes its parameters.
Given these physical properties of photons, the sender and receiver can jointly detect a potential eavesdropper. If the number of missing or altered photons is too high, the assumption is the link is compromised.
But with quantum key distribution, the distance a photon can travel is a few tens of kilometres only. A photon is inherently low-intensity light. For longer transmission distances, intermediate trusted sites are required to regenerate the key exchange along the way. BT uses two such trusted sites on the link between Cambridge and BT Labs.
ADVA along with Toshiba have been working on an open interface that allows secure quantum key distribution over a dense wavelength division multiplexing (DWDM) link, independent of the systems used. Having an open interface also means operators using different quantum key distribution systems can interoperate and chat, says Elbers.
One way to enable single-photon streams is to use a dedicated fibre. But to avoid the expense of a separate fibre, ADVA sends the photons over a dedicated channel alongside the data transmission channels that carry much higher intensity light.
“Ideally you want a single quantum but, in practice, you might work with a highly attenuated laser source that emits less than a single quantum on average,” says Elbers. “Everything you have on your co-propagating channels can impact the performance.” ADVA uses optical filtering to ensure the data channels don’t spill over and adversely affect the key’s transfer.
Quantum-resistant algorithms
The second approach uses maths rather than fundamental physics to make data encryption invulnerable to quantum computing. The result is what is referred to as quantum-resistant techniques.
The US National Institute of Science and Technology (NIST) is assessing candidate quantum-resistant algorithms with the goal of standardising a suite of protocols by 2024.
The maths behind these schemes is complicated but what unifies them is that none are based on the mathematical problems susceptible to known quantum computing attacks.
ADVA uses the Niederreiter key exchange algorithm, one of NIST’s candidate schemes, for its system. To ensure the highest level of security for high-speed optical transmission, a new symmetric key is sent frequently. The Niederreiter algorithm uses comparatively long key lengths but Elbers points out that with a 100-gigabit payload, the overhead of long keys is minimal. Moreover, ADVA communicates key exchange information in the Optical Transport Network’s (OTN) OTU-4 frame’s overhead field.
Customers are already showing interest in quantum security, says Elbers, and that is one of the reasons why ADVA is active in the UK’s Quantum Communications Hub initiative. “We are showing people that the technology is here, ready for deployment and can be integrated with existing systems,” says Elbers.
Organisations keen to ensure the long-term secrecy of their data need to be considering now what they should be doing to address this, he adds.
A quantum leap in fear
The advent of quantum computing poses a threat which could break open the security systems protecting the world’s financial data and transactions.
Protecting financial data has always been a cat-and-mouse game. What is different now is that the cat could be de-clawed. Quantum computing, a new form of computer processing, promises to break open the security systems that safeguard much of the world’s financial data and transactions.
Quantum computing is expected to be much more powerful than anything currently available because it does not rely on the binary digits 1 or 0 to represent data but exploits the fact that subatomic particles can exist in more than one state at once.
Experts cannot say with certainty when a fully-fledged quantum computer will exist but, once it does, public key encryption schemes in use today will be breakable. Quantum computer algorithms that can crack such schemes have already been put through their paces.
The good news is that cryptographic techniques resilient to quantum computers exist. And while such “quantum-safe” technologies still need to be constructed, security experts agree that financial institutions must prepare now for a quantum-computer world.
Ticking clock
There is a 50 percent chance that a quantum computer will exist by 2031, according to Professor Michele Mosca, co-founder of the Institute for Quantum Computing at the University of Waterloo, Canada, and of security company evolutionQ.
A one-in-two chance of a fully working quantum computer by 2031 suggests financial institutions have time to prepare, but that is not the case. Since financial companies are required to keep data confidential for many years, quantum-safe protocols need to be in place for the same length of time that confidentiality is mandated prior to quantum computing. So, for example, if data must be kept confidential for seven years, quantum-safe techniques need to be in place by 2024 at the latest. Otherwise, cyber criminals need only intercept and store RSA-encrypted data after 2024 and wait until 2031 to have a 50-50 chance of access to sensitive information.
Unsurprisingly, replacing public key infrastructure with quantum-safe technology is itself a multi-year project. First, the new systems must be tested and verified to ensure they meet existing requirements – not just that their implementation is secure but that their execution times for various applications are satisfactory. Then, all the public key infrastructure needs to be revamped – a considerable undertaking. This means that, if upgrading infrastructure takes five years, companies should be preparing if quantum computers arrive by 2031.
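The timeline reasoning above can be applied to a small inventory. This is an added example, not part of the original article: the asset names, field names and functions are constructed, 2017 is an assumed current year, and only the figures 2031, seven years and five years come from the text.

```python
from dataclasses import dataclass

# Public-key schemes named in the article as breakable by a quantum computer.
QUANTUM_VULNERABLE = {"RSA", "Diffie-Hellman"}

@dataclass
class Asset:
    name: str            # constructed label for an information asset
    key_exchange: str    # scheme that protects the data or delivers its symmetric key
    secrecy_years: int   # how long the data must remain confidential

def assess(asset, arrival_year, migration_years, this_year):
    """Return (status, safe_by, start_by) for one inventory entry."""
    if asset.key_exchange not in QUANTUM_VULNERABLE:
        return ("not exposed through key exchange", None, None)
    # Traffic recorded after safe_by is still confidential when it becomes readable.
    safe_by = arrival_year - asset.secrecy_years
    # Migration must begin this early to finish by safe_by.
    start_by = safe_by - migration_years
    if this_year > safe_by:
        status = "exposed"      # traffic recorded today outlives the arrival year
    elif this_year > start_by:
        status = "late"         # migration can no longer finish by safe_by
    else:
        status = "on track"
    return (status, safe_by, start_by)

# Constructed inventory; only the seven-year entry mirrors the article's example.
INVENTORY = [
    Asset("payment archive", "RSA", 7),
    Asset("customer records backup", "Diffie-Hellman", 15),
    Asset("loan book", "RSA", 10),
    Asset("inter-site link", "QKD", 10),
]

def triage(inventory, arrival_year=2031, migration_years=5, this_year=2017):
    """Assess every asset against one assumed quantum-computer arrival year."""
    return {a.name: assess(a, arrival_year, migration_years, this_year)
            for a in inventory}

if __name__ == "__main__":
    for name, result in triage(INVENTORY).items():
        print(name, result)
```

The seven-year entry reproduces the article's 2024 deadline and, with a five-year migration, a 2019 start date.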
Professor Renato Renner, the head of the quantum information theory research group at ETH Zurich, the Swiss science and technology university, sees the potential for even more immediate risk. “Having a full-blown quantum computer is not necessarily what you need to break cryptosystems,” he says. In his view, financial companies should be worried that there are already early examples of quantum computers that are stronger than current computers. “It could well be that in five years we have already sufficiently powerful devices that can break RSA cryptosystems,” says Renner.
Quantum-safe approaches
Quantum-safe technologies comprise two approaches, one based on maths and another that exploits the laws of physics.
The maths approach delivers new public key algorithms that are designed to be invulnerable to quantum computing, known as post-quantum or quantum-resistant techniques.
The US National Institute of Science and Technology is taking submissions for post-quantum algorithms with the goal of standardising a suite of protocols by the early to mid-2020s. These include lattice-based, coding-based, isogenies-based and hash-function-based schemes. The maths behind these schemes is complex but the key is that none of them is based on the multiplication of prime numbers, and hence none is susceptible to factoring, which is what quantum computers excel at.
Nigel Smart, co-founder of Dyadic Security, a software-defined cryptography company, points out that companies are already experimenting with post-quantum lattice schemes. Earlier this year, Google used it in experimental versions of its Chrome browser when talking to its sites. “My betting is that lattice-based systems will win,” says Smart.
The other quantum-safe approach exploits the physics of the very small – quantum mechanics – to secure links so that an eavesdropper on the link cannot steal data. Here particles of light – photons – are used to send the key used to encrypt data (see Cryptosystems – two ways to secure data below) where each photon carries a digital bit of the key.
Should an adversary eavesdrop with a photodetector and steal the photon, the photon will not arrive at the other end. Should the hacker be more sophisticated and try to measure the photon before sending it on, here they come up against the laws of physics where measuring a photon changes its parameters.
Given these physical properties of photons, the sender and receiver typically reserve at random a number of the key’s photons to detect a potential eavesdropper. If the receiver detects an altered photon, the change suggests the link is compromised.
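The eavesdropper check described here, and in the quantum key distribution section of the ADVA article above, can be simulated. This is an added example, not code from ADVA, Toshiba or ID Quantique: it assumes the BB84 protocol, which the article does not name, models only the measure-and-resend case on a noiseless link, and uses function names and a threshold chosen for illustration.

```python
import random

def bb84_exchange(n_photons, eavesdropper, check_fraction=0.5, seed=7):
    """Simulate one key exchange; return (error_rate, sender_key, receiver_key)."""
    rng = random.Random(seed)
    sent, received = [], []
    for _ in range(n_photons):
        bit, send_basis = rng.getrandbits(1), rng.getrandbits(1)
        photon_bit, photon_basis = bit, send_basis
        if eavesdropper:
            # Measure-and-resend: a wrong basis guess yields a random result,
            # and the photon travels on prepared in the eavesdropper's basis.
            tap_basis = rng.getrandbits(1)
            if tap_basis != photon_basis:
                photon_bit = rng.getrandbits(1)
            photon_basis = tap_basis
        recv_basis = rng.getrandbits(1)
        if recv_basis == photon_basis:
            measured = photon_bit
        else:
            measured = rng.getrandbits(1)
        # Sifting: bases are compared in public, mismatched positions dropped.
        if recv_basis == send_basis:
            sent.append(bit)
            received.append(measured)
    # Reserve a random subset of the sifted bits and compare them in public.
    positions = list(range(len(sent)))
    rng.shuffle(positions)
    n_check = int(len(positions) * check_fraction)
    checked, kept = positions[:n_check], sorted(positions[n_check:])
    errors = sum(sent[i] != received[i] for i in checked)
    error_rate = errors / n_check if n_check else 0.0
    return error_rate, [sent[i] for i in kept], [received[i] for i in kept]

def link_compromised(error_rate, threshold=0.11):
    """Threshold is a value chosen for this example, not taken from the article."""
    return error_rate > threshold

if __name__ == "__main__":
    for tapped in (False, True):
        rate, key_a, key_b = bb84_exchange(4000, eavesdropper=tapped)
        print(f"tapped={tapped} error_rate={rate:.3f} "
              f"keys_match={key_a == key_b} discard={link_compromised(rate)}")
```

On the untapped link the reserved bits agree exactly and both ends hold the same key; with the tap in place roughly a quarter of the reserved bits disagree, so the key is discarded.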
But quantum key distribution only solves a particular class of problem – for example, protecting data sent across links such as a bank sending information to a data centre for back-up. Moreover, the distance a single photon can travel is a few tens of kilometres. If longer links are needed, intermediate trusted sites are required to regenerate the key, which is expensive and cumbersome.
The technique is also dependent on light and so is not as widely applicable as quantum-resistant techniques. “People are more interested in post-quantum cryptography,” claims Smart.
What now?
BT, working with Toshiba and ADVA Optical Networking, the optical transport equipment maker, has demonstrated a quantum-protected link operating at 100 gigabits-per-second.
“What is missing still is a little bit more industrialisation,” says Andrew Lord, head of optical communications at BT. “Quantum physics is pretty sound but we still need to check that the way this is implemented, there are no ways of breaching it.”
ID Quantique, the Swiss quantum-safe crypto technology company, supplied one early-adopter bank with its quantum key distribution system as far back as 2007. The bank uses a symmetric key scheme coupled with a quantum key.
“You can think of it as adding an additional layer of quantum security on top of everything you already have,” says Kelly Richdale, ID Quantique’s vice-president of quantum-safe security.
“Quantum key distribution has provable security. You know it will be safe against a quantum computer if implemented correctly,” she says. “With post-quantum algorithms, it is a race against time, since in the future there may be new quantum attacks that could render them as vulnerable as RSA.”
Andersen Cheng, chief executive of start-up PQ Solutions, a security company with products including secure communication using post-quantum technology, argues that both quantum-resistant and quantum key distribution will be needed. “You can use both but quantum key distribution on its own is not enough and it is expensive,” he says.
What next?
Mosca says that leading financial services companies are aware of the threat posed by quantum computing but their strategies vary: some point to more pressing priorities while others want to know what they can buy now to solve the problem.
He disagrees with both extreme approaches. Financial companies should, in his view, already be assessing the vulnerabilities of their systems. “Most organisations do not have a detailed map of where all their information assets are and which business functions rely on which crypto algorithms,” he says.
Companies should also plan for their systems to change a lot over the next decade. That is why it is premature to settle on a solution now since it will probably need upgrading. And they must test quantum-resistant algorithms. “We don’t have a winner yet,” says Mosca.
Most importantly, financial institutions cannot afford to delay. “Do you really want to be in the catch-up game and hope someone else will solve the problem for you?” asks Mosca.
The article first appeared in the June-July issue of the Financial World, the journal of The London Institute of Banking & Finance, published six times per year in association with the Centre for The Study of Financial Innovation (CSFI).
Cryptosystems – two ways to secure data
To secure data, special digital “keys” are used to scramble the information. Two encryption schemes are used – based on asymmetric and symmetric keys.
Public key cryptography that uses a public and private key pair is an example of an asymmetric scheme. The public key, as implied by the name, is published with the user’s name. Any party wanting to send data securely to the user employs the published public key to scramble the data. Only the recipient, with the associated private key, can decode the sent data. The RSA algorithm is a widely used example. (RSA stands for the initials of the developers: Ron Rivest, Adi Shamir and Leonard Adleman.) A benefit of public key cryptography is that it can be used as a digital signature scheme as well as for protecting data. The downside is that it requires a lot of processing power and is slow even then.
Symmetric schemes, in contrast, are much less demanding to run and use the same key at both link ends to lock and unlock the data. A well-known symmetric key algorithm is the Advanced Encryption Standard, which uses keys up to 256-bits long (AES-256); the more bits, the more secure the encryption.
The issue with the symmetrical scheme is getting the secret key to the recipient without it being compromised. One way is to send a security guard handcuffed to a locked case. A more digital-age approach is to send the secret key over a secure link. Here, public key cryptography can be used; the asymmetric key scheme can be employed to protect the symmetric key transmission prior to secure symmetric communication.
Quantum computing is a potent threat because it undermines both schemes when existing public key cryptography is involved.
