How to Quantum-Secure Optical Networks

1. Helmut Griesser, ADVA Optical Networking SE France-IX General Meeting 2016, Paris How to Quantum-Secure Optical Networks

2. © 2016 ADVA Optical Networking. All rights reserved. Confidential.22 Communication Security in Daily Life • Cryptographic functions are essential for many everyday activities • Confidentiality, integrity, authenticity • Tapping fiber is easier than it might seem • Protection is also required for data on fiber

3. © 2016 ADVA Optical Networking. All rights reserved. Confidential.33 Confidentiality: Symmetric Cryptography Public key cryptography enables secure communication to be initiated over insecure channels Symmetric cypher Symmetric cypher Public (insecure) channel Key generator Secure channel Secret key K Message M Message M Alice Bob Secret key K Cyphertext C Problem: No secure channel, key exchange over a public channel

4. © 2016 ADVA Optical Networking. All rights reserved. Confidential.44 Public Key Cryptography • For RSA two large prime factors are used to derive the secret key • Security is based on the diffculty of calculating the private key from the public one without the knowledge of the factors • The hard problem is to factorize the large integer number into its prime factors ©Wikipedia

7. © 2016 ADVA Optical Networking. All rights reserved. Confidential.77 • The Quantum Threat – Is It Real? • Protect Against Quantum Computing With Quantum Key Distribution • The Big Picture: Quantum Safe Cryptography • What Is the Most Secure Option? Outline

9. © 2016 ADVA Optical Networking. All rights reserved. Confidential.99 Public-Key Cryptography at Stake All widely used public-key systems rely on three algebraic problems: • integer factoring (RSA): n = p·q, with p and q large prime numbers • discrete logarithm (Diffie-Hellman, DSA): A = ga mod p, with p prime and g primitive root (mod p) • elliptic curve discrete logarithm (ECC, ECDSA): Q = k·P, with P an elliptic curve over a finite field Shor’s Algorithm can solve these problems on a large quantum computer

10. © 2016 ADVA Optical Networking. All rights reserved. Confidential.1010 Photo:IBM The Quantum Computer So far scientists can stabilize only 4-10 qubits, a number far too low to factor arbitrary, long semiprimes. But: Quantum error correction leads to threshold effect that allows scaling.

11. © 2016 ADVA Optical Networking. All rights reserved. Confidential.1111 How Soon Do We Need to Worry? time to build large quantum computer time to update infrastructure encryption needs to be secure secrets can be revealed time ‘Harvesting’ attack: not everybody can do that, but … The ETSI Quantum-Safe Whitepaper 2014, ISBN 979-10-92620-03-0 Attack scenario: • Store encrypted data now • Decrypt later when quantum computers are available

14. © 2016 ADVA Optical Networking. All rights reserved. Confidential.1414 Quantum Properties • qubit is a 2-dimensional quantum state (Hilbert space) • Orthogonal states or • But is linear dependent from and vice versa • The observation of a qubits defined over basis does not allow to detect it with basis : • For transmission qubits are best implemented by single photons Credit: Sebastian Kleis, HSU Hamburg

15. © 2016 ADVA Optical Networking. All rights reserved. Confidential.1515 Quantum Key Distribution (BB84) Image reprinted from article: W. Tittel, G. Ribordy & N. Gisin, “Quantum cryptography,” Physics World, March 1998 Devil Eve is from Vadim Makarov Sifting

16. © 2016 ADVA Optical Networking. All rights reserved. Confidential.1616 Key Extraction Process • In a real system there are transmission errors that have to be corrected via an unsecure channel • These errors can‘t be distinguished from eavesdropping -> reach limitation • Privacy amplification (key compression) takes care of the information leakage during error correction Credit: Eleni Diamanit, PhD Thesis Quantum Transmission Sifting Error Correction Privacy Amplification Theory raw key sifted key error free key secure key Security requirements Characteristics of the source Error rate estimation Leakage during correction

17. © 2016 ADVA Optical Networking. All rights reserved. Confidential.1717 Estimation of Key Rate for BB84 System parameters • Fiber att. 0.2dB/km + 1dB@Rx • System BER = 0.01 • quantum efficiency 10% • count rate 104 counts/s • Measurement window 1ns • Repetition rate 10MHz Credit:EleniDiamanit,PhDThesis 1. Laser photon source (Poisson distribution) 2. Decoy state sequence for bounding transmission performance 3. Ideal single photon source Poisson

18. © 2016 ADVA Optical Networking. All rights reserved. Confidential.1818 QKD in a Commercial Network Choi, I. et al., “Field trial of a quantum secured 10 Gb/s DWDM transmission system over a single installed fiber,” Opt. Express, The Optical Society, 2014, 22, 23121 AES encrypted 10G Data 10G Tx/Rx Real-Time Quantum Keys 10G Client Data Key exchange QKD Tx AES En/Decryption AES En/Decryption QKD Rx Counter mode Counter mode 10G Tx/Rx 10G Client Data Real-Time Quantum Keys QKD Tx

19. © 2016 ADVA Optical Networking. All rights reserved. Confidential.1919 How to Build Long-Haul QKD Links ReferencefromMark. Trusted node repeater Also works with satellites Alice Bob + + K1 K2 K2K1 K1 K1 K2 K2 = K1 K1 K2+ + + Trusted node QKD1 QKD2

20. © 2016 ADVA Optical Networking. All rights reserved. Confidential.2020 Quantum Key Distribution: Pros & Cons • QKD provides ultimate security for the key distribution problem Does not rely on the hardness of certain computational problems • But QKD also has disadvantages: Decreasing key rates with distance requiring trusted node repeaters for long haul Physical layer technique Relatively high complexity, still bulky Cannot easily replace current protocols • … and key distribution is only one of several security primitives

22. © 2016 ADVA Optical Networking. All rights reserved. Confidential.2222 Computational security AES Diffie-Hellman RSA ECC Information theoretic security One-Time Pad Classification of Cryptographic Algorithms Quantum-safe cryptography Post- Quantum Cryptography Physical Layer SecurityNetwork Coding QKD Jouguet et al., “Experimental demonstration of long-distance continuous- variable quantum key distribution”, Nature Photonics 7, 378–381 (2013) Vahid Forutan, “Information-theoretic security through network coding” NTRU, McEliece, Rainbow, BLISS “New Hope“

23. © 2016 ADVA Optical Networking. All rights reserved. Confidential.2323 Quantum Safe Cryptography • Lattice-based cryptography • Encryption (R-LWE, NTRU), Signatures (“BLISS”), and Key Exchange (“New Hope”) • Code-based cryptography • Encryption (McEliece, McBits, QC-MDPC) • Multivariate polynomial cryptography • Signatures (UOV, Rainbow, HFEv-) • Hash-based signatures • Signatures (XMSS, SPHINCS) The ETSI Quantum-Safe Whitepaper 2014, ISBN 979-10-92620-03-0

24. © 2016 ADVA Optical Networking. All rights reserved. Confidential.2424 ‘Post-quantum’ cryptography Security relies on the hardness of certain computational problems Vulnerable to advances in cryptoanalysis and computing power No security proof Quantum cryptography Security is based on some quantum property Typically no computational assumptions and therefore secure against quantum attacks Conceptual security guaranteed by quantum physics Quantum Safe Cryptography Comparison What option delivers better security in practice? CSAQuantum-SaveSecurityWorkingGroup

25. © 2016 ADVA Optical Networking. All rights reserved. Confidential.2525 Three Serious Encryption Problems in 2014 • Heartbleed (OpenSSL software implementation error) • POODLE (Sloppy implementation of security protocols) • Goto fail error (Error in Apples TLS/SSL implementation) Mostly implementation is the problem, not the algorithm

27. © 2016 ADVA Optical Networking. All rights reserved. Confidential.2727 But: No Need to Decide, Just Combine AES-256 AES-256 Public channel Secret key K Message M Message M Alice Bob Secret key K Cyphertext C + + Diffie- Hellman Diffie- Hellman QKD QKD BB84 Public key Combined key is at least as random as both component keys individually XORXOR

28. © 2016 ADVA Optical Networking. All rights reserved. Confidential.2828 • Quantum computers threaten current key exchange algorithms • QKD offers the promise of absolute security • Quantum safe public key protocols are an alternative • No need to decide against or in favour of any specific key exchange • Classic public key exchange can run in parallel with QSA • QKD can be an additional key exchange mechanism • All keys can be combined by bitwise XOR operation Take-Aways Lesson from vulnerability of public key algorithm to Shor: Better security might be achieved by combining fundamentally diverse mechanisms for key exchange …

30. Thank You IMPORTANT NOTICE The content of this presentation is strictly confidential. ADVA Optical Networking is the exclusive owner or licensee of the content, material, and information in this presentation. Any reproduction, publication or reprint, in whole or in part, is strictly prohibited. The information in this presentation may not be accurate, complete or up to date, and is provided without warranties or representations of any kind, either express or implied. ADVA Optical Networking shall not be responsible for and disclaims any liability for any loss or damages, including without limitation, direct, indirect, incidental, consequential and special damages, alleged to have been caused by or in connection with using and/or relying on the information contained in this presentation. Copyright © for the entire content of this presentation: ADVA Optical Networking. info@advaoptical.com

31. © 2016 ADVA Optical Networking. All rights reserved. Confidential.3131 Security Is Only as Strong as Its Weakest Link © xkdc Bruce Schneier on QKD: It's like defending yourself against an approaching attacker by putting a huge stake in the ground. It's useless to argue about whether the stake should be 50 feet tall or 100 feet tall, because either way, the attacker is going to go around it.