Helmut Griesser from ADVA Optical Networking discusses quantum-safe cryptography and quantum key distribution. He explains that quantum computers pose a threat to current public key encryption algorithms. Quantum key distribution provides absolute security by using quantum properties, but has limitations such as decreasing key rates with distance. Post-quantum or quantum-safe cryptography relies on unproven computational assumptions rather than physical properties. The best approach may be to combine diverse key exchange mechanisms like post-quantum, quantum key distribution, and classic public key encryption to strengthen security.

1. Helmut Griesser, ADVA Optical Networking SE
France-IX General Meeting 2016, Paris
How to Quantum-Secure
Optical Networks

2. © 2016 ADVA Optical Networking. All rights reserved. Confidential.22
Communication Security in Daily Life
• Cryptographic functions are essential for
many everyday activities
• Confidentiality, integrity, authenticity
• Tapping fiber is easier than it might seem
• Protection is also required for data on fiber

3. © 2016 ADVA Optical Networking. All rights reserved. Confidential.33
Confidentiality: Symmetric Cryptography
Public key cryptography enables secure communication
to be initiated over insecure channels
Symmetric
cypher
Symmetric
cypher
Public (insecure) channel
Key
generator
Secure channel
Secret key K
Message M Message M
Alice Bob
Secret key K
Cyphertext C
Problem: No secure channel, key exchange over a public channel

4. © 2016 ADVA Optical Networking. All rights reserved. Confidential.44
Public Key Cryptography
• For RSA two large prime factors are used to derive the secret key
• Security is based on the diffculty of calculating the private key from
the public one without the knowledge of the factors
• The hard problem is to factorize the large integer number into its
prime factors
©Wikipedia

5. © 2016 ADVA Optical Networking. All rights reserved. Confidential.55

6. © 2016 ADVA Optical Networking. All rights reserved. Confidential.66
Quantum Research

7. © 2016 ADVA Optical Networking. All rights reserved. Confidential.77
• The Quantum Threat – Is It Real?
• Protect Against Quantum Computing With Quantum Key Distribution
• The Big Picture: Quantum Safe Cryptography
• What Is the Most Secure Option?
Outline

8. © 2016 ADVA Optical Networking. All rights reserved. Confidential.88
The Quantum Threat – Is It Real?

9. © 2016 ADVA Optical Networking. All rights reserved. Confidential.99
Public-Key Cryptography at Stake
All widely used public-key systems rely on three algebraic problems:
• integer factoring (RSA):
n = p·q, with p and q large prime numbers
• discrete logarithm (Diffie-Hellman, DSA):
A = ga mod p, with p prime and g primitive root (mod p)
• elliptic curve discrete logarithm (ECC, ECDSA):
Q = k·P, with P an elliptic curve over a finite field
Shor’s Algorithm can solve these problems on a large quantum computer

10. © 2016 ADVA Optical Networking. All rights reserved. Confidential.1010
Photo:IBM
The Quantum Computer
So far scientists can stabilize only 4-10 qubits, a number far too low to
factor arbitrary, long semiprimes.
But: Quantum error correction leads to threshold effect that allows scaling.

11. © 2016 ADVA Optical Networking. All rights reserved. Confidential.1111
How Soon Do We Need to Worry?
time to build large quantum computer
time to update infrastructure encryption needs to be secure
secrets can be revealed
time
‘Harvesting’ attack: not everybody can do that, but …
The ETSI Quantum-Safe Whitepaper 2014, ISBN 979-10-92620-03-0
Attack scenario:
• Store encrypted data now
• Decrypt later when quantum computers are available

12. © 2016 ADVA Optical Networking. All rights reserved. Confidential.1212
NSA Data Center in Bluffdale / Utah

13. © 2016 ADVA Optical Networking. All rights reserved. Confidential.1313
Protect Against Quantum Computing With
Quantum Key Distribution?

14. © 2016 ADVA Optical Networking. All rights reserved. Confidential.1414
Quantum Properties
• qubit is a 2-dimensional quantum state (Hilbert space)
• Orthogonal states or
• But is linear dependent from and vice versa
• The observation of a qubits defined over basis does not
allow to detect it with basis :
• For transmission qubits are best implemented by single photons
Credit: Sebastian Kleis, HSU Hamburg

15. © 2016 ADVA Optical Networking. All rights reserved. Confidential.1515
Quantum Key Distribution (BB84)
Image reprinted from article: W. Tittel, G. Ribordy & N. Gisin, “Quantum cryptography,” Physics World, March 1998
Devil Eve is from Vadim Makarov
Sifting

16. © 2016 ADVA Optical Networking. All rights reserved. Confidential.1616
Key Extraction Process
• In a real system there are transmission errors that
have to be corrected via an unsecure channel
• These errors can‘t be distinguished from
eavesdropping -> reach limitation
• Privacy amplification (key compression) takes care
of the information leakage during error correction
Credit: Eleni Diamanit, PhD Thesis
Quantum
Transmission
Sifting
Error
Correction
Privacy
Amplification
Theory
raw key
sifted key
error free key
secure key
Security
requirements
Characteristics
of the source
Error rate estimation
Leakage during correction

17. © 2016 ADVA Optical Networking. All rights reserved. Confidential.1717
Estimation of Key Rate for BB84
System parameters
• Fiber att. 0.2dB/km + 1dB@Rx
• System BER = 0.01
• quantum efficiency 10%
• count rate 104
counts/s
• Measurement window 1ns
• Repetition rate 10MHz
Credit:EleniDiamanit,PhDThesis
1. Laser photon source (Poisson distribution)
2. Decoy state sequence for bounding transmission performance
3. Ideal single photon source
Poisson

18. © 2016 ADVA Optical Networking. All rights reserved. Confidential.1818
QKD in a Commercial Network
Choi, I. et al., “Field trial of a quantum
secured 10 Gb/s DWDM transmission system
over a single installed fiber,” Opt. Express,
The Optical Society, 2014, 22, 23121
AES
encrypted
10G Data
10G
Tx/Rx
Real-Time
Quantum Keys
10G Client
Data
Key exchange
QKD Tx
AES
En/Decryption
AES
En/Decryption
QKD Rx
Counter mode Counter mode
10G
Tx/Rx
10G Client
Data
Real-Time
Quantum Keys
QKD Tx

19. © 2016 ADVA Optical Networking. All rights reserved. Confidential.1919
How to Build Long-Haul QKD Links
ReferencefromMark.
Trusted node repeater
Also works with satellites
Alice Bob
+
+
K1 K2 K2K1
K1 K1 K2 K2 = K1
K1 K2+
+ +
Trusted node
QKD1 QKD2

20. © 2016 ADVA Optical Networking. All rights reserved. Confidential.2020
Quantum Key Distribution: Pros & Cons
• QKD provides ultimate security for the key distribution problem
Does not rely on the hardness of certain computational problems
• But QKD also has disadvantages:
Decreasing key rates with distance
requiring trusted node repeaters for long haul
Physical layer technique
Relatively high complexity, still bulky
Cannot easily replace current protocols
• … and key distribution is only one of several security primitives

21. © 2016 ADVA Optical Networking. All rights reserved. Confidential.2121
The Big Picture:
Quantum Save Cryptography

22. © 2016 ADVA Optical Networking. All rights reserved. Confidential.2222
Computational
security
AES
Diffie-Hellman
RSA
ECC
Information theoretic
security
One-Time Pad
Classification of Cryptographic Algorithms
Quantum-safe
cryptography
Post-
Quantum
Cryptography
Physical
Layer
SecurityNetwork
Coding
QKD
Jouguet et al., “Experimental demonstration of long-distance continuous-
variable quantum key distribution”, Nature Photonics 7, 378–381 (2013)
Vahid Forutan, “Information-theoretic security through network coding”
NTRU, McEliece,
Rainbow, BLISS
“New Hope“

23. © 2016 ADVA Optical Networking. All rights reserved. Confidential.2323
Quantum Safe Cryptography
• Lattice-based cryptography
• Encryption (R-LWE, NTRU), Signatures (“BLISS”), and Key Exchange (“New Hope”)
• Code-based cryptography
• Encryption (McEliece, McBits, QC-MDPC)
• Multivariate polynomial cryptography
• Signatures (UOV, Rainbow, HFEv-)
• Hash-based signatures
• Signatures (XMSS, SPHINCS)
The ETSI Quantum-Safe Whitepaper 2014, ISBN 979-10-92620-03-0

24. © 2016 ADVA Optical Networking. All rights reserved. Confidential.2424
‘Post-quantum’ cryptography
Security relies on the hardness of
certain computational problems
Vulnerable to advances in
cryptoanalysis and computing
power
No security proof
Quantum cryptography
Security is based on some
quantum property
Typically no computational
assumptions and therefore
secure against quantum attacks
Conceptual security guaranteed
by quantum physics
Quantum Safe Cryptography Comparison
What option delivers better security in practice?
CSAQuantum-SaveSecurityWorkingGroup

25. © 2016 ADVA Optical Networking. All rights reserved. Confidential.2525
Three Serious Encryption Problems in 2014
• Heartbleed (OpenSSL software implementation error)
• POODLE (Sloppy implementation of security protocols)
• Goto fail error (Error in Apples TLS/SSL implementation)
Mostly implementation is the problem, not the algorithm

26. © 2016 ADVA Optical Networking. All rights reserved. Confidential.2626
Successful Attacks on QKD Implementations
Credits:VadimMakarov,Univ.ofWaterloo

27. © 2016 ADVA Optical Networking. All rights reserved. Confidential.2727
But: No Need to Decide, Just Combine
AES-256 AES-256
Public channel
Secret key K
Message M Message M
Alice Bob
Secret key K
Cyphertext C
+ +
Diffie-
Hellman
Diffie-
Hellman
QKD QKD
BB84
Public key
Combined key is at least as random as both component keys individually
XORXOR

28. © 2016 ADVA Optical Networking. All rights reserved. Confidential.2828
• Quantum computers threaten current key exchange algorithms
• QKD offers the promise of absolute security
• Quantum safe public key protocols are an alternative
• No need to decide against or in favour of any specific key exchange
• Classic public key exchange can run in parallel with QSA
• QKD can be an additional key exchange mechanism
• All keys can be combined by bitwise XOR operation
Take-Aways
Lesson from vulnerability of public key algorithm to Shor:
Better security might be achieved by combining
fundamentally diverse mechanisms for key exchange …

29. © 2016 ADVA Optical Networking. All rights reserved. Confidential.2929
… But Take Care to Do It the Right Way!
©xkdc
Acknowledgements
Sebastian Kleis
Joo Yeon Cho
Michael Eiselt

30. Thank You
IMPORTANT NOTICE
The content of this presentation is strictly confidential. ADVA Optical Networking is the exclusive owner or licensee of the content, material, and information in this
presentation. Any reproduction, publication or reprint, in whole or in part, is strictly prohibited.
The information in this presentation may not be accurate, complete or up to date, and is provided without warranties or representations of any kind, either express or
implied. ADVA Optical Networking shall not be responsible for and disclaims any liability for any loss or damages, including without limitation, direct, indirect, incidental,
consequential and special damages,
alleged to have been caused by or in connection with using and/or relying on the information contained in this presentation.
Copyright © for the entire content of this presentation: ADVA Optical Networking.
info@advaoptical.com

31. © 2016 ADVA Optical Networking. All rights reserved. Confidential.3131
Security Is Only as Strong
as Its Weakest Link
© xkdc
Bruce Schneier on QKD:
It's like defending yourself against
an approaching attacker by putting a
huge stake in the ground.
It's useless to argue about whether
the stake should be 50 feet tall or
100 feet tall, because either way,
the attacker is going to go around it.