Helmut Griesser, ADVA Optical Networking SE France-IX General Meeting 2016, Paris How to Quantum-Secure Optical Networks


Page 1: How to Quantum-Secure Optical Networks

Helmut Griesser, ADVA Optical Networking SE

France-IX General Meeting 2016, Paris

How to Quantum-Secure Optical Networks

Page 2: How to Quantum-Secure Optical Networks

© 2016 ADVA Optical Networking. All rights reserved. Confidential.

Communication Security in Daily Life

• Cryptographic functions are essential for many everyday activities

• Confidentiality, integrity, authenticity

• Tapping fiber is easier than it might seem

• Protection is also required for data on fiber

Page 3: How to Quantum-Secure Optical Networks

Confidentiality: Symmetric Cryptography

Public key cryptography enables secure communication to be initiated over insecure channels

[Figure: Alice and Bob each run a symmetric cypher with the secret key K, which a key generator delivers over a secure channel; message M crosses the public (insecure) channel as cyphertext C.]

Problem: No secure channel, key exchange over a public channel

Page 4: How to Quantum-Secure Optical Networks

Public Key Cryptography

• For RSA two large prime factors are used to derive the secret key

• Security is based on the difficulty of calculating the private key from the public one without the knowledge of the factors

• The hard problem is to factorize the large integer number into its prime factors

© Wikipedia

Page 5: How to Quantum-Secure Optical Networks

Page 6: How to Quantum-Secure Optical Networks

Quantum Research

Page 7: How to Quantum-Secure Optical Networks

Outline

• The Quantum Threat – Is It Real?

• Protect Against Quantum Computing With Quantum Key Distribution

• The Big Picture: Quantum Safe Cryptography

• What Is the Most Secure Option?

Page 8: How to Quantum-Secure Optical Networks

The Quantum Threat – Is It Real?

Page 9: How to Quantum-Secure Optical Networks

Public-Key Cryptography at Stake

All widely used public-key systems rely on three algebraic problems:

• integer factoring (RSA):

n = p·q, with p and q large prime numbers

• discrete logarithm (Diffie-Hellman, DSA):

A = g^a mod p, with p prime and g primitive root (mod p)

• elliptic curve discrete logarithm (ECC, ECDSA):

Q = k·P, with P an elliptic curve over a finite field

Shor’s Algorithm can solve these problems on a large quantum computer

Page 10: How to Quantum-Secure Optical Networks

The Quantum Computer

Photo: IBM

So far scientists can stabilize only 4-10 qubits, a number far too low to factor arbitrary, long semiprimes.

But: Quantum error correction leads to a threshold effect that allows scaling.

Page 11: How to Quantum-Secure Optical Networks

How Soon Do We Need to Worry?

[Figure: timeline (axis: time) with the spans “time to build large quantum computer”, “time to update infrastructure” and “encryption needs to be secure”, and the region “secrets can be revealed”.]

‘Harvesting’ attack: not everybody can do that, but …

The ETSI Quantum-Safe Whitepaper 2014, ISBN 979-10-92620-03-0

Attack scenario:

• Store encrypted data now

• Decrypt later when quantum computers are available

Page 12: How to Quantum-Secure Optical Networks

NSA Data Center in Bluffdale / Utah

Page 13: How to Quantum-Secure Optical Networks

Protect Against Quantum Computing With Quantum Key Distribution?

Page 14: How to Quantum-Secure Optical Networks

Quantum Properties

• qubit is a 2-dimensional quantum state (Hilbert space)

• Orthogonal states or

• But is linear dependent from and vice versa

• The observation of a qubits defined over basis does not allow to detect it with basis :

• For transmission qubits are best implemented by single photons

Credit: Sebastian Kleis, HSU Hamburg

Page 15: How to Quantum-Secure Optical Networks

Quantum Key Distribution (BB84)

[Figure: BB84 protocol illustration, including the sifting step]

Image reprinted from article: W. Tittel, G. Ribordy & N. Gisin, “Quantum cryptography,” Physics World, March 1998. Devil Eve is from Vadim Makarov.

Page 16: How to Quantum-Secure Optical Networks

Key Extraction Process

• In a real system there are transmission errors that have to be corrected via an insecure channel

• These errors can't be distinguished from eavesdropping -> reach limitation

• Privacy amplification (key compression) takes care of the information leakage during error correction

Credit: Eleni Diamanti, PhD Thesis

[Figure: key extraction chain. Quantum transmission → raw key → sifting → sifted key → error correction → error free key → privacy amplification → secure key. Theory supplies the security requirements, the characteristics of the source, the error rate estimation and the leakage during correction.]
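The transmission, sifting and error-estimation steps of BB84 as a small simulation (an added example, not from the original slides). The intercept-resend eavesdropper, the function names and the 11 % abort threshold are assumptions of this example; it shows that a raised error rate is the only visible sign of tapping, which is why channel errors and eavesdropping cannot be told apart.

```python
import random

def bb84_run(n_pulses, channel_ber=0.0, eve=False, seed=2016):
    """Simulate BB84 transmission and sifting; return (sifted_bits, qber).

    Bases are coded 0/1. For simplicity the QBER is computed over all
    sifted bits; a real system discloses only a sample of them.
    """
    rng = random.Random(seed)
    kept, errors = 0, 0
    for _ in range(n_pulses):
        bit, a_basis = rng.getrandbits(1), rng.getrandbits(1)  # Alice's choices
        photon_bit, photon_basis = bit, a_basis
        if eve:
            # Intercept-resend: Eve measures in a random basis and resends.
            e_basis = rng.getrandbits(1)
            if e_basis != photon_basis:
                photon_bit = rng.getrandbits(1)   # wrong basis: random outcome
            photon_basis = e_basis
        b_basis = rng.getrandbits(1)              # Bob's random basis
        result = photon_bit if b_basis == photon_basis else rng.getrandbits(1)
        if rng.random() < channel_ber:            # ordinary transmission error
            result ^= 1
        if b_basis == a_basis:                    # sifting: keep matching bases
            kept += 1
            errors += result != bit
    return kept, errors / kept

def verdict(qber, abort_above=0.11):
    """Assumed threshold: near 11 % the fraction 1 - 2*h(QBER) reaches zero."""
    return "abort" if qber > abort_above else "distill key"

if __name__ == "__main__":
    for label, kwargs in [("clean channel", {}),
                          ("system BER 0.01", {"channel_ber": 0.01}),
                          ("BER 0.01 + Eve", {"channel_ber": 0.01, "eve": True})]:
        kept, qber = bb84_run(20000, **kwargs)
        print(f"{label:16s} sifted={kept:5d} QBER={qber:.3f} -> {verdict(qber)}")
```
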

Page 17: How to Quantum-Secure Optical Networks

Estimation of Key Rate for BB84

System parameters

• Fiber att. 0.2dB/km + 1dB@Rx

• System BER = 0.01

• quantum efficiency 10%

• count rate 10^4 counts/s

• Measurement window 1ns

• Repetition rate 10MHz

Credit: Eleni Diamanti, PhD Thesis

[Figure: estimated key rate for three source types]

1. Laser photon source (Poisson distribution)

2. Decoy state sequence for bounding transmission performance

3. Ideal single photon source
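A rough reach estimate for source type 3 (ideal single photon source) using the system parameters listed above, added here as an example and not the calculation from the cited thesis. Assumptions: the count rate is read as detector dark counts, a dark count gives a random bit, and the secret fraction is the asymptotic bound 1 − 2·h(QBER) with ideal error correction.

```python
import math

# Parameters from the slide; the model itself is an assumption (see lead-in).
ATT_DB_PER_KM, RX_LOSS_DB = 0.2, 1.0
E_SYS = 0.01            # system BER
ETA = 0.10              # detector quantum efficiency
P_DARK = 1e4 * 1e-9     # 10^4 counts/s in a 1 ns window, read as dark counts
F_REP = 10e6            # repetition rate in Hz

def h2(p):
    """Binary entropy in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def p_signal(km):
    """Probability that a sent photon is detected after fibre and Rx loss."""
    return ETA * 10 ** (-(ATT_DB_PER_KM * km + RX_LOSS_DB) / 10)

def qber(km):
    """System errors on signal clicks, 50 % errors on dark-count clicks."""
    p_sig = p_signal(km)
    return (E_SYS * p_sig + 0.5 * P_DARK) / (p_sig + P_DARK)

def key_rate(km):
    """Secure bit/s: rep rate x sifting (1/2) x click prob. x secret fraction."""
    secret_fraction = max(0.0, 1 - 2 * h2(qber(km)))
    return F_REP * 0.5 * (p_signal(km) + P_DARK) * secret_fraction

def max_reach_km(limit=400):
    """Last whole kilometre that still gives a positive key rate."""
    return max(km for km in range(limit + 1) if key_rate(km) > 0)

if __name__ == "__main__":
    for km in (0, 50, 100, 150, max_reach_km(), 200):
        print(f"{km:4d} km  QBER={qber(km):.3f}  rate={key_rate(km):12.1f} bit/s")
```

As dark counts take over from signal clicks the QBER climbs past the point where privacy amplification leaves any key, which is the reach limitation named on the previous slide.
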

Page 18: How to Quantum-Secure Optical Networks

QKD in a Commercial Network

[Figure: a pair of 10G Tx/Rx units carries 10G client data as AES encrypted 10G data, with AES en/decryption in counter mode at both ends; QKD Tx and QKD Rx perform the key exchange and supply real-time quantum keys.]

Choi, I. et al., “Field trial of a quantum secured 10 Gb/s DWDM transmission system over a single installed fiber,” Opt. Express, The Optical Society, 2014, 22, 23121

Page 19: How to Quantum-Secure Optical Networks

How to Build Long-Haul QKD Links

Reference from Mark.

Trusted node repeater

Also works with satellites

[Figure: Alice, a trusted node and Bob. Link QKD1 yields key K1 and link QKD2 yields key K2; the keys are combined by XOR (+), with K1 + K2 + K2 = K1.]

Page 20: How to Quantum-Secure Optical Networks

Quantum Key Distribution: Pros & Cons

• QKD provides ultimate security for the key distribution problem

  • Does not rely on the hardness of certain computational problems

• But QKD also has disadvantages:

  • Decreasing key rates with distance, requiring trusted node repeaters for long haul

  • Physical layer technique

  • Relatively high complexity, still bulky

  • Cannot easily replace current protocols

• … and key distribution is only one of several security primitives

Page 21: How to Quantum-Secure Optical Networks

The Big Picture: Quantum Safe Cryptography

Page 22: How to Quantum-Secure Optical Networks

Classification of Cryptographic Algorithms

[Figure: classification diagram with these labels]

• Computational security: AES, Diffie-Hellman, RSA, ECC

• Post-Quantum Cryptography: NTRU, McEliece, Rainbow, BLISS, “New Hope”

• Information theoretic security: One-Time Pad, Physical Layer Security, Network Coding, QKD

• Quantum-safe cryptography

Jouguet et al., “Experimental demonstration of long-distance continuous-variable quantum key distribution”, Nature Photonics 7, 378–381 (2013)

Vahid Forutan, “Information-theoretic security through network coding”

Page 23: How to Quantum-Secure Optical Networks

Quantum Safe Cryptography

• Lattice-based cryptography

  • Encryption (R-LWE, NTRU), Signatures (“BLISS”), and Key Exchange (“New Hope”)

• Code-based cryptography

  • Encryption (McEliece, McBits, QC-MDPC)

• Multivariate polynomial cryptography

  • Signatures (UOV, Rainbow, HFEv-)

• Hash-based signatures

  • Signatures (XMSS, SPHINCS)

The ETSI Quantum-Safe Whitepaper 2014, ISBN 979-10-92620-03-0

Page 24: How to Quantum-Secure Optical Networks

Quantum Safe Cryptography Comparison

‘Post-quantum’ cryptography

Security relies on the hardness of certain computational problems

Vulnerable to advances in cryptanalysis and computing power

No security proof

Quantum cryptography

Security is based on some quantum property

Typically no computational assumptions and therefore secure against quantum attacks

Conceptual security guaranteed by quantum physics

What option delivers better security in practice?

Credit: CSA Quantum-Safe Security Working Group

Page 25: How to Quantum-Secure Optical Networks

Three Serious Encryption Problems in 2014

• Heartbleed (OpenSSL software implementation error)

• POODLE (Sloppy implementation of security protocols)

• Goto fail error (Error in Apple's TLS/SSL implementation)

Mostly implementation is the problem, not the algorithm

Page 26: How to Quantum-Secure Optical Networks

Successful Attacks on QKD Implementations

Credits: Vadim Makarov, Univ. of Waterloo

Page 27: How to Quantum-Secure Optical Networks

But: No Need to Decide, Just Combine

[Figure: Alice and Bob encrypt message M to cyphertext C with AES-256 over the public channel. On each side the secret key K is the XOR of a Diffie-Hellman key (public key exchange) and a QKD (BB84) key.]

Combined key is at least as random as both component keys individually
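The trusted node relay from the long-haul slide and the XOR key combination from this slide, as an added example (not ADVA's implementation). All function names are hypothetical and the keys are constructed sample values; the last comment marks the one condition the XOR combination depends on, namely that the component keys are independent.

```python
import secrets
from functools import reduce

def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length keys."""
    if len(a) != len(b):
        raise ValueError("keys must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def relay_announcements(link_keys):
    """The trusted node between link i and link i+1 publishes K_i XOR K_(i+1)."""
    return [xor(k, k_next) for k, k_next in zip(link_keys, link_keys[1:])]

def bob_recover(announcements, last_link_key):
    """Bob XORs every public announcement onto his own link key and gets K1."""
    return reduce(xor, announcements, last_link_key)

def node_learns(announcements, node_index, link_keys):
    """Node `node_index` derives K1 from its left link key and the earlier
    announcements, which is why every relay node has to be trusted."""
    return reduce(xor, announcements[:node_index], link_keys[node_index])

def combine(*keys):
    """Session key = XOR of the separately exchanged keys (e.g. DH and QKD)."""
    return reduce(xor, keys)

def demo():
    # Constructed sample keys; real ones come from QKD links and a DH exchange.
    links = [secrets.token_bytes(32) for _ in range(3)]   # K1, K2, K3
    ann = relay_announcements(links)                      # two trusted nodes
    k_qkd = bob_recover(ann, links[-1])                   # Bob now holds K1
    k_dh = secrets.token_bytes(32)                        # stand-in DH secret
    session = combine(k_dh, k_qkd)                        # AES-256 key material
    # An attacker who knows k_dh alone still faces the full entropy of k_qkd.
    # The combination fails only for dependent keys: combine(k, k) is all zeros.
    return k_qkd == links[0], node_learns(ann, 1, links) == links[0], session

if __name__ == "__main__":
    bob_ok, node_knows_key, session = demo()
    print(bob_ok, node_knows_key, session.hex())
```
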

Page 28: How to Quantum-Secure Optical Networks

Take-Aways

• Quantum computers threaten current key exchange algorithms

• QKD offers the promise of absolute security

• Quantum safe public key protocols are an alternative

• No need to decide against or in favour of any specific key exchange

• Classic public key exchange can run in parallel with QSA

• QKD can be an additional key exchange mechanism

• All keys can be combined by bitwise XOR operation

Lesson from vulnerability of public key algorithm to Shor:

Better security might be achieved by combining fundamentally diverse mechanisms for key exchange …

Page 29: How to Quantum-Secure Optical Networks

… But Take Care to Do It the Right Way!

© xkcd

Acknowledgements

Sebastian Kleis

Joo Yeon Cho

Michael Eiselt

Page 30: How to Quantum-Secure Optical Networks

Thank You


Page 31: How to Quantum-Secure Optical Networks

Security Is Only as Strong as Its Weakest Link

© xkcd

Bruce Schneier on QKD:

It's like defending yourself against an approaching attacker by putting a huge stake in the ground. It's useless to argue about whether the stake should be 50 feet tall or 100 feet tall, because either way, the attacker is going to go around it.