diff --git a/chapter-qkd/chapter.pdf b/chapter-qkd/chapter.pdf index 69660bf..d9fdd37 100644 Binary files a/chapter-qkd/chapter.pdf and b/chapter-qkd/chapter.pdf differ diff --git a/chapter-qkd/chapter.tex b/chapter-qkd/chapter.tex index 9bcb042..8ce5896 100644 --- a/chapter-qkd/chapter.tex +++ b/chapter-qkd/chapter.tex @@ -40,6 +40,8 @@ \usepackage{multicol} \usepackage{tikz} \usepackage{mathtools} +\usepackage{setspace} +\usepackage{titlesec} \DeclarePairedDelimiter{\ceil}{\lceil}{\rceil} \DeclarePairedDelimiter{\paren}{(}{)} @@ -57,7 +59,6 @@ \usepackage[binary-units,per-mode=fraction]{siunitx} \DeclareSIUnit{\baud}{Bd} \usepackage[hidelinks]{hyperref} -\usepackage{tabularx} \usepackage{commath} \usepackage{graphicx,color} \usepackage{ccicons} @@ -73,6 +74,11 @@ \usepackage{minitoc} \usepackage{minted} % pygmentized source code +% Re-define heading formats to force single line spacing +\titleformat{\section}{\normalfont\large\bfseries\singlespacing}{\thesection}{1em}{} +\titleformat{\subsection}{\normalfont\large\bfseries\singlespacing}{\thesection}{1em}{} +\titleformat{\subsubsection}{\normalfont\large\bfseries\singlespacing}{\thesection}{1em}{} + \newcommand{\degree}{\ensuremath{^\circ}} \newcolumntype{P}[1]{>{\centering\arraybackslash}p{#1}} \setlength{\marginparwidth}{3cm} 
@@ -86,20 +92,18 @@ \chapter{Physical Security in Quantum Key Distribution} \minitoc \newpage +\setstretch{1.3} \section{Cryptography in the Age of Quantum Computers} For a decade or two now, Quantum Computing has been creating a buzz that nobody in Computer Science and adjacent fields -could evade. Originating in the 1980ies as a highly academic fusion applying concepts from Computer Science in Quantum Physics, -% FIXME citation -its concepts have long found their way into popular science articles. Quantum Computing encompasses a model of -computation that is fundamentally different from the \emph{classical}\footnote{ +could evade. Originating in the 1980ies as a highly academic fusion applying concepts from Computer Science in Quantum +Physics, \todo{Add citation on QKD origins} its concepts have long found their way into popular science articles. +Quantum Computing encompasses a model of computation that is fundamentally different from the \emph{classical}\footnote{ In Quantum Computing, the term \emph{classical} is used as the complement of \emph{quantum}, and refers to the digital computers we know and (sometimes) love. This terminology stems from the distinction between classical and - quantum physics.} -digital circuits that underly all of modern computing. While at first this might seem like a step backwards into the era -of early 1900s analog computing, -% FIXME citation + quantum physics.} digital circuits that underly all of modern computing. While at first this might seem like a step +backwards into the era of early 1900s analog computing,\todo{Add citation on early analog computing} the capabilites of a future quantum computer promise to far outpace those of contemporary classical computers. Key to this improved processing capability is a property called \emph{Quantum Parallelism}. What this refers to is the fact that a quantum computer's internal state can simultaneously represent a multitude of states of a classical, digital 
@@ -108,10 +112,8 @@ computer, and the quantum computer can operate on all those states at once using Applying Quantum Parallelism to practical problems is far more complicated than, e.g., translating a digital circuit solving some equation to a quantum circuit, but for certain problems we already know \emph{quantum algorithms} that for large inputs solve these problems much faster than any classical computer ever could. Two of these algorithms, one -by Shor % FIXME citation -and one by Grover % FIXME citation -are what caused most of the buzz around the field of quantum computing, because they spell trouble for a large part of -modern cryptography. +by Shor and one by Grover \todo{Add citations on Shor's and Grover's algorithm} are what caused most of the buzz around +the field of quantum computing, because they spell trouble for a large part of modern cryptography. Besides the computational speed-up promised by Quantum Parallelism, there is one more interesting aspect of Quantum Computing where it radically deviates from classical computing. The reason modern cryptography exists is that when we 
@@ -120,13 +122,13 @@ we can do to prevent an attacker from reading this information. Even with crypto cryptography gives us tools to very effectively make whatever information the attacker is able to read useless to them. A basic principle of Quantum Physics is the \emph{No-Cloning Theorem}, which states that it is impossible to create an -identical, independent copy of an arbitrary, unknown quantum state. % FIXME citation +identical, independent copy of an arbitrary, unknown quantum state. \todo{Add citation on No-Cloning Theorem} An implication of this theorem is that when we encode classical information into quantum states in just the right way, we can make it so that an attacker atttempting to eavesdrop on our quantum information can only actually read this information by destroying it in the process. This property can be exploited to replace a number of classical asymmetric -primitives in interactive settings, % FIXME citation, check if interactive only -the most popular application of which is replacing an asymmetric Diffie-Hellman key exchange % FIXME citation -with a quantum process called Quantum Key Distribution that yields much of the same properties. +primitives in interactive settings, \todo{Add citation on substitution, check if interactive only} the most popular +application of which is replacing an asymmetric Diffie-Hellman key exchange \todo{Add citation on DH-Kex} with a quantum +process called Quantum Key Distribution that yields much of the same properties. In the past decades, the field of cryptography has been fundamentally shaped by the development of Quantum Computing and Quantum Key Distribution. However, the popular conception that all of today's cryptography will be broken and that we 
@@ -252,6 +254,28 @@ flaw in the quantum secure algorithm is found. Note that here, because we assume possibility of a flaw in the quantum secure algorithm extends beyond mathematical flaws leading to practical attacks with classical computers, and includes novel quantum algorithms. +\subsection{Security assumptions in QKD} + +While QKD protocols provide information-theoretic security, part of these protocols is always an authenticated channel +that is used by the protocol's parties to exchange information necessary to align both parties' quantum measurements so +that they can reconstruct the same secret key bit stream. In the security model of QKD, this authenticated channel does +some heavy lifting. While the QKD protocol provides key exchange--an asymmetric primitive--based on this authenticated +channel--which in its most simple implementation requires only symmetric primitives, an implementation of QKD using +symmetric primitives such as HMAC or CMAC for the authenticated channel would not achieve information-theoretic +security. To acheive information-theoretic security, the authenticated channel itself must use an +information-theoretically secure authentication method. The issue with that is that information-theoretically secure +authentication methods are (provably)\todo{citation on ``provably''} rather inefficient in their key use. While +symmetric MACs can use a single, short key for a very long time, information-theoretically secure MACs need a continuous +stream of fresh key bits. + +In QKD, the authenticated channel can be bootstrapped by taking these MAC key bits from the QKD channel itself. The +disadvantage of doing that is that it consumes a fraction of the system's precious secure key rate. 
As a consequence, at +this point there is ongoing research\todo{citations on ongoing research} on both systems based on symmetric MACs and +systems using information-theoretically secure MACs, with commercial systems often choosing the +latter\cite{bibakQuantumKeyDistribution2021} owing to the low secure key rates that are the state of the art. + +% \textcite{impagliazzoPersonalViewAveragecase1995} + \subsection{The Technical Implementation of QKD} On the technical level, QKD must be distinguished from general Quantum Computing. While QKD systems employ the @@ -262,7 +286,6 @@ various aspects of currents in superconducters into phonons\cite{berriosHighFide \subsection{Practical Challenges} \todo{I don't like this paragraph.} ->>>>>>> b6e2696 (Add todo command) The central challenge in general quantum computers is extending the lifetime of the quantum state encoding a qubit. Quantum states are extremely sensitive to disturbances, and despite the best efforts to shield their quantum states against external influence, their lifetime is still inconveniently short compared to the timescales required for quantum 
@@ -407,23 +430,27 @@ With the exception of special cases such as the middle node in a MDI-QKD system, components that the endpoint of a QKD connection uses. Only in a QKD relay, two transceivers are connected back-to-back to one another. QKD provides physical security for the photons traversing the fiber that forms the systme's channel, and the security envelope of the system begins where this fiber is terminated in the power splitters, single-photon -deetctors, lasers, and interferometers of the QKD transmitter and receiver. To process the raw measurements of the QKD +detectors, lasers, and interferometers of the QKD transmitter and receiver. To process the raw measurements of the QKD system into a usable stream of secret key bits, in addition to these components implementing the physics of the QKD system, a classical computer is needed. On top of the remote monitoring and management tasks that any piece of networking equipment is expected to perform nowadays, this computer is tasked with the information reconciliation and -privacy amplification that form the information-theoretic part of the QKD system. Since this computer necesesarily -handles secret key bits in their plain text form, it, too, must be inside the relay node's physical protection envelope. +privacy amplification that form the information-theoretic part of the QKD system. Since this computer must necessarily +handle secret key bits in their plain text form, it, too, must be inside the relay node's physical protection envelope. \subsection{Physical requirements of QKD transceivers} +Putting a QKD relay node and associated machinery inside of an IHSM, we first need to answer two key questions. First, +\emph{will it fit?}, and second, \emph{Can we hook it up?}. In the following paragraphs, we will go through several +aspects of these general questions one by one. + \paragraph{Physical dimensions.} At this point, a number of commercial systems promising QKD exist. 
Common QKD protocols do not require any particularly large or power-hungry components, and so commercial systems have generally adopted the 19 Inch rackmount enclosure standard that is common to modern telecommunications equipment, with a width of $\approx\qty{50}{\centi\meter}$, a height between $\approx\qtyrange{4}{30}{\centi\meter}$ and a depth below $\approx\qty{100}{\centi\meter}$.\todo{Re-check -these shortly before submission}. While something of this size would be infeasible to protect with the security mesh of -a traditional hardware security module, placed vertically, even without modifications any of these systems are well -within an envelope that can be protected with a single IHSM cage. +these numbers shortly before submission} While something of this size would be infeasible to protect with the security +mesh of a traditional hardware security module, placed vertically, even without modifications any of these systems are +well within an envelope that can be protected with a single IHSM cage. \paragraph{Power supply.} QKD systems do not contain any particularly power-hungry components. Unlike quantum computers, most of the signal path 
@@ -451,12 +478,17 @@ In a QKD relay node, the key stream never leaves the security envelope. The mana links can be combined into a single, classical network link, requiring a single fiber when using a standard wavelength division multiplexing transceiver. The QKD link's clock channel and the quantum channel require a dedicated fiber each, adding up to a total of five fibers for a uni-directional QKD relay, or nine fibers for a bidirectional one. Since fiber -pigtails have an outer diameter of usually about \qty{1}{\milli\meter}, this amount of fibers can easily be fed through -an IHSM's axis of rotation. The mechanical challenge in such a multi-fiber signal and data feedthrough is to observe the +pigtails have an outer diameter of usually about \qty{1}{\milli\meter}, this amount of fibers can be fed through an +IHSM's axis of rotation. The mechanical challenge in such a multi-fiber signal and data feedthrough is to observe the fiber's minimum bending radius, which for common fibers is usually in the range of \qtyrange{5}{10}{\milli\meter}\todo{Provide citation on bend radius. Maybe a small table of products by a few vendors?}. -For detailed passthrough designs, we refer the reader to Chapter FIXME of this thesis.\todo{Actually write the chapter, -then cross-link here.} + +Concluding the above paragraphs, a QKD node is not a particularly challenging payload for an IHSM. The most problematic +requirement is feeding through a number of fibers for its various input and output signals, but fundamentally it is no +different from any server or other piece of IT equipment. In the following section, we will present a design that +provides a combined power and multi-fiber passthrough that is sufficient for QKD applications. + +\subsection{Multi-fiber passthrough with active secondary mesh}
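Review bot: on the first file in the patch, `chapter-qkd/chapter.pdf` is a build artifact tracked next to its source, so every edit to `chapter.tex` drags a binary blob into history and the PDF silently drifts whenever someone forgets to rebuild. Suggest ignoring `chapter-qkd/*.pdf` (or producing it in CI) unless the repository deliberately ships the compiled chapter.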
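Review bot: in the `@@ -73,6 +74,11 @@` hunk all three `\titleformat` lines use `\thesection` as the label, so `\subsection` and `\subsubsection` headings will be numbered like sections (a subsection prints `3` instead of `3.1`); they should use `\thesubsection` and `\thesubsubsection`, and the three levels probably should not all share `\large`. In `@@ -57,7 +59,6 @@` `\usepackage{tabularx}` is dropped; the `\newcolumntype{P}` further down still works because that macro comes from `array`, but grep the chapter for `\begin{tabularx}` before merging.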
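Review bot: in `@@ -86,20 +92,18 @@` the new `\setstretch{1.3}` sits in the chapter body right after `\newpage`, so it is not scoped: when this chapter is included in the full thesis the 1.3 stretch leaks into every chapter that follows. Either set it in the thesis preamble or end the chapter with `\singlespacing` (or wrap the chapter in a group). The todo text "Add citation on QKD origins" is attached to the sentence about the origin of Quantum Computing in the 1980s, not QKD, so the label is misleading. Typos in the touched lines: "1980ies" (1980s), "capabilites" (capabilities), "underly" (underlie).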
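Review bot: in `@@ -108,10 +112,8 @@` the sentence that now ends in the Shor/Grover todo treats both algorithms as solving their problems "much faster than any classical computer ever could" and as equal trouble for cryptography. Only Shor's algorithm breaks the asymmetric primitives (factoring and discrete logarithms) outright; Grover's search is a quadratic speed-up that roughly halves the effective key length of symmetric ciphers and hashes and is countered by doubling key sizes. Since the chapter goes on to argue against the "everything will be broken" view, that distinction should be stated here rather than left to the citations.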
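Review bot: in `@@ -120,13 +122,13 @@` the todo "check if interactive only" is already answered by this patch's own `Security assumptions in QKD` subsection: QKD requires an authenticated classical channel alongside the quantum channel, so it is inherently interactive and expands an existing authentication key rather than replacing an asymmetric primitive outright. Suggest resolving the todo with that sentence and softening "yields much of the same properties" as Diffie-Hellman, since the two rest on different trust assumptions (an authentication key in one case, none in the other). Typo in the context line: "atttempting".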
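Review bot: in `@@ -252,6 +254,28 @@` the closing sentence inverts its own argument: "commercial systems often choosing the latter ... owing to the low secure key rates" points at information-theoretically secure MACs, which the preceding paragraph says consume key from the QKD stream; low key rates would motivate the former (symmetric MACs). Either change to "the former" or reword so the cited reason matches the choice. The sentence beginning "While the QKD protocol provides key exchange--an asymmetric primitive--based on this authenticated channel--which in its most simple implementation requires only symmetric primitives, an implementation of QKD ..." never closes its "While" clause; split it into two sentences. Also "acheive" (achieve), and the commented-out `% \textcite{impagliazzoPersonalViewAveragecase1995}` is dead text that should be dropped or turned into a `\todo`.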
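Review bot: `@@ -262,7 +286,6 @@` removes a leftover `>>>>>>> b6e2696 (Add todo command)` conflict marker, which is the right fix, but a marker that survived this long suggests the merge was resolved by hand; run `git grep -n '^[<=>]\{7\}' -- chapter-qkd/` to confirm no `<<<<<<<` or `=======` lines remain elsewhere in the file. The `\todo{I don't like this paragraph.}` directly above it is still in place, so this hunk does not resolve that note.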
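Review bot: in `@@ -407,23 +430,27 @@` the added lead paragraph opens with a dangling modifier ("Putting a QKD relay node and associated machinery inside of an IHSM, we first need to answer ...") and the two emphasised questions differ in capitalisation ("will it fit?" vs "Can we hook it up?"). Suggest: "Before putting a QKD relay node and its associated machinery inside an IHSM, we need to answer two questions: \emph{will it fit?} and \emph{can we hook it up?}". Typo in the context lines: "systme's".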
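Review bot: in `@@ -451,12 +478,17 @@` the new `\subsection{Multi-fiber passthrough with active secondary mesh}` is the last added line and the hunk contributes no body for it, so as committed the chapter ends in an empty heading while the closing paragraph promises "In the following section, we will present a design". Either land the heading together with its content or leave a `\todo` under it, and note that the text below a `\subsection` is a subsection, not a section. Dropping the unresolved "Chapter FIXME" cross-reference is fine since the new paragraph points to the passthrough design locally. Wording in the added lines: "Concluding the above paragraphs" reads better as "To conclude", and "this amount of fibers" should be "this number of fibers".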