QKD stuff WIP

jaseg 2024-06-27 16:20:27 +02:00
parent 9a4475457b
commit 2f8bdb7006
2 changed files with 89 additions and 3 deletions


@ -76,7 +76,7 @@ could evade. Originating in the 1980ies as a highly academic fusion applying con
its concepts have long found their way into popular science articles. Quantum Computing encompasses a model of
computation that is fundamentally different from the \emph{classical}\footnote{
In Quantum Computing, the term \emph{classical} is used as the complement of \emph{quantum}, and refers to the
digital computers we know and (maybe) love. This terminology stems from the distinction between classical and
digital computers we know and (sometimes) love. This terminology stems from the distinction between classical and
quantum physics.}
digital circuits that underly all of modern computing. While at first this might seem like a step backwards into the era
of early 1900s analog computing,
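Review bot: the only change in this hunk is the footnote wording from `(maybe) love` to `(sometimes) love`; since the footnote is being touched anyway, two spelling slips in the surrounding context lines are worth fixing in the same pass: `1980ies` in the hunk header line should be `1980s`, and `underly` in "digital circuits that underly all of modern computing" should be `underlie`.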
@ -128,6 +128,7 @@ that provides practical security to its users that goes beyond the (surprisingly
proofs.
\subsection{Computational Assumptions and Information\Hyphdash Theoretic Security}
\label{qc_comp_assum}
In the past paragraphs we have briefly mentioned that Quantum Computing provides a significant speed-up that can be
applied to solve many cryptographic problems fast enough for it to become a problem, but we have not elaborated on what
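Review bot: label naming is inconsistent within this commit: the new `\label{qc_comp_assum}` uses an underscore, while the section label added further down in the same commit, `qc-practical-implications`, uses hyphens, so settle on one convention before more cross-references accumulate. The label itself is correctly placed directly after the `\subsection` line.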
@ -148,8 +149,9 @@ decryption of a given ciphtertext.
An important nuance applying these algorithms to cryptography is that while both provide significant speed-ups over
classical computers, the speed-up of Shor's algorithm is exponential and effectively breaks most modern asymmetric
cryptography as it erases the asymmetric nature of the underlying mathematical problem. That is, for an asymmetric
cryptosystem susceptible to Shor's algorithm, there is no set of parameters that is large enough to be safe.
cryptography as it erases the asymmetric nature of the underlying mathematical problem's computational complexity. That
is, for an asymmetric cryptosystem susceptible to Shor's algorithm, there is no set of parameters that is large enough
to be safe.
In contrast to this, while Grover's algorithm radically speeds up the breaking of a symmetric cryptosystem, this
speed-up is only quadratic. In practice this means that it halves the security level % FIXME definition, citation of sec. lvl
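Review bot: the `% FIXME definition, citation of sec. lvl` left on the last line of this hunk is still open and matters for the reworded paragraph: "halves the security level" uses the term `security level` before it is defined anywhere, so a one-sentence definition (security level in bits as the logarithm of the expected attack cost) and a citation belong before this paragraph rather than as a trailing comment. The reworded Shor sentence itself reads fine. Also, `ciphtertext` in the hunk's header context line should be `ciphertext`.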
@ -159,10 +161,94 @@ easily be compensated by doubling key size. Longer key sizes require more storag
and result in slightly slower operation of the cipher, but this additional cost is easily manageable even without any
improvement in today's hardware.
\section{The Practical Security Implications of Quantum Computing}
\label{qc-practical-implications}
Given that as of yet, noone has claimed to have a quantum computer powerful enough to pose a threat to current
cryptographic protocols, one may ask the fair question why the possible future development of such a machine would be
consequential for today's cryptographic practice. The answer to this question lies in \emph{Store-Now-Decrypt-Later}
attacks. In such attacks, the attacker records all data transmitted between a cryptographic protocol's parties. The
security of any key exchange protocol rests on a computational hardness assumption about some particular problem. When
this assumption falls, for example because of a powerful quantum computer becoming available, the attacker can then
retroactively break the security of those stored protocol instances and decrypt all traffic.
Modern cryptographic protocols such as TLS or the Signal messenger's key ratchet are designed with facilities to provide
some degree of protection against key compromise called \emph{(Perfect) Forward Secrecy}. Forward Secrecy means that a
compromise of keys at one protocol step will not break the secrecy of past protocol steps. Forward Secrecy is achieved
by repeatedly mixing fresh key material called \emph{Ephemeral Keys} into the protocol's secret state. For a
post-quantum attacker, this implies that to decrypt a run of a forward-secret cryptographic protocol, the quantum
algorithm breaking the protocol's computational assumption must be run a number of times, but this results only in a
linear increase of both protocol and attack complexity, which turns out to no advantage for the defender.
Store-Now-Decrypt-Later attacks are considered a serious threat today based on the stark discrepancy between the
capacity of today's inexpensive storage media, and the comparatively tiny bandwidth of cryptographic protocols in
applications such as \emph{End-To-End-Encrypted} text messaging. A single hard drive can conceivably store years of a
person's encrypted digital communications.
There has been ongoing work on quantum secure cryptographic algorithms, and standardization of several such algorithms
is progressing. However, in the time frame of cryptosystems, these algorithms are still rather young and the recent
discovery of a catastrophic key recovery attack against the Supersingular Isogeny Diffie-Hellman protocol
(SIDH)\cite{hazay_efficient_2023} illustrates the risk in the use of immature cryptographic primitives. Thus,
recommendations on the concrete steps that should be taken today to mitigate Store-Now-Decrypt-Later attacks vary. For
instance, Google's under its threat model as laid out in \textcite{schmieg_blog_2024} recommends a list of quantum
secure counterparts to classically secure cryptographic algorithms, but recognizes the relative immaturity of these
quantum secure algorithms and consequently recommends \emph{Hybrid Deployment}, where a young, quantum secure algorithm
is paired with a mature classically secure algorithm such that \emph{both} algorithms would have to be broken to
compromise the composite protocol's security. Given that quantum secure public key cryptography tends to have both a
much larger key and/or ciphertext size and worse performance compared to state-of-the-art Elliptic Curve-based key
exchange or signature algorithms, pairing it with a classically secure alternative incurs only a negligible overhead in
key storage, network communication and computation costs.
% FIXME TODO research some more policies.
\section{The Physics of Quantum Computing}
\section{Quantum Key Distribution}
As we discussed in Section \ref{qc_comp_assum}, quantum computers promise novel attacks on many contemporary
cryptographic systems. At the same time, quantum technology also promises new cryptographic primitives that support
security guarantees beyond what can be realized with the best classical computers. The core of this nascent field of
Quantum Cryptography is a set of methods that are collectively called Quantum Key Distribution.
Informally speaking, a Quantum Key Distribution system is a system that distributes a secret key between two\footnote{
Although the key distribution problem can conceptually be framed for any number $n\ge 2$ of parties, practical
treatment is almost always limited to the two-party case. In case of QKD, problem instances for $n > 2$ parties can
trivially be reduced to $(n^2 - n)/2$ invocations of the two-party protocol, combined with any
information-theoretically secure secret sharing scheme.
} parties such that after a successful execution of the protocol, each of the two parties holds a copy of a randomly
generated secret key, and the probability that an attacker was able to extract some portion of the key during the
protocol's execution can be bounded to some negligible $\epsilon$ by each of the parties.
Quantum Key Distribution provides a similar service as cryptographic key exchange protocols such as the classic
Diffie-Hellman key exchange provide. The core difference between QKD and cryptographic key exchange protocols is that
QKD provides information-theoretic security based on the No-Cloning Theorem, where cryptographic protocols provide only
computational security based on the computational hardness assumption underlying some public-key cryptosystem.
QKD is attractive in that it gives practically useful security guarantees without relying on any computational hardness
assumptions. This way, QKD would remain secure even in a scenario where a hybrid deployment of a classically secure but
mature algorithm paired with a quantum secure but young algorithm as discussed in Section
\label{qc-practical-implications} poses too much of a risk---a scenario where both large quantum computers arrive and a
flaw in the quantum secure algorithm is found. Note that here, because we assume we have large quantum computers, the
possibility of a flaw in the quantum secure algorithm extends beyond mathematical flaws leading to practical attacks
with classical computers, and includes novel quantum algorithms.
\subsection{The Technical Implementation of QKD}
On the technical level, QKD must be distinguished from general Quantum Computing. While QKD systems employ the
No-Cloning Theorem and sometimes quantum entanglement in their operation, the scope of their quantum operations is very
limited. QKD systems always operate on photons, while general quantum computers use a variety of physical
implementations for their qubits that include photons and squeezed light, but extend over atom nuclei, trapped ions,
various aspects of currents in superconducters into phonons\cite{berrios_high_2012}.
% FIXME I don't like this paragraph.
The central challenge in general quantum computers is extending the lifetime of the quantum state encoding a qubit.
Quantum states are extremely sensitive to disturbances, and despite the best efforts to shield their quantum states
against external influence, their lifetime is still inconveniently short compared to the timescales required for quantum
computation, resulting in significant amounts of noise in the output of quantum algorithms run on contemporary quantum
computers. Quantum Key Distribution systems use photons and only perform a handful of operations on each photonic state
between generation and measurement, with the vast majority of the state's lifetime spent in transit between the two
endpoints of the QKD protocol.
\section{Quantum Networking}
\section{Securing QKD Networks with Inertial HSMs}
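Review bot: `Section \label{qc-practical-implications}` in the Quantum Key Distribution section is a bug: it should be `\ref{qc-practical-implications}`; as written it redefines the label (LaTeX will warn about a multiply defined label) and typesets "Section" with no number after it. Other points in this hunk: `noone` should be `no one`, `superconducters` should be `superconductors`, and "Google's under its threat model as laid out in \textcite{schmieg_blog_2024} recommends" has a stray possessive (`Google's` should be `Google`). The citation key `hazay_efficient_2023` for the SIDH key recovery attack looks like it picked up the proceedings editor's name; that attack paper is by Castryck and Decru, so check the author field of the bib entry. Finally, the three new sections `The Physics of Quantum Computing`, `Quantum Networking` and `Securing QKD Networks with Inertial HSMs` are added empty; that matches the WIP commit message, but a `% TODO` inside each would make the intent explicit to other readers of the draft.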