Improve qkd chapter conclusion, remove redundant attack considerations

inherited from paper version

chapter-ihsm/chapter.tex

@@ -86,9 +86,6 @@ prototype. We conclude this chapter with a general evaluation of our design in S
 % summaries of research papers on HSMs.  I have not found any actual prior art on anything involving mechanical motion
 % beyond ultrasound.
 
-In this section, we will briefly explore the history of HSMs and the state of academic research on active tamper
-detection.
-
 HSMs are an old technology that traces back decades in its electronic realization, initially being conceived by the US
 NSA during the second world war~\cite{boak1973}. Today's common approach of monitoring meandering electrical traces on a
 fragile foil that is wrapped around the HSM essentially transforms the security problem into the challenge to

chapter-qkd/chapter.tex

@@ -462,11 +462,11 @@ the amount of inter-mesh space necessary for power and data feedthroughs as well
 meshes, on the other hand, this pitch increases by the offset distance. Even for a small offset this quickly adds up to
 an unwieldy total mesh size.
 
-In this section, we conceptually introduce a solution to this problem that allows for larger offsets using a design
-where the two meshes interlock like gears. This does mean that the two meshes' rotation must be synchronized, but it
-increases the design space of offset labyrinth meshes. For instance, in a gear setup, the wide sides of the inter-mesh
-zones can be aligned to lie on the same side, so fiber passthrough can be realized more easily even without the need to
-spiral the fiber around the axes of rotation.
+We conceptually introduce a solution to this problem that allows for larger offsets using a design where the two meshes
+interlock like gears. This does mean that the two meshes' rotation must be synchronized, but it increases the design
+space of offset labyrinth meshes. For instance, in a gear setup, the wide sides of the inter-mesh zones can be aligned
+to lie on the same side, so fiber passthrough can be realized more easily even without the need to spiral the fiber
+around the axes of rotation.
 
 \subsection{Mesh synchronization}
 
@@ -475,78 +475,33 @@ In this setup, the mesh tabs act like gear teeth. Depending on the ratio between
 meshes do not have to rotate at the same rate of rotation and harmonic ratios are possible. Additionally, unlike actual
 gears which need to constantly maintain an area of contact, both co-rotating and counter-rotating setups are possible.
 
-\section{Physical attacks and countermeasures}
-\label{sec_attacks}
-In this section we will consider possible ways to attack an IHSM-secured QKD relay, as well as potential
-countermeasures.
-
-\subsection{Attacks on the IHSM mesh}
-
-There are two ways an attacker could attack the mesh itself if an adequate speed of rotation such as \qty{1000}{\rpm} is
-used (cf.\ Chapter~\ref{chapter-ihsm}): Either, an attacker would have to slow down the mesh so they can perform a
-manual attack, or they would have to use a robot. The first class of attack would require the attacker to falsify the
-readings of the centrifugal accelerometer. MEMS accelerometers are complex devices, and the simplest way to falsify its
-readings would be to attach a circuit to the accelrometer's data bus that overrides the measurement result data.
-Creating such a circuit is easy, the challenge the attacker would have to overcome would be to access this bus and
-attach this circuit to the mesh in motion without stopping or disturbing it. At high speeds, this would necessarily
-require a custom attack robot.
-
-\subsection{Contactless attacks on the payload}
-
-Contactless attacks such as electromagnetic (EM) side-channel attacks or optical fault injection attacks on the payload
-could conceivably be conducted from the outside of the mesh. The efficacy of EM side-channel as well as fault injection
-attacks decays quickly with increased distance between probe and target, and they can be counteracted by simply placing
-the QKD relay's components such that they are spaced apart from the mesh. Optical attacks, on the other hand can be
-carried out even at a distance using appropriate focusing optics. The easiest way to prevent such attacks would be to
-place the payload into an opaque enclosure inside the mesh.
-
-An additional variant of optical attacks would be using a laser to cut or drill into the payload. Such attacks can be
-impeded through several defense-in-depth measures. First, the payload QKD relay should be designed such that destroying
-any part of it such as connecting wires or fibers causes it to fail secure. Irrespective of attacks, this is a
-reasonable design objective anyway given that components could fail, and a component failure should never put the device
-in an insecure state. Further, similar to other optical attacks, a shield can be used to prevent laser cutting or
-drilling attacks as well with the only difference being the kind of shield. To prevent laser cutting or drilling, a
-thick metal shield can be used. The large thermal mass, high thermal conductivity and reflective surface of such a
-shield makes it difficult to cut. There are lasers such as pulsed Nd:YAG lasers that can cut even thick steel, but these
-this cutting produces a large amount of metal plasma and debris, which would likely destroy the payload in the process.
-
-To make sure any active laser attack is quickly detected, as a final line of defense, both mesh and payload should
-include wideband optical sensors in their array of environmental tamper sensors. For instace, high-power pulsed lasers
-do not deposit much heat into their target because the surface of the target is vaporized by the laser pulse too
-quickly, and thus might not trigger a simple temperature alarm inside the payload. In contrast, optical sensors even
-outside of the laser's wavelength range would have no trouble detecting the light emitted from the metal plasma created
-by the laser's pulses on impact with the payload.
-
-\subsection{Fast, mechanical attacks on the payload}
-
-A final class of attacks are mechanical attacks where an attacker mechanically compromises the IHSM QKD relay so quickly
-that the tamper alarm mechanism has no time to act. An instance of such an attack would be using a gun to fire a bullet
-at the payload, aiming to selectively destroy parts of it that are involved in tamper alarm response before they can
-act. This class of attack can be counteracted in similar ways as the previously mentioned optical attacks. Destruction
-of parts of the payload should never let it fall into an insecure state, meaning that such an attack alone should never
-be enough to compromise the QKD relay. There is little one can do to prevent destruction of the payload by projectile or
-by explosive, but a thick metal shield around the payload would make it more difficult to selectively target part of it
-using a projectile.
-
 \section{Outlook}
 \label{sec_outlook}
 
 \subsection{Achievable security guarantees}
 
-Like conventional HSMs, Inertial HSMs are only ever an engeineering answer to a security question. In contrast with
-cryptographic solutions that can achieve provable, information-theoretic security in some cases, an IHSM's security
+Like conventional HSMs, Inertial HSMs are only ever an engineering answer to a security question. In contrast with
+cryptographic solutions that in some cases can achieve provable, information-theoretic security, an IHSM's security
 rests upon an assumption on the engineering capabilities of an attacker. In contrast to conventional HSMs, which
 achieve this engineering assumption through the manufacture of hard-to-manipulate tamper sensing meshes, Inertial HSMs
 achieve it by rotating their tamper sensing mesh. In a conventional HSM, increasing the security of the tamper sensing
 mesh requires fine-tuning a bespoke manufacturing process. In contrast, increasing the security of an IHSMs simply
 requires making the rotor faster.
 
+While QKD systems provide theroetically impervious security guarantees based on fundamental laws of physics, they too
+are engineered systems embedded into a macroscopic world. As such, while the physics at their core might be sound
+similar to how the cryptography at the heart of a HSM might be provable, like HSMs they also cannot side-step requiring
+engineering solutions to security questions at the system level. As such, IHSMs complement QKD implementations, and
+provide the system-level security barrier necessary for the protection of a QKD node's quantum components.
+
 \subsection{Trust bootstrapping}
 
-A key question in any trusted hardware deployment is how to bootstrap trust in a new device when faced with the
-possibility of supply-chain attacks. Conventional HSMs are only manufactured by a single manufacturer, and the common
-solution is to just trust that manufacturer. The HSM's manufacturer can factory-provision an identity key to the HSM
-that can be used to ascertain the HSM's integrity during shipping to the customer.
+When considering the security of a system, we often assume a steady state, where the system is already secure at the
+start and then needs to resist some attack. A key question in any practical trusted hardware deployment is how to
+bootstrap this initial trust in a new device when faced with the possibility of supply-chain attacks. Conventional HSMs
+are only manufactured by a single manufacturer, and the common solution is to just trust that manufacturer. The HSM's
+manufacturer can factory-provision an identity key to the HSM that can be used to ascertain the HSM's integrity during
+shipping to the customer.
 
 One of the key components of IHSM technology is that it does not require specialized components, or potting of the
 payload. While an IHSM could be manufactured and sold as a complete unit like a conventional HSM, their more modular