This week saw two major announcements in the quantum world. Google launched a new chip, Willow, with bold comparisons against classical systems. Meanwhile, my colleagues at Quantinuum revealed a record-setting entanglement of 50 logical qubits.

Whenever significant quantum news is released, my LinkedIn feed overflows with speculation that RSA and Bitcoin can now be hacked. These lazy interpretations frustrate me. Do people think encryption would be shattered overnight without a large collection of experts saying so?

Philip Intallura wonderfully summarised the collective feeling on my side of the fence:

However, if I put on my Hat of Reluctant Understanding, I recognise the quantum threat is difficult to assess based on sporadic industry announcements. How can you tell if a year full of exciting announcements impacts the date when quantum computers will threaten encryption?

One approach is to periodically consult a large group of experts to see what they think. This is exactly what Michele Mosca does in his annual Quantum Threat Report, which was recently updated for 2024. Mosca’s team has polled dozens of experts since 2019, asking them to estimate when quantum computers will break 2048-bit RSA in less than twenty-four hours.

These experts presumably keep abreast of the latest developments in quantum (at least up until the cut-off point for the report). So their collective answers represent a balanced opinion on how the various announcements contribute towards cryptographic risk.

This year, they assigned a one-in-ten probability that a quantum computer would break RSA in the next five years. The risk steadily rises over the subsequent years, passing the fifty-percent mark at the end of the 2030s.

Does that mean we can heave a collective sigh of relief? Absolutely not!

In the world of cybersecurity, even a ten percent risk is unacceptable. Organizations spend millions each year to squash much smaller risks. And since Mosca’s report is a lagging indicator, it’s best to assume things might have worsened since it was published.

The message remains simple and urgent: take this growing threat seriously and begin your migration planning.

There is no need to panic, and no need to believe RSA has been broken each time you read quantum news. However, the exciting announcements this week show the quantum industry is moving rapidly, and we need to be ready for whatever comes next.

Subscribe now

In Other News…

• The Open Quantum Safe project released v0.12 of its quantum-safe library. As of this release, the library now contains FIPS approved versions of both ML-KEM and ML-DSA.

• The Bank of England published a study about using advanced cryptographic techniques (such as zero-knowledge proofs and multi-party computation) to ensure the privacy of digital currency.

• The world of secure enclaves took another battering, this time targeting AMD. A new attack vector allowed attackers with physical access to bypass security mechanisms and expose sensitive data.

• Microsoft is on a mission to move one billion users to passkeys instead of passwords. This blog gives some interesting insights into how they are changing user behaviours.

This week, the Cyber Resilience Act (CRA) comes into force in EU member states. All products containing a “digital element” sold after December 2027 will need to meet minimum cybersecurity standards.

The scope of the CRA is enormous. It applies to any device with “… a direct or indirect logical or physical data connection to a device or network.” In short, any connected device, whether in IT systems, consumer or enterprise IoT, operational technology, or beyond.

Naturally, this is a big deal for cybersecurity and cryptography. Among the requirements defined in Annex I are two that squarely point to greater use of encryption:

• “ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access;”

• “protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means.”

It’s all very sensible. And, if implemented correctly, it should lead to improved digital security for all. However, this is easier said than done, which makes me wonder whether poorly implemented security is better than no security. I’m not sure.

Twice in my career, I’ve had the opportunity to inspect the source code underpinning third-party enterprise security software. On each occasion, I was horrified. The code was clearly written by engineers with no training in cryptography since it broke many of the standard rules. Security through obscurity was rampant, along with the incorrect use of encryption parameters (things like all-zero IVs, misused salts, and so forth).

Extrapolating from this small sample, I assume the average engineer finds writing secure code difficult. And now the CRA is forcing almost everyone to do it, we will see some funky stuff going into production.

Stack Overflow may find itself on the front lines of software supply chain security, given how much code will be copied from its pages. I wonder if nation-states have started subverting the code examples yet.

Ultimately, we need the industry to settle on some idiot-proof security libraries for everyone to use. There’s been some progress on this over the years, with libraries like libsodium and RNCryptor trying to limit the amount of damage a developer can do. However, their adoption seems limited, and many developers still resort to the raw cryptographic libraries provided by their programming language.

Until this changes, I shall continue treating my consumer devices as though they have no security at all. And perhaps we should be doing this with enterprise tools as well. As a reminder – it’s OK to ask your vendors to see their code!

Subscribe now

In Other News…

• Congratulation to TNO, who recently released PQChoiceAssistant v2. It’s an interactive tool that helps you choose the PQC algorithm for your use case. Give it a go, it’s brilliant. Thanks to Frederik Kerling for sharing this.

• Related to the above, TNO and collaborators have shipped a revised revision of their PQC Migration Handbook (PDF). I’ve not had a chance to read this in-depth, but it seems extremely comprehensive.

• The NCSC has published their annual review, with the geekiest cover image I’ve ever seen. Buried at the back of the review are some thoughts on post-quantum migration. I was interested to see their hint that regulation will play an important part in creating the motivation for action.

So, I’ve discovered something interesting happens when you write a blog.

In your head, you develop a clear idea to convey to the reader. You try to capture that in 600-800 words with a catchy title. Then you publish it, and despite your best intentions, sometimes a completely different message is heard by your audience.

Of course, this is a failure on the part of the author, not the audience.

My blog last week failed catastrophically on this front. My goal was to push back on some of the over-simplistic statements I’d heard about hack-now, decrypt-later attacks. There is nuance missing from the public narrative and I was trying to trigger a discussion around it.

However, I did a terrible job of conveying that idea. And, horrifyingly, what landed for many readers was a message of “You don’t need to do a post-quantum migration any more.”

Let me be super clear: all organizations must take the quantum threat seriously and take action now. It is well-established that cryptographic migrations take a long time. Just look around at some of the migrations we’ve barely finished (MD5 anyone?). To get our systems quantum-ready is going to take a decade or more, so it must begin with urgency.

Let me also be clear that hack now, decrypt later attacks are a genuine threat to high-value targets. Every organization should consider this type of threat carefully and decide if they are impacted by it. If so, you must move even sooner on your migration.

I’ve deleted my previous post because it seems irresponsible to let that confusion continue. My sincere apologies for being unclear, and my deep thanks to the friend in my network who drew attention to this issue.

What happens to cryptographic keys after you die?

In Japan, citizens have been advised to give loved ones access to their smartphones and subscription details to make a post-mortem cleanup easier.

This story, reported in The Register, reminds me how short-sighted most cryptographic systems are. Death is inevitable and yet ignored in almost every consumer product. Users have to violate best practices by writing down usernames and passwords or giving others access to their critical data. In many cases, this breaks the terms of the services they are using.

Enterprise systems often have the same problem. Powerful root accounts need to be shared between a few trusted individuals. There are cryptographic solutions to this problem, such as secret sharing, but they are often not implemented.

These are the symptoms of a cyber industry that relegates "far away" problems to a later software release (which never arrives). In my experience, many systems don’t even support key rotation.

I’m not sure how we can fix this systemic issue. But I suspect it involves better cryptographic education for the next generation. More emphasis needs to be given to the lifecycle of cryptography, and the techniques we have available to handle the inevitable changes in business and life.

Take a Long Hard Look in the Mirror

Amid the flurry of reactions to the NIST announcements, something critical is being ignored.

When NIST publishes its advice and standards, it sets the **low bar** for acceptable practice. Their job is to find a pragmatic path forward, which inevitably aligns with the lowest common denominator.

There's no perfect answer to balancing the need for stronger keys with the migration to quantum-safe algorithms. However, while I still question if the decisions made were optimal, I’m expecting cyber practitioners are already taking action.

If you still use 2048-bit RSA keys in 2024 and don’t have a near-term plan to lengthen them, you are negligent.

If you wait until the last possible NIST-approved date before you retire algorithms, then you’re a cryptographic jackass.

If the idea of more than one cryptographic migration in 10 years gives you cold sweats, you need to build more agile systems.

In short, we should stop bashing NIST for their necessarily one-size-fits-all crypto advice. Instead, we need to be deeply critical of a cyber industry that still hasn’t finished its SHA-1 migration.

Time to step it up, folks!

On the Convergence of Certificates and Mayflies

Is the world ready for shorter certificate lifespans? The answer isn’t clear, but we may be heading in that direction regardless.

Many of my posts focus on the post-quantum migration, where NIST will struggle to enforce its migration timeline outside federal agencies. The world of certificates, however, is quite different.

A small group of gatekeepers set the rules, and tech companies with massive user bases can make unliteral decisions. Google has been shaking things up since 2023 when it suggested certificate lifespans should be reduced from 398 days to 90 days. Apple recently proposed to halve that again, demanding 45-day validity periods by 2027.

Shortening certificate lifespans does come with potential security benefits. Attackers would have a smaller window to abuse compromised keys, plus it will trigger the adoption of automated certificate management tools. This is seen as a positive move – carefully managed certificates leave less room for errors and outages.

But the downsides are also significant. Organizations seem ill-prepared for this shift, and smaller enterprises won’t relish the investment in automation tools. Inevitably, certificate expiries will increase, which may lead to users routinely ignoring warnings.

Ultimately, the power rests with big tech companies. With one button press, Google can instruct Chrome to stop trusting long-lifespan certificates. We must hope they wield this privilege carefully and with forethought.

Whatever happens next, this will be a fascinating sector to watch.

Show Me the Quantum Money!

Today, my team and colleagues at Quantinuum announced the first demonstration of quantum tokens sent over commercial-grade QKD equipment.

Quantum tokens are a novel financial instrument, inspired by the concept of quantum money. They offer three useful properties for financial transactions: unconditional unforgeability, near-instant settlement, and user privacy. We are not aware of a classical solution that can guarantee all three.

Unlike quantum money, which was imagined in the 1980s, quantum tokens are a hybrid of quantum and classical communications. This avoids the requirement for long-term quantum memories, while delivering many benefits of quantum money. We anticipate this technology will have multiple use cases across the financial industry, including high-speed financial trading, and ultra-high security access control.

Our demonstration took place in Tokyo, alongside our partners Mitsui and NEC. Token data was delivered over 10km of fibre, using two QKD devices from NEC.

You can read more about this in our white paper (PDF). A press release is also available.

Our team will continue to focus on this technology, and I’ll share further updates as we hit new milestones.

10 Years to Go…

NIST has spoken. RSA and ECDSA are banned from 2035.

Also, key lengths offering 112-bit security are deprecated (but not banned) after 2030. This includes 2048-bit RSA and 224-bit ECDSA.

The new rules are from NIST IR 8547, which was just released for public comments. The 2035 date is no surprise since it matches the deadline already given to federal agencies to complete their migrations.

The main symmetric algorithms are unaffected, as they provide at least 128 bits of security.

NIST IR 8547 is a 29-page document, but other than the timeline announcement, there’s nothing new to read. Page 13 is where you find the good stuff.

View the whole doc here: https://csrc.nist.gov/pubs/ir/8547/ipd.

The clock is ticking! Ten years to go…

Droning On About QKD

Once again, Chinese scientists are pushing the boundaries of quantum key distribution, this time using drones.

A team from Nanjing University has successfully conducted prepare-and-measure QKD over a 200-metre distance between a hovering drone and a ground station. They achieved a key exchange rate of over 8 kHz, with a drone weighing about 30 kg.

I’m not sure drones are the best long-term solution for the last-mile delivery problem. But it’s a cute experiment and maybe something for Amazon drone deliveries to consider!

You can read the paper here: https://journals.aps.org/prl/abstract/10.1103/PhysRevLett.133.200801.

This Key Will Self-Destruct in 5 Seconds

How about a signing key that self-destructs after use? It sounds like Mission Impossible, but it may actually be possible with quantum physics.

I stumbled upon “one-shot quantum signatures” recently, after reading a paper published in 2020 (link below). The idea sounds magical, and I must remind folks that I’m quantum curious, but not a quantum cryptographer. So, I take such papers at face value.

The motivation of the paper is signature delegation. Alice wants to delegate signing authority to Bob but needs to limit him to just one signature. Using classical cryptography, this would be challenging if not impossible. If Bob has the data necessary to construct a valid signing key, he can do so multiple times and Alice cannot stop him.

In this paper, a new concept of a “one-shot quantum signature” is defined, which exhibits this desired behaviour. Through the no-cloning theorem from quantum physics, Bob’s key is proven to be destroyed after use, preventing multiple signatures.

What’s fascinating is that the protocol only requires classical (i.e. non-quantum) communication between Alice and Bob. Bob needs access to a quantum system, but Alice does not.

For more information, including security proofs, check out the paper: https://eprint.iacr.org/2020/107. Several potential use cases are explored.

Quantum-Proof OT — Oxymoron?

CISA’s guidance on quantum-safe operational technology (OT) is a mixed bag.

It paints a bleak picture of the status quo, highlighting how OT often lacks encryption and may rely on outdated operating systems. Acknowledging these major challenges, CISA’s main practical advice is to limit the potential impact of quantum attacks through proper network segmentation.

Where the advice falls short is firmware security. It only briefly mentions that a quantum computer could enable the installation of malware via fraudulent firmware signatures. Yet, this represents a clear and present danger. Each new OT system deployed without a quantum-safe root of trust is a future weak link and a guaranteed swap-out within the next decade.

Quantum-safe firmware signing is a solvable problem today. We’ve had quantum-safe firmware signatures algorithms long before the recently standardised general-purpose PQC algorithms. So there's no reason not to be prioritising this today.

Asides from this bug bear, there’s nothing else offensive in the document, which proposes typical advice of inventorying, prioritising, and working with vendors to achieve crypto agility. But do let me know in a reply if you feel I’ve missed something.

You can view the CISA document here: https://www.cisa.gov/resources-tools/resources/post-quantum-considerations-operational-technology.

Google found a new way to use random numbers: efficiently watermarking AI-generated text to prevent plagiarism.

The new approach is called “SynthID-Text”, suggesting the marketing team had the week off. Nonetheless, the technical details are interesting.

Large language models generate text by repeatedly choosing a plausible next word based on the preceding text. Google’s watermarking approach influences which words are chosen without degrading the resulting text.

Before each word is chosen, a random number is generated based on a secret watermarking key and the context of recently generated words. This random number is used to score potential word choices, which compete against each other in a tournament bracket system until only one word remains.

The reverse process is used to detect a watermark. The scoring of each word is compared against the candidates that could have been chosen. If it scores too highly against the random-number-driven preference, the text is considered watermarked.

You can read more about the details, and Google’s large-scale testing with Gemini, in their paper: https://www.nature.com/articles/s41586-024-08025-4.

Finally, It’s Banned…

If you need proof that cryptographic standards move slowly, look no further.

Thirty-one years ago, Bruce Schneier lambasted ECB mode in his seminal book, Applied Cryptography. Finally, in 2024, it’s about to be banned in the standards.

Electronic codebook (ECB) is a block-cipher mode that describes how to encrypt long messages. ECB is the simplest possible mode: the message is divided into equal-sized blocks, encrypted, and then concatenated. However, this simplicity caused a lot of problems.

One major issue is that patterns in the message show through as patterns in the encrypted data. This is best demonstrated in the classic penguin image, which I’ve included in this post. There’s so much structure and repeated data in the original image that the encrypted version still looks like a penguin.

Despite this problem (and others), ECB was widely adopted. Unfortunately, this made it very difficult to erase. Cryptographic standards have complex inter-dependencies, which makes it hard to remove a foundational ingredient like a cipher mode. It’s taken many years to get to the point where ECB can finally be killed.

Remember, just because something is standardised doesn’t mean it’s the best choice. Always do your research to find the best option.

Thanks, GSMA!

Here’s something post-quantum fans should bookmark.

The GSMA has compiled a list of governmental guidance on the transition to post-quantum. For each country, you get links to the official documents alongside a summary of their timeline requirements and preferred algorithms.

It was last updated in early October, so it’s reasonably fresh. It has data for Australia, Canada, China, the Czech Republic, the European Union, France, Germany, Italy, Japan, Netherlands, New Zealand, Singapore, South Korea, Spain, the United Kingdom, and the United States.

Bookmark this link: https://www.gsma.com/newsroom/post-quantum-government-initiatives-by-country-and-region/.

Don’t bother lengthening your RSA keys, says NIST. Just move straight to quantum-safe algorithms. But does that leave a security gap?

The new rules come from NIST SP 800-131A Rev. 3, which is out for public comment.  There’s too much in this document to cover in one post. But I want to zoom in on the rules around key strengths.

In previous documents, NIST set a 2030 deadline for transitioning from 112-bit security to 128-bit security. This meant moving from to 3072-bit RSA or 256-bit ECDSA or stronger.

Since then, post-quantum algorithms have been standardised, and NIST feels it’s unfair to expect two big shifts in cryptography in a small space of time. As a result, they are encouraging organizations to shift directly from 112-bit security to post-quantum.

This is pragmatic and will reduce costs. But it does leave a security hole.

To give organisations time to move to post-quantum, they're removing the 2030 ban on 112-bit security. Instead, it will be merely deprecated. Meanwhile, there isn’t yet a NIST timeline for moving to post-quantum algorithms. I assume the date will be significantly after 2035 since that is the timeline for federal government migrations.

Why is this important? Well, it means a system in 2036 (perhaps) might be running on only 2048-bit RSA. Not only is this system more vulnerable to classical attacks, but 2036 is also right in the range of when quantum computers might break cryptography. And you need a less powerful quantum computer to break 2048-bit than longer bit lengths.

I shall be submitting a comment to suggest they rethink this approach. Yes, it will be harder to make two shifts. However, we know from experience that people avoid changing cryptography unless they are forced to do so. And even then, they drag their heels.

Let me know in a reply if you agree or disagree with this.

Cryptanalysis in Short Supply

With the fuss around the new PQC standards, it’s easy to forget NIST is still hunting for new signature algorithms.

Last week, the selection process entered its second round, with 14 candidates surviving from a pool of 40. This round of analysis will last up to eighteen months and will be followed by a third and final round.

Worryingly, NIST noted that “some of the second-round candidates have received little or no published cryptanalysis”.

Perhaps the academic community has grown tired of examining dozens of algorithms. Or maybe they’re focusing on breaking the new standards since that brings far more kudos...

You can read the report from NIST here: https://csrc.nist.gov/pubs/ir/8528/final.

CPU, GPU, … VPU?

Have you ever heard of a verifiable processing unit (VPU)? Me neither. But a startup claims VPUs will revolutionise high-performance cryptography, like GPUs revolutionised AI.

The company, Fabric, argues that high-performance cryptography needs hardware acceleration. However, the options available today are not great. Either you try your best with GPUs, which are not designed for cryptographic operations, or you spend a lot of money to build custom silicon.

They are working on a third option – a brand-new type of chip, with an instruction set designed to accelerate trendy crypto operations, like zero-knowledge proofs and fully homomorphic encryption.

I’ve never met the team at Fabric and have no idea if their technology is sound. But I shall watch with interest to see if the concept of a VPU takes off.

You can read a one-sided and investor-focused overview of their technology here: https://www.blockchaincapital.com/blog/the-dawn-of-a-new-era-in-cryptography-with-fabrics-innovative-vpu-technology.

Separately, this reminds me of the ongoing efforts to build a memory-safe processor architecture, which started as the CHERI project at Cambridge University. The CHERI team has since partnered with ARM and Microsoft to bring this closer to reality: https://newsroom.arm.com/news/morello-research-program-hits-major-milestone-with-hardware-now-available-for-testing.

Were the recent Salt Typhoon attacks a hack-now, decrypt-later strategy?

The Chinese-backed group gained persistent access to telecom networks in the United States, seemingly with access to large amounts of encrypted data. Though they appear to have targeted federal wiretap systems, news reports suggest they had access to miscellaneous Internet traffic as well.

Stolen encrypted traffic could be attacked using a powerful quantum computer in as little as 10-15 years. And by examining metadata related to the connections (such as source/destination info), the masses of data could be prioritised for decryption.

This is wild speculation, of course. Hypocritical even, since I’ve recently denounced inflated media claims about Chinese activities. However, I’m flagging this because it’s a reminder of the need to accelerate the deployment of post-quantum cryptography.

We must assume nation-states are in our global networks, sniffing for interesting traffic. The sooner we can protect that with quantum-resistant technology, the better.

Even if Salt Typhoon isn’t gathering encrypted transmissions, it is a worrying reminder that powerful nations don’t struggle to infiltrate our systems.

Let me know in a reply if you think I’m being paranoid! And a hat-tip to Roy Stephan for planting this question in my head.

P.S. I messed up my LinkedIn scheduling, so this post has already been published. You can join the conversation in the replies.

Is Multi-Party Computation on the Radar?

This interesting paper shows how multi-party computation (MPC) could solve a real-world problem: military radar fingerprinting among allies.

Radar fingerprinting identifies vessels based on the unique characteristics of the radar signal they emit. Tiny imperfections in the radar systems – like oscillator drift, power amplifier characteristics, or antenna configurations – create subtle variations in the transmitted signal.

Each country has a secret fingerprint database based on the vessels they’ve encountered. Allowing full access to this database, even to allied countries, would be challenging due to national security regulations. However, MPC can offer a neat solution to help allies identify vessels without sharing the crown jewels.

Read the paper for a deeper dive into the trade-offs made in such a solution and to learn more about MPC. However, the takeaway is that the authors demonstrate this solution would work in practice. Using an example scenario of a ship approaching an offshore installation at speed, they conclude that the ship can be identified within 400 seconds, with an unoptimized implementation.

Link to the paper: https://eprint.iacr.org/2024/1590.

Why Encryption Is a Bit Like Ordering Pizza

I can’t decide if this is deranged or brilliant. I think I’m leaning towards brilliant.

It’s a paper full of analogies to help you discuss cryptography and the quantum threat. I often find the right analogy is critical when telling stories about technology. For instance, talking about padlocks and keys has helped me explain the difference between cryptography algorithms and randomness to a wide range of audiences.

This paper provides analogies for a wide range of subjects, from the basics of cryptography to network security. The analogies are amusingly varied, including pizza delivery systems, trains, and aircraft flight dynamics.

Read the paper here: https://eprint.iacr.org/2024/1487.

Have the Chinese broken “military-grade encryption” using quantum computers, as claimed in the media?

Of course not. But let’s use this as an example of distinguishing fact from fiction in the world of cryptanalysis.

In this case, Chinese scientists claim to have worked with a quantum annealing company to demonstrate attacks against substitution–permutation network (SPN) structures.

The AES algorithm relies on SPN structures to operate. Remember those “S-boxes” you’ve seen in diagrams about AES? That’s what we are talking about.

However, breaking one SPN-based algorithm doesn’t bring you closer to another. In this case, it seems like the Chinese have broken some toy algorithms that happen to use SPN structures. And the media have translated this into “AES broken, world ends”.

But we don’t need to pick apart the details to realise these media claims are nonsense. We just need to apply a modicum of common sense. If you were the Chinese military and you had just broken AES, what would you do?

I suspect speaking to the South China Morning Post would be quite far down your priority list. Instead, you would maximise your informational advantage, without revealing you’ve broken a critical global cipher.

Any major cryptographic break, whether from academics or government spooks, would follow the same pattern. Either you wouldn’t hear about it, or someone would post definitive evidence. It would likely be the former since the spooks are quite good at suppressing these things.

Shame on the journalists for allowing their headline writers to get away with murder.

The Vanishing Bitcoin Trick

Imagine inventing a new attack against Bitcoin, only to discover the criminals beat you to it. Here’s the story of how $10 million vanished without a trace…

First, some background. Bitcoin uses the Elliptic Curve Digital Signature Algorithm (ECDSA) for transaction security. It’s difficult to write a good ECDSA implementation because small mistakes can reveal your private key.

ECDSA relies on nonces, which are random numbers used only once during a cryptographic operation. Small weaknesses in your ECDSA nonces can be exploited to reverse-engineer your private key.

In 2023, researchers discovered a new flaw in ECDSA nonce generation related to weak random number generators. With this attack, dubbed Polynonce, tiny correlations between the random numbers in the nonces and the private key were exploited to break the private key.

Curious about the impact of this attack, the researchers downloaded the entire Bitcoin transaction history. They discovered over 700 wallets that exhibited evidence of this weakness. But here’s the catch – someone beat them to it.

The wallets were all empty.

Digging further into the transactions, they concluded at least $10 million was stolen because of this Polynonce weakness. These thefts were unreported until that point, which makes me wonder how many other undiscovered attacks there are on weak randomness or other ECDSA vulnerabilities.

I recommend reading this blog for more details on the research behind Polynonce: https://research.kudelskisecurity.com/2023/03/06/polynonce-a-tale-of-a-novel-ecdsa-attack-and-bitcoin-tears/.

Thanks to Kevin Milner for drawing this to my attention.

End-to-End Security (Ish)

A recent paper exposed vulnerabilities in four major providers of end-to-end (E2E) encryption for public clouds.

The providers involved are not household names, yet they are leaders in the E2E encryption space. Their websites claim they are trusted by organizations such as the German and Canadian governments, Amnesty International, SAP, and many others.

The goal of these E2E solutions is to protect confidential data from malicious or compromised cloud providers. Users should have full control of the data, as well as the encryption keys that protect it.

The paper tells a different story. The researchers found basic cryptographic errors in 4 out of 5 providers, including lack of authentication, protocol downgrade attacks, and link-sharing exploits.

Quoting from the paper:

“Not all of our attacks are sophisticated in nature, which means that they are within reach of attackers who are not necessarily skilled in cryptography. Indeed, our attacks are highly practical and can be carried out without significant resources. Additionally, while some of these attacks are not novel from a cryptographic perspective, they emphasise that E2EE cloud storage as deployed in practice fails at a trivial level and often does not require more profound cryptanalysis to break.”

Read the full details here (PDF): https://eprint.iacr.org/2024/1616.pdf.

Given the trivial nature of these attacks, I doubt any penetration testing was performed on these systems. I suggest this serves as a warning for anyone buying sophisticated encryption systems: do your homework. Probe the providers to understand who has assessed their systems. Ask for previous penetration testing reports and be deeply suspicious of any perfect “nothing found” scores.

Unpopular opinion: you don't need a VPN to use public Wi-Fi.

Consumer VPN vendors want you to fear the Starbucks Wi-Fi. However, with recent enhancements to cryptographic protocols, the risks are dwindling.

For years it's been safe to exchange confidential data using public Wi-Fi. TLS protects every important service you access, including online banking and work emails. The data is end-to-end encrypted, offering no option for an evil employee to spy on it.

Now, privacy is a different matter. Some folks don't want the Wi-Fi owner to know which websites they are visiting. There are two ways this information can leak, and both routes are becoming less viable.

The first is through DNS queries. Historically, these have been sent in plaintext, which exposes the website you want to visit. However, modern browsers support encrypted DNS queries, which plugs this gap.

The second leak is via TLS handshakes. One of the messages sent during the handshake is the ClientHello, which exposes plaintext information about the server you want to connect to. However, a solution is on the way, called encrypted ClientHello (ECH). A draft RFC is nearing completion, and major players, including Cloudflare and Mozilla, are supporting the initiative.

Once all these pieces are in place, public Wi-Fi will be risk-free. Even today, the biggest risk is that a skilled hacker might figure out which domains you visit, but they won’t be able to see the specific pages you access. For most of us, that's not a big deal.

If you're paranoid enough to worry about that, what makes you think you can trust a $5/month VPN provider?

P.S. Thanks to Prof Bill Buchanan for writing about this recently - I wasn't aware of ECH until then.

Myth-Busting Quantum Key Distribution

“Quantum key distribution doesn't improve security because it relies on a classical authentication channel.”

I still hear this viewpoint being touted by people who, frankly, ought to know better. To explain why this is wrong, we need to consider something called "everlasting security".

A key exchange protocol that exhibits everlasting security is immune to future advances in cryptanalysis. Even if the algorithms used in the key exchange are broken, the keys will not be revealed.

QKD offers everlasting security, provided the authentication channel is not broken during the execution of the protocol. Said another way, an attacker would have to possess a zero-day exploit for the classical channel and execute it during the time it takes for the QKD protocol to complete. If this is not accomplished, the keys remain secure indefinitely.

This is a stronger guarantee than offered by key exchanges that rely on public-key cryptography. Here, an attacker could record the exchange and attack it in the future, using advances in cryptanalysis. For example, if ECDSA was broken in two years, an attacker could decrypt the recorded key exchange and steal the key. This would not be possible if QKD were used.

That being said, QKD faces many challenges that prevent its widespread adoption. So we will continue with classical key exchanges for quite some time!

Amazon’s Subtle But Important Decision

AWS services now prioritise post-quantum security over performance.

If a connecting client advertises support for PQC algorithms, the server will select them, even if it introduces additional round-trip times.

This decision is more important than it seems.

AWS could have taken a different path, preferring well-established classical algorithms unless the client forced the selection of PQC algorithms. However, they've opted to use PQC by default.

If AWS left it to clients to mandate PQC algorithms, the global migration would be slower, and we would discover errors and issues further down the path.

I hope other service providers follow suit so the transition to PQC will be as seamless as possible.

You can read more about Amazon's work here: https://aws.amazon.com/blogs/security/customer-compliance-and-security-during-the-post-quantum-cryptographic-migration/.

I’m going to just pretend my hiatus didn’t happen, and leap straight into edition #30…

Deep Learning Meets Quantum

This is cool. MIT researchers claim to have used the quantum properties of light to increase the security of deep-learning computation.

The proposed protocol allows a client to securely perform inference on their own data, using a model generated by a central server. The security of the model is preserved because the client is unable to store the model weights sent by the server (thanks to quantum behaviour). And the client data is preserved because the inference is performed locally, avoiding sending sensitive data to the cloud.

This nicely fits real-world ML use cases, such as a doctor wanting to perform analysis on sensitive patient data, using a proprietary model owned by a third party.

The MIT article does a great job of explaining how the protocol works (and links to the underlying paper). Interested readers should learn more here: https://news.mit.edu/2024/new-security-protocol-shields-data-during-cloud-based-computation-0926.

This project reminds us that quantum cybersecurity isn't just about quantum randomness and key distribution.

Deloitte Sets the Tone

Deloitte's recent white paper is a big deal for the QRNG industry. Here’s why:

Firstly, a credible third party is weighing in on the topic. It’s one thing for people like me to gush about QRNGs since my company is knee-deep in the game. But for Deloitte to stick their neck out on the topic is quite another.

Consumers of advanced products struggle to separate hype from reality. When measured opinions emerge from companies like Deloitte, it helps buyers comprehend the menu in front of them.

Secondly, it provides a language framework to use. Language matters around new technology. We’ve seen in the broader quantum world how hard it is to wrestle with “advantage” vs “supremacy” vs “utility” and so forth. In the QRNG world, we’ve also struggled with terminology, around what it means to be “proven” or to be “truly random” (if such a thing exists).

The paper solves this by defining four levels of security for random number generators. Level 3 is the typical quality level found in cryptosystems, and it falls short of Level 4 because it cannot prove the quality of the output. Only QRNGs can inhabit Level 4, although most are still stuck in Level 3.

Finally, papers like this encourage standards bodies to take note. The consultancies are focusing on QRNGs because their customers are asking. The standards bodies need to be ready to adapt to the changes in front of them. The framework proposed in this paper could find its way into the standards one day.

You can read the Deloitte paper here (PDF): https://www.deloitte.com/content/dam/assets-shared/docs/services/risk-advisory/2024/qrng-what-is-the-fuss-all-about.pdf

Congrats to the authors: Itan Barmes, Colin Soutar, and Carlos Abellan.

Maybe They Wrote It Badly First Time?

A post for the crypto geeks. (And I mean cryptography, obviously.)

Though I regularly comment on the quantum side of cyber, it's great to know folks are still paying attention to the algorithms that got us this far.

In particular, a recent blog from Amazon gives a great overview of how elliptic curve cryptography works, and how they've painstakingly optimized it for better performance and security.

In one setting, they saw an 86% increase in performance through these changes. Impressive!

There's also some interesting commentary around proving algorithm correctness at the assembly level, which means their proofs are independent to the compiler.

You can read the gory details here: https://www.amazon.science/blog/better-performing-25519-elliptic-curve-cryptography.

Europe is one step away from agreeing to an EU-wide digital wallet. This is pretty cool!

The new wallets would serve as a form of digital identity, as well as proof of personal attributes (such as an educational degree). It could also be used to produce qualified electronic signatures, which are legally binding in EU courts.

Interestingly, the European parliament has mandated wallet software be open-source, in the interest of security. A bold step, which makes a lot of sense, given the long history of shoddy cryptography in closed systems.

There is also a strong encouragement to use zero-knowledge proofs. Relying parties should be able to “validate whether a given statement based on the person’s identification data and attestation of attributes is true, without revealing any data on which that statement is based, thereby preserving the privacy of the user”. It’s great to see advanced cryptography concepts being written into policy.

Sadly, in a post-Brexit world, I’ll have to watch with envy from the shores of Britain. Missing out on this cool technology may hurt even more than the “All Passports” lane.

PQC Is Coming to TLS… Slowly

Cloudflare reports that 1-2% of TLS connections use post-quantum algorithms today.

Almost all of that traffic comes from Google Chrome users. Roughly 10% of Google Chrome users have PQC algorithms enabled, according to Cloudflare.

On the one hand, this sub-2% figure seems pitiful. But when you consider how much traffic Cloudflare handles, you realise these post-quantum algorithms are getting hammered at scale.

Brave readers can check out Cloudflare’s blog. It’s a 10,000-word dissertation, covering everything from why we need PQC algorithms to performance metrics for individual algorithms.

Some Random Ideas

People have tried some very weird tricks to generate random data.

I recently spotted a blog which walks through some of the more esoteric ideas employed by companies like Cloudflare.

You may have heard about their Lava Lamp wall. But did you know each Cloudflare office has a different gimmick installed in the foyer, ranging from pendulums to overgrown baby mobiles?

Elsewhere, different organisations are measuring seismic activity or looking at atmospheric static and pulsars to try and find something unpredictable.

It’s almost sad that these ideas will soon be a nostalgic curiosity of the past. Nowadays, quantum technology allows us to generate provably random data. And while mixing sources of randomness is always a healthy idea, we won’t be needing walls of Lava Lamps to protect the internet going forward.

I hope people keep doing weird things to generate randomness. It’s fun to see what ideas get invented. But with my security hat on, I’m glad we will be relying on stronger quantum foundations in the years ahead.

A new paper claims to reduce the qubits needed to run Shor’s Algorithm. The updated approach requires fewer than 1,700 logical qubits to break a 2048-bit RSA key.

Should we panic? Probably not.

As with most attempts to optimise Shor’s Algorithm, trade-offs are being made. In this case, the consequence of reducing logical qubits is a significant increase in gate count (by a factor of 1,000). So it’s hard to judge whether “Y2Q” has gotten closer as a result.

And yet, each paper like this is a reminder that science doesn’t stand still. On the one hand, quantum computers are becoming more error-resistant and powerful each day. On the other hand, algorithm specialists are continually trying to optimise Shor’s Algorithm with papers like this.

All the more reason to take the quantum threat seriously and start planning!

You can check out the paper here: https://eprint.iacr.org/2024/222.

Pop Quiz

Can you spot the cryptographic coding error in this picture?

Look carefully!

If you can’t spot it, you might want to read this excellent article about constant-time cryptography:

https://www.chosenplaintext.ca/articles/beginners-guide-constant-time-cryptography.html

Constant-time algorithm implementation is critical for avoiding a whole bunch of nasty side-channel attacks in cryptography. And this article does a great job of introducing the topic to non-technical newcomers. Take a peek!

On Cryptographic Debt

Let’s talk about cryptographic debt, and how it spawned a presidential memo and a multi-billion dollar industry.

Cryptographic debt accumulates through years of bad security decisions taken in the interest of speed or as a result of ignorance. Much like technical debt, which plagues software development projects, cryptographic debt has to be repaid. And the longer you leave it, the more painful it becomes.

Examples of cryptographic debt include:

• Failing to implement key rotation.

• Hard-coding algorithm choices.

• Spattering crypto code throughout your project, instead of centralising it.

• Not following (or even having) a cryptographic policy.

• Losing track of where cryptography is being used.

A critical consequence of cryptographic debt is an inability to adapt quickly to changing circumstances.

And so here we are, in 2024, needing to change a lot of algorithms to tackle the quantum threat. And companies are finding it very tough indeed. They’ve lost track of what cryptography is in use, which data lives where, and changing anything requires rewriting software from scratch.

The result? A presidential memo urging federal departments to take action, and a multi-billion dollar industry supporting organisations through the pain that lies ahead.

All of this should have been easy, had we baked crypto agility into our systems when we had the chance.

It’s important to recognise we now have a wonderful opportunity to build a better future. The quantum threat is forcing us to change all of our cryptographic systems. This means we can solve some of these problems once and for all, and develop a more agile and future-proofed set of technologies underpinning our cybersecurity.

I fear it won’t happen because it requires spending more than the minimum possible money. However, I suspect we’ll need more algorithmic changes in the years ahead, so it would be a wise decision to eliminate cryptographic debt while we have the chance.

Apple Makes Post-Quantum Cool

Everyone’s talking about Apple's PQ3 announcement, but most reports miss the point. The important thing is NOT the technology.

The real significance of Apple adding post-quantum security to iMessage is the impact on the zeitgeist.

In the UK, the BBC’s prime-time radio show dedicated three minutes to the topic. Ten million listeners learned about post-quantum security while cooking their bangers and mash.

Outlets like Bloomberg and Fast Company also reported on the news, driving awareness into executive minds across the world. I suspect opinion pieces will soon appear in other major outlets as their editors notice the splash Apple’s announcement has made.

This is coverage of post-quantum security at a scale we’ve never seen before.

A raft of similar high-profile announcements will no doubt follow, as organisations race to be seen as security thought leaders. We’ve already seen this on a smaller scale in the last year, with Signal, OpenSSL and Google making their first announcements.

2024 has started with a bang for PQC, and Apple has done the industry a huge favour by raising awareness to new heights. I’m excited to see what happens next as we steam towards NIST's publication of the final standards.

If you haven’t seen the Apple blog yet, check it out here.

RSA Key Fingerprinting

Did you know RSA public keys have fingerprints that identify the cryptographic library that generated them?

In a paper from 2016, researchers studied sixty million keys generated by a range of open-source libraries and closed-source smartcards. By analysing the most significant byte of the public key modulus, distinct patterns were found.

These “fingerprints” can be used to identify which library generated a given key. The underlying patterns are caused by different approaches to the difficult task of prime number generation. The paper authors created heat maps, showing the likely distribution of bits, which are quite fascinating.

These fingerprints are not just a curiosity – they represent a potential cyber risk. If a vulnerability is discovered in a popular library, these fingerprints could be used to identify vulnerable keys in the wild. Similarly, fingerprinting could aid deanonymisation when using services like Tor.

You can see more of these cool graphs, and find links to the paper, on this website: https://rsa.sekan.eu/. And a hat-tip to my colleague Kevin Milner for drawing my attention to this paper several months ago.

Hybrid Opinions

Most post-quantum implementations, including Apple's PQ3, rely on a hybrid of traditional and PQC algorithms. So why are governments in the US and the UK still lukewarm on this concept?

In January, Daniel Bernstein posted an interesting blog with his views. It’s worth reading if you're building a quantum-safe system and are debating whether to go hybrid or not.

For those new to Bernstein's writing: brace yourself for conspiracy-theory vibes and plentiful jabs at NIST, the NSA, and allied organisations (like GCHQ). Yet, there is wisdom in what he writes. He carefully dissects the arguments against using hybrid modes and finds them wanting.

Check out his blog post here.

If NIST publishes their PQC standards tomorrow, would you be ready?

Today, you can dodge the issue. “I’d love to get started, but the standards aren’t out yet!” Soon that response won’t cut it any more.

The NIST announcement will be global news. The broadsheets read by company board members will cover it. High-ranking executives will helicopter down to ask about plans for tackling the quantum threat. You’ll be quizzed about store-now, decrypt-later attacks, and cryptographic inventories.

Hopefully, as a reader of my newsletter, you’re already thinking about this stuff. But if you’re a serial can-kicker, remember we might be less than 100 days from new PQC standards. And the deafening boom of a starting gun.

Faster QKD at Long Distances

A new paper from TU Eindhoven proposes a CV-QKD scheme with key rates far higher than typically assumed limits.

The scheme targets long-distance communications and relies on the use of unusual error-correcting codes. Typically these codes are impractical to implement because they require too much memory. But in long-distance CV-QKD, the low rates make it feasible to consider.

As a reminder, CV-QKD (or "continuous-variable" QKD) is an attractive technology because it operates at normal telecom wavelengths. This paper seems interesting because it explores higher key establishment rates at long distances, which will be a typical deployment model for QKD.

I freely admit this paper is beyond me mathematically, so I'll leave interested readers to conclude whether they find this result plausible and/or exciting.

You can find the paper here: https://arxiv.org/abs/2402.04770.

European Telcos Go Bananas for QKD

This article gives a good overview of the QKD activities of European telcos.

The interviewee is Andrew Lord, Senior Manager of Optical Research at BT. Andrew is well-known to those in the quantum cyber sector.

It's a balanced article that touches on NIST perspectives as well as hardware challenges. There's even a reference to my favourite subject, quantum randomness, which lies at the heart of QKD devices.

What's fascinating is the summary of activity by European telcos. Alongside BT, there are projects underway involving Deutsche Telekom, Orange, Telefónica, and Vodafone.

Take a read and let me know what you think.

Amazon just published a paper on PQC performance in TLS 1.3. The results are promising!

With good network conditions, there is a 5% impact of switching to post-quantum algorithms. In less ideal conditions, where stability or bandwidth is lower, the impact is 10-15%.

Uniquely, this research considered total data transfer time, rather than the initial TLS handshake. I prefer this approach because it mimics real-world concerns. Nobody cares about handshake speed. They care how long it takes to fling 200KB across their network.

Papers like this make me feel confident about the path ahead. In most settings, small overheads of 5-15% are not going to impact our lives.

Read the paper here: https://eprint.iacr.org/2024/176.

Launch of the Post-Quantum Cryptography Alliance

“We implemented some PQC algorithms” was never going to be a long-term software business model. And now the end has come.

The Linux Foundation just launched the Post-Quantum Cryptography Alliance, which seeks to be “the central foundation for organizations and open source projects seeking production-ready libraries”.

The founding members include Google, AWS, Cisco and IBM. Given this critical mass of big players, I expect the PQCA will become the leading open-source community for quantum-safe algorithm implementations.

The University of Waterloo, another founding partner, has contributed its Open Quantum Safe project to the PQCA. Open Quantum Safe has been a bedrock of the PQC community for years, thanks to its high-quality implementations and convenient plugins for software like OpenSSL.

Despite this announcement, there’s plenty of opportunity for vendors who specialise in hardware implementations of PQC algorithms. But for those who peddle non-descript software with the only differentiator being PQC algorithms, the future looks bleak.

Kyber in 500 Beautiful Lines of Code

Kyber in 500 lines of code and actually readable 🙌

I don’t often delve into the nuts and bolts of algorithm implementation, but I was inspired by the recent work of Filippo Valsorda. Filippo was the head of cryptography for the Go team at Google and is now a professional open-source programmer.

He wrote an implementation of ML-KEM (f.k.a Kyber) in the Go language, straight from the FIPS-203 draft standards. It is remarkably readable, concise, and somewhat performant.

You can read his blog about the topic, but here are my takeaways:

• Readability will pay dividends for years to come. Security bugs are nasty, and we all need code that is clear and concise.

• The specs work! Filippo didn't refer to the reference implementations and worked straight from the FIPS-203 draft specs.

• Exhaustive testing needn't bloat the code base. In another 650 lines of code, 95%+ code coverage was achieved.

I might have to fire up the text editor and write some Go code! I miss it.

Quantum: Jekyll or Hyde?

If you’re interested in quantum cybersecurity, you should check out the paper published on arXiv last week:

“Assessing the Benefits and Risks of Quantum Computers”

It’s a broad title and a broad paper. Thirty-four pages of dense text attempt to answer the question: “Will quantum computers be economically impactful before they become a threat to cryptography?”

The authors are all big hitters in the quantum and cyber worlds, so I was keen to read it. Here are some takeaways on the crypto side:

• (Spoiler) The authors expect economic benefits to arrive first. Quantum computers that threaten cryptography are expected to arrive later.

• Several techniques appear promising for accelerating the arrival of economic value on quantum computers. However, there’s no known work in the literature that enables cryptanalysis to be performed using those same techniques.

• It is unlikely that cryptanalysis will be possible without fault tolerance. The same may not be true for economically useful activities.

• Section 4.2 provides a summary of the best resource estimates for running Shor's and breaking RSA and ECC. Later in that section, it is noted that RSA will be far harder to break than ECC for the same security strength, based on the state-of-the-art approaches.

• Section 5 goes into quite some detail on quantum-safe migrations. (I said it was a broad paper!). There is nothing fundamentally new in there from my perspective, but it’s a good read for those who don't know the topic.

Is it important to know which milestone comes first (cryptanalysis vs business use cases)? I’m not sure it is. But in answering that curious question, this paper consolidated a lot of interesting data and perspectives, which will prove helpful to the quantum cyber community.

You can read the paper here: https://arxiv.org/abs/2401.16317.

P.S. I lack a PhD in quantum computing, so I was taking much of this paper at face value.

That Certificate Looks Familiar!

Today I learned that public CAs issue certificates for compromised private keys every day!

The aptly named “pwnedkeys” service publishes a warning every time a compromised private key is certified. It scrapes the Certificate Transparency logs and compares the thumbprints of new certificates against a naughty list of broken keys. Each time a match is found, it's added to the database and posted online.

In case you’re wondering, private keys become compromised (i.e. known publicly) for all sorts of reasons. Often, developers post them to GitHub by mistake. Sometimes, software or hardware mistakes result in private keys being overly predictable.

Whatever the reason for the compromise, it’s a bad idea for a CA to issue a certificate for a broken key. And yet they do it every day.

The numbers are not staggering. However, we can assume this is the tip of the iceberg. This service is run by one guy doing his best to spot broken keys using Internet searches, and there are still several hits a day.

You can read more about this service in this blog post. And you can see the bot announcing compromises here.

Prepare Your Photons

ETSI just published an update to their Common Criteria Protection Profile for QKD.

The original document was launched with some fanfare in early 2023. It targets prepare-and-measure QKD devices (only) and helps manufacturers prepare their equipment for evaluation at a testing house.

I couldn’t see a changelog for this document, so I’m not sure what has been tweaked. But presumably, the updates are to address a year of feedback from companies passing through the process.

You can find a link to the document on the ETSI website: https://www.etsi.org/committee/qkd.

I have a few thoughts on this topic, which I’ve split into two posts below. As a reminder, this newsletter is a concatenation of my future LinkedIn posts, which sometimes means I split large topics into multiple pieces.

I’d love to hear your replies on this QKD topic. I suspect it will divide Chasing Cyber readers!

Finally, I apologise for the broken link in my last newsletter. The German BSI website doesn’t work properly when I link to it from my emails. To view the BSI report, check out the web version of the last edition, where the link works correctly.

After the Hype Comes the Storm

Yikes! Who spat in their bean curd? Quantum key distribution (QKD) gets slammed in the latest assessment from European governments.

The joint report from the French, German, Swedish, and Dutch governments is highly critical of QKD and strongly advocates for post-quantum cryptography or symmetric key distribution.

The mere existence of this report demonstrates a big challenge in the quantum cybersecurity industry. Too many voices still preach “perfect” or “unhackable” quantum solutions. While this attracts commercial success (to some degree), it forces government agencies to put our hit pieces like this one.

Let’s hope these negative reports don't squash a useful technology in its infancy. It reminds me of how the UK government failed to launch a digital ID system because they positioned it as a solution to terrorism. Had they pitched it as a cheap, wallet-sized passport, we may have had a different outcome.

I firmly believe QKD has a role to play in the future of cybersecurity. But right now, it needs support from governments and not public criticism. And yet, I struggle to blame these agencies for their report, as they've been forced to respond to the hype in the industry.

The report itself is very one-sided and overlooks significant challenges for both post-quantum algorithms and symmetric key distribution. But the criticism levelled at QKD is mostly fair. In my next post (below), I’ll break that down and analyse it.

Meanwhile, you can read the report here: https://cyber.gouv.fr/actualites/uses-and-limits-quantum-key-distribution.

P.S. If “spat in your bean curd” had you confused, watch Disney's Mulan.

Part Dieu – What’s Their Bœuf with QKD?

As mentioned above, the recent statement from European cyber agencies was highly critical of quantum key distribution (QKD). Here are the main challenges they pointed out:

Denial of Service

QKD systems only work correctly if there are no eavesdroppers on the line. This is one of the great strengths of QKD, but it is also a great weakness. A persistent eavesdropper can prevent any keys from being distributed.

Bandwidth Issues

QKD systems don't have enough bandwidth to support the distribution of one-time pads. Therefore, QKD systems are used to distribute cryptographic keys.

This means an unconditionally secure system (QKD) is used to distribute keys that will be used in systems that are not unconditionally secure. The report claims this weakens the overall benefit of QKD.

Lack of Protocol Standardisation

There has been no equivalent to the NIST PQC standardisation process applied to QKD. Of course, there are several popular schemes in the literature, e.g. BB84, but these have not been subjected to a formal standardisation process.

The report also criticises the lack of security proofs available for practical QKD protocols.

Limited Device Certification

Security devices are usually certified before being used in production. For instance, hardware security modules are usually FIPS 140-3 certified.

The report complains that there are only very limited certification schemes in place at the moment. Although, ironically, the German BSI is involved in such as scheme (and co-authored this QKD report).

Conclusions

Overall, much of the criticism in the report is fair. My main objection would be to the comments around bandwidth. They seem to imply there is no value in unconditional security in the distribution of keys, which doesn't feel right to me.

I believe many of these QKD challenges can be rectified with time. If we can control the hype around QKD and let it mature naturally, then it will become a valuable tool in the security toolbox.

It's a shame the agencies felt the need to put this piece out, but I agree with the fundamental recommendation – adopt PQC as a near-term solution.

Again, here's a link to the full report: https://cyber.gouv.fr/actualites/uses-and-limits-quantum-key-distribution.

An Allied Approach to QKD

NATO just announced its Quantum Technologies Strategy.

Their stance on quantum key distribution is more positive than we see from individual governments. Here’s what they say:

“In the future, further improvements could allow quantum key distribution to also contribute to secure communications.

... Allies can support each other... in the development and implementation of post-quantum cryptography and quantum key distribution to enhance the quantum-resilience of our networks.”

It’s great to see a balanced statement on the topic from NATO. To date, I’ve found national governments unnecessarily critical of QKD. At a conference last year, the French ANSSI even described it as “science fiction”.

QKD isn’t ready for large-scale deployment yet. But there’s no need to pour cold water on a technology that may offer future security improvements for critical communications. Well done to NATO for treating it fairly.

I also thought the conclusion of their quantum threat section was particularly interesting:

“Strategic competitors and potential adversaries may also leverage disinformation opportunities within Allied societies by creating public distrust of the military use of quantum technologies. Allies will seek to prevent and counter any such efforts through the use of strategic communications. NATO will support Allies as required.”

You can read the summary document here.

A History Lesson from GCHQ (and Hollywood)

Colossus was the Stephen Baldwin of World War II.

Despite being a strong contributor to the Allied success, few people know about Colossus. Pop culture favours the Enigma-busting Bombe machine instead.

To help rebalance this, GCHQ is celebrating the 80th anniversary of the Colossus machine, with some never-before-seen images:

Colossus was used to crack the Lorenz cipher, which encrypted strategic messages between senior German officers. It is widely regarded as the first programmable digital computer system.

The Colossus was kept secret until the early 2000s, which might explain its lack of fame. By contrast, the world learned the Enigma storyline back in the 1970s.

These stories make me wonder whether present-day ciphers have been similarly broken. I guess we’ll need to wait 30 years to find out.

You can read the GCHQ article here. And you can learn more about Colussus on Wikipedia.

QKD under das Mikroskop

If you’re building or buying a QKD system, you need to read this document.

The industrious folks at the German BSI have compiled the most comprehensive survey of QKD implementation attacks I’ve ever seen.

Over 300 papers were analysed, and 49 attack paths were identified. Each attack is graded with a feasibility score, and known countermeasures are listed.

One conclusion from the document is more research into continuous-variable (CV-QKD) systems is needed. The older and more established discrete-variable (DV-QKD) protocols have seen far more scrutiny over the years. This is reflected in the number of papers and attacks found so far.

The document is mostly news for QDK nerds. However, the opening sections provide a good overview of QKD technology, which would benefit the general reader.

You can access the report on the BSI website.