
Intelligence agencies don’t like encryption with Quantum Key Distribution


Several European intelligence agencies voiced their criticism about Quantum Key Distribution (QKD) in a recent position paper. This encryption method theoretically guarantees secure communications by preventing anyone from intercepting keys undetected. The agencies point to several supposedly inherent flaws and note that a practical implementation would be far too costly and limited. Marc Hulzebos, Innovation Officer at Eurofiber, explains that the existing challenges of QKD are in fact being addressed.

Agencies in Germany, France, the Netherlands and Sweden voiced their criticism of Quantum Key Distribution in a 7-page document. The position paper appeared last week, whereas previously, the encryption method has typically received media attention when proof-of-concepts and test beds were set up. Hulzebos argues that such projects are already bearing fruit: they show that some of QKD’s supposedly insurmountable problems are actually solvable.

A year and a half ago, Techzine attended a successful QKD demonstration by Eurofiber together with partners QuTech and Juniper. This QKD testbed was set up on Eurofiber’s fiber-optic connections between datacenters owned by the same company. An “untappable,” multi-user quantum network has been set up by several parties, although its widespread commercial use is still in the future. The technology was developed by Q*Bird bv, a spin-off of QuTech. In addition to Eurofiber and Juniper, Cisco, the Dutch universities of Delft and Eindhoven and others are also engaged in quantum projects. With what’s known as MDI-QKD (measurement-device-independent quantum key distribution), more and more users can join a scalable network for guaranteed secure communication.

Criticism does not apply to every form of QKD

This example contradicts a central claim of the position paper, which criticizes limitations it considers inherent in QKD. For example, because the keys are distributed via single photons, the distances involved are very limited. To make communication possible over hundreds or even thousands of kilometers rather than dozens, an intermediate node is needed. The paper assumes these to be trusted nodes. Hulzebos indicates that there’s a fundamental difference here, because MDI-QKD uses a central untrusted node. It never sees what information is passed on, but only performs a measurement. In other words, the criticism of the intelligence services does not apply to every QKD variant.
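The following toy model of the MDI-QKD sifting step is an added illustration, not code from Eurofiber, Q*Bird or the position paper. It assumes a lossless, noise-free channel and an idealised relay that can only announce one of two Bell-state outcomes (labelled `psi+` and `psi-`) or nothing; all function names are hypothetical. It shows that Alice and Bob end up with identical keys while every public announcement is consistent with both key bit values.

```python
import random

def relay_measure(basis, a_bit, b_bit, rng):
    """Untrusted relay: returns 'psi+', 'psi-' or None (inconclusive)."""
    if basis == "Z":
        # Equal bits never produce a conclusive result in the Z basis.
        return rng.choice(["psi+", "psi-"]) if a_bit != b_bit else None
    # X basis: half the rounds are inconclusive; the rest reveal only parity.
    if rng.random() < 0.5:
        return None
    return "psi+" if a_bit == b_bit else "psi-"

def run_mdi_qkd(rounds, seed=1):
    rng = random.Random(seed)
    alice_key, bob_key, transcript = [], [], []
    for _ in range(rounds):
        a_basis, b_basis = rng.choice("ZX"), rng.choice("ZX")
        a_bit, b_bit = rng.randint(0, 1), rng.randint(0, 1)
        if a_basis != b_basis:
            continue  # sifting: rounds with mismatched bases are discarded
        outcome = relay_measure(a_basis, a_bit, b_bit, rng)
        if outcome is None:
            continue
        transcript.append((a_basis, outcome))  # all that is ever made public
        # Bob flips his bit whenever the announcement implies opposite bits.
        flip = 1 if (a_basis == "Z" or outcome == "psi-") else 0
        alice_key.append(a_bit)
        bob_key.append(b_bit ^ flip)
    return alice_key, bob_key, transcript

def key_bits_per_announcement(alice_key, transcript):
    """For each public (basis, outcome) pair, which key bits occurred?"""
    seen = {}
    for bit, public in zip(alice_key, transcript):
        seen.setdefault(public, set()).add(bit)
    return seen

if __name__ == "__main__":
    a, b, t = run_mdi_qkd(2000)
    print("key length:", len(a), "keys match:", a == b)
    for public, bits in sorted(key_bits_per_announcement(a, t).items()):
        print(public, "-> key bits seen:", sorted(bits))
```

The relay's announcement fixes only whether the two bits were equal or opposite, which is why the node does not need to be trusted with the key itself.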

Marc Hulzebos, Innovation Officer at Eurofiber

Hulzebos argues that distance need not be such a big problem for QKD at all, in particular when enabled through an advanced digital infrastructure such as in the Netherlands. “The fewer fiber optic splices you encounter along the way, the further you get,” he says. In other words, the quality of the fiber-optic cable network is essential. That explains why Eurofiber felt compelled to participate in the development of QKD. It specializes in building connections that are as reliable and fast as possible, meaning it can play a key role in developing a deployable form of QKD. The company is working with Q*Bird on a way to bring it to market. “We asked ourselves: if you can make it affordable, who can you sell it to?”

Trial and error

In all likelihood, QKD will be a niche product. However, it can potentially secure communications around the most critical information. Examples include the sharing of patient data or the security around high-voltage grids.

Currently, all of this is protected by keys that are virtually impossible to crack, but in time, quantum computers could change that. Shor’s algorithm could theoretically break any classical encryption at an exponentially faster rate than what’s currently possible. Since QKD contains no crackable encryption, it is “quantum proof”. However, the intelligence agencies argue that post-quantum cryptography is already better established elsewhere than QKD is.

Hulzebos readily acknowledges that QKD is still in need of further development. However, he points out that the alternatives are anything but foolproof. When NIST challenged cryptographers to come up with quantum-proof methods, the end results weren’t quite what they were hoping for. One of the finalists’ proposed methods was cracked in as little as 62 minutes using an ordinary computer with a single CPU core. As Hulzebos puts it: “No machine can already apply Shor’s algorithm. There is currently only room to theorize about how such a computer would use it to break encryptions. We’re unaware of potential other algorithms that may be developed for quantum computers in the future. We don’t currently know what we’re protecting against with current encryption standards.”

“For a CISO, it is also becoming increasingly relevant in what direction encryption is developing, because CISOs are increasingly being held accountable,” Hulzebos observes.

From security profile to security target

Either way, QKD requires a somewhat different view of security practices. Normally, says Hulzebos, a security profile is drawn up at a customer’s site. This involves ranking which data and which resources should be protected with the most robust security method. By contrast, the development of QKD forces parties like Eurofiber to zero in on the security target, or in other words: what would a client want to protect using this method? “We don’t know right now where companies will seek security at the lowest layers,” he says.

The investigative phase is still ongoing, then. According to Hulzebos, the criticism of QKD by the intelligence services is not very remarkable. “What’s being said here isn’t causing total bewilderment within the encryption world, it’s not a new story. In the meantime, the development of QKD continues, and new protocols like MDI-QKD can refute many of the arguments for not applying it.” He also argues that the technology can complement other encryption methods.

In doing so, Eurofiber is said to take on a social responsibility where government agencies also play a role. At the European level, for example, there’s EuroQCI, which is using input from all member states to construct the world’s first digital infrastructure for quantum technology. “Work is in full swing on that,” Hulzebos said. Eurofiber and several other Dutch companies are taking a leading role in the development of quantum, too, with the governmental project Quantum Delta NL taking an ambitious approach to securing the Netherlands’ leading role in connectivity both in Europe and globally.
