Chinese scientists have recently announced the use of a satellite to transfer quantum entangled light particles between two ground stations over 1,000 kilometres apart. This has been heralded as the dawn of a new secure internet.

Should we be impressed? Yes – scientific breakthroughs are great things.

Does this revolutionise the future of cyber security? No – sadly, almost certainly not.

At the heart of modern cyber security is cryptography, which provides a kit of mathematically-based tools for providing core security services such as confidentiality (restricting who can access data), data integrity (making sure that any unauthorised changes to data are detected), and authentication (identifying the correct source of data). We rely on cryptography every day for securing everything we do in cyberspace, such as banking, mobile phone calls, online shopping, messaging, social media, etc. Since everything is in cyberspace these days, cryptography also underpins the security of the likes of governments, power stations, homes, and cars.

Cryptography relies on secrets, known as keys, which act in a similar role to keys in the physical world. Encryption, for example, is the digital equivalent of locking information inside a box. Only those who have access to the key can open the box to retrieve the contents. Anyone else can shake the box all they like – the contents remain inaccessible without access to the key.

A challenge in cryptography is key distribution, which means getting the right cryptographic key to those (and only those) who need it. There are many different techniques for key distribution. For many of our everyday applications key distribution is effortless, since keys come preinstalled on devices that we acquire (for example, mobile SIM cards, bank cards, car key fobs, etc.) In other cases it is straightforward because devices that need to share keys are physically close to one another (for example, you read the key on the label of your Wi-Fi router and type it into devices you permit to connect).

Key distribution is more challenging when the communicating parties are far from one another and do not have any business relationship during which keys could have been distributed. This is typically the case when you buy something from an online store or engage in a WhatsApp message exchange. Key distribution in these situations is tricky, but very solvable, using techniques based on a special set of cryptographic tools known as public-key cryptography. Your devices use such techniques every day to distribute keys, without you even being aware it is happening.

There is yet another way of distributing keys, known as quantum key distribution. This uses a quantum channel such as line of sight or fibre-optic cable to exchange light particles, from which a cryptographic key can eventually be extracted. Distance limitations, poor data rates, and the reliance on specialist equipment have previously made quantum key distribution more of a scientific curiosity than a practical technology. What the Chinese scientists have done is blow the current distance record for quantum key distribution from around 100kms to 1000kms, through the use of a satellite. That’s impressive.

However, the Chinese scientists have not significantly improved the case for using quantum key distribution in the first place. We can happily distribute cryptographic keys today without lasers and satellites, so why would we ever need to? Just because we can?

Well, there’s a glimmer of a case. For the likes of banking and mobile phones, it seems unlikely we will ever need quantum key distribution. However, for applications which currently rely on public-key cryptography, there is a problem brewing. If anyone gets around to building a practical quantum computer (and we’re not talking tomorrow), then current public-key cryptographic techniques will become insecure. This is because a quantum computer will efficiently solve the hard mathematical problems on which today’s public-key cryptography relies. Cryptographers today are thus developing new types of public-key cryptography that will resist quantum computers. I am confident they will succeed. When they do, we will be able to continue distributing keys in similar ways to today.—in other words, without quantum key distribution.

Who needs quantum key distribution then? Frankly, it’s hard to make a case, but let’s try. One possible advantage of quantum key distribution is that it enables the use of a highly secure form of encryption known as the one-time pad. One reason almost nobody uses the one-time pad is that it’s a complete hassle to distribute its keys. Quantum key distribution would solve this. More importantly, however, nobody uses the one-time pad today because modern encryption techniques are so strong. If you don’t believe me, look how frustrated some government agencies are that we are using them. We don’t use the one-time pad because we don’t need to. The same argument applies to quantum key distribution itself.

Finally, let’s just suppose that there is an application which somehow merits the use of the one-time pad. Do the one-time pad and quantum key distribution provide the ultimate security that physicists often claim? Here’s the really bad news. We have just been discussing all the wrong things. Cyber security rarely fails due to problems with encryption algorithms or the ways that cryptographic keys are distributed. Much more common are failures in the systems and processes surrounding cryptography. These include poor implementations and misuse. For example, one-time pads and quantum key distribution don’t protect data after it is decrypted, or if a key is accidentally used twice, or if someone forgets to turn encryption on, etc. We already have good encryption and key distribution techniques. We need to get much better at building secure systems.

So, I’m very impressed that a cryptographic key can be distributed via satellite. That’s great – but I don’t think this will revolutionise cryptography. And I certainly don’t feel any more secure as a result.

Featured image credit: Virus by geralt. CC0 public domain via Pixabay .

The post Who needs quantum key distribution? appeared first on OUPblog.