China's 'future-proof' crypto: We talk to firm behind crazy quantum key distribution network
Should we believe the hype? And why drop so much $$?
Two hundred local government employees across the capital of China's eastern Shandong province will soon be encrypting messages with keys that are "impossible" to crack.
QuantumCTek, headquartered in the humid, subtropical city of Hefei in eastern China, will next month launch a commercial network for creating and sharing secure "quantum keys" across 200km² of Jinan, China. It'll be the first such citywide system in the country, and outside scientists tell us it's likely one of the largest in scale (at least, that isn't top secret) in the world.
The classical encryption we enjoy today in our apps, sites and services has a tiny flaw: it's based on the principles of mathematics. If a computer were able to make an unlimited number of guesses, then it could theoretically discern any key.
Many security professionals call existing government-grade cryptosystems – such as 128-bit or 256-bit AES keys – secure enough for practical purposes. It would take today's computers an infeasible amount of time to find the correct key and then crack private messages open. (It's publicly known that the US's National Security Agency can today crack 80-bit encryption, but scientists believe that AES-256, which could require a computer to make up to 2^256 guesses, might take 100 years to be feasible to crack.)
QuantumCTek CEO Yong Zhao is worried about the future possibility: quantum computers, which can exploit the mysterious principles of quantum mechanics to perform computations much faster than a classical computer, finding values for keys much more quickly. With one quantum computing algorithm, for example, 256-bit keys could be discerned in 2^128 steps or less.
Distributing RSA over a public communication channel might not be secure if RSA could be cracked, Zhao says.
QuantumCTek's new quantum key distribution network, as first reported by China's state news agencies earlier this month, has six "control centres" spread throughout Jinan that facilitate sharing keys hidden inside the states of photons. Like quantum computers, these special keys exploit the principles of quantum mechanics.
In this case, the aim is to make them physically unguessable, thus future-proofing encryption done with these keys against possible attack.
"We know there's no backdoor," Zhao told The Register.
How it works
In the quantum key distribution network, the control centres generate and store random keys at 10kbps, 24 hours a day. The bits of these keys are stored as 0 or 1 in the polarisation states of photons. By the principles of quantum mechanics, once you measure a photon's state, you can't measure it again without changing the state – so good luck guessing it after it's used!
The system has one fibre for sharing photons and one fibre for data transfer.
For our classic crypto couple Alice and Bob to communicate, they first must receive a secret random number, N, that will be used to help authenticate their interaction via any one of the control centres.
Then, they each generate their own separate sequence of random bits, A1 for Alice and B1 for Bob. Alice and Bob send their respective bits – stored as photon states – to that control centre.
Using four semiconductor photodetectors (about the size "of a small box" – Zhao declined to clarify their size or provide further technical details), the control centre measures their polarisation state and creates new bit sequences, C1 for Alice and C2 for Bob. After doing some postprocessing for length and security (C1 and C2 are shorter than the original bits because of fibre losses, channel noise and measurement error), the control centre creates a K1 for Alice and K2 for Bob, which it shares with Alice and Bob inside photons.
Next, the control centre encrypts K1 with K2 as a one-time pad (adding the bits of K2 to the bits of K1) and sends the result to Bob via photons. Since Bob holds K2, he can decrypt it and recover K1. Hence Bob can use K1 to decrypt any future messages from Alice.
The control centre also shares a third key, K3, with Alice and Bob that will be used in addition to their secret random number for authentication, created the same way.
Alice then encrypts a message with K1, typically by using AES or SM4 (a Chinese encryption standard) or, in cases where extreme security is necessary, using a one-time pad. Alice creates a checksum of this message using the random number, encrypting it with K3.
Alice then sends the K1-encrypted message and K3-encrypted checksum to Bob. Bob uses K1 to decrypt the message, and verifies it came from Alice by decrypting the checksum with K3 and recomputing it using the random number N they'd shared previously.
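The relay-and-authenticate flow described above, as an added plain-Python model that is not QuantumCTek's code: photon exchange is replaced by random key bytes, the control centre is an ordinary object that knows K1, K2 and K3, the message is protected with a one-time pad under K1, and the "checksum" is modelled as an HMAC keyed with the pre-shared number N and then one-time-padded with K3 (the HMAC choice is an assumption; the article does not name the checksum). The last return value shows the trust assumption a practitioner should keep in mind: the control centre can read the traffic because it holds K1.

```python
import hashlib
import hmac
import os

def xor(a: bytes, b: bytes) -> bytes:
    """One-time-pad combine: bitwise XOR of two equal-length byte strings."""
    assert len(a) == len(b), "one-time pad must match the data length"
    return bytes(x ^ y for x, y in zip(a, b))

class ControlCentre:
    """Trusted relay node: generates K1/K2/K3 and forwards K1 to Bob under K2."""
    def __init__(self, key_len: int):
        self.k1 = os.urandom(key_len)   # would be shared with Alice over the quantum link
        self.k2 = os.urandom(key_len)   # would be shared with Bob over the quantum link
        self.k3 = os.urandom(32)        # authentication key handed to both parties

    def relay_k1_to_bob(self) -> bytes:
        # K1 under K2 as a one-time pad; only a holder of K2 (Bob, or the centre) can undo it
        return xor(self.k1, self.k2)

def alice_send(msg: bytes, k1: bytes, k3: bytes, n: bytes):
    ciphertext = xor(msg, k1)                            # message under K1 (one-time pad)
    tag = hmac.new(n, msg, hashlib.sha256).digest()      # checksum keyed with shared number N
    return ciphertext, xor(tag, k3)                      # checksum encrypted with K3

def bob_receive(ciphertext: bytes, enc_tag: bytes, k1: bytes, k3: bytes, n: bytes):
    msg = xor(ciphertext, k1)                            # recover the message with K1
    expected = hmac.new(n, msg, hashlib.sha256).digest() # recompute checksum with N
    ok = hmac.compare_digest(xor(enc_tag, k3), expected) # decrypt with K3 and compare
    return msg, ok

def run_session(msg: bytes):
    """Full exchange; returns (message Bob read, authentic?, could the centre read it?)."""
    n = os.urandom(32)                                   # constructed pre-shared secret N
    centre = ControlCentre(len(msg))
    bob_k1 = xor(centre.relay_k1_to_bob(), centre.k2)    # Bob strips K2 to obtain K1
    ct, et = alice_send(msg, centre.k1, centre.k3, n)
    recovered, ok = bob_receive(ct, et, bob_k1, centre.k3, n)
    centre_view = xor(ct, centre.k1)                     # the relay holds K1 as well
    return recovered, ok, centre_view == msg
```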
The system sends 40 million photons per second and, after processing, ends up with a data transfer rate of 4,000bps on average. The longest transfer is about 50km to 60km. Zhao says the system's photon loss is about 0.2 to 0.3dB per kilometre.
The frequency of key updating depends on the wishes of the users, he says.
From theory to practice
The CEO said the most difficult part of engineering was making the system commercial – to deal with the reality of working in a real environment. The team created a test bed network in 2013, which evolved into the commercial network this year – with 100 test users. Testing finally finished just under three weeks ago, on 30 June.
Zhao said researchers independent from QuantumCTek had evaluated the security of the network (to check for any loopholes) and are preparing a paper on the results of the test bed network. For documentation, he referred The Register to papers on the backend technology published before the testbed network was constructed (see here, here, here and here).
By the end of next month, he says 200 employees in the local Jinan government (which owns the network) will use it for sending text, photos and videos.
He says many researchers are working on using satellites to aid with quantum key distribution or quantum encryption, and he says that "I think we need both" a ground network as well as satellites because of technical difficulties during ground-to-satellite communication (you'd need a satellite for communicating from China to the United Kingdom, for example, because of losses at great distances).
"We think our tech is secure right now," he says. "Why do we wait until quantum computers can break classical cryptography?"
Companies such as NEC and Toshiba are also testing quantum key distribution, while companies such as ID Quantique in Geneva have been offering hardware for quantum key distribution for years. Many research groups are also developing their own quantum communication networks.
Quantum key distribution is 'complete overhype'
Outside security researchers are sceptical.
Masahide Sasaki, a quantum encryption researcher at the National Institute of Information and Communications Technology in Japan working on a quantum key distribution network in Japan, told The Register by email that "wealthy countries can invest a lot of money and construct networks. However, it is a different question whether QKD can be a viable solution in the real world competing with existing crypto systems" – he thinks many haven't found a "killer application" that makes QKD better than existing schemes.
Bart Preneel, a cryptography expert at the University of Leuven in Belgium, told The Register that "It is clear that there are some benefits in building security based on additional assumptions, in this case assumptions about the laws of quantum physics; this is different from all cryptographic systems we use today that are based on mathematical assumptions."
But quantum key distribution is "kind of complete overhype," he adds.
He says there are several obstacles to its adoption.
"There is the cost," he says, "which is well beyond classical cryptography that has become inexpensive" such as the cryptographic functions inside bank cards and phones.
The next is data transfer rates and distances, which are intrinsically limited by fibre losses (without going to satellites, which brings up new issues).
"The current quantum technology makes it mandatory to fix the routes and limits the distance," he says, "which means it is only good for niche applications" such as connecting main sites of government offices or banks.
Then, if the network is using the quantum key as a seed for an encryption algorithm such as AES or SM4 and not using the one-time pad that guarantees security (Zhao pointed out that it would take about 10 minutes to generate enough keys to encrypt a 1MB image, so typically the company doesn't recommend it), then it's theoretically possible to calculate the key – because by using the algorithm, you're again limited by the rules of mathematical cryptography.
One advantage of the network in that case, he says, might be that the authentication keys remain impossible to hack in the future – so you know you won't be spoofed in 100 years.
But on the flipside, having to pre-install a secret random number for two users to help with authentication limits the system's scalability, he says.
Finally, without end-to-end quantum encryption, you have to trust the control centres to store the keys.
Stephanie Wehner, a quantum cryptography and communication expert at TU Delft in the Netherlands, told The Register that "Many people have a hard time to work with trusted repeaters" like the single relay control centres used in Jinan because "in the real world these trusted repeaters would be installed in data centres whose maintenance employees are badly paid, and who have full access to the trusted repeaters. Much easier to attack there than to try and attack a transmission line anyway."
She and her team are one of several groups around the world working on an end-to-end qubit transmission network.
Zhao says QuantumCTek is continuously working on improving the system: for example, it is hoping to raise the key generation rate of its tech to 1Mbps "in the near future". It also hopes to finish building its longer term project, a 2,000km-long fibre-optic link from Beijing to Shanghai where quantum keys will be swapped, later this year. ®
You'd think this system would allow China to beat its own censors, especially since Zhao has told us that any third party is unable to see the content of an encrypted message.
However, if the State is simply blocking large data transfers, it might not. (We’d be just guessing that was what they did in the case of WhatsApp, though, because we don’t know exactly how it was done.)
Cryptography prof at the University of Surrey Alan Woodward said: "I think it is likely to be the sort of infrastructure more tightly controlled by government, but if they make it generally available it will have the same issues as other forms of encryption – ie, they will not know what is in it.
"Blocking services is much simpler. Stripping out material such as attachments is rather more problematic and I’m not sure how they are doing that yet. They must be exploiting something that enables you to tell what is an attachment and strip out that part regardless of what it contains – they wouldn’t know. When QKD is used to pass keys (as is done using a Diffie-Hellman key exchange at present in WhatsApp and Signal) then the rest of the message security is pretty much as it is at present so if they have the ability to strip it now, they probably will in future."
Belgian crypto-boffin Bart Preneel added: "QKD offers link security also known as point-to-point security rather than end-to-end. So if there are 200 users, the 7 middle nodes can read all communications. There is no direct secure connection between user A and user B." (Preneel directed us to this article as an example.)
"Hence QKD does not interfere with the censors. This explains in part why governments like QKD (they also like the claimed long-term security), and why citizens should not embrace QKD. It's security for large organizations, not for users." ®