In the first part of my interview with Jörg-Peter Elbers, SVP of advanced technology at ADVA, we discussed quantum-safe communication and what it means for the future of networking security. In the second part, we look at implementation strategies for post-quantum cryptography and quantum key distribution. Here’s an edited transcript of our conversation.
Carl Weinschenk: To review, how should people think about quantum-safe communication?
Jörg-Peter Elbers: Quantum safe communication gives you a secure communication channel which is robust against future quantum computer attacks. There are two different fundamental solutions to solve the problem: post quantum cryptography and quantum key distribution. Each has certain advantages and disadvantages. There's nothing preventing you from combining those.
You could run QKD as the base layer but, if you don’t want to use this as your only protection, you could still run a post-quantum cryptographic algorithm on top of it and combine the keys at the end points. Even in the unlikely event that there’s a problem with your quantum key distribution, you still have the security of the other algorithm. It all depends on how critical the long-term security of your data is to you and consequently how much effort you’re willing to put in and what you're willing to spend.
CW: Is it just that you're doing the job twice and using one as a backup, or is it that one can tell you if the other one is working correctly? In other words, do they work together, or do they run in parallel to solve the same problem?
JPE: It's the latter. I often use the onion example. Rather than just having one layer of security, one slice of an onion, you have multiple layers, because you're using multiple algorithms. You can also do the same not only with your key exchange but also with the encryption of your data, i.e. using encryption on multiple protocol layers, such as on Layer 1 (OTN), Layer 2 (MACSec) and Layer 3 (IPSec). Obviously, the more layers you encrypt on, the more overhead you put onto the overall transmission – but the more security you get.
CW: Okay, where are we in terms of actual deployment?
JPE: I think the technology is becoming ready to be deployed. Post-quantum algorithms are much easier to deal with, because in principle it's just an update of some of the algorithms at the endpoints of a connection. We have actually demonstrated a 2800km PQC link with our production equipment. We have changed the algorithms at the end points; we have put it into the field.
It's relatively easy to deploy post-quantum algorithms on the commercial side. You can buy or build QKD equipment, and we’ve worked with partners such as Toshiba. We've also worked with ID Quantique, demonstrating that it is possible to work with multiple QKD companies if you have a defined software interface for the key exchange.
For QKD over a fiber optic link, you have two options. Running the QKD system over a separate fiber than the encrypted payload data is the best because you don't get any interference or any interactions between revenue-generating channels and the QKD information, which you need to put over the fiber. Obviously you need to have more fibers. If the link is shorter, that might not be a problem.
If you need to do this over hundreds or thousands of kilometers, you probably want to transmit your QKD channels over the same fiber as the traffic generating channels. That requires changes in the physical infrastructure, which we’ve also demonstrated. With a standardization of the optical interface, you’re also able to work with different QKD suppliers. I’d say QKD technologies are fairly mature but further miniaturization and cost reduction is certainly desirable.
For a commercial deployment, it’s important to get official endorsement from cybersecurity agencies. To date, they only recommend classical key exchange schemes but are evaluating post-quantum algorithms. NIST for example plans to come up with recommendations in the 2022-24 time frame.
CW: That's a long time. Even if it works perfectly, isn't it off the table until it gets the certification from the governing bodies?
JPE: I wouldn't say that. It might also depend a little bit on the set of customers you're dealing with. Some customers have very high security requirements, and they might run their own analysis. They have experts in their organization who may say, "Yes, we believe that's a good solution. We'll deploy it." In many cases, recommendations for the general public will then follow.
CW: Is there a way for organizations to simplify things and reduce the price tag?
JPE: People may say, "Quantum equipment is expensive, so let's create quantum keys in the cloud, and then we transmit them to the end customers using a classical channel." But what’s the point of using quantum keys if you then use classical means of distributing them? It only makes sense, in my opinion, to generate these quantum keys in a trusted environment and distribute them in a way that nobody has the possibility to get to them by just breaking some classical elements.
CW: Quantum actions are notoriously sensitive. We're talking about a communications network sending this quantum information thousands of miles. Is it not impacted by even a minimal amount of interference and noise? Doesn't that just screw everything up?
JPE: When we put the theory into practice, actually you’re not relying on single photons. You work with a very low average amount of photons and can relax some of the hardware requirements. But the essence of the requirements are absolutely there. If you want to transmit your quantum information over the same fiber as traffic generating channels, typically those channels have higher data rate, have higher power requirements, and there's cross-talk between those channels and the QKD channel. This limits the distance which you can go.
As I said earlier, you deploy those kinds of things easier on shorter connections, maybe 40 kilometers, something like that. That is the typical distance where people build twin data centers for business continuity, disaster recovery, synchronously running applications and so on. If you really want to go hundreds or thousands of kilometers, you need to build something which people will classify as a trusted node in between. You build an environment where you terminate the quantum channel and then create a new quantum signal. You do this in a trusted box, which is hardened so that it cannot be tampered with and people do not have access to it and so on. That's the only way to do this over long distances over fiber.