
Introduction to Quantum Computing and the Security Implications

5 November 2019

7th ETSI-IQC Quantum-Safe Cryptography Workshop

Michele Mosca

Computation in a quantum paradigm

E. Lucero, D. Mariantoni, and M. Mariantoni

New paradigm brings new possibilities

• Designing new materials, drugs, etc.
• Optimizing
• Sensing and measuring
• Secure communication
• What else???

Quantum system: [figure: a column of 8 amplitudes describing a 3-qubit state]

Classical simulation:

Simulating quantum bits with classical bits

• Describing n qubits in a classical computer generally appears to require more than 2^n numbers' worth of memory.

# qubits   # classical numbers to store
   3       8 = 2^3
   4       16 = 2^4
  10       1024 = 2^10 (Kilo)
  20       1048576 = 2^20 (Mega)
  30       1073741824 = 2^30 (Giga)
  40       1099511627776 = 2^40 (Tera)
  50       1125899906842624 = 2^50 (Peta)
  60       1152921504606846976 = 2^60 (Exa)
  70       1180591620717411303424 = 2^70 (Zetta)
 128       340282366920938463463374607431768211456 = 2^128 ≈ 3.4 x 10^38
 230       1725436586697640946858688965569256363112777243042596638790631055949824 = 2^230 ≈ 1.7 x 10^69
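The table above follows from how a quantum state is stored: one complex amplitude per basis state. The following pure-Python state-vector simulator is an added example (not code from the talk); it builds an n-qubit state, applies Hadamard and CNOT gates, and reports the 2^n amplitudes and bytes that a dense classical representation needs. The 16 bytes per amplitude is an assumption (two 64-bit floats).

```python
"""Added example: why n qubits cost 2**n classical numbers (not from the slides)."""
import math

SQRT1_2 = 1 / math.sqrt(2)
HADAMARD = ((SQRT1_2, SQRT1_2), (SQRT1_2, -SQRT1_2))


def zero_state(n):
    """|0...0> for n qubits: a list of 2**n complex amplitudes, all weight at index 0."""
    state = [0j] * (1 << n)
    state[0] = 1 + 0j
    return state


def apply_single(state, target, gate):
    """Apply a 2x2 gate ((a, b), (c, d)) to qubit `target` (0 = least significant bit).

    Every amplitude is paired with the one whose index differs only in the target
    bit, so the cost of one gate is proportional to the whole 2**n vector.
    """
    (a, b), (c, d) = gate
    bit = 1 << target
    out = state[:]
    for i in range(len(state)):
        if i & bit:
            continue
        j = i | bit
        x, y = state[i], state[j]
        out[i] = a * x + b * y
        out[j] = c * x + d * y
    return out


def apply_cnot(state, control, target):
    """CNOT: where the control bit is 1, swap the amplitudes of target=0 and target=1."""
    cbit, tbit = 1 << control, 1 << target
    out = state[:]
    for i in range(len(state)):
        if (i & cbit) and not (i & tbit):
            j = i | tbit
            out[i], out[j] = state[j], state[i]
    return out


def ghz_state(n):
    """H on qubit 0, then CNOT fan-out: (|00..0> + |11..1>) / sqrt(2)."""
    state = apply_single(zero_state(n), 0, HADAMARD)
    for t in range(1, n):
        state = apply_cnot(state, 0, t)
    return state


def probabilities(state):
    """Born rule: measurement probability of each basis state."""
    return [abs(amp) ** 2 for amp in state]


def classical_cost(n, bytes_per_amplitude=16):
    """(amplitude count, bytes) for a dense state vector of n qubits.
    16 bytes per amplitude assumes complex128 (two 64-bit floats)."""
    count = 1 << n
    return count, count * bytes_per_amplitude


if __name__ == "__main__":
    for n in (3, 4, 10, 20):
        count, nbytes = classical_cost(n)
        nonzero = [i for i, p in enumerate(probabilities(ghz_state(n))) if p > 1e-12]
        print(f"{n:3d} qubits: {count} amplitudes, {nbytes} bytes; GHZ support = {nonzero}")
```

Running it for n = 20 already allocates a million-entry list for a state that is, physically, just 20 two-level systems; the table's rows for 50 qubits and beyond are out of reach for any classical memory.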

Applications: studying materials and chemicals

Optimization for businesses, including cyber defence

How can we entrust information and tasks to untrusted systems???

[figure: symmetric encryption: message M and shared key k produce CipherText(k, M); the same shared key k decrypts it back to the message M]

• Symmetric encryption
• Key establishment
• Authentication

And more!!

• Secure multi-party computations
• Securely outsourcing computations to untrusted parties
• Protect privacy AND retain security
• Protect privacy AND achieve business functions

E.g. use “homomorphic encryption” for Anti-Money-Laundering

New feature: eavesdropper detection

The ultimate key-establishment tool

Quantum physics, rather than a computational hardness assumption, guarantees the security of the cryptographic key

• A quantum satellite in LEO can interconnect ground networks located anywhere on Earth.
• Together with ground-based repeaters, we will eventually have a “quantum internet”.

[figure: quantum links QL A and QL B join Network A and Network B, yielding a Final Key]

Quantum communication in space is real

Dedicated quantum hardware in space:
• China (J.W. Pan)
  – Entanglement distribution over 1200 km! (Science, 2017)
  – QKD from space to ground (Nature 549, 43–47 (2017))
  – Teleportation (Nature 549, 70–73 (2017))
  – QKD between Beijing and Graz
• Japan (NICT) – 50 kg satellite: Nature Photonics 11, 502–508 (2017)
• Singapore (A. Ling)
  – Correlated photon source onboard a CubeSat (Phys. Rev. Applied 5, 054022, 2016)

Proof of concept demonstrations:
• Germany (G. Leuchs): Demonstration of quantum limited states sent from a GEO satellite to ground (Optica, Vol. 4, No. 6, 2017)
• Italy (P. Villoresi): Demonstrating a quantum channel from space to ground (Phys. Rev. Lett. 115, 040502 (2015))
• Canada (T. Jennewein): Airborne demonstration of a quantum communication satellite payload (QST, 2017)

Beijing and Vienna have a quantum conversation
September 2017, www.physicsworld.com
http://english.cas.cn/newsroom/news/201709/t20170928_183577.shtml

Thanks to Thomas Jennewein for these slides.

Quantum Internet – the Long Term Vision
Qubit distribution with moving systems: satellites, aircraft, vehicles, ships, handheld

[figure: quantum links among buildings in a city centre, satellites, aircraft, vehicles, ATMs, service providers, agencies, computers, handhelds and WLAN, with a quantum link (QL A) to a distant network producing a Final Key]

Thanks to Thomas Jennewein for these slides.

But… while in the classical paradigm

Encrypting is easy. Codebreaking is hard.

…in the quantum paradigm

Encrypting is easy. Codebreaking is easy!

Cryptography: RSA, DSA, DH, ECDH, ECDSA, …, SHA, AES

Secure web browsing, Auto-updates, VPN, Secure email, Blockchain, etc…

Cloud computing, payment systems, internet, IoT, eHealth, etc…

• User errors

• Corrupt users

• Admin errors

• Corrupt admin

• Platform implementation errors

• Platform design errors

• Cryptography implementation errors

• Fundamentally vulnerable cryptography

So many different vulnerabilities


Ranked, from bad to worse?

Do we need to worry now?

Depends on*:
• security shelf-life (x years)
• migration time (y years)
• collapse time (z years)

“Theorem”: If x + y > z, then worry.

[figure: timeline with x (shelf-life) and y (migration) laid end to end against z (collapse time)]

*M. Mosca: e‐Proceedings of 1st ETSI Quantum‐Safe Cryptography Workshop, 2013.  Also http://eprint.iacr.org/2015/1075

4 threats

Loss of confidentiality and data integrity. (if x+y>z)

Critical infrastructures fail with no quick fix. (if y>z)

Rushing “Y” is expensive, disruptive, and leads to vulnerable implementations.

Loss of trust in the tools and institutions underpinning our digital economy.

Another milestone will be the achievement of quantum supremacy. It will signal that there has been great progress in our ability to build and operate quantum devices, and it will certainly receive the attention of news outlets. On the other hand, it will only be a relatively small step towards a cryptographically relevant quantum computer, which requires a much higher level of sophistication, specifically in relation to using error correction to achieve fault‐tolerance.

[the] claim will “likely [be] controversial” 

https://globalriskinstitute.org/publications/quantum‐threat‐timeline/

Some (future?) milestones

“Quantum supremacy”

[figure: a CNOT at the logical layer versus its fault-tolerant realization at the physical layer]

Critical Milestone: Scalable fault-tolerant logical qubits

Estimating ‘z’?

https://www.bsi.bund.de/DE/Publikationen/Studien/Quantencomputer/quantencomputer.html (first draft in 2018; updated version 1.1 in 2019)

https://www.nap.edu/catalog/25196/quantum‐computing‐progress‐and‐prospects (presented in Dec. 2018)

What is ‘z’?

• Michele Mosca [Oxford, 1996]: “20 qubits in 20 years”

• Microsoft Research [October 2015]: ”Recent improvements in control of quantum systems make it seem feasible to finally build a quantum computer within a decade”.

• Michele Mosca ([NIST, April 2015], [ISACA, September 2015]): “1/7 chance of breaking RSA‐2048 by 2026, ½ chance by 2031”

• Michele Mosca [London, September 2017]: “1/6 chance within 10 years”

• Simon Benjamin [London, September 2017]: Speculates that if someone is willing to “go Manhattan project” then “maybe 6‐12 years”

• Michele Mosca [Seattle, November 2019]: 1/5 chance within 10 years

https://globalriskinstitute.org/publications/quantum‐threat‐timeline/

Quantum‐safe cryptography tool‐chest

conventional quantum-safe cryptography (a.k.a. post-quantum cryptography or quantum-resistant algorithms)
+
quantum cryptography

Both sets of cryptographic tools can work very well together in a quantum-safe cryptographic ecosystem.

http://www.idquantique.com/photon‐counting/clavis3‐qkd‐platform/

Courtesy of Qiang Zhang, USTC

“quantum-safe” = designed to be safe against quantum attacks
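The two halves of the tool-chest are usually combined rather than chosen between: a session key is derived from several independently established secrets (a conventional (EC)DH secret, a post-quantum KEM secret, and, where a link exists, a QKD-delivered key) so that an attacker must defeat every source to learn the key. The combiner below is an added example, not code from the talk or any QKD vendor; it uses HKDF with HMAC-SHA-256 (RFC 5869, implemented inline). The three input secrets and the transcript are constructed stand-ins, and the label string is an assumption.

```python
"""Added example: hybrid key combiner for PQC + classical + QKD secrets (not from the slides)."""
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(prk, T(i-1) || info || i), i = 1, 2, ..."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_secrets(secrets, transcript: bytes, length: int = 32) -> bytes:
    """Derive one session key from several independently established secrets.

    Each secret is length-prefixed before concatenation so the byte boundaries
    are unambiguous (b"ab"||b"c" must not equal b"a"||b"bc"). The protocol
    transcript feeds both salt and info, binding the key to this exchange.
    An absent or empty contributor is an error, not a silently weaker key.
    """
    if not secrets or any(len(s) == 0 for s in secrets):
        raise ValueError("every contributing secret must be present and non-empty")
    ikm = b"".join(len(s).to_bytes(2, "big") + s for s in secrets)
    prk = hkdf_extract(hashlib.sha256(transcript).digest(), ikm)
    return hkdf_expand(prk, b"hybrid-session-key" + transcript, length)


# Constructed stand-ins: a real deployment takes these from an ECDH exchange,
# a post-quantum KEM decapsulation and a QKD key-management service.
ECDH_SECRET = hashlib.sha256(b"constructed ecdh shared secret").digest()
PQ_KEM_SECRET = hashlib.sha256(b"constructed kem shared secret").digest()
QKD_KEY = hashlib.sha256(b"constructed qkd key, id 42").digest()
TRANSCRIPT = b"clientHello|serverHello|kemCiphertext|qkdKeyId=42"


def session_key(ecdh=ECDH_SECRET, kem=PQ_KEM_SECRET, qkd=QKD_KEY, transcript=TRANSCRIPT):
    """Key both endpoints compute: they hold all three secrets."""
    return combine_secrets([ecdh, kem, qkd], transcript)


def attacker_view(known_ecdh=ECDH_SECRET, known_kem=PQ_KEM_SECRET, transcript=TRANSCRIPT):
    """An attacker who has broken ECDH and the KEM but lacks the QKD key can only
    guess it; here the guess is all zeros, and the result is an unrelated key."""
    return combine_secrets([known_ecdh, known_kem, bytes(32)], transcript)


if __name__ == "__main__":
    real, guess = session_key(), attacker_view()
    print("session key :", real.hex())
    print("attacker key:", guess.hex())
    print("match?      :", hmac.compare_digest(real, guess))
```

The order of inputs is part of the agreed protocol, and each source must be fresh per session; reusing a QKD key across sessions, or letting a missing source degrade silently to an empty string, would undo the point of the combination. Key confirmation between the parties should compare derived values with hmac.compare_digest, as the demo does, never with ==.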

Risk vs convenience

[figure: a grid of risk (Very Low to Very High) against convenience (Low to High); each plotted option is a combination of signature, key agreement and encryption]

• ITS (information-theoretically secure) signatures + QKD key agreement + OTP encryption
• Post-quantum signatures + QKD key agreement + OTP encryption
• Post-quantum signatures + QKD key agreement + AES encryption
• Post-quantum signatures + post-quantum key agreement + AES encryption

Security is a choice

“Fault‐tolerant scalable qubit” = starting gun

“Quantum supremacy” = warning shot

We don’t get to call a “time‐out” if we’re not ready!

“Execution is 90% planning and 10% doing”


Quantum Risk Assessment (QRA) Methodology:

Phase 1 - Identify and document assets, and their current cryptographic protection.

Phase 2 - Research the state of emerging quantum technologies, and the timelines for availability of quantum computers.

Phase 3 - Identify and document threat actors, and estimate their time to access quantum technology (“z”).

Phase 4 - Identify the lifetime of your assets (“x”), and the time required to migrate the organization's technical infrastructure to a quantum-safe state (“y”).

Phase 5 - Determine quantum risk by calculating whether business assets will become vulnerable before the organization can move to protect them (x + y > z?).

Phase 6 - Identify and prioritize the activities required to maintain awareness, and to migrate the organization's technology to a quantum-safe state.
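Phases 1, 4, 5 and 6, together with the x + y > z rule from the “Theorem” earlier in the talk, reduce to a small calculation once the inventory exists. The script below is an added example (not from the talk or from evolutionQ's tooling). The primitive classification is the editor's and is an assumption: public-key primitives that Shor's algorithm breaks outright, and symmetric or hash primitives whose effective strength Grover's algorithm roughly halves, judged against a policy floor of 128 effective bits. The asset inventory and the z value are constructed; the talk offers only odds for z, so the reader supplies their own estimate.

```python
"""Added example: quantum risk assessment (x + y > z) over an asset inventory (not from the slides)."""
from dataclasses import dataclass

# Editor's classification (assumption, not from the talk): Shor breaks these outright.
SHOR_BROKEN = {"RSA-2048", "RSA-3072", "DH-2048", "ECDH-P256", "ECDSA-P256", "X25519", "Ed25519"}
# Grover's square-root speedup: approximate effective security bits that remain.
GROVER_EFFECTIVE_BITS = {"AES-128": 64, "AES-256": 128, "SHA-256": 128, "SHA-384": 192}


@dataclass(frozen=True)
class Asset:
    name: str
    primitives: tuple        # Phase 1: cryptographic protection in use
    shelf_life_years: float  # x: how long the data or trust must hold
    migration_years: float   # y: time to move this asset to quantum-safe crypto


def weak_primitives(primitives, min_effective_bits=128):
    """Primitives that will not survive a cryptographically relevant quantum computer.
    Unknown names are reported too: an inventory gap is itself a finding."""
    weak = []
    for p in primitives:
        if p in SHOR_BROKEN:
            weak.append((p, "broken by Shor"))
        elif p in GROVER_EFFECTIVE_BITS:
            if GROVER_EFFECTIVE_BITS[p] < min_effective_bits:
                weak.append((p, f"Grover leaves ~{GROVER_EFFECTIVE_BITS[p]} bits"))
        else:
            weak.append((p, "unclassified, review"))
    return weak


def assess(asset, z_years):
    """Phase 5: apply x + y > z (and the harsher y > z) to one asset.

    Returns (verdict, slack) with slack = z - (x + y); negative slack means the
    asset is exposed before its migration can complete.
    """
    weak = weak_primitives(asset.primitives)
    x, y = asset.shelf_life_years, asset.migration_years
    slack = z_years - (x + y)
    if not weak:
        return "quantum-safe as inventoried", slack
    if y > z_years:
        return "critical: cannot migrate before collapse (y > z)", slack
    if x + y > z_years:
        return "at risk: protection must outlive collapse (x + y > z)", slack
    return "tolerable: migrate within plan", slack


def prioritize(assets, z_years):
    """Phase 6: vulnerable assets ordered by slack, tightest first."""
    ranked = [(a.name, *assess(a, z_years)) for a in assets]
    return sorted((r for r in ranked if not r[1].startswith("quantum-safe")), key=lambda r: r[2])


# Constructed inventory for the example (not a real organization's).
INVENTORY = (
    Asset("archived health records", ("AES-256", "RSA-2048"), 25, 4),
    Asset("firmware signing", ("ECDSA-P256",), 15, 8),
    Asset("internal VPN", ("X25519", "AES-128"), 1, 3),
    Asset("log integrity", ("SHA-256",), 7, 1),
)

if __name__ == "__main__":
    Z = 10  # reader-supplied collapse-time estimate, in years
    for name, verdict, slack in prioritize(INVENTORY, Z):
        print(f"{name:26s} slack={slack:+.0f}y  {verdict}")
```

Note what the numbers say for the archived records: AES-256 is fine, but the RSA key that wraps the data key is not, and a 25-year shelf-life means ciphertext captured today is exposed long before any plausible z. The slack column, not the verdict alone, is what orders the migration backlog.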

Ongoing work to develop standards and certifications for these tools.

https://csrc.nist.gov/CSRC/media/Projects/Post‐Quantum‐Cryptography/documents/asiacrypt‐2017‐moody‐pqc.pdf

openquantumsafe.org 

Can test and prototype post‐quantum algorithms now

Other open source implementations:
https://github.com/mupq/pqm4
https://libpqcrypto.org
https://github.com/safecrypto/libsafecrypto
Industry tool-kits also available.

QKD Link Layer (QLL)

QKD Network Layer (QNL)

Key Mgmt. Service Layer (KMS)

Host Layer

OpenQKDNetwork.com

Can design QKD into systems now

Full protocol stack for QKD

Can design QKD into systems today as a key establishment alternative.

Also need to look at future platforms and tools

Historic opportunity

Dual short-term quantum track for business

Thank you! Comments, questions and feedback are very welcome.

Michele Mosca
Professor, Faculty of Mathematics
Co-Founder, Institute for Quantum Computing, University of Waterloo
www.iqc.ca/~mmosca
mmosca@uwaterloo.ca

CEO, evolutionQ Inc.
@evolutionQinc
michele.mosca@evolutionq.com

Co-founder, softwareQ Inc.
softwareq.ca
