Re: [Qirg] Review of draft-irtf-qirg-quantum-internet-use-cases-04

[John Mattsson <john.mattsson@ericsson.com>]

Hi Patrick,

Thanks for the link to ANSSI. Further comments on one of the bullets below.

Cheers,
John

- Section 1
”It is anticipated that the Quantum Internet will provide intrinsic benefits such as improved end-to-end and network security.”

I would remove "anticipated" and "will". I don't think I have heard anybody working with security believed that QKD will provide much practical benefits. I mostly see it as something quantum network researchers do because they cannot do anything else yet. If you want to make such claims, I think you should ask CFRG or the security area in IETF.
https://protect2.fireeye.com/v1/url?k=aca627ec-f33d1ea8-aca66777-861d41abace8-699f6b09314b6c82&q=1&e=d56c58da-31d7-416c-be07-ee0b34ec9bb5&u=https%3A%2F%2Fwww.schneier.com%2Fessays%2Farchives%2F2008%2F10%2Fquantum_cryptography.html
https://protect2.fireeye.com/v1/url?k=32cd8b42-6d56b206-32cdcbd9-861d41abace8-ed3a7b618dda68a9&q=1&e=d56c58da-31d7-416c-be07-ee0b34ec9bb5&u=https%3A%2F%2Fwww.schneier.com%2Fblog%2Farchives%2F2018%2F08%2Fgchq_on_quantum.html
https://www.nsa.gov/what-we-do/cybersecurity/quantum-key-distribution-qkd-and-quantum-cryptography-qc/
The document should also bring up denial of service risks and the requirement for trusted relays. These are areas where a Quantum Internet is expected to provide intrinsic security disadvantages.

[PG] It seems that there is still a debate between the secret sharing service based on properties of quantum physics  (QKD) https://protect2.fireeye.com/v1/url?k=20b22723-7f291e67-20b267b8-861d41abace8-6dbf4bb4b549cc74&q=1&e=d56c58da-31d7-416c-be07-ee0b34ec9bb5&u=https%3A%2F%2Fwww.ssi.gouv.fr%2Fen%2Fpublication%2Fshould-quantum-key-distribution-be-used-for-secure-communications%2F and the post-quantum approach  in which the intended service is to replace the current classical public key and signature standards by new standards that are robust to attacks by future quantum computers. The difference with quantum cryptography is that post-quantum solutions are based on the difficulty of solving a mathematical problem and therefore offer a security that cannot be demonstrated to be unconditional unlike the quantum approach which relies on physical properties of the quantum world (in theory, but for all practical purpose there is security weakness).

[John] I don't think there has ever been much of a debate in the security community. Bruce Schneider's "As Awesome As It Is Pointless" is maybe a bit harsh but just like the one-time pad (theoretically proven perfect secrecy), QKD will likely see limited niche use. Thanks for the link to ANSSI, I think they summarize things quite well:

"Although QKD can be used in a variety of niche applications, it is therefore not to be considered as the next step for secure communications."

"Security guarantees provided in principle by QKD come with significant deployment constraints which reduce the scope of the services offered and compromise in practice QKD security assurances, particularly in scenarios where communications travel through a network of interconnected QKD links. While the use of QKD on point-to-point links can nevertheless be considered as a defense-in-depth measure to complement conventional cryptographic techniques, the cost incurred should not jeopardize the fight against current threats to information systems."

I think everybody can agree that a PQC-based key exchange combined with QKD would increase security, but if I would have to choose between only PQC or only QKD based on practical security alone, I would choose PQC every day. Most security problems are due to implementation problems, not the algorithms themselves, and QKD implementation are definitely not hardened. The idea of trusted relays is a security showstopper for links beyond point-to-point.

Best theoretical security has in the past never won market shares. Cost, speed, and flexibility are very important decision factors. AES-128-GCM does not provide the best theoretical confidentiality, integrity, or nonce-reuse protection, yet it is completely dominating the market due to its high performance.

I think QKD may be used in some niche military systems where cost does not matter. It might also be used if quantum networks are built to connect sensors and computers and QKD comes for free. I am all for spending research money on quantum networks, but I don’t think the motivation should be security at this point. In general I think the quantum network community talks a bit too much about security and a bit too much about QKD. There are many theoretically interesting ideas in quantum cryptography, especially things that that cannot be achieved with classical cryptography. It would be interesting to see if things like position-based quantum cryptography could be used to enhance network security.


-----Original Message-----
From: Qirg <qirg-bounces@irtf.org> on behalf of Gelard Patrick <Patrick.Gelard@cnes.fr>
Date: Friday, 12 March 2021 at 10:31
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, "qirg@irtf.org" <qirg@irtf.org>
Subject: Re: [Qirg] Review of draft-irtf-qirg-quantum-internet-use-cases-04

Hi John,

Your analysis is very interesting. My commentaries are online indexed by [PG]

Thank
Patrick

-----Message d'origine-----
De : Qirg <qirg-bounces@irtf.org> De la part de John Mattsson
Envoyé : vendredi 12 mars 2021 00:37
À : qirg@irtf.org
Objet : [Qirg] Review of draft-irtf-qirg-quantum-internet-use-cases-04

Review of draft-irtf-qirg-quantum-internet-use-cases-04

Hi,

I think this is a useful document. I do not think it is ready for RGLC yet but it is getting close.

Cheers,
John


Comments:


- Section 1
"The connections between the various nodes in the Internet include Digital Subscriber Lines (DSLs), fiber optics, coax cable and wireless that include Bluetooth, WiFi, cellular (e.g., 3G, 4G, 5G), satellite, etc."

This seems too focused on last mile Internet access.


- Section 1
”It is anticipated that the Quantum Internet will provide intrinsic benefits such as improved end-to-end and network security.”

I would remove "anticipated" and "will". I don't think I have heard anybody working with security believed that QKD will provide much practical benefits. I mostly see it as something quantum network researchers do because they cannot do anything else yet. If you want to make such claims, I think you should ask CFRG or the security area in IETF.
https://protect2.fireeye.com/v1/url?k=aca627ec-f33d1ea8-aca66777-861d41abace8-699f6b09314b6c82&q=1&e=d56c58da-31d7-416c-be07-ee0b34ec9bb5&u=https%3A%2F%2Fwww.schneier.com%2Fessays%2Farchives%2F2008%2F10%2Fquantum_cryptography.html
https://protect2.fireeye.com/v1/url?k=32cd8b42-6d56b206-32cdcbd9-861d41abace8-ed3a7b618dda68a9&q=1&e=d56c58da-31d7-416c-be07-ee0b34ec9bb5&u=https%3A%2F%2Fwww.schneier.com%2Fblog%2Farchives%2F2018%2F08%2Fgchq_on_quantum.html
https://www.nsa.gov/what-we-do/cybersecurity/quantum-key-distribution-qkd-and-quantum-cryptography-qc/
The document should also bring up denial of service risks and the requirement for trusted relays. These are areas where a Quantum Internet is expected to provide intrinsic security disadvantages.

[PG] It seems that there is still a debate between the secret sharing service based on properties of quantum physics  (QKD) https://protect2.fireeye.com/v1/url?k=20b22723-7f291e67-20b267b8-861d41abace8-6dbf4bb4b549cc74&q=1&e=d56c58da-31d7-416c-be07-ee0b34ec9bb5&u=https%3A%2F%2Fwww.ssi.gouv.fr%2Fen%2Fpublication%2Fshould-quantum-key-distribution-be-used-for-secure-communications%2F and the post-quantum approach  in which the intended service is to replace the current classical public key and signature standards by new standards that are robust to attacks by future quantum computers. The difference with quantum cryptography is that post-quantum solutions are based on the difficulty of solving a mathematical problem and therefore offer a security that cannot be demonstrated to be unconditional unlike the quantum approach which relies on physical properties of the quantum world (in theory, but for all practical purpose there is security weakness).


- Section 1
"unique physical principles"
Is unique the right word here?


- Section 2
The document does not seem to use any of the words. I don't know if an Informational IRTF docuement needs this section at all but if it does it should refer to RFC 8174 as well


- Section 3
"i.e. fundamental unit of information in a classical computer"
Bit is equally much a unit of informaiton in communication .


- Section 3
"from 50 to a few hundred qubits"
Logical or physical qubits?


- Section 3
"classical bits, or the measured state of qubits."
They would still be classic bits


- Section 3
"to securely distribute security keys from a sender to a receiver."
I would more say that QKD let the two securely establish/agree on a key. 


- Section 3
OLD "The Quantum Internet will be merged into the Classical Internet to form a new Hybrid Internet"
NEW "The Quantum Internet is expected to be merged into the Classical Internet to form a new Hybrid Internet"


- Section 3
"fundamental unit of information in a quantum computer"
Qubit is equally much a unit of informaiton in communication .


- Section 4.2.
"Quantum cryptography applications - Refers to the use of quantum information technology to ensure secure communications"

Just like classic cryptography, Quantum cryptography is much more than securing communication https://en.wikipedia.org/wiki/Quantum_cryptography


- Section 4.2. 
"sensors or Internet of Things (IoT) devices"
sensors are typically IoT devices.
[PG] Although the notion of IoT is not clearly defined (Each standard has its own definition and moreover it comes to be added for the sensors the ecosystems M2M, WSN, SCADA, ...) , not all sensors are connected objects compatible with the Internet protocol and service and not all quantum sensor will be compatible with a quantum internet. 

- Section 4.3. 
"to share a secret key"
Probably good to explain to people that the key is a classic key.
[PG] The secret Key is classical but the establishment of a common secret key between two distant quantum node isn't a classic method. The establishment of public/private secret key  or common secret key between two distant parties can be achieved by algorithms based on the difficulty of solving a mathematical hard problem (Factoring integers (e.g RSA, ...), Discrete Logarithm (e.g Diffie-Hellman, ELGamal, DSA, ..) or Elliptic Curves (ECDH, ECDSA, ...). The problems are considered mathematically hard, but no proof exists (so far). QKD which is an algorithm for the establishment of common secret key between two distant quantum node (Key etablissement protocol) is based on quantum physical property that quantum information generally cannot be measured without disturbing the state and cannot be cloned, thus statistical tests can prove the absence of eavesdropping and guaranteeing the secrecy of bit values get from the measure of the qubit.   


- Section 5.1
"This results in a source quantum node A at Bank #1 to securely send a classic secret key to a destination quantum node B at Bank #2."
I don't think that is a correct description of QKD. Maybe use "establish” or ”agree”


- Section 5.1
"One requirement for this secure communication setup process is that it should not be vulnerable to any classical or quantum computing attack."

Most of the attacks discussed on QKD has been more physical. It would be good if the document discussed other types of attacks then computing attacks. Wikipedia does e.g. mention the following: "The first attack that claimed to be able to eavesdrop the whole key [70] without leaving any trace was demonstrated in 2010. It was experimentally shown that the single-photon detectors in two commercial devices could be fully remote-controlled using specially tailored bright illumination. " 


- Section 5.1
This section should mention authentication, which is a cornerstone in almost all security protocols.


- Section 5.1
"The source quantum node A transforms the secret key to qubits."
I don't think the random bits should be called a "key" at this point
[PG] yes the algorithms (prepare and measure or entanglement based) are more complex (there is a processus of Key Distillation : Sifting, purification, error correction and amplification). 


- Section 6.1
"a current 20-qubit machine"
Would be good to inform the reader if these are physical or logical qubits.


- Security 9
"because of the exponential increase of computing power with quantum computing"
This seems like a press release from someone selling a quantum computer.
I don’t think the claim is correct for integer factorization and discrete logarithm problem. The running time of GNFS is sub-exponetial and the running time of Shor is n^3 so the speedup should also be sub-exponential. Maybe correct for ECDLP.


- Security 10
”Paradoxically, development of the Quantum Internet will also mitigate the threats posed by quantum computing attacks against public-key cryptosystems.”

That is not true. QKD can only replace an unauthenticated Diffie-Hellman Exchange. The Quantum Internet will not do anything to mitigate the threats against digital signatures used in e.g. DNSSEC, TLS, IPsec, firmware updates, etc... 


_______________________________________________
Qirg mailing list
Qirg@irtf.org
https://protect2.fireeye.com/v1/url?k=e76a68c9-b8f1518d-e76a2852-861d41abace8-3e0de0953602a97b&q=1&e=d56c58da-31d7-416c-be07-ee0b34ec9bb5&u=https%3A%2F%2Fwww.irtf.org%2Fmailman%2Flistinfo%2Fqirg
_______________________________________________
Qirg mailing list
Qirg@irtf.org
https://protect2.fireeye.com/v1/url?k=10adbb8e-4f3682ca-10adfb15-861d41abace8-a91c6da45305504a&q=1&e=d56c58da-31d7-416c-be07-ee0b34ec9bb5&u=https%3A%2F%2Fwww.irtf.org%2Fmailman%2Flistinfo%2Fqirg