China's 'future-proof' crypto: We talk to firm behind crazy quantum key distribution network
Should we believe the hype? And why drop so much $$?
Quantum key distribution is 'complete overhype'
Outside security researchers are sceptical.
Masahide Sasaki, a quantum encryption researcher at the National Institute of Information and Communications Technology in Japan who is working on a quantum key distribution network there, told The Register by email that "wealthy countries can invest a lot of money and construct networks. However, it is a different question whether QKD can be a viable solution in the real world competing with existing crypto systems" – he thinks many haven't found a "killer application" that makes QKD better than existing schemes.
Bart Preneel, a cryptography expert at the University of Leuven in Belgium, told The Register that "It is clear that there are some benefits in building security based on additional assumptions, in this case assumptions about the laws of quantum physics; this is different from all cryptographic systems we use today that are based on mathematical assumptions."
But quantum key distribution is "kind of complete overhype," he adds.
He says there are several problems to its adoption.
"There is the cost," he says, "which is well beyond classical cryptography that has become inexpensive" such as the cryptographic functions inside bank cards and phones.
The next is data transfer rate and distance, both of which are intrinsically limited by fibre losses (without going to satellites, which brings up new issues).
"The current quantum technology makes it mandatory to fix the routes and limits the distance," he says, "which means it is only good for niche applications" such as connecting main sites of government offices or banks.
Then, if the network uses the quantum key as a seed for an encryption algorithm such as AES or SM4, rather than for the one-time pad that guarantees security, it's theoretically possible to calculate the key, because by using the algorithm you're again limited by the rules of mathematical cryptography. (Zhao pointed out that it would take about 10 minutes to generate enough keys to encrypt a 1MB image with a one-time pad, so typically the company doesn't recommend it.)
One advantage of the network in that case, he says, might be that the authentication keys are still impossible to hack in the future – so you know you won't be spoofed in 100 years.
But on the flipside, having to pre-install a secret random number for two users to help authentication limits the system's scalability, he says.
Finally, without end-to-end quantum encryption, you have to trust the control centres to store the keys.
Stephanie Wehner, a quantum cryptography and communication expert at TU Delft in the Netherlands, told The Register that "Many people have a hard time to work with trusted repeaters" like the single relay control centres used in Jinan because "in the real world these trusted repeaters would be installed in data centres whose maintenance employees are badly paid, and who have full access to the trusted repeaters. Much easier to attack there than to try and attack a transmission line anyway."
She and her team are one of several groups around the world working on an end-to-end qubit transmission network.
Zhao says QuantumCTek is continuously working on improving the system: for example, it is hoping to raise the key generation rate of its tech to 1Mbps "in the near future". It also hopes to finish building its longer term project, a 2,000km-long fibre-optic link from Beijing to Shanghai where quantum keys will be swapped, later this year. ®
You’d think this system would allow China to beat its own censors, especially since Zhao has told us that any third party is unable to see the content of an encrypted message.
However, if the State is simply blocking large data transfers, it might not. (We’d be just guessing that was what they did in the case of WhatsApp, though, because we don’t know exactly how it was done.)
Cryptography prof at the University of Surrey Alan Woodward said: "I think it is likely to be the sort of infrastructure more tightly controlled by government, but if they make it generally available it will have the same issues as other forms of encryption – ie, they will not know what is in it.
"Blocking services is much simpler. Stripping out material such as attachments is rather more problematic and I’m not sure how they are doing that yet. They must be exploiting something that enables you to tell what is an attachment and strip out that part regardless of what it contains – they wouldn’t know. When QKD is used to pass keys (as is done using a Diffie-Hellman key exchange at present in WhatsApp and Signal) then the rest of the message security is pretty much as it is at present so if they have the ability to strip it now, they probably will in future."
Belgian crypto-boffin Bart Preneel added: "QKD offers link security also known as point-to-point security rather than end-to-end. So if there are 200 users, the 7 middle nodes can read all communications. There is no direct secure connection between user A and user B." (Preneel directed us to this article as an example.)
"Hence QKD does not interfere with the censors. This explains in part why governments like QKD (they also like the claimed long-term security), and why citizens should not embrace QKD. It's security for large organizations, not for users." ®
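The link-versus-end-to-end point made by Preneel here, and the trusted-repeater concern raised by Wehner earlier, as an added example that is not from the article or from QuantumCTek. It assumes the common hop-by-hop relay design, in which each relay strips one link's pad and applies the next; the three-relay chain, the sample message and the names `relay_session_key` and `run_demo` are constructed for illustration.

```python
import secrets

def xor(data: bytes, pad: bytes) -> bytes:
    """One-time pad: XOR data with an equal-length pad."""
    if len(data) != len(pad):
        raise ValueError("pad must be exactly as long as the data")
    return bytes(d ^ p for d, p in zip(data, pad))

def relay_session_key(path, link_keys, session_key):
    """Forward session_key along path, re-padding it on every link.

    Returns (on_fibre, in_node): what a tap on each link observes, and
    the cleartext key each receiving node holds after stripping the pad.
    """
    on_fibre, in_node = {}, {}
    key = session_key
    for sender, receiver in zip(path, path[1:]):
        pad = link_keys[(sender, receiver)]   # QKD-derived key for this link
        wire = xor(key, pad)                  # protected only on this hop
        on_fibre[(sender, receiver)] = wire
        key = xor(wire, pad)                  # receiver recovers the key
        in_node[receiver] = key
    return on_fibre, in_node

def run_demo(relays=("R1", "R2", "R3"), message=b"constructed sample message"):
    # Constructed topology: user A, a chain of trusted relays, user B.
    path = ["A", *relays, "B"]
    n = len(message)
    link_keys = {hop: secrets.token_bytes(n) for hop in zip(path, path[1:])}
    session_key = secrets.token_bytes(n)      # chosen by A, intended for B

    on_fibre, in_node = relay_session_key(path, link_keys, session_key)
    ciphertext = xor(message, session_key)    # A -> B traffic under that key

    return {
        "b_reads": xor(ciphertext, in_node["B"]),
        # Every relay held the key in the clear, so every relay can decrypt.
        "relays_read": {r: xor(ciphertext, in_node[r]) for r in relays},
        # A tap on the fibre sees only padded values, never the key itself.
        "tap_sees_key": any(w == session_key for w in on_fibre.values()),
    }

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The fibre tap learns nothing, which is the property QKD protects; the relays learn everything, which is why the security of the whole path reduces to the security of each node.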