Author: Zen and the Art of Computer Programming
1 Introduction
Quantum Key Distribution (QKD) is an encrypted communication protocol that allows two parties to establish a secure key pairing process. It uses quantum technology and cryptography principles for secure and trustworthy data transmission while reducing the cost of communication links. Traditional RSA, ECC or Diffie-Hellman key exchange protocols all rely on key generation functions, while QKD uses quantum computing technology to generate shared keys. Its advantages mainly lie in low latency, high efficiency, security, etc. Currently, mainstream cloud service vendors such as AWS, Azure and Google Cloud Platform provide QKD-based key management solutions, such as AWS Key Management Service (KMS), Google Cloud HSM, and Microsoft Azure Key Vault.
This article will introduce QKD technology and its implementation in detail. First, the basics of quantum communication networks and QKD technology are introduced, including concepts and terms such as error correction coding, Bell states, qubits, quantum gates, quantum entanglement, quantum circuits, and quantum resources. Then, it introduces AWS KMS's support for QKD, and focuses on its working mechanism and principles. Finally, Open Quantum Safe, an end-to-end encryption solution provided by the open source community, is introduced to discuss the application of QKD in cloud environments.
2. Explanation of basic concepts and terms
2.1. Quantum communication network
Quantum communication network refers to a communication system built using quantum technology. Traditional communication systems rely on electromagnetic waves to transmit information, while quantum communication relies on quantum channels. Quantum communication networks usually consist of quantum nodes, or quantum nodes, each of which can send or receive information from one or more qubits.
The two most important elements in a quantum communication network are quantum nodes and quantum channels. Quantum nodes are generally physical experimental equipment with fixed positions and directions that can be used to store and process quantum information. They can be superconducting quantum tubes, photon couplers or atomic nuclei.
A quantum channel is an unstructured medium constructed using radio or radio frequency technology, and its length can reach thousands of kilometers or even tens of thousands of kilometers. It can accommodate an extremely large number of qubits and can therefore be used to transmit large amounts of quantum information. Quantum channels can be constructed using fiber optics, nanotubes, lidar and other methods. Quantum communication networks also need to consider protection measures to prevent quantum nodes from being tampered with, damaged or lost.
2.2. Bell states and qubits
The Bell state is a special quantum state consisting of two superposition states, called Psi+ and Psi-. Their superposition produces a new quantum state. In quantum communication networks, the Bell state is also called the EPR state (Entangled Pair of Photons). EPR states can be used in quantum key pairing protocols, where Alice and Bob interact to generate EPR states and then send their respective keys through the quantum communication network. The EPR state is the superposition of any two independent Bell states.
Qubits are important communication units in quantum communication networks and can be used to store and transmit information. Each qubit is a superposition state and has two quantum states, namely |0〉 and |1〉. These two states are obtained through superposition. We call this state a qubit.
A qubit can be viewed as a logical combination of two registers, where the first register is the state |0> or |1>, and the second register is the result of the operation under the action of the controlled quantum gate. Together, these two registers determine the state of the qubit. The messages in a quantum communication network are the interactions between these qubits.
2.3. Quantum gate
Quantum gates are the most basic components in quantum communication networks. Any quantum gate can be viewed as a two-part matrix operation. The first part is a control box that selectively activates or deactivates the qubits. The second part is an arithmetic box used to transform the state of the qubit.
A variety of quantum gates have been proposed, such as CX, CZ, Hadamard, Pauli gates, etc. These doors are designed to fulfill a specific purpose. For example, the CX gate can implement the function of the CNOT logic gate, and the CZ gate can implement the function of the CZ logic gate. Of course, there are many other types of quantum gates, and they serve different purposes.
2.4. Quantum entanglement
Quantum entanglement refers to a certain correlation between two qubits in a quantum communication network, such that the information transmitted between them affects each other. When there is entanglement between two qubits, the communication between them is no longer one-way and closed, but can transfer information to each other.
Quantum entanglement is achieved by acting on specific quantum gates. Currently, existing quantum entanglement protocols include Z-guessing protocol, BBPSSW protocol, CPHG protocol, etc. These protocols are based on specific quantum entanglement models. According to the protocol rules, the corresponding quantum gate is selected as the medium for entanglement connection.
2.5. Quantum circuits
A quantum circuit is the path between classical bits and qubits in a quantum communication network. A quantum circuit can be composed of a series of quantum gates and qubits corresponding to input and output. A quantum circuit can be seen as a link in the transmission, collection, and processing of quantum information.
2.6. Quantum resources
Quantum resources refer to physical and computing resources that can be used in actual production or simulation. For quantum communication networks, quantum resources mainly include the following aspects:
Number of available qubits: The number of qubits that can be built into a quantum node is limited. Currently, mainstream quantum communication networks use atomic nuclei or integrated circuits as quantum nodes. Each quantum circuit can build up to hundreds or thousands of qubits, so quantum resources are precious.
Number of available quantum channels: The number of quantum channels that a quantum node can be linked to is also limited. Currently, photon-based quantum communication networks may be able to accommodate tens of thousands of quantum channels, but they still require significant investment to obtain.
Programmable quantum computers: It is estimated that in the next three to five years, the number of quantum computers in the field of quantum communications may exceed that of general ical computers. A growing number of researchers are working on developing chips with quantum computing capabilities.
3. Cloud service provider KMS supports QKD
The KMS service provided by Amazon Web Services (AWS) implements the QKD-based key management solution of the AWS cloud platform. KMS can help users create and manage keys in the cloud, and provides a complete API and tool set for user convenience.
3.1. KMS service architecture
The architecture diagram of the KMS service is as follows:
The KMS service consists of four main parts:
User interface: Provides a user interface for KMS services, including the function of managing keys.
Request processor: receives client requests and converts them into back-end processing.
Key Generator: Used to generate ECDSA, RSA or Diffie-Hellman key pairs.
Key Storage: Where keys are stored. Keys can be saved to a hardware security module (HSM), a software key repository, or the cloud.
3.2. KMS key generation process
The key generation process of KMS is as follows:
Create key material: Customers can use the KMS SDK, CLI, or console to create key material, such as an ECC or RSA public/private key pair, or an X25519 elliptic curve public key. These materials contain raw data, as well as signed and encrypted hashes.
Submit key material to KMS: The client sends an HTTP request containing the key material, requesting the creation of a new key.
Generate key pair: KMS will generate a random number and use the original data and random number provided by the customer to generate the key.
Return key: KMS will return a key containing the public key, private key, CMK ID, expiration time, and ARN (Amazon Resource Name) of the key.
3.3. KMS key storage
KMS supports three key storage types:
AWS KMS Managed Keys: This is the default key storage type. It is stored in an HSM within AWS for the highest level of security.
Customer Master Keys (CMKs): This is another optional key storage type. A CMK is just a set of encryption keys, regardless of data access permissions. Customers are free to place CMKs in different regions and accounts.
External keys stored in Amazon S3 buckets: This type of key storage allows customers to host their own keys. Customers can store their own keys in an Amazon S3 bucket, and KMS will read the keys and manage them.
3.4. KMS service strategy
The KMS service supports two strategies:
IAM Policies: IAM policies control access to KMS services. These policies can be specified for a specific IAM user or role, or for the entire AWS account.
Key Policy: Key policy specifies the access permissions and usage restrictions of the key. When a consumer attempts to perform an operation on a key, KMS checks whether its policy allows it to perform the operation.
3.5. Key rotation
KMS supports automatic key rotation and notifies users in advance before keys expire. The key rotation process is as follows:
KMS has detected that the key is about to expire.
KMS marks the next key as Active and disables the current key.
If a user attempts to use an expired key, KMS will deny their request.
Expired keys are automatically deleted after a specified period.
4. Open Quantum Safe end-to-end encryption solution
Open Quantum Safe is an open source project aimed at developing secure, open source, and commercially available quantum communication solutions. It provides free SDK and reference implementation, supporting various quantum communication protocols, including BB84, E91, MWPM, etc.
4.1. BB84 quantum key pairing protocol
BB84 quantum key pairing protocol (Bell–Bennett–Booker, BB84) is the first quantum key pairing protocol. It utilizes two parties to exchange encryption keys with the help of Bell gates. BB84 is characterized by being easy to understand and implement, and has strong anti-interference capabilities.
4.2. Security of BB84
The BB84 quantum key pairing protocol is the first proven quantum key pairing protocol with good security. The protocol utilizes a quantum communication network to complete key pairing without the involvement of physical parties. In addition, the protocol also has high anti-interference capability and reliability. However, BB84 cannot guarantee that third parties can be trusted. Therefore, this protocol is generally only suitable for covert communication scenarios.
4.3. OQS’s implementation of BB84
The OQS project provides a reference implementation of the BB84 quantum key pairing protocol. Its implementation uses OpenSSL, LibSodium and SWIFFT algorithm libraries. LibSodium is used to generate high-entropy random numbers, and the SWIFFT algorithm library is used for fast quantum computing.
The API provided by LibSodium can be called by the application layer to generate encryption keys, encrypt and decrypt data. Additionally, it provides signing and verification APIs to authenticate data.
4.4. Future plans for OQS
Future plans for OQS include the following:
Add more quantum communication protocols, including ADIAKON, Möttönen-Wilson protocol, Steane code, etc.
Improve implementation performance, error correction and concealment.
Improve code quality and test coverage to ensure the reliability and security of the protocol.
Summarize
This article introduces QKD technology, key terms, related cloud service providers and open source solutions. The KMS protocol provides functions such as quantum key generation, storage, management and rotation in the cloud. The OQS project provides end-to-end encryption solutions for quantum and covert communications.