If experts are to be believed, the engineering world is currently on the eve of a fourth industrial revolution. Having already mastered steam, electricity and automation, we will soon enter an era dominated by digital twins, machine learning and smart factories. The main driving force behind all this innovation is the Internet of Things, also simply known as “IoT,” a technology that will soon connect every electronic device with a microchip into one vast, global network.
Although manufacturers everywhere are looking ahead to prepare for the changes, the biggest hurdle to successfully hailing in the age of IoT is an acute lack of cybersecurity. Without effective security measures, hackers could cause immeasurable damage to the world’s factories, homes and cities, simply by exploiting weak points in the linked web of sensors and controllers. In fact, we have already witnessed the consequences of poor IoT security firsthand. And if Gartner’s prediction of 20 billion connected IoT devices by 2020 comes true, engineers can soon anticipate attacks of a much larger scale.
With the stakes growing higher everyday, out-of-the-box thinking is sorely needed in the world of IoT security. And when it comes to crazy ideas that somehow get engineered into viable solutions, quantum cryptography is a prime candidate.
Quantum cryptography may sound like something out of futuristic science fiction, but here in the present, there are multiple startups already hard at work transforming the hypothetical into a scalable, factory-ready product. Engineering.com spoke to one company that may have already even succeeded. But before we hear what they have to say, let’s discuss what exactly quantum cryptography is, how it works, and what a quantum cryptographic IoT security solution might look like.
The “Quantum” of Quantum Cryptography Explained
Quantum cryptography as a technology makes use of both clever mathematics and the principles of physics—albeit some of the weirder ones. People have known for thousands of years that math can help us hide secret messages behind cryptographic algorithms. But tossing quantum mechanics into the mix delivers ciphers that are more advanced than anything that has ever been done before. To help make sense of how this might work, what follows is a quick Quantum 101 to get you up to speed.
Remember Schrodinger’s Cat? You’ve likely heard of it, but might be a bit fuzzy on the details. Start by imagining a cat that has been placed inside a box, such that no one can see what’s happening inside. Next, a quantum particle is hooked up to a vial of poison gas. The quantum particle’s behaviour is as random as a 50/50 coin flip, and depending on how it acts, the particle will serve as a switch that causes the poison vial either to open, or to remain closed. Subsequently, the cat will either survive or be killed. The idea is that, up until the exact moment you open the box and look inside, the cat is simultaneously alive and dead (or neither, depending on how you choose to interpret quantum weirdness).
To be clear, it doesn’t really matter how one would go about engineering a poison vial switch that’s linked to the behaviour of a quantum particle. Instead, the Schrodinger’s Cat thought experiment can help demonstrate the two most important principles of quantum mechanics: randomness and observation.
First, remember that the behaviour of a quantum particle is completely unpredictable; it’s as random as the flip of a coin or the toss of a die. Second, remember that the cat becomes fully dead or fully alive only after the inside of the box is observed.
By our coin flip analogy, a tossed coin that is unobserved may as well not have been flipped, right until the point that you open your hand to check the results. It’s not that the outcome is hidden from view, it’s more that the coin is both heads and tails until you look at it, at which point it is “forced” to be either one or the other.
Of course, the Schrodinger’s Cat thought experiment is only a game of the imagination, invented by Erwin Schrodinger to illustrate how absurd quantum mechanics is. It is almost entirely impossible that a living, breathing animal such as a cat would be subject to the weird consequences of quantum behaviour. But when it comes to quantum particles—electrons and photons and anything else that is smaller than an atom—the two principles of randomness and observation are no longer a hypothetical thought experiment, they are an experimentally verified reality.
Here’s how a quantum process might actually work in the real world. Imagine a particle that is only large enough to fit in one of six places inside a sub-atomic sized box. Until a physicist tries to measure the precise position of the particle inside the box, the particle exists both everywhere and nowhere—its location is a super-position of all six possible locations. When the physicist takes a measurement, the particle is “forced” to pick an exact position, and it randomly selects one of the six locations to occupy. Hypothetically, this process could be used to select a truly random number between one and six.
This is remarkable for the following reason: whereas any computer algorithm that generates a random number can be hacked, no hacker can predict the outcome of a quantum process—only nature knows how the particle will behave. This is where the cryptography part of quantum cryptography comes in.
Hacking a Cipher: From Difficult to Impossible
Cryptography is an important part of how the internet keeps secret information (such as your credit card number) hidden from potential thieves. But ciphers don’t have to be that complicated to understand. In fact, many children develop their own ciphers to use in case, for instance, private notes passed in class are discovered by a teacher. A child may invent a code that is similar to the following: assign a number to every letter in the alphabet, and then write the note as a string of numbers instead of as words. In this cipher, the word “cat” may become “3 1 20.”
It would be straightforward to write a computer code that can hack such a cipher in seconds, which is why mathematicians developed cipher algorithms that are asymmetrical in nature. Meaning, they are easy to write, but difficult to hack. This sounds like something that should be hard, but conceptually it’s actually very simple—it just involves multiplication.
We can take our code for “cat,” which is “3 1 20” and multiply it by a number x to get an even larger number that provides an even more complex code. The intended recipient of the code must know the factorization key, our number “x,” ahead of time. But a hacker will have to factor the code by every smaller prime number to try and find a result that is intelligible.
Thanks to computer engineering, processors are getting more and more powerful all the time, and cryptographers can generate larger and more complex cryptographic keys. But these advances are a double-edged sword, as hackers can also build more powerful computers and engineer cleverer factorization algorithms. It’s like a game of cat and mouse where the only rule is Moore’s Law—so long as keys are determined by computer algorithm, the hacker is just one step behind. There is always a chance that one day they will catch up.
What cryptographers really need is a non-computer dependent way of generating keys. And this is what brings us back to quantum mechanics.
In theory, quantum mechanics could help cryptographers generate keys that are truly random and completely unique. A hacker can never write an algorithm to predict the key, because it is impossible for any algorithm to predict nature. Not just that, but the moment a hacker tries to observe the key, it changes the properties of the quantum system. This is how the observation principle could be exploited to design an alarm system that alerts users that a hacking attempt has been made.
The influence that true quantum cryptography will have on the internet, cybersecurity, and the IoT cannot be understated. Cybersecurity that is built on quantum cryptography is not just difficult to hack–it’s completely impossible. Once engineers master quantum cryptography, virtually every online industry, from intelligence to banking to bitcoins, will be changed forever.
Why Quantum Cryptography Both Is and Isn’t Possible
Of course, “mastering quantum cryptography” is much easier said than done. After all, if we had already found a successful quantum cryptographic solution, then there wouldn’t be a cybersecurity problem in the first place.
There are several key difficulties with quantum cryptography that make it hard to employ in the real world. But some companies, such as the UK-based Crypto Quantique, believe that the most important benefits of quantum cryptography can still be exploited to engineer a working, scalable product. We spoke to Shahram Mossayebi, CEO and Founder of Crypto Quantique, to discuss some quantum cryptography challenges—and their solutions.
In a phone interview with engineering.com, Mossayebi explains that there are actually a few distinct technologies which all fall under the umbrella term of “quantum cryptography.”
“[Quantum cryptography] has a different definition in the market and in academia,” says Mossayabi. “A broad sense definition is that whatever is somehow related to quantum technologies is called quantum cryptography. That can even just include quantum-safe cryptographic algorithms, which are basically normal mathematical algorithms that we use today, but they cannot be broken by quantum computers.”
Even though the term “quantum cryptography” is sometimes loosely used, other times, it is mistakenly only applied to one specific technique: Quantum Key Distribution, or “QKD.” QKD is by far the most well-known type of quantum cryptography. This is unfortunate, as QKD is also highly ambitious, and will likely be the last quantum cryptographic method that is engineered into a working product.
Because QKD is often thought of as the main way forward for quantum cryptography, many companies, including Crypto Quantique, start out by trying to find a QKD-based solution. And many of these companies, again including Crypto Quantique, inevitably hit a dead end.
Here’s why: in QKD, encrypted information is carried by light signals, using channels such as fiber optic cables or even simply a laser beam. Although this is how quantum cryptography was originally hypothesized to work, the technology unfortunately has many limitations.
First of all, light-based messages (photonics) are sensitive to environmental disturbances, and because of that, they can’t go very far before they are irreversibly disrupted. The latest record for QKD was set at only 400km—not very useful for the internet, which is used to share information over much larger distances.
Additionally, QKD protocols are limited to only two connected devices. Again, this is not ideal for applications in the IoT, in which multiple devices need to exchange secure information with each other, often over a complex network.
Finally, the vast majority of the world’s electronic and IoT infrastructure is silicon-based. Although some chipmakers have made great advances in silicon photonics—the type of chips that integrate photon signals with standard silicon chips—this technology is still considered prohibitively expensive to employ on a larger scale.
“In photonics, the way the protocol works is as an ad hoc protocol, which means that there needs to be two parties that are connected via fiber optics or point-to-point laser,” says Mossayebi. “There’s a couple of reasons we’re not doing that. One is that it cannot be integrated with existing semiconductors. The devices that are out there doing QKD are bulky, big, and very expensive.”
“There are some companies trying to miniaturize it using silicon photonics,” Mossayebi further explains, “but those can be very expensive, not really scalable, and won’t be easily integrated into existing semiconductors. Pretty much you cannot use QKD in the real world yet.”
Unless there is a future in which all of the world’s silicon-based engineering gets converted into something that runs on fiber optics, it is unclear whether QKD will ever be easily integrated into our global communications network. When it comes to IoT security today, QKD is likely completely unviable.
“Because of all the constraints, it doesn’t make sense at all to use QKD, at least for the problem that we are trying to solve,” Mossayebi concludes.
In order to create an IoT-specific security protocol that still manages to exploit the benefits of quantum cryptography, Crypto Quantique moved away from QKD and tried to find another path forward.
Hybrid Solutions
There is another, lesser known class of quantum cryptography called the “hybrid solutions.” In a hybrid solution, engineers use some sort of quantum tech, like quantum random number generators, and combine them with classical modern cryptographic algorithms. Hybrid solutions provide a far more realistic way forward that still manages to exploit the most important benefits of quantum cryptography.
To devise a hybrid system, Mossayebi built a security chip that generates a unique quantum key for each and every IoT device within a network. The key lives inside the IoT device, and is only exchanged with the central hub during the onboarding process.
“In an IoT network so many different parties want to communicate with each IoT device securely,” says Mossayebi, “that means somehow they need to exchange some sort of key with the device. We do this a different way [from QKD]. Using quantum effects inside each device, we are able to generate a large key space that is unique to that chip.”
Because the cryptographic keys inside Mossayebi’s IoT devices are generated with quantum mechanics, no algorithm could possibly try to hack or replicate them. But the security chips are also able to benefit from the quantum observation principle, which provides a built-in alarm system against hackers.
“The key is unclonable and tamper evident,” Mossayebi continues. “That means that if someone wants to find out what the unique key inside the device is, they have to physically go down and look into it. That will disturb the system, so the device or the user will find out about it.”
Crypto Quantique unveiled their “zero touch zero trust” security solution at the IoT Solutions World Congress, which was held last month in Barcelona. During the demo, Mossayebi emphasized that using quantum mechanics allows for security measures that are not just secret to potential hackers, they’re a secret from the manufacturer itself.
“In the market, once you want to have end-to-end security, you need to go and work with two or three different firms to put all the bits and pieces together,” Mossayebi explains. “You have to go to a big hardware company to buy some module, you have go to a third party to do secret key injection and provisioning for you, then go to your manufacturer to put the chip inside your device, and then go to a software company to get a library of plug-ins to connect your device to a cloud service.
“There are so many intervention points here, and if at any point in time you have to put full trust into all those parties that you’re working with, the moment one thing goes wrong, you may be left without any security in place.”
Mossayebi believes that with the use of quantum cryptography, these security headaches can be eliminated.
“We showed a demo of how one could use a quantum cryptographic chip on the cloud side to be able to do this secure device onboarding, all without any secret key exchanging taking place beforehand per device,” Mossayebi says. Because of that, the customer does not need to trust any third party to have end-to-end security, as everything is in one place.
“It’s kind of proven by science and quantum physics, and the rest is standard cryptographic algorithms,” he concludes.
Impending Patents and the Future
The exact design that Mossayebi used to get a chip to generate random quantum keys is still confidential for now. Crypto Quantique has a patent currently pending on their technology. But hopefully in a few months, they’ll be able to reveal the method behind the magic.
In the meantime, Crypto Quantique is in the stage of running pilots with prospective customers, the details of which still need to be figured out with respect to firmware and hardware.
Mossayebi says that, at the moment, their API is only being integrated inside the Microsoft Azure IoT hub. But next year they plan to extend that to AWS, Google, and other public platforms.
They are hoping to deliver a full product to their customers in 2019.