The present application relates to a system, apparatus and method for secure communications based on quantum key exchange/distribution protocols and post-quantum cryptography and applications thereto.
Quantum key distribution (QKD) is a secure communication method which implements a cryptographic QKD protocol involving components of quantum mechanics for distributing cryptographic keys. It enables two parties to produce a shared random secret key or cryptographic key known only to them, which can then be used to encrypt and decrypt messages. Following the arrival of large-scale quantum computers, classical (e.g. factorisation and discrete-log based) key exchange methods for key agreement will be vulnerable and unable to provide security. Post-quantum algorithms offer an alternative but suffer from the possibility of yet-to-be-discovered mathematical attacks on their foundations. QKD offers unconditionally-secure agreement of keys between two parties which possess an initial amount of shared secret material but, due to its reliance on physical implementations, the possibility of malfunctions or physical attacks remains.
There is a desire for a more improved secure communications that may take advantage of QKD and post-quantum cryptographic algorithms in a more secure manner.
The embodiments described below are not limited to implementations which solve any or all of the disadvantages of the known approaches described above.
The invention is defined in the appended set of claims.
This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to determine the scope of the claimed subject matter; variants and alternative features which facilitate the working of the invention and/or serve to achieve a substantially similar technical effect should be considered as falling into the scope of the invention disclosed herein.
The present disclosure provides method(s), apparatus and system(s) of secure communications using a hybrid mechanism or algorithm based on a combination of using components of post-quantum cryptographic algorithms and quantum key distribution (QKD) to allow a resulting algorithm to deliver security determined by the sum of the strengths of these components. The hybrid mechanism or algorithm including the post-quantum cryptographic algorithm and QKD components is adapted to enable at least two parties who hold some initial shared secret material for authentication purposes to agree additional shared material over an insecure public channel such that, without limitation, for example: a successful attack on the QKD components of the hybrid mechanism/algorithm will be insufficient to recover the shared key due to a failure to also compromise the post-quantum cryptographic algorithmic component (e.g. the cryptographic key exchanged and used between the at least two parties); a successful attack on the post-quantum cryptographic algorithmic component of the hybrid mechanism/algorithm will be insufficient to recover the shared key due to a failure to also compromise the QKD component. The hybrid mechanism/algorithm, apparatus, method and/or system is configured to combine QKD with modifications to the bit-flipping key encapsulation (BIKE) post quantum key encapsulation (KEM) cryptographic algorithm.
In a first aspect, the present disclosure provides a computer-implemented method of secure communications for a sender device comprising: encapsulating and/or encrypting a message using a post-quantum cryptographic algorithm and quantum key, QK, material derived from QK distribution with a receiver device; adding noise to the encapsulated or encrypted message; and sending the noisy encapsulated and/or encrypted message to the receiver device.
In a second aspect, the present disclosure provides a computer-implemented method of secure communications for a receiver device comprising: receiving a noisy encapsulated and/or encrypted message from a sender device, the noisy encapsulated and/or encrypted message having been encapsulated and/or encrypted using a post-quantum cryptographic algorithm and quantum key, QK, material derived from QK distribution with the sender device; decapsulating and/or decrypting the received message using the corresponding QK used by the sender device; decapsulating and/or decrypting the QK-decapsulated/decrypted message using the corresponding post-quantum cryptographic algorithm used by the sender; and outputting the message for use by the receiver device.
The noisy encapsulated and/or encrypted message of the second aspect may have been produced in accordance with the first aspect outlined above.
In a third aspect, the present disclosure provides a computer-implemented method of secure communication between a sender device and receiver device comprising: encapsulating and/or encrypting, by the sender device, a message using a post-quantum cryptographic algorithm and quantum key, QK, material derived from QK distribution with a receiver device; adding noise, by the sender device, to the encapsulated and/or encrypted message; and sending, by the sender device, the noisy encapsulated and/or encrypted message to the receiver device; receiving, by the receiver device, the noisy encapsulated and/or encrypted message from the sender device; decapsulating and/or decrypting, by the receiver device, the received message using the corresponding QK used by the sender device; decapsulating and/or decrypting, by the receiver device, the QK-decapsulated/decrypted message using the corresponding post-quantum cryptographic algorithm used by the sender; and outputting, by the receiver device, the message.
As an option, the computer-implemented method according to any of the first, second and/or third aspects, further comprising the receiver device choosing a secret and publishing a public key. As another option, the computer-implemented method according to any of the first, second and/or third aspects, further comprising the sender device generating a random message M of length L using a random source. As a further option, the computer-implemented method according to any of the first, second and/or third aspects, further comprising the sender device performing encoding the message M using the published public key and the QK material.
As an option, the computer-implemented method according to any of the first, second and/or third aspects, further comprising the sender device performing steps of: generating a QK codeword by using the quantum key material, which is known by the receiver device, for computing an exclusive-OR (XOR) of the QK material with a codeword representing the message encoded with the published public key; generating a ciphertext, comprising first and second ciphertext portions c_0 and c_1, by corrupting or flipping random bits of the QK codeword; and sending the ciphertexts to the receiver device.
As a further option, the computer-implemented method according to any of the first, second and/or third aspects, further comprising the receiver device performing the steps of: receiving ciphertext, c_1 and c_0, from the sender device; decrypting and/or decapsulating the first ciphertext portion c_0 using QK material used by the sender device and known by the receiver device based on QKD process between sender device and receiver device; further decrypting or decapsulating using post quantum cryptography algorithm.
As another option, the computer-implemented method according to any of the first, second and/or third aspects further comprising the receiver device performing the steps of: generating a noisy codeword based on computing an exclusive OR, XOR, of the QK material with a received portion of the ciphertext, c_0; and decrypting and/or decapsulating the noisy codeword by applying an error decoding algorithm to recover the encoded message.
As another option, the computer-implemented method according to any of the first, second and/or third aspects, wherein the post-cryptographic algorithm is based on a bit-flipping key encapsulation, BIKE, post-quantum key encapsulation mechanism, KEM, cryptographic algorithm.
As another option, the computer-implemented method according to any of the first, second and/or third aspects, wherein the error decoding algorithm is a medium density parity check code, MDPC, decoding algorithm.
In a fourth aspect, the present disclosure provides a sender apparatus comprising a processor unit, a memory unit, and a communication interface, the processor unit connected to the memory unit and the communication interface, wherein the processor unit, memory unit and communication interface are adapted to implement the computer-implemented method of any of the first aspect.
In a fifth aspect, the present disclosure provides a receiver apparatus comprising a processor unit, a memory unit, and a communication interface, the processor unit connected to the memory unit and the communication interface, wherein the processor unit, memory unit and communication interface are adapted to implement the computer-implemented method of any of the second aspect.
In a sixth aspect, the present disclosure provides a system comprising: a sender device comprising an apparatus according to the fourth aspect; and a receiver device comprising an apparatus according to the fifth aspect; wherein the sender device and receiver device are configured to communicate with each other and implement the computer-implemented method of the third aspect.
In a seventh aspect, the present disclosure provides a computer-readable medium comprising computer code or instructions stored thereon, which when executed on a processor, causes the processor to perform the computer implemented method according to the first aspect.
In an eighth aspect, the present disclosure provides a computer-readable medium comprising computer code or instructions stored thereon, which when executed on a processor, causes the processor to perform the computer implemented method according to the second aspect.
In a ninth aspect, the present disclosure provides a computer-readable medium comprising computer code or instructions stored thereon, which when executed on a processor, causes the processor to perform the computer implemented method according to the third aspect.
In a tenth aspect, the present disclosure provides a computer program product comprising instructions which, when the program is executed by a computer, cause the computer to carry out the method of the first aspect.
As an option, the computer program product may be executed by a computer or system-on-chip processor. A system-on-chip (SOC) is an integrated circuit that combines all of the functions of a computer or other electronic system onto one microchip. Commonly found in smartphones, wireless routers, tablets, and wearable technology, SOCs process the increasingly complex computing needs of many small devices.
In an eleventh aspect, the present disclosure provides a computer program product comprising instructions which, when the program is executed by a computer, cause the computer to carry out the method of the second aspect.
In a twelfth aspect, the present disclosure provides a computer program product comprising instructions which, when the program is executed by a computer of computers, cause the computer to carry out the method of the third aspect.
The methods and/or process(es) described herein may be performed by software in machine readable form on a tangible storage medium e.g. in the form of a computer program comprising computer program code means adapted to perform all the steps of any of the methods described herein when the program is run on a computer and where the computer program may be embodied on a computer readable medium. Examples of tangible (or non-transitory) storage media include disks, thumb drives, memory cards etc. and do not include propagated signals. The software can be suitable for execution on a parallel processor or a serial processor or a system on chip solution, such that the method steps may be carried out in any suitable order, or simultaneously.
This application acknowledges that firmware and software can be valuable, separately tradable commodities. It is intended to encompass software, which runs on or controls “dumb” or standard hardware, to carry out the desired functions. It is also intended to encompass software which “describes” or defines the configuration of hardware, such as HDL (hardware description language) software, as is used for designing silicon chips, or for configuring universal programmable chips, to carry out desired functions.
The preferred features may be combined as appropriate, as would be apparent to a skilled person, and may be combined with any of the aspects of the invention.
Embodiments of the invention will be described, by way of example, with reference to the following drawings, in which:
Common reference numerals are used throughout the figures to indicate similar features.
Embodiments of the present invention are described below by way of example only. These examples represent the best mode of putting the invention into practice that are currently known to the Applicant although they are not the only ways in which this could be achieved. The description sets forth the functions of the example and the sequence of steps for constructing and operating the example. However, the same or equivalent functions and sequences may be accomplished by different examples.
The present disclosure provides method(s), apparatus and system(s) for secure communication between a sender device and a receiver device using a hybrid mechanism or algorithm based on using quantum key distribution material and post-quantum cryptographic algorithms based on a combination of using components of post-quantum cryptographic algorithms and quantum key distribution (QKD) to allow a resulting algorithm to deliver security determined by the sum of the strengths of these components. The hybrid mechanism or algorithm including the post-quantum cryptographic algorithm and QKD components is adapted to enable at least two parties who hold some initial shared secret material for authentication purposes to agree additional shared material over an insecure public channel such that, without limitation, for example: a successful attack on the QKD components of the hybrid mechanism/algorithm will be insufficient to recover the shared key due to a failure to also compromise the post-quantum cryptographic algorithmic component (e.g. the cryptographic key exchanged and used between the at least two parties); a successful attack on the post-quantum cryptographic algorithmic component of the hybrid mechanism/algorithm will be insufficient to recover the shared key due to a failure to also compromise the QKD component. The hybrid mechanism/algorithm, apparatus, method and/or system is configured to combine QKD with modifications to the bit-flipping key encapsulation (BIKE) post quantum key encapsulation (KEM) cryptographic algorithm.
For example, hybrid mechanism/algorithm, apparatus, method and/or system(s) are provided for performing a secure communication between a sender device and receiver device. This includes encapsulating or encrypting, by the sender device, a message using a post-quantum cryptographic algorithm and quantum key (QK) material derived from QK distribution with a receiver device. Noise is added, by the sender device, to the encapsulated or encrypted message. The sender device sends the noisy encapsulated/encrypted message to the receiver device. On receipt of the noisy encapsulated or encrypted message from the sender device, the receiver device decapsulates or decrypts the received message using corresponding QK used by the sender device. The receiver device decapsulates or decrypts the QK decapsulated/decrypted message using the corresponding post-quantum cryptographic algorithm used by the sender, and the receiver device outputs or uses the message sent by the sender. The post-quantum cryptographic algorithm is the BIKE algorithm, which may use medium density parity check codes, MDPC, decoding algorithms. The sender and receiver may be a sender device and a receiver device, respectively. The sender and/or receiver device may each be any device or communication device capable of communicating with each other and capable of performing post-quantum cryptography and quantum key distribution for exchanging quantum key materials with each other, such that the QK materials are known by the sender and receiver. The hybrid mechanism/algorithm, apparatus, method and/or system(s) as described herein may be used to protect, without limitation, for example communications between receiver and senders/transmitters, cloud services and/or transactions and the like.
Post-quantum algorithms offer an alternative to classical encryption algorithms but suffer from the possibility of yet-to-be-discovered mathematical attacks on their foundations. Meanwhile, quantum key distribution offers unconditionally-secure agreement of keys between two parties which possess an initial amount of shared secret material but, due to its reliance on physical implementations, the possibility of malfunctions or physical attacks remains.
The hybrid mechanism or algorithm as herein described provides a combination of these two techniques that allows the resulting hybrid algorithm to deliver security determined by the sum of the strengths of the components. In practical terms, the inventions allows two parties who hold some initial shared secret material (e.g. quantum key distributed material) for authentication purposes to agree additional shared material over an insecure public channel such that: a successful attack on the QKD components of the hybrid algorithm will be insufficient to recover the shared key due to a failure to also compromise the post-quantum algorithmic component; and a successful attack on the post-quantum algorithmic component of the hybrid algorithm will be insufficient to recover the shared key due to a failure to also compromise the QKD component. In particular, the strengths of each of the post-quantum algorithmic component and the QKD component compensate for the weaknesses of the other to provide a more robust and secure system.
An example of the hybrid algorithm/mechanism is described, by way of example only and is not limited to, combining QKD with the BIKE (bit-flipping key encapsulation) post quantum key encapsulation mechanism (KEM) algorithm.
Conventional QKD includes the following steps of: 1) Alice and Bob a priori possess a volume of secret key material known only to Alice and Bob; 2) Alice and Bob engage in a number of QKD ‘rounds’ in which their existing shared key material is used for process authentication and allows them to progressively expand the volume of shared key material they hold; 3) Surplus shared key material (beyond that required to sustain future QKD rounds) is made available for securing classical communications.
Although the BIKE encapsulation (encryption) algorithm 100 and BIKE decapsulation (decryption) was described in relation to sending a cryptographic key from Alice to Bob, this is by way of example only and the invention is not so limited, it is to be appreciated by the skilled person that the random message M generated by Alice may instead be a message M that Alice wishes to send to Bob, where the message M has been encrypted with a generated cryptographic key. For example, in step 104 the random source may generate a cryptographic key which may be XORed with the information Alice wishes to send to generate the message M. Thus, Alice sends, using codewords c_0 and c_1, the ciphertext representing the message M in
The hybrid encapsulation (encryption) process 200 includes the following steps of: In step 202, a sender may encrypt a message using BIKE algorithm; In step 204, the sender may encrypt further using quantum key (QK) material (e.g. the QK one-time-pad (OTP) material); In step 206, the sender adds noise to the BIKE and QK encrypted message. The process of adding noise may be carried out as described above in relation to
For example, the QK one-time-pad (OTP) material used by the sender and receiver may have been previously shared between sender and receiver using a QKD protocol and the like. So, essentially, the QK material may be considered to be known by sender and receiver.
Thus, instead of removing noise prior to decrypting using the QK material, the hybrid encapsulation/decapsulation (encryption/decryption) process(es) 200 and 210 first decrypts using the QKD material, then removes noise using the BIKE algorithm. Thus, the noise removal procedure is inverted, which is made possible by the nature of BIKE and its compatibility with one-time pad encryption using QKD-sourced material. In security terms, this confers the advantage that, even if an attacker were able to break the BIKE encryption (encapsulation), leveraging this ability (even in a partial sense) would not be possible without breaking the QKD one-time pad encryption first.
Referring to
Although the hybrid encapsulation (encryption) algorithm 220 and hybrid decapsulation (decryption) algorithm 230 as described with reference to
Furthermore, the Quantum key (QK) material can be re-used, conditioned on hash-function being unbreakable and nonces being of sufficient size. If nonces are used, then, for security purposes or one or more use cases, they should never be used more than once and should be random and independent. However, this restriction may be relaxed depending on the use case and/or as the application demands.
Further modifications and/or alternative applications may be applied to the hybrid encapsulation and/or decapsulation process(es) 200, 210, 220, and/or 230 of
During the process of establishing a key via QKD a certain level of errors are expected to occur via natural processes and potential attempts at eavesdropping. In normal usage these errors are identified and removed. It is possible that these errors could be instead used as an input to the bit-flipping corruption of approximately sqrt(n) bits of the codeword produced by BIKE, removing the need to source this randomness from an external process
It is noted that in the BIKE algorithm, the second ciphertext component is denoted c_1 and, assuming that the SHA384 hash function is secure, does not necessarily need protection using one-time pad material in the hybrid encapsulation/decapsulation process(es) 200, 210, 220 and/or 240. As an option, the additional protection of the c_1 value using QKD-derived one-time pad material may lend to further enhanced security at the cost of increased one-time-pad (OTP) consumption.
In the embodiment described above the server may comprise a single server or network of servers. In some examples the functionality of the server may be provided by a network of servers distributed across a geographical area, such as a worldwide distributed network of servers, and a user may be connected to an appropriate one of the network of servers based upon a user location.
The above description discusses embodiments of the invention with reference to a single user for clarity. It will be understood that in practice the system may be shared by a plurality of users, and possibly by a very large number of users simultaneously.
The embodiments described above are fully automatic. In some examples a user or operator of the system may manually instruct some steps of the method to be carried out.
In the described embodiments of the invention the system may be implemented as any form of a computing and/or electronic device. Such a device may comprise one or more processors which may be microprocessors, controllers or any other suitable type of processors for processing computer executable instructions to control the operation of the device in order to gather and record routing information. In some examples, for example where a system on a chip architecture is used, the processors may include one or more fixed function blocks (also referred to as accelerators) which implement a part of the method in hardware (rather than software or firmware). Platform software comprising an operating system or any other suitable platform software may be provided at the computing-based device to enable application software to be executed on the device.
Various functions described herein can be implemented in hardware, software, or any combination thereof. If implemented in software, the functions can be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media may include, for example, computer-readable storage media. Computer-readable storage media may include volatile or non-volatile, removable or non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. A computer-readable storage media can be any available storage media that may be accessed by a computer. By way of example, and not limitation, such computer-readable storage media may comprise RAM, ROM, EEPROM, flash memory or other memory devices, CD-ROM or other optical disc storage, magnetic disc storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. Disc and disk, as used herein, include compact disc (CD), laser disc, optical disc, digital versatile disc (DVD), floppy disk, and blu-ray disc (BD). Further, a propagated signal is not included within the scope of computer-readable storage media. Computer-readable media also includes communication media including any medium that facilitates transfer of a computer program from one place to another. A connection, for instance, can be a communication medium. For example, if the software is transmitted from a website, server, or other remote source using a coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of communication medium. Combinations of the above should also be included within the scope of computer-readable media.
Alternatively, or in addition, the functionality described herein can be performed, at least in part, by one or more hardware logic components. For example, and without limitation, hardware logic components that can be used may include Field-programmable Gate Arrays (FPGAs), Application-Program-specific Integrated Circuits (ASICs), Application-Program-specific Standard Products (ASSPs), System-on-a-chip systems (SOCs), Complex Programmable Logic Devices (CPLDs), etc.
Although illustrated as a single system, it is to be understood that the computing device may be a distributed system. Thus, for instance, several devices may be in communication by way of a network connection and may collectively perform tasks described as being performed by the computing device.
Although illustrated as a local device it will be appreciated that the computing device may be located remotely and accessed via a network or other communication link (for example using a communication interface).
The term ‘computer’ is used herein to refer to any device with processing capability such that it can execute instructions. Those skilled in the art will realise that such processing capabilities are incorporated into many different devices and therefore the term ‘computer’ includes PCs, servers, mobile telephones, personal digital assistants and many other devices.
Those skilled in the art will realise that storage devices utilised to store program instructions can be distributed across a network. For example, a remote computer may store an example of the process described as software. A local or terminal computer may access the remote computer and download a part or all of the software to run the program. Alternatively, the local computer may download pieces of the software as needed, or execute some software instructions at the local terminal and some at the remote computer (or computer network). Those skilled in the art will also realise that by utilising conventional techniques known to those skilled in the art that all, or a portion of the software instructions may be carried out by a dedicated circuit, such as a DSP, programmable logic array, or the like.
It will be understood that the benefits and advantages described above may relate to one embodiment or may relate to several embodiments. The embodiments are not limited to those that solve any or all of the stated problems or those that have any or all of the stated benefits and advantages. Variants should be considered to be included into the scope of the invention.
Any reference to ‘an’ item refers to one or more of those items. The term ‘comprising’ is used herein to mean including the method steps or elements identified, but that such steps or elements do not comprise an exclusive list and a method or apparatus may contain additional steps or elements.
As used herein, the terms “component” and “system” are intended to encompass computer-readable data storage that is configured with computer-executable instructions that cause certain functionality to be performed when executed by a processor. The computer-executable instructions may include a routine, a function, or the like. It is also to be understood that a component or system may be localized on a single device or distributed across several devices.
Further, as used herein, the term “exemplary” is intended to mean “serving as an illustration or example of something”.
Further, to the extent that the term “includes” is used in either the detailed description or the claims, such term is intended to be inclusive in a manner similar to the term “comprising” as “comprising” is interpreted when employed as a transitional word in a claim.
The figures illustrate exemplary methods. While the methods are shown and described as being a series of acts that are performed in a particular sequence, it is to be understood and appreciated that the methods are not limited by the order of the sequence. For example, some acts can occur in a different order than what is described herein. In addition, an act can occur concurrently with another act. Further, in some instances, not all acts may be required to implement a method described herein.
Moreover, the acts described herein may comprise computer-executable instructions that can be implemented by one or more processors and/or stored on a computer-readable medium or media. The computer-executable instructions can include routines, sub-routines, programs, threads of execution, and/or the like. Still further, results of acts of the methods can be stored in a computer-readable medium, displayed on a display device, and/or the like.
The order of the steps of the methods described herein is exemplary, but the steps may be carried out in any suitable order, or simultaneously where appropriate. Additionally, steps may be added or substituted in, or individual steps may be deleted from any of the methods without departing from the scope of the subject matter described herein. Aspects of any of the examples described above may be combined with aspects of any of the other examples described to form further examples without losing the effect sought.
It will be understood that the above description of a preferred embodiment is given by way of example only and that various modifications may be made by those skilled in the art. What has been described above includes examples of one or more embodiments. It is, of course, not possible to describe every conceivable modification and alteration of the above devices or methods for purposes of describing the aforementioned aspects, but one of ordinary skill in the art can recognize that many further modifications and permutations of various aspects are possible. Accordingly, the described aspects are intended to embrace all such alterations, modifications, and variations that fall within the scope of the appended claims.
Number | Date | Country | Kind |
---|---|---|---|
2011219.9 | Jul 2020 | GB | national |
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/GB2021/051863 | 7/20/2021 | WO |