IDQ Leads Efforts to Standardize QKD Technology
As a founding member of the ETSI Industry Specification Group for QKD, ID Quantique (IDQ) has been supporting the community effort to standardize QKD systems for more than 10 years. A crucial standard for QKD security evaluation is about to be finalized: a so-called Protection Profile with mandatory security requirements for the QKD link. This standard should be published later this year.
Prospective customers will only entrust their most valuable data to QKD systems when they have sufficient assurance that the systems are secure and compliant with their security policies. Security evaluation provides a way to give this assurance:
- A trusted, competent testing lab thoroughly tests and evaluates the QKD systems and networks
- An oversight certification body gives the green light for qualified deployment and use.
Standardizing QKD Security
The paradigm for security evaluation is also based on a standard. The “Common Criteria for Information Technology Security Evaluation” (ISO/IEC/EN 15408, since 1996, recently upgraded to version 4.0) defines the procedures and necessary “ingredients.” One of the main goals of the ETSI Industry Specification Group-QKD is to develop and provide all these ingredients, which are standards:
- Characterization of the optical components used
- Protocols and algorithms
- Implementation security against particular attacks
- Generic security requirements
Advancing QKD Standards: Challenges and Contributions
The new ETSI Common Criteria Protection Profile Group Specification QKD 016 defines such security requirements for a generic BB84 QKD link and is thus applicable for ID Quantique’s new Clavis XG QKD system. The Protection Profile itself is currently being evaluated by SGS in Graz, Austria and will be published in December 2023.
However, some mandatory ingredients for the evaluation are still missing. One example is a security proof for the QKD protocol in the specific format required by the security certification. Several promising efforts to formalize a QKD protocol are currently ongoing, and together with its partner Nutshell Quantum-Safe, IDQ is actively contributing to these community efforts. Internally, IDQ is striving to cover all the manufacturer’s responsibilities for the evaluation process, so as to have everything ready for the evaluation of its Clavis XG once all the ingredients are available. These include:
- Preparation of the extensive specifications and documentation
- Adaptation of processes to required security levels
- Identification of necessary design modifications
Beyond security evaluation, IDQ together with Toshiba Europe (UK) is driving the update of two ETSI standard interfaces for the QKD network: ETSI Group Specifications QKD 014 and 020. The latter enables large QKD networks with multiple (vendor) domains. This is the kind of network IDQ is currently implementing in Korea.
Unifying QKD Standards across Organizations
In addition to its participation in ETSI, IDQ assists its partners SK telecom (SKT) and SK Broadband to promote standards for QKD Networks, such as integrating QKD and post-quantum cryptography (PQC) within ITU-T’s Study Group 17. In a recent press release, SK Telecom announced it would be working to develop standards for the combined use of QKD and PQC at the ITU-T SG17 meeting in Seoul, Korea.
The extensive interest of the main standards organizations in QKD is further demonstrated by the recent publication by the ISO (International Organization for Standardization) of its first standards for QKD security evaluation. The two-part ISO/IEC 23837 provides a common baseline set of Common Criteria security functional requirements (SFRs) of QKD modules, as well as related test and evaluation methods.
Today, these various standards developing organizations cover different aspects of QKD standardization and security. However, they also communicate and collaborate through liaisons. We expect that this will result in a common framework, which will be beneficial to the entire QKD community.
About ID Quantique
ID Quantique (IDQ), founded in 2001, initially operated as a spin-off company of the University of Geneva, working on research projects to demonstrate the feasibility of quantum key distribution (or QKD, also known as quantum cryptography). In late 2003, IDQ developed the first QKD product for data centers to protect data in transit. Twenty years later, IDQ released its 4th generation of quantum key distribution systems and remains the market leader in quantum-safe cryptography and quantum sensing solutions. It maintains close ties with academic institutions by participating in numerous research programs and plays a leading role in cutting-edge projects to drive innovation to the market.