Moving towards quantum resilience

An interview with Jaya Baloo, Chief Information Security Officer at KPN

"We’ll count ourselves fortunate if we’ll see a commercially available quantum internet in the next five to ten years"

What triggered your interest in quantum communication?

My interest in quantum communication arose more than a decade ago when I was working on lawful interception and we discussed how we could accomplish lawful interception in the face of quantum communication. It really opened up my eyes to the possibilities of how we could guarantee security in the face of all types of monitoring threats. When things are encrypted mathematically, there might be a backdoor that we don’t know about or there might be threats that we haven’t fully understood. But with quantum, it’s encrypted at the physical layer. That is a totally different ballgame.

Where do you see the opportunities for a company like KPN?

We are only at the beginning of what quantum communications could mean for our society, certainly in terms of ubiquitous usage. Today, we mostly talk about point-to-point links. But it only becomes powerful when you can communicate many to many, on demand, instantly. This is the goal of projects that are being done now, creating quantum repeaters and architecture building blocks for a new type of quantum communications-delivered internet. I consider this to be the most exciting thing that will happen in the next few years. KPN would like to be one of the first providing such a network.

What do you recommend to companies that aim to become quantum resilient?

The idea of quantum resilience is that regardless of whatever happens, even with a quantum computing attack, your communications remain secure. I recommend a 3-step plan towards quantum resilience:

1) Buy yourself some time. Assess the cryptography you currently use, and what you use it for. Make sure that you’re using the maximum key length option for your current cryptography. Assess the cryptographic agility you have with your current cryptographic algorithms, in other words, your capacity to adopt other encryption methods without significant changes to your system infrastructure.

2) Look for specific places in your network where quantum key distribution would be an asset. For example, primary and secondary data center connections or crucial places for particular transactions that are mission-critical. Those areas will need to be planned for and examined, and built out. The technology is available today off the shelf, so there should really be no reason to not do it for a few places, but this does not scale well across large distances or networks.

3) Think about how you can fully explore crypto agility by replacing current algorithms with post-quantum cryptography. This is a new set of post- quantum algorithms that are currently under submission for NIST, but you can already start playing around with them now. There are different cryptographic algorithms, each with a specific purpose and yet different merits. You can already start examining, especially for critical data, which one works the best for you. This way you learn if it’s possible to, and how easy it is to, swap one algorithm for another. It is all about crypto agility. We use different cryptographic algorithms for our internet connections than for our VPNs or for our banking algorithms. I recommend that regardless of what industry you’re in, you examine how you use cryptography today and which algorithms you use for that, and then take a look at the best possible post-quantum mix for your future business.

Why did KPN choose to partner with TU Delft in building a quantum internet?

The partnership with TU Delft gives us an advantage to be better prepared for the future by participating in the present. We will be better able to cope with new technologies if we’re part of the build and development, compared to being only part of the group that needs to adopt and follow once it’s there. Finally, it’s an honor to be part of such inspirational endeavors with a partner that does such groundbreaking work on all things quantum.

When do you expect a commercial quantum network service?

Initial forays to provide quantum computing services are already being commercialized now, and we’ll see several providers doing that. For quantum communication, there is quite a bit of work being done by different companies on quantum key distribution and hardware, but it’s not being deployed as a managed service yet. We will first see managed services for point-to-point links that will provide quantum-grade security. When we can extend this to entire network services, it becomes really interesting. But a lot of fundamental research still needs to happen. Developing a quantum repeater is not a small task, as it is not just the technical challenges, it’s also making sure there is funding and the cooperation of all parties that are necessary to make this a success. We’ll count ourselves fortunate if we’ll see a commercially available quantum internet in the next five to ten years.