Communications of the ACM

of quantum computers. We assume there exist quantum computation devices that offer advantages in many useful applications compared with the best classical computers. At that time, there will be tasks that involve quantum computers and communication and processing of quantum information, where the parties involved want to maintain the privacy of their data and have guarantees on the security of the tasks achieved. This period may not be too far, since quantum devices being developed now are already crossing the limit of quantum computations that can be simulated by classical supercomputers.

These categories, in general, in-
clude all aspects of cyber security. We
will focus on the effects that quantum
technologies have for cryptographic
attacks and attacks that exploit vulner-
abilities of the new quantum hardware
when such hardware is used. As far as
exploits of other vulnerabilities of ex-
isting classical hardware is concerned
(for example, timing attacks), we do
not expect they will significantly ben-
efit from quantum technologies and
thus we do not expand further.a
This review. First of all we clarify
what this review is not. It is not an ex-
haustive list of all research in quan-
tum cyber security, neither a his-
torical exposition on how quantum
cryptography developed, nor a proper
introduction to the field including the
background required. Excellent such
reviews have been written (for exam-
ple, Broadbent13).

Our aim in this article is twofold. On the one hand, we want to clarify misconceptions and organize/categorize the research landscape in quantum cyber security in a comprehensible and approachable way to the non-experts. On the other hand, we want to focus on specific aspects, for each of the quantum cyber security research categories given here that we believe have been underrepresented in research and exposure to the public, despite being very important. We clarify some facts about quantum computers and quantum adversaries, setting the stage to ana- a One could imagine that enhanced quantum sensing and quantum metrology could improve certain side-channel attacks, but this is beyond the scope of this article.

are (see Figure 1). In the first category we ensure that currently possible tasks remain secure, while in the other two categories we explore the new possibilities that quantum technologies bring.

As is typical in cryptography, we first assume the worst-case scenario in terms of resources, where the honest parties are fully classical (no quantum abilities), while the adversaries have access to any quantum technology (whether this technology exists currently or not). In particular we assume they have a large quantum computer. Ensuring the security and privacy guarantees of a classical protocol remain intact is known as post-quantum (or “quantum-safe”) security.

In the second category we allow
honest parties to have access to quan-
tum technologies in order to achieve
enhanced properties, but we restrict
this access to those quantum technolo-
gies that are currently available (or that
can be built in near-term). Requesting
this level of quantum abilities comes
from the practical demand to be able
to construct now, small quantum
devices/gadgets that implement the
“quantum” steps of (the honest) pro-
tocols. The adversaries, again, can use
any quantum technology. In this cat-
egory we focus on achieving classical
functionalities but we are able to en-
hance the security or efficiency of the
protocols beyond what is possible clas-
sically by using current state-of-the-art
quantum gadgets.

Finally, the third category looks further in the future and examines the security and privacy of protocols that are possible (are enabled) by the existence

Figure 1. Schematic representation of the quantum cyber security research landscape.

Red boxes are the three categories of research. Dotted lines indicate the resources (computation and communication) required from the honest parties. Green boxes represent issues on which we focus in this review. For the post-quantum category, we consider the changes required: which are the hard problems used, security definitions and proof techniques. For the quantumly enhanced category we consider the types of enhancements we may get in different protocols: information theoretic security (from computational), increased efficiency, functionalities impossible classically (even with computational assumptions). For the quantumly enabled category we consider separately the different communication infrastructures available (classical/quantum).