Communications of the ACM

and improved efficiency, that is, achieving tasks with fewer resources (as in quantum fingerprinting).

The majority of research on quantumly enhanced security is done on QKD, however, many other protocols, functionalities, and primitives exist that admit enhancement and that require similar or slightly more involved quantum technologies. Some of these technologies include: quantum random number generators, quantum fingerprinting, quantum digital signatures, quantum coin flipping, e-voting, Byzantine agreement, quantum money, quantum private information retrieval, secure multiparty computation (SMPC), and position verification.

Since quantum technologies develop rapidly, the possibilities of practical quantum gadgets increase, as more and more quantumly enhanced protocols become realistic. For example, on top of simple quantum communication between parties, we can now have each of the parties having small quantum processors. It is therefore an exciting time for this type of research since we can now consider tailor-made constructions to enhance the performance of specific involved cryptographic protocols such as e-voting or SMPC.

Practicality. Research in this category involves quantum technologies that are currently possible. While this requirement makes such applications possible, for adaptation of quantumly enhanced solutions for wide use, one must establish the necessary infrastructure, namely a reliable and wide quantum communications network. The development of quantum internet is more than a vision for the future, since a big initiative pushing towards this direction is currently under development (“Quantum Internet Alliance”). 2 In the meantime, priority should be given to applications that involve few parties and do not require a fully developed quantum network.

Quantum hacking. The use of quan-
tum gadgets opens the possibility
for new attacks, specific to the physi-
cal implementations. Standard side-
channel attacks (for example, timing)
may be less applicable, but there are
new side-channel attacks specific to
the quantum devices. The best known
quantum hacking attacks are the
photon number splitting and beam-
splitting attacks, both exploiting the
fact that the real systems used for qu-
bits are not single photons as they are
modeled theoretically. 10 The thermal
blinding of detectors that leak to the
adversary information on the measure-
ment choices before the classical post-
processing phase, 30 something that in-
validates the security proof. The latter
attacks have been realized against (pre-
vious versions) of the commercially
available QKD systems of ID Quantique
and MagiQ Technologies. Naturally
these attacks are specific to each of the
implementations of the quantumly en-
hanced protocols.
Countermeasures discovered to
“fix” systems after side-channel attacks
come at a cost (for example, better
single photon sources or protocols in-
volving decoy states or monitoring the
detectors), but other side-channel at-
tacks are likely to appear. Interestingly,
quantum theory offers a theoretical
method to deal with all side-channel
attacks on the quantum gadgets with
some extra cost in resources.
Device-independence. What enables
side-channel attacks is the mismatch
between the ideal modeling of the
(quantum) device and the real imple-
mentation. One of the most exciting
new possibilities that quantum theory
offers is that using the fundamental
property of quantum non-locality one
can achieve quantum cryptographic
tasks based only on the classical sta-
tistics/correlation of the measurement
outcomes, without the need to make
any assumption on the (quantum) de-
vices used. 17 In particular, security is
maintained even if the devices were
prepared by adversaries and given as
black-boxes to the honest parties. De-
vice-independent protocols are secure
against any side-channel attack on the
quantum device and have been devel-
oped for many functions: QKD, QRNG,
among others. These protocols come
with some cost in resources, currently
too high for practical use. However,
based on weaker correlations, one can
make protocols that are secure without
trusting some, but not all, devices with
considerably reduced cost compared
to fully device independent protocols.
For example, in measurement-device
independent protocols, 11, 29 security is
maintained without trusting the mea-
suring/detecting device and thus one
avoids the thermal blinding detector
attacks mentioned earlier. In general,
there is a trade-off between the extra
cost in resources and the amount of
trust assumed on quantum devices.

Standardization. For the adoption of quantumly enhanced solutions by industry it is important to establish standards for quantum gadgets compatible and acceptable by the general cyber security community. For QKD, discussions already exist for example within the European Telecommunications Standards Institute (ETSI), while in the case of quantum random number generators, ID Quantique, offers the Quantis product that is validated with the AIS31 methodology. It is important and timely to address the standards issues for all quantumly enhanced functionalities.

Quantumly Enabled Security: Secure Use of Quantum Computers As we have seen, quantum computers will offer computational advantages in many problems, varying from exponential to much more modest quadratic or even constant. It is natural that when such devices are available, one might want to use this extra computational power in tasks that also require privacy and security, in other words we seek security for quantumly enabled protocols. All security concepts, such as authentication, encryption but also more involved concepts as computation on encrypted data and secure multiparty computation, would need to be modified to apply to quantum information and quantum computation. Of course, for this type of question to be meaningful, we first must have quantum computation devices of size that can offer concrete computational advantages for everyday problems. This is not the case today, but since we are expected to cross the classical simulation limit (real quantum computers that exceed in size those that can be simulated by classical supercomputers) soon, we are entering the era that will have realistic quantum speed-ups. The time for speed-ups being applied to important everyday problems might not be too far away.

Research in this category is developing rapidly, and already a number of protocols exist for quantum encryption, quantum authentication, quantum non-malleability, blind