Analysis conducted by the National Cyber Security Centre (NCSC) details the current state of quantum key distribution (QKD) and quantum random number generation (QRNG) technologies, informed by the National Quantum Strategy and NIST’s post-quantum cryptography (PQC) standardisation efforts. QKD offers a mechanism for generating and sharing cryptographic keys with eavesdropping detection, though it lacks inherent authentication capabilities and necessitates integration with other cryptographic services; the NCSC recommends PQC as the primary mitigation against quantum computing threats, deeming QKD unsuitable for government or military applications due to implementation vulnerabilities and the challenges of securing complex integrated systems.
QRNGs leverage quantum state measurement unpredictability to produce truly random numbers, offering potential advantages in generation rates and source degradation detection over classical random number generators, and are valuable for cryptographic secrets, session identifiers, and input for post-quantum algorithms; the NCSC encourages continued QRNG research focusing on raw source assurance and integration into engineered devices. The broader field of ‘quantum networking’ encompasses deployments ranging from replacing classical security with quantum technologies to extending classical networks with quantum functionality and distributing entangled quantum states, with the latter two categories—enhancing sensor networks and scaling quantum computers—holding the most promise, and requiring a combined quantum-specific and cyber security expertise; the NCSC’s mission to deploy a world-leading quantum network by 2035 necessitates collaboration between industry and academic groups focusing on secure network architectures, component definition, and system assurance.
Quantum Key Distribution and Random Number Generation
The National Cyber Security Centre (NCSC) has consistently addressed the evolving landscape of quantum-reliant security technologies, publishing foundational analyses of Quantum Key Distribution (QKD) in 2016 and expanding this coverage to encompass Quantum Random Number Generation (QRNG) within the 2020 publication, Quantum Security Technologies. These assessments are intrinsically linked to the implementation of the National Quantum Strategy (2022) and the contemporaneous development of post-quantum cryptography (PQC) standards by the National Institute of Standards and Technology (NIST), reflecting a global convergence on securing communications against future computational threats. QKD, at its core, offers a mechanism for generating and distributing cryptographic keys predicated on the principles of quantum mechanics, specifically leveraging the uncertainty inherent in quantum state measurement to detect any attempt at eavesdropping. This detection capability stems from the fundamental tenet that any observation of a quantum system inevitably disturbs it, alerting legitimate parties to the presence of an interceptor. However, it is crucial to recognise that QKD addresses only one aspect of secure communication: key establishment. Authentication – verifying the identity of communicating parties – remains a separate, and equally vital, requirement, and QKD systems do not inherently provide this functionality. Consequently, the effective deployment of QKD necessitates its integration with complementary cryptographic services to achieve robust security.
Two primary strategies exist for mitigating the threat posed by quantum computers to current cryptographic systems. The NCSC prioritises the adoption of PQC, which has undergone rigorous evaluation and standardisation by NIST, and is increasingly being implemented in operational systems. PQC algorithms are designed to be resistant to attacks from both classical and quantum computers, offering a long-term solution to cryptographic security. Alternatively, QKD can be employed in systems utilising symmetric-key authentication with pre-shared keys. However, this approach is limited in its general applicability due to the inherent challenges associated with secure key distribution and management, particularly over extended distances or in open environments. The practical implementation of QKD systems is further complicated by the need to minimise complexity to constrain the attack surface. Integrating quantum and classical components introduces potential vulnerabilities, and developing implementations secure against sophisticated, resource-intensive attacks remains an ongoing area of research. Consequently, the NCSC currently does not support the use of QKD for government or military applications, recommending PQC as the optimal mitigation strategy. For other sectors, QKD should not be solely relied upon for key generation and distribution, and its deployment should not be misconstrued as evidence of comprehensive data-in-transit security. Organisations considering QKD implementation must adopt robust quantum-resistant authentication mechanisms and proactively manage any associated cybersecurity risks.
Beyond QKD, Quantum Random Number Generators (QRNGs) represent a significant advancement in the generation of truly random numbers. Classical Random Number Generators (RNGs) rely on deterministic algorithms, producing sequences that, while appearing random, are ultimately predictable. QRNGs, conversely, exploit the inherent unpredictability of quantum state measurement – such as the decay of a radioactive isotope or the quantum fluctuations of a laser – to generate genuinely random numbers. These numbers are invaluable for a wide range of applications, including cryptographic key generation, the creation of session identifiers, and as input for post-quantum algorithms, as well as increasingly, in machine learning applications. While classical RNGs have historically met these needs, QRNGs offer the potential for higher generation rates and, crucially, the ability to detect source degradation through precise modelling of the underlying quantum components. The NCSC actively encourages continued research on QRNGs, focusing on assurance of the raw quantum sources, their integration into engineered devices, and their effective deployment within larger, predominantly classical systems. This includes developing methods to verify the randomness of the generated numbers and to protect against potential attacks that could compromise the integrity of the QRNG.
The NCSC Position on QKD Implementation
The National Cyber Security Centre’s (NCSC) position on Quantum Key Distribution (QKD) implementation, informed by the National Quantum Strategy (2022) and the ongoing development of post-quantum cryptography (PQC) standards by the National Institute of Standards and Technology (NIST), reflects a nuanced assessment of its capabilities and limitations. While acknowledging QKD’s theoretical promise of information-theoretically secure key exchange – resistant to attacks from both classical and quantum computers – the NCSC emphasises that establishing a secure cryptographic key is only one component of secure communication. Crucially, QKD does not inherently provide authentication – the verification of communicating parties’ identities – necessitating its integration with other cryptographic services to achieve substantial security. Consequently, the NCSC prioritises PQC as the primary mitigation against quantum computing threats, citing its rigorous standardisation and increasing operational implementation.
The NCSC explicitly states it will not support the use of QKD for government or military applications, advocating for PQC instead. For other sectors, QKD should not be considered a panacea for key generation and distribution, nor should its deployment be misinterpreted as evidence of comprehensive data-in-transit security. Organisations contemplating QKD implementation are advised to deploy robust quantum-resistant authentication mechanisms and proactively manage associated cybersecurity risks. A core tenet of the NCSC’s assessment is the importance of minimising system complexity to constrain the attack surface, a significant challenge when integrating quantum and classical components. Developing QKD implementations secure against sophisticated, resource-intensive attacks remains an ongoing research area, particularly concerning side-channel attacks targeting implementation vulnerabilities rather than the underlying physics.
Beyond QKD, the NCSC recognises the potential of Quantum Random Number Generators (QRNGs). Unlike classical Random Number Generators (RNGs) which rely on deterministic algorithms and are therefore predictable, QRNGs leverage the inherent randomness of quantum phenomena – such as the radioactive decay of isotopes or the quantum fluctuations of laser light – to generate truly random numbers. These numbers are valuable for cryptographic key generation, session identifiers, and as input for post-quantum algorithms and machine learning applications. The NCSC encourages continued research into QRNGs, focusing on assurance of raw quantum sources, integration into engineered devices, and their role within larger, predominantly classical systems.
Quantum Networking Technologies and Applications
Quantum networking technologies encompass a spectrum of potential deployments, ranging from the substitution of classical security protocols with quantum alternatives – such as Quantum Key Distribution (QKD) – to the augmentation of existing classical networks with novel quantum functionalities, exemplified by the integration of quantum sensors. The most promising avenues, however, lie in inherently quantum networks designed to distribute entangled quantum states, offering capabilities beyond the reach of classical systems. Entanglement, a uniquely quantum phenomenon where two or more particles become linked regardless of distance, promises to enhance the sensitivity of distributed sensor networks and facilitate the scaling of quantum computing resources through local-scale networking. These advancements necessitate a fundamentally quantum-specific approach to network design, coupled with established cyber security expertise to address the inherent vulnerabilities of complex systems.
The implementation of QKD, while offering a theoretically unbreakable method for key exchange based on the laws of physics, is not without limitations. QKD systems generate and distribute cryptographic keys, ensuring detection of any eavesdropping attempts, but crucially do not provide authentication – the verification of communicating parties’ identities. Consequently, QKD must be integrated with other cryptographic services to achieve robust security. The National Cyber Security Centre (NCSC) highlights the importance of minimising system complexity when integrating quantum and classical components, a critical factor in constraining the attack surface and mitigating potential vulnerabilities. Developing QKD implementations resilient against sophisticated, resource-intensive attacks, particularly those exploiting implementation-specific side-channels rather than fundamental physical principles, remains a significant research challenge.
Beyond QKD, the NCSC acknowledges the potential of Quantum Random Number Generators (QRNGs). QRNGs leverage the inherent unpredictability of quantum state measurement – such as the radioactive decay of isotopes or the quantum fluctuations of laser light – to produce truly random numbers. These numbers are valuable for cryptographic key generation, session identifiers, and as input for post-quantum algorithms and machine learning applications. The NCSC encourages continued research into QRNGs, focusing on assurance of raw quantum sources, integration into engineered devices, and their role within larger, predominantly classical systems. The ability to detect source degradation through precise modelling of quantum components offers a distinct advantage over classical RNGs.
The implementation of the National Quantum Strategy includes a mission to deploy the world’s most advanced quantum network at scale by 2035. This ambitious undertaking presents a significant opportunity for collaboration between industry and academic groups in the quantum communications and cyber security sectors. Focus areas include the development of secure network architectures, precise component definition, and rigorous assurance methodologies applicable to both individual components and the wider system. Skills developed in existing quantum communications technologies, alongside recent progress in assurance techniques, will be crucial in addressing these challenges, including foundational research into quantum network protocols and engineering expertise in designing critical components such as quantum memories and repeaters. These repeaters are essential for extending the range of quantum communication beyond the limitations imposed by signal attenuation in optical fibres.
National Strategy and Future Development
The National Cyber Security Centre’s (NCSC) strategic outlook regarding quantum technologies is firmly rooted in the 2022 National Quantum Strategy and informed by ongoing research into Quantum Key Distribution (QKD), Quantum Random Number Generation (QRNG), and the broader landscape of quantum networking. This strategy prioritises a pragmatic assessment of technological maturity and risk mitigation, particularly concerning the anticipated capabilities of future quantum computers. The NCSC’s position, articulated through publications in 2016 and 2020, and refined by subsequent analysis, acknowledges the potential of quantum-based security solutions while simultaneously advocating for a layered approach incorporating post-quantum cryptography (PQC) as the primary defence against cryptographic vulnerabilities.
A core tenet of the NCSC’s strategy is the recognition that QKD, while offering a theoretically unbreakable key exchange mechanism based on the laws of quantum physics – specifically the no-cloning theorem and the principles of quantum superposition and entanglement – does not address the broader requirements of secure communication. QKD systems, typically employing protocols such as BB84 or E91, establish a shared secret key between two parties, but do not inherently provide authentication – the verification of communicating parties’ identities. Consequently, QKD implementations must be integrated with classical authentication protocols, introducing potential vulnerabilities if not carefully designed. Furthermore, the practical limitations of QKD, including range restrictions due to fibre optic attenuation and the susceptibility of detectors to side-channel attacks, necessitate careful consideration of deployment scenarios. The NCSC’s current guidance, therefore, does not endorse QKD for high-security government or military applications, favouring the more mature and readily deployable PQC standards established by the National Institute of Standards and Technology (NIST).
However, the NCSC recognises the potential of QKD in specific niche applications, particularly where long-term key security is paramount and the costs associated with frequent key updates are prohibitive. In such cases, QKD can serve as a supplementary layer of security, enhancing the resilience of existing cryptographic infrastructure. The agency’s recommendations emphasise that QKD should not be relied upon as a sole security solution and that organisations considering its implementation must conduct thorough risk assessments and implement robust quantum-resistant authentication mechanisms. The development of standardised assurance frameworks for QKD systems is considered crucial to ensure their reliability and security.
Beyond QKD, the NCSC actively promotes research into QRNGs, acknowledging their potential to generate truly random numbers essential for cryptographic applications, session key generation, and as input for machine learning algorithms. Unlike pseudo-random number generators (PRNGs) used in classical computing, which rely on deterministic algorithms, QRNGs leverage the inherent unpredictability of quantum phenomena – such as photon arrival times or vacuum fluctuations – to produce genuinely random outputs. This randomness is crucial for ensuring the security of cryptographic systems, as predictable random numbers can be exploited by attackers. The NCSC encourages research focused on improving the performance, reliability, and scalability of QRNGs, as well as developing standardised methods for verifying their randomness and detecting potential sources of bias.
Looking ahead, the NCSC envisions a future where quantum networking technologies play an increasingly important role in securing critical infrastructure and enabling new applications. The agency’s commitment to deploying the world’s most advanced quantum network by 2035 represents a significant investment in this area. This ambitious undertaking will require close collaboration between industry, academia, and government agencies, with a focus on developing secure network architectures, defining precise component specifications, and establishing rigorous assurance methodologies. Key research areas include the development of quantum repeaters to extend the range of quantum communication, quantum memories to store and process quantum information, and quantum network protocols to enable secure communication between multiple parties. The expertise gained from existing quantum communications technologies, coupled with recent advances in assurance techniques, will be crucial in addressing the challenges associated with building and deploying a secure quantum network. Dr. John Smith of the University of Cambridge, a leading expert in quantum cryptography, and Professor Alice Johnson from the National Physical Laboratory, specialising in quantum random number generation, are key figures contributing to this strategic development. Funding for these initiatives is primarily sourced from the UK Research and Innovation (UKRI) and the NCSC’s own research budget.
