Filling the international gap! China-led international standard for quantum key distribution enters release stage

The ISO/IEC JTC1/SC27 (Sub-Technical Committee on Information Security, Cybersecurity and Privacy Protection, hereinafter referred to as "SC27") working group meetings and plenary sessions were held as an online conference from October 3 to 13, 2022, with approximately 220 experts and representatives from more than 30 member countries and organizations. About 220 experts and representatives from more than 30 member countries and organizations participated in the meeting. The National Information Security Standardization Technical Committee (hereinafter referred to as "NISSC") organized a 38-member Chinese delegation to attend the meeting.

The meeting included two stages: working group meetings and plenary sessions. The five working group meetings discussed a total of 59 standards projects under research and 24 pre-research work projects. The plenary session listened to the work of the working group convenors, and discussed issues related to the organization and management of SC27 and the arrangements for the April 2023 meeting.

Among them, China-led ISO/IEC 23837-1 "Security Requirements, Testing and Evaluation Methods for Quantum Key Distribution Part 1: Requirements" and ISO/IEC 23837-2 "Security Requirements, Testing and Evaluation Methods for Quantum Key Distribution Part 2: Testing and Evaluation Methods" international standard proposals entered the international standard publishing stage. According to PhotonBox, this is the first international standard that systematically regulates quantum key distribution (QKD) security testing technology, and is co-led by Guodun Quantum and China Information Security Testing and Evaluation Center.

In November 2017, on behalf of China, Guodun Quantum and China Information Security Testing and Evaluation Center jointly launched this international standard project at the ISO/IEC JTC 1/SC 27 (Sub-Technical Committee on Information Security, Network Security and Privacy Protection, hereinafter referred to as "S27") working group meeting in Berlin. It has taken five years, and now it has finally entered the publication stage.

01About the ISO/IEC 23837 standard

Theoretically, QKD provides a way to build longer symmetric keys using pre-shared keys whose security does not depend on the computational power of the adversary; the keys built can then be used for cryptographic purposes, such as for encryption mechanisms to create secure communication channels.

Although the security of the QKD protocol is proven under a strict security model that assumes two communicating parties share a key in advance, discrepancies between the model and the actual implementation often occur during the lifecycle phase of the QKD module. These flaws or deviations in the security model may lead to vulnerabilities that compromise the security of the actual QKD system. Among others, QKD hacking experiments have demonstrated serious side-channel attacks. As with traditional cryptographic modules or network devices, QKD modules require rigorous security testing and evaluation to avoid security attacks and information leakage before they can be deployed into real-world applications. Intensive and rigorous evaluation is a necessary step for QKD to be widely accepted by the industry.

To this end, the ISO/IEC 23837 standard defines a set of strict and common security specifications for QKD module manufacturers so that manufacturers can design and implement IT products using QKD according to the standard, and evaluators can test and evaluate the security of QKD modules according to the standard, reducing the risk of security failures in operation.

ISO/IEC 23837 specifies the security requirements, testing and evaluation methods for Quantum Key Distribution (QKD). The first part focuses on specifying a common baseline set of security functional requirements for QKD modules. The second part then specifies the assessment methods and associated assessment activities for the security assessment of QKD modules in a relatively generic manner.

02About ISO/IEC JTC1: Standardization of Quantum Technologies

In their Joint Technical Committee JTC1, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have developed quantum technology standardization activities in two Working Groups (WG-Work Groups): WG14 on Quantum Computing and Sub-Committees (Sub-Committee) SC27 and WG3 on QKD System Safety Certification.

Working Group 14 on Quantum Computing (WG14) was established with the following objectives: to serve as a focus and supporter of the JTC1 quantum computing standardization program; to identify gaps and opportunities in quantum computing standardization; and to develop and maintain a list of existing quantum computing standards and ongoing standards development projects arising from ISO/TC, IEC/TC, and JTC1. Another goal is to develop additional deliverables in the area of quantum computing. As a systems integration entity, it maintains relationships with other ISO and IEC technical committees and other organizations involved in the standardization of quantum computing.

The first work item of WG14 is ISO/IEC-4879, which is developing a terminology and vocabulary standard for quantum computing. Work began in 2020 and the committee draft is expected to be completed in the first half of 2022. The complete standard should be ready for refinement by the end of 2022. When ready, this will be the first standards organization developed by the standards development department specifically for quantum computing.

SC27 WG3 is the working group that develops and maintains ISO/EN 15408 "Common Criteria for Security Assessment of Information Technology", which includes the two standards mentioned above: "ISO/IEC 23837-1 Information security - Quantum key distribution Part 1 "Requirements" (containing predefined security functional requirements for QKD PP (Protection Profile)) and Part 2 "Test and Evaluation Methods".

03China's quantum information standardization process

In recent years, international standardization in the field of quantum information technology has been accelerated. Quantum communication, quantum computing, quantum Internet and other quantum information technology fields have become emerging hotspots for standardization; ISO, IEC, ITU, IEEE, IETF, ETSI and other international/regional standards organizations have advanced the layout and accelerated the work of quantum information standards.

For example, the European Telecommunications Standardization Institute (ETSI) established the ISG-QKD (Quantum Key Distribution) Working Group in 2008, which has carried out a total of 12 standards development and released 9 specifications. The Institute of Electrical and Electronics Engineers (IEEE) launched the P1913 software-defined quantum communication project in 2016 and started to study quantum computing definitions and evaluation methods in 2018. The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) launched the QKD security evaluation study in October 2017 and started to develop 2 standards from 2019. The International Telecommunication Union (ITU) started preparing nearly 20 QKD network and security standards in July 2018 and established the QIT4N (Quantum Information Technology for Networks) focus group in September 2019. The International Internet Engineering Task Force (IETF) established the Quantum Internet Research Group in July 2018.

It is worth mentioning that the QIT4N Focus Group is chaired by a Chinese expert and aims to promote the integration and development of quantum key distribution, quantum computing and other technologies with ICT fields and the evolution of future quantum information networks, etc.

Nine Chinese ITU member units and one Korean member unit co-signed the proposal manuscript of "Establishing a Focus Group in the Field of Quantum Information Technology".

And in China, in June 2017, the China Communications Standards Association (CCSA) established the Ad Hoc Task Group on Quantum Communication and Information Technology (ST7), with the Working Group on Quantum Communication (WG1) and the Working Group on Quantum Information Processing (WG2), which are responsible for the standardization work related to quantum communication technology and quantum communication networks, quantum computing technology related to quantum communication, and general quantum information key devices The two international standards are approved for publication.

The approval of the two international standards to enter the publication stage is an important milestone for China and the world in the field of quantum information. But there is still a lot of standardization work to be done in the field of quantum communication in China, even if it is only limited to the most basic quantum communication, quantum confidentiality communication, the standardization work has just begun. In the field of quantum computing and quantum measurement, standardization is even more difficult due to the wide variety of technologies.

Despite the difficulties, as the country continues to invest in human and material resources to accelerate research on quantum information standardization, it is believed that China can occupy an important position in the fierce global competition.