TECHNICAL
Alongside the need for authentication, it is also important to consider broader cyber risks. Implementation of any security mechanism without inadvertently introducing vulnerabilities needs care. A good design principle is to minimise unnecessary complexity in both the system design and engineering, and hence constrain the potential attack surface. Managing complexity is a challenge when combining, for example, multiple software components. The NCSC’s view is that it is much harder when integrating quantum and classical components, and combining specialised hardware with existing networking infrastructure. Developing implementations of QKD that will themselves be secure against ‘elevated threats’ (where adversaries are prepared to develop sophisticated attacks involving long-term research effort and significant resources) is an ongoing challenge, albeit one that the quantum industry and assurance community will continue to address.

For these reasons:

• The NCSC will not support the use of QKD for government or military applications. PQC is the best mitigation to the threat to cryptography from quantum computers.
• For other sectors, the NCSC recommends that QKD should not be solely relied upon for generating and distributing cryptographic keys. The use of QKD systems should not constitute evidence towards assessments of security of data-in-transit under the NCSC’s Cyber Assessment Framework.
• Where organisations are considering using QKD, they should ensure that robust quantum-resistant mechanisms for authentication are implemented alongside them, and that they take appropriate steps to ensure they manage any additional cyber security risks arising from the increased complexity.

Quantum Random Number Generators

Quantum Random Number Generators (QRNG) use the inherent unpredictability in the measurement of quantum states to produce random numbers. In principle, this provides a truly random source of entropy. Random numbers have several important uses in cyber security. They are used to generate cryptographic secrets and session identifiers, and as part of the computation in post-quantum algorithms. They are also used within many machine learning algorithms in AI systems. In all
MARCH 2026 Volume 48 No.1