Exploring US and PRC Risk Choices in Quantum-Era Cryptographic Policies
The Facts
- The US relies on defense-in-depth for various security domains, except quantum cryptography.
- PQC is effective for most critical infrastructure but may not suffice for Tier-1 CI links.
- QKD and PQC's risk frameworks should be assessed together for a layered protection strategy.
Examining U.S. and China Approaches to Quantum-Era Cryptographic Security
As the world prepares for a quantum future, the U.S. faces pivotal decisions in its cryptographic strategies for critical infrastructure protection. While traditional defenses rely on multi-layered strategies, in the realm of quantum cryptography, the U.S. has predominantly focused on Post-Quantum Cryptography (PQC), leaving Quantum Key Distribution (QKD) largely unexplored at the federal level.
Current U.S. policy heavily relies on PQC for safeguarding critical infrastructure. This approach is deemed effective for most communication links where confidentiality is time-sensitive. The National Institute of Standards and Technology (NIST) has established sound PQC standards, viewed as more cost-efficient and scalable for enterprises concerned with potential "harvest-now-decrypt-later" threats. However, the more pressing issue remains whether relying solely on PQC is sufficient for Tier-1 infrastructure, where breaches could have catastrophic and lasting consequences, such as in nuclear command or financial systems.
The new ICIT paper, "Entangled Migrations: PQC, QKD, and US–PRC Risk Postures for Critical Infrastructure," argues that a different analytical approach is necessary to address these concerns. The paper builds on previous analyses, highlighting the pivotal period leading up to the early 2030s, when crucial cryptographic decisions are to be made amidst the rise of AI and low Earth orbit (LEO) infrastructure enhancements.
PQC and QKD: A Symbiotic Relationship
Although often viewed as competing technologies, PQC and QKD are inherently interconnected. Both share vulnerabilities during migration phases and face similar hardware development challenges. Notably, QKD's reliance on trusted-node architectures can reintroduce vulnerabilities that quantum cryptography aims to mitigate.
The paper argues for a combined framework to assess the implications of these technologies, as evaluating them in isolation could lead to oversights in risk management. Thus, understanding how global shifts in QKD affect PQC-only operators, and vice versa, is vital.
Contrasting Risk Strategies: U.S. vs. China
China has invested significantly in QKD infrastructure, constructing over 12,000 kilometers of QKD networks with numerous relay nodes. In contrast, the United States has emphasized PQC, which offers simplicity but at the risk of concentrating security on a single mathematical assumption. The paper questions not the scale but the nature of risks each nation has chosen to accommodate, especially given the potential catastrophic outcomes involved with Tier-1 links.
The U.S. federal framework lacks comprehensive guidance on QKD integration, leading various operators to independently deploy QKD, resulting in a fragmented approach without the benefits of a dual-layer defense strategy.
Implications for Critical Infrastructure Stakeholders
The paper stops short of recommending universal QKD deployment but emphasizes the necessity of a targeted, Tier-1-specific risk evaluation. Given the investment and vendor commitments required for PQC migration, stakeholders must consider the long-term impact of their cryptographic strategies. The ICIT analysis underscores the critical window for embedding secure systems within AI and LEO infrastructures, urging a proactive risk assessment that mirrors the U.S.'s defense-in-depth approach in other security areas.
For more detailed insights, the full paper is available here.


