To: Project Committee, Nelson Marlborough Institute of Technology
From: Katie Clark
Date: 12 June 2017
Re: Project Proposal for Grad-Dip, PRJ702
Proposed Project Title:
Introduction to quantum key distribution and its implications for enterprise
This currently hasn’t been organized, but potentially Clare Atkins due to her background in overseeing research projects in previous years. Her experience would be of assistance in coordinating time and developing a project that suits the hours required.
Project Goal / Research Question
The fundamental goal is to determine the viability of quantum key distributions in enterprise. This is done by evaluating the implications that quantum key distribution will likely have in enterprises based upon the current cryptographic key distribution technology and protocols, and its flaws within enterprise. This knowledge will provide a foundational model from which I will base inference for the implication of QKD in enterprise.
The conception of this project proposal came from the mention of cryptography in a RES701 class. Although I haven’t had much experience with cryptography, I have been interested in cryptography since I heard about it during my last period of tertiary study. My last tertiary study was a Bachelor of Science in applied physics, so the concept of quantum cryptography seemed very intriguing to me. However, the area of quantum cryptography is still very new, and I am wanting to use this research project to gain a skill that is applicable, so I have decided to consider quantum key distribution (QKD) in relation to enterprise, based upon the current influence of cryptographic keys.
I have already used some encryption keys in my cloud services networking class, and I can understand how they would be important in data transfer. As such, I want to consider the enterprise implications that arise from possibility of QKD if it were to replace the current keys.
While the current encryption keys are very secure, the encrypted data can still be intercepted by a non-designated party, which can be problematic if that data is able to be decrypted. Currently, key decryption is very complex and for keys such as a 2048-key bit in secure SSL certificates, the time taken for decryption approximates 6 quadrillion years for a standard computer.[i] However, the use of quantum computers could potentially easily decrypt such a key.[ii]
Quantum keys however, abide by quantum mechanical principles and so are unable to be cloned, and cannot be intercepted and read without the quantum data changing due to the ‘observation’ occurring to it.[iii] These two qualities of QKD are foundational quantum mechanical principles. The inability to be intercepted and observed is due to the collapse of the wave function, a principle derived from the ‘uncertainty principle’, that was postulated by physicist, Werner Heisenberg.[iv] This principle implies that the act of observing the quantum particles, which when unobserved exists as a wave with probability of existing in all of space. However, when observed, the act of determining where the quantum particle exists, destroys the wave properties of the particle.[v],[vi] This implies, that were an outside party to observe a quantum key, the act of observation would change the key, thus making the observation known to the intended recipient of the key. The no-cloning theorem is also based upon Heisenberg’s uncertainty principle.[vii]
The quantum key distribution protocol, called BB84, will be the quantum key protocol that I mostly consider.[viii] However, I will look into other quantum key distribution protocols in order to gain a broad understanding of the methodology involved.
My previous knowledge in quantum mechanics, which was studied as part of the applied physics degree will assist in my understanding of quantum key distribution. The purpose of researching enterprise implications is to determine the importance of the role that current cryptographic keys have in data security, and consider the feasibility of the application of quantum key distribution.
Proposed Project Design and Activities
This project will mostly be composed of secondary research, so I will utilize resources such as Google Scholar and ProQuest in an effort to ensure that the information that I collect has been verified, has minimal bias, and so that I have a wide variety of resources that are up-to-date in terms of the current cryptographic keys being utilized and quantum key distribution protocols.
As I will be collecting information on a topic of which I am not yet well informed, I will need to ensure that I implement background analysis on any concept that I do not understand to ensure that my report does not contain a bias of omission due to my lack of understanding.
My current research plan is as follows:
- Break up research question into key words, ideas, and assumptions.
- Determine what bias is upon these ideas, and consider how this could minimized if possible.
- Start research on foundational knowledge required such as current cryptographic key distribution, and enterprise use.
- Determine whether this assumption is of enterprise use of current key distribution is validated.
- Determine whether there is evidence regarding the use of current key distribution in enterprise.
- Consider whether primary research, potentially in the form of a survey, is required and possible given the time constraints for this project.
- Consider what bias could inferred from any primary research and determine how to minimize it.
- Start research on foundational knowledge of quantum key distribution and protocols.
- Ensure that information is being properly comprehended, and background information on QKD is being taken into consideration in order to maximise comprehension.
- Analyze enterprise model of current key distribution.
- Discuss whether QKD would fit into the current model, or whether there would need to be a change.
- Discuss the pros and cons of utilizing QKD compared to current key distribution.
- Resolve how comparative findings may influence enterprise.
- Identify any method of improving the research.
- Consider further research options.
- Write up the final report.
Anticipated Project Outcomes
My anticipated outcomes are as follows:
- A report that clarifies quantum key distribution, and provides an inferred answer as to the influence that QKD could have upon enterprise.
- Potentially, survey results confirming or denying the extent of key utilisation within a certain enterprise field.
- Greater knowledge of current cryptographic keys and QKDs, which can be referenced within my CV.
Required Project Resources
- Personal Skills
- Knowledge of current cryptographic keys -I will need to learn this.
This can be learned through research of scholarly or tertiary level specific publications.
- Knowledge of quantum key distribution -I will need to learn this.
This can be learned through research of scholarly or tertiary level specific publications.
- Knowledge of key distribution in enterprises -I will need to learn this.
This can be learned through research of scholarly or tertiary level specific publications. Or I could gain some understanding by creating a survey.
- Knowledge of basic quantum physics -I have a foundational knowledge of quantum physics from my previous degree.
- Knowledge of effective research methods -The NMIT course of RES701 should equip me with the necessary knowledge.
- If I were to complete a survey, then I would need to develop the skills to ensure that the questions are comprehensible and not ambiguous, and that there is minimal bias within the survey.
- Project Resources
- Report writing software -This could be done through Microsoft Word, LaTeX, or Google Docs.
- Access to ProQuest -This is covered through my enrollment status at NMIT.
If I were to complete a survey, I would need the following:
- Online survey system for ease of creation and deployment.
- List of enterprises and confirmation of survey participation.
- The ethics committee for confirmation that my survey was ethically appropriate.
Potential Limitations and Issues
The biggest limitation for this project is time. This is due to this being a PRJ702 research project, and so only having an allotted 300 hours of expected work instead of 450 hours. This limitation may cause slight adjustments to the project question if the workload is becoming larger than originally anticipated.
The next limitation is due to the technique of secondary research. Whilst this project would be too large to attempt from a primary research attempt, and there is already information pertaining to the project; the limitation derives from the potential inaccuracy of secondary research. One limitation of secondary research is that the information available may not be specific enough to the question proposed for this project.[ix]
Potential issues arise if my secondary research does not provide enough information in regards to key distribution in enterprise. If this instance occurs, I will need to implement a survey and gain the information first-hand. A survey may have the following potential issues:
- Whether I use New Zealand-based companies, or global companies.
The issue here is that, if I were to source my information from online, I would compare a variety of global enterprises, and determine whether this information needs to be restricted to one area. However, If I am required to do a survey, then the enterprises would mostly be New Zealand-based due to the time limitation of this project, the influence of NMIT’s name is unlikely to have any impact beyond the country, and I do not have the resources to commit to a large global-scale survey. If I am limited to New Zealand based companies, then due to the size of New Zealand’s financial commercial infrastructure, my number of enterprise level companies is reduced. A look into New Zealand enterprise numbers for February 2016, show that although this may not be an issue, specifying the service of enterprise will be required due to the different proportions of service.[x]
- The time limit with regards to the sample size of the survey.
From a statistical perspective, the higher the sample size, the more confidence that I can have in the results of the sample. However, due to time constraints, if I were to make the survey sample size too large, then I run the risk of not allowing myself enough time for analysis of the survey results, which would take longer with an increased sample size. Another factor to take into consideration, is that not every enterprise business will respond, or respond within the time limit.
As I would be dealing with businesses, who may consider my questions to be encroaching on sensitive information, I would need to ensure that I pass the survey through the NMIT ethics committee. I would need to stipulate confidentiality through anonymity, the optionality of participation of the survey, and that the participating businesses are clear as to the purpose for why the information is being collected.
- The time limit with regards to Beta testing
In order to ensure that the survey provides me with the information that I am seeking, and is not misconstrued between myself, and the intended recipients, I should do a beta test. The limitation with this is the time constraint, which may prevent me from being able to complete a full beta-test run through.
If I find the information on enterprises from secondary research, then my biggest ethical concerns are giving credit to the authors or companies of the articles, which can be done through correct referencing.
If I need to take a survey, then there are more ethical considerations involved. For this, I will need to have the survey judged to be suitable by the NMIT ethics committee. The ethical principles, as described in NMIT’s Survey Template[xi], that I will need to take into consideration are as follows:
- Informed consent
As the information being asked of the enterprises is in regards to a security practice, I will need to ensure that they are clear of exactly what information I’m after, and are willing to provide that information.
- Confidentiality and privacy
The information being asked could be considered sensitive information, and so I would need to uphold the 1993 Privacy Act, which allows the enterprise refusal to my request, and also requires that I do not share any information from the enterprise that could be considered personal, unless the enterprise clearly states permission of the sharing of such detail, in which case I would be legally bound to any stipulated proviso.[xii]
- Minimization of harm
I need to ensure that the survey questions do not cause conflict within the enterprise, which may occur if I were to require the information from someone in a position that does not hold the authority to provide it. I also need to ensure that what I’m asking does not have any negative repercussions upon the subject enterprises due to the potential sensitivity of the data.
- Publication Results
I need to ensure that I keep all participating enterprises anonymous during the report, and provide them with a comprehensible set of results, if required.
The purpose of the survey will be to determine the proportion of enterprises that use cryptographic keys for the secure exchange of information, and the prevalence of this form of security within their organization. Whilst I will do my best to ensure that the questions are not in any way harmful to the organizations involved, I still need to ensure that they are willing to cooperate and provide the information.
The timeline milestones are:
- Week starting 21 August: Milestone 1: All secondary research complete. (This is if survey not required. If survey required, the Milestone one shifts to 11 September.)
- Week starting 25 September: Milestone 2: All research analysis complete. (If survey is required, then Milestone two shifts one week forward to 2 October.)
- Week starting 6 November: Milestone 3: Final report is complete.
From the timeline shown above, if I did need to create a survey, then on the assumption that the survey could be sent and returned in 4 weeks, I would be reducing the amount of time that I have to analyze the information, review my research, and draw a conclusion. If my anticipated weekly hours were correct, then I would be using nearly 10% more time for this project than required. While the hours still seem feasible, this increased amount may still have a detrimental effect on my other courses, which is something that I need to take into consideration.
This timeline doesn’t take into account the mid-semester break, and assumes that I will be working on the project regardless, which will be my goal.
Statement of Ownership
The work done within this project will be solely my own, with references to any external source material or assistance.
 This research plan is loosely based upon the ‘Proposed Research steps’ of Belma Gaukrodger’s ‘Project Proposal for PRJ701 to be conducted in 2013’ from the RES701 NMIT moodle project proposal templates.
 If survey is required, then ethical concerns, survey development, survey result analysis, and determining factors for response, will all need to be applied.
[i] (n.d.) The Maths behind Estimations to Break a 2048-bit Certificate, digicert. https://www.digicert.com/TimeTravel/math.htm (Accessed: 12 June 2017)
[ii] Nordrum Amy. (3 March 2016) Quantum Computer Comes Closer to Cracking RSA Encryption. http://spectrum.ieee.org/tech-talk/computing/hardware/encryptionbusting-quantum-computer-practices-factoring-in-scalable-fiveatom-experiment (Accessed: 10 June 2017)
[iii] Scharitzer, Gerald. (24.10.2003). Basic Quantum Cryptography. https://pdfs.semanticscholar.org/57e3/1e7216db8e4063bd0d4c99360cc97ba7a7fe.pdf (Accessed: 12 June 2017)
[iv] Feynman Richard. (n.d.) Quantum Behaviour. Based upon the books, The Feynman Lectures on Physics, Volume III. Sourced from http://www.feynmanlectures.caltech.edu/III_01.html (Accessed: 12 June 2017)
[v] Nave R. (n.d.) The uncertainty principle, Hyperphysics. http://hyperphysics.phy-astr.gsu.edu/hbase/uncer.html (Accessed: 10 June 2017)
[vi] Feynman Richard. (n.d.) Quantum Behaviour. Based upon the books, The Feynman Lectures on Physics, Volume III. Sourced from http://www.feynmanlectures.caltech.edu/III_01.html (Accessed: 12 June 2017)
[vii] Scharitzer, Gerald. (24.10.2003). Basic Quantum Cryptography. https://pdfs.semanticscholar.org/57e3/1e7216db8e4063bd0d4c99360cc97ba7a7fe.pdf (Accessed: 12 June 2017)
[viii] Preskill John, Shor Peter. (12 May 200) Simple Proof of Security of the BB84 Quantum Key Distribution Protocol. https://arxiv.org/abs/quant-ph/0003004 (Accessed: 12 June 2017)
[ix] Do Thuy Linh, (n.d.) Secondary Research. http://designresearchtechniques.com/casestudies/secondary-research/ (Accessed: 12 June 2017)
[x] MacPherson Liz. (19 December 2016) New Zealand Business Demography Statistics: At February 2016, Stats NZ. http://www.stats.govt.nz/browse_for_stats/businesses/business_characteristics/BusinessDemographyStatistics_HOTPFeb16.aspx (Accessed: 12 June 2017)
[xi] (n.d.) Research Survey Template Text, NMIT. Sourced from course RES701: Research Methods on NMIT’s moodle page. (Accessed: 12 June 2017)
[xii] (17 May 1993 -Reprinted 27 April 2017) Privacy Act 1993, New Zealand Legislation, Parliamentary Counsel Office. http://www.legislation.govt.nz/act/public/1993/0028/latest/DLM296643.html (Accessed: 12 June 2017)