Use-case: storing molecular data
The company CloudCorp provides digital storage solutions for users with high security needs. It ensures the availability of the data by replicating them over five buildings in the same city forming their availability zone.
CloudCorp is contracted by a consortium of pharmaceutical companies looking to store highly valuable data on molecular assays for drug design. These data constitute the core intellectual property of their owners and have a very high market value. The risk that these data are stolen while at rest, or while being used in drug design simulations, is high, and security is required for many decades, as the utility of new compounds may only be discovered on this timescale.
Quantum cybersecurity offers a future-proof solution: the data are as secure in the future as they are at the moment of their storage. CloudCorp decides to set up a quantum communication infrastructure between their buildings in order to offer the highest security guarantees for their customers' data, with lifelong storage protection.
Using HyQloud, the quantum communication infrastructure consists of a single optical fiber line connecting the five buildings. The fiber is standard telecom equipment, already in place for communication between the various buildings of CloudCorp. Qline is deployed to connect the five buildings using this fiber. The devices establish secured communication channels, and HyQloud's software stack manages the distribution of secret shares among the servers in each location.
The data sent by the end-user enter the network at the data entry point. This node manages the distribution of data between the buildings, where they are stored using CloudCorp's standard cloud appliance. The distributed storage algorithm generates five secret shares from the data, with a threshold of t=3. This parameter, the minimum number of shares required to reconstruct the initial data, has been determined by the user to offer the best tradeoff between security, availability and efficiency.
The security is strengthened by regenerating shares periodically. CloudCorp sets the share validity time to 6 months to match their authentication certificate validity time. Using these parameters, an eavesdropper trying to learn the original data would need to compromise 3 servers in 6 months.
The share regeneration is decentralized. At each regeneration phase, one node creates new shares for the others. This operation does not require re-creating the original data at a single point, which avoids single points of weakness. Similarly, HyQloud does not use trusted nodes to route encryption keys for share distribution. Unlike in QKD networks, information leakage from one node of the system would not impact the others.
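The following added example (not HyQloud's code) illustrates the 3-of-5 sharing and a regeneration step that never rebuilds the data. It assumes Shamir sharing over a prime field and a refresh done by adding a random polynomial with zero constant term; the page does not name the algorithm, and all function names are hypothetical.

```python
import secrets

P = 2**127 - 1   # prime field modulus (assumption, not from the page)
N, T = 5, 3      # five buildings, threshold t=3 (from the page)

def _poly_eval(coeffs, x):
    """Evaluate a polynomial (lowest coefficient first) at x, mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def split(secret):
    """Create N shares; any T of them determine the secret."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(T - 1)]
    return {x: _poly_eval(coeffs, x) for x in range(1, N + 1)}

def refresh_deltas():
    """One node draws a random polynomial with constant term 0 and
    computes one delta per server. The secret is never needed here."""
    coeffs = [0] + [secrets.randbelow(P) for _ in range(T - 1)]
    return {x: _poly_eval(coeffs, x) for x in range(1, N + 1)}

def apply_refresh(shares, deltas):
    """Each server adds its delta locally and discards its old share."""
    return {x: (y + deltas[x]) % P for x, y in shares.items()}

def reconstruct(shares):
    """Lagrange interpolation at x=0 from the first T shares given."""
    pts = list(shares.items())[:T]
    total = 0
    for xi, yi in pts:
        num = den = 1
        for xj, _ in pts:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def demo():
    secret = int.from_bytes(b"constructed-key", "big")  # constructed sample
    old = split(secret)
    new = apply_refresh(old, refresh_deltas())
    fresh = reconstruct({k: new[k] for k in (2, 4, 5)})
    # Shares stolen in different validity periods do not combine.
    mixed = reconstruct({1: old[1], 2: old[2], 3: new[3]})
    return secret, fresh, mixed
```

After a refresh, any three current shares still reconstruct the data, while two shares from the previous period combined with one current share do not, which is why an eavesdropper has to compromise three servers within one validity period.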
The short distance between the buildings allows HyQloud to achieve a high key generation rate. Using existing state-of-the-art quantum hardware that generates 1Mb of key per second, HyQloud expands standard bipartite quantum communication to a fully-connected network that can generate 1Mb of key per second between any pair of nodes. Over six months, the amount of key established by the relevant pairs of nodes is of the order of 400GB. This upper-bounds the amount of data that can be securely stored with lifelong security.
The amount of data processed can be expanded using AES encryption. While this does not lead to the highest security, it still results in quantum-safe storage with strong guarantees about future security. Following NIST recommendations about key refreshments, the amount of data that can be securely stored with this method is of the order of 100000TB of data.
The dedicated hardware, added to each building, fits into a 19-inch rack, and uses standard optical fiber to communicate with the quantum appliances in other buildings. It works in combination with standard HSMs to boost the security of the existing system. The software manages operations on the secret shares directly. The integration process is transparent to the end-user, who does not have to change their software to manage their data. Without any update on the user side, the data get lifelong protection thanks to HyQloud.