ISO/IEC 23837-1:2023

INTERNATIONAL ISO/IEC
STANDARD 23837-1
First edition
2023-08
Information security — Security
requirements, test and evaluation
methods for quantum key
distribution —
Part 1:
Requirements
Technologies de l'information — Exigences de sécurité, méthodes
d'essais et d'évaluation relatives à la distribution quantique de clés —
Partie 1: Exigences
Reference number
ISO/IEC 23837-1:2023(E)
© ISO/IEC 2023

---------------------- Page: 1 ----------------------
ISO/IEC 23837-1:2023(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
  © ISO/IEC 2023 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 23837-1:2023(E)
Contents Page
Foreword .v
Introduction . vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 5
5 Theoretical aspects of QKD protocols . 6
5.1 General . 6
5.2 Principle . 6
5.3 Classification . 7
5.4 Architecture . 8
6 Implementation modules of QKD protocols .10
6.1 General . 10
6.2 External interfaces of QKD modules . 11
6.2.1 General . 11
6.2.2 The quantum channel interface . 11
6.2.3 The control and management interface . 11
6.2.4 The key management interface .12
6.3 Internal structure of QKD modules .12
6.3.1 General .12
6.3.2 Components in the QKD transmitter module .13
6.3.3 Components in the QKD receiver module . 15
6.4 TOE scope for QKD modules . 15
6.4.1 General .15
6.4.2 Definition of the TSF . 15
6.4.3 Definition of the TOE . 16
6.5 General working flow of QKD modules . 17
7 Security problems analysis of QKD modules .17
7.1 General . 17
7.2 Security assumptions . 17
7.3 Assets analysis. 19
7.4 Threats to conventional network components . 19
7.4.1 Overview . 19
7.4.2 Threats from the perspective of network-based classical attacks . .20
7.5 Threats to quantum optical components . 22
7.5.1 Overview . 22
7.5.2 Threats exploiting optical source flaws .22
7.5.3 Threats exploiting optical detection vulnerabilities .22
7.5.4 Threats exploiting parameter adjustment vulnerabilities .22
8 Extended security functional components for QKD implementation .23
8.1 General .23
8.2 Extended security functional components to Class FTP: Trusted path/channels .23
8.2.1 Quantum key distribution (FTP_QKD) . 23
8.2.2 User notes . 27
9 Security functional requirements for QKD modules .29
9.1 General .29
9.2 General requirements for conventional network components in QKD modules . 31
9.2.1 FAU_GEN.1 Audit data generation . 31
9.2.2 FCS_CKM.6 Timing and event of cryptographic key destruction . 31
9.2.3 FCS_COP.1 Cryptographic operation . 32
9.2.4 FCS_RNG.1 Random number generation . 33
iii
© ISO/IEC 2023 – All rights reserved

---------------------- Page: 3 ----------------------
ISO/IEC 23837-1:2023(E)
9.2.5 FDP_ACC.1 Subset access control . 33
9.2.6 FDP_ACF.1 Security attribute-based access control .34
9.2.7 FDP_IRC.1 Information retention control .34
9.2.8 FDP_ITC.1 Import of user data without security attributes . 35
9.2.9 FIA_UAU.2 User authentication before any action .36
9.2.10 FIA_UID.1 Timing of identification . .36
9.2.11 FMT_LIM.1 Limited capabilities .36
9.2.12 FMT_LIM.2 Limited availability . 37
9.2.13 FMT_MSA.1 Management of security attributes . 37
9.2.14 FMT_MTD.1 Management of TSF data . 37
9.2.15 FMT_SMF.1 Specification of management functions .38
9.2.16 FMT_SMR.1 Security roles .38
9.2.17 FPT_EMS.1/Convention Emanation of TSF and User data .39
9.2.18 FPT_FLS.1 Failure with preservation of secure state.39
9.2.19 FPT_ITC.1 Inter-TSF confidentiality during transmission .40
9.2.20 FPT_ITI.1 Inter-TSF detection of modification .40
9.2.21 FPT_RCV.2 Automated recovery . 41
9.2.22 FPT_TST.1 TSF self-testing . 42
9.3 General requirements for the implementation of QKD protocols . 43
9.3.1 General . 43
9.3.2 FTP_QKD.1 QKD protocol and raw data generation . 43
9.3.3 FTP_QKD.2 QKD post-processing .44
9.4 General requirements for quantum optical components of QKD modules .44
9.4.1 General .44
9.4.2 FPT_EMS.1/Quantum emanation of TSF and user data . 45
9.4.3 FPT_PHP.3 Resistance to physical attack . 45
10 Conformance statement .47
10.1 General . 47
10.2 Conformance statement specific to the security problem definition . 47
10.3 Conformance statement specific to the security functional requirements .48
Annex A (informative) Guidance for developing protection profiles for QKD modules .49
Bibliography .52
iv
  © ISO/IEC 2023 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC 23837-1:2023(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria
needed for the different types of document should be noted. This document was drafted in
accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of
any claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC
had not received notice of (a) patent(s) which may be required to implement this document. However,
implementers are cautioned that this may not represent the latest information, which may be obtained
from the patent database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall
not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
A list of all parts in the ISO/IEC 23837 series can be found on the ISO and IEC websites.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
v
© ISO/IEC 2023 – All rights reserved

---------------------- Page: 5 ----------------------
ISO/IEC 23837-1:2023(E)
Introduction
The ISO/IEC 23837 series specifies the security requirements, test and evaluation methods for quantum
key distribution (QKD) under the framework of the ISO/IEC 15408 series. This document focuses on
specifying the common baseline set of security functional requirements (SFRs) of QKD modules.
Theoretically, QKD provides a method to use a pre-shared key to establish a longer symmetric key
with security that does not depend upon the computational power of an adversary; the established key
can then be used for cryptographic purposes, such as for an encryption mechanism to create a secure
communication channel.
Although the security of QKD protocols is proven through rigorous security models that assume the two
communicating parties share a secret key beforehand, discrepancies between the models and practical
implementations frequently occur during the life cycle phases of QKD modules. These imperfections
or deviations from the security models can result in vulnerabilities that compromise the security
of practical QKD systems. Among them, severe side channel attacks have been proposed and there
have been some proof-of-principle demonstrations in QKD hacking experiments. Like conventional
cryptographic modules or network devices, QKD modules are expected to have strict security testing
and evaluation to avoid security attacks and then leakage of information before being deployed into
real applications. Intensive and strict evaluation is an essential step before QKD is widely accepted by
the industry.
For this purpose, the ISO/IEC 23837 series defines a set of rigorous and common security specifications
for QKD modules manufacturers, so that manufacturers can follow the standard procedure to design
and implement IT products that use QKD, and evaluators can follow the standard procedure to test
and evaluate the security of QKD modules, reducing the risk of a failure of security in operation. This
document uses the standardized model and language of the ISO/IEC 15408 series to define a common
baseline set of SFRs for QKD modules. The entire implementation of QKD protocols is included, from
conventional network components to quantum optical components. Annex A provides information
to facilitate the development of protection profiles for QKD modules. ISO/IEC 23837-2 is intended
to specify evaluation activities that are necessary for the security evaluation of QKD modules at the
expected evaluation assurance levels.
NOTE In this document, the description of extended security functional components in 8.2 and
SFRs in Clause 9 corresponds to the style of the description of security functional components in
ISO/IEC 15408-2. This includes not only the structure of the security functional family and components,
but also the font styles (i.e. bold and italics) of the text, which are described by following the convention
of ISO/IEC 15408-2 to distinguish some terms from the rest of the text. In this case, users with a
background in using the ISO/IEC 15408 series can easily apply the extended security functional
components and the SFRs to write documents for the evaluation of QKD modules.
vi
  © ISO/IEC 2023 – All rights reserved

---------------------- Page: 6 ----------------------
INTERNATIONAL STANDARD ISO/IEC 23837-1:2023(E)
Information security — Security requirements, test and
evaluation methods for quantum key distribution —
Part 1:
Requirements
1 Scope
This document specifies a general framework for the security evaluation of quantum key distribution
(QKD) according to the ISO/IEC 15408 series. Specifically, it specifies a baseline set of common
security functional requirements (SFRs) for QKD modules, including SFRs on the conventional network
components and the quantum optical components, and the entire implementation of QKD protocols.
To facilitate the analysis of SFRs, security problems that QKD modules can face in their operational
environment are analysed based on a structural analysis of the security functionality of QKD modules
and the classification of QKD protocols.
The SFRs on conventional network components of QKD modules are mainly characterized under the
framework of the ISO/IEC 15408 series and also refer to the methodology of ISO/IEC 19790 and relevant
standards on testing of cryptographic modules and network devices.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 15408-1:2022, Information security, cybersecurity and privacy protection — Evaluation criteria
for IT security — Part 1: Introduction and general model
ISO/IEC 15408-2:2022, Information security, cybersecurity and privacy protection — Evaluation criteria
for IT security — Part 2: Security functional components
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 15408-1 and the following
apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
adversary
attacker
entity seeking to exploit potential vulnerabilities of a quantum key distribution system (3.28)
[SOURCE: ISO/IEC 19792:2009, 4.1.2, modified — “adversary” has been added as an admitted term; in
the definition, “person” has been replaced by “entity”, and “biometric system” has been replaced by
“quantum key distribution system”.]
1
© ISO/IEC 2023 – All rights reserved

---------------------- Page: 7 ----------------------
ISO/IEC 23837-1:2023(E)
3.2
authentication
provision of assurance of the claimed identity of an entity
[SOURCE: ISO/IEC 10181-2:1996, 3.3]
3.3
classical channel
communication channel that is used by two communicating parties for exchanging data encoded in a
form which may be non-destructively read and fully reproduced
[SOURCE: ETSI GR QKD 003 V2.1.1:2018]
3.4
component
constituent part of a quantum key distribution (QKD) module (3.23)
EXAMPLE Conventional network components, quantum optical components in a QKD module.
Note 1 to entry: A term with the same name of component is defined in ISO/IEC 15408-1 for a security requirement
element group. The user of this document can distinguish which term is referenced from the context.
3.5
cryptographic module
set of hardware, software, and/or firmware that implements security functions and are contained
within the cryptographic boundary
[SOURCE: ISO/IEC 19790:2012, 3.25]
3.6
decoding
procedure of converting quantum signals (3.32) into classical information
3.7
detection efficiency
probability that a photon, of a specific energy (spectral frequency) or wavelength, incident at the optical
input is detected within a detection gate, and produces an output signal
[SOURCE: ETSI GR QKD 007 V1.1.1:2018]
3.8
double-click event
event indicating simultaneous detection of two single-photon detectors (3.37)
3.9
encoding
procedure of converting classical information into quantum signals (3.32)
3.10
error corrected data
keying material obtained after correcting the bit errors in the sifted data (3.36)
3.11
error correction
process of correcting errors in data that may have been corrupted due to errors during transmission or
in storage
[SOURCE: ETSI GR QKD 007 V1.1.1:2018]
3.12
final key
key generated by a complete run of a quantum key distribution session (3.27)
2
  © ISO/IEC 2023 – All rights reserved

---------------------- Page: 8 ----------------------
ISO/IEC 23837-1:2023(E)
3.13
homodyne detection
method to detect quadrature of a weak signal through interfering the weak signal with a strong phase
reference
3.14
keying material
data necessary to establish and maintain cryptographic keying relationships
[SOURCE: ISO/IEC 11770-1:2010, 2.27]
3.15
non-deterministic random bit generator
NRBG
random bit generator whose security depends upon sampling one or more entropy sources
[SOURCE: ISO/IEC 18031:2011, 3.23, modified — “an” has been replaced by “one or more”, note 1 to
entry has been removed.]
3.16
parameter adjustment procedure
procedure or function aiming to adjust specific parameter(s) of a system
3.17
post-processing
quantum key distribution protocol (3.24) procedure for converting raw data (3.33) into a final key (3.12)
3.18
pre-shared key
key pre-established in secure ways between the legitimate parties before initiating a quantum key
distribution (QKD) session (3.27)
Note 1 to entry: A pre-shared key is used to authenticate messages sent over the classical channel (3.3) during the
first QKD session.
3.19
privacy amplification
process of extracting keys from partially compromised data
[SOURCE: ETSI GR QKD 007 V1.1.1:2018, modified — “distilling secret keys” has been replaced by
“extracting keys”.]
3.20
quantum channel
communication channel for transmitting quantum signals (3.32)
[SOURCE: ETSI GR QKD 007 V1.1.1:2018]
3.21
quantum key distribution
QKD
procedure or method for two legitimate parties to agree on symmetric keys using a pre-shared key
(3.18), whose security is based on quantum information theory
Note 1 to entry: In some QKD protocols (3.24), establishment of keys occurs jointly involving both legitimate
parties, while in others one party generates keys that are eventually transported to the other party.
3.22
quantum key distribution authentication key
QKD authentication key
cryptographic key used to authenticate messages over the classical channel (3.3) of a quantum key
distribution system (3.28)
3
© ISO/IEC 2023 – All rights reserved

---------------------- Page: 9 ----------------------
ISO/IEC 23837-1:2023(E)
3.23
quantum key distribution module
QKD module
set of hardware, software and/or firmware components (3.4) that implements the functions of a
quantum key distribution transmitter party (3.30) or receiver party (3.26)
3.24
quantum key distribution protocol
QKD protocol
protocol that implements the function of quantum key distribution (3.21)
3.25
quantum key distribution receiver module
QKD receiver module
functional module in a quantum key distribution (QKD) system (3.28) corresponding to the QKD receiver
party (3.26) of the implemented QKD protocol (3.24)
3.26
quantum key distribution receiver party
QKD receiver party
quantum signal (3.32) receiver in a quantum key distribution (QKD) protocol (3.24)
[SOURCE: ETSI GR QKD 007 V1.1.1:2018, modified — the term has been changed from "Bob" to "quantum
key distribution receiver party"; in the definition, “information” has been replaced by “signal”.]
3.27
quantum key distribution session
QKD session
session comprising a series of operations defined in a quantum key distribution protocol (3.24) to
generate a final key (3.12), which generally includes the stages of raw data generation (3.34) and post-
processing (3.17)
3.28
quantum key distribution system
QKD system
system that implements quantum key distribution (QKD) protocols (3.24), including at least two QKD
modules (3.23) as well as the interconnecting quantum (3.20) and classical channels (3.3)
3.29
quantum key distribution transmitter module
QKD transmitter module
functional module in a quantum key distribution (QKD) system (3.28) corresponding to the QKD
transmitter party (3.30) of the implemented QKD protocol (3.24)
3.30
quantum key distribution transmitter party
QKD transmitter party
quantum signal (3.32) sender in a quantum key distribution protocol (3.24)
[SOURCE: ETSI GR QKD 007 V1.1.1:2018, modified — the term has been changed from "Alice" to
"quantum key distribution transmitter party"; in the definition, “
...