żěè¶ĚĘÓƵ

‘Quackers’ tarnish quantum secrecy’s halo of invincibility

As the first network protected by quantum cryptography is switched on, eavesdroppers are using increasingly sophisticated methods to crack such "unhackable" systems
'Quackers' tarnish quantum secrecy's halo of invincibility

EVE, the world’s most famous eavesdropper, passed away last week after a long illness. She had been the victim of a condition known as quantum cryptography, which gradually starves its victims of their basic fodder – insecure messages. Her passing was mourned by her long-time adversaries, Alice the sender and Bob the receiver. “Eve was a worthy opponent but a pain in the neck,” said Alice. “We never liked her but of course we couldn’t say that while she was listening,” added Bob.

If the hype is to be believed, the world of cryptography has changed forever. Last week, the world’s first communications network protected by quantum cryptography was switched on in Vienna, Austria. Any message passing through this optical-fibre network is protected from eavesdroppers by the rules of quantum mechanics. The total security of these messages can be proved beyond doubt, says the team behind it.

However, just as quantum cryptographers were showing off their network in Vienna, a new breed of quantum hackers – let’s call them “quackers” – were talking about the techniques they have been developing to find and shore up weaknesses in such networks. Quantum cryptography may have forever changed the cat and mouse game between broadcasters and eavesdroppers, but the contest is far from over. On the contrary, eavesdroppers are reinventing themselves to break quantum networks in ever more devious ways. Reports of Eve’s demise may be premature.

“Eavesdroppers are working to break quantum networks in ever more devious ways”

Quantum cryptography relies for its security on the fact that it is impossible to measure a quantum object without changing it. So if Alice sends her message to Bob using photons, for example, their polarisation will be disturbed by any attempt Eve makes to “listen in” or intercept them. As long as Alice and Bob are careful, they can always spot that disturbance.

Although there will always be some errors that occur because photons get lost, for example, as long as these losses do not rise above a certain threshold, then Alice and Bob know that Eve has not intercepted anything.

The trick is not to use quantum cryptography to send the message itself, because Eve might be listening, but to use it to send a “” (OTP) – an encryption key that can be used to conventionally encode a message with absolute secrecy. If the OTP is compromised, they simply disregard it and send a new one. The technique is called quantum key distribution (QKD) and, in theory, it offers perfect security.

The ¬11 million network unveiled in Vienna last week combines eight different QKD techniques into a single network. That’s impressive because until now QKD has only ever been done between two points. The new network consists of six nodes with eight links between them, at distances of between 6 and 82 kilometres. “It’s the first time we’ve been able to guarantee the security of a network,” says Christian Monyk at the Austrian Research Centers in Vienna who heads the project, which is funded by the European Commission.

The project is known as SECOQC – an acronym of the French name for the Development of a Global Network for Secure Communication based on Quantum Cryptography. It is designed to test a number of technologies. For example, one thing that has held back the commercialisation of quantum cryptography is the number of different and incompatible protocols for putting it into practice. The SECOQC network gets around this by using software running on hubs in the network to translate one protocol into another, allowing it to handle communication between the different systems. At the moment, the quantum signals still have to be converted into classical form at these hubs and then re-encrypted before being sent on, but quantum routers are being developed in a number of labs around the world that will not require this conversion stage.

Such quantum routers would reduce the opportunities for translation between protocols, so what the quantum cryptography industry desperately needs is a single standard for sending information. And now that a network has been established that allows the rival protocols to be compared on a level playing field, a standard should emerge. “In many ways, it shows the maturity of the field,” says Andrew Shields at Toshiba Research Europe in Cambridge, UK, which is one of the organisations demonstrating a protocol in the Vienna network.

The most impressive aspect of Toshiba’s system is the rate at which it can send a quantum key. One of the practical limitations of quantum cryptography is the rate at which detectors can spot single photons. The problem, which limits today’s detectors to speeds of just a few kilobits per second over distances of 20 kilometres, is related to the way photon detectors work. The arrival of a photon triggers a cascade of electrons that can be detected as a current. But while the cascade is in process, it cannot spot the arrival of other photons so for that moment the detector is effectively blind. So photons must be sent with an adequate delay between them if the detector is to see them.

But Shields has found a way to detect photons using much shorter electron cascades which in turn leads to a shorter dead time. Consequently, his detectors work at data rates of around 1 megabit per second at a distance of 20 kilometres, this time limited only by the rate at which photons can be sent, says Shields.

So does all this mean the game is up for eavesdropping Eve? Not quite, says Vadim Makarov, a member of the quantum hacking group at the Norwegian University of Science and Technology in Trondheim. Earlier this year, the team of quackers found that a certain kind of photon detector used by a number of quantum cryptography groups has a serious flaw that allows it to be hijacked by Eve: zapping the detector with a powerful beam of light overwhelms its electronics, allowing Eve to control the signals that Bob receives without alerting him or Alice.

“If I were to mount a series of attacks, I would be successful in some of them,” says Makarov, who presented his results at SECOQC last week. Makarov is currently looking for ways to shore up this potential loophole, and Shields says that shouldn’t be too hard. “It should be straightforward to spot a more powerful beam aimed at the detector,” he says. Nevertheless, Makarov’s claims are extraordinary for a system that is supposedly perfectly secure.

What’s more, Martin Suda and Stefan Schauer at the Austrian Research Centers also pointed out last week that it may be possible for Eve to replace intercepted photons with some specially prepared photons of her own, without breaching the error threshold and giving herself away.

So far their attack has only been shown to work on one theoretical protocol that has not yet been used in practice. “But we are working on applying it to other protocols,” says Suda.

Such a quantum attack on a quantum network sounds serious, says Artur Ekert, a quantum physicist at the University of Cambridge, but all it really reveals is that this particular protocol is poorly conceived. It will always be possible to attack protocols with built-in weaknesses, he says. “But the basic QKD protocols remain secure no matter how powerful the eavesdropper,” he stresses.

Nevertheless, Makarov and Suda’s limited success will give other quackers a sense that quantum cryptography’s halo of invincibility is slipping. Far from being dead and buried, Eve is very much alive. Which means Alice and Bob may have to put the funeral celebrations on hold.

Quantum World – Learn more about a weird world in our comprehensive special report.

A light challenge

Hackers attempting to find a loophole in the security of quantum cryptography systems may be inspired by a weakness in the way photons are produced.

Making beams of photons is easy, but producing photons one at a time is remarkably hard. For quantum cryptography, this is done by reducing the intensity of a laser beam until it produces only one photon at a time, on average. That means that some of the time the laser produces no photons, most of the time just one photon and at other times packets of two, three or more. There is no way to know exactly what the laser is producing at any moment.

For eavesdropper Eve, this is handy because she can use the data encoded in any of the excess photons to help her break the encryption key of the message Alice is sending to Bob. And since Alice and Bob don’t know these unsuitable photons have even been sent, they have no idea that Eve has swiped them.

This loophole will soon be closed by the development of reliable single-photon guns, but its existence puts the claim of perfect security in perspective.

Topics: Quantum science