91av

The secret is out

Claims that quantum cryptography is uncrackable are like a red rag to a bull for hackers. And against all expectations, they're discovering its weak spots. Mark Kendall Anderson reports

I’M STANDING in the lab where, in 1971, the first email was sent. Programmer Ray Tomlinson’s SENDMSG allowed a user on one of four fridge-sized PDP-10 computers to send a plain-text message to a user on any of the others. It was a frivolous trick at the time – the computers that first ran SENDMSG were within shouting distance of one another. But that network, dubbed ARPANET, went down in history as the first step towards the global internet we have today.

Now lab 2/177 at BBN Technologies of Cambridge, Massachusetts, is humming to a different tune – the sound of PCs and lasers linked together by more than 10 kilometres of coiled optical cable. Instead of communicating in 0s and 1s, like conventional computer networks, these computers are exchanging photons encoded with quantum states that are shades of 0s and 1s at the same time. By the end of this year, this will be a four-node fledgling quantum internet called the DARPA Quantum Network or, as I will call it, Q-NET for short.

Q-NET represents the first attempt to advance quantum cryptography from the realm of isolated point-to-point links and lab experiments to an actual network. Although the first quantum communication products have already hit the market, from MagiQ in New York city and ID Quantique in Geneva, these systems are one-to-one links, not networks. They include cables, lasers and photon detectors with properties that are very close to ideal, and are marketed as absolutely secure quantum-encrypted communication systems that are guaranteed by the laws of quantum physics. The companies’ customers include military and intelligence agencies, as well as financial firms and other security-conscious companies.

But so far, no one except BBN has begun to develop a network of quantum links that can handle everyday applications like bank transactions and secure web traffic using optical cables that, like any real-world network, will be beset by noise, fluctuations in demand, and attempts to tap the line. If the Q-NET succeeds, it will bring totally secure quantum-encrypted communication to the rest of us.

That’s a big if. Near lab 2/177 is a boardroom table where I recently found myself sitting with 10 of the project’s 15 scientists and engineers, drawn from industry and academia, engaged in their weekly brainstorming session. The puzzles they discussed fell into two categories. Firstly, how can they best build and program the quantum network. And secondly, how can they hack it.

Hack it? How can that be? Because if quantum cryptographers have promised one thing, it’s absolute security. Countless articles, interviews and books have put across the same message: quantum communications can’t be hacked. The very act of eavesdropping disturbs the quantum bits in a way that is provably detectable. For the first time, cryptographers appeared to be offering 100 per cent security.

The snag, as any engineer knows, is that concepts expressed as neat little arrows and boxes become very different creatures indeed when you translate them into cables, lasers and photodetectors. And the engineers who are now building real quantum communication devices are discovering potential hacks that the designers of these schemes never even dreamed of. “These things may fail for that kind of reason,” says Chip Elliott, Q-NET’s principal engineer. “Maybe the protocol wasn’t used in the same way that the mathematicians expected it to be used. So the mathematical proof of security isn’t relevant.”

Many of the possible hacks that could undermine quantum networks are familiar to classical cryptographers. Quantum cryptography is still vulnerable to the “three Bs” of security failures: break-ins, blackmail and bribery. But the Q-NET team is grappling with more than this: the field of quantum cryptography has spawned an entire spectrum of novel hacks.

Hypothetical hackers

“You have to set a series of ground rules,” says Elliott. “Do you allow bad people to be inside the computers or inside the [photon detector] box? If they’re inside the box, then you’re in deep trouble.” Or if someone is allowed to look over your shoulder as you decode an encrypted message, for example, then it obviously cannot be secure. So researchers tend to deny the hypothetical hackers these easy tricks, and ask what else they can try.

Their task will be tough, because the claim that quantum-encrypted messages are uncrackable is not just media hype. In 1984, Gilles Brassard of the University of Montreal and Charles Bennett of IBM invented a scheme called the BB84 protocol, which was the starting point for the whole field of quantum communication. In BB84, a message sender and receiver, conventionally referred to as Alice and Bob, use a quantum communication link to agree on a string of bits that only they know: the “key”. They then use the key to encrypt messages that can be sent on a public channel – by email or over the telephone, say.

Of course, there is already a system that relies on a public key to encrypt information, and you use it whenever you perform a secure transaction over the web, at addresses beginning with the identifier https://. The information sent to and from these sites is encrypted with a mathematical function that uses the public key, a 512-bit number that is the product of just two prime numbers. The code can only be deciphered by someone who knows the “private key”, which is simply one of the prime numbers.

The system works because there is no known way to factorise such large numbers in less than a few months. All you have to do is change your public key every few weeks. But if some clever person one day writes a program that can factor 512-bit numbers in minutes or hours, then https:// sites, as well as much of the world of modern electronic finance, would become essentially no more secret than the front page of The New York Times. And if quantum computers become a reality in the next decade, as many experts predict, they will be able to crunch those large numbers in no time.

But BB84’s security depends on the laws of physics, rather than our ineptitude at factorisation. It all hinges on Alice and Bob agreeing a secret key, which they do like this: Alice sends Bob a stream of bits in the form of photons, each encoded in one of two incompatible measurement standards. Suppose one standard, called alpha, reads horizontal polarisation as 0 and vertical polarisation as 1. Another, beta, reads diagonal-to-the-right polarisation as 1 and diagonal-to-the-left polarisation as 0.

Alice sends five bits down the fibre to Bob using the following random sequence to encode her bits: alpha, beta, alpha, alpha, alpha. Upon receiving each photon, Bob measures it in his own randomly selected sequence: beta, beta, alpha, beta, alpha. When Bob uses the “wrong” standard to measure one of Alice’s photons, the quantum nature of the photons means there is a 50 per cent chance he will record a 1 when a 0 was sent, and vice versa. The next step is therefore to discard those instances.

Alice and Bob get on the phone and tell each other which standards they used and in which order, but not, crucially, which bits they measured. Whenever they used the same standard, they can be sure their bits are the same, but when they used incompatible standards, there’s uncertainty, so they discard those bits. In this particular example, Alice and Bob would end up keeping only the second, third, and fifth bits.

That done, Alice and Bob have a string of bits in common that no one else knows, and can use this key to encrypt data and send it on a public channel. The security of quantum communication systems depends on the fact that no one else knows this key, and is incredibly unlikely to guess correctly any key more than a few bits in length. Any eavesdropper, conventionally named Eve, would have to measure Alice’s photons herself in order to know the key. And this is where quantum physics steps in to stop her.

When Eve disturbs Alice’s photons, she picks a measurement standard that, half the time, will not be the same as the one Alice and Bob later agree on. Her measurement destroys the quantum state of the photon, and it’s that state that enables Bob and Alice to agree on the same bit. Bob and Alice will end up with different keys, so when Bob tries to use his key on Alice’s messages, it will produce gobbledygook. Unlike a classical cryptographic system, BB84 is not only provably secure, it has its own eavesdropper alarm system, built-in.

At least, that’s how quantum cryptography is supposed to work. The caveats “theoretically” and “ideally” still prefix many claims in this extremely young field. On a real quantum channel there are always imperfections that create noise, causing the photon’s states to fluctuate, so that Alice and Bob may have small differences in their keys.

“There are always assumptions,” says Artur Ekert of the University of Cambridge, designer of a rival protocol to BB84. “Quantum cryptography cannot guarantee that you can always establish the key. It guarantees that each time you try to establish the key you will know by analysing the noise the degree of security of the key.” That noise can shield Eve’s activity, fooling Alice and Bob if they don’t understand their equipment’s weaknesses well enough. “You can decide whether you want to go on and establish the key or not,” says Ekert.

And in a practical situation, Alice and Bob can go astray if they rely on a bad key. Here is a devious example: Eve finds an unprotected piece of optical fibre between Alice and Bob and splices in a line attached to her own laser. Eve fires an intense burst of laser light into the detector at Bob’s end that receives “1” photons, say. Bob’s 1 detector is fried, so he can only receive 0s. If Alice and Bob’s computers are not smart enough to recognise the attack, they’ll start generating keys that seem to be secure and pass all the BB84 tests, but consist entirely of zeros. Eve will know, without needing to measure any photons, that the “encrypted” message is in fact not encrypted at all.

Amid the hubbub of a very busy network, other things can go wrong. “The models that tell us quantum cryptography is hot stuff are drastically simplified,” says John Myers of Harvard University, one of the theorists collaborating with BBN to build Q-NET. Myers likes to cite BBN security guru John Lowry. “He told me that if he wants to crack a crypto system, the first thing he does is find an abstraction and look under it. There are plenty of abstractions floating around here,” he says, gesturing around at the BBN lab. “I can’t tell you that any one of them hides a rotten spot or vulnerability. But I can’t tell you the opposite either.”

For instance, Myers points out that the detector Bob uses to read the individual photons that Alice sends is a complex electronics box that can only process photons as the rate of a few hundred thousand a second. In contrast, the theoretical detector can operate infinitely fast.

Overstressed networks

This means Eve can find vulnerabilities that overstress the network, something that does not happen to a theoretical network, or a reserved point-to-point link. For example, she could shine thousands of junk laser pulses into Bob’s detectors at the same time as Alice’s laser pulses arrive. Bob’s overstretched detectors may leak copies of some of Alice’s photons back into the fibre – photons that Eve can detect to read off the value of Alice and Bob’s key. No one has demonstrated a hack like this, but it is possible in principle, says Myers.

Likewise, Eve can send tiny tracer pulses down the line and bounce them off Alice’s laser. Alice may use different lasers to encode a 1 or a 0, or her laser may reflect the trace pulses differently depending on which is being encoded. So Eve can tell whether Alice has encoded a 1 or a 0 without actually measuring Alice’s photons herself.

There are also attacks that are less “quick and dirty” than messing with Alice and Bob’s equipment. One example is the photon “number-splitting” attack, designed by a team headed by Nicolas Gisin at the University of Geneva in Switzerland, who co-founded ID Quantique. Most lasers, including Alice’s, can accidentally burp out two or three photons instead of just one. Eve could detect when this happens and divert the extra photons into her own apparatus and store them there. When Alice and Bob reveal whether they measured that photon in the alpha or beta format, Eve can pull out her stored photon, measure it in the appropriate format and extract the encoded bit. The technology to store the photons without measuring them does not exist, but if someone finds a way to do this, Eve will be able to find out at least part of Alice and Bob’s key. Even in an otherwise perfectly functioning system, a small portion of Alice and Bob’s messages could be readable.

Earlier this year a team of scientists led by Gisin announced an alternative protocol, similar to BB84, but immune to number-splitting attacks. The idea is to change the way Alice tells Bob what measurement standard she used to encode each photon. Instead of stating the standard outright, she gives him a series of possible outcomes, for example, she may say, “you either measured 1 in the alpha standard or 0 in the beta standard”. He then knows whether they have a match, but Eve still does not know what standard to use to measure her captured photon.

Gisin admits there is a possibility of someone devising a devious attack that also beats the new scheme. “In general, I do not think that a real quantum cryptography system will ever be 100 per cent secure, because a real system will always implement an approximation of the theorist’s system,” he says. With care, he thinks designers will push their real systems close to the ideal. Indeed, both ID Quantique and MagiQ claim that the point-to-point systems they provide are as good as perfect.

But the message from engineers at BBN is that this would be much tougher to achieve on a public internet, and to make things even more confusing, the engineers have a huge number of different quantum communication schemes to choose from.

Earlier this year Rick Kuhn of the National Institute of Standards and Technology in Gaithersburg, Maryland, investigated a class of quantum communication schemes that were designed to avoid Alice and Bob having to have any classical communication at all. Everything could be done in the quantum channel. Such schemes were thought to be secure, but Kuhn showed that they are vulnerable to what is known as a “man in the middle” attack, in which Eve intercepts Alice and Bob’s photons and replaces them with her own, to fool them into thinking there is no eavesdropping on the line. This attack does not work on most quantum schemes. “I think quantum crypto can be commercially successful, but we’ll have to figure out how it fits into conventional networks,” says Kuhn.

To get an idea of how that fit might work, I drive across town to Boston University Photonics Center, where scientist Alexander Sergienko is developing four more nodes to be added to the BBN Q-NET next year. Sergienko is planning to use a different quantum cryptography scheme to BB84, one developed by Ekert in 1991. In Ekert’s scheme, Alice and Bob establish their key by sharing two photons that have been “entangled” by generating them in a shared quantum state. Sergienko thinks exploiting entanglement could make eavesdroppers easier to detect in practice, and indeed, Ekert’s scheme and variants of it are not considered vulnerable to the number-splitting attack. But Elliott thinks even Ekert’s protocol might succumb to a frying attack. “They may be susceptible to detector warming or breaking, but I don’t think this area has been thought through carefully,” says Elliott.

And thinking things through before promising security is vital. “You look around the edges of things,” says Elliott. “You look for the cracks where somebody made a mistake.” And wherever you look, you find Eve. Whether dealing with conventional hackers or quantum attackers, staying one step ahead will be a never-ending battle.

The secret is out