91av

Quantum hackers: Cracking the uncrackable code

It promised the ultimate in security, but quantum cryptography is under attack – from cunning eavesdroppers who have worked out how to fool the system
Quantum cryptography is under attack from cunning eavesdroppers who have worked out how to fool the system (Image: Paul Taylor/Stone +/Getty)
Quantum cryptography is under attack from cunning eavesdroppers who have worked out how to fool the system (Image: Paul Taylor/Stone +/Getty)

WHEN Vadim Makarov boards an aircraft, he carries with him a bright yellow suitcase. Inside is a jumble of wires and connections, and a large black-and-white symbol that looks unnervingly like a skull and crossbones.

But while the contents of his suitcase might give airport security staff cause for concern as it passes through their X-ray machines, it poses no threat. Instead, Makarov uses it to eavesdrop on quantum cryptography systems, which transmit top-secret information in networks across the world. Fortunately, his mission is benign. , a researcher at the Norwegian University of Science and Technology in Trondheim, hopes to detect loopholes in these quantum networks before they are spotted by hackers.

Some may regard his job as unnecessary. Quantum cryptography is meant to harness the laws of quantum mechanics to catch eavesdroppers before they can do damage. For this reason, it has often been hailed as “uncrackable” encryption. “There’s been the impression that since it is based on the laws of physics, its security is guaranteed,” says Makarov.

Once you put the technique into practice, however, it’s another matter. Makarov’s group and others have already found some weak spots in quantum cryptography, and there are potentially many more.

Any weaknesses will be a cause for concern for the many operations that already use this form of encryption to transmit secure messages. Since 2007, quantum key distribution (QKD) has been used to send the results of Swiss elections securely from local centres to the State of Geneva’s central data repository. It is also being used 24 hours a day by banks, multinational companies and some hospitals to transmit confidential information to remote backup centres.

For such commercial clients, QKD promises security that seems future-proof. A typical technique of conventional cryptography is to encode messages using encryption keys made from the product of two large prime numbers. In order to read these messages, a hacker would need to retrieve the original primes, a factorisation process that takes an unfeasibly long time, even for the most powerful computers. “But there is no evidence that it’s impossible, it is just that the best algorithm has not yet been found,” says , an expert in quantum cryptography at the University of Geneva in Switzerland.

Should a technological development come along that made it possible to crack these prime numbers quickly, all electronic financial transactions would collapse in an instant, he says. “It would be an enormous crisis that would make the credit crunch look like a joke.”

QKD, on the other hand, should unveil any eavesdroppers before they tap into the important data. To understand how this works, you need to meet Alice and Bob – two imaginary figures who want to send a secret key. In the most widespread implementation of QKD, Alice, the sender, creates the key by encoding a string of 0s and 1s in the polarisation of individual photons. She has two systems for doing this – using either vertical or horizontal polarisation, or “diagonal” polarisations of plus or minus 45 degrees. When sending the digits to Bob, Alice randomly alternates between these systems.

What makes QKD supposedly so secure is that, until it is measured, a quantum object such as a polarised photon can exist in a “superposition” of all its possible polarisation states. At Bob’s end, this stream of quantum bits hits a beam splitter that randomly diverts each photon to one of two sets of receivers, each equipped to deal with one of the two polarisation systems. If the set matches the system used to encode the photon, Bob will measure a definitive state, the one encoded by Alice, and the correct result. If, however, the photon hits the other set, the detector will measure a superposition state and get a random result – half of the time it will be correct, and half of the time wrong.

That second outcome would not present a problem because after the message has been transmitted, Alice and Bob can compare which systems they used to send and receive each photon to work out which recordings to eliminate. This leaves them with a string of digits – the key – which Bob can then use to decode a scrambled message sent via a conventional communications link.

But suppose then that an eavesdropper, Eve, attempts to intercept the data and then resend the signal. Like Bob, she would also record the wrong data when she chose the wrong type of receiver to decode the photons. In doing so, however, she would collapse the superposition and polarise the photon into whatever state she measured it in, passing this state rather than Alice’s original on to Bob. The result would be that when Bob and Alice compared notes to decide on the final key, they would see unexpected errors in the transmission, alerting them to Eve’s presence.

This, in theory, should make QKD systems impenetrable. But in 2008, Makarov and his team of quantum hackers decided to challenge the idea. “We had an inkling that once you started to scrutinise the devices used to implement the system, loopholes might emerge that could be exploited with today’s technology,” he says.

To search for these weaknesses, Makarov’s team began to investigate the detectors that would be used by Bob to read Alice’s messages. Most systems use a type of detector called an avalanche photodiode, which generates an electrical pulse when it receives a single photon. When the team played with this setup, they found that they could “blind” the detectors with a short pulse of bright light, raising the detectors’ threshold so that they no longer responded to single photons.

However, if a second, stronger pulse was sent, the detectors would respond. Thanks to the way the beam is divided among the different receivers, Eve could engineer this pulse so that it would fall under the threshold of three of the detectors, but above the threshold of the remaining detector, to register whatever digit she wanted (see diagram). In this way, she could read Alice’s message, and resend the correct sequence to Bob, without creating an increase in the error rate ().

Blinding attack

Once the quantum hacking team had demonstrated that this attack was possible in the lab, they borrowed two commercial QKD systems, one developed by ID Quantique, based in Geneva in Switzerland, the other by Magiq Technologies in Boston, Massachusetts. Working with colleagues at the Max Planck Institute for the Science of Light in Erlangen, Germany, they demonstrated that both commercial systems were vulnerable to attack. They published their results in a paper in Nature Photonics in 2010 (). “This seems to be a common feature of all detectors used in QKD,” says Makarov. “We have tested seven different detector models, and they could all be blinded and controlled.”

Having undermined the security of quantum systems, the next step was to attempt to eavesdrop on an entire message sent between Alice and Bob. In June, Makarov’s crew took their yellow suitcase containing their Eve apparatus to the Centre for Quantum Technologies at the National University of Singapore. There, they joined forces with a team led by Christian Kurtsiefer to hack a working QKD system. Tapping into the middle of a 290-metre fibre-optic cable linking Alice and Bob, they managed to eavesdrop on an entire 300,000 digit key within minutes (). “The QKD system generated the key at the same rate and with the same parameters as before Eve was placed on the line,” says Makarov. “The eavesdropper went completely unnoticed.”

What’s more, attack by blinding is not the only option available to potential Eves. Since Makarov first announced his hacking plan, some other ingenious lines of attack have been discovered. For instance, and colleagues at the Ludwig Maximilians University and quantum cryptography company Qutools, both in Munich, Germany, have shown that Eve might be able to write Alice and Bob’s secret key herself.

“Since the first weaknesses in quantum cryptography were announced, several more ingenious lines of attack have been discovered”

She can do this by exploiting the fact that, in most QKD systems, the detectors are only active for short periods beginning just before Alice sends each photon. If a photon is received outside this window, it won’t register on Bob’s readout. By sending a small pulse of light in these gaps, Eve can temporarily blind three of the four receivers just before Alice sends each signal, without being detected. If Bob then registers a photon, Eve can be sure it arose from the remaining detector. Otherwise, the photon will have been “lost” and Bob will record nothing. By repeating this process, Eve can dictate exactly which digits the key will include (). “We just manipulate the detectors so that we know which of them is capable of making a click, and therefore which bit will be generated by Bob’s receiver,” says Weinfurter.

A team led by at the University of Toronto in Canada has developed a third approach that exploits the way in which Alice prepares her signal. In commercial QKD systems, Bob first sends a precisely timed light pulse to Alice, who then encodes the signal using a device called a phase modulator and sends it back to Bob. When Alice expects to receive a signal from Bob, she simply switches on the phase modulator to encode the signal, and then switches it off again.

However, if Eve alters the timing of Bob’s initial pulse, for instance by simply shortening or lengthening the fibre-optic cable that connects him to Alice, she can ensure that the signal arrives slightly earlier or later than expected. This introduces slight errors into Alice’s encoding, which Eve can then use to mask the disturbance she creates in snooping on the signal sent from Alice to Bob ().

These attacks have triggered a debate among quantum cryptographers. Some, like of Toshiba Research Europe’s Cambridge Research Laboratory, are unconvinced they would ever pose a real threat. He thinks Makarov’s results may be down to an unnecessary resistor in the single-photon receivers, which seemed to allow the blinding attack to occur. Toshiba’s setup doesn’t include this resistor, meaning it is immune to these attacks. What’s more, the team found that blinding only works if the detector’s discrimination level is set too high. This renders it insensitive to the bright pulses used in the attack. “If the discrimination level is properly set, the bright pulses will trigger errors that alert the QKD users to the attack,” he says. “Makarov’s work is valuable in showing a potential pitfall, but if the QKD system were used in real life it wouldn’t be set up in that way.” A Magiq Technologies spokesperson agrees, saying Makarov’s experiment was not implemented in the way they advise for their commercial customers.

Makarov counters that the ID Quantique commercial system the team cracked in 2010 was shipped to customers with the “unnecessary” resistor soldered to its circuit board – a fact that Gisin, who is also a board member of ID Quantique, confirms, though he says this has been fixed in the latest version of the system. Makarov adds that it was also shipped with the high discrimination level pre-programmed. “Neither did we change the research system in Singapore,” he says. “It had been used in several demonstrations by the time we came to hack it.”

Cat-and-mouse games

Makarov and his team also disagree with Shields over how best to defend QKD systems against attacks. According to Shields, the blinding attacks generate a large photocurrent, so to unveil the hacker all you need to do is monitor the detector for unusually high levels of photocurrent.

But Lars Lydersen, also of the quantum hacking group at the Norwegian University of Science and Technology, argues that simply developing patches against particular attacks in this way will create an ongoing cat-and-mouse game with attackers, not unlike the one challenging conventional cryptographers. “It’s like locking your door and keeping your key under the doormat, then one day you realise someone knows your key is there, so you put it under the garage door,” he says.

Instead, Lydersen believes a better option would be to design QKD systems so that they regularly check themselves to ensure they are operating correctly. “So one part of the solution is to have a calibrated light source – like a laser – within the box containing the detectors, and you occasionally turn on the light to check your detectors are actually detecting single photons.”

In the end, the attacks and the ensuing debate can only be good news for the security of QKD technology, says Valerio Scarani of the Centre for Quantum Technologies at the National University of Singapore, who was not involved in the experiments. “It’s a natural step in the maturation of a field,” he says. “First of all there is enthusiasm, then people start being a bit more prudent, and begin to look for problems so they can be fixed.”

He adds, however, that the attacks would have made less of a splash if quantum cryptographers had been more modest from the beginning. In the same way that the Titanic taught us that no ship is ever “unsinkable”, the attacks demonstrate that no technology, however smart, will ever be truly safe from Eve and her cronies.

Topics: prime numbers / Quantum science