Quantum crypto felled by 'Perfect Eavesdropper' exploit
All your photons are belong to us
Researchers have devised a technique for eavesdropping on communications secured through quantum cryptography that allows an attacker to surreptitiously construct the secret key encrypting the secret content.
The so-called Perfect Eavesdropper uses off-the-shelf hardware to defeat a key benefit of the alternative crypto system, namely that the use of properties rooted in quantum physics offers a theoretically fool-proof way for parties to exchange the secret key securing their communications without being intercepted. QKD, or quantum key distribution, allows a trusted party to construct a key by transmitting light to the other trusted party one photon at a time and then measuring their properties.
In theory, anyone monitoring the transmissions passing between the two parties will automatically be detected because in the world of quantum mechanics the act of eavesdropping taints the key in ways that are clear to the trusted parties.
The researchers, from the National University of Singapore, the Norwegian University of Science and Technology, and the University Graduate Center in Norway, were able to compromise the QKD by making the key exchange behave in a classical way. Using readily available equipment that fits inside a suitcase, they intercepted single photons traveling over a 290-meter fiber link network and then re-emitted the corresponding pulses of light.
The re-emitted pulses in effect blinded the photodiodes used by the trusted party receiving the transmission of photons. As a result, the photodiodes were no longer sensitive to single photons, making them behave like classical detectors that generate a current proportional to the intensity of the incoming light.
“Quantum key distribution has matured into a true competitor to classical key distribution,” Christian Kurtsiefer, a professor at the Center for Quantum Technologies at the National University of Singapore, said in a release. “This attack highlights where we need to pay attention to ensure the security of this technology.”
One of the biggest challenges faced by cryptographers throughout history is finding a secure way for trusted parties to share their secret key. Public key cryptography solved this problem by using a public key to encrypt communications and a separate private key that's unique to each recipient to decrypt the content. As a result, the key never has to be transmitted. Quantum cryptography takes a different approach by allowing one party to securely transmit the key to another party using principles at the heart of quantum mechanics.
The findings are similar to those published last year by researchers from the University of Toronto, who claimed to carry out the first successful attack against a commercial system based on theoretically uncrackable quantum cryptography. The researchers behind the more recent Perfect Eavesdropper said it's the first practical exploit that surreptitiously steals a key during a typical QKD setup.
The researchers have already identified the loopholes that allow the Perfect Eavesdropper to function and are working on countermeasures.
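A toy simulation of the key exchange described above, added here as an illustration and not taken from the researchers' work. It assumes BB84 as the protocol and models a blinded detector as a classical threshold that clicks only when the receiver's basis matches the eavesdropper's; the article spells out neither detail, and the function and variable names are hypothetical.

```python
import random

def run_qkd(n, attack=None, seed=1):
    """Simulate n pulses. attack: None, "intercept_resend" or "blinding".
    Returns (sifted_bits, error_rate, fraction_of_key_known_to_eve)."""
    rng = random.Random(seed)
    sifted = errors = eve_known = 0
    for _ in range(n):
        a_bit, a_basis = rng.getrandbits(1), rng.getrandbits(1)
        b_basis = rng.getrandbits(1)
        e_bit = None
        if attack is None:
            # Single photon straight from the sender: the right basis gives
            # her bit, the wrong basis gives a coin flip.
            b_bit = a_bit if b_basis == a_basis else rng.getrandbits(1)
        else:
            # The eavesdropper measures in a randomly chosen basis.
            e_basis = rng.getrandbits(1)
            e_bit = a_bit if e_basis == a_basis else rng.getrandbits(1)
            if attack == "intercept_resend":
                # She resends one photon; the receiver's detector is still
                # quantum, so a basis mismatch randomises his result.
                b_bit = e_bit if b_basis == e_basis else rng.getrandbits(1)
            else:
                # Blinded detector (assumed threshold model): a bright pulse
                # in her basis crosses the threshold only if his basis
                # matches; otherwise it splits and nothing clicks.
                if b_basis != e_basis:
                    continue  # no click, indistinguishable from loss
                b_bit = e_bit
        if b_basis != a_basis:
            continue  # sifting: both parties drop mismatched-basis slots
        sifted += 1
        errors += b_bit != a_bit
        eve_known += e_bit is not None and e_bit == b_bit
    return sifted, errors / sifted, eve_known / sifted

if __name__ == "__main__":
    for mode in (None, "intercept_resend", "blinding"):
        kept, qber, leaked = run_qkd(20000, mode)
        print(f"{str(mode):17} sifted={kept:5} error_rate={qber:.3f} "
              f"eve_knows={leaked:.2f}")
```

In this model the error rate the two parties check stays at zero under blinding while the eavesdropper holds every sifted bit; the only visible change is a lower click rate at the receiver.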
The problem with quantum keys
...is that you can never be entirely sure where they are. Or if you are sure, then you have no idea where they're going.
This is a particular* problem if you need the key to open the box to find out whether the cat needs feeding.
*or maybe wavicular.
@Remy Redert re:Dead in the water
Of course other encryption systems suffer from early problems, but you're missing my point.
The strengths and weaknesses of systems like DES and AES can be determined purely analytically, and their implementations are open to truly large scale testing and examination by anyone with the urge to download the spec and look at the source code. Whatever the weaknesses in the algorithms are, we can point to them and say definitively what they are, how hard they are to exploit, etc. Anyone can look at one aspect of an algorithm and say things like "you'd have to find the prime factors of that number there" and know that that would be a complete and definitive statement on the merits of that part of the algorithm. One can then objectively assess how hard it would be to perform said feat, keep an eye out for papers with titles like "prime factor finding" and generally be comfortable. And the same goes for implementations. This is because things like DES, AES, etc. are entirely logical systems that operate in rule sets created by man with no physical influences.
The problem with quantum cryptography is that the security of a key transfer relies entirely on the behaviour of physical processes, namely the quantum entanglement itself as well as the single photon sources and detectors. Knowing whether or not we have a complete understanding of these physical processes is much harder to be sure about. Mankind has been constantly revising its opinions of nature for millennia, and I don't suppose we're going to stop doing that anytime soon.
So far the problems that have been encountered with quantum cryptography are related to the physical properties of the detectors and photon generators (it turned out that single photons weren't always on their own...). No great surprises there - matter does not always behave as we tell it to! This latest problem is just another instance of our misunderstanding the physical properties of one electro-optic component in the system. I doubt that one can ever prove analytically that the components are designed and implemented correctly. All one can ever say is that N tests have shown them to work properly, but N can never be a truly large number. And should one test each and every photon detector, or just a sample of the production run?
But what about entanglement itself, and the impossibility of messing with it? There are several bunches of physicists who are questioning whether this is in fact correct or not. It looks like the rule that you can't measure the state of an entangled photon without affecting the state is more of an assumption than a proven fact. It's easy to say that it is hard to make such measurements, but to the best of my knowledge no one has quite yet been able to completely rule it out. Some very elegant experiments are being planned by academics to explore this. Some have already been done with electrons which showed that you can 'sniff' their quantum state, repair the damage done to the state, repeat until you know everything. Not good news so far, except that quantum cryptography uses photons.
My point is that all an experimentalist can say is that their particular experimental design could or could not measure states without disturbing them, but that says nothing about someone else's experiment. Saying "I can't do it" doesn't prove that no one else can. Yet for quantum cryptography to be guaranteed you have to prove the rule. As I said above, some results are already known for experiments with electrons which would suggest the issue is more one of experimental design, not hard physical facts. So where would quantum cryptography be if someone successfully designed and performed the right experiment? It is not guaranteed that they won't be able to do so. Certainly, if someone *does* manage to do it (which would be impressive because it would mean our quantum model of the world is wrong, Nobel prize in the post) quantum cryptography would be finished.
And it's worth pointing out that quantum cryptography is in fact ordinary symmetric cryptography that relies on a physical trick to securely exchange the key. That still doesn't stop someone getting the design and implementation of the actual encryption/decryption algorithm wrong.
Erm, is it just me, but I thought that the whole point of quantum cryptography was that when sending a message from a transmitter to a receiver, the receiver measures the properties of the single photons it receives and would know if the message had been intercepted.
So, if someone intercepted the single photon and instead substituted a "blinding" amount of photons then the receiver would then detect quite a big difference from what it was expecting and hence know that the message had been intercepted?
Presumably they would then do something else like say "Help, the message has been intercepted, we need a new key now!".