May 20, 2010
It is supposed to be absolutely secure – a means to transmit secret information between two parties with no possibility of someone eavesdropping.
Yet quantum cryptography, according to some engineers, is not without its faults. In a preprint submitted late last week to arXiv, Hoi-Kwong Lo and colleagues at the University of Toronto, Canada, claim to have hacked into a commercial quantum cryptography system by exploiting a certain practical "loophole". So does this mean high-profile users of quantum cryptography – banks and governments, for example – are in danger of being eavesdropped on after all?
Quantum cryptography works because a system's quantum state cannot be observed without changing it. In the standard protocol, two users, typically known as Alice and Bob, openly share encoded information. They can only decode the information once they also share the secret quantum "key". But they will always know if another party, typically known as Eve, tries to eavesdrop on the key, because by observing it she will always change its state.
Finding the loopholes
At least, that's how it should work in theory. Lo's group is one of several to look for faults in such quantum key distribution (QKD) in practice. "Our work is not bad news for QKD," says Lo. "By discovering and plugging loopholes in practical QKD systems, we make QKD more secure in the future."
The loopholes Lo refers to concern noise. It is impossible to shield out all environmental noise in a QKD system, so manufacturers have to tell the "Alice" and "Bob" receivers to tolerate a small error level, while still ensuring the system is secure from Eve. In past proofs, physicists have shown the maximum error level to be 20%.
Lo's group, however, attack a different source of noise: the inherent noise Alice introduces when she prepares quantum states for Bob to generate the secret key. By exploiting this additional leeway, Eve can learn sufficient information about the key without increasing the error level above the critical threshold. Indeed, in experiments with the commercial "ID-500" QKD system built by the Swiss company id Quantique, the Toronto researchers claim they can hack the key with an error level of just 19.7%.
No cause for alarm
The study would suggest that customers using QKD systems ought to beware, although id Quantique sees no cause for alarm. "It's important and interesting in the sense that quantum cryptography is just like any other security technology – you must test it to know that it is secure," explains Gregory Ribordy, an engineer who works at the company. "Where I'm less happy is with the buzz that it generates. [The preprint is] a bit overblown, and the claims that are derived from this research are completely exaggerated."
Ribordy points out that the ID-500 system is "old", having been manufactured in 2004. Moreover, he says it was only ever sold for research evaluation purposes. "This particular attack would not work in commercial applications or non-R&D applications," he adds.
The founder of id Quantique, Nicolas Gisin of the University of Geneva, is also sceptical about the preprint's merits. "The claim is largely oversold because the found error rate of 19.7% is largely above the alarm level of 8% that is implemented in id Quantique's commercial system," he says. "Consequently, the claim that a commercial QKD system has been hacked is simply wrong."
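The threshold argument can be made concrete with a small simulation. This is an added example, not code from the article, the preprint or id Quantique; it assumes the BB84 protocol (which the article does not name) and a textbook intercept-resend eavesdropper rather than the Toronto group's attack. The 20% and 8% values are the ones quoted in the article.

```python
import random

PROOF_BOUND = 0.20   # maximum tolerable error level quoted in the article
ALARM_LEVEL = 0.08   # alarm level id Quantique cites for its commercial system

def bb84_qber(n, eve_fraction, rng):
    """Simulate n BB84 pulses (assumed protocol); Eve intercept-resends a
    fraction of them. Returns (sifted_length, qber) on basis-matched rounds."""
    sifted = errors = 0
    for _ in range(n):
        bit, a_basis = rng.getrandbits(1), rng.getrandbits(1)
        state_bit, state_basis = bit, a_basis
        if rng.random() < eve_fraction:
            e_basis = rng.getrandbits(1)
            # Measuring in the wrong basis gives Eve a random outcome.
            e_bit = state_bit if e_basis == state_basis else rng.getrandbits(1)
            state_bit, state_basis = e_bit, e_basis  # she resends what she saw
        b_basis = rng.getrandbits(1)
        b_bit = state_bit if b_basis == state_basis else rng.getrandbits(1)
        if b_basis == a_basis:  # sifting: keep rounds where bases match
            sifted += 1
            errors += (b_bit != bit)
    return sifted, (errors / sifted if sifted else 0.0)

def verdict(qber, abort_threshold):
    """Alice and Bob discard the key when the measured error rate is too high."""
    return "abort" if qber > abort_threshold else "accept"

if __name__ == "__main__":
    rng = random.Random(2010)  # fixed seed so the run is repeatable
    for f in (0.0, 0.25, 0.5, 1.0):
        _, q = bb84_qber(40000, f, rng)
        print(f"Eve intercepts {f:4.0%}: QBER {q:6.2%}  "
              f"20% bound: {verdict(q, PROOF_BOUND)}  "
              f"8% alarm: {verdict(q, ALARM_LEVEL)}")
    # The error level reported in the preprint, checked against both limits.
    print("19.7% vs 20% bound:", verdict(0.197, PROOF_BOUND))
    print("19.7% vs 8% alarm: ", verdict(0.197, ALARM_LEVEL))
```

Full intercept-resend produces about 25% errors, so this simple Eve trips either limit. An error level of 19.7% passes the 20% bound but not the 8% alarm, which is the distinction Gisin draws.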
So are users of QKD systems being fooled by the theoretical promises of security? Despite the criticisms of the Toronto group's preprint, everyone seems to agree that quantum cryptography – a field only just beginning to mature – will always require practical testing. "More and more groups try to find weaknesses in the implementation of QKD – [although] no one questions its principle," says Gisin. "Thoroughly testing QKD systems by independent groups is indeed a must and id Quantique is collaborating with several university groups on this."
The research can be found online at arXiv:1005.2376.