Quantum encryptionCommercial quantum cryptography vulnerable to attack

Published 2 September 2010

Quantum cryptography is one of the most secure known means of transmitting data; in fact, it is often described as “unbreakable” because it relies on the Heisenberg uncertainty principle — observation causes perturbation: if a third party does intercept a quantum signal, this very interception changes the encryption key, making the tampering apparent to parties at both ends; researchers, though, developed and tested a technique exploiting imperfections in quantum cryptography systems to implement an attack

Quantum cryptography is one of the most secure known means of transmitting data. In fact, it is often described as “unbreakable,” because if a third party does intercept a quantum signal, this very interception changes the encryption key, making the tampering apparent to parties at both ends (see “A first: Commercial quantum cryptography system hacked,” 18 May 2010 HSNW).

It appears, though, that nothing is perfect. The Norwegian University of Science and Technology (NTNU) and the University of Erlangen-Nurnberg together with the Max Planck Institute for the Science of Light in Erlangen have recently developed and tested a technique exploiting imperfections in quantum cryptography systems to implement an attack. Countermeasures were also implemented within an ongoing collaboration with leading manufacturer, Geneva, Switzerland-based ID Quantique.

Quantum cryptography is a technology that allows one to distribute a cryptographic key across an optical network and to exploit the laws of quantum physics to guarantee its secrecy. It makes use of the Heisenberg uncertainty principle — observation causes perturbation — to reveal eavesdropping on an optical fiber.

The technology was invented in the mid-1980s, with first demonstration less than a decade later and the launch of commercial products during the first years of the century.

The security of quantum cryptography relies in principle only on the laws of quantum physics, but it is also dependent on the lack of loopholes in specific implementations, just like any other security technology.

The security of quantum cryptography relies on quantum physics but not only… It must also be properly implemented. This fact was often overlooked in the past,” explains Professor Gerd Leuchs of the University of Erlangen-Nurnberg and the Max Planck Institute for the Science of Light.

Recently, NTNU in collaboration with the team in Erlangen has found a technique remotely to control a key component of most of today’s quantum cryptography systems, the photon detector, which is reported today in Nature Photonics advance online publication (see more details at How We Did It Web site).

Unlike previously published attempts, this attack is implementable with current off-the-shelf components,” says Dr. Vadim Makarov, a researcher in the Quantum Hacking group at NTNU, who adds: “Our eavesdropping method worked both against MagiQ Technology’s QPN 5505 and ID Quantique Clavis2 systems.”

In the framework of a collaboration initiated with ID Quantique, the researchers shared their results with the company prior to publication. ID Quantique has then, with a help of NTNU, developed and tested a countermeasure.

Academic researchers of the two laboratories will continue testing security aspects of quantum cryptography solutions from ID Quantique. “Testing is a necessary step to validate a new security technology and the fact that this process is applied today to quantum cryptography is a sign of maturity for this technology,” explains Grégoire Ribordy, CEO of ID Quantique.

— Read more in Lars Lydersen et al., “Hacking commercial quantum cryptography systems by tailored bright illumination,” Nature Photonics (29 August 2010) (doi:10.1038/nphoton.2010.214)