Published online 20 May 2010 | Nature | doi:10.1038/news.2010.256

News

A commercial quantum encryption system has been fully hacked for the first time.

A hacker of quantum cryptography can disguise his interference as acceptable levels of noise. A. Prokhorov/iStockphoto

Quantum cryptography isn't as invincible as many researchers thought: a commercial quantum key has been fully hacked for the first time.

In theory, quantum cryptography — the use of quantum systems to encrypt information securely — is perfectly secure. It exploits the fact that it is impossible to make measurements of a quantum system without disturbing it in some way. So, if two people — Alice and Bob, say — produce a shared quantum key to encode their messages, they can be safe in the knowledge that no third party can eavesdrop without introducing errors that will show up when they compare their keys, setting off warning bells.

In practice, however, no quantum cryptographic system is perfect and errors will creep in owing to mundane environmental noise. Quantum physicists have calculated that as long as the mismatch between Alice's and Bob's keys is below a threshold of 20%, then security has not been breached. Now, however, quantum physicist Hoi-Kwong Lo and his colleagues at the University of Toronto in Ontario, Canada, have hacked a commercial system released by ID Quantique (IDQ) in Geneva, Switzerland, while remaining below the 20% threshold.

"Even with a relatively simple attack, the hacker can get the complete key, and nobody would know anything about it," says Lo.

Lo's hack works by intercepting the bits that Alice sends to Bob while creating the key, and resending a slightly modified version to Bob. In standard quantum cryptographic techniques, Alice encodes each bit using the polarization of photons. When she sends these bits out, the polarization should be perfectly oriented in one of four directions, separated by 45 degrees (north, northeast, east or southeast).

In a perfect world, any hacking attempt would disturb a significant fraction of the bits' orientations, introducing errors just above the threshold. However, in practice, Alice cannot switch orientations for successive bits instantaneously — each time she wants to send a bit with a new orientation, she has to change the voltage applied to the photon to shift its orientation. This gives the hacker time to swoop in and hijack the bit before it is sent out to Bob, measure it, and then send it on its way again.

However, if the hacker simply sends the bit to Bob along one of the four orientations that Alice originally defined, the hacker's presence will be discovered because his measurements will introduce random errors into the system that exceed the 20% limit. But Lo's team has now demonstrated that if the hacker sneakily sends the bits along slightly different directions, the errors introduced by his interference will fall just under the 20% threshold at 19.7%1.

Hack attack

"This is not the first time that researchers have claimed to hack quantum cryptographic systems, and it won't be the last," says Grégoire Ribordy, chief executive of IDQ. Lo's group performed a partial hack on the IDQ system in 20082, and other researchers have also demonstrated ways to hack quantum cryptographic systems3.

However, Ribordy argues that Lo's hack does not threaten the security of IDQ's commercial product, which contains extra alarms above those included in the version that was sold to Lo's group a few years ago. For instance, the current commercial release aborts if errors exceed just 8%.

Ribordy also notes that an additional alarm would be triggered when the hacker joins the line, momentarily perturbing the system far beyond the 20% threshold. However, Lo argues that such a heavily alarmed system would be accidentally triggered too often to be practical. "Even a passing heavy truck would trigger a false alarm," he says.

ADVERTISEMENT

Quantum hacker Vadim Makarov, at the Norwegian University of Science and Technology in Trondheim, agrees that the hack does not threaten IDQ's current security. As Lo and his team did not alert IDQ of the hack in advance, Makarov adds that Lo's team must be careful not to breach the hackers' unwritten code of ethics, which prescribes that hackers should alert the company to any flaws in its systems before making them public. "This prevents the bad guys out there from exploiting the published loophole before the vendor has a chance to patch it, or at least alert the users," he says.

Lo, however, does not agree that publishing his demonstration before contacting the company was unethical, because his group originally published the theory behind the hack in 20074. "People have known about this idea for a long time, we have just put it into action," he says. "But we haven't done anything destructive to the company — these flaws are very simple to fix."

In the long run, Lo believes that his work will strengthen quantum cryptography. "Each time we find a new loophole, it is fairly easy for companies to close them," he says. "But we've shown that all assumptions about security need to be carefully tested."

Nicolas Gisin, a physicist who is on the board of directors at IDQ, agrees that hackers at research institutes can play an important part in identifying unexpected flaws, which companies can then address before they can be exploited maliciously. "The success of [quantum cryptography] and of IDQ make it inevitable — and actually profitable — to see the emergence of a new community of quantum hackers," he says.