Quantum key distribution (QKD) has been touted as the ultimate solution for obtaining technological communications security. It can't secure people against their own foibles, but it is supposed to ensure that a network can securely distribute a series of one-time cyphers for later use in normal communications. Unfortunately, as demonstrated by a recent hack of a commercial QKD system, this might prove to be a pipe dream.

QKD obtains security by using the fundamental laws of quantum mechanics to determine that there is no third party (commonly called Eve) listening in on data transferred between two parties, usually referred to as Alice and Bob. The basic process involves Alice sending both herself and Bob a set of random numbers encoded in the quantum properties of light. Bob and Alice both measure these properties, obtaining two different strings of random numbers. Alice then tells Bob how she made her measurements, while Bob tells Alice how he made his measurements. They then look for coincidences where they both made the same measurement, and use those parts of the string to create a fully private key to encrypt their data.

If Eve should decide to try to listen in, she will, in some manner, make measurements as if she were Bob. In doing so, she alters the quantum properties of the data stream, and Bob, Alice, and Eve all end up with different strings. When Bob and Alice look for coincidences, they find fewer than expected and conclude that Eve is hanging about; they can then abandon the key and try again.

There are a number of ways to attack this system, but they are all pretty impractical, as they rely on making measurements we don't know how to make yet, or the possibility that Bob wouldn't notice that his detectors are all simultaneously clicking at a constant rate. The point is, theoretical attacks exist, but practical ones don't: QKD 1, real world 0.

The real point of weakness in a QKD system is the public communications that are required for Bob and Alice to tell each other how they made their measurements. In principle, you can learn nothing beyond the number of bits sent and which bit positions can be used to generate a secret key, unless two conditions are met: Eve must control the arrival time of the bits at Bob's detectors, and Bob's detectors must not be identical. The first condition is easily met if you insert switches and rolls of fiber optic cable and a few other optic devices to keep the optical pulse length right—actually, making it shorter is even better, and this is possible also. The second condition is always met. No two detectors are ever exactly identical.

The idea behind the detectors is that a sensitive material absorbs a photon and produces some electrons in response, giving Bob an electronic click. But not every photon will trigger a click, and the ratio of success to failure depends on the exact properties of the absorbing material. In this way, detectors are always different because, for instance, the exact level of impurity doping will be different. One consequence of this plays out in the detector's recovery time. After detecting a photon, the detector is rendered insensitive for a certain time, and that time will not be identical for both detectors. If Eve knows the exact mismatch of Bob's detectors, then she can insert an appropriate delay and know that there is a higher probability that a particular detector will click and can make an educated guess regarding the bit value it clicks with.

Eve faces a problem though: what delay is appropriate? She can figure that out by trying different delay values and listening to Alice and Bob's classical communications. As the ratios of ones and zeros change, she can figure out how long each detector takes to recover and what their detection efficiencies are for each delay. With this information, Eve can choose two delays that give the highest probability that Bob either gets a click on one detector or another. From Bob and Alice's communication, Eve might get the whole key, or at least enough of it so that a brute force attack can succeed.
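To put numbers on the detector mismatch described above, the following added example (not code from the paper or from any QKD vendor) computes how much of each key bit leaks for a given pair of detector efficiencies and checks the result with a small simulation. The efficiency values, the function names, and the assumption that the two delays are alternated at random are all constructed for illustration.

```python
import math
import random

# Constructed detector efficiencies (eta_det0, eta_det1) at the two delays;
# illustrative numbers, not measurements from the paper.
DELAYS = [(0.100, 0.025),   # delay A: detector 0 is four times more sensitive
          (0.025, 0.100)]   # delay B: detector 1 is four times more sensitive

def guess_probability(eta_favoured, eta_other):
    """Probability that a click at this delay came from the favoured detector."""
    return eta_favoured / (eta_favoured + eta_other)

def leaked_bits(p):
    """Information (bits) a guess that is right with probability p gives per key bit."""
    if p in (0.0, 1.0):
        return 1.0
    return 1.0 + p * math.log2(p) + (1 - p) * math.log2(1 - p)

def simulate(delays, pulses=200_000, seed=1):
    """Return (fraction of ones in Bob's clicks, fraction of clicks guessed right).

    Assumes matched bases and a delay picked uniformly at random per pulse."""
    rng = random.Random(seed)
    clicks = ones = hits = 0
    for _ in range(pulses):
        bit = rng.getrandbits(1)            # bit value decides which detector is hit
        eta = rng.choice(delays)            # efficiencies at the delay in force
        if rng.random() >= eta[bit]:        # no click: pulse is lost, nothing learned
            continue
        clicks += 1
        ones += bit
        hits += (bit == (0 if eta[0] >= eta[1] else 1))   # guess = favoured detector
    return ones / clicks, hits / clicks

if __name__ == "__main__":
    p = guess_probability(0.100, 0.025)
    print(f"guess probability {p:.2f}, leak {leaked_bits(p):.3f} bits per sifted bit")
    ones, acc = simulate(DELAYS)
    # The 0/1 balance stays near one half, so a bias check on the key alone
    # does not reveal the mismatch; the guess accuracy does not stay at one half.
    print(f"fraction of ones {ones:.3f}, guess accuracy {acc:.3f}")
    print("matched detectors:", simulate([(0.1, 0.1)]))
```

With identical detectors the guess accuracy falls back to one half and the leak to zero, which is why the size of the mismatch is the quantity a system designer has to measure and bound.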

The researchers themselves were quite surprised at how effective their attack was. The tone of their paper makes it clear that they expected to fail (in practical terms anyway). They make the point that the hypothetical Eve in security papers is usually far more powerful than their Eve, yet their Eve succeeds because one cannot build a system that is invulnerable. In fact, the detector mismatch problem will never go away, and the only thing device designers can do to minimize the chance of a successful attack against this weakness is to devise ever more complicated protocols.

Physical Review A, 2008, DOI: 10.1103/PhysRevA.78.042333