Quantum key distribution is regularly touted as the encryption of the future. While the keys are exchanged on an insecure channel, the laws of physics provide a guarantee that two parties can exchange a secret key and know if they're being overheard. This unencrypted-but-secure form of key exchange circumvents one of the potential shortcomings of some forms of public key systems.

However, quantum key distribution (QKD) has one big downside: the two parties need to have a direct link to each other. So, for instance, banks in and around Geneva use dedicated fiber links to perform QKD, but they can only do this because the link distance is less than 100km. These fixed and short links are an expensive solution. A more flexible solution is required if QKD is going to be used for more general encryption purposes.

A group of Italian researchers have demonstrated the possibility of QKD via a satellite, which in principle (but not in practice) means that any two parties with a view of a satellite can exchange keys.

Why QKD?

We live in a world where quantum computing is looming as a viable tool, one that could make current means of encryption obsolete. More secure forms of cryptography are becoming increasingly important. Even now, researchers contemplate a world where various agencies store some intercepted encrypted communications under the assumption that one day they will have sufficient computational power to decode them.

Ars readers know that most security breaches are not due to a failure of encryption; rather they are enabled by poor security practices. However, I think it is fair to say that the exfiltrated data is more accessible due to poor encryption practices. And, once encrypted data has been exfiltrated, it simply awaits the requisite computational power to decode it.

This expectation—that encrypted data can be decrypted in the near future—comes from the fact that many cryptographic algorithms rely on an assumption of mathematical difficulty for their security. The validity of this assumption relies on some deep ideas about how mathematical problems can be solved.

Specifically, the mathematical assumptions that underlie public key exchange are under attack. The most commonly used algorithms are based on the computational complexity of finding prime factors of large numbers. But a quantum computer can solve this problem in far fewer steps than a classical computer. Indeed, the scaling of Shor's algorithm—this is the quantum version of an algorithm for finding prime factors—is so favorable that it is expected that a practical quantum computer will render all encryption methods based on prime factors useless.

This is one reason why QKD is so attractive for certain people: the keys are secret and are exchanged in a way that allows one to ensure that they cannot be intercepted during exchange. Thus, an attacker is always forced to guess the key (rather than use the public part of the key to compute the secret part of the key). Any brute force attack must be performed without even knowing the length of the key or how often a new key is used.

You might argue that an assumption of QKD is that the laws of physics are correct. Science makes a big deal about how we can only get an increasingly accurate approximation of the truth, so surely this assumption is as suspect as the mathematical ones made for classical cryptography? Well, no, not really. Even if we were to discover some deeper theory than quantum mechanics, that theory must still replicate all the experimental results of quantum theory, and this includes the ones on which QKD is based. So this assumption is a fairly safe one.



Exchanging quantum keys

Since I've written about QKD many times, I will take the liberty of quoting myself:

QKD is based on, essentially, the fact that once you measure the state of a photon, the photon is gone—you need to absorb the photon with a detector to measure its state. To take a particular example, we have Alice and Bob who want to communicate without letting the nefarious Eve into the picture. They begin by generating a secret key, through the laws of quantum physics, with which to encode their future communications.

Alice generates two lists of random ones and zeros. The first list contains bit values, and the second set is used to set the basis (think of this as the orientation of the measurement system) of a string of single photons. An important point is that these two basis sets are not orthogonal. So, for instance, a common example is to choose vertical and horizontal polarization for one basis and two diagonal polarizations for the second. Between the two values, the polarization of the photon is set into four possible states.

These single photons are sent to Bob, who will measure them. But, the quantum measurements don't allow you to ask a photon "What polarization are you?" Instead you end up asking questions like "Are you vertically or horizontally polarized?" So, Bob randomly chooses between the two basis sets. Sometimes he asks the photons which diagonal polarization they have and other times he asks them if they are vertically or horizontally polarized. Now, if Alice sends a vertically polarized photon to Bob who asks which diagonal polarization it has, the photon will end up randomly choosing 45 degrees or 135 degrees. However, if Alice chooses to send a horizontally polarized photon and Bob asks the photon if it is horizontally or vertically polarized, he will always get horizontally polarized.

The key point is that the measurement basis choice determines how the photon must be described. If Bob and Alice make the same choice, the photon is either in one or other state. If their choices are different, the photon, according to Bob, is in a superposition of two states. The upshot is that, in the first case, the measurement process is deterministic. Alice and Bob can know from their instrument settings exactly which of Bob's detectors must click. In the second case, however, the measurement process forces the photon to randomly choose from two states: neither Bob nor Alice can predict the outcome of the measurement. It is this uncertainty, and how intervening measurements by Eve modify that uncertainty, that give QKD its security.

After all the photons are sent, Bob has a string of random numbers, but he has no way of knowing which ones to choose to make up a key. To create a common secret key, Bob and Alice publicly announce their choice of basis set for each bit. But, the choice of which polarization is kept secret. Alice and Bob can look for the positions in the string where they made the same choices and choose those bits to generate the common key.

The next step is to reveal Eve. To do this, Alice announces a section of the secret key. How does this reveal Eve? Let's suppose that Eve is intercepting the photons. She randomly chooses a basis set and measures the photons, but Eve doesn't know which basis set Alice chose. When Eve tries to recreate the photon state that Alice sent, she gets it wrong half the time. So, instead of Alice and Bob finding that they get the same result all the time, the number drops to one half. Eve can, of course, be subtler and only intercept every second photon, bringing the statistic closer to full agreement. But, the fewer photons she intercepts, the less information she has.

When Alice and Bob compare statistics for the partial key, they not only know that Eve is there, but how much information Eve is getting. If Eve was not present, they can throw away the revealed section of key and continue to generate more key digits. However, even if Eve is listening in, they can determine if they wish to go on, based on knowing how much of the key Eve is intercepting.
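
The exchange described above, simulated as an added example (not code from the article or the paper): each photon is modelled as a bit plus a basis, and Eve, when present, measures in a randomly guessed basis and resends what she saw. The function names and the eve_fraction parameter are assumptions made for illustration; the run tallies how often Alice's and Bob's sifted bits disagree as Eve intercepts more photons.

```python
import random

def measure(bit, prep_basis, meas_basis, rng):
    """Matching bases give the prepared bit; mismatched bases give a coin flip."""
    return bit if prep_basis == meas_basis else rng.randrange(2)

def bb84(n_photons, eve_fraction=0.0, seed=None):
    """Simulate one exchange; return (sifted_bits, disagreement_rate).

    eve_fraction (assumed parameter) is the share of photons Eve intercepts.
    random.Random is used for a repeatable simulation, not as a key source.
    """
    rng = random.Random(seed)
    sifted = errors = 0
    for _ in range(n_photons):
        a_bit, a_basis = rng.randrange(2), rng.randrange(2)   # Alice's two lists
        bit, basis = a_bit, a_basis                           # photon in flight
        if rng.random() < eve_fraction:
            e_basis = rng.randrange(2)                        # Eve must guess
            bit = measure(bit, basis, e_basis, rng)
            basis = e_basis                                   # she resends her result
        b_basis = rng.randrange(2)                            # Bob's random choice
        b_bit = measure(bit, basis, b_basis, rng)
        if a_basis == b_basis:                                # public basis comparison
            sifted += 1
            errors += a_bit != b_bit
    return sifted, (errors / sifted if sifted else 0.0)

if __name__ == "__main__":
    for fraction in (0.0, 0.5, 1.0):
        kept, rate = bb84(20000, fraction, seed=1)
        print(f"Eve intercepts {fraction:.0%}: {kept} sifted bits, {rate:.1%} disagree")
```
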

In space, no one can hear your key exchange

In terms of technology, QKD is very close to being suitable for widespread use—though by "use" I mean communication between data centers, rather than for home use. The hurdle, as I stated in the introduction, is that the link must be directly between two parties, which limits us to about 100km via fiber.

There has, however, been a rather strong push to develop free-space QKD, and this has now gone critical with the tests that show QKD via satellite is possible. In order to do this, the researchers made use of laser ranging satellites, which have corner cube mirrors mounted on them. The corner cube mirrors are retro-reflectors, so any signal that arrives gets sent back in the direction that it came from. More importantly, corner cube reflectors normally preserve polarization, which is commonly used to carry data.

So, as long as the signal arrives at your detector, then you should be able to generate a key using lasers bounced off this satellite.

Getting a signal is, unfortunately, no easy task. First, you need a clock signal to tell you when to measure—the properties of the atmosphere and the relative motion between the sender, detector, and satellite mean that you can't rely on local timing. The clock takes the form of a powerful, let-me-fry-your-eyes laser, emitting 10 pulses per second. The actual qubits (quantum bits) are sent at 100 MHz, with every 105th pulse synchronized with the clock signal. These pulses are emitted and collected by a 1.5m telescope.

The researchers compared the polarization states they detected to the pulses of light they sent. They determined that the newer satellites did preserve polarization, while older satellites generated more errors, possibly because the coatings on the reflectors had been damaged over time (the older satellites are 15 to 20 years old). For the researchers, this showed that the error rate was low enough that a key could be shared via quantum states. But, at this point I was extremely skeptical.

QKD security is only guaranteed if the source emits single photons, since those get altered by any eavesdropping. But, in this system, the receiver gets single photons, while each pulse contains 1.3 billion photons when it exits the telescope. You would think that this renders the result useless. An eavesdropper can, by tapping a tiny fraction of the signal emitted from the telescope, obtain every bit sent without the knowledge of either sender or receiver.

The standard QKD protocol involves revealing how each measurement was performed. While only the sender knows which polarization state was sent, everyone (including an eavesdropper) knows how the measurement was performed. If only the sender and receiver know the results of the measurements, the key is secure.

It is the first and last bit of hidden knowledge—the bits sent and the measurement results—that keeps the key secret. On the face of it, in this scheme, anyone can know what polarization state was sent if they can simply snag one of those 1.3 billion photons. Everyone knows how the measurement was performed; therefore, everyone knows what the measurement results were. No secrets are kept in this situation.

However, the researchers realize this and have an alternative protocol. In their approach, the satellite would contain optics that would modify the polarization of the light at the satellite. Since the reflected signal is at the single photon level, interception after this point is detectable. Therefore, all is well, right?

The key is to make sure that the polarization state sent to the satellite does not reveal the polarization state reflected from the satellite. This can be done by sending pulses of light that are circularly polarized. This can be filtered to two pairs of linearly polarized states at the satellite (under the control of the sender). Now, the sender knows which states were sent, everyone knows how the measurements were performed, and only the sender and receiver know the results of the measurements. This meets the requirements for QKD, but only under the condition that the control signal sent to the satellite remains secure.

This latter point seems like a pretty serious weakness. A solution might be to have two identical pseudorandom number generators and initiate both with the same seed at the beginning of the key generation process. But you really need to ensure that the random number generator is protected or that the seed is truly obfuscated.
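
One way the shared-seed idea could look, as an added example that is not from the article or the paper: sender and satellite each derive the per-pulse state selection from the same secret seed, so no control signal has to cross the uplink. It swaps in HMAC-SHA256 in counter mode as the generator; the function names, the session label and the H/V/D/A state labels are assumptions, and the seeds are constructed sample values.

```python
import hashlib
import hmac

# Assumed labels for the two pairs of linear polarization states.
STATES = ("H", "V", "D", "A")

def control_stream(seed: bytes, session: bytes, n_pulses: int):
    """Derive one state selection per pulse from a secret seed.

    HMAC-SHA256 over (session label + counter); every output byte is split
    into four 2-bit selections. Anyone holding the seed can rebuild the
    stream, so the scheme is only as secret as the seed.
    """
    out = []
    counter = 0
    while len(out) < n_pulses:
        msg = session + counter.to_bytes(8, "big")
        block = hmac.new(seed, msg, hashlib.sha256).digest()
        for byte in block:
            for shift in (6, 4, 2, 0):
                out.append(STATES[(byte >> shift) & 3])
        counter += 1
    return out[:n_pulses]

def agreement(a, b):
    """Fraction of pulses on which two streams select the same state."""
    return sum(x == y for x, y in zip(a, b)) / len(a)

if __name__ == "__main__":
    seed = bytes.fromhex("01" * 32)            # constructed sample seed
    ground = control_stream(seed, b"pass-1", 10000)
    satellite = control_stream(seed, b"pass-1", 10000)
    guess = control_stream(bytes.fromhex("02" * 32), b"pass-1", 10000)
    print("same seed:", agreement(ground, satellite))
    print("wrong seed:", agreement(ground, guess))   # near chance (1 in 4)
```

A general-purpose generator such as Python's random module would not fit here, because its internal state can be recovered from observed outputs.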

I guess that what this paper demonstrates is that the single photon states behind QKD are certainly preserved on reflection from a satellite and that this opens up the possibility of having non-fixed links between parties that need to share keys. But we can't use this technique with existing satellites, and there are some very practical problems associated with controlling the satellites in a secret manner that remain unsolved.

Physical Review Letters, 2015, DOI: 10.1103/PhysRevLett.115.040502