Foolproof Quantum Cryptography

Adding decoy photons to quantum-cryptographic signals should finally make them "unconditionally secure."

Researchers at Toshiba, in Cambridge, U.K., have found a way to plug a security hole that currently limits how far and how fast encryption keys can be distributed using existing quantum-cryptographic systems. The developments could broaden the commercial appeal of "unconditionally secure" quantum key distribution, says Andrew Shields, head of Quantum Information Group at Toshiba Research Europe, who led the research.

Danger in numbers: Making quantum encryption totally secure will require the use of single-photon pulses. Pictured is a new light-emitting diode capable of generating such pulses. Credit: Toshiba Research Europe Ltd.

Quantum cryptography is currently only used for sending encryption keys between buildings by some banks and government departments. But systems can only guarantee security over relatively short distances. The challenge is to extend the range and increase the speed at which the keys can be sent so that they can be used more widely, says Shields.

Current commercial quantum-cryptography systems are designed to enable two parties to exchange secret encryption keys without running the risk of them being intercepted. This is done by encoding the digital key information in bursts of light sent over standard optical fibers.

The 1s and 0s of these digital keys are encoded in time delays between pulses of individual photons. In theory, what makes this so secure is that any attempt by an eavesdropper to intercept the signal will necessarily involve removing individual photons from the signal--an act that can be detected.

In practice, however, this sort of unconditional security can only really be guaranteed if one's light source emits nothing but single photons. Since this is not the case in current quantum encryption, eavesdropping attacks are possible. In one strategy, an eavesdropper siphons off individual photons; this attack relies on the fact that some pulses will consist of more than one photon, meaning they won't be missed.

To get around this, existing commercial quantum-encryption systems use tricks to reduce the probability that pulses will contain multiple photons. For example, the systems might limit the intensity of each pulse and reduce the bit rate at which they are sent. However, the trade-off is that the weaker a pulse is, the less distance it can travel, while a slower bit rate will limit the speed at which keys can be distributed, says Shields.

Toshiba's solution is to include within the signal what Shields calls "decoy pulses." These pulses are randomly interspersed within the signal and are weaker than the rest of the signal. This means they rarely consist of more than one photon. If an eavesdropper tries blocking single photons while siphoning off multiple photons from the rest of the pulses, more of these decoy pulses will be blocked on average than will the rest of the signal. So by monitoring the proportion of signals to decoy pulses that make it through, it is possible to detect an attack.