Serious Flaw Emerges In Device-Independent Quantum Cryptography

The problem of sending messages securely has troubled humankind since the dawn of civilisation and probably before. 

In recent years, however, physicists have raised expectations that this problem has been solved by the invention of quantum key distribution. This exploits the strange quantum property of entanglement to guarantee the secrecy of a message.

Entanglement is so fragile that any eavesdropper cannot help but break it, revealing the ruse. So cryptographers can use it to send a secure key called a one time pad that can then be used to encrypt a message. If the key is intercepted, the sender simply sends another and repeats this until one gets through.

So-called quantum key distribution is unconditionally secure–it offers perfect secrecy guaranteed by the laws of physics.

Or at least that’s what everyone thought. More recently, various groups have begun to focus on a fly in the ointment: the practical implementation of this process. While quantum key distribution offers perfect security in practice, the devices used to send quantum messages are inevitably imperfect.

For example, lasers that are supposed to send one photon at a time can sometimes send several and this allows information to leak to an eavesdropper. 

Last year, we discussed another trick used by a group of quantum hackers to eavesdrop on a commercial quantum cryptography system. This system, although theoretically secure, turned out to be embarrassingly vulnerable in practice. 

That led quantum theorists to begin the search for a device-independent protocol that would be free of the practical imperfections of everyday equipment. Such a system would offer guaranteed security regardless of any weaknesses in the equipment it relies on.  

Today, however, Jonathan Barrett at the Royal Holloway, University of London, and a few pals reveal a problem that looks to scupper this work. The worrying implication of their discovery is that there is no known way to guarantee the security of data sent on any quantum cryptographic system including those that are commercially available today. 

Here’s the problem. Some groups claim to have made progress in developing  device-independent protocols but Barrett and co have found an issue that all others appear to have overlooked. These protocols all treat quantum cryptography as a single-shot process, as if the equipment is used only once. 

The question that Barrett and co consider is what tricks could a malicious manufacturer exploit in a device that is likely to be used more than ince. The answer is obvious: such a manufacturer could build in a memory that stores information before it is transmitted. This information would then be released when the device is reused.  

“In short, the problem is that an adversary can program devices to store data in one protocol and leak it in subsequent protocols, in ways that are hard or impossible to counter if the devices are reused,” say Barrett and co.   

This is a particular worry, they say, because there is no general technique for identifying security loopholes in standard cryptography devices.

Of course, there are a couple of simple ways round this new problem. The most obvious is to discard a quantum cryptography device after it has been used; to actually make the equipment single-use like a disposable camera. 

But Barrett and friends think this impractical: “While these attacks can be countered by not reusing devices, this solution is so costly that we query whether it is generally practical.”

Another is based on the fact that the security of message is guaranteed until the device is re-used. So quantum cryptography could still be used only for secrets that need to be kept only for a short period of time, until the equipment is re-used.

Neither of these is going to stop blood pressures rising at the various government and military organisations that have bet the farm on the guarantees that quantum cryptography was thought to provide. That’s not to mention the commercial organisations offering quantum cryptography such as ID Quantique.

There may be other ways round this problem that have yet to emerge. Indeed, Barrett and co’s ideas will be an important driver of future work. 

In the meantime, they conclude: “In our view, the attacks are generic and problematic enough to merit a serious reappraisal of the scope for device-independent quantum cryptography as a practical technology.”

That’ll mean more than few a few sleepless nights over this.

Ref: arxiv.org/abs/1201.4407: Prisoners Of Their Own Device: Trojan Attacks On Device-Independent Quantum Cryptography

Correction: 

The headline of this story was edited on 30 January to clarify the scope of the article, following a request from the authors that is reproduced below. 

Dear KFC,

Our attention was drawn to your post http://www.technologyreview.com/blog/arxiv/27522/ about our recent arXiv paper.  We are of course pleased that our work has received attention and has appeared on your site.  We appreciate that it’s difficult to summarize the content of technical papers while retaining a lively blog style, and we appreciate the obvious thought and effort that went into this article, which does a good job on many points.  However, we have to say that both the headline and the article inadvertently overstate the impact of our work and are likely to mislead readers.   

Our paper does not present any attacks on quantum cryptography in general.  We present cryptographic attacks specific to so-called device-independent quantum cryptography, a theoretical idea whose aim is to promise security without trusting anything at all about the quantum devices used in the protocol.    It might be reasonable to use the headline “Serious Flaw Emerges In Device-Independent Quantum Cryptography”, but to suggest that quantum cryptography in general has been revealed to be a flawed technology is simply incorrect.  If one is willing to trust and/or verify properties of the quantum devices used – as many users, in many scenarios, reasonably may - our attacks do not apply.   In particular, our attacks do not affect the security guarantees offered by commercially available quantum cryptosystems, which do not promise device-independent security.   Notwithstanding our work, quantum cryptography can still solve the problem of perfect secrecy in ways that are classically impossible, modulo some level of trust in the quantum devices.

We would not lightly request a revision, even if there were minor inaccuracies.  In this case, though, we fear there is a clear risk that much good theoretical and experimental work may be unfairly tarnished by the suggestion that all of quantum cryptography is flawed.  We would therefore be very grateful if you could update your article along the lines suggested above.  If it would be helpful, we would be more than happy to help revise the article.   

On a more minor point, we would note that (as is pretty standard in our field) the authors of the paper were listed alphabetically, with no intended implication as to seniority or level of contribution to the paper.   In the interests of fairness, we would prefer that all our names be listed, for example by replacing “Jonathan Barrett at the Royal Holloway, University of London, and a few pals” by “Jonathan Barrett, Roger Colbeck, and Adrian Kent”.  

With thanks for your time and trouble, and best wishes,

Jonathan Barrett
Roger Colbeck
Adrian Kent