Quantum key distribution in superposition of "insecure" and "unneeded"

[begood]

It's apparent that the physics lexicon has been dragged kicking and screaming out of the 19th century with a recent paper published in Nature Photonics titled "Hacking commercial quantum cryptography systems by tailored bright illumination." I never thought I would live to see the word "hacking" used in its proper context in a physics paper. But enough about physics lingo. What about the quantum encryption hacks alluded to by the title?

What we have is another paper demonstrating that the weak point of quantum encryption systems is the point where classical meets quantum. This is not the first hack of its kind, but, it is, in true hacker tradition, the first focused on a commercial system.

Quantum key distribution makes use of the laws of physics to provide a guaranteed level of security. Boiled down to its essential components, quantum systems must be measured to determine their state. In making the measurement, the system is forced into a certain state. An eavesdropper cannot listen in on a quantum communication without everyone else on the line knowing that someone is getting the goods on them. It's security heaven: the walls may have ears, but in the quantum world, they are fluorescent pink and scream I CAN HEAR YOU.

This vision of security nirvana breaks down when you consider that the act of measurement, at some point, involves taking a quantum property and making it classical. At that point, vulnerabilities creep into the system. In the work of Lydersen and coworkers, the point of attack is precisely that: the photodiodes used to detect light.

In quantum cryptographic systems, the quantum part is transferred in packets that consist of just a single photon. Photons, being kind of low on energy, are hard to detect, but there's a type of photodiode called an "avalanche photodiode" that is pretty good at it. In these photodiodes, a section of material has a voltage applied across it, giving it a large electric field. When the photon hits the photodiode, the material loses an electron. The field grabs hold of the electron and accelerates it, and, like every good drunk driver, the electron collides, freeing up more electrons. This sets off a chain reaction, where a single photon generates a large number of electrons that can be recorded as a click.

Avalanche photodiodes are not without their problems. Less than half of absorbed photons actually set off an avalanche, and, quite often, avalanches occur even when no photon is around to trigger them—these spurious clicks are called dark counts. Engineers get around the dark count problem by lowering the voltage and preventing avalanches until they expect a photon. There isn't much you can do about the detector not seeing every photon, except to know that the problem exists and keep sending photons until enough bits have been received. It is precisely these two properties that are used to listen in on quantum key distribution.

This is how the attack works. Eve—the eternal villain in security—gets in between Alice and Bob. Her first task is to get control over Bob's photodiodes. To do this, she sends a short light pulse along with a small amount of light that stays on all the time. The short pulse looks like a dark count and triggers the photodiode to switch the accelerating field off to stop the avalanche, while the continuous light field keeps the accelerating field off. Now Bob can't detect single photons, nor does he get dark counts, but, if a sufficiently intense light pulse hits his photodiodes, he will think he has seen a single photon. Eve is now ready to steal the key.

When Alice sends her single photons to Bob to create a private key, Eve imitates Bob and intercepts all of the photons. As she measures each photon, she resends the results of her measurement, not as a single photon, but as a bright light pulse. Bob, unaware of Eve, is randomly choosing from a set of measurements and then making that measurement on the light pulse. There are two possible choices here: he chooses the same measurement that Eve chose, or he chooses a different measurement.

If Bob chooses to make the same measurement as Eve, then Eve's light pulse ends up falling on a single photodetector, and, since it is bright, it makes that detector go click. If Bob chooses to make a different measurement, Eve's pulse gets split up so only half falls on each detector. The light is no longer bright enough to make either detector go click. The upshot is that Bob ends up with identical results to Eve, but half the measurements get thrown away, and Eve doesn't know which half.

You might think that would be a problem, but remember, the detectors don't always click anyway. Eve doesn't get every photon that Alice sends, and Bob doesn't get every bright pulse that Eve sends, but the whole system is rather inefficient anyway. Bob can never be absolutely sure how good his connection with Alice is, so Alice just keeps sending photons until Bob finally tells her to stop.

Every other step of the process is done in open classical communication, in which Eve can, well, eavesdrop on with ease. From Alice and Bob's open chatter, Eve can match her results with Bob's and from there it's game over. End result: Eve has an identical key to Bob and Alice.

So, how do you get around this? It's going to be difficult, because every solution involves interfering with the photodiode and making it less efficient. One could periodically divert the light to a non-amplified photodiode to check for the presence of a continuous light beam. Or one might be able to play with the amplification of the photodiode to try and distinguish a continuous light field from dark counts. But no matter what, it is pretty clear that quantum key distribution has only changed the playground, but not the game played between hackers and cryptographers.

Quantum key distribution in superposition of "insecure" and "unneeded"