# Quantum crypto boffins in successful backdoor sniff

Computer scientists have pulled off what is claimed to be the first successful attack against a commercial system based on theoretically uncrackable quantum cryptography. Quantum key exchange, which forms the basis of quantum cryptography, relies on a principle of quantum physics that means it is not possible to eavesdrop on …

#### Or...

They could just send an email to the recipient saying -

"BIG TITS CHECK OUT THIS!!!!!! (see attachment .exe)"

Cyrpto problem solved.

#### Bah!

But..it has Teh Quantums in it. Doesn't that make it all Star Trekky and unbreakable? Perhaps these scientists "accidentally" turned Teh Quantums off before they did their attack?

#### Obviously I'm no quantum physicist..

because I really don't understand what prevents it from being intercepted...

Surely if you can read a quanta, and create an equivalent quanta (which has to be possible because otherwise the originals couldn't be created), then you can intercept all quanta, recreate them and send them on their way... essentially a quantum man in the middle attack.

Any Quantum Physicists care to explain in layman's terms how / why this isn't possible?

#### It's down to something called 'entanglement'

Which is a quantum phenomenon where two photons are magically tied together, so that anything you do to one of them affects the other.* If you snaggle one of these photons, you can't just replace it with another, because mesauring the original photon would affect its entangled partner, and the replacement photon would not be entangled. The receiver would then know that that particular photon had be 'compromised', as it were...

* Horribly simplified version, obviously.

#### It's Somewhat Uncertain

Well there are two variants on quantum key distribution. One uses entanglement as mentioned - but I don't think any of the commercial offerings use this technique. A more straightforward technique is to (effectively) exploit the uncertainty principle to provide the security.

Basically in quantum mechanics it is not possible to measure certain quantities with arbitrary precision. So, for example, it is not possible **in principle** to measure both the position and speed (actually the momentum) with arbitrary precision. If we do an experiment to find out how fast a particle is moving - then we lose some information about where the particle is. And vice versa. The actual limit is given by the uncertainty principle.

The idea behind QKD is to think of these properties as different coding schemes. So sometimes we encode the information as a 'position' and sometimes we encode the information as a 'speed'.

An adversary trying to measure this would have to make some choice about what to measure - position or speed - the adversary cannot measure both properly. If the adversary gets it wrong then this act of measurement destroys the information that is coded on the other property.

As you rightly say the man in the middle attack would work as you suggest IF we could copy these quanta. However the ability to accurately copy these quanta is impossible in QM (it's something called the no-cloning theorem). We can think of this as a kind of consequence of the uncertainty principle. In QM the object is described by a wavefunction which contains the knowledge of the object's properties - if we could recreate this then we'd have a way of being able to measure all of the system properties including those that are subject to an uncertainty relation - which cannot be done.

So Alice and Bob arrange it so that a random coding is applied for each transmitted quanta. The adversary or eavesdropper Eve does not know what coding scheme (position or speed) has been applied for any given quanta - so sometimes Eve will guess wrong and disrupt the information encoded on the correct property. This leads to an unavoidable error rate that can be detected.

But practical systems live in the real world and there are all sorts of noise mechanisms - and so classical techniques are employed to do the error correction. These can be done securely at the expense of some of the transmitted quantum key material. This attack has exploited a weakness in the implementation of these - it hasn't upset the quantum apple cart.

Entanglement uses another property of QM - that of correlation. The idea is that two correlated particles are created and one is sent Alice and one to Bob. Alice and Bob can perform measurements on their particles and show that they violate Bell's inequality - this is a quantum mechanical property. A classical system would satisfy this inequality. Basically it's showing that there are no 'hidden variables' in quantum mechanics - these hidden variables, inaccessible to experiment, give a more complete or definite picture than the wavefunction.

In an entangled QKD system the eavesdropper when making a measurement effectively acts as a hidden variable by forcing the system to be in a certain state. The transmitted particles will no longer violate Bell's inequality and so the eavesdropping can be detected.

Hope that helps.

#### Nice explanation

However, I feel compelled to point out that with photons, there is no uncertainty between position and speed. Photons *always* travel at the speed of light in a vacuum (when travelling through anything else, they are statistically 'slowed' by being absorbed and readmitted by intervening atoms, but still travel at c between them). As I understand it, since photons always travel at a known speed, their position cannot be known until they interact with some physical matter (e.g. the back of your eye) and give up their energy. At this point, their position can be known precisely, but they have *no* speed (the 'uncertainty' element that actually comes into play here is that the time at which this interaction occurs cannot be co-measured with the position with perfect precision).

The most common method of quantum cryptography exploits the 'no cloning' theory which you mention above. A secret key is generated as follows:

Alice generates a random sequence of 1s and zeroes. These are encoded in the polarisation of the photons, with one state corresponding to horizontal polarisation, and one as vertical.

For example, 10111100010 would be encoded as -|----|||-|.

The clever bit is then that Alice randomly rotates half of these through 45 degrees, e.g. -/\--\|/|-/

When bob measures the photons, he randomly measures half of the bits with a 45 degree bias. Only the bits which are generated and measured with the same bias remain, Bob informs Alice of which photons he measured, but not the values. Both parties then know the exact state of half the photons, which are used as teh cryptographic key.

Any observer in the middle would affect the polarisation of the photons by measuring them, and also introduce a delay if they attempted to recreate the photons with the same polarisation. This alerts Alice and Bob, who would discard the values encoded in those photons, and send new ones.

A good explanation of this is here: http://en.wikipedia.org/wiki/Quantum_cryptography

And the mathematical basis for it here: http://en.wikipedia.org/wiki/BB84

#### Quantum Jiggery

Thanks for the kind words Ed.

You are right - I was using the position/momentum uncertainty relation by way of explanation. The quantum property that is being exploited is that of complementarity. Position and momentum are complementary variables in that the quantum operators do not commute which leads directly to an uncertainty relation between them. In the case of a photon we can use phase or polarisation.

The standard implementation uses a long time division interferometer to create different path lengths and a phase modulator to establish the coding and measurement bases. It's a bit easier to work with phase than polarisation.

Essentially the key property is that two different, complementary or non-commuting, operators are employed to establish (at least) two different coding schemes. The coding scheme for each transmitted bit is chosen at random - as is the measurement basis. The measurement basis determines the 'read' code.

Now quantum mechanics ensures that a measurement in the wrong coding basis will scramble the information in the other correct coding scheme. The randomness of the choice ensures that an eavesdropper is forced to create an unavoidable error rate. The eavesdropper has no idea whether a measurement is wrong or right and the measurement irreversably projects the state onto the eigenbasis of the measured observable.

The key is only established from the photons that are received - and with Alice and Bob choosing their transmit and receive coding schemes at random this means that 1/2 of the data (on average) is potentially corrupted. It also means that the eavesdropper has to be active - a photon that never gets to Bob never forms part of the eventual key. An eavesdropper must do some kind of intercept re-send strategy in order to have a chance of getting information about the key.

Each transmission requires 2 bits of information - the coded bit and the coding scheme. After the transmission Alice and Bob compare for each time slot their send and receive coding schemes. The data in which they chose different schemes is discarded. The remaining 50% of the data should be in agreement. This procedure gives away 1 of the bits per transmission - but the actual value of the transmitted bit is not revealed. They then take a random sample of the non-rejected data which should agree and compare the actual bit value that has been transmitted and received. If there has been an eavesdropper there will be an error rate.

If this error rate is below a certain level then the data can be corrected. What Alice and Bob now have is a smaller set that they agree on but which is now only partially secret. They then have to distil a much more secure smaller secret from this using a classical technique of privacy amplification.

The operating error rate is obtained by assuming the most general measurement that can be performed by an eavesdropper consistent with the laws of quantum mechanics. These are Quantum Non-Demolition measurements (QND) and they are the most general measurements that can be performed - at least in theory because many such schemes are infeasible using current technology. It can be shown that with such error rates and with a BB84 protocol the minimum error rate that an eavesdropper can cause consistent with the laws of quantum mechanics is around 11% (if she were to measure every transmitted bit).

As with so many security systems it is the implementation that is flawed rather than the general principles. So even one time pads can be broken with a flawed key management implementation. The same is true here of the QKD implementation.

#### Sorry but fail to see how this is a big achievement...

They've managed to get less then 20% of a message without setting off alarm bells. Sorry but that doesnt seem like a huge achievement. With less then 20% your not going to be able to decipher what the original message was.

If they had managed to intercept 20% of the message without any error messages being received at all then thats somethiing to crow about, but this - meh! It just says we need to reduce the allowable error percentage. Problem solved.

#### A Question.

QKE relies on the fact that the state of a particle changes if someone looks at it.

What happens if, rather than just examining the data stream, I intercepted the data stream? At that point I know the quantum key (and the intended recipient does not). I can now reconstruct the QK and send a good copy to the victim as easily as the original sender did to me.

At this point all three of us know the key and can read any subsequent data.

So; what is wrong with this method?

Nick.

#### IANAQP

If you intercept the data stream, it gets modified.

(I am not a quantum physicist) but one of the bits that I think I do vaguely understand is that you cannot reconstruct the key without observing what it currently is - and by doing that, you change parts of it. Your reconstruction thus has a percentage of errors and if this percentage of errors is above what might be caused by signal losses etc, the victim should be able to work out that it's been intercepted.

The bit I don't currently understand is how Bob's key sent to Bill can be used by Bill without Bill's observance of the key causing errors. For now, that may just have to stay a mindf*ck.

#### This is how it works

The reason why QKD works is because of the peculiar quantum rules for measurements.

Quantum states work like vectors and we can create superpositions of them. The basis states are actually associated with observables. Let's suppose we have an observable A and an observable B. Now let's suppose a measurement of A will yield two values a1 and a2 - this is the case for polarisation - and that the measurement of B yields two values b1 and b2.

The superposition means that we can write a state a1 as an addition of the states b1 and b2.

Thus a1 = b1 + b2

Now here's where the weird quantum rules come in. Suppose we prepare a state a1. If we measure the observable A we will find the state a1 with 100% probability. The state will be undisturbed.

However if we measure B then the quantum rules tell us that we get the result b1 with 50% probability and the result b2 with 50% probability. Furthermore, if we obtain the result b1 the system has been projected into the state associated with b1.

Now if we think of A and B as two coding schemes where a1 = 1 and a2 = 0 and b1 = 1 and b2 = 0 for example then we can see how we can use the quantum rules to give us a QKD system.

For each transmission we randomly choose whether to use the A or B coding scheme and we also randomly choose whether we will transmit a 1 or 0. Thus we end up with a list of transmitted data - an example is given below.

time slot 1 : state a1, bit value 1, coding scheme A

time slot 2 : state b2, bit value 0, coding scheme B

time slot 3 : state b2, bit value 0, coding scheme B

time slot 4 : state b1, bit value 1, coding scheme B

Now at the other end the receiver does not know which coding scheme has been chosen for each time slot and so must guess. If the coding scheme is guessed correctly then the laws of quantum mechanics mean that the transmitted bit value will be read correctly with 100% probability.

What happens when the receiver gets it wrong? Let's look at time slot 1 and suppose the receiver guesses that a B coding has been used. The laws of quantum mechanics tell us that the result of this measurement will be b1 or b2 with 50% probability of each. Thus half of the time the incorrect bit value will be read.

So in order to get consistent data the sender and receiver select all those instances where they used the same coding scheme and throw away all of the rest of the data. They can do this by revealing the coding scheme they used, but they do not reveal the actual bit that was transmitted/received. The actual bit values where the same coding scheme was chosen can be used to form a key - provided there has been no attempt at eavesdropping - but how do we know? Well the laws of quantum mechanics mean that we can tell.

If there is an eavesdropper we might have the situation

transmit A -> eavesdrop B -> receive A

The eavesdropper guesses the coding scheme wrongly - now the laws of QM tell us that there is a 50% chance each of getting the result b1 or b2. This projects the state into b1 or b2 depending on the actual result. So the eavesdropper who has no way of knowing whether this is correct or incorrect transmits the state she has measured. Now the state that arrives at the receiver is now a B state instead of an A state. Let's suppose it was b1

To the receiver's device, set to measure an A coding, this looks like b1 = a1 + a2 by the superposition rule. So the receiver has a 50% chance of getting the result right - even though he is measuring in the same coding scheme that the transmission used. This leads to an error rate in this data which can be detected.

The simple intercept strategy outlined here leads to an error rate caused by an eavesdropper of 25% if she measures and re-sends every photon.