Is quantum cryptography reliable?

For thousands of years, the best minds of mankind invent ways to protect information from prying eyes, but every time there is a way to uncover the secret of the cipher and read the secret documents. The next holy grail of cryptographers of the whole world has become quantum cryptography, within which information is transmitted using photons. The fundamental properties of a photon as a quantum particle are such that the measurement of characteristics inevitably changes its state. In other words, it is impossible to secretly intercept information transmitted over a quantum channel, because it will change it. Or is it possible?

Principles of quantum cryptography

For the first time, the idea of ​​using quantum objects to protect information was expressed by Stephen Wiesner in 1970. He came up with the idea of ​​banknotes with quantum protection that cannot be faked. Much time has passed since then, but no one ever thought of a way to place quantum objects on bills, but the idea that Wizner shared with his former classmate Charles Bennett turned into an information protection method called quantum cryptography several years later.





Encryption with a one-time quantum cipher notepad



In 1984, Bennett, together with Gilles Brassard of the University of Montreal, finalized Wisner's idea for transmitting encrypted messages using quantum technologies. They suggested using quantum channels to exchange one-time encryption keys, and the length of such keys should be equal to the length of the message. This allows you to transfer encrypted data in a one-time cipher notebook mode. This encryption method provides a mathematically proven cryptographic strength, that is, it is resistant to cracking with unlimited computing capabilities of a cracker.

')

We decided to use a photon as a quantum particle for information transfer. It could be easily obtained using the existing equipment (lamps, lasers, etc.), and its parameters were quite measurable. But for the transfer of information, a coding method was required, allowing one to obtain zeros and ones.



Unlike conventional electronics, where zeros and ones are encoded in the form of different signal potentials or in the form of pulses of a certain direction, such coding is impossible in quantum systems. A photon parameter was required, which can be set when it is generated, and then measured with the necessary degree of confidence. This parameter turned out to be polarization.



Strongly simplifying, polarization can be considered as the orientation of a photon in space. A photon can be polarized at angles of 00, 450, 900, 1350. By measuring a photon, only two mutually perpendicular states or bases can be distinguished:

• “plus” basis - the photon is polarized vertically or horizontally;
• “cross” basis - photon is polarized at angles of 450 or 1350.

It is impossible to distinguish a horizontal photon from a photon polarized at an angle of 450.

These photon properties formed the basis of the BB84 quantum key distribution protocol, developed by Charles Bennett and Gilles Brassard. When applied, information is transmitted through polarized photons, the direction of polarization is used as a zero or one. The security of the system is guaranteed by the Heisenberg uncertainty principle , according to which two quantum values ​​cannot be simultaneously measured with the necessary accuracy: the more accurately one particle characteristic is measured, the less accurately the second one can be measured. Thus, if someone tries to intercept the key during its transfer, legitimate users will find out about it.



In 1991, Arthur Eckert developed the E91 algorithm , in which the quantum key distribution was performed using quantum entanglement, a phenomenon in which the quantum states of two or more photons are interdependent. Moreover, if one of the pair of related photons has a value of 0, then the second will definitely be equal to 1, and vice versa.



Let us understand how the encryption key is generated in a quantum cryptosystem. We assume that the sender of the name is Alice, the recipient is Bob, and Eve is trying to eavesdrop on their conversation.



In accordance with the BB84 protocol, the secret key is generated as follows:

1. Alice forms a random sequence of bits by encoding this information using the appropriate photon polarizations and transmits them to Bob using a randomly selected sequence of bases (cross or plus).
2. Bob randomly measures the state of each received photon, using a randomly selected basis.
3. For each photon, Bob reports to Alice through an open channel in which basis he measured the state of the photon, keeping the measurement result in secret.
4. Alice, through an open channel, tells Bob which measurements should be considered correct. These are the cases for which the bases of transmission and measurement coincided.
5. The result of measurements with matched bases is converted into bits, from which the key is formed.

If Eve tries to intercept the secret key, she will need to measure the polarization of the photons. Without knowing the correct basis for each measurement, Eve will receive incorrect data, and the photon polarization will change. Both Alice and Bob will immediately notice this mistake.



Since distortions in a quantum system can be introduced not only by a spy, but also by ordinary interferences, a method is needed to reliably identify errors. In 1991, Charles Bennett developed an algorithm for detecting distortions in data transmitted over a quantum channel . To check all the transmitted data is divided into the same blocks, then the sender and the receiver in different ways calculate the parity of these blocks and compare the results.

In real quantum cryptosystems, interaction between subscribers occurs over fiber; when light enters the fiber, polarization is irreversibly disrupted. Therefore, commercial installations, which we will discuss a little later, use other methods of coding bits.



For example, the company ID Quantique uses to encode the bits of the phase of light:

1. Bob generates a light pulse.
2. The impulse is divided into two separate impulses that are sent to Alice.
3. Alice randomly changes the phase of one of the received pulses using a delay, choosing one of the bases.
4. As in the case of polarization, two bases are used: the first with zero delay or with a delay of ½ wavelength, the second with delays of or ³ / 4 wavelength.
5. Alice returns pulses to Bob, who randomly selects a delay from the first or second basis and interferes with the pulses.
6. If Alice and Bob have chosen the same basis, the phases of the pulses will either completely coincide or be out of phase, providing 0 or 1 at the output.
7. If the bases are different, the measurement result will be correct in 50% of cases.

The system of quantum key distribution Cerberis QKD production ID Quantique. The maximum range of the quantum channel is 50 km, the transmission speed of the secret key is 1.4 kbit / s. Photo: ID Quantique.

Practical implementations

In 1989, Bennett and Brassard built an installation to test their concept at the IBM Research Center. The installation was a quantum channel, at one end of which was Alice’s transmitting apparatus, and Bob’s receiving apparatus at the other. The devices were placed on an optical bench with a length of about 1 m in an opaque casing with dimensions of 1.5 × 0.5 × 0.5 m. The system was controlled using a computer loaded with software representations of legal users and the attacker.



With the help of the installation we managed to find out that:

• reception and transmission of quantum information is quite possible even through the air channel;
• The main problem with increasing the distance between the receiver and transmitter is the preservation of the polarization of photons;
• the safety of the transmission secret depends on the intensity of the flashes of light that are used for transmission: weak flashes make it difficult to intercept but increase errors in the legal recipient, increasing the intensity of flashes allows you to intercept information by splitting the initial single photon into two.

Installation of Bennett and Brassard. Source: IBM Journal of Research and Development (Volume: 48, Issue: 1, Jan. 2004)



The success of the Bennett and Brassard experiment led other research teams to work on quantum cryptography. From the air channels switched to fiber-optic, which immediately increased the transmission distance: the Swiss company GAP-Optique implemented a quantum channel between Geneva and Nyon on the basis of a 23-km optical fiber laid along the bottom of the lake and generated a secret key, the error level of which did not exceed 1.4%.



In 2001, a laser LED was developed that allowed emitting single photons. This made it possible to transmit polarized photons to a greater distance and increase the transmission speed. During the experiment, the inventors of the new LED Andrew Shields and his colleagues from TREL and the University of Cambridge managed to transmit the key at a speed of 75 kbit / s, although more than half of the photons were lost during the transfer.



In 2003, Toshiba joined the research in the field of quantum cryptography. The company introduced the first system in October 2013, and in 2014 it was possible to achieve a stable transfer of quantum keys over standard optical fiber for 34 days. The maximum photon transmission distance without a repeater was 100 km. It was important to check the operation of the installation for a long time because the level of losses and interference in the channel could change under the influence of external conditions.

Problems of quantum cryptography

The limitations of the first implementations of quantum encryption systems were a small transmission distance and a very low speed :

• the length of the quantum channel in the Bennett-Brassard system was 32 cm, and the information transfer rate did not exceed 10 bit / s;
• The Swiss GAP-Optique quantum communication channel had a length of 23 km, but the data transfer speed was depressingly low - it was also about units of bits per second;
• shortly after GAP-Optique, Mitsubishi Electric set a new record for the quantum cryptosystem, transferring the quantum key to 87 km, albeit at a speed of one byte per second.

Distance limitations are due to the fact that photons simply do not survive over long distances due to thermal noise, loss, and optical fiber defects. A high level of interference causes the system to repeat the package many times to correct errors and agree on the final session key. This significantly slows down the transfer rate.



To solve this problem, quantum repeaters are being developed - devices that allow one to recover quantum information without violating its integrity. One of the ways to implement such repeaters is based on the effect of quantum entanglement. But the maximum distance at which it is possible to maintain the effect of entanglement, today is limited to 100 km. Further, all the same noise comes into play: the useful signal is simply lost in them. And unlike conventional electromagnetic signals, it is impossible to amplify or filter photons.



In 2002, an effect was discovered, which was called quantum catalysis. In an experiment conducted by a research group under the leadership of Alexander Lvovsky, it was possible to create conditions under which the entanglement of quantum states of light was restored. In fact, scientists have learned to "confuse" photons that have lost quantum confusion due to a long journey in optical fiber. This allows you to get a stable connection over long distances with a slight decrease in transmission speed.



Another problem with quantum cryptography is the need to create a direct connection between subscribers , because only this way of interaction allows you to organize a secure distribution of encryption keys. The cost of quantum systems today is tens and hundreds of thousands of dollars, so the developers of commercial solutions offer the technology of quantum key distribution as a service, because the optical channels are idle most of the time.



The session key in this case is formed of two parts: the first — the master key — is formed by the client using traditional cryptography, and the second — by the quantum — is generated by the system of quantum key distribution. The final key is obtained by the bitwise XOR operation of these two parts. Thus, even if hackers can intercept or hack the client's master key, the data will remain secure.

Quantum Cryptography Vulnerabilities

Although quantum key distribution is positioned as invulnerable to hacking, specific implementations of such systems allow for a successful attack and stealing a generated key.



We present some types of attacks on cryptosystems with quantum key distribution protocols. Some attacks are theoretical, others are quite successfully used in real life:

1. Attack with a beam splitter - consists in scanning and splitting pulses into two parts and analyzing each of the parts in one of two bases.
2. The Trojan Horse attack involves scanning a pulse through an optical multiplexer towards the sending side or the receiving side. The pulse is divided into two parts for synchronism of detection and is fed to the decoding scheme, while the distortion of the transmitted photons does not occur.
3. Coherent attacks that are based on retransmission tactics. The attacker intercepts the photons of the sender, measures their state, and then sends the pseudophoton to the recipient in the measured states.
4. Incoherent attacks in which the photons of the sender are intercepted and mixed up with a group of transmitted single photons. The group state is then measured and the changed data is sent to the recipient.
5. The avalanche photodetectors blinding attack developed by the research team of Vadim Makarov allows an attacker to obtain the secret key so that the recipient does not notice the fact of interception.
6. Attack with photon separation. It consists in the detection of more than one photon in a pulse, its lead and entanglement with the sample. The remaining unchanged part of the information is sent to the recipient, and the interceptor receives the exact value of the transmitted bit without introducing errors into the sifted key.
   
   
   
   
   
   Spectral attack. A source
   
   
7. Spectral attack. If photons are created by four different photodiodes, they have different spectral characteristics. An attacker can measure the color of a photon, not its polarization.
8. Attack to random numbers. If the sender uses a pseudo-random number generator, an attacker can use the same algorithm and get a real sequence of bits.

Let us examine, for example, the attack with the blinding of the recipient's detector , developed by Vadim Makarov with a group of colleagues from the Norwegian University of Natural and Technical Sciences. To get the key, the receiver's detector is blinded by a laser beam. At this time, the attacker intercepts the sender's signal. The blinded quantum detector of the recipient begins to work as a normal detector, producing "1" when exposed to a bright light pulse, regardless of the quantum properties of the pulse. As a result, the attacker, intercepting "1", can send a light pulse to the receiver's detector, and he will consider that he has received this signal from the sender. In other words, an attacker instead of a quantum one sends a classical signal to the recipient, which means that it has the ability to steal the information received from the sender without being noticed.



The Makarova group has demonstrated an attack on the quantum encryption systems manufactured by ID Quantique and MagiQ Technologies. For the preparation of a successful hack were used commercial copies of the systems. The development of the attack took two months.

The revealed vulnerability, despite its critical nature, does not refer to technology as such, but to the features of a specific implementation. The possibility of such an attack can be eliminated by installing a source of single photons in front of the recipient's detectors and including it at random times. This will ensure that the detector operates in a quantum mode and responds to individual photons.

How much does it cost, does it work in reality and who needs it?

When it comes to areas where true secrecy is required, little things like cost, distance limits and transfer speeds are not taken into account.

The demand for quantum cryptography in the military, government and financial sectors has led to the fact that research groups receive serious funding, and the industrial installations developed by them are not only sold, but are being put into real use.





The system of quantum key distribution. Source: Toshiba



The newest examples of commercial quantum cryptographic systems have a range of more than 1000 kilometers, which allows them to be used not only within one country, but also for the organization of secure communications at the interstate level.



The introduction of devices for quantum cryptography in mass production leads to cheaper. In addition, manufacturers are developing various solutions in order to increase the availability of quantum cryptography and reduce its cost per subscriber.



For example, the Toshiba quantum key distribution system allows connecting only two points at a distance of up to 100 km. But at the same time, the device allows simultaneous use of quantum cryptography to 64 subscribers.



Despite the limitations, quantum cryptography has an undoubted advantage over the traditional one, since it has proven cryptographic robustness. However, as practice shows, proven persistence is a property of theoretical models, concepts, but not concrete realizations. The developed methods of attacks on specific systems of quantum key distribution deprive quantum cryptography of this advantage, since no one can guarantee that the next quantum crypto noon will not be vulnerable to any attack on third-party channels.



On the other hand, quantum cryptosystems can generate a truly random private key. You can decrypt data encrypted on this key only if you guess the key. This allows you to protect information for many years, choosing a quantum key of sufficient length.



Some facts confirming the promise of quantum cryptography as a technology:

• China in 2017 launched the construction of an unbreakable communication network based on quantum cryptography. By July 2017, the network had more than 200 subscribers from military and government structures, as well as the financial and energy sector.
• On December 13, 2017, the Russian company InfoTeX introduced “ViPNet Quantum Phone” - a device that allows you to connect workstations with installed ViPNet software and encrypt traffic between them using quantum key distribution.
• In May 2018, in Russia, for the first time , successful tests were conducted of a system of quantum and cryptographic information protection on a high-speed communication line suitable for use in large data centers. The tests were carried out by the specialists of the S-Terra CSPP crypto equipment manufacturer and the Russian Quantum Center upon the request of Gazprombank.
• In September 2018, Toshiba demonstrated a working quantum cryptography system, which provided an average monthly transfer rate of quantum keys over a conventional optical fiber of 10.2 Mbps.

The operation of the Chinese quantum cryptosystem on the satellite Micius. Source: arXiv.org



In May 2018, Toshiba announced the invention of a new quantum key distribution protocol called the Twin-Field QKD (Quantum Key Distribution). The protocol allows you to transfer keys over distances of more than 1000 km without trusted relays or quantum repeaters. His test on the experimental setup is promised in 2019.



The rapid progress that has been observed in the field of quantum cryptography leaves no doubt that in the next decade the use of this technology will become widespread and will in fact turn into a standard. And cryptographers and cryptanalysts will have to prepare for the next round of the battle for the protection of information.



Perhaps the next invincible frontier will be cryptography based on lattice theory (Lattice-based Cryptography), which is invulnerable to quantum computers and can work successfully even on devices with weak processors. In any case, the variety of options for impenetrable protection information will benefit the end users.