By Zeeya Merali

Quantum cryptography isn't as invincible as many researchers thought: a commercial quantum key has been fully hacked for the first time.

In theory, quantum cryptography--the use of quantum systems to encrypt information securely--is perfectly secure. It exploits the fact that it is impossible to make measurements of a quantum system without disturbing it in some way. So, if two people--Alice and Bob, say--produce a shared quantum key to encode their messages, they can be safe in the knowledge that no third party can eavesdrop without introducing errors that will show up when they compare their keys, setting off warning bells.

In practice, however, no quantum cryptographic system is perfect and errors will creep in owing to mundane environmental noise. Quantum physicists have calculated that as long as the mismatch between Alice's and Bob's keys is below a threshold of 20 percent, then security has not been breached. Now, however, quantum physicist Hoi-Kwong Lo and his colleagues at the University of Toronto in Ontario, Canada, have hacked a commercial system released by ID Quantique (IDQ) in Geneva, Switzerland, while remaining below the 20 percent threshold.

"Even with a relatively simple attack, the hacker can get the complete key, and nobody would know anything about it," says Lo.

Lo's hack works by intercepting the bits that Alice sends to Bob while creating the key, and resending a slightly modified version to Bob. In standard quantum cryptographic techniques, Alice encodes each bit using the polarization of photons. When she sends these bits out, the polarization should be perfectly oriented in one of four directions, separated by 45 degrees (north, northeast, east or southeast).

In a perfect world, any hacking attempt would disturb a significant fraction of the bits' orientations, introducing errors just above the threshold. However, in practice, Alice cannot switch orientations for successive bits instantaneously--each time she wants to send a bit with a new orientation, she has to change the voltage applied to the photon to shift its orientation. This gives the hacker time to swoop in and hijack the bit before it is sent out to Bob, measure it, and then send it on its way again.

However, if the hacker simply sends the bit to Bob along one of the four orientations that Alice originally defined, the hacker's presence will be discovered because his measurements will introduce random errors into the system that exceed the 20 percent limit. But Lo's team has now demonstrated that if the hacker sneakily sends the bits along slightly different directions, the errors introduced by his interference will fall just under the 20 percent threshold at 19.7 percent.

Hack attack

"This is not the first time that researchers have claimed to hack quantum cryptographic systems, and it won't be the last," says Grégoire Ribordy, chief executive of IDQ. Lo's group performed a partial hack on the IDQ system in 2008, and other researchers have also demonstrated ways to hack quantum cryptographic systems.

However, Ribordy argues that Lo's hack does not threaten the security of IDQ's commercial product, which contains extra alarms above those included in the version that was sold to Lo's group a few years ago. For instance, the current commercial release aborts if errors exceed just 8 percent.

Ribordy also notes that an additional alarm would be triggered when the hacker joins the line, momentarily perturbing the system far beyond the 20 percent threshold. However, Lo argues that such a heavily alarmed system would be accidentally triggered too often to be practical. "Even a passing heavy truck would trigger a false alarm," he says.

Quantum hacker Vadim Makarov, at the Norwegian University of Science and Technology in Trondheim, agrees that the hack does not threaten IDQ's current security. As Lo and his team did not alert IDQ of the hack in advance, Makarov adds that Lo's team must be careful not to breach the hackers' unwritten code of ethics, which prescribes that hackers should alert the company to any flaws in its systems before making them public. "This prevents the bad guys out there from exploiting the published loophole before the vendor has a chance to patch it, or at least alert the users," he says.

Lo, however, does not agree that publishing his demonstration before contacting the company was unethical, because his group originally published the theory behind the hack in 2007. "People have known about this idea for a long time, we have just put it into action," he says. "But we haven't done anything destructive to the company--these flaws are very simple to fix."

In the long run, Lo believes that his work will strengthen quantum cryptography. "Each time we find a new loophole, it is fairly easy for companies to close them," he says. "But we've shown that all assumptions about security need to be carefully tested."

Nicolas Gisin, a physicist who is on the board of directors at IDQ, agrees that hackers at research institutes can play an important part in identifying unexpected flaws, which companies can then address before they can be exploited maliciously. "The success of [quantum cryptography] and of IDQ make it inevitable--and actually profitable--to see the emergence of a new community of quantum hackers," he says.