back to article Quantum crypto felled by 'Perfect Eavesdropper' exploit

Researchers have devised a technique for eavesdropping on communications secured through quantum cryptography that allows an attacker to surreptitiously construct the secret key encrypting the secret content. The so-called Perfect Eavesdropper uses off-the-shelf hardware to defeat a key benefit of the alternative crypto system …


This topic is closed for new posts.
  1. Gordon Barret

    Message Intercepted

    Erm, is it just me, but I thought that the whole point of quantum cryptography was that when sending a message from a transmitter to a receiver, the receiver measures the properties of the single photons it receives and would know if the message had been intercepted.

    So, if someone intercepted the single photon and instead substituted a "blinding" amount of photons then the receiver would then detect quite a big difference from what it was expecting and hence know that the message had been intercepted?

    Presumably they would then do something else like say "Help, the message has been intercepted, we need a new key now!".

    Too obvious?

    1. Eddy Ito

      But it's dumb

      It's just a receiver and as a result doesn't know the first "photon ack" sent wasn't a a flood of light and assumes it's speaking to a 14 yr old so when it sends its flooded "syn" back, the originator says ok, granny's hearing aid is out so I'll have to dumb it down and talk loud. At least that's how I read it.

      1. Joefish

        It's dumb alright,

        to have an insecure fall-back that (a) lets in any old rubbish and (b) doesn't even let you know when it's kicked in.

  2. bazza Silver badge

    Dead in the water

    So it seems that the limit on the security of quantum cryptography is nothing to do the entanglement of photons, but is wholly dependent on the electronic behaviour of the detectors used to test the integrity of that entanglement. This trick has been possible because of a loop hole that no-one had spotted previously. Ok, so they'll plug this loop hole, but who says' there won't be more? That sounds like something that you can never be completely sure about.

    So what exactly is the point of quantum cryptography then?

  3. nyelvmark

    The problem with quantum keys that you can never be entirely sure where they are. Or if you are sure, then you have no idea where they're going.

    This is a particular* problem if you need the key to open the box to find out whether the cat needs feeding.

    *or maybe wavicular.

    1. Stoneshop Silver badge

      Nothing new

      "The problem with quantum keys is that you can never be entirely sure where they are. "

      Oh, just like my girlfriend's house and car keys then.

      1. Anonymous Coward

        She loses her house?

        Sorry, couldn't resist!

        Although very soon after we moved into a new house, my then girlfriend phoned me at work asking for directions home after a trip on foot to the local shops!

  4. Anonymous Coward

    Use Picture Cryptography instead.

    Why not use photos instead of photons. Hide the keys in a password protected rar file imbedded in a typical photo that can retrieved from a random web site. A mobile phone on both ends can retrieve the unknown photo.

    1. Anonymous Coward
      Anonymous Coward

      Key exchange?

      Ok, done that.

      So how do I communicate the identity of the secret website and the password on the file to you?

    2. Anonymous Coward
      Anonymous Coward

      Key exchange?

      You saw what you thought was a possible solution and went for it. I can't fault anyone who has a go but I'm not sure you get the concept of key exchange.

      Your trick introduces two keys: the identity of the "random" website and the password on the protected file. If I said that I have send you a message hidden a password protected file in a photo on a random website, how would you read that message? You can't unless I send you the password and website details. Key exchange is the art of sending those pieces of information to you.

    3. It wasnt me
      Thumb Down

      @Use picture cryptography instead.

      Yeah, brilliant. Been around for years, never seriously adopted as there is absolutely nothing theoretically uncrackable about it. You are suggesting abandoning cutting edge research and replacing it with tried and failed rubbish, with a bit of security through obscurity thrown in instead. Great.

      Have I just fed a troll?

  5. Remy Redert

    re: Dead in the water

    Do you think any other encryption was different in its beginning implementations? Of course not. We're still finding implementation flaws from time to time in every modern encryption scheme.

    And then we plug them and we keep looking for more of them, in the hope that we can find them and plug them before someone malicious manages to find one and abuse it. This particular one sounds like an implementation flaw that really should never have happened. The detector should never fall over to normal measurements during the key transmission sequence.

    1. bazza Silver badge

      @Remy Redert re:Dead in the water

      Of course other encryption systems suffer from early problems, but you're missing my point.

      The strengths and weaknesses of systems like DES and AES can be determined purely analytically, and their implementations are open to truly large scale testing and examination by anyone with the urge to download the spec and look at the source code. Whatever the weaknesses in the algorithms are, we can point to them and say definitively what they are, how hard they are to exploit, etc. Anyone can look at one aspect of an algorithm and say things like "you'd have to find the prime factors of that number there" and know that that would be a complete and definitive statement on the merits of that part of the algorithm. One can then objectively assess how hard it would be to perform said feat, keep an eye out for papers with titles like "prime factor finding" and generally be comfortable. And the same goes for implementations. This is because things like DES, AES, etc. are entirely logical systems that operate in rule sets created by man with no physical influences.

      The problem with quantum cryptography is that the security of a key transfer relies entirely on the behaviour of physical processes, namely the quantum entanglement itself as well as the single photon sources and detectors. Knowing whether or not we have a complete understanding of these physical processes is much harder to be sure about. Mankind has been constantly revising its opinions of nature for millennia, and I don't suppose we're going to stop doing that anytime soon.

      So far the problems that have been encountered with quantum cryptography are related to the physical properties of the detectors and photon generators (it turned out that single photons weren't always on their own...). No great surprises there - matter does not always behave as we tell it to! This latest problem is just another instance of our misunderstanding the physical properties of one electro-optic component in the system. I doubt that one can ever prove analytically that the components are designed and implemented correctly. All one can ever say is that N tests have shown them to work properly, but N can never be a truly large number. And should one test each and every photon detector, or just a sample of the production run?

      But what about entanglement itself, and the impossibility of messing with it? There's several bunches of physicists who are questioning whether this is in fact correct or not. It looks like the rule that you can't measure the state of an entangled photon without effecting the state is more of an assumption than a proven fact. It's easy to say that it is hard to make such measurements, but to the best of my knowledge no one has quite yet been able to completely rule it out. Some very elegant experiments are being planned by academics to explore this. Some have already been done with electrons which showed that you can 'sniff'' their quantum state, repair the damage done to the state, repeat until you know everything. Not good news so far, except that quantum cryptography uses photons.

      My point is that all an experimentalist can say is that their particular experimental design could or could not measure states without disturbing them, but that say's nothing about someone else's experiment. Saying "I can't do it" doesn't prove that no one else can. Yet for quantum cryptography to be guaranteed you have to prove the rule. As I said above some results are already known for experiements with electrons which would suggest the issue is more one of experimental design, not hard physical facts. So where would quantum cryptography be if someone successfully designed and performed the right experiment? It is not guaranteed that they won't be able to do so. Certainly, if some one *does* manage to do it (which would be impressive because it would mean our quantum model of the world is wrong, Nobel prize in the post) quantum cryptography would be finished.

      And it's worth pointing out that quantum cryptography is in fact ordinary symmetric cryptography that relies on a physical trick to securely exchange the key. That still doesn't stop someone getting the design and implementation of the actual encryption/decryption algorithm wrong.

      1. eBusiness

        Have solution - need problem

        The really funny thing about quantum "cryptography" is that a traditional symmetric cipher does the same job. On top of that the quantum thing requires a dedicated end-to-end fibre, making it expensive and inflexible. For a cipher all you have to do is exchange a key once (the systems can then renegotiate that key periodically so that knowing the original key won't be sufficient for an attack).

        One just have to stay away from the minimalist design cipher systems. You don't want a system that use the least possible amount of CPU time per bit transferred, as such a system will invariably be based on what you could call a mathematical single point of failure. (Unfortunately the minimalist systems are quite popular, since: Oh no, we would have to put a $8 CPU instead of a $5 CPU in our wireless router if it has to run a heavy encryption algorithm.)

        1. Anonymous Coward
          Anonymous Coward

          silly me.

          You just answerd the question I asked of the poster directly above....


      2. Anonymous Coward
        Anonymous Coward

        ... but you're wrong ...

        Most of the attacks against known algorithms also exploit physical phenomena; no one goes after the pure maths it's too bloody hard most of the time.

        Most attacks against existing "conventional" algorithms use timing behaviour, em emissions from smartcards, cache timing exploits. i.e. very little is about the boffins who developed the maths once that's been thrashed out, but the poor bloody engineers who implement the thing.

        If you want security with any scheme it's all about the implementation quality; without knowing the details this one just sounds like a shoddy implementation.

        1. bazza Silver badge

          @Pete H, not really

          Your arguement applies to instances where an attacker has physical access to one or other end of the communication link. Sure, if someone is in a position to do a power analysis on the encrypting device there's potentially a physical weakness to be exploited. However, the discussion so far has really been about intercepting the communications link between the two ends and whether or not there is an exploitable physical weakness. With purely logical algorithms like AES the intercepted signal is solely noughts and ones, so there is nothing to exploit beyond weakness in the maths. As you say that is a bloody hard job these days. But quantum cryptography extends the physical weaknesses to all aspects of the encryption system - both ends *and* the communication link. Not a very desirable move perhaps?

      3. Anonymous Coward

        forgive me for being obtuse.

        But didn't you just say that the two devices have to be directly connected? And by directly connected I mean no inline repeater (like are used on undersea fiber cables.) Or have I missed the point completely?

      4. Destroy All Monsters Silver badge

        "The problem with quantum cryptography is that the security of a key transfer relies entirely on the behaviour of physical processes, namely the quantum entanglement itself as well as the single photon sources and detectors. Knowing whether or not we have a complete understanding of these physical processes is much harder to be sure about."

        It's far more likely that factoring turns out to be in P than that QM falls over, really.

        1. bazza Silver badge

          @Destroy All Monsters: Are you sure?

          "It's far more likely that factoring turns out to be in P than that QM falls over, really."

          Are you really really sure?

          Firstly, as Ken Hagan said elsewhere the only 'quantum' part of quantum cryptography is the detectors. But the as the original article indicated these were prone in this particular case to incorrect operation in the face of relatively simple attacks. That is nothing to do with whether or not quantum mechanics is valid. It is merely our inability to reliably measure quantum states in the face of a simple attack.

          Secondly, whilst quantum mechanics has indeed shown to be a theory well matched to physical observations, it is still a theory. Richard Feynman had a good few things to say about theories, and he should know. Seek out the videos of his lectures on quantum electrodynamics that he gave in New Zealand, they're very good and I think they're still freely streamable. And indeed the semiconductor junctions on which we all now depend are devices exploiting quantum effects. But my point is that quantum mechanics is just a theory, no more, albeit one that seems to work very well.

          Although qm is pretty good, it is reasonable to suggest that it may not be completely correct. Firstly, I don't think anyone has managed to make qm and relativity fit together. Both have a wealth of experimental data to suggest that they're along the right lines but they remain theoretically un-united. So *something* is wrong somewhere. One of those 'somethings' is the behaviour of Pioneer 10 which isn't quite where it ought to be according to both Newton's and Einstein's theories of gravity which otherwise seem to work quite well in keeping the planets in the right places. Nor are galaxies quite the right shape. And does a quantum state change instantaneously or over a finite period of time when an observation is made? It's quite an important question to qkd. But some of the experiments I've read about are hinting that the answer is the latter not the former, suggesting that there may be a hole in the basic premise of qkd.

          So knowing that something is wrong somewhere in the theoritical models of why stuff happens, would you ever base the security of your system on it? The *only* assurance we have that it is correct is in effect a bunch of scientists saying "it looks OK to me". Whereas logical encryption algorithms like AES, DES, etc. all exist within the rules of mathematics which are much better understood, because mankind made up the rules.

          As Pete H pointed out they are still vulnerable in their actual physical implementations, but provided the logical implementation is correct and an attacker is unable to get physical access to either end then their strengths and weaknesses are deterministic solely within the mathematical framework in which they are defined. It could be that we don't understand the maths right. But that's a much more straightforward thing to worry about than being totally certain that we understand the physics.

        2. bazza Silver badge

          @Destroy All Monsters: quick thought experiment

          Just to follow up on my previous response to your most welcome post, imagine asking a physicist the following question.

          "Would you bet the life of your first born child on Newton's law of gravity ultimately being proved correct in return for £million?"

          120 years ago you would get quite a few saying yes. Immediately after Einstein's general theory of relativity was published you would still get some saying yes. Today, I dearly hope for the future social well being of the world that none would say yes.

          I think that if I rephrased the question along the line of "Would you bet the life of your first born child that quantum mechanics is completely correct in return for £billion (inflation)" you might not get a 100% 'yes' rate. And if that's really the case, why should we bet our communication's security?

  6. amanfromMars 1 Silver badge

    Fluid Dynamic ProgramMING ... for Presentation of Future SMARTer Enabling Facts.

    Hi, Dan,

    "The so-called Perfect Eavesdropper uses off-the-shelf hardware to defeat a key benefit of the alternative crypto system,..." has QKD responding with an alternative message ... The so-called Perfect Eavesdropper uses off-the-shelf hardware to access a key benefit of the alternative crypto system.

  7. Ru


    What we have here is a flaw in one particular detector system. It isn't defeating quantum cryptography itself, and more than an attack on SSL renders tradition public key cryptography useless.

    1. Ken Hagan Gold badge

      Re: Erm

      As bazza notes, the only quantum part of quantum cryptography is in the detector system. The moral of the story here is that whatever your system, the point of detection is likely to be a weak point since "observation" often goes hand in hand with a "return" to classical physics. It suggests that there may be a whole new class of weaknesses in any QC system.

      I also second bazza's objection to the phrase "quantum cryptography". Perhaps we should start calling it "quantum transmission", to emphasise that it is wholly dependent on the quality of your engineering rather than your mathematics.

  8. SuperTim

    deja vu

    hasnt this already been reported last year?

    1. Adrian Challinor

      deja vu

      I think, given the uncertainty in quantum mechanics, you meant to say:

      hasn't this already been reported next year.

      Mine's the one with the dead/live cat in the pocket.

  9. Loyal Commenter Silver badge

    What I don't get...

    ...This system appears to be all about exchanging symmetric keys. This is all good and well, but we have had asymmetric key cryptography for quite some time, which uses a public and a private key at each end. Each end keeps their own private key, used for decrypting, and sends the public key, used for encrypting. The whole point is that the key exchange itself doesn't have to be kept secure. It seems to me that we are just falling back to using symmetric key encryption, which is arguably less secure, just because we can exchange the keys 'securely' and show off how clever we are with our quantum gubbins.

    I'm sure I'm missing something here. Private/Public key exchange has it's problems, sure, such as man-in-the-middle attacks and the issue of each end authenticating the other, but I was under the impression that these issues had largely been solved. Can someone fill me in with what advantages the quantum system actually conveys, other than being fiendishly difficult to get your head around how it works?

    1. Jimmahh

      Don't quote me on this, but... =P

      I thought the advantage of being able to use symmetric key exchange was it fundamentally had a lower computational overhead... that and it looked nice and neatly symmetric ;-)

    2. eBusiness

      Re: What I don't get...

      First of all, it's asymmetric systems that use public and private keys, symmetric systems use just a single key, and everyone has to keep that key secret.

      As I also explain in my other post, you get to buy some expensive equipment and roll out a fibre instead of just exchanging a small piece of data.

      The primary advantage is that sounds and is complicated, which make a lot of people think it is also safe.

      1. Paul Powell

        Actually to be totally secure it's neither

        Technically the Quantum Key Distribution enables the distribution of a one time pad.

        Symmetric keys* and asymmetric keys indicate encryption methods that are both vulnerable to cryptanalysis - i.e. you can crack the message without knowing the key, or you can guess the key from the message.

        A one time pad uses a random key at least as long as the message. As long as the key is truly random this makes the message totally uncrackable without the key. You can try every possible key, but this will reveal every combination of characters of the same length as the message.

        Of course due to the one-time nature of a one time pad key distribution becomes the biggest problem and weakness. QKD essentially strives to solve this problem, implementation issues aside.

        Of course for plebs like us we just have to be happy with unencrypted records secured in a public train carriage without an attendant civil servant.

        *yes a one time pad is a symmetric key in terms of the same key is used to encipher and decipher the message, but it is used for a single message and then thrown away.

  10. Dick Pountain

    Angels, pinheads

    Oops, some fell off

  11. juttawms
    Thumb Up

    It’s Schrodinger's cat but with 1s and 0s

    There’s a cat in a box (key that needs to be exchanged). Based on your experiment, you've either kept it alive or killed the cat (generated a unique symmetric key). The act of looking in the box will kill the cat (distort the unique key), thereby upsetting the results of your experiment (receipt of your key by your intended recipient). The evesdropper wants to know if the cat is alive or dead (what the key is) but can't open the box without killing the cat (invalidating the key). Except now, the Swedes and Singaporeans have found a way to open the box, observe the cat and close the box without invalidating the experiment (killing the cat or distorting the key).

    Just as with Schrodinger's thought exercise, the applicaiton of quantum-based crypto key exchange is purely theoretical and no has no basis for practical application. It's fun though. Good job.

    1. eBusiness


      Actually there are already commercial products for performing quantum cryptography. But, well, an idea doesn't stop being silly just because someone does it.

    2. Anonymous Coward
      Anonymous Coward


      My response to finding out if Schrodinger's cat is dead or not is to use a thermographic camera on the outside of the box and observe if its temperature declines or not. Declines, cat is dead else cat is alive.

      This hack is of a similar "outside the box" thinking.

      I'll get my coat. And burn it. Will that make someone elses quantumly entangled coat burn also?

  12. Rombizio

    Quantum what?

    It is 2011...where is my flying car?

  13. mmfiore

    Quantum Mechanics is flawed!

    As an alternative to Quantum Theory there is a new theory that describes and explains the mysteries of physical reality. While not disrespecting the value of Quantum Mechanics as a tool to explain the role of quanta in our universe. This theory states that there is also a classical explanation for the paradoxes such as EPR and the Wave-Particle Duality. The Theory is called the Theory of Super Relativity and is located at: Super Relativity This theory is a philosophical attempt to reconnect the physical universe to realism and deterministic concepts. It explains the mysterious.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2022