
swap between the rectilinear (+) and diagonal (—) schemes, known in quantum
cryptography as bases, during transmission. An eavesdropper attempting to intercept
the photons will have no idea whether to use a rectilinear or diagonal filter. Around
half of the time a totally inaccurate measurement will be made, because a photon
changes its polarisation in order to pass through an incorrect filter. The cryptosystem
neatly takes advantage of one of the fundamental features of quantum theory, a
manifestation of Heisenberg's uncertainty principle [3], that the act of observing will
change the system itself. In this way it is impossible for an attacker to make an
accurate measurement of the data without knowledge of which scheme is being used,
essentially the cryptographic key.

Unfortunately, when this method was first developed, the intended recipient of the
message had no more idea as to the schemes being used than an attacker did, due to
the long-standing problem of secure key exchange. Obviously traditional key
exchange protocols such as RSA and Diffie-Hellman were out of the question as they
are ultimately breakable, and would negate the absolute security offered by a quantum
cryptosystem. Bennett and Brassard made the breakthrough in 1984, and in the
process created an entirely self-sufficient unbreakable cipher.

Assume that two people, named Alice and Bob (using the popular cryptographic
notation), wish to communicate securely. Their method for key exchange starts with
Alice transmitting a stream of random bits as polarised photons and continually
swapping randomly between the rectilinear and diagonal encoding schemes. Bob at
this point has no idea which scheme is being used for which bit, and so he will also
swap randomly between schemes. Alice will now contact Bob insecurely and tell him
which scheme was used for each photon; Bob can say which ones he guessed
correctly, and all the incorrect guesses are discarded. Both parties now share a secret
key, with no useful information leakage to an eavesdropper. In fact it will become
immediately apparent to both if someone is monitoring the photons in transit, because
their use of an incorrect filter is likely to change the polarity of photons before they
reach Bob. If, when comparing a small part of their shared secret key over a public
channel, the parts do not match, it will be clear to both Alice and Bob that the photons
have been observed in transit.

[3] Werner Heisenberg, a German physicist, demonstrated that it is impossible to measure accurately
both the momentum and location of an electron. The act of measurement itself is enough to alter
readings of the other property.

The publication of Bennett and Brassard's cryptosystem caused a great deal of
excitement in the scientific community, but it was not until 1989 that the first physical
demonstration system (Fig.4) was built by Bennett and Smolin at IBM's T. J. Watson
Research Laboratories in New York State. Since then the challenge has been to
produce functional systems over greater distances, hindered by the fact that
specifically polarised photons do not travel well through air as the molecules can alter
their polarity.

Fig.4: Quantum cryptographic apparatus constructed at IBM. Flashes of polarised light, each one tenth
of a photon, are generated and measured across a free air optical path of 32 centimetres.

Recent quantum cryptosystems have concentrated on using optical fibres to transmit
the photons. In March of this year a Swiss team of researchers successfully
conducted a quantum key exchange over the telephone network between Geneva and
Lausanne [4], a distance of 67 kilometres. In August last year in the US, a team based in
Los Alamos, New Mexico, managed to transmit using two portable units across six
miles of desert [5].

The work at Los Alamos is geared towards eventually sending quantum-encrypted
information from the ground to satellites, which would remove all limits to the
distances over which communications could be secured.

[4] Quantum Key Distribution Over 67km with a Plug and Play System, The New Journal of Physics,
Vol.4/41, July 2002
[5] Los Alamos Develops Quantum Crypto System, The EETimes, August 23rd 2001

Is Quantum Cryptography Secure?

It may seem that this question has been answered quite comprehensively in the
preceding chapter. A message encrypted using quantum cryptography is secured by
the laws of quantum physics, so if it was provably insecure the most successful theory
in the history of physics would be disproved and our current understanding of the
universe shattered. However, there are issues of data security relevant to a cipher
beyond its confidentiality.

It is acknowledged in the 1991 paper “Experimental Quantum Cryptography” [6],
contributed to by Bennett and Brassard, that there are issues of authentication not
fully resolved by the current system. It is stated that “the assumption that the public
messages cannot be corrupted by [an eavesdropper] is necessary” to avoid what is
known as the man-in-the-middle attack. As both Alice and Bob have no way within
the proposed system of proving their identity to each other, it is possible for an
attacker to sit between them and impersonate Bob to Alice, and Alice to Bob, thus
negotiating a secret key with each of them. The suggested solutions are an
“unjammable public channel” or a standard authentication scheme which would
require that both Alice and Bob shared some secret information beforehand. The
latter approach would seem to negate the main advantage of Bennett and Brassard's
key exchange protocol, which is the ability for two entities to negotiate shared secret
knowledge in a public channel without the need for any prior secrets. This, as it
currently stands, suffers from the same drawback as the one-time pad, which provides
absolute secrecy but with the additional headache of securely distributing the keys. It
would be possible to extend Bennett and Brassard's protocol to include an adaptation
of the current certification authority authentication mechanism for conventional
public keys. The current system uses trusted agencies to digitally sign public keys
and so verify the identity of their owner. This however, whilst removing the need for
shared secret knowledge, relies on computationally infeasible, but breakable,
mathematical equations and, as such, would not offer an absolutely secure means of

Another element of a quantum cipher's security is that of availability, which has not
previously been an issue with conventional encryption. The root of the problem is an
eavesdropper's ability to alter photons in transit and so prevent two entities from
achieving an error free channel. This could be seen as a denial of service (DoS)
vulnerability, and a malicious user is not limited to this line of attack. Even if Alice
and Bob are sharing secret authentication keys, an attacker could repeatedly corrupt
the public authentication exchange, leading to both parties exhausting their supplies of
keys before a secure connection is established. However the majority of DoS attacks,
whilst annoying, are not considered security critical, and there is certainly no way for
an attacker to trick Alice and Bob into believing that a secure connection exists.

[6] Experimental Quantum Cryptography, C. H. Bennett, F. Bessette, G. Brassard, L. Salvail and J.
Smolin, Journal of Cryptology, vol. 5, no. 1, 1992, pp. 3-28

There are physical attacks which may be mounted on the transmission medium itself.
Assuming that an eavesdropper has access to unlimited technology, two major
techniques which have been identified are intercept/resend and beam-splitting.

Intercept/resend takes advantage of the fact that current photon detecting equipment is
far from perfect; only around 1 in 400 pulses (one tenth of a photon) are successfully
transmitted and received. As Alice and Bob know to expect this level of photon loss,
an attacker can intercept selected pulses of light before they reach Bob, measure them,
and then resend them on with the detected polarity. However, due to the difficulties
in quantum measurement of photons, the probability of the resent and measured
photons still having the correct polarisation when measured by Bob is only 0.25 or
one in four [6]. The discrepancies will therefore be apparent to both Alice and Bob.
Additionally Bennett's calculations as to any advantage gained by the eavesdropper
put the probability that they have correctly guessed a particular bit as 1/√2 or
approximately 0.7 (1 DP). For a cipher to be absolutely secure, it is unacceptable that
even partial disclosure of the key occurs, so therefore whilst the optical technology is
imperfect, any errors in transmission must be treated as an eavesdropping attempt and
the entire exchange repeated.

Beam-splitting utilises the fact that the pulses of light which Alice and Bob use to
communicate, in practice, are not single photon-states. The attacker uses a mirror to
deflect part of the original light beam allowing it to continue, albeit with reduced
intensity, towards Bob. The deflected pulses will be stored until Alice and Bob
publicly announce the bases used to encode each bit, at which point the stored beam
can be correctly measured. At the current time the technology does not exist, and it is
not known if it is possible, to store polarised light pulses. However a present-day
attacker is still able to make guesses as to the correct measurements of their diverted
beam, as in the intercept/resend attack, with the added bonus of avoiding error
creation in the data stream. The drop in beam intensity is likely to alert Alice and Bob
to an intruder, and a sufficient delay before the bases are publicly discussed will also
allow time for any stored photons to decay.

After a quantum key exchange has completed, according to Bennett and Brassard,
“Alice and Bob are now in the possession of a string that is almost certainly shared,
but only partly secret”. This is due to their assumption that the exchange will be
eavesdropped, and that it will be done to the best of an attacker's ability. Instead of
repeating the whole process, Alice and Bob can make an estimation as to the
amount of their secret key which can have been divulged (or luckily guessed), and then
perform a process known as “privacy amplification”. This involves publicly selecting
a hashing function from a shared secret set, and then applying it to their shared secret
key. The result will be a different secret key which they both share, and of which an
attacker knows nothing.
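The following Python simulation is an added illustration and is not part of this essay or of Bennett and Brassard's own work. It models the exchange described earlier (random bits and bases, sifting, public comparison of a sample), shows that an intercept/resend attacker leaves the 25% error rate quoted for that attack in the sifted key, and finishes with privacy amplification; the Toeplitz-matrix universal hash used for that last step is a standard choice assumed here, not a function named on the page.

```python
import random

BASES = "+x"  # "+" is the rectilinear basis; "x" stands in for the diagonal basis


def measure(photon, basis, rng):
    """Pass a photon, modelled as (bit, basis), through a filter set to `basis`.
    Same basis: the bit is read correctly and the photon is unchanged. Wrong basis:
    the outcome is a coin flip and the photon leaves the filter in that new state,
    so measuring has altered what travels on to the next party."""
    bit, photon_basis = photon
    if photon_basis == basis:
        return bit, photon
    new_bit = rng.randrange(2)
    return new_bit, (new_bit, basis)


def bb84_sifted_keys(n_photons, rng, eavesdrop=False):
    """One BB84 transmission plus the public basis comparison (sifting). Alice sends
    random bits in random bases and Bob measures in random bases. With eavesdrop=True
    an intercept/resend attacker measures each photon in a random basis and forwards
    the (possibly altered) photon. Returns the sifted keys: positions where the bases agreed."""
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.choice(BASES) for _ in range(n_photons)]
    bob_bases = [rng.choice(BASES) for _ in range(n_photons)]
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        photon = (bit, a_basis)
        if eavesdrop:
            _, photon = measure(photon, rng.choice(BASES), rng)
        b_bit, _ = measure(photon, b_basis, rng)
        bob_bits.append(b_bit)
    # Alice announces her bases publicly; positions where Bob guessed wrong are discarded.
    kept = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]
    return [alice_bits[i] for i in kept], [bob_bits[i] for i in kept]


def estimate_error_rate(alice_key, bob_key, sample_size, rng):
    """Publicly compare a random sample of the sifted key to look for an intruder.
    Returns (error_rate, alice_rest, bob_rest); the compared bits are now public
    and are dropped from both keys."""
    sampled = set(rng.sample(range(len(alice_key)), sample_size))
    errors = sum(alice_key[i] != bob_key[i] for i in sampled)
    rest = [i for i in range(len(alice_key)) if i not in sampled]
    return errors / sample_size, [alice_key[i] for i in rest], [bob_key[i] for i in rest]


def privacy_amplify(key_bits, out_len, public_seed):
    """Privacy amplification with a Toeplitz-matrix hash (a universal hash family).
    The seed is announced publicly, so both parties build the same matrix and only
    the input bits are secret; an attacker who knew a fraction of the input bits
    is left with no usable knowledge of the shorter output."""
    n_in = len(key_bits)
    matrix_rng = random.Random(public_seed)
    diag = [matrix_rng.randrange(2) for _ in range(out_len + n_in - 1)]
    return [sum(diag[i - j + n_in - 1] & key_bits[j] for j in range(n_in)) % 2
            for i in range(out_len)]


def run_exchange(eavesdrop, n_photons=8000, seed=1, max_error_rate=0.0):
    """Full protocol: sift, sample for errors, then abort or amplify. Returns
    (error_rate, alice_final, bob_final); the final keys are None when the sampled
    error rate exceeds max_error_rate and the exchange has to be repeated."""
    rng = random.Random(seed)
    a_key, b_key = bb84_sifted_keys(n_photons, rng, eavesdrop)
    rate, a_rest, b_rest = estimate_error_rate(a_key, b_key, len(a_key) // 4, rng)
    if rate > max_error_rate:
        return rate, None, None
    # Amplify a 400-bit slice to keep the pure-Python matrix product quick.
    a_final = privacy_amplify(a_rest[:400], 200, public_seed=seed + 100)
    b_final = privacy_amplify(b_rest[:400], 200, public_seed=seed + 100)
    return rate, a_final, b_final
```

Without an eavesdropper the sampled error rate is exactly zero and both parties end with the same 200-bit amplified key; with intercept/resend on every photon the sample shows roughly one error in four and the exchange is abandoned.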

The protocol developed by Bennett & Brassard et al is the first quantum
cryptographic protocol ever produced. Quantum cryptography itself is still very much
in its infancy, and has not yet made it out of the laboratory and become widely and
publicly used. It is not surprising therefore, that while the physics behind the idea are
unshakable, there are issues which may impede its rapid take-up and acceptance. The
very feature of quantum physics which gives quantum cryptography its security as a
confidential cipher also reduces its security as a reliable cryptosystem. The act of
observation of a quantum key exchange will irreversibly alter it, destroy data and
possibly necessitate the repetition of the exchange. In practice in a public channel,
this could easily be classified a denial of service attack, and at the very least will
waste time and cause frustration.

As the protocol stands, the issue of authentication is not fully resolved. A small
amount of shared data is required between communicants before the exchange even
begins; if this is necessary before a secure channel is established, then it is an echo of
the key-distribution problems faced by Diffie and Hellman, and GCHQ in the Sixties.
The protocol however does allow for a key to be exchanged between two parties who
may never have met, although there is no way for them to be assured that they are
actually negotiating with each other.

The telephone networks in the countries which would lead the implementation of
quantum cryptosystems are heavily reliant on optical fibres. These use pulses of light
to transfer telephone conversations in digital form. The existing infrastructure of
optical fibres would be an ideal medium for the transfer of quantum encrypted data.
An added advantage is the perceived security of the telephone system in comparison
to a local network or the Internet on which anyone with a grounding in security can
sniff traffic. The practice of placing telephone taps has so far largely been restricted
to law enforcement and requires more engineering and electrical knowledge than most
malicious attackers will possess. There is physical security at local exchanges giving
another barrier to eavesdropping. Essentially this adds up to an existing, secure
infrastructure for the rollout of quantum cryptography. Indeed, as previously
mentioned, a Swiss team has already used the Swiss network for a successful quantum

The Swiss team used a technique known as quantum entanglement to transmit their
exchange. This involves using a crystal to split a polarised photon into a pair of
photons, each in a superposition of polarised states. When the polarity of one member
of an entangled pair is measured, the other member immediately assumes its
companion's polarity, a quantum effect which Einstein disparagingly termed “spooky
action at a distance”. This method was first proposed by Oxford physicist Artur
Ekert, and involves sending pairs of entangled photons to both Alice and Bob
simultaneously. Entanglement makes statistical analysis of the transmitted data
useless, as neither member of the pair has polarisation until it is measured. This
ensures absolute randomness of keys generated by the quantum exchange.

Absolute Security and the Wider Social Issues

The communications security offered by quantum encryption cannot be disputed. If
two people have established a secret key and are passing polarised photons between
two points, the laws of quantum physics dictate that it is impossible for the
information exchanged to be compromised. The ability of private citizens to achieve
this, which has never before been possible, is likely to be of particular interest to
national government and law enforcement agencies. Since computer encryption has
been available to the public it has been legislated and the export of algorithms from
country to country tightly controlled.

When Rivest, Shamir and Adleman first developed the RSA algorithm in 1977 the
American National Security Agency (NSA) put great pressure on both the researchers
and their employer, the Massachusetts Institute of Technology (MIT), to prevent
publication [7]. They published regardless, and in their hurry lost patent rights to the
algorithm outside the US where most countries require registration before publication.

In the past America has maintained strict controls on the export to other countries of
cryptographic algorithms or software, in effect treating them as munitions comparable
to missiles or machine guns. In January 2000, in a historic move, the government
relaxed controls on all cryptographic software exported by US companies. Following
this, in March 2001, the government allowed strong encryption (128 bit keys) for
export, from a previous maximum of 40 bits. There is still some distance to go, and
there is still great pressure in the senate for further relaxation of controls.

In 1991 Phil Zimmerman released a software package called PGP (Pretty Good
Privacy) which uses RSA encryption within a simple user interface. The software
was directed at the home user, and was intended to give everyone secure Internet
communications. The effects of Zimmerman™s altruistic efforts were to make him the
target of an FBI enquiry and a grand jury investigation. Zimmerman released his
software for free on the Internet and, as it contained cryptographic code, had
effectively become an international arms dealer. The US government eventually
dropped its investigation in 1996.

In 1991 the US government attempted to pass Senate Bill 266, which stipulated that
all encryption software must have a back-door built into it to allow officials to read
private messages. It read in part:

"It is the sense of Congress that providers of electronic communications
services and manufacturers of electronic communications service equipment
shall insure that communications systems permit the Government to obtain the
plain text contents of voice, data, and other communications when
appropriately authorized by law" [8].

[7] Crypto: How the Code Rebels Beat the Government - Saving Privacy in the Digital Age, Steven
Levy, ePenguin, B00005UOTX (e-Book)
[8] Comprehensive Counter-Terrorism Act of 1991 (Senate Bill 266)

The bill was defeated after strong protests from civil liberties groups. This is a
parallel to the UK government's Regulation of Investigatory Powers Bill which was
enacted into law [9] in July 2000. This now allows for “lawful interception” of all
communications data, meaning that anyone using cryptography must give up a copy
of their key if a warrant is obtained. Failure to do so is punishable by up to two years
in prison.

A practical and widely-used quantum cryptosystem would pose serious problems for
the NSA and render much of the previous cryptography legislation redundant at a
stroke. Obtaining a crypto-key with a warrant is of very little use if you don't have a
copy of the original encrypted message, as current technology does not allow storage
of light photons for long.

There is clearly a public safety issue here, as presumably the NSA and GCHQ do not
want access to encrypted emails simply to keep tabs on political opponents. Currently
public-key encryption is widely used by organised crime and terrorist networks.
Computers owned by al-Qaeda operatives in Afghanistan contained files encrypted
using 40-bit DES. Before March 2001, this was the strongest encryption which could
be shipped internationally from the US; journalists broke it using a brute-force attack
within five days [10]. Crypto-software using 128 bit keys can now be exported
internationally; this gives exponentially more security and, using the journalists'
setup, would be absolutely unfeasible to crack.

In 1995 the Aum Shinrikyo cult released sarin nerve gas on the Tokyo subway, killing
12 people and injuring thousands. When their headquarters were raided the
authorities retrieved RSA encrypted documents, and after finding the key on a floppy
disk, decoded plans to deploy weapons of mass destruction in Japan and the US. Had
they not had the luck to also discover the key, these documents could have been lost

Quantum cryptography, as it stands at the moment, is purely a transmission
cryptosystem. There is no provision for storage of encrypted data which can, and
does, impede criminal investigations. Dorothy Denning listed the threats to society
posed by encryption in her 1997 paper as:

“failure to get evidence needed for convictions, failure to get intelligence vital
to criminal investigations, failure to avert catastrophic or harmful attacks,
and failure to get foreign intelligence vital to national security. Encryption
can also delay investigations, increase their costs, and necessitate the use of
investigative methods which are more dangerous or invasive of privacy” [11].

[9] Regulation of Investigatory Powers Act 2000, Chapter 23 (ISBN 0105423009)
[10] Weakened Encryption Lays Bare Al-Qaeda Files, Will Knight, New Scientist, 17/1/2002
[11] Encryption and Evolving Technologies as Tools of Organized Crime and Terrorism, Dorothy E.
Denning, 1997

When quantum cryptography enters widespread public use it will only protect data in
transit across public networks. However, assuming that eventually advances in
particle physics will occur that allow storage of polarised photons, it will be possible
to hold data that is completely unreadable without the key, and indeed any
unauthorised attempt to read it will result in that data's destruction. The obvious legal
response to this has already been enacted in the UK in the form of the mandatory key
disclosure part of the RIP Act 2000.

It is currently still a contested issue to what extent existing cryptography hampers law
enforcement, and it is difficult to obtain accurate information due to the secrecy of
government agencies. Most of the investigators Denning spoke to did not find that
“encryption was obstructing a large number of investigations. They were, however,
concerned about the future”. Denning estimated the number of criminal cases
worldwide involving encryption in 1997 to be around 500, so using her 50%-100%
estimation of annual growth, that puts the 2002 figure at somewhere between 4 000
and 16 000. The encryption systems encountered ranged from the well known DES,
RSA and IDEA (International Data Encryption Algorithm) to more obscure
proprietary systems and custom made ciphers. In the same year, 1997, in which the
FBI contested that “court ordered wire-tapping is the single most effective
investigative technique used by law enforcement to counter illegal drugs, terrorism,
violent crime, espionage and organized crime”, a White House official confirmed a
worrying trend that “organized crime members are some of the most advanced users
of computer systems and of strong encryption”. In 2000 before a Senate panel, the
director of the FBI, Louis Freeh stated that “uncrackable encryption is allowing
terrorists - Hamas, Hezbollah, Al-Qaeda and others - to communicate about their
criminal intentions without fear of outside intrusion”.

In February 1997 the Australian Attorney-General's Department put a stop to the
public release of the Walsh report, a review of the government's policies on
cryptography. After one failed attempt to force disclosure of the document, the civil
liberties group Electronic Frontiers Australia (EFA) successfully obtained a heavily
edited version in June of 1997 under the Freedom of Information Act. In December
1998 the missing sections were recovered, and provide a rare insight into
governmental attitudes to the increasing use of cryptography. Section 4.3.1 warned

“the loss of real-time access to communications would require the AFP the
NCA and ASIO (and all State and Territory police services) to rely more
heavily on human sources of information, on the use of listening devices, on
tracking devices, on video surveillance, and on physical surveillance - all
more invasive intrusions on a person's privacy”.

Later in section 4.3.4 the document confirms law enforcement's concern for the
increasing criminal reliance on cryptography to destroy evidence:

“there is an observable pattern of changed encryption behaviour following
arrests and even searches of property. Either the power of the encryption
being employed is increased or the encryption practice, which may have been
flawed because of poor password protection or similar, is enhanced”.

The Australian government originally suppressed these parts of the report under a
section of the Freedom of Information Act which deals with documents affecting the
enforcement of law and public safety. This suggests that a major component of the
legal opposition to strong cryptography is based on restricting widespread knowledge
of the available techniques; insecurity through obscurity is not an approach which is
likely to prove effective in the long run.

Much of the press relating to cryptography is positive and focuses on the potential for
protection from criminals. A major story in July of 2002 was the release by an
offshoot from the hacking group Cult of the Dead Cow called Hacktivismo of a free
tool called Camera/Shy which was touted as a worldwide benefit to democracy. The
software uses steganography, hiding a secret message, combined with 256-bit
encryption to encapsulate messages within GIF format picture files. The group
maintains their product is aimed at political dissidents in countries with strict controls
over the Internet, such as China, and will allow them to communicate securely with
the rest of the world without fear of reprisals. It is a very valid point that a vital part
of freedom of speech is the freedom to speak privately. Indeed it is recognised by
Article 12 of the United Nations Universal Declaration of Human Rights:

“No one shall be subjected to arbitrary interference with his privacy, family,
home or correspondence, nor to attacks upon his honour and reputation.
Everyone has the right to the protection of the law against such interference
or attacks” [12].
