Quantum crypto felled by 'Perfect Eavesdropper' exploit

All your photons are belong to us


Researchers have devised a technique for eavesdropping on communications secured through quantum cryptography that allows an attacker to surreptitiously construct the secret key encrypting the secret content.

The so-called Perfect Eavesdropper uses off-the-shelf hardware to defeat a key benefit of the alternative crypto system, namely that the use of properties rooted in quantum physics offers a theoretically fool-proof way for parties to exchange the secret key securing their communications without being intercepted. QKD, or quantum key distribution, allows a trusted party to construct a key by transmitting light to the other trusted party one photon at a time and then measuring their properties.

In theory, anyone monitoring the transmissions passing between the two parties will automatically be detected because in the world of quantum mechanics the act of eavesdropping taints the key in ways that are clear to the trusted parties.

The researchers, from the the National University of Singapore, the Norwegian University of Science and Technology, and the University Graduate Center in Norway, were able to compromise the QKD by making the key exchange behave in a classical way. Using readily available equipment that fits inside a suitcase, they intercepted single photons traveling over a 290-meter fiber link network and then re-emitted the corresponding pulses of light.

The re-emitted pulses in effect blinded the photodiodes used by the trusted party receiving the transmission of photons. As a result, the photodiodes were no longer sensitive to single photons, making them behave like classical detectors that generate a current proportional to the intensity of the incoming light.

“Quantum key distribution has matured into a true competitor to classical key distribution,” Christian Kurtsiefer, a professor at the Center for Quantum Technologies at the National University of Singapore, said in a release. “This attack highlights where we need to pay attention to ensure the security of this technology.”

One of the biggest challenges faced by cryptographers throughout history is finding a secure way for trusted parties to share their secret key. Public key cryptography solved this problem by using a public key to encrypt communications and a separate private key that's unique to each recipient to decrypt the content. As a result, the key never has to be transmitted. Quantum cryptography takes a different approach by allowing one party to securely transmit the key to another party using principles at the heart of quantum mechanics.

The findings are similar to those published last year by researchers from the University of Toronto, who claimed to carry out the first successful attack against a commercial system based on theoretically uncrackable quantum cryptography. The researchers behind the more recent Perfect Eavesdropper said it's the first practical exploit that surreptitiously steals a key during a typical QKD setup.

The researchers have already identified the loopholes that allow the Perfect Eavesdropper to function and are working on countermeasures.

The findings were reported in the most recent issue of Nature Communications (abstract here). More from Physics World and Forbes is here and here. ®


Other stories you might like

  • Colocation consolidation: Analysts look at what's driving the feeding frenzy
    Sometimes a half-sized shipping container at the base of a cell tower is all you need

    Analysis Colocation facilities aren't just a place to drop a couple of servers anymore. Many are quickly becoming full-fledged infrastructure-as-a-service providers as they embrace new consumption-based models and place a stronger emphasis on networking and edge connectivity.

    But supporting the growing menagerie of value-added services takes a substantial footprint and an even larger customer base, a dynamic that's driven a wave of consolidation throughout the industry, analysts from Forrester Research and Gartner told The Register.

    "You can only provide those value-added services if you're big enough," Forrester research director Glenn O'Donnell said.

    Continue reading
  • D-Wave deploys first US-based Advantage quantum system
    For those that want to keep their data in the homeland

    Quantum computing outfit D-Wave Systems has announced availability of an Advantage quantum computer accessible via the cloud but physically located in the US, a key move for selling quantum services to American customers.

    D-Wave reported that the newly deployed system is the first of its Advantage line of quantum computers available via its Leap quantum cloud service that is physically located in the US, rather than operating out of D-Wave’s facilities in British Columbia.

    The new system is based at the University of Southern California, as part of the USC-Lockheed Martin Quantum Computing Center hosted at USC’s Information Sciences Institute, a factor that may encourage US organizations interested in evaluating quantum computing that are likely to want the assurance of accessing facilities based in the same country.

    Continue reading
  • Bosses using AI to hire candidates risk discriminating against disabled applicants
    US publishes technical guide to help organizations avoid violating Americans with Disabilities Act

    The Biden administration and Department of Justice have warned employers using AI software for recruitment purposes to take extra steps to support disabled job applicants or they risk violating the Americans with Disabilities Act (ADA).

    Under the ADA, employers must provide adequate accommodations to all qualified disabled job seekers so they can fairly take part in the application process. But the increasing rollout of machine learning algorithms by companies in their hiring processes opens new possibilities that can disadvantage candidates with disabilities. 

    The Equal Employment Opportunity Commission (EEOC) and the DoJ published a new document this week, providing technical guidance to ensure companies don't violate ADA when using AI technology for recruitment purposes.

    Continue reading
  • How ICE became a $2.8b domestic surveillance agency
    Your US tax dollars at work

    The US Immigration and Customs Enforcement (ICE) agency has spent about $2.8 billion over the past 14 years on a massive surveillance "dragnet" that uses big data and facial-recognition technology to secretly spy on most Americans, according to a report from Georgetown Law's Center on Privacy and Technology.

    The research took two years and included "hundreds" of Freedom of Information Act requests, along with reviews of ICE's contracting and procurement records. It details how ICE surveillance spending jumped from about $71 million annually in 2008 to about $388 million per year as of 2021. The network it has purchased with this $2.8 billion means that "ICE now operates as a domestic surveillance agency" and its methods cross "legal and ethical lines," the report concludes.

    ICE did not respond to The Register's request for comment.

    Continue reading
  • Fully automated AI networks less than 5 years away, reckons Juniper CEO
    You robot kids, get off my LAN

    AI will completely automate the network within five years, Juniper CEO Rami Rahim boasted during the company’s Global Summit this week.

    “I truly believe that just as there is this need today for a self-driving automobile, the future is around a self-driving network where humans literally have to do nothing,” he said. “It's probably weird for people to hear the CEO of a networking company say that… but that's exactly what we should be wishing for.”

    Rahim believes AI-driven automation is the latest phase in computer networking’s evolution, which began with the rise of TCP/IP and the internet, was accelerated by faster and more efficient silicon, and then made manageable by advances in software.

    Continue reading

Biting the hand that feeds IT © 1998–2022