It is essential that cryptography remains well ahead of the hackers, and that's precisely the motivation for a project that uses the quantum mechanical properties of photons to create tamper-proof keys.
The future for the protection of sensitive data could be bright. Researchers have uncovered evidence that the quantum mechanical properties of photons (light particles) may be used to generate tamper-proof keys, and this represents a big leap forward in the fight against computer hackers and other cyber-security threats.
Four and a half years ago, the EU-funded Secure Communication based on Quantum Cryptography (SECOQC) consortium successfully demonstrated long-distance, practical quantum-key distribution (QKD) in a fibre-optic network around the Austrian capital Vienna. Now, one of the largest research and development organisations in the US, Battelle, is using a design similar in concept to the SECOQC 'trusted node' architecture to create the US's first commercial quantum-secured network.
Battelle says that it is already in talks with organisations interested in using the technology. "Mostly they are large companies that have data they want to protect for a long period of time, such as medical records or financial information," says Donald Hayford, senior research leader for the Battelle project, "but they include organisations, such as Battelle itself, that have intellectual property they want to secure."
Given its aim of building a 700km QKD link between Battelle's HQ in Columbus, Ohio, and Washington DC within the next two to three years, this American QKD scheme is the largest and most ambitious currently in progress. To an extent, it also reflects concerns that the more conventional cryptography is becoming vulnerable to attack. "Within three years, we believe that governments will have the capability of breaking the public key encryption used on many data transmissions," says Hayford. "Quantum key distribution is the way ahead."
One particular concern is diversion of Internet traffic. In April 2010, state-owned China Telecom rerouted 15 per cent of the world's Internet sites' traffic, including that from US military and government networks, through Chinese servers. "If you hadn't encrypted your network traffic, and it was for one of the diverted sites, all your data would have been accessible," Hayford warns. "This is what we are trying to protect against."
Before two parties can send information securely, they must exchange a secret key. QKD solves the 'Catch 22' of cryptography, which is: how do you exchange that key safely in the first place? QKD offers a way of exchanging keys over optical fibre using a basic principle of physics: quantum states cannot be measured without changing them. Quantum keys are made of streams of specially-prepared photons whose quantum states represent 1s and 0s. High bit-errors detected in a quantum key are used as a sign that someone is listening. "The QKD guarantee is either a secure key or no key," explains Hayford.
QKD has two stages. 'Alice' first sends a string of quantum states to 'Bob' who measures them. Alice and Bob then post-process this raw measurement using a protocol in which they can distil a key. The amount of key generated depends on any error detected in the post-processing. At an error rate close to 11 per cent, the key output reduces to 0.
This method, known as 'privacy amplification', guarantees that all the key that emerges is technically Information Theoretically Secure (ITS). The most widely-used classical encryption algorithm is the Advanced Encryption Standard (AES), a 'symmetric' scheme (the same key is used for encryption and decryption) with a short key-length typically of 128 bits or 256 bits.
Keeping the keys secret is a matter of refreshing them frequently. Between key changes, the initial AES session key is exchanged using public key cryptography (usually the RSA algorithm). Distributing the session key in this way is initially quite slow, but then it can be used many times for rapid AES encryption-decryption.
RSA's security relies on the fact that multiplying two large (300-digit) prime numbers together is easy, but figuring out the prime factors of a 600-digit number is difficult. However, nobody has proven that finding prime factors is hard, which is why there is growing interest in using QKD.
"Somebody may have already devised an algorithm for finding prime factors of large numbers that works well enough," says Hayford. "Quantum computers can factor numbers into prime factors, but only for small numbers at present – but it is only a matter of time."
An alternative to AES is one-time pad (OTP) encryption, in which each bit or character from the unencrypted data is encrypted by a bit or character from a secret random key of the same length as the data. Each OTP key can be used only once.
OTP is considered the only provably secure type of encryption-decryption. However, because the key has to be the same length as the data, it is cumbersome for everyday use. You can either send a key using physical means (on a memory stick, for instance) or QKD. >
< Battelle, which conducts $6.5bn in research each year and runs national laboratories on behalf of the departments of Energy and Homeland Security (as well as a nuclear lab in the UK), approached the Swiss-based quantum encryption firm ID Quantique 18 months ago to see if they could collaborate. ID Quantique was an important player in SECOQC and subsequent QKD trials. It sells commercial QKD hardware, typically to customers who want to protect dedicated links between primary and secondary data centres used for back-up and mirroring. Most recently, the company has started offering QKD encryption as a service in Geneva through telecoms operator Colt.
"For a city like Geneva where there is a big concentration of banks that need to be connected to a data centre 50km away, it means they can all use the same optical fibre. Sharing is done using wavelength division multiplexing, so each bank uses a different colour of light for its data," explains Gregoire Ribordy, CEO of ID Quantique.
Quantum key distribution technology has matured a lot since the Vienna test, says Ribordy, but the main advance was building complex networks and validating the concept of trusted nodes. Trusted nodes are secured locations containing QKD devices and a key management layer to route and relay the secret keys in a hop-by-hop approach.
They are a way of overcoming the limited range in which you can send photons down optical fibres before the quantum states get jumbled. In the long term, quantum repeaters could be used to regenerate keys, but these are still laboratory devices.
The SECOQC consortium made the first practical network demonstration of a trusted node architecture in 2008 in Vienna. A similar test was set up around Tokyo in 2010. Meanwhile, between 2009 to 2011, the SwissQuantum Project managed the longest running QKD network to date, which ran continuously for two years in the Geneva metropolitan area connecting the European Organisation for Nuclear Research (CERN), University of Geneva, and the Engineering School of Geneva.
The latest Battelle network builds on all this previous work. The first stage, which is on target for completion in April 2013, is to create a 12-mile-long point-to-point link to allow secure communications between two of Battelle's sites in Columbus, Ohio. Next on the to-do list is to make a small network within the Columbus metropolitan area with four or five trusted nodes connecting different facilities (and possibly some customers), similar to the Vienna SECOQC set-up. A laboratory demo is scheduled for September 2013, and the network should be completed the following year. The final step is to set up the long-distance link between Columbus and Washington DC.
"QKD systems have a range of around 100km, so to do 700km you need to daisy-chain ten systems together, which means nine trusted nodes in the middle with ten links," explains Ribordy. ID Quantique is responsible for providing the basic QKD hardware. Battelle will be building the tamper-proof trusted nodes (containing the QKD hardware), and developing the software needed to connect nodes and relay the keys throughout the network. Battelle will use AES encryption and probably refresh keys on a minute-by-minute basis.
"The biggest challenge is to make effective use of fibre," explains Hayford, who is now in discussion with fibre companies to identify the optimal route to Washington. "In the US, fibre is very expensive, and we want to be able to distribute the most keys with the least fibre. For the 1,000km link, the goal is to use fibre already in the ground – but it might not be all from one company."
QKD in space?
To build a long-distance QKD network today, terrestrial trusted nodes are the only option and they will have a continuing role as a way of distributing keys among users, says Battelle's Don Hayford. "If you imagine a bank with 100 branches, the main branch would have to have 100 QKD devices [one for each branch] if you did not use trusted nodes," he points out. Because a trusted node can contain more than one QKD link, it enables a real network structure where many users can be added. But other possibilities are on the horizon for increasing the range of QKD, including quantum repeaters (Battelle is working with the University of Geneva on this) and satellite nodes. Putting trusted nodes into space, piggybacking on projects to install standard optical communications on satellites, looks promising in the short term.
A trusted node on a low earth orbiting (LEO) satellite would have the advantage of being quite close to the Earth (so there is relatively low attenuation), and of being potentially able connect any two points as the satellite orbits, according to Momtchil Peev, who was in charge of network development for SECOQC and is a senior scientist for optical quantum technologies at the Austrian Institute of Technology, which led the overall SECOQC project. The downside, he says, is that LEOs are available for just a few minutes as they fly over a given point on Earth. In contrast, geostationary (GEO) satellites are visible all the time but the maximal distance between two locations on Earth, for which a given geostationary satellite is visible, does not exceed some 6,000km.
"Maximum distance using GEO nodes is probably New York to London, but you could also have trusted nodes on the ground to extend the reach," says Peev. "Or you could use LEO satellites that travel around."
In Europe, the European Space Agency (ESA) will shortly be installing classical optical communications systems as part of Europe's data relay satellite (EDRS) system whose payload includes a laser communication terminal (LCT) developed by TESAT of Germany to optically transmit data up to 1.8Gbit/s over distances in excess of 40,000km – between Earth observation LEOs and EDRS in geostationary orbit – which would then also optically 'download' terabytes of data to ground stations. Nasa has a similar project, called the Laser Communications Relay Demonstration (LCRD) mission, in progress.
Peev's group has already carried out a feasibility project with the ESA, TESAT, EUTELSAT, and the Austrian Academy of Sciences, to calculate whether adding QKD as an add-on to LCTs for free space optical communications would be viable. Initial results are encouraging, but further analysis is required. Other QKD networks are planned over the next few years. In the US, Los Alamos National Laboratory's quantum cryptography team has just successfully completed the first demonstration of securing control data for electric grids using quantum cryptography. Quintessence Labs, an Australian company, is working with Nasa to use QKD over a 560km link to the Nasa Jet Propulsion Laboratory. Quintessence Labs also has a project with Lockheed Martin to build a Government Quantum Network (GQN) in Canberra, Australia.
While QKD is clearly getting to the point of being trusted to perform reliably in real networks, the technology is still a work in progress. To increase the amount of data that can be encrypted and/or the number of users on a QKD network, research teams would like to raise key generation rates from the kbit/s used in the Vienna trial to Mbit/s – and indeed higher. "We can now exchange enough key to encrypt a sustained data stream of Mbit/s using the one time pad – the only encryption algorithm that is completely secure from cryptanalysis," explains Dr Andrew Shields, assistant managing director of Toshiba Research Europe in Cambridge (UK), which was involved in the Vienna and Tokyo QKD trials. (Symmetric key cryptography can encrypt much higher bandwidths, refreshing the key every few milliseconds.)
Shields' team has shown how quantum keys generated at such high rates can share the same fibre as the data signals. This work means that existing telecoms networks can be secured with quantum encryption without having to send the single photon key through a dedicated fibre, as was the case in the Vienna and Tokyo networks. Arguably the most pressing need is for industrial standards to be completed so that, for example, everyone can agree on the best way to certify QKD system security.