Photonics steps in to solve security issues with cryptography
Image credit: Science photo library
Cryptography could get a boost from photonic technology.
The encryptions on which our finances, work and national security rely are based on one simple assumption: that some mathematical operations are hard for computers to perform and will stay that way. The public-key infrastructure developed in the 1970s and now practically ubiquitous thanks to its incorporation into protocols, such as those used to protect web-surfing sessions, relies on the intrinsic computational difficulty of a select group of mathematical functions. The difficulty of these operations ensures the private keys that should be used to unlock the data cannot be reverse-engineered from the encrypted text or the widely disseminated public keys that make this security strategy practical. However, better algorithms and faster computers mean the bar for ‘hard to break’ is constantly rising. If they work as expected, quantum computers may render many of the arithmetic techniques redundant.
Professor Guohai Situ of the Shanghai Institute of Optics and Fine Mechanics says: “Although it has been proved that there are information-theoretically secure digital cryptosystems, the security of almost all practical ones is dependent on the computational complexity of cryptanalysis.”
Is there an alternative that is less vulnerable to improvements in algorithms and changes in computer technology? One possibility is to harness the media used to convey data around the world. Some 890,000km of fibre-optic cable lie under the oceans, transmitting vast quantities of information at high speed across the globe. Optical security is already a part of everyday life, from the holographic patches on CDs, DVDs and bank notes that allow us to ensure our music, movies and money are authentic, to biometric border control speeding up entry into countries. But what if the properties of propagating light could be used to provide better security for digital systems?
Free-space optical security and encryption is an often-missed area of active and intense research that potentially offers just this: a physical layer of security for anything from biometrics and surveillance inspection, to medical and health monitoring, holographic data storage and a host of other areas.
Using the properties of light freely propagating in air, space or a vacuum, free-space optics (FSO) is actually a diverse field with numerous sub-branches. “For example, there are well-established companies providing building-to-building line-of-sight FSO communication systems,” explains Professor John Sheridan from University College Dublin. In addition, Li-Fi FSO systems - developed to provide an alternative to RF-based Wi-Fi - have been demonstrated by UK start-up pureLiFi.
FSO and optical security are now coming together, as Sheridan describes: “If you want to develop a holographic data storage system, for example, we ask: is it possible to produce better storage characteristics combined with increased security using the existing capabilities and characteristics of the optics/optoelectronics in such systems?”
“Whereas conventional digital encryption deals with binary data, optical encryption systems are designed to encode information in the wavefront of an electromagnetic wave,” explains Professor Artur Carnicer from the University of Barcelona.
With optical encryption for physical storage, the information is encoded into holograms. The authenticity of the message can be validated using optical tests such as ellipsometry or speckle analysis. “This technology can be used in bank notes, printed QR codes, integrated circuits and many more applications,” says Carnicer.
Security for FSO manipulates certain physical parameters of the optical waves that convey the information. These waves offer a host of hiding places for sensitive data: “FSO possesses many degrees of freedom such as amplitude, phase, polarisation, spectral content and multiplexing, which can be combined in different ways to make the information encoding more secure,” says Professor Bahram Javidi from the University of Connecticut. “In a sense, you can create multi-dimensional keys which are much harder to attack.”
Alongside Professor Philippe Réfrégier of the Institut Fresnel, Javidi pioneered the most widely known FSO encryption technique in the 1990s. Called the double random phase encoding (DRPE) method, it converts an input laser signal, which is encoded with data using changes in phase and amplitude, into what appears to be white noise. The technique uses phase masks - two random pattern gratings - that alter the light in both the frequency and spatial domains.
As an indication of its power, given a regular 512 × 256 pixel encrypted image and no knowledge of the original message, you are more likely to find a specific grain of sand in the Sahara desert than decipher the hidden content. The researchers calculated the probability to be one in 22,097,152.
The encrypted data bits are recorded and stored as a hologram, which can then be recorded by a CCD (charge-coupled device) camera and reconstructed digitally by a computer, ready to be transmitted. When the receiver clicks on the attachment in their inbox, the image they see will be white noise. Central to decrypting the image are the phase mask keys - a full description of the two pattern gratings that encrypted the image. If the receiver has physical copies of the phase masks, they can reconstruct the image optically by simply reversing the encryption process. If the receiver instead just has the keys, they can rebuild the image digitally.
For 10 years, Javidi’s DRPE technique remained impenetrable, but no one had rigorously tested the method during that time. “We were concerned that no cryptanalysis of optical encryption had been reported at that time,” Carnicer recalls. “Our target was to demonstrate that DRPE was secure, but we demonstrated the opposite.”
Carnicer and his team discovered that DRPE was vulnerable to the so-called ‘lunchtime attack’; the idea being that the computer someone uses to decrypt messages is infiltrated by an attacker while they are out to lunch.
The underlying approach was to produce a set of ciphertexts that, when analysed in combination, could reverse-engineer the random phase key.
Carnicer says: “Since the recorded intensities displayed a cosine-like landscape, the periodicity of these functions provided information of the values of the phase key.”
Not only was this an important hack of a well-established encryption method, but it was also the very first systematic attack - known as ‘cryptanalysis’ - of any optical encryption system. The successful attack on DRPE inspired Javidi to further analyse the method, attacking the encryption himself in nine different ways. Although he proved that DRPE remains robust against brute-force attacks - that is, trying every possible key until finding the correct one - the study revealed weaknesses against chosen- and known-plaintext attacks.
In a chosen-plaintext attack, the attacker has the ability to trick a legitimate user of the system into encrypting particular images of their choosing and can also see the resulting encrypted images. Javidi found that by choosing, at most, three image pairs, an attacker can recover the two encryption keys and break the system.
Known-plaintext attacks are different in that the attacker can see but not influence some of the unencrypted images and also has access to their encrypted versions. Worryingly, in his cryptanalysis Javidi found that attacks of this kind would only require two image pairs to break the system.
The reason DRPE and many related techniques failed against these attacks boils down to one fatal flaw: linearity. The mathematical description of propagation involves a set of transformations, mainly Fourier and Fresnel transforms, “that are linear by nature”, explains Carnicer.
Sheridan illuminates this best: “In general, for linear systems one can imagine the relationship between the input and output as being describable using a huge number of simultaneous equations, written for example as a huge matrix equation. There is only one possible solution that satisfies all the equations and so, although it might be numerically difficult or tedious [to solve], in general it is possible to find the one good solution, or at least get close to it.”
Far from discouraging the community though, this crucial weakness has stimulated ingenious directions in research that can deal with cunning attack strategies. The key problem is one caused by the greater predictability of linear systems.
“My work in cryptanalysis revealed that all the previous linear optical encryption systems are not as secure as they claim,” Situ explains. He and others are now looking to exploit non-linearity in optical processes.
Carnicer and Javidi have joined forces to lead the way in advancing one research direction that could overcome the effects of linearity: photon counting. Allied to Javidi’s DRPE, photon counting involves limiting the number of photons arriving at a pixel in an image. Importantly, this is a nonlinear transformation of the data. However, since photon counting is performed on the amplitude of the encrypted message, information is lost, so that when decrypting the message the receiver obtains a noisy, unrecognisable image. Importantly, though, only the amplitude information is modified. The photon-limited encrypted image can be verified from phase information using nonlinear filters.
This technique could have important uses in object identification, particularly hardware security. For example, counterfeit integrated circuits (ICs) are a growing problem. In 2008, two nuclear operators in the US reported they had unwittingly purchased counterfeit parts for replacements to their control systems. Reported counterfeit parts incidents quadrupled between 2009 and 2014. Half of all manufacturers have, at some point, encountered bogus components.
Adding an optical phase tag to a genuine IC means its authenticity can be confirmed by the eventual buyer simply by illuminating the tag with a laser and capturing the resulting speckle signature with a CCD. Further, by encrypting, compressing and storing information about an IC in a QR code next to the optical phase tag using the DRPE method, a buyer with the correct decryption keys can scan the QR code using a smartphone to reveal information about the IC.
One way of introducing nonlinearity in optical security that Situ is exploring is to change the way light propagates through the encryption device. With a photorefractive crystal placed into a standard DRPE system, laser light can propagate nonlinearly. Situ has shown that phase-retrieval-based attacks on such a system fail to recover the original key. “I believe that this will be the most important result that I will have in this field,” he says.
Other, more speculative possibilities are also being explored. For instance, the nanoworld offers a raft of potential new ways to hide information. One example is in optical artefact metrics. Artefact metrics use the intrinsic, complicated and hopefully unique characteristics of a physical object for authentication.
A sheet of paper, for example, scanned at the micro-level will have a unique pattern of random, naturally occurring texture imperfections that can be used to watermark or fingerprint a document. Although this pattern is unique, it is only due to current technological limitations that it cannot be copied by a skilled forger.
Exploiting the physically unavoidable uncertainty of the nanoscale, truly random nanostructures offer the promise of optical nano-artefact metrics that are technologically impossible to reproduce. Such techniques may be the ultimate in anti-counterfeiting. But attackers may still come up with ways to penetrate the security of even these tiny, apparently irreproducible structures.
Cat and mouse
Coming up with new encryption methods requires ingenuity and imagination, but the only way to truly test their security is to try to break into them. Unlike lone-wolf hackers infiltrating government and corporate digital systems from their bedrooms, optical cryptanalysts work in collaboration and simulate attacks on security systems in the lab.
“This is a game that’s different from what people hear about hackers,” says Professor Guohai Situ from the Shanghai Institute of Optics and Fine Mechanics. “Usually we follow Kerchoff’s assumption, which states that the attacker knows everything about the optical cryptographic system except the keys. Then we send something into the system and get something out.”
Using the input and output data, cryptanalysts attempt to establish a connection, and develop suitable computational algorithms to deduce the keys. “Since all the optical encryption systems proposed so far are linear, the relation between the output and input is not very complicated, and we found that such strategies are very efficient,” Situ adds.
Professor John Sheridan from University College Dublin, who has also mounted successful attacks on advanced DRPE-based systems, notes a dearth of people willing to attack optical security systems: “Most people only propose and simulate methods numerically. They check robustness by demonstrating key-space size but do not actually attack,” he says. This might be the case for several reasons: “Showing that an older method is not so good will not make you many friends in the short term, there are very many proposed techniques - or variations on a few core methods - to examine, and there is also a question of where to start and how to proceed systematically.”
This last point is echoed by Professor Artur Carnicer from the University of Barcelona: “Whereas cryptanalysis of digital systems is a rigorous discipline, at this time a measure of the security of an optical system has not been proposed.”
So while increasingly complex systems are being designed, there is still no way of telling how vulnerable they are to attacks - always leaving a sliver of doubt in the mind of even the most confident cryptographer. “I once teased someone, whom I respect a lot, that if they really believed their encryption technique was good they should give me their personal bank details encoded using their method,” recalls Sheridan. “They would not give me their details.”
How to hack in
Brute-force attack - as the name suggests, a brute-force attack involves trying every possible combination of data in order to find the key that decrypts an encrypted message. It is usually a last resort and usually not regarded as practical because modern encryptions have huge key spaces that would take hundreds or thousands of years to crack with this method.
Known-ciphertext attack - here, Eve steals ciphertexts from Alice’s handbag, but has no idea what the plaintext corresponding to these ciphertexts are. This is a weak attack because the attacker has little to work with. It can, however, be successful, as witnessed in early versions of Microsoft’s PPTP virtual private network software.
Known-plaintext attack - Eve listens in on an encrypted conversation between Bob and Alice, and knows they both love cheese and wine, so can guess the conversation had the words ‘cheese’ and ‘wine’ in it. She now has plaintext-ciphertext pairs that she didn’t choose. Many classic ciphers are susceptible to this type of attack, as were older versions of encrypted ZIP files.
Chosen-plaintext attack - Bob signs up to a file storage system that uses the same key to encrypt everyone’s documents, and lets all users see each other’s files in encrypted form. Eve registers and starts encrypting chosen files and looks at the resulting ciphertext. From this she obtains the service’s encryption key, and decrypts Bob’s documents. The Allies mounted such an attack to decipher messages from the Enigma machine during World War Two, but could only do so once they had captured one.
Chosen-ciphertext attack - including the lunchtime attack and the adaptive chosen-ciphertext attack. If Eve breaks into Bob’s house while he is sleeping and replaces the ciphertext he was going to send to Alice tomorrow with one of her choosing, she can then eavesdrop on their communications (encrypted or not) the next day to try and work out what Alice read when she decrypted the fake ciphertext. This kind of attack is impractical in many situations, but is also the strongest of the above methods.
Side-channel attack - unlike other methods, which find weaknesses in the cryptographic algorithms or use brute force, side-channel attacks exploit weaknesses in the physical implementation of the security. Sound, electromagnetic leaks, power use and many more can be exploited to break the system. RFID tags, smart cards and even PCs have been shown in the past to be vulnerable to attacks on hardware leakage.