Trojan Attacks on Quantum Cryptography

The security of device-independent quantum key distribution (QKD) has been called ineffective by a team of researchers.

Last month Feihu Xu, Bing Qi and Hoi-Kwong Lo at the University of Toronto in Canada reported a successful hack of devices made by ID Quantique, a commercial quantum cryptography company.

In a nutshell, the classic Bob and Alice explanation maintains that if Eve tries to eavesdrop on the quantum communication, usually visualized as a stream of variously angled photons, she'll introduce errors in the original message, tipping off Bob and Alice. That's in theory, but in reality there's up to 20% error that is tolerated in the communication because of naturally occurring background noise. Knowing this, the researchers have found a way for Eve to intercept some of the packets and still glean the message without the error rate topping that 20% threshold.

The commercial application of this is that a device-dependent cryptography system, where two devices perform the role of Bob and Alice, could be infected by a Trojan that performs as Eve, intercepting and storing the communications before sending it on. This is known as an "intercept and resend attack." While not fatal, it does poke a hole into the invincibility of quantum cryptography.

The academic paper can be found here.