Can quantum cryptography work in the real world?

Battelle Memorial Institute has built what it claims is the nation’s first production system for quantum distribution of cryptographic keys and announced plans to create a 400-mile link enabling quantum-key distribution (QKD) between Columbus, Ohio, and Washington, D.C., by 2015.

The project links two facilities in central Ohio and is a demonstration of the R&D organization’s faith in the ability of the emerging technology to future-proof cryptography threatened by increasingly powerful computers.

“Practical QKD systems have existed for about 10 years,” said Don Hayford, director of research at Battelle. But limitations in the range and scalability of the systems have so far restricted their use in this country primarily to research.

Although new in the United States, banks and government agencies in Europe have been using QKD for several years. Battelle is using hardware from the Swiss firm ID Quantique to link its headquarters campus in Columbus with a manufacturing facility about 30 miles away in the suburb of Dublin. New tools will be needed to make the technology feasible for anything larger than a metro area, but Hayford is confident Battelle will be able to offer the technology to its customers, including government, in a few years. “We certainly will go for FIPS approval,” required for government crypto systems, he said, referring to the Federal Information Processing Standards.

Not everyone is so sanguine about the current capabilities of QKD. The National Institute of Standards and Technology, which has been doing research on quantum cryptography for years, does not yet feel it is viable for production systems.

“It’s still a work in progress,” said Alan Mink, electronic engineer in NIST’s Advanced Networking division. “It’s a complicated protocol,” and the limitations of implementing the technology have not yet been overcome.

That does not mean that he disapproves of the early adopters. “They are doing the rest of us a favor by implementing it at this time,” he said. “The more we learn about it, the better we can make it. The more feedback, the better.”

Key exchange, or distribution, is a weak spot in many crypto systems. Even the strongest cryptography is useless if the keys used to encrypt and decrypt data are not secure. A number of methods are commonly used for secure key exchange. The Diffie-Hellman, RSA algorithms and elliptic curve cryptography all use different schemes of public-key cryptography to protect keys during exchange. These schemes are secure today, but increasingly powerful computers eventually could break them.

Quantum-key distribution relies on the quantum state of individual photons to exchange key data. Each photon conveys a single bit of data, based on its quantum state. Because that state cannot be examined without changing it, any eavesdropping is evident.

Commercial products for QKD have been around for a while. MagiQ Technologies sells a system, but it is marketed for research purposes. Battelle began looking at QKD as a tool for secure key exchange about three years ago and began testing ID Quantique’s system in its labs about a year ago. It installed it on its network in August. “It’s live now,” Hayford said, and it is used for all encrypted traffic between the Columbus and Dublin facilities.

“We use AES 256-bit encryption as part of our overall QKD solution,” Hayford said. Keys are changed every five minutes. The system uses an existing gigabit metro-area fiber-optic ring, and Battelle added only about a mile of new fiber to connect to the ring.

“There are limitations to QKD,” Hayford said. Photons can only be sent about 60 miles, and it is a point-to-point protocol, meaning that complete system hardware is needed at each location. Expanding a system beyond a campus or a small number of local facilities “starts to be a little impractical.”

Battelle is working with ID Quantique to develop repeaters, called “trusted nodes,” to extend the range and to enable multiple links, which are expected to enable extension of the QKD network to Battelle offices in Washington by 2015.

But NIST’s Mink says developing a really trustworthy intermediate node is a big hurdle. “Nobody serious about security would accept a multi-hop environment,” he said.

There also are challenges with existing hardware, particularly in the generation and measurement of individual photons. “That is a complicated physics problem,” which NIST and other research facilities have been working on for years, he said. Ideally the photon source would generate a single photon on demand. “We can’t do that right now.”

The specification today for the mean photon rate is 0.1, meaning that on average every 10 attempts will generate one photon. “But you don’t know which attempt, if any, will generate it,” Mink said. “There is no guarantee.”

The other side of the equation, measuring the quantum state of the photon, also is problematic. There are room-temperature devices that can measure photons at a megabit-per-second rate, but they work in wavelengths not usually used for communication. Devices that work in the proper bandwidth are slower and have a long recovery time after each photon is detected. There are devices that work fast and in the proper spectrum, but they require supercooling to temperatures near absolute zero.

Advancing the state of QKD is worth the effort because it is the only provably secure key exchange scheme. Other schemes depend on complexity that can be challenged by powerful computers; the security of quantum key distribution is based on the laws of quantum physics. All hacks demonstrated for intercepting cryptographic keys in commercial QKD systems have been “side channel” attacks that exploit inadequate real-world implementation of the protocol, not weaknesses in QKD itself, Mink said.