Quantum key distribution is regularly touted as the encryption of the future. While the keys are exchanged on an insecure channel, the laws of physics provide a guarantee that two parties can exchange a secret key without knowing whether they're being overheard. This unencrypted-but-secure form of key exchange circumvents one of the potential shortcomings of some forms of public key systems.

However, quantum key distribution (QKD) has one big downside: the two parties need to have a direct link to each other. So, for instance, banks in and around Geneva use dedicated fiber links to perform QKD, but they can only do this because the link distance is less than 100km. These fixed and short links are an expensive solution. A more flexible solution is required if QKD is going to be used for more general encryption purposes.

A group of Italian researchers have demonstrated the possibility of QKD via a satellite, which in principle (but not in practice) means that any two parties with a view of a satellite can exchange keys.

**Why QKD?**

We live in a world where quantum computing is looming as a viable tool, one that could make current means of encryption obsolete. More secure forms of cryptography are becoming increasingly important. Even now, researchers contemplate a world where various agencies store some intercepted encrypted communication under the assumption that one day they will have sufficient computational power to decode them.

Ars readers know that most security breaches are not due to a failure of encryption; rather they are enabled by poor security practices. However, I think it is fair to say that the exfiltrated data is more accessible due to poor encryption practices. And, once encrypted data has been exfiltrated, it simply awaits the requisite computational power to decode it.

This expectation—that encrypted data can be decrypted in the near future—comes from the fact that many cryptographic algorithms rely on an assumption of mathematical difficulty for their security. The validity of this assumption relies on some deep ideas about how mathematical problems can be solved.

Specifically, the mathematical assumptions that underlie public key exchange are under attack. The most commonly used algorithms are based on the computational complexity of finding prime factors of large numbers. But a quantum computer can solve this problem in far fewer steps than a classical computer. Indeed, the scaling of Shor's algorithm—this is the quantum version of an algorithm for finding prime factors—is so favorable that it is expected that a practical quantum computer will render all encryption methods based on prime factors useless.

This is one reason why QKD is so attractive for certain people: the keys are secret and are exchanged in a way that allows one to ensure that it cannot be intercepted during exchange. Thus, an attacker is always forced to guess the key (rather than use the public part of the key to compute the secret part of the key). Any brute force attack must be performed without even knowing the length of the key or how often a new key is used.

You might argue that an assumption of QKD is that the laws of physics are correct. Science makes a big deal about how we can only get an increasingly accurate approximation of the truth, so surely this assumption is as suspect as the mathematical ones made for classical cryptography? Well, no, not really. Even if we were to discover some deeper theory than quantum mechanics, that theory must still replicate all the experimental results of quantum theory, and this includes the ones on which QKD are based. So this assumption is a fairly safe one.

**In space, no one can hear your key exchange**

In terms of technology, QKD is very close to being suitable for widespread use—though by "use" I mean communication between data centers, rather than for home use. The hurdle, as I stated in the introduction, is that the link must be directly between two parties, which limits us to about 100km via fiber.

There, has, however, been a rather strong push to develop free-space QKD, and this has now gone critical with the tests that show QKD via satellite is possible. In order to do this, the researchers made use of laser ranging satellites, which have corner cube mirrors mounted on them. The corner cube mirrors are retro-reflectors, so any signal that arrives gets sent back in the direction that it came from. More importantly, corner cube reflectors normally preserve polarization, which is commonly used to carry data.

So, as long as the signal arrives at your detector, then you should be able to generate a key using lasers bounced off this satellite.

Getting a signal is, unfortunately, no easy task. First, you need a clock signal to tell you when to measure—the properties of the atmosphere and the relative motion between the sender, detector, and satellite mean that you can't rely on local timing. The clock takes the form of a powerful, let-me-fry-your-eyes laser, emitting 10 pulses per second. The actual qubits (quantum bits) are sent at 100 MHz, with every 105th pulse synchronized with the clock signal. These pulses are emitted and collected by a 1.5m telescope.

The researchers compared the polarization states they detected to the pulses of light they sent. They determined that the newer satellites did preserve polarization, while older satellites generated more errors, possibly because the coatings on the reflectors had been damaged over time (the older satellites are 15 to 20 years old). For the researchers, this showed that the error rate was low enough that a key could be shared via quantum states. But, at this point I was extremely skeptical.

QKD security is only guaranteed if the source emits single photons, since those get altered by any eavesdropping. But, in this system, the receiver gets single photons, while each pulse contains 1.3 billion photons when it exits the telescope. You would think that this renders the result useless. An eavesdropper can, by tapping a tiny fraction of the signal emitted from the telescope, obtain every bit sent without the knowledge of either sender or receiver.

The standard QKD protocol involves revealing how each measurement was performed. While only the sender knows which polarization state was sent, everyone (including an eavesdropper) knows how the measurement was performed. If only the sender and receiver know the results of the measurements, the key is secure.

It is the first and last bit of hidden knowledge—the bits sent and the measurement results—that keeps the key secret. On the face of it, in this scheme, anyone can know what polarization state was sent if they can simply snag one of those 1.3 billion photons. Everyone knows how the measurement was performed; therefore, everyone knows what the measurement results were. No secrets are kept in this situation.

However, the researchers realize this and have an alternative protocol. In their approach, the satellite would contain optics that would modify the polarization of the light at the satellite. Since the reflected signal is at the single photon level, interception after this point is detectable. Therefore, all is well, right?

The key is to make sure that the polarization state sent to the satellite does not reveal the polarization state reflected from the satellite. This can be done by sending pulses of light that are circularly polarized. This can be filtered to two pairs of linearly polarized states at the satellite (under the control of the sender). Now, the sender knows which states were sent, everyone knows how the measurements were performed, and, only the sender and receiver know the results of the measurements. This meets the requirements for QKD, but only under the condition that the control signal sent to the satellite remains secure.

This later point seems like a pretty serious weakness. A solution might be to have two identical pseudo random number generators and initiate both with the same seed at the beginning of the key generation process. But you really need to ensure that the random number generator is protected or that the seed is truly obfuscated.

I guess that what this paper demonstrates is that the single photon states behind QKD are certainly preserved on reflection from a satellite and that this opens up the possibility of having non-fixed links between parties that need to share keys. But we can't use this technique with existing satellites, and there are some very practical problems associated with controlling the satellites in a secret manner that remain unsolved.

## 暂无评论