On an otherwise quiet Saturday evening in 1946, Frederic de Hoffman briefly thought he had lost the secrets of the atomic bomb. De Hoffman was a physicist at Los Alamos National Laboratory in New Mexico. As part of his job, he kept the design for the weapon in nine filing cabinets in his office. When he came into work and opened one, he found an enigmatic note: “When all the combinations are the same, one is no harder to open than another — same guy.”


De Hoffman thought that the 'same guy' was the person who had tried to break into the lab's secure facility earlier that summer, but, as it turned out, the thief was standing next to him. It was Richard Feynman (pictured above), a leading quantum theorist who had a reputation as an incorrigible prankster. He had broken into de Hoffman's filing cabinets earlier that day to grab a few documents he needed to write a report.

Security has come a long way since 1946, but some things never change. Quantum physicists are now learning how to crack what is arguably the most secure form of data transmission ever conceived: quantum cryptography. This encryption method is theoretically unbreakable, but nevertheless, groups are finding weaknesses that may require rethinking the design of commercial systems. The work, says Seth Lloyd, a physicist at the Massachusetts Institute of Technology (MIT) in Cambridge, is a cautionary tale. “Nothing is unassailable,” he warns.

Quantum cryptography uses the fundamental laws of physics to encode information in the quantum states of particles, usually photons. Most existing systems use a protocol known as Bennett–Brassard 1984, or BB84, which generates a secure quantum 'key' that can be used to encode messages sent between parties. BB84 works like this: the sender transmits an encoded key by polarizing single photons along one of two axes — up and down or tilted at 45° — and sending them along a fibre-optic cable to the receiver (see diagram). The receiver then randomly chooses an up-and-down or tilted filter to read each photon. If the filter they choose is aligned with the sender's original polarization, the receiver will be able to read one bit of the sender's data, but if they choose the wrong alignment, then the photon, by virtue of quantum mechanics, will pass through the filter in a random orientation.

After the original key has been transmitted, the sender and receiver compare the filters they used for each photon. They throw away the random bits and keep the rest as part of a new, secure shared key, which is then used to encode a longer message sent over regular channels.

At first glance, the BB84 protocol may seem complicated and highly inefficient. But the method behind it means that it can't be intercepted without the sender and receiver finding out. Suppose an eavesdropper were to try to listen in on their conversation. As she reads each photon with her own two filters, she passes it along to the receiver, but not necessarily in the same orientation as it was originally sent. Therefore, when the sender and receiver compare their keys, they will find a lot more random bits created by the eavesdropper and they can immediately cut off their communication or try to send a fresh key through a different channel.
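The exchange described above, as an added simulation that is not part of the original article: it sifts a BB84 key with and without an intercept-and-resend eavesdropper, then has the two parties compare a public sample to decide whether to abort. The function names, the noise-free channel, the 500-bit sample and the 11% abort threshold are assumptions chosen for illustration.

```python
import random

def measure(bit, photon_basis, filter_basis, rng):
    """An aligned filter reads the bit; a misaligned one yields a random result."""
    return bit if photon_basis == filter_basis else rng.getrandbits(1)

def bb84_sift(n_photons, eavesdropper, rng):
    """Return the sender's and receiver's sifted keys as two bit lists."""
    sender_key, receiver_key = [], []
    for _ in range(n_photons):
        # Basis 0 = up-and-down, basis 1 = tilted at 45 degrees.
        bit, send_basis = rng.getrandbits(1), rng.getrandbits(1)
        photon_bit, photon_basis = bit, send_basis
        if eavesdropper:  # she reads the photon, then passes it along
            eve_basis = rng.getrandbits(1)
            photon_bit = measure(photon_bit, photon_basis, eve_basis, rng)
            photon_basis = eve_basis  # resent in whatever orientation she used
        recv_basis = rng.getrandbits(1)
        recv_bit = measure(photon_bit, photon_basis, recv_basis, rng)
        if recv_basis == send_basis:  # filter comparison: keep matching choices
            sender_key.append(bit)
            receiver_key.append(recv_bit)
    return sender_key, receiver_key

def check_channel(sender_key, receiver_key, sample_size, threshold, rng):
    """Compare a random public sample; return (error_rate, key or None)."""
    idx = set(rng.sample(range(len(sender_key)), sample_size))
    errors = sum(sender_key[i] != receiver_key[i] for i in idx)
    rate = errors / sample_size
    if rate > threshold:
        return rate, None  # abort: too many disturbed photons
    # Sampled bits were disclosed publicly, so they are dropped from the key.
    return rate, [b for i, b in enumerate(receiver_key) if i not in idx]

def run(eavesdropper, seed=1984):
    rng = random.Random(seed)  # seeded for a repeatable demo, not for real keys
    a, b = bb84_sift(4000, eavesdropper, rng)
    # Assumed illustrative values: 500-bit sample, 11% abort threshold.
    return check_channel(a, b, sample_size=500, threshold=0.11, rng=rng)

if __name__ == "__main__":
    for eve in (False, True):
        rate, key = run(eve)
        status = "aborted" if key is None else f"{len(key)} key bits kept"
        print(f"eavesdropper={eve}: sample error rate {rate:.3f}, {status}")
```

With no eavesdropper the sampled bits agree exactly; with one, roughly a quarter of the sifted bits disagree, because she picks the wrong filter half the time and each wrong pick randomizes the receiver's reading half the time.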

What sets the BB84 protocol apart from other forms of cryptography is that the code should be impossible to crack. Most of today's keys are encrypted with a mathematical technique that depends on large prime numbers. Security hinges on the idea that large numbers are hard to factor into primes, but there is no way to be sure of that assumption, says Daniel Gottesman, who studies quantum cryptography at the Perimeter Institute in Waterloo, Canada. “We don't think there's a way to do it on a classical computer in any reasonable amount of time, but there is no way to prove that,” he says. By contrast, the security of BB84 and other quantum protocols hinges on the immutable laws of physics: “Given that quantum mechanics is correct, then we can mathematically prove that this idealized BB84 protocol is actually secure.”

But if the idealized version of the BB84 protocol is secure, the real version can be anything but, according to Charles Bennett, a computer scientist at IBM Research in Yorktown Heights, New York. Bennett is one of the 'B's in the BB84 name, and he and other researchers built the first demonstration unit in 1989. In that very first quantum-cryptographic system, Bennett recalls, the polarization of the photon was switched by use of a high-voltage power supply. “The power supply hummed differently depending on whether or not the voltage was being applied,” Bennett says. “If you listened, you could hear it.”

No escape from reality

Nobody was planning on sending state secrets over the experimental set-up in Bennett's office. But while showing that quantum cryptography could work, he and his collaborators inadvertently demonstrated something else: idealizations are often far from reality. “It's hard to ensure that any box that you build is entirely secure,” he says.


Such real-world security is the key to moving quantum cryptography from the lab to the commercial sector, and it has been a slow process. BB84 protocols require sending single photons, but early technology often sent more than one photon at a time, raising the possibility that an eavesdropper could read one without disturbing the others. Single-photon systems became commercially available a few years ago, but they remain modest in their capabilities. Error rates can be high and data speeds slow, and data can only be transmitted as far as a single photon can travel along a commercial fibre-optic line.

Meanwhile, researchers are stepping up their attacks on quantum cryptography. The most scientifically sophisticated strike was conducted earlier this year by MIT physicists led by Jeffrey Shapiro and Franco Wong [1]. The team stole information from a passing photon by entangling its polarization with its own momentum. This quantum-mechanical entanglement allowed the team to read about 40% of the key while leaving the polarization relatively untouched. But Shapiro and Wong both admit that an eavesdropper would be defeated just by increasing the length of the key. Commercial systems already use long keys to deflect such attacks.

Other vulnerabilities could be even more dangerous because they have been overlooked by theorists. For instance, theoretical physicists assume that the sender and receiver will have absolute control over their equipment. But the real world is less precise, says Nicolas Gisin of the University of Geneva in Switzerland. Gisin and his colleagues have shown that an eavesdropper could learn a sender's polarizations by shining a light down the fibre and into the sender's set-up [2]. Because the cryptographic protocol assumes that light will only come from the sender, it doesn't take into account such dirty tricks.

And still other attacks can take advantage of simple flaws in individual components. Earlier this year, Hoi-Kwong Lo and his colleagues at the University of Toronto in Canada showed that they could steal a commercial system's quantum secrets by exploiting a small defect in the receiver's photodetectors. The protocol under attack was different from BB84 in that it required two photons. The system switched on the two highly sensitive detectors only when it was expecting photons from the sender to avoid false alarms. But the detectors switched on at slightly different times. By delaying photons so that they arrived just as a detector was turning on or off, Lo showed that an eavesdropper could modify the measurement, which blinds the receiver to the eavesdropper's presence.

Not everyone agrees on how serious the threats are to commercial systems. “We are quite confident that our system will remain impervious,” says Robert Gelfond, chief executive of MagiQ, a quantum-cryptography company in Somerville, Massachusetts. Gelfond says MagiQ's government and military customers regularly try to breach their systems' security. “They want to see it and test for themselves,” he says. So far, MagiQ has not had to modify any of its cryptographic technology.

Weak spots


But others think that more needs to be done to ensure that the systems live up to their theoretical reputation. “There's been a lot of lip service,” says Gottesman. “But I don't think enough attention has been paid to vulnerabilities.” The researchers are more concerned with getting their set-up to work than they are with finding ways to cheat the system, he says.

That may be changing. Gisin thinks that the number of studies on potential attacks has risen over the past few years. “The entire field is getting more mature,” he says. “Now is really the time to think about these things.” As quantum cryptographic networks grow in size and complexity, they are also at risk from new kinds of attacks. Gisin would like to see the industry develop standards for detectors, transmission lines and other equipment that would help to close future gaps in security.

But there will always be a dirty trick to try, as the quantum-theorist-turned-safecracker Richard Feynman knew all too well. Feynman didn't rely on his theoretical brilliance to open the safes holding America's atomic secrets. He simply guessed the combination. He knew that his friend, a physicist, would undoubtedly choose a number he already had memorized, and the sly theorist got it on the second try: 27-18-28, the first six digits of the mathematical constant e.