[tt] NS: 'Quantum ATM' rules out fraudulent web purchases

Premise Checker <checker at panix.com> on Sat Nov 17 20:13:06 UTC 2007

'Quantum ATM' rules out fraudulent web purchases
http://technology.newscientist.com/article.ns?id=mg19626296.600&print=true
* 10 November 2007
* Duncan Graham-Rowe

A WOMAN walks up to an ATM, types in her PIN number, holds her
cellphone up to the screen for a few seconds and then walks away.
Not very exciting, you may think, but with those simple actions she
has set in motion an elaborate quantum protocol that will allow her
to shop online with complete confidence.

Thanks to a "quantum ATM" system under development at HP Labs in
Bristol, UK, this is now all it will take for two parties to share
a secret string of bits via a quantum key distribution (QKD)
protocol. That string of bits will be used to verify your identity
when you use a credit card to buy something over the internet or by
phone, making it impossible for someone to use your card or card
number to make fraudulent purchases.

QKD systems are sold by several companies worldwide, including ID
Quantique of Geneva, Switzerland, MagiQ Technologies in New York,
and SmartQuantum in Lannion, France. Their customers are restricted
to governments, banks and large companies, which use the system as
a means for two parties to agree on a secret key, with which they
encrypt subsequent information. Until now, the feeling was that QKD
would never be available to consumers because these systems require
lasers and pricey light-polarisers as well as photon detectors and
dedicated optical fibre networks - pushing the price up to many
tens of thousands of dollars.

Now a team of researchers led by Keith Harrison at HP Labs and John
Rarity at the University of Bristol, UK, have built a QKD device
the size of a sugar cube. It costs just $10, can be added to a
cellphone and will transmit a quantum key over short distances, so
there is no need for dedicated optical fibres. Although the system
will mean upgrading ATMs to the tune of $10,000 each, the team says
that banks may consider this a worthwhile investment, eager as they
are to cut down on fraud.

"It's interesting because there was this general understanding that
quantum key distribution had to be expensive," says Grégoire
Ribordy, co-founder of ID Quantique. The price is likely to come
down further as quantum ATMs are mass-produced, adds Jo Duligall of
HP, one of the system's creators.

The aim of all quantum key systems is to enable the sender,
traditionally dubbed Alice, to transmit a secret key to a receiver,
Bob, without allowing a malevolent eavesdropper, Eve, to listen in.
In one version, Alice generates a random string of 1s and 0s and
encodes each bit using a photon polarised in either the rectilinear
"basis", in which 0 and 1 are represented by vertical and
horizontal polarisations, or the diagonal basis, where 1 and 0 are
represented by +45° and -45° polarisations.

Not knowing which basis Alice has used to encode each bit, Bob
randomly measures the photons he receives using either the
rectilinear or diagonal basis and then tells Alice which basis he
has used, but not the values he detected. Alice then tells him to
discard the bits he detected on the wrong basis, which should be
roughly half. The rest form the secret key, which they now share
and can use to encrypt data sent over a public channel.

The point of this elaborate set-up is that if Eve tries to
intercept the photons, Alice and Bob will know about it. The nature
of quantum mechanics ensures that if Eve tries measuring any of the
photons before they reach Bob, she will destroy Bob's ability to
read many of those that he might otherwise have read correctly.
This higher portion of unreadable photons alerts Bob to Eve's
presence. If the correct proportion of photons can be read, Alice
and Bob know that the information channel is secure.
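
The exchange described above can be simulated in a few lines. This
is an added example, not part of the New Scientist article or HP's
system: it assumes an ideal channel with no photon loss or noise,
models Eve as a simple intercept-and-resend attacker, and the names
bb84, measure and error_rate are hypothetical.

```python
import random

def measure(bit, prep_basis, meas_basis, rng):
    """Matching basis reads the encoded bit; a mismatched basis gives a coin flip."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)

def bb84(n_photons, eve_present, seed=0):
    """Return (alice_key, bob_key) after basis sifting on an ideal channel."""
    rng = random.Random(seed)  # constructed, deterministic randomness for the demo
    alice_key, bob_key = [], []
    for _ in range(n_photons):
        # Alice: random bit, random basis ('+' rectilinear, 'x' diagonal)
        a_bit, a_basis = rng.randint(0, 1), rng.choice("+x")
        bit, basis = a_bit, a_basis
        if eve_present:
            # Eve must guess a basis; the photon she re-sends carries
            # her result in her basis, not Alice's original state.
            e_basis = rng.choice("+x")
            bit, basis = measure(bit, basis, e_basis, rng), e_basis
        # Bob: measures in his own randomly chosen basis
        b_basis = rng.choice("+x")
        b_bit = measure(bit, basis, b_basis, rng)
        # Sifting: only bases are announced; mismatched positions are discarded
        if a_basis == b_basis:
            alice_key.append(a_bit)
            bob_key.append(b_bit)
    return alice_key, bob_key

def error_rate(alice_key, bob_key):
    """Fraction of sifted bits that disagree. A real system reveals and then
    discards only a random sample; the whole key is compared here for clarity."""
    return sum(a != b for a, b in zip(alice_key, bob_key)) / len(alice_key)

if __name__ == "__main__":
    for eve in (False, True):
        a, b = bb84(4000, eve)
        print(f"eve={eve}: kept {len(a)} of 4000 bits, "
              f"error rate {error_rate(a, b):.3f}")
```

Without Eve the sifted keys agree exactly; with her, about a quarter
of the sifted bits disagree, which is the signal that tells Alice
and Bob to throw the key away.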

Until now, the key has largely been used to encrypt information,
safe in the knowledge that it is impossible for anyone else to
crack the code and decipher the data. In the new system the shared
key will instead be used to confirm someone's identity when they
make a purchase over the internet (see Diagram). This will be
similar to the way that the 3-digit security code on the back of
some credit cards is used to authenticate users today, except that
with the quantum ATM a different part of the key is used for every
purchase, and then scrapped. This means users will have to "top up"
their phone with new keys periodically by going to the ATM. Unlike
the security code on a card, the key can't be reused in a
transaction if the phone is stolen. Even if someone steals your
phone as well as your credit card, they would still need to know
your PIN to use the key.

To make the quantum ATM system cheap enough for widespread use, the
researchers decided that the cellphone should act as Alice, because
the photon emitters that she requires would be easier to
miniaturise and make inexpensively than the detectors needed by
Bob. The ATM then acts as Bob.

Wireless and cheap

They also opted for photon transmission through free space,
avoiding the need for dedicated, high-quality fibre-optic networks.
Wireless QKD has been done before, but over large distances, which
required expensive lasers. In contrast, for the quantum ATM, the
link need only work over 1 metre, making it possible to do both
wirelessly and cheaply.

A key discovery was that a cheap LED could be made to emit single
photons by carefully controlling the pulsed current that powers it.
Previously single-photon LEDs were custom-made and therefore
expensive. But in the sugar-cube device, four such LEDs are
programmed to randomly emit one photon at a time. Each LED has a
different "mask" in front of it, which polarises any photons it
releases in one of the four possible polarisations. The photons
are then sent out and detected by the ATM. Although the ATM is
constantly being bombarded by photons from its surroundings, the
machine can pick out the quantum ones by their distinctive energy
and amplitude and the pre-programmed time gaps between subsequent
photons.

The next challenge was reducing the size and cost of the computing
- photon emitters in today's commercially available systems run on
large computers. The team discovered they could use ready-made,
inexpensive computer chips, saving them the cost of making their
own. These field programmable gate arrays will run almost any
software and have recently been miniaturised.

Alice uses one FPGA, as well as some other chips, to run the
software that triggers the LEDs, record which basis is used for
each bit, and then compare it with what Bob has received. "We are
now down to a design where the technology in Alice is less
complicated than what goes into an average camera chip," says
Duligall.

The team have used the device to successfully share a secret key
with a photon detector, which could be built into an ATM. They hope
the quantum ATM will be rolled out for consumers within five years.

Its main application will be to secure phone and internet
transactions. These often only require a credit card number, making
them easier to carry out fraudulently. They are now one of the
fastest-growing forms of fraud in the developed world.

In future, secret keys created at quantum ATMs could also be used
as a replacement for public keys. These are used in many
cryptographic systems today, including digital signatures. If
quantum computers become more powerful, however, they will be able
to crack public keys and there will be a need for an alternative.

Related Articles

* 'Half-quantum' cryptography promises total security
  http://technology.newscientist.com/article/mg19626266.000
  21 October 2007
* Quantum cryptography takes to the skies
  http://technology.newscientist.com/article/dn2875
  02 October 2002
* Old hard drives are a goldmine for data thieves
  http://technology.newscientist.com/article/dn12675
  21 September 2007
* Virtual voucher masks online users' identity
  http://technology.newscientist.com/article/dn11100
  03 February 2007

E-mail me if you have problems getting the referenced articles.
