Quantum physics behind 'unhackable' security authentication

News by Doug Drinkwater

A team of Dutch scientists is proposing a new security system for credit cards and passports which uses the power of quantum physics - and which is apparently 'impossible to hack'.

In a new paper entitled ‘Quantum-secure authentication of a physical unclonable key', scientists Sebastianus Goorden, Marcel Horstmann, Allard Mosk, Boris Skoric and Pepijn Pinkse – who work for universities in Twente and Eindhoven - detail how the so-called Quantum-Secure Authentication (QSA) can use a strip of nanoparticles and photons on credit cards, ID cards and passports to authenticate the user with a unique pattern that is ‘impossible to crack'.

Using quantum state computing, millions of nanoparticles and photons of light are zapped onto the tiny paint strips that can be applied to credit cards, and this results in a unique authentication pattern that is forever changing, as photons can be in multiple places at the same time.

This method, according to the researchers, makes the authentication unclonable and unhackable as there are too many data points for the hacker to intercept and – even if they tried to intercept at the ‘Question and Answer' authentication exchange – this would result in the collapse of the quantum properties of the light and the destruction of information being transmitted. Hackers would only capture a fraction of the information required.

This is where there is a difference to ‘normal light', which an attacker could use to measure the entering and return patterns. But with quantum physics, single ‘photon' dots appear to have more information than projected, making it difficult for a would-be hacker or fraudster.

The report notes:  “Authentication of persons and objects is a crucial aspect of security. We experimentally demonstrate quantum secure authentication (QSA) of a classical multiple scattering key. The key is authenticated by illuminating it with a light pulse containing fewer photons than spatial degrees of freedom and verifying the spatial shape of the reflected light. Quantum-physical principles forbid an attacker to fully characterise the incident light pulse. Therefore, they cannot emulate the key by digitally constructing the expected optical response, even if all information about the key is publicly known.

“QSA uses a key that cannot be copied due to technological limitations and is quantum-secure against digital emulation. Moreover, QSA does not depend on secrecy of stored data, does not depend on unproven mathematical assumptions, and is straightforward to implement with current technology.”

Adam Kujawa, head of malware intelligence at Malwarebytes, said in an email to SCMagazineUK.com that the proposed security authentication could one day be commercially-viable.

“Whilst the database could be hacked and the pairs could be stolen, or at least the expected result of the challenge, the keys would not be in a form that could be digitally reproduced and therefore, virtually useless to the attacker. The problem is that even if the attacker were to obtain a correct challenge response, for a single challenge, it would be impossible for them to recreate that response in a way that would authenticate due to the properties of quantum physics.  In addition, they would need to know that the challenge response would be used again in a lock that has dynamically generated keyholes.”

He added:  “Basically, the amount of effort required to ensure that any key would make it through authentication for a single QSA would require numerous tries and having access to both the client and server, something like that would throw flags faster than a working key could be calculated. Authentication at that point would be impossible.”

Alan Woodward, visiting professor at the University of Surrey's computing department and an advisor to Europol, has been following the rise of quantum computing for some time. He says that quantum physics is being applied in various sectors – from technology to medicine – but is seeing some efforts to use it for security solutions too, including the use of quantum dots.

Some UK universities, he says, have been tasked by the British government to research further into the matter, with the government itself investing £270 million into emerging quantum technologies.

There have been concerns though that quantum physics could undermine present-day security technologies, such as encryption. He says that this is ‘true theoretically' but only if quantum computing machines were in existence - something that the NSA is reportedly working on.  

As an example, it has been claimed that Shor's algorithm – developed by scientist Peter Shor – could be used in conjunction with a quantum machine to crack public-key cryptography schemes such as RSA's. Woodward says that this could potentially be carried out in ‘minutes'.

However, noting the launch of this new report, and other efforts to use quantum physics to improve information security, he said: “Quantum computing could be a problem for security, but it could also be answer to some of its problems.”

“It's quite neat technology because it manages to verify someone's authentication because you're using the key you're supposed to. Even a brute-force attack would never get the right answer, so it's self-protecting in a way.

“It's a really good use of quantum phenomenon and if it's viable then it's something we'll see more of in the market.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews