Researchers at Toshiba have developed a new quantum-based system that can guarantee the distribution of encryption keys across a network with 100 percent certainty.

The system, which was unveiled at this week's NanoTech 2007 exhibition in Tokyo, builds on quantum key distribution, which has been the subject for research and development work for some time because it promises to make possible the secure distribution of encryption keys across a network.

Currently encryption keys must be sent offline, typically on physical media in tamper-proof packages, to ensure their integrity.

"With quantum key distribution we can guarantee unconditional security of the key," said Andrew Shields, quantum information group leader at Toshiba Research Europe. "What that means is it's secure from all advances in mathematics, engineering and computing."

Using the system, each bit of an encryption key is encoded on a single photon of light. The quantum status of photons is changed once they are read, so if an eavesdropper snoops the key while it is being distributed, the action is immediately noticeable by the intended recipient and the key can be discarded as insecure and a new one sent. Thus it's possible for encryption keys to be securely distributed across a network and for Shields to make such a bold statement.

Or at least that's the theory.

In practice is very difficult to control a laser so that it reliably generates a single photon of light with each data pulse. The power can be turned down so that a single photon is emitted almost all the time but occasionally two or more photons are produced. That opens the possibility for an eavesdropper to read the second photon while allowing the first to continue on its way. Such an attack wouldn't be detectable.

The Toshiba scientists say this can be guarded against by transmitting decoy photons. For these, the power of the laser is ratcheted down even further so that fewer photons are produced and proportionally fewer double photons. If an eavesdropper attempts to read part of the key by pulling off the second of each double photon, the receiver would get proportionally fewer decoy photons and so the eavesdropping could be detected, said Shields.

The system on display at NanoTech 2007 involved encryption of a video link. Images from a camera were fed into an encryption device via Ethernet. The device was connected to a decryptor via two fibre optic cable runs of 25 kilometres each. One link was used for transmission of the key and another for transmission of the encrypted data.

The new system with decoy photons also allows the data rate of the key-transmission link to be increased to 5.5 Kbp/s. At that rate many keys can be transmitted per second thus helping to guard against cracking of the link through crypto-analysis.

"We're looking at the possibility of commercialising this fairly soon," said Shields.

One problem that remains with the technology is that it requires end-to-end connection to be across a single fibre optic cable. Routers and switches can't be used because that would involve measuring or in some way interrupting the photon, which would look the same as an eavesdropping attempt. Currently most quantum key distribution systems work over distances of up to about 100 kilometres.

The technology could be made to work over a network or longer distances, but would require that each switch or routing point was in a location physically trusted to be secure from eavesdroppers, said Shields.