Best-Kept Secrets

[R.A. Hettinga]

<http://www.sciam.com/print_version.cfm?articleID=000479CD-F58C-11BE-AD0683414B7F0000>


Scientific American:
  
December 20, 2004

Best-Kept Secrets

Quantum cryptography has marched from theory to laboratory to real products

By Gary Stix

 At the IBM Thomas J. Watson Research Laboratory, Charles Bennett is known
as a brilliant theoretician--one of the fathers of the emerging field of
quantum computing. Like many theorists, he has not logged much experience
in the laboratory. His absentmindedness in relation to the physical world
once transformed the color of a teapot from green to red when he left it on
a double boiler too long. But in 1989 Bennett and colleagues John A. Smolin
and Gilles Brassard cast caution aside and undertook a groundbreaking
experiment that would demonstrate a new cryptography based on the
principles of quantum mechanics.

 The team put together an experiment in which photons moved down a
30-centimeter channel in a light-tight box called "Aunt Martha's coffin."
The direction in which the photons oscillated, their polarization,
represented the 0s or 1s of a series of quantum bits, or qubits. The qubits
constituted a cryptographic "key" that could be used to encrypt or decipher
a message. What kept the key from prying eavesdroppers was Heisenberg's
uncertainty principle--a foundation of quantum physics that dictates that
the measurement of one property in a quantum state will perturb another. In
a quantum cryptographic system, any interloper tapping into the stream of
photons will alter them in a way that is detectable to the sender and the
receiver. In principle, the technique provides the makings of an
unbreakable cryptographic key.

 Today quantum cryptography has come a long way from the jury-rigged
project assembled on a table in Bennett's office. The National Security
Agency or one of the Federal Reserve banks can now buy a
quantum-cryptographic system from two small companies--and more products
are on the way. This new method of encryption represents the first major
commercial implementation for what has become known as quantum information
science, which blends quantum mechanics and information theory. The
ultimate technology to emerge from the field may be a quantum computer so
powerful that the only way to protect against its prodigious code-breaking
capability may be to deploy quantum-cryptographic techniques.

 The arrival of the quantum computer may portend the eventual demise of
ciphers based on factorization.

The challenge modern cryptographers face is for sender and receiver to
share a key while ensuring that no one has filched a copy. A method called
public-key cryptography is often used to distribute the secret keys for
encryption and decoding of a full-length message. The security of
public-key cryptography depends on factorization or other difficult
mathematical problems. It is easy to compute the product of two large
numbers but extremely hard to factor it back into the primes. The popular
RSA cipher algorithm, widely deployed in public-key cryptography, relies on
factorization. The secret key being transferred between sender and receiver
is encrypted with a publicly available key, say, a large number such as
408,508,091 (in practice, the number would be much larger). It can be
decrypted only with a private key owned by the recipient of the data, made
up of two factors, in this case 18,313 and 22,307.

 The difficulty of overcoming a public-key cipher may hold secret keys
secure for a decade or more. But the advent of the quantum information
era--and, in particular, the capability of quantum computers to rapidly
perform monstrously challenging factorizations--may portend the eventual
demise of RSA and other cryptographic schemes. "If quantum computers become
a reality, the whole game changes," says John Rarity, a professor in the
department of electrical and electronics engineering at the University of
Bristol in England.

 Unlike public-key cryptography, quantum cryptography should remain secure
when quantum computers arrive on the scene. One way of sending a
quantum-cryptographic key between sender and receiver requires that a laser
transmit single photons that are polarized in one of two modes. In the
first, photons are positioned vertically or horizontally (rectilinear
mode); in the second, they are oriented 45 degrees to the left or right of
vertical (diagonal mode). In either mode, the opposing positions of the
photons represent either a digital 0 or a 1. The sender, whom
cryptographers by convention call Alice, sends a string of bits, choosing
randomly to send photons in either the rectilinear or the diagonal modes.
The receiver, known as Bob in crypto-speak, makes a similarly random
decision about which mode to measure the incoming bits. The Heisenberg
uncertainty principle dictates that he can measure the bits in only one
mode, not both. Only the bits that Bob measured in the same mode as sent by
Alice are guaranteed to be in the correct orientation, thus retaining the
proper value.

 After transmission, Bob then communicates with Alice, an exchange that
need not remain secret, to tell her which of the two modes he used to
receive each photon. He does not, however, reveal the 0- or 1-bit value
represented by each photon. Alice then tells Bob which of the modes were
measured correctly. They both ignore photons that were not observed in the
right mode. The modes measured correctly constitute the key that serves as
an input for an algorithm used to encrypt or decipher a message.

 If someone tries to intercept this stream of photons--call her Eve--she
cannot measure both modes, thanks to Heisenberg. If she makes the
measurements in the wrong mode, even if she resends the bits to Bob in the
same way she measured them, she will inevitably introduce errors. Alice and
Bob can detect the presence of the eavesdropper by comparing selected bits
and checking for errors.

 Beginning in 2003, two companies--id Quantique in Geneva and MagiQ
Technologies in New York City--introduced commercial products that send a
quantum-cryptographic key beyond the 30 centimeters traversed in Bennett's
experiment. And, after demonstrating a record transmission distance of 150
kilometers, NEC is to come to market with a product at the earliest next
year. Others, such as IBM, Fujitsu and Toshiba, have active research
efforts.

 The products on the market can send keys over individual optical-fiber
links for multiple tens of kilometers. A system from MagiQ costs $70,000 to
$100,000. "A small number of customers are using and testing the system,
but it's not widely deployed in any network," comments Robert Gelfond, a
former Wall Street quantitative trader who in 1999 founded MagiQ
Technologies.

 Some government agencies and financial institutions are afraid that an
encrypted message could be captured today and stored for a decade or
more--at which time a quantum computer might decipher it. Richard J.
Hughes, a researcher in quantum cryptography at Los Alamos National
Laboratory, cites other examples of information that must remain
confidential for a long time: raw census data, the formula for Coca-Cola or
the commands for a commercial satellite. (Remember Captain Midnight, who
took over HBO for more than four minutes in 1986.) Among the prospective
customers for quantum-cryptographic systems are telecommunications
providers that foresee offering customers an ultrasecure service.

 The first attempts to incorporate quantum cryptography into actual
networks--rather than just point-to-point connections--have begun. The
Defense Advanced Research Projects Agency has funded a project to connect
six network nodes that stretch among Harvard University, Boston University
and BBN Technologies in Cambridge, Mass., a company that played a critical
role in establishing the Internet. The encryption keys are sent over
dedicated links, and the messages ciphered with those keys are transmitted
over the Internet. "This is the first continuously running operational
quantum-cryptography network outside a laboratory," notes Chip Elliott of
BBN, who heads the project. The network, designed to merely show that the
technology works, transfers ordinary unclassified Internet traffic. "The
only secrets I can possibly think of here are where the parking spaces
are," Elliott says. Last fall, id Quantique and a partner, the Geneva-based
Internet services provider Deckpoint, put on display a network that allowed
a cluster of servers in Geneva to have its data backed up at a site 10
kilometers away, with new keys being distributed frequently through a
quantum-encrypted link.

 The current uses for quantum cryptography are in networks of limited
geographic reach. The strength of the technique--that anyone who spies on a
key transmittal will change it unalterably--also means that the signals
that carry quantum keys cannot be amplified by network equipment that
restores a weakening signal and allows it to be relayed along to the next
repeater. An optical amplifier would corrupt qubits.

 To extend the distance of these links, researchers are looking beyond
optical fibers as the medium to distribute quantum keys. Scientists have
trekked to mountaintops--where the altitude minimizes atmospheric
turbulence--to prove the feasibility of sending quantum keys through the
air. One experiment in 2002 at Los Alamos National Laboratory created a
10-kilometer link. Another, performed that same year by QinetiQ, based in
Farnborough, England, and Ludwig Maximilian University in Munich, stretched
23 kilometers between two mountaintops in the southern Alps. By optimizing
this technology--using bigger telescopes for detection, better filters and
antireflective coatings--it might be possible to build a system that could
transmit and receive signals over more than 1,000 kilometers, sufficient to
reach satellites in low earth orbit. A network of satellites would allow
for worldwide coverage. The European Space Agency is in the early stages of
putting together a plan for an earth-to-satellite experiment. (The European
Union also launched an effort in April to develop quantum encryption over
communications networks, an effort spurred in part by a desire to prevent
eavesdropping by Echelon, a system that intercepts electronic messages for
the intelligence services of the U.S., Britain and other nations.)

 Ultimately cryptographers want some form of quantum repeater--in essence,
an elementary form of quantum computer that would overcome distance
limitations. A repeater would work through what Albert Einstein famously
called "spukhafte Fernwirkungen," spooky action at a distance. Anton
Zeilinger and his colleagues at the Institute of Experimental Physics in
Vienna, Austria, took an early step toward a repeater when they reported in
the August 19, 2004, issue of Nature that their group had strung an
optical-fiber cable in a sewer tunnel under the Danube River and stationed
an "entangled" photon at each end. The measurement of the state of
polarization in one photon (horizontal, vertical, and so on) establishes
immediately an identical polarization that can be measured in the other.

 Entanglement spooked Einstein, but Zeilinger and his team took advantage
of a link between two entangled photons to "teleport" the information
carried by a third photon a distance of 600 meters across the Danube. Such
a system might be extended in multiple relays, so that the qubits in a key
could be transmitted across continents or oceans. To make this a reality
will require development of esoteric components, such as a quantum memory
capable of actually storing qubits without corrupting them before they are
sent along to a subsequent link. "This is still very much in its infancy.
It's still in the hands of physics laboratories," notes Nicolas Gisin, a
professor at the University of Geneva, who helped to found id Quantique and
who has also done experiments on long-distance entanglement.

 A quantum memory might be best implemented with atoms, not photons. An
experiment published in the October 22 issue of Science showed how this
might work. Building on ideas of researchers from the University of
Innsbruck in Austria, a group at the Georgia Institute of Technology
detailed in the paper how two clouds of ultracold rubidium atoms could be
entangled and, because of the quantum linkage, could be inscribed with a
qubit, the clouds storing the qubit for much longer than a photon can. The
experiment then transferred the quantum state of the atoms, their qubit,
onto a photon, constituting information transfer from matter to light and
showing how a quantum memory might output a bit. By entangling clouds, Alex
Kuzmich and Dzmitry Matsukevich of Georgia Tech hope to create repeaters
that can transfer qubits over long distances.

 Entanglement spooked Einstein, but researchers have used the phenomenon to
"teleport" quantum information.

The supposed inviolability of quantum cryptography rests on a set of
assumptions that do not necessarily carry over into the real world. One of
those assumptions is that only a single photon represents each qubit.
Quantum cryptography works by taking a pulsed laser and diminishing its
intensity to such an extent that typically it becomes unlikely that any
more than one in 10 pulses contains a photon--the rest are dark--one reason
that the data transfer rate is so low. But this is only a statistical
likelihood. The pulse may have more than one photon. An eavesdropper could,
in theory, steal an extra photon and use it to help decode a message. A
software algorithm, known as privacy amplification, helps to guard against
this possibility by masking the values of the qubits.

 But cryptographers would like to have better photon sources and detectors.
The National Institute of Standards and Technology (NIST) is one of many
groups laboring on these devices. "One very interesting area is the
development of detectors that can tell the difference between one, two or
more photons arriving at the same time," says Alan Migdall of NIST.
Researchers there have also tried to address the problem of slow
transmission speed by generating quantum keys at a rate of one megabit per
second--100 times faster than any previous efforts and enough to distribute
keys for video applications.

 Quantum cryptography may still prove vulnerable to some unorthodox
attacks. An eavesdropper might sabotage a receiver's detector, causing
qubits received from a sender to leak back into a fiber and be intercepted.
And an inside job will always prove unstoppable. "Treachery is the primary
way," observes Seth Lloyd, an expert in quantum computation at the
Massachusetts Institute of Technology. "There's nothing quantum mechanics
can do about that." Still, in the emerging quantum information age, these
new ways of keeping secrets may be better than any others in the codebooks.

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com