Hacking the unhackable
Could quantum encryption have saved Mary, Queen of Scots?
By the time Mary was put on trial for treason in 1586, she had been imprisoned in England for more than 18 years. Mary's cousin, Queen Elizabeth of England, had always viewed her as a threat to the crown, but needed proof positive of treason before ordering her execution. Elizabeth's chief secretary had recently been alerted that Mary's compatriots, including one Anthony Babington, were hatching a plot to assassinate Elizabeth.
In prison, Mary received letters from her supporters seeking approval of the assassination plot. To ensure her replies would remain secret, Mary employed a method that queens, kings, and military leaders had used for thousands of years to communicate sensitive messages: she wrote her consent in a secret cipher. Queen Mary felt certain that even if her correspondence was discovered, no one could decode the seeming jumble of alphabet letters and numerical symbols. Unbeknownst to her, a spymaster for Queen Elizabeth had not only intercepted Queen Mary's replies, but broken the code. Before handing the traitorous evidence over to the court, the code breaker put his own symbol atop Queen Mary's encrypted missives: the gallows.
Mary, Queen of Scots, was beheaded in February 1587.
Cat and mouse
The cat-and-mouse competition between code makers and code breakers has played out for centuries, but today their battles have higher stakes. With the flood of personal information on cell phones, computers, and laptops, the internet is a playground for hackers. They have already stolen millions of social security numbers and health records and intercepted numerous government secrets. If hackers manage to break the complex codes that governments and financial institutions have relied on for the past three decades, it could bring the operation of banks, electrical power grids, and even nations to a standstill.
That's where quantum encryption comes in. The strange laws of quantum physics dictate that a code based entirely on quantum mechanics can never, ever be broken—in theory. In practice, quantum encryption is still vulnerable to code breakers and will be for the foreseeable future. Code makers, however, do have the laws of nature on their side—bizarre, counterintuitive laws, but laws nonetheless.
Consider a code that uses the quantum principle of superposition. Superposition means that an isolated atom or other quantum particle can exist in more than one state at a time. For instance, the spin of an electron has two directions—"up" or "down," akin to the two states "0" and "1" of a classical computer bit. The superposition principle says the spin of an isolated electron is indeterminate: It can point up, down, or exist simultaneously in some schizoid combination of the two.
Evidence of tampering
In the early 1970s, physicist Stephen Wiesner, then at Columbia University, proposed that information could be securely coded in such a two-state quantum system, now known as a quantum bit or qubit. Wiesner capitalized on another quantum feature: A qubit, whether electron spin or some other two-state quantum system, can't be measured without altering its original state.
If an outsider—a potential code breaker—tries to peek at the spin, the very act of measuring breaks the superposition, forcing the electron spin (qubit) to point in a specific direction, up or down. Instead of decoding the secret message, the eavesdropper destroys the code itself. A hacker cannot attempt to steal quantum information without leaving prima facie evidence that she's done so.
Quantum Coding in Action
Let's say Alice and Bob want to communicate privately and avoid eavesdropping by a third party, Eve. They rely on the quantum principle of superposition and a light's polarization property—the direction in which the electric field of a photon vibrates as the photons journey forward. Photons have four possible polarization states: vertical, horizontal, and diagonal polarizations of plus or minus 45 degrees.
First, Alice sends a stream of photons to Bob through a filter that randomly endows each particle of light with one of the four possible polarizations. For example, a vertical polarization might be assigned a zero, a horizontal polarization a one, a 45-degree polarization to the right a 1 and a polarization of 45 degrees to the left a zero.
Bob has to read the polarizations of each photon by selecting a filter, and he doesn't always guess the right filter to pick. But that's OK. When Bob and Alice compare notes after the transmission, Bob tells her what filter he used for each detection. For those instances in which Bob chose a polarization filter that did not match Alice's, those photons (qubits) are discarded. The remaining photons form a shared key. As the last check, Alice and Bob sacrifice some of the key photons to publicly disclose them and determine if they have been altered in transit. If no one has tried to eavesdrop, they will be identical. The remaining undisclosed photons then form the secret key.
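The exchange described above can be simulated classically. The following Python sketch is an added example, not code from the article or from any QKD product: it assumes an idealized, noise-free channel, models Eve as measuring every photon with a randomly chosen filter, and uses invented names (run_exchange, measure, disclosed_fraction).

```python
import random

BASES = "+x"  # "+" = vertical/horizontal filter, "x" = the two 45-degree diagonals

def measure(bit, photon_basis, filter_basis, rng):
    """A matching filter reads the encoded bit; a mismatched one yields a coin flip."""
    return bit if photon_basis == filter_basis else rng.randint(0, 1)

def run_exchange(n_photons, eavesdropper, seed, disclosed_fraction=0.5):
    # Seeded PRNG keeps the simulation reproducible; it is not a key-material source.
    rng = random.Random(seed)
    alice_bits = [rng.randint(0, 1) for _ in range(n_photons)]
    alice_bases = [rng.choice(BASES) for _ in range(n_photons)]
    bob_bases = [rng.choice(BASES) for _ in range(n_photons)]

    bob_bits = []
    for bit, basis, bob_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdropper:
            # Measuring in transit re-polarizes the photon in the filter that was used.
            eve_basis = rng.choice(BASES)
            bit = measure(bit, basis, eve_basis, rng)
            basis = eve_basis
        bob_bits.append(measure(bit, basis, bob_basis, rng))

    # Compare notes: keep only positions where Bob's filter matched Alice's.
    kept = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]

    # Sacrifice a random part of the shared key and compare it in public.
    rng.shuffle(kept)
    n_disclosed = int(len(kept) * disclosed_fraction)
    disclosed, secret = kept[:n_disclosed], kept[n_disclosed:]
    mismatches = sum(alice_bits[i] != bob_bits[i] for i in disclosed)

    return {
        "sifted": len(kept),
        "error_rate": mismatches / n_disclosed if n_disclosed else 0.0,
        "tamper_detected": mismatches > 0,
        "alice_key": [alice_bits[i] for i in secret],
        "bob_key": [bob_bits[i] for i in secret],
    }

if __name__ == "__main__":
    for label, eve in (("quiet line", False), ("measured in transit", True)):
        r = run_exchange(4000, eve, seed=1)
        print(f"{label}: sifted={r['sifted']} error_rate={r['error_rate']:.3f} "
              f"tamper_detected={r['tamper_detected']}")
```

About half the photons survive the filter comparison. On a quiet line the disclosed bits agree exactly; when every photon is measured in transit, roughly a quarter of the disclosed bits disagree, which is the evidence of tampering that Alice and Bob look for.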
In 1984, two researchers, Charles Bennett of IBM in Yorktown Heights, New York, and Gilles Brassard of the University of Montreal, built upon Wiesner's proposal and fleshed out a scheme in which two people could create a so-called quantum key distribution (QKD)—a shared code that can encrypt and decrypt messages without fear of hacking.
Other quantum encryption codes, which can be employed over great distances, such as several tens of kilometers of optical fiber, rely on an even stranger quantum property known as entanglement. Consider two isolated quantum particles that are highly correlated—for instance two photons generated with equal and opposite polarizations. No one knows the polarization of either photon—in fact, according to the superposition principle, they are both indeterminate.
Suppose one photon heads towards Alice, who receives signals at one end of the coding network, and the other photon heads towards Bob, at the other endpoint of the network. If Alice measures the polarization of the photon headed her way and finds that it points vertically up, it automatically forces the polarization of the photon headed toward Bob to point vertically down. And that's true even if Alice and Bob reside on opposite ends of the universe. Entanglement manages to teleport a signal from Alice to Bob.
Teleportation via Entanglement
Quantum teleportation transfers information about the quantum state of one particle to another remote particle. In this scenario, Alice and Bob are at either end of a communications network and share a qubit in the form of a pair of entangled photons. Alice has one photon, Bob the other. Alice now wants to share some new quantum data with Bob. To do so, she performs an operation that causes her photon to interact or become entangled with a nearby qubit that contains that quantum data. When she performs a measurement of the state of her entangled photon and the qubit, she finds that the state of her entangled photon has changed due to the interaction with the qubit. But because her photon is entangled with Bob's, his photon must also have changed.
Bob, however, is still in the dark—he can't tell if or how his photon has changed until he receives the results of Alice's measurement. She transmits the information using ordinary (non-quantum) computer bits through a standard optical fiber. When Bob receives the information, he can finally determine how his photon has changed and deduce the quantum data that was securely teleported to him. The beauty of this approach is that no actual particle had to make the passage, only the information.
A key benefit of entanglement is that it enables code makers to create and share strings of random numbers between two members of a communications network who want to keep their messages secret. Cryptographers are enamored by random numbers because by definition they cannot be predicted, and a code based on them cannot be hacked. And only quantum mechanics, with its wholly unpredictable, indeterminate nature, can generate a set of truly random numbers. You might think that some non-quantum activity, like tossing a coin, could just as easily generate a random pattern—the unpredictability of the coin landing heads or tails on a given toss. In fact, if all the factors affecting the coin toss were known, you could predict each time if the coin will land heads or tails. In quantum theory, the outcome of a process can never be predicted with certainty.
"Quantum physics is very weird because we don't have analogies in real life, and that makes it very hard to gain intuition about how this stuff works," says Christopher Monroe of the University of Maryland and Duke University. It's also hard to make the leap from quantum encryption theory to building actual systems that employ theory, he adds.
If you can't attack the code, attack the setup
Although quantum encryption can't be tampered with, the devices built to generate and receive the photons, electrons, or clouds of ions used in quantum encryption are far from perfect. Researchers call this the implementation problem.
"You can't attack the quantum code, but you can attack the setup," says cryptographer Michele Mosca of the University of Waterloo in Canada.
Hackers—often other scientists—take advantage of these imperfections, using their wits to uncover loopholes that can compromise the security of quantum messaging. What's more, some of these attacks can be accomplished without legitimate participants ever knowing about the breach.
Vadim Makarov, a burly physicist with a flowing beard, is famous for finding such loopholes, known as side channels. Now director of the quantum hacking lab at the Russian Quantum Center in Moscow, Makarov found a relatively simple way to steal a QKD without a trace a decade ago.
In Makarov's scenario, interloper Eve sends a pulse of blindingly bright light to the single-photon detector that Bob uses to receive Alice's quantum-encoded message of 1s and 0s. The brilliant flash lowers the sensitivity of Bob's detector so that it can no longer record single photons. It stops acting as a quantum light sensor because the detector has lost the ability to distinguish between the different polarization states of individual photons sent by Alice.
However, the device still responds as an ordinary, non-quantum light detector for streams of photons that are bright enough, which happens whenever Eve surreptitiously sends another bright pulse of light to Bob. Eve sends such a pulse every time she intercepts a signal from Alice that has a bit designation of "1." In this way, Eve's and Bob's readings match, and neither Bob nor Alice has any idea that Eve has hacked the quantum cryptographic system.
In another mode of attack, physicist Hoi-Kwong Lo of the University of Toronto and his colleagues focused on Alice instead of Bob. The strategy exploits the timing involved in how some quantum encryption systems encode messages. To begin encrypting, Alice needs Bob to send a light pulse, which she then encodes using a phase modulator. Because Alice and Bob have agreed that Bob will send his initial signal at a particular time, Alice only switches on the phase modulator just before the signal's expected arrival.
Armed with this knowledge, Eve disrupts the encryption scheme. She slightly delays or advances the timing of Bob's signal, for example by lengthening or shortening the optical fiber through which Bob's signal travels. This introduces errors in Alice's coding that prevent either her or Bob knowing that Eve has stolen the code.
With improved detectors, these particular loopholes have been closed, but others may remain. For instance, some single-photon detectors emit light, known as a back flash, when they detect a photon. If Eve intercepts the back flashes, they might provide enough clues for her to decipher the quantum code without anyone knowing. In yet another scenario, if Eve measures changes in the power consumption of computer chips as they generate the quantum code, she may acquire enough clues to decipher the encryption.
"There's a lot of tricks to the trade," says Mosca.
In patching these loopholes, new, unexpected ones may arise, notes physicist Dirk Englund, head of the quantum photonics laboratory at MIT. That's because QKD typically relies on simple mathematical models to describe the operation of the devices involved in the encryption. If the actual devices behave differently than the models, it could leave real-life QKDs vulnerable to hackers, noted Victor Zapatero and Marcos Curty of the University of Vigo in Spain in a recent Nature article.
So can quantum encryption systems be made secure even if we can't trust the components?
Until recently, Englund says, the answer would have been no. But the landscape has changed with the development of device-independent quantum key distribution (DIQKD) encryption. These are systems in which the protocol for sending a secure message does not require that the devices generating and receiving quantum-encoded signals are trustworthy. No assumptions are made about the inner workings of the devices; instead they are viewed as the quantum version of a black box. Alice and Bob extract their shared code only from the statistical pattern that emerges after recording large amounts of data. If Alice and Bob can prove they have generated true entanglement by examining the statistical data, they are free to send encrypted messages without fear that hackers could break in through side channels.
At present, however, these systems, though foolproof, transmit information too slowly to be practical. They are also difficult to build.
In the meantime, researchers have an alternative that is not quite as secure but protects against side-channel attacks more effectively than other quantum encryption setups. These are measurement-device-independent quantum key distributions (MDIQKD) systems, which allow encrypted data to be successfully transmitted irrespective of the trustworthiness of the device that measures the signal.
With many hackers finding ingenious ways to take advantage of flaws in measuring devices, MDIQKD eliminates a host of vulnerabilities. What's more, several companies in the US and Europe, including ID Quantique in Switzerland, have taken the first steps to building actual MDIQKD systems, which transmit information at a higher rate than the more restrictive DIQKD schemes.
Quantum computers threaten the security of quantum encryption
Chinese researchers, led by the "father of quantum" Pan Jian-Wei of the University of Science and Technology in Shanghai, demonstrated what may be the splashiest example of quantum entanglement in 2017, when they teleported the quantum states of entangled photons on Earth to an orbiting satellite 1,400 kilometers away. As the satellite flew over Beijing and then Vienna, it beamed separate quantum encryption codes, based on the quantum states of the photons, to ground stations near each city. The codes enabled scientists in the two cities to conduct an unhackable video conference. Canada is now planning to launch its own satellite to test quantum communication schemes.
In the meantime, Pan and his collaborators reported another first earlier this year: They set a new distance record for producing entangled quantum pairs on the ground. Using photons and atoms as the partners, they achieved entanglement between two nodes of a communications system separated by 50 kilometers. That's long enough to connect two cities.
In the Netherlands, researchers are working to build a secure quantum communications network between Delft and three other cities. Their goal is to develop a blueprint for a future quantum internet that would operate across Europe.
But research institutions, private companies, and governments aren't only pouring money into developing secure quantum encryption systems. They know that quantum theory can be used to break codes as well as protect them. The threat comes from future quantum computers, which may begin to threaten cyber-security in less than a decade, and are the focus of a lot of government and industrial R&D.
Researchers demonstrated two decades ago that quantum computers will have the power to smash the classical encryption codes that now secure everything from health records to Amazon purchases. Which is why nations are racing to develop more complex classical codes that can withstand a quantum computer attack. (Battling the problem by using unhackable quantum encryption is not possible, experts say, because advanced quantum computers can be built long before the necessary network, devices, and software to support a worldwide QKD system.)
A quantum computer wields enormous power because its qubits can simultaneously assume a multiplicity of values between 0 and 1. A quantum computer with 50 qubits can exist in 2^50 (one quadrillion) states at once. That means it can solve enormously complex mathematical problems that are beyond the ken of the world's largest supercomputer. A boon to basic and applied research, a quantum computer's abilities include something cryptographers of 30 years ago had not counted on: It can factor a number as large as 500 digits, determining which two numbers, multiplied together, will produce that large number.
That's of grave concern because the standard classical code, known as RSA (named for the trio of researchers, Rivest, Shamir, and Adleman, who developed it), relies on keeping secret the factors of large numbers employed in the code. Because bona fide users of an RSA code generate a large number by multiplying together two smaller ones, they automatically know the factors.
Reversing the process—given a very large number, find the factors that generated it—is far more difficult and not solvable by any computer existing today. It's a little like the difference between mixing two paint colors to get a third and trying to find and separate the two colors that produced the mixture. A future quantum computer would have no trouble separating the colors.
That code-breaking capability imperils cybersecurity not only in the future but right now. Suppose a government agent sends an ultrasensitive message today using RSA. If a hacker intercepts the message, he of course won't be able to decipher the message with any existing computer. But the hacker is patient. If he archives the recording and waits long enough—until an advanced quantum computer is in operation—he can break the code then, revealing the contents of a message that may still prove to be highly dangerous if made public. In that sense, a quantum computer that comes online a decade from now can travel back in time, exposing today's supposedly secure secrets.
It's not easy to prove that a new classical code is complex enough to resist a quantum computer attack, but at the National Institute of Standards and Technology (NIST) in Gaithersburg, Maryland, they're trying. NIST recently sponsored a competition to find such codes and has winnowed the 69 entries down to 15 that will undergo extensive testing. It will take several years to prove that any of the 15 can withstand the scrutiny of an advanced quantum computer.
Developing codes that can't be cracked by quantum computers, and building encryption systems based on the law of quantum mechanics, aren't either/or endeavors, says Mosca. With so much of our lives and our economic prosperity online, he notes, "both are needed to protect cybersecurity."
These endeavors might even, perhaps, protect an encrypted message from MaryQueenofScots@gmail.com.
Ron Cowen is an award-winning science writer based in Silver Spring, Maryland. His writing focuses on physics and astronomy and the history and technology of early recorded sound. His first book—Gravity's Century: From Einstein's Eclipse to Images of Black Holes—was recently published by Harvard Press.