ҹ1000

Closing the last loophole for unhackable quantum security

Need to share a secret? A code that's as strong as the laws of physics is within our grasp and could finally make sure your data can never leak

Closing the last loophole for unhackable quantum security

THE Romans had a saying in praise of a reliable man: “You can trust him in the dark.” But as Julius Caesar realised when several members of his inner circle stabbed him to death, sometimes the best course of action is to trust no one.

Throughout history, people have been burned by misplaced trust. Users of the extramarital affairs website Ashley Madison, whose details were leaked in August, are a good example. Their spouses are another. But as far as cybersecurity is concerned, we are finally poised to create a world in which trust is optional. The development taking us there is called device-independent quantum cryptography. Once it is perfected, you will be able to buy a secure device from your worst enemy and still be certain that no one is spying on the messages you send using it. “You don’t have to trust anyone,” says , the University of Oxford physicist whose innovations in cryptography led to the idea.

This perfectly secure future can’t arrive quickly enough, as present-day cryptographic systems are in a precarious state. The security of all of our online purchases, bank transactions and personas rely on a single shaky assumption: that certain mathematical operations are hard to do. The best known of our modern encryption systems is called RSA. To encode data, it builds a key from two very large prime numbers. These are kept secret, but their product – a number thousands of binary digits long – is public knowledge. Data can be encoded using this public key, but only those with knowledge of the original numbers can decrypt it. RSA’s security relies on the fact that there is no known shortcut to find the two starting numbers. The only ways to do it are almost interminable processes, such as trying all the possibilities one by one.

Or so we hope. “We cannot prove that these problems are inherently difficult,” Ekert says. It’s not impossible that someone will discover a procedure allowing a conventional computer to quickly factorise the product of two huge primes. Maybe they already have and they’re cleverly keeping it secret. If such an algorithm ever came to light, internet transactions would collapse, and financial deals and top secret government communications would be exposed. “It would truly be a catastrophe,” says of the Institute for Quantum Computing in Waterloo, Canada. “It’s like a Y2K problem, except we don’t know precisely when it might happen.”

“It’s like a Y2K problem except we don’t know when it will happen”

Even if we could prove that the factorisation problem is beyond the abilities of traditional computers, there are still quantum computers to consider. Because they compute using quantum phenomena they could consider all the possible primes at once. In 1994 mathematician Peter Shor, now at the Massachusetts Institute of Technology, showed this would be a speedy process. Simple quantum computers already exist and advanced machines able to realise Shor’s idea can’t be far off.

One way to reinvigorate our privacy is to fight fire with fire and employ quantum cryptography. This promises the ability to create keys that are entirely random, entirely unpredictable and totally inaccessible to spies.

Quantum cryptography hinges on the rules that govern particles like photons or electrons. Their properties, including polarisation for instance, take multiple values at once, only snapping into sharp definition when measured. Use these properties as a basis for encryption and you preclude any attempt to peek at your key: that would change the result of the measurement, in effect destroying the key’s tamper-proof seal. The technique has already been used to protect hospital data, financial transactions and voting in the Swiss general elections.

Current systems use a protocol where the person transmitting the key, usually referred to as Alice, releases a polarised photon and makes a measurement on it before sending it. Her listening partner, usually referred to as Bob, chooses a particular way to make a measurement of that polarisation, and then he and Alice use an unencrypted channel to compare the sort of measurements they did. This allows them to create one digit of a private key for use in encrypting messages. To build the entire key, Alice and Bob simply repeat the process.

You might think that’s good enough, yet this type of quantum cryptography has weaknesses. “You always have to make some assumptions about certain pieces of equipment,” says Vadim Makarov, one of Mosca’s colleagues in Waterloo. Makarov is an expert at showing that those assumptions matter, having broken into many “secure” systems around the world. He is the first to admit that you have to go to fantastic lengths to exploit these weaknesses, but when it comes to state secrets, say, or large bank transactions, who’s to say nobody would?

One example of such a vulnerability is known as the detection loophole. It arises because the efficiency of photon detectors is never perfect, making practical quantum cryptography a bit like sending multiple copies of your key via an army of couriers to an office that occasionally shuts for lunch. Alice has to send far more photons than would otherwise be necessary, because Bob can’t detect them all. This intermittent detection means Alice and Bob can’t be certain that their apparatus is working securely.

It’s not impossible to dream up ways of solving these technical hitches, but there’s another more subtle problem that comes as an unavoidable side dish and which takes us to the heart of the problem with trust.

Imagine you have bought a state-of-the-art quantum cryptography system. It might well come complete with a shiny certificate guaranteeing its security, but how do you know the manufacturer hasn’t built in a covert back door that allows them to read and sell your secrets?

“How do you know the device hasn’t got a back door that will leak your secrets?”

It’s hardly unthinkable. As soon as a new encryption technology becomes available, governments, corporations and intelligence agencies look for – and may even demand – a hidden flaw that they can exploit. Maybe your machine is programmed to spit out a key matching what someone somewhere has on file. Or perhaps there is a side-channel that logs a copy of any key you generate.

Here’s where device-independent cryptography comes in. It started when Ekert came up with a smart new form of quantum cryptography in 1991 .

This protocol also uses a stream of photons and, just as before, Alice creates a string of random numbers by measuring a property of each. The twist is that this time Bob has a separate stream of photons from the same source, and his photons are “entangled” with Alice’s. Entangled photons are generated in pairs, and their properties are subtly connected. If Alice has one of a pair, and Bob has the other, they can perform measurements on their respective photons that will help them create each digit of a shared key.

So random

Until 2004, Ekert’s idea was just another way of doing quantum cryptography, subject to the same old loopholes (see diagram below). But that changed when Antonio Acín of the Institute of Photonic Sciences in Barcelona, Spain, and colleagues realised that this version of cryptography of the manufacturer. The implications are profound: with this protocol, you could buy the machine from your worst enemy and still be certain that it couldn’t leak your secrets. “It came as a surprise to me,” Ekert says. “Sometimes your inventions can be cleverer than you are.”

The rules of quantum theory say that the link between two entangled particles is “monogamous”: there is no correlation with anything else and so no information can escape to an eavesdropper. Acín’s neat insight was that you can prove whether this is the case using something known as a Bell test.

First set out by physicist John Bell in 1964, the test aims to determine whether two sets of numbers are more highly correlated than can be achieved by chance. “The more they are correlated together, the less they can be correlated with anything outside,” Ekert says.

If your system passes the Bell test, you have a cast-iron guarantee of three things. First, that your key is generated on the fly and thus not predictable. Second, that its digits have an inherent randomness, and thus can’t be guessed. Third, and perhaps most importantly, that no one is tapping into your key transmission using a back door. If they were, the correlations would be tainted.

There was just one problem with the scheme: no one had built a fully watertight experimental set up to conduct the Bell test. It comes down to the same problems that plague today’s versions of quantum cryptography, plus one more that comes into play now we’re dealing with entanglement.

This final problem is called the locality loophole. The worry is that there might be some as yet undiscovered signal relaying information between the entangled particles. If there were, that would invalidate our assumptions about randomness and open up the possibility of some genius adversary tapping the signal.

It might seem like madness to be concerned about all this, but there are two good reasons to push ahead. For one thing, get this right and we would have totally eliminated the need for trust. And for another, this is where the story of quantum cryptography intersects with physicists’ quest to prove quantum theory is a full and accurate description of reality. Here is an opportunity to slay the lingering doubt about whether there is something beneath the spooky links between entangled particles.

Proving that there isn’t would involve a Bell test where the locality and the detection loopholes are simultaneously closed. In the 51 years since Bell published his test researchers did one or the other, but no one had done both at the same time. It’s surprisingly hard to do, according to of Delft University of Technology in the Netherlands. “It’s like saying I can ride a bike and I can juggle, so I must be able to juggle while riding a bike,” she says. “It’s not as easy as you might think.”

But Wehner and her colleagues a loophole-free Bell test earlier this year (Nature, ). The crucial idea they harnessed in their experiment is called entanglement swapping. The Delft team set up two diamonds, 1.3 kilometres apart on their campus. Imagine our hypothetical Alice being stationed at one, Bob at the other. Each diamond contained a defect known as a nitrogen vacancy centre. Hitting an electron located there with a microwave pulse produces a photon that is entangled with the electron. The team arranged things so that pulses hit both diamonds at roughly the same time and their respective photons shot off to a detector in the middle. Here’s the smart bit: if the photons arrived at that central detector exactly in sync, the entanglement would swap from being between each person’s electron-photon pair to being shared between the electrons. Now Alice and Bob have a pair of entangled electrons that haven’t travelled anywhere (see “Privacy guaranteed” below)

Because electrons are much easier to detect than photons, the experiment easily closed the detection loophole. And because the electrons were so far apart, the researchers had a 4-microsecond window in which to measure their correlations – plenty of time in 21st-century physics – and prove that any physical signal that could have created them would have needed to travel faster than light. Since this is forbidden by the laws of general relativity, of course, that took care of the locality loophole.

Under wraps

Thanks to this ingenuity, the correlations passed the Bell test, and we know that they are not due to detector errors, nor to a communication that has a hackable physical mechanism. “That feels good,” says Wehner’s college Bas Henson who led the project. Finally, we have closed the loopholes; quantum theory has passed the test and we know it can be used to create a certifiably safe cryptographic system.

There are still a few wrinkles. Familiar ones that have always hindered cryptographers. An enemy might break into your office and steal your key, for instance. “Physical security is always an issue,” Mosca says. “If I can look into your lab and see the plain text, then I don’t need to break your cipher.” Makarov points to another caveat: the key distribution might be device-independent, but other parts of the system could be compromised. “You have to trust that no ingredient at the end stations contains some malicious piece,” he says.

Those eternal issues aside, though, we have finally reached the end of the road for perfecting security. It will take time to move from proof of principle to application: implementing the protocol is still hard work for now. The Delft team achieved 245 entanglement events in 9 days – not exactly a useful rate for generating a cryptographic key, which might need to be thousands of digits long. But things are improving. “We expect to be able to make entanglement 100,000 times faster in the near future,” says Henson.

Device independent quantum cryptography, the last word in secret messaging, does now appear to be within our grasp. The quantum part provides an unbreakable protocol; the device-independence takes the reliability of the supplier out of the equation. “In terms of being able to verify physical security, it’s the best,” says Mosca. Ekert agrees: the Bell test routine is so simple anyone can use it. “You don’t even have to understand physics.”

(Image: Jamie Mills)

Topics: Computer crime / prime numbers / Quantum science