<http://www.sciam.com/print_version.cfm?articleID=000479CD-F58C-11BE-AD0683414B7F0000> Scientific American: December 20, 2004 Best-Kept Secrets Quantum cryptography has marched from theory to laboratory to real products By Gary Stix At the IBM Thomas J. Watson Research Laboratory, Charles Bennett is known as a brilliant theoretician--one of the fathers of the emerging field of quantum computing. Like many theorists, he has not logged much experience in the laboratory. His absentmindedness in relation to the physical world once transformed the color of a teapot from green to red when he left it on a double boiler too long. But in 1989 Bennett and colleagues John A. Smolin and Gilles Brassard cast caution aside and undertook a groundbreaking experiment that would demonstrate a new cryptography based on the principles of quantum mechanics. The team put together an experiment in which photons moved down a 30-centimeter channel in a light-tight box called "Aunt Martha's coffin." The direction in which the photons oscillated, their polarization, represented the 0s or 1s of a series of quantum bits, or qubits. The qubits constituted a cryptographic "key" that could be used to encrypt or decipher a message. What kept the key from prying eavesdroppers was Heisenberg's uncertainty principle--a foundation of quantum physics that dictates that the measurement of one property in a quantum state will perturb another. In a quantum cryptographic system, any interloper tapping into the stream of photons will alter them in a way that is detectable to the sender and the receiver. In principle, the technique provides the makings of an unbreakable cryptographic key. Today quantum cryptography has come a long way from the jury-rigged project assembled on a table in Bennett's office. The National Security Agency or one of the Federal Reserve banks can now buy a quantum-cryptographic system from two small companies--and more products are on the way. This new method of encryption represents the first major commercial implementation for what has become known as quantum information science, which blends quantum mechanics and information theory. The ultimate technology to emerge from the field may be a quantum computer so powerful that the only way to protect against its prodigious code-breaking capability may be to deploy quantum-cryptographic techniques. The arrival of the quantum computer may portend the eventual demise of ciphers based on factorization. The challenge modern cryptographers face is for sender and receiver to share a key while ensuring that no one has filched a copy. A method called public-key cryptography is often used to distribute the secret keys for encryption and decoding of a full-length message. The security of public-key cryptography depends on factorization or other difficult mathematical problems. It is easy to compute the product of two large numbers but extremely hard to factor it back into the primes. The popular RSA cipher algorithm, widely deployed in public-key cryptography, relies on factorization. The secret key being transferred between sender and receiver is encrypted with a publicly available key, say, a large number such as 408,508,091 (in practice, the number would be much larger). It can be decrypted only with a private key owned by the recipient of the data, made up of two factors, in this case 18,313 and 22,307. The difficulty of overcoming a public-key cipher may hold secret keys secure for a decade or more. But the advent of the quantum information era--and, in particular, the capability of quantum computers to rapidly perform monstrously challenging factorizations--may portend the eventual demise of RSA and other cryptographic schemes. "If quantum computers become a reality, the whole game changes," says John Rarity, a professor in the department of electrical and electronics engineering at the University of Bristol in England. Unlike public-key cryptography, quantum cryptography should remain secure when quantum computers arrive on the scene. One way of sending a quantum-cryptographic key between sender and receiver requires that a laser transmit single photons that are polarized in one of two modes. In the first, photons are positioned vertically or horizontally (rectilinear mode); in the second, they are oriented 45 degrees to the left or right of vertical (diagonal mode). In either mode, the opposing positions of the photons represent either a digital 0 or a 1. The sender, whom cryptographers by convention call Alice, sends a string of bits, choosing randomly to send photons in either the rectilinear or the diagonal modes. The receiver, known as Bob in crypto-speak, makes a similarly random decision about which mode to measure the incoming bits. The Heisenberg uncertainty principle dictates that he can measure the bits in only one mode, not both. Only the bits that Bob measured in the same mode as sent by Alice are guaranteed to be in the correct orientation, thus retaining the proper value. After transmission, Bob then communicates with Alice, an exchange that need not remain secret, to tell her which of the two modes he used to receive each photon. He does not, however, reveal the 0- or 1-bit value represented by each photon. Alice then tells Bob which of the modes were measured correctly. They both ignore photons that were not observed in the right mode. The modes measured correctly constitute the key that serves as an input for an algorithm used to encrypt or decipher a message. If someone tries to intercept this stream of photons--call her Eve--she cannot measure both modes, thanks to Heisenberg. If she makes the measurements in the wrong mode, even if she resends the bits to Bob in the same way she measured them, she will inevitably introduce errors. Alice and Bob can detect the presence of the eavesdropper by comparing selected bits and checking for errors. Beginning in 2003, two companies--id Quantique in Geneva and MagiQ Technologies in New York City--introduced commercial products that send a quantum-cryptographic key beyond the 30 centimeters traversed in Bennett's experiment. And, after demonstrating a record transmission distance of 150 kilometers, NEC is to come to market with a product at the earliest next year. Others, such as IBM, Fujitsu and Toshiba, have active research efforts. The products on the market can send keys over individual optical-fiber links for multiple tens of kilometers. A system from MagiQ costs $70,000 to $100,000. "A small number of customers are using and testing the system, but it's not widely deployed in any network," comments Robert Gelfond, a former Wall Street quantitative trader who in 1999 founded MagiQ Technologies. Some government agencies and financial institutions are afraid that an encrypted message could be captured today and stored for a decade or more--at which time a quantum computer might decipher it. Richard J. Hughes, a researcher in quantum cryptography at Los Alamos National Laboratory, cites other examples of information that must remain confidential for a long time: raw census data, the formula for Coca-Cola or the commands for a commercial satellite. (Remember Captain Midnight, who took over HBO for more than four minutes in 1986.) Among the prospective customers for quantum-cryptographic systems are telecommunications providers that foresee offering customers an ultrasecure service. The first attempts to incorporate quantum cryptography into actual networks--rather than just point-to-point connections--have begun. The Defense Advanced Research Projects Agency has funded a project to connect six network nodes that stretch among Harvard University, Boston University and BBN Technologies in Cambridge, Mass., a company that played a critical role in establishing the Internet. The encryption keys are sent over dedicated links, and the messages ciphered with those keys are transmitted over the Internet. "This is the first continuously running operational quantum-cryptography network outside a laboratory," notes Chip Elliott of BBN, who heads the project. The network, designed to merely show that the technology works, transfers ordinary unclassified Internet traffic. "The only secrets I can possibly think of here are where the parking spaces are," Elliott says. Last fall, id Quantique and a partner, the Geneva-based Internet services provider Deckpoint, put on display a network that allowed a cluster of servers in Geneva to have its data backed up at a site 10 kilometers away, with new keys being distributed frequently through a quantum-encrypted link. The current uses for quantum cryptography are in networks of limited geographic reach. The strength of the technique--that anyone who spies on a key transmittal will change it unalterably--also means that the signals that carry quantum keys cannot be amplified by network equipment that restores a weakening signal and allows it to be relayed along to the next repeater. An optical amplifier would corrupt qubits. To extend the distance of these links, researchers are looking beyond optical fibers as the medium to distribute quantum keys. Scientists have trekked to mountaintops--where the altitude minimizes atmospheric turbulence--to prove the feasibility of sending quantum keys through the air. One experiment in 2002 at Los Alamos National Laboratory created a 10-kilometer link. Another, performed that same year by QinetiQ, based in Farnborough, England, and Ludwig Maximilian University in Munich, stretched 23 kilometers between two mountaintops in the southern Alps. By optimizing this technology--using bigger telescopes for detection, better filters and antireflective coatings--it might be possible to build a system that could transmit and receive signals over more than 1,000 kilometers, sufficient to reach satellites in low earth orbit. A network of satellites would allow for worldwide coverage. The European Space Agency is in the early stages of putting together a plan for an earth-to-satellite experiment. (The European Union also launched an effort in April to develop quantum encryption over communications networks, an effort spurred in part by a desire to prevent eavesdropping by Echelon, a system that intercepts electronic messages for the intelligence services of the U.S., Britain and other nations.) Ultimately cryptographers want some form of quantum repeater--in essence, an elementary form of quantum computer that would overcome distance limitations. A repeater would work through what Albert Einstein famously called "spukhafte Fernwirkungen," spooky action at a distance. Anton Zeilinger and his colleagues at the Institute of Experimental Physics in Vienna, Austria, took an early step toward a repeater when they reported in the August 19, 2004, issue of Nature that their group had strung an optical-fiber cable in a sewer tunnel under the Danube River and stationed an "entangled" photon at each end. The measurement of the state of polarization in one photon (horizontal, vertical, and so on) establishes immediately an identical polarization that can be measured in the other. Entanglement spooked Einstein, but Zeilinger and his team took advantage of a link between two entangled photons to "teleport" the information carried by a third photon a distance of 600 meters across the Danube. Such a system might be extended in multiple relays, so that the qubits in a key could be transmitted across continents or oceans. To make this a reality will require development of esoteric components, such as a quantum memory capable of actually storing qubits without corrupting them before they are sent along to a subsequent link. "This is still very much in its infancy. It's still in the hands of physics laboratories," notes Nicolas Gisin, a professor at the University of Geneva, who helped to found id Quantique and who has also done experiments on long-distance entanglement. A quantum memory might be best implemented with atoms, not photons. An experiment published in the October 22 issue of Science showed how this might work. Building on ideas of researchers from the University of Innsbruck in Austria, a group at the Georgia Institute of Technology detailed in the paper how two clouds of ultracold rubidium atoms could be entangled and, because of the quantum linkage, could be inscribed with a qubit, the clouds storing the qubit for much longer than a photon can. The experiment then transferred the quantum state of the atoms, their qubit, onto a photon, constituting information transfer from matter to light and showing how a quantum memory might output a bit. By entangling clouds, Alex Kuzmich and Dzmitry Matsukevich of Georgia Tech hope to create repeaters that can transfer qubits over long distances. Entanglement spooked Einstein, but researchers have used the phenomenon to "teleport" quantum information. The supposed inviolability of quantum cryptography rests on a set of assumptions that do not necessarily carry over into the real world. One of those assumptions is that only a single photon represents each qubit. Quantum cryptography works by taking a pulsed laser and diminishing its intensity to such an extent that typically it becomes unlikely that any more than one in 10 pulses contains a photon--the rest are dark--one reason that the data transfer rate is so low. But this is only a statistical likelihood. The pulse may have more than one photon. An eavesdropper could, in theory, steal an extra photon and use it to help decode a message. A software algorithm, known as privacy amplification, helps to guard against this possibility by masking the values of the qubits. But cryptographers would like to have better photon sources and detectors. The National Institute of Standards and Technology (NIST) is one of many groups laboring on these devices. "One very interesting area is the development of detectors that can tell the difference between one, two or more photons arriving at the same time," says Alan Migdall of NIST. Researchers there have also tried to address the problem of slow transmission speed by generating quantum keys at a rate of one megabit per second--100 times faster than any previous efforts and enough to distribute keys for video applications. Quantum cryptography may still prove vulnerable to some unorthodox attacks. An eavesdropper might sabotage a receiver's detector, causing qubits received from a sender to leak back into a fiber and be intercepted. And an inside job will always prove unstoppable. "Treachery is the primary way," observes Seth Lloyd, an expert in quantum computation at the Massachusetts Institute of Technology. "There's nothing quantum mechanics can do about that." Still, in the emerging quantum information age, these new ways of keeping secrets may be better than any others in the codebooks. -- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'