Scientific American on Quantum Encryption

Eugen Leitl eugen at
Thu Jan 20 03:16:34 PST 2005

Scientific American has little clue, as usual (see their nanotechnology

Posted by: samzenpus, on 2005-01-20 06:35:00

   from the just-try-and-break-it dept.
   [1]prostoalex writes "Scientific American claims that [2]advances in
   commercially available quantum encryption might obsolete the existing
   factorization-based solutions: "The National Security Agency or one of
   the Federal Reserve banks can now buy a quantum-cryptographic system
   from two small companies - and more products are on the way. This new
   method of encryption represents the first major commercial
   implementation for what has become known as quantum information
   science, which blends quantum mechanics and information theory. The
   ultimate technology to emerge from the field may be a quantum computer
   so powerful that the only way to protect against its prodigious
   code-breaking capability may be to deploy quantum-cryptographic

   IFRAME: [3]pos6



----- End forwarded message -----

December 20, 2004

Best-Kept Secrets

Quantum cryptography has marched from theory to laboratory to real products

By Gary Stix

At the IBM Thomas J. Watson Research Laboratory, Charles Bennett is known as
a brilliant theoretician--one of the fathers of the emerging field of quantum
computing. Like many theorists, he has not logged much experience in the
laboratory. His absentmindedness in relation to the physical world once
transformed the color of a teapot from green to red when he left it on a
double boiler too long. But in 1989 Bennett and colleagues John A. Smolin and
Gilles Brassard cast caution aside and undertook a groundbreaking experiment
that would demonstrate a new cryptography based on the principles of quantum

The team put together an experiment in which photons moved down a
30-centimeter channel in a light-tight box called "Aunt Martha's coffin." The
direction in which the photons oscillated, their polarization, represented
the 0s or 1s of a series of quantum bits, or qubits. The qubits constituted a
cryptographic "key" that could be used to encrypt or decipher a message. What
kept the key from prying eavesdroppers was Heisenberg's uncertainty
principle--a foundation of quantum physics that dictates that the measurement
of one property in a quantum state will perturb another. In a quantum
cryptographic system, any interloper tapping into the stream of photons will
alter them in a way that is detectable to the sender and the receiver. In
principle, the technique provides the makings of an unbreakable cryptographic

Today quantum cryptography has come a long way from the jury-rigged project
assembled on a table in Bennett's office. The National Security Agency or one
of the Federal Reserve banks can now buy a quantum-cryptographic system from
two small companies--and more products are on the way. This new method of
encryption represents the first major commercial implementation for what has
become known as quantum information science, which blends quantum mechanics
and information theory. The ultimate technology to emerge from the field may
be a quantum computer so powerful that the only way to protect against its
prodigious code-breaking capability may be to deploy quantum-cryptographic

The arrival of the quantum computer may portend the eventual demise of
ciphers based on factorization.

The challenge modern cryptographers face is for sender and receiver to share
a key while ensuring that no one has filched a copy. A method called
public-key cryptography is often used to distribute the secret keys for
encryption and decoding of a full-length message. The security of public-key
cryptography depends on factorization or other difficult mathematical
problems. It is easy to compute the product of two large numbers but
extremely hard to factor it back into the primes. The popular RSA cipher
algorithm, widely deployed in public-key cryptography, relies on
factorization. The secret key being transferred between sender and receiver
is encrypted with a publicly available key, say, a large number such as
408,508,091 (in practice, the number would be much larger). It can be
decrypted only with a private key owned by the recipient of the data, made up
of two factors, in this case 18,313 and 22,307.

The difficulty of overcoming a public-key cipher may hold secret keys secure
for a decade or more. But the advent of the quantum information era--and, in
particular, the capability of quantum computers to rapidly perform
monstrously challenging factorizations--may portend the eventual demise of
RSA and other cryptographic schemes. "If quantum computers become a reality,
the whole game changes," says John Rarity, a professor in the department of
electrical and electronics engineering at the University of Bristol in

Unlike public-key cryptography, quantum cryptography should remain secure
when quantum computers arrive on the scene. One way of sending a
quantum-cryptographic key between sender and receiver requires that a laser
transmit single photons that are polarized in one of two modes. In the first,
photons are positioned vertically or horizontally (rectilinear mode); in the
second, they are oriented 45 degrees to the left or right of vertical
(diagonal mode). In either mode, the opposing positions of the photons
represent either a digital 0 or a 1. The sender, whom cryptographers by
convention call Alice, sends a string of bits, choosing randomly to send
photons in either the rectilinear or the diagonal modes. The receiver, known
as Bob in crypto-speak, makes a similarly random decision about which mode to
measure the incoming bits. The Heisenberg uncertainty principle dictates that
he can measure the bits in only one mode, not both. Only the bits that Bob
measured in the same mode as sent by Alice are guaranteed to be in the
correct orientation, thus retaining the proper value.

After transmission, Bob then communicates with Alice, an exchange that need
not remain secret, to tell her which of the two modes he used to receive each
photon. He does not, however, reveal the 0- or 1-bit value represented by
each photon. Alice then tells Bob which of the modes were measured correctly.
They both ignore photons that were not observed in the right mode. The modes
measured correctly constitute the key that serves as an input for an
algorithm used to encrypt or decipher a message.

If someone tries to intercept this stream of photons--call her Eve--she
cannot measure both modes, thanks to Heisenberg. If she makes the
measurements in the wrong mode, even if she resends the bits to Bob in the
same way she measured them, she will inevitably introduce errors. Alice and
Bob can detect the presence of the eavesdropper by comparing selected bits
and checking for errors.

Beginning in 2003, two companies--id Quantique in Geneva and MagiQ
Technologies in New York City--introduced commercial products that send a
quantum-cryptographic key beyond the 30 centimeters traversed in Bennett's
experiment. And, after demonstrating a record transmission distance of 150
kilometers, NEC is to come to market with a product at the earliest next
year. Others, such as IBM, Fujitsu and Toshiba, have active research efforts.

The products on the market can send keys over individual optical-fiber links
for multiple tens of kilometers. A system from MagiQ costs $70,000 to
$100,000. "A small number of customers are using and testing the system, but
it's not widely deployed in any network," comments Robert Gelfond, a former
Wall Street quantitative trader who in 1999 founded MagiQ Technologies.

Some government agencies and financial institutions are afraid that an
encrypted message could be captured today and stored for a decade or more--at
which time a quantum computer might decipher it. Richard J. Hughes, a
researcher in quantum cryptography at Los Alamos National Laboratory, cites
other examples of information that must remain confidential for a long time:
raw census data, the formula for Coca-Cola or the commands for a commercial
satellite. (Remember Captain Midnight, who took over HBO for more than four
minutes in 1986.) Among the prospective customers for quantum-cryptographic
systems are telecommunications providers that foresee offering customers an
ultrasecure service.

The first attempts to incorporate quantum cryptography into actual
networks--rather than just point-to-point connections--have begun. The
Defense Advanced Research Projects Agency has funded a project to connect six
network nodes that stretch among Harvard University, Boston University and
BBN Technologies in Cambridge, Mass., a company that played a critical role
in establishing the Internet. The encryption keys are sent over dedicated
links, and the messages ciphered with those keys are transmitted over the
Internet. "This is the first continuously running operational
quantum-cryptography network outside a laboratory," notes Chip Elliott of
BBN, who heads the project. The network, designed to merely show that the
technology works, transfers ordinary unclassified Internet traffic. "The only
secrets I can possibly think of here are where the parking spaces are,"
Elliott says. Last fall, id Quantique and a partner, the Geneva-based
Internet services provider Deckpoint, put on display a network that allowed a
cluster of servers in Geneva to have its data backed up at a site 10
kilometers away, with new keys being distributed frequently through a
quantum-encrypted link.

The current uses for quantum cryptography are in networks of limited
geographic reach. The strength of the technique--that anyone who spies on a
key transmittal will change it unalterably--also means that the signals that
carry quantum keys cannot be amplified by network equipment that restores a
weakening signal and allows it to be relayed along to the next repeater. An
optical amplifier would corrupt qubits.

To extend the distance of these links, researchers are looking beyond optical
fibers as the medium to distribute quantum keys. Scientists have trekked to
mountaintops--where the altitude minimizes atmospheric turbulence--to prove
the feasibility of sending quantum keys through the air. One experiment in
2002 at Los Alamos National Laboratory created a 10-kilometer link. Another,
performed that same year by QinetiQ, based in Farnborough, England, and
Ludwig Maximilian University in Munich, stretched 23 kilometers between two
mountaintops in the southern Alps. By optimizing this technology--using
bigger telescopes for detection, better filters and antireflective
coatings--it might be possible to build a system that could transmit and
receive signals over more than 1,000 kilometers, sufficient to reach
satellites in low earth orbit. A network of satellites would allow for
worldwide coverage. The European Space Agency is in the early stages of
putting together a plan for an earth-to-satellite experiment. (The European
Union also launched an effort in April to develop quantum encryption over
communications networks, an effort spurred in part by a desire to prevent
eavesdropping by Echelon, a system that intercepts electronic messages for
the intelligence services of the U.S., Britain and other nations.)

Ultimately cryptographers want some form of quantum repeater--in essence, an
elementary form of quantum computer that would overcome distance limitations.
A repeater would work through what Albert Einstein famously called "spukhafte
Fernwirkungen," spooky action at a distance. Anton Zeilinger and his
colleagues at the Institute of Experimental Physics in Vienna, Austria, took
an early step toward a repeater when they reported in the August 19, 2004,
issue of Nature that their group had strung an optical-fiber cable in a sewer
tunnel under the Danube River and stationed an "entangled" photon at each
end. The measurement of the state of polarization in one photon (horizontal,
vertical, and so on) establishes immediately an identical polarization that
can be measured in the other.

Entanglement spooked Einstein, but Zeilinger and his team took advantage of a
link between two entangled photons to "teleport" the information carried by a
third photon a distance of 600 meters across the Danube. Such a system might
be extended in multiple relays, so that the qubits in a key could be
transmitted across continents or oceans. To make this a reality will require
development of esoteric components, such as a quantum memory capable of
actually storing qubits without corrupting them before they are sent along to
a subsequent link. "This is still very much in its infancy. It's still in the
hands of physics laboratories," notes Nicolas Gisin, a professor at the
University of Geneva, who helped to found id Quantique and who has also done
experiments on long-distance entanglement.

A quantum memory might be best implemented with atoms, not photons. An
experiment published in the October 22 issue of Science showed how this might
work. Building on ideas of researchers from the University of Innsbruck in
Austria, a group at the Georgia Institute of Technology detailed in the paper
how two clouds of ultracold rubidium atoms could be entangled and, because of
the quantum linkage, could be inscribed with a qubit, the clouds storing the
qubit for much longer than a photon can. The experiment then transferred the
quantum state of the atoms, their qubit, onto a photon, constituting
information transfer from matter to light and showing how a quantum memory
might output a bit. By entangling clouds, Alex Kuzmich and Dzmitry
Matsukevich of Georgia Tech hope to create repeaters that can transfer qubits
over long distances.

Entanglement spooked Einstein, but researchers have used the phenomenon to
"teleport" quantum information.

The supposed inviolability of quantum cryptography rests on a set of
assumptions that do not necessarily carry over into the real world. One of
those assumptions is that only a single photon represents each qubit. Quantum
cryptography works by taking a pulsed laser and diminishing its intensity to
such an extent that typically it becomes unlikely that any more than one in
10 pulses contains a photon--the rest are dark--one reason that the data
transfer rate is so low. But this is only a statistical likelihood. The pulse
may have more than one photon. An eavesdropper could, in theory, steal an
extra photon and use it to help decode a message. A software algorithm, known
as privacy amplification, helps to guard against this possibility by masking
the values of the qubits.

But cryptographers would like to have better photon sources and detectors.
The National Institute of Standards and Technology (NIST) is one of many
groups laboring on these devices. "One very interesting area is the
development of detectors that can tell the difference between one, two or
more photons arriving at the same time," says Alan Migdall of NIST.
Researchers there have also tried to address the problem of slow transmission
speed by generating quantum keys at a rate of one megabit per second--100
times faster than any previous efforts and enough to distribute keys for
video applications.

Quantum cryptography may still prove vulnerable to some unorthodox attacks.
An eavesdropper might sabotage a receiver's detector, causing qubits received
from a sender to leak back into a fiber and be intercepted. And an inside job
will always prove unstoppable. "Treachery is the primary way," observes Seth
Lloyd, an expert in quantum computation at the Massachusetts Institute of
Technology. "There's nothing quantum mechanics can do about that." Still, in
the emerging quantum information age, these new ways of keeping secrets may
be better than any others in the codebooks.

Eugen* Leitl <a href="">leitl</a>
ICBM: 48.07078, 11.61144  
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

[demime 1.01d removed an attachment of type application/pgp-signature]

More information about the cypherpunks-legacy mailing list