
THE Romans had a saying in praise of a reliable man: 鈥淵ou can trust him in the dark.鈥 But as Julius Caesar realised when several members of his inner circle stabbed him to death, sometimes the best course of action is to trust no one.
Throughout history, people have been burned by misplaced trust. Users of the extramarital affairs website Ashley Madison, whose details were leaked in August, are a good example. Their spouses are another. But as far as cybersecurity is concerned, we are finally poised to create a world in which trust is optional. The development taking us there is called device-independent quantum cryptography. Once it is perfected, you will be able to buy a secure device from your worst enemy and still be certain that no one is spying on the messages you send using it. 鈥淵ou don鈥檛 have to trust anyone,鈥 says , the University of Oxford physicist whose innovations in cryptography led to the idea.
Advertisement
This perfectly secure future can鈥檛 arrive quickly enough, as present-day cryptographic systems are in a precarious state. The security of all of our online purchases, bank transactions and personas rely on a single shaky assumption: that certain mathematical operations are hard to do. The best known of our modern encryption systems is called RSA. To encode data, it builds a key from two very large prime numbers. These are kept secret, but their product 鈥 a number thousands of binary digits long 鈥 is public knowledge. Data can be encoded using this public key, but only those with knowledge of the original numbers can decrypt it. RSA鈥檚 security relies on the fact that there is no known shortcut to find the two starting numbers. The only ways to do it are almost interminable processes, such as trying all the possibilities one by one.
Or so we hope. 鈥淲e cannot prove that these problems are inherently difficult,鈥 Ekert says. It鈥檚 not impossible that someone will discover a procedure allowing a conventional computer to quickly factorise the product of two huge primes. Maybe they already have and they鈥檙e cleverly keeping it secret. If such an algorithm ever came to light, internet transactions would collapse, and financial deals and top secret government communications would be exposed. 鈥淚t would truly be a catastrophe,鈥 says of the Institute for Quantum Computing in Waterloo, Canada. 鈥淚t鈥檚 like a Y2K problem, except we don鈥檛 know precisely when it might happen.鈥
鈥淚t鈥檚 like a Y2K problem except we don鈥檛 know when it will happen鈥
Even if we could prove that the factorisation problem is beyond the abilities of traditional computers, there are still quantum computers to consider. Because they compute using quantum phenomena they could consider all the possible primes at once. In 1994 mathematician Peter Shor, now at the Massachusetts Institute of Technology, showed this would be a speedy process. Simple quantum computers already exist and advanced machines able to realise Shor鈥檚 idea can鈥檛 be far off.
One way to reinvigorate our privacy is to fight fire with fire and employ quantum cryptography. This promises the ability to create keys that are entirely random, entirely unpredictable and totally inaccessible to spies.
Quantum cryptography hinges on the rules that govern particles like photons or electrons. Their properties, including polarisation for instance, take multiple values at once, only snapping into sharp definition when measured. Use these properties as a basis for encryption and you preclude any attempt to peek at your key: that would change the result of the measurement, in effect destroying the key鈥檚 tamper-proof seal. The technique has already been used to protect hospital data, financial transactions and voting in the Swiss general elections.
Current systems use a protocol where the person transmitting the key, usually referred to as Alice, releases a polarised photon and makes a measurement on it before sending it. Her listening partner, usually referred to as Bob, chooses a particular way to make a measurement of that polarisation, and then he and Alice use an unencrypted channel to compare the sort of measurements they did. This allows them to create one digit of a private key for use in encrypting messages. To build the entire key, Alice and Bob simply repeat the process.
You might think that鈥檚 good enough, yet this type of quantum cryptography has weaknesses. 鈥淵ou always have to make some assumptions about certain pieces of equipment,鈥 says Vadim Makarov, one of Mosca鈥檚 colleagues in Waterloo. Makarov is an expert at showing that those assumptions matter, having broken into many 鈥渟ecure鈥 systems around the world. He is the first to admit that you have to go to fantastic lengths to exploit these weaknesses, but when it comes to state secrets, say, or large bank transactions, who鈥檚 to say nobody would?
One example of such a vulnerability is known as the detection loophole. It arises because the efficiency of photon detectors is never perfect, making practical quantum cryptography a bit like sending multiple copies of your key via an army of couriers to an office that occasionally shuts for lunch. Alice has to send far more photons than would otherwise be necessary, because Bob can鈥檛 detect them all. This intermittent detection means Alice and Bob can鈥檛 be certain that their apparatus is working securely.
It鈥檚 not impossible to dream up ways of solving these technical hitches, but there鈥檚 another more subtle problem that comes as an unavoidable side dish and which takes us to the heart of the problem with trust.
Imagine you have bought a state-of-the-art quantum cryptography system. It might well come complete with a shiny certificate guaranteeing its security, but how do you know the manufacturer hasn鈥檛 built in a covert back door that allows them to read and sell your secrets?
鈥淗ow do you know the device hasn鈥檛 got a back door that will leak your secrets?鈥
It鈥檚 hardly unthinkable. As soon as a new encryption technology becomes available, governments, corporations and intelligence agencies look for 鈥 and may even demand 鈥 a hidden flaw that they can exploit. Maybe your machine is programmed to spit out a key matching what someone somewhere has on file. Or perhaps there is a side-channel that logs a copy of any key you generate.
Here鈥檚 where device-independent cryptography comes in. It started when Ekert came up with a smart new form of quantum cryptography in 1991 .
This protocol also uses a stream of photons and, just as before, Alice creates a string of random numbers by measuring a property of each. The twist is that this time Bob has a separate stream of photons from the same source, and his photons are 鈥渆ntangled鈥 with Alice鈥檚. Entangled photons are generated in pairs, and their properties are subtly connected. If Alice has one of a pair, and Bob has the other, they can perform measurements on their respective photons that will help them create each digit of a shared key.
So random
Until 2004, Ekert鈥檚 idea was just another way of doing quantum cryptography, subject to the same old loopholes (see diagram below). But that changed when Antonio Ac铆n of the Institute of Photonic Sciences in Barcelona, Spain, and colleagues realised that this version of cryptography of the manufacturer. The implications are profound: with this protocol, you could buy the machine from your worst enemy and still be certain that it couldn鈥檛 leak your secrets. 鈥淚t came as a surprise to me,鈥 Ekert says. 鈥淪ometimes your inventions can be cleverer than you are.鈥
The rules of quantum theory say that the link between two entangled particles is 鈥渕onogamous鈥: there is no correlation with anything else and so no information can escape to an eavesdropper. Ac铆n鈥檚 neat insight was that you can prove whether this is the case using something known as a Bell test.
First set out by physicist John Bell in 1964, the test aims to determine whether two sets of numbers are more highly correlated than can be achieved by chance. 鈥淭he more they are correlated together, the less they can be correlated with anything outside,鈥 Ekert says.
If your system passes the Bell test, you have a cast-iron guarantee of three things. First, that your key is generated on the fly and thus not predictable. Second, that its digits have an inherent randomness, and thus can鈥檛 be guessed. Third, and perhaps most importantly, that no one is tapping into your key transmission using a back door. If they were, the correlations would be tainted.
There was just one problem with the scheme: no one had built a fully watertight experimental set up to conduct the Bell test. It comes down to the same problems that plague today鈥檚 versions of quantum cryptography, plus one more that comes into play now we鈥檙e dealing with entanglement.
This final problem is called the locality loophole. The worry is that there might be some as yet undiscovered signal relaying information between the entangled particles. If there were, that would invalidate our assumptions about randomness and open up the possibility of some genius adversary tapping the signal.
It might seem like madness to be concerned about all this, but there are two good reasons to push ahead. For one thing, get this right and we would have totally eliminated the need for trust. And for another, this is where the story of quantum cryptography intersects with physicists鈥 quest to prove quantum theory is a full and accurate description of reality. Here is an opportunity to slay the lingering doubt about whether there is something beneath the spooky links between entangled particles.
Proving that there isn鈥檛 would involve a Bell test where the locality and the detection loopholes are simultaneously closed. In the 51 years since Bell published his test researchers did one or the other, but no one had done both at the same time. It鈥檚 surprisingly hard to do, according to of Delft University of Technology in the Netherlands. 鈥淚t鈥檚 like saying I can ride a bike and I can juggle, so I must be able to juggle while riding a bike,鈥 she says. 鈥淚t鈥檚 not as easy as you might think.鈥
But Wehner and her colleagues a loophole-free Bell test earlier this year (Nature, ). The crucial idea they harnessed in their experiment is called entanglement swapping. The Delft team set up two diamonds, 1.3 kilometres apart on their campus. Imagine our hypothetical Alice being stationed at one, Bob at the other. Each diamond contained a defect known as a nitrogen vacancy centre. Hitting an electron located there with a microwave pulse produces a photon that is entangled with the electron. The team arranged things so that pulses hit both diamonds at roughly the same time and their respective photons shot off to a detector in the middle. Here鈥檚 the smart bit: if the photons arrived at that central detector exactly in sync, the entanglement would swap from being between each person鈥檚 electron-photon pair to being shared between the electrons. Now Alice and Bob have a pair of entangled electrons that haven鈥檛 travelled anywhere (see 鈥淧rivacy guaranteed鈥 below)
Because electrons are much easier to detect than photons, the experiment easily closed the detection loophole. And because the electrons were so far apart, the researchers had a 4-microsecond window in which to measure their correlations 鈥 plenty of time in 21st-century physics 鈥 and prove that any physical signal that could have created them would have needed to travel faster than light. Since this is forbidden by the laws of general relativity, of course, that took care of the locality loophole.
Under wraps
Thanks to this ingenuity, the correlations passed the Bell test, and we know that they are not due to detector errors, nor to a communication that has a hackable physical mechanism. 鈥淭hat feels good,鈥 says Wehner鈥檚 college Bas Henson who led the project. Finally, we have closed the loopholes; quantum theory has passed the test and we know it can be used to create a certifiably safe cryptographic system.
There are still a few wrinkles. Familiar ones that have always hindered cryptographers. An enemy might break into your office and steal your key, for instance. 鈥淧hysical security is always an issue,鈥 Mosca says. 鈥淚f I can look into your lab and see the plain text, then I don鈥檛 need to break your cipher.鈥 Makarov points to another caveat: the key distribution might be device-independent, but other parts of the system could be compromised. 鈥淵ou have to trust that no ingredient at the end stations contains some malicious piece,鈥 he says.
Those eternal issues aside, though, we have finally reached the end of the road for perfecting security. It will take time to move from proof of principle to application: implementing the protocol is still hard work for now. The Delft team achieved 245 entanglement events in 9 days 鈥 not exactly a useful rate for generating a cryptographic key, which might need to be thousands of digits long. But things are improving. 鈥淲e expect to be able to make entanglement 100,000 times faster in the near future,鈥 says Henson.
Device independent quantum cryptography, the last word in secret messaging, does now appear to be within our grasp. The quantum part provides an unbreakable protocol; the device-independence takes the reliability of the supplier out of the equation. 鈥淚n terms of being able to verify physical security, it鈥檚 the best,鈥 says Mosca. Ekert agrees: the Bell test routine is so simple anyone can use it. 鈥淵ou don鈥檛 even have to understand physics.鈥
(Image: Jamie Mills)
This article appeared in print under the headline 鈥淭rust no one鈥