NEWS FEATURE

Code warsQuantum cryptography gears up to fight code-breaking quantum computers. Will the

approach bolster security in the future, or is it fatally flawed?

Stephen Ornes, Science Writer

In October 2014, an Antares rocket blasted off from aNASA launch pad on one of Virginia’s barrier islands,and exploded seconds later. In addition to about5,000 pounds of food and equipment destined forthe International Space Station, the doomed rocketwas carrying 26 miniature satellites called CubeSats,one of which housed physicist Alexander Ling’s ex-periment. “We thought, ‘oh, that’s it, we’re not goingto see our experiment again,’” recalls Ling, of theCentre for Quantum Technologies in Singapore. Hewas mistaken.

Days later, Ling got a phone call. His experimenthad washed up on a nearby beach. The CubeSat’smetal casing had been crushed—“a bit,” says Ling,but the experiment inside had not only survived butwas still working. The nature of the experiment made

this even more astonishing: Their device used crystalsand lasers to generate particles of light, or photons, indelicate, easily destroyed quantum states. Neither theturbulence of the launch nor the shock of the explo-sion had knocked the device out of alignment. Lingwas ecstatic. Although the mission had failed, his ex-periment had endured. He and other quantum cryp-tography researchers hope that expectations aboutthe technology’s potential hold up just as well.

Ling wants to help build a global quantum Internetin which computers would communicate securelyusing the quantum mechanical properties of particlesof light. Such an effort would require both networks onthe ground, built over existing fiber-optic cables, andin space, using satellites capable of exchanging pho-tons in fragile quantum states, like those at the heart ofLing’s design.

One of the most tantalizing implications of such aquantum network is its apparent impregnable secu-rity. That’s important because vulnerabilities lurk ineven the most robust encryption methods that protectinformation transmitted across existing communica-tion networks. Ultrafast quantum computers of the fu-ture, which will exploit quantum states of particles toperform multiple calculations at once, could easilybreak today’s strongest codes. Many physicists saythe only way to thwart quantum computers is to fightfire with fire, using cryptography that itself relies onquantum mechanics. “For quantum cryptography, se-curity is the whole selling point,” says VadimMakarov,an applied physicist at the Institute for Quantum Com-puting at the University of Waterloo, in Canada.

Secret HandshakesUsing quantumphysics to protect amessage frompryingeyes is humankind’s most sophisticated attempt atcryptography to date. Historically, cryptography has in-volved the sender encoding, or locking, the message bysubstituting letters, phrases, or words. Only the recipientwould know what was swapped—such informationconstitutes a key—and thus be able to decode or unlockthe original message. It’s crucial that no one else has thekey. If the key gets stolen, the entire effort goes to waste.

Such cryptography efforts have a rich history. JuliusCaesar is said to have used a letter-substitution cipherto send military messages. About 100 years ago, aGerman inventor patented the Enigma machine, which

Advances in quantum cryptography could enable the creation of a global quantumInternet. It would consist of networks on the ground, as well as in space, set up viasatellites capable of exchanging photons in fragile quantum states. Image cour-tesy of Shutterstock/Login.

2784–2787 | PNAS | March 14, 2017 | vol. 114 | no. 11 www.pnas.org/cgi/doi/10.1073/pnas.1702236114

NEW

SFEATURE

Dow

nloa

ded

by g

uest

on

Aug

ust 2

9, 2

020

used a set of electromechanical rotors—each of whichhad 26 different settings—to scramble a message.The receiver would have to know the exact positionsof these rotors to decode the message. As decodersfigured out how to break such codes, the Enigmamachines evolved and improved in the years leadingup to and during World War II, inspiring more so-phisticated code-breaking approaches. The crypto-graphic race was on.

These days secret messages are a part of everydaylife. People regularly send and receive encoded personaland financial information through the Internet, and trustthat it remains hidden from prying eyes. “A lot of thingsdepend on the ability of communicating securely overthe Internet, including bank transactions and thestock exchange,” says Wolfgang Tittel, a quantumphysicist at the University of Calgary, in Canada. “Ifthat breaks down, our way of life breaks down.”

Most information exchanged online is protectedby codes that can only be broken by solving excep-tionally difficult math problems. First developed in the1970s, RSA is one of the most popular and powerfulmethods (1). Under RSA, an encryption key is createdby multiplying two extremely large prime numbers.The key can be shared publicly, but the primes arekept private. Only someone with knowledge of thetwo primes can decode the encrypted message.

Consider the case when you are using your Internetbrowser to access a bank account. The browser re-ceives an extremely large number (the key) from thebank to encode information. Only the bank knows the

two prime numbers used to create the key, and it usesthem to decode messages that you send. For a pub-lic key with more than 600 digits, for example, an av-erage user who tries to factor it would need billions ofyears of computing time to break it. Although multi-plying two large prime numbers is easy, factoring theproduct back into its constituent primes is near im-possible. Classic computers simply lack the power todo it fast enough.

The bigger the key, the stronger the lock. Even ascomputer scientists devise classic algorithms that factorfaster, encryption keys keep getting large enough toremain practically unbreakable.

Quantum DangerBut a threat looms. In 1994, American mathematicianPeter Shor proved that a quantum computer couldcrack such codes (2). Quantum computers solveproblems in a fundamentally different way than classiccomputers. Instead of bits that can only exist in twostates—as 1s and 0s—quantum computers exploit aquantum mechanical property of particles that allowsthem to simultaneously exist in multiple states (calleda superposition). So a quantum computer can do cal-culations that are not just using 0s and 1s, as in classiccomputers, but also calculations involving superposi-tions of states, dramatically increasing the speed ofcomputation. Shor’s algorithm, effectively a recipe forfactoring big numbers, requires a quantum computer.

Most researchers believe quantum computers thatcan hack today’s codes will be a reality in the next

Fifteen seconds after it launched in 2014, this Antares rocket exploded, showering the shore and sea with debris.The rocket’s cargo included a photon pair generator (Inset), which somehow survived intact. A similar device was laterused to test new satellite technology that could help connect a global quantum Internet. Main image courtesy of NASA/Joel Kowsky; Inset courtesy of GomSpace.

Ornes PNAS | March 14, 2017 | vol. 114 | no. 11 | 2785

Dow

nloa

ded

by g

uest

on

Aug

ust 2

9, 2

020

10–20 years, says Tittel. If so, hackersmight use quantumcomputers to decode files encrypted with today’s bestmethods. Quantum cryptography can withstand theonslaught of quantum computers by offering a pro-foundly new way to safeguard information, placing theemphasis on the detection of an intruder trying to accessthe key.

In 1984, cryptographer Charles Bennett, at IBM,and physicist Gilles Brassard, at the University ofMontreal, introduced the first such quantum key dis-tribution (QKD) protocol, in which two people, calledAlice and Bob, exchange a key using the quantummechanical properties of photons and can detect thepresence of an eavesdropper, called Eve (3). Sincethen, physicists have worked out more elaborate waysof encoding keys that rely on a quantum propertycalled entanglement.

Entangled photons are intrinsically correlated. IfAlice and Bob each have one of a pair of entangledphotons and they do the same measurement on theirrespective photons, they will get the same result. It’s

important that both measurements are of the sametype. For example, if information is encoded in thepolarization states of the photons, both measure-ments can look at whether the photon is polarizedhorizontally (0°) or vertically (90°), in what’s known asthe rectilinear basis of measurement. Or, both mea-surements can look at whether the photon is polarizedat 45° or 135°, the so-called diagonal basis.

Such measurements can be used to exchange akey. For each entangled photon, Alice chooses thebasis of measurement (either rectilinear or diagonal) atrandom and notes the result of her measurement. Bobdoes the same with his photon. They do this for anumber of entangled photon pairs. Then, they pub-licly exchange the sequence of bases that they usedfor measuring the state of each photon and discardthe results of the measurements for which they haveused different bases. The remaining measurements,done with the same basis in each instance, form thekey: Alice and Bob know that they must have the samevalues for each measurement because the photonswere entangled and the bases were the same.

Entangled photons allow Alice and Bob to detecteavesdroppers. Imagine that Eve intercepts the streamof photons being sent to Bob. She’d have to make ameasurement, extract a value, and then resend thephoton to Bob, encoding the value she obtained intothe new photon. Her measurement would first destroythe entanglement. And since she’d not know theoriginal basis in which the photon was encoded, she’dalso get the basis wrong—on average—half the time.So, when Alice and Bob compare their results, thedisturbed entanglement and sometimes-wrong basis

would reveal Eve’s presence in the form of reducedcorrelations in their own measurement results. Theycan repeat their efforts until they are sure they haven’tbeen hacked.

Commercial and reliable QKD-based encryptionsystems have been available for a decade. Even so,these systems are still in their infancy, limited both inrange and data rates. But the newest results from re-search laboratories in China and Canada promise torevolutionize quantum communications in the not-too-distant future.

Entangled CitiesIn practice, using entangled photons to distribute akey between Alice and Bob over arbitrarily large dis-tances is not easy, nor is it impossible. Entanglement isa delicate quantum state and can be easily destroyed.Middlemen can help. Imagine a scenario where Aliceand Bob each create a pair of entangled photons.Alice sends one of her pair of particles to a middlemancalled Charlie, and keeps the other particle with her.Bob does the same. Now, Charlie has access to twoparticles, one from Alice and one from Bob. Charliecan now do something called a Bell-state measure-ment, which results in the photons that are with Aliceand Bob becoming entangled. Now Alice and Bobcan use the entanglement-based protocol to establisha key. Crucially, they can double the distance betweenthem using Charlie, a technique that can allow Aliceand Bob to communicate over longer distances.

This fall, two teams independently reported im-portant steps toward the implementations of thisapproach that would make it easier to distributecryptographic keys using entanglement and Bell-state measurements. Both teams used existing city-wide fiber-optic networks and reached distances ofa few kilometers.

One was a team led by Qiang Zhang and Jian-WeiPan at the University of Science and Technology ofChina, in Hefei (4). Zhang’s team envisages a quantumnetwork with a central hub that exchanges quantumstates with distant nodes, where each link between thehub and a node uses an Alice-Charlie-Bob protocol,with Bob at the hub. In September, they demon-strated one such link over Hefei’s optical fiber net-work. Then, in November, the team broke a newrecord for QKD by sending information over 400 kilo-meters of existing optical fiber (5). “Entanglement isbeautiful, but it hasn’t been practical [for security] untilnow,” says Zhang. He notes that transmitting quantumstates over long distances in this way—called “quan-tum teleportation”—could also be used for otherquantum processes, including quantum computing.

The other group, reporting in September, was ledby Tittel in Calgary (6). His team used their city’s fiber-optic network to achieve similar results. They, how-ever, implemented a scheme that could be used tostring together a sequence of quantum links, such thatthe distance between Alice and Bob could span cities.Taken together, the work of the two teams shows howsecure land-based quantum networks could be built,using quantum cryptography to exchange keys. “In

“Entanglement is beautiful, but it hasn’t been practical[for security] until now.”

—Qiang Zhang

2786 | www.pnas.org/cgi/doi/10.1073/pnas.1702236114 Ornes

Dow

nloa

ded

by g

uest

on

Aug

ust 2

9, 2

020

principle, we should soon be able to do this over ar-bitrarily large distances,” Tittel says.

Another way to increase the reach of quantumnetworks is to have ground stations communicate viasecure quantum links with satellites (playing the role ofCharlie) in space. That’s what Alexander Ling is after.His experiment, which survived the rocket explosion,was designed to generate entangled photons in space.“Space is a bit trickier,” says Ling. Still, he’s madeprogress: in December 2015 his team sent anotherCubeSat-packed light source into space—this timewithout incident—onboard a rocket launched fromIndia. It’s in orbit now and generating photons, notentangled yet, but it’s another step toward aglobal, space-based quantum Internet.

Ling isn’t the only one working on such efforts noris he the best-funded. In August, China launched a$100 million satellite to test quantum entanglement inspace for the next 2 years. It will link to two ground-based stations, one in the Xinjiang province in westernChina and the other about 120 miles south of Beijing.After that, the researchers plan to go international byconnecting with a station in Vienna. If the experimentsucceeds, China plans to launch a fleet of such satel-lites by 2020.

Not So Fast. . .Even as some physicists celebrate quantum cryp-tography’s robustness, others argue that QKD toomay be flawed. Since the first QKD systemsappeared, computer scientists have found loopholesthat enable hackers to spy on a system without de-tection. The problem isn’t so much the physics as theimplementation: it’s tough to build devices that de-liver on the promises of quantum physics. That’spartly because the actual performance of a photongenerator or detector deviates from the ideal be-havior required by theory, and hackers can exploitsuch deviations. For example, a hacker who knowshow a detector measures light pulses can interceptthe beam of photons in such a way that the in-terception would be detectable by an ideal device

but falls within the margin of error of real-world machines.

Quantum hacking expert Makarov demonstratedone hacking strategy in 2010 while working at theNorwegian University of Science and Technology inTrondheim (7). Makarov and his team used off-the-shelf devices to successfully blind Bob’s photon de-tectors, allowing the intruder to control them. Theintruder could then detect all photons from Alice andmake Bob repeat his detection results exactly. Bob’sdevice didn’t detect the interception because itthought it was detecting photons from Alice. “It wasbehaving classically as a sock-puppet of the intruder,”says Makarov. More recently, he and his team en-gaged in a more brute-force approach, using lasers todrill holes in devices, destroying security protections,and leaving the system open to attacks.

Some computer scientists remain unconvinced thatquantum cryptography will ever be widespread be-cause of its high cost and difficulty to implement. Thatskepticism has led researchers to pursue “post-quantumcryptography,” which aims to identify which mathe-matical algorithms will fall to Shor’s algorithms andwhich can withstand quantum computers.

But Zhang maintains that QKD is the best wayforward. “Some people say there may be loopholes inQKD because QKD is a theory, and to implement ityou need practical devices, and there’s a gap betweenpractical devices and ideal devices,” Zhang says. “Butit’s much more secure than any classical algorithm.”

Also, the devices that make QKD possible are ex-pensive, which means they are appealing to only anarrow range of uses, such as interbank transactions,says Zhang. The dream of a global quantum Internet—like ones that use Ling’s satellite-based technology—won’t be realized without a lot of money. Ultimately,quantum cryptography’s biggest challenge may notbe technology or the limits of quantummechanics, butthe real-world costs. “What we need most is marketdemand,” says Makarov. “If a company has to sell amillion of these systems, they will become cheaperand miniaturized.”

1 Rivest RL, et al. (1978) A method for obtaining digital signatures and public-key cryptosystems. Commun ACM 21(2):120–126.2 Shor PW (1994) Algorithms for quantum computation: Discrete logarithms and factoring. Proceedings of the 35th Annual Symposiumon Foundations of Computer Science, Santa Fe, NM, Nov. 20–22, 1994 (IEEE Computer Society Press, Washington, DC), pp 124–134.

3 Bennett CH, Brassard G (1984) Quantum cryptography: Public key distribution and coin-tossing. International Conference onComputers, Systems, & Signal Processing, Bangalore, India, Dec. 10–12, 1984.

4 Sun Q-C, et al. (2016) Quantum teleportation with independent sources and prior entanglement distribution over a network. NatPhotonics 10:671–675.

5 Yin H-L, et al. (2016) Measurement-device-independent quantum key distribution over a 404 km optical fiber. Phys Rev Lett 117(19):190501.

6 Valivarthi R, et al. (2016) Quantum teleportation across a metropolitan fibre network. Nat Photonics 10:676–680.7 Lyderson L, et al. (2010) Hacking commercial quantum cryptography systems by tailored bright illumination. Nat Photonics 4:686–689.

Ornes PNAS | March 14, 2017 | vol. 114 | no. 11 | 2787

Dow

nloa

ded

by g

uest

on

Aug

ust 2

9, 2

020