the public key to unscramble the message. In principle, an eavesdropper, Eve, could deduce the private key from the public key. In practice, that problem is so hard it would take nearly forever to solve. For example, in the widely used RSA algorithm, the public key is a huge number that factors into two prime numbers known only to Bob. To encode a message, Alice multiplies the binary message by itself a number of times—that is, raises it to a power—that’s based on those factors and specified by Bob. She divides the result by the public key and takes the remainder—an operation called modding out. (For example, 33 mod 15 equals 3.) She sends the remainder to Bob as the coded message. To unscramble the message, Bob raises it to another power that depends on the two primes. That power is his private key. He then mods out by the public key. Voilà! The original message pops out. Confusing? It’s supposed to be. But basically it’s as if Alice has a counter that resembles a car’s odometer, except that it rolls over to zero when the count equals the C RY P TO G R A P H Y public key. She dials in the original message and scrambles it by advancing the counter according to a certain recipe, letting the counter roll over however many times it will. Someday a quantum computer may unlock all our secrets—if it isn’t first stymied by Bob then advances the counter in a way that simpler technologies makes the original message roll around again. The algorithm is secure because, without When the news broke earlier this month that our adversaries will have better computers knowing how many times the counter has the U.S. government is trying to build a super- and better algorithms, but they won’t be able rolled over, Eve can’t readily reverse Alice’s fast quantum computer, reports suggested the to break the laws of physics,” says Richard manipulations. She may have a better shot at demise of private information as we know it. Hughes, a physicist at Los Alamos National figuring out Bob’s private key—the power to “[T]he National Security Agency is racing to Laboratory in New Mexico. which he’s going to raise the coded message. build a computer that could break nearly every Which raises a practical question: If such But that requires factoring the public key. As kind of encryption used to protect banking, countermeasures rob a quantum computer of the key is huge—typically 2048 bits—that medical, business and government records its widely perceived killer app, will anybody task would overwhelm an ordinary computer. around the world,” The Washington Post said put up the huge sums of money likely needed But it would be easy for a quantum in a front-page story on 3 January. to make a quantum computer a reality? computer. An ordinary computer employs The end may not be so nigh, however. “bits” that can be set to either 0 or 1; a “People are not actually shaking in their The threat quantum computer would use “qubits”— shoes so much,” says Lance Fortnow, a Be it data file or love letter, information crosses perhaps spinning ions or little loops of computer scientist and blogger at the Georgia the Internet in the form of numbers, written in superconductor—that could be set to 0, 1, Institute of Technology (Georgia Tech) in binary strings of 0s and 1s. Crypor, thanks to the weirdness of Atlanta. The $80 million National Security tography is the mathematics of quantum mechanics, 0 and 1 at the Agency (NSA) initiative came to light in scrambling a numerical message same time. The qubits’ state would documents leaked by former NSA contractor so that it can be unscrambled only sciencemag.org be described by quantum waves Podcast interEdward Snowden, but experts say they’re not by the intended recipient, at least that can interfere to reinforce or view with Adrian surprised that NSA is working on quantum in a reasonable amount of time. A Cho (http://scim.ag/ cancel one another, making new computing. “It would be shocking if they quantum computer could crack pod_6170). algorithms possible. In 1994, weren’t,” Fortnow says. But a full-fledged current algorithms for so-called Peter Shor, a computer scientist quantum computer is likely decades away. asymmetric or public key encryption, the at the Massachusetts Institute of Technology More important, even if a quantum code technique typically used to begin secure Inter- (MIT) in Cambridge, reported an algorithm cracker can be built, it might be defeated by net communications. that uses such “quantum interference” to encryption algorithms already in the works— In such schemes, a sender, Alice, scrambles factor huge numbers in far fewer steps or by another technology, called quantum key a message to the recipient, Bob, using a than an ordinary computer needs. Shor’s distribution, that relies on quantum mechanics numerical key that Bob makes public. Bob algorithm could crack not just RSA, but all itself for security. “In the future, we believe also possesses a private key that mates with current public key schemes.
Online
482
31 JANUARY 2014
VOL 343 SCIENCE www.sciencemag.org Published by AAAS
CREDIT: ™ & © E.C. PUBLICATIONS INC. USED WITH PERMISSION. VISIT: WWW.MADMAG.ORG
Quantum Spy Games
Downloaded from www.sciencemag.org on January 31, 2014
NEWSFOCUS
NEWSFOCUS Building a quantum computer, however, is easier said than done. Researchers must keep the qubits isolated enough to maintain their delicate quantum waves, yet make them interact enough to perform a calculation. That’s a monumental challenge. Quantum computing has been a hot topic since the 1990s, but physicists are still struggling to manipulate a handful of qubits. The best anyone has done with Shor’s algorithm has been to factor 21. One company, D-Wave of Burnaby, Canada, sells a more limited type of supposedly quantum computer that cannot run Shor’s algorithm. But for the most part, quantum computing remains a basic research subject, says Addison Snell, an industry analyst with Intersect360 Research in Mountain View, California. “If I were a big company like IBM, I’d have a couple of guys in the back room working on this,” he says. Countermeasures Even if a quantum computer remains a remote threat, some researchers are already working to counter it. That’s because it’s not just future communications that might be jeopardized, but also messages we’re sending today, which could be cracked after a quantum computer becomes a reality. “How do you know that somebody hasn’t recorded all those communications?” says Georgia Tech’s Fortnow. “The Internet doesn’t forget so fast.” The easiest safeguard would be to improve cryptography. A quantum computer couldn’t defeat every type of encryption. In symmetric or private key systems, Alice and Bob share a secret key and a public algorithm that, for example, makes two different chunks of coded message look like random bits when Eve compares them. In that case, Eve can’t hack a transmission by looking for correlations in the stream of bits. Such schemes seem capable of withstanding a quantum attack and already encrypt most of the data transmitted in secure Internet transactions. New public key algorithms might also fend off a quantum computer. For example, Chris Peikert, a cryptographer at Georgia Tech, and colleagues are working on so-called lattice methods. A lattice is a repeating array of dots like the atoms in a crystal. In three dimensions, each distinct crystal lattice can be characterized by three arrows or “basis vectors” that can be added to and subtracted from one another repeatedly to reconstruct the structure. Describing a lattice in 1000 dimensions requires 1000 basis vectors. Given only the basis vectors for a 1000-dimensional lattice, which two points in the lattice are closest together? That is, what
is the shortest vector that can be made from the basis vectors? That problem appears to be hard, even for a quantum computer, Peikert says. So he’s developing schemes in which the basis vectors serve as the public key to encode a message, and the shortest vector serves as the private key to decode it. “In terms of having something that is real that can be measured and optimized, we are either there or very close to there,” Peikert says. Perhaps the best defense against a quantum computer is another quantum strategy: quantum key distribution. In that technology, Alice passes Bob a secret key encoded in individual photons. The photons can be polarized—say, horizontally for 0 and vertically for 1. Thanks to quantum theory, Eve can’t measure the photons without altering them and revealing herself. A handful of companies already sell quantum key distribution systems. For example, ID Quantique in Geneva,
to make than a quantum computer, says Gregoire Ribordy, co-founder and CEO of ID Quantique: “Which is good, because it means we will be able to do [fully] quantum communications before encryption is broken.” More immediate dangers Even without a quantum computer, public key systems are under pressure because of improvements in algorithms and increases in computing power. When RSA was invented in 1977, mathematician and writer Martin Gardner challenged readers to crack a message encoded with a 426-bit key. Ronald Rivest, a computer scientist at MIT and one of the inventors of RSA, estimated that it would take 40 quadrillion years to do so. Seventeen years later, 600 volunteers decoded the message in 8 months. To fend off such challenges, Internet companies such as Google and Microsoft are now phasing out 1024-bit RSA keys in favor of tougher 2048-bit ones.
Universal Quantum Computer vs. Quantum Key Distribution Primarily a theoretical construct
Status
Entering market
Could crack current algorithms for public key encryption
Strength
Passes key for private key algorithms under eavesdroppers' noses
Can't break private key encryption, could be shut out by quantum key distribution
Weakness
Requires rewiring networks with optical fiber, fully quantum network not yet possible
Has been a decade away for nearly 20 years and may stay that way
Prospects
Hard and expensive, but easier and cheaper than building a quantum computer
Trumped? As a code cracker, a quantum computer might be foiled by simpler quantum key distribution.
Switzerland, has roughly 100 systems in use; its clients include the Canton of Geneva, which protects election results with the technology. Current systems cost about $100,000 for two stations linked by an optical fiber. And they’re not yet ideal: A message sent across a network must be decoded at each station along the way, where it might be intercepted. To overcome that weakness, researchers hope to use the photons not simply to send the key, but to create a mysterious quantum connection called entanglement between qubits in 0-and-1 states at either end of a link. Alice and Bob could then generate a secret key by measuring their qubits: Alice would measure hers, causing its state to “collapse” into either 0 or 1. She’d know that Bob’s had collapsed into the same state. Entanglement could be passed from node to node, so that Alice and Bob could share the key without danger of spying at the nodes between them. That vision requires a device called a quantum repeater at each node. Such a thing does not yet exist, but it should be easier
www.sciencemag.org
SCIENCE
VOL 343
Published by AAAS
But going further and switching to new algorithms would be hugely expensive. Widespread quantum key distribution would require rewiring networks with optical fibers. Without a dramatic threat, the technologies may not be worth the hassle. “The old joke is that one of the uses for quantum computing is to create a market for quantum key distribution,” says Scott Aaronson, a theoretical computer scientist at MIT. The economic calculus could also cut the other way, however. If quantum-proof algorithms and quantum key distribution take off, then they might blunt the desire of governments and private companies to build a quantum computer. “It could happen,” Ribordy says. “It’s a good argument.” Aaronson argues that a quantum computer will have other uses and that the real reason to build one is to prove it can be done. “That’s a harder case to make to many business people, but I think that’s the honest case,” he says. It also doesn’t sound like a goal that NSA would spend $80 million to reach. –ADRIAN CHO
31 JANUARY 2014
483
Online
482
31 JANUARY 2014
VOL 343 SCIENCE www.sciencemag.org Published by AAAS
CREDIT: ™ & © E.C. PUBLICATIONS INC. USED WITH PERMISSION. VISIT: WWW.MADMAG.ORG
Quantum Spy Games
Downloaded from www.sciencemag.org on January 31, 2014
NEWSFOCUS
NEWSFOCUS Building a quantum computer, however, is easier said than done. Researchers must keep the qubits isolated enough to maintain their delicate quantum waves, yet make them interact enough to perform a calculation. That’s a monumental challenge. Quantum computing has been a hot topic since the 1990s, but physicists are still struggling to manipulate a handful of qubits. The best anyone has done with Shor’s algorithm has been to factor 21. One company, D-Wave of Burnaby, Canada, sells a more limited type of supposedly quantum computer that cannot run Shor’s algorithm. But for the most part, quantum computing remains a basic research subject, says Addison Snell, an industry analyst with Intersect360 Research in Mountain View, California. “If I were a big company like IBM, I’d have a couple of guys in the back room working on this,” he says. Countermeasures Even if a quantum computer remains a remote threat, some researchers are already working to counter it. That’s because it’s not just future communications that might be jeopardized, but also messages we’re sending today, which could be cracked after a quantum computer becomes a reality. “How do you know that somebody hasn’t recorded all those communications?” says Georgia Tech’s Fortnow. “The Internet doesn’t forget so fast.” The easiest safeguard would be to improve cryptography. A quantum computer couldn’t defeat every type of encryption. In symmetric or private key systems, Alice and Bob share a secret key and a public algorithm that, for example, makes two different chunks of coded message look like random bits when Eve compares them. In that case, Eve can’t hack a transmission by looking for correlations in the stream of bits. Such schemes seem capable of withstanding a quantum attack and already encrypt most of the data transmitted in secure Internet transactions. New public key algorithms might also fend off a quantum computer. For example, Chris Peikert, a cryptographer at Georgia Tech, and colleagues are working on so-called lattice methods. A lattice is a repeating array of dots like the atoms in a crystal. In three dimensions, each distinct crystal lattice can be characterized by three arrows or “basis vectors” that can be added to and subtracted from one another repeatedly to reconstruct the structure. Describing a lattice in 1000 dimensions requires 1000 basis vectors. Given only the basis vectors for a 1000-dimensional lattice, which two points in the lattice are closest together? That is, what
is the shortest vector that can be made from the basis vectors? That problem appears to be hard, even for a quantum computer, Peikert says. So he’s developing schemes in which the basis vectors serve as the public key to encode a message, and the shortest vector serves as the private key to decode it. “In terms of having something that is real that can be measured and optimized, we are either there or very close to there,” Peikert says. Perhaps the best defense against a quantum computer is another quantum strategy: quantum key distribution. In that technology, Alice passes Bob a secret key encoded in individual photons. The photons can be polarized—say, horizontally for 0 and vertically for 1. Thanks to quantum theory, Eve can’t measure the photons without altering them and revealing herself. A handful of companies already sell quantum key distribution systems. For example, ID Quantique in Geneva,
to make than a quantum computer, says Gregoire Ribordy, co-founder and CEO of ID Quantique: “Which is good, because it means we will be able to do [fully] quantum communications before encryption is broken.” More immediate dangers Even without a quantum computer, public key systems are under pressure because of improvements in algorithms and increases in computing power. When RSA was invented in 1977, mathematician and writer Martin Gardner challenged readers to crack a message encoded with a 426-bit key. Ronald Rivest, a computer scientist at MIT and one of the inventors of RSA, estimated that it would take 40 quadrillion years to do so. Seventeen years later, 600 volunteers decoded the message in 8 months. To fend off such challenges, Internet companies such as Google and Microsoft are now phasing out 1024-bit RSA keys in favor of tougher 2048-bit ones.
Universal Quantum Computer vs. Quantum Key Distribution Primarily a theoretical construct
Status
Entering market
Could crack current algorithms for public key encryption
Strength
Passes key for private key algorithms under eavesdroppers' noses
Can't break private key encryption, could be shut out by quantum key distribution
Weakness
Requires rewiring networks with optical fiber, fully quantum network not yet possible
Has been a decade away for nearly 20 years and may stay that way
Prospects
Hard and expensive, but easier and cheaper than building a quantum computer
Trumped? As a code cracker, a quantum computer might be foiled by simpler quantum key distribution.
Switzerland, has roughly 100 systems in use; its clients include the Canton of Geneva, which protects election results with the technology. Current systems cost about $100,000 for two stations linked by an optical fiber. And they’re not yet ideal: A message sent across a network must be decoded at each station along the way, where it might be intercepted. To overcome that weakness, researchers hope to use the photons not simply to send the key, but to create a mysterious quantum connection called entanglement between qubits in 0-and-1 states at either end of a link. Alice and Bob could then generate a secret key by measuring their qubits: Alice would measure hers, causing its state to “collapse” into either 0 or 1. She’d know that Bob’s had collapsed into the same state. Entanglement could be passed from node to node, so that Alice and Bob could share the key without danger of spying at the nodes between them. That vision requires a device called a quantum repeater at each node. Such a thing does not yet exist, but it should be easier
www.sciencemag.org
SCIENCE
VOL 343
Published by AAAS
But going further and switching to new algorithms would be hugely expensive. Widespread quantum key distribution would require rewiring networks with optical fibers. Without a dramatic threat, the technologies may not be worth the hassle. “The old joke is that one of the uses for quantum computing is to create a market for quantum key distribution,” says Scott Aaronson, a theoretical computer scientist at MIT. The economic calculus could also cut the other way, however. If quantum-proof algorithms and quantum key distribution take off, then they might blunt the desire of governments and private companies to build a quantum computer. “It could happen,” Ribordy says. “It’s a good argument.” Aaronson argues that a quantum computer will have other uses and that the real reason to build one is to prove it can be done. “That’s a harder case to make to many business people, but I think that’s the honest case,” he says. It also doesn’t sound like a goal that NSA would spend $80 million to reach. –ADRIAN CHO
31 JANUARY 2014
483
