By Steve Towns, March 2007
Businesses and government organizations compile and exchange a wealth of sensitive information, ranging from national defense data to tax information to trade secrets. Whatís more, a growing number of these transactions occur electronically, putting a premium on the trustworthiness of computer systems and networks.
Current methods for protecting electronic messages such as public key cryptography offer adequate protection for now. But even encryption methods considered virtually uncrackable today are vulnerable to mathematical breakthroughs or technological improvements that make it easier to solve their protective code.
HP Labs researchers in Bristol, UK, are attacking the problem using quantum physics, which one day could provide absolute security for electronic transactions.
The laws of quantum physics state that no one can look at a quantum system without changing it, thus leaving behind evidence that the system has been observed. Through a technique called quantum key distribution (QKD), researchers are exploiting quantum characteristics to detect unauthorized attempts to access secure communications.
"This could allow secure communication between two parties, which is something you donít have with conventional security methods," says Tim Spiller, a distinguished scientist at HP Labs.
Cryptography relies on shared secrets: Both the sender and receiver of a secure communication must possess the code or key that unscrambles the encrypted message.
For most of history, the key for decoding an encrypted message had to be kept an absolute secret that was possessed only by the sender and receiver. The key had to be shared by some trustworthy method -- an in-person meeting or delivered by a trusted courier -- before an encrypted message could be sent.
The practical difficulties of distributing secret keys led to public key cryptography, which allows users to communicate securely without exchanging a shared key beforehand. Instead, the sender uses whatís known as a public key to encrypt the message, which the receiver decodes using a private key. As the name implies, public keys are widely available, but can only be unlocked by corresponding private keys held by the recipient of a message.
Public key cryptography works, but it has a potential Achilles heel. Public and private keys are long, mathematically related numbers, so itís theoretically possible to discover the private key if you know the public key. Public key cryptography relies on mathematical complexity to prevent this from happening. The numbers are so big, that itís simply too difficult to calculate the private key.
"Public key cryptography is an act of faith," Spiller says. "We believe that itís very hard to crack, but in principle it can be done. A clever mathematician could come up with a new technique that would make the necessary factoring much easier."
QKD is designed to eliminate that risk by providing a new method for securely distributing secret encryption keys.
"The problem is, how can you and I share a key in a way that weíre confident that no one has intercepted it en route?" Spiller says. "Encoding information into quantum states -- very weak pulses of light or even single photons -- could provide absolute security. If anyone tries to intercept those systems and look at them, they cannot help but disturb them through their act of looking."
As a result, encryption keys may be shared with assured integrity. Once the keys are distributed, they can be used for secure identification, access, communication or transactions.
Researchers have known that quantum key cryptography is theoretically possible for at least 20 years, but breakthroughs over the past 10 years have moved the idea closer to practical application.
Although still very expensive, the technology is nearing the point where it could be used to create secure quantum communications links. Quantum communications networks currently are limited to about 60 miles, the maximum distance a weak light beam can travel thru optical fiber without amplification or correction, which would corrupt the quantum signal. Large-scale research projects are under way now in the United States and Europe to further develop the technique, he said.
Quantum technology will first appear in secure communications backbones connecting restricted government installations, financial institutions and other specialized facilities. But HP researchers are focused on making the technique practical for everyday tasks.
For instance, quantum key technology built into PDAs or mobile phones could replace passwords and PINs for many common transactions.
"Suppose that we could interface in a quantum secure way from a handheld device to an ATM machine?" Spiller says. "Can we implement a very short- range and free-space quantum secure path so you just walk up to a cash machine and complete a transaction? You donít have to plug anything in or type anything in."
Besides securing transactions and the exchange of sensitive information, quantum devices could one day be used to identify employees, control access to facilities, mobile devices or replace passwords in some situations.
In collaboration with HP, researchers at the University of Bristol already have created a working prototype of a portable quantum secure device, although itís hardly pocket-sized. Ultimately, quantum technology must become inexpensive enough to add to consumer devices, says Spiller.
"Itís going to take a few years for all of the engineering issues to be addressed so that the technology can be built into an iPAQ or something like that," he says. "But I donít think itís an unreasonable vision within three or four years. It would be quite a stretched goal for us, but itís a good thing to aim at."