Saturday, September 19, 2020

What is quantum cryptography and how does it work?

[This is a transcript of the video embedded below. Some parts of the text may not make sense without the graphics in the video.]

If you punch your credit card number into a website and hit “submit”, I bet you don’t want to have twenty fraudulent charges on your bank account a week later. This is why all serious online retailers use encryption protocols. In this video, I want to tell you how quantum mechanics can help us keep secrets safe.


Before I get to quantum cryptography, I briefly have to tell you how the normal, non-quantum cryptography works, the one that most of the internet uses today. If you know this already, you can use the YouTube tool bar to jump to the next chapter.

The cryptographic codes that are presently being used online are for the most part public key systems. The word “key” refers to the method that you use to encrypt a message. It’s basically an algorithm that converts readable text or data into a mess, but it creates this mess in a predictable way, so that the messing up can be undone. If the key is public, this means everybody knows how to encrypt a message, but only the recipient knows how to decrypt it.

This may sound somewhat perplexing, because if the key is public and everybody knows how to scramble up a message, then it seems everybody also knows how to unscramble it. It does not sound very secure. But the clever part of public key cryptography is that to encode the message you use a method that is easy to do, but hard to undo.

You can think of this as if the website you are buying from gives you, not a key, but an empty treasure chest that locks when you close it. You take the chest. Put in your credit card number, close it. And now the only person who can open it, is the one who knows how to unlock it. So your message is safe to send. In practice that treasure chest is locked by a mathematical problem that is easy to pose but really hard to solve.

There are various mathematical problems that can, and that are being used, in cryptographic protocols for locking the treasure chest. The best known one is the factorization of a large number into primes. This method is used by the algorithm known as RSA, after its inventors Rivest (i as in kit), Shamir, and Adleman. The idea behind RSA is that if you have two large prime numbers, it is easy to multiply them. But if you only have the product of the two primes, then it is very difficult to find out what its prime-factors are.

For RSA, the public key, the one that locks the treasure chest, is a number that is derived from the product of the primes, but does not contain the prime factors themselves. You can therefore use the public key to encode a message, but to decode it, you need the prime factors, which only the recipient of your message has, for example the retailer to whom you are sending your credit card information.

Now, this public key can be broken, in principle, because we do know algorithms to decompose numbers into their prime factors. But for large numbers, these algorithms take very, very long, to give you a result, even on the world’s presently most powerful computers. So, maybe that key you are using can be broken, given a hundred thousand years of computation time. But really who cares. For all practical purposes, these keys are safe.

But here’s the thing. Whether or not someone can break one of these public keys depends on how quickly they can solve the mathematical problem behind it. And quantum computers can vastly speed up computation. You can see the problem: Quantum computers can break cryptographic protocols, such as RSA, in a short time. And that is a big security risk.

I explained in a previous video what quantum computers are and what to expect from them, so check this out if you want to know more. But just how quantum computers work doesn’t matter so much here. It only matters that you know, if you had a powerful quantum computer, it could break some public key cryptosystems that are currently widely being used, and it could do that quickly.

This is a problem which does not only affect your credit card number but really everything from trade to national security. Now, we are nowhere near having a quantum computer that could actually do such a computation. But the risk that one could be built in the next decades is high enough so that computer scientists and physicists have thought of ways to make public key cryptography more secure.

They have come up with various cryptographic protocols that cannot be broken by quantum computers. This is possible by using protocols which rely on mathematical problems for which a quantum computer does not bring an advantage. This cryptography, which is safe from quantum computers is called “post-quantum cryptography” or, sometimes, “quantum resistant cryptography”.

Post-quantum cryptographic protocols do not themselves use quantum effects. They have the word “quantum” in their name merely to say that they cannot be broken even with quantum computers. At least according to present knowledge. This situation can change because it’s possible that in the future someone will find a way to use a quantum computer to break a code currently considered unbreakable. However, at least at the moment, some cryptographic protocols exist for which no one knows how a quantum computer could break them.

So, computer scientists have ways to keep the internet safe, even if someone, somewhere develops a powerful quantum computer. Indeed, most nations already have plans to switch to post-quantum cryptography in the coming decade, if not sooner.

Let us then come to quantum cryptography, and its application for “quantum key distribution”. Quantum key distribution is a method for two parties to securely share a key that they can then use to encode messages. And quantum physics is what helps keep the key safe. To explain how this works, I will again just use the simplest example, that’s a protocol known as BB Eighty-four, after the authors Bennett and Brassard and the year of publication.

When physicists talk about information transfer, they like to give names to senders and receivers. Usually they are called Alice and Bob, so that’s what I will call them to. Alice wants to send a secret key to Bob so they can then have a little chat, but she does not want Bob’s wife, Eve, to know what they’re talking about. In the literature, this third party is normally called “Eve” because she is “eavesdropping”, hahaha, physics humor.

So, Alice creates a random sequence of particles that can have spin either up or down. She measures the spin of each particle and then sends it to Bob who also measures the spin. Each time they measure spin up, they note down a zero, and each time they measure spin down, they note down a one. This way, they get a randomly created, shared sequence of bits, which they can use to encode messages.

But this is no good. The problem is, this key can easily be intercepted by Eve. She could catch the particle meant for Bob in midflight, measure it, note down the number, and then pass it on to Bob. That’s a recipe for disaster.

So, Alice picks up her physics textbooks and makes the sequence of particles that she sends to Bob more complicated.

That the spin is up or down means Alice has to choose a direction along which to create the spin. Bob has to know this direction to make his measurement, because different directions of spins obey an uncertainty relation. It is here where quantum mechanics becomes important. If you measure the direction of a spin into one direction, then the measurement into a perpendicular direction is maximally uncertain. For a binary variable like the spin, this just means the measurements in two orthogonal directions are uncorrelated. If Alice sends a particle that has spin up or down, but Bob mistakenly measures the spin in the horizontal direction, he just gets left or right with fifty percent probability.

Now, what Alice does is to randomly choose whether the particles’ spin goes in the up-down or left-right direction. As before, she sends the particles to Bob, but – and here is the important bit – does not tell him whether the particle was created in the up-down or left-right direction. Since Bob does not know the direction, he randomly picks one for his measurement. If he happens to pick the same direction that Alice used to create the particle, then he gets, as previously, a perfectly correlated result. But if he picks the wrong one, he gets a completely uncorrelated result.

After they have done that, Alice sends Bob information about which directions she used. For that, she can use an unencrypted channel. Once Bob knows that, he discards the measurements where he picked the wrong setting. The remaining measurements are then correlated, and that’s the secret key.

What happens now if Eve tries to intersect the key that Alice sends? Here’s the thing: She cannot do that without Bob and Alice noticing. That’s because she does not know either which direction Alice used to create the particles. If Eve measures in the wrong direction – say, left-right instead of up-down – she changes the spin of the particle, but she has no way of knowing whether that happened or not.

If she then passes on her measurement result to Bob, and it’s a case where Bob did pick the correct setting, then his measurement result will no longer be correlated with Alice’s, when it should be. So, what Alice and Bob do is that they compare some part of the sequence they have shared, again they can do that using an unencrypted channel, and they can check whether their measurements were indeed correlated when they should have been. If that’s not the case, they know someone tried to intercept the message. This is what makes the key safe.

The deeper reason this works is that in quantum mechanics it is impossible to copy an arbitrary state without destroying it. This is known as the no-cloning theorem, and this is ultimately why Eve cannot listen in without Bob and Alice finding out.

So, quantum key distribution is a secure way to exchange a secret key, which can be done either through optical fiber or just free space. Quantum key distribution actually already exists and is being used commercially, though it is not in widespread use. However, in this case the encoded message itself is still sent through a classical channel without quantum effects.

Quantum key distribution is an example for quantum cryptography, but quantum cryptography also more generally refers to using quantum effects to encode messages, not just to exchange keys. But this more general quantum cryptography so far exists only theoretically.

So, to summarize: “Post quantum cryptography” refers to non-quantum cryptography that cannot be broken with a quantum computer. It exists and is in the process of becoming widely adopted. “Quantum key distribution” exploits quantum effects to share a key that is secure from eavesdropping. It does already exist though it is not widely used. “Quantum cryptography” beyond quantum key distribution would use quantum effects to actually share messages. The theory exists but it has not been realized technologically.

I want to thank Scott Aaronson for fact-checking parts of this transcript, Tim Palmer for trying to fix my broken English even though it’s futile, and all of you for watching. See you next week.

40 comments:

  1. English is inherently broken. You present things clearly, anyway. Thanks.

    ReplyDelete
  2. "So, what Alice and Bob do is that they compare some part of the sequence they have shared, again they can do that using an unencrypted channel, and they can check whether their measurements were indeed correlated when they should have been."

    Why can't Eve intercept this communication and replace it with a measurement that makes both Alice and Bob think it matches?

    ReplyDelete
    Replies
    1. Eve has no way of knowing what Alice measured because with a certain probability she destroyed that information.

      Delete
    2. To add ..., it is the same reason you need a classical key for teleportation. In the case of measuring spins a classical key or signal is needed so that Alice knows what orientation her Stern-Gerlach apparatus must be in order to match Bob. If Eve does not know this then Eve will induce collapse or decoherence that rubbishes the signal Bob is sending to Alice. Eve gives herself away.

      Delete
  3. I only know the rudiments of this. I have gone through the Shor factorization and a few thing. It is the case that encryption and information security appear to be the biggest area that quantum technology related to computing will impact.

    A friend once said the ultimate success of a physical theory is when its application kills people. Even general relativity has this, where GR corrected GPS is used to target enemy positions. Quantum information and computing in its infancy will probably reach this milestone. Since the main interest is security issues it is not too far off from that arena.

    Hobbes said the world was man against all and Schopenhauer said all of history is a meaningless brutal struggle for power.

    ReplyDelete
  4. Hi Sabine, BB84 looks secure but also seems it could be an easy prey for denial of service attacks. If someone will always be eavesdropping no key will ever be sent correctly on the other side...

    ReplyDelete
    Replies
    1. Yes, Eve could measure the qubit stream in order to demolish the communication. That would of course be a problem. The only way out is a quantum error correction code that has some Hamming distance measure and one must use a distribution of signals that Bob is sending to Alice, or is it Alice to Bob?

      Delete
  5. Sabine,

    Thank you for an excellent introduction into one of those fascinating areas in which deep physics meets and impacts everyday life!

    That quantum key distribution already exists and is being used commercially is a point I’ve also brought up in comments here. The existence of commercial devices that rely fundamentally on non-local spooky action to work is about as good a proof of quantum entanglement that I can think of. There is just more to this universe than classical physics.

    Given the recent surge in quantum computing claims, it’s not surprising that encryption is moving away from primes. The irony is that for secrets sent in the past it’s already too late, since anyone who recorded them can retroactively decode them. This would however still require expensive equipment, so for now the most cost-effective way to obtain the world’s deepest and most dangerous secrets is still to schedule a meeting with the leader of the free world and compliment him on his hair.

    One simple and old (1800s) quantum-resistant method is “one-time pad” (Google it in quotes) encryption. In this method, only you and your recipient have a copy of random numbers on a pad. When you combine your message with those random numbers, it becomes truly and unbreakably random to anyone who does not have the other copy of your one-time pad.

    The main reason why quantum key distribution is preferred over full data stream encryption is because quantum encryption has low data rates. Sending just a key allows quantum security then to be leveraged for sending huge quantities of data conventionally. This is just good engineering, so the key distribution approach will likely persist even as quantum encryption data rates improve.

    -----

    You noted that “it is impossible to copy an arbitrary state without destroying it” (the no-cloning theorem).

    Another way to look at no-cloning, one that I’ve advocated since 2006, is to recognize that if the final outcome of a quantum system is indefinite, then by simple induction the history leading up to that final classical state is also indefinite and thus quantum. That is, for quantum mechanics in general the past has not yet been set.

    If you Google my name in Cyrillic and in quotes, "Терри Боллингер", you can find a 2008 Russian popular article in which I introduce an idea that later was later called “retrocausality”. That’s not my term, and it has an unfortunate and flatly incorrect implication that causal or recorded past can be altered by quantum collapse in the present. The byline of that article captures my real point much better: “If the behavior of macroscopic objects is determined by quantum laws, then their past is indefinite.”

    Quantum physics can be defined as the physics of values for which the past remains indefinite. Conversely, classical physics becomes the physics of systems with known pasts. Indefinite-past quantum physics is equivalent to no-cloning because the quantum-to-classical transition is one-way and irrevocable: Once history is set it cannot be unset, and the universe moves forward from there.

    An interesting question raised at the time of that article was what the broader implications of the indefinite-history view of quantum mechanics might be. I can answer that a bit more specifically now: The simplest and most consistent broad interpretation of indefinite histories is dark wave functions, in which wave functions are bundles of absolutely conserved quantum numbers whose evolution in the future is determined ultimately by absolute quantum number conservation. Dark functions allow quantum systems to be treated as little more than rather boring unset variables, ones for which the past is undefined (dark), and for which history can come into existence only through the application of energy in the presence of historical information (classical context). Assuming absolute conservation as the first quantum rule — the inverse of Noether’s theorem — allows new interpretations for messy mathematical issues like renormalization.

    ReplyDelete
    Replies
    1. Hi Terry

      You mentioned: " The existence of commercial devices that rely fundamentally on non-local spooky action to work ..."

      I did not completely follow (my fault I am sure) the BB84 protocol described by Sabine but I did not notice any non-local or spooky aspects at work. Quantum - yes. No-cloning - yes. Spooky - no.

      Measurement of a particle in the same spin direction that it was prepared gives a predictable outcome without involving the idea of spookiness. Measurement in a different spin direction gives an uncertain outcome for an individual particle. Probably because of chaos reasons. Which may be related to chaos/fractal effects at work in a recent Superdeterminism thread.

      My view of the past is of a tangled and knotted web. The knots are measurements i.e. interactions which have brought wave/particles to a point/single state/collapse of the wave function. The rest is waves or uncollapsed particles. One cannot change history by undoing the knots but one could maybe add more knots if one only knew how. I think it may be possible, as I believe that some of the uncollapsed waves are (were?) travelling backwards in time. I am not working on how to do it!

      Austin Fearnley

      Delete
    2. Hi Austin,

      Ah, superdeterminism!

      Superdeterminism is an elegant way to get spooky action results without invoking spooky action. That is, it produces spooky-like correlations while keeping all processes local and speed-of-light bound.

      All physicists who accept Minkowski's casual one-sentence 1908 assertion that all of spacetime is filled with "substance" also necessarily and trivially accept superdeterminism, since spooky-like quantum correlations must be precoded into the block universe that results from bundling together all such infinitely extended particles.

      Curiously, infinitely extending the "substance" of particles along the time axis also implies that such particles have infinite mass, since they become infinitely long "worldlines" of this substance.

      But that brings up an interesting question: How do you then extract with mathematical precision the point-like particle masses from those worldlines?

      It wasn't until over a decade later that quantum physicists realized that the time width of a particle wave function is variable, so Minkowski never had to deal with this issue. Notice also that finite wave function width is not a problem for distance quantum uncertainty, since Minkowski never assumed that all of space is filled with "substance". It was only for time that Minkowski assumed particles to be infinitely long and thus infinitely massive.

      By far the simplest logical conclusion is that this pre-quantum Minkowski postulate was simply wrong, and that the "substance" of a particle is just as finite and localized in time as it is in space. No block universe!

      What that in turn implies is that spacetime is actually a finite-mass hyperplane -- the Boltzmann fabric -- that is moving at c through an otherwise empty 4-space. With this more quantum-consistent model there are no worldlines, and no fully predetermined futures. Instead, there is just a set of future paths that grow increasingly narrow as entropy -- historical data -- increases.

      Curiously, the foliations or "slices" of some block universe that both Minkowski and Einstein thought necessary are not logically required in such a fabric, since speed-of-light delays ensure that every frame will see itself as the one driving causality for the entire universe. In 4-space, though, what is really happening is that the trailing frame side is in the past, and only its leading edge is still in the undetermined future.

      Delete
    3. In this Wigner’s friend experiment it is natural to assume there is a joint probability for all four measurements of Alice-Bob and Charlie-Debbie. Following reasoning with local hidden variables correlations must obey Bell inequalities. One of the Bell inequalities, two measurement settings per party and binary outcomes, is violated in a six-photon experiment [Proietti, M. et al. Sci. Adv. 5, 9832 (2019]. This supports the conclusion no joint probability exists, which means superobserver's and the friend's data are fundamentally inconsistent.

      Yet it must be pointed out these “observers” are quantum mechanical. They are not classical observers, and what is happening here is consistent with the Schrödinger equation. This experiment is meant in some ways to push the envelope on the Schrödinger cat issue, where further experiment may attempt to scale up these quantum observers to be more classical-like.

      The Bell inequality means that if we assume reality, which is there is some existential basis for observables prior to a measurement, then we have nonlocality. On the other hand, with the Wigner friend and the Frauchigger-Renner argument, we can impose locality and have a loss of reality. This condition is where one gets superdeterminism. We can look as superdeterminism was where hidden variables are nonlocal, where this superdeterminism is unobservable and thus effectively nonexistent, or with locality, where superdeterminism is in effect unreality. It is a sort of nihilism of nonsense. Yet in another setting it can be seen as rather illuminating.


      We formulate the Born rule according to a basis and this is ultimately a statistical concept. We are running into the issue of what do we mean by a classical system as distinct from a quantum system. Heisenberg found this problem with the Bohr CI. An observer may sense they are macroscopic or classical and nobody can do a Hadamard operation on their brain, but ultimately this is a statistical probability statement very near P = 1. I may feel my observation of a quantum system, even if I am performing observations of observers of a quantum system, are going to be consistent because we are after all classical. In that setting locality and reality are consistent with each other. Here again reality just means the outcome of a measurement represents the state of the universe prior to a measurement. This implies two things. One is the basis an observer is measuring in is certain, where it is a matter of probability whether or not there is some Hadamard gate operation on the observer's brain state that changes that basis. The basis we choose is not objective, it is subjective. The other implication this assumption makes is that whether I make an observation or not the state of the system is objectively the same. This assumption is then problematic.

      The Frauchiger-Renner result and subsequent experiments set the meta-observers into quantum superposed states and they are localized. If these observers were purely classical there would be no paradox. What do we mean by purely classical? There is no such thing. We have something is classical "modulo quantum decoherence," which is to mean a macroscopic system appears classical only because decoherence from the environment acts as a sort of quantum Zeno machine that enforces the large system into a single stable state. So there is no worry about our ordinary observations of the world becoming a hodge-podge of inconsistent results, and further if we do not attempt to impose locality in a quantum system then inconsistent results will be a measure ε set.

      Delete
    4. cont: A part of the problem is that classical systems are usually a large N-state system. Here N can be number of particles, states or degrees of freedom. This is a domain of many-body theory and represents a sort of phase transition. The Mott insulator state for a superconductor occurs when some critical number of dopants block electrons, where the material is in a new phase. The occurrence of many states, particles of DoF is similarly a sort of phase transition. However, we know, say in the thermal domain, that a chunk of ice will sublime off water molecules, where even though it is in this colder state so it is in a solid phase some molecules may statistically absorb enough energy to escape. We can think of temperature as related to time with T = ħτ/k with τ = it and so by the same token there is some non-zero, though very small, probability that two observers are going to report inconsistent measurements of the same system.

      As a result, the loss of reality is not secured away by classicality, for there is no such thing as purely classical systems. If we wanted to push the size of these systems to larger scales to measure these deviations the difference between classical and quantum complexity, C and e^C, is such that for a sufficiently large system any observable departure from reality, or inconsistency the this FR measurement would be far smaller than 1/(#protons in the universe) and other such small numbers. From a practical perspective there is no particular concern with reality melting into a tohu va bohu of chaos an nonexistence.

      Delete
    5. Lawrence, thanks, that was an excellent and thought provoking read. I may in the future be tempted to paraphrase-quote you for inventing the phrase: "an illuminating nihilism of nonsense". Nice!

      Delete
    6. I guess I am not sure where I wrote, "an illuminating nihilism of nonsense." Unless you are saying what I wrote is nonsense, which it might in the end be. However, anyone who finds such should be kind enough to show me why.

      Delete
    7. Hi Lawrence, your exact words (with my italics) were: "It is a sort of nihilism of nonsense. Yet in another setting it can be seen as rather illuminating." I paraphrased to shorten it, but hopefully still correctly captured your nicely insightful intent about the paradoxes of locality and non-locality in quantum physics.

      Delete
    8. Hi Terry

      I was not trying to insert spookiness covertly via superdeterminism and I still see nothing spooky in the BB84 encription protocol. I prefer retrocausality myself, and in my retrocausal method there is no known way of predicting an outcome for an individual particle measured at any given angle to its preparated spin direction.

      It seems to be like trying to predict if a particular car picked up by a tornado will be thrown out of the twister to the left or right. On average there may be 50% left and 50% right but no easy prediction for a single object.

      However, the Bell correlation for a beam can be found using the retrocausality method even if an individual particle's measurement is not calculable in a simulation. So the method is not trying to achieve more that is possible using QM.

      Retrocausality could appear to be spooky, but if it exists then it is already weaved into our past fabric of space. IMO it is already weaved into every Bell experimental measurement. So it is not very spooky. BTW I think that the Bell correlation would not be achieved if pairs of entangled electrons were used instead of electron/positron pairs. I do not think this is possible to achieve, though.

      Also, the protocol does not seem to need entanglement and the article does not even mention entanglement, and so that should rule out spookiness.

      Austin Fearnley

      Delete
    9. Lawrence Crowell,

      "In this Wigner’s friend experiment..."

      I have already shown that those experiments are completely irrelevant. There is no way to completely shield a system from its environment even theoretically. Any system will continue to interact electromagnetically and gravitationally with the external world, hence no macroscopic superpositions can exist.

      "This supports the conclusion no joint probability exists, which means superobserver's and the friend's data are fundamentally inconsistent."

      A fallacious argument cannot "support" anything. It's useless.

      "Yet it must be pointed out these “observers” are quantum mechanical."

      Sure, so they aren't observers at all. This can only make their fallacious argument even more ridiculous.

      "The Bell inequality means that if we assume reality, which is there is some existential basis for observables prior to a measurement, then we have nonlocality."

      Only if you also assume that the hidden variable is independent on the measurement setup. And this assumption has no basis in classical field theories. A planet's trajectory depends on the position/momenta of other massive objects. An electron's trajectory depends on the position/momenta of other charged particles. Any change in the experimental setup implies a change of the hidden variable. The acceptance of this basic fact about classical physics is what is called "superdeterminism".

      "We can look as superdeterminism was where hidden variables are nonlocal, where this superdeterminism is unobservable and thus effectively nonexistent, or with locality, where superdeterminism is in effect unreality. It is a sort of nihilism of nonsense. Yet in another setting it can be seen as rather illuminating."

      The above conclusion is a brilliant example of where a bunch of fallacies can lead. Neither QM, locality or superdeterminism requires nihilism or non-sense. Physics is not nonsensical or contradictory. It's actually pretty simple. Let us now forget about undoable experiments (Wigner) or false assumption (Bell's independence) and see where a proper evaluation of evidence leads us:

      1. We have strong evidence that physics is local. No instantaneous effect was ever recorded and we have theoretical proof that none of the presently accepted theories allow for such effects. So, as proven by EPR, non-realism is ruled out. And to satisfy Bell's theorem we must accept superdeterminism, which, as pointed above, is nothing but accepting that classical field theories imply that a system cannot be isolated from its environment. That's all.

      Delete
    10. Austin, peace, I truly think we are arguing more over wording than over mathematical prediction. I don't use "retrocausal" any more, but that's just me nitpicking words, which I tend to do. I'm pretty sure, though, that if you introduce any variant of retrocausality, you should get something that at least looks like non-classical correlations.

      One of the nicest and least spooky definitions of "entanglement effects" was by the amazing Asher Peres, who had no problem at all scolding Einstein and company pointedly and validly for using the undefinable (by Einstein's own work!) word "simultaneous" several times in their EPR paper. A nice summary of Peres matter-of-fact ways of resolving this mystery can be found in the last paragraph of his Wikipedia bio.

      Delete
    11. Hi Terry

      Peace and goodwill at all times, of course.
      Sorry if my wording was abrupt in the previous post.
      That was completely unintentional, and I would call it an enjoyable discussion rather than 'arguing'.

      I looked up your reference to the www page on Peres and disagree with Alice's measurement information being localised at Alice's position. This may be literally correct in terms of Alice's log book of measurements being in Alice's pocket, but the information about the measurement is contained in, and travels with, the particle or wave after measurement. That is assuming a hidden variable, which I do. I do not like the word retrocausal and IMO what is happening is strongly retro but weakly causal. When an electron is measured, its spin changes so in a series of measurements it could change from -0.5 to +0.5 to -0.5 to +0.5 to -0.5 etc etc. I have tried without success to think of a way to prove whether a positron is changing spin, causally, forwards or backwards in time. With a beam of positrons one could also try to prove whether a beam was polarised or not on one 'side' of the measurement. But that does not work either as inserting a test measurement on a beam would impose the polarisation that we were trying to detect.

      In my retro model it is important that the measurement information on the positron travels backwards in time after measurement by Alice. That information is picked up by the partner-paired electron, at source/origin, and travels on to Bob when he measures the electron. The info does not stay in Alice's pocket lab-book! Alice's measurements on a random beam of positrons therefore imposes polarisation (along Alice's spin direction setting) of the beam of electrons measured by Bob. And of course when you measure a polarised beam at a given angle then the intensity is knowable. And strangely enough the formula for that intensity is exactly dual to the formula for the QM Bell correlation.

      I did this without knowing any retrocausality models. But since then, I have read and been amazed that in 2013 one paper says that the information of the spin is carried back in time, after measurement, to the origin. Just as I have suggested. But I cannot yet find any carry through to calculating the QM Bell correlation. I need to search more through the retrocausality literature though I like the philosphy sections even less than the term 'retrocausality'.

      So the measurement information is passed from positron to partner-electron at source. Alice does not need to communicate with Bob. Alices's apparatus is similarly mute. No information travels superluminary.

      And I do not expect this retro model will be compatible with super-fast quantum computing.

      Austin Fearnley

      Delete
  6. Pre-physics consideration, we humans have plenty of trouble communicating accurately. As Bill indicates, Sabine's broken English isn't. I did pick up a 'to' that should have been a 'too'. Such nit-picking can be overconsuming. Current computing is allowing us to reveal much we missed in previous experiments in biology and become key ib "the biology of noise". As quantum tech becomes day-to-day, will the tech itself unfold another level of listening-in we are not considering now? Co-evolution in the system? The ability to quantum-encode is a signal of sorts, and so on and so forth. This isn't the physics, but then it's not long since the stochastic fluctuations we now pay attention to weren't biology.

    ReplyDelete
  7. These considerations are important for attaining absolute security and for establishing communications without pre-arranged keys.

    But for pre-arranged communications with practical security, a binary overlay sequence is adequate, where only the source of future overlay material need be agreed on.

    For instance Alice and Bob could agree in a personal meeting to always use as the overlay the file of Sabine's latest video encrypted by AES with a key taken from the last closing prices on the stock market. That would provide practical security for many megabytes per day. Given their method but not the choice of sources, not even government agencies would break it.

    ReplyDelete
    Replies
    1. Bill93 wrote: "not even government agencies would break it"

      Yes, if you keep your browser history secret. :-)

      Delete
  8. I think I remember having read that the distribution can be broken because of real-world effects. As far as I remember (and that isn't from here to the fridge) the attack vector was for Eve to blind Bob's detector by sending a lot more than one photon down the line. Did you find anything about that while researching for this video?

    ReplyDelete
    Replies
    1. Bjørn wrote: "that the distribution can be broken because of real-world effects"

      I remember that, too, and it was quite a number of years ago.

      Cryptographically, quantum physics does not really add much to cryptography. It's just one special elaborate method to create (and distribute) a one-time pad. Though often touted as unbreakable and tamper-proof, googling for "quantum cryptography flawed" turns up many articles deflating this claim. "Any encryption method will only be as secure as the humans running it."

      The claim for "security rooted in the laws of physics" is dangerously misleading. The fact that our best theories cannot predict the results of Bell-type experiments in every detail does not constitute proof that more comprehensive theories cannot exist. (Superdeterminism anyone?)

      As for the threat of quantum computers to RSA ciphers, it is important to keep in mind that quantum computers must be physical machines. Despite the talk of "qubits", they are not digital, but analog devices. The matrix elements of a Hamiltonian are infinitely precise only in the theoretician's mind. I expect the shepherding of 100 qubits to compute the product of two 50-bit numbers to be just as difficult as determining a frequency with an accuracy of 30 (decimal) digits. It's a rather safe bet that this won't happen soon.

      Delete
  9. What if Eve could add her own clones of particles entangled with transferred quanta and not measure them before she get the key info that Alice send to Bob?

    It is in principle possible to clone entangled states, isn't it?

    ReplyDelete
    Replies
    1. Why do you think it's called the "no cloning theorem"?

      Delete
    2. I mean that Eve added spy particles into the Bob's machine so that she gets identical copies and is capable to store them until Alice read...

      Delete
    3. Eve doesn't need to clone anything. It would be enough for Eve to pretend to be Alice by sending a different key to Bob while she responds back to Alice as pretending to be Bob.
      I think I've seen a movie with this subject and Bob is in trouble :)

      Delete
    4. What Eve can do is to perform her measurement and then pass the photon into a sapphire or BBO crystal to parametric down convert the photon into two entangled photons. This has the effect removing the demolition of the so called quantum wave collapse. Such quantum eraser experiments have been performed, where in a two-slit experiment a photon can be known which slit it passed through, then parametric down converted into two photons the have interference. Eve could do something similar, though Alice or Bob as the recipient would detect a photon of lower energy or greater wavelength. Eve would have to step up the down converted photon to higher energy. This is possible, but not easy.

      Delete
    5. Alice and Bob can exchange something only known by them. This might then involve an RSA public encryption key.

      The dawn of quantum computing means we are probably heading into a time where information security will never be secure. RSA nay in principle be cracked by quantum computers, and eavesdropping can be covered with quantum erasure.

      I have done a few simple things with the IBM QE computer and I can see some great prospects for research. However, I hope honestly the wide use of quantum computers is delayed. The fragility of large N quantum systems makes this plausible. Once quantum processors are widespread we will be in a world exponentially more complex and uncertain than what is around us now. I have certain misgivings about the current emergence of 5G. The quantum revolution in wide use of computing will make that look like Babbage machines.

      Delete
    6. Lawrence: Isn't the whole point that RSA may someday be cracked by a factoring algorithm?

      The "proper" thing to do may be to revert to the old-school methods; physical books (or disks) of randomized one-use substitution codes. We can use quantum mechanics to generate truly random numbers, so we generate a trillion of them, only Alice and Bob have copies of them, and without the Book it doesn't make a difference if anybody eavesdrops; there is no encryption key to discover.

      Then we are back to physical discovery, somebody has to physically find and copy the code book. You could even erase the code book as it gets used; so past saved messages cannot be decrypted if the code book is found the next day.

      Delete
    7. Prime factorization is a somewhat different topic from quantum security or knowing Eve is snooping in. Admittedly it is related. The one thing about quantum computing is often you need a classical key or signal. It may be impossible to make any quantum computing or key distribution completely free from classicality.

      Radioactive decay is a great way to make a random number generator. I suggested this to a physicist last decade at SNL and the guy ran with it. I sort of wish I had a little more credit for this.

      Delete
    8. Lawrence Crowell: My point was that if the raison d'être of quantum cryptography is that classical cryptography is crackable, then if quantum cryptography that relies on classical cryptography destroys the utility of quantum cryptography.

      Delete
    9. The relation between "quantum" and "cryptography" is very much like that between "snake" and "oil". :-)

      Delete
    10. Lawrence Crowell: Besides, Alice and Bob exchanging something "only known to them" would eliminate the need for quantum cryptography.

      They can use a codebook, which is classical cryptography, and can be made unbreakable as long as the codebooks remain only known to them. Even with unlimited past messages in both encrypted and non-encrypted form to analyze.

      Maybe I should file a patent! Any patent lawyers out there?

      Delete
  10. The history of cryptology has been another one of my many hobbies, coming no doubt from my Army training in cryptology. It has led me to understand that thee will always be human error and laziness, and of course traffic analysis.

    ReplyDelete
  11. Dr. Hossenfelder; I don't understand why this cryptography cannot be broken by a relatively simple spoofing middle-man attack.

    Presumably, Eve can pretend to be Bob (to Alice) and simultaneously pretend to be Alice (to Bob). And presumably, besides the quantum particles, Even can also intercept (and replace) the order of measurements taken; i.e. up/down or left/right.

    So while Eve is getting info from Alice, she is generating info for Bob, in the same way Alice is generating it. Bob is not receiving anything correlated to what Eve is receiving, but that won't matter.

    After all the bits are received, Alice sends the list of bits indicating her choice of measurements (up/down or left/right). Eve gets that, and does not forward it to Bob; instead she simultaneously sends Bob the the list indicating HER (Eve's) choice of measurements.

    But Eve now knows the Alice<->Eve key, and Bob knows the Eve<->Bob key. Eve can receive Alice's information, decrypt it, alter it, and re-encrypt it with the Eve<->Bob key and send it to Bob.

    Eve is "spoofing" in two directions, pretending to be Bob for Alice, pretending to be Alice for Bob.

    Is it fair to presume that *all* channels of communications between Alice and Bob can be compromised by Eve?

    The only exception I can see to this is if the open-channel communication from Alice to Bob (of measurement type) is broadcast in a way that Eve cannot interfere with Bob's reception of it; on TV or in the Wall Street Journal or something. But then that is subject to basic spycraft, replacing the WSJ that Bob receives, or hacking his TV or radio so a substitute broadcast is received.

    And in any case, not many keys can be transmitted by such public means.

    Why can't Eve still mount a middle man attack?

    ReplyDelete
    Replies
    1. QKD assumes that Alice and Bob trust each other and have an authenticated classical channel, meaning they know who they are talking to. How to do that is a valid question to raise, and some people prefer to call QKD a "key growing scheme", because if for example you have some initial shared randomness between Alice and Bob that can be used for authentication, then they can use QKD to grow that key.

      Delete
    2. fulis: Then I fail to see the utility of it; the hype was that quantum cryptography was supposed to REPLACE "authenticated classical channels" because those might be crackable as quantum computing capability advances; because the quantum nature prohibited eavesdropping by the laws of quantum physics. But as I outlined, if the quantum channel is subject to a middle-man attack, it is no more secure than any other classical scheme.

      And we certainly don't need any key generation technology! A classical codebook scheme does not depend on any authenticated classical channel and is immune to a middle man attack or eavesdropping: It is cheap and easy to generate and store a billion of one-time-use random bit keys that, by physical hand-off, ONLY Alice and Bob have and own.

      Here's your thumb drive with a billion quantum-generated random keys, Bob, it cost $12.

      That's not subject to eavesdropping, either. And it is also not subject to a middle man attack.

      Delete

COMMENTS ON THIS BLOG ARE PERMANENTLY CLOSED. You can join the discussion on Patreon.

Note: Only a member of this blog may post a comment.