TOPICS > Science > Science Wednesday

The race for the unbreakable password is almost over

BY   August 27, 2015 at 3:30 PM EDT
The quantum key distribution hardware, which serves as the basis for their QkarD system, engineered at Los Alamos. Photo by Los Alamos National Laboratory

This quantum key/password distribution hardware, called QkarD and engineered at Los Alamos National Laboratory, is theoretically unhackable by outsiders. Photo by Los Alamos National Laboratory

What Ashley Madison needed was quantum cryptography.

The same could be said for the U.S. Office of Professional Management, Home Depot and Anthem Health Insurance, and any number of hacker targets in recent years…even PBS.

Quantum cryptography is the use of physics, specifically quantum mechanics, to build secret codes. It is so secure, so difficult to intercept, some call it unhackable. Banking, medical, business and government records around the world could be made secure from outside intruders.

As the name suggests, the idea is based on quantum mechanics — a branch of physics that explains the peculiar behavior of atomic and subatomic particles. Theoretical physicist Richard Feynman once said, “It is safe to say that nobody understands quantum mechanics.” We’re going to take a stab in this article at explaining it. But before we dive into its murky principles, let’s tackle why quantum cryptography is needed in the first place.

Even though encryption has existed since the age of Caesar, it’s only in the last five to 10 years that the topic has moved from being small-scale — an attack on a home computer or a single company — to multi-level attacks that can impact millions of people at a time, said Richard Moulds, a data security, cryptography expert and vice president at Whitewood Encryption Systems. Think eBay, JP Morgan Chase or the federal Office of Personnel Management. The stakes have always been high: Codebreakers led to the execution of Mary Queen of Scots in 1587 and helped defeat the Axis powers in World War II. But modern data breaches implicate the personal information — home addresses, phone numbers, credit cards — of whole swaths of society, and the cost of dealing with these hacks are huge.

Data breaches cost U.S. companies $6.5 million on average in 2014, according to The Ponemon Institute. If your company lost over 500,000 records, this number jumped to $11.9 million.

Naturally, these costs get passed onto the consumer, and since 2005, the annual cost per capita for data breaches has risen from $138 to $217. That means you are losing 200 bucks each year due to data breaches. (For a cool visual of the world’s biggest hacks in recent years, check out Information is Beautiful.)

Annual number of data breaches and exposed records in the United States from 2005 to 2014 (in millions). Graph by Statista. Data source: Identity Theft Resource Center

Annual number of data breaches and exposed records in the United States from 2005 to 2014 (in millions). Graph by Statista. Data source: Identity Theft Resource Center

Hacking With Light

Hackers or codebreakers have become increasingly adept at breaking the modern security that safeguards digital information. That’s because at the end of day, most types of computer encryption and passwords are based on a random number, and hackers are getting better at guessing or stealing those numbers.

Take, for example, RSA encryption, which is the foundation for most Internet security today. RSA uses math to conceal data with two randomly selected prime numbers.

“Getting a [traditional] computer program to generate a random number is almost an oxymoron because computer programs do the same thing over and over and over again. They do what they’re programmed to do, and they don’t do things randomly,” Moulds said. “As the bad guys’ computers get better, faster and stronger, then in principle, those random numbers get easier to guess.”

Such was the case of last year’s hack of Sony Pictures. Infiltrators used an advanced computer program with enough brute force to guess the company’s passwords. Once inside, the hackers alleged to have collected sensitive data for nearly a year, before they started wiping many of the computers and tried to publicly damage the company’s reputation.

But if the Sony hack seemed bad, it pales in comparison with what could have happened, had the bad guys used a quantum computer.

The pursuit to build the first quantum computer mirrors the Cold War-era space race or the WWII-era hunt for a nuclear weapon. Such a computer would use the quantum physics of photons — light particles — to outmatch any traditional computer or digital security system that has ever been created.


Unlike classic computers that use electricity to represent information in binary bits (1s and 0s), quantum computers use photons to represent information as 1s, 0s or both values simultaneously. That’s because at the quantum level, photons can exist in more than one state at once. (Remember, quantum mechanics doesn’t make sense). As such, a quantum computer can make more than one calculation at once, significantly cutting the time it takes to process information. For instance, a quantum computer could guess the random numbers that reinforce most passwords and data encryption in a matter of minutes.

Last week, the National Security Agency issued a bulletin that warned companies to prepare for the emergence of a quantum computers.

“Our ultimate goal is to provide cost effective security against a potential quantum computer,” the statement reads.

The advisory, wrote Dan Goodin wrote for Ars Technica, signals the growing recognition that quantum computing “could soon represent a practical threat on U.S. national security. Until now, the lack of consensus about how long it will take for scientists to build a working quantum computer has kept the NSA from making such concrete recommendations.”

As Goodin points out, it could take 10 to 50 years before a quantum computer is ready to replace our PCs, but the components for such a device exist. On August 14, physicists at Bristol University in the UK announced that they had engineered a 4-inch by 1.5 inch optical chip that can serve as a quantum central processing unit (CPU).

“It can implement all the basic gates [or circuits] required for quantum computing,” said University of Bristol physicist Anthony Laing, who led the project. His group teamed with Nippon Telegraph and Telephone (NTT), a major telecommunications company, and their invention was reported in the journal Science.

Silicon oxide based quantum optics lab-on-a-chip. Photo by University of Bristol

Silicon oxide based quantum optics lab-on-a-chip. Photo by University of Bristol

Bristol University’s optical chip tests quantum theories with unprecedented speed. Quantum experiments that would otherwise months to a year can be completed in just minutes, even seconds, with this chip. It would allow Laing and other physicists to can push the limits of computer science. Consider the Church-Turing thesis, which is named after American mathematician Alonzo Church and the British mathematician and Engima machine codebreaker Alan Turing.

“Church-Turing thesis is a foundational idea in computer science that every realistic, physical system should be efficiently simulated by a classical computer,” Laing said, but since quantum computers don’t operate by classical laws, they’re immediately in conflict with the idea. Some strong supporters don’t believe that quantum computers could ever exist, because they’re forbidden by this thesis.

Dr. Anthony Laing with his students Chris Sparrow, Jacques Carolan, and Chris Harrold (left to right) stand behind the universal linear optical processor, with its electronics, photon source and photon detection system. Photo by University of Bristol

Dr. Anthony Laing with his students Chris Sparrow, Jacques Carolan, and Chris Harrold (left to right) stand behind the universal linear optical processor, with its electronics, photon source and photon detection system. Photo by University of Bristol

“So MIT computer scientist Scott Aranson had a neat idea. He said instead of building the final package [quantum computer], let’s just build a quantum device that can specifically overthrow the Church-Turing thesis,” Laing said. The result was a phenomenon called called boson sampling.

“We were able to implement 100 boson experiments back-to-back in rapid fire with three and four photons,” Laing said. That’s not at the scale where they could challenge the Church-Turing thesis, but by using more photons and building a larger version of the device, which would be relatively easy to do, they could disprove the Church-Turing thesis, and in essence, could shake what we know about the traditional computer.

The Antidote: An unbreakable quantum password

Quantum computers are knocking on humanity’s door. Google wants one. IBM wants one. The NSA wants one. The devices could solve complex math problems, create new drugs or speed up your Google searches, but when used nefariously, they could tap your encrypted messages. In fact, computer scientist Lov Grover and MIT mathematician Peter Shor conceived the “quantum software” for the job around 20 years ago.

So what can everyone else do to protect their digital messages and data from the potential of quantum hackers?

Simple. “You send the messages in a quantum state,” said Boston University quantum physicist Alexander Sergienko.

Quantum cryptography uses photons to send secret messages between two people. Think of it as a tin-can telephone, wherein a nylon string transmits two people’s voices via tin cans. With quantum cryptography, the string is replaced by a stream of photons — the basic unit of rays of light. So rather than sending email as electronic bits (1s and 0s), the two people send quantum messages using photons with two different physical states.

Due to the foundations of quantum — namely the Heisenberg Uncertainty Principle — it’s impossible to copy or intercept these photons without altering them and alerting the message recipient. To return to the tin-can telephone analogy, it’s impossible for an eavesdropper to intercept a quantum message without cutting the string.

“It would be the niche of absolutely secure communication. It means no one could break it. It’ll stay secure for 10, 20, 30 years down the road, unlike many conventional encryption technologies,” Sergienko said. As long as the equipment isn’t flawed, that is.

In 2003 and 2004, Sergienko teamed with scientists at Harvard University and BBN Technologies to build a three-node, 18-mile network for sending quantum encrypted messages along fiber optic cables in Boston. Since then, groups in Europe and Japan have demoed citywide networks. China plans to build a 1,200-mile quantum connection between Beijing and Shanghai, while the Ohio-based research and development company is constructing a quantum network that stretches from Boston to Georgia to California.

However, distance is a major impediment to quantum messages, as photons tend to be absorbed or disturbed the further that they travel through a fiber optic cable.

“Several papers show an upper limits of 124 to 186 miles. Also, the longer that you go, the lower the rate. The question is how useful is sending data 186 miles at one bit per second, when everything in modern telecommunications goes at megabits and gigabits per second?” said Sergienko.

This bandwidth issue could take years to fix. Scientists at Los Alamos National Laboratory in New Mexico are not only working on ways around it, but on how to reinforce our current data security with quantum mechanics. Last autumn, Los Alamos struck the biggest deal in its history with Richard Moulds’ parent company Allied Minds to commercialize these products.

Earlier this month, it unveiled a quantum-based generator that creates random numbers — the same random numbers that fuel passwords and other current forms of digital security. The quantum number generator — dubbed The Entropy Engine — looks like a regular computer board that you would slide into a server. Unlike passwords made by conventional computers, these quantum passcodes (or keys) would be difficult to guess by brute force, thus, impeding brute force attacks like the Sony Picture hack.

“Eventually, random number generators like the Entropy Engine would be placed in data centers to continuously generate passwords and data encryption. Most people would be consuming it as a security service from their email, Internet or cloud provider, rather than buying hardware. The cost might run between $5,000 and $10,000,” Moulds said.

Quantum random number generator churns out encrypted passcodes/keys so fast that it could make life harder for hackers like the ones that struck Ashley Madison or Home Depot, where an insider possibly revealed the passwords or weakened security systems so hackers could access an internal network.

“Our quantum random number generator generates entropy so rapidly that one could create new cryptographic keys very rapidly and not need to reuse keys,” said Los Alamos physicist and leader of the quantum communications team Raymond Newell. “As an analogy, if you only have one key, you’ll need to build all your locks to match it, and anyone who steals your key can open all your locks. But if you have many many keys, you can build a different lock for each [door], and anyone who steals a key can open only one lock.”

Moulds points out that another issue with the Ashley Madison hack “was that they only bothered to encrypt some of their data.”

“The attacker wasn’t interested in accessing accounts, he or she was focused on attacking and discrediting Ashley Madison as an organization. Therefore being able to steal large quantities of non-encrypted personal information was exactly what the attacker was looking for – details about sexual preferences is much more sensational than passwords,” Moulds said. “What this shows, is that for organizations that acknowledge that they might suffer a data breach (which really should be everyone) then they should encrypt all data that might be interesting to anyone. To encrypt only a subset of your data is like locking the front door but leaving the windows open.”

The next stage is beefing up security that involves moving quantum keys, which would involve a quantum network. Los Alamos ran its secure communications on a secret quantum Internet for two years and has since put that technology into a package called QkarD.

“The first targeted market would be not directly to consumers, but rather for the type of Internet corporations that are securing their internal communications,” Newell said. “Our team and others around the world are working on those distance challenges, but it will be two to five years before QkarD reaches consumers.”

Newell’s team is working to circumvent the problem and send faster quantum messages via the air like satellite signals. Chinese scientists are also developing a quantum satellite, slated to launch in 2016.

“If you think about the progression from where we are today and how we can make sure that our security in 20 years is able to withstand quantum computing effects. We’ve got to migrate our cryptosystems over the next two decades to much stronger systems,” Moulds said