All of the recent discussion about the NSA has really brought privacy protocols to the forefront of the mind of the public. I try to avoid discussions about the ethics of eavesdropping (I was in Navy Intelligence, so I don’t have a popular take on the issue), but I am fascinated by the technology behind enabling privacy at the highest level. According to Edwin Cartlidge writing on physicsworld.com, quantum mechanics and special relativity have been used to implement a protocol that ensures that a “sealed envelope” is not opened ahead of time – according to its creators in Switzerland and Singapore.
Sealed envelope systems, whether literal or metaphorical, allow information to remain temporarily inaccessible to both author and intended recipient, and are used in processes such as secure voting. The latest experimental results could lead to improvements in certain kinds of financial transaction, say the researchers. Quantum mechanics is already exploited commercially in cryptography to carry out what is known as quantum key distribution. This involves two parties, known conventionally as Alice and Bob, sharing a secret cryptography key in the form of a string of quantum particles. Any eavesdropper trying to make measurements of the particles will reveal their presence by destroying the particles’ quantum state.
Rather than protecting against intrusive third parties, a sealed envelope – or “bit commitment” – ensures mutual trustworthiness. A bit of information (0 or 1) is deposited and neither changed by Alice, the creator, nor looked at by Bob, the receiver, prematurely. Research in the early 1990s appeared to show that quantum mechanics could be used to achieve bit commitment by ensuring that any tampering by either Alice or Bob would be revealed in the altered state of the quantum particles. But in 1997 Dominic Mayers of the Université de Montréal in Canada, as well as Hoi-Kwong Lo and Hoi Fung Chau of the Institute of Advanced Study in Princeton, US, poured cold water on the idea, showing, in fact, that even with the hypothetical envelope in Bob’s hands, Alice will always be able to make it look as if she created a “one” when she actually created a “zero”, and vice versa.
The latest work, carried out by Hugo Zbinden and colleagues at the University of Geneva together with researchers at the National University of Singapore, provides experimental demonstration of a scheme that overcomes this problem. The underlying concept was proposed last year by Adrian Kent of the University of Cambridge in the UK, and exploits special relativity as well as quantum mechanics. It splits up the roles of Alice and Bob so that each works with two distant agents spaced far apart from one another. The idea is that the speed of light imposes a minimum time for any causal influence to travel between Alice or Bob and their respective agents. This time delay removes the possibility for the kind of tampering that impairs a non-relativistic approach.
In Kent’s scheme, it is receiver Bob who initiates the information transfer. He sends a string of photons to Alice, polarizing each one as he chooses, either horizontally, vertically, or along one of two different diagonal axes. Alice then declares her choice of bit value via the type of polarizer she uses to measure the state of the photons. For the sake of argument, if she plumps for “zero” she uses a horizontal–vertical polarizer, whereas if she opts instead for “one” she uses a diagonal polarizer. The result of each photon measurement is sent at close to the speed of light to Alice’s two agents, who in turn communicate the results to Bob’s agents (positioned close by). Since no information can travel faster than light, this set-up guarantees that in the time it takes for data to travel from Alice to her agents, none of the six parties could have tampered with those data. That is the time that the metaphorical envelope remains closed.
To find out whether Alice has told him the truth about her bit choice, Bob compares Alice’s results with his polarizations for all those photons (roughly half) that he happened to polarize along one of the two axes of Alice’s polarizer. If Alice is honest, there will be a 100% match. But if instead she tries to make him believe that she chose the other bit value, there will only be about a 50% match. That is because in re-measuring the photons using the other set of polarizers, to try and hoodwink Bob, she will no longer have access to the original polarization information, having destroyed it with her first set of measurements.
However, it is still possible that Alice cheated in a different way, forwarding the photons to her agents without making a measurement. By getting her agents to make the measurement instead, she would be able to make her bit choice at a later time than she claimed. Bob, however, can check for this particular trick thanks to the fact that each of them has two agents. Being spaced so far apart, the first of Alice’s agents wouldn’t be able to communicate the result of his or her measurement to the second agent before the envelope is opened. The deceit would therefore be revealed in a disparity between the two agents’ results. The first experimental test of this scheme was actually reported earlier this year by Yang Liu of the University of Science and Technology of China in Hefei and colleagues. But by sending laser beams through free space they could not transmit data beyond the horizon, limiting the distance between the various parties to about 20 km and the commitment time to only 30 µs. They also sent a limited number of photons – only 107 in all – giving any cheats a 5% chance of success.
The Swiss–Singapore team has achieved better results by modifying Kent’s scheme slightly. They allow Alice to communicate with her agents via a fibre-optic cable, separating out the bit decision from the polarization measurements. This allows the two sets of agents to be separated by more than 9000 km, resulting in a whopping commitment time of 15 milliseconds. The probability of successful cheating using this set up, they calculate, was a tiny 1 in 18 million. Kent speculates that the scheme could be used in financial markets, allowing traders to commit to buy or sell something – be that gold or shares, for example – before declaring that commitment. “The idea is that you have an extra mechanism for controlling how information propagates,” he explains, “so damping down the arms race in which everyone is fighting to get a nanosecond ahead of everyone else.”
Kent is confident that there are no loop holes in his scheme, claiming that the team’s analyses “characterize every possible attack and show that none of them can work”. He points out that his calculations do not account for the effects of general relativity, but says those effects are likely to be very small. “Were there a portal connecting Geneva to Singapore it is possible that someone could break the scheme,” he adds, “but that is not something that I lie awake at night worrying about.” Chau, now at the University of Hong Kong, believes that the latest work will have “addressed a lot of the practical issues”, identified by himself and others, needed to turn quantum cryptography into a real-world technology. But he argues that the new experiments still leave “room to improve and develop”, adding that detection using non-identical detectors remains an outstanding problem.
The research is reported in Physical Review Letters.