For the conception of the first key agreement protocol whose security is derived from the validity of quantum physics
Writing is a very powerful means of communication for spreading information, for covering large distances, and for preserving knowledge over time. When writing was invented, creating a network of possible readers must have been the primary challenge. As literacy increased, the need to conceal some information from unintended reading developed.
Julius Cesar protected orders to his troops by permuting the letters of the alphabet in his messages. He specifically shifted the letters by three positions to the left, i.e., he substituted E by A, F by B and so on. This cipher had no explicit key. Its transformation became known over time and lost its protective power. Thus, more complex substitutions were developed. The Arab scientist Al Kindi applied statistical analysis to break such ciphers in the 9th century already. Letter-by-letter substitutions were not secure anymore. More complex transformations were needed, and they had to be controlled by keys from a space large enough to prevent exhaustive search. These keys had to be agreed beforehand, which was not very practical in the digital age.
Public key cryptography opened a new approach with everyone being able to encrypt a message using a recipient’s public key. Only the recipient, who knows the associated secret key, would be able to decrypt it. So, there would be two keys one for encryption, which is public, and one for decryption, which is kept secret by its owner. The public key cryptosystems most widely used today are RSA, Diffie-Hellman, and elliptic curves. Koblitz and Miller received the Eduard Rhein Technology Award 2020 for conceiving elliptic curve public key cryptography. In the immediate these schemes enable our digital society. They rely on the expected complexity of inverting the encryption function without knowledge of the secret key. In the long term these schemes are threatened by future capabilities of quantum computers. New post-quantum schemes are thus being developed. They depend on the difficulty of inverting certain functions both on classical and on quantum computers. Currently, there is no theoretical basis to derive bounds on the associated complexity and thus security of the schemes.
The conception of the first quantum key distribution (QKD) protocol by Bennett and Brassard – this year’s recipients of the Eduard Rhein Technology Award – stands out in this respect. Their scheme is secure due to specific properties of quantum mechanics rather than due to an expected computational complexity. Quantum mechanics is one of the best-established physical theory. If it holds and if the scheme was implemented correctly, QKD is provably secure. This is qualitative difference – there is no classical equivalence.
Let us develop this somewhat: in classical physics every observable quantity can take any value, independently of any other observables. Furthermore, a sufficiently careful measurement was believed not to change the value of the observable. In quantum physics, this is no more the case. Observables often take discrete values and typically impact the state itself. The measurement of a photon’s polarization may be horizontal or vertical. This can be represented by states, i.e., vectors in a two-dimensional plane – the Hilbert space. In that plane, the vector associated with the horizontal polarization points in the x-direction and the vector associated with the vertical polarization points in the y-direction. Every single photon can be in either of the states as well as in a superposition of the two states, with its state vector pointing anywhere in that plane. A measurement of the horizontal/vertical polarization for such a single photon state provides the result “horizontal” or “vertical”. The information about the superposition itself is lost. An eavesdropper can thus not reconstruct the state itself. The rigorous “no cloning theorem” prevents the generation of copies of any state in general. This is the basis for QKD, typically described with Alice preparing single-photon states that are transmitted to Bob, who analyses them. Both use two arrangements of their apparatuses: the horizontal/vertical arrangement described already as well as an arrangement rotated by 45 degrees (in counter-clock direction). The projections of the states produced by the latter systems on those produced by the former system have equal lengths. If Alice prepares her state in the original system, with the horizontal state representing a 0 and the vertical state representing a 1 and if Bob measures using the rotated system, he will obtain a result that does not depend on the values transmitted by Alice. If he used the same orientation, he obtains identical values.
The protocol is as follows: Alice and Bob randomly choose their basis, i.e. the orientation of their apparatus (non-rotated or rotated) and perform a sequence of prepare and measure steps. In a subsequent classical and public discussion, they identify the instances in which they used the same setting and for which Bob received a photon. As long as Alice does not transmit multiple copies of her photons, the disturbances introduced by Eve will disclose her presence. This ensures that Alice and Bob share a key string that provably no-one else can know. Alice and Bob must, however, prove to each other who they are. Charles Bennett and Gilles Brassard used the provably secure Wegman-Carter authentication for that purpose. Their protocol – called BB84 – in the meantime has opened the completely new possibility of exchanging keys in a provably secure manner.
Frank Miller in 1882 and Gilbert Vernam in 1917 had proposed to XOR the message bits with the key bits. Joseph Oswald Mauborgne proved that this scheme was secure if every key bit was randomly selected, which is the case for those obtained from BB84. In terms of secrecy this is a perfect system. Since the key rate of QKD is much lower than typical transmission rates, one would prefer to use the keys in a different encryption system, which also protects against message substitution.
In applications BB-84 and most other QKD-protocol implementations use optical transmission, due to the capability of reliably detecting single photons in the optical domain. The state of these photons is not much perturbed in optical fibers as long as there are no amplifiers or repeaters. Bennett and Brassard incidentally performed a demonstration of principles over a distance of 30 centimeters. Today, fibers are used in selected applications for governments, banks as well as in data centers. The distances involved are typically rather short. Attenuation limits the distances to a few 100 km. Some key rates have been shown up to 1000 km with an intermediate receiver. In general, maintaining security over larger distances requires genuine quantum repeaters. They create a chain of quantum entanglements, which permits the teleportation of photonic states from Alice to Bob with a similar observability of eavesdropping as with single hop systems. Building quantum repeaters is difficult in practice and still subject to further research.
Low Earth Orbiting (LEO) satellites provide an alternative to fiber optical links. Free-space propagation is associated with a much lower attenuation and enables QKD with reasonable apertures on the satellites and on the ground. China demonstrated QKD over satellites with its Micius mission launched in 2016. Several other missions are in preparation, also in Europe. The most prominent one is Eagle-1, which aims at substantial key rates using a LEO satellite. Other missions consider satellites down to the size of CubeSats, e.g., the German QUBE2 project. A network of such satellites could provide a key distribution service between distant nodes. Efficiency considerations typically make the satellite a trusted node. This is seen as acceptable for dedicated satellites in trusted hands, since they can be very well protected against cyber-attacks. Besides satellite payload developments, several projects aim at extending terrestrial links by developing quantum repeaters.
Achieving security in networked QKD systems is another important task. It is addressed by all interested parties. China runs a network of QKD-secured systems with metropolitan networks in Beijing, Shanghai as well as Jinan and Hefei, which are all connected. The network spans a distance of 2000 km. Two satellite links allow for the integration of terminals separated by as much as 7600 km. The EuroQCI-Initiative also comprises a terrestrial network and a space segment (SAGA). Furthermore, a number of regional QKD network initiatives in Europe are in various states of planning and initial operations. Initiatives focused on technologies and their application, like OPENQKD at European Level and QuNET in Germany additionally promote the development and industrialization of QKD technologies, as well as their adoption by governments, infrastructures and in the financial, industrial and medical sector.
In view of the dependency of modern society on information technology in governmental, infrastructural, medical, industrial and many other application areas, the capability of establish provably secure keys is vital to our society. This was our motivation to award the Eduard Rhein Technology Award 2023 to Dr. Charles Bennett and Prof. Giles Brassard.
Dr. Bennett studied in Harvard. He is an IBM fellow at the IBM Research. Besides his seminal work on quantum cryptography, he is a co-inventor of quantum-teleportation and significantly contributed to the use of entanglement in information theory. He has co-founded and significantly shaped quantum information theory.
Charles Bennett is a Fellow of the National Academy of Sciences and of the American Physical Society. In 2022, he became a member of the Royal Society. He is the recipient of the Harvey-Prize (Technion, 2008), of the Dirac-Medal (International Center for Theoretical Physics, 2017), of the Wolf-Prize in Physics (Israel, 2018), of the “BBVA Foundation Frontiers of Knowledge Award in Basic Science” (Banco Bilbao Viscaya Argentaria, 2019), of the Micius Quantum Prize in 2019, and of the Claude E. Shannon Award (IEEE, 2020). In parallel to the Eduard Rhein Technology Award in 2023, he will also receive the prestigious “Breakthrough Prize in Fundamental Physics.”
Dr. Giles Brassard studied computer science at Cornell University. He is a full Professor at the University of Montreal since 1988 and a Canada Research Chair since 2001. He is a fellow of the Royal Society of Canada and of the Royal Society in London. He won the Prix Marie–Victorin and was elected Fellow of the “International Association of Cryptographic Research”. He also became an officer of the order of Canada. Since Giles Brassard and Charles Bennett worked closely together, they share the merits of shaping quantum information theory and also share some of the awards, including in particular the Wolf Prize in Physics (2018), the “BBVA Foundation Frontiers of Knowledge Award in Basic Science” and the Micius Quantum Prize as well as the “Breakthrough Prize in Fundamental Physics” and the Eduard Rhein Technology Award in 2023.
Prof. Dr.-Ing. Christoph Günther