figure[Getty Images]

Last year, tech giant Google told the world that it had built a quantum computer able to carry out a specific task far faster than any classical device (see “Supreme or Unproven?,” OPN, March 2020). That achievement suggested that it might not be too long before machines exploiting quantum phenomena start doing useful things such as developing new drugs or designing novel materials. But it also raised a more malign prospect—that new quantum algorithms could crack the codes currently used to encrypt much of the communication on the internet.

While researchers have devised encryption algorithms that don’t rely on factorization, it wouldn’t be wise to assume that such algorithms will remain immune to quantum attacks for good.

This possibility has generated sensationalist headlines, but it’s a real concern for many scientists. Current encryption schemes largely rely on classical supercomputers’ inability to quickly work out the prime factors of very large numbers. A big enough quantum computer, though, would be able to do this. OSA Fellow Paul Kwiat, a physicist at the University of Illinois, USA, says that while researchers have devised encryption algorithms that don’t rely on factorization, it wouldn’t be wise to assume that such algorithms will remain immune to quantum attacks for good.

Ironically, perhaps, the only known way of guaranteeing such immunity is through quantum mechanics. So-called quantum key distribution (QKD) involves generating a key to encrypt and decrypt messages whose secrecy is guaranteed not by mathematical complexity but by the laws of physics. Far from an academic curiosity, QKD has led to commercial devices already being used by governments, banks and large companies to ensure the impregnability of sensitive data. Now numerous countries—China, in particular—are looking to transform the technology from a fairly niche product to one that underpins internet security as a whole.

That mission is made all the more urgent, according to Vadim Makarov of the Russian Quantum Center in Moscow, by the fact that it is not only tomorrow’s data that are under threat. He estimates that a code-breaking computer might become a reality in the next 20 years, but notes that much information produced today is expected to remain confidential for at least that length of time. Anyone siphoning off data now could therefore simply store it and then decrypt it when they get their hands on a quantum computer. “The situation we have now in cryptography is a ticking bomb,” Makarov says.

Time for lift-off

Quantum cryptographic schemes date back to a 1984 proposal by Charles Bennett and Gilles Brassard. That idea relies on the uncertainty principle to create a secret key from the random states of quantum particles sent from “Alice” to “Bob,” as the communicating parties are conventionally known. Any eavesdropper (“Eve”) who tries to tap those particles en route, measure their states and then forward them on will reveal her presence in the process—since her intervention will change the outcome of Bob’s measurements.

Scientists have made much progress in the intervening decades, having demonstrated this protocol—known as BB84—and others like it experimentally. They have also refined the equipment used to transmit and receive the messages. Alice usually now creates the key using a series of exceptionally weak laser pulses that each contain approximately one photon, which she can encode using two non-orthogonal pairs of polarization states. Indeed, such devices have been commercially available since at least 2007, when a system from the Swiss firm ID Quantique was used to encrypt election results in Geneva.

ID Quantique founder and chairman Nicolas Gisin admits that progress has been slower than expected since then; the market analyst BCC Research estimates the market for QKD products in 2019 to be a modest US$350 million. But Gisin believes that major new government investments will reinvigorate the sector, notwithstanding the current, pandemic-related economic downturn.

figureChina’s Micius satellite distributing entangled photons to two ground stations spaced more than 1000 km apart. [Jian-Wei Pan]

Leading the charge is China, which opened a 2000-km-long QKD fiber optic “backbone” connecting Beijing to Shanghai in 2017. That same year, the then-presidents of the Chinese and Austrian science academies carried out the world’s first quantum-encrypted intercontinental video call, thanks to Micius, a satellite launched by China into a low-Earth orbit in 2016. By exchanging secret keys with ground stations spaced more than 7000 km apart and then combining the keys, Micius allowed the two parties to talk securely over a classical link for over an hour. (See “Satellite-Based QKD,” OPN, February 2018).

QKD: Keeping the lights on

So-called smart grids let utilities monitor the performance of substations using sensors, and make adjustments to keep the current flowing. But Duncan Earl, president of U.S.-based QKD manufacturer Qubitekk, says a determined hacker tapping into the cable from a substation could, in principle, modify the sensor data so that the phase between voltage and current gets corrected in the wrong direction. That could damage the substation—and potentially bring down a sizeable portion of the electrical grid.

To see if QKD could guard against such an attack, Qubitekk has been taking part in a trial using substations and optical fiber belonging to utility and telecom operator EPB in Chattanooga, Tennessee, alongside researchers from the Oak Ridge and Los Alamos national labs, USA. Qubitekk’s hardware generates pairs of entangled photons to create secret keys between each substation and a local control center, and so should restrict sensor-data access to only those people physically present inside the center.

The trial will need to show that the system can compensate for the scrambling of photons’ polarization as the particles travel along many kilometers of fiber. If the trial concludes successfully by year end, Earl says the scheme might be rolled out to perhaps 100 of the most sensitive of the U.S.’s roughly 70,000 substations within the next five years.

According to OSA Fellow Jian-Wei Pan at the University of Science and Technology of China in Hefei, Micius has now distributed keys to a dozen cities in China and Europe. He says that in the future it should be joined by many other quantum satellites, in low-Earth, medium-Earth and geostationary orbits. Those will connect nodes on China’s growing terrestrial network, which is envisaged to link up large- and medium-sized cities across the country over the next five years.

In Europe too, plans are afoot. Last year, European Union countries agreed to develop a continent-wide QKD network over the next decade. Costing perhaps €1 billion, the network will use existing fiber on the ground and new satellites in space to link users such as banks, telecom operators, utilities, airports and hospitals. Many of the countries involved are also taking part in a pilot project that sees existing QKD systems being installed in different settings to gauge “customers’ real requirements,” according to project leader Hannes Hübel of the Austrian Institute of Technology in Vienna.

Elsewhere, researchers in the U.S. are evaluating how QKD could help to avoid major blackouts on the country’s electrical grid (see sidebar “QKD: Keeping the lights on”). And in South Korea, wireless operator SK Telecom is installing encryption systems from ID Quantique on some lines in the fiber optic backbone of its new 5G cellular network.

Size matters

In seeking to expand the QKD market, companies are working hard to shrink their devices as much as possible. ID Quantique, for example, has reduced the size of its hardware many times over, so that the boxes now fit in standard telecom racks. An EU-funded project called UNIQORN, meanwhile, aims to produce small, robust and affordable quantum-communication systems by packing all the necessary components onto indium phosphide (InP) photonic integrated circuits.

figureA QKD transmitter made from an InP chip designed by researchers at the Eindhoven University of Technology and fabricated by SMART Photonics, the Netherlands, for the EU UNIQORN project. [Eindhoven University of Technology]

One challenge, according to UNIQORN coordinator Hübel, is establishing whether InP can support very low noise levels so that Alice and Bob can work out whether or not errors in their key are due to Eve. Another important requirement, he says, is being able to attenuate the milliwatt output of standard telecom lasers down to the single-photon level—a reduction in power of nine orders of magnitude, but a margin of error of only a factor of two or three. “This has been done using bulk elements,” he says, “but it’s a challenge doing it on a single chip.”

Even trickier, says Hübel, is miniaturizing single-photon detectors. One option is to co-integrate silicon detectors on an InP base, although these devices aren’t suited to telecom infrared wavelengths. Alternatively, he says, single photons could be ditched for what is known as continuous-variable QKD—but this, he points out, requires even lower levels of noise and thus the development of noiseless amplifiers.

Hübel believes that he and his colleagues could have a chip-based transmitter ready in the next year or two, whereas integrated receivers might need an additional five years. Only at that point, he argues, would QKD technology be ready for the big time—with packaged systems costing perhaps a few thousand euros each, roughly 100 times less than today’s devices. “You have to go to these figures to have large roll out,” he says.

Security and cost

Industry success won’t be determined solely by price, however. Vadim Makarov at the Russian Quantum Center adds that QKD suppliers must prove to customers that their equipment is secure. Although quantum cryptography provides complete security in theory, Makarov says it’s limited by shortcomings in the devices used to implement it. In fact, a game of cat and mouse between manufacturers and professional hackers has exposed numerous loopholes in practical systems.

Makarov, who himself has spent many years hacking QKD systems, is now involved in drafting international standards to specify how such systems must be implemented in future. He says that all major loopholes have now been closed, but points out that a compromise remains between a system’s security and its cost and performance. “We can build a type of system that is more resistant to certain types of loophole but is more expensive and not as fast,” he says.

figureLeft: A quantum hacker’s suitcase (circa 2010) containing Eve’s copy of Bob’s photon detection unit and a faked-state generator, which consists of many optical components including semiconductor lasers, polarization controllers, variable attenuators and fiber couplers. Right: A researcher in the quantum hacking lab at the Russian Quantum Center in Moscow. [©2019 Vadim Makarov, RQC]

Among the roughly 25 types of attack that have been identified, some, such as the siphoning off of excess photons in a pulse, are relatively easy to combat. Others create more of a headache—including the fact that it’s possible to turn a single-photon detector into a classical device not beholden to the uncertainty principle by blinding it with bright light.

While scientists and engineers strive to make QKD hardware as secure and affordable as possible, system performance depends fundamentally on connection quality.

This latter kind of attack can be neutralized by taking the detector out of Bob’s hands, and having both Alice and Bob send photons to a third party—“Charlie”—for measurement. This measurement-device-independent (MDI) QKD does not rely on Charlie’s honesty, as he only learns whether the two photons he receives in each case match, rather than seeing their absolute values. However, it is more expensive than BB84.

Beyond the city limits

While scientists and engineers strive to make QKD hardware as secure and affordable as possible, system performance depends fundamentally on connection quality. Researchers have demonstrated quantum cryptography across metropolitan networks linking a handful of nodes, in cities such as Tokyo, Hefei and Vienna. Such networks, however, have tended to use “dark fiber.” The challenge is being able to send secret keys at high bit rates along optical fiber that is already used to communicate classical data.

Several recent demonstrations have shown how this might be done. In 2018, for example, Dirk Englund and colleagues at the Massachusetts Institute of Technology and Sandia National Laboratories, USA, used a silicon integrated circuit to distribute secret keys along a 43-km-long stretch of existing fiber in the greater Boston area. The chip’s phase stability meant they could correct for polarization drift in the fiber, allowing them to send keys at more than 150,000 bits per second (bps).

figureAn engineer at Toshiba Europe adjusts a QKD system. [Toshiba Europe Ltd.]

Following that, Andrew Shields of Toshiba Europe and colleagues last year reported key rates of over 2 million bps on roughly 10-km-long fiber links making up a three-node network in Cambridge, U.K. Here too the fiber was shared with normal internet traffic, although the keys were encoded using photons’ phase rather than polarization. High key rates are important, Shields notes, when there are lots of users, and in this case he says the network could support thousands of users each having a key rate of several hundred bps.

For QKD to really take off, however, metropolitan networks need to be linked up with one another. Attenuation of light in optical fiber has so far limited the distance that signals can travel without amplification to a few hundred kilometers; the current record of 404 km achieved a measly rate of only 1.16 bits per hour. This record could soon be broken thanks to a new protocol proposed two years ago that surprised many in the field by exceeding what seemed at the time to have been an inviolable limit (see sidebar “Charlie helps go the distance”).

That novelty aside, however, it seems unlikely that fully quantum-encrypted messages will be sent around the world using only BB84-like protocols. While attenuation in classical communication can be corrected by amplifying the signal, the inability to create identical copies of arbitrary quantum states makes it impossible to simply refresh quantum signals.

Long-range QKD networks instead rely on so-called trusted nodes, where Charlie combines keys shared separately with Alice and Bob to generate a single key that spans the entire distance separating the latter two. The Beijing to Shanghai backbone, for example, has 32 such nodes. However, the scheme relies on Alice and Bob trusting Charlie not to steal the keys.

Charlie helps go the distance

Scattering and attenuation of light—by about an order of magnitude every 50 km—dictates the rate at which quantum keys can be exchanged over a given length of optical fiber. In 2017 Stefano Pirandola at the University of York, U.K., and colleagues worked out a theoretical upper bound on this rate for point-to-point communications. But a QKD protocol published just a year later by physicists at Toshiba Europe in Cambridge, U.K., showed how this relationship might in effect be broken to obtain higher bit rates over long distances.

The new scheme, dreamt up by Toshiba group member Marco Lucamarini, is similar to MDI-QKD in having Alice and Bob send photons to Charlie. But here they utilize photons’ phase rather than polarization. Each party encodes a series of weak laser pulses with secret bit values and bases, but Charlie only has to detect a single photon each time, which allows longer-distance communication. Whereas in other protocols the log of the key bit rate drops in proportion to the loss, and hence length, of the fiber, in this “twin-field QKD” the rate instead falls as the square root of the loss.

Using a lab-based attenuation system, the Toshiba group showed last year that it could exceed Pirandola’s upper bound at long distances—achieving about 100 bps over the equivalent of some 550 km of fiber—but now needs to test the scheme in real-word conditions.

In twin-field QKD, information is encoded in the phase of optical pulses prepared by Alice and Bob using phase modulators (PM). The secret key is retrieved via Charlie’s single photon detectors (SPD) after the pulses interfere on a beam splitter (BS). [Adapted from Tittel, W. Quantum key distribution breaking limits. Nat. Photon. 13, 310–311 (2019) https://doi.org/10.1038/s41566-019-0424-4]

This also holds true for space-based links. Satellites can extend the range of QKD by exchanging secret keys with nodes at different points on the Earth’s surface as Micius did in 2017. Such a setup takes advantage of satellites’ movement along an orbit and the very limited attenuation of signals beamed through the sparse upper atmosphere. But satellites themselves are trusted nodes, which means that if they fall into the wrong hands, the figurative Charlie onboard could in principle steal the combined key he creates.

Toward a quantum internet

The ultimate solution to these problems, according to Stefano Pirandola at the University of York, U.K., is to exploit quantum entanglement. This intimate correlation between two distant particles has no classical equivalent, and means that Alice and Bob can always carry out a test to establish the integrity of their link if they each receive one half of a series of pairs from (dishonest) Charlie. Although more technically demanding than BB84 and similar protocols, this type of QKD has been demonstrated on ground and in space—Micius having distributed pairs of entangled particles to two ground stations spaced 1120 km apart.

Beyond just guaranteeing the security of individual links, entanglement could potentially be used to join many links together to create a globe-spanning, unhackable network known as the quantum internet. Enabled by devices known as quantum repeaters, this network could be used to extend completely secure QKD over arbitrarily long distances. But it would also allow any two users to “teleport” information between themselves—meaning that the content of their messages, and not just the keys used for encryption, would be quantum mechanical.

The first tiny shoots of this new technology are appearing in the Netherlands, where researchers are building a quantum network between several cities, in which the nodes themselves can act as repeaters. With the first link between Delft and The Hague set to switch on next year, this network is seen as the forerunner of a pan-European quantum internet to be built over the coming decades. In the U.S., meanwhile, scientists at the Argonne National Laboratory and the University of Chicago earlier this year took a step in that direction by entangling photons across two 26-mile loops of optical fiber running underneath the Chicago suburbs. Some researchers also have envisioned a space-based quantum internet.

Beyond just guaranteeing the security of individual links, entanglement could potentially be used to join many links together to create a globe-spanning, unhackable network.

The most advanced form of such a network would link up quantum, rather than classical, computers—potentially allowing distributed quantum computing, quantum sensing and very high-resolution telescopes at optical wavelengths. But with research on quantum repeaters still at a relatively early stage, Pirandola posits that such an all-quantum internet could still be more than 20 years away.

In the nearer term, he says, it will be QKD that ensures online security. While currently only used by a fairly select group, Pirandola believes that the technology should be rolled out across the internet for the most sensitive communications. Indeed, he argues that quantum computers are not the only potential means for cracking our current encryption schemes—number theorists, for instance, could conceivably discover a new, more efficient classical algorithm for finding prime factors.

As such, he believes there is no time to lose. “You want to have peace of mind,” Pirandola says. “You want to have a system that is in principle unbreakable.”


Edwin Cartlidge is a freelance science journalist based in Rome.

For references and resources, visit: www.osa-opn.org/link/q-encryption.