Developing unbreakable cryptography is a long-standing question and a global challenge in the internet era. Photonic technologies are at the frontline of research, aiming to provide the ultimate system, one capable of ending the cybercrime industry by changing the way information is treated and protected now and in the long run. This perspective discusses some of the current challenges, as well as the opportunities that classical and quantum systems open, in the field of cryptography as both a science and an engineering discipline.
In the days of the Roman empire, Julius Caesar used a type of substitution cipher, encoding secret messages by shifting each character three places down the alphabet, one of the first historical records of cryptography being used to protect classified information.1 Today, with an information society that transmits one billion Tbytes every year, securing the privacy of confidential data is a global challenge.2,3
Currently, the security of most cryptosystems does not rest on an unconditional proof but on mathematical conjectures or plausibility arguments. The main idea centers on security margins: if a code is broken with n resources, the code is modified, e.g., by doubling the length of its key, so that the required resources increase exponentially. This model is vulnerable to technological development and does not protect users from the past: an attacker can store the information sent out today and wait for the right technology to crack the message tomorrow. History shows that this systematically happens on shorter timescales than could possibly be predicted.
The most famous example is perhaps the breaking of the Enigma machine, an encryption typewriter used during the Second World War to transmit top-secret military information. Because of the large number of combinations underlying the encrypted code, the Enigma was considered unbreakable.
Nevertheless, this security conjecture crumbled with the work of Alan Turing and his colleagues, who cracked the Enigma by engineering one of the first purpose-built computing machines, which was secretly used until the end of the war.4 In this example, the security was broken and not publicly disclosed, allowing one party to read the private information of the other completely unnoticed. Another case is the US federal Data Encryption Standard (DES), which was considered secure because a machine fast enough to break it was prohibitively expensive.5 This plausibility argument did not predict the subsequent price revolution in integrated electronics, which, after just twenty years, allowed cracking the code.6 The Advanced Encryption Standard (AES), which superseded DES, was introduced in 2002. Within only seven years, a realistic attack was found that suggested a complete revision of its security margins,7 while several attacks on its practical implementations have been publicly disclosed.8–10 The Rivest–Shamir–Adleman (RSA) cryptosystem, introduced in 1977, was considered unbreakable and is currently in use for encrypting emails, internet traffic, and digital transactions. The RSA security conjecture was broken in less than 20 years by Peter Shor, who developed a quantum-computing-based strategy that can also crack many other cryptosystems in use today, shifting current discussions toward post-quantum cryptography scenarios.11,12
These few examples demonstrate that the security conjectures of today prove unreliable tomorrow and require continuous revisions of standards that, if not addressed in time, expose the privacy of our present and past communications. To solve this problem permanently, cryptologists developed a third model of security, known as perfect secrecy. Perfect secrecy was defined by Claude Shannon as13
“…a system that after a cryptogram is intercepted by the enemy the a posteriori probabilities of this cryptogram representing various messages be identically the same as the a priori probabilities of the same messages before the interception.”
In this system, an attacker can do no better than guessing the message without having seen the cryptogram, and the secrecy of the information being communicated is unconditionally “perfect.”
It might be surprising to learn that a perfect-secrecy cryptosystem has existed for a century but has not yet been widely adopted in practice. It is known as the Vernam cipher or the one-time pad (OTP),14 and it rests on four conditions: (i) the users share an identical random key that is as long as the message, (ii) the key is kept secret, (iii) the key is never reused, and (iv) each key is uncorrelated with the others. Shannon rigorously demonstrated that a cryptosystem satisfying (i)–(iv) can never be beaten.
Given the OTP, the crux that has limited the adoption of the scheme is the key distribution step implied by conditions (i) and (ii). The problem is the following: if two users have at their disposal a secure channel to transmit a one-time key that is as long as the message, they would rather use that channel to send the message and not the key. In this security model, the question has therefore shifted from transmitting secure texts to distributing secure keys among different users.
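As an added illustration (not code from the original perspective or from Ref. 53), the following Python models the Vernam cipher and shows why conditions (i), (iii) and (iv) are needed: any intercepted cryptogram is consistent with every equally long plaintext under some key, and reusing a pad lets the pad cancel out. The sample messages are constructed, and os.urandom stands in for a physical randomness source.

```python
import os

def otp_encrypt(message: bytes, key: bytes) -> bytes:
    """Vernam cipher: XOR each message byte with the matching key byte.
    Condition (i): the key must be at least as long as the message."""
    if len(key) < len(message):
        raise ValueError("OTP key must be at least as long as the message")
    return bytes(m ^ k for m, k in zip(message, key))

# Decryption is the same XOR with the same key.
otp_decrypt = otp_encrypt

def fresh_key(length: int) -> bytes:
    """Condition (iv): an independent, uniformly random key for each message
    (os.urandom stands in for a physical randomness source)."""
    return os.urandom(length)

def key_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """Shannon's perfect secrecy in one line: for ANY candidate plaintext of
    the same length there is exactly one key that maps the intercepted
    cryptogram onto it, so the cryptogram cannot change the a posteriori
    probability of any message relative to its a priori probability."""
    if len(candidate) != len(ciphertext):
        raise ValueError("candidate must have the same length as the ciphertext")
    return bytes(c ^ p for c, p in zip(ciphertext, candidate))

def reuse_leaks_xor(m1: bytes, m2: bytes, key: bytes) -> bool:
    """Why condition (iii) matters: if one pad covers two messages, the pad
    cancels in c1 XOR c2 and the relation m1 XOR m2 between the plaintexts
    becomes visible to anyone holding both cryptograms."""
    c1, c2 = otp_encrypt(m1, key), otp_encrypt(m2, key)
    xor_ct = bytes(a ^ b for a, b in zip(c1, c2))
    xor_pt = bytes(a ^ b for a, b in zip(m1, m2))
    return xor_ct == xor_pt

def demo() -> dict:
    """Constructed sample messages; returns the three properties as booleans."""
    msg, decoy = b"ship sails at 9", b"hold until dawn"   # both 15 bytes
    key = fresh_key(len(msg))
    ct = otp_encrypt(msg, key)
    other_key = key_explaining(ct, decoy)   # an equally valid key for the decoy
    return {
        "round_trip": otp_decrypt(ct, key) == msg,
        "decoy_key_decrypts": otp_decrypt(ct, other_key) == decoy,
        "reuse_leaks": reuse_leaks_xor(msg, decoy, key),
    }
```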
As often happens in science, the solution to an apparently intractable problem in one field is obtained by borrowing concepts from other scientific areas. In this case, a path toward implementing key distribution through the physics of quantum light was suggested by Bennett and Brassard in the BB84 quantum key distribution (QKD) protocol.15
In the scheme [Fig. 1(a)], one user (Alice) generates bit sequences from single photons randomly polarized along one of four angular directions and sends the sequence to the second user (Bob). After the exchange, Alice and Bob compare their measurements over a public classical channel, extracting a key from the sequence of correlated states [Fig. 1(b)]. While the random nature of the data exchanged with BB84 does not make it possible to directly communicate a message, it allows the key distribution needed to implement the OTP.
The security of the BB84 scheme leverages the projection postulate of quantum mechanics: any measurement performed on the traveling photons will statistically change the photon polarization, introducing uncorrelated states between Alice and Bob, which can be identified and discarded, leaving the attacker with zero information.
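The sifting and error-estimation logic described above, as an added simulation that is not part of the original perspective: photons are modelled as (bit, basis) pairs, a measurement in the wrong basis yields a random bit, and the quantum bit error rate (QBER) after sifting jumps from 0 to about 1/4 when a third party measures and re-sends every photon. The function and parameter names are this example's own.

```python
import random

# Bases: 0 = rectilinear (H/V), 1 = diagonal (+45/-45). A photon is modelled as
# (bit, preparation_basis). Measuring in the preparation basis returns the bit;
# measuring in the other basis returns a uniformly random bit (projection
# postulate), and a re-sent photon carries the measured bit and basis.

def measure(photon, basis, rng):
    bit, prep_basis = photon
    return bit if basis == prep_basis else rng.randint(0, 1)

def intercept_resend(photons, rng):
    """A third party measuring every photon in a random basis and re-sending
    the collapsed state. Half of the basis guesses are wrong, which is what
    the error estimate in bb84() exposes."""
    out = []
    for p in photons:
        b = rng.randint(0, 1)
        out.append((measure(p, b, rng), b))
    return out

def bb84(n, eavesdrop=False, seed=1):
    """Returns (alice_key, bob_key, qber) after basis sifting."""
    rng = random.Random(seed)
    a_bits = [rng.randint(0, 1) for _ in range(n)]
    a_bases = [rng.randint(0, 1) for _ in range(n)]
    photons = list(zip(a_bits, a_bases))                  # Alice's states
    if eavesdrop:
        photons = intercept_resend(photons, rng)
    b_bases = [rng.randint(0, 1) for _ in range(n)]
    b_bits = [measure(p, b, rng) for p, b in zip(photons, b_bases)]
    # Public discussion: only the bases are announced; positions where the
    # bases differ are uncorrelated and are discarded (sifting).
    keep = [i for i in range(n) if a_bases[i] == b_bases[i]]
    a_key = [a_bits[i] for i in keep]
    b_key = [b_bits[i] for i in keep]
    # In practice a disclosed sample of the sifted bits is compared; here the
    # whole sifted key is compared to show the ideal values (0 vs 1/4).
    errors = sum(x != y for x, y in zip(a_key, b_key))
    qber = errors / len(a_key) if a_key else 0.0
    return a_key, b_key, qber

if __name__ == "__main__":
    _, _, clean = bb84(4000)
    _, _, tapped = bb84(4000, eavesdrop=True)
    print(f"QBER without interception: {clean:.3f}, with interception: {tapped:.3f}")
```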
In the last forty years, QKD has progressed enormously, ranging from a large variety of mathematical algorithms for privacy amplification,16–20 to authentication schemes21–25 and system design.26–37 However, despite significant advances, the implementation of QKD still faces challenges, notably lack of speed, high costs, and low scalability of quantum communication networks. For distances beyond 100 km, the QKD communication bit rate is currently limited to the range of 100 bit/s,38 and it requires expensive single-photon detectors operating at tens of degrees below zero.39,40 Other challenges involve implementation-related attacks, originating from the fact that the unbreakability of QKD is evaluated for ideal quantum communication channels, ideal quantum sources, and ideal detectors.41,42 Practical implementations are not ideal, opening QKD schemes to different vulnerabilities.43–47
If a method and system to incorporate QKD into a fully classical optical communication network became possible, the limitations of quantum networks would be overcome. Most of the QKD development would be retained, while the “last mile” would gain the benefits of classical optical communications. Classical optical networks currently enable data transfer rates up to terabits per second (Tbps),48 global transmission distances covering the entire planet at contained costs,2,49 and ultrafast switching technology for demultiplexing different users.50–52
In a recent work,53 the authors demonstrate that such a method and system are indeed feasible. They addressed the limitations of QKD and demonstrated solutions using the theory of chaos formulated for thermodynamically irreversible systems. There is an intimate connection between quantum mechanics and chaos, which was initially explored by Einstein.54 While a quantum system is, in general, unpredictable because any measurement forces the system to collapse into an eigenstate chosen with random probability, a classical chaotic system is equally unpredictable because no two realizations are ever identical; thus, it is mathematically impossible to anticipate the system's evolution.55
Leveraging this property, the algorithm in Ref. 53 proposes a classical version of the BB84 QKD scheme using chaotic correlated wavepackets generated from thermodynamically irreversible random media (Fig. 2). In this system, Alice and Bob employ two different chips [Fig. 2(a)] composed of a time-varying distribution of scatterers, implemented by etching holes in a silicon-on-insulator (SOI) platform. The chips are connected to two broadband light sources SA and SB, which differ for each user [Fig. 2(a)]. The source differences set the desired bit error rate (BER) for the communication. Each user can independently vary the input conditions An and Bn of the light injected into the chips at every step i of the communication. Different input conditions play the role of the different polarization states in the BB84 scheme. In the chaotic chips of Fig. 2, the number of input conditions is not limited to four and grows linearly with the size of the chips.53 To couple a broadband light pulse into the chip at ultrafast speed, it is possible to use directly addressable fiber bundles, which are commercially available and can also be manufactured directly on the chip.
At each communication step [Fig. 2(b)], Alice and Bob randomly choose a coupling waveguide and then send the spectra and over the public channel, detecting at each end the combined power density spectra and , respectively (⊕ is the operator that combines the states after propagation over the channel). If the status of the chips and that of the channel do not change during a communication step, then the system is reciprocal and . In the following communication step, Alice and Bob independently decide whether to change the coupling waveguide and/or the chip status, or to repeat the sending and acquisition procedure. The steps are repeated as many times as required. At the end of the exchange, following the same idea as BB84, Alice and Bob openly communicate which steps have been repeated and extract the respective signal by identifying a sequence of repeated spectra, which is digitized into an OTP key [Fig. 2(c)]. Once the key is generated, the two chips are changed in time by an irreversible transformation. This transformation is applied independently by each user and is not disclosed. A second irreversible transformation is applied prior to the next communication.
The above scheme implements conditions (i)–(iv) of the OTP: it allows the ultrafast transmission of a key as long as the message via classical optical communications; it generates completely uncorrelated keys in the complex scattering chips; it does not disclose the key to the attacker; and it never reuses the same key. As in the BB84 QKD protocol, the security of this scheme is dictated by the laws of physics. The second law of thermodynamics does not permit an attacker to duplicate the chips once the communication has taken place, as this would require inverting an irreversible physical transformation, and the mathematical unpredictability of chaos makes it impossible for an adversary to reconstruct the correlated states and , which can be observed only in the isolated network connecting the two users. A third party who tries to obtain the same states by measuring the data flowing in the communication line will inevitably perturb the system. This action always results in one bit of uncertainty for every bit measured, regardless of the type of attack employed or the type of instrumentation used.53
In analogy with the BB84 scheme, active manipulation of the states generates uncorrelated sequences that can be isolated and removed using the many privacy amplification and error reconciliation techniques already developed for QKD. An advantage of this scheme over BB84 is that any non-ideal component present in the experimental realization adds to the unpredictability of the system rather than introducing vulnerabilities.53
It is interesting to discuss the technological requirements of the chip with respect to experimental implementations on different platforms, communication speed, and scalability. In the scheme of Fig. 2, the OTP key length is proportional to the bandwidth of the spectrum, which, in turn, limits the maximum transmission rate B because of fiber dispersion and the associated pulse broadening. An accepted rule of thumb is , where is the pulse broadening factor, with D being the dispersion, L the length of the fiber, and the pulse bandwidth. For a single-mode fiber with dispersion and length L = 100 km, the safe transmission of pulses with a bandwidth of nm can be as fast as . This value is faster than the current best rate of QKD.
These figures give the upper bounds for the speed required of the input waveguide switch. Current integrated waveguide arrays can be dynamically tuned using thermal, mechanical, electrical, or all-optical methods, with switching speeds up to tens of fs,56 which is abundantly faster than the transmission requirements.
The state of the individual chips can be changed, e.g., by coating the surface of the chip with colloidal scatterers dispersed in a solution delivered by a microfluidic channel, allowing the material(s) to be continuously deformed by external conditions such as temperature and light.
Another important factor is the number of uncorrelated channels that can be addressed at the input of the scattering section. In Ref. 53, it is demonstrated that shifting the input beam by 200 nm is enough to create uncorrelated transmission spectra. This shows the possibility of scaling up to of different keys, with Nb being the number of bits extracted from each spectrum, for every mm of chip width and prior to every irreversible transformation.
Future work includes coupling the above-mentioned system to authentication schemes, addressing the security gaps that will grow with the evolution of society in the near future with the advent of, e.g., Smart Cities, the Internet of Things (IoT), Cloud Computing, and Big Data, and especially the tendency for biometric systems to be everywhere in society.
Developing unconditionally secure communications is an exciting journey that has been pursued for thousands of years and is not yet concluded. While there are still plenty of challenges, there are also a large number of opportunities for developing applications that could counteract a six-trillion-dollar cybercrime industry.57 If perfect secrecy is to fundamentally impact society, it will need to offer ultrafast resources at a reasonable cost for users connected everywhere. “Criminals are using every technology tool at their disposal to hack into people's accounts. If they know there's a key hidden somewhere, they won't stop until they find it.58” (Tim Cook, Apple CEO).
A.D.F. acknowledges support from EPSRC (No. EP/L017008/1).
Data sharing is not applicable to this article as no new data were created or analyzed in this study.