The July 2022 issue of IEEE Spectrum is here!

Close bar

Quantum Randomness Now Boosts Everyday Security

Encryption needs random numbers, and the subatomic realm has plenty to spare

4 min read
Floating binary data numbers with red lasers
Yuichiro Chino/Getty Images

Randomness is typically seen as a problem, interfering with our ability to make sense of the world and complicating our attempts to predict the future. But that very unpredictability also makes it a crucial ingredient in the encryption that protects billions of dollars worth of private data. Random numbers are used to make cryptographic keys, and any latent pattern in the key can be used to crack encryption. True randomness is harder to come by than you might think though, which is why people are increasingly turning to the strange world of quantum mechanics to find it.

Chinese tech giant Alibaba recently published research on a quantum random number generator (QRNG) platform that it has been using to enhance the security of its cloud as well as financial services like Alipay and Ant Financial. And in April, Samsung released the Galaxy Quantum 2 - the second generation of its new line of smartphones secured using a specialized QRNG chip.

Others may soon follow in their footsteps, says Axel Foery, an executive at Swiss company ID Quantique, which supplies QRNG chips used by both Alibaba and Samsung. He says they are in discussions with a number of major cloud-providers and leading smartphone makers and he thinks the use of quantum randomness could soon be standard practice. That's because ever more powerful computers and new techniques like machine learning and quantum computing are making traditional sources of randomness increasingly easy to hack, he says.

"It's still some effort, but it's less effort than it was in the past," he adds. "And if you understand the randomness and you can predict it then you have no randomness. And then you can manipulate all the functions that rely on this randomness."

It's possible for computer to generate random numbers by harnessing environmental processes such as thermal noise in a computer chip or a user's mouse movements. But this can be too slow for many applications, and there are typically biases in the way these phenomena are measured that reduce their randomness.

As a result, most encryption today relies on pseudo-random number generators, which use algorithms to produce numbers with statistical properties close to random. But any "random" number generated by a mathematical process is inherently deterministic, says Foery, and if you can crack how it works you can predict any security key it produces.

Quantum processes on the other hand are inherently probabilistic. Even with perfect information its impossible to predict their outcome exactly. One of the most popular way of harnessing this quantum randomness is to fire light at a beam splitter. The chances of an individual photon going one way or the other are 50-50, so by counting the number of photons that land either side you can generate a string of random binary bits.

This approach has the benefit of being able to generate random numbers much faster than alternatives, says Foery and is the technique used by ID Quantique. And while such devices used to be bulky and expensive, rapid improvements in the ability to integrate optical components with silicon means their latest chips are just 2.5 millimeters across. Prices have also dropped significantly and Foery estimates their chip only represents a few percent of the overall production cost of the Galaxy Quantum 2.

Whether your average smartphone user needs the extra security provided by a QRNG is debatable. But Juan Carlos García Escartín, an associate professor at the Universidad de Valladolid in Spain who studies quantum information, says the fact they are now making it into consumer products is a promising sign the technology is breaking out of niche applications. "I wouldn't have expected a few years ago that something you can buy in a store will have a QRNG inside," he said.

The platform outlined by Alibaba in their recent Nature paper is even more intriguing though, he says. The system combines three commercial QRNGs, including one from ID Quantique, with a QRNG made by the company's own researchers. The system has been used to deliver random numbers to a variety of applications running on the company's cloud for more than a year. Alibaba declined an interview request.

The paper's authors describe how combining output from the QRNGs in different ways lets them tune the level of security provided and the speed with which numbers can be generated, which is important for a cloud server that has to generate large numbers of security keys.

"Their servers will be connecting to millions of users," says García Escartín. "These quantum devices can be very fast and that's something that, if you are on a daily basis working with huge amounts of randomness, would be very interesting." However, sending random numbers from a central server to other applications running on the cloud is potentially risky, he says, because an attacker could potentially intercept them.

Generally you want to generate your random numbers at the same location that you generate your security keys to avoid this risk, says Roger Colbeck, a professor at the University of York in the UK who studies quantum information. "If they're using some method to get them from their server to the user that could be hacked then they're kind of compromising the 'quantumness' of their random numbers," he says.

In that respect, integrating QRNGs into users individual devices may be a more secure approach. But given the still considerable cost, how many manufacturers are ready to do away with conventional random number generators remains to be seen.

"Whether they're quantum or not is really a question of a money and security trade-off," he says. "But if manufacturers really get into competition, there's a real drive towards miniaturization and costs get reduced I don't see why in 10 years time every computer you buy couldn't have a little QRNG inside."

The Conversation (0)

Today’s Robotic Surgery Turns Surgical Trainees Into Spectators

Medical training in the robotics age leaves tomorrow's surgeons short on skills

10 min read
Photo of an operating room. On the left side of the image, two surgeons sit at consoles with their hands on controls. On the right side, a large white robot with four arms operates on a patient.

The dominant player in the robotic surgery industry is Intuitive Surgical, which has more than 6,700 da Vinci machines in hospitals around the world. The robot’s four arms can all be controlled by a single surgeon.

Thomas Samson/AFP/Getty Images
Blue

Before the robots arrived, surgical training was done the same way for nearly a century.

During routine surgeries, trainees worked with nurses, anesthesiologists, and scrub technicians to position and sedate the patient, while also preparing the surgical field with instruments and lights. In many cases, the trainee then made the incision, cauterized blood vessels to prevent blood loss, and positioned clamps to expose the organ or area of interest. That’s often when the surgeon arrived, scrubbed in, and took charge. But operations typically required four hands, so the trainee assisted the senior surgeon by suctioning blood and moving tissue, gradually taking the lead role as he or she gained experience. When the main surgical task was accomplished, the surgeon scrubbed out and left to do the paperwork. The trainee then did whatever stitching, stapling, or gluing was necessary to make the patient whole again.

Keep Reading ↓Show less
{"imageShortcodeIds":[]}