Randomness is typically seen as a problem, interfering with our ability to make sense of the world and complicating our attempts to predict the future. But that very unpredictability also makes it a crucial ingredient in the encryption that protects billions of dollars worth of private data. Random numbers are used to make cryptographic keys, and any latent pattern in the key can be used to crack encryption. True randomness is harder to come by than you might think though, which is why people are increasingly turning to the strange world of quantum mechanics to find it.
Chinese tech giant Alibaba recently published research on a quantum random number generator (QRNG) platform that it has been using to enhance the security of its cloud as well as financial services like Alipay and Ant Financial. And in April, Samsung released the Galaxy Quantum 2 - the second generation of its new line of smartphones secured using a specialized QRNG chip.
Others may soon follow in their footsteps, says Axel Foery, an executive at Swiss company ID Quantique, which supplies QRNG chips used by both Alibaba and Samsung. He says they are in discussions with a number of major cloud-providers and leading smartphone makers and he thinks the use of quantum randomness could soon be standard practice. That's because ever more powerful computers and new techniques like machine learning and quantum computing are making traditional sources of randomness increasingly easy to hack, he says.
"It's still some effort, but it's less effort than it was in the past," he adds. "And if you understand the randomness and you can predict it then you have no randomness. And then you can manipulate all the functions that rely on this randomness."
It's possible for computer to generate random numbers by harnessing environmental processes such as thermal noise in a computer chip or a user's mouse movements. But this can be too slow for many applications, and there are typically biases in the way these phenomena are measured that reduce their randomness.
As a result, most encryption today relies on pseudo-random number generators, which use algorithms to produce numbers with statistical properties close to random. But any "random" number generated by a mathematical process is inherently deterministic, says Foery, and if you can crack how it works you can predict any security key it produces.
Quantum processes on the other hand are inherently probabilistic. Even with perfect information its impossible to predict their outcome exactly. One of the most popular way of harnessing this quantum randomness is to fire light at a beam splitter. The chances of an individual photon going one way or the other are 50-50, so by counting the number of photons that land either side you can generate a string of random binary bits.
This approach has the benefit of being able to generate random numbers much faster than alternatives, says Foery and is the technique used by ID Quantique. And while such devices used to be bulky and expensive, rapid improvements in the ability to integrate optical components with silicon means their latest chips are just 2.5 millimeters across. Prices have also dropped significantly and Foery estimates their chip only represents a few percent of the overall production cost of the Galaxy Quantum 2.
Whether your average smartphone user needs the extra security provided by a QRNG is debatable. But Juan Carlos García Escartín, an associate professor at the Universidad de Valladolid in Spain who studies quantum information, says the fact they are now making it into consumer products is a promising sign the technology is breaking out of niche applications. "I wouldn't have expected a few years ago that something you can buy in a store will have a QRNG inside," he said.
The platform outlined by Alibaba in their recent Nature paper is even more intriguing though, he says. The system combines three commercial QRNGs, including one from ID Quantique, with a QRNG made by the company's own researchers. The system has been used to deliver random numbers to a variety of applications running on the company's cloud for more than a year. Alibaba declined an interview request.
The paper's authors describe how combining output from the QRNGs in different ways lets them tune the level of security provided and the speed with which numbers can be generated, which is important for a cloud server that has to generate large numbers of security keys.
"Their servers will be connecting to millions of users," says García Escartín. "These quantum devices can be very fast and that's something that, if you are on a daily basis working with huge amounts of randomness, would be very interesting." However, sending random numbers from a central server to other applications running on the cloud is potentially risky, he says, because an attacker could potentially intercept them.
Generally you want to generate your random numbers at the same location that you generate your security keys to avoid this risk, says Roger Colbeck, a professor at the University of York in the UK who studies quantum information. "If they're using some method to get them from their server to the user that could be hacked then they're kind of compromising the 'quantumness' of their random numbers," he says.
In that respect, integrating QRNGs into users individual devices may be a more secure approach. But given the still considerable cost, how many manufacturers are ready to do away with conventional random number generators remains to be seen.
"Whether they're quantum or not is really a question of a money and security trade-off," he says. "But if manufacturers really get into competition, there's a real drive towards miniaturization and costs get reduced I don't see why in 10 years time every computer you buy couldn't have a little QRNG inside."
- Waiting for Quantum Computing? Try Probabilistic Computing - IEEE ... ›
- The Case Against Quantum Computing - IEEE Spectrum ›
Edd Gent is a freelance science and technology writer based in Bangalore, India. His writing focuses on emerging technologies across computing, engineering, energy and bioscience. He's on Twitter at @EddytheGent and email at edd dot gent at outlook dot com. His PGP fingerprint is ABB8 6BB3 3E69 C4A7 EC91 611B 5C12 193D 5DFC C01B. His public key is here. DM for Signal info.