3) “I spoke to several people in Europe, and everybody believes that it (Herbert’s FLASH Experiment) should work.”91
Though the editor couldn’t know it at the time, his referees were in good company. Even Richard Feynman had been stumped by the FLASH setup, unable to poke any holes in Herbert’s design until Wojciech Zurek walked him through the no-cloning argument at a blackboard. (“I think his reaction was short of full satisfaction,” Zurek dryly recalled.)92
Of course, the Foundations editor had received some reports that were critical of Herbert’s paper, too. But, the editor explained to Ghirardi and Weber, no consensus had emerged among those reports as to just what Herbert’s error had been. Rather than decide the matter in secret by himself, the editor had decided to publish Herbert’s paper. In that way, “Found. Phys. could be instrumental in stimulating the controversy surrounding Herbert’s paper and hastening its resolution in a public forum.” And, indeed, subsequent events, such as the publication of the Wootters-Zurek article in Nature and the Dieks article in Physics Letters, had shown the editor’s instincts to be “dead right.” His only regret was that the rebuttals by Wootters, Zurek, and Dieks had “bypassed” Foundations of Physics, appearing in those other (vastly more prestigious) journals.93 In sum, the editor assured Ghirardi and Weber, “I took the action I did for the noblest of reasons…. All the same, I wish I could make amends for the mental agony you have suffered.” Perhaps the Trieste physicists would like to submit their own article on the matter to Foundations of Physics?94
Ghirardi and Weber didn’t have to wait for the editor’s suggestion. They had already written up a lengthy article of their own, building on Ghirardi’s notes from his first inspection of Herbert’s paper back in April 1981. They mailed the latest paper off to the journal Il Nuovo Cimento (in which their earlier critiques of superluminal communication schemes had appeared) the same week that they sent off their spirited letter of complaint to the Foundations editor. (They were too fed up with Foundations of Physics at the time to consider submitting anything there.)95 At least some cognoscenti appreciated their detailed analysis of the way that quantum theory’s linearity scuttled any design for superluminal telegraphy. An Italian colleague showed their preprint to Rudolf Peierls, a grand old man of the field and John Bell’s former advisor, who offered his congratulations. Not only had Ghirardi and Weber arrived at “the right answer”; Peierls was “glad that the reason why Herbert’s proposed experiment is nonsense, has been presented so clearly.”96 Their paper came out in November 1983, a year after the articles by Wootters, Zurek, and Dieks had been published.97
While Jack Sarfatti, Nick Herbert, and their brilliant critics—Stapp and Eberhard, Ghirardi and Weber, Wootters and Zurek, Dieks, and others—wrestled with superluminal communication, a parallel set of efforts began to coalesce. The activities were never truly independent—the hiccups of history had already entangled several key players—but by the mid-1980s, the two lines had become thoroughly enmeshed. The result: the first proposals for quantum encryption, a whole new way to protect information.
In each of its guises, the no-cloning theorem seemed to be about limitations: things that quantum theory will not allow. In short order, that fundamental limitation had been transformed into an asset, or, as computer programmers might say, the “bug” had been turned into a “feature.” Faster-than-light communication? Probably not. But how about slower-than-light communication that could be perfectly secure: an encryption system for sending secret messages that could never be hacked, stolen, altered, or imitated?
Encryption of one kind or another has been around for millennia. Indeed, for as long as people have needed to send secret messages—strategies for battle, missives between star-crossed lovers—they have sought some way to keep those messages out of the wrong hands. Some have looked to physical mechanisms, such as invisible ink. Others have invented secret codes or ciphers, scrambling the original message so that the intended meaning could only be unpacked by someone in possession of the encryption key. The stakes can be huge: think of the heroic effort undertaken by British mathematicians during World War II to crack the Nazis’ “Enigma” code, with which the Germans had been coordinating deadly U-boat and Luftwaffe attacks. The 1970s saw another uptick in efforts to design reliable encryption devices for both government and commercial purposes, as electronic computers expanded ever more quickly into the daily routines of business and corporate life. Those years saw the birth of public-key encryption, such as the RSA algorithm, named for its MIT inventors, Ronald Rivest, Adi Shamir, and Leonard Adleman.98
Public-key encryption involves a carefully choreographed dance among two or more parties. They exchange some information in public—even in the midst of potential eavesdroppers—while keeping other information tightly guarded. The public exchange of information allows them to devise a secret key without taking the trouble of meeting somewhere in person, a handy feature when trying to execute secret plans at a distance. For example, the two parties can publicly exchange a series of large, arbitrary numbers, dozens of digits long. They also select a distinct set of large numbers, but keep these secret, even from each other. After they conduct a few ordinary mathematical operations on their publicly shared and privately held numbers—nothing more complicated than multiplication and division—they trade answers in public. By broadcasting some numbers and guarding others, they may divine each other’s hidden numbers and use them as the basis for an encryption key.99
Encryption algorithms, such as RSA, rely on the practical difficulty of breaking down very large numbers into their smallest (prime-number) constituents. That is, they employ mathematical operations like multiplication and division that are in principle reversible. It just so happens, as the inventors of RSA and others were able to show, that beginning with a big number and trying to isolate its prime factors takes a long time using realistic, buildable electronic computers—in some cases, a really long time, several times the age of the universe.100 These types of encryption thus offer de facto security: banks and governments can trust that their messages will remain secure for all practical purposes. Today we all trust these systems, whether we realize it or not, whenever we send an email or make a purchase on the Internet. But what if the security of those messages could be protected de jure—not by this or that government regulation, but by a law of nature?
The path toward quantum encryption began with some creative brainstorming by a young physics graduate student named Stephen Wiesner. His father, Jerome Wiesner, had worked on radar as an electrical engineer at the wartime Radiation Laboratory at MIT. Wiesner père made his career at MIT, rising through the administrative ranks and serving as president of the Institute from 1971 through 1980. He had also been a highly placed science advisor in the Kennedy and Johnson administrations.101 Stephen Wiesner grew up reading about quantum mechanics, information theory, and electronic communication, often borrowing books from his father’s shelves. He enrolled as an undergraduate at Caltech in 1960, where his lab partner for freshman physics turned out to be John Clauser (who would go on to conduct the first experimental test of Bell’s theorem and join the Fundamental Fysiks Group). In addition to talking about physics, Clauser and Wiesner sprung together to buy a used car; Wiesner can’t remember whether it cost a total of $15 or $16 (roughly $100 in 2010 dollars). Aside from his friendship with Clauser, things did not go well for Wiesner at Caltech. He flunked out and transferred to Brandeis University, in the Boston area near where his family lived.102 There he befriended a fellow undergraduate, Charles Bennett.103 Though neither knew it at the time, John Bell visited Brandeis and wrapped up his famous article on Bell’s theorem during their senior year, in 1964.
Wiesner entered graduate school a few years later at Columbia University, not realizing that Clauser was also a graduate student there. (By that time, Clauser was working on astrophysics, so his office was in a building different from the main physics department.)104 Wiesner came to Columbia at a propitious moment: Columbia saw some of the worst rioting of any American campus during the spring of 1968, as a wave of unrest over the Vietnam War crested across the nation’s universities. Wiesner had planned to study high-energy physics, but suddenly the laboratory was closed and classes canceled. “This gave me the chance to forget about what I was supposed to be doing and reflect on what seemed really important to me,” Wiesner put it recently.105 As chaos reigned all around him, he wondered whether quantum theory might enable some foolproof means of securing order. Could one make “quantum money,” for example, money that could never be counterfeited, even in principle?
Wiesner walked through the argument. Perhaps each dollar bill could carry a unique serial number—as they do now—as well as a set of trapped photons hidden inside special boxes. The issuing bank would insert the photons in definite states of polarization (box 1, state R; box 2, state H; and so on), and keep a sealed record in its archives of the arrays of polarizations that went with each serial number. Anyone who wanted to make a copy of the bill would need to open up the boxes and make measurements of each photon’s polarization. But how could they know whether a given photon was in a state of linear or circular polarization? If the photon in box 1 really had been set up in state R (that is, a definite state of circular polarization), but the counterfeiter happened to choose to measure linear polarization instead, he would have a fifty-fifty chance of finding H or V; he would never find R. And so on down the list: the counterfeiter would need to know, ahead of time, whether each photon was in a linear or circular polarization state before even attempting to make a measurement or produce a copy. The bank, meanwhile, could easily check any bill against its own records to detect fakes. For the whole scheme to work, Wiesner had to assume that the photons in the original dollar bill could not be duplicated without disturbing their original polarizations—an assumption he did, in fact, make, though without providing any justification.106
Wiesner wrote up his brief paper while the real-world events on campus continued to swirl. He passed it along to a department secretary, who agreed to type up a clean preprint copy since all ordinary business had ground to a halt. Looking back, Wiesner emphasizes that neither he nor the secretary received “any permission from the higher-ups. Discipline had broken down. The paper couldn’t have been produced a year earlier or a year later.” Indeed, once order was restored and classes had resumed, none of Wiesner’s professors at Columbia showed any interest in his odd little paper—no more than John Clauser’s Columbia advisors appreciated his budding interest in Bell’s theorem. None of the referees from the various journals to which Wiesner submitted his paper knew what to make of it, either.107 And so the paper languished in a kind of samizdat gray zone, much as Nick Herbert’s QUICK paper would do, circulating here and there in crude photocopied form.108
A few years later Wiesner ran into his old lab partner, John Clauser, in Berkeley. Wiesner had set his quantum money paper aside, completed his dissertation on mainstream particle physics, and hit the road. Living as a self-styled hippie, Wiesner caught up with Clauser and got a tour of his in-progress experiments on Bell’s theorem. Neither remembers talking about the quantum money proposal during that visit.109 Nick Herbert, whose QUICK and FLASH schemes share so many features with Wiesner’s idea, seems not to have met Wiesner at that point; he first learned about quantum money many years later.110 Their collective wavefunction, still so full of possibilities, had yet to collapse.
Back on the east coast, however, Wiesner’s idiosyncratic ideas did start to percolate. One of the few people who took notice was Wiesner’s old friend from Brandeis, Charles Bennett. Bennett was just finishing up his PhD at Harvard, where he worked on computer models of molecular behavior. From Harvard, Bennett moved to the IBM research laboratory in Yorktown Heights, New York. He and Wiesner had stayed in touch since their undergraduate days. Meanwhile, at IBM, Bennett’s interests shifted more and more from computer simulations of physical systems to the nature of computation and information in their own right. How should scientists conceive of information, computation, and communication in the light of quantum theory? And did those topics offer any insights, in turn, into the nature of quantum mechanics? As he explored the new terrain, he returned often to Wiesner’s unpublished thought-piece.111 A few years later Bennett and Wiesner teamed up to combine the insights about quantum money with various encryption methods. Rather than lock away all the information about each dollar bill, they realized, perhaps they could reveal some of the relevant information publicly while keeping the rest hidden. Maybe that could become the basis for some new form of public-key encryption, a quantum version of the RSA algorithm.112
By that time, Bennett’s work had caught John Wheeler’s eye. Wheeler invited Bennett to a tiny workshop at Austin on the foundations of quantum theory early in 1984.113 There Bennett first met Bill Wootters; he crossed paths with Wojciech Zurek at a different conference around the same time. From them he learned about their recent work on the no-cloning theorem.114 Now armed with a solid proof that arbitrary quantum states, such as a photon’s polarization, cannot be duplicated, Bennett had the final piece of the puzzle. That December, he and his Montreal colleague Gilles Brassard presented a paper at a computer science conference. Ever since, their paper has been known by the simple abbreviation “BB84,” for Bennett, Brassard, 1984. It offered the first blueprint of a provably secure encryption system.115
Like Herbert’s FLASH scheme, the BB84 protocol relies on encoding messages using the polarization states of photons. There is one key difference. After experimenters A and B conclude their measurements on the photons, they open up a conventional communication channel—telephone, email, carrier pigeon, you name it. They compare notes on what their detectors had been set to, but not what each measurement outcome had been at those settings. Then they can see on which runs their detector settings happened to have matched. Zeroing in on the subset of runs with matching detector settings, they would then know what results their partners should have measured each time, based on the perfect correlation of entangled quantum systems. If both A and B happened to have set their detectors to measure circular polarization for the photons of run 1139, for example, and if experimenter B checked her log and saw that her detector measured L on that run, then she would know that experimenter A must have registered R on that same run. No one else could know that: even with the public chatter about which set of photons they were considering, and what their detectors had been set to measure for that round, no one could know what actual results each had found. The results would be pure quantum randomness: perfectly correlated between A and B, but unpredictable in advance.
To test for any tampering, experimenters A and B could use the open, public channel to compare notes on a few selected measurements. “For photon 1157, when we both happened to have our detectors set to measure linear polarization, did you get H?” experimenter B might ask. If A responds yes—and if that matches B’s expectation, given her own log of results—then they can be certain that no one had intervened with the photons of that run. Having publicly exposed the detector settings and measurement outcomes of that run, experimenters A and B would toss those results out of their sample. They would thus sacrifice a small handful of results to ensure that the rest were accurate, their security beyond question. Using the results that were left over, experimenters A and B would have a shared stock of provably secret data—in essence, a string of ones and zeros—with which to encrypt their messages.
The only reason to consider such a jerry-built scheme was the no-cloning theorem. Without that key result—and thus without Nick Herbert’s FLASH provocation—the carefully choreographed exchanges of the BB84 protocol would be for naught. Bennett and Brassard explained right up front: usually one assumed that digital communications could always be “passively monitored or copied, even by someone ignorant of their meaning.” Not so with their quantum system, which no eavesdropper could possibly access, even in part, without destroying the sought-after signal and announcing her presence. Any effort to intercept the photons en route to make clandestine measurements would irreversibly disturb their quantum state. Thanks to Wootters’s and Zurek’s result, moreover, no eavesdropper could make clones of the source photons, retaining some for nefarious purposes while sending perfect copies on their way toward the unsuspecting experimenters at A and B.116
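The eavesdropping check described above for BB84 and the counterfeiter's problem in Wiesner's quantum money rest on the same measurement rule, so this added Python example (not from the book or from Bennett and Brassard's paper) simulates both. It assumes a classical Monte Carlo model of the prepare-and-measure form of the protocol, in which a matching basis reproduces the prepared bit and a mismatched basis gives a fair coin; the function names, the 25% sample fraction, and the intercept-resend eavesdropper are choices made for illustration.

```python
import random

BASES = ("linear", "circular")  # linear: H/V, circular: R/L; bit 0/1 picks the state

def measure(photon, basis, rng):
    """Matching basis returns the prepared bit; the other basis gives a fair coin."""
    prep_basis, bit = photon
    return bit if prep_basis == basis else rng.randrange(2)

def bb84(n, eavesdrop, seed, sample_frac=0.25):
    """Run n photons; return (error rate in the sacrificed sample, key_a, key_b)."""
    rng = random.Random(seed)
    a_bases = [rng.choice(BASES) for _ in range(n)]
    a_bits = [rng.randrange(2) for _ in range(n)]
    b_bases = [rng.choice(BASES) for _ in range(n)]
    b_bits = []
    for i in range(n):
        photon = (a_bases[i], a_bits[i])
        if eavesdrop:
            # Intercept-resend: the eavesdropper must guess a basis, and what
            # she forwards is the state she measured, not the original one.
            guess = rng.choice(BASES)
            photon = (guess, measure(photon, guess, rng))
        b_bits.append(measure(photon, b_bases[i], rng))
    # Public channel, step 1: compare detector settings only, keep matching runs.
    sifted = [i for i in range(n) if a_bases[i] == b_bases[i]]
    if len(sifted) < 2:
        raise ValueError("too few matching runs to test and still keep a key")
    # Public channel, step 2: reveal outcomes for a random sample, then discard it.
    k = max(1, int(len(sifted) * sample_frac))
    sample = set(rng.sample(sifted, k))
    errors = sum(a_bits[i] != b_bits[i] for i in sample)
    key_a = [a_bits[i] for i in sifted if i not in sample]
    key_b = [b_bits[i] for i in sifted if i not in sample]
    return errors / k, key_a, key_b

def forged_bill_pass_rate(n_photons, trials, seed):
    """Fraction of forged bills that survive the bank's check of every photon."""
    rng = random.Random(seed)
    passed = 0
    for _ in range(trials):
        bill = [(rng.choice(BASES), rng.randrange(2)) for _ in range(n_photons)]
        ok = True
        for basis, bit in bill:
            guess = rng.choice(BASES)  # the counterfeiter does not know the basis
            forged = (guess, measure((basis, bit), guess, rng))
            if measure(forged, basis, rng) != bit:  # bank uses its recorded basis
                ok = False
                break
        passed += ok
    return passed / trials

if __name__ == "__main__":
    print("no eavesdropper :", bb84(4000, False, seed=1)[0])
    print("intercept-resend:", round(bb84(4000, True, seed=1)[0], 3))
    print("1-photon forgery pass rate :", forged_bill_pass_rate(1, 20000, seed=2))
    print("20-photon forgery pass rate:", forged_bill_pass_rate(20, 2000, seed=3))
```

In this model an intercept-resend eavesdropper pushes the error rate in the compared sample to about 25%, and a forger's chance of passing the bank's check falls as (3/4)^n with the number of photons per bill.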
A follow-up proposal, published a few years later, demonstrated an even more efficient way to test for eavesdropping, by making more direct use of Bell’s theorem.117 Since then, experiments have roared ahead. In recent years, quantum encryption has moved beyond the laboratory to several real-world demonstrations, such as the 2004 bank transfer in Vienna and the 2007 electronic voting in Geneva. Both of those demonstrations used entangled photons shot through fiber-optic cables. Other groups have demonstrated the ability to send robust quantum-encrypted signals even further, down fiber-optic cables as long as 115 miles.118 Another group successfully broadcast quantum-encrypted signals nearly 100 miles through open air: far enough to demonstrate that quantum encryption could be used to bounce signals from an earthbound station to an orbiting satellite and back, opening up the possibility of creating a worldwide network of quantum-secure communications.119
Given the obvious potential for government and military applications, the Defense Advanced Research Projects Agency (DARPA) has lavished millions of dollars in funding. National laboratories such as Los Alamos and the National Institute of Standards and Technology (formerly the U.S. Bureau of Standards) maintain active groups in quantum cryptography, as do similar government organizations throughout Europe and Japan.120 The private sector has shown comparable interest. In addition to several start-up firms specializing in quantum cryptography, most of the major electronics corporations now sport their own internal divisions dedicated to the topic, including IBM, Hewlett-Packard, Toshiba, Mitsubishi, and NEC.121 The recent flurry of activity has attracted feature articles not just in the places one might expect—Scientific American, Physics World, New Scientist, Wired Magazine—but also in BusinessWeek, The Wall Street Journal, and more.122 Thanks to breakthroughs like the no-cloning theorem and the BB84 protocol, the foundations of quantum mechanics have made their way onto the business pages.
How the Hippies Saved Physics: Science, Counterculture, and the Quantum Revival Page 27