91TV

Fellows

Fellows

91TV is a self-governing Fellowship made up of many of the world’s most eminent scientists, engineers, and technologists.

Search the Fellows Directory

About elections
Events

Events

Discover events, scientific meetings and exhibitions held by the Royal Society, as well as access to videos of past events and information on our venue.

Public events

Scientific meetings

Accessibility

Summer Science Exhibition

Venue hire
Journals

Journals

Discover new research from across the sciences in our international, high impact journals. Find out more about our values as a not-for-profit society publisher, our support for open science and our commitment to research integrity.

See all journals

Authors

Reviewers

Librarians

Open access

About our journals

Journal policies

Metrics
Current topics

Current topics

Find out about our work in areas of current topical interest to the Royal Society.

AI and data

Climate change and biodiversity

Education and skills

Equality, diversity and inclusion

Genetic technologies

Health

History of science

Innovation

New technologies

Research culture and funding
Grants

Grants

91TV provides a range of grant schemes to support the UK scientific community and foster collaboration between UK based and overseas scientists.

Applying
See all grants Application and assessment process Application dates

Support
Training and development opportunities Global Talent Visa

About Grants
Policies and positions Contact the Grants team
Medals and prizes

Medals, awards and prizes

The Society’s medals, awards and prize lectures recognise excellence in science and technology. Our most prestigious award, the Copley Medal, was first awarded in 1731.

See all medals and prizes

Nomination guidance

Premier awards

Science Book Prize

Young People's Book Prize
91TV

Who we are

Mission

Charity

Strategy

Our staff

Diversity and inclusion

Our history

What we do

Collections

Advising policy makers

Public engagement

Schools engagement

Industry engagement

International activities

Recognising excellence

Supporting researchers

UK Young Academy

How we are governed

Committees and working groups

Council

Our funding

Our supporters

Trustees Report

Work for us

Our values

Vacancies
News and resources

News and resources

Explore the latest work from the Royal Society, from news stories and blog posts to policy statements and projects. You can also find resources for teachers and history of science researchers.

Blog

News

Projects

Reports and publications

Resources for schools

History of science resources

Explainers and introductions

Videos

Women in STEM

Privacy for the paranoid: the ultimate limits of secrecy | 91TV

1 hour and 3 mins watch 12 November 2024

So, it's going to be a very popular lecture. I guess some of you may find it perhaps too simple,
but I think it's probably better to err on this side rather than to go into technicalities. So I'm
going to present you with two narratives. One is about curiosity-driven research,
trying to understand the notion of randomness in nature, trying to understand the foundations of
quantum physics and how we should understand the world where it seems that randomness is inherent
into it. So it's going to be one narrative. The other narrative will be about our search to design
a perfect cipher, something that is immune to any eavesdropping, something that can offer perfect
security. perfect privacy. Then I will tell you about the fusion of the two. So I'll just
bring those two narratives together, and I'll hope to show you how quantum physics
helped cryptography and how cryptography offered some tools to foundations of quantum physics.
So let me start with the with the second narrative, our quest to design
a perfect cipher. Of course, when it comes to cryptography and the art of secure communication,
you can almost give a separate lecture. It has a beautiful history. Essentially, as soon as
human beings started writing, especially in the Mediterranean basin where people, the Phoenicians,
came up with a finite set of characters called alphabet and people started playing with the
letters of the alphabet, you can then take any written text and make it a little bit less
readable when you just all try to scramble it by using essentially two basic techniques. As long
as we can trust historians, we know that ancient Greeks employed the first encryption device
called scytale, which was essentially a wooden baton of a fixed diameter.
So what you would do, you would take a strip of parchment. You would just wrap it around
this wooden baton and write your message lengthwise, and then you would just unwrap
it and give it to a courier that would take it from one military commander to another. So
when unwrapped it looks scrambled, right? So the letters retain its form, modulo some rotation,
but were placed in a different way. So that was actually the first device we are aware
that ancient Spartans used to send encrypted messages from one military commander to the
other. A slightly different technique was used a bit later. Julius Caesar allegedly used a
very simple substitution cipher to communicate with his military commanders. The idea is quite
simple. You take the letters of the alphabet and shift the whole alphabet, in this case by three
characters to the left. Then you have this ABC sticking out, which you can attend to at the end
of this alphabet. Then you have a substitution rule which essentially says for A substitute D.
For B substitute E, and so on and so forth. So in this particular case the same message
that we had on the scytale will be encrypted by a very simple one-to-one substitution. Now,
as you can guess, they were not what we would consider today the most
secure method of scrambling messages or encrypting them. Probably, to the best of our knowledge,
the first attempt to break a substitution cipher came in the ninth century, and the person to whom
it is attributed, a method that is based on the statistical analysis of characters of an
encrypted message, is attributed to Al-Kindi, who lived in what is today Baghdad around the
ninth century. So he realized that in any natural language the characters are not entirely random.
So if you take essentially any Indo-European language, for example English, in English the
most frequent character is the letter E. If you have a cryptogram which is based on this very
simple one-to-one substitution, then you look for the most frequent character in your cryptogram.
Then it's a reasonable thing, if you have enough material to analyse, it's a reasonable thing to
assume it's going to be the letter E, and the second most frequent would be the letter T,
and so on and so forth. So it is relatively easy using very simple statistical analysis to break a
one-to-one substitution cipher. Of course, we are talking here on a typical text. So we're talking
about a typical English text. There are - and some writers like to show their skills - there are
examples, which even have a name in literature. It's called lipograms, where you write your text
and on purpose you avoid certain characters. So for example, you see that this paragraph that
you can see at the top of the slide is an example of a lipogram where the letter E doesn't appear,
the most frequent letter in English. It's not easy to write a lipogram. That's possible, and
probably the most famous lipogram ever is a novel written by Georges Perec in French. In French the
letter E is also the most frequent letter so. So he wrote over 85000 words without a single
letter E. What's even more interesting, it was translated to English and was titled A Void, and
the translator also managed to avoid the letter E in the English translation. So it's quite a
task. So this simple statistical analysis wouldn't actually work on the lipogram. Then we have some
other interesting characters like Burmann, who's a German poet. He hated the letter R, so he was
obsessed to the point that he even avoided this letter in daily conversation for almost 17 years.
There are strange people there. So if one-to-one, so monoalphabetic cipher, is easy to break,
then the next big step in the history of secret writing was a polyalphabetic cipher. Obviously if
one-to-one correspondence is, easy then let's try one to many. Again, there is a debate. Who was the
first to try it? Most likely Leone Battista Alberti, who is probably known to you as a
famous architect of the Renaissance period. So he came up with idea that maybe as you go
along you can use different substitutions. So the first letter in your text can be encrypted
with one substitution. You move to the second letter and you use different substitution, and so
on and so forth. So he came up with the idea of an encryption disk where you can see on the perimeter
of the disk you have two alphabets, and you can rotate those two concentric disks. For example,
if you want to encrypt a message you may consider a sequence of substitutions. For example, you may
choose three different substitutions, shifting the alphabet by seven for the first character,
shifting by 14 for the second character and shifting by 19 for the third character. When you
go to the fourth character, you repeat the whole thing. So that is more complex, certainly a more
complicated way of encrypting messages. It took a while for people to come up with a systematic way
of breaking polyalphabetic ciphers. Again, to the best of my knowledge,
historians attribute it to Charles Babbage, the Charles Babbage. So he in the 19th century came
up with a way of breaking polyalphabetic ciphers. The whole Alberti's idea of having this encryption
disk which you have two alphabets, you can rotate one disk with respect to the other and have a
substitution rule, was actually taken a little bit further, and with electromechanical devices
that was essentially the principle behind a very famous encryption device called Enigma, the Enigma
machine, where you don't have just one disk but you can have many. Three, four, five. So that was
designed by Dutch engineers, and it was broken in a rather spectacular way by Polish cryptologist
Marian Rejewski. So if you think that Turing did it, that's not quite true. Rejewski. Whenever you
hear Turing think about Rejewski. It's a pity. The Polish surname doesn't help in this particular
case, but Rejewski was an ingenious mathematician who was hired by the Polish Bureau of Ciphers
in the late 1930s to work on Enigma with two colleagues of his and then, of course, Turing
of course did an amazing job breaking even more complicated Enigma later on. At least he knew that
Enigma could be broken. So the message here, if you just go through the history of encryption and
decryption, sorry, of code-making and code-breaking, you may ask yourself the
question, 'Is there a method that can offer you a truly unbreakable cipher?'
We can see that monoalphabetic ciphers, well, Al-Kindi, the statistical analysis. Then more
complicated ciphers, for example polyalphabetic ciphers or Enigma ciphers, we have Rejewski,
we have Turing, we have Zygalski. We have a few other brilliant cryptologists.
So the question is, is it possible to design a system so that you cannot break it? Can you
design a perfect cipher? So it seems like the answer is no, but I try to convince you that it
is the case. So actually there is a cipher that is considered to be absolutely secure, and is known
as a one-time pad. So that's an extreme example of a polyalphabetic cipher where essentially you
have a message. Imagine that it's a sequence of zeros and ones in some kind of Ascii alphabet,
and then you have a random sequence of characters and two individuals - we usually call them Alice
and Bob - who want to communicate secretly. They have to establish this random sequence of zeros
and ones, completely meaningless. Assume that there's no pattern there. So once they
have this cryptographic key, then Alice can send a message to Bob by taking the message,
taking the key and doing binary addition. So you see, the message has, of course,
a certain statistical characteristic of characters that is attributed to a natural
language, but the key is completely random. This randomness of the key in binary addition,
if you add one bit from the message to one bit of the key and you get the cryptogram, so this
binary addition goes like zero plus zero is zero, zero plus one is one, one plus zero is also one,
but one plus one is zero. So the randomness of the key in this process is transformed
into the randomness of the cryptogram. So the cryptogram is completely random, and therefore
no statistical analysis can actually reveal the message that the key is masking. So Alice can send
this cryptogram over any unprotected channel. On the Bob side, Bob receives the cryptogram,
takes the key and applies the same operation binary addition. That will recover the message.
So you add this randomness from cryptogram by applying the key and doing the binary addition.
So one can show that under certain assumptions, if the key is truly random, is truly secret,
as long as the message, and it's used only once - that's why it's called one-time pad - then the
system is absolutely secure. You cannot break it. There's no statistical analysis that allows you
to break this particular method of encryption. So what's the problem, you may say. You might as
well end the story here. The thing is that there is a problem here. And the problem is because we
cannot reuse the key. Reusing the key is actually a big mistake, and it happened a few times in
history where the keys were reused because there was a problem with distributing the key and it
was a big mistake, because it allowed people to in fact break certain messages that were
encrypted as well. So the problem is that for this system to work we have to generate fresh
keys all the time. So Alice and Bob, who may be just miles away from each other, have to have
access to a certain well-protected channel which is only used to distribute the keys.
So you see the key itself, and it's very important, is meaningless. It doesn't convey
any information. It's just a random string of zeros and ones without any meaning to it,
except that it's perfectly correlated. So if two people share randomness that's actually
a powerful result for cryptographic purposes. How to distribute those keys is a big problem.
How to establish a really secure line between two different locations, and how to make sure
that nobody is eavesdropping on that line, is an essentially impossible task. At least,
I will argue in a moment, within sort of a classical domain, it cannot be done.
So the key distribution problem, today we have essentially two solutions to the key distribution
problem. One is just to kind of avoid the key distribution problem, so go around the problem,
and it's a beautiful mathematical invention of public key cryptosystems. There are many of them,
and that would be a topic for another lecture. So I'm just saying that there is a mathematical
solution. However, it's not entirely perfect because it relies on something that computer
scientists call computational complexity. It relies on the fact that certain mathematical
problems are considered to be difficult like, for example, factoring large integers. However,
usually we assume that something is difficult without even being able to prove that it is truly
difficult. So we don't know whether, for example, factoring is inherently difficult and will always
remain so, at least for classical devices, or is it just simply we are not clever enough to find
a good algorithm? We know, for example, that having quantum computers we can find efficient
algorithms for factoring. So that means that a huge class of public key cryptosystems that we
use today is not going to be secure once we have quantum devices such as, say, quantum computers.
So the security is a little bit uncertain in these things and usually cannot be proven. It's based on
the assumptions that certain things are simply difficult. However, public key cryptosystems are
very convenient to use. Another solution is fixing the key distribution problem by using
quantum phenomena. So then that will take us in the direction of quantum cryptography,
and essentially I'll be taking this route today to show you how we can use physics to solve the
problem. So think about public key cryptosystem as a mathematical solution. Very elegant. However,
security is not proven. We also have quantum physical solution to the key distribution problem,
which is secure. We can prove it is secure, or given our knowledge how the world works. However,
it's probably at this stage of development less convenient, and maybe a little bit more
difficult to… Well, not a little but probably much more difficult to implement in certain cases.
Okay, well, let me then switch to the other narrative. So I told you about our quest to find
a perfect cipher, and we identify the problem. The problem is the key distribution. So now let's
start another narrative and talk about how people try to understand the notion of randomness in
quantum physics. Then I'll just bring that to together. So again, talking about randomness,
whether randomness is something objective or something subjective, whether it's your
perception, whether it's your lack of knowledge, one can again give another lecture on this,
and it's a wonderful and interesting problem that is still largely unresolved. With quantum physics,
quantum brought an additional twist to the whole attempts to understand randomness.
So essentially, when you look at quantum phenomena most of the time you cannot
say what's going to happen for sure in a given experiment. So you set up a quantum experiment,
like a very simple experiment here where you have a photon - this yellow sphere is supposed
to represent a photon, my drawing - and you have a half-silver mirror, a beam splitter.
So this photon can be either reflected or transmitted, and I say either reflected
or transmitted by thinking about the following experiment where you can put two photodetectors,
one here and one here, so one in the reflected beam and one in the transmitted beam. So it will
be always the case that one of the photodetector will click and register a photon. So in this sense
the photon is either reflected or transmitted. We don't observe like a fraction of a photon.
The interesting thing is that when we prepare this experiment - well, at least a platonic vision
of this experiment, ideal experiment - so in in exactly the same way, so you position the photon
and the beam splitter in the same way, and it has the same frequency and everything is exactly the
same, the outcome can still be different. So it can be either reflected or transmitted. So we have
identical preparation. At least, quantum physics tells us that they're identical, the quantum state
before is identical, but the final outcome can be different. That is actually something that is
against our way of trying to understand nature. We usually try to think about cause and effect,
and we think if we know exactly, at least in principle, if we know exactly the initial state we
should be able to predict what's going to happen. Here we know the initial state and this doesn't
help us. Many things can happen, like in this particular experiment two things can happen.
The photon can be either reflected or transmitted. In the early days of quantum physics people really
were very uncomfortable with this. Well, at least Albert Einstein was one of those who thought, 'No,
it cannot be like this.' I mean, he accepted that there is a need for quantum theory, but he thought
that the quantum description which tells you that the state of this photon, the initial state,
is exactly the same is not complete. There is probably a deeper, more precise description. So we
are missing something. So that means that quantum theory to Einstein was like a provisional concept.
So it was just a construct that works, but it requires maybe a little bit further investigation.
Hopefully when we work harder we should be able to design or to propose a theory where those
states are more precisely defined, and we should be able to make more precise predictions whether
something will be reflected or transmitted. So that was Einstein's unhappiness. He thinks,
'Okay, this description is fine maybe.' He accepted the quantum theory as it was, but he
considered it not complete. He thought that there that there may be some extra better description in
terms of some variables that are hidden, and they describe, for example, the initial state of the
photon. So Einstein played with the notion of, in the paper that I just showed you, in this paper,
a famous paper written by Einstein, Podolsky and Rosen in 1935. He came up with a very interesting
argument saying that if you take this view, if you think this is the best description, is it really
the best what you can have, then there are some consequences. He drew some consequences related
to having two particles which are correlated in a certain way. We'll come to this in a moment,
but I think later on it was rephrased and rephrased and rephrased, and I think perhaps
in a more modern language we talk about… Einstein used position and momentum of particles, but it's
probably easier to use a later translation of this argument in terms of polarisation.
So you may think about the following problem. You have a photon, a particle of light, and it has a
property that you can measure called polarisation. The polarisation, you cannot just measure a
polarisation, but you have to choose a direction, and with the respect of one particular direction
you can measure your polarisation. When you measure it, it has essentially two different
outcomes, say plus one or minus one in the units of h-bar. So it is something that you can measure.
So obviously, if you can measure it, it is a property. You attribute this property to the
object, and the question is, when you measure this, is the measurement really uncovering
preexisting property or is the measurement doing something, that this thing comes into
existence somehow during the interaction of the photon with the measuring device?
It's a natural way of thinking, of a measurement being a passive thing. So we measure something
and we learn about something that is already there. There is a preexisting property of
something that that we learn about in the act of measuring something. So in the Einstein
argument he questioned that, in some sense. So he said, 'Well we have a problem. If you take
the quantum mechanical description of nature, then you may conclude that either there is,
if you analyse not one but, say, two particles that that are separated,' today we use the words
they come from entangled state, so somehow they are correlated and when you measure
them they respond to those measurements in a very correlated way, those correlations can
only be explained either through some kind of a superluminal communication, or simply by assuming
that there is inherent randomness in nature. This EPR paper from 1935 was essentially a
philosophical paper. I mean, it's a beautifully written paper actually. You know, Einstein writes
very, very clearly so the argument is really well presented. It is a pleasure to read this paper
even today. However, at the time it was not clear what is the status of this proposition. I mean it
looked like, fine, Einstein has some views on quantum physics, but so what? Can we verify
it? Is it a testable proposition? About 30 years later John Bell looked at this again and said,
'Actually, yes, it is a testable proposition.' So he managed to translate the EPR argument into
something that you can verify. At least you can refute a certain worldview, the local realistic,
local realism, or the existence of local hidden variables using physicist lingo. So as you can
see, this… I don't know exactly who took this picture, possibly Alain Aspect. Here's John
Bell somewhere in Geneva looking at or discussing this, what we know today as Bell's inequality.
You can see that there is a certain figure of merit that you can measure. If that quantity
is less or equal to two, then he wrote Einstein, meaning Einstein is right,
so this local hidden variable does exist. However, if you violate, if you go beyond two - and quantum
mechanics predicts two square root of two, so it is more than two - then you refute
the view that was proposed by Einstein. So that means that either we have to accept instantaneous
communication, which is difficult to swallow, or we have to accept inherent randomness in nature.
So I'm not going to go through the derivation of the Bell inequalities, but actually it is a very
simple statement. So from a mathematical point of view it's absolutely trivial.
You just set up an experiment in two different locations. You measure polarisation of photons
coming from a source that could be placed somewhere in between, and you have Alice that
is going to choose randomly between measuring two different types of polarisation, say A1 and A2,
meaning along different directions, and you have Bob that is going to choose directions B1 and B2.
Then A1, A2, B1 and B2 are essentially random variables that can take two values, plus one
or minus one, so the values of the polarisation. So if the polarisation can be attributed to every
single type of polarisation, so that means A1, A2, B1 and B2 have definite values in each run of this
experiment, then you can construct this figure of merit, this quantity that John Bell had on his
blackboard, which you can see written here. It's A1 times B1 plus B2, and A2 times B1 minus B2.
So you can clearly see, if A's and B's can only take two values, plus one or minus one,
then one of the two terms, either B1 plus B2 or B1 minus B2 is equal to zero,
then the other one has to be plus or minus two. It's very easy to see that S can only take two
values. It's either plus two or minus two. So if you run this experiment many, many times, the
average will be somewhere between minus two and two - so that's essentially the Bell inequality,
known also as the CHSH inequality because it was reformulated by four other people - and
violate this, that means you refute Einstein's worldview. Here comes a number of experiments. To
me personally, the most convincing one when I was a student, the one that was popular at the time,
was the one performed by Alain Aspect in Orsay, where he essentially showed
in still a rudimentary experiment, but he showed that as S to be greater than two, and that was
confirmed by a number of beautiful experiments. So it's kind of official. The Nobel Prize in 2022
went to Anton Zeilinger, John Clauser and Alain Aspect for their work on experimental violation
of Bell inequality. So it's official now. It's violated. I should mention that there
are many other people who also contributed to this. The Nobel Prize usually goes to
not more than three people, but I would say Nicolas Gisin or Jianwei Pan or Ronald Hansen,
and the two favourite of mine with whom I worked, John Rarity and Paul Tapster. I think they would
have equally good case to be considered for the Swedish award. So I'll come to John and
Paul later, because they will feature in this story later on. Anyway, the message so far
is that the world is not what we thought it is, so it cannot be really explained completely in
terms of cause and effect. That there are random phenomena in nature. Things can just happen,
and that brings us to quantum crypto. So I'm going to bring the Bell inequality with
the story of secrecy in a moment, but just to say that me realising that the two can be connected
was independent from earlier work of my colleagues and friends, Charlie Bennett and Gilles Brassard,
who were looking at the key distribution problem from a quantum perspective. They
were thinking about and they proposed a system where they use quantum phenomena,
in their particular case Heisenberg uncertainty principle or what is called a conjugate coding,
to distribute the key. So there was a sequence of papers, but that was long before the internet. The
first paper that was written about using quantum phenomena for secure communication is attributed
to Steven Wiesner, who unfortunately passed away about two years ago, a very interesting
character. Charlie Bennett knew Steve quite well, and he took the idea of conjugate coding and,
together with Gilles Brassard, they developed a scheme for the key distribution using the
conjugate coding that was published in rather obscure conference proceedings.
The rest of the world didn't know about it. So my inspiration came from somewhere else, from
reading actually the EPR paper. I learned about the work of Charlie and Gilles after I had this
idea. As a student, that was both a disappointment and a little bit of maybe also satisfaction,
because as a student you are not quite sure whether your idea about connecting some Bell
equalities with ciphers is a good idea or bad. So I didn't have enough confidence to think whether
it's a good thing or bad thing. So when I learned about the work of Charlie and Gilles, that was
interesting because it was a mixture of saying, 'Oh well, someone else thought about it before,'
but not exactly the same way, in a different way. Then there was also this element of,
'Oh well, maybe those big guys, they thought about something and I'm thinking in the same direction.
So maybe there is something interesting there.' So that was the chronological sequence of getting
quantum into crypto, but the real fusion of the foundations and the search for perfect cipher,
well, I guess I can take credit for that. This came in a way from reading the Einstein paper, the
EPR paper, but reading it not as a physicist, but reading it more like a mathematician or someone
who is interested in secure communication. In this paper Einstein, who wants to be quite clear
what it means that things do exist, he defines something that is called the element of reality.
Never mind what it is, but if you if you read this, what he wrote, just essentially he wrote,
'If without any way disturbing a system we can predict with certainty the value
of a physical quantity, then there exists an element of physical reality corresponding to
this physical quantity.' Then you think, okay. Any information is physical, right? So it's
encoded in the properties of physical objects. If we can learn about this physical property,
about the value of this physical property without disturbing it, that's perfect eavesdropping.
That's the definition of perfect eavesdropping. So hence, if we can set up a system in which we
can see the violation of Bell's inequality, we don't have this element of reality. That's the
way to go. Why don't we just turn the table and use the Bell experiment for the purpose of testing
for eavesdropping? So that was essentially the idea. Rather simplistic, right? So if photons do
not carry predetermined values of polarisation, so those values didn't exist prior to the
measurement, they were not available to anyone including the eavesdropper, absolutely nobody in
the entire universe, any third party is not aware what was there because there was nothing there,
so testing for the violation of Bell inequalities is equivalent to testing for eavesdropping. So
that was like a naive way of thinking on one of those days in Oxford where there's nothing
else to do and the weather is horrible. Then I was lucky enough, because here comes
two of my experimental heroes, John Rarity and Paul Tapster. At the time that was an idea that
was a purely theoretical idea, but I happened to meet John Rarity in Cortina d'Ampezzo. We
were skiing together. Of course we were supposed to be attending lectures, but sometimes you're
better off science-wise as well if you just go and meet someone outside the lecture hall. So
we talked. John worked at the time at what used to be called Defence Research Agency in Malvern,
and he was actually quite interested in the ideas that I was telling him about. So he suggested,
'Why don't you just come along?' and we tried to set it up. They were doing quantum optics, but the
management at the time were… It was quite clear. The directions were, 'If you don't point your
laser at a tank or something like this, you're not doing research,' as far as the DRA was concerned.
So it took a while actually to persuade the management in Malvern that actually setting
up Bell inequalities makes sense. Then there was another obstacle, because the management said,
'Well, this is a defence establishment. Crypto. Those guys in Cheltenham do crypto. You don't
do crypto in Malvern.' Finally, you know, there's always a sensible person somewhere,
and so John and Paul and I managed to set up an experiment where we demonstrated… Well, I say we,
but all kudos goes to Paul Tapster who is one of those amazing experimentalists nobody heard
about because Paul essentially lives between three points. That is his house, his bridge
club and his lab, and he doesn't travel. So John was the one who travelled and told people about
all those experiments at the time. Well, I mean, they were supposed to be classified for a while,
but then Charlie and Gilles and myself wrote a popular piece for Scientific American,
so it was a bit silly to classify something that was published in Scientific American.
Of course, you know that the simple line of argument was a simple line of argument. In
order to prove that you can use Bell test to generate the key it required a little
bit of mathematical gymnastics. So you have to estimate something that is called mean entropy,
so the amount of randomness. How much of the key could have leaked, because the violation
of Bell inequalities is never perfect. There's noise in the system, and there's lots of yada,
yada, yada, yada, mathematical yada-yada to this story. Computer scientists and cryptologists know
how to do privacy amplification, but in order to start this process you really have to have
a certain number. So, for example, you should really be able to estimate this mean entropy,
essentially how much true randomness you have, how much of this key was leaked.
In the classical domain that's impossible because one can never exclude the possibility of passive
eavesdropping. In the quantum domain you can look at the degree of violation of the Bell inequality,
and from that you can deduce the amount of secrecy that you have. Then you can use some
classical techniques to amplify the privacy and to get the key. So that was the beginning of the
whole thing. Now, 30 years later, all those things went to use satellites to distribute the key. I'm
not saying that this is a mainstream in crypto, by all means not. I mean hardcore crypto guys
are very sceptical about all quantum techniques that are used, and they have limitations. So you
cannot use them in the same way as you would use public key cryptosystems for digital signatures,
for example, and things. When it comes to point-to-point communication,
those things are extremely, good and secure, and the technology is improving all the time.
So quantum crypto is essentially getting a real commercial possibility. In fact, you can. There
are companies that can sell you quantum random number generators or systems for secure key
distribution. With this alone I wouldn't be giving this lecture, because that comes to a conclusion
that yes, the idea was good. You can use the Bell inequalities. You can bring foundations together
with crypto. The Bell inequalities are good for something else. They have practical application
in this particular case. That's great. Is there anything else? Yes, there is. There
is an interesting continuity to this. Of course, when I when I tell you about the violation of Bell
inequalities and how they can be used to certify the security, there are some assumptions. There
are always some assumptions, and those assumptions are in this particular case that Alice and Bob
control and trust devices in the labs. They know exactly what they have, the
photodetectors and filters and everything. There is a need to make random choices to test the Bell
inequalities. You have to switch randomly from measuring one type of polarisation to another.
Of course, you have to have a secure lab so the information is not leaking from the lab, so they
have to be in a secure environment. The local environment has to be secure. What I knew at the
time is at least that the source doesn't have to be controlled, so you can have an external source
and that can be controlled by anyone. You can even ask an eavesdropper, your adversary, to distribute
those photons. It doesn't really matter because the test for the Bell inequalities will tell you
whether they come from a genuine source or not. It looked to me at the time that the three other
assumptions are absolutely critical, but they are not. That's the whole beauty here.
It turns out sometimes you come up with the idea, and the idea is more clever than
you are. You don't realize all the consequences of this idea. So in this particular case, what I
didn't realize was that the violation, or at least maximal violation, of Bell inequalities is rigid
in the sense that… So here is a diagram, which again I don't want to go into technical details,
but in this diagram you can visualize the type of correlations that you have. So this is like
a joint probability distribution of getting certain outcomes for certain inputs. It can
be represented in configuration space or a vector space where you have a point which would actually
identify the type of correlation that you have. Then you have a class of classical correlations,
which is a subset - a strict subset - of quantum correlations, and the violation of
Bell inequalities, the inequalities or in this particular case are represented by hyperplanes
so they represent the functional. So you take the point, and whether this point is below or above
the hyperplane says whether its value of S is below two or above two. Anyway. So when you have
extremal point in the set of those correlations that can only be achieved in one particular way,
there is no other option. There's a unique way of violating this Bell inequality. If you see S
equals, say, two square root of two, there's no other way, but you had to have a certain
entangled state and you had to use a certain type of measurements. How much more do I have? A few
more minutes.
Okay. I'm just about to conclude. That tells you that if you see a certain number, this number
tells you much, much more, namely that there was no other way to violate Bell inequalities,
but devices, whatever they were doing, they had to be doing something that was essentially isomorphic
to performing the Bell measurement that gives you the full violation of Bell inequalities.
So that was actually an interesting step towards what we call today device-independent crypto. So
the colleagues who noticed that was John Barrett, Lucien Hardy, Adrian Kent, and then a number of
people modify this concept. Essentially, it is exactly the same protocol, but the conclusion,
the security analysis, is completely different. So in this case you simply do not assume that Alice
and Bob control and trust devices in the lab. You simply know that if you see the violation
of the Bell inequality, then there's only one way that could have happened. So if you purchase
your devices from your enemy and you run the statistical test on those devices, they respond
to certain outputs in a certain way, and you see the violation, fine, those devices are legit.
You don't have to open them. You don't have to inspect them. There is no Trojan
horse. There's no side channel. That's really a beauty of this. So you drop this assumption,
and it's amazing that you can do it. To some extent you can also drop the assumption that
you have perfect randomness or perfect free will, but not completely. So you can weaken
this assumption. Proving the security though in this particular case was not an easy task. It
took a while for my colleagues actually to come with a satisfactory proof, not only when you have
a maximal violation of Bell inequalities but if you have a partial violation of Bell inequalities.
There's a beautiful paper by Renato Renner, Thomas Vidick and Rotem Arnon-Friedman, who actually use
a certain number of interesting mathematical techniques to prove the security in this case.
The other thing is, it's for real. So it's a good example that it's not true that nothing
changes in Oxford, because when I worked on my idea in the 90s I was so happy to see
the experimental implementation in Clarendon Lab using a system of trap ions, and in David Lucas,
and one person who was a driving force was David Nordlinger, and they managed to show
that it works. Actually, it's for real that you can achieve device-independent security. Well,
fair enough. Other people did it as well. There was a Chinese group. There was a group
in Germany. The interesting thing is that you can see now an interesting feedback that crypto
gives to the foundations. In order to be able to prove security for device independent crypto you
have to run Bell inequalities without any of the so-called loopholes, detection loopholes,
communication loopholes, you name it. Now, in the foundations of quantum physics, most
physicists said, 'Okay, you show the violation of Bell inequalities. We know that the nature is
as it is,' and most physicists would just shrug their shoulders and say, 'Well, there's no point
to close another loophole because nature is not malicious. It will not cheat on you by doing this
and this and this,' but in an adversarial scenario where you have no nature but your eavesdropper,
the eavesdropper can be malicious. So one reason why people like Anton Zeilinger and Ronald Hansen
decided to go further and show that to close the loopholes in the violation of Bell inequalities
was because of the crypto applications. So the reason why people were still testing Bell
inequalities was exactly because of the crypto thing. Of course, apart from genuine curiosity.
So is it the end of the story? Well, essentially there are two different interpretations here of
Bell inequalities that may still question the whole thing. One is superdeterminism,
because if you assume that everything is deterministic including your choices, so that you
don't have free will, you don't have those random number generators - they are also preprogramed,
so everything is preprogramed - you cannot exclude this possibility, it is a possibility,
but if everything is predetermined… I don't see even the sense to talk about
the privacy of the world where everything is determined, because why value secrecy in the
world where it's quite clear that something will happen anyway, no matter what you do?
The other option is to look at… I think this is an interesting way of analysing and understanding
security, is to take the Everett interpretation of quantum theory, which essentially says
that whatever can happen happens in those… This interpretation takes quantum superpositions very
seriously, and this tacit assumption in the Bell test that we have one outcome of the measurement
is not quite justified in this interpretation, because all possible outcomes happen. I like this
interpretation a lot, but it requires to think a little bit what the notion of security means in
this case. I think going in that direction may give us some better understanding of quantum
crypto. So I think let me just conclude that, in the world where you cannot trust anything,
that if you have a little bit of trust in yourself, you believe you have a little bit
of free will, then you should try quantum crypto and you'll be on the safe ground. Thank you.
Okay. Thank you. This was a fascinating lecture, especially this. I know that we
are running out of time, but I will allow a few questions. So if you have a question,
please can you raise your hand. There is a person in a colourful
jumper with a microphone. Does anyone have any questions? There is one at the back.
Probably a very ignorant question. I've been out of the loop for a while. You mentioned you were
talking about the classical and nonclassical, or classical and quantum state. Has there been
any thought, or is there any usefulness, within non-classical correlations within cryptography?
Sorry. Can you say again?
I didn't get the last point of your question. So, are there any practical applications of…
Non-classical correlations. So if you think about things that are measured by discord
or entropy of quantumness, or whatever measure you want to use, so not quite entanglement.
Well actually, the Bell inequality… Okay, so let me just go back to this diagram here. So
that shows you a class of all possible correlations which are non-signalling
correlations. So they include classical, this simplified diagram of course, the inner part the
square. Everything outside is non-classical. Call it non-local. So that includes quantum,
which is which is essentially where our experiment stopped. The only non-classical correlations that
we see in nature are of quantum origin. You may consider non-signalling correlations, correlations
which do not allow you instantaneous signalling. So it's a larger subset, and it's actually quite
useful to study them. They give you some insight. It's an interesting question why nature doesn't
actually allow this kind of correlation. They would be perfectly fine, because they don't
allow you to send messages instantaneously. Nonetheless, all we know is that it just stops
somewhere. The quantum set is somewhere in between the full set of non-signalling correlations and
quantum correlations. So I was describing the applications that you can get using the Bell
inequality. So essentially, Bell inequality will be violated as soon as you are outside the set of
classical correlation, so that the figure of merit S will be greater than two. So you can think about
a hyperplane and you have a polytope of classical correlations, and the faces of these polytopes
represent Bell inequalities. You go outside the polytope, you violate Bell inequalities.
Then there is something that is called the Tsirelson bound, that quantum correlations have
limits and you cannot go beyond two square root of two. So you can see on this diagram… I mean,
this is simplified. The real thing lives in 16-dimensional vector space or something,
but if you move from this classical to this red point, so that's the edge of the set of
quantum correlations. Any further, we don't see anything of that type. So we don't see
anything that violates that Tsirelson bound. I don't know. It was probably an
overcomplete answer to your question, but I don't know whether it addressed the point.
Okay. We have one more question at the very back.
So how did they come up with quantum cryptography in the first place?
Well, you know, how do you come with quantum cryptography in the first place? You don't
know. Usually those things happen. The ideas, the crazy ideas that you have sometimes cannot
be preprogramed, that you do trivial things like you take your shower and you think,
'How about this and how about this?' and quite often a healthy ignorance and curiosity help,
because you ask yourself interesting and crazy questions. I don't know how my colleagues like
Steve Wiesner or Charlie and Gilles came. In my case it was just thinking about this EPR paper
and connecting dots. So it's quite interesting that sometimes all it requires to come up with
something new is to connect dots. You know about something and you know about something else,
and those things seem to be unrelated. One day you have a good cup of coffee and then,
bingo. Then you see the connection.
last question.
superdeterministic world, two independent closed systems would still lack information. So a sense
of lack of information where privacy still exists, unless you are a possessed demon
and you just know the whole state.
that you know everything. So in particular there is an entity. It could be an eavesdropper. We just
give all the power to eavesdropper. There is an entity which essentially knows all the random
numbers. Well, the random… They're not random anymore because the choices that will be made, or
the measurements that will be made, and also the measurement outcome that will be seen. So in this
sense, the security is completely compromised. So what is important here is that the choices, what
is going to be measured, should be independent from the measurement. So in other words, you
have to have a bit of genuine randomness in this game, otherwise in the superdeterministic world we
assume that everything is known to someone. You're right that there may be entities that
only have a partial knowledge. In this case, if you can determine that then then you are
fine. You can actually use techniques to isolate them, but you cannot exclude that
possibility that there is an entity that knows everything and in this case it's not secure.

Join us for the Royal Society Milner Prize Lecture by Professor Artur Ekert.

Among those who make a living from the science of secrecy, worry and paranoia are just signs of professionalism. Can we protect our secrets against those who wield superior technological powers? Can we trust those who provide us with tools for protection? Can we even trust ourselves and our own freedom of choice? Recent developments in quantum cryptography show that some of these questions can be addressed and discussed in precise and operational terms, suggesting that privacy is indeed possible under surprisingly weak assumptions. The lecture will provide an overview of how quantum entanglement, after playing a significant role in the development of the foundations of quantum mechanics, has become a new physical resource for all those who seek the ultimate limits of secrecy.

About the Royal Society
91TV is a Fellowship of many of the world's most eminent scientists and is the oldest scientific academy in continuous existence.
/

Subscribe to our YouTube channel for exciting science videos and live events.

Find us on:
Bluesky:
Facebook:
Instagram:
LinkedIn:
TikTok:

Transcript

Tags

royal society science scientists scientific policy scientific research science uk science research international international science science education science policy Professor Brian Cox Brian Cox

Email updates

We promote excellence in science so that, together, we can benefit humanity and tackle the biggest challenges of our time.

Email updates

Subscribe to our newsletters to be updated with the latest news on innovation, events, articles and reports.

First name *

Last name *

Email *

Name

What subscription are you interested in receiving? _{(Choose at least one subject)}

What subscription are you interested in receiving?

Public Newsletter - Summer Science, events, videos and news

Scientists newsletter - Grants, scientific meetings, and journals

Librarians newsletter - News and features for librarians

I am happy to receive the selected communications by email from the Royal Society, as set out in our privacy policy. I understand I can unsubscribe at any time. Review privacy policy *