The encryption that we rely on to secure network transactions is based on a simple computational challenge: it's hard to find two prime numbers when you're only given the big number that they produce when multiplied. Although the growth in computer processing power means we've needed to shift to bigger numbers, we can continue to do so as needed. This leaves eavesdropping as the biggest risk; to secure communication, each partner needs to get a copy of the relevant keys. If someone can break in on the key distribution process, they save themselves the need to do any math.

Quantum key distribution (QKD) is intended to be a way around this problem. By exchanging bits encoded in a quantum system—typically a photon—two parties can generate a unique key that can be used to encrypt communications. If anyone tries to eavesdrop on the process, their measurement of the photons used will leave a mark on the process that's easy to spot. (We have a more detailed description of the process in a past article.)

So far, QKD has largely remained a research project, although some progress is being made. Just last week, some researchers from Los Alamos National Lab described a system they've had working for almost two years. It's not especially novel (which is why it actually works), but it uses some clever tricks to shift most of the burden to a central server while putting less expensive hardware into the clients.

The basic idea behind the Los Alamos solution is that creating single photons for use in the key distribution has become relatively easy, and it can be done on inexpensive hardware. So the team built a bit of hardware slightly larger than a house key. It contains a true random number generator to set the bits it transmits and a single-photon source to produce them and send them directly into an optical fiber.

In contrast, detectors sensitive enough to measure individual photons tend to be expensive and bulky, so the authors used only one set of receivers, hooked up to a trusted server that, in traditional encryption speak, gets a name (Trent, in this case). That setup measured the individual bits coming in from the receiver and then publicly disclosed which ones it had measured. If there were no signs of interference with the transmission (caused by an eavesdropper), Trent used the bits to build a key, which it and the transmitter could then use to encrypt data broadcast over normal channels.

The best part is that it all works. One of the nodes that successfully negotiated encryption did so over a 50km long fiber optic link, and when the fiber isn't being used to negotiate keys, it could be used for regular networking traffic. Trent easily handled three nodes at the same time. The authors estimate that by scaling up the hardware they could get Trent to exchange keys with up to 1,000 clients.

In most circumstances, this sort of network topology—individual clients connected to a single server—isn't the sort of communication that most of us engage in. Still, the authors note that this is exactly the sort of thing electric utilities need in order to have a centralized control system talk to various grid components.

The system could still be used to negotiate encryption for two clients to talk directly to each other as well. If each client negotiates a set of three keys with Trent, then Trent can publicly reveal enough information to allow the two clients to calculate an encryption key that's secure. (Basically, by revealing a number that's the product of two clients' keys, the clients can use what they know about their own keys to calculate the other client's.)

The authors clearly worked to miniaturize the hardware involved, and they are already talking about further steps to shrink its size ("an order of magnitude in each dimension") and boost its performance. The Los Alamos team even suggests it might be possible to use their setup for "handheld security," although it's not entirely clear how much value there is in a handheld device that needs to be plugged into a fiber optic cable for security. What's never mentioned, however, is how much it might cost to mass produce the client hardware. Ultimately, that will determine what sort of devices this system will find a home in.

The arXiv. Abstract number: 1305.0305 (About the arXiv).