Refining Quantum Cryptography

Recent hacking efforts on quantum cryptography systems have resulted in new approaches for more secure communication networks. With its promise of security rooted in the laws of physics, quantum cryptography has seen tremendous growth as a worldwide research activity and the emergence of start-up commercial ventures since its invention 27 years ago. But in 2010, quantum hacking results (1, 2) appeared to call into question the validity of the entire endeavor. Instead, the ensuing vigorous debate, combined with major network testbed results in Japan (3) and China (4, 5), is defining a new, much brighter future for quantum cryptography research.

Encryption enables users traditionally referred to as "Alice" and "Bob" to prevent eavesdropper "Eve" from learning the content of their communications. Authentication prevents Eve from impersonating either Alice or Bob, or substituting her own messages for theirs. Both confidentiality and authenticity are possible if Alice and Bob share secret random number sequences (unknown to Eve), known as cryptographic keys, used as parameters in their encryption and authentication algorithms. Communications security is thereby reduced to the problem of secret key distribution between Alice and Bob.
The security of traditional key distribution methods is based on computationally intractable problems. Unfortunately, it has proven much more difficult to reliably estimate their future security than either the encryption or authentication algorithms that rely on those keys. And with knowledge of the key, a future adversary could break the encryption of past communications, introducing a retroactive vulnerability. The invention of quantum key distribution (QKD) by Charles Bennett of IBM and Gilles Brassard of the University of Montreal in 1984 provided a solution to this problem. In QKD, Alice and Bob use single-photon (quantum) communications to establish shared secret keys whose security rests on fundamental quantum principles. Whereas Eve will have better future algorithms and computers to attack conventional key distribution methods, the security of QKD is future proof: It can only be attacked with technology in existence at the time the photons are transmitted. Because Eve can never break the laws of physics, QKD has the potential to provide unconditional security.
PERSPECTIVES
Los Alamos National Laboratory, Los Alamos, NM 87545, USA. E-mail: hughes@lanl.gov
QKD has been demonstrated across optical fiber paths of more than 200 km, and over multikilometer line-of-sight atmospheric paths, establishing the feasibility of satellite-to-ground quantum communications. Since 2003, small start-up companies have offered conventional encryption devices in which QKD supplies the keys. The cost, size, and point-to-point nature of these products has limited their commercial success, in spite of their asserted unconditional security. These assertions were greeted skeptically among applied cryptographers, and this opinion received dramatic confirmation with quantum hacking research results in 2010. These results exposed design weaknesses in commercial QKD products, which could in principle allow an adversary to compromise the keys. However, rather than revealing a fundamental problem with quantum cryptography, the quantum hacking results instead point to the brittle security of particular designs.
The design weakness at the root of the quantum hacking was that the classical devices used to prepare and measure the quantum states required for QKD were simply trusted to perform correctly. In the adversarial setting of cryptography this trust was misplaced, potentially allowing Eve to gain sufficient control over these devices to compromise the keys produced. Two clear research paths are now emerging.
A fundamental physics research path will seek to establish security even with untrusted devices. In the widely used "prepare and measure" form of QKD, Alice sends single-photon states to Bob. In 1991 Artur Ekert showed an equivalent approach in which Alice and Bob each receive one of a pair of photons from an entangled photon source. The security of QKD is then related to the Einstein-Podolsky-Rosen paradox where the act of eavesdropping introduces changes in the photons' quantum state. These changes would be apparent from a measurement of the quantum correlations between the photons. At present, establishing the trustworthiness through such correlations requires a "fair sampling" assumption to argue that the detected pairs are a fair sample of all the pairs. But in cryptography, Eve is not constrained to be fair. However, for system efficiencies above a given threshold, this assumption is not required, and the security of QKD could be established even if Alice and Bob use untrusted devices. With recent advances in very high efficiency single-photon detectors, the elusive goal of unconditional security using this device-independent QKD (6) appears to be within experimental reach.
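The fair-sampling and efficiency-threshold argument above can be checked numerically. The following is an added example, not part of the original article: it evaluates the CHSH correlation test once on coincidences only and once over all trials, for a constructed local model and for an ideal entangled pair. The CHSH form of the test, the analyser angles, equal detection efficiency eta on both sides, the convention of recording a no-click as +1, and the toy local model are all assumptions of the example.

```python
import math
from itertools import product

def chsh(E):
    """S = E00 + E01 + E10 - E11; every local model satisfies |S| <= 2."""
    return E(0, 0) + E(0, 1) + E(1, 0) - E(1, 1)

# Assumed analyser angles (radians) that maximise S for a polarisation-entangled pair.
ALICE = (0.0, math.pi / 4)
BOB = (math.pi / 8, -math.pi / 8)

def quantum_E(x, y):
    return math.cos(2 * (ALICE[x] - BOB[y]))

def quantum_S_all_trials(eta):
    """S with every trial counted and a no-click recorded as +1.
    Single-side averages are zero for this state, so only the both-click
    and neither-click terms contribute to each correlation."""
    return chsh(lambda x, y: eta**2 * quantum_E(x, y) + (1 - eta)**2)

# Efficiency above which quantum_S_all_trials exceeds the local bound of 2.
ETA_THRESHOLD = 2 / (1 + math.sqrt(2))  # about 0.828

def local_model(x, y, xs, ys):
    """Constructed untrusted devices: outcomes are fixed in advance and each
    side clicks only if its own setting equals the pre-chosen one (None = no click)."""
    a = 1
    b = -1 if (xs, ys) == (1, 1) else 1
    return (a if x == xs else None), (b if y == ys else None)

def local_S(postselect):
    def E(x, y):
        total, n = 0, 0
        for xs, ys in product((0, 1), repeat=2):  # uniform hidden variable
            a, b = local_model(x, y, xs, ys)
            if postselect and (a is None or b is None):
                continue  # fair-sampling style analysis: keep coincidences only
            total += (1 if a is None else a) * (1 if b is None else b)
            n += 1
        return total / n
    return chsh(E)

if __name__ == "__main__":
    print("local model, coincidences only:", local_S(True))
    print("local model, all trials:       ", local_S(False))
    for eta in (0.75, ETA_THRESHOLD, 0.90, 1.0):
        print(f"eta={eta:.3f}  S over all trials = {quantum_S_all_trials(eta):.4f}")
```

On coincidences alone the local model appears to beat even the quantum maximum, while over all trials it stays at the local bound; an honest entangled source exceeds that bound over all trials only when eta is above the threshold.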
A second, more applied research path accepts that unconditional security can be relaxed in favor of a "trust but verify" approach, which offers other, important value propositions. For example, QKD has forward security (future keys have no dependence on past ones), and has a much lighter computational footprint than conventional methods of key distribution. Once it is accepted that unconditional security need not be an essential requirement, additional quantum cryptographic protocols such as secure identification and secret sharing become possible. This opens up the possibility of new cryptosystems constructed from quantum and classical cryptographic ingredients.
Quantum cryptography is also well aligned with the trend toward increasing capacity of optical fiber networks through greater transparency. This raises the possibility that quantum cryptography could be incorporated into future networks to provide cybersecurity at the physical layer for new application areas such as the SmartGrid and data centers. Deployment of transparent network infrastructure is most advanced in the Asia-Pacific region, where the potential value of quantum cryptography has been recently demonstrated. For example, Japan's quantum cryptography testbed is a component of a national optical communications program and involves the research arms of several major Japanese corporations, which provide the commercial "heft" for successful future deployment (see the figure). Japan also plans to draw on its satellite optical communications capability to overcome the current metro-area range limitation of optical fiber quantum cryptography. With one or more space-based quantum communications nodes, geographically separated ground-based domains could be linked, even on a global scale. Japan has announced plans for a combined quantum and optical communications demonstration satellite for launch in 2013 (7), and China will launch its own experimental quantum communications satellite in 2016 (8).
Quantum cryptography research has been reinvigorated by quantum hackers. The fundamental connection between security and quantum mechanics is now more clearly defined. And with new clarity brought to its value proposition, quantum cryptography has a bright future within applied communications research as a physical-layer security technology for protecting the networks of the future.