Are We Ready for Quantum Cryptography?


The recent headlines about financial-data theft, including hacking of credit card and check data from retailers' point-of-sale systems, throw the spotlight on a new twist in cryptography that could protect this kind of information with a shield that would frustrate today's savviest hackers. It all depends on how badly banks and networks want this technology, and on how fast they can deploy it.

Public-key encryption, arguably, is one of the three conceptual building blocks of the entire profession. Invented in 1976, it still underlies most major cipher systems and protocols. The earlier earth-shaking idea, called 'One-Time Pad', or the Vernam cipher, was invented by Gilbert Vernam as early as 1917! And the latest bombshell was introduced in 1984 by Bennett and Brassard: the idea of quantum computing.

First, a reality check: You can't yet buy a tiny nifty quantum computer from your processor, or even in your neighborhood computer store. But when the embryonic models now being test-driven around the world develop and mature, the world of cryptography will change forever.

Here's why. All the encryption systems now in common use rely on the slowness of today's computers. Increased computing speed would crack them all. Since quantum computers are much faster, they would readily decommission RSA, DES, AES, and everything else, with no exceptions.

This would be a hackers' delight, would it not?

Well, not quite. Because the new quantum idea combined with the old Vernam idea would usher in unbreakable cryptography. Unbreakable in the sense that no matter how powerful the hacker's computers, and no matter how advanced their knowledge of mathematics, quantum encryption cannot be broken. How can one be so cocksure?

The difference between stealing your financial data and stealing your wallet is that, if stolen, your wallet would be missing, setting off all kinds of alarms the next time you reach for it. But if your data were stolen, it would still be there in the computer that holds it, and there would not be even a dim fingerprint to indicate the theft. It is this attribute that disturbs the sleep of legions of security officers. They never know for sure whether the financial data they store has been stealthily copied by the bad guys.

Quantum computing changes all that. Data expressed in quantum fashion cannot be stolen without leaving a mark of the theft. This is all based on a principle first identified by the German physicist Heisenberg: If you measure something in the subatomic world, you change the reading of your measurement. So you never know what the reading would have been absent the measurement. To steal data is akin to measuring it. Hence, if data were written in a subatomic alphabet, a hacker would corrupt the data with even the slightest attempt to read it. Conversely, if a sender and a receiver confirm to each other that they have the same data, they can be absolutely sure that no hacker has peeked into it.

When quantum data are handled ("touched"), they change stochastically, that is, in ways that can't be predicted with any certainty. The change is a matter of probability. This uncertainty is not due to human ignorance; it is built in by God or nature (depending on how you prefer to see it). This remarkable observation is the foundation of quantum mechanics, and it has been consistent with all our experiments for about a century now. Such uncertainty means that when the intended reader reads the data, he might get a different reading than the hacker!

One of the basic protocols now in development calls for the financial institution or processor and the customer to exchange data in a quantum mode. The data would be used as a one-time key for the old Vernam encryption, which is unbreakable, and this would drive hackers away from math and computing to physical theft and robbery.
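The exchange described above can be sketched as a classical simulation; this is an added example, not code from the article or from any product. It assumes a BB84-style scheme (the article names only Bennett and Brassard), a noise-free channel, and an intercept-and-resend eavesdropper; all function names and the 10% error threshold are hypothetical.

```python
import random

def bb84_sift(n, rng, eavesdrop=False):
    """Send n simulated qubits; return (alice_bits, bob_bits) where bases matched."""
    alice, bob = [], []
    for _ in range(n):
        bit, a_basis = rng.randrange(2), rng.randrange(2)
        state_bit, state_basis = bit, a_basis
        if eavesdrop:  # intercept-resend: Eve measures in a basis of her own choosing
            e_basis = rng.randrange(2)
            if e_basis != state_basis:
                state_bit = rng.randrange(2)  # wrong basis: her reading is random
            state_basis = e_basis             # and the qubit is left in her basis
        b_basis = rng.randrange(2)
        measured = state_bit if b_basis == state_basis else rng.randrange(2)
        if b_basis == a_basis:  # bases are compared publicly; mismatches are dropped
            alice.append(bit)
            bob.append(measured)
    return alice, bob

def establish_key(n, rng, eavesdrop=False, max_error=0.10):
    """Return (alice_key, bob_key), or None if the sampled error rate shows tampering."""
    alice, bob = bb84_sift(n, rng, eavesdrop)
    sample = set(rng.sample(range(len(alice)), len(alice) // 2))
    errors = sum(alice[i] != bob[i] for i in sample)
    if errors / len(sample) > max_error:
        return None  # reading the qubits in transit left a mark: discard everything
    keep = [i for i in range(len(alice)) if i not in sample]  # revealed bits are spent
    return [alice[i] for i in keep], [bob[i] for i in keep]

def vernam(data, key_bits):
    """XOR data with a one-time key given as a list of bits; the key is never reused."""
    if len(key_bits) < 8 * len(data):
        raise ValueError("one-time key shorter than message")
    key = bytes(int("".join(map(str, key_bits[8 * i:8 * i + 8])), 2)
                for i in range(len(data)))
    return bytes(d ^ k for d, k in zip(data, key))

if __name__ == "__main__":
    message = b"PAN 4111-XXXX"  # constructed sample data
    alice_key, bob_key = establish_key(2000, random.Random(7))
    ciphertext = vernam(message, alice_key)
    print(vernam(ciphertext, bob_key))                            # Bob decrypts
    print(establish_key(2000, random.Random(7), eavesdrop=True))  # tampering check
```

With an eavesdropper measuring every qubit, about a quarter of the compared bits disagree, so the key is rejected before any message is encrypted with it.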

Still, two things might yet bail out the hackers. First, it will take some time before quantum connections become standard. Second, and more important, banks have time and again proven their conservative inertia in these matters. It might take a financial catastrophe to unseat the RSA, DES, and AES protocols.