Abstract
Protecting confidential data is a major worldwide challenge. Classical cryptography is fast and scalable, but is broken by quantum algorithms. Quantum cryptography is unclonable, but requires quantum installations that are more expensive, slower, and less scalable than classical optical networks. Here we show a perfect secrecy cryptography in classical optical channels. The system exploits correlated chaotic wavepackets, which are mixed in inexpensive and CMOS compatible silicon chips. The chips can generate 0.1 Tbit of different keys for every mm of length of the input channel, and require the transmission of an amount of data that can be as small as 1/1000 of the message’s length. We discuss the security of this protocol for an attacker with unlimited technological power, and who can access the system copying any of its part, including the chips. The second law of thermodynamics and the exponential sensitivity of chaos unconditionally protect this scheme against any possible attack.
Introduction
With an information society that transfers an increasingly large amount of personal data over public channels, information security is an emerging worldwide challenge^{1,2}. Conventional cryptographic schemes based on data encryption standard (DES), advanced encryption standard (AES), and Rivest, Shamir, and Adleman (RSA) encode messages with public and private keys of short length. The main advantage of these algorithms is speed, and the main disadvantage is their security, which relies on computational and provable security arguments and not on unconditional proofs. A major threat lies in the development of quantum computers, which are predicted to crack any of these ciphers in a short period of time^{3}.
A perfect secrecy cryptography, known as a onetime pad (OTP) was invented at the time of the telegraph and then patented by Vernam^{4,5,6}. The Vernam cipher encodes the message via a bitwise XOR operation with a random key that is as long as the text to be transmitted, never reused in whole or in part, and kept secret. Shannon demonstrated that this scheme, properly implemented, is unbreakable and does not offer any information to an attacker, except the maximum length of the message^{6}. Almost a century later, despite its proven absolute security, the OTP is still not adopted for lack of a practical and secure way for users to exchange the key.
Since the 1980s, research efforts have been dedicated towards solving this problem with pointtopoint quantum key distribution (QKD) algorithms, which leverage on the unclonability of single photons^{7}. While the progress of QKD in the past decades has been enormous^{8,9,10,11,12}, there are still critical challenges derived by the limits of quantum communications^{13,14,15,16,17,18,19}. Due to the impossibility of amplifying single photons^{20}, quantum networks are currently unable to scale up globally; their data transfer is considerably slower than classical optical communications, which already count with hundreds of highbandwidth intercontinental lines, communication speed close to the light limit, and massive investments for the next years^{21,22,23,24,25,26}.
Here we develop a physical realization of the OTP that is compatible with the existing optical communication infrastructure and offers unconditional security in the key distribution.
Results
Protocol scheme of Vernam cipher on classical channels
It is well known that chaos generates time varying signals that are mathematically unpredictable^{27,28}. This originates from the sensitivity to input conditions: two nearby states \({\bf{x}}(t=0)\) and \({\bf{x}}^{\prime} (0)={\bf{x}}(0)+\epsilon\), even when \(\epsilon \to 0\), always originate exponentially diverging trajectories \(\Delta (t)= {\bf{x}}(t){\bf{x}}^{\prime} (t) \sim {e}^{\mu t}\), with \(\mu\) the largest Lyapunov coefficient^{27}. By leveraging on this property, we show that it is possible to create a bidirectional communication channel for securely exchanging random keys of arbitrary length.
In this system (Fig. 1a), the two users—Alice and Bob—possess two chips that generate chaotic light states that are transmitted on a public classical optical channel. Each light state, indicated as \({A}_{n}\) for Alice and \({B}_{n^{\prime} }\) for Bob, is a random superposition of optical waves^{29} at different frequencies:
with uncorrelated random amplitudes \({a}_{nm}\), \({b}_{n^{\prime} m}\), and phases \({\phi }_{nm}\), \({\psi }_{n^{\prime} m}\). These states are generated from the chaotic scattering of broadband pulses with different frequencies \({\omega }_{1},...,{\omega }_{m}\), and diverse input conditions \(n\) and \(n^{\prime}\) (position, angle, polarization, time modulation,...) arbitrarily chosen by Alice and Bob. Alice and Bob’s pulses are not required to be identical: their differences constitute the main source of uncertainty and set the desired communication bit error rate (BER) in the communication. The scattering system satisfies the following four conditions: (1) the scattering process inside each chip is fully chaotic^{30}: any launching condition follows a chaotic dynamics; (2) Alice and Bob’s chips are in thermodynamic equilibrium with the environment, with no structural change appreciable for light propagation during the communication of each state; (3) any modification to the distribution of scatterers leads to a new chaotic system with exponentially diverging trajectories with respect to the previous one; (4) the chips are structurally modified in time before and after each communication by two physical irreversible processes (e.g., deformations, addition of scatterers, etc.), chosen and applied independently by Alice and Bob, creating a new chaotic scattering system in which all trajectories are exponentially different from the previous one.
The use of static light scatterers in information security is introduced in ref. ^{31} and offers computational and probable security in both authentication problems and cryptographic key generation, providing advantages over electronic schemes in terms of volumetric physical data storage versus standard electronic databases^{32,33,34,35,36,37,38,39,40,41}. The security of schemes based on complex scattering structures relies on two conditions: (i) the physical scattering object is kept secret to an adversary, (ii) the assumption that this structure cannot be cloned. These arguments do not offer unconditional security and are subject to the same security concerns of electronic schemes. While recent work demonstrated that it is indeed experimentally possible to clone a physically unclonable function^{42}, perfect secrecy requires proving the system security in the limit where the adversary accesses the system before or after the communication, copying all the system’s parts. In this work, as we are discussing the limit of perfect secrecy, we remove conditions (i)–ii) and we consider an adversary with the technology to clone any type of scatterer.
During each step of the communication, Alice and Bob randomly choose an input condition \(n\) and \(n^{\prime}\), respectively, send light signals, and measure the output (Fig. 1b). After Alice and Bob choose randomly either to keep the launching condition or to change it, the process is then repeated.
Due to the reciprocity^{43} of the communication network connecting Alice and Bob, if Eve does not perform active eavesdropping, the users measure identical optical observables (intensity, power density spectra (PDS), etc.). For instance, when Alice sends a chaotic wavepacket \({A}_{n}\) to Bob, he measures an optical observable, for example, the intensity \( {A}_{n}\oplus {B}_{n^{\prime} }{ }^{2}\) associated with the combined light state \({A}_{n}\oplus {B}_{n^{\prime} }\) (\(\oplus\) is the operator that combines the states after the propagation over the channel). When Alice measures the output at her end, she measures the reciprocal state \({B}_{n^{\prime} }\oplus {A}_{n}\) with an identical observable \( {A}_{n}\oplus {B}_{n^{\prime} }{ }^{2}= {B}_{n^{\prime} }\oplus {A}_{n}{ }^{2}\).
At the conclusion of the sequence, Alice and Bob communicate on the public line all cases of the acquired data that did not change, extracting an OTP key from overlapping repeated sequences. The key is generated by converting the exchanged intensities or PDS into binary sequences with the adaptive high boost (AHB) technique^{44}. The key is then used at each user side to encode and decode data via bitwise XOR, following the Vernam cipher (Fig. 1c).
The communication protocol described in Fig. 1 can be regarded as a classical version of the original BB84 QKD scheme developed by Bennett and Brassard^{45}, in which the scatterers act as generator of random states, and the reciprocal communication line provides correlated measured states to the users Alice and Bob.
At variance with classical schemes based on complex scatterers^{40,41}, the protocol presented here does not require first encounter or initial secure communication among the users (apart from authentication), thus providing a classical alternative to QKD.
In the quantum limit, when a user (say Bob) launches a single photon in the chip, the receiver (Alice) measures a photon emerging at a random position from the chip. If Alice injects the photon back in the same scattering channel, the reciprocity theorem of quantum mechanics^{46} guarantees that Bob measures the emerging photon in the same input channel he originally used. This process shares some similarities to the quantum BB84 scheme, with scattering channels playing the role of random polarization states. However, there are also differences. For the users to exchange the same sequence of bits, they need to initially agree on a common dictionary that associates the same string of bit to correlated input–output positions in Alice and Bob’s chips. This operation is not required in the classical limit (as the users measure the outcome of large ensemble of photons on all channels) and in the BB84 scheme.
Perfect secrecy of the cipher
The Vernam cipher has the perfect secret property if: (i) the key exchanged is as long as the message, (ii) each key is used only once and is uncorrelated to the new one, and (iii) the key is known only by the users. The scheme of Fig. 1a exchanges keys of arbitrary length on a classical optical channel at full speed. It therefore offers a viable implementation of the first requirement.
The covariance matrix \({K}_{nn^{\prime} }=\langle {A}_{n}{A}_{n^{\prime} }\rangle\) of the correlation among Alice chaotic wavepackets, with \(\langle ...\rangle\) denoting averaging over amplitudes and phases, is a delta function:
with \({\sigma }_{n}^{2}={K}_{nn}\). Equation (2) arises from the fact that amplitudes are uncorrelated, with \(\langle {a}_{nm}{a}_{n^{\prime} m^{\prime} }\rangle =0\) for \(n\ \ne \ n^{\prime}\) and \(m\ \ne \ m^{\prime}\). The same condition holds at Bob’s end, with \({B}_{nn^{\prime} }=\langle {B}_{n}{B}_{n^{\prime} }\rangle ={\chi }_{n}^{2}{\delta }_{nn^{\prime} }\). This implies that both Alice and Bob states are uncorrelated, and keys generated from combined states \({A}_{n}\oplus {B}_{n}\) are also uncorrelated. Therefore, the protocol of Fig. 1 satisfies the second requirement.
Perfect secrecy of the key distribution
We now consider the ideal case (Kerckhoff principle) in which the system falls in the hands of the adversary, who knows all the details of the enciphering/deciphering process and has access to the ciphertext. The only unknowns are the key and the input conditions (including the arbitrary chosen transformations) of the users.
As the system is classical, Eve can store all the signals launched by Alice and Bob and then she can attempt a search on each user’s chip for the input conditions that generated the states she measured. Once Eve knows the input conditions, she can launch the same states and recreate the key.
The second law of thermodynamics prevents this attack. Every time Alice and Bob change the chip with an irreversible process, they increase the total entropy of the system and the environment, creating new chaotic structures exponentially different from the ones used in the communication (conditions 3 and 4). If Eve accesses the system, it is impossible to recreate the initial chips and to perform any search, as this requires reverting the transformation of Alice and Bob with an entropy decrease, thus violating the second law.
Another possibility is to make an identical copy of the system in all its parts, and to attempt the search at the next communication. This is a major vulnerability of all current classical cryptographic schemes. The system presented in this work, on the contrary and due to the use of irreversible thermodynamic transformations, is protected by such attack. The search task, in fact, requires Eve to generate the same chaotic scatterers as of Alice and Bob’s, so that their transformations are cloned prior to the communication. As the chips are in equilibrium with the environment (point 2), this task requires replicating the surroundings of Alice and Bob’s chips. This condition is essential for enabling Eve’s copied chips to reach the same equilibrium state of the original chips of Alice and Bob. The second law of thermodynamics makes this operation not physically possible. Eve, in fact, cannot replicate the exact time at which Alice and Bob perform their transformations. If Eve does the transformation after Alice or Bob, the environment will be different, as it existed at least one irreversible transformation in time (the one of Alice or Bob) that increased its entropy, and vice versa if Eve performs the transformation before the users. It will be therefore impossible for Eve to clone the transformation of Alice and Bob. Due to points 3 and 4, Eve will generate new chaotic scatters that are exponentially different from the ones that Alice or Bob are using and, as such, useless.
This leaves to the attacker just one possibility: extract the key from the information available on the system.
In any possible attack, the data available to an attacker are the observables related to the chaotic wavepackets \({A}_{n}\) and \({B}_{n^{\prime} }\) transmitted. Eve can measure these states and attempt to reconstruct Alice and Bob’s key. In the analysis below, we demonstrate that the outcome is always a key in which each bit has 50% probability of being correct and 50% probability of being wrong, regardless of the type of attack. This implies perfect secrecy^{6}: the a posteriori probabilities of Eve’s key representing Alice and Bob’s key is identically the same as the a priori probability of guessing Alice and Bob’s key before the interception.
In the scheme of Fig. 1a, the solely experimental observables are noninstantaneous quantities in frequency or time, such as PDS or intensities, while instantaneous values of amplitude and phase are of traveling photons, which are not observable. This limitation also applies to interferometric detection and time gating^{47,48,49}, which require periodic signals in time or precise knowledge in advance of the pulse’s properties. To measure the instantaneous state of a randomly generated chaotic wavepacket \({A}_{n}\) or \({B}_{n^{\prime} }\) that is never replicated, the only possibility is to accelerate electrons at relativistic speed in order to follow the dynamics of photons, but this requires an infinite amount of energy^{50}.
Security against timedomain attacks
We analyzed the limit in which Eve developed a technology to access instantaneous values of intensity, and considered a scenario independent from the source and channel used, which are set to mathematical Dirac delta \(\delta (t)\). In this case, the intensity of the combined state \({I}_{{A}_{n}{B}_{n^{\prime} }}(t)= {A}_{n}\oplus {B}_{n^{\prime} }{ }^{2}= {A}_{n}(t)\otimes {B}_{n^{\prime} }(t){ }^{2}\), with \(\otimes\) the convolution operator.
During each step of the communication, Eve stores the intensities \( {A}_{n}(t){ }^{2}\) and \( {B}_{n^{\prime} }(t){ }^{2}\) of transmitted states, and attempt the reconstruction of the state \( {A}_{n}\otimes {B}_{n^{\prime} }{ }^{2}\) by combining the states at disposal via \( {A}_{n}{ }^{2}\oplus  {B}_{n^{\prime} }{ }^{2}\), with \(\oplus\) a chosen operator. We here considered all the possible cases of \(\oplus =+,\cdot ,\otimes\) (sum, product, convolution).
The outcome of this attack is quantified by the average Shannon information entropy contained in each bit measured by Eve, and calculated from the average Shannon information entropy \(H=d {\mathrm{log}}_{2}\,d(1d){\mathrm{log}}_{2}(1d)\) per bit, with \(d\) the difference in bits between the key of one user (Alice) and the key reconstructed by Eve. The Shannon entropy \(H\) quantifies the uncertainty of Eve for every bit measured. When \(d=0\) or \(d=1\) (Eve measures the same or the opposite of Alice), the information entropy of Eve is zero, because Eve predicts the key with no uncertainty. In the other cases, \(H\) is a positive function with maximum of \(H=1\). In this condition, Eve has 1 bit of uncertainty for every bit measured and zero information on the key.
Figure 2a shows the average uncertainty of Eve when Alice and Bob mix random wavepackets described by Eq. (1) and containing an increasing number of different frequencies \({\omega }_{1},...,{\omega }_{M}\). Computational details are furnished in Supplementary Note I. A chaotic wave, arising from chaotic scattering, obeys a universal Gaussian statistics for the intensity^{29,30} \(P(I)=\alpha {e}^{\alpha I}\) (\(I={A}_{n}^{2}\) for Alice and \(I={B}_{n^{\prime} }^{2}\) for Bob), and it is attained at large M, where the states \({A}_{n}\) and \({B}_{n^{\prime} }\) are completely randomized. At lower M, the wavepackets \({A}_{n}\) and \({B}_{n^{\prime} }\) are aperiodic superpositions of waves with no general behavior.
In the limit of small M, the statistics of the wavepackets are different, and Eve’s uncertainty oscillates in a large interval with situations in which the attacker can infer the key by combining her measurements via \(\otimes\) (Fig. 2b). Using different operators, as intuitively expected, yields no information. When the number M of frequencies increases and the states \({A}_{n}\) and \({B}_{n^{\prime} }\) become chaotic, each realization shows the same universal features (Fig. 2c) and the variance of the uncertainty collapse (Fig. 2a). In this limit, the uncertainty of Eve becomes unitary (\(H\ge 0.998\pm 0.01\)): the information accessible is not sufficient to reconstruct the complex state being formed at Alice and Bob’s end and the system is unconditionally secure.
Active attacks (see Supplementary Note II) introduce deterministic errors in the communication sequence between Alice and Bob with no information for Eve. Errors are small and scale as \(1/N\), with \(N\,\gg\,1\) being the number of chaotic states available in Alice and Bob’s chips. These errors can also be eliminated by using information reconciliation and privacy amplification^{51,52,53,54}, both conducted over the public authenticated channel. With information reconciliation, Alice and Bob obtain an identical key at each user’s side by the exchange of minimal information (such as the mere bit parity of block key sequences). The second phase, privacy amplification, is then applied to eliminate effectively the information acquired by Eve during the reconciliation step. Privacy amplification is typically performed by using universal hash functions, which generate a new shorter key, on which Eve has zero information.
Security against spectral attacks
The transfer function \(H(\omega )\) of the system connecting Alice and Bob is represented as follows:
with \({H}_{A}^{(n)}(\omega )\), \({H}_{B}^{(n)}(\omega )\) the transfer function of the chip of Alice and Bob, respectively, \(C(\omega )\) the contribution of the transmission system, \(S(\omega )\) the spectrum of the input source, and \(\alpha (\omega )\) the coupling coefficient with spectrum analyzer, with \( \alpha (\omega ) \le 1\) for energy conservation. For reciprocity, the coefficient \(\alpha (\omega )\) is the same for both users. The random PDS \({P}_{A}= {H}_{A}^{(n)}(\omega ){ }^{2}\) and \({P}_{B}= {H}_{A}^{(n)}(\omega ){ }^{2}\) change at every transmission step, due to the different input conditions selected by each user.
In a spectral attack, Eve measures the spectra \({P}_{EA}\) and \({P}_{EB}\) transmitted over the communication line with identical copies of the users’ spectrum analyzers, and then attempts a reconstruction of the combined state via \({P}_{EA}{P}_{EB}/{P}_{S}\), with \({P}_{S}\) the spectrum of the source. In the best ideal scenario for Eve, this operation returns the following estimate (Supplementary Note III):
with \(\left\langle {P}_{\mathrm{Bob}}\right\rangle\) the mean value of the combined state \({P}_{\mathrm{Bob}}\) measured by Bob and \(\Delta\) the uncertainty measured by Alice and Bob in their combined states. We analyze the security of the system in the worst case for the users, in which \( \alpha (\omega ){ }^{2}=1\). This limit is practically impossible to achieve: it implies a technology that can measure a state without perturbing it, and this would at least violate the projection postulate of quantum mechanics.
We considered different communications scenario, in which Alice and Bob measure correlated spectra with different statistical fluctuations, and developed a multibit AHB transform (detailed in Supplementary Note IV), which optimizes the extraction of information from acquired users spectra. Commercially available detectors furnish at least 16 bits for each spectral point: if this information is maximized, the key generation workload is highly reduced.
In the security analysis, we considered statistical fluctuations between Alice and Bob PDS with standard deviation \({\sigma }_{AB}\le 8 \%\), which is typically met in classical communication networks. We set the maximum tolerable BER equal to the statistical fluctuations in the spectra \({\sigma }_{AB}\). This implies that the BER is lower than the tolerable limit of 11% set for QKD^{7}.
Figure 2d–f shows the outcomes in terms of BER and adversary uncertainty per bit resulting from a spectral attack for different \({\sigma }_{AB}\). Results are calculated from a statistical set of \(1{0}^{6}\) different chaotic PDS measured by Alice \({P}_{\mathrm{Alice}}\), Bob \({P}_{\mathrm{Bob}}={P}_{\mathrm{Alice}}+\Delta\) and reconstructed by Eve \({P}_{E}={P}_{\mathrm{Alice}}+\Delta ^{\prime}\) at the theoretical limit, with: \(\langle \Delta \rangle =\langle \Delta ^{\prime} \rangle =0\), \(\sqrt{\langle {\Delta }^{2}\rangle }={\sigma }_{AB}\), \(\sqrt{\langle {\Delta }^{^{\prime} 2}\rangle }=\sqrt{3}{\sigma }_{AB}\).
Figure 2d–f demonstrates that independently from the communications scenario considered, when the BER reaches \({\sigma }_{AB}\), the users can distill an OTP key with \({N}_{b}\,> \,10\) bits per spectral point measured, while maintaining a unitary uncertainty to the attacker (uncertainty per bit higher than 0.99 bit). As in Fig. 2a, the variance in Eve’s uncertainty is negligible. This arises from the use chaotic spectra with universal statistics: the outcomes are independent on the particular sequence considered.
If we set \({N}_{b}\) to the point where the BER equals \({\sigma }_{AB}\), \({N}_{b}\) increases from (d) \({N}_{b}=11\) to (e) \({N}_{b}=12\), and then to (f) \({N}_{b}=14\), and can be controlled by acting on \({\sigma }_{AB}\).
These results demonstrate that at the theoretical limit and in the worst case for the users, the attacker has zero information on the key and the system is unconditionally secure.
Supplementary Note V demonstrates that in the absence of active eavesdropping and by using the multibit AHB transform, the number of pulses \({N}_{\mathrm{p}}\) to be transmitted for generating an OTP key can be reduced to \(\approx\! 1/1000\) of the length of the message.
Physical implementation
We developed chaotic chips from human fingerprints. After biometric scanning (Fig. 3a, b), the digital fingerprint image is transformed into a chaotic microresonator composed by a series of point scatterers made by reflective nanodisks of constant radius \(r\) (Fig. 3c). The microresonator acts as a chaotic billiard^{55,56,57,58,59,60}. In Figure 3c–e we optimized the resonator chaos against conditions 1 and 3 from the communication protocol (Supplementary Note VI).
The fingerprint resonator is characterized by a large number of disjoint convex bodies, representing a finite version of the Lorentz gas billiard, which is known to possess a strongly chaotic behavior^{55}. Figure 3c shows the propagation of light rays of two input conditions \(({{\bf{x}}}_{0},{\bf{n}})\) (solid red line) and \(({{\bf{x}}}_{0}+\epsilon ,{\bf{n}})\) (solid green line), having the same initial orientation \({\bf{n}}\) and spatially displaced by a random vector \(\epsilon\) with \( \epsilon  ={\epsilon }_{\mathrm{min}}=2.2\,\times 1{0}^{16}\), the smallest floating point number representable at the computer. After few collisions, the dynamics diverges exponentially.
Figure 3d calculates the average Lyapunov exponent \(\langle \mu \rangle\), which quantifies the average exponential grow of different input conditions, and the volume of phase space of input conditions filled by chaotic dynamics as a function of the scatterers’ radius \(r\) (Supplementary Note VI). The designed fingerprint resonator with \({n}_{s}=322\) scatterers is fully chaotic (as requested at point 1) for \(r\ge 0.008L\), with L being the resonator width along \(y\). Figure 3e analyzes the fingerprint structure against conditions 3 and 4. The plot shows the dynamics of three identical input conditions (solid blue, red, and green lines) launched in three different fingerprint resonators implemented by randomly shifting the positions of each scatterer \({{\bf{s}}}_{i}\) by a vector with random orientation \({\epsilon }_{i}\), with \( {\epsilon }_{i} ={\epsilon }_{\mathrm{min}}\). An infinitesimal transformation in the fingerprint’s scatterers leads to a chaotic structure with exponentially diverging trajectories with respect to the old one. This is a general result, demonstrated in Supplementary Note VII, along with other possible transformations that satisfy requirements 3 and 4.
Figure 4a shows the typical dynamics of light in a fully chaotic fingerprint resonator with L = 7 μm and \(r=0.012L\), calculated from finitedifference timedomain simulations for a structure of air holes on a Silicon substrate excited by a TE polarized, 150fslong pulse centered at λ = 1550 nm. Chaotic scattering randomizes the wavefront, generating wavepackets with universal Gaussian statistics (Fig. 4b).
Figure 4a–d analyzes the correlations among chaotic states extracted from transmitted PDS. Spectra are advantageous over intensity signals, favoring less expensive implementations. We calculated transmitted electromagnetic spectra for both TE and TM polarized point sources of 150 fs duration, centered at the wavelength λ = 1550 nm, and launched at \(x=y=0\) with displacements \({y}_{1},{y}_{2},...\) along \(y\) within 1 μm range with 20 nm resolution. For each input position, we computed the transmitted energy spectrum and transformed it into a binary sequence by the AHB technique. We then computed the entropy correlation matrix \({\mathcal{H}}\), with elements \({{\mathcal{H}}}_{ij}={d}_{ij}\,{\mathrm{log}}_{2}\,{d}_{ij}(1{d}_{ij}){\mathrm{log}}_{2}(1{d}_{ij})\) being the Shannon information entropy of the hamming distance \({d}_{ij}\) among the bit sequences \(i\) and \(j\) arising from PDS obtained by input shifts \({y}_{i}\) and \({y}_{j}\). The entropy correlation matrix is strongly diagonal (Fig. 4c), showing that the generated bit sequences are completely uncorrelated. A displacement beyond 200 nm provides uncorrelated sequences (Fig. 4d).
In the system of Fig. 1, by using displacement and two polarizations, we can generate \({(1000/0.2\, \times2)}^{2}=1{0}^{8}\) different spectra for every millimeter of chip length \(L\). If we measure each spectrum with 1024 pixel and convert each pixel into \({N}_{b}\) bits, we can generate \(0.1\cdot {N}_{b}\) Tbit of different keys for every millimeter of chip unit length \(L\), and for every communication.
In the following experimental demonstration, fingerprint chips are fabricated by ebeam lithography, patterning the fingerprint resonator structure onto a silicon substrate developed with a silicononinsulator platform that is CMOS (complementary metal–oxide–semiconductor) compatible and operating in the standard telecommunication C + L band^{47}. Figure 5a shows a scanning electron microscope of a fingerprint chip. The structure is L = 40 μm wide and 100 μm long.
Figure 5b, c shows an example of an irreversible process^{61} that can be applied to the chips. It consists in first depositing on top of the sample a nonpurified drop of water, which naturally contains colloidal occlusions that act as additional scatterers (Fig. 5b). When the chip dries out naturally, we obtain another distribution of impurities on the chip’s surface (Fig. 5c). In commercial applications, this step can be accomplished by solidstate scatterers, such as, for example, doped hydrogels, which are dynamically deformable^{62,63,64}.
To characterize the chips in (a–c), we launched light signals of 100 nm bandwidth, centered around the communication wavelength 1550 nm, by end fire coupling with a ×60 aspheric lens, mounted on a XYZ stage with repeatable spatial shifts of 0.5 μm.
Figure 5d shows transmission optical spectra recorded at different input positions, indicated on the right, and the corresponding generated bit sequences, each of 1024 bits, for the original chip (a). Figure 5e shows the entropy correlation among 40 different input positions shifted by 1 μm each. In agreement with the theoretical predictions of Fig. 4c, d, generated bit sequences are uncorrelated with each other. Figure 5f verifies the optical reciprocal behavior of the chip against condition 2. The figure shows the correlation among bit sequences created by launching signals from the input and collecting transmission spectra at the output, versus the bit sequences measured by launching signals from the output and collecting spectra at the input. The chips have correlated bit sequences obtained in direct and reciprocal launching conditions (Fig. 5f, diagonal), and uncorrelated to each other (Fig. 5f, yellow area).
Figure 5g analyzes the entropy correlation between the bit sequences created from the same positions in the chips at (a) and (b), before and after the transformation, respectively, while Fig. 5h shows the correlations among sequences generated from chips at (a), (b), and (c). The sequences are uncorrelated with each other, with an average correlation entropy per bit of \(\langle {\mathcal{H}}\rangle =0.998\pm 0.001\) bit, experimentally demonstrating that the irreversible transformation (a, b, c) generated different chip responses.
Figure 5g, h experimentally proves that the chips satisfy the conditions 3 and 4 of the communication protocol.
Cryptographic transmission
We used the setup of Fig. 6a, assembled with inexpensive classical optical components. We employed a standard single mode telecommunication fiber SMF28 that connects two fully chaotic fingerprint chips with L = 40 μm. We chose different input conditions by using XYZ translation stages with 1 μm spatial shifts. Supplementary Note VIII discusses an integrated structure with onchip coupling from end to end of the communication line. As in the previous experiments, we employed light pulses with 100 nm bandwidth and measured PDS with 0.1 nm resolution.
Figure 6b shows a typical communication with a list of input positions selected by each user. Figure 6c, d analyzes the transmission for one set of input conditions showing: (c) the PDS sent by Alice and Bob and (d) the spectra measured at the distal end by the users. The PDS of the combined state \({\mathrm{PDS}}_{{B}_{22}{A}_{30}}\) measured by Alice is correlated to the spectrum \({\mathrm{PDS}}_{{A}_{30}{B}_{22}}\) measured by Bob. The solid blue line in Fig. 6e quantifies the difference between the data measured by Alice and Bob.
The solid orange line in Fig. 6e shows the difference between the spectrum measured at Bob’s end and the one reconstructed by Eve with a spectral attack, by measuring transmitted spectra \({P}_{{B}_{22}}\), \({P}_{{A}_{30}}\) and combining them via \({P}_{{B}_{22}}{P}_{{A}_{30}}/{P}_{S}\), with \({P}_{S}\) the spectrum of the source (Supplementary Fig. 1). All Eve’s measurements are performed with the users’s spectrum analyzers, without using any component that is not present in the setup. Even in this scenario, there are significant differences between Bob and Eve’s spectra.
Figure 6f–h visualizes these results with encryption and decryption experiments. Alice encodes the data being sent out (f) with a key generated from the sequence of repeated spectra with the multibit AHB transform optimized for \({\sigma }_{AB}=7 \%\), which is the average standard deviation generated in the system of Fig. 6a.
The ciphertext generated is then transmitted to Bob end, who decodes it with his own generated key. The image decoded by Bob is correctly retrieved from the original (Fig. 6g). Conversely, the image decoded by Eve is just white noise. With this elementary setup and with the chips designed (L = 40 μm), we can extract \(4{0}^{2}\cdot {N}_{b}\cdot 1024=2\cdot {N}_{b}\) Mbit of different keys at each communication.
In Supplementary Fig. 2 we report the results of the NIST statistical test suite applied to the keys generated with the system of Fig. 6. The key generated passed all the tests, validating the scheme against the NIST standards for realworld applications.
Discussion
We have demonstrated a protocol for a perfect secrecy cryptography that uses CMOScompatible fingerprint silicon chips, which transmit information on a public classical optical network. The system’s security is evaluated following the Kerckhoff principle. The second law of thermodynamics and the exponential sensitivity of chaos prevents the attacker from getting any information on the key being exchanged by the users. The protocol proposed is fully compatible with the techniques of privacy amplification and information reconciliation already developed for QKD. Beyond the initial communication required for authenticating the users, the system does not require electronic databases, private keys, or confidential communications. Combined with the technological maturity, speed, and scalability of classic optical communications, the results show a open pathway towards implementing perfect secrecy cryptography at the global scale with contained costs.
References
Adam, D. Cryptography on the front line. Nature 413, 766–767 (2001).
Chen, S. Random number generators go public. Science 360, 1383–1384 (2018).
Shor, P. W. Algorithms for quantum computation: discrete logarithms and factoring. In Proc. 35th Annual Symposium on Foundations of Computer Science, 124–134 (1994).
Bellovin, S. M. Frank miller: inventor of the onetime pad. Cryptologia 35, 203–222 (2011).
Vernam, G. S. Secret signaling system. US Patent 1,310,719 (1919).
Shannon, C. E. Communication theory of secrecy systems. Bell Syst. Tech. J. 28, 656–715 (1949).
Lo, H.K., Curty, M. & Tamaki, K. Secure quantum key distribution. Nat. Photon. 8, 595–604 (2014). Review Article.
Bernstein, D. J. & Lange, T. Postquantum cryptography. Nature 549, 188–194 (2017).
Liao, S.K. et al. Satellitetoground quantum key distribution. Nature 549, 43–47 (2017). Article.
Yin, J. et al. Satellitebased entanglement distribution over 1200 kilometers. Science 356, 1140–1144 (2017).
Korzh, B. et al. Provably secure and practical quantum key distribution over 307 km of optical fibre. Nat. Photon. 9, 163–168 (2015).
Jain, N. et al. Attacks on practical quantum key distribution systems (and how to prevent them). Contemp. Phys. 57, 366–387 (2016).
Mailloux, L. O., Grimaila, M. R., Hodson, D. D., McLaughlin, C. V. & Baumgartner, G. B. Quantum key distribution: Boon or bust? J. Cyber Security Inform. Syst. 4, 18–26 (2016).
Scarani, V. & Kurtsiefer, C. The black paper of quantum cryptography: real implementation problems. Theor. Comput. Sci. 560, 27–32 (2009).
Jogenfors, J., Elhassan, A. M., Ahrens, J., Bourennane, M. & Larsson, J.Å. Hacking the bell test using classical light in energytime entanglementbased quantum key distribution. Sci. Adv. 1, e1500793 (2015).
Yuen, H. P. Security of quantum key distribution. IEEE Access 4, 724–749 (2016).
Sun, S.H. et al. Effect of source tampering in the security of quantum cryptography. Phys. Rev. A 92, 022304 (2015).
Scarani, V. et al. The security of practical quantum key distribution. Rev. Mod. Phys. 81, 1301–1350 (2009).
Lütkenhaus, N. Security against individual attacks for realistic quantum key distribution. Phys. Rev. A 61, 052304 (2000).
Wootters, W. K. & Zurek, W. H. A single quantum cannot be cloned. Nature 299, 802–803 (1982).
Agrell, E. et al. Roadmap of optical communications. J. Opt. 18, 063002 (2016).
van Uden, R. G. H. et al. Ultrahighdensity spatial division multiplexing with a fewmode multicore fibre. Nat. Photon. 8, 865–870 (2014).
Poletti, F. et al. Towards highcapacity fibreoptic communications at the speed of light in vacuum. Nat. Photon. 7, 279–284 (2013).
Hu, H. et al. Singlesource chipbased frequency comb enabling extreme parallel data transmission. Nat. Photon. 12, 469–473 (2018).
Wabnitz, S. & Eggleton, B. AllOptical Signal Processing: Data Communication and Storage Applications. Springer Series in Optical Sciences (Springer International Publishing, 2015).
Hermans, A. et al. Integrated silicon nitride electrooptic modulators with atomic layer deposited overlays. Opt. Lett. 44, 1112–1115 (2019).
Ott, E. Chaos in Dynamical Systems (Cambridge University Press, 2002).
Sciamanna, M. & Shore, K. A. Physics and applications of laser diode chaos. Nat. Photon. 9, 151–162 (2015). Review Article.
Stöckmann, H. J. Quantum Chaos: An Introduction (Cambridge Univ., Cambridge, 2006).
Liu, C. et al. Enhanced energy storage in chaotic optical resonators. Nat. Photon. 7, 473–478 (2013).
Pappu, R., Recht, B., Taylor, J. & Gershenfeld, N. Physical oneway functions. Science 297, 2026–2030 (2002).
Herder, C., Yu, M.D., Koushanfar, F. & Devadas, S. Physical unclonable functions and applications: a tutorial. Proc. IEEE 102, 1126–1141 (2014).
Helfmeier, C., Boit, C., Nedospasov, D. & Seifert, J. P. Cloning physically unclonable functions. In 2013 IEEE International Symposium on HardwareOriented Security and Trust (HOST), 1–6 (IEEE, 2013).
Nedospasov, D., Seifert, J.P., Helfmeier, C. & Boit, C. Invasive puf analysis. In 2013 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), 30–38 (IEEE, 2013).
Škorić, B., Tuyls, P. & Ophey, W. Robust key extraction from physical uncloneable functions. In International Conference on Applied Cryptography and Network Security, 407–422 (Springer, 2005).
Goorden, S. A., Horstmann, M., Mosk, A. P., Škorić, B. & Pinkse, P. W. H. Quantumsecure authentication of a physical unclonable key. Optica 1, 421–424 (2014).
Zhang, J., Qu, G., Lv, Y.Q. & Zhou, Q. A survey on silicon pufs and recent advances in ring oscillator pufs. J. Comput. Sci. Technol. 29, 664–678 (2014).
Strudley, T., Zehender, T., Blejean, C., Bakkers, E. P. A. M. & Muskens, O. L. Mesoscopic light transport by very strong collective multiple scattering in nanowire mats. Nat. Photon. 7, 413–418 (2013).
Rührmair, U. & van Dijk, M. Pufs in security protocols: attack models and security evaluations. 2013 IEEE Symposium on Security and Privacy, 286–300 (2013).
Horstmeyer, R., Judkewitz, B., Vellekoop, I. M., Assawaworrarit, S. & Yang, C. Physical keyprotected onetime pad. Scientific Rep. 3, 3543 (2013).
Grubel, B. C. et al. Secure communications using nonlinear silicon photonic keys. Opt. Express 26, 4710–4722 (2018).
Helfmeier, C. & Boit, C. Cloning physically unclonable functions. In 2013 IEEE International Symposium on HardwareOriented Security and Trust (HOST), 1–6 (IEEE Computer Society, Los Alamitos, 2013).
Potton, R. J. Reciprocity in optics. Rep. Progr. Phys. 67, 717–754 (2004).
Rührmair, U. Optical pufs reloaded. Eprint.Iacr.Org (2013).
Bennett, C. H. & Brassard, G. Quantum cryptography: public key distribution and coin tossing. In Proceedings of IEEE International Conference on Computers, Systems, and Signal Processing, 175–179 (1984).
Deák, L. & Fülöp, T. Reciprocity in quantum, electromagnetic and other wave scattering. Ann. Phys. 327, 1050–1077 (2012).
Liu, C. et al. Triggering extreme events at the nanoscale in photonic seas. Nat. Phys. 11, 358–363 (2015).
Morita, R., Yamane, K. & Zhang, Z. Amplitude and Phase Characterization of FewtoMono OpticalCycle Pulses (Springer, Berlin, Heidelberg, 2005).
Bazargani, H. et al. Onchip, singleshot characterization of ghzrate complex optical signals. IEEE Photon. Technol. Lett. 26, 2345–2348 (2014).
Landau, L. D. & Lifshitz, E. M. The Classical Theory of Fields (ButterworthHeinemann, 1980).
Elkouss, D., MartinezMateo, J. & Martin, V. Information reconciliation for quantum key distribution. Quantum Inf. Comput. 11, 226–238 (2011).
Jouguet, P. & KunzJacques, S. High performance error correction for quantum key distribution using polar codes. Quantum Inf. Comput. 14, 329–338 (2013).
Bennett, C. H., Bessette, F., Brassard, G., Salvail, L. & Smolin, J. Experimental quantum cryptography. J. Cryptol. 1, 3–28 (1992).
Watanabe, Y. Privacy amplification for quantum key distribution. J. Phys. A 40, F99–F104 (2007).
Chernov, N. & Markarian, R. Chaotic Billiards (American Mathematical Society, 2006).
Stein, J. & Stöckmann, H.J. Experimental determination of billiard wave functions. Phys. Rev. Lett. 68, 2867–2870 (1992).
Kudrolli, A., Kidambi, V. & Sridhar, S. Experimental studies of chaos and localization in quantum wave functions. Phys. Rev. Lett. 75, 822–825 (1995).
Gräf, H.D. et al. Distribution of eigenmodes in a superconducting stadium billiard with chaotic dynamics. Phys. Rev. Lett. 69, 1296–1299 (1992).
Harayama, T. & Shinohara, S. Twodimensional microcavity lasers. Laser Photon. Rev. 5, 247–271 (2011).
Gmachl, C. et al. Highpower directional emission from microlasers with chaotic resonators. Science 280, 1556–1564 (1998).
Gaspard, P. et al. Experimental evidence for microscopic chaos. Nature 394, 865–868 (1998).
Shin, D. et al. Scalable variableindex elastooptic metamaterials for macroscopic optical components and devices. Nat. Commun. 8, 16090 (2017).
Ionov, L. Hydrogelbased actuators: possibilities and limitations. Mater. Today 17, 494–503 (2014).
Walker, E. L., Wang, Z. & Neogi, A. Radiofrequency actuated polymerbased phononic metamaterials for control of ultrasonic waves. NPG Asia Mater. 9, e350 (2017).
Rachmaninoff, R. commons.wikimedia.org/wiki/File:Fingerprint_scanner_identification.jpg (2009).
Acknowledgements
A.D.F. acknowledges support from EPSRC (EP/L017008/1). A.F. acknowledges support from KAUST (OSR2016CRG52995). The research data underpinning this publication can be accessed at https://doi.org/10.17630/19156fc3cc1f4ee3b553f02042cf89a0.
Author information
Authors and Affiliations
Contributions
A.F. directed the work and developed the main theory. A.D.F. fabricated and measured the samples. V.M. helped on the experiments and contributed to the design of the communication protocol. A.C. provided conceptual comments. A.F. wrote the manuscript, with equal input from all authors.
Corresponding author
Ethics declarations
Competing interests
A provisional patent application (US Patent USPTO16132017) has been filed on the subject of this work on which all of the authors are listed as inventors.
Additional information
Peer review information Nature Communications thanks Junho Cho and the other, anonymous, reviewer(s) for their contribution to the peer review of this work. Peer reviewer reports are available.
Publisher’s note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Supplementary information
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Di Falco, A., Mazzone, V., Cruz, A. et al. Perfect secrecy cryptography via mixing of chaotic waves in irreversible timevarying silicon chips. Nat Commun 10, 5827 (2019). https://doi.org/10.1038/s4146701913740y
Received:
Accepted:
Published:
DOI: https://doi.org/10.1038/s4146701913740y
This article is cited by

Singleshot polarimetry of vector beams by supervised learning
Nature Communications (2023)

Scalable and CMOS compatible silicon photonic physical unclonable functions for supply chain assurance
Scientific Reports (2022)

Physical security in the postquantum era
Journal of Cryptographic Engineering (2022)

A new image encryption algorithm based on the OFLSTMS and chaotic sequences
Scientific Reports (2021)
Comments
By submitting a comment you agree to abide by our Terms and Community Guidelines. If you find something abusive or that does not comply with our terms or guidelines please flag it as inappropriate.