Inside the Starburst-sized box that could save the Internet

Cybercrime is costing us millions. Hacks drain the average American firm of $15.4 million per year, and, in the resulting panic, companies often spend more than $1.9 million to resolve a single attack. It’s time to face facts: Our defenses aren’t strong enough to keep the hackers out.

But there is hope. Companies can encrypt data so that what is stolen remains useless to the attacker. However, right now, most forms of cryptography can be broken with the right tools — but what if there were a development in the works that could change the game completely?

At Los Alamos National Laboratory, scientists have taken the first step toward exactly that. It’s a device the size of a Starburst candy, which fits on a small circuit board the size of a video card. Inside that unassuming exterior is a crazily fluctuating quantum light field — the quickest and most reliable true random number generator ever made.

What’s so hard about generating random numbers?

Most people don’t know it, but they use random numbers every day when they use the Internet to log into websites, send emails and shop, among other instances. They’re a key component of the mechanism that makes websites with “https” in the URL more secure than ones with just “http,” for instance: on an “https” site, your computer uses random numbers to encrypt its messages to the server, so it’s harder for hackers to intercept them. Random numbers are also applied in different ways to protect everything from the credit card number you input on Amazon.com to top-secret files at the NSA.

When I first heard about the quantum random number generator, I didn’t understand its significance, either. I was on my first trip to Los Alamos, in 2012, to identify technology being developed in the lab that could be licensed to private industry — part of my job as Program Manager at the Transition to Practice (TTP) program in the Department of Homeland Security.

Our defenses aren’t strong enough to keep the hackers out.

At that time, I was given a briefing more focused on quantum key exchange, a different and even more complicated technology than the quantum random number generator. Beth Nordholdt and Richard Hughes, then-co-leaders of the Los Alamos quantum communications team, had little time to prepare for my visit and decipher how to distill more than 20 years of research into terms a newcomer to the worlds of quantum physics and cryptography would understand. They dropped phrases like “Diffie-Hellman protocol” and “quantum entanglement” until my head spun. Random number generation was only an afterthought.

On my next visit, a year later, the importance of the quantum random number generator became much more clear. Beth and Richard showed me their then-current prototype, which was around the size of a microwave (much more compact than their original refrigerator-sized prototype, which I hadn’t gotten a chance to see the year before). And they explained what difficult cryptographic problems the device could solve. Once I understood what they were working on, we selected them for the next class of TTP.

The importance of entropy, or how to use lava lamps for cryptography

Most cryptography systems in use today employ keys: long strings of random or near-random numbers. This includes the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols that “https” sites use to secure user data. SSL and TLS open a secure connection to a server using a pair of keys: one publicly known, and one that’s private and secret. If the digits in the public key aren’t random enough, hackers can use it to predict the digits in the private key and gain access to floods of personal information.

Cybercrime is costing us millions.

That’s why generating good keys is so important. And the longer your key, the stronger the encryption; when you hear someone refer to “256-bit encryption,” they’re referring to encryption that uses a key 256 digits long. You can also make a key stronger by increasing its entropy: the randomness of the digits within it. Because true randomness in the world is hard to come by, keys are generated by so-called pseudo-random number generators: devices that “stretch out” the entropy of a smaller, truly random “seed” sequence. A true random number generator is what generates that seed sequence.

It’s hard being random

Random number generators have been built that extract entropy from almost everywhere: atmospheric data, radio waves, even the movement of wax blobs in a lava lamp. (That last technique worked well until one night a janitor switched off the lamp, and the supposedly random number sequence became a string of straight 0s.)

Most sources of entropy are more mundane. Intel chips usually have built-in random number generators that take their entropy from electrical “noise” inside the chip. A Linux kernel tracks chaotic events on the computer itself, like the time between clicks of a mouse or strikes on a keyboard. In any case, the computer or server will pool all that random information into a reservoir of entropy that the system dips into — for instance, when generating digital signatures or keys.

Only, unfortunately, this reservoir of randomness isn’t always as random as it seems. For instance, if there isn’t enough network traffic on a server, its Linux kernel’s supply of entropy may be depleted over time. Nor are hardware random number generators like Intel’s necessarily better. A hacker can affect the electrical “noise” inside a chip by messing with the temperature inside your computer or its power supply. Local radiation and other naturally occurring phenomena can decrease its entropy, too.

Moreover, it’s extremely hard to test whether outputs of systems are really random. The digits of pi pass every known statistical test for randomness — but they’re of course completely predictable. These factors make quality control for random number generators extremely difficult.

A quantum solution to quantum computing

That’s why the quantum random number generator was so innovative. It’s based on natural processes that are always random, by definition. Even environmental factors like a change in temperature or a burst of radiation won’t make quantum fluctuations lose their entropy. They’re incredibly reliable sources of randomness and, what’s more, a random number generator based on them runs extremely quickly. (This is what allows Whitewood, the company that now markets the technology commercially, to offer sufficient entropy to supply whole data centers.)

It’s the wave of the future — one that will soon be making everything from online shopping to driverless cars a little bit more secure.

With contribution by Nathalie Lagerfeld of Hippo Reads.