Whenever data are being transferred over the Internet, encryption methods keep PIN (personal identification number) codes secret, store medical information securely, watch over the confidentiality of online transactions, permit electronic voting, and verify digital signatures. In principle, cryptographic methods rely on the irreversibility—or at least on the difficult reversibility—of a mathematical operation. They depend on the fact that no algorithms exist that can invert a certain operation within a reasonable amount of time.

Operations that are solvable in one direction only are called one-way functions. A “one-way function with a trapdoor” is a mathematical function that is also solvable in the other direction but only if one possesses an additional piece of information—the encryption key. For example, it is a simple task to multiply two numbers. Dividing the result is much more difficult: Various candidates must be tested until a divisor is found that leaves no remainder after the division.

This is why the multiplication of prime numbers is nowadays used to encrypt messages. The intended recipient chooses two prime numbers, multiplies them, and publishes the product. Whoever wants to send her a secret piece of information will use this number to encrypt the message. The inverted operation—that is, the division of the product into its prime factors—is currently impossible if the number is large enough. Only a recipient who has the keys—who knows the two prime numbers—can decrypt the message. Thus the multiplication of large prime numbers is a one-way function with a trapdoor because the division of the product into its prime

factors is impossible … unless one knows one of the factors.

Actually, nobody has ever been able to prove rigorously that it is impossible to factorize large numbers within a reasonable amount of time. And as ever-faster computers appear on the market, and ever-more-sophisticated algorithms are developed, searches for the appropriate keys become more efficient. These developments threaten the encryption methods that are currently in use. In 1970 the factorization of a 37-digit number was still a sensation. Today’s world factorization record already stands at 160 digits: on April 1, 2003 (no April Fools’ Day joke), five mathematicians at the German Federal Office for Security in Information Technology in Bonn managed to factorize such a number into its two 80-digit components. And no end to the developments is in sight. Could it be that the CIA, the MI5, or the Mossad already are in possession of an effective key search algorithm and just do not let on? In any case, for security reasons, numbers with at least 300 digits are currently recommended for encryption.

But a new technology—quantum computers—threatens to make numbers with 300 or even 3,000 digits vulnerable. In contrast to binary digits (bits) that can only take on the two states zero and one consecutively, quanta can simultaneously exist in more than one state. This means that, in principle, quantum computers could perform an enormous amount of mathematical operations simultaneously. Computations like the factorization of a large number, which would take centuries on a classical computer, could be performed within seconds.

For the time being quantum computers are still pie in the sky. Nevertheless, information technology officers, Web designers, and security professionals are on the lookout for encryption methods whose security is not a question of technology but would be guaranteed by the laws of nature. Recently two Swiss mathematicians suggested a method that may prove immune against attacks even by quantum computers. In a recent issue of the journal Elemente der Mathematik, which is devoted to articles about de-

velopments in mathematics in Switzerland, Norbert Hungerbühler of the University of Fribourg and Michael Struwe of the Federal Institute of Technology in Zurich presented an encryption method that relies on the second law of thermodynamics. This law, one of nature’s most basic tenets, states that certain physical processes are not reversible. For example, while it is a simple task to prepare a café au lait—brew coffee, add milk, stir—it is quite impossible to separate café au lait into its components. Hence the preparation of a café au lait is a one-way function … without a trapdoor.

Another example of the second law is heat flow. Think of a hot plate under which several candles are lit. If the initial conditions—the locations of the candles—are known, the propagation of heat can be easily computed. On the other hand, according to the second law, it is quite impossible to trace the heat distribution back to its starting points; that is, you can never determine which parts of the hot plate have been heated by the candles. Even if the distribution of heat in a hot plate is well known at a certain moment in time, the initial positions of the candles cannot be deduced.

Hungerbühler and Struwe make use of this fact to suggest a novel “public key” encryption method. Let us say Alice wants to send an encrypted message to Bob. The two partners choose configurations of candles under their hot plates. These are their secret keys, α and β. Then Alice and Bob use the heat flow operator (H) to compute—each for him/herself—the heat distributions in the hot plates after, say, one minute (α*H and β*H). These heat distributions represent the public keys, and Alice and Bob publicize them in a directory or transmit them over public channels. Since the heat distribution can only be computed in the forward direction, a potential eavesdropper will find it impossible to deduce the initial positions of the candles from knowledge of the public keys.

Now Alice encodes her message, using her secret candle configuration and Bob’s heat distribution (α*β*H). This is the heat distribution that occurs if both sets of candles are put under the hot plate. Because of the commutativ-

ity of the heat flow operator—it does not matter which set of candles is set up first—Bob can then decode the message with the help of his secret candle configuration and Alice’s publicized heat distribution (β*α*H). At the same time he can verify that Alice was the sender. The proposed encryption method does not depend on technology. It is based on the classical laws of nature and on the mathematical properties of thermodynamics. Therefore, it cannot be threatened by novel computing methods.

Unfortunately, it will not be possible to implement ThermoCrypto in the foreseeable future. The reason is that the equations describing the heat flow are continuous functions. Computing them with digital computers means truncating the numbers. The inevitable rounding errors could provide a starting point for eavesdroppers, and absolute security would no longer be guaranteed. Ironically, it is the quantum computers that could come to the rescue. In the mid-1980s the physicists Richard Feynman and David Deutsch had pointed out that due to its infinite states a quantum computer would be able to simulate continuous physical systems by making rounding errors infinitely small. So quantum computers, which may make conventional encryption methods obsolete one day, may also be the tool for the next generation of encryption methods.