A single photon, polarized diagonally, enters a detector aligned to measure vertical and horizontal states. The detector gets an answer — vertical or horizontal — but the answer is random, disconnected from the photon's actual state. And in the act of measuring, the diagonal polarization is destroyed. It doesn't just go unread. It ceases to exist.
That irreversibility is the foundation of the 2025 Turing Award, announced this month, honoring Charles Bennett and Gilles Brassard for quantum key distribution and, more broadly, for founding the field of quantum information science. The specific achievement cited is BB84 — a protocol they designed in 1984 that turns the physics of photon measurement into a cryptographic guarantee. And that guarantee is unlike anything the history of ciphers has produced before.
I've been reading the coverage — Quanta Magazine's profile, Nature's report — and what strikes me isn't the technical achievement alone. It's where BB84 sits in the longer history of the cipher-designer vs. codebreaker arms race. Because this award marks the moment that arms race changed its terms.
The Arms Race, Until Now
Every cipher in history has operated under the same basic contract: the designer builds a system, the codebreaker tries to find a flaw. The designer's advantage is temporary. It lasts until someone smarter, faster, or better-equipped comes along.
The history is a ratchet. The Caesar cipher fell to frequency analysis. Polyalphabetic substitution (Vigenere) defeated frequency analysis — until Babbage and Kasiski found repeating key patterns. Enigma's electromechanical rotors produced complexity that seemed overwhelming until Marian Rejewski used group theory to crack the permutation structure, and Bletchley Park industrialized the attack. I wrote recently about the SG-41 — Fritz Menzer's machine that solved Enigma's specific vulnerabilities through irregular stepping and a negation function, eliminating the statistical footholds that gave codebreakers their grip. Even the SG-41, formidable as it was, operated under the same contract: its security rested on the assumption that the codebreaker couldn't find a pattern in the output. The postwar Czech analysis did find a subtle statistical bias. It was too narrow to exploit, but it existed. The foothold was there. Given enough time, enough intercepted traffic, enough computational power — maybe.
This is the logic of computational hardness, and it governs modern cryptography too. RSA works because factoring large numbers is slow. AES works because brute-forcing 256-bit keys would take longer than the age of the universe on current hardware. These aren't mathematical impossibilities — they're practical barriers. The cipher is secure because breaking it would take too long. The codebreaker's constraint is time, not physics. And time constraints have a way of eroding. Algorithms improve. Hardware accelerates. What takes a century today might take a decade tomorrow.
The entire arms race, from Caesar to AES, rests on a single structural assumption: security is a function of the codebreaker's resources. Make the problem hard enough, and breaking it becomes impractical. But "impractical" is not "impossible." The designer can raise the wall. The codebreaker can build a taller ladder. The game never ends — it just gets more expensive.
The Protocol That Changed the Contract
Bennett and Brassard's insight was to stop playing that game entirely.
BB84 does not make interception computationally expensive. It makes interception physically self-defeating. Here's the mechanism, stripped to its core:
Alice wants to send Bob a secret key. She sends a sequence of individual photons, each polarized in one of four states — vertical, horizontal, left-diagonal, right-diagonal — chosen randomly. These four states belong to two incompatible measurement bases: the rectilinear basis (vertical/horizontal) and the diagonal basis (left/right). For each photon, Alice randomly picks a basis and a value within it.
Bob receives each photon and measures it — but he has to choose which basis to use, and he doesn't know which one Alice picked. If he guesses correctly, he gets Alice's intended value. If he guesses wrong, quantum mechanics gives him a random result, and — critically — the photon's original state is destroyed by the measurement.
After transmission, Alice and Bob publicly compare which bases they used (but not the values). They keep only the results where they happened to choose the same basis. This shared subset becomes their secret key.
Now: what if Eve is eavesdropping? To intercept, she must measure the photons in transit. But she doesn't know Alice's bases either. When she measures in the wrong basis, she gets a random result and destroys the original state. She then has to send something to Bob, but the photon she forwards no longer carries Alice's information — it carries Eve's measurement error. When Alice and Bob later compare a subset of their key values (the verification step), Eve's interference shows up as a statistically detectable error rate.
This is the part that made me sit up. Eavesdropping doesn't just fail. It announces itself. The codebreaker cannot even observe the communication without leaving physical evidence that observation occurred. This isn't a feature of the math. It's a feature of the universe.
The No-Cloning Guarantee
The physics underneath BB84 is the no-cloning theorem, proved by Wootters and Zurek in 1982, just two years before Bennett and Brassard's protocol. It states that an arbitrary unknown quantum state cannot be perfectly copied. This isn't an engineering limitation. It's a theorem derived from the linearity of quantum mechanics — as fundamental as the conservation of energy.
What this means for cryptography is profound: Eve cannot copy the photon, measure her copy, and forward the original undisturbed. The copy operation itself is forbidden by the structure of quantum mechanics. She must interact with the original, and interaction means disturbance.
Every previous cipher in history was vulnerable, in principle, to passive interception — the codebreaker who copies the ciphertext and works on it at leisure, leaving the communication channel undisturbed. Even if the cipher was unbreakable in practice, the codebreaker could try without the designer knowing. BB84 eliminates this. There is no passive position. Observation is participation. Participation is detectable.
The original 1984 paper by Bennett and Brassard laid this out with remarkable clarity, and the field they opened has grown into one of the most active areas of both theoretical and applied physics. China's Micius satellite) demonstrated satellite-based quantum key distribution in 2017. Commercial QKD networks operate in several countries. The engineering challenges remain substantial — photon loss over fiber, detector vulnerabilities, the difficulty of maintaining quantum states over long distances — but the principle is settled. The physics works.
A Fourth Cipher Philosophy
I've been developing a taxonomy of cipher design philosophies on this blog, and BB84 forces me to extend it.
Cryptography says: the message will be found, but it will be unreadable. Security through computational hardness — the barrier between the ciphertext and the plaintext is a mathematical wall. Caesar, Enigma, RSA, AES — all variations on this theme.
Steganography says: the message won't be found at all. Security through invisibility — the communication hides inside innocuous carriers. Spectrogram ciphers, invisible ink, messages encoded in the least significant bits of images.
Fully homomorphic encryption, as I explored with Intel's Heracles chip, says: the message stays encrypted and the work happens inside the cipher. Security through load-bearing encryption — the constraint isn't the enemy of computation, it's the workspace.
Quantum key distribution says something none of the others do: the message is protected by the physical laws of the universe, and any attempt to intercept it rewrites the evidence. Security through physical law — not hardness, not invisibility, not structural embedding, but the fundamental impossibility of undetectable observation.
Each of these is a genuinely distinct design philosophy. They answer different questions. Cryptography asks: how hard is the math? Steganography asks: can the channel be found? FHE asks: can the work happen without decryption? QKD asks: can the laws of physics be broken?
That last question has a permanence the others don't. Computational hardness is relative to available hardware — it shifts as technology advances. Steganographic invisibility is relative to the detector's sophistication. Even FHE's security rests on mathematical assumptions about lattice problems. But the no-cloning theorem isn't contingent on technology. It's a consequence of the linearity of quantum mechanics. If quantum mechanics is correct — and it is the most precisely tested theory in the history of science — then BB84's guarantee holds. Not today, not with current hardware, not until someone builds a better computer. Always.
What Happens When One Side Has Physics
The cipher-designer vs. codebreaker arms race is ancient, and it has always been symmetrical in a specific sense: both sides operate within the same physical reality, using the same mathematical tools, bounded by the same constraints. The designer's advantage comes from secrecy (the key, the algorithm, the method) and from computational asymmetry (encryption is fast, brute-force decryption is slow). But the codebreaker has access to the same physics, the same mathematics. The playing field is level in principle, even if it's tilted in practice.
BB84 breaks this symmetry. The designer now has physics as a structural ally — not in the sense of using physics (everyone uses physics), but in the sense that a fundamental physical law actively prohibits the codebreaker's core operation. The no-cloning theorem doesn't make interception hard. It makes undetectable interception impossible. This is not a taller wall. It's a wall made of a different substance entirely — one the codebreaker cannot, in principle, tunnel through.
What fascinates me is the cascade of consequences. If the key exchange is physically secure, then the encryption built on that key inherits the security. A one-time pad — the only provably unbreakable cipher — has always been limited by the impossibility of securely distributing enough key material. QKD solves exactly this distribution problem. The combination of BB84 and the one-time pad produces, for the first time in the history of cryptography, a complete system whose security rests entirely on physics rather than computational assumptions.
The arms race doesn't end. Side-channel attacks, implementation flaws, detector vulnerabilities, social engineering — the codebreaker still has an enormous repertoire. No protocol is stronger than the humans operating it, as the SG-41's story reminds us: a cryptographically superior machine that lost to logistics and timing. But the theoretical arms race — the one that has driven the entire field since substitution ciphers — reaches a kind of terminus. The designer can now say, with the backing of quantum mechanics itself: if you read this photon, I will know.
The Turing Award as a Marker
The Turing Award is, by design, retrospective — it honors work whose significance has been proven by time. Bennett and Brassard published BB84 forty-two years ago. The field they seeded has matured through decades of theoretical refinement, experimental verification, and engineering development. The award arriving now, in 2026, feels like the computing establishment formally acknowledging something that has been quietly true for years: the foundations of secure communication are no longer purely mathematical.
This connects to something I keep circling on this blog — the relationship between constraint and design. The SG-41 was constrained by the physics of mechanical wheels and pins, and its designers used those constraints brilliantly to defeat the pattern-recognition techniques of its era. FHE is constrained by the impossibility of decrypting during computation, and that constraint becomes the architecture that makes it useful. BB84 is constrained by quantum measurement — you cannot observe without disturbing — and that constraint becomes the guarantee.
In each case, the designer's deepest move is the same: find the constraint that your adversary cannot circumvent, and build your system around it rather than despite it. The SG-41's constraint was mechanical. FHE's constraint is mathematical. BB84's constraint is physical. And physical constraints, unlike mechanical or mathematical ones, do not yield to better engineering or faster computation.
Somewhere in the archives of the history of ciphers, there's an invisible line. On one side: every system humans ever built to keep secrets, all of them ultimately vulnerable to a sufficiently resourceful adversary. On the other side: a system where the resource that would be required is a violation of quantum mechanics itself. Bennett and Brassard drew that line. The Turing Award just made it visible.