Top

No matter what Elon Musk says about it, I don’t subscribe to Simulation hypothesis, the idea that we’re living in a Matrix of sorts. The recent Spectre/Meltdown computer security vulnerability got me thinking, though. If the universe doesn’t want us to escape it, it needs to protect its secrets. From this perspective, the Heisenberg Uncertainty Principle looks like an attempt by our simulators to prevent timing attacks against the universe. God may not play dice with the universe, as Einstein said, but one would assume He does use proper security practices.

Let’s start by examining the computer version of this, and then we’ll look at the analogous physical phenomena.

Timing attacks have been on the mind recently in computing. It turns out that the privacy of many of our processors can be violated with shocking ease using techniques called Spectre and Meltdown. Without going into excruciating detail — get off me, pedantic security nerds — the basic idea is that if you can create a timer, you can measure how long it takes the processor to perform a task. Once you can measure processor timings, you can time it looking up lots of different pieces of data and see which ones go faster than others. If a piece of data can be retrieved much more quickly than the others, it means the data required for that task was already sitting around in the processor cache, so the processor didn’t have to go fetch it from RAM, which takes a few thousand times longer.

If you can figure out what’s in the processor cache, you can infer data the operating system is using, which is supposed to be privileged so that user code (e.g. a website running in your browser, sending your personal information back to the Russian mob) doesn’t have access to it. This vulnerability is so pervasive and severe that some experts have said it invalidates the past two decades of processor design, along with a whole field called LangSec, or language security. Part of what makes this attack so pernicious is that as soon as you can create a sufficiently granular timer, you can replicate the attack.

Security researchers don’t like to make bold claims about the fortitude of their systems for fear of invoking the wrath of Poseidon, so they don’t say they can prevent Spectre/Meltdown, only that they can “mitigate” its danger. One primary mitigation technique is to add randomness to the timers available to unprivileged code. When the code asks the system what time it is, the system generates a random number and adds that to the reported time to keep the program in the dark. Google Chrome, for example, has fuzzed their timers to bring their resolution down about a factor of a thousand, from sub-nanosecond to half a microsecond.

One interesting aspect of this mitigation technique is that fuzzing the explicit timers isn’t enough. There are a bunch of other pieces of programs that can be used to MacGyver a timer out of other building blocks, such as chunks of memory shared by multiple concurrently executing processes. Since browsers routinely execute untrusted code — remember, a website is someone else’s program running on your computer — they have to protect against any jerry-rigged timer.

This brings us to the physics. Many laypeople are at least somewhat familiar with one formulation of the Heisenberg Uncertainty Principle: namely, that one can never know both the position and momentum of a particle simultaneously. This, however, is only one special case of the principle. The more general statement is that for any two conjugate variables (I’ll describe those shortly), if you multiply the uncertainty in one variable by the uncertainty in the other variable, you’ll always get a number greater than a constant called ħ, the reduced version of Planck’s constant. Position and momentum form a pair of conjugate variables, so that means the uncertainty in position times the uncertainty in momentum never goes down to zero.

Conjugate variables, basically, are any pair of variables such that if you knew both of them exactly, you could use that to predict the future perfectly. For position and momentum, if you know both where something is right now and how fast it’s going, you can foretell its position at some future time. Angle and angular momentum form a pair of conjugate variables, and there are other pairs relating to electromagnetism, gravity, and fluid dynamics.

One lesser-known pair of conjugate variables is energy and time. This is a bit more complex than position and momentum because you can’t really measure time in an absolute way — get off me, pedantic physics-nerds — but one analogy for thinking about this is to think about musical notes. A similar uncertainty principle holds there: you can never exactly know both the frequency (the pitch) of a note and its location in time. It’s really just a poorly defined question: a bass note at 20Hz will take 1/50th of a second in order to undergo a full cycle. The longer someone holds the note, the more exactly you can state its frequency, but its “location in time” spans from the time you hit the note until the time it stops, so a longer note has more uncertainty in time.

By preventing us from knowing the exact time-span of an event, physics protects its hidden future against timing attacks. If we were able to time events and know their energy simultaneously — or to know position and momentum simultaneously, or any other pair of conjugate variables — we’d be able to predict the future. No matter what pair of variables we look at that we could use to predict the future, Heisenberg Uncertainty kicks in and mitigates our attempt by reducing the accuracy of our measurement.

Heisenberg Uncertainty prevents us from performing a timing attack against the universe. It also doesn’t just prevent direct timing attacks, but it also prevents us from knowing any pair of variables that would allow us to fully understand what’s going on, just as browsers have to prevent the construction of do-it-yourself timers using other means.

Why does physics behave this way? One reason could be that it doesn’t want us to know everything. After all, when humanity failed to prevent accurate access to time measurement, or other variables that could be converted into a time measurement, millions of computers became vulnerable. Maybe the universe limits our information so we can’t learn its secrets.

Let’s just hope our simulators aren’t upset that we figured this out. I don’t want to run afoul of the cosmic antivirus.

Ted Blackman is a software engineer based in San Francisco. He holds an S.B. in physics from the Massachusetts Institute of Technology.