Quantum Cryptography Now Fast Enough For Video
cremeglace sends in news of a major advance in the speed of quantum key distribution. "Researchers at the Cambridge Lab of Toshiba Research Europe have solved the problem of transferring highly sensitive data at high speed across a long distance network. The team were able to demonstrate the continuous operation of quantum key distribution (QKD) — a system that allows the communicating users to detect if a third party is trying to eavesdrop on the data communication — at a speed greater than one megabit/sec over a 50 km fibre optic network, thanks to the use of a light detector for high bit rates and a feedback system which maintains the high bit rates during data transfer. ... The faster one megabit/sec data handling will allow the one-time pad to be used for the encryption of video — a vast step forward over the current ability to only encrypt voice data."
And if there's a man in the middle? (Score:3, Insightful)
So if someone is eavesdropping, I won't be able to watch the video?
Re:And if there's a man in the middle? (Score:5, Insightful)
Re:And if there's a man in the middle? (Score:4, Interesting)
Would this be vulnerable to the man in the middle attack on quantum key distribution described in this earlier slashdot article:
http://it.slashdot.org/story/09/12/30/2118250/Quantum-Encryption-Implementation-Broken [slashdot.org]
They seem to be attacking the hardware rather than the software
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
That would give away that there is someone listening. What you are trying to do is stay under the radar and peek inside the line, not disrupt the line.
Re: (Score:1)
So development of a secure communications channel utilizing quantum crypto being inherently susceptible to a denial of service condition due to specialized hardware necessary for transmission which would have to wait for someone to stop listening before re-generating key pairs then transmitting?
I hope this is not in development to replace the 911 infrastructure or monetary data transmissions on a wider scale until that is addressed.
Perhaps a fiber switch/router hardware solution to allow switched routes an
Re: (Score:2)
As soon as the MPAA tries to check what you are watching, the connection is closed and they don't know who you are.
Re: (Score:2)
Re:Any grammar Nazis around? (Score:5, Informative)
Re: (Score:1, Informative)
I think you need some kind of punctuation mark in between '"the team was"' and 'otherwise'.
Re: (Score:1)
Take the word 'class', for example. "The class was dismissed", vs "The class were interviewed one by one". Or government - "The government was defeated", vs "The government were forced to increase interest rates".
MPAA dream? (Score:3, Insightful)
I wonder if some interesting contributors could be noticed in founding sources...
Re: (Score:2)
Re: (Score:2)
Don't give them any more ideas.
sigh, the "quantum" buzzword (Score:3, Insightful)
So, do we still need the magic secondary channel which everyone doing transfers over this "theoretically perfect" channel conveniently forgets?
Re: (Score:2)
How cute, someone complaining about buzzwords.
Re: (Score:3)
If you were to stretch your mind beyond the subject, you'd see I was actually complaining about a fundamental problem with setting up a practical quantum transmission line.
Re: (Score:3, Interesting)
And howd'ja verify the integrity of your transmission? In a possibly equivalent formulation, Bob, how do you make sure Alice is the source of your channels, not Eve?
Re: (Score:2)
Problem 1: Bob, are you sure you are talking to Alice, and not Eve?
Problem 2: Bob, even if you were talking to Alice, are you sure Eve is not listening?
Just because problem 1 is tricky does not mean that solving the second one is completely useless.
Re: (Score:2)
Problem 1: Bob, are you sure you are talking to Alice, and not Eve?
Problem 2: Bob, even if you were talking to Alice, are you sure Eve is not listening?
Sounds like one of those 'Facebook-couple' arguments I see on Lamebook :-). Needs more profanity.
Re: (Score:2)
My understanding is the quantum cryptography assures you that the person you are communicating with is connected to the receiver side of the "quantum connection". Whether the person sitting there is Alice or Eve depends on how many men with guns you've hired to guard the receiver side of the communication.
If you're satisfied with the security of the receiver side then the quantum connection means you never have to hand-deliver another one-time pad in a briefcase.
Re: (Score:2)
It is distributing a one-time pad that is difficult. Once you have that, communication is easy.
Re:sigh, the "quantum" buzzword (Score:4, Insightful)
The secondary classical channel verifies the integrity of the quantum channel. How are we assured of the integrity of the classical channel? We're back to the same weak point we had in the first place: the integrity of a classical channel. If that's insecure, then there's no hope of being assured that both quantum and classical channels aren't being created by Eve. Unless I'm missing something, but it hasn't been pointed out to me yet.
Your one-time pad distribution problem comes down to the same thing. Every practical implementation of quantum transmission lines relies on a classical transmission line in some way.
Re: (Score:2)
-If a spy tries to fool you by taking control of the secondary channel (for example by impersonating Alice), then the protocol will fail as the spy cannot reproduce the correlations you expect to see.
-If the channel is just listened to, it does not matter because no information about the one-time pad is exchanged on it. The only information Eve can get is "It seems their transmission succeeded" or
Re:sigh, the "quantum" buzzword (Score:5, Insightful)
(1) Neither of your scenarios covers the case where both the quantum and the secondary channel are created by Eve, not just the secondary channel;
(2) How is the relationship between quantum and classical channels informed to Bob by Alice?
(3) If your solution is to transport a one time pad at some earlier point "by some other means", then you're copping out twice over, as now we need another classical channel to transmit one time pads long enough for message exchanges.
Re: (Score:2)
(1) Neither of your scenarios covers the case where both the quantum and the secondary channel are created by Eve, not just the secondary channel;
Yes, they do. If Eve eavesdrops on the quantum channel, the correlations will not be there and the OTP will not be established. If the channel is created by Eve, it does not matter. If Eve completely replaces the data sent by Alice, then the correlations will not be there. There is no way to fake these correlations.
(2) How is the relationship between quantum and classical channels informed to Bob by Alice?
You mean, which channel is quantum and which is classical? That can be public knowledge.
(3) If your solution is to transport a one time pad at some earlier point "by some other means", then you're copping out twice over, as now we need another classical channel to transmit one time pads long enough for message exchanges.
There you are right. The protocol must work without being seeded first.
Encryption will only do so much (Score:5, Insightful)
(1) Neither of your scenarios covers the case where both the quantum and the secondary channel are created by Eve, not just the secondary channel;
In other news, no encryption system, even some hypothetical mathematically perfect cypher, will guarantee that Bob is not actually Eve with a pair of socks stuffed down her jeans. No encryption system will tell Alice that Bob really is Bob. No encryption system will warn Alice that Bob is shagging Eve and talks in his sleep. No encryption system will warn you that Eve has tampered with your hardware. No encryption system will magically turn Alice and Bob into experienced cryptographers who will spot tampering.
Of course, you can use encryption to set up something like a trust network to validate identity, but at some point in the chain a human being has to positively identify Bob and Alice and hand them their "credentials". Likewise, no encryption system can be secure against arbitrarily sophisticated hardware/software tampering.
When you have a sexy cypher which the math says is uncrackable it's easy to forget that the math depends on a whole raft of assumptions and assertions.
Re: (Score:3, Insightful)
Very well said.
The main confusion that could so easily be avoided is that when using the ABC names of Alice, Bob and Carl (+ Dave and Eve if needed), people speak as if these are people, when they should outright and explicitly state those are the names of the key pairs.
Once you realize the encryption only exists between named key-pairs, there shouldn't be confusion as to who can send/read what.
If I use my Bob key pair to encrypt a message for Alice, I can actually be pretty sure that only the Alice key p
Re: (Score:1)
Re: (Score:2)
The secondary classical channel verifies the integrity of the quantum channel. How are we assured of the integrity of the classical channel?
If you distribute the one time pad securely over the quantum channel and then encrypt the secondary channel with the one time pad, then it is secure. That is the beauty of the one time pad encryption, it's very simple but also provably 100% secure.
But in the end it is still snake oil. When was the last time an attack worked on breaking strong encryption? It just doesn't happen, security breaks tend to happen at the weakest links, not the strongest one, and classic encryption is pretty damn strong. Also the r
Re: (Score:2)
If you distribute the one time pad securely over the quantum channel and then encrypt the secondary channel with the one time pad, then it is secure.
If you're not sure of the security of the initial send of the one time pad (and you need the classical channel to be sure of it, don't you?), you ought not to use the pad for encrypting further communication. And if you are sure of the security of the initial send, why haven't you gone straight to sending your message by this method?
Re: (Score:2)
Re: (Score:2)
Does 64-bit elliptic curve cryptography count as strong?
Re: (Score:2)
Re: (Score:2)
once you have this authenticated external channel (e.g someone giving you data in person) then eavesdropping in the middle of the line becomes physically impossible.
Erm, part of the key quantum key setup process requires a classical channel after transmission in order to exchange information about the quantum bits which were just sent. This isn't just about some password being whispered in advance. If you're talking about some other algorithm, e.g. for general secured data transfer, could you give more specifics?
Regardless, classical crypto is about the strength of encryption, and cares little for people reading ciphertext. The quantum crypto promise is of a totally di
Re: (Score:2)
Erm, part of the key quantum key setup process requires a classical channel after transmission in order to exchange information about the quantum bits which were just sent. This isn't just about some password being whispered in advance. If you're talking about some other algorithm, e.g. for general secured data transfer, could you give more specifics?
The classical exchange serves to authenticate some of the qubits that were sent, and those qubits are emphatically NOT used to generate the key. The qubits used for that purpose are not exchanged through the classical channel.
Regardless, classical crypto is about the strength of encryption, and cares little for people reading ciphertext. The quantum crypto promise is of a totally different flavour, promising physical obscurity. If its response is "well of course we can only guarantee that Eve is not intercepting once we have guaranteed that Eve is not intercepting!" then, etc.
More specifically, it guarantees that if Eve intercepts the message, you will know it, and therefore you will throw away whatever OTP you have generated without using it. Yes, this means Eve is able to completely break communication (which she could also do, for example, with an axe).
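The check-and-discard step described in the comment above, simulated as an added example that is not part of the original thread. It assumes an idealised BB84-style exchange with perfect hardware (the thread does not name a protocol); `run_bb84`, `measure` and the 11% abort threshold `ABORT_QBER` are illustrative choices.

```python
import random

ABORT_QBER = 0.11  # assumed abort threshold, a commonly cited bound for BB84


def measure(bit, prep_basis, meas_basis, rng):
    """Matching basis returns the encoded bit; a mismatched basis is a coin flip."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)


def run_bb84(n_qubits, eve_present, seed):
    """Simulate one key exchange and return the error rate and both keys."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    alice_bits = [rng.randint(0, 1) for _ in range(n_qubits)]
    alice_bases = [rng.randint(0, 1) for _ in range(n_qubits)]
    bob_bases = [rng.randint(0, 1) for _ in range(n_qubits)]

    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        state_bit, state_basis = bit, a_basis
        if eve_present:
            # Eve cannot copy the state: she measures in a blindly chosen
            # basis and forwards whatever she observed, in her own basis.
            e_basis = rng.randint(0, 1)
            state_bit = measure(bit, a_basis, e_basis, rng)
            state_basis = e_basis
        bob_bits.append(measure(state_bit, state_basis, b_basis, rng))

    # Classical channel, step 1: only the bases are announced, never the bits.
    sifted = [i for i in range(n_qubits) if alice_bases[i] == bob_bases[i]]

    # Step 2: a random half of the sifted bits is disclosed, compared and
    # thrown away. These sacrificed bits never become key material.
    rng.shuffle(sifted)
    half = len(sifted) // 2
    check, keep = sifted[:half], sifted[half:]
    if not check:
        raise ValueError("too few qubits to estimate the error rate")
    qber = sum(alice_bits[i] != bob_bits[i] for i in check) / len(check)

    if qber > ABORT_QBER:
        # Disturbance detected: the pad is discarded unused. Eve has denied
        # service but learned nothing that will ever protect a message.
        return {"qber": qber, "alice_key": None, "bob_key": None}
    return {
        "qber": qber,
        "alice_key": [alice_bits[i] for i in keep],
        "bob_key": [bob_bits[i] for i in keep],
    }


if __name__ == "__main__":
    for label, eve in (("quiet line", False), ("intercept-resend", True)):
        result = run_bb84(4000, eve, seed=1)
        status = "aborted" if result["bob_key"] is None else "key accepted"
        print(f"{label}: QBER={result['qber']:.3f} -> {status}")
```

On the quiet line the disclosed bits match exactly and the remaining half becomes the pad; with the intercept-resend tap about a quarter of the disclosed bits disagree, so the run aborts.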
Re: (Score:2)
Well the point is that QKD only extends a now-existing secure key exchange into the future. This means: if you assume a public key scheme is safe for let's say a few hours for breaking the code then the key which you exchanged at that time using this channel is safe also in the future *even if* the classical key is broken.
But the simple answer to your question is: yes. Usually they conveniently forget it.
Isn't this a waste of time? (Score:2)
You only need secure transmission of keys. After that you don't care.
(I guess this is just "research"...)
Re: (Score:1)
You only need secure transmission of keys. After that you don't care.
Almost. Classical cryptography works on the assumption that a brute force attack is impractical (even if possible in pseudo infinite time.)
Quantum cryptography has no such restriction. This means that unless our understanding of the laws of physics change, no increase in computing firepower will help Eve.
Re:Isn't this a waste of time? (Score:4, Interesting)
There's no reason to believe a brute force attack on AES128 will ever succeed.
Re: (Score:2)
There's no reason to believe a brute force attack on AES128 will ever succeed.
Even if I use a quantum computer?
Re: (Score:2)
If you use a quantum computer, it can be brute-forced approximately as though it were AES-64. The only thing needed to 'defeat' a quantum computer (for symmetric encryption) is to double the length of your symmetric key. Algorithms like AES won't be going anywhere (though AES itself, with the theoretical weaknesses in AES-256, probably will be replaced sooner rather than later).
What's actually in danger is RSA (and some other public key algorithms), though the record for factoring on a quantum computer is s
Re: (Score:1)
There's no reason to believe a brute force attack on AES128 will ever succeed.
You use the word "believe". Does that mean you're not 100% certain? That's exactly what I'm trying to say! Quantum cryptography is uncrackable at the physical level.
Re: (Score:2)
There's no reason to believe a brute force attack on AES128 will ever succeed.
There's no reason to believe a brute force attack on AES128 will never succeed.
Are you kidding? (Score:2)
A brute force attack will always succeed, it will just take a long time. Never is a very long time and computers just keep getting faster.
Maybe you meant to say that there will never be a shortcut (cipher collisions, back door, etc...) to brute forcing AES128, but that is just a widely held opinion at this point, just waiting to get disproven.
Here's a quote for anybody that wants to live (and die) by their own powers of estimation:
"They couldn't hit an elephant at this dis-"
final words of General John Sedgw
Re: (Score:2)
I wasn't able to find the quote I was looking for, but I remember reading somewhere that even if you made a theoretical computer out of all the matter on earth it would take more time than the universe has existed to crack basic encryption with a brute force method. Here is a similar description on wikipedia [wikipedia.org].
The amount of time required to break a 128-bit key is also daunting. Each of the 2^128 (340,282,366,920,938,463,463,374,607,431,768,211,456) possibilities must be checked. A device that could check a billion billion keys (10^18) per second would still require about 10^13 years to exhaust the key space. This is a thousand times longer than the age of the universe, which is about 13,000,000,000 (1.3×10^10) years.
Even using only AES128, brute force is impossible. If you use AES256, then it will take the square of that time to crack.
From the same wikipedia article you used (Score:2)
"An underlying assumption of this analysis is that the complete keyspace is used to generate keys, something that relies on an effective random number generator. For example, a number of systems that were originally thought to be impossible to crack by brute force have nevertheless been cracked in this way because the key space to search through was found to be much smaller than originally thought, due to a lack of entropy in their pseudorandom number generators. These include Netscape's implementation of S
Re: (Score:1)
I may be corrected on this, but as I understand it, a classical computer, I agree, would take a very very long time to brute force AES256.
A quantum computer with enough qbits (one doesn't exist yet, but it may do in the future) would crack it before my tea's finished brewing.
Re: (Score:2)
1. Looking at the history of physics, it seems very likely that our understanding of physics will change
2. The devices implementing these exchanges are still hardware and subject to faults and bad design
Only fools will use this technology, when other technology is available that gives both better assurances and far better cost.
Re: (Score:1)
1. Looking at the history of physics, it seems very likely that our understanding of physics will change
I agree, which is why I didn't ignore the issue. However, if we were to invent a device in which all the quantum states of an object could be simultaneously extracted, our /entire/ understanding of the world would fall like a pack of cards (the philosophical problem of determinism would rear its ugly head again.)
2. The devices implementing these exchanges are still hardware and subject to faults and bad design
Only fools will use this technology, when other technology is available that gives both better assurances and far better cost.
Well, yes, it's still prone to go wrong, but I would be very surprised if any brand new technology could appear with bulletproof reliability these days. Refining it might be tricky, but I'm sure the
Still purely academic (Score:5, Interesting)
And will remain so. Key exchange is not the issue. The issue is the symmetric encryption used afterwards (and that is present with quantum key exchange as well). Even if you disregard that, Quantum key Exchange will never be economically or security wise superior to existing solutions.
If you spend what this quantum BS costs on distributing one-time pads, you are a) provably secure b) need no new infrastructure and network links c) have no problems with routing (Quantum key exchange can only be routed optically and only for a limited distance, signal amplification is not possible) and d) spend a lot less money.
This comparison is unfair, you say, because one-time pads for n participants have size n*n? Unfortunately that is what you likely will end up for the infrastructure for Quantum Key Exchange as well, unless you have a very low number of participants. In that case the one-time pad becomes very cheap too.
Let me give you an example:
Say, we have 10 participants. Say we need 100'000 keys a day. Say a key has 256 bit, i.e. 32 bytes. A single DVD-ROM of random bits can then last for about 4 years. Generating 5GB of high-quality randomness can be done relatively cheaply, I would estimate that a generator using junction-noise can be built that gives you about 50kB/sec of random bits for less than $5000 (32 junction generators at $100 each, one 32 bit digital I/O card, one standard PC. My prototype for a junction generator is about $2 in parts, but has no shielding or filtering). That one takes a bit more than a day for the DVD. Say $10'000 overall, including labor. Then you have costs of couriering the DVDs to the destination. Say something like $100'000 per year. For a larger net, say 100 participants, use 1TB HDDs for 31 years at 1'000'000 keys/day. Or 3 years at 10'000'000 keys/day for 1000 participants.
While this is simplified, the numbers are realistic. They are several orders of magnitude cheaper than any quantum solution. Do not forget that this quantum stuff only works with people you know and that have the right (expensive) hardware already installed and are on a direct optical or optically routed link with you that is below a certain length.
And here is the killer: There are working key exchange solutions that can be made far more secure than the symmetrical encryption and that do not need any change to the network infrastructure at all. In addition, they do not have the risk that the physical theory (and it is just a theory, not fact) has a slight error that then leaks key material.
In short: This technology makes no sense whatsoever from a security or economic point of view and very likely never will.
For a few users, it does matter. (Score:2)
Then you have costs of couriering the DVDs to the destination.
Let me fix that for you :
Then you have costs of securely couriering the DVDs to the destination.
It's not a matter of just slipping the OTP DVD in a normal envelope and shipping it. You should be 100% trusting the whole route the DVD is taking, and you should be 100% trusting your storage and on-site security for the next 4 years of that DVD's useful time. This even more so as there will be a lot of DVDs being transported around in your solution. You always need a secure channel, no matter what.
The trick is, with quantum key exchange, the quantum channel is inherently secure due
Re: (Score:2)
Quite obvious that this meant dedicated couriers under your control. Otherwise I would have said "shipping". Also note that "tamper evident" transportation is quite enough. And in addition, of course you would encrypt these DVDs. So, no, getting them distributed is not a problem and not that expensive. And as to secure storage, you do know that breaking into computers allows you to access data stored there, even if it was transported encrypted?
A second problem is that these "laws of physics" you quote are n
Ridiculous (Score:2)
Ridiculous.
The quantum-cryptography part is almost indubitably used for the preliminary exchange of keys.
The actual data is then sent by normal, non-quantum channels.
Comcast can encrypt video (Score:1)
And make sure that nobody can steal it. Isn't that the point?
The first thing I will watch via Quantum Video? (Score:2)
Quantum Leap, of course. What else?
Re: (Score:2)
Certs will still be vulnerable (Score:2)
With CAs already caught handing out faked certs to the authorities so they can MITM an SSL channel, the ship has already sailed on any encryption system where remote trust is required.