
Quantum Cryptography Now Fast Enough For Video

cremeglace sends in news of a major advance in the speed of quantum key distribution. "Researchers at the Cambridge Lab of Toshiba Research Europe have solved the problem of transferring highly sensitive data at high speed across a long distance network. The team were able to demonstrate the continuous operation of quantum key distribution (QKD) — a system that allows the communicating users to detect if a third party is trying to eavesdrop on the data communication — at a speed greater than one megabit/sec over a 50 km fibre optic network, thanks to the use of a light detector for high bit rates and a feedback system which maintains the high bit rates during data transfer. ... The faster one megabit/sec data handling will allow the one-time pad to be used for the encryption of video — a vast step forward over the current ability to only encrypt voice data."
  • by BadAnalogyGuy ( 945258 ) <BadAnalogyGuy@gmail.com> on Tuesday April 20, 2010 @03:44AM (#31907480)

    So if someone is eavesdropping, I won't be able to watch the video?

    • by Chrisq ( 894406 ) on Tuesday April 20, 2010 @03:58AM (#31907542)
      That's absolutely correct. For some purposes it is better that you terminate the video session than have someone listening in undetected.
      • by mooglez ( 795643 ) on Tuesday April 20, 2010 @04:07AM (#31907584)

        Would this be vulnerable to the man in the middle attack on quantum key distribution described in this earlier slashdot article:

        http://it.slashdot.org/story/09/12/30/2118250/Quantum-Encryption-Implementation-Broken [slashdot.org]

        They seem to be attacking the hardware rather than the software

        • by Chrisq ( 894406 )
          That's a good question, and not answerable from the article. The method given was as you say an attack on the hardware, by sending strong pulses of light the eavesdropper could force the detectors to register ones (and zeros?). The article does not say whether a similar type of detector is being used and whether it is subject to this attack.
          • Or just keep eavesdropping to introduce a denial of service condition unless utilizing a switched environment
            • That would give away that there is someone listening. What you are trying to do is stay under the radar and peek inside the line, not disrupt the line.

              • So development of a secure communications channel utilizing quantum crypto being inherently susceptible to a denial of service condition due to specialized hardware necessary for transmission which would have to wait for someone to stop listening before re-generating key pairs then transmitting?

                I hope this is not in development to replace the 911 infrastructure or monetary data transmissions on a wider scale until that is addressed.

                Perhaps a fiber switch/router hardware solution to allow switched routes an

      • As soon as the MPAA tries to check what you are watching, the connection is closed and they don't know who you are.

    • Yes, but that's no surprise. If they were eavesdropping then necessarily they have to have physical access to the fibre. They could just cut it.
  • MPAA dream? (Score:3, Insightful)

    by sznupi ( 719324 ) on Tuesday April 20, 2010 @04:04AM (#31907574) Homepage

    I wonder if some interesting contributors could be noticed in funding sources...

  • by FuckingNickName ( 1362625 ) on Tuesday April 20, 2010 @04:20AM (#31907650) Journal

    So, do we still need the magic secondary channel which everyone doing transfers over this "theoretically perfect" channel conveniently forgets?

    • How cute, someone complaining about buzzwords.

      • If you were to stretch your mind beyond the subject, you'd see I was actually complaining about a fundamental problem with setting up a practical quantum transmission line.

    • You need a secondary channel, but it doesn't have to be magic. You can use, like, pigeons, or mail, or a phone call, or if you're technologically inclined, the internet.

      It is distributing a one-time pad that is difficult. Once you have that, communication is easy.
      • by FuckingNickName ( 1362625 ) on Tuesday April 20, 2010 @05:13AM (#31907868) Journal

        The secondary classical channel verifies the integrity of the quantum channel. How are we assured of the integrity of the classical channel? We're back to the same weak point we had in the first place: the integrity of a classical channel. If that's insecure, then there's no hope of being assured that both quantum and classical channels aren't being created by Eve. Unless I'm missing something, but it hasn't been pointed out to me yet.

        Your one-time pad distribution problem comes down to the same thing. Every practical implementation of quantum transmission lines relies on a classical transmission line in some way.

        • No, that's the whole point of the protocol. Even if the secondary channel is insecure, it cannot be faked.

          -If a spy tries to fool you by taking control of the secondary channel (for example by impersonating Alice), then the protocol will fail as the spy cannot reproduce the correlations you expect to see.
          -If the channel is just listened to, it does not matter because no information about the one-time pad is exchanged on it. The only information Eve can get is "It seems their transmission succeeded" or
          • by FuckingNickName ( 1362625 ) on Tuesday April 20, 2010 @05:32AM (#31907916) Journal

            (1) Neither of your scenarios covers the case where both the quantum and the secondary channel are created by Eve, not just the secondary channel;

            (2) How is the relationship between quantum and classical channels informed to Bob by Alice?

            (3) If your solution is to transport a one time pad at some earlier point "by some other means", then you're copping out twice over, as now we need another classical channel to transmit one time pads long enough for message exchanges.

            • (1) Neither of your scenarios covers the case where both the quantum and the secondary channel are created by Eve, not just the secondary channel;

              Yes, they do. If Eve eavesdrops on the quantum channel, the correlations will not be there and the OTP will not be established. If the channel is created by Eve, it does not matter. If Eve completely replaces the data sent by Alice, then the correlations will not be there. There is no way to fake these correlations.

              (2) How is the relationship between quantum and classical channels informed to Bob by Alice?

              You mean, which channel is quantum and which is classical? That can be public knowledge.

              (3) If your solution is to transport a one time pad at some earlier point "by some other means", then you're copping out twice over, as now we need another classical channel to transmit one time pads long enough for message exchanges.

              There you are right. The protocol must work without being seeded first.

            • by itsdapead ( 734413 ) on Tuesday April 20, 2010 @07:10AM (#31908330)

              (1) Neither of your scenarios covers the case where both the quantum and the secondary channel are created by Eve, not just the secondary channel;

              In other news, no encryption system, even some hypothetical mathematically perfect cypher, will guarantee that Bob is not actually Eve with a pair of socks stuffed down her jeans. No encryption system will tell Alice that Bob really is Bob. No encryption system will warn Alice that Bob is shagging Eve and talks in his sleep. No encryption system will warn you that Eve has tampered with your hardware. No encryption system will magically turn Alice and Bob into experienced cryptographers who will spot tampering.

              Of course, you can use encryption to set up something like a trust network to validate identity, but at some point in the chain a human being has to positively identify Bob and Alice and hand them their "credentials". Likewise, no encryption system can be secure against arbitrarily sophisticated hardware/software tampering.

              When you have a sexy cypher which the math says is uncrackable it's easy to forget that the math depends on a whole raft of assumptions and assertions.

              • Re: (Score:3, Insightful)

                by dissy ( 172727 )

                Very well said.

                The main confusion that could so easily be avoided, is that when using the ABC names of Alice Bob and Carl (+ Dave and Eve if needed), people speak as if these are people, when they should outright and explicitly state those are the names of the key pairs.

                Once you realize the encryption only exists between named key-pairs, there shouldn't be confusion as to who can send/read what.

                If I use my Bob key pair to encrypt a message for Alice, I can actually be pretty sure that only the Alice key p

            • 1. If all communication channels are created by an attacker and there is neither pre-shared randomness nor a trusted third party, you cannot guarantee that you're talking to anyone in particular as you have no way of cryptographically verifying their identity. I believe this is unavoidable, quantum crypto or no.
              2. However you please. Email, telephone call, in person, etc. Authentication happens during the communication; if the notice of which channel to use were modified, the authentication will fail.
              3.
        • by grumbel ( 592662 )

          The secondary classical channel verifies the integrity of the quantum channel. How are we assured of the integrity of the classical channel?

          If you distribute the one time pad securely over the quantum channel and then encrypt the secondary channel with the one time pad, then it is secure. That is the beauty of the one time pad encryption, it's very simple but also provably 100% secure.

          But in the end it is still snake oil. When was the last time an attack worked on breaking strong encryption? It just doesn't happen, security breaks tend to happen at the weakest links, not the strongest one, and classic encryption is pretty damn strong. Also the r

          • If you distribute the one time pad securely over the quantum channel and then encrypt the secondary channel with the one time pad, then it is secure.

            If you're not sure of the security of the initial send of the one time pad (and you need the classical channel to be sure of it, don't you?), you ought not to use the pad for encrypting further communication. And if you are sure of the security of the initial send, why haven't you gone straight to sending your message by this method?

            • Because Eve CAN intercept the message. If she intercepts the OTP, then you will know it, therefore you will not use it and no information is compromised. If you transmit the message directly, however, she can listen in and you will only realize it when it's too late.
          • When was the last time an attack worked on breaking strong encryption?

            Does 64-bit elliptic curve cryptography count as strong?

        • It's not so much that it relies on a classical transmission line as that it relies on authentication. Obviously, no maths or physics can tell you which human is at the other end of the line. This is inherently true of any cryptosystem, no matter how strong or how quantum. To prevent man-in-the-middle attacks you'll always need to ultimately rely on someone giving you a key through some external channel. The advantage with quantum cryptography is that, once you have this authenticated external channel (e.g
          • once you have this authenticated external channel (e.g someone giving you data in person) then eavesdropping in the middle of the line becomes physically impossible.

            Erm, part of the key quantum key setup process requires a classical channel after transmission in order to exchange information about the quantum bits which were just sent. This isn't just about some password being whispered in advance. If you're talking about some other algorithm, e.g. for general secured data transfer, could you give more specifics?

            Regardless, classical crypto is about the strength of encryption, and cares little for people reading ciphertext. The quantum crypto promise is of a totally di

            • Erm, part of the key quantum key setup process requires a classical channel after transmission in order to exchange information about the quantum bits which were just sent. This isn't just about some password being whispered in advance. If you're talking about some other algorithm, e.g. for general secured data transfer, could you give more specifics?

              The classical exchange serves to authenticate some of the qubits that were sent, and those qubits are emphatically NOT used to generate the key. The qubits used for that purpose are not exchanged through the classical channel.

              Regardless, classical crypto is about the strength of encryption, and cares little for people reading ciphertext. The quantum crypto promise is of a totally different flavour, promising physical obscurity. If its response is "well of course we can only guarantee that Eve is not intercepting once we have guaranteed that Eve is not intercepting!" then, etc.

              More specifically, it guarantees that if Eve intercepts the message, you will know it, and therefore you will throw away whatever OTP you have generated without using it. Yes, this means Eve is able to completely break communication (which she could also do, for example, with an axe).
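
The check described in the comment above (disclose a sample of the sifted bits over the classical channel, keep the rest for the key, throw the run away if the sample shows interference), as an added example that is not part of the original thread. It is an idealised BB84-style simulation: the protocol choice, the noiseless channel, the intercept-resend eavesdropper, the 11% abort threshold and every function name are assumptions made here, and the classical channel is taken to be authenticated.

```python
import random
from dataclasses import dataclass
from typing import List, Optional

QBER_ABORT_THRESHOLD = 0.11  # assumed abort threshold for this sketch


@dataclass
class Result:
    qber: float                     # error rate measured on the disclosed sample
    alice_key: Optional[List[int]]  # None when the run is aborted
    bob_key: Optional[List[int]]


def measure(bit, prepared_basis, measuring_basis, rng):
    """Matching basis returns the encoded bit; a mismatched basis is a coin flip."""
    return bit if prepared_basis == measuring_basis else rng.randint(0, 1)


def bb84_run(n_qubits, eve_present, seed, sample_fraction=0.5):
    rng = random.Random(seed)  # simulation only; a real system needs a true RNG
    alice_bits = [rng.randint(0, 1) for _ in range(n_qubits)]
    alice_bases = [rng.randint(0, 1) for _ in range(n_qubits)]

    # Quantum channel: each photon is (encoded bit, preparation basis).
    photons = list(zip(alice_bits, alice_bases))
    if eve_present:
        # Intercept-resend: Eve has to pick a basis, measure, and resend in it.
        resent = []
        for bit, basis in photons:
            eve_basis = rng.randint(0, 1)
            resent.append((measure(bit, basis, eve_basis, rng), eve_basis))
        photons = resent

    bob_bases = [rng.randint(0, 1) for _ in range(n_qubits)]
    bob_bits = [measure(bit, basis, bob_bases[i], rng)
                for i, (bit, basis) in enumerate(photons)]

    # Classical channel, step 1 (sifting): only bases are announced, never bits.
    sifted = [i for i in range(n_qubits) if alice_bases[i] == bob_bases[i]]

    # Classical channel, step 2: disclose the bits of a random sample and compare.
    rng.shuffle(sifted)
    cut = int(len(sifted) * sample_fraction)
    sample, kept = sifted[:cut], sorted(sifted[cut:])
    if not sample:
        raise ValueError("too few sifted bits to estimate the error rate")
    errors = sum(alice_bits[i] != bob_bits[i] for i in sample)
    qber = errors / len(sample)

    if qber > QBER_ABORT_THRESHOLD:
        return Result(qber, None, None)  # discard everything; no pad is used
    # The disclosed sample positions are excluded from the key.
    return Result(qber,
                  [alice_bits[i] for i in kept],
                  [bob_bits[i] for i in kept])


if __name__ == "__main__":
    for eve in (False, True):
        r = bb84_run(4000, eve_present=eve, seed=1)
        status = "aborted" if r.alice_key is None else f"{len(r.alice_key)} key bits"
        print(f"eve={eve}  QBER={r.qber:.3f}  {status}")
```

With the eavesdropper measuring every photon, about a quarter of the sampled bits disagree, so the run is aborted before any key material exists.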

    • by drolli ( 522659 )

      Well the point is that QKD only extends a now-existing secure key exchange into the future. This means: if you assume a public key scheme is safe for let's say a few hours for breaking the code then the key which you exchanged at that time using this channel is safe also in the future *even if* the classical key is broken.

      But the simple answer to your question is: yes. Usually they conveniently forget it.

  • You only need secure transmission of keys. After that you don't care.

    (I guess this is just "research"...)

    • You only need secure transmission of keys. After that you don't care.

      Almost. Classical cryptography works on the assumption that a brute force attack is impractical (even if possible in pseudo infinite time.)

      Quantum cryptography has no such restriction. This means that unless our understanding of the laws of physics change, no increase in computing firepower will help Eve.

      • by Joce640k ( 829181 ) on Tuesday April 20, 2010 @09:53AM (#31910228) Homepage

        There's no reason to believe a brute force attack on AES128 will ever succeed.

        • by nickco3 ( 220146 ) *

          There's no reason to believe a brute force attack on AES128 will ever succeed.

          Even if I use a quantum computer?

          • If you use a quantum computer, it can be brute-forced approximately as though it were AES-64. The only thing needed to 'defeat' a quantum computer (for symmetric encryption) is to double the length of your symmetric key. Algorithms like AES won't be going anywhere (though AES itself, with the theoretical weaknesses in AES-256, probably will be replaced sooner rather than later).

            What's actually in danger is RSA (and some other public key algorithms), though the record for factoring on a quantum computer is s

        • There's no reason to believe a brute force attack on AES128 will ever succeed.

          You use the word "believe". Does that mean you're not 100% certain? That's exactly what I'm trying to say! Quantum cryptography is uncrackable at the physical level.

        • by Viadd ( 173388 )

          There's no reason to believe a brute force attack on AES128 will ever succeed.

          There's no reason to believe a brute force attack on AES128 will never succeed.

        • A brute force attack will always succeed, it will just take a long time. Never is a very long time and computers just keep getting faster.

          Maybe you meant to say that there will never be a shortcut (cipher collisions, back door, etc...) to brute forcing AES128, but that is just a widely held opinion at this point, just waiting to get disproven.

          Here's a quote for anybody that wants to live (and die) by their own powers of estimation:
          "They couldn't hit an elephant at this dis-"
          final words of General John Sedgw

          • I wasn't able to find the quote I was looking for, but I remember reading somewhere that even if you made a theoretical computer out of all the matter on earth it would take more time than the universe has existed to crack basic encryption with a brute force method. Here is a similar description on wikipedia [wikipedia.org].

            The amount of time required to break a 128-bit key is also daunting. Each of the 2^128 (340,282,366,920,938,463,463,374,607,431,768,211,456) possibilities must be checked. A device that could check a billion billion keys (10^18) per second would still require about 10^13 years to exhaust the key space. This is a thousand times longer than the age of the universe, which is about 13,000,000,000 (1.3×10^10) years.

            Even using only AES128, brute force is impossible. If you use AES256, then it will take the square of that time to crack.

            • "An underlying assumption of this analysis is that the complete keyspace is used to generate keys, something that relies on an effective random number generator. For example, a number of systems that were originally thought to be impossible to crack by brute force have nevertheless been cracked in this way because the key space to search through was found to be much smaller than originally thought, due to a lack of entropy in their pseudorandom number generators. These include Netscape's implementation of S

            • I may be corrected on this, but as I understand it, a classical computer, I agree, would take a very very long time to brute force AES256.

              A quantum computer with enough qbits (one doesn't exist yet, but it may do in the future) would crack it before my tea's finished brewing.

      • by gweihir ( 88907 )

        Quantum cryptography has no such restriction. This means that unless our understanding of the laws of physics change, no increase in computing firepower will help Eve.

        1. Looking at the history of physics, it seems very likely that our understanding of physics will change
        2. The devices implementing these exchanges are still hardware and subject to faults and bad design

        Only fools will use this technology, when other technology is available that gives both better assurances and far better cost.

        • 1. Looking at the history of physics, it seems very likely that our understanding of physics will change

          I agree, which is why I didn't ignore the issue. However, if we were to invent a device in which all the quantum states of an object could be simultaneously extracted, our /entire/ understanding of the world would fall like a pack of cards (the philosophical problem of determinism would rear its ugly head again.)

          2. The devices implementing these exchanges are still hardware and subject to faults and bad design

          Only fools will use this technology, when other technology is available that gives both better assurances and far better cost.

          Well, yes, it's still prone to go wrong, but I would be very surprised if any brand new technology could appear with bulletproof reliability these days. Refining it might be tricky, but I'm sure the

  • by gweihir ( 88907 ) on Tuesday April 20, 2010 @05:49AM (#31907994)

    And will remain so. Key exchange is not the issue. The issue is the symmetric encryption used afterwards (and that is present with quantum key exchange as well). Even if you disregard that, Quantum Key Exchange will never be economically or security wise superior to existing solutions.

    If you spend what this quantum BS costs on distributing one-time pads, you are a) provably secure b) need no new infrastructure and network links c) have no problems with routing (Quantum key exchange can only be routed optically and only for a limited distance, signal amplification is not possible) and d) spend a lot less money.

    This comparison is unfair, you say, because one-time pads for n participants have size n*n? Unfortunately that is what you likely will end up for the infrastructure for Quantum Key Exchange as well, unless you have a very low number of participants. In that case the one-time pad becomes very cheap too.

    Let me give you an example:
    Say, we have 10 participants. Say we need 100'000 keys a day. Say a key has 256 bit, i.e. 32 bytes. A single DVD-ROM of random bits can then last for about 4 years. Generating 5GB of high-quality randomness can be done relatively cheaply, I would estimate that a generator using junction-noise can be built that gives you about 50kB/sec of random bits for less than $5000 (32 junction generators at $100 each, one 32 bit digital I/O card, one standard PC. My prototype for a junction generator is about $2 in parts, but has no shielding or filtering). That one takes a bit more than a day for the DVD. Say $10'000 overall, including labor. Then you have costs of couriering the DVDs to the destination. Say something like $100'000 per year. For a larger net, say 100 participants, use 1TB HDDs for 31 years at 1'000'000 keys/day. Or 3 years at 10'000'000 keys/day for 1000 participants.

    While this is simplified, the numbers are realistic. They are several orders of magnitude cheaper than any quantum solution. Do not forget that this quantum stuff only works with people you know and that have the right (expensive) hardware already installed and are on a direct optical or optically routed link with you that is below a certain length.

    And here is the killer: There are working key exchange solutions that can be made far more secure than the symmetrical encryption and that do not need any change to the network infrastructure at all. In addition, they do not have the risk that the physical theory (and it is just a theory, not fact) has a slight error that then leaks key material.

    In short: This technology makes no sense whatsoever from a security or economic point of view and very likely never will.

    • Then you have costs of couriering the DVDs to the destination.

      Let me fix that for you :

      Then you have costs of securely couriering the DVDs to the destination.

      It's not a matter of just slipping the OTP DVD in a normal envelope and shipping it. You should be 100% trusting the whole route the DVD is taking, and you should be 100% trusting your storage and on-site security for the next 4 years of that DVD's useful time. This even more so as there will be a lot of DVDs being transported around in your solution. You always need a secure channel, no matter what.
      The trick is, with quantum key exchange, the quantum channel is inherently secure due

      • by gweihir ( 88907 )

        Quite obvious that this meant dedicated couriers under your control. Otherwise I would have said "shipping". Also note that "tamper evident" transportation is quite enough. And in addition, of course you would encrypt these DVDs. So, no, getting them distributed is not a problem and not that expensive. And as to secure storage, you do know that breaking into computers allows you to access data stored there, even if it was transported encrypted?

        A second problem is that these "laws of physics" you quote are n

  • Ridiculous.

    The quantum-cryptography part is almost indubitably used for the preliminary exchange of keys.

    The actual data is then sent by normal, non-quantum channels.

  • And make sure that nobody can steal it. Isn't that the point?

  • Quantum Leap, of course. What else?

  • I agree with the math wizards here: It hardly matters whether this channel is secure or not since the attack will come in the form of a man-in-the-middle with both parties (incorrectly) convinced they are talking to the other. This is an attack on the certification system, not the encryption system.

    With CAs already caught handing out faked certs to the authorities so they can MITM an SSL channel, the ship has already sailed on any encryption system where remote trust is required.
