First Exploit On Quantum Cryptography Confirmed 86
Vadim Makarov writes "Physics World reports on researchers demonstrating a full eavesdropper on a quantum key distribution link. Unlike conventional exploits for security vulnerabilities that are often just a piece of software, spying on quantum cryptography required a box full of optics and mixed-signal electronics. Details are published in Nature Communications, and as a free preprint. The vulnerability was known before, but this is the first actual working exploit with secret-key recording confirmed. Patching this loophole is in progress. Disclosure: I am one of the researchers who worked on this."
Oh well. (Score:1)
That's that then.
Re:Oh well. (Score:5, Funny)
Re: (Score:1)
Re: (Score:3)
Re: (Score:2, Insightful)
The problem is there are always implementation details.
The basic design of QC says:
1) Assume that we can build these perfect emitters and detectors
2) Now we've got something that's perfectly secure
It's like saying:
1) Assume I can create an invincible dragon
2) Lets use it to distribute crypto keys
This is not to say s that QC is useless, but rather that it's capabilities are severely overhyped.
To put it another way, these "implementation details" are all part of the "underlying physics". Every piece of physi
Re: (Score:3)
You're exaggerating your point (eg. by talking about dragons and warp drive). One of the articles suggests you might mitigate this attack with a relatively simple extra verification step. This attack depends explicitly upon "blinding" a detector with light "above the intensity threshold" (certainly this is oversimplified). That's an attack on implementation details. Certainly I didn't mean to say that building a QC system is all "implementation details"; that would just be stupid. This one point that was at
Re: (Score:1)
I think I made the point well.... since neither perfect emitters/detectors, dragons or warp drives exist.
Since these items don't exist, then the problem needs be be examined in the light of what actually does exist.
The fact that the detector has an intensity threshold isn't an implementation detail, it a part of the underlying physics. Point me to a detector that doesn't have one.
You can't just replace the detector with a different one that doesn't have this problem, you have to make the QC system more com
Re: (Score:2)
People are used to regular crypto, where the task of computing the result of a basic mathematic function can be safely left to hand-waving. You can do RSA with a computer, or longhand on a piece of paper. The properties of the computer aren't an assumed part of the way the system works. With QC, it is assumed that pieces of hardware behave in very specific ideal ways. You can't buy parts that work like that, you have to use real parts. Therefore the system design, and explanations of how a real system works need to account for that.
I still think (from my fuzzy understanding of this attack) that it uses a specific implementation detail that depends upon the system used, and might be relatively easy to patch. Maybe they can use different wavelengths of photons, one for a test and one not--I don't have the expertise to say how much of a redesign is necessary. The article makes it sound like it's not a huge deal, and the Toshiba guys say in one of the other articles that their system isn't susceptible
Re:Oh well. (Score:5, Informative)
I still think (from my fuzzy understanding of this attack) that it uses a specific implementation detail that depends upon the system used, and might be relatively easy to patch. Maybe they can use different wavelengths of photons, one for a test and one not--I don't have the expertise to say how much of a redesign is necessary. The article makes it sound like it's not a huge deal, and the Toshiba guys say in one of the other articles that their system isn't susceptible to these attacks when properly operated.
Currently the problem is quite general, because most quantum cryptosystems today use detectors of the vulnerable type. We think it is patchable, just not by the approach the Toshiba group practices, but patchable. (We dislike Toshiba's approach for not being general and thorough, but more of a quick band-aid.) During the past 20 years there were a couple problems of similar magnitude in quantum crypto, and they were solved. Note that similar problems periodically show in implementations of classical crypto.
The future of quantum crypto will now be decided, from one side, by the market, and from another side, by publicly disclosed mathematical developments on various classical ciphers (which can be cracked overnight, but can also be proven more secure... I'm not a mathematician so I won't venture a guess for the odds of either). In quantum cryptography there is at least one well-engineered commercial system, several advanced commercial prototypes (Toshiba has one), and the hacking efforts are going to eliminate all easy loopholes in a reasonable time. It is also important how well quantum cryptography can be meshed into networks with many nodes and links. There have been several demonstrations of quantum crypto networks, the latest in Japan last year.
The current commercial systems (like ID Quantique's Cerberis [idquantique.com]) use quantum cryptography as an extra security layer on top of classical crypto. To get to the master key used to encrypt the data, one needs to crack both quantum key distribution and classical key distribution at the same tme. We temporarily compromised the quantum layer in this work, but in a commercial installation the data security would hang on the classical crypto, until the quantum layer is patched. Of course the security of the symmetric ciphers (normally AES with frequent key changes) used for high-speed data encryption is another question, but I think there is also an option to establish a low-bandwidth highly-secure channel encrypted by one-time-pad. The whole reason AES is offered with quantum crypto is that the performance of the classical crypto has spoiled everybody, and the users do not want to separate communication into high-security and low-security categories. They just want to encrypt the whole 10 Gbps link, so this is the default option.
Re: (Score:2)
Re: (Score:2)
Of course the security of the symmetric ciphers (normally AES with frequent key changes) used for high-speed data encryption is another question
Especially since AES can be quite vulnerable to side channel attacks, maybe even more so if implemented in hardware. AES should be used for less blocks than triple DES. Then again, it might be hard to come by another hardware accellerated cipher that has been researched as extensively - I suppose triple DES is out of the question. Maybe one of the other AES candidates or even Threefish could be used instead (or on top of AES, we're talking highly secure systems here).
I think I get it (Score:2)
Re: (Score:2)
O_____>-|o _____O
Two things:
A permanent fix? (Score:1)
What next? Havind done perfect eavesdropping, weâ(TM)re now working on a perfect countermeasure to it, to secure once and for all against any device imperfections. This will take some effort, too.
There is no 'once and for all' for anything and anyone that believes that is misguided.
Re: (Score:1)
Re: (Score:2, Funny)
Dammit, more quantum stuff... Should I understand? (Score:1)
Quantum computing, quantum cryptography, etc. are pretty common categories here on /. and I really don't know anything about either. Now, the question is... should I be alarmed for not being up to date here? Or is this stuff that really won't become relevant for 90% of software engineers outside academia for quite a long while? (I mostly develop web services and mobile applications but I still expect to work in this field for quite a few decades and if this is something that software engineers should unders
Re: (Score:3)
should I be alarmed for not being up to date here?
You both should and shouldn't be alarmed.
Understand it for fun, but not for use just yet. (Score:2)
The original patent on quantum cryptography was for a banknote with trapped photons. These could only be read once, so you had to know the polarization axis of the of the photons to read their state. This was a wonderfully batty idea, and a useful explanation of what is known and what isn't known about a quantum state.
However, when you go into actual implementations of quantum communications, you find the hacking techniques are much the same. Here, they are trying to send out a single photon. If a real l
Worth noting (Score:2, Insightful)
This is not an exploit of quantum cryptography.
It is an exploit in the implementation of the detectors.
They can't tell the difference between the quantum signal they are supposed to be detecting and a faked signal using classical light pulses. Man-in-the-middle attacks are fairly straightforward for classic light signals since they aren't changed when someone else intercepts them.
Re:Worth noting (Score:5, Insightful)
This is not an exploit of quantum cryptography
It is an exploit in the implementation of the detectors
LDO. People seem in t rush to point this out on every /. crypto story. "This wasn't a problem with the math, but a problem with the implementation". Yes, that's how almost all attacks work. Attackers don't generally go after the strongest link in your cryptosystem, you know.
My silly RSA tokens (2 on them cluttering my keyring now!) are worthless not because the math was bad, but because the attackers found a better avenue of attack. That's not in any way comforting.
Re: (Score:1)
But the attack wasn't on quantum cryptography as the title claims.
It is just as silly to say that the attack was on quantum cryptography here as it would be to say an armored truck was robbed when someone pretending to be from the armored truck company convinced the bank to give them the money before the truck arrived.
Re: (Score:2)
The US national debt: $129,000 per taxpayer
It's ok, rich people can pay for it. If we tax them enough.
Re: (Score:2)
Ha, nice one. That's been studied in depth of course: there just aren't enough rich people to make that work (and people have a historically proven tendancy to either hide or defer income, or just be lazy, if you crank the marginal rates up too high). I believe the medicare liability exeeds the combined net worth of all American citizens, companies, and corporations - but we'll just fail to pay that out, as opposed to the $130k each we're stick owing.
Re: (Score:2)
I believe the medicare liability exeeds the combined net worth of all American citizens, companies, and corporations
Really? Do you have a citation on that? It would be good to know. That would resolve the question of whether we are (potentially) solvent or not.
- but we'll just fail to pay that out, as opposed to the $130k each we're stick owing.
Yeah, for all the talk of defaulting on the national debt, it is forbidden by the constitution. Unless we can get a constitutional amendment, we'll be letting old people die in the streets before we default.
Re: (Score:2)
This is not an exploit of quantum cryptography.
Correct. It's an exploit of the snake oil currently being sold as "quantum cryptography".
Math (Score:2)
Why do they spend all this money, all this effort on systems that cost more and offer less security than a large RSA or ECC public key system?
Especially when RSA and ECC are so very well studied and don't rely on what amounts to lab grade optics with unknown exploits, weaknesses, and requirement for over paid professionals?
Why? I don't see the benefit. It is slower, harder to use, more expensive, the list goes on!
16K bit RSA keys are slow to generate but offer 256 bits of private key material equivalent sec
Re: (Score:2)
I have a lot of friends in the field. Not one of
Re: (Score:2)
The fact that they had to invent a name for a bit on quantum computers is where I knew to jump off the train.
Its a bit, there is no need to call it a qbit, it represents the same thing, the smallest amount of information we use in computers. It is either 1 or 0.
The fact that it gets called a qbit instantly lets anyone with a clue know that this is a marketing gimmick and there is no useful value to quantum computing at this time. You don't have to call useful things by new entirely different wanna be tren
Re: (Score:2)
Not ... will ever be ...
Historically, statements like that tend to be false.
Anyway, all it takes is qbit count to hit the "~doubling every ~two years" phase typical of many technologies, and we'll be in kiloqbit range in no time (well, to decades, but anyway). Of course it could be that in our universe, this is impossible, but if it's merely very difficult, then there tend to be workarounds found for practical problems, after technlogy becomes commercially profitable and regular R&D cycle gets properly started.
Re: (Score:2)
Of course there could be a breakthrough. But even then things like the factoring of numbers still needs a massive amount of qbit operations in addition to classical operations. On top of all that we have only a handful of useful algorithms on these
Re:Math (Score:5, Insightful)
They are not. Even though this type of BS can be read in the press quite often. Unless you assume we get quantum computers than can hold arbitrarily long entangled state. If we do not have that, just make the RSA key length one single bit longer than the longest entangled state that computations can be done on and the quantum computer is useless. (Dirty secret of quantum computing: You cannot combine calculations on large elements from computations on smaller elements.)
Ad for symmetrical ciphers, brute-forcing with quantum computers requires 2^(n/2) tries instead of 2^n tries. You still have to do each try and you have to model the whole cipher, which requires, e.g. for AES-256 in a known-plaintext-attack (which is the easiest one) to hold 2x128 bits for known plaintext and ciphertext, 256 bit for the key. That is already 512 qbits you need. Then you need to represent AES internal state and do computation. This easily adds another 512 qbits of state. Then you need to do something like 8000 x 2^128 quantum computations, retaining entanglement. As far as I can tell, each of this computation steps will be vastly slower than a conventional step as you need to manipulate the entangled set of qbits from the outside. And you cannot parallelize! Throwing two quantum computers at the same problem takes exactly the same time as when using only one.
We are currently where? 5 entangled bits when actual computations are done on them? After 2 decades of research. This leads me to believe that if they will ever work at all, quantum computers will not be able to crack current crypto for a very, very long time.
Re: (Score:2)
It might have to do with the fact that if/when someone gets a quantum computer RSA and ECC are effectively hosed. At that point, without a viable replacement, the world economy as we know it would disappear.
If we ever invent a real QC capable of running shors algorithm to break useful codes before our sun turns into a white dwarf the worlds economy is in for one hell of a roller coaster ride at warp 9 into the future.
My money is on it never being possible due to the decoherence tax. It stinks of something for nothing. I hope I'm wrong.
Re: (Score:2)
They do not have a quantum computer. They have something expensive with a label that says "quantum computer", but they really were ripped off.
Re: (Score:2)
There is no sane reason. RSA may be eventually broken, as there is still no security proof for it. But ElGamal has a strong mathematical security proof and is unlikely to ever be broken. ECC serves to reduce key-sizes and, afaik, has at least weaker security proofs. The important thing is however that they do scale, i.e. longer key gives better security. No such property is present in Quantum signaling. (No, it is not crypto.)
Then there is a second dirty secret: Quantum signaling is only for key distributio
Re: (Score:2)
Then there is a second dirty secret: Quantum signaling is only for key distribution. The actual communication is done with conventional block ciphers like AES. This completely invalidates the concept, even if you assume Quantum signaling to be eavesdropper-proof, because RSA/ElGamal is likely much more secure
That's insane... what they should do is use public key crypto secured transmission of private keys.
And encrypt the data payload in a CBC mode, with random shared quantum inputs used to manipulate th
Re: (Score:2)
Using what you describe, you have produced random unusable gibberish on the output.
You can't throw randomness into cryptography, contrary to common belief. Everything has to be known or calculatable in order for the original data to be extracted from the encryption.
Cryptography is VERY complex math, nothing more at this point, with the general idea intended to be to make it take a minimum amount of time to decrypt the data, but making that time long enough to prevent brute forcing from being viable and not
Re: (Score:2)
Using what you describe, you have produced random unusable gibberish on the output.
Not really. If you generate some random data and transmit it over the quantum channel, both endpoints to the communication have the shared quantum secret, with an agreed upon hash, and agreed upon method of using the data and proper synchronization of the two data streams, they will both come up with the same thing, and the recipient will be able to inverse a simple XOR.
The whole point of quantum crypto is it can't be
Re: (Score:2)
Read up on Quantum Encryption. It is really REALLY cool.
In case you've tried and hit one of the many hand-waving walls here is the brief because I'm not the type to just be snide and say RTFM:
So you have a sender and a pair of receivers. You (sender) have one of the receivers. You send an entangled pair of photons down the lines. Here is trick one: those two photons will have the same polarization but you don't know what it is till you measure it.
Now polarization isn't just one direction, photons can be po
Re: (Score:2)
, because RSA/ElGamal is likely much more secure (with reasonable key-lenghts) than AES.
Show me someplace that uses RSA for encryption of raw data.
What you have in the real world EVERYWHERE is that RSA is used for key exchange/session key generation/identity verification ... and AES is used to encrypt the payload data.
Why? asymmetric encryption is extremely processor intensive, too much so to do on any practical scale.
So this quantum stuff is not useless for the reasons you state (although there are actual reasons why its useless) because the reasons you state are how pretty much every crypto
Disclosure? (Score:4, Funny)
Disclosure is an interesting word here. I would have used the word "brag" - and I think you are fully entitled to brag about that feat.
Re: (Score:2)
Re: (Score:2)
Agreed. This article will advance his career, so getting it on Slashdot leads, indirectly, to financial benefit for him. That said, I agree with the GP that it's deserved - and it really is news for nerds.
I'll bite this troll. I typed this submission because
1. I think what we do is cool, and is interesting to Slashdot readers (I read Slashdot daily myself). :). Unfortunately, really, I do not think anybody is going into science for money.
2. I can formulate what we have done better and include most relevant links, comparing a random submitter who has just read a news story.
3. Yes! I am 37 and I do not nave a tenure yet! Every bit helps
Re: (Score:2)
Its okay dude, what he was saying is that even if it was a slashvertisment, its okay because this one ACTUALLY BELONGS on slashdot as it truely is news for nerds, regardless of the slavertising part.
This sort of article being submitted to slashdot in an attempt to gain attention for the subject of the article is perfectly acceptable because this is the kind of stuff we WANT to see.
Anyone bitching about slashvertisments in this cause is just being a douche, and the guy you were replying too is basically say
Re: (Score:1)
Impact on Bitcoin? (Score:3, Funny)
Re: (Score:3)
That's not all there is to care about! What about the iPad supply!?
Re: (Score:1)
I doubt the technology will ever be there. Physics always comes with uncertainty margins and plain errors. So far quantum theory is not well founded enough (1. It is incomplete, see e.g. the Higgs-Boson 2. It is inconsistent with Relativity) to base any strong security guarantees on it. Also, encryption done well (no, the quantum stuff is not crypto) does the job and fits neatly into the layer model at different places, depending on your application. There is absolutely no sane reason to do security at lay
Re: (Score:2)
I've worked on anonymous trusted networks.
No you haven't. Anonymous and trusted are mutually exclusive, and thats why you keep failing.
Seems fairly clear you don't even understand how humans naturally build trust in the real world. Your failure to understand that pretty much precludes you from augmenting it in any working way.
So much for "unbreakable" (Score:2)
As with most recent vulnerabilities in Cryptography (no, the quantum stuff is not crypto, it is signaling with special physical properties), the attack goes against the implementation. This did not stop several companies and a lot of fanbois to claim "unbreakability". I hope you have learned something.
Re: (Score:2)
As with most recent vulnerabilities in Cryptography (no, the quantum stuff is not crypto, it is signaling with special physical properties), the attack goes against the implementation. This did not stop several companies and a lot of fanbois to claim "unbreakability". I hope you have learned something.
I seriously doubt it. In my experience, people's memories are selective - anyone who's made that claim (and yes, I remember reading several such statements) likely will deny it now.
Re: (Score:2)
Re: (Score:2)
Also principles of theoretical physics are really hypotheses. They tend to change every few decades and often the old "principles" look quite silly then.
Re: (Score:1)
Re: (Score:2)
In terms of physical theory, Quantum Theory is not old. Nor is is well-proven, as there are a few new discoveries every year at the moment. So far, it mostly pans out, but there are no guarantees. Think mechanics. For a long time it was the perfect theory. Then some people started to measure more precisely than ever before, and suddenly it turned out to be a rough approximation. So, for example "Doc" E.E. Smiths idea of interstellar travel looks quite silly today. There is absolutely no reason Quantum theo
Re: (Score:2)
So, in summary, it is not a good idea to rely on physical theory, which has the status of Hypotheses when it comes to practical implementations, when we have actual mathematical theory (which is still hard fact when implemented digitally) that already solves the problem well.
Except that we don't really have "actual mathematical theory", either. No one currently knows how to factor products of large primes efficiently, but it has not been proven that integer factorization is NP-complete, nor are we entirely sure what NP-completeness means (c.f. P=NP). Worse, we haven't even proven that factorization is the only way to defeat RSA -- it's possible there's another way. Finally, RSA and other asymmetric ciphers also suffer from practical implementation issues. RSA in particular
Re: (Score:2)
For RSA you are right. For ElGamal your information is outdated, as a solid lower bound proof exists. There are also proofs for other DLog based crypto. It is just a bit harder to implement and a bit slower. Also, I guess, RSA had more commercial backing with the (IMO bogus) patent on it.
Quantum Signaling has neither and is eminently impractical in addition. As to plain hard, when we at least have mathematics, that is something solid. For the Quantum stuff we do not have complete observations, we have imple
Re: (Score:1)
I'm not sure why you say "th
Re: (Score:2)
P!=NP is convenient, but not needed for one-way functions. It is enough that you have a scalable higher effort in one direction, p!=NP merely gives you a set of easy ways to get that.
Saying "quantum information theory is shaky" is not crazy at all. History shows that any physical theory was disproven, except the at that time current one. There is absolutely no reason (except arrogance) to assume we not have it right.
As to why this is not encryption: From Wikipedia: "encryption is the process of transforming
Re: (Score:2)
Wups, should be: "... we now have it right."
Re: (Score:1)
What physical theory was disproven? The principle
Spinning (Score:1)
Re: (Score:1)
Nothing is fool proof, fools are too persistent and too clever.
On the other hand the idea that Truecrypt is compromised is quite a claim.
Eavesdroppers-Only Channels (Score:2)
When the eavesdropping is "in channel", doesn't require material access to the transmitting medium, the eavesdropping could be the fastest, preferred, mode of signaling on the link. Spinning the quantum wheel of "how associated" is the linked topology is going to precede what state info gets distributed most widely, therefore presenting the highest possibility of sync to another signal in the system - dominating it. So modulating the the wheel's state is going to get ahead, leaving everyone on the signal an
Can the benefits of quantum crypto be proved? (Score:2)
Lets assume for a second the quantum hardware itself works perfectly as advertised and cannot be compromised.
You still need classic (Such as a symmetric key) information to prove alice and bob are talking to each other rather than to malices quantum MITM proxy server.
Has anyone proved a perfect quantum OTP source improves actual security vs use of a zero knowledge algorithm to establish the same? Even if such an algorithm does not yet exist... Is it possible to construct one? Has it been shown this is not
Re: (Score:2)
Zero-knowledge authentication is impossible by definition. If you know nothing secret about someone, you can never verify his identity.
A small pre-shared key is used for initial authentication, in all classical and quantum crypto alike, to preclude a man-in-the-middle (MITM) attack. In the classical public-key infrastructure (PKI), this authentication key comes from the certicficate authority with, e.g., your copy of the web browser. If it is spoofed at the distribution step, MITM attack becomes possible.
In
Re: (Score:2)
Zero-knowledge authentication is impossible by definition. If you know nothing secret about someone, you can never verify his identity
See http://en.wikipedia.org/wiki/Zero-knowledge_proof [wikipedia.org]
In quantum crypto, the initial key is small, because once the quantum-generated key begins to grow, its small fraction is used for further authentication keys
Can it be proven a perfectly random, private yet untrusted OTP source would necessarily be better than any possible encryption algorithm given the same initial trust?