Slashdot Mirror


New Quantum Cryptography Speed Record

Roland Piquepaille writes "Physicists from the National Institute of Standards and Technology (NIST) have established a world's speed record for 'unbreakable' encryption with their cryptographic system based on the transmission of single photons. With this kind of method, messages cannot be intercepted without detection, meaning transmission is always safe. The NIST 'quantum key distribution' (QKD) system was used between two buildings located 730 meters apart for transmitting a stream of photons at a rate of 1 million bits per second. While it might not look very fast, it's 100 times faster than with previous quantum distribution systems. This overview contains more details and references about information theory."

221 comments

  1. Always? by mrgrey · · Score: 4, Insightful

    meaning transmission is always safe

    Always is a powerful word. Nothing is totally secure.

    --
    -Tolerate my intolerance
    1. Re:Always? by Anonymous Coward · · Score: 5, Insightful

      Indeed, but if it were possible to eavesdrop without detection, implications for physics would be just as great as for cryptology.

      Ya cannae change the laws of physics
      - Scotty, Chief Engineer

    2. Re:Always? by Anonymous Coward · · Score: 3, Insightful

      Blah, blah, blah. Haven't we gotten tired of these trolls? In the context of the transmission itself, it is, actually, totally secure. It's obvious to anyone without an icepick in their frontal lobe that there are other potential weaknesses. However, in this important respect, QC is provably secure in a way that classical crypto cannot be.

      Feel free to look into the past 2-3 weeks of /. for a more eloquent response (and reresponse and rereresponse and...).

    3. Re:Always? by Anonymous Coward · · Score: 0

      There are various methods to perform a man-in-the-middle attack due to imperfections in the equipment used, I believe, something to do with firing multiple photons off at once.

    4. Re:Always? by Anonymous Coward · · Score: 3, Insightful

      The use of 'always' in this context is similar to "An apple always falls downwards when you let it go."

    5. Re:Always? by PhuCknuT · · Score: 2, Informative

      Yes, but even if they fire multiple photons, you can't pick out individual photons from the stream without disturbing others, and you especially can't pick out only the ones that are duplicates, which would be necessary to pull off a man in the middle attack undetected.

    6. Re:Always? by leonardluen · · Score: 1

      just like we once thought that the sun revolved around the earth? or that the earth was flat?

      always is a very strong word if your basic assumptions are wrong from the beginning. i have not seen the proof that qc is so safe as they say it is...though i would like to.

    7. Re:Always? by Anonymous Coward · · Score: 0
      NO IT'S NOT. If you (Eve) manage to guess the basis correctly every time, then detecting eavesdropping is not impossible. The probability of eavesdropping successfully is 1/(2^n) (where n is the length of the message). THIS IS NOT ZERO. Quantum cryptography is not "unbreakable"; the reason it's cool is that its security is (a) very good (1/(2^n) is a small number); and (b) not based on assumptions of computational "hardness" in any way.

      It is in no way "always" secure though!

    8. Re:Always? by theLOUDroom · · Score: 2, Interesting

      Blah, blah, blah. Haven't we gotten tired of these trolls? In the context of the transmission itself, it is, actually, totally secure. It's obvious to anyone without an icepick in their frontal lobe that there are other potential weaknesses. However, in this important respect, QC is provably secure in a way that classical crypto cannot be.

      Actually, quantum crypto is not "provably secure" any more than standard cryptography.

      QC relies on the ability to emit photons, and to a known probability distribution of those photon emissions. The problem is, there is no hardware out there that can emit one and only one photon 100% of the time. I wouldn't be surprised if it turns out to be totally impossible to build hardware that does. (Like building hardware to perfectly measure a particle's position and speed is impossible.)

      This means that an "undetectable" attack is totally possible. What needs to be done is the use of statistical methods and "privacy amplification" to make the probability of a significant undetected attack as low as possible. (Sort of like trying to make your keyspace really big with normal crypto.)

      --
      Life is too short to proofread.
    9. Re:Always? by Anonymous Coward · · Score: 0

      Some people just have to be asses...

      According to our current theories, quantum cryptography is always safe in the sense that you'll detect if someone has been eavesdropping. I wonder if that statement is precise enough for you?

    10. Re:Always? by rokzy · · Score: 0, Redundant

      you and all the others in here who doubt quantum mechanics just got on my foe list.

      next time find something that ISN'T the most successful (possible tie with relativity) theory ever developed by humans to whine about.

      you (plural) are the science-technology equivalent of the "think of the children" politics trolls.

    11. Re:Always? by MS_is_the_best · · Score: 3, Insightful

      QC relies on the ability to emit photons, and to a known probability distribution of those photon emissions. The problem is, there is no hardware out there that can emit one and only one photon 100% of the time. I wouldn't be surprised if it turns out to be totally impossible to build hardware that does. (Like building hardware to perfectly measure a particle's position and speed is impossible.)

      This is total nonsense. Are you a cryptographer afraid to lose your job, with no physical background? Then please read the article before you respond.

      I agree that the text and title posted to Slashdot is kind of misleading. All this QC does is make a channel on which eavesdropping is impossible without detection. Point. And it is.

      This has actually nothing to do with crypto (you can breathe again, your salary is safe), it can be used as a nice method for key exchange in a crypto solution. The solution in total can be hacked (do something nasty on the sending or receiving end), but the transmission cannot be listened to undetected.

    12. Re:Always? by Anonymous Coward · · Score: 0

      Ah give them a break, they've obviously skimmed an SF book or two and now they know what they're talking about...they can use their computars really gud honest! They probably even have a "wheelchair guy" book on their bookshelf! They r uber-smrt!

    13. Re:Always? by BalloonMan · · Score: 2, Insightful

      "With this kind of method, messages cannot be intercepted without detection, meaning transmission is always safe."

      How about if I said, "With this kind of armored vehicle, passengers cannot be intercepted without detection, meaning transport is always safe." Now, the fallacy should be a bit easier to spot.

      The passengers are not really safe at all, in fact they might be D.O.A., or maybe they just got interrogated along the way, or perhaps they were replaced by pod replicants. Whatever, if they were carrying sensitive information, you cannot "save" them or the information they were carrying, i.e. you cannot prevent a compromise of the data, just by proving that the vehicle was intercepted. At best you can say, "better call off the invasion, they're probably onto us now."

    14. Re:Always? by leonardluen · · Score: 1, Troll

      yes and current theories are always correct now aren't they? sure your statement is plenty precise, but that doesn't mean it is correct. instead of just attacking me it would have been better/nicer if you could provide some proof to back up your claim and prove me wrong, such as a primer on qc that shows that it is unbreakable. sure i would like to believe, but i don't like taking things on blind faith alone.

      and my point was that, if qc were proved breakable in some way, it certainly would not be the first time that some basic scientific assumption has been proven to be inaccurate. always and never are extremely strong words to use.

      Some people just have to be asses...

      apparently you are one of them...

    15. Re:Always? by Anonymous Coward · · Score: 2, Insightful

      Well, yes, you can raise that philosophical objection to the concept of "always", and I would actually agree with you.

      A better statement would be: "undetected eavesdropping on this quantum channel would require finding a physical situation that does not conform to the Schroedinger Equation". Instead of saying "X cannot be broken", one can say "X is at least as strong as Y", where Y is well-known to be very strong.

    16. Re:Always? by S3D · · Score: 1

      The problem is, there is no hardware out there that can emit one and only one photon 100% of the time. I wouldn't be surprised if it turns out to be totally impossible to build hardware that does.

      Such hardware has existed for decades and is called a laser. A laser emits photons in the same quantum state, which is in some sense a "single" photon.

    17. Re:Always? by m.koch · · Score: 1
      "With this kind of method, messages cannot be intercepted without detection, meaning transmission is always safe."
      How about if I said, "With this kind of armored vehicle, passengers cannot be intercepted without detection, meaning transport is always safe." Now, the fallacy should be a bit easier to spot.

      No. If the passengers are intercepted it would have been like they had never been sent.

      It's not like there is an "intercepted"-flag attached to the message. The information is destroyed when intercepted.

    18. Re:Always? by CrosbieFitch · · Score: 1

      It's also an 'Emperor's New Clothes' problem.

      If I sell you two black boxes that communicate via optical fibre and I say they use Quantum Cryptography and that the price is $500,000. How do you know that QC really is involved?

      With PGP you might just think you'd be able to throw a mathematician/programmer at the kit and get them to check it.

      How easy is it to get hold of a particle physicist to give the kit a once over?

      Any time a big chunk of money is involved and the purchaser has to rely on trusting the vendor's word that the product does what it says it does... well, beware of charlatans.

      "Oh yes, sir, this is the finest intangible cloth available - only the basest of philistines are unable to appreciate its fine lustre and colour".

    19. Re:Always? by theLOUDroom · · Score: 1

      This is total nonsense. Are you a cryptographer afraid to lose your job, with no physical background? Then please read the article before you respond.

      Please read my post and understand the topic before responding. It wouldn't seem like nonsense to you if you did.

      I agree that the text and title posted to Slashdot is kind of misleading. All this QC does is make a channel on which eavesdropping is impossible without detection. Point. And it is.

      No it's not. That's what I was explaining.
      In order to be perfectly secure, you would need to be able to transmit one and only one photon, every time. This does not happen. Because this does not happen, you can't say "uh-oh I didn't get my photon, someone's listening". You cannot detect an eavesdropper until he causes a statistically significant change in the way you're receiving photons.

      This has actually nothing to do with crypto (you can breathe again, your salary is safe)

      I know that, I was making a frickin analogy. While schemes like RSA rely on the difficulty of factoring a product of large primes, QC relies on statistics and privacy amplification. You try to make it so that in order to receive a significant portion of the message, the person would noticeably affect the statistics and therefore be detected.

      but the transmission cannot be listened to undetected.

      Yes it can. If I receive a single photon from the transmission line and then stop listening, you aren't going to be able to tell if the transmitter actually emitted that photon or not. The only way you can tell I'm grabbing your photons is if I start grabbing enough of them so that I start messing up the statistics.

      You should get a better understanding of this subject before flaming people.

      --
      Life is too short to proofread.
    20. Re:Always? by firephreek · · Score: 1

      While we might not be able to change the laws, even dear Scotty bent them all to hell at times.

      I can't imagine any form of communication being absolutely secure, especially in transmission. While we might not be able to do so now, new technologies and theories are always emerging. We can do things now that would've been impossible 50 years ago. Even ten years ago. I would've thought that my CRT monitor was safe from viewing (short of hidden cameras) but then I read some article a while ago that talked about being able to read the scanlines projected because they extend beyond the mounting...something along those lines...

      I know less than anything about higher levels of physics and photon transmissions etc... but what is it exactly that makes this form of transmission secure?

    21. Re:Always? by theLOUDroom · · Score: 1

      Such hardware has existed for decades and is called a laser. A laser emits photons in the same quantum state, which is in some sense a "single" photon.

      No, a laser emits a beam of coherent light. It does NOT allow you to transmit one and ONLY one photon with 100% reliability.

      If you have a piece of hardware that solves this problem I imagine a lot of physicists would like to talk to you.

      --
      Life is too short to proofread.
    22. Re:Always? by Anonymous Coward · · Score: 0

      Can anyone here actually prove QC, or is it the new one true religion and anyone denouncing it will be marked down as a troll?

    23. Re:Always? by ComaVN · · Score: 1

      I can eavesdrop on any thought in your mind from right here with a successrate of 1/(2^n), so that makes me quite the cryptographer, doesn't it.

      --
      Be wary of any facts that confirm your opinion.
    24. Re:Always? by Anonymous Coward · · Score: 0

      This is bullshit.

      There's no way for Eve to know that what she's guessed is right. If someone sends one bit of information through the channel (i.e. yes/no), even though there is a 50% chance of getting it right, you're not any closer to the truth after you've made the guess.

    25. Re:Always? by gpinzone · · Score: 1

      It's been proven mathematically that a random string of bits XORed with a "meaningful" stream of bits produces an uncrackable string of encrypted bits that can only be decrypted with the original random string of bits. This has been known for years. What makes it unfeasible is the act of exchanging keys. That's why PGP is so great. Not because its encryption is strong(er), but because of the key exchange issue. Quantum transmission methods allow for a totally secure key exchange. That, coupled with an unbreakable encryption, means 100% secure communication...always. Now all we need is a foolproof way to generate 100% random numbers and we'll be in business.

    26. Re:Always? by m.koch · · Score: 1
      Yes it can. If I receive a single photon from the transmission line and then stop listening, you aren't going to be able to tell if the transmitter actually emitted that photon or not. The only way you can tell I'm grabbing your photons is if I start grabbing enough of them so that I start messing up the statistics.

      So what? If you intercept one photon you cannot derive the message. If you grab enough photons to derive the message you are detected.

      QC is not unsafe just because "statistics" is involved. You can push the probability for undetected eavesdropping to a point where it doesn't matter anymore.

      I can guess any message with a probability of 2^-bitlength. If the probability of eavesdropping is lower, it's just a moot point.

    27. Re:Always? by gpinzone · · Score: 1

      Your analogy is all wrong. I don't know if I can come up with a physical analogy to describe what's going on, but here goes.

      You're not sending the passengers, you're sending a bunch of suicide messengers with the magic password to open the impenetrable armor of the vehicle around their neck. If anyone comes into contact with the suicide messenger, they explode, destroying the information. You know someone tampered with your messengers because they show up dead. If that happens, you just change the password. When you get the password without any dead messengers, the armored vehicle can pass safely no matter who's firing at it.

    28. Re:Always? by Anonymous Coward · · Score: 0

      "Indeed, but if it were possible to eavesdrop without detection,"

      There are no eaves on Slashdot, and that's a fact.

    29. Re:Always? by iwein · · Score: 1

      I know less than anything about higher levels of physics and photon transmissions etc... but what is it exactly that makes this form of transmission secure?

      it depends on single photon transmission. if one photon is measured, no transmission occurs.

      that way the receiver is always certain that the data he receives is not viewed before. it's kind of like those messages that selfdestruct shortly after arrival. if you have intercepted them you would have to reproduce them to make yourself a man in the middle

      if the receiver finds out there is a delay in the transmission (i.e. photons seeming to go below the speed of light). he will know there is something goin' on.

      something like that...

      --
      Show a man some news, distract him for an hour. Show a man some mod points, distract him for the rest of his life.
    30. Re:Always? by theLOUDroom · · Score: 1

      check this: laser can be used as source of entangled photons

      That's neat, but it talks about using lasers as a source for pairs of photons and it gives no mention of the controllability of the transmission.

      --
      Life is too short to proofread.
    31. Re:Always? by acgetchell · · Score: 1

      Any physical theory we come up with now always (ie "must") reduce to observable behavior now. The earth is flat is a good local approximation considering the earth's curvature, until you start sailing and cover continental distances.

      The example of "An apple always falls from a tree" is very good. We do not need to know the details of quantum gravity (whatever that may be) in order to predict and describe an apple falling, even though quantum gravity supersedes general relativity and quantum field theory, which supersedes special relativity, flat Minkowski space, and quantum mechanics, which supersedes classical mechanics.

      Any theory we come up with had better be reducible to classical mechanics at the right energy scales. All theories have a domain of application, and we keep widening the domain by introducing more and more general theories.

      But in the end, we test our general theories against specific observations. There is a beautiful theory of Higgs scalars produced from Nambu-Goldstone bosons "eating" photons in the Standard Model Lagrangian which generates massy and massless fields (and hence mass for all particles which have mass); however, finding the Higgs boson doesn't invalidate the simple observation that an apple "always" falls.

      Oh, and by the way, Quantum Field Theory (ie, fully covariant Quantum Mechanics or QM + GR) is proven and tested to a fantastic order of accuracy, 11 or twelve decimal places. It's the most accurately known theory we have, which is why we can tell immediately what cosmological theories are right or wrong by their effect on the Standard Model. We could confirm or eliminate certain string theories if we knew gravitational interactions as accurately as QFT.

      So there's a slim to none chance that QFT will prove invalid at anything less than ~10E15 GeV energies, which is the Planck scale at the Big Bang.

      --Adam

      --
      "Invincibility is in oneself, vulnerability in the opponent." --Sun Tzu
    32. Re:Always? by theLOUDroom · · Score: 1

      So what? If you intercept one photon you cannot derive the message. If you grab enough photons to derive the message you are detected. QC is not unsafe just because "statistics" is involved. You can push the probability for undetected eavesdropping to a point where it doesn't matter anymore.

      I never said QC was "unsafe", my point is that it's not "perfectly secure". See if I can get even a single bit and get away with it, technically, I'm eavesdropping without detection (which you said was impossible).

      In the end the claims one has to make about QC's security sound remarkably similar to those you hear regarding normal crypto. Like this one:

      I can guess any message with a probability of 2^-bitlength. If the probability of eavesdropping is lower, it's just a moot point.

      You end up relying on the knowledge that the probability of an undetected interception of a significant amount of information is very low, as opposed to the probability of someone guessing your RSA key which is also very low.

      Anyways, it seems like you actually read the post you replied to and realized that it's not the "total nonsense" you claimed it was. There are legitimate issues that make QC NOT PERFECT, as much as people would like to claim that it is.

      --
      Life is too short to proofread.
    33. Re:Always? by gregorio · · Score: 1
      The use of 'always' in this context is similar to "An apple always falls downwards when you let it go."
      Not if someone else prevents the fall. =]
    34. Re:Always? by firephreek · · Score: 1

      ok, but if you intercept and then reproduce the transmission from the very start, and say your delay isn't too unreasonable (little less than the sol) how could any delay truly be measured? Betty wouldn't have any frame of reference to measure the delay against right? Even if the send signal was synched any other way, besides within the transmission itself, there would be a delay because the sync signal (I'm thinking a guy on the phone or some such "ready? and now.") isn't at the sol. And if you need line of sight for this kind of protocol, how useful is it going to be? anything besides sol is slower, and well, how do you compensate for low flying bugs/birds?

    35. Re:Always? by Anonymous Coward · · Score: 0

      it would be nice if you would try to help educate us. i doubt quantum mechanics quite possibly out of ignorance because i know nothing about it.

      if someone somewhere can decrypt a message it darn well means that it isn't uncrackable now does it? the hard part for me to believe though is that the message is not interceptable. i don't know how this works, so please enlighten me so i don't have to believe this on blind faith alone.

    36. Re:Always? by m.koch · · Score: 1
      I never said QC was "unsafe", my point is that it's not "perfectly secure".

      This is not going to be a discussion about semantics, is it? If I can push the probability below mere guessing, many people would call it "secure". Not in a mathematical sense, of course.

      You end up relying on the knowledge that the probability of an undetected interception of a significant amount of information is very low, as opposed to the probability of someone guessing your RSA key which is also very low.

      "Low" is relative. Just because me and my friend go home, that doesn't mean we go to the same place. Guessing an RSA key is not the same as guessing the whole message. With this argumentation even a one-time pad would not be secure, because the message could be guessed.

      Anyways, it seems like you actually read the post you replied to and realized that it's not the "total nonsense" you claimed it was.

      I did not.
    37. Re:Always? by theLOUDroom · · Score: 1

      I did not.

      My bad. Thought you were the other guy, sorry.

      This is not going to be a discussion about semantics, is it? If I can push the probability below mere guessing, many people would call it "secure". Not in a mathematical sense, of course.

      See, but I am talking in a mathematical sense. QC is neat, but I too often hear: "Unlike conventional crypto, QC is unbreakable/provably secure/etc."

      The reality is, there's a trade-off between probability of undetected intercept, probability of false alarm, and message size. If the message is say, normal English prose, I don't need to get 100% of it to figure out what you're saying. As I understand it, you counter this problem by using privacy amplification.

      --
      Life is too short to proofread.
    38. Re:Always? by Allen+Zadr · · Score: 1
      Is this like the "Submarine to Satellite" communications that Tom Clancy talked about in his books? Maybe the photon method would be secure anyway under such a scenario - very little chance of someone knowing the transmission site in advance.

      Someone further down the list suggested that a timestamp system is also used, and someone else suggested that it uses parity share over some other protocol (i.e. two connections).

      I should have read the article, instead of scanning it, but clarification would be helpful. Is this solution going to be open sourced?

      --
      Kinetic stupidity has a new brand leader: Allen Zadr.
    39. Re:Always? by m.koch · · Score: 1
      See, but I am talking in a mathematical sense. QC is neat, but I too often hear: "Unlike conventional crypto, QC is unbreakable/provably secure/etc."

      "Provably secure" in this context means that the probability of eavesdropping can be computed exactly based on the laws of physics and no gain in computing power can change this. The security of RSA is not proven and depends on the speed of factoring algorithms. Using smart protocols the security of QC can be pushed beyond any reasonable doubt.

      Of course we can discuss the mathematical sense of words like "always" or "never". Speech is inherently non-mathematical and we would end up with discussions about provability of human perception and such. Sorry, I see this just as a sort of nitpicking.
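
Added example, not part of any comment in this thread: a Python simulation of the theLOUDroom / m.koch exchange above, showing how many errors an intercept-resend eavesdropper induces and how the chance of missing her trades off against false alarms and sample size. It assumes the BB84 protocol with ideal single-photon pulses; the `channel_noise` rate, sample size and abort threshold are illustrative values, and none of these come from the thread or the NIST article.

```python
import math
import random


def simulate_bb84(n_pulses, intercept_fraction, seed=1):
    """Ideal single-photon BB84 with an intercept-resend eavesdropper.

    Returns (sifted_bits, bob_errors, sifted_bits_eve_learned).
    """
    rng = random.Random(seed)
    sifted = errors = eve_known = 0
    for _ in range(n_pulses):
        a_bit, a_basis = rng.getrandbits(1), rng.getrandbits(1)
        bit, basis = a_bit, a_basis              # state in flight
        eve_basis = None
        if rng.random() < intercept_fraction:
            eve_basis = rng.getrandbits(1)
            # Measuring in the wrong basis gives Eve a coin flip;
            # she then resends exactly what she measured.
            bit = bit if eve_basis == basis else rng.getrandbits(1)
            basis = eve_basis
        b_basis = rng.getrandbits(1)
        b_bit = bit if b_basis == basis else rng.getrandbits(1)
        if b_basis != a_basis:
            continue                             # discarded during sifting
        sifted += 1
        errors += (b_bit != a_bit)
        eve_known += (eve_basis == a_basis)      # False when not intercepted
    return sifted, errors, eve_known


def induced_error_rate(intercept_fraction, channel_noise=0.0):
    """Expected error rate in the sifted key.

    Each intercepted pulse is flipped with probability 1/4; this is
    combined with an independent channel flip probability (assumed).
    """
    q = intercept_fraction / 4.0
    return channel_noise * (1 - q) + q * (1 - channel_noise)


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p**i * (1 - p) ** (n - i)
               for i in range(k + 1))


def detection_tradeoff(sample_bits, threshold_errors,
                       intercept_fraction, channel_noise):
    """Alice and Bob compare sample_bits sifted bits and abort if more
    than threshold_errors differ.

    Returns (false_alarm_probability, missed_eavesdropper_probability).
    """
    false_alarm = 1.0 - binom_cdf(threshold_errors, sample_bits, channel_noise)
    missed = binom_cdf(threshold_errors, sample_bits,
                       induced_error_rate(intercept_fraction, channel_noise))
    return false_alarm, missed


if __name__ == "__main__":
    for f in (0.0, 0.05, 1.0):
        s, e, k = simulate_bb84(40000, f)
        print(f"tap {f:4.2f}: error rate {e / s:.4f}, Eve learned {k / s:.3f}")
    # Noiseless channel, abort on any error: full interception survives
    # a 72-bit comparison with probability (3/4)**72.
    print("missed, noiseless:", detection_tradeoff(72, 0, 1.0, 0.0)[1])
    # 2% channel noise forces a tolerant threshold, so a light tap hides
    # in the noise while a full tap does not.
    for f in (0.05, 1.0):
        fa, miss = detection_tradeoff(500, 20, f, 0.02)
        print(f"tap {f:4.2f}: false alarm {fa:.4f}, missed {miss:.3g}")
```

With a noisy channel the light tap goes unnoticed most of the time while still leaking a small share of the sifted key, which is the leakage that privacy amplification is applied to.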

    40. Re:Always? by kasperd · · Score: 1

      Nothing is totally secure.

      You'd need to change the laws of physics to break it. I wish you luck.

      --

      Do you care about the security of your wireless mouse?
    41. Re:Always? by NoOneInParticular · · Score: 1

      Foolproof way to generate 100% random numbers? Does a geigerteller count?

    42. Re:Always? by Minna+Kirai · · Score: 1

      With PGP you might just think you'd be able to throw a mathematician/programmer at the kit and get them to check it.

      Nope. With GPG you could do that. But PGP is closed source, so you have to trust the vendor that a particular executable does what it claims. (Unless you're willing to disassemble the binary, which is difficult, error-prone, and sometimes illegal)

    43. Re:Always? by Lord+Kano · · Score: 1

      Always is a powerful word. Nothing is totally secure.

      Then you need to read up on quantum cryptography.

      An attacker may be able to intercept a bit or two out of the message but because these are single photons if you intercept one it will be obvious that someone has intercepted the photon.

      Because you can never be 100% sure of the position of the photon it would take a fair bit of trial and error just to intercept one and all of those other photons that you blocked in your attempt to catch one will be missed by the recipient of the message.

      Remember the difference between the words "safe" and "secure" when dealing with crypto. The transmission may not be secure, because it is possible to intercept some of the photons involved. Transmission is safe because no one can intercept it without tipping you off.

      LK

      --
      "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
    44. Re:Always? by Anonymous Coward · · Score: 0

      It's very hard to educate people about QM with text-only messages, in a noisy channel with people making jokes and trolling and arguing on the side. Plus there is always a strong temptation for people doing the explaining to fall into "macho flashing".

      I would recommend "Mr. Tompkins in Paperback" by George Gamow. There's probably other cool books but I can't think of any that I would just give to a friend and say "here, read this, it's an intuitive explanation of relativity and quantum mechanics."

    45. Re:Always? by Anonymous Coward · · Score: 0

      Many laws of physics have not been proven, and anything that depends on them is not PROVABLY secure.

    46. Re:Always? by Karhgath · · Score: 1

      The submitter is wrong, he should have said:

      "The quantum key exchange method is always safe."

      Actually, an even stronger claim could be:

      "The quantum key exchange method is totally secure."

      That would be true. If you can generate a key as long as the message you want to send, and the key exchange is totally secure, it means that no one can decrypt the message (one-time pad).

      The encrypted message is never sent over quantum channels, so it could be intercepted, but it would be impossible to decrypt it, as the key is totally secure and is as long as the message itself.

    47. Re:Always? by Karhgath · · Score: 1

      Wrong. Quantum cryptography is provably TOTALLY secure (UNCONDITIONAL SECURITY is the term used). The complete proof was done 2-3 years ago I believe, under the guidance of Gilles Brassard from the University of Montreal, who is the forefather of quantum computing. This is IIRC.

      The proof is BASED on the fact that we cannot measure the state of a photon accurately, or even send exactly one photon. Remember, quantum encryption is only about key exchange, not sending the actual message over quantum channels.

      And, I'm pretty sure we CAN send one photon accurately now. Here's a quote from a 2002 article:

      "Quantum encryption isn't new, but the problem with current methods is that they rely on single-photon receivers and transmitters. This means sending encrypted information is slow.

      "They have to run their technology on a single-photon regime -- they can only transmit data one photon at a time," said Prem Kumar, professor of electrical and computer engineering at Northwestern and a leader of the quantum encryption project."


      Now, the current article said that they speeded that up greatly, which is awesome.

  2. Nothing that haven't been done before by lofoforabr · · Score: 2, Funny

    It's just like morse code, just waaaaaaaaaaaay faster!

    (it's a joke)

    1. Re:Nothing that haven't been done before by Nuclear+Elephant · · Score: 1

      I hope their web server's not using it. Nothing like a good slashdotting over a slow photonically encrypted connection.

    2. Re:Nothing that haven't been done before by __aagctu1952 · · Score: 5, Funny
      It's just like morse code, just waaaaaaaaaaaay faster!


      Nah, it's like morse code, only if you look at what you receive the probability wave collapses and the cat dies. This means quantum cryptography uses up a heck of a lot of cats, and this is why there's a limit on its practical usability and speed in the real world...

      *cough*
    3. Re:Nothing that haven't been done before by The+Ultimate+Fartkno · · Score: 1



      > Nah, it's like morse code, only if you look at what you receive the probability wave collapses and the cat dies.

      I'm not waiting 'til Friday to say it - that's the funniest thing I've read all week! Welcome to my quote file, fella.

    4. Re:Nothing that haven't been done before by volve · · Score: 1

      So we've progressed from LOC/sec to CATS/sec... man, those crazy scientistics really need to get some therapy or else we might soon be in for MOTHER/sec, MOTHER-AND-AUNT-JANE/sec, UNCLE-TOMMY-AND-MUMMY/sec, MY-FIRST-PET-RALPH/sec...

      Erm, but I digress...

      *cough*

    5. Re:Nothing that haven't been done before by JurgenThor · · Score: 0


      Now I envision a chain of QC centres (like Western Union I guess - or the old west morse telegraph stations), but with adjoining chinese restaurants.

      --
      GENERAL PUBLIC SIGNATURE (GPS) Any replies (derivatives) of this post must also use the GPS
  3. A little star trek humor by Nuclear+Elephant · · Score: 3, Funny

    [Kirk] Fire photon torpedoes
    [Scotty] I can't sir, the bloody computer's still encrypting a message to my girlfriend - I got no power!
    [Romulans] b4w h4w h4w w3 0wnz j00!
    [Kirk] W3 b3 0wn3d!

  4. Hmmm by odano · · Score: 2

    I always thought this process was over some sort of fiber, I had no idea it was through the air.

  5. in KB/s by moberry · · Score: 4, Informative

    1,000,000 / 8 = 125,000
    125,000 /1024 = 122.1

    Not too bad for not using wireless undetectable (so far) encryption.

    1. Re:in KB/s by jockm · · Score: 1

      Actually you need to divide by 10 bits not 8. You still need the start and stop framing bits. So:

      1,000,000 / 10 = 100,000
      100,000/1024 = 97.65

      Still not bad...

      --

      What do you know I wrote a novel
    2. Re:in KB/s by Vihai · · Score: 1

      Hey, RS-232 is not the only transmission encoding system :)

    3. Re:in KB/s by jockm · · Score: 1

      True however framing bits are still required by most.

      --

      What do you know I wrote a novel
  6. Man in the Middle? by Allen+Zadr · · Score: 3, Insightful

    While Quantum physics certainly allows for scientific detection of observation (which would help you detect if someone is merely viewing your stream)

    However, with all technology, this could be a common pocket-sized device someday. So, would this not also fall under the problem of Man-in-the middle attacks? Read the quantum stream (eliminating the existence of said stream), and recreate the stream to the other point. This would create a delay, but without other forms of detection, it would not necessarily be as safe as wires... (as wires, at least, can be physically secured. Hard to secure open air).

    --
    Kinetic stupidity has a new brand leader: Allen Zadr.
    1. Re:Man in the Middle? by Cyclopedian · · Score: 4, Insightful

      I think your premise fails because you are using established methods that worked for certain electrical and computer principles. Quantum Cryptography (QC) is something entirely different than what's been done in the past. Current methods cannot merely just be used on QC just because it worked in the past for other levels of physics.

      -Cyc

    2. Re:Man in the Middle? by Anonymous Coward · · Score: 2, Informative

      RTFA:

      "Compared to previously described QKD systems, the major difference in the NIST system is the way it identifies a photon from the sender among a large number of photons from other sources, such as the sun. To make this distinction, scientists time-stamp the QKD photons, then look for them only when one is expected to arrive."

      Replaying the stream later (even _if_ it was possible) would make it arrive at the WRONG TIME. Hence, the stream was messed with.

    3. Re:Man in the Middle? by t_allardyce · · Score: 1

      +3 insightful??

      You don't actually explain why it doesn't work. QC might work very differently from other systems but correct me if I'm wrong, it still works on the premise that A sends something to B through an insecure channel X? unless I'm wrong and A & B somehow know what they wanted to transmit beforehand and X is some randomly chosen other-dimension. Can you explain?

      --
      This comment does not represent the views or opinions of the user.
    4. Re:Man in the Middle? by i_should_be_working · · Score: 1

      the cryptography scheme could fail if a human screws up, but it can't fail the way mentioned in parent.

      if someone reads the stream of photons, and tries to recreate it for the receiver, the original sender and receiver will know. After the message was sent, they publicly share, over classical channels, a small portion of the key. If the receiver's is different at all from the sender's they know someone intercepted it. The recreated quantum stream has to be different from the original for quantum reasons.

    5. Re:Man in the Middle? by bogusbrainbonus · · Score: 2, Informative
      from the article:

      "Compared to previously described QKD systems, the major difference in the NIST system is the way it identifies a photon from the sender among a large number of photons from other sources, such as the sun. To make this distinction, scientists time-stamp the QKD photons, then look for them only when one is expected to arrive. "To be effective, this observation time has to be very short," says NIST physicist Joshua Bienfang. "But the more often you can make these very brief observations, then the faster you can generate keys."

      Assuming "very short" means milliseconds, then without some other even honking faster send/receive technology there is no way you can intercept the photons and resend them without the receiver noticing.

      Rats, foiled again...

    6. Re:Man in the Middle? by Theaetetus · · Score: 2, Informative
      Why QC is immune to Man in the middle attacks is that once viewed by anyone - even the middle-man - the data is changed and cannot be reproduced the same way. The way it works is that A sends B a stream of data plus some parity bits. B deciphers the data and sends the parity bits back in clear. A compares B's parity bits to original parity bits, and if different, then someone has viewed the QC data. At which point, they know they've been intercepted. The best part is, B never needs to look at the parity bits - by sending them back as quanta, A can combine them with the original parity bits and should get no interference. If X (or B) looks at the parity bits, they become locked in a configuration and can't be compared to A's without interference.

      Now, just do that quickly and repeatedly, with parity checks every few bits, and the man in the middle can't intercept more than one block... which might be enough for just a handful of digits, but not enough to decode message.

    7. Re:Man in the Middle? by Kainaw · · Score: 3, Insightful

      > So, would this not also fall under the problem of Man-in-the middle attacks?

      The way to avoid the man-in-the-middle has to do with the filters for the photons. It is confusing in the code, but easier to understand from a completely fabricated example.

      First, you need to understand that photons are becoming 1 and 0 based on spin. That spin is aligned so that 1 is 90 degrees off of 0. The filters have to be aligned as well (sure makes portable devices hard, but I'm sure we'll figure that out later). Assume we cycle through 8 filters. The first four look like + so that vertical is a 1 and horizontal is a 0. The next four look like x so that diagonal one way is a 1 and the other is a 0. If you shoot a photon aligned to + through a x filter, it will become either a 1 or 0, but not necessarily the correct value.

      What does that mean? It means that you and I can decide to use the following filter sequence: x++xx+x++. Now, a man in the middle must use the same sequence or he will scramble the message. If he scrambles the message, he cannot retransmit it. Also, he cannot decode it because he doesn't know which bits are correct and which ones are incorrect.

      Now, what if the man in the middle knows your filter sequence? Now you hit the key-sharing problem that cryptology has had since the start. There's no point in assuming that's a new problem.

      --
      The previous comment is purposely vague and generalized, but all of the facts are completely true.
    8. Re:Man in the Middle? by acgetchell · · Score: 1

      The point is you cannot recreate the stream once you measure it.

      A qubit from the stream comes in with a value a|0> + b|1>. This means the odds of measuring |0> are a^2 and the odds of measuring |1> are b^2. If you measure a |0> you have just discarded the amplitude |b>; this is what is meant by wavefunction collapse. You would then try to "recreate" the stream by sending out a |0>. However, this is distinguishable from the original a|0> + b|1>, and so your attack fails.

      Quantum mechanics involves Hilbert spaces, and they are very very large. A classical bit has only two values, 0 or 1. A qubit has an infinite number of values for a and b, subject to Unitarity, which means their total amplitude doesn't exceed 1. It's possible for the phase information of a qubit to store the entire works of Shakespeare, but you would only ever recover 1 bit.

      A 500-qubit system has more information stored in it than there are elementary particles (quarks, leptons, photons, neutrinos, vector bosons, gluons) in the Universe.

      The applications to physics are very interesting, especially in Cosmology, where the same idea goes by the name Holography. There seems to be a limit on how much information can be stored in spacetime; the classic example is the Bekenstein limit on entropy for a black hole's surface area. Nowadays, Cosmology and Quantum Field Theory are tied strongly together. For example, in some QFT Lagrangians there are massless scalar axions that couple to photons and can cause distant supernovae to appear fainter, thereby throwing the whole "Universe is accelerating" proposition into question. (I know the above example from a paper my Cosmology professor, Nemanja Kaloper, wrote.)

      Oh, by the way, the poster indicating "we can't reliably send 1 photon" is wrong. The original Quantum Cryptography test bed sent out effectively 1/10 photon, using weak amplitudes.

      --Adam

      --
      "Invincibility is in oneself, vulnerability in the opponent." --Sun Tzu
    9. Re:Man in the Middle? by wwest4 · · Score: 1

      > So, would this not also fall under the problem
      > of Man-in-the middle attacks?

      No, not unless there is something fundamentally wrong with the implementation. If the stream is eavesdropped, that OTP/key is discarded. Read the article for how QM helps to ensure this assumption.

      That said, it should be obvious that this scheme is potentially vulnerable to DoS attacks. Just keep eavesdropping, and the sneaky bastards using QKD can't exchange keys.

    10. Re:Man in the Middle? by shimmin · · Score: 1

      Under the usual setup for single-photon data transmission, only half the bits sent do any useful communicating. Both the sender and the receiver have to choose between one of two measurements to make on the bits; if they make the same measurement, they get the same answer, and so have usefully communicated a bit. If they make opposite measurements, they don't have comparable data, and so have communicated nothing. So Alice measures some photons and sends them to Bob, who also measures them. Afterwards, they tell each other what measurements they made (but not what answers they got) over an open channel, and so they know what secret info they both share without ever broadcasting that info.

      Now, if we introduce a man in the middle, the middleman doesn't know what measurements to make on the quantum channel. He can do what Alice and Bob do, which is guess randomly, but every time he guesses wrong, he destroys a bit of information. So, he only gets half the quantum channel from Alice, and so can send only a quarter of the info to Bob.

      The tampering will become immediately apparent afterwards, if Alice and Bob compare a fraction of their shared secret and find that they didn't actually get the same answer when they made the same measurement. This is patent evidence that they have been eavesdropped, and so they then throw all their bits away.

      The method isn't actually useful for sending messages, so the fact that the middleman intercepted part of the message is irrelevant. It's a method for creating a shared secret, which can then be used for communicating the actual message. A middleman cannot acquire the shared secret without leaving evidence that the secret is more widely shared than believed, and so the secret can be rejected as the basis for sharing sensitive data before that sensitive data is actually shared.

    11. Re:Man in the Middle? by 19thNervousBreakdown · · Score: 0

      1/10th of a photon? Huh?

      --
      <xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
    12. Re:Man in the Middle? by Allen+Zadr · · Score: 1
      That answers my question without belittling me, and I really appreciate that.

      So, if I interpret this correctly - it's set up more like Kerberos, with a Quantum twist.

      --
      Kinetic stupidity has a new brand leader: Allen Zadr.
    13. Re:Man in the Middle? by Anonymous Coward · · Score: 0

      Ah but there are other attacks than just intercepting the key.

      There's nothing preventing E from negotiating a key with A (while impersonating B), while at the same time negotiating a different key from B (while impersonating A). Then E uses both keys to translate back and forth between encryptions. A and B both get their messages encoded with the key they expect, and E gets a peek at the plain text.

    14. Re:Man in the Middle? by Anonymous Coward · · Score: 0

      Wrong. There is nothing in quantum cryptography preventing a man-in-the-middle (MITM) attack. Sure, you are right that the MITM cannot measure the photons and then retransmit them, but that is not enough. The crucial step you are missing is that when Alice and Bob share what measurements they made (but not the results), there is no guarantee that what Alice believes comes from Bob doesn't actually come from the MITM. An open, unsecure, channel is _not_ enough, you need an authenticated channel.

      Once more: Alice and Bob really need to authenticate the messages when they tell each other what measurements they made. With a shared key, that's easy, but you definitely need something secret.

    15. Re:Man in the Middle? by Theaetetus · · Score: 1
      > There's nothing preventing E from negotiating a key with A (while impersonating B), while at the same time negotiating a different key from B (while impersonating A). Then E uses both keys to translate back and forth between encryptions. A and B both get their messages encoded with the key they expect, and E gets a peek at the plain text.

      (why am I replying to an AC anyways?)

      Doesn't work that way in QC... The key is built out of the data that Alice transmits to Bob - but the key itself is never transmitted in clear.

      Alice sends Bob a string of qubits, some with horizontal polarization and some with diagonal polarization [+ vs X... really they're either (| or -) XOR (\ OR /)] with the polarization determining a 1 or a 0. Bob receives all of the bits and applies a random filter to it. Where his random filter doesn't match the random transmission that Alice sent, he loses the bits. Where his does match, he receives the bits. This ends up working to 25% of bits getting received. He then replies back to Alice and says "Bit 1, 6, 7, 11, etc. were received successfully". Alice and Bob now both know that bit 1=0 (for example), bit 6=0, bit 7=1, bit 11=0, etc. so the key is 0010etc.

      Eve can't intercept the bits going from Alice to Bob, because if she does, she changes them and Bob receives a different set of 'accurate' bits. He responds back to Alice with which bits were right, she sends a message encrypted with that key, and it's indecipherable to Bob (and Eve), so they know that someone is trying to tap their qubits. However, Eve still can't read the message. Even if she intercepts the message from Bob to Alice saying bit 1, bit 6, bit 11, etc. she doesn't know whether those were 1s or 0s, so she can't decipher the one-time-pad key.

      -T

    16. Re:Man in the Middle? by jesser · · Score: 1

      I have the same objection/question as the AC, and you did not answer it.

      --
      The shareholder is always right.
    17. Re:Man in the Middle? by Stray7Xi · · Score: 1

      Err man-in-the-middle attacks don't work because A and B don't know C is there... but because A thinks that C is B and because B thinks C is A. Your post describes why eavesdropping can't happen, but eavesdropping and man-in-the-middle attacks are completely different.

      What's stopping C from pretending to be B. If B can send back to A the parity bits without looking at them, so can C. A will say "Phew thank god that didn't get intercepted" (although B never received it at this point).

      If C has the data it can generate a quantum stream that contains that data (it may not be the same in the quantum layer as the one intercepted, but it represents the same data). B will happily receive that quantum stream from C (thinking it was A) and send back the parity bits. To which C can respond "Phew thank god that didn't get intercepted" to B and still be telling the truth.

      You're looking at it like AB (that's eavesdropping), but a man-in-the-middle attack looks like AC, CB. To stop this, they need a way to identify the person they're communicating with is in fact the person they think it is.

    18. Re:Man in the Middle? by ssssmemyself · · Score: 1

      No, you have it all wrong. According to other QC articles I have read from Discover, SciAm, etc. it is impossible to eavesdrop when being detected because the photons can spin in one of four ways, and you can only detect for two of the spin types. So, half the photons you intercept you didn't measure for the right spin, so you know that the spin is one of the other two spins you didn't check for. Then, the only thing left to do is send another photon and randomly pick one of the two spins. This works out to 1/4 photon loss, which will show up easily to the sender and receiver. This level of photon loss indicates that there is an eavesdropper. So, it really is impossible to eavesdrop QC without detection.

    19. Re:Man in the Middle? by Theaetetus · · Score: 1
      I'll try again...

      The reason Eve can't intercept by negotiating one key with Alice and a different key with Bob is that the key itself is never transmitted in QC.

      Instead, the qubits are transmitted and can't be intercepted without knowledge. Bob then communicates to Alice which qubits he received correctly and will use as the key - but while Eve can intercept the message "bit 1, bit 5, bit 7, bit 12" she doesn't know that that means "1101". Even if she intercepts it and sends a different "bit 2, bit 4, bit 8, bit 10" message to Alice, Eve still doesn't know that bit 2 is a 1 or a 0. So, while Eve can successfully DoS Alice and Bob's communication, she can't actually intercept and interpret the data.

      QC is very easy to DoS - simply intercept and look at the data stream. But then, it's going over fiber or some other optical link... they're easy to DoS with a hacksaw anyway. Thing is, even if you DoS it, you can't successfully intercept the data.

      Better?

    20. Re:Man in the Middle? by Theaetetus · · Score: 1
      > If C has the data it can generate a quantum stream that contains that data (it may not be the same in the quantum layer as the one intercepted, but it represents the same data). B will happily receive that quantum stream from C (thinking it was A) and send back the parity bits. To which C can respond "Phew thank god that didn't get intercepted" to B and still be telling the truth.

      Ah, you misunderstand. The data isn't transmitted through a quantum stream. Eve can't intercept the quantum stream and expect the data to be there.

      So, more in depth...

      Alice has a random-number generator that polarizes her photon transmitter, either in vertical-horizontal polarity (+) or in diagonal polarity (X).
      In reality, it's either - or | OR / or \, but there are reasons that you can't build a polarizing filter to go for perfectly coherent streams... Orthogonal ones are easy, though...

      Anyways, so Alice creates a random stream, say 101100 which her transmitter spits out as |/-|\/ ('cause her filters are set to +X++XX).

      Bob receives the |/-|\/ stream. He uses another random number generator to generate a string, say 001001, which he sets his filters to: XX+XX+
      When Bob runs the quantum stream through his filters, he gets the following (where a 0 is no photon passing through): 0X+0X0, so he knows that Alice has sent ?01?0?. He then writes back to Alice (in cleartext) that he got bits 2, 3 and 5. Alice uses 010 as her one-time key, encodes her data, and sends it off to Bob through the internet.

      1) Eve intercepts the encoded data - doesn't know the key. Can't decode.
      2) Eve intercepts that, plus the note from Bob to Alice... She has the coded data, and she knows it was coded with bits 2, 3 and 5, but doesn't know what they were. Can't decode.

      Or finally...
      3) Eve intercepts quantum stream from Alice of |/-|\/. She sets her random detector to 011010 (X++X+X) and gets out 00+00X and thus ??1??0. Having either blocked or observed all the photons passing through, she needs to create a new quantum stream to send to Bob (and she knows 2 of the digits), say 011100, which after Bob receives it, he interprets as 0?1?0?. He tells Alice to use bits 1, 3 and 5, and she encodes with 110. Neither Bob nor Eve can read the message, so no one but Alice has the data, and Alice and Bob know they've been compromised.

      Finally, if Eve bumps off Bob and completely replaces him (so she both receives and sends the note to Alice telling her which bits to use), then Eve successfully intercepts, but this is no longer a man-in-the-middle attack... Instead, it's a full compromise of one end of the communications.

      That better?

      -T

    21. Re:Man in the Middle? by Stray7Xi · · Score: 1

      > 3) Eve intercepts quantum stream from Alice of |/-|\/. She sets her random detector to 011010 (X++X+X) and gets out 00+00X and thus ??1??0. Having either blocked or observed all the photons passing through, she needs to create a new quantum stream to send to Bob (and she knows 2 of the digits), say 011100, which after Bob receives it, he interprets as 0?1?0?. He tells Alice to use bits 1, 3 and 5, and she encodes with 110. Neither Bob nor Eve can read the message, so no one but Alice has the data, and Alice and Bob know they've been compromised.

      Close but not quite.. the problem with quantum cryptography is key exchange. If Bob and Alice have a key exchanged at start.. then yes Quantum Cryptography is secure from man in the middle. Lemme explain the flaw in your example here.

      Alice Eve
      Alice sends the |/-|\/ and Eve gets it as X++X+X or ??1??0 as you say. Immediately Eve sends back and says I received bits 3 and 6, and the one time key is formed. So their key is 10.

      Eve Bob
      At the same time Eve sends the 011100 to Bob to form their key. Bob interprets it as 0?1?0? and tells EVE (this is where you made the error, because he can't tell alice directly) the bits to use are 1,3,5. So their key is 010.

      So whenever Eve receives data from Alice.. Eve decrypts it with the 10 key and re-encrypts it with the 010 key before sending to Bob.
      When Eve receives data from Bob, vice versa.

      Any way to counter this requires outside transmission of info (whether it be a key, protocol, or something similar) that HASN'T been compromised by Eve.

      Once a secure link is formed, it can't be compromised. But if it's compromised from the very start, it won't be detected.
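
The two attack models argued over in this thread, side by side, as an added example that is not part of any poster's comment: an idealized BB84 simulation (perfect single photons, no channel noise) comparing intercept-and-resend eavesdropping with full impersonation of both ends. All function names are hypothetical, the pre-shared key is a constructed value, and HMAC-SHA256 stands in for whatever authentication a real QKD system applies to the classical channel.

```python
import hashlib
import hmac
import random

BASES = "+x"  # rectilinear and diagonal polarization bases


def measure(bit, prep_basis, meas_basis, rng):
    """Same basis returns the encoded bit; the other basis gives a coin flip."""
    return bit if prep_basis == meas_basis else rng.randrange(2)


def quantum_leg(n, rng, intercept_resend=False):
    """Send n photons; return (sender_bits, sender_bases, recv_bases, recv_bits)."""
    s_bits = [rng.randrange(2) for _ in range(n)]
    s_bases = [rng.choice(BASES) for _ in range(n)]
    r_bases = [rng.choice(BASES) for _ in range(n)]
    r_bits = []
    for bit, basis, r_basis in zip(s_bits, s_bases, r_bases):
        if intercept_resend:
            # Eve measures in a guessed basis and resends what she saw.
            e_basis = rng.choice(BASES)
            bit = measure(bit, basis, e_basis, rng)
            basis = e_basis
        r_bits.append(measure(bit, basis, r_basis, rng))
    return s_bits, s_bases, r_bases, r_bits


def sift(s_bits, s_bases, r_bases, r_bits):
    """Keep only positions where sender and receiver used the same basis."""
    keep = [i for i in range(len(s_bits)) if s_bases[i] == r_bases[i]]
    return [s_bits[i] for i in keep], [r_bits[i] for i in keep]


def error_rate(a, b):
    """Fraction of sifted positions where the two sides disagree."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def eavesdrop_demo(n=20000, seed=1):
    """Error rate on a clean link versus one with intercept-and-resend."""
    rng = random.Random(seed)
    clean = error_rate(*sift(*quantum_leg(n, rng)))
    tapped = error_rate(*sift(*quantum_leg(n, rng, intercept_resend=True)))
    return clean, tapped


def impersonation_demo(n=2000, seed=2):
    """Eve runs one honest-looking session with each side; neither leg has errors."""
    rng = random.Random(seed)
    a_key, e_key1 = sift(*quantum_leg(n, rng))  # Alice -> Eve posing as Bob
    e_key2, b_key = sift(*quantum_leg(n, rng))  # Eve posing as Alice -> Bob
    keys_differ = a_key[:64] != b_key[:64]
    return error_rate(a_key, e_key1), error_rate(e_key2, b_key), keys_differ


def tag(auth_key, bases):
    """MAC over a basis announcement sent on the classical channel."""
    return hmac.new(auth_key, "".join(bases).encode(), hashlib.sha256).digest()


def alice_accepts(auth_key, bases, mac):
    """Alice only sifts against announcements that verify under the shared key."""
    return hmac.compare_digest(tag(auth_key, bases), mac)


def authentication_demo(seed=3):
    rng = random.Random(seed)
    auth_key = b"constructed pre-shared Alice/Bob secret"
    bob_bases = [rng.choice(BASES) for _ in range(64)]
    eve_bases = [rng.choice(BASES) for _ in range(64)]
    genuine = alice_accepts(auth_key, bob_bases, tag(auth_key, bob_bases))
    forged = alice_accepts(auth_key, eve_bases, tag(b"eve's guess", eve_bases))
    replayed = alice_accepts(auth_key, eve_bases, tag(auth_key, bob_bases))
    return genuine, forged, replayed


if __name__ == "__main__":
    print("clean / tapped error rate:", eavesdrop_demo())
    print("impersonation leg errors, keys differ:", impersonation_demo())
    print("genuine, forged, replayed accepted:", authentication_demo())
```

Intercept-and-resend shows up as roughly a 25% error rate in the sifted key, while impersonation leaves both legs error-free, so only the authenticated announcement distinguishes Bob from Eve.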

  7. Exxon? by Nuclear+Elephant · · Score: 1

    Didn't they try and use this same technology to deliver oil over the Internet a few years ago? I don't recall that working very well.

  8. **YAWN** by l0ungeb0y · · Score: 3, Funny

    Wake me up when they get it going faster than the speed of light. Now, that would be a speed record worthy of a slashdotting.

    1. Re:**YAWN** by HD+Webdev · · Score: 1

      > Wake me up when they get it going faster than the speed of light. Now, that would be a speed record worthy of a slashdotting.

      If it went faster than the speed of light, it would also be going faster than the speed of time. That would cause quite a bit of technical difficulties on the receiving end.

      --
      This is not a dream, not a dream...we are transmitting from the year 1-9-9-9.
    2. Re:**YAWN** by missing000 · · Score: 1

      This does go faster than the speed of light to a certain extent - once the photons arrive at each side the key is created instantaneously at the secondary site when it is first observed at the primary site.

      One small cravat though - the key is random so there is little use for faster than light meaningful communication.

    3. Re:**YAWN** by missing000 · · Score: 2, Funny

      Speed of time? Excuse me, but can I get some of what you're smoking? How would you define a concept like that?

      Speed is defined in physics as "Distance traveled divided by the time of travel", so that would make time a derivative of itself?

    4. Re:**YAWN** by noselasd · · Score: 1

      Please read the relativity theory perhaps you'd know what he talks about..

    5. Re:**YAWN** by HD+Webdev · · Score: 2, Informative

      > Speed is defined in physics as "Distance traveled divided by the time of travel", so that would make time a derivative of itself?

      You stopped pasting the definition at a crucial point. Here is where you left off from your own reference link:
      > The limit of this quotient as the time of travel becomes vanishingly small; the first derivative of distance with respect to time.

      --
      This is not a dream, not a dream...we are transmitting from the year 1-9-9-9.
    6. Re:**YAWN** by missing000 · · Score: 1

      You're still defining speed in terms relative to time itself... I'm not sure where you're going here.

    7. Re:**YAWN** by HD+Webdev · · Score: 1

      > You're still defining speed in terms relative to time itself... I'm not sure where you're going here.

      Ok, let's not define speed in terms relative to time. We'll take time out of the equation.

      But wait, we can't do that. Speed doesn't exist without time. On top of that, time isn't a constant.

      Here is more information:

      http://en.wikipedia.org/wiki/General_relativity

      --
      This is not a dream, not a dream...we are transmitting from the year 1-9-9-9.
    8. Re:**YAWN** by Anonymous Coward · · Score: 0

      One small nitpick though - you can't spell. "Cravat"? Caveat maybe?

    9. Re:**YAWN** by slamb · · Score: 1
      > > If it went faster than the speed of light, it would also be going faster than the speed of time. That would cause quite a bit of technical difficulties on the receiving end.

      > Speed of time? Excuse me, but can I get some of what you're smoking? How would you define a concept like that?

      You're right; "speed of time" is nonsense.

      Maybe what he's trying to say is that the object's world line would become space-like rather than time-like. (Which is true.) Mathematical definition here. Some information about the consequences here. (Not much, though. But I'm too tired to find a better link and much too tired to think independently.)

    10. Re:**YAWN** by missing000 · · Score: 1

      > Speed doesn't exist without time.

      Quite right, and my point exactly. You therefore cannot measure the "speed of time" That would be absurd.

    11. Re:**YAWN** by French+Mailman · · Score: 1

      > You therefore cannot measure the "speed of time" That would be absurd.

      Wow, I can't believe it's Monday already. Time flies !

    12. Re:**YAWN** by HD+Webdev · · Score: 1

      > Quite right, and my point exactly. You therefore cannot measure the "speed of time" That would be absurd.

      That would be absurd if I mentioned measuring the speed of time. But of course, I said nothing about that.

      --
      This is not a dream, not a dream...we are transmitting from the year 1-9-9-9.
    13. Re:**YAWN** by missing000 · · Score: 1

      > If it went faster than the speed of light, it would also be going faster than the speed of time.

      Your words, not mine.

    14. Re:**YAWN** by euxneks · · Score: 1

      That would be something.. A website that can transmit data at the speed of light, and it gets slashdotted.

      --
      in girum imus nocte et consumimur igni
    15. Re:**YAWN** by HD+Webdev · · Score: 1

      > Your words, not mine

      Yes, those were my words. 'Faster' is not a measurement.

      It's possible that my use of 'faster' in that context accidentally implied measurement, but I assure you that was not my intention.

      --
      This is not a dream, not a dream...we are transmitting from the year 1-9-9-9.
  9. Wouldn't this make DOS easier though? by foidulus · · Score: 4, Insightful

    This is the thing I don't understand about quantum cryptography(maybe someone can explain it to me). If someone were to try to listen in, would you still be able to read the information being sent? If not, wouldn't this make DOS attacks relatively easy? The information isn't any good if you cannot transport it.

    1. Re:Wouldn't this make DOS easier though? by Anonymous Coward · · Score: 0

      DOS attacks are very easy. But in order to perform a DOS attack (i.e., listen in), you would need physical access to the cable. At this point (stealing a phrase from a previous Slashdot article), DOS is best performed with a large axe :)

    2. Re:Wouldn't this make DOS easier though? by Tmack · · Score: 4, Interesting
      The deal with quantum transmission is you are sending the data as single photons (smallest divisible unit of light, like a molecule of a compound, or a single cell of a living thing). Meaning, if you read it, you absorb the message (receivers transform the optical signal, ie: photons of light, into electrical ones), or at least change it in some way. The only way to possibly intercept the transmission is to completely intercept it, keeping any form of it from reaching the true recipient, knowing the protocol enough to keep the sender thinking it is sending to the original target (sending encrypted keys or something), or acting as a repeater while recording the values as they pass through. Since they are being broadcast, you would have to put your device directly in line-of-sight between sender and target, something probably noticeable. Keeping the sender and receiver unaware of a repeater would be difficult, as adding such a device would add a time delay to the transmission, something the encryption might be dependent on. As for transmission, you would have to have a repeater device along a long or complex span, something knowing the encryption method and is known to both sides of the span. It is easier to secure single points of transmission than entire cable or even fiber cables, since you don't have to worry about people splicing into it without knowing about it. The only worry would be a DOS, somehow blocking the path of the transmission, something easily remedied with a large enough cannon.

      tm

      --
      Support TBI Research: http://www.raisinhope.org
    3. Re:Wouldn't this make DOS easier though? by TeknoHog · · Score: 1

      No no no, the point about quantum cryptography is that if you try to act as a repeater, you will always distort the signal. Merely using single photons is not enough.

      --
      Escher was the first MC and Giger invented the HR department.
    4. Re:Wouldn't this make DOS easier though? by Anonymous Coward · · Score: 0

      Yes. If Alice sends to Bob, and Eve listens in, then Bob does not receive the transmission (and Bob knows it, which is where the security comes in). Bob and Alice can have a conversation where they can figure out whether anyone listened in or not. However, if Eve listened in, then Bob doesn't get the message, and Eve has DOS'ed Bob.

      The security feature is that Alice just retransmits until Bob gets a provably private message.

      All these messages are just large random bit strings. Once Bob has the provably private large random bit string, Alice uses that as a one-time-pad key to send the *real* message. Eve gets no advantage from all her intercepted messages because Alice and Bob know that they were compromised.

      As far as the physical practicality of Eve operating a detector to pick up the photons that Alice emits, that depends on the actual transmitting/receiving equipment used. A radio-style broadcast would be easy to mess up; a laser would be harder; a fiber would be very hard.

    5. Re:Wouldn't this make DOS easier though? by m.koch · · Score: 1
      If Alice sends to Bob, and Eve listens in, [...]

      Eve? What happened to Carol and Dave?

    6. Re:Wouldn't this make DOS easier though? by Anonymous Coward · · Score: 0

      Assuming that's a serious question: the name Eve evokes the word "eavesdropper", someone who listens to a private conversation without authorization. So in a simple scenario, Alice is talking to Bob ("A" and "B"), but they don't want Eve (the "eavesdropper") to know what they are saying.

    7. Re:Wouldn't this make DOS easier though? by Tmack · · Score: 1
      Which was my point about destroying the original signal (ie: intercepting it completely without letting any of the original pass your interception point), and creating a completely new signal (repeating the data only while building a new encryption around it). By acting as the origin, if you intercept the signal in its entirety, and have the ability to perfectly masquerade as both ends (as far as identity and encryption methods are concerned) so the sender thinks it is still talking to the recipient, and recipient thinks it's still talking to sender, you can create an independent transmission that will not show signs of tampering, since you are creating your own new transmission. You will not distort the signal, you will destroy the original and create a new one. If you can read the data, you can create a new transmission from it. If you block the original signal, the quantum encryption from the original source will validate to your interception point*, and your transmission will validate from you to the original target.

      *This assumes the sending and receiving ends do not encrypt based on physical path length or other values solely dependent on physical location, which given the transmission method should be easy to do (calculate time of transmission between target and source, etc). If the encryption includes such values, and part of the encryption is done by the receiving end reflecting a portion of the signal (purely reflecting, not reading and re-sending) this would not work (given today's technology), as the sending time would not match, and an attempt to re-send the incoming signal with a delay would alter the quantum state as would attempting to create a delay with mirrors (reflecting alters the state itself). It would also only work in the perfect world where the interception point is in place from the beginning, as any disturbance would notify both ends something is going on, your interception/resending device would have to be invisible and airborne and perfectly stationary, since this is line-of-sight communications along a path the width of a narrow laserbeam, and you know all the possible keys and encryption methods in use. But as this is a somewhat theoretical discussion of this being an absolutely un-breachable form of communication... I'm not saying interception of this is actually possible, just saying claiming something as 100% secure that is still in its infancy as this is, is shortsighted, and theoretically unfounded. Who knows, there could be new discoveries in the future to enable reading and sending perfect quantum replicas. Seeing as we can already teleport them, creating exact copies shouldn't be much more difficult.

      TM

      --
      Support TBI Research: http://www.raisinhope.org
    8. Re:Wouldn't this make DOS easier though? by corvi42 · · Score: 4, Informative

      The whole point of quantum crypto is that if someone did try to act as a repeater, then they would be detected. This is not because you would "see" them standing there intercepting your data ( although that would be a possibility ), but because the protocol used to transmit the information securely would reveal the fact that the data had been intercepted and then retransmitted.

      The basics are like this. Small particles ( like photons of light ) have a property called spin. You can set the spin of a particle when you transmit it by using the right kind of gear. You can test the spin of the particle in several different ways, but not all spins can be detected correctly by all tests. So if you have no idea what the spins are, you can't know which test to use. So if you use a random sequence of tests, you will sometimes have the right test, and sometimes not. So to transmit information, our protocol works like this ( taken from "The Code Book" by Simon Singh, p.346-7 ):

      1) Alice sends Bob a series of photons, and Bob measures them.

      2) Alice tells Bob on which occasions he measured them in the correct way. ( Although Alice is telling Bob when he made the correct measurement, she is not telling him what the correct result should have been, so this conversation can be tapped without any risk to security ).

      3) Alice and Bob discard the measurements that Bob made incorrectly, and concentrate on those that he made correctly in order to create an identical pair of onetime pads.

      4) Alice and Bob test the integrity of their onetime pads by testing a few of the digits.

      5) If the verification procedure is satisfactory, they can use the onetime pad to encrypt a message; if the verification reveals errors, they know that the photons were being tapped by Eve, and they need to start all over again.

      It is true that Eve could listen in on the line, intercepting photons sent by Alice and try to recreate the same stream of photons to Bob with the same spins. However, she can only use a test once, she can't copy a photon and test it using several different tests. So she will inevitably use the wrong test on a number of photons, and so not know what the true spin ought to be, and so can't reproduce them. She also can't know what series of tests Bob will use to test the photons he is receiving. So inevitably what would happen is this: Eve uses the wrong test on some photons, doesn't know what their spins ought to be, sends out some with different spins; Bob however uses the correct tests on some of those photons that Eve "made up", but gets different results from Alice ( because some of the spins are different from what Alice originally sent ), so when they compare results it becomes obvious that they don't have the same sequence of results. Furthermore, Eve can't know where the errors are going to come up and how she should fix them, so she couldn't intervene successfully in this verification step to make it seem correct when it's not.

      Long story short - you can't make a successful repeater ( down side to this is you can't use any network for transmitting the photons, as a network necessarily involves repeaters - aka routers/gateways - you must have a direct line from sender to receiver so the photons don't get altered ).

      --

      There are a thousand forms of subversion, but few can equal the convenience and immediacy of a cream pie -Noel Godin
    9. Re:Wouldn't this make DOS easier though? by corvi42 · · Score: 1

      No - this won't work because you don't conduct the entirety of the communications via this one communication channel. Essentially the "quantum" channel is used only for creating a key that one can use to communicate securely over another channel. Furthermore, as part of the verification step in the quantum protocol, the sender and receiver check the results of the quantum exchange over an open channel, and any repeater wouldn't know how to spoof this verification step successfully to fool both sides. See my reply to your original post ( http://slashdot.org/comments.pl?sid=106190&cid=9040839 ) for details of the protocol to see why this works.

      --

      There are a thousand forms of subversion, but few can equal the convenience and immediacy of a cream pie -Noel Godin
    10. Re:Wouldn't this make DOS easier though? by Anonymous Coward · · Score: 0

      No matter how easy DOS gets, I still prefer un*x!

  10. Encryption error! by Phidoux · · Score: 4, Funny

    Error -3647194 - An error occurred during the encryption of your file - Pigeon

  11. Obligatory Futurama quote! by Daath · · Score: 4, Funny

    Farnsworth: "No fair! You changed the outcome by measuring it!"

    heheh :)

    --
    Any technology distinguishable from magic, is insufficiently advanced.
  12. World Record? by Anonymous Coward · · Score: 2, Funny

    And the message?

    fckil eht ghtlis fi uyo gte thsi !

  13. Unless you are talking one-time pads.... by Halo- · · Score: 5, Interesting

    The whole "unbreakable" thing is a little bit of a misnomer. Yes, you can detect if someone observes the transmission of the key, but that doesn't mean the encryption is unbreakable. In fact, it's not really encryption at all. It's simply a fancy type of secure, out-of-band key exchange. Once the key is exchanged, the parties will generally use it to key a symmetric algorithm like 3DES or AES. (At which point the encryption is only as strong as those algorithms...)

    I realize I'm being painfully pedantic here, but when the self-proclaimed nerds start abusing a term, the general public is going to be hopelessly confused. (Think the whole hacker/cracker thing...)

    Quantum key exchange is unbelievably cool, but doesn't guarantee secure crypto. It just takes one of the weakest links in the chain, and makes it the strongest.

    1. Re:Unless you are talking one-time pads.... by Glock27 · · Score: 1
      Unless you are talking one-time pads....

      Of course they're talking one-time pads... ;-)

      --
      Galileo: "The Earth revolves around the Sun!"
      Score: -1 100% Flamebait
    2. Re:Unless you are talking one-time pads.... by Anonymous Coward · · Score: 0

      Your point that this is all about Quantum Key Distribution, and not Quantum Cryptography, is well taken.

      Of course, if Alice and Bob use their expensive-to-distribute keys as a one-time-pad for their real messages, their real messages are mathematically secure. If they use the keys as keys for some other cipher, their messages are as secure as that cipher.

    3. Re:Unless you are talking one-time pads.... by deblau · · Score: 1
      You use random data as your key (which is basically all you'll get with a QC photon stream), then one-time pad for encryption. Not just practically, but theoretically unbreakable. Both parties use the key to encrypt their messages, which are then sent over non-secure channels (i.e., the Internet).

      Crypto thinking in the past has been that if your cryptosystem is strong enough, you can tolerate key exchange over insecure channels. What many people don't realize is that with perfectly secure key exchange, you get unbreakable crypto for free.

      You might then reasonably ask, why not just exchange the messages securely, instead of just the key? The answer is that we can't predict the polarizations of the entangled photons before they're measured. What we can do is guarantee a correlation between the polarizations after they are measured, and we can guarantee that third party observation is detectable. So what we get is perfectly secure transmission of data, but it's only random data. We're just lucky that random data happens to be ideal for encryption via one-time pad.

      --
      This post expresses my opinion, not that of my employer. And yes, IAAL.
    4. Re:Unless you are talking one-time pads.... by nihilogos · · Score: 1

      They are talking one-time pads. The quantum key distribution protocol simply allows you to keep generating an endless one time pad, and lets you know whether someone else has eavesdropped on it.

      --
      :wq
    5. Re:Unless you are talking one-time pads.... by Karhgath · · Score: 1

      Wrong. We are talking one-time pad here. The key is going to be as long as the data needed to be sent.

      Quantum Encryption allows you to exchange a key in TOTAL security. Not just theoretically, total security (this is the strongest possible). No one can eavesdrop the key. If they do, they will, at most (if they eavesdrop every 'packet'), prevent you from exchanging a key, in which case you can try again until you succeed. If you succeed in exchanging a key, the eavesdropper CANNOT know, due to the algorithm and quantum properties, any information about the key.

      Then, with a key generated that is as long as the data needed to be sent, it is already proven secure. That's the one-time pad proof.

      So, if the one-time method pad is proven secure (which it is), and there is NO way to know the key (totally secure, remember), it means that quantum encryption is secure beyond all doubts.

      With faster quantum bandwidth, it means that it slowly becomes easier and easier to do quantum encryption. This is a GOOD THING, as you do not have to rely on unsecure algorithms like 3DES, etc.

  14. Hang on... by m00nun1t · · Score: 5, Funny

    I don't understand all this stuff about quantum cryptography. Let's get to the core of the issue:

    Can it help me download pr0n faster or not?

    1. Re:Hang on... by rokzy · · Score: 0

      no but it means your gf/mum will catch you doing it!

    2. Re:Hang on... by rokzy · · Score: 1

      er, missed out the "never" which changes the meaning quite a bit...

    3. Re:Hang on... by next1 · · Score: 1

      i don't know either, but i guarantee it's faster than freenet.

    4. Re:Hang on... by Surt · · Score: 1

      No, but it might help you ensure that the government isn't watching you download it.

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
  15. Implications for the Government? by caitsith01 · · Score: 4, Interesting

    This area really interests me, because it seems to fundamentally change the playing field regarding the use of encryption for simple privacy. Up until now, it has been a pretty safe bet that anything the Government (or Governments) wants to read, it can. Eventually most (all?) standard encryption can be broken with brute force,* and if there's one thing that governments have and like to use it's brute force.

    *(yeah, yeah, your favourite open source encryption is unbreakable, I know, but come on, the government isn't going to enter any 'break this encryption' contests to show what a kewl ha>or it is and thereby advertise the fact that communications using said encryption are not actually secure, is it?)

    However, with unbreakable encryption they can no longer just spend money until they are able to break it - it's actually impossible, they can't even intercept it. So it changes the situation in a quite fundamental way. Whether it's someone violating copyright between quantum encrypted locations, just talking without being eavesdropped on (you know, exercising their rights), or Osama and his friends planning the next September 11, it will be impossible to work out the contents of a communication.

    I feel that over the middle-term this will lead to some or all of the following government responses:
    - stronger laws allowing seizure of computers (i.e. the start and end points of an encrypted communication)
    - even stronger laws about exporting or possibly even publishing information about this type of encryption 'in the national interest'
    - laws requiring the divulging of passwords to law enforcement/intelligence officers with harsh penalties for a refusal to cooperate (this is already the case in some places I believe)
    - possibly a lower standard of proof required before police/spies can act to exercise the above powers, in light of the difficulties they will have getting any evidence at all about encrypted communications
    - an increase in 'why are you using encryption, are you a terrorist/communist/thought criminal or something' type rhetoric

    What do others think? Does this really change the privacy landscape over the next 10-20 years? Will governments react regressively in the ways I suggest? How should pro-privacy people respond and fight such changes?

    --
    Read Pynchon.
    1. Re:Implications for the Government? by Anonymous Coward · · Score: 0

      *N*obody *S*aid *A*nything about govmt root-kits, &c. going away...

    2. Re:Implications for the Government? by Anonymous Coward · · Score: 0

      Basically it means that rightful or other eavesdroppers have to concentrate on people again rather than technology. Maybe that would be a good idea anyway, since it's also people who place bombs or fly planes into buildings rather than technology.

    3. Re:Implications for the Government? by m.koch · · Score: 4, Insightful
      *(yeah, yeah, your favourite open source encryption is unbreakable, I know, but come on, the government isn't going to enter any 'break this encryption' contests to show what a kewl ha>or it is and thereby advertise the fact that communications using said encryption are not actually secure, is it?)

      Pardon? The known encryption algorithms are insecure because the government doesn't say it can't break them? Reminds me of a little story where a man claps his hands to get rid of elephants in his house. The proof that it works? There are no elephants in his house.

      Also it seems strange to imply that Schneier et al are just a bunch of idiots.

    4. Re:Implications for the Government? by mec · · Score: 1

      I agree with the general drift of your predictions. Some thoughts:

      AFAIK, all the QC machines are point-to-point devices, and I don't see any obvious way to make relays and gateways out of them. So it's not like you can do QC-over-IP tunnels. And with point-to-point devices, the government can do traffic analysis (if you're talking to Mohammad Atta's ex-roommate regularly, who cares what you're saying, you get heightened surveillance and maybe disappear without trial for interrogation).

      There are already plenty of technological devices which are illegal for citizens to possess or that require stringent licenses to possess: weapons and drugs, for example. QC transceivers may be regulated this way.

      More government-mandated back doors. The NSA compromised a Swiss company, CryptoAG, and placed backdoors in their crypto. Perhaps they've also compromised Microsoft and Apple. On this level, open source operating systems are a radical paradigm shift, as they are much harder to backdoor. I've got a bit of a tinfoil hat streak, and I expect that the government has already backdoored most of the ISPs in the country (DCS-1000 just for starters), which enables them to do traffic analysis even when they can't read the content.

      On the political level, remember that NSA has another mission: to provide secure cryptography for American government agencies and companies. It's in American interests if American organizations can communicate securely without eavesdropping by foreign organizations. So they might welcome some forms of QC, just as they distribute SE Linux and help IBM make their crypto more secure.

      Lastly, note how fast and smooth and transparently strong crypto got deployed for e-commerce, because there are lots of $$$ to be made; but encrypted e-mail is still a hodge-podge of mailers and standards.

    5. Re:Implications for the Government? by mmusson · · Score: 1

      The implications of quantum encryption are not as strong as you suggest. The basic idea is that no eavesdropper can get between two points that are trying to communicate and successfully listen in without being detected. But this applies to anything that might be between those two points like a switched network. This means that you are not going to use this technique for something general purpose like normal internet connections. To do this, the two points must create a direct physical connection, for instance a laser.

      Also a basic tenet of security is that the attacker will attack the weakest link. I'm sure a government would have a far easier time compromising a person on either side of the connection.

      --
      SYS 49152
  16. The reason the man-in-the-middle attack fails by amalcon · · Score: 3, Interesting

    The reason the man-in-the-middle attack fails is that in order to recreate the stream accurately, you need more information than you can accurately read from the stream at once. IANAPhysicist, so you'll have to google it if you want to know the specifics, but basically to read the datastream one must make a bunch of guesses. Now, Bob has the luxury of being able to guess wrong without problems, but a man in the middle must guess correctly every time or risk corrupting the datastream.

    --
    -Amalcon
  17. MOD PARENT UP by Anonymous Coward · · Score: 0

    informative link, see for yourself.

  18. QC and evesdropping by some+guy+I+know · · Score: 4, Interesting
    eavesdrop without detection
    Even if you can detect the eavesdropping, by that time, it's too late; the eavesdropper already has part of the message.
    Granted, it's only a single bit, but it might be the most important bit of the message.

    More seriously, depending on the protocol, the eavesdropper may be able to intercept many bits before the intrusion is detected.
    For example, if TCP/IP is implemented over the QC stream, the intruder may be able to get an entire packet before the receiver sends a "Stop; we're being eavesdropped!" message back to the transmitter.
    (Maybe more, with TCP/IP's sliding window.)
    If the entire message fits in one packet ("Attack at dawn."), then the message has been compromised.
    One way to avoid this would be to use a comm layer lower than TCP/IP that ACKs each bit, but this could be slow.
    Another way would be to use the QC channel to exchange very large keys, then use them in another encryption layer if eavesdropping has not occurred during key exchange.
    --
    Those who sacrifice security to condemn liberty deserve to repeat history or something. - Benjamin Santayana
    1. Re:QC and evesdropping by OblongPlatypus · · Score: 5, Funny

      But if you sent "attack at dawn", then realized an enemy had been eavesdropping, wouldn't you just attack at dusk instead?

      Then again, the enemy would know that you knew he was eavesdropping, so he might anticipate that...

      Somehow, this reminds me of Vizzini.

      --
      -- If no truths are spoken then no lies can hide --
    2. Re:QC and evesdropping by Anonymous Coward · · Score: 4, Informative

      Your last paragraph is the way that QC is actually used (or so I have read in some random QC article):

      (1) Sender generates long random key
      (2) Sender transmits key
      (3) Receiver receives key
      (4) Receiver acks that the key has been received securely
      (4A) Design of a secure "ack" channel is an interesting question, don't know the answer for that off the top of my head!
      (5) Sender computes (message XOR key)
      (6) Sender transmits (message XOR key)
      (7) Receiver receives (message XOR key)
      (8) Receiver computes ((message XOR key) XOR key) == message

    3. Re:QC and evesdropping by gpinzone · · Score: 4, Informative

      Even if you can detect the eavesdropping, by that time, it's too late; the eavesdropper already has part of the message. Granted, it's only a single bit, but it might be the most important bit of the message.

      No, no, no, no. All you're sending is the key. If the key is compromised, all you have to do is throw that key away and send another key. No actual data from the message is sent. Once the key is received, and you know it hasn't been compromised, you can send the encrypted data through any unsecure channel you like at any speed. You could cache the keys in advance so the transmission can be unaffected by a DOS attack on the quantum transmission.

    4. Re:QC and evesdropping by jdrugo · · Score: 1

      Did you RTFA?

      It clearly states that the keys won't be used if eavesdropping was detected. Hence, no part of the message will be sent when eavesdropping was detected and so the eavesdropper won't have anything except for a worthless key.

    5. Re:QC and evesdropping by brufleth · · Score: 1

      TCP/IP is not used over fiber. The TCP frames would be repackaged before going over the fiber line. I'd assume they use a specialized protocol for QC which sends informationless "is anyone listening bits."

    6. Re:QC and evesdropping by Anonymous Coward · · Score: 0

      Hey, I know this is Slashdot, but read the whole comment before you reply. Especially the last paragraph, which talks about using the quantum channel to send keys instead of messages. The guy you're replying to *does* get it.

    7. Re:QC and evesdropping by 19thNervousBreakdown · · Score: 0

      Um...

      0 ^ 0 == 0
      0 ^ 1 == 1
      1 ^ 0 == 1
      1 ^ 1 == 0
      So,
      (5) Sender computes (message XOR key) -- The message is encrypted.
      (6) Sender transmits (message XOR key) -- The message is not encrypted
      (7) Receiver receives (message XOR key) -- The message is encrypted
      (8) Receiver computes ((message XOR key) XOR key) == message -- The message is unencrypted then encrypted again.

      Huh?

      --
      <xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
    8. Re:QC and evesdropping by the_1000th_Monkey · · Score: 1

      The article describes quantum key exchange -- what an eavesdropper would actually be reading would be the key to encrypt with before the message has been sent.

      When the receiver would ordinarily reply to indicate that it got the key, it would instead indicate that the key was compromised and they would try again. Then the actual "Attack at dawn." message would be sent over normal mediums encrypted with the key they finally agreed on.

      --
      where'd my typewriter go?
    9. Re:QC and evesdropping by iabervon · · Score: 2, Informative

      Actually, this doesn't work for anything other than key distribution anyway, because half of your bits will be lost due to guessing the mode wrong (let alone noise, interference, etc). If you were actually trying to send a message, you would have to contend with a whole lot of errors. However, it's possible to determine after the fact exactly which bits were lost due to quantum, so the ends can determine the secret that they share, even though it's impossible to say when you're picking the bits which ones will get through.

      The important thing about this scheme is that, after the transfer, the ends can determine where the deletions (bits that got randomized) were, but they can't determine this until after the bits have been transferred. If the receiver could find errors without assistance (due to use of error correction), then the scheme would not have any security, because an active adversary could repair the message to cover the intrusion. Of course, without error correction, transferring your data isn't going to work.

      Of course, you have to verify that you actually agree on the key by sending random bits from it to check. Otherwise, an attacker could have intercepted the whole thing and sent on junk, such that the attacker has half the key and the receiver has random data, and the attacker will get half the message and the receiver will get nothing.

    10. Re:QC and evesdropping by deblau · · Score: 1

      Actually, the data interchanged with QC is normally a one-time pad, not the actual message. If an observer interferes with the transmission, it is detectable on both ends. Sender and receiver both know not to use that bit, with no further synchronization necessary. The actual message is sent over normal comm channels (Internet) after being XORed with the one-time pad, but if it's intercepted now, it's impossible to break.

      --
      This post expresses my opinion, not that of my employer. And yes, IAAL.
    11. Re:QC and evesdropping by eddeye · · Score: 1
      Even if you can detect the eavesdropping, by that time, it's too late; the eavesdropper already has part of the message.

      Actually you use quantum crypto to exchange key material. It's just meaningless random data at that point. You run the eavesdropping detection protocol before you send any real data. The attacker may get a few bits of the key undetectably, but with a strong cipher that won't help him much.

      Quantum crypto is a solution looking for a problem. Its only advantage over conventional methods is the "gee whiz" factor.

      --
      Democracy is two wolves and a sheep voting on lunch.
    12. Re:QC and evesdropping by gpinzone · · Score: 1

      No, he doesn't get it. You don't send the data until the key has been received and verified. There's no reason to send the key and data simultaneously.

    13. Re:QC and evesdropping by Anonymous Coward · · Score: 0

      You say: no, he doesn't get it. You don't send the data until the key has been received and verified.
      The original poster said: Another way would be to use the QC channel to exchange very large keys, then use them in another encryption layer if eavesdropping has not occurred during key exchange.
      And I said: you failed to read what the original poster wrote.
      It looks you still fail it!

      I'm not making this up. Look in the original poster's comment, in the last paragraph. That's an exact quote.

    14. Re:QC and evesdropping by Anonymous Coward · · Score: 0

      Steps (6) and (7) are marked 'transmit' and 'receive'; they describe activities that occur on an eavesdroppable, but authenticated channel.
      Steps (5) and (8) are marked 'computes', they are steps that happen entirely inside Alice's private computer, and later, inside Bob's private computer.
      In other words, in (8), Bob is decrypting the message on his own computer. If Eve has got spyware on Bob's computer then Eve can read the message, but if Eve is just running Carnivore on an ISP, the contents of (6) and (7) are available to Eve but no good to her.

    15. Re:QC and evesdropping by Karhgath · · Score: 4, Interesting

      The actual way it works is the following. (simplified to bits instead of qubits for the sake of simplicity, and I probably forgot some details here and there)

      1) Alice generates a random number of bits.

      2) Bob generates a random number of bits.

      3) Alice sends bits sequence to Bob, and Bob reads them, noting the place where both are equal.

      4) Bob tells Alice every place the bits are equal, over a CLASSICAL channel.

      NOTE:
      This is the part that needs understanding. The proof that you cannot eavesdrop is as follows:

      4a) If the bit that Alice sent is the same as Bob, but was intercepted at 3), Bob will see it as different, so the bit will be discarded.
      4b) If the bit that Alice sent isn't the same as Bob, but was intercepted at 3), Bob will register it as the same and will try to use it. See 5).

      5) Alice and Bob test a couple of bits to check the integrity, over a CLASSICAL channel. This is the critical part, you need a big enough sample to prove that it is equal, but not too big so that the attacker knows too much about the key. The sample needed isn't actually that big. If you have one bit wrong, it was eavesdropped or corrupted along the way. If you do not detect any wrong bit, it means that the attacker doesn't have much information about the key, if at all. If 4b) happened, this part will detect those 'bad bits' with accuracy.

      6) Alice encrypts the message with the key and sends it to Bob as if it was a one-time pad.

      If you want more info about quantum computing, see an introduction by one of the forefathers of quantum computing, Gilles Brassard, who I had the joy to have a class with.

      http://www.iro.umontreal.ca/~brassard/SSGRR.html

    16. Re:QC and evesdropping by ReVeR5408 · · Score: 0

      You see the funny thing about quantum theory is that the state of molecules changes upon observation. So that means that even if a person did eavesdrop, it wouldn't matter because the bit would change and become useless to the eavesdropper.

      Just thought I would add my two cents

    17. Re:QC and evesdropping by deVoid99 · · Score: 1

      No, you can't even get the first bit of the message. You might intercept it, but you'd have a 50% probability it was correct - so it's useless!!

    18. Re:QC and evesdropping by gpinzone · · Score: 1

      What a troll. You do not resend the keys encrypted in another channel! You should try reading your own post before replying anonymously.

  19. But it's fast enough now. by Thinkit4 · · Score: 1

    That's a decent speed to do the whole data transfer this way. No mathematical encryption at all.

    --
    -I am an elective eunuch.
    1. Re:But it's fast enough now. by Halo- · · Score: 1

      Yeah, I agree that the speed is getting to where it would be possible. But, the question is still one of terminology. If I'm relying solely on the integrity of the transmission channel, I'm not doing "cryptography" any more.

      One of the hallmarks of cryptography is that it is medium independent. If I encrypt something, I can print the output on paper, copy it to a floppy, etc and the security isn't weakened. With a simple secure channel, I lose all my protection as soon as the message stops being photons on the fiber and becomes an electrical signal in my computer.

      The German Navy suffered huge leaks of information when their Enigma machine was "broken", but the "breaks" were due in large part to captured key material and human factors. The Germans investigated these areas a few times, but always concluded that their machine was too strong to be broken, so their codes were secure. And, to a certain degree they were correct. In periods when the Allies didn't have captured keys, the time to break a message was often in the weeks, rendering the majority of the messages out of date. But when they had the key material, they could solve messages in hours.

      I totally agree this is a really cool technology, and it makes crypto much harder to crack, but it may breed dangerous over-confidence.

      One last example: SSL. Sites often refer to themselves as being protected with 4096 bit RSA (or whatever....) But this is really only partly true. The initial key exchange may be in RSA, but the actual data is usually 112 bit 3DES. It would take a really long time to brute force either factor, but I suspect if I had magical NSA-type teraflops at my disposal, I'd start with the 3DES.

  20. Re:star what? by pseudochaotic · · Score: 0

    Why use photon torpedoes when we could have Photon Laser Beams!

    --
    And the l33t shall inherit the 34r7h.
  21. What about keyloggers and stuff? by joda · · Score: 5, Insightful

    Even though in theory the encrypted messages (or whatever is sent) can't be read, you still have the problems before and after encryption.
    Especially these days with worms and trojans affecting even the most _secure_ environments (*bad memories about some american nuclear power plant*). You can expect someone somewhere to get some spyware or keylogging-thingie onto a sender or receiver's system. (or sometimes even enough with just getting it onto the network on each end in question.)
    I recall visiting a webshop somewhere who sold a small (read less than half an inch) plug, which you put in between the keyboard and the comp, which could log several megs of typed in text. Later it's just to harvest ...

    Maybe I'm just paranoid, but if you can't trust your coworkers 130% in these cases, you're still toast unless you put the machine (and yourself) in a vault and throw away the key. /joda

    --
    Buy all your crazy japanese videogames from
    1. Re:What about keyloggers and stuff? by Karhgath · · Score: 1

      The beauty is that you cannot intercept the key in this way (keylogger, spywares, etc.) That's because key exchange in quantum encryption is proven TOTALLY secure. First because the keylogger won't log anything (the key isn't typed), and a spyware or eavesdropper will interfere with the key exchange and either prevent the key exchange, or will end up having useless information that isn't used in the creation of the key.

      However, yes, you could read the actual message before it is encrypted (check over your coworker's shoulder, etc). But then if you can do that, whatever the encryption used, you'll always be able to see the message, so encryption is not a solution.

      Encryption as a whole is never a silver bullet =)

  22. the weakest link in the chain by WormholeFiend · · Score: 5, Insightful

    is human.

    while it's true that cryptography like this improves security, those encrypted messages are still transmitted between people, and people are not corruption-proof.

    1. Re:the weakest link in the chain by vuo · · Score: 0

      It seems we're approaching another kind of "technology singularity" in the cryptology arms race: trust is reduced back into the human. In the stone age, trust was based only on humans, because all communications were conducted in interpersonal meetings. Now, with all this measure and countermeasure, we've gone thru a full circle: trust is in the human, not in technology.

      On the other hand, the curl was nonzero: there was a net privacy and distance increment when integrating around the full circle. That is, for secure communication, meeting is not necessary. The rest of this "development" is not real development but measure and countermeasure.

    2. Re:the weakest link in the chain by extremecenter · · Score: 1

      The engineering is also awfully hard. There was a good article in New Scientist last year (doesn't seem to be online though) that explained some of the weaknesses that occur in quantum crypto implementations. Nicholas Gisin, the Swiss researcher who holds the distance record for QKD, was quoted as saying that quantum crypto will probably never be totally secure in practice, even if it is in theory. The underlying physics is bulletproof, but the protocols, hardware, and software used to implement key distribution are where vulnerabilities creep in. The situation is analogous to conventional crypto in a lot of ways. The underlying math of AES, RSA and other algorithms, is really solid, but there are lots of ways to attack the software and hardware used in implementations.

  23. Original article by Vadim+Makarov · · Score: 4, Informative
    Here is the original article (PDF, should be downloadable) in Optics Express.

    Aaahhh! and it runs Linux. Mod me up.

    ("We are currently using a Linux operating system with custom drivers for the boards.")

    --
    17779 eligible voters in a district, 17779 'vote' as one. This is Russia.
    1. Re: Original article by Vadim+Makarov · · Score: 2, Interesting

      Also, not to diminish the achievements which I applaud, but to point out: the demonstration they did (B92 protocol with no reference pulse) in fact is not secure at all. These states can be detected unambiguously probabilistically and those where detection was successful can be re-sent with increased energy, which makes eavesdropping possible given the low detection probability at Bob. They better do it with BB84 next time :)

      --
      17779 eligible voters in a district, 17779 'vote' as one. This is Russia.
  24. Re:Always? The Copenhagen interpretation... by turnstyle · · Score: 4, Funny
    "Indeed, but if it were possible to eavesdrop without detection, implications for physics would be just as great as for cryptology."

    Perhaps when somebody eavesdrops, a cat is killed?

    Or does the universe split in two, one in which the eavesdrop has occurred, and one in which it has not?

    --
    Here's what I do: Bitty Browser & Andromeda
  25. First Proven Useful Application? by dmomo · · Score: 2, Interesting

    To crack the Curse of the Bambino for the Boston Red Sox.

  26. Newtonian = struct; Quantum = object-oriented by mec · · Score: 2, Interesting

    That's essentially correct: there is more information inside a quantum system than anybody can measure.

    Quantum Cryptography: Privacy Through Uncertainty

    Here's how I think about it as a computer programmer. Newtonian+Maxwell physics are like C data structures, where every member is public, and an experimenter can 'get' and 'set' arbitrary values. But quantum objects are like O-O objects: the internals are private; the objects have methods; and you can only use the methods; and there are no raw "set" and "get" methods!

    So consider an electron with a 'measure_position' method and a 'measure_momentum' method. Calling e1.measure_position() affects the internal state of the electron (there are no const methods in nature -- everything you do to measure an object affects the object).

    QC is based on the construction of quantum objects where there is no set of method calls that are sufficient to create a second object which is indistinguishable from the first one. In the Newtonian universe, you just memcpy() more objects, but in the quantum world, there is no memcpy() -- there are only the object methods found in nature.

    1. Re:Newtonian = struct; Quantum = object-oriented by Anonymous Coward · · Score: 0

      Can't you just have a multitude of detectors though? Wouldn't the photon pass through them all at once allowing you to collect as much information about the stream as you want?

    2. Re:Newtonian = struct; Quantum = object-oriented by mec · · Score: 1

      What is a detector?

      A detector is a physical object that interacts with the target object. For example, if you want to measure how long something is, you lay it next to a ruler and look at it. However, to see the object next to the ruler, light must be coming off it, which means that light must be interacting with it.

      Think of how you would measure the speed of a bullet: with a series of cameras, maybe. The only way the cameras can see the bullet is if photons are bouncing off the bullet, knocking the bullet around.

      If you want to measure properties of a photon, the photon has to interact with the detector. The more precisely that you measure a property, the more interaction you have to do, and the more effect on the target object you have.

      At this point you can try: "well I'll just build a more ingenious detector that has less and less disturbance on the target particle", but it turns out there are limits. The Uncertainty Principles are all about those limits. If you have a target system of a given mass, and want to measure its velocity to X% or better, then you must disturb its position for Y% or more. You can't ever measure both properties with arbitrarily good precision.

      In C++ terms, there are no detectors which are really const methods.

    3. Re:Newtonian = struct; Quantum = object-oriented by Anonymous Coward · · Score: 0

      If you place 2 (or more) detectors side by side will the photon interact with them simultaneously (as in the 2 slit experiment)? If so, will they produce different results? Could you not then (assuming the above is true) set up a whole load of detectors all with slightly different alignments and use the distribution of measured photons (all of them the same actual photon if you don't believe quantum physics to be an idealist philosophy) to make a good guess at the original alignment allowing you to mount a man in the middle attack?

    4. Re:Newtonian = struct; Quantum = object-oriented by mec · · Score: 2, Informative

      There are two dimensions of "original alignment", represented by non-commutative operators. Any attempt to extract precise information about one dimension will fuzz out the other dimension, and vice versa. This includes systems of multiple detectors.

      Put it this way: suppose you had a bunch of position detectors, and a bunch of momentum detectors, and you combined them somehow. Do you think you could beat the Heisenberg Uncertainty Principle that way? I doubt it.

      It's like trying to build a perpetual motion machine. The laws of thermodynamics are very general and don't tell us how any specific machine cannot generate energy for free, but they do indicate that every machine must fail to produce free energy. It would require extraordinary evidence from an actual machine to upset those laws.

      Similarly, the laws of observables in QM prevent two observables from being measured with high precision if the operators for those observables do not commute. The onus is on a challenger to produce a machine that simultaneously measures two such observables with high precision. It will take a lot more than "hey, let's glue N detectors together" to upset such a well-tested physical theory.

    5. Re:Newtonian = struct; Quantum = object-oriented by Anonymous Coward · · Score: 0

      Unfortunately I don't have the budget to build such a machine :-( Has anyone tested/got plans to test such a machine? What does quantum theory predict would happen? Would the photon hit all the detectors but produce completely random results (i.e. no correlation between the emitted photon and measured photon), or only hit one detector? Or would it do something weird and quantum and acquire the polarization of the first detector it hit and register this on the second even though it hasn't actually passed through the first to get to the second? Just to be clear I'm talking about placing the detectors side by side, but obviously you can't get them both (or however many there are) exactly the same distance from the emitter.

      And wouldn't the machine I describe only be testing one observable, or does the photon's polarization become multiple observables when measured by different detectors simultaneously (if such a thing is possible)?

    6. Re:Newtonian = struct; Quantum = object-oriented by mec · · Score: 1

      The easy part first: there are two observables per photon, the horizontal polarization axis and the vertical polarization axis. Alice sends four types of photons: vertical (1,0); horizontal (0,1); diagonal (sqrt(2)/2,sqrt(2)/2); other diagonal (sqrt(2)/2,-sqrt(2)/2). One of the points of QKD is that when Bob chooses an axis to measure on, half the photons line up with that axis and are measured deterministically, but half of the photons are slantwise to the axis that Bob chose for that photon, so they come out as random gunk.
      For example, Alice sends a diagonal (sqrt(2)/2, sqrt(2)/2) photon, but Bob uses a (1/0) axis. Bob has a 50% chance of seeing a "vertical" and 50% chance of seeing "horizontal".

      The hard part: what if Eve takes the photon and sends it through two detectors in parallel? That's really where I don't understand the nitty gritty, either. I suspect that when Eve sends the photon through two detectors in parallel, the two parts of the photon are entangled, so that a measurement on the vertical/horizontal detector ruins (randomizes) the measurement on the diagonal-diagonal detector. But I don't really understand entanglement at all.

      Perhaps someone who is fluent in bra and ket notation could tackle this?

    7. Re:Newtonian = struct; Quantum = object-oriented by Anonymous Coward · · Score: 0

      Ah that makes sense (in as much as quantum mechanics makes sense). Thanks :-)

  27. This just in by psyconaut · · Score: 1

    Researchers have just discovered that quantum cryptography can be "broken" by viewing the stream of photons in a mirror. Scientists are naturally rather embarrassed by this.

    -psy

    1. Re:This just in by timothv · · Score: 1

      You'll only get the photon if you intercept the path of the photon. It doesn't work like putting a mirror next to a desklamp. But I know you know that.

    2. Re:This just in by psyconaut · · Score: 1

      It was a reference to, when as kids, we'd write secret messages that could be "decoded" with a mirror ;-)

      I understand entanglement, mainly thanks to "Entanglement" by Amir D. Aczel...decent book for those wanting to understand quantum mechanics without reading anything too dry.

      -psy

  28. "Always" and other key issues by trezor · · Score: 1

    By your logic there are no rules which "always" apply. No one can claim correctness on anything.

    You fail to see that the assumption that something was correct (as in correct enough) is what has driven science further, by allowing new and more correct truths to be established, and bringing humans away from myths and into a more scientific mindset.

    But you are right. We are now such an evolved species that let's ban the word "always" out of any known languages immediately. After all there is no legitimate (or perpetually correct) use for it.

    Say goodbye to gravity, light emission and electromagnetic waves. They will be gone by the next century I tell you.

    /nitpick the nitpick

    --
    Not Buzzword 2.0 compliant. Please speak english.
  29. No smoke, but actual fire by trezor · · Score: 1

    This is the theory of relativity in practice boy.

    A quick, but probably inaccurate description:

    • Time is an actual dimension (let's say #4) which we move through. We move consistently through this dimension at the speed of light (more or less, no relativity-zealots please), if I remember correctly.
    • Transmitting faster than the speed of light would be moving something faster than we move through time, thus "faster than the speed of time"

    If this doesn't help, maybe relativity-physics wasn't intended for you *smug*

    If you really want to make this dirty, you could add the insecurity (probability issues) of quantum-physics and the fact that we do exist in the times that have passed.

    This is where the nutcases start going beyond anything useful, but what the hell. If you're interested in these perspectives read up on "The Hitchhiker's Guide to the Galaxy" with focus on the "probability dimensions" and the "everything everywhere exists"-theory :)

    --
    Not Buzzword 2.0 compliant. Please speak english.
    1. Re:No smoke, but actual fire by missing000 · · Score: 1

      Most of what you state is quite valid for relativity, but that is not the subject at hand. Rather, we are talking about quantum physics, and in that realm the speed of light and the nature of time are very separate principles.

      If you are interested in the mechanics of quantum physics and the separation of locality and time, I suggest you read up on the Einstein-Podolsky-Rosen Paradox.

  30. So would "Tamper Evident" be a better term by SnappingTurtle · · Score: 1
    I'm still trying to grasp this whole concept, but it sounds to me like it's not so much "unbreakable" as "tamper evident". Like a shrink-wrapped bottle of pills, you *can* break into it, but once it's broken into, everybody *knows* it's broken and so doesn't use it (i.e. the pills or the channel of communication) anymore.

    Right? Wrong? Clueless?

    --
    I've found that my posts don't format quite right w/o a sig.
    1. Re:So would "Tamper Evident" be a better term by Anonymous Coward · · Score: 0

      Right. Photons are very fragile, and QKD uses some of the "tamper evident" properties of photons.

  31. Bob and Alice and ... Eve? by Evil+Schmoo · · Score: 2, Informative

    Not to pile on to the other posters, but:

    As has been elucidated elsewhere here, the physical nature of QC prevents eavesdropping because of the nature of quantum mechanics. Traditional cryptography is based on bits, as you are no doubt aware; bits exist in purely binary format.

    Quantum bits, or qubits, on the other hand, are physical photons, not binary data, and as such, they exist in several states at once; you might have a single qubit that is right circularly polarized, or left vertically polarized. The point is, you have far more to work with than a single binary digit -- theoretically, since the mechanical equations are complex (in the mathematical sense), you have an infinite number of possible values for any one qubit. (This is the quantum principle of superposition, btw.)

    What this means is that you can send a photon of light polarized in a particular fashion to represent an ordinary bit. If your partner on the far end uses a polarizer to "read" your photon, he will either affect it or not, depending on whether his polarizer is oriented in the same direction as yours.

    So what you ("Alice", in crypto-speak) do is, you randomly switch polarizers on the photon you shoot towards Bob, your crypto-speak partner. Now let's say that Alice uses "up" and "down" as her binary states, and that she alternates random polarizers of vertical or diagonal condition. Vertical polarizers don't affect vertical particles; diagonal ones do. (I think.) Therefore, when Alice polarizes vertically, the original state is unchanged, but when she polarizes diagonally, the original state changes.

    Moreover, when the diagonal polarizer changes the data, it does so randomly. This is a basic principle of quantum mechanics; the vertical photon can become EITHER northeast-southwest OR southeast-northwest (the two diagonal states), and until it is measured, it has an exactly equal chance of becoming either when it is polarized. So what Bob sees on the other end is a seemingly random collection of vertical and diagonal data. And if, in combination with alternating her polarizers randomly, Alice randomly alternates her original data between vertical and diagonal states (again, choosing one of the two binary diagonal conditions to be "1" or "0"), then her data is impossible to detect.

    Or is it? Because, of course, Bob has to be able to read it. So Bob slaps on a polarizer of his own, again, randomly alternating them. So some of Bob's polarizers will match Alice's, and some of them will be different -- about 50% of the time, they'll match. And if Bob's polarizer matches Alice, then the original data can be reconstructed, since we know how polarizers treat photons.

    So how does Bob know if Alice and he have the same polarizers? Simple. He calls and asks her. They go through a list of each photon (usually several thousand, although there's no reason why it couldn't be millions) and compare polarizer choices. Those that match, they keep. Those that don't, they toss. They'll have, on average, about half the original data left -- and that becomes the basis of the secret key for their traditional crypto transmission. (Because you toss out so much data, you can't really use quantum to transmit plaintext in itself.)

    But wait, you say. Since Bob calls Alice over the telephone (gasp!) or uses email (horrors!) to request and send his polarizer data, couldn't that be obtained by an eavesdropper? Sure. It's virtually guaranteed to be intercepted. But so what? Eve can't do anything about it.

    Let's say that Eve gets in the middle of the exchange and puts in her own polarizers. (Since that's the only way to read the data.) Now, she doesn't know which polarizer Alice is using at any one time, so she has to randomize them herself, just like Bob. And if she guesses right, she will not affect the data that Alice is sending Bob. The problem, though, is if she guesses wrong. At that point, she changes the data that Bob reads.

    So when Bob and Alice compare their dat
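The exchange described in this comment and in Karhgath's step list further up (random polarizer choices, public comparison, discard the mismatches, test a sample, then use the rest as a one-time pad), as an added example that is not part of the thread. It assumes a noise-free channel and accepts a key only when the sample shows no mismatch; the function names and the `+`/`x` basis labels are the example's own.

```python
import random

BASES = "+x"  # '+' = vertical/horizontal, 'x' = the two diagonals


def measure(bit, prepared_basis, measuring_basis, rng):
    """Same basis: the encoded bit comes out. Different basis: a fair coin flip."""
    if prepared_basis == measuring_basis:
        return bit
    return rng.randrange(2)


def run_exchange(n_photons, eve_present, sample_size, seed):
    """One key exchange over a noise-free channel (an assumption of this example)."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.choice(BASES) for _ in range(n_photons)]
    bob_bases = [rng.choice(BASES) for _ in range(n_photons)]

    bob_bits = []
    for bit, basis, bob_basis in zip(alice_bits, alice_bases, bob_bases):
        if eve_present:
            # Eve has to pick a polarizer too, and what she passes on is
            # polarized according to her choice, not Alice's.
            eve_basis = rng.choice(BASES)
            bit = measure(bit, basis, eve_basis, rng)
            basis = eve_basis
        bob_bits.append(measure(bit, basis, bob_basis, rng))

    # Public comparison of polarizer choices: keep only the positions that match.
    kept = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]

    # Reveal a random sample of the kept bits and count disagreements.
    sample = set(rng.sample(kept, min(sample_size, len(kept))))
    mismatches = sum(alice_bits[i] != bob_bits[i] for i in sample)

    return {
        "sifted": len(kept),
        "sampled": len(sample),
        "mismatches": mismatches,
        "accepted": mismatches == 0,
        # Revealed sample bits are public, so they never go into the key.
        "alice_key": [alice_bits[i] for i in kept if i not in sample],
        "bob_key": [bob_bits[i] for i in kept if i not in sample],
    }


def one_time_pad(data, key_bits):
    """XOR data with key bits packed 8 per byte; encrypts and decrypts."""
    if len(key_bits) < 8 * len(data):
        raise ValueError("not enough key material for a one-time pad")
    pad = bytes(
        int("".join(map(str, key_bits[8 * i:8 * i + 8])), 2)
        for i in range(len(data))
    )
    return bytes(d ^ p for d, p in zip(data, pad))


if __name__ == "__main__":
    for eve in (False, True):
        r = run_exchange(2000, eve_present=eve, sample_size=100, seed=1)
        print("eve" if eve else "clean", r["sifted"], r["mismatches"], r["accepted"])
```

In a real link the channel itself produces some errors, so the acceptance rule is an error-rate threshold rather than zero mismatches.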

  32. No, the grandparent is right by Anonymous Coward · · Score: 0

    Sorry, I'm calling bullshit on YOU.

    Study the protocol: Alice chooses a set of polarization choices such as x++xx+x++. Bob chooses his set of polarization choices; then they compare the two sets over an open channel and use only the matching choices.

    Here is an algorithm for Eve: Eve chooses a random set of polarization choices, reads all the photons, and then re-emits all the photons.

    If Eve's polarization choices EXACTLY MATCH those of Alice, then Eve has succeeded. This will happen with probability 2^(-n). When this happens, Alice and Bob will agree that their exchange went all right, and Eve is in like flynn.

    2^(-n) is a very small number, of course, but Eve knows when it happens. Of course, Alice and Bob also notice they have a very noisy channel most of the time!
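An added worked calculation, not part of the thread: it takes the four polarization vectors mec lists earlier, applies the measurement rule (probability = squared overlap) to the read-and-re-emit Eve described in this comment, and derives how often a compared bit disagrees and how many compared bits Alice and Bob need for a given detection confidence. It goes one step beyond the all-choices-match case by counting every way a compared bit can still agree; the bit labels attached to each vector and the function names are assumptions of the example.

```python
from itertools import product
from math import sqrt

S = sqrt(2) / 2

# (basis, bit) -> polarization vector, using the four vectors from mec's comment.
# Which vector means 0 and which means 1 is an assumption of this example.
STATES = {
    ("+", 0): (1.0, 0.0),   # vertical
    ("+", 1): (0.0, 1.0),   # horizontal
    ("x", 0): (S, S),       # diagonal
    ("x", 1): (S, -S),      # other diagonal
}


def outcome_prob(basis, outcome, state):
    """Probability that measuring `state` in `basis` yields `outcome`."""
    a, b = STATES[(basis, outcome)]
    return (a * state[0] + b * state[1]) ** 2


def sifted_error_rate(eve_present):
    """Chance that a kept bit (Bob used Alice's basis) differs from Alice's."""
    total = 0.0
    for (basis, bit), state in STATES.items():
        p_alice = 1 / len(STATES)          # Alice picks each state uniformly
        if not eve_present:
            total += p_alice * outcome_prob(basis, 1 - bit, state)
            continue
        for eve_basis, eve_bit in product("+x", (0, 1)):
            # Eve picks a basis at random, sees eve_bit, re-emits that state.
            p_eve = 0.5 * outcome_prob(eve_basis, eve_bit, state)
            resent = STATES[(eve_basis, eve_bit)]
            total += p_alice * p_eve * outcome_prob(basis, 1 - bit, resent)
    return total


def eve_correct_rate():
    """Chance that Eve's reading of a photon equals the bit Alice encoded."""
    return sum(
        0.25 * 0.5 * outcome_prob(eve_basis, bit, state)
        for ((_, bit), state), eve_basis in product(STATES.items(), "+x")
    )


def undetected_probability(check_bits, eve_present=True):
    """Chance that `check_bits` compared bits all agree."""
    return (1 - sifted_error_rate(eve_present)) ** check_bits


def check_bits_needed(max_undetected):
    """Smallest number of compared bits that pushes the miss rate below the target."""
    agree = 1 - sifted_error_rate(True)
    k, p = 0, 1.0
    while p > max_undetected:
        k += 1
        p *= agree
    return k


if __name__ == "__main__":
    print("diagonal photon read on the +/- axis:",
          outcome_prob("+", 0, STATES[("x", 0)]))
    print("error rate on kept bits with Eve:", sifted_error_rate(True))
    print("Eve reads the right bit:", eve_correct_rate())
    for target in (1e-2, 1e-6):
        print(target, "->", check_bits_needed(target), "compared bits")
```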

    1. Re:No, the grandparent is right by Anonymous Coward · · Score: 0

      my bad :)

  33. This is a test, only a test .... by BrownDwarf · · Score: 1

    .... but do we have any idea what sort of range might be possible down the road? I ask because I suspect that a stream of photons would have to be amplified somewhere along the way, fine under almost any other circumstances -- but here the original photons _must_ make it to the recipient, or the message will show that it's been tampered with. Unless we are talking about distances significantly greater than a few hundred meters, the old-fashioned sneaker net might be a cost-effective alternative.

  34. Certainly adds to your geek score by erik_norgaard · · Score: 1

    Really, quantum encryption just takes cryptography to another level. Like skipping rot13 in favour of RSA. It's practically unbreakable with a normal computer, just as trying to brute-force RSA with pen and paper.

    So, using quantum cryptography secures against those who still have this ancient silicon-based thing called a microcomputer. Researchers are working on quantum computers whose power will be million or billionfold that of normal computers.

    Using quantum cryptography will not protect you for long, then every one will have quantum computers. The only real benefit is your geek score! :-)

    1. Re:Certainly adds to your geek score by Anonymous Coward · · Score: 0

      You are so wrong. Quantum computers will not help in breaking quantum cryptography. Ever. We need a big change in our understanding of physics to break quantum cryptography. (NOTE: This does not mean that a system using quantum cryptography will be unbreakable. It most likely will be breakable, but the weakness is not in the quantum cryptography part.)

  35. This is not cryptography by thomasa · · Score: 1

    cryptography is the process of encrypting information. This is just
    like putting a wax seal in your message - you can tell if it is read. Not encryption.

    1. Re:This is not cryptography by Anonymous Coward · · Score: 1, Informative

      Wrong. Quantum cryptography is about key exchange, which is definitely part of cryptography.

      Apart from that, cryptography does not only deal with encryption. Integrity and authentication are just as important (if not more).

    2. Re:This is not cryptography by thomasa · · Score: 1

      It might be adjunctive to cryptography but this is
      not quantum computation or anything near Shor's
      algorithm. Saying this is cryptography is like saying
      putting guards near telegraph lines is cryptography.

  36. speed is not relevant by flok · · Score: 1

    Just use it to transmit session keys on a regular basis. 3DES keys for example and if that is too breakable, make it 4DES 5DES or even 128DES. The last one only needs 1024 bytes of keys to transmit.
    (replace DES with BLOWFISH if you like)

    --

    www.vanheusden.com - home of Multitail, HTTPing, CoffeeSaint, EntropyBroker, rsstail, bsod, listener, nagcon, nagi
  37. Completely Fucking Retarded by pyth · · Score: 1
    Stop worshipping Quantum Mechanics as magically overturning trivial truths. Get a damn textbook and learn what it is.

    How about you look at the basics of Quantum Encryption? It's really quite simple. There are two communication pathways. One is conventional. The second is the probabilistic.

    Eavesdropping the second line requires interception. The information of the second line can only be half-decoded with readonly access to the first. The remainder is inherently garbage, which is normal.

    Thus to get the remaining parts, you must requisition a retransmission of the garbage. Again, this is normal. The sender expects this.

    Intercepted transmissions must be retransmitted to the intended recipient. If it's not re-transmitted in full, they'll notice.

    Just grab full control over both lines and you are able to impersonate the recipient and sender.

    EVERY COMMUNICATION SYSTEM IS SUSCEPTIBLE TO MAN-IN-THE-MIDDLE

    1. Re:Completely Fucking Retarded by Karhgath · · Score: 1

      Wrong. You should get a textbook or take a course on quantum computing and encryption.

      You cannot act as a repeater without changing the quantum data. It is IMPOSSIBLE to recreate accurately a qubit, so retransmiting exactly the same data is impossible. This is not classical science.

      QKD (Quantum key distribution) is UNCONDITIONALLY SECURE. It CANNOT be intercepted with a man-in-the-middle scheme, or ANY other scheme for that matter.

      The worst that can happen, is that you can prevent both parties from communicating. However, you cannot eavesdrop a successful communication.

    2. Re:Completely Fucking Retarded by pyth · · Score: 1

      Listen. The receiver has some way of getting at the data, right? If even the RECEIVER is unable to use the transmission, it's pretty damn useless. Well, the attacker just has to sit in the receiver's place, and then also impersonate being a sender. I fail to see how Quantum Magic gets around this. Sender and Receiver are inherent in every communication scheme. Thus every communication scheme is vulnerable to man-in-the-middle.

    3. Re:Completely Fucking Retarded by Mikeydude750 · · Score: 0

      Yes, but do you think someone's going to be able to go up to a fiber-optic cable and just split it like that? Someone would notice, and by then, the connection would certainly be shut down.

    4. Re:Completely Fucking Retarded by Anonymous Coward · · Score: 0

      Ballcocks. By that logic public key distribution over a fiber link is secure because someone would have to cut it in order to MIM it.

  38. The fine print by menscher · · Score: 1

    Sure, it can transfer at 1 megabit. But that means they need to be able to generate cryptographically strong random numbers at the 2MHz level, while changing polarizations to match. It's not a trivial statement. So... this might not be quite as safe as they're claiming. But those are just details which everyone hopes can be trivially solved in the near future.

  39. Everything Can Be Hacked by Long-EZ · · Score: 2, Interesting


    Hacker Rule #1: Everything can be hacked.

    The Quantum Man In The Middle
    To prevent the man-in-the-middle attack where a photon is intercepted and an identical photon is transmitted in its place, the sender and receiver rely on a very tight window in time. Any photons received outside that window are rejected. If you want to grab the quantum secured key, why not put a receiver in the middle that emits a quantum entangled photon? You intercept the sender's photon, and once you know its state you can change the state of the captured photon so its entangled twin has the same quantum state as the intercepted photon, and arrives at the correct time. You essentially use quantum entanglement to change the state of the imposter photon while it's in transit.

    Quantum Brute Force
    Quantum computing is emerging almost as fast as "quantum cryptography" (actually "quantum tamper resistant key transmission"). In the near future a good quantum computer will be fast enough to quickly break today's strong encryption. This is the same old game of making sure encryption is just strong enough that commercial users can't crack it but governments can. It's a moving target. Make your own VERY secure encryption algorithm that jumps fifty years down the path of Moore's Law. Add 32 bits to your key and you're secure. That'll piss off your government. So will tying up several hours on their massive supercomputers to learn that you used your favorite commercial encryption algorithm to send your grandmother's cream candy recipe to an internet cafe in South Africa. I'd never do that, but I'd be very tempted to send The Constitution and The Bill of Rights.

    --
    >> My ultraviolent Linux switch video.
    1. Re:Everything Can Be Hacked by Karhgath · · Score: 1

      Hacker Rule #1: Everything can be hacked.

      The Quantum Man In The Middle
      To prevent the man-in-the-middle attack where a photon is intercepted and an identical photon is transmitted in its place, the sender and receiver rely on a very tight window in time. Any photons received outside that window are rejected. If you want to grab the quantum secured key, why not put a receiver in the middle that emits a quantum entangled photon? You intercept the sender's photon, and once you know its state you can change the state of the captured photon so its entangled twin has the same quantum state as the intercepted photon, and arrives at the correct time. You essentially use quantum entanglement to change the state of the imposter photon while it's in transit.


      That's not how it works. First, quantum encryption doesn't rely on entanglement. Second, you CANNOT reproduce quantum information, so you cannot intercept it and re-emit it without changing the value. Third, it doesn't work 'based on a short window of time'. Quantum Key Distribution (QKD) is proven unconditionally secure. You cannot intercept the key, only prevent both parties from exchanging a key.

      Quantum Brute Force
      Quantum computing is emerging almost as fast as "quantum cryptography" (actually "quantum tamper resistant key transmission"). In the near future a good quantum computer will be fast enough to quickly break today's strong encryption. This is the same old game of making sure encryption is just strong enough that commercial users can't crack it but governments can. It's a moving target. Make your own VERY secure encryption algorithm that jumps fifty years down the path of Moore's Law. Add 32 bits to your key and you're secure. That'll piss off your government. So will tying up several hours on their massive supercomputers to learn that you used your favorite commercial encryption algorithm to send your grandmother's cream candy recipe to an internet cafe in South Africa. I'd never do that, but I'd be very tempted to send The Constitution and The Bill of Rights.


      You are right. However, quantum encryption ISN'T based on an algorithm. It's based on the one-time pad principle. If you generate a key that is as long as the message, and use it only once, it cannot be decrypted. You even use XOR to encrypt the message! And since the key distribution is totally secure, you have a totally secure encryption, not using any algorithm.

      So, yes, quantum computing can break classical encryption algorithms easily, but it cannot decrypt a message encrypted with a one-time pad method, and a key as long as the message.

    2. Re:Everything Can Be Hacked by OzRoy · · Score: 1
      Quantum Brute Force

      You would not use any of the standard encryption systems currently used on the internet to send information using quantum cryptography. If you had a quantum cryptography system you would return to an old system called the One Time Pad, which is impossible to break using any method including a brute force attack.

      This method was actually used by business and the military (and is probably still used by the military) before the development of public key encryption systems. The reason why it can't be used over the internet is because the same key is used to encrypt and decrypt. But by using the quantum cryptography method it is possible to send a key to the recipient and know that no one else has intercepted it.

    3. Re:Everything Can Be Hacked by Long-EZ · · Score: 1

      First, quantum encryption doesn't rely on entanglement.

      I know that. But my proposed method of defeating it does. Their detector wouldn't know the photon my system emitted was entangled with one that I controlled.

      Second, you CANNOT reproduce quantum information, so you cannot intercept it and re-emit it without changing the value.

      I'm not re-emitting anything. I'm determining the quantum state of their photon. Their detector does that, so mine can too. I'm changing the quantum state of my own photon. Their transmitter does that, so mine can too. The only difference is, I'm changing the state of a photon that causes a quantum state change in an entangled photon, but I don't see a problem with that. In fact, while I'm not a quantum physicist, what I propose seems only slightly more difficult than what they're already doing. Breaking encryption is almost always more difficult than encrypting and decrypting. That's the only purpose of encryption - to make it more difficult, not completely impossible as the researchers seem to be claiming.

      Third, it doesn't work 'based on a short window of time'.

      Yes, it does. The linked article specifically mentioned this. Actually, I think it might have been a link from the linked article. The critical time window was the method they use to determine which arriving photon was the key photon, as opposed to a photon emitted by the sun.

      Quantum Key Distribution (QKD) is proven unconditionally secure.

      That's been claimed for many of the various encryption schemes. Remember the foolish bravado of the company that claimed their video encoding technology was unbreakable? I know more people who enjoy pirated satellite TV than I do those who purchase the service. I'm not saying most of their viewers are pirating the service. That statistic probably says more about me, based on my shady geek associates. But a significant number of people are surely enjoying this "proven unconditionally secure" system. At the risk of repeating myself, it's a fundamental law. Everything can be hacked. Claiming it can't just causes it to happen sooner rather than later.

      If you generate a key that is as long as the message, and use it only once, it cannot be decrypted.

      The brute force method can make some assumptions. If you were transmitting a message with no information content (noise, random characters), I'd agree. But to be useful, the system must be able to transmit information. If a short key is used for a long message, the key can be guessed by brute force. Eventually, real words will result instead of gibberish, and it's easy for a decrypting routine to detect that as a successful brute force decryption. If the key is as long as the message then I agree that the message would be as secure as the key, but I still argue that my previous statements indicate that the key is not as secure as we are being told. Even the DOD won't give someone a grant for a more complicated and expensive method that doesn't improve on the success of previous efforts. Geeks gotta eat. And they're naturally enthusiastic about their work. So their grant proposals and public statements reflect undue optimism.

      Or are you suggesting that this is going to be the first unhackable system ever built? That notion seems laughable to me. If I had a religion, the idea of something being unhackable would be heresy.

      --
      >> My ultraviolent Linux switch video.
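The one-time pad point argued in the replies above can be checked directly. The following is an added example, not code from any poster or from NIST; the two messages, the 4-byte key and all function names are constructed for illustration. It shows that with a pad as long as the message every same-length plaintext has a pad that explains the ciphertext, while a short repeating key lets a guess be confirmed or ruled out.

```python
def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("operands must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_apply(data: bytes, pad: bytes) -> bytes:
    """One-time pad: encrypt and decrypt are the same XOR with a full-length pad."""
    return xor_bytes(data, pad)


def pad_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """The unique pad under which `ciphertext` decrypts to `candidate`."""
    return xor_bytes(ciphertext, candidate)


def repeating_key_encrypt(message: bytes, short_key: bytes) -> bytes:
    """XOR with a short key repeated to message length (NOT a one-time pad)."""
    reps = len(message) // len(short_key) + 1
    return xor_bytes(message, (short_key * reps)[: len(message)])


def fits_repeating_key(ciphertext: bytes, candidate: bytes, key_len: int) -> bool:
    """True if some key of `key_len` bytes, repeated, maps candidate to ciphertext."""
    stream = xor_bytes(ciphertext, candidate)
    return all(stream[i] == stream[i % key_len] for i in range(len(stream)))


# Constructed sample messages of identical length.
REAL = b"wire 500 to account A"
DECOY = b"wire 900 to account B"


def demo(pad: bytes, short_key: bytes):
    """Return (decoy recovered under alternative pad, real fits, decoy fits)."""
    ct = otp_apply(REAL, pad)
    alt_pad = pad_explaining(ct, DECOY)        # a perfectly valid-looking pad
    decoy_back = otp_apply(ct, alt_pad)        # decrypts to the decoy
    ct_short = repeating_key_encrypt(REAL, short_key)
    return (
        decoy_back,
        fits_repeating_key(ct_short, REAL, len(short_key)),
        fits_repeating_key(ct_short, DECOY, len(short_key)),
    )


if __name__ == "__main__":
    import secrets

    result = demo(secrets.token_bytes(len(REAL)), b"\x13\x37\xc0\xde")
    print("full-length pad: ciphertext also decrypts to", result[0])
    print("4-byte repeating key: real text fits =", result[1],
          "| decoy fits =", result[2])
```

With the full-length pad an exhaustive key search returns every possible message of that length, so it carries no information; with the repeated key the structure of the key stream is what gives a wrong guess away.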
    4. Re:Everything Can Be Hacked by Long-EZ · · Score: 1

      But by using the quantum cryptography method it is possible to send a key to the recipient and know that no one else has intercepted it.

      This is only true if the key is secure. Unless you can prove otherwise, I'll stick with my hypothetical device that emits a quantum entangled photon at exactly the same time as their key photon is received. Once the key is obtained, it's a simple matter of XORing. Even if the first several characters of the key were lost calibrating the timing, it would be a trivial matter to guess them. Not much brute force would be needed to guess five characters.

      --
      >> My ultraviolent Linux switch video.
    5. Re:Everything Can Be Hacked by Anonymous Coward · · Score: 0

      "I'll stick with my hypothetical device that emits a quantum entangled photon at exactly the same time as their key photon is received."

      The problem is that you don't understand how the technology works, here is an example:

      There are 4 possible spins on a given photon, there are two testing measures to determine these.
      One test covers 2 spins, and the other test covers the other 2 spins. If you use the wrong test, then not only will you fail to measure the spin, but you will have destroyed the photon because by testing the spin you erase its "true" spin.

      So even if you guess right 50% of the time, the other 50% you will have to guess on which spin to give it, and then you have a 50% chance of being right, so 25% of the time you will mess up and give an invalid photon. This will tip off that you have been eavesdropping, and it is currently impossible to even THINK about a way to test photons that would get around this.

      Here is how the basic sequence works:

      Sender sends a bunch of photons with random (but recorded) spin and values, receiver records them with the test he used, and what result he got.

      Receiver then tells the sender what test he used on what photon, and sender tells him which test he got right. Since he used the correct test, and both recorded the values of the photons, each should have the exact same string of binary.

      Now, they compare part of this string openly, since it's random. If they match perfectly, then they know that the rest of the string matches too, and therefore they have a matching key without ever transmitting the key or talking about its data.

      If however the test strings don't match up, then they know that somewhere along the way someone eavesdropped and they can start again with a new key.

      So the problem with your hypothetical device, is that it can never correctly receive 100% of the photons, and therefore couldn't transmit 100% right, so it can be detected.

      Now, this is all based on current Quantum Mechanics and physics using conventional theories on EM stuff.

      If you found a way (sub-space, like the trekkies perhaps?) to observe the physical world with un-physical or meta-physical methods, you could conceivably measure something without disturbing it.... but that is completely impossible given today's thinking. (So far out there that even the gov. couldn't keep it a secret).

      So the deal is that you can never eavesdrop using this technique, because it's impossible for you to recreate the photons after you have incorrectly measured them, because you don't get a second shot.
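The sequence described in the comment above (random bits and tests, public comparison of which tests matched, then an open comparison of part of the string) can be simulated classically. This is an added example, not code from the poster or from the NIST system; it assumes an ideal noiseless channel, one photon per bit, and a public channel the eavesdropper can read but not alter, and all names in it are made up for the illustration.

```python
import random

BASES = "+x"  # the two "tests": "+" rectilinear, "x" diagonal


def measure(bit, photon_basis, test_basis, rng):
    """The right test returns the encoded bit; the wrong test gives a coin flip."""
    return bit if photon_basis == test_basis else rng.randint(0, 1)


def run_bb84(n_photons, eavesdrop, seed=1, sample_fraction=0.5):
    """Simulate one key exchange and the open comparison of a sample."""
    rng = random.Random(seed)  # seeded only so this constructed run is repeatable
    alice_bits = [rng.randint(0, 1) for _ in range(n_photons)]
    alice_bases = [rng.choice(BASES) for _ in range(n_photons)]
    bob_bases = [rng.choice(BASES) for _ in range(n_photons)]
    bob_bits = []
    for bit, basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            # Intercept-resend: the eavesdropper must choose a test blind, and
            # the photon forwarded to the receiver carries that basis instead.
            e_basis = rng.choice(BASES)
            bit, basis = measure(bit, basis, e_basis, rng), e_basis
        bob_bits.append(measure(bit, basis, b_basis, rng))

    # Sifting: keep only positions where sender and receiver used the same test.
    kept = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]
    # Compare a random part of the sifted string in the open, then discard it.
    sample = set(rng.sample(kept, int(len(kept) * sample_fraction)))
    errors = sum(alice_bits[i] != bob_bits[i] for i in sample)
    rest = [i for i in kept if i not in sample]
    return {
        "sifted": len(kept),
        "error_rate": errors / len(sample),
        "accepted": errors == 0,  # ideal channel: any mismatch means start again
        "alice_key": [alice_bits[i] for i in rest],
        "bob_key": [bob_bits[i] for i in rest],
    }


def detection_probability(compared_bits):
    """Chance that at least one of the compared bits exposes intercept-resend."""
    return 1 - 0.75 ** compared_bits


if __name__ == "__main__":
    for eve in (False, True):
        r = run_bb84(20000, eavesdrop=eve)
        print(f"eavesdropper={eve}: sifted={r['sifted']} "
              f"sample error rate={r['error_rate']:.3f} accepted={r['accepted']}")
    print("detection chance with 50 compared bits:", detection_probability(50))
```

The sample error rate lands near the 25% figure given in the comment whenever every photon is intercepted, and at zero otherwise. A real link has its own noise, so deployed systems accept a small nonzero error rate rather than requiring a perfect match.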

    6. Re:Everything Can Be Hacked by Karhgath · · Score: 1

      I know that. But my proposed method of defeating it does. Their detector wouldn't know the photon my system emitted was entangled with one that I controlled.

      This is a clever idea, but it doesn't help breaking the key. See below.

      I'm not re-emitting anything. I'm determining the quantum state of their photon. Their detector does that, so mine can too. I'm changing the quantum state of my own photon. Their transmitter does that, so mine can too.

      Like I said, clever idea, but it won't help. As soon as either you or the receiver 'reads' the qubit, the qubit of the other has its value set. But this doesn't change anything, because the key distribution DOES NOT send the key, just random bits from the sender, and both sides 'mark' equal bits. So, if you entangle a photon with one of your own, the 2 entangled photons have 'random' values. Sure, both will be read as opposite 'values' as soon as one of them is read, but you cannot do the following:

      For example you receive |0>. You cannot be able to entangle it AND keep the |0> photon and get an entangled |1> on your side. The entangled photon will become something like a|00> + a|11> maybe. HOWEVER, QKD doesn't use qubits in the strict sense. For example, we could say 0 is a vertical spin "|" and 1 is a diagonal spin "/". We're not really working on qubits. Entanglement would change those spins. |00> != |0>

      So when Bob will receive the entangled photon, it will NOT be the original photon, so in the end, he will interpret it wrong, and either reject the photon because it's not equal to his own, or think it's equal to his own, in which case he's either wrong or right. So when they will verify a sample of the key, they will detect the error if there is one, with pretty high accuracy, OR, they will think it's ok and their communication will fail. You cannot entangle all the photons going thru and get a good reading at the end, the communication will most certainly fail, because entanglement doesn't recreate the original value in either of the entangled photons. So, in the end, you can only prevent 2 people from communicating, you cannot intercept the key. I'm not going to post a complete proof.

      One thing people forget is that QKD is a mix of QC and Classical Computing. This is the strength. It prevents QC attacks and Classical Attacks.

      The only difference is, I'm changing the state of a photon that causes a quantum state change in an entangled photon, but I don't see a problem with that. In fact, while I'm not a quantum physicist, what I propose seems only slightly more difficult than what they're already doing. Breaking encryption is almost always more difficult than encrypting and decrypting. That's the only purpose of encryption - to make it more difficult, not completely impossible as the researchers seem to be claiming.

      The problem is that, EVEN in classical science, the one-time pad method with a key as long as the message IS totally secure. It's proven. However, logistically, it's nearly impossible to use, and someone could 'steal' the one-time pad and get all the keys, so that's why we use algorithms and such to have 'good' encryption.

      QKD is NOT a new encryption algorithm. It's the one-time pad method, WITHOUT the logistical problems (although it's kinda slow right now) and WITHOUT having to worry about the key being intercepted. QKD CANNOT be intercepted, with complete mathematical proof that was double checked often. We proved it as strongly as we proved other theorems and such in mathematics. Whether you agree or trust mathematics is another thing.

      Third, it doesn't work 'based on a short window of time'.

      Yes, it does. The linked article specifically mentioned this. Actually, I think it might have been a link from the linked article. The critical time window was the method they use to determine which arriving photon was the key photon, as opposed to a photon emitted by the sun.


      Oh yeah, for reading purpose, yes, photons are

    7. Re:Everything Can Be Hacked by Long-EZ · · Score: 1

      I really don't believe that I thought of a technical solution that *real* quantum physicists didn't. I know the people working on this are WAY smarter than me, and based on their confidence, I know they must be very proud of what is being called quantum computing. As others have pointed out, it's actually quantum key hiding. That isn't a criticism. As you stated, if you're willing to use a key as long as the message, there is a very nice mathematical neatness to the theoretical security. Of course, in practice, people do not want keys as long as the message, and using a key even half the length of the message results in a brute force decryption for real world messages containing native language text. In other words, try to imagine a paragraph that can be decrypted into English, with all the words spelled correctly, proper sentence structure, and a meaningful message. What are the odds that any other key in the set of all possible keys will do that? The neat theoretical security very quickly dissolves for key lengths less than or equal to half the message length.

      As for your attempt to educate me on the technical side of WHY the theorists are so certain of the security on the mechanical side of quantum key protection, I'm sorry to say I completely failed to follow it. It sounded like a lot of technical hand waving, followed by "therefore it's 100% secure. QED." As I said, I'm obviously not a quantum physicist. As such, I'm willing to take it on faith that there is a good mathematical proof. My only option is to spend a day researching it, which I'm not willing to do. And I seem to remember reading about quantum encryption 2-3 years ago in an article (Scientific American?) that presented it in a manner that I could grasp without a strong quantum mechanics background. I vaguely recall being convinced of the soundness of the theory by the previous article.

      However, as much as I like math, I'm an engineer and not a mathematician. If a mathematician is told that he can move halfway toward a pile of money across the room every second, he'll never play the game because he knows he can never reach the money. The less-theoretical engineer will quickly realize that within five seconds, he'll be close enough that he can reach the cash.

      Nope, it's NEVER going to be unhackable. Hacking implies also using social engineering, physical intrusion, etc. The method here doesn't prevent this, so 'hacking' is still possible. Also, never say never =) You cannot say it's never going to be hackable...
      If you're willing to admit to these two aspects of hackability, I'm willing to retire my argument, more on philosophical grounds than mathematical merits.

      People have been trying to hide messages almost as long as we've grunted guttural vowels at each other. We're still trying. The best attempts have resulted in methods that delay decryption long enough to be useful in the real world. That's ultimately all that's needed. And for that, 512-bit RSA over SSL TCP/IP will suffice for a long time to come, and without the expense and complexity of quantum receivers and transmitters. Sure, you can't send the key immediately prior to the message, but it does use a public key, which is pretty damn clever and useful.

      Please don't think I'm against quantum cryptography research. I'm not. It appeals to the math/science guy within, to the extent I've stopped to understand it. Heck, any field of study that starts with "quantum" gets bonus points for style. But quantum mechanics is still new enough and sufficiently nonintuitive that I believe we can't be too sure of our proofs. Sort of like a proof based on Newtonian physics before any understanding of relativity. As an engineer, I say that's all the more reason to build devices and test them. The real world is an important laboratory, and building quantum encryption devices will teach us new things. Advancing the state of the art is almost always a good thing. Even in the unlikely event that it's a total waste of time, it'd be a lot better than the many examples of spending a lot of money and inadvertently making the world a less happy place. Unless there's a chance of a quantum photon detector or transmitter collapsing nearby stars, I say go for it.

      --
      >> My ultraviolent Linux switch video.
  40. next hurdle ... by Anonymous Coward · · Score: 0

    okay so it's safe as long as no one invents
    a time machine :P or figures out how to locally
    make time slower/faster (fusion) ...

    oh and there was something about the weak force and
    the electromagnetic force being of the same source.
    maybe a W or a Z can help listening in on QC chat?

  41. MOD PARENT UP! by Karhgath · · Score: 1

    Mod parent up, that's exactly what I was going to write. Good job corvi.

    The long story short is that, quantum encryption is used to create a key. It is proven, due to the quantum properties and the algo that corvi posted above, that the key CANNOT be intercepted. At worst, it will fail, until you're able to succeed in creating a key.

    So, a spy can ONLY prevent you from exchanging a key with someone, he can never intercept the actual key. So he's not really as much a spy as a roadblock.

  42. Re:MOD PARENT UP! by corvi42 · · Score: 1

    what can I say - great minds roll in the same gutter =)

    --

    There are a thousand forms of subversion, but few can equal the convenience and immediacy of a cream pie -Noel Godin
  43. inconceivable by pluvia · · Score: 1

    It's kind of a recursive problem, and yet, somehow it always works out.

    Wow, I just looked it up -- you spelled "Vizzini" correctly. :)

    Dread Pirate Roberts: You guessed wrong.

    Vizzini: You only THINK I guessed wrong! - that's what's so funny! I switched glasses when your back was turned! Ha-ha! You fool! You fell victim to one of the classic blunders, the most famous of which is "Never get involved in a land war in Asia", but only slightly less well known is this: "Never go in against a Sicilian, when *death* is on the line.". Hahahahahah.
    [Vizzini falls over, dead]

  44. Re: Actually reading the articles by some+guy+I+know · · Score: 1
    Did you RTFA?
    Of course not.
    This is Slashdot.
    --
    Those who sacrifice security to condemn liberty deserve to repeat history or something. - Benjamin Santayana
  45. Popular Misconception by Anonymous Coward · · Score: 0

    Quantum Cryptography is not invulnerable to a complete Man in the Middle attack. By "complete" you should consider the case where a repeater is installed on all communication channels.

    In this case, a known verification step (unless it possesses surprising "details" you have withheld) is subvertible and the entire communication is compromised.

    The only new technology in question is the optical channel, so it should be assumed that the remaining channels are as weak as they have been. Think of it as the fundamental chicken and egg/mal genie problem of authenticity. Public key exchange is vulnerable to it as well, but enjoys the substantial benefit of *publicity* of keys. One may announce his key in the newspaper or the radio. This distributes the channel pretty wide and happily increases the cost of attack.

    Would some "Quantum Computation" fad maniac like to respond?