New Quantum Cryptography Speed Record

Roland Piquepaille writes "Physicists from the National Institute of Standards and Technology (NIST) have established a world's speed record for 'unbreakable' encryption with their cryptographic system based on the transmission of single photons. With this kind of method, messages cannot be intercepted without detection, meaning transmission is always safe. The NIST 'quantum key distribution' (QKD) system was used between two buildings located 730 meters apart for transmitting a stream of photons at a rate of 1 million bits per second. While it might not look very fast, its 100 times faster than with previous quantum distribution systems. This overview contains more details and references about information theory."

Always?

[mrgrey]

meaning transmission is always safe

Always is a powerful word. Nothing is totally secure.

Re:Always?

Indeed, but if it were possible to eavesdrop without detection, implications for physics would be just as great as for cryptology.

Ya cannae change the laws of physics
- Scotty, Chief Engineer

Re:Always?

Blah, blah, blah. Haven't we gotten tired of these trolls? In the context of the transmission itself, it is, actually, totally secure. It's obvious to anyone without an icepick in their frontal lobe that there are other potential weaknesses. However, in this important respect, QC is provably secure in a way that classical crypto cannot be.

Feel free to look into the past 2-3 weeks of /. for a more eloquent response (and reresponse and rereresponse and...).

Re:Always?

The use of 'always' in this context is similar to "An apple always falls downwards when you let it go."

Re:Always?

[MS_is_the_best]

QC relies on the ability to emit photons, and to known probability distribution of those photon emissions. The problem is, there is no hardware out there than can emit one and only one photon 100% of the time. I wouldn't be suprised if it turns out to be totally impossible to build hardware that does. (Like building hardware to perfectly measure a particle's position and speed is impossible.)

This is total nonsense. Are you a cryptographer afraid to loose your job, with no physical background? Then please read the article before you respond.

I agree that the text and title posted to Slashdot is kind of misleading. All this QC does is making a channel on which eavesdropping impossible, without detection. Point. And it is.

This has actually nothing to do with crypto (you can breathe again, your salary is safe), it can be used as a nice method for key exchange in a crypto -solution. The solution in total can be hacked (do something nasty on the sending or receiving end, but the transmission cannot be listened to undetected.

A little star trek humor

[Nuclear+Elephant]

[Kirk] Fire photon torpedoes
[Scotty] I can't sir, the bloody computer's still encrypting a message to my girlfriend - I got no power!
[Romulans] b4w h4w h4w w3 0wnz j00!
[Kirk] W3 b3 0wn3d!

in KB/s

[moberry]

1,000,000 / 8 = 125,000
125,000 /1024 = 122.1

Not to bad for not using wireless undetectable (so far) encryption.

Man in the Middle?

[Allen+Zadr]

While Quantum physics certainly allows for scientific detection of observation (which would help you detect if someone is merely viewing your stream)

However, with all technology, this could be a common pocket-sized device some-day. So, would this not also fall under the problem of Man-in-the middle attacks? Read the quantum stream (eliminating the existance of said stream), and recreate the stream to the other point. This would create a delay, but without other forms of detection, it would not necessarily be as safe as wires... (as wires, at least, can be physically secuired. Hard to secure open air).

Re:Man in the Middle?

[Cyclopedian]

I think your premise fails because you are using an established methods that worked for certain electrical and computer principles. Quantum Cryptography (QC) is something entirely different than what's been done in the past. Current methods cannot merely just be used on QC just because it worked in the past for other levels of physics.

-Cyc

Re:Man in the Middle?

[Kainaw]

So, would this not also fall under the problem of Man-in-the middle attacks?

The way to avoid the man-in-the-middle has to do with the filters for the photons. It is confusing in the code, but easier to understand from a completely fabricated example.

First, you need to understand that photons are becoming 1 and 0 based on spin. That spin is aligned so that 1 is 90 degrees off of 0. The filters have to be aligned as well (sure makes portable devices hard, but I'm sure we'll figure that out later). Assume we cycle through 8 filters. The first four look like + so that vertical is a 1 and horizontal is a 0. The next four look like x so that diagonal one way is a 1 and the other is a 0. If you shoot a photon aligned to + through a x filter, it will become either a 1 or 0, but not necessarily the correct value.

What does that mean? It means that you and I can decide to use the following filter sequence: x++xx+x++. Now, a man in the middle must use the same sequence or he will scramble the message. If he scrambles the message, he cannot retransmit it. Also, he cannot decode it because he doesn't know which bits are correct and which ones are incorrect.

Now, what if the man in the middle knows your filter sequence? Now you hit the key-sharing problem that cryptology has had since the start. There's no point in assuming that's a new problem.

**YAWN**

[l0ungeb0y]

Wake me up when they get it going faster than the speed of light. Now, that would be a speed record worthy of a slashdotting.

Wouldn't this make DOS easier though?

[foidulus]

This is the thing I don't understand about quantum cryptography(maybe someone can explain it to me). If someone were to try to listen in, would you still be able to read the information being sent? If not, wouldn't this make DOS attacks relatively easy? The information isn't any good if you cannot transport it.

Re:Wouldn't this make DOS easier though?

[Tmack]

The deal with quantum transmission is you are sending the data as single photons (smallest divisible unit of light, like a molecule of a compound, or a single cell of a living thing). Meaning, if you read it, you absorb the message (recievers transform the optical signal, ie: photons of light, into electrical ones), or at least change it in some way. The only way to possibly intercept the transmission is to completely intercept it, keeping any form of it from reaching the true reciepient, knowing the protocol enough to keep the sender thinking it is sending to the original target (sending encrypted keys or something), or acting as a repeater while recording the values as they pass through. Since they are being broadcast, you would have to put your device directly in line-of-site between sender and target, something probably notacable. Keeping the sender and reciever unaware of a repeater would be difficult, as adding such a device would add a time delay to the transmission, something the encryption might be dependant on. As for transmission, you would have to have a repeater device along a long or complex span, something knowing the encryption method and is known to both sides of the span. It is easier to secure single points of transmission than entire cable or enven fiber cables, since you dont have to worry about people splicing into it without knowing about it. The only worry would be a DOS, somehow blocking the path of the transmission, something easily remidied with a large enough cannon.

tm

Re:Wouldn't this make DOS easier though?

[corvi42]

The whole point of quantum crypto is that if someone did try to act as a repeater, then they would be detected. This is not because you would "see" them standing there intercepting your data ( although that would be a possibility ), but because the protocol used to transmit the information securely would reveal the fact that the data had been intercepted and then retrasmitted.

The basics are like this. Small particles ( like photons of light ) have a property called spin. You can set the spin of a particle when you transmit it by using the right kind of gear. You can test the spin of the particle in several different ways, but not all spins can be detected correctly by all tests. So if you have no idea what the spins are, you can't know which test to use. So if you use a random sequence of tests, you will sometimes have the right test, and sometimes not. So to transmit information, our protocol works like this ( taken from "The Code Book" by Simon Singh, p.346-7 ):

1) Alice sends Bob a series of photons, and Bob measures them.

2) Alice tells Bob on which occasions he measured them in the correct way. Although Alice is telling Bob when he made the correct measurement, she is not telling him what the correct result should have been, so this conversation can be tapped without any risk to security ).

3) Alice and Bob discard the measurements that Bob made incorrectly, and concentrate on those that he made correctly in order to create an identical pair of onetime pads.

4) Alice and Bob test the integrity of their onetime pads by testing a few of the digits.

5) If the verification procedure is satisfactory, they can use the onetime pad to encrypt a message; if the verification reveals errors, they know that the photons were being tapped by Eve, and they need to start all over again.

It is true that Eve could listen in on the line, intercepting photons sent by Alice and try to recreate the same stream of photons to Bob with the same spins. However, she can only use a test once, she can't copy a photon and test it using several different tests. So she will inevitably use the wrong test on a number of photons, and so not know what the true spin ought to be, and so can't reproduce them. She also can't know what series of tests Bob will use to test the photons he is receiving. So inevitably what would happen is this: Eve uses the wrong test on some photons, doesn't know what their spins ought to be, sends out some with different spins; Bob however uses the correct tests on some of those photons that Eve "made up", but gets different results from Alice ( because some of the spins are different from what Alice originall sent ), so when they compare results it becomes obvious that they don't have the same sequence of results. Furthermore, Eve can't know where the errors are going to come up and how she should fix them, so she couldn't intervene successfully in this verification step to make it seem correct when its not.

Long story short - you can't make a successful repeater ( down side to this is you can't use any network for transmitting the photons, as a network necessarily involves repeaters - aka routers/gateways - you must have a direct line from sender to receiver so the photons don't get altered ).

Encryption error!

[Phidoux]

Error -3647194 - An error occurred during the encryption of your file - Pigeon

Obligatory Futurama quote!

[Daath]

Farnsworth: "No fair! You changed the outcome by measuring it!"

heheh :)

Re:Nothing that haven't been done before

[__aagctu1952]

It's just like morse code, just waaaaaaaaaaaay faster!

Nah, it's like morse code, only if you look at what you receive the probability wave collapses and the cat dies. This means quantum cryptography uses up a heck of a lot of cats, and this is why there's a limit on its practical usability and speed in the real world...

*cough*

Unless you are talking one-time pads....

[Halo-]

The whole "unbreakable" thing is a little bit of a misnomer. Yes, you can detect if someone observes the transimission of the key, but that doesn't mean the encryption is unbreakable. In fact, it's not really encryption at all. It's simply a fancy type of secure, out-of-band key exchange. Once the key is exchanged, the parties will generally use it to key a symmetric algorithm like 3DES or AES. (At which point the encryption is only as strong as those algorithms...)

I realize I'm being painfully pendantic here, but when the self-proclaimed nerds start abusing a term, the general public is going to be hopelessly confused. (Think the whole hacker/cracker thing...)

Quantum key exchange is unbeleivably cool, but doesn't guanentee secure crypto. It just takes one of the weakest links in the chain, and makes it the strongest.

Hang on...

[m00nun1t]

I don't understand all this stuff about quantam cryptography. Let's get to the core of the issue:

Can it help me download pr0n faster or not?

Implications for the Government?

[caitsith01]

This area really interests me, because it seems to fundamentally change the playing field regarding the use of encryption for simple privacy. Up until now, it has been a pretty safe bet that anything the Government (or Governments) wants to read, it can. Eventually most (all?) standard encryption can be broken with brute force,* and if there's one thing that governments have and like to use it's brute force.

*(yeah, yeah, your favourite open source encryption is unbreakable, I know, but come on, the government isn't going to enter any 'break this encryption' contests to show what a kewl ha>or it is and thereby advertise the fact that communications using said encryption are not actually secure, is it?)

However, with unbreakable encryption they can no longer just spend money until they are able to break it - it's actually impossible, they can't even intercept it. So it changes the situation in a quite fundamental way. Whether it's someone violating copyright between quantum encrypted locations, just talking without being eavesdropped on (you know, exercising their rights), or Osama and his friends planning the next September 11, it will be impossible to work out the contents of a communication.

I feel that over the middle-term this will lead to some or all of the following government responses:
- stronger laws allowing seizure of computers (i.e. the start and end points of an encrypted communication)
- even stronger laws about exporting or possibly even publishing information about this type of encryption 'in the national interest'
- laws requiring the divulging of passwords to law enforcement/intelligence officers with harsh penalties for a refusal to cooperate (this is already the case in some places I believe)
- possibly a lower standard of proof required before police/spies can act to exercise the above powers, in light of the difficulties they will have getting any evidence at all about encrypted communications
- an increase in 'why are you using encryption, are you a terrorist/communist/thought criminal or something' type rhetoric

What do others think? Does this really change the privacy landscape over the next 10-20 years? Will governments react regressively in the ways I suggest? How should pro-privacy people respond and fight such changes?

Re:Implications for the Government?

[m.koch]

*(yeah, yeah, your favourite open source encryption is unbreakable, I know, but come on, the government isn't going to enter any 'break this encryption' contests to show what a kewl ha>or it is and thereby advertise the fact that communications using said encryption are not actually secure, is it?)

Pardon? The known encryption algorithms are insecure because the government doesn't say it can't break them? Reminds me of a little story where a man claps his hands to get rid of elephants in his house. The proof that it works? There are no elephants in his house.

Also it seems strange to imply that Schneier et al are just a bunch of idiots.

The reason the man-in-the-middle attack fails

[amalcon]

The reason the man-in-the-middle attack fails is that in order to recreate the stream accurately, you need more information than you can accurately read from the stream at once. IANAPhysicist, so you'll have to google it if you want to know the specifics, but basically to read the datastream one must make a bunch of guesses. Now, Bob has the luxury of being able to guess wrong without problems, but a man in the middle must guess correctly every time or risk corrupting the datastream.

QC and evesdropping

[some+guy+I+know]

eavesdrop without detection

Even if you can detect the evesdropping, by that time, it's too late; the evesdropper already has part of the message.
Granted, it's only a single bit, but it might be the most important bit of the message.

More seriously, depending on the protocol, the evesdropper may be able to intercept many bits before the intrusion is detected.
For example, if TCP/IP is implemented over the QC stream, the intruder may be able to get an entire packet before the receiver sends a "Stop; we're being evesdropped!" message back to the transmitter.
(Maybe more, with TCP/IP's sliding window.)
If the entire message fits in one packet ("Attack at dawn."), then the message has been compromised.
One way to avoid this would be to use a comm layer lower than TCP/IP that ACKs each bit, but this could be slow.
Another way would be to use the QC channel to exchange very large keys, then use them in another encryption layer if eavesdropping has not occured during key exchange.

Re:QC and evesdropping

[OblongPlatypus]

But if you sent "attack at dawn", then realized an enemy had been eavesdropping, wouldn't you just attack at dusk instead?

Then again, the enemy would know that you knew he was eavesdropping, so he might anticipate that...

Somehow, this reminds me of Vizzini.

Re:QC and evesdropping

Your last paragraph is the way that QC is actually used (or so I have read in some random QC article):

(1) Sender generates long random key
(2) Sender transmits key
(3) Receiver receives key
(4) Received acks that the key has been received securely
(4A) Design of a secure "ack" channel is an interesting question, don't know the answer for that off the top of my head!
(5) Sender computes (message XOR key)
(6) Sender transmits (message XOR key)
(7) Receiver receives (message XOR key)
(8) Receives computes ((message XOR key) XOR key) == message

Re:QC and evesdropping

[gpinzone]

Even if you can detect the evesdropping, by that time, it's too late; the evesdropper already has part of the message. Granted, it's only a single bit, but it might be the most important bit of the message.

No, no, no, no. All you're sending is the key. If the key is compromised, all you have to do is throw that key away and send another key. No actual data from the message is sent. Once the key is received, and you know it hasn't been comprimised, you can send the encrypted data through any unsecure channel you like at any speed. You could cache the keys in advance so the transmission can be unaffected by a DOS attack on the quantum transmission.

Re:QC and evesdropping

[Karhgath]

The actual way it works is the following. (simplified to bits instead of qubits for the sake of simplicity, and I probably forgot some details here and there)

1) Alice generates a random number of bits.

2) Bob generates a random number of bits.

3) Alice sends bits sequence to Bob, and Bob reads them, noting the place where both are equal.

4) Bob tells Alice every place the bits are equal, over a CLASSICAL channel.

NOTE:
This is the part that needs understanding. The proof that you cannot evesdrop is as follow:

4a)If the bit that Alice sent is the same as Bob, but was intercepted at 3), Bob will see it as different, so the bit will be discarded.
4b)If the bit that Alice sent isn't the same as Bob, but was intercepted at 3), Bob will register it as the same and will try to use it. See 5).

5) Alice and Bob test a couple of bits to check the integrity, over a CLASSICAL channel. This is the critical part, you need a big enough sample to prove that it is equal, but not too big so that the attacker knows too much about the key. The sample needed isn't actually that big. If you have one bit wrong, it was eavesdropped or corrupted along the way. If you do not detect any wrong bit, it means that the attacker doesn't have much information about the key, if at all. If 4b) happened, this part will detect those 'bad bits' with accuracy.

6) Alice encrypt the message with the key and sends it to Bob as if it wasa one-time pad.

If you want more info about quantum computing, see a introduction by one of the forefathers of quantum computing, Gilles Brassard, who I had the joy to have a class with.

http://www.iro.umontreal.ca/~brassard/SSGRR.html

What about keyloggers and stuff?

[joda]

Even thought that in theory, the encrypted messages (or whatever is sent) can't be read, you still have the problems before and after encryption.
Especially these days with worms and trojans affecting even the most _secure_ environments (*bad memories about some american nuclear power plant*). You can expect someone somewhere to get some spyware or keylogging-thingie onto a sender or reviever's system. (or sometimes even enough with just getting it onto the network on each end in question.)
I recall visiting a webshop somewhere who sold a small (read less than half an inch) plug, which you put in between the keyboard and the comp, which could log several megs of typed in text. Later it's just to harvest ...

Maybe I'm just paranoid, but if you can't trust your coworkers 130% in these cases, you're still toast unless you put the machine (and yourself) in a vault and throw away the key. /joda

the weakest link in the chain

[WormholeFiend]

is human.

while it's true that cryptography like this improves security, those encrypted messages are still transmitted between people, and people are not corruption-proof.

Original article

[Vadim+Makarov]

Here is the original article (PDF, should be downloadable) in Optics Express.

Aaahhh! and it runs Linux. Mod me up.

("We are currently using a Linux operating system with custom drivers for the boards.")

Re:Always? The Copenhagen interpretation...

[turnstyle]

"Indeed, but if it were possible to eavesdrop without detection, implications for physics would be just as great as for cryptology."

Perhaps when somebody eavesdrops, a cat is killed?

Or does the universe split in two, one in which the eavesdrop has occured, and one in which it has not?