BBN Announces Functional Quantum Encrypted Network

anzha writes "BBN Technologies has announced that under DARPA's Quantum Network Project to have built in conjunction with Harvard University the world's first functional quantum encrypted network. This is probably funded under DARPA's Quantum Information Science and Technology Program."

Patents.. UCK

[Ckwop]

Patent-pending BBN protocols pave the way for robust quantum networks on a larger scale by ...

AND

We were ahead of the technology curve with the ARPANET and the first router, and our quantum network exemplifies the same kind of forward thinking and innovation that has made BBN a technology leader for over 50 years

All this would be just fine if it wasn't for the horrible P word. They've automatically, like all people who patent cryptography, made their entire idea completly unprofitable and made sure that no-one ever implements it. The thing is.. there's no market pressure to adopt this stuff.. we already have secure communication. Sure.. it's improved but so was eliptic curve cryptography but no-one uses that because of patents.

What a waste of time!

Simon.

Re:Patents.. UCK

Doesn't "DARPA sponsorship" mean that they contributed $ to the project, $ which are derived from taxpayers?

Re:Patents.. UCK

[pedantic+bore]

They've automatically, like all people who patent cryptography, made their entire idea completly unprofitable and made sure that no-one ever implements it.

Yes, just like RSA, and Diffie-Hellman key exchange, SHA-1... C'mon. You use patented stuff all the time.

there's no market pressure to adopt this stuff.. we already have secure communication.

Oh, where to begin... we don't have secure communications, what we have are communications that nobody knows how to break yet. Quantum cryptography is a different ballgame. It can't be broken without changing the laws of physics.

Re:Patents.. UCK

[mi]

what we have are communications that nobody knows how to break yet. Quantum cryptography is a different ballgame. It can't be broken without changing the laws of physics.

Aren't at least some of the widely used security algorithms proven to be likewise unbreakable without changing the laws of, mmmm, mathematics?

Re:Patents.. UCK

[Fnord]

Not all the laws, just P != NP.

Re:Patents.. UCK

[DrLZRDMN]

All this would be just fine if it wasn't for the horrible P word.
You mean pending? I jest but it is good that it does say pending because that means there is a chance it will be throughn out.

Re:Patents.. UCK

[pedantic+bore]

Aren't at least some of the widely used security algorithms proven to be likewise unbreakable without changing the laws of, mmmm, mathematics?

None, except for one-time pads (which have other problems). For example, many schemes depend on the fact that it's impractical to factor large numbers. The truth is that nobody knows how to factor large numbers today, but it's also true that nobody knows how hard this problem really is. Perhaps someone clever will figure out how to do it tomorrow... and in the meanwhile, someone already has figured out how to factor large numbers using quantum computing. Nobody has built a quantum computer large enough to run the algorithm, but once they do, you can kiss all these schemes goodbye.

Re:Patents.. UCK

But RSA didn't take off until the patents expired a couple of years ago!

Re:Patents.. UCK

[Ckwop]

Yes, just like RSA, and Diffie-Hellman key exchange, SHA-1...

None of those are in patent. RSA was patented but that patent expired a few years back. SHA-1 was never patented nor was Diffie-Helman.

we don't have secure communications, what we have are communications that nobody knows how to break yet

Well, not exactly we have the One time pad but that aside: What makes physics different to mathematics? You can't prove a physical theory is true like you can a theorem. There is a small chance quantum mechanics is wrong and there is an alternate theory that describes the photons in a deterministic way.

Yes, it's a small chance.. but don't forget that there's also a small chance that you can find a quick algorithm to solve AES. Changing the laws of physics tends to happen once a century - Theorems on the other hand last forever.

Simon.

Re:Patents.. UCK

[Afty0r]

what we have are communications that nobody knows how to break yet. Quantum cryptography is a different ballgame. It can't be broken without changing the laws of physics.

What you should have said is that It can't be broken without changing the laws of physics as we know them (yet) . The "Laws" of physics change all the time, as we make new discoveries and adopt new theories.

Re:Patents.. UCK

[sysopd]

The "Laws" of physics change all the time, as we make new discoveries and adopt new theories.

Well the Laws don't change at all, we just get closer and closer to fully understanding them as time goes on. As in, there is a truth that we observe as X. The truth is elusive, and the best way we can describe it currently is X. We call this the 'Laws of Physics' which are the simplest explanation for what is happening, and generally correct to a certain fidelity. This fidelity increases as our understanding of the actual Law increases.

So really, what you should have said was "Our understanding of the Laws of physics change all the time as we make new discoveries and adopt new theories".

Re:Patents.. UCK

Wrong.
Yes you can, give me a prime number, let's call it P.
It's factors are P and 1.
Done, factored.

What you meant is that a prime number cannot be factored into smaller prime numbers, which is true.

What the parent meant to say that it is believed to be computationally difficult to factor the product of large prime numbers without knowing additional information.

If you are going to get anal retentive about a post, at least do it right.

Re:Patents.. UCK

[Tim+C]

"Insightful", hmmm...

The Laws don't change at all. You may or may not have noticed that there have been no new Laws of Physics in at least a hundred years, if not longer. Physics the science has long since recognised that there are few if any absolutes, and so stopped calling things "laws" a long time ago. Even Relativity (very actively investigated, yet to be disproved) is "only" a theory.

Re:Patents.. UCK

[leerpm]

The parent post you replied to, never mentioned factoring prime numbers, he said large numbers.

That is the whole issue with quantum computing, once it becomes easy to factor large numbers, it is much easier to figure out which numbers cannot be factored and are therefore primes. Thus much of today's encryption techniques will not stand up against a quantum computing device.

Re:Patents.. UCK

[cft_128]

Are you an idiot just like Bill Gates?? You *cant* factor a prime number no matter how large it is. The definition of a prime number is that, you cant factor it.

Uhhh, he didn't say anything about prime numbers, just factoring large numbers which is close enough to the truth for the current discussion on conventional encryption. People in glass houses should not throw stones.

Re:Patents.. UCK

[chill]

Details, details, details.

Quantum cryptography, at least in this application, only uses the quantum network to exchange KEYS to conventional symmetric crypto.

The same crypto algorithms are used, this is just a "secure" method of key exchange. PKI was invented because of the problem of exchanging keys securely -- this is just a fancy way of doing the same thing.

Re:Patents.. UCK

[pedantic+bore]

Diffie-Hellman -- US patent 4200770
The SHA-1 algorithm is not patented, but many uses of the algorithm are.
Do your reading.

Re:Patents.. UCK

Here ya go:

N=1

Re:Patents.. UCK

The parent mentioned factoring large numbers, not prime numbers. Perhaps you have made the mistake of believing that all large numbers are prime, but I assure that this is not true. There are many numbers that are large but not prime.

And there's also something called an apostrophe that you might want to use here and there.

Re:Patents.. UCK

[xyzzy]

The point of quantum cryptography is not to make the crypto unbreakable, but to make attempts to eavesdrop on it detectable.

The network consists of fibre optic cables over which SINGLE PHOTONS are transmitted back and forth between "Alice" and "Bob". If anyone is trying to spy on you -- poof, your bits disappear, and you notice.

The actual crypto that's used on the network is fairly normal. The quantum part protects the key exchange.

Re:Patents.. UCK

[king-manic]

It can't be broken without changing the laws of physics.

You mean it can't be broken with in a reasonable amount of time.

Re:Patents.. UCK

[pedantic+bore]

No, I mean unbreakable in the sense that you can't even make a copy of the encrypted message. You can't see the encrypted bits unless you already have the decryption key. Therefore you can't take the encrypted message and use it as input to any super-powerful decoder and then just wait for a long time. You can't even do trial and error.

Re:Patents.. UCK

Not all the laws, just P != NP

You should add, "in specific cases, for specific mathematical operations, as far as we know or anyone will admit, and as long as the users of said encryption adhere to correct operating procedures, use strong keys which are not generated according to a guessable or calculable pattern, and the security of the cryptosystem itself is not compromised."

The mathematics of Enigma looked very ugly until the Allies got a model, found some weaknesses, developed some powerful approaches to the problem, exploited operator error, and used a lot of brute force. Then it was just possible to get enough to be useful. On the other hand, the generally similar US machine, which the Germans never cracked, was used with some modifications into the '60s.

Re:Patents.. UCK

[Frizzle+Fry]

Would you care to explain then how you would go about breaking this, given an "unreasonable" amount of time?

Re:Patents.. UCK

[Ayaress]

Not impossible, just impractical. It's only a matter of how much processing power and time you can throw at any of them before it breaks. They may take months or years or decades to break with today's systems, but ten, fifteen, twenty years from now, they may take days or weeks or months, which isn't nearly as good. Of course, by that time, we'll have better encryption that will still take years to break, but instead of fighting a constant arms race to make sure our current encryption is strong enough that it's impractical to crack (but not impossible), why not just short circuit the whole mess and make them impossible to crack.

Re:Patents.. UCK

[s88]

P != NP is not a law; it is only suspected to be true and remains an open problem, not yet proven.

Re:Patents.. UCK

[SEWilco]

You can always do trial and error.

Is your password "banana"?
JiffPortxy32?
oi7ytb87t?

Was your last email "Sell the stock at $43 and buy eggs"?

Re:Patents.. UCK

Not to be a pedantic bore, but...

Blah, I'm not even going to bother.

Whoever modded this guy this so far up obviously knows very little about crypto...

Okay...never mind, I'll bite.

OTP's are insanely (and some will say the only provably) secure crypto, if you make sure your pad generation is truly random. They're just inconvenient and impractical in some (or most) situations and everyday use.

For example, many schemes depend on the fact that it's impractical to factor large numbers

Have you ever studied prime numbers and factoring? Do so, you'll learn a lot. While it may be possible, theoretically, to come up with a magic prime number algorithm - if that happens, it's a breakthrough in math systems akin to the development of Calculus and algebra. :P

The truth is that nobody knows how to factor large numbers today, but it's also true that nobody knows how hard this problem really is.

That's a funny statement, in more ways than one. I know how to factor large primes. I know how hard it is to factor large primes. It's not that difficult, it's just computationally expensive to "brute force" them - even with various sieving technologies. See the magic alg statement a few lines up...

someone already has figured out how to factor large numbers using quantum computing. Nobody has built a quantum computer large enough to run the algorithm, but once they do, you can kiss all these schemes goodbye.

Heh, contradicting yourself as well... Nobody has built one that big because they quite simple don't know how yet. It's been a bit since I've looked up the latest white papers, but even if they do, and it's simply a matter of building a bigger machine - it will still pretty much only be limited to government level financial entities.

Commercial crypto is quite safe, and for the foreseeable future - if you don't have anything to hide from $INSERT_THREE_LETTER_AGENCY_HERE. But then they've had the resources to break anything MS has put out for years.

Okay, end rant. And I thought you were the pedantic bore? Anyway, please learn something about crypto before spouting off in a public forum about it though - there's so much FUD and misunderstanding around concerning it anyway.

Re:Patents.. UCK

[DrFalkyn]

Factoring large primes (which RSA is based off of) has not been proven to be NP complete.

Re:Patents.. UCK

[Slinky+Saves+the+Wor]

RSA, DH and SHA-1 are not patented (anymore).

For RSA the US patent has expired (Sep 2000). The expiration of the patent was one of the drivers which made RSA appear in more products than ever.

For DH the US patent has expired (Apr 1997).

SHA-1 is not patent-encumbered.

Of course, those were US patents. If anything is not patented in your country, a US patent doesn't really touch you.

Re:Patents.. UCK

[Antique+Geekmeister]

The RSA patent held up the general use of safely encrypted communications for many years, in conjunction with US laws classifying encryption as materials of war and preventing its export. Take a look at the legal history of PGP and Phil Zimmerman for more explanation of the issues.

Because RSA held the patent so closely and refused to even *discuss* single use licenses, PGP and SSH basically lost 15 years of development time and modern network communications suffered profoundly for it, and both criminals and law enforcement agencies find it trivial to eavesdrop at their whim on various network communications.

I see why they want the patents, they want to license and sell the equipment and technology. I hope they'll handle any such patents far better than RSA did: RSA's approach actually cost them a hell of a lot of business, but probably helped keep the US federal government from interfering with their business even more.

Re:Patents.. UCK

[Hansu]

>OTP's are insanely (and some will say the only
>provably) secure crypto, if you make sure your
>pad generation is truly random. They're just
>inconvenient and impractical in some (or most)
>situations and everyday use.

Hm.. one everyday use for one time pads is network banking, and it works for me. Admittedly it has it's flaws and problems (mostly in the logistics department ), but it is quite useful and works for me and thousands of other customers.

Re:Patents.. UCK

[Minna+Kirai]

You can always do trial and error.

No you can't. You will get plausible-looking false positives with equal frequency to the actual secret message. (And a password which you can attempt to guess has NOTHING to do with crypto)

Re:Patents.. UCK

Oh, Christ. I hope that was meant to be a joke. If so, it wasn't very funny. If not, then I suggest that you read up on P != NP.

Re:Patents.. UCK

OTP's are insanely (and some will say the only provably) secure crypto, if you make sure your pad generation is truly random. They're just inconvenient and impractical in some (or most) situations and everyday use.

That inconvenience is probably what the GP was referring to when he/she wrote: "(which have other problems)". In fact, there have been cases where "one-time" pads have been reused (breaking the one-time rule) because of this "inconvenience", because an encrypted message needed to be sent, but the sender ran out of pad. This allowed the encryption to be broken. I would call this a problem.

I know how to factor large primes.

So do I. The factors of a large prime are itself and 1. The GP was referring to large numbers in general, not large primes.

Anyway, please learn something about crypto before spouting off in a public forum about it.

Re:Patents.. UCK

Factoring large primes (which RSA is based off of) has not been proven to be NP complete.

Too right, matey!

Re:Patents.. UCK

Admittedly it has it's flaws

"its".
No apostrophe.

Re:Patents.. UCK

You *cant* factor [...] you cant factor it

"can't".

Re:Patents.. UCK

[firephreek]

I'm gonna go out on a limb here but: how is this of any practical use? Unless Alice and Bob have an absolute direct connection, then the signal has to travel through nodes, and each of those nodes will act as a relay. For each node to succesfully pass on the correct key, then it has to observer the packet, which in this case, should change the photon (observation = interaction) right? So then what? it passes on a packet that is similar but not the same, ruining the key? or does it pass on a 'copy' of the same photon? And if it does that, then whats there to say that a man in the middle attack wouldn't be successful in intercepting the data. If anything, this whole schema seems less practical and more susceptible to multiple type of vulnerablity because now (hesienberg?) you fundamentally can't now if what you see is what they sent. But I confess that IANAS. Somebody enlighten me please.

Re:Patents.. UCK

[joshmccormack]

If only everyone was willing to admit that not everything assumed scientifically true, particulary by non-scientists, is absolutely, certainly true, there would be a lot more investigation and a lot less supression of people's right to dissent.

Re:Patents.. UCK

> Oh, Christ.

who told you? was it st. peter? that fucker - i'll have my dad fix him good.

Re:Patents.. UCK

tsk, tsk... you geeks are so smart, but you don't have enough common sense to spot a troll.

Re:Patents.. UCK

[Doctor+O]

No, you got it all wrong. Enigma was broken because this crypo guy fucked this spy chick. Haven't you seen that documentary?

Re:Patents.. UCK

[pedantic+bore]

I am mildly distressed that so many people who have read my posting saw "large numbers" and somehow interpreted that as "prime numbers". I guess I should just let that go.

Have you ever studied prime numbers and factoring? Do so, you'll learn a lot.

You're not a very good troll.

While it may be possible, theoretically, to come up with a magic prime number algorithm - if that happens, it's a breakthrough in math systems akin to the development of Calculus and algebra. :P

These are both developments that have happened. Thus your argument is that it is only a matter of time before your "magic prime number algorithm" (whatever you mean by that) is discovered. I merely stated that it was possible, but you seem to think that it is inevitable.

Re:Patents.. UCK

[SEWilco]

Ah, but if I think that your last message was "Send 43 tons of coal to Newcastle." then I can act based on that information. As you said, there may be false positives, but I can attempt to guess your last message. Maybe my buying the Newcastle port and raising unloading fees will not affect you, but maybe it will. But trial and error is always available, whether it is likely to be successful or not.

Lots of DARPA projects doing network stuff...

[tcopeland]

...one of the DARPA IXO programs, Cougaar, has developed a fair number of message transport techniques over the last few years. Good times.

What's wrong with IPSEC?

I guess IPSEC or plain ol' SSH tunneling is more difficult to understand than quantum mechanics.

Re:What's wrong with IPSEC?

[Minna+Kirai]

I guess IPSEC or plain ol' SSH tunneling is more difficult to understand than quantum mechanics.

No... quantum "cryptography" has certain concrete advantages over normal mathematical encryption.

For IPSEC, SSH, or anything normal, a spy can record years worth of traffic between two victims. Then much later, burglarize or interrogate one of them to learn the password. (Or even spend 100 years of brute-force CPU crunching) With that, all of the logged messages become retroactively readable.

QC protects against this. There is no way a spy can record the data stream, because to view is to cut it (so the recipient will know something's wrong).

Maybe, Quantum Cryptography should be renamed "Quantum Wiretap Detection"...

Re:What's wrong with IPSEC?

[Soul-Burn666]

Actually I think this specifically is NOT the case. I have recently learnt that IPSEC/IKE does indeed give you PFS, perfect forward secrecy. This means that even if you find out the main password later, the data you encrypted and sent can NOT be decrypted easily using it.

Just google for IKE and Perfect Forward Secrecy.

Re:What's wrong with IPSEC?

[abb3w]

I have recently learnt that IPSEC/IKE does indeed give you PFS, perfect forward secrecy.

Tsk, tsk. Even that only uses a 1024 bit key, so I only need to try 1.8e+308 or so possible keys to find the right one-- not currently practical, but a few years of Moore's law might render the problem solvable within the lifetime of the known universe, even precluding a major breakthrough in quantum computing.

There's a difference between problems that are absurdly difficult, and problems that are outright impossible.

Re:What's wrong with IPSEC?

[Soul-Burn666]

The ONLY thing which is outright impossible is One Time Pad, but that's impractical for wide use, where there is a lot of data being transferred.

Regardless of it using "only a 1024bit key", the fact you need to try 1.8e+308 keys for EACH message since each one uses a different key, it's not truly practical, unless ofcourse quantum computing or a nondeterministic turing machine is developed.

Re:What's wrong with IPSEC?

[abb3w]

The ONLY thing which is outright impossible is One Time Pad

Well, yes, which is the point: Quantum encryption is a one time pad, furthermore with absolutely guaranteed security in pad generation and distribution. There are several possible non-algorithmic weaknesses to an ordinary one-time pad:
* Alice must make a truly random pad.
* The pad must not be intercepted and copied by Eve when Alice attempts to securely send it to Bob.
* The pad must NEVER be reused.

The laws of quantum mechanics insure that the QE pad is random and non-reusable, and that any interception of a QE message precludes the message from being transmitted, while alerting Alice and Bob to Eve's presence.

it's not truly practical, unless...

EXACTLY! It's that "unless" that some people are worried about. Some secrets need to be kept secure against even 50 years or more of advancing technology. Quantum encryption seems to be the trump card, taking code breaking that final step from the impractical to the impossible. The only attack remaining is interception of the plain text that exists at either end-- a weakness of all encryption methods that do not use Write-Only Memory storage. =)

Re:What's wrong with IPSEC?

[cbreaker]

This whole thing protects data TRANSFER, and unless you somehow keep 50 years of records in transit without storing them anywhere, Quantum encryption won't do shit to help you.

Might as well get this out of the way...

Once you find your files on the net, you'll never be able to tell what size they are

Little more explanation please

[koniosis]

They say that because viewing a photon causes its properties to change you can tell if a message has been evesdropped, which is nice, but what good is that if you just sent the launch codes for a nuclear warhead? Hmmm... well George the codes were intercepted and the missles launched, but erm... we KNEW that it had happened!! No, just kidding, can someone explain why this is such a good thing, does it render that data unreadable or something, how does it work, the article is pretty bare, thanks in advance.

Re:Little more explanation please

As the word cryptography emplies, the data is turned into something that is undecipharable.

Re:Little more explanation please

[koniosis]

when has cryptography ever stopped someone reading a message? Do you meant that it is unbreakable?

Re:Little more explanation please

[missing000]

That's a big bite.

Try this first.

Re:Little more explanation please

[14erCleaner]

Essentially, they use the photons to transmit a one-time pad, which is then used to encrypt the actual message (as I understand the press release, anyway). They notice if anybody intercepts their key transmission, and then don't use it at all.

This scheme might be subject to denial-of-service attacks by eavesdroppers, but I'm sure they've thought of that in their network design. Probably they can send the keys via alternate routes in case of interruption of a link.

Re:Little more explanation please

[koniosis]

oh I see, but didn't private & puplic key exchange sort that problem out anyway?

Re:Little more explanation please

It's unbreakable given our current understanding of quantum mechanics. Also, it's important to remember that even an unsuccessful interception attempt is detected. So, not only will you know right away if someone read your message, you know right away if someone is trying.

Re:Little more explanation please

[JamesD_UK]

No, you still have the problem of working out how to exchange the public key and know that it has not been interfered or tampered with during transit. Quantum Encryption can be more correctly thought of as Quantum Key Exchange. It provides a means of transfering keys together with the knowledge of whether that key has been intercepted in transit or mot.

Re:Little more explanation please

Yes, except that quantum computing can also make it relatively easy to factor large numbers. So public-key crypto is killed by quantum stuff - it's a stroke of luck (good or bad depending on your moral viewpoint) that quantum stuff also provides an alternative.

Re:Little more explanation please

[LnxAddct]

Simple... I send you a key to use in some symmetric encryption algorithm which will then be used to encrypt the message. If we detect that the key has been seen, then we know something is up and can either send another key or go shoot whoever is listening in on us. Either way, we know someone knows, before any data or information is sent, therefore that data or information won't be sent until we know that a key was transmitted securely. The thing that most people seem to miss here, at least as I understand it, is that QN (quantum networking) only works on a point to point basis, once you bring in nodes and routers and whatnot, then its just as susceptible to man in the middle attacks as any other algorithms, and thats what we are trying to avoid. So as far as I know, and please someone correct me if i'm wrong, this is no different then connecting two computers with ethernet cable, except now we can detect if someone else has split the cable and is listening. This will not be the end-all-be-all which most people jsut don't get. If the data needs to be sent to another node on the network and it isn't a direct connection, but must pass through some other entity first, then its only slightly more secure then today's methods. For point to point connections though, it is unbreakable, but how feasible is it to have every computer connected directly to everyother computer?
Regards,
Steve
P.S. One example of a point-to-point connection is the White House to the Pentagon which has been known to have a quantum encrypted line running underground for nearly 5 years.

Re:Little more explanation please

[yngwie0]

Sounds like a nice denial of service opportunity to me....

Re:Little more explanation please

[dilvish_the_damned]

Once observed could you not recreate the photons within a super secret insertable relay device? Like a ummm, photon tap I guess. /me runs off to patent the idea.
The buzzwords can be debugged later.

Re:Little more explanation please

[canajin56]

Yeah. And if there is a normal ethernet connection that you have phyiscal access to, you can denial of service it by cutting it with some cable cutters. The ability to disable a device if you have the ability to hack it up physically is not really a problem. The point is, with a regular ethernet, you could either tap it or diable it. With a quantum connection, you can ONLY disable it, and cannot tap it ;)

Re:Little more explanation please

[Minna+Kirai]

Once observed could you not recreate the photons within a super secret insertable relay device?

No. That's where the quantumness comes in. Each photon has multiple attributes to it... two different axes of polarization, let's say. The only way to measure one of those values is to bounce something off the photon, which would screw up the other value. So it's like there is a stream of bit-pairs {(01)(11)(00)(10)(10)(11)}, but you can only read one of the bits from each pair.

There is no way to reproduce a photon, because you cannot have measured it enough to know what both the values should be. (This doesn't bother the intented recipient, because he already knows which bits to try reading and which to ignore)

The concept is like Heisenberg's Uncertainty Principle... the more accurately you measure one attribute of a particle, the more you mess up the other characteristics.

Stupid question

[JessLeah]

I know the theory is that quantum encryption is totally secure, as observing the data in transit actually changes it.

Can someone please explain how on earth this works?

Re:Stupid question

[YetAnotherName]

Check the Wikipedia my dear.

Or alternatively, see this (goatse-free) image.

Re:Stupid question

[ajayg]

...as observing the data in transit actually changes it

Quantum mechanical systems, unlike classical systems, can exist in a superposition of states. A classical bit for example, can only be either 0 or 1, while a quantum bit, or qubit, can exist as both 0 and 1 at the same time with some probability. Hence, when you 'observe' a quantum system, the system is forced to be (I won't use the word collapse here!) in a new state consistent with the apparatus or observable you used to observe it. That's an oversimplified explanation. Go to the tutorials section at the Cambridge Quantum Computing website for more tutorials and simple reading on how this stuff works, including some very cool articles by Artur Ekert, who independantly discovered quantum crypto

Re:Stupid question

a one time pad, is basically a great big bitfield that is XORed over the message. it is unbreakable if the pad is a secret (and the same size or larger than the message, ie, not repeated), since a given encrypted message can be decrpyted into any possible message by some pad.

by knowing if a communication has been eavesdropped, two parties can share a randomly generated pad, and know whether it is secure or not. worst comes to worst, the network is compromised and they can never communicate securely, but at least they havent compromised secure information.

of course, in reality, one time pads tend to get repeated over the message length, and repeated pads are *very slighty less* than absolutely unbreakable, since there might be a limited number of pads which produce non-gibberish in more than one block of the message; and one might be able to make a guess at what the correct message is by examining choices that seem likely to be correct. of course, this requires some idea of what the message should look like (ascii? binary? language? character set? format?), and would require looking at every single possible pad, so its provably exponential in the size of the pad, and thus as or much more difficult than NP-complete (eg factoring primes)

Re:Stupid question

[Sweetshark]

Maybe some old post from me might help you getting the basic idea.

Couldn't you eavesdrop by creating entanglement...

[Assmasher]

...pairs at some point during the transmission (for instance when pumping the signal strength over distance)? Observing the entangled photon(s) would not change the originals...

Functional?

[students]

I assume this means it works, not that it does something useful. Or was the practical application so heavily incrypted noone could find out what it was?

Misspelling in link in article

[ajna]

Harvard should link to http://www.harvard.edu/ or http://www.fas.harvard.edu/ if you want the Faculty of Arts and Sciences (the undergraduate institution that everybody loves) not "hardvard.edu".

Re:Misspelling in link in article

[koniosis]

or Harvard and Faculty if you want to get picky :P

Re:Misspelling in link in article

I graduated from Hardvard, you insensitve clod!

Re:Misspelling in link in article

BBN Technologies Web site

Re:Misspelling in link in article

Get back to work, Dubya.

What's your threat model?

[Wesley+Felter]

Before I can get excited about quantum crypto, I want to know what attacks real networks suffer from and how quantum crypto prevents them.

Re:What's your threat model?

[lancomandr]

The traffic on conventional networks can be passively or actively observed and recorded, often without the communicating parties noticing. This apparently cannot happen with quantum communication because if a photon is observed in transit, its state changes and hence the eavesdropping is obvious to the communicating parties.

Quantum Encrypted Network?

[Crypto+Gnome]

While technologically do-able, I'm uncertain as to whether this will succeed in the commercial world.

I think we'll all just have to wait and see.

heisenberg

[JeanBaptiste]

Heisenberg's uncertainly principle

and he's the leading suspect in the murder of Schroedinger's cat.

Interdimensional Routers

[Frigid+Monkey]

Great, so now if my router goes down my boss won't say "The internets gone!" Instead he'll say:
"Holy Fuck! There's a giant squid crawling out of a rip in space-time near the water cooler!"

Re:Interdimensional Routers

[OverlordQ]

Ahahaha, that made my day.

Re:Interdimensional Routers

"We are not in the Eighth dimension. We are over New Jersey."

Re:Interdimensional Routers

[McWilde]

I never thought I'd see a resonance cascade, let alone create one.

Simple explanation

[SuperKendall]

Well you see, the network is protected in this way - whenever you make an attempt to observe traffic on the network, you get scratched by a very angry cat whose position is superimposed with your own by way of quantum fluctuation. As there are an infinite number of cats, theoretically there are enough cats to scratch any number of would-be interlopers.

Re:Simple explanation

If a cat created by inspection of random quantum fluctuation appears in the woods, with nobody to scratch, is the data still encrypted?

Re:Simple explanation

Don't forget--the cat has a very long tail, and doesn't exist.

Rejoice!

[Omicron32]

P2P filesharers everywhere have just creamed themselves.

Re:Rejoice!

[Jahf]

Just because you know someone hasn't intercepted your message doesn't mean the person you -sent- it to wasn't undercover.

Re:Rejoice!

It's a joke. Laugh.

I've been wondering.

[Retep+Vosnul]

I have been reading (snippets) about this subject for... well just as long as /. has been covering it. But I understand that the tapping of this data means that the information is lost . Isn't this the perfect dos attack ? ( just thought I'd plant a silly question )

Re:I've been wondering.

[Woy]

Well if you have access to the media, you might as well do the old Big-Axe-D.O.S. attack on the cable.

Re:I've been wondering.

[FooAtWFU]

Erm, if you can go "tap" the data, that probably means that you have physical access to the cable, and you can take a pair of scissors (or wirecutters or other cutting implement) to the cable. Which is also an effective DOS.

Buckaroo

[Prince+Vegeta+SSJ4]

John Bigboote: We've had our chance. Your Overthruster's for shit. We're lost.

Lord John Whorfin: One more word out of you, Big-booty...

John Bigboote: BIG BOO-TAY. TAY. TAY.

Authentication a problem?

[Fiz+Ocelot]

"Hybrid QKD-public key schemes, on the other hand, inherit the possible vulnerabilities of public key systems to cracking via quantum computers or unexpected advances in mathematics.

Hey it looks like they're really thinking ahead on this one. But a big issue seems to be how to deliver secret keys? You must make sure you give them to the right person. I would think since you're going this far with security, wouldn't biometric be the best way? Maybe combined with some posessed object like an implanted rfid chip?

Re:Authentication a problem?

[meringuoid]

But a big issue seems to be how to deliver secret keys?

Um... no. Delivering secret keys is the whole point of quantum cryptography. You send the secret key down the quantum channel, and you know whether or not it's been compromised. If it has, throw it away and try again. If it hasn't, great - you've successfully and securely delivered your secret key.

It's for the governments.

[Colin+Smith]

So that the head of state can surf for porn in complete security.

Eventually...

Some kid on the apartment block will claim he's got a box that can break this encryption for $25, and he'll throw in all the 24-hour soft-porn channels on satellite for another $15.

Re:Eventually...

[PCM2]

Some kid on the apartment block will claim he's got a box that can break this encryption for $25, and he'll throw in all the 24-hour soft-porn channels on satellite for another $15.

Unfortunately, as soon as you try to watch the porn, the channel will mysteriously change.

How does this work?

[logicnazi]

If they are using entagled photons it seems they can't ever use a repeater or amplify the signal. How do they get this to cover any reasonable distance...or do they just send a whole bunch of photons knowing some will get lost...if so I wonder how low the bit rate is.

Re:How does this work?

[kinzillah]

They're only sending one time pads.

so what?

[jjeffries]

I built one just last week, using some old fiber-optic christmas trees, a vintage Kaypro luggable, and a pipin' hot cup of tea.

Oh, you said functional quantum encrypted network. My bad.

Soooo...basically it's less about encryption...

...and more about intrusion detection? So you now *know* when your data is being snooped. 'Scuse my naivete, but isn't that a bit late?

Re:Soooo...basically it's less about encryption...

[Sweetshark]

You transmit onetime pads via the QC channel for a transmission via a public channel. If you are being snooped, you just dont use the onetime pad..

that's all well and good...

[abscondment]

... but something about this type of cryptography seems a little bit fishy. what about a man in the middle attack? if you simply pass along exactly what you found, how can one computer tell that a change has been made from the original?

Re:that's all well and good...

[mdecerbo]

what about a man in the middle attack? [...] How can you tell...?

Answers to lots of your questions at quantum.bbn.com, which is the actual document repository used by the development team. I think it's pretty cool that they make so much material publically available. There's also an overview linked from the BBN homepage.

Re:that's all well and good...

"if you simply pass along exactly what you found"

In order to find it you must look at it. In order to look at a photon you must make it collide with the back of your eye thus destroying the photon. No two people can look at the same photon.

Likewise, no two machines can look at the same photon because in order for a machine to look at a photon it must measure it. In order to measure it, the photon must collide with a sensor which destroys the photon.

So sure, a man in the middle can intercept a photon but will not understand it's meaning and destroy it in the process preventing it from reaching it's original destination.

Re:that's all well and good...

[abscondment]

theoretically, if the photon was sent by a computer, another computer could mimic that transmission.

you measure it. you destroy it. so what? you've got all there is to know about the data that's been sent; use that info to send out an exact replica.

i'm sure there's something i don't understand here. explain it.

Re:that's all well and good...

By reading it in the first place you alter it. Hence the photon you replicate is not the photon that was originally sent.

Re:that's all well and good...

so, two essentially different photons can communicate the same data? how does that work?

Re:that's all well and good...

[Jacked]

Perhaps the piece of the puzzle you are missing is the fact that in quantum cryptography, a single photon does not represent a single piece of information (or bit). It actually contains many pieces of measurable data, such as the level of polarization.

You can't simply read it (and therefore destroy it) and then send a duplicate to the destination since you would have to manufacture a photon with all of the same properties of the original.

Re:that's all well and good...

[Basje]

I think it's pretty cool that they make so much material publically available

Two reasons:
1. In the crypto world, anything not open is eyed suspiciously. Providing information and testing the lock are important.

2. That's the blessing of patents. While it is generally viewed here as patents==bad, it does make sure inventions are published.

Re:that's all well and good...

Read up on the no-cloning theorem.

Probably?

[tbjw]

This is probably funded under DARPA's Quantum Information Science and Technology Program.

Because the more accurately we know the funding the less accuratly we know the results?

Truly this is quantum computing.

Re:Probably?

[mendepie]

Due to the Quantum nature of this project if we knew who funded it, that information would be disrupted (and someone else would claim to have funded it)

Re:Probably?

[FooAtWFU]

No, due to the quantam nature of the project, you could either know exactly who funded it, or exactly how much funding they got... just not both at once.

And the first quantum-encrypted message was:

[jlowery]

"What hath Heisenberg wrought?"

Re:And the first quantum-encrypted message was:

[Spudley]

And the first quantum-encrypted message was:
"What hath Heisenberg wrought?"

Are you certain of that?

Any interference changes the photon, right?

[jbischof]

Wouldn't things like bouncing the photon inside the fiber-optic cable or sending the packet through a router/switch change the quantum signature of the photon and hence ruin the Quantum Cryptography?

The encryption is never the problem...

[JasonB]

Although this is taking a page out of the Good Book by Bruce Schneier: The encryption algorithm/mechanics is never the weak link. There have been robust encryption algo's around for a very long time now.

When was the last time a security breach occured that was the result of someone brute-forcing an encrypted message or key?

The end-to-end system is what matters, as always. A keystroke sniffer installed via spyware is a vastly more economical approach to breaking an encrypted message. Which is exactly what happened to Half-Life 2, remember?

This 'quantum crypto' can ensure that the integrity of the encryption was not breached while in-transit...but then some goober will accidentally leave his WinXP laptop at some airport security screening location and POOF! there goes your unbreakable security.

Re:The encryption is never the problem...

[Antique+Geekmeister]

JasonB wrote: When was the last time a security breach occured that was the result of someone brute-forcing an encrypted message or key? Umm, every day? Old encrypted password cracking tools are still in force to grab passwords of systems that only use DES for encrypting passwords, and plenty of sites regularly have folks break into them by what is nearly brute-force guessing of a list of likely passwords.

Re:The encryption is never the problem...

[Minna+Kirai]

.but then some goober will accidentally leave his WinXP laptop at some airport security screening location and POOF! there goes your unbreakable security.

No, the levels of loss are different.
When the laptop is stolen by enemies, they gain access to all data on the laptop, which gives them a password they can use to view data the rest of your organization is currently transmitting... OR to decrypt any data they've logged you transmitting before.

If the organization used QC, that last threat is taken away. The damage from a compromised password is reduced, because the spies can't revist any old wiretap logs- for wiretapping QC is impossible.

If you are transmitting data across the internet using any kind of encryption besides OTP, then somebody can be sniffing it to a log. 50 years later, he can brute-force it with a Beowulf cluster of 40 terahertz cellphones. QC is immune to that too.

So if you're paranoid that a future historian will try to open your email, look into QC.

A few flaws in the system...

After reading the article (yeah, yeah, I know, this is /. - what was I thinking?) a couple of things jumped out at me.

Patent-pending BBN protocols pave the way for robust quantum networks on a larger scale by providing "any to any" networking of quantum cryptography through a mesh of passive optical switches and cryptographic key relays. Well, well... in previous posts, Assmasher and logicnazi noted the problem with repeaters and routers. It sounds like they are using passive switches, that is, purely optical switching (lenses, say) rather than "optical to electrical, do the switching, and back to optical". When that fails, they use a "cryptographic key relay" (I haven't found out what one of those is yet, but I'm guessing that it's a tamper-resistant harware gizmo that supposedly can handle cryptographic material securely).

Well, this is neat, but it's going to be a lot harder to build a network this way. Optical routers (purely optical, no converting to electrical) are pretty expensive. And every place you can't use an optical router or you need a repeater, you also need a cryptographic key relay.

And after all that, it's still going to be easier to compromise an endpoint or a cryptographic key relay, or to use ARP poisoning to set up a man-in-the-middle attack (what good is all that spiffy quantum crypto if the router routes it to the wrong recipient?)

Yeah

[segfault7375]

...BBN Announces Functional Quantum Encrypted Network...

...This is probably funded under DARPA's Quantum Information Science and Technology Program."

Yeah, well duh. :)

Slashdot patented quantum websites...

Once you look at them, they cease to be useable. Also known as Schroedinger's Site...

broken link in story

um fix the harvard link from http://www.hardvard.edu/ ?

The worlds biggest carbon security flaw

[FrostByte12]

Unless you are in a world where humans do not operator the CompuTar machine, you will always be sujbect to human error and the best password ever... 'password'... Sshhh pass it on.

Re:Couldn't you eavesdrop by creating entanglement

[Digicaf]

Right, just let me wihp out my handy pocket subatomic particle entangler.

a question...

Is it Good or is it Whack?

boston university credit

damnit. boston university was the third collaborator on this project. (i know b/c i wrote alignment software for fiber stages that are used.) let's get a little BU credit.

but how long have the millitary had it

If its just now announced to the public then the millitary have probably had it for 30 or 40 years!

Re:Couldn't you eavesdrop by creating entanglement

[Assmasher]

lol, only $9.99 at your local radio shack (in the year 2044...)

Re:Couldn't you eavesdrop by creating entanglement

[assaultriflesforfree]

To answer several questions at once, the short answer about how it works is a consequence of the uncertainty principle: when you observe a photon (or any particle, for that matter), you have to interact with it in some way. When you do that, you change some of its properties.

"Observing the entangled photon(s) would not change the originals..."

Not exactly true. Look into the EPR experiment and what's known as "spooky action." It turns out acting on one entangled photon instantaneously (faster than light) affects its partner. For what you're saying, though, this doesn't really matter, as no information can be transmitted this way (luckily). However, entangling photons requires letting them interact, which will disrupt the original.

In other news today...

[The+Master+Control+P]

Dateline 1969: Military announces "ArpaNET" system to connect universities across continent."

Who knows where THIS one will be in 35 years.

Re:Couldn't you eavesdrop by creating entanglement

[Assmasher]

DOH! Oh yeah, I forgot... That was the entire value of the entanglement to begin with, LOL! Dumbass (me)... That was the basis for faster than light communications ;).

My Work Is Done Here.

[SEWilco]

They have a dandy network, but they don't know what it is doing. It is working, because each time they connect to it they get an error, so it obviously is detecting that a listener is present and making the data unavailable.

Low information content...

[Shardis]

It's amazing how low the information content is in this - especially considering how much some people are getting whipped up and making sweeping generalizations.

How many qbits? What kind of bandwidth? All optical point to point or switched? Transmission distance? What materials are being used for transport?

I'd love to know how many qbits they're playing with here to at least have a minor clue as to where the SOTA is...

4:30am and IANAP, but...

[Fweeky]

You can't measure all the properties of the photon -- for instance, if you measure one kind of polarization (diagonal, say), you forfit the ability to measure the other two (rectilinear and circular) because you destroyed the photon in order to measure it.

Both sides of the communications channel pick what polarization matters at random; that is the sender picks a polarization type at random to encode a random bit, and the receiver picks a type at random to detect. After sending and detecting the photon, they can tell each other what type they picked over an insecure (but authenticated) channel; if they picked the same type, they both add the bit to their one time pad; otherwise it's just discarded.

As an evesdropper, the best you can do is also pick types of polarization to detect at random; you can retransmit *a* photon with the polarization you detected encoded in it, but you have no way of knowing if it's the same one the sender and recipient are using.

Most of the time it won't matter; neither party will have picked the same polarization and the information is discarded. When they do pick the same one, chances are you haven't -- the photon you've retransmitted will then be incorrect, introducing lots of errors into the data, and although you'll get lucky some of the time, it'll become obvious that the errors that are introduced are not just a result of line noise or so.

The more bits that are transmitted across the channel, the lower the probability that an evesdropper went undetected out of blind luck.

That's what I gathered from Wikipedia, anyway. Now I need to sleep ;)

Quantum encryption still can be broken.

[James4765]

Man-in-the-middle attacks are still (theoretically) possible against quantum encryption. You just splice two quantum transceivers in the middle of the cable, and there's no way to tell if the transceiver is communicating end-to-end, or is being intercepted in the middle. Not without using tamper-resistant cable, armed guards and whatnot.

Plus, you need dedicated fiber for the quantum channel. Any relays, repeaters or switches in the channel and you lose the end-to-end quantum effect AFAIK.

Seems like a cool technology that is completely impractical right now - kind of like carbon fiber in the early 80's. Let the military play with it, work the bugs out, and by the time I'm over the hill (2017 or so) it might be actually worth it for someone who doesn't have a DoD-level budget.

Objectivity

[freejung]

Basically, Quantum Mechanics destroys the classical distinction between the observer and the system to be observed. In quantum mechanics, it is impossible to observe a system without affecting it.

For instance, if you measure the polarization of a photon, which was previously in a superposition of polarization states, in some sense you have created the new polarization of the photon, you have made it be what you measured it to be. So if I send you a diagonally polarized photon, and you measure it straight up and down, after it passes through your measuring device it will be purely straight up or straight down, whichever you measured it to be. So if somebody taps the line, we will be able to tell, because they will change the polarization of the photons I send you and you will get gibberish.

This is of course a bit simplistic, but that's the heart of the matter. Objectivity is dead. You are part of the system. If you observe it, you will inevitably have an effect on it. It's kind of cool.

The neat thing about this is that, assuming QM is correct, there is no way to circumvent it with new technology or more powerful computers or anything else. No matter how cool your tech is, you can't observe a system without changing it.

Dumb headlines

Please try to get headlines right.

This is not quantum encryption. Photon entanglement simply allows the recipient to detect if someone was listening. It's much like a signature, only stronger (signatures only go bad if someone tries to modify the data; quantum state of entangled photons changes if anyone even looks at the data).

You don't want to send critical information over such a link. You use that link to send a symmetric encryption key. Then you use crypto.

Eve, a passive MITM (WITM), can prevent you from ever using crypto by keeping the link tapped. You keep sending crypto keys across, but each time you realize they've been compromised. You cannot get anywhere in that situation unless you use public key crypto, at which point the quantum-entangled nature of the link gets you no extra security.

Network or link?

[renoX]

As far as I know, the 'quantum encryption' which allow secure communication, also prevent routing..

So I don't think that it is really a network..

OK, a fully meshed network is a network, but having to put a link between each node is not a very usable network when the number of node increase!

Or am I missing something? The article is quite low on detail..

Man-in-the-middle is not possible against QC

[Sweetshark]

Man-in-the-middle attacks are still (theoretically) possible against quantum encryption.
No they are not. QC is resistent against man-in-the-middle-attacks. See this post for explanation.

Re:Man-in-the-middle is not possible against QC

[Minna+Kirai]

No they are not.

Yes they are. The post you reference is talking about practicalities, not theoretics. It describes a communication system using two channels: a quantum one and a public one. Information describing which attributes of the quantum stream should be read are transmitted publiclly.

If the MIM could replace traffic on both the public and quantum streams, he can make a successful attack (both victims think they're talking to each other, but are really talking to MIM). But the assumption in that post is that the public channel will be a traditional radio broadcast, which would be difficult to block without detection (you'd need to secretly build giant antennas/faraday cages between the victims...)

So, the question reduces to "Is an MIM attack possible for FM radio broadcast?" And the answer to that is theoretically yes, although unlikely in practice.

Re:Man-in-the-middle is not possible against QC

[Sweetshark]

Yes they are. The post you reference is talking about practicalities, not theoretics. It describes a communication system using two channels: a quantum one and a public one. Information describing which attributes of the quantum stream should be read are transmitted publiclly.
You cant use QC using only the QC-channel, so the is public channel is part of the theory.
However you are right: In theory a MIM is possible if the MIM has access to the public channel, can inpersonate the sender/reciever and intercept any attempted communication between the sender and the reciever. There are various means of commutication where this practically is hardly possible: radio, p2p networks (just ask the RIAA) for example. You could even require the reciever to reply via multiple channels - the MIM has to intercept all communication on all channels. The more channels you add the harder it gets - at some point, it will be easier to brute-force the onetime pad (if it is shorter than the message, every cryto is breakable in theory).
Social engineering or physical access to the sender/reciever are far bigger vulnerabilities at this point.

What about idQuantique?

[ggravier]

Isn't all this what idQuantique ( http://www.idquantique.com/ ) has been working on and has products for, for a couple of years now?

Rabin's Hyper Encryption and Everlasting Secrets

Rabin's Hyper Encryption and Everlasting Secrets is an interesting alternative. - Austin

Quantum vs. Quantum

[Scratch-O-Matic]

I have a question about this.

My sole knowledge on the subject came from a book called "The Code Book", if I remember correctly -- an EXCELLENT READ for the layman, by the way. Anyway, I recall reading about two things: a quantum network using polarized photons as bits, and a quantum computer, which somehow embodied the Schroedinger's Cat principle of processing all possibilities at once. The first was secure because it was impossible to eavesdrop without detection, because the simple act of observing the photons would change their state and result in detection. The second enabled super-powerful encryption and decryption, just because of sheer processing power.

If I understood correctly, the two ideas are mostly unrelated in terms of how they provide security, yet they seem to be intermingled in this thread. Did I misunderstand?

Re:Quantum vs. Quantum

It sounds to me like you understand it perfectly.

It's not so easy ... entrapment etc

As long as you use P2P protocols that require a pull by the recipient, the undercover person will not be able to witness an alleged infringement unless they perpetrate the "crime" themselves, and furthermore it would probably entail both wilful deception and entrapment as well.

Trusted Relay = Perfect Security Breaking?

[kushnir]

"Building the quantum network" discusses possibility to use Trusted relay to transmit key over large distances (currently 50km). But would not the mere existance of such a device mean that one can intercept the message and quickly dump the copy back into the network. Then the only question would be how quickly you can technically do it (They probably synchronize clocks and transmit time in the message). If you can do it quickly enough (there is no PHYSICS law to limit that AFAIK) then the whole scheme fails.

Re:Trusted Relay = Perfect Security Breaking?

[kps]

Sigh. At the risk of a -1 Redundant, the whole point of quantum-encrypted communication is that there is a "PHYSICS law" that makes it impossible to monitor a message.

Biometrics are NOT secure. AND they don't look

like they're ever going to be.

Every system devised so far has had a workaround
developed so quickly it's pathetic.

If the pay off is worth it, crime will do it.

Improved transmission security, exactly.

[abb3w]

Yes, yes, quantum encryption precludes interception; ergo, unlike with IPSEC, "Eve" can't duplicate the QE message during its transfer, store the encoded message for 50 years, and then crack the code with Any Sufficiently Advanced Technological Improvement. So yes, it's useless for protecting storage-- as I noted, the plaintext on either end is still vulnerable-- but it does provide an improvement over IPSEC/IKE PFS transmission, which was what Soul-Burn666 was originally talking about.

And if you think "Eve" wouldn't keep working at a Sufficiently Important message for decades, then you have not studied enough history.

Re:Improved transmission security, exactly.

[cbreaker]

I think that strong encryption today is enough for today and the forseable future. Not to say that one shouldn't seak stronger encryption but it's not absolutely vital to the survival of our civilization.

Some people go crazy over it. They don't like computer generated keys, because they are psuedo random. They don't like 1024-bit encryption because when they are dead and buried, someone might crack the key and find out what they had for dinner last night.

I feel as though that given enough time, secrets shouldn't need to be secrets anymore. I don't want my government holding secrets from my great great grandkids.

Enough is enough... get over yourselves. Calling a properly implimented strong encryption IPSEC tunnel "insecure" makes me want to slap people.