Quantum Cryptography Ready For Wide Adoption?

An anonymous reader points us to an interview with the founder of quantum cryptography pioneer MagiQ Technologies. From the article: "Q: When do you think we'll see service providers offer quantum cryptography services to their end-customers? A: This will happen within one year and we'll see fairly wide adoption within the next three years. We are working with big carriers such as Verizon and AT&T as well as some companies that own fiber networks. The goal is to embed quantum cryptography into the technology infrastructure so it becomes totally transparent to the end-user..." The cost of a pair of MagiQ boxes to implement point-to-point encryption on a 120-km link is $100,000 plus service.

SNAKE OIL!

[LiquidCoooled]

The only way to see if this works is to break the fibre connection and see if it notices.
Oh lookie, the amazing thing is - a normal fucking fibre circuit will notice as well.

There is no quantum tech yet.

This is just going to increase our month subscriptions without giving any benefits, we will still use encryption on every required connection and will still have open holes alopng the way (last mile), so who exactly does it benefit?

I suggest any carrier should pay them with money stored in a quantum envelope. You are certain it contained $100,000 before you sealed it up, if its not there now it must have been intefered with.

Re:SNAKE OIL!

[vertinox]

The only way to see if this works is to break the fibre connection and see if it notices.

What happens if you splice the line and put a repeater in that also reads the data passing through it?

Fiber optics are tappable you know.

You may notice a short downtime...

Re:SNAKE OIL!

[Amouth]

or you can just bend the fiber and catch what little bit makes it out.. or you could splice in a larger pice of glass like -|- and read it from the edge of the incerted glass - sure you would notice the beem being weaker but that amount depends on the size of the glass inserted - if you are looking up close you only need to divert alittle of the light to read it.. and the link wouldn't ever have to go down for it to happen - fiber is leaky.. just read the leaks or make your own.. no need to read and repeat just read

Re:SNAKE OIL!

What happens if you splice the line and put a repeater in that also reads the data passing through it?

I don't know, let's ask the NSA: bomb kill president dirty bomb panties assassination murder terrorist nukular boom boom anthrax

Re:SNAKE OIL!

[orgelspieler]

In true quantum cryptography, you cannot use a repeater. This is due to the Observer Effect. By measuring the quantum state of a particle, you change it. A professor explained it to me back in the 90s, but I can't remember all the details.

Re:SNAKE OIL!

[da+cog]

The "data" that is being sent is not classical information, but quantum information in the form of "qubits". Ergo, you cannot intercept and then "read" it in the sense that your post is describing.

Specifically, what is being sent is one half of two perfectly entangled qubits. The fact that they are "entangled" means that if the two people involved each measure their qubit using the same basis, they will always get the same answer.

When you intercept one of the two qubits, you can measure it but in the process you destroy it, and you cannot create a new qubit that is entangled with the one kept by the sender. Thus, the final recipient of the qubit will no longer get qubits entangled with the original sender's, and so even when the two of them measure with the same basis they are no longer guaranteed to get the same result. In fact, on average 50% of the time they will disagree -- equivalent to what would happen if they both just generated independent random strings of bits.

Now you might say: why not have the repeater just generate a qubit such that the recipient will get the same measurement result as you did? The answer is that you cannot do this because you cannot know in advance what basis he will use to measure the qubit. In the case of photons, he could measure it in a horizontal/vertical basis, or he could measure it in a diagonal basis. (For each measurement he will pick one or the other on a random basis.) If you polarize your photon horizontally (which might correspond to a classical value of "0"), then the other guy will get a random result when he measures it in the diagonal basis. You can only hope to guess right 50% of the time.

Part of the QC protocol is to share selected strings of bits to make sure that they are in fact in ownership of a common secret. If these strings differ 50% of the time, then they know that someone was reading them in the middle.

Thus, the whole point of QC is that it is impossible to put repeaters in the middle to intercept the data without this resulting in a detectable error rate in the shared secret.

Re:SNAKE OIL!

[Mr.+Firewall]

...if you can get physical access to the line you can bend it and with the right equipment read all the data off the line without any interruption of the normal service.

Nope. Not with quantum crypto. First, you can't read the data because it destroys the data. Second, it will DEFINITELY interrupt the normal service! (because you've destroyed the data)

There are videos of this being done, where they capture a broadcast on a fiber wire and there is no noticeable difference on the original signal.

You're thinking ordinary fiber-optics. Quantum is a whole different world.

Re:SNAKE OIL!

[skarphace]

And that's the problem with quantum encryption: it's far too susceptible to DOS attacks.

Which is why the tech should only be used on networks that value confidentiality more then service. Quantum Cryptography is NOT a technology for the internet and if anyone tries to convince you of that, they're wrong.

Re:SNAKE OIL!

[MrNaz]

It's known as the Heisenberg Uncertainty Principle. It states that with regards to any particle, you can know either its location or its state of motion but not both. This is due to the fact that in order to observe something, you need to "see" it, which requires that at least one photon touch it. If a photon touches a particle, it will impart energy to it, changing its state. Thus, you will know its location, but you cannot know how the photon has changed the particle's state unless you bounce another photon off it, causing another change.

The way I understand so-called "quantum cryptography", is that it sends a known number of photons with known states down the fiber. Any attempt to intercept them will change their state and/or their number. A repeater will not be able to reproduce exactly the photonic pattern that the sender sent. This, combined with a kind of hashing or packet digest, will tell the receiver if the data packets were tampered with along the way. The message is not sent as a series of light pulses, but as individual photons which are polarised in one direction or another, representing 0s and 1s, with carrier photons that indicate the representational state at any given point in time. Because photons are discrete, there can be no leakage, hence any attempt to "tap" into or read the data en route will be detected.

That is the theory. I am very, very skeptical that the real units actually work that way, as the precision required, it would seem to me, is not currently feasible in commercial products. Counting and measuring photons and whatnot are the preserve of facilities like CERN.

I read this in bits and pieces, I know very little about quantum cryptography, so my understanding may be flawed. In fact, it may be that I have just pulled all this straight out of my arse. It wouldn't be the first time.

Short answer

[Rob+T+Firefly]

Quantum Cryptography Ready For Wide Adoption?

Yes and/or no.

Cryptography != Security

[mpapet]

As a component of a broader security system, cryptography is valuable and solves many problems.

History shows that the weak links in systems employing cryptography is usually some other part of the system. DVD's are an obvious example.

Outside of gov't agencies and the mega-corps that service them, I don't see this taking off like the ipod. The PHB's in the banking world certainly won't understand why this is better than the systems they have now.

Re:Cryptography != Security

[mcrbids]

Outside of gov't agencies and the mega-corps that service them, I don't see this taking off like the ipod. The PHB's in the banking world certainly won't understand why this is better than the systems they have now.

Funny that. When I read the price, my first thought was that this would very possibly explode!

It all comes down to benefits vs. cost. When there are billions of dollars on the line, protecting it with a mere $100,000 seems like chump change. And each $100,000 purchase helps prove a marketplace that will then lower costs.

With every new technology, there's an "adoption curve" where the price drops to a point where it makes sense at high economic levels. So the wealthy and the megacorps adopt the technology because it pays to do so. By doing so, the inventor/developer recoups their initial investments into the technology, and it begins to pay to reduce the price in order to encourage a larger marketplace.

Wash, rinse, repeat, and soon the new technology is available at very affordable prices to average people.

This doesn't happen to *all* technologies. For example, general aviation (EG: light, 1-12 person aircraft) is still pretty firmly entrenched in the ranks of the wealthy, for a variety of reasons. All too few people talk about the "family plane". But even in this case, commercial aviation is very reachable by the average Joe, a la SouthWest airlines.

So, to have perfectly unbreakable encryption over a 120 km link for just $100,000? I think that would get the attention of quite a number of large and middle-sized organizations, banks, and perhaps data warehouses.

I'm sure they could do it.

[Daniel_Staal]

But I'd rather the lines were upgraded to support faster speeds first. That should be a higher priority than embedding encryption into the network. There is little pressing need for better encyption, but more data bandwidth would help a lot of things.

Funny thing is

[rbunce]

by definition Quantum cryptography can not be run on real networks were you have to do things like routing.

Totally useless

[Jimmy_B]

In practice, quantum cryptography doesn't achieve anything that regular crypto systems like SSL or ipsec don't. Quantum cryptography is theoretically unbreakable, whereas SSL is believed but not mathematically proven to be unbreakable. In either case, it's easiest for an attacker to compromise one of the endpoints, so it's not a big difference. SSL is cheap, easy and widely deployed. So why would anyone spend $100,000+ per link on untested quantum cryptography hardware, when you could roll out ipsec much more cheaply?

Re:Totally useless

[Chirs]

The benefit of quantum cryptography is in secure key exchange. With regular systems you don't know if someone is sniffing the packets going through your fiber.

With quantum key exchange, the very act of diverting a photon to "sniff" it disturbs the signal enough that the far end can detect it.

Once you've exchanged keys (at a low bit-rate) you then use standard encryption techniques to exchange the actual data.

Re:Totally useless

[jomama717]

I was about to post the same thing after reading this from the "MagiQ" website, linked from the article. The paragraph entitled "Quantum Cryptography" is very informative, assuming it is accurate.

Re:Totally useless

[bcrowell]

OK, so this company will sell a big ISP a way to build a line that's immune to theoretical future attacks using quantum computing. The problem is that it costs a large amount of money, and those attacks are only theoretical. Their web site says the threat is that someone could collect a large amount of SSL-encrypted data, then decrypt it someday in the future using a quantum computer. Well:

1. Most criminals aren't in the habit of undertaking gigantic economic efforts for uncertain returns at some unknown date in the future.
2. Hypothetical criminals who want to collect SSH packets for later analysis can collect terabytes worth any time they like, simply because the nature of the internet is that it's designed so that packets are passed through machines that aren't trusted. An ISP could spend $100k to get quantum encryption on 100 miles worth of fiber, but realistically, criminals don't need and don't have physical access to the fiber anyway.
3. Very little data has the kind of long-term economic value that would justify this kind of effort by criminals. Their web site gives the example of medical data. WTF? Suppose I have gonorrhea. Thirty years from now, a Russian gangster says, "we have medical records from 2006, is proving you had gonorrhea; you pay us money, or we tell family." Is this a realistic threat?

It's strictly point-to-point.

[porkchop_d_clown]

Worse, they talk about "repeaters" to extend the range past 120km - which is scary, because it implies they are decrypting/recrypting at the repeater.

Can you say "Physical Security"? I knew you could.

Re:It's strictly point-to-point.

[raftpeople]

If the repeater decrypts and then re-encrypts the message for further transmission then you can extend the range. Clearly that opens up the problem of tapping into the repeater, but with good physical security it's better than nothing.

In Other News ...

[Diglielo]

Founder of quantum cryptography company predicts widespread adoption within three years.
Inventor of Segway predicts widespread adoption within three years.
Executive of personal hovercraft company predicts widespread adoption within three years.
Early investors in free energy scheme predict widespread adoption within three years.

More Than One Way To Do It Again

[Doc+Ruby]

Perl already does QM programming. Maybe the entanglement timemachine experiment in Spring 2008 will have been successful, and Perl hackers willam haven been sending code through the loop back to the 2002 CPAN?

Quantum Crypto does not solve anything!

[tradeoph]

I can't stand all the hype around Quantum Crypto. If you have a close look at it, you'll see that it doesn't solve anything...

When you transmit bits with QC the law of physics guarantee that nobody will see them, even if some genius breaks all the math behind classical crypto. This is all very well but the throughput is too low, thus QC is used to transmit a key which is then used to encrypt the data. Thus you still need symmetric crypto to encrypt your data.

Now, something everybody seems to ignore: QC does not authenticate the transmission. I can buy two magiQ boxes and set up a man in the middle attack. QC can not prove whether you are exchanging bits with the original sender or with some monkey in the middle. To solve this problem the QC vendors suggest:

• Physical monitoring of the fiber: if you can guarantee nobody touches your fibre, you don't need any crypto!
• Using certificates: Ooops, so now we need asymmetric crypto too, so our QC system relies both on symmetric and asymmetric crypto. Why do we need QC for then?
• Use a shared secret that is programmed into the boxes when they are delivered: If you already have a shared secret, you don't need to exchange a key with QC, you can derive the key from your shared secret...

So even if you use QC, you still need to rely on all the classical crypto to make it work. So it is just as good as classical crypto, without routing.

Re:Quantum Crypto does not solve anything!

[da+cog]

You post sounds like it is based on a misconception that QC is allowing Alice to transmit to Bob a secret. This is not what is going on at all; rather, a shared secret is being generated that Alice does not even know until the end of the process. In classical crypto, a man could sit in the middle and figure out the secret that is shared between Alice and Bob. In properly implemented quantum crypto, however, this is not possible. The best he could do -- using the very man in the middle attack that you described -- is to have one secret that is shared with Alice, and a separate secret that is shared with Bob, when Alice and Bob both think that they have a secret that is shared with each other. It is unlikely that Alice and Bob would take very long to notice that they are using different keys, given that this would produce garbage in every single message that they exchanged.

It's true that he could then hijack ALL communication channels between Alice and Bob, decrypt messages using one key and then re-encrypt them using the other, but... it would probably be easier just to bribe the people doing the transmitting and receiving to tell him what the messages were. I don't think that most people who are serious about security are claiming that QC is a miricule cure, just that it makes one part of the system much, much more secure.

It might be the case that the benefit is not worth the cost, given that the weakest link tends to be the human element, but this is much different than it being "just as good as classical crypto", or a form of "snake oil".

Re:Quantum Crypto does not solve anything!

[kyb]

Only benefit of QCrypto over classical crypto: It stops evesdropping. Problem: It doesn't stop some forms of man in the middle. All this stuff you've said is true, but I don't think it really contradicts the parent. QCrypto is hyped as being unbeatable, which it clearly isn't. The massive effort you think it would take to hijack ALL communications channels between Alice and Bob, is really not that big a deal- you wouldn't man in the middle the QCrypto link unless you knew the other channel the message is going over and could MitM that too. I'm still massively unimpressed with QCrypto. On top of that, there are other ways that may be just as effective at stopping evesdropping, see "hold the photons" by Bruce Scheier in wired.

Re:Quantum Crypto does not solve anything!

[Vellmont]

It's true that he could then hijack ALL communication channels between Alice and Bob, decrypt messages using one key and then re-encrypt them using the othe

I thought this is EXACTLY what a man-in-the-middle attack was. If you have another communication channel that doesn't have an attacker between Alice and Bob, Alice and Bob are always going to figure out that they aren't sharing the same key.

but... it would probably be easier just to bribe the people doing the transmitting and receiving to tell him what the messages were

Well sure.. but it's also easier to do that than crack conventional cryptography. So given this, what advantage does quantum cryptography have?

Re:Huh?

[pdbaby]

Assuming you're not Bruce Schneier making a joke, the point of quantum cryptography is to try and bring perfectly mathematically secure encryption to a point-to-point connection. Normal encryption is good enough but not perfect (i.e. given an infinite amount of time and money, you can break any standard encryption algorithm)

The only perfectly secure algorithm is one where the key is:

• The same length as the key (or "never reused, even within the message" if you want to think of it that way)
• Completely Random

A one time pad satisfies this (and that's the basic idea Quantum Cryptography is based on

Because the resulting ciphertext then is just as random. The problem is that you've replaced a secret with another secret of the same size -- which is only a benefit if you've securely transported a briefcase with a copy of the random key you used.

In terms of practical application for you and me, encrypting traffic with VPNs is practical and really secure. Quantum Cryptography depends on being physically point-to-point, which is its flaw... making it unsuitable for most communication

Of course, there are better ways to find secrets sent across a perfectly secure link. Like infiltrating the organisation and reading the secret on the noticeboard :)

Troll is almost entirely incorrect

[billstewart]

Quantum Cryptography is established real technology. It's not particularly *useful*, but it's real.

You won't have gaping security holes in the last mile if you buy this stuff - it's designed to work on end-to-end dark fiber. You'll still need crypto for other reasons, and you'll still have gaping holes inside your wiring closets, but last mile won't be a problem. The range of the system is 120km, so if you're trying to connect buildings together that are farther apart than that, you do have a physical security problem you'll need to manage at your repeater locations.

This won't increase your phone bills unless you buy it. It's not a system designed for carriers to put in their network backbones - it's designed for an end-user customer to buy dark fiber service between a pair of buildings and put these boxes on the ends. The carriers generally charge a pile of money for that kind of service, and the more people buying it, the better their economies of scale, so if you're a consumer who's not buying this, that's slightly positive for you.

The carriers won't need to pay them with quantum money - the end customers will need to pay in real money...

You're argument is incorrect

[wwwrench]

I had mod points, but what the hell, this is an important point....

You are correct in pointing out (as most responsible qcrypto people do), that qcrypto needs authentication.

However, your argument doesn't follow


So even if you use QC, you still need to rely on all the classical crypto to make it work. So it is just as good as classical crypto, without routing.


The reason is that:

1) The authentication only needs to be secure for a second or two. I just use it foil a man-in-the-middle-attack or authenticate part of the protocol. So, if I use public key authentication, and the public key is then cracked, no problem, I've already used it to authenticate. The cracked key is now useless to the attacker. So, my attacker may even have a quantum computer, but she would still need more than a few seconds to crack the classical crypto.

2) Authenticating a message uses a very small amount of key (logarithmic), so if I start off with a small key from magicQ, then I can expand it, thus generating an arbitrary large amount of secret key from a tiny "seed". Thus sometimes, qcrypto is called "key expansion".

So, if you want to protect your data against future attacks (who knows how good algorithms and computers will get), or when we start needing to worry about quantum computers, then we will have to switch to quantum crypto-- it is just a matter of time.

As an aside, no responsible qcrypto person would suggest monitoring the fibre as a solution.

SSL is quite breakable

[ab762]

as it relies only on being intractable. Throw enough (quantum) resources at it, and it is directly breakable. The fact that on average it takes CPU-centuries is irrelevant to "unbreakable".