Slashdot Mirror


How To Build a Quantum Eavesdropper

KentuckyFC writes "Quantum encryption is perfectly secure, in theory. In practice, however, there are loopholes. Now Japanese scientists have designed a quantum eavesdropper that exploits one of these loopholes to listen in to quantum conversations. QC's security arises from the impossibility of making a perfect copy of a quantum object without destroying it — so the sender and receiver can always tell if they've been overheard. But it turns out that an eavesdropper can make imperfect copies and use them to extract information from a quantum message without alerting sender or receiver (abstract). The Japanese design does just this. That should worry banks and government agencies that have begun to use some of the commercial quantum encryption systems now available."

67 comments

  1. Oh no. by interstellar_donkey · · Score: 4, Funny

    But Al, why haven't I leaped?

    Ziggy says there's a 98.5% chance that your security is flawed.

    --
    The Internet is generally stupid
    1. Re:Oh no. by TomRK1089 · · Score: 3, Funny

      Also, when your account info went into the test chamber, it....sorta got swiss cheesed.

  2. Not so hard by Ancient_Hacker · · Score: 2, Informative

    You don't need anything so fancy. The quanta are, like packets, not guaranteed to get to the destination every time. All you have to do is sidetrack every random(N)'th photon to your receptor.

    1. Re:Not so hard by hostyle · · Score: 1

      Even better, you could tag each one so you can group them together more easily. May I be so bold as to suggest something like "thisoneisneeded" and "thisoneisadupe". See, folksonomies make everything better. No wonder Web 2.0 won.

      --
      Caesar si viveret, ad remum dareris.
    2. Re:Not so hard by Anonymous Coward · · Score: 0, Redundant

      but are they on trucks or in some sort of series of tubes?

    3. Re:Not so hard by mea37 · · Score: 3, Interesting

      If N is too high, you don't get enough information.

      If N is too low, you drive the error rate high enough that the communication is no longer regarded by the parties as secure.

      N is always either too high, too low, or both.

    4. Re:Not so hard by Anonymous Coward · · Score: 3, Insightful

      I thought quantum encryption first established a one-time pad for secure communications. It uses a protocol to ensure that any quanta not arriving or changed in any way are discarded. Only the quanta verified between Alice and Bob get used for the pad. So, a) diverting quanta during the pad-establishing time gains you nothing, and b) diverting quanta during communication gets you quanta randomly encrypted according to a pad about which you have no knowledge.

      It seems copying quanta such that no change is detectable is the only way to make this work.

    5. Re:Not so hard by Hektor_Troy · · Score: 1, Offtopic

      N is always either too high, too low, or both.
      This IS quantum mechanics ... why can't it be both?
      --
      We do not live in the 21st century. We live in the 20 second century.
  3. Long time lurker, first time poster by Anonymous Coward · · Score: 1, Interesting

    Having been involved in abstract quantum physics in my college grad student days, I can say that this is quite a tall order. The whole point of quantum cryptography is that the observation changes the system to the point that (a) eavesdropping disturbs the communications to the point of making it unusable and (b) due to (a) it is detectable oh what the hell am I talking about. First post. That's right, I just nailed a frosty.

    1. Re:Long time lurker, first time poster by Anonymous Coward · · Score: 0

      My observation of your attempted frosty posty has apparently ass-raped it into the failure zone. Detection of your transmission seems to have destroyed your opportunity to pwn the thread, making you look like a complete dickweasel.

      My sincere apologies...

    2. Re:Long time lurker, first time poster by thatskinnyguy · · Score: 1

      I observed your first post attempt therefore it became !first post.

      --
      The game.
  4. This is not important... by ThisIsAnonymous · · Score: 0

    That should worry banks and government agencies that have begun to use some of the commercial quantum encryption systems now available.

    Banks and Government agencies! Whatever! That data is nowhere near as important as movie and music and game data. Please tell me that we can still use this to protect that content!
  5. Better Candidate for the South Park Defense by PawNtheSandman · · Score: 1

    I think this story is a better candidate for the "South Park" defense than the Chinese Gov't Hackers.

    1. Re:Better Candidate for the South Park Defense by DeadDecoy · · Score: 2, Informative

      Not really. The whole point of the South Park defense was to get out of trouble by being humble and flattering the enemy. In the Chinese hacking incident, the big penis joke was more analogous to having Americans being told that they have hardened systems that couldn't be cracked (pun sorta intended). In the case of this article, the Japanese scientists are being perfectly transparent in showing that there is a hole with quantum cryptography. Just having Japanese people in the subject is not sufficient for saying the two articles are equivalent or even relate to the same joke.

  6. Ob. LOTR by HungSoLow · · Score: 5, Funny

    I've been droppin' no eaves sir.

    1. Re:Ob. LOTR by kestasjk · · Score: 3, Funny

      A little late for doing quantum physics experiments don't you think Sam?

      --
      // MD_Update(&m,buf,j);
  7. Logical disconnect by jandersen · · Score: 4, Insightful

    How can one say that it is "theoretically impossible", when somebody has made a practical counterexample? It just means that the theory wasn't good enough - or more likely, that the wrong conclusions were made from the theory.

    1. Re:Logical disconnect by Anonymous Coward · · Score: 0

      What that phrase means is that it is perfectly secure if given a perfect implementation, which never happens in the real world. One-time pads are similar, they are "unbreakable" in theory but practical considerations make them very weak.

    2. Re:Logical disconnect by tnk1 · · Score: 1

      Saying "theoretically impossible" is perfectly fine, it just leaves out the fact that in order to obtain the desired results, you have to have a system where you expect to always be able to get complete, undamaged messages/packets.

      What bothers you is not that they say "theoretically impossible", it's that such a term morphs into "completely impossible in all implementations" in the minds of the general public and gives them overblown expectations. That's not really the fault of the people who use the term, it just means that people take a word like impossible, and ignore the modifier.

      You could argue that they should say that it is "theoretically impossible, but not necessarily in practice", but if you think about it, that is almost a redundant statement. By using the modifier "theoretically", they have already stated clearly that they cannot vouch for practical difficulties.

    3. Re:Logical disconnect by johannesg · · Score: 1

      That's because people routinely misunderstand theory.

      For example: "it is impossible to write a program that can determine if another program will halt or not" is often reworded as "it is impossible to determine if a specific, given program will halt or not", which is patently untrue.

      The theory in this case appears to be, if I understand correctly: "it is impossible to make a complete copy of a message without it being detected." So they just figured they can make a partial copy, thereby side-stepping detection, but still getting a lot of information.

      The theory is right; the implications of that theory (that therefore all communication using it must be secure) are not.

    4. Re:Logical disconnect by mea37 · · Score: 1

      That's not actually the problem.

      They aren't exploiting an implementation weakness. They're exploiting the fact that you don't have to do what's "theoretically impossible" to extract information from the message. Look at it this way: Somebody said:

      1) You can't copy the quantum communication without visibly disturbing the original
      2) ???
      3) QC can't be broken!

      But there was hand-waving at step 2, and it apparently isn't valid (if this technique turns out to be a practical exploit, which is yet to be seen).

    5. Re:Logical disconnect by mea37 · · Score: 1

      The counterexample has only been theorized, not actually built and tested.

      But if we assume they will build it, and if we assume it will work... Well, it doesn't do anything that's "theoretically impossible". What it violates isn't the theory -- what it violates is the glib assumptions of those who interpreted the theory to mean they could end what is probably an endless arms race.

    6. Re:Logical disconnect by Anonymous Coward · · Score: 0

      It is not, partial fragments of a traditionally encrypted stream are good for nothing if you use the right algorithm. You would only be compromised if you sent your data unencrypted hoping for the quantum magic to protect it.
      I doubt real complex quantum technology is possible, at least with the properties described by enthusiast theorists. If the banks are trusting snake oil vendors using "quantum" encryption when we have nothing above the quantum toy level yet, they deserve anything they get.

    7. Re:Logical disconnect by Anonymous Coward · · Score: 0

      For example: "it is impossible to write a program that can determine if another program will halt or not" is often reworded as "it is impossible to determine if a specific, given program will halt or not", which is patently untrue.

      But what about

      #!/bin/bash
      killall "$1"
      echo "$1" && echo "will now halt."
    8. Re:Logical disconnect by mea37 · · Score: 1

      Two things:

      1) You're assuming that by "partial copy" they mean they only get some of the encoded information; that may be what they mean, but it isn't what they say.

      2) What you're saying also implies that the message itself is sent via quantum crypto; this is not the typical case. QC is used to distribute keys. Is getting part of a key useful? I'd think so, as long as you know which part you have.

    9. Re:Logical disconnect by johannesg · · Score: 1

      What about it? The theory only states that programs exist for which halting cannot be determined. That is not the same as saying that halting cannot be determined for every last single program, which is usually how uninformed undergraduates tend to understand it. Just to give two quick examples:

      10 rem this will never halt
      20 goto 20

      Or this one:

      10 rem this will always halt

      There are two interesting things here: first, I'd bet that for 99.9% of all programs in real life, it is not only possible to determine if it will halt or not, but it is in fact trivial.

      And second, thank you for proving my point that people frequently misunderstand the implications of any given theory.

    10. Re:Logical disconnect by Anonymous Coward · · Score: 0

      Whether you transmit the key or the plaintext doesn't matter much in cryptography. OTPs are ultimate security, but when you have some of it read by the enemy it is equal to having handed them chunks of plaintext.
      If they can silently get some of it, quantum cryptography is only useless in that simplified setup.
      If they can get all the silently read bytes, then they are getting the whole key and QC is utterly useless.

    11. Re:Logical disconnect by KDR_11k · · Score: 1

      There are two interesting things here: first, I'd bet that for 99.9% of all programs in real life, it is not only possible to determine if it will halt or not, but it is in fact trivial.

      I think it's not quite that easy or we would be able to catch almost all crashbugs automatically. We can catch some but the tricky ones don't get caught automatically.

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
    12. Re:Logical disconnect by kmac06 · · Score: 1

      Because the summary is wrong. This "loophole" has been well-known for some time now. It can be compensated for very easily, and in fact is compensated for with current QC implementations.

  8. Theory by Iamthecheese · · Score: 1, Redundant

    IANAP, but can someone please tell me how the theoretically impossible became theoretically possible? Did the theory change, or was the math wrong, or did His Great and Wonderful Noodliness screw with the results?

    --
    If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
    1. Re:Theory by cybrangl · · Score: 1

      IANAP, but can someone please tell me how the theoretically impossible became theoretically possible? Did the theory change, or was the math wrong, or did His Great and Wonderful Noodliness screw with the results?

      It is still theoretically impossible to get a perfect copy without alerting the sender and listener. However, this technique essentially reads the "noise" around the conversation and rebuilds the data from that. This is much like a damaged hard drive. While you cannot get the data directly, you can rebuild the data with the bits you do get.
    2. Re:Theory by MbM · · Score: 1

      It's easier to argue the corollary -

      It's theoretically possible to produce a machine that implements perfect quantum security. The exploit above does not disprove the theory, only the implementation.

      Oh, you want to know why the implementation was flawed?

      --
      - MbM
    3. Re:Theory by kalirion · · Score: 1

      In theory, FTL communication is impossible.
      In theory, wormholes allow FTL communication.

      Different theories.

    4. Re:Theory by MadKeithV · · Score: 1

      In theory, there's no difference between theory and practice. But in practice, there is.

    5. Re:Theory by Anonymous Coward · · Score: 0

      Funny you mention FTL comms under a topic of Quantum mechanics.

      In simple terms, quantum particles completely allow FTL comms. All you need to do is build two radios or terminals or whatever and get them talking via said particles.

      Send one terminal to the other side of the galaxy or a nicer place. The two terminals will still be able to talk to each other nicely. No problems, and far faster than light speed.

      The only downside is the bitrate is a bit low and it's not perfect but it works well enough.

      In theory.

      Not every intelligent race feels the need to "talk" as often as humans do or in the sort of way we do.

    6. Re:Theory by kalirion · · Score: 1

      In simple terms, quantum particles completely allow FTL comms. All you need to do is build two radios or terminals or whatever and get them talking via said particles.

      That sounds a lot simpler than it really is. The only way I can see to do it is to shoot entangled particles from point A to points B and C, and when someone at B tampers with its particles, C sees the diffusion pattern disappear instantaneously (or even faster, if B is farther from A than C is.... which means communicating with the past :))

      In theory.

      From what I hear, most scientists believe it's impossible to use entanglement for FTL communication.

    7. Re:Theory by Terje Mathisen · · Score: 1

      The theory is still good, it depends on all QC channels having a non-zero error rate, even when nobody is trying to eavesdrop, so the protocol used must be able to deal with those errors, right?

      If the real error rate is well below the communication error ceiling (where it stops working), then Charlie sitting in the middle can extract a few bits out of each packet.

      OTOH, assuming this channel is used to exchange the 256-bit AES key to be used for the bulk communication, then the parties can simply set the acceptable error rate very close to the real limit, and then discard any packet (and the corresponding key!) which goes above this limit, even if the contents are recoverable using ECC coding.

      Doing this would make it possible to guarantee that maximum X bits (approximately equal to the channel error rate) can ever be eavesdropped out of the 256-bit key, leaving more than enough unknown bits as to make the communication link totally secure.

      Terje

      --
      "almost all programming can be viewed as an exercise in caching"
  9. Banks using modern crypto? Hah! by StandardCell · · Score: 3, Interesting

    The banking sector is probably one of the slowest in terms of uptake of new crypto technologies. A huge number are still using 3DES or RC4 for symmetric to protect customers transactions. If you don't believe me, check out Citibank's Online Banking with "highly modern" RC4. I've seen 40-bit encryption on current express-pay keytags at a certain coffee chain which is almost trivial to crack with little cost by today's computers. In too many cases, it's the same old HSMs accelerating crypto transactions in servers as were in the last decade.

    Granted, 3DES is actually not truly that bad in terms of its 112-bit effective security compared to AES-128 (though it's not the weak point when you use 80-bit effective RSA1024). However, just because ANSI X9 has started including modern technologies like ECC and AES or other technologies like quantum crypto are promising, you can bet that the banking industry will be one of the last groups to take up more modern crypto technology. Heck, even the NSA is mandating Suite B with ECC and AES by 2010 for government security! It's one of the few government agencies to actually act faster than the private sector.

    Finally, I wonder if the original poster could show the relevant ANSI X9 aka banking security standard which calls out quantum crypto. I don't think I've seen one, and the banking industry typically lives and dies by X9.

  10. You fool! by scipiodog · · Score: 5, Funny

    By listening in with the Quantum eavesdropper, you've changed what they were actually saying!

    --
    http://clightnirish.wordpress.com/
    1. Re:You fool! by Anonymous Coward · · Score: 0

      Listening in with the Quantum eavesdropper you are changing what they actually said!

    2. Re:You fool! by Anonymous Coward · · Score: 0

      Listening in with the Quantum eavesdropper you are changing what they actually said!

      Listening in with the Quantum eavesdropper you are changing what they actually said! Yes, they're quantum entangled.
  11. Multi-layered security by janvo · · Score: 1, Interesting

    If the 'eavesdropper' can only make 'imperfect' copies then it seems to me using multiple levels of security would defeat the eavesdropper. For example private key encrypted data being tunneled over the quantum channel. Using this technique they would get a copy of imperfect encrypted data - which would be impossible to decrypt even if you had the private key.

    1. Re:Multi-layered security by againjj · · Score: 1

      If the 'eavesdropper' can only make 'imperfect' copies then it seems to me using multiple levels of security would defeat the eavesdropper. For example private key encrypted data being tunneled over the quantum channel. Using this technique they would get a copy of imperfect encrypted data - which would be impossible to decrypt even if you had the private key.

      Remember that, even in the ordinary case, the receiver does not receive a perfect transmission, which implies that there must be some tolerance for error. An encrypted data stream would require error correction so the receiver could decrypt it. Therefore, for your idea to work, the level of error correction available must be such that the receiver can recover from errors, but the distortion from the imperfect copies makes error recovery impossible for the eavesdropper.

      As I did not read the paper, I do not know if this simply reduces to the original problem or not.

    2. Re:Multi-layered security by godz_magnum_opus · · Score: 1

      There is a huge terminology confusion - the actual encryption algorithms are pretty much your usual classical ones only... it's only the "key distribution" mechanism that has a quantum aspect to it. So, getting an "imperfect" copy of the key (and with a phase-covariant cloner as mentioned in the article, you can do that with a fidelity of ~0.83) means you've broken into the entry level already. Now, if the key was being utilized to encrypt say, an-already-encrypted-data, then it's down to your classical cryptographic schemes to break open that cipher.

  12. Oh, come on by kvezach · · Score: 1, Funny

    20 comments on a quantum mechanics article, and still no Schroedinger's Cat superposition jokes? What's Slashdot coming to these days?

    1. Re:Oh, come on by fosterNutrition · · Score: 2, Funny

      I think you mean "what is Slashdot either coming to, or not coming to, these days?"

  13. The obvious question is... by clonan · · Score: 1, Troll

    How imperfect is the snooped data?

    Just because you COULD get data out doesn't mean it is actually useful to do so.

    1. Re:The obvious question is... by gweihir · · Score: 2, Informative

      As Quantum Modulation (the term ''encryption'' has absolutely no place here) is used for key exchange, any data gained will make attacks on the keys used for the later conventional exchange easier. How bad that is depends on the actual parameters used, it can be anything from ''not a problem'' to ''complete practical system compromise''.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:The obvious question is... by Firkragg14 · · Score: 1

      Also doesn't necessarily mean it's easy to do so. If this attack requires you to sneak a whole lab into a bank without anybody noticing then I'd say it's a pretty much acceptable risk.

    3. Re:The obvious question is... by locofungus · · Score: 1

      IIRC with quantum cloning you can get 5/6 fidelity in a universal quantum cloning machine. This is an upper limit. Any higher and weird, impossible, things like faster than light communication become possible. Lab implementations have made it into the 80%+ fidelity bracket.

      Non universal quantum cloning has been less studied. In some cases it's obvious and trivial what the best implementation is (100% for cloning a photon in a known polarization state - just put a lightbulb behind a polarization filter at the correct angle). In other cases it's not obvious (I think unknown) what the best approach might be.

      For an ideal UCM, 83.3% of the time you get the same result as the original would have done.

      Although this sounds very high, it's not that high when you consider a naive UCM that doesn't touch the original but just creates a second particle/photon in a random state gets 75% fidelity - 50% of the time both measurements will come out correct and 50% of the time one of them will so 3/4 measurements give the correct result.

      Tim.

      --
      God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
  14. So what? by Anonymous Coward · · Score: 0, Redundant

    Okay, so you receive some imperfect data... isn't it still encrypted??

    I know this isn't quite the same, but I can pull loads of data from surrounding wireless networks.. of course, it's still encrypted with WPA, so it's not of much use.

    So what's the real threat?

  15. i gotta headache by nozzo · · Score: 1

    I thought quantum encryption was just getting past the theory stage, now some boffins have already 'cracked' it. I'm so like, you know?, wow!, you know?

  16. You can make perfect copies of the messages by Anonymous Coward · · Score: 0


    http://www.research.ibm.com/quantuminfo/teleportation/

  17. tough abstract by Main Gauche · · Score: 3, Interesting

    It's a lucky thing the summary was good, because the only thing I could learn from the linked abstract is that "Francesco" is a Japanese name.

  18. not all banks. by DrYak · · Score: 1

    there are countries which do have decent banks.
    like switzerland.

    even government agencies have started testing quantum cryptography, to help secure the transmission of vote results.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  19. No need to worry about this by QuantumV · · Score: 5, Informative
    But it turns out that an eavesdropper can make imperfect copies and use them to extract information from a quantum message without alerting sender or receiver (abstract). The Japanese design does just this.

    This is wrong. The eavesdropper gets imperfect copies and so does the receiver. If the quality of the receiver's copies is as bad as the eavesdropper's, any working quantum crypto setup will abort and not try to make a secret key out of it.

    That should worry banks and government agencies that have begun to use some of the commercial quantum encryption systems now available.

    Nobody needs to worry about these kinds of attacks, as the software in all commercial quantum crypto systems automatically checks and takes care of these kinds of attacks. What the paper shows is how to implement in practice a class of attacks that has been known for years how to do in theory.

    There are other attacks on quantum crypto systems that actually attack loopholes in the implementation, and some of these have previously been discussed on slashdot here
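
The trade-off argued over in this thread (divert every Nth photon, keep the acceptable error rate close to the channel's own, abort when the receiver's copies are too degraded) can be seen in a small BB84 simulation. This is an added example, not part of any comment and not code from any commercial system; it models a simple intercept-resend tap rather than the cloning device from the article, and the 2% channel noise and 3% abort threshold are assumed values chosen only for illustration.

```python
import random


def bb84_session(n_photons, intercept_fraction, channel_error, rng):
    """One BB84 run with an intercept-resend tap on a fraction of photons.

    Returns (qber, eve_fraction, sifted_len): qber is the error rate Alice and
    Bob observe on the sifted key, eve_fraction is the share of sifted bits the
    tap measured in the correct basis (and therefore knows).
    """
    sifted = errors = eve_known = 0
    for _ in range(n_photons):
        a_bit, a_basis = rng.getrandbits(1), rng.getrandbits(1)
        bit, basis = a_bit, a_basis            # state travelling on the link
        tapped_in_right_basis = False
        if rng.random() < intercept_fraction:
            e_basis = rng.getrandbits(1)
            # Wrong basis: the outcome is a coin flip and the state is disturbed.
            e_bit = bit if e_basis == basis else rng.getrandbits(1)
            bit, basis = e_bit, e_basis        # the tap re-sends what it measured
            tapped_in_right_basis = e_basis == a_basis
        b_basis = rng.getrandbits(1)
        b_bit = bit if b_basis == basis else rng.getrandbits(1)
        if rng.random() < channel_error:       # honest noise, present without any tap
            b_bit ^= 1
        if b_basis != a_basis:
            continue                           # sifting: mismatched bases are discarded
        sifted += 1
        errors += b_bit != a_bit
        eve_known += tapped_in_right_basis
    return errors / sifted, eve_known / sifted, sifted


def accept_key(qber, abort_threshold):
    """Receiver-side check: keep the key only if the observed error rate is low."""
    return qber <= abort_threshold


def sweep(divert_every, n_photons=100_000, channel_error=0.02,
          abort_threshold=0.03, seed=1):
    """For each N, tap one photon in N (on average) and report what both sides see.

    channel_error and abort_threshold are assumed illustration values.
    """
    rows = []
    for n in divert_every:
        rng = random.Random(seed)
        qber, eve, _ = bb84_session(n_photons, 1.0 / n, channel_error, rng)
        rows.append((n, round(qber, 4), round(eve, 4),
                     accept_key(qber, abort_threshold)))
    return rows


if __name__ == "__main__":
    print("N    QBER    tap-known  key accepted")
    for n, qber, eve, ok in sweep([1, 2, 4, 10, 100]):
        print(f"{n:<4} {qber:<7} {eve:<10} {ok}")
```

In this model the observed error rate grows by about a quarter of the tapped fraction on top of the channel noise, while the tap learns about half of the tapped fraction, so a threshold just above the honest noise level rejects every run in which the tap would have learned more than a few percent of the sifted bits.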

    1. Re:No need to worry about this by Anonymous Coward · · Score: 0

      You have setup an account named QuantumV just to say that. I am afraid you are forced by your wallet to say that and that your opinion is biased and/or BS

  20. Double Up On That Encryption by b4upoo · · Score: 0, Troll

    Why not use a more conventional, strong encryption method and then use quantum encryption on top of that? Getting an imperfect copy of a deeply encrypted message ought to be enough to drive anyone to drink including large numbers of enemy spies working in concert.

    1. Re: Double Up On That Encryption by QuantumV · · Score: 1

      Why not use a more conventional, strong encryption method and then use quantum encryption on top of that?

      Believe it or not, this is actually done in some commercial systems. The rationale is not that it is necessarily more secure, but that there are certification standards for conventional cryptography and the quantum crypto devices can then be certified.

  21. Re:Banks using modern crypto? Hah! by kestasjk · · Score: 1

    This is because old crypto is often a lot more secure than people would have you think. Many attacks even against very old algorithms remain impractical against a securely implemented scheme.

    Even RC4 and DES can be secure when used correctly in situations where there isn't time to brute-force anything, and at least the insecurities and algorithms themselves are well understood, which isn't necessarily true for more modern algorithms. (I think this article is a good example of the latest buzz in crypto still being given a healthy poking and prodding prior to production use.)

    The problems with RC4 and DES occur when someone who doesn't know anything about them decides to use RC4 with a password as the initializer to encrypt a document for long-term storage for their proprietary data format.

    Amateur use of old crypto is worse than old crypto itself; lots of stuff encrypted using WW2 ciphers is still unrecoverable.

    --
    // MD_Update(&m,buf,j);
  22. Please hit 'Reload' more often. Thank-you. by Fantastic Lad · · Score: 1
    Fortunately, the question is instantly answered the moment he clicks on his bookmark for this site. Until that point, there is no Slashdot. --And I don't know about you, but personally, I find being in a superposition confusing and frustrating because I have things I want to get on with, and I never know when I'm allowed to use the washroom. People should reload more often, just out of courtesy.


    -FL

  23. Oh come on! by Abuzar · · Score: 0

    Like, I don't know ANYONE with a quantum computer, and these nerds are making and breaking quantum encryption already? What use is it if no one has the quantum machines to download movies anyway?! Where can I go to get myself an AMD Quantum Processor for under $300, huh?

    Seriously though, one day you hear "Quantum Cryptography is UNBREAKABLE!", the next day you hear "Quantum Cryptography BROKEN!", it's just a circus. Can we solve the world hunger crisis first, anyone?! Sheesh.

  24. old news by bigkahunah · · Score: 1

    buried as redundant.

  25. Vapourware: ID Quantique by pcardno · · Score: 1

    I rarely trust any company that can't spell their own technology:

    "id Quantique is the leader in the development of advanced encryption solutions based on classical and quantum cryptograhy."

    cryptograhy?

    Oooh, maybe they're trying to hide themselves through dodgy spelling! Cunning!

    --
    --- Band: Joey Ultra
    1. Re:Vapourware: ID Quantique by ErkDemon · · Score: 1

      Maybe they //think// they're the market leaders, because they Googled "quantum crytograhy" and couldn't find anyone else doing it.