Slashdot Mirror


Commercial Quantum Cryptography System Hacked

KentuckyFC writes "Any proof that quantum cryptography is perfect relies on idealized assumptions that don't always hold true in the real world. One such assumption is related to the types of errors that creep into quantum messages. Alice and Bob always keep a careful eye on the level of errors in their messages because they know that Eve will introduce errors if she intercepts and reads any of the quantum bits in a message. So a high error rate is a sign that the message is being overheard. But it is impossible to get rid of errors entirely, so Alice and Bob have to tolerate a small level of error. This level is well known. Various proofs show that if the quantum bit error rate is less than 20 percent, then the message is secure. However, these proofs assume that the errors are the result of noise from the environment. Now, physicists have come up with an attack based on the realization that Alice also introduces errors when she prepares the required quantum states to send to Bob. This extra noise allows Eve to intercept some of the quantum bits, read them and then send them on, in a way that raises the error rate to only 19.7 percent. In this kind of 'intercept and resend attack,' the error rate stays below the 20 percent threshold and Alice and Bob are none the wiser, happily exchanging keys while Eve listens in unchallenged. The physicists say they have successfully used their hack on a commercial quantum cryptography system from the Geneva-based startup ID Quantique."

117 comments

  1. Breaking news! by 2.7182 · · Score: 0, Troll

    The primary application, which was preventing first posters, has been compromised.

  2. Wouldn't it be better... by jd · · Score: 3, Funny

    ...to e-mail Alice and Bob, rather than advertise that their love-letters are being snooped on?

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:Wouldn't it be better... by SomeJoel · · Score: 3, Funny

      I'm not even sure why Eve cares... unless she is Bob's wife, or Alice's husband (Alice still calls "her" Steve).

      --
      <Complete your profile by adding a signature!>
    2. Re:Wouldn't it be better... by ta+bu+shi+da+yu · · Score: 1

      Alice is a man.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    3. Re:Wouldn't it be better... by SomeJoel · · Score: 2, Informative

      Alice is a man.

      I disagree, as per TFS:

      Alice also introduces errors when she prepares the required quantum states to send to Bob

      --
      <Complete your profile by adding a signature!>
    4. Re:Wouldn't it be better... by obarel · · Score: 2, Interesting

      It's about Alice Cooper.

      "she" is a typo (extra 's').

      Bob is Bob Ezrin.

    5. Re:Wouldn't it be better... by WrongSizeGlass · · Score: 2, Funny

      Excellent 70's rock reference. You deserve a point for "great memory" ;-)

    6. Re:Wouldn't it be better... by WrongSizeGlass · · Score: 1

      ...to e-mail Alice and Bob, rather than advertise that their love-letters are being snooped on?

      Why not just post it on one of their Facebook pages?

    7. Re:Wouldn't it be better... by jd · · Score: 1

      And here I was thinking that it was the Alice you're supposed to ask when she's ten feet tall.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    8. Re:Wouldn't it be better... by ls671 · · Score: 0, Offtopic

      Here is more for you then. The lyrics mentioning Alice Cooper from "What Kind Of Girl Do You Think We Are?" written by Frank Zappa. It seems on topic with this thread ;-)

      http://www.lyricstime.com/frank-zappa-what-kind-of-girl-do-you-think-we-are-lyrics.html ...
      Mark:
      Well, I'll tell ya
      Well I get off bein' juked
      With a baby octopus
      And spewed upon with creamed corn . . .
      An' my girlfriend, she digs it
      With a hot Yoo-hoo bottle
      While somebody's screamin':
      CORKS 'N SAFETIES
      PIGS 'N DONKEYS
      ALICE COOPER, baby . . .
      WAAAAH!

      Bob:
      Well, it gets me so hot
      I could scream

      Chorus:
      ALICE COOPER, ALICE COOPER! WAAAAH!
      ALICE COOPER, ALICE COOPER! WAAAAH! ...

      --
      Everything I write is lies, read between the lines.
    9. Re:Wouldn't it be better... by martin-boundary · · Score: 1

      Well, it depends. If Alice doesn't patch her love letters within two days of receiving the warning email, I think it's fair to post the snooped letters all over the 'net, don't you?

    10. Re:Wouldn't it be better... by Mal-2 · · Score: 1

      Time to apply the Crocodile Dundee test!

      Mal-2

      --
      How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
    11. Re:Wouldn't it be better... by davester666 · · Score: 1

      She just so happens to be a slut AND bi.

      --
      Sleep your way to a whiter smile...date a dentist!
    12. Re:Wouldn't it be better... by Anonymous Coward · · Score: 0

      Anyone with a great memory of the '70s wasn't really there.

    13. Re:Wouldn't it be better... by silentcoder · · Score: 1

      Smokie would just ask: Alice ? Who the fuck is Alice ?

      Which (for some obscure reason - possibly the incurable lack of good taste of mankind) remains the best selling song ever with "Fuck" in the title.

      --
      Unicode killed the ASCII-art *
  3. the less sensational headline... by Anonymous Coward · · Score: 0

    is probably that the cumulative error rate (channel + noise introduced by each party) is over the threshold. I imagine if they just lower the threshold for attacks they will catch the MITM. Of course it may necessitate using a less noisy channel (to keep the false-positive rate down)

    1. Re:the less sensational headline... by Ethanol-fueled · · Score: 3, Funny

      They could develop more sophisticated measurement techniques, similar to those utilized in modern data/telecom, as error thresholds become lower.

      They could call it the Quantum Bit Error Rate Test, or Q-BERT for short.

    2. Re:the less sensational headline... by palegray.net · · Score: 2, Insightful

      The ability to control external noise in real-world operating environments, at least to the degree necessary to mitigate this issue, would seem to represent a rather nasty challenge. This may be a severely constraining factor on the potential for practical usefulness of quantum cryptography, at least for the time being.

    3. Re:the less sensational headline... by WrongSizeGlass · · Score: 4, Funny

      A 20% error rate isn't good enough to launch a missile, but it's better than a weatherman's accuracy. This tells us that Alice, Bob and Eve don't work for NORAD or the National Weather Service. That narrows down the field considerably. It won't be long before their identities are discovered, posted on TMZ and they won't need these silly quantum encrypted messages anymore.

    4. Re:the less sensational headline... by bertok · · Score: 2, Interesting

      The ability to control external noise in real-world operating environments, at least to the degree necessary to mitigate this issue, would seem to represent a rather nasty challenge. This may be a severely constraining factor on the potential for practical usefulness of quantum cryptography, at least for the time being.

      Can someone explain to me why anybody is even bothering with this technology?

      Are existing cryptographic algorithms so untrustworthy that it's better to use an untested technology that a) makes the already very expensive line equipment significantly more expensive, b) may prevent the use of certain kinds of repeaters or active splices, c) is so insanely complex that nobody except a select few physicists understand the details.

      Also, unlike current cryptographic techniques, quantum cryptography is strictly one hop instead of end-to-end, which is a big issue in many cases, like when one ISP tunnels their data over another ISP's link.

      More importantly, it doesn't actually encrypt any of the data in the traditional sense. The data goes across the wire unencrypted, the quantum system just detects a man-in-the-middle attack. If someone comes up with a technique for reading the data without interference (like the article says), then you're screwed. With a traditional crypto solution, it might be sufficient to just increase the key size parameter in a config file somewhere!

      I don't see how this can compete with standard crypto. If someone is that paranoid, it should be more than enough to just nest a couple of different algorithms together, and use the maximum keysizes for all of them. There's just no way anybody is breaking that at 2Tbps line rates any time soon, no matter what conspiracy theories you subscribe to about the NSA's capabilities!

      Think about it this way: with traditional crypto, it's at least possible, in principle, for an end-user to use an open source software stack using an open, publicly tested algorithm, and completely verify the implementation. With quantum crypto, you get a black box with some physics in it that no IT administrator will understand and be able to test. It'll send data unencrypted across a wire that you now hope is hack proof. For all anybody knows, it'll be sending data as-is with no protection, and nobody will be able to even tell. If you were the NSA and wanted access to fibre optic links, wouldn't this be the best thing ever?

    5. Re:the less sensational headline... by fishexe · · Score: 1

      They could call it the Quantum Bit Error Rate Test, or Q-BERT for short.

      Once we come up with a way to justify replacing a hyphen with an asterisk in an acronym, we'll be all set. Hmmm...

      --
      "I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
  4. I seem to remember... by razathorn · · Score: 2, Insightful

    ...stopping reading the blurb on slashdot last week about the new position based system being secure because the people who previously said it wasn't secure changed their mind and said it was provably secure and then proceeded to use the words "cannot easily" to justify it being secure. Now, this week I see a commercial system that has been cracked because somehow thresholds of likelihood were once again used. Anyone else see a trend?

  5. So, quantum cryptography is fundamentally flawed? by Anonymous Coward · · Score: 2, Insightful

    If this article is correct, all an eavesdropper has to know is the proper error threshold to stay under to remain undetected.

    Doesn't seem so secure to me.

  6. Quantum Bullshit by sexconker · · Score: 2, Interesting

    The core idea of using quantum communication security (or, in general, quantum communication) is that you'll be able to tell when the message has been altered.

    All a man in the middle attack has to do is read the message, recreate it, and send out a spoofed message instead of the original message.

    Reading the message is trivial.

    Recreating the message, while introducing tolerable levels of noise is trivial once you have the key. Alice does it all the time.

    Blocking the original message is not trivial, but it is also not hard. It just requires physical access to the network. Be it jamming a wireless signal, splicing your attack node between two routers, whatever.

    Sending out the spoofed message is trivial. The internet is slow and laggy. You can easily read, alter, and resend the message without the delay being noticed.

    The only thing stopping a man in the middle attack is the need to have the key to re-sign an altered message as to make it appear that it came from Alice. This is a key-sharing problem. All digital security problems boil down to a key-sharing problem.

    The only thing the quantum nature of communication adds is the ability to detect when people might be listening. This only gets around eavesdropping, not an actual MITM attack.
    Indeed, the quantum nature of the "security", as this paper shows, actually opens the door to attacks, as the communication medium is not perfect and there is now a threshold for tolerable noise. Attacks can play around in that threshold all day long.

    1. Re:Quantum Bullshit by arndawg · · Score: 2, Informative

      It's not just that you can tell when a message has been altered. It's that you can tell if someone has been eavesdropping.

    2. Re:Quantum Bullshit by sexconker · · Score: 1

      Uh, read my entire post please?
      And someone has to successfully eavesdrop for that protection to kick in. You can't control when they'll eavesdrop, so information can still get out, so it's far from a "secure" communication channel.

      And with a noise tolerance of X, eavesdropping without being detected is not only possible, but likely very easy. Remember that Alice has to generate noise-free signals in the first place. Alice isn't made of magic. Eve can do anything Alice can.

      And if you have a perfect network and zero tolerance, all eavesdropping attacks simply become denial of service attacks.

      Alice: Hey Bob, let's talk.
      Eve: Looks like Alice and Bob are gonna talk.
      Bob: Sorry Alice, can't talk. Someone might be listening in. Maybe try again later?

    3. Re:Quantum Bullshit by Anonymous Coward · · Score: 0

      Alice isn't made of magic.

      You've obviously never read Alice in Wonderland.

    4. Re:Quantum Bullshit by fuzzyfuzzyfungus · · Score: 2, Insightful

      In a sense, though it is called "cryptography", quantum crypto is basically about link integrity detection, rather than anything resembling cryptography in the classical sense.

      Basically, if you have a fiber run that you want to make sure nobody is tapping, you can either station trustworthy guys with guns every few yards along its length or you can put a quantum crypto box at each end. Given that the guys-with-guns approach is largely impractical (especially for buried or undersea lines) the potential to get the same effect just by putting a pricey network box on each end is rather attractive. Almost wholly unlike classical crypto, which is designed around keeping information useless without the key, even across known-untrusted links.

    5. Re:Quantum Bullshit by arndawg · · Score: 1

      Communication is usually two-way and each packet on its own is useless. It's not like you're sending the entire library of congress in one packet.

    6. Re:Quantum Bullshit by Hurricane78 · · Score: 2, Informative

      All a man in the middle attack has to do is read the message, recreate it, and send out a spoofed message instead of the original message.

      Reading the message is trivial.

      You don’t understand quantum physics AT ALL, do you? Or you’re just a troll.

      Read up on entanglement.

      There is no way to recreate the message. Because you can’t entangle the photons again. It’s literally physically impossible.

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    7. Re:Quantum Bullshit by Lehk228 · · Score: 1

      or you can use strong encryption on the line with the assumption that 5000 years from now your messages won't be terribly important

      --
      Snowden and Manning are heroes.
    8. Re:Quantum Bullshit by fuzzyfuzzyfungus · · Score: 1

      And endure the outside chance that the prime factorization guys will come up with something useful in the real world in 10...

      Obviously, for the vast majority of applications it is total overkill. Quick quiz: Do you own/seriously lease the actual fiber over which you are transmitting? If not, you are definitely not a candidate. If so, you are probably not a candidate.

      There are, though, probably some applications where the risk of future disclosure is simply unacceptable.

    9. Re:Quantum Bullshit by Interoperable · · Score: 3, Informative

      Sending out the spoofed message is trivial.

      No it isn't. It's impossible to do it with better than 50% accuracy, which will make the man-in-the-middle very, very detectable. None of the useful information is ever sent using quantum bits, it's only one-time-pad style key. If a man-in-the-middle is detected, the key is not used and no secure information is breached. I mentioned it in an above post, but the best that a "hacker" could ever do is get a few random bits of information out of every hundred, even with this attack. That isn't enough information about the key to extract any information about the message.

      Alice and Bob compare measurement results before sending the message. There is theoretically no way to intercept and resend bits or eavesdrop without introducing errors.

      --
      So if this is the future...where's my jet pack?
    10. Re:Quantum Bullshit by Anonymous Coward · · Score: 0

      the paper is definitely a view to a kill.

      I suppose it's a quantum of solace that only highly sophisticated, high-level operatives are able to use hacks like this...

      I'll die another day when it's released as a plugin for meta-sploit...

      in the meantime, live and let die.
      -0.

    11. Re:Quantum Bullshit by cashdot · · Score: 1

      No.
      The core idea of quantum communication security is that it is impossible to decipher a quantum message unless you destroy the quantum state nature of the communication media (photons, electron, ... whatever).
      Unlike with classical communication you just have *one* try to decrypt the message. If the wrong key is used, the message is lost, forever. That even Bob (with the correct key) won't be able to decrypt/read the message afterward (and hence will notice the eavesdropping) is just a side effect.

    12. Re:Quantum Bullshit by cashdot · · Score: 1

      A key is also involved in quantum cryptography, and not having it renders the message useless just as with classical cryptography.
      The only difference is that with classical crypto you can guess infinitely, while with quantum crypto you can guess only once.

    13. Re:Quantum Bullshit by cashdot · · Score: 1

      What you are saying doesn't make much sense for me. Are you just trolling?
      If you have physical access to the communication line, and you want to inhibit the communication between Alice and Bob, you can just as well cut the cable.

    14. Re:Quantum Bullshit by Anonymous Coward · · Score: 1, Insightful

      I think his point is that traditional MITM will always succeed. Say Alice wants to talk to Bob, using QC. Evil Mallory sits in the middle, posing as Bob for Alice and Alice for Bob. When Alice sends the quanta to what she thinks is Bob, she's actually negotiating a connection with Mallory; and so is Bob. Thus, Alice encrypts, sends to "Bob" (Mallory), Mallory decrypts, re-encrypts, and sends to Bob.

      No system, quantum or classical, can protect against this unless Alice and Bob have a shared secret. If they do, they can negotiate a key that Mallory doesn't know, and so his interception is pointless. In the quantum world, this might be prior entangled particles in a Penning trap or something like that.

      Thus, quantum encryption can't do anything that classical public key encryption can't -- except provide provable security for the "key". The entire quantum crypto setup can be considered akin to a key that cannot be broken (at least not in ideal systems - some current implementations may leak photons and so let Eve infer the superpositions or add noise below the threshold like what's being shown here).
      If you have a public key system whose keys cannot be broken, you can still intercept communication between two parties who haven't exchanged any keys yet; you just make yourself look like the other party to each of them so they'll exchange keys with you.

    15. Re:Quantum Bullshit by selven · · Score: 1

      50% accuracy? Isn't that just transmitting random data?

    16. Re:Quantum Bullshit by Interoperable · · Score: 1

      Ah, 75% accuracy I suppose. 50% of the data would be retransmitted correctly, 50% would be random so 75% of the bits would end up appearing correct.

      --
      So if this is the future...where's my jet pack?
    17. Re:Quantum Bullshit by DrXym · · Score: 1

      It seems that anyone capable of tampering with a quantum link (i.e. they know where the equipment and the cable are) has a simpler solution. Just "accidentally" run a digging machine through the link, or otherwise damage the connection and then just wait for the sender & recipient to use a less secure method of communication.

    18. Re:Quantum Bullshit by radtea · · Score: 1

      Alice and Bob compare measurement results before sending the message. There is theoretically no way to intercept and resend bits or eavesdrop without introducing errors.

      There's something here that one of us isn't understanding. Either you're missing the OP's point, or I'm missing yours.

      The OP's point seems to me to be that the exchange between Alice and Bob necessarily goes like this:

      1) Get individual quanta from an entangled source such that they have a shared secret that cannot have been interfered with.

      2) Use that shared secret to encrypt in a conventional way and communicate.

      The OP is pointing out that the MTM attack is just as practical against step 1 as step 2 by having Eve use two separate sources of entangled pairs, one for Alice and one for Bob. This requires that Eve have physical access to the source that Alice and Bob are using, so she can pretend to be Alice for Bob and Bob for Alice.

      This is equivalent to Eve having both Alice and Bob's private keys in a public key scheme, but rather than requiring access to Alice and Bob's secrets individually, it requires instead access to the source of entangled quanta they are using, or rather the fiber that links them to that source.

      One imagines a network setup for Alice and Bob to "compare measurement results before sending the message" that looks like:

      Alice----------Source---------Bob

      And for an MTM attack on the quantum key exchange becoming:

      Alice-------ESA-Eve-ESB-------Bob

      where "ESA" and "ESB" are both sources of entangled quanta.

      You can argue that Eve getting physical access to the source is unlikely or unrealistic. You cannot argue that it is physically impossible. The communication between Alice and Bob is only as secure as the source, which is somewhat less secure than the laws of physics.

      Selling quantum cryptography as being "as secure as the laws of physics" is extremely misleading. Systems are only as secure as their weakest component, and one could easily argue that the entangled source is considerably more easily hacked than discovering Alice and Bob's private keys would be.

      Unless, of course, I'm missing something...

      --
      Blasphemy is a human right. Blasphemophobia kills.
    19. Re:Quantum Bullshit by sexconker · · Score: 1

      The intertrons is a switching network, not a mass of dedicated circuits.

      If you want to take someone down, you probably want to make sure that they can't re-route around your cut, and you probably want to do it without taking yourself down.

      Are you proposing that quantum communication gets adopted and we actually have dedicated circuits for every host pair?

    20. Re:Quantum Bullshit by Interoperable · · Score: 2, Informative

      I was basing my description on the BB84 cryptographic protocol. That protocol does not use an entangling source, rather it sends single q-bits along a quantum channel to be detected by Bob. I interpreted a man-in-the-middle attack to be an intercept-resend attack in that channel. So:

      Ideal: Alice --------> Bob

      MITM: Alice ------> detect - read - resend ------> Bob

      If the channel is noise-free, the detectors are ideal and the states are prepared perfectly, this is theoretically secure against if error rates are lower than 20%. The article exploits imperfectly prepared states in a first-generation commercial system to gain full access to information using an elaborate intercept resend attack.

      A system that uses entangled sources is employed to boost transmission distances by sending entangled pairs to Alice and Bob from a central source, thus reducing distances:

      Alice ------- Pair Source -------> Bob

      In simple schemes, the source has to be trusted because it is vulnerable to MITM attacks; however, the scheme can be secured using more elaborate techniques. For example, if Alice and Bob each generate an entangled pair and send one side of those pairs to a central location, then no party at that location can break into the information. This is called entanglement swapping.

      The system developed by Id Quantique is a very simplistic implementation of the BB84 protocol using time-bin encoded q-bits. It uses no entangled pairs, just a source at Alice and a detector at Bob. It uses imperfect sources, detectors and channels and is in no way theoretically secure against all attacks.

      I once attended a presentation made by an Id Quantique representative to a room of experts (among them was Brassard, one of the "B"s of the BB84 protocol). The representative made a list of what was needed to build a quantum cryptography system. It included: books on TCP/IP protocols, Linux driver manuals and fiber optic cable. Absent was a source of quantum light (they use weak lasers, not true quantum sources), or a text on quantum optics.

      The point was that the commercial systems are not attempting to implement the elaborate privacy-increasing techniques that are being thought out by the academics in quantum information. They are simple, first-generation devices that aren't trying to keep up with attacks devised by the academic community.

      Quantum cryptography absolutely can be theoretically secure if proper sources and detectors are used. Such sources are difficult to build and are very expensive at the moment but much effort is being directed towards that goal. The other side of the coin is that much effort is going into determining exactly what attacks can be leveled against particular imperfections in equipment and how those attacks can be countered.

      --
      So if this is the future...where's my jet pack?
    21. Re:Quantum Bullshit by sexconker · · Score: 1

      Read my post.

      The entire point of it being quantum means nothing.

      If someone has the key, you won't know.

      If someone doesn't have the key, you often won't know because they can fudge around in that tolerance level, and you'll just resend your message anyway because the network is not reliable, etc.

      The only practical application which would give you any benefit from the quantum nature would be a dedicated circuit for each host pair. That is simply not feasible.

      All.
      Digital.
      Security.
      Ever.
      Boils.
      Down.
      To.
      A.
      Key.
      Sharing.
      Problem.

    22. Re:Quantum Bullshit by sexconker · · Score: 1

      But the channel is NOT noise free.

      And for it to have any measure of security provided by the quantum nature, it needs to be a dedicated circuit between all host pairs.

      When you have a dedicated circuit, you need physical access to perform any attacks. Quantum or regular, it doesn't matter.

      Given a dedicated circuit and an attacker with physical access, any unsuccessful MITM attack becomes a successful DOS attack.

      Any successful MITM attack will require the private keys of one of the parties. You need both if you want to hear the replies, but you only need Alice's keys to have Alice say "Bob, you're a fag.".

      Getting the key is the "hard" part. Just like it's "hard" to get someone's house keys. You can develop various attacks against the algorithm by playing in the noise threshold. It may take you months, years, or longer. It may not. But if you may have physical access to the source and detector, you could exploit all sorts of weaknesses in implementation, take the damned things, or just sit at Alice's terminal. Kind of like walking up to someone's door and trying to pick their lock, get in through a window, etc.

      In the end it's all a key sharing problem, regardless of where you source your keys from.
      If you have a dedicated circuit network, then you require physical access to launch an attack. Just as you need physical access to attack a dedicated circuit network using copper cable. Quantum stuff doesn't come into play.

      And, as always physical access = Win.

      The "security" of quantum communications comes not from the quantum nature, but from the fact that you're going to be using dedicated circuits between each host pair. This will never scale to the masses. Quantum communication along a dedicated circuit will pretty much only work in truly local networks and from Obama's to Putin (let's face it, Putin's in charge).

    23. Re:Quantum Bullshit by sexconker · · Score: 1

      Literally physically impossible assuming you have a dedicated circuit for each host pair.
      Otherwise you have to trust the nodes and routers.

      It is infeasible to have a dedicated circuit for each node pair on the internet.

      It is only feasible for small local networks, or one off pairs.

      For a copper network using a dedicated circuit, you get the same boost in security. Quantum bullshit adds nothing.

      And if you do have a quantum dedicated circuit, any failed MITM attack is a successful DOS attack. Any successful MITM attack remains successful. You don't need to worry about the entangled photons when you have physical access to the circuit - you can simply fuck with the initial entanglement.

      You have physical access, you win.
      End of story.

      The only security benefit comes from requiring dedicated circuits.

    24. Re:Quantum Bullshit by sexconker · · Score: 1

      Each packet on its own is not useless.
      And for two-way communication you just need both keys.

      And an attacker pretending to be Alice saying "Bob, you're a fag." would be pretty successful.

      So would "Obama" telling Putin "Duck and cover, here it comes!" and then severing the communication line.

    25. Re:Quantum Bullshit by sexconker · · Score: 1

      The only difference is that with classical crypto you can guess infinitely, while with quantum crypto you can guess only once.

      You can copy a signal - any signal.
      You can copy a quantum signal and test against it forever.

      Reading said signal is probably detectable on the other end, so they SHOULD stop communicating.
      You get one small piece of the message when you get the key (brute force or otherwise) and you have performed a successful denial of service attack.

      If the two hosts then try to reestablish communication, they need to generate new keys. You can DOS them indefinitely since they're using a dedicated line that you have physical access to.

      If you have physical access to the ends of the line, you can attack the key generation / transceiving mechanism.

      The same is true of any copper-based dedicated circuit.

      The quantumness only affords you one thing: Oh no, I may have been snooped!
      Knowing you've been snooped only prompts you to stop talking. It does nothing to stop the snooper from listening to what was already sent. The packetization of information means they're less likely to get any useful amount of information, but the noise tolerance means they're more likely to snoop for a longer period of time undetected.

      Neither a small piece of info leaking nor a failed eavesdropper performing a DOS attack is acceptable when talking about actual security, let alone security that costs billions.

    26. Re:Quantum Bullshit by cashdot · · Score: 1

      You can copy a quantum signal and test against it forever.

      No, you can't due to the no-cloning theorem, see http://en.wikipedia.org/wiki/No-cloning_theorem

      Please do yourself a favor and learn some basics about quantum mechanics. The no-cloning theorem is a vital ingredient in quantum cryptography. The eavesdropping detection is a nice by-effect, but QC offers much more than that. You simply cannot decrypt a 'quantum message' unless you know the key, period. If you try a wrong key the message is lost, hence the eavesdropping detection.

      Let me illustrate this with a simplified model. Suppose I send you photons that are polarized either parallel or perpendicularly to the z-axis. You could distinguish the two states by using a polarization filter, and we could use those photons to exchange information (parallel = 0, perpendicular = 1). Now if Eve wants to intercept our communication, she has to use a filter as well. She will see exactly the same thing as you see, as long as her filter is aligned the same way as ours. If her filter is rotated by 45 degrees (let's call it the z' axis), she would notice that there are photons that are either polarized parallel or perpendicularly to the z' axis, and after the filter the photons will in fact be polarized with respect to the z' axis. But she won't be able to extract any information content, since the polarization along the z' axis is not related to the polarization along the z axis.

      Now, if we use different polarization orientations (say z and z') for every photon, Eve would have to use the same sequence of orientations in order to be able to read our data.
      In this QC model, the sequence of orientations is our encryption key. If unknown to Eve, she won't be able to decrypt our communication. It would violate fundamental principles of quantum mechanics, if Eve would be able to make backup copies of the photons before she uses the polarization filter or otherwise obtain the complete quantum state of the photons.

      That being said, I agree with most of your other statements:
      1. The key-sharing problem still exists
      2. Best we can do today is a dedicated connection between two partners, an entire network is not possible.
      3. Quantum crypto, while very interesting in theory, does not offer much benefit in practice.*

      If it takes 5000 years to decrypt a classical crypto message, this has the same impact as with quantum crypto, where decryption isn't possible at all. From a practical point of view, the eavesdropping detection might be the only added value.
      Things might change, when classical cryptography is defeated by quantum computing, but this is another topic...

    27. Re:Quantum Bullshit by sexconker · · Score: 1

      Quantum communication occurs how, by magic?
      No, you measure the signal. Analyze it, modulate it, decode it, and present it to the user.

      Write down the measurements once, test against them forever.

      You can't measure the signal without disrupting the legitimate people trying to communicate, but you have still measured the signal.

      Alice and Bob measure the signals all the fucking time in order to communicate.

      5000 years for classical crypto to be brute forced? Massively parallel FPGAs (or GPUs if you're cheap) say a few weeks or months. And it's getting faster all the time.

      Please, learn something about ANYTHING.

    28. Re:Quantum Bullshit by cashdot · · Score: 1

      Quantum communication occurs how, by magic?

      Yes, quantum mechanics has some implications that indeed appear magical with our classical understanding of the world.

      Write down the measurements once, test against them forever.

      You did not read the article about the no-cloning theorem, did you? If you are familiar with the Heisenberg principle and are willing to accept it as a fact, the informal proof is quite easy to understand.

      You can't measure the signal without disrupting the legitimate people trying to communicate, but you have still measured the signal.

      The point that you don't seem to understand is the fact that, in quantum cryptography, the measurement of the signal corresponds to a key guess in classical crypto. If in quantum crypto your guess is wrong, the measurement failed and there is no way you can measure again.

      Alice and Bob measure the signals all the fucking time in order to communicate.

      Yes, but they use the correct key.

      5000 years for classical crypto to be brute forced? Massively parallel FPGAs (or GPUs if you're cheap) say a few weeks or months. And it's getting faster all the time.

      5000 years was just an example. The time required for brute forcing depends on the key length. If the key is long enough, it takes 5000 years or more, no matter what hardware you use.

      Please, learn something about ANYTHING.

      No need to be rude here.

      When I was saying that you should learn some basics about QM, it was because I really think it would be a benefit for you. The quantum mechanics lectures changed my view of the world completely and I'm very happy I can understand fascinating things like quantum cryptography now.

      But well, you can still say it's all bullshit what I'm saying, and stick with your Newtonian view of the world. But believe me, you miss something.

    29. Re:Quantum Bullshit by sjames · · Score: 1

      The problem is MUCH more fundamental. The commercial systems want you to believe that it's a magic bullet because it's quantum. In fact, it DOES prevent simple eavesdropping but it does NOT stop an attack where Eve controls both channels of communication.

    30. Re:Quantum Bullshit by radtea · · Score: 1

      Thanks! That's one of the most informative and useful replies I've ever had on /.

      --
      Blasphemy is a human right. Blasphemophobia kills.
  7. Sure, sure, paint me as the bad one again by Anonymous Coward · · Score: 5, Funny

    Really, is a little fidelity in this relationship too much to ask for? I've caught Bob kissing that skank Alice so many fucking times and he always says he's sorry and he'll stop seeing her, but still I can tell they're exchanging information through hidden channels.

    But what I really hate is when people act like I'm so unreasonable by trying to find out what is going on and who my allegedly significant other is seeing behind my back. What the fuck.

    -
    Cryptographically Signed,

    Eve.

    (Inspired by xkcd, of course.)

  8. I don't think "prove" means what you think... by pla · · Score: 4, Interesting

    Various proofs show that if the quantum bit error rate is less than 20 percent, then the message is secure. However, these proofs assume that the errors are the result of noise from the environment.
    Then they do not "prove" anything.

    When you start from a false premise, you produce "garbage", not "proofs" (Actually, you can produce some really useful counterfactuals that way, but you wouldn't present it in the context of a proof of the original concept). Particularly when talking about security, what moron would assume any sources of error come from the environment rather than the attacker???

    1. Re:I don't think "prove" means what you think... by Anonymous Coward · · Score: 0

      So your system would only work in a lab setting, if even there.

      Errors are everywhere.

    2. Re:I don't think "prove" means what you think... by divisionbyzero · · Score: 1

      Various proofs show that if the quantum bit error rate is less than 20 percent, then the message is secure. However, these proofs assume that the errors are the result of noise from the environment.

      Then they do not "prove" anything.

      When you start from a false premise, you produce "garbage", not "proofs" (Actually, you can produce some really useful counterfactuals that way, but you wouldn't present it in the context of a proof of the original concept). Particularly when talking about security, what moron would assume any sources of error come from the environment rather than the attacker???

      Wow, it's obvious you have no idea what you are talking about. The premise may have been non-physical but that doesn't affect the proof. The proof is fine. It just happens not to be true. There's only a problem here, if you assume proof means true or more specifically physically true.

      Errors are inevitable. It's a little something called the Heisenberg Uncertainty Principle. Have you heard of it? No?

    3. Re:I don't think "prove" means what you think... by Opportunist · · Score: 4, Funny

      Errors are inevitable. It's a little something called the Heisenberg Uncertainty Principle. Have you heard of it? No?

      I guess the correct answer is maybe. But only possibly so.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:I don't think "prove" means what you think... by Dthief · · Score: 1
      The Physical device they hacked works under this 20% assumption.....this 20% is due to limitations between reality and the ideal-world

      If you RTFA you will see they openly discuss that this attack works only for this real world device, and that it is easy to stop:

      Moreover, in our attack, Eve only sends two states to Bob. Alice and Bob can detect this attack by estimating the statistics of the four BB84 states. Note that, once a security loophole has been found, it is often easy to develop countermeasures. However, the unanticipated attacks are the most fatal ones.

      --
      www.RacquetUp.org - Helping Detroit Youth
    5. Re:I don't think "prove" means what you think... by Anonymous Coward · · Score: 0

      It's a little something called the Heisenberg Uncertainty Principle. Have you heard of it? No?

      Have you? This is not what the Uncertainty Principle is about, and has nothing to do with your comment on the post. The GPP is right in that this 'proof' is damn near useless in real-life; if you assume the interference is from the environment then you're really not secure. It'd be like seeing many mal-formed packets being received by your router, and writing it off as a fluke instead of a deliberate attempt to alter the system.

    6. Re:I don't think "prove" means what you think... by Interoperable · · Score: 3, Insightful

      Those "morons" have doctorates in math and physics. What do you have?

      The idea is that if you can account for all known systemic noise sources then anything left will be from the attacker. The proofs set bounds for what error thresholds rule out the possibility of an attacker under given, known sources of noise in the system. The proofs are not wrong, they were simply done using particular sets of assumptions. If those assumptions are not applicable to a particular system, then obviously those calculations wouldn't be used.

      It astounds me that people think they know better than an entire discipline and even more so that they get modded up for doing it. But then again...it is the internet.

      --
      So if this is the future...where's my jet pack?
    7. Re:I don't think "prove" means what you think... by pla · · Score: 2, Interesting

      It astounds me that people think they know better than an entire discipline and even more so that they get modded up for doing it. But then again...it is the internet.

      Funny thing about the internet... Believe it or not, some of us do actually count as experts in the domain of knowledge in question, fully capable of calling BS even on all those magically-always-right PhDs out there.

      In this case, I can't claim myself an expert (merely have a minor in math, concentrating on, of all things, proof theory). But I stand by my statement - A proof with easily violated premises doesn't "prove" anything. It may remain valid for some subset of input sets, but validity does not equal truth. And when your input set equals the real world, you can't just arbitrarily constrain it and still call it true.

    8. Re:I don't think "prove" means what you think... by Interoperable · · Score: 4, Informative

      I happen to have read a number of such papers because it is related to the field that I work in and I have some idea of what is involved in determining bounds on error rates. They are absolutely proofs in the very strictest sense of the word. They state up-front what the assumptions are and derive rigorous proofs within the conditions that were laid out.

      The mathematical premises are completely sound. The only question is what physical system the assumptions used to arrive at those premises apply to. The idealized system is clearly laid out in the paper and can be assessed for how applicable it is to a given physical system. To say that the premises are unsound because the simplifying assumptions may not apply to real systems is to reject any mathematical analysis of the physical world.

      You are confusing the ideas of a premise in mathematics and an assumption in physics. What has been done is the different between a correct analysis of an idealized system. What you claim is that an incorrect analysis of a realistic model has occurred, which is incorrect.

      --
      So if this is the future...where's my jet pack?
    9. Re:I don't think "prove" means what you think... by silentcoder · · Score: 1

      You know what's sad... I actually agree with your conclusion but your entire argument consists of a call-to-authority. A fallacy.

      Don't you think it's a bit of an insult to the discipline that your best defense for it is a false argument ?

      Especially since history (even RECENT history) is filled with examples of untrained outsiders spotting a fatal flaw in the work of a discipline, which then needs to be corrected leading to a paradigm shift. Scientists consider the call-to-authority one of the worst fallacies of all, and a hell of a lot of the scientific method is specifically designed to root it out.

      Your actual points about how proofs work are informative and accurate. Prepending them with a declaration about how one shouldn't question the authority of the scientists weakens that argument, and if those scientists are any good - they would consider it an insult to be cited as authorities, science by its very nature despises authority.

      --
      Unicode killed the ASCII-art *
    10. Re:I don't think "prove" means what you think... by Interoperable · · Score: 2, Insightful

      It's not the questioning of conclusions that I disagree with. Scientists love informed debate, but don't appreciate being called "morons." Anyone with the insight about the discipline to make a shrewd observation about the correctness of the work would recognize that the people involved are not morons.

      It's important to keep an open mind, but the vast, vast majority of "OMG, how can you sheeple be so stupid?" posts about quantum physics can be safely ignored without any loss to the body of knowledge.

      --
      So if this is the future...where's my jet pack?
    11. Re:I don't think "prove" means what you think... by radtea · · Score: 1

      What you claim is that an incorrect analysis of a realistic model has occurred, which is incorrect.

      And yet for reasons that escape me these correct analyses of unrealistic models have been used in the marketing of quantum cryptography as a realistic solution to the problem of secure communication.

      Can you provide any insight into how that situation has come about?

      --
      Blasphemy is a human right. Blasphemophobia kills.
    12. Re:I don't think "prove" means what you think... by divisionbyzero · · Score: 1

      Errors are inevitable. It's a little something called the Heisenberg Uncertainty Principle. Have you heard of it? No?

      I guess the correct answer is maybe. But only possibly so.

      :-)

    13. Re:I don't think "prove" means what you think... by Anonymous Coward · · Score: 0

      fully capable of calling BS even on all those magically-always-right PhDs out there.

      Or it could be that many people, PhDs included, realize how low of a bar the PhD sets.

      In this case, I can't claim myself an expert (merely have a minor in math, concentrating on, of all things, proof theory). But I stand by my statement - A proof with easily violated premises doesn't "prove" anything.

      Your attempt at Internet humility has failed.

    14. Re:I don't think "prove" means what you think... by sjames · · Score: 1

      The whole field of practical quantum encryption (as opposed to fun games) is riddled with real world problems. So much so that I'd say most of the applications are snake oil. Currently its usefulness is confined to cases where the endpoints are close enough to use an unamplified fiber and there exists a second communications channel that cannot be subjected to a MITM attack even by someone determined enough to dig up and splice into that fiber in the first place. If the information isn't valuable enough for that, just send it over the fiber as-is, use public key encryption if it makes you feel better. This would have to be a specific situation where in spite of the end-points being fairly close it's somehow not practical to just write the one time pad to a pile of HDs and drive them over AND the data, in spite of its clearly very high value is NOT valuable enough to justify schlepping the HDs over (which is more secure).

      I wouldn't go so far as to say there is NO scenario where quantum cryptography is the answer, but I will say there are very few even if the hardware was perfect at the quantum level.

      As soon as errors are tolerated at all (as is necessary in a real-world system), the security becomes a much more shaky proposition. TFA demonstrates that rather clearly. That car full of hard drives looks better all the time (and cheaper too).

    15. Re:I don't think "prove" means what you think... by sjames · · Score: 1

      And that's the whole problem! Proving that given a set of conditions A is true is just fine mathematically. But as soon as you try to use it in engineering, you face the potentially much more difficult problem of proving that the real world matches those conditions. If the conditions are things like approximately 1 earth gravity and ambient temperatures don't exceed 300C you're on fairly solid ground, when you start having to worry about exact levels of quantum noise, you can easily get into trouble.

  9. Isn't this obvious? by mrsteveman1 · · Score: 5, Funny

    Eve is a fucking spy, arrest her.

    I'm not too sure about Alice and Bob either, seems they're always around when these things happen.

    1. Re:Isn't this obvious? by Actually,+I+do+RTFA · · Score: 2, Funny

      Eve is a fucking spy, arrest her.

      Eve is clearly spying on fucking, but it's not clear that she herself is fucking to do so.

      --
      Your ad here. Ask me how!
    2. Re:Isn't this obvious? by Monkeedude1212 · · Score: 1

      It's not that easy.

      She wears a mask.

    3. Re:Isn't this obvious? by MRe_nl · · Score: 4, Funny

      It's not that easy.

      She's only called Eve online.

      --
      "Kill 'em all and let Root sort 'em out"
    4. Re:Isn't this obvious? by Anonymous Coward · · Score: 0

      Eve is a fucking spy, arrest her.

      Indeed... and NOW she is here to f**k us! So listen up, boy, or pornography starring your mother will be the SECOND worst thing that happens to you today...

    5. Re:Isn't this obvious? by Hurricane78 · · Score: 0, Troll

      But she’s also insanely hot. I can haz hawt bittsecks wif her??

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    6. Re:Isn't this obvious? by mrsteveman1 · · Score: 1

      Remember buddy, eve is the spy...she knows all about your life size furry porn dolls and hello kitty sex toy collection.

    7. Re:Isn't this obvious? by youn · · Score: 1

      What the heck is alice doing out of wonderland anyway?

      shouldn't it be Alice & Bunny?

      --
      Never anthropomorphize computers, they do not like that :p
    8. Re:Isn't this obvious? by sjames · · Score: 1

      That should be good enough to get a search warrant rubber stamped. So tell me Alice and Bob, just how good is your precious security NOW! We'll just rip out the sheet rock to be sure!

  10. any lock made by a man by circletimessquare · · Score: 4, Insightful

    can be broken by a man

    depending upon your current situation in life, this is either a wonderfully hopeful or horribly depressing realization

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:any lock made by a man by Opportunist · · Score: 1

      I was thinking the same. But my train of thought was more along the lines of "no matter how secure a system, some doofus will stick a post-it with his key next to the monitor".

      The weakest link in almost all security systems is still the human.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:any lock made by a man by Anonymous Coward · · Score: 1, Funny

      It's obvious then we need to get rid of the weakest link.

  11. Hardware Arms Race by Anonymous Coward · · Score: 1, Interesting

    The third paragraph from the end of TFA is the key. Alice/Bob will be in an arms race with Eve. Alice/Bob will need better single-photon detectors and generators to stay ahead of Eve. As Alice/Bob improve the quality of their hardware and increase the probability of being able to emit and then detect a single photon, Eve has to keep pace with the quality of her hardware. Over time as Alice/Bob increase the quality of their hardware, the attack surface available to Eve shrinks, and it will take her longer to intercept without being discovered. Eve will also need an accurate assessment of Alice/Bob's hardware capability to mount a credible threat.

  12. Quantum waste-of-money by eBisnaes · · Score: 1, Troll

    I don't get why anyone even bothers with the so-called quantum encryption*, a simple pre shared key scheme is perfectly safe, a lot cheaper, well understood and well tested.

    *The quantum part has nothing to do with encryption, it's just an over the top high tech attempt at preventing wire taps.

    1. Re:Quantum waste-of-money by Anonymous Coward · · Score: 0

      You're overlooking the obvious problem that sharing a OTP through some kind of secure side-channel doesn't scale well, whether we are talking about carrier pigeons, sneaker-net USB keys, or secure-courier DVDs.

    2. Re:Quantum waste-of-money by eBisnaes · · Score: 0

      One time pads are not required for safe encryption, with modern computer cryptography that method is obsolete. A short key string can be used to initiate a scrambling function that generates an endless pseudo-random string. Which effectively cannot be distinguished from random without knowing the key used.

    3. Re:Quantum waste-of-money by Anonymous Coward · · Score: 0

      Where by "knowing" you apparently mean "guessing" -- even if your scrambling function is _perfect_, the "short key string" had better not _really_ be short, or you're hosed. And keys of a given length are shorter and shorter as technology advances, even if no cryptographic advances break the system.

      This is markedly unlike a OTP, because only one key will decode to plaintext, and once you can read the message, you know it's decrypted. With OTP, there's one OTP to make that message into any message of the same length, so you never know when you've got it right.

    4. Re:Quantum waste-of-money by eBisnaes · · Score: 0

      "Short" as in you can transfer it once and be done with it. Given current computers 128 bit will suffice. If you want it unbreakable for eternity use 512 bits. While it is hard to predict how fast computers will be in distant future, it is easy to tell how fast they will not be, there are simple physical limits dictating how many state changes a particle may go through in a given time, current estimates are around 10^40 per second. By that figure, a 1000 000 000 ton computer would in 1000 000 000 years only be able to undergo ~2^300 state changes, where more than 2^512 is required to break a 512 bit encryption.

      As clever as the advances of OTP may seem, they are only theoretical relative to a strong key based encryption.

    5. Re:Quantum waste-of-money by ghjm · · Score: 1

      More than 2^512 state changes are required ON AVERAGE to break 512 bit encryption USING BRUTE FORCE.

      Are we at the end of cryptographic history? What are the odds that in your notional billion years of computation, some weakness or new technique will be discovered that makes our current methods trivially breakable?

      For that matter, are we at the end of physics? Are "current estimates" guaranteed not to later turn out to be wildly incorrect, as they have done many times before? Are these estimates making the assumption that all the state changes are to be observed, and if so, why is it impossible to build a computational device that relies on non-observed phenomena, which (as I understand it) are not subject to such limits?

      Over a timeframe like a billion years, is it not possible that the owners of our universe could show up and say "hey guys, quantum physics is weird because it exposes all the shortcuts we took when creating the simulator that runs your universe, sorry about that, by the way here's the key to your encrypted code?"

      Show a little humility. IT'S A BILLION YEARS. Our understanding of physical reality has been altered dramatically in just a couple hundred years. There's no reason to suppose that we are today at the end of that process.

    6. Re:Quantum waste-of-money by eBisnaes · · Score: 1

      I'd say that all the assumptions I have made are far more likely to hold than the assumptions you need to make for quantum key sharing to be safe. That is not to say that I find the quantum key sharing technique highly likely to be broken, but many new discoveries in the field of quantum mechanics are yet to be made.

      Why is it impossible to build a computational device that relies on non-observed phenomena, which (as I understand it) are not subject to such limits?

      We simply can't tell what limits apply to non-observed phenomena, that doesn't mean there ain't limits, but since we can't observe non-observed phenomena it is quite hard to know their exact nature. That said, it doesn't really matter how many of them there may be, for computation a non-observed phenomenon is as good as a TTL gate with no output pins, even if it is doing the right thing on the inside, we have no way of obtaining the generated data.

      Quantum key sharing by the way builds on non-observed phenomena, if the so-called non-observed phenomena should somehow prove observable, and thus theoretically useful in computers, quantum key sharing would be broken.

      I have already shown humility by saying 512 bits, I highly doubt that 256 bits will ever be breakable, and certainly not within a time frame where encrypted information snatched now would be useful, but the 512 bits argument is a lot easier to lead.

      By the way, for anyone not totally into the concept of non-observed phenomena, it is not non-observed as in "We didn't bother to look.", but as in "It is only physically possible to retrieve one piece of data from this dataset, when we retrieve a piece of data the rest is lost, nothing has been influenced by that data, and nothing ever will be, it might as well never have existed.".

  13. NIST achieved 99% detection efficiency last month by ortholattice · · Score: 4, Interesting

    One of the main contributors to the error rate is the photon detection efficiency, where 80% or better is considered "good". In a major breakthrough last month, NIST (yes, the National Institute of Standards and Technology, not some startup company's marketing hype) has achieved a record single-photon detection rate of 99% - and possibly better, since there currently exists no metrology to test that level of efficiency. So in terms of that source of error, things are looking up.

  14. Re:So, quantum cryptography is fundamentally flawe by Interoperable · · Score: 1

    It's hardly fundamentally flawed. Even if the eavesdropper knows the error threshold and can intercept a few bits without detection thanks to errors in the system, the information gain is very minimal. You might be able to get a few percent of the transmitted bits in a key. Three out of every hundred bits in a one-time pad isn't going to break the encryption. The parties can always XOR some bits until the information that an eavesdropper could extract is negligible.

    --
    So if this is the future...where's my jet pack?
  15. A flaw....but fixable.... by Dthief · · Score: 2, Informative
    Insightful FTA:

    Moreover, in our attack, Eve only sends two states to Bob. Alice and Bob can detect this attack by estimating the statistics of the four BB84 states. Note that, once a security loophole has been found, it is often easy to develop countermeasures. However, the unanticipated attacks are the most fatal ones.

    --
    www.RacquetUp.org - Helping Detroit Youth
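The z / z' polarization-filter model described earlier in the thread and the countermeasure quoted from the paper (estimating the statistics of the four BB84 states) can be checked together in a small simulation. This is an added example, not part of any comment and not code from the paper or from ID Quantique. It is a toy model: the intercepted fraction, the noise level and the choice of the two z' states as the ones Eve resends are assumptions made here, and the paper's actual attack is not modelled.

```python
import random

Z, ZP = 0, 1  # the two filter orientations: z and z' (rotated by 45 degrees)


def measure(state, basis, rng):
    """Polarization filter: the matching orientation reads the bit,
    the other orientation yields a coin flip. The photon leaves the
    filter polarized along the measuring orientation."""
    s_basis, s_bit = state
    bit = s_bit if s_basis == basis else rng.randrange(2)
    return (basis, bit)


def run_link(n, eve=None, intercept=0.0, noise=0.0, seed=1):
    """Send n photons and return {sent_state: [sifted, errors]}.

    eve=None      no eavesdropper, only channel noise
    eve="random"  textbook intercept-resend, random basis per photon
    eve="fixed"   Eve measures and resends in z' only, so Bob only ever
                  receives two of the four states (assumption, see lead-in)
    """
    rng = random.Random(seed)  # seeded so the run is reproducible
    stats = {(b, v): [0, 0] for b in (Z, ZP) for v in (0, 1)}
    for _ in range(n):
        sent = (rng.randrange(2), rng.randrange(2))  # (basis, bit)
        photon = sent
        if eve and rng.random() < intercept:
            eve_basis = rng.randrange(2) if eve == "random" else ZP
            photon = measure(photon, eve_basis, rng)  # measure, then resend
        bob_basis = rng.randrange(2)
        _, bob_bit = measure(photon, bob_basis, rng)
        if rng.random() < noise:  # environmental bit flip
            bob_bit ^= 1
        if bob_basis == sent[0]:  # sifting: keep matching orientations only
            stats[sent][0] += 1
            stats[sent][1] += bob_bit != sent[1]
    return stats


def qber(stats):
    """Aggregate quantum bit error rate over all sifted bits."""
    sifted = sum(s for s, _ in stats.values())
    errors = sum(e for _, e in stats.values())
    return errors / sifted


def per_state_qber(stats):
    """Error rate broken down by which of the four states Alice sent."""
    return {state: e / s for state, (s, e) in stats.items()}


def skewed(stats, tolerance=0.05):
    """Flag a link whose four per-state error rates are not uniform."""
    rates = per_state_qber(stats).values()
    return max(rates) - min(rates) > tolerance


if __name__ == "__main__":
    runs = {
        "noise only": run_link(200_000, noise=0.125),
        "random-basis Eve": run_link(200_000, eve="random", intercept=0.5),
        "two-state Eve": run_link(200_000, eve="fixed", intercept=0.5),
    }
    for name, stats in runs.items():
        rates = {k: round(v, 3) for k, v in per_state_qber(stats).items()}
        print(f"{name:17s} QBER={qber(stats):.3f} skewed={skewed(stats)} {rates}")
```

All three runs give about the same aggregate error rate, so a monitor that looks only at the total cannot tell them apart; the per-state breakdown is uniform for noise and for the random-basis eavesdropper but splits into roughly 0% and 25% when only two states are being resent.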
  16. Re:NIST achieved 99% detection efficiency last mon by Interoperable · · Score: 1

    But at what dark-count rate? There are always trade-offs.

    --
    So if this is the future...where's my jet pack?
  17. Re:NIST achieved 99% detection efficiency last mon by ortholattice · · Score: 2, Informative
    But at what dark-count rate? There are always trade-offs.

    The dark count is essentially zero. That's what makes this breakthrough so impressive.

    FTA I linked:

    "When these detectors indicate they've spotted a photon, they're trustworthy. They don't give false positives," says Nam, a physicist with NIST's Optoelectronics division. "Other types of detectors have really high gain so they can measure a single photon, but their noise levels are such that occasionally a noise glitch is mistakenly identified as a photon. This causes an error in the measurement. Reducing these errors is really important for those who are doing calculations or communications."

  18. Re:NIST achieved 99% detection efficiency last mon by Interoperable · · Score: 1

    Oh wow, I'll have to grab a hold of the publication. That is impressive.

    --
    So if this is the future...where's my jet pack?
  19. Re:So, quantum cryptography is fundamentally flawe by TheLink · · Score: 4, Insightful

    Thing is nowadays TB drives are quite cheap. Generate a huge OTP, spread it over three drives at A, spread it over another three drives and send all three to B via three different couriers/paths. Add ECC if you want.

    If they all made it safely without interception, you've got your secure channel. 1TB/128kbps = 2 years. 1TB/256kbps = 1 year.

    You could send more than one set of drives. When they all arrive, you tell the "B" let's start with drive set #5.

  20. Re:NIST achieved 99% detection efficiency last mon by Anonymous Coward · · Score: 0

    Unfortunately this only detects if the photon hits. It does not measure anything like spin. So while useful, it does not seem directly transferable to a quantum cryptography application.

  21. Beat Bob with a shovel by ghjm · · Score: 1

    until he tells you what was in the message.

    Of course you can't beat Alice because she's a girl. If Alice had sent the message to Eve then you'd be out of luck.

  22. Dump Alice by fyoder · · Score: 2, Funny

    I say Bob should dump Alice and go with Eve. Bad girls are hot.

    Though dumped good girls can be trouble as well, so the original problem remains.

    Sadly, as long as Eve (or Alice) is sufficiently determined to intercept Bob's communications, he's got problems. The only answer may be to become a celibate monk in a monastery committedly observing a vow of silence.

    --
    Loose lips lose spit.
    1. Re:Dump Alice by Anonymous Coward · · Score: 0

      > The only answer may be to become a celibate monk...

      Or join Slashdot.

  23. Who the f#ck is Alice? by slashmojo · · Score: 1

    Does she live next door to Bob?

    Had to be asked.. ;)

  24. Re:NIST achieved 99% detection efficiency last mon by ortholattice · · Score: 1

    > Unfortunately this only detects if the photon hits. It does not measure anything like spin.

    No photon detector "measures anything like spin". The polarization is determined by a filter prior to detection. Which direction the filter should be oriented is part of the quantum cryptography protocol, and the filter is followed by a detector that needs only to determine the presence or absence of a photon passing through the filter.

  25. Re:NIST achieved 99% detection efficiency last mon by ortholattice · · Score: 1

    I should clarify that by "filter" I mean a birefringent filter such as calcite, where the photon decides on one of two paths based on its polarization. Two detectors, one in each path, determine which was taken by the photon. So the compound setup of filter + 2 detectors is in effect the "detector that measures spin" that you refer to.

  26. The juicy secrets are safe. by Anonymous Coward · · Score: 0

    > The data goes across the wire unencrypted, the quantum system just detects a man-in-the-middle attack. [...] If someone comes up with a technique for reading the data without interference (like the article says), then you're screwed.

    Not really: this is why they only transmit the key across the quantum crypto link. Any bits that are intercepted are known and are simply not used. The actually interesting information is then transmitted across a classical link of any type and is encrypted using the quantum link-exchanged key. If you transmit a OTP-sized key across the quantum link and discard any bits that were intercepted, then there is no theoretical (or practical) way to decrypt the subsequent OTP-encrypted data exchange. That is to say, there is no way to intercept any of their juicy, juicy secrets.

    PS. The commonly accepted mental image to associate with juicy secrets is a multi-colored wad of saliva-soaked chewing gum, approximately fifty pieces in mass, each piece from a different person. Now, imagine squeezing it in your hand and feeling the saliva running through your fingers and down your arm in a lukewarm manner somewhat evocative of mucus. Observe the rivulets of drool as they run together and eventually start to drip off your elbow in a slightly viscous manner. This is why people always have the urge to share juicy secrets!

  27. Re:So, quantum cryptography is fundamentally flawe by MoeDumb · · Score: 0

    Screw quantum, I'm sticking with ROT-13.

    --
    Mod Me Up. You'll make a grown man cry.
  28. Guess I don't read enough crypto talk by Anonymous Coward · · Score: 0

    I guess I don't read crypto examples enough. The first time I read this, I didn't get what the reference was.

    I... I feel dumb now.

  29. Re:So, quantum cryptography is fundamentally flawe by Interoperable · · Score: 1

    Quantum cryptography really isn't being proposed as a practical solution right now (hush, don't tell ID Quantique) but what's fun about it is that it's theoretically secure. If the person whose wrist your briefcase of disks is handcuffed to is bought out, you'd never know it and your enemies just gained access to all your secure communications. Two to four decades from now quantum cryptography might be practically competitive with carrying disks around, but for now, it's just for fun.

    --
    So if this is the future...where's my jet pack?
  30. Re:So, quantum cryptography is fundamentally flawe by Anonymous Coward · · Score: 0

    Problem is, the drives could be intercepted and copied without your knowledge. Roughly speaking, this is a problem quantum cryptography does not have, due to the no-cloning theorem.

  31. Re:So, quantum cryptography is fundamentally flawe by TheLink · · Score: 1

    > If the person whose wrist your briefcase of disks is handcuffed to is bought out,

    1) You would need all three disks to reconstruct the original OTP that will be used.
    2) If I send more sets of three and only use some sets, that makes it even harder.
    3) I could even send 9 disks over time and over different couriers/channels and then randomly choose different combinations of them to construct the actual OTP.

    --
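One way to get the "need all three disks" property from the two OTP comments above is XOR secret splitting. This is an added example, not code from the thread: the comments do not say how the pad is spread over the drives, so the XOR scheme, the function names and the sample values are all assumptions.

```python
import secrets
from functools import reduce

def xor_bytes(*blocks: bytes) -> bytes:
    """XOR equal-length byte strings column by column."""
    if len({len(b) for b in blocks}) != 1:
        raise ValueError("all blocks must have the same length")
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def split_pad(pad: bytes, n: int = 3) -> list[bytes]:
    """Split pad into n shares (one per drive); all n are needed to rebuild it."""
    if n < 2:
        raise ValueError("need at least two shares")
    shares = [secrets.token_bytes(len(pad)) for _ in range(n - 1)]
    shares.append(xor_bytes(pad, *shares))  # last share fixes the XOR sum
    return shares

def join_shares(shares: list[bytes]) -> bytes:
    """Rebuild the pad at B once every drive has arrived."""
    return xor_bytes(*shares)

def share_for_guess(guess: bytes, captured: list[bytes]) -> bytes:
    """The missing share that would make `captured` rebuild to `guess`.
    One exists for every guess, so n-1 captured drives rule out no pad."""
    return xor_bytes(guess, *captured)

def pad_from_disks(disks: list[bytes], chosen: tuple[int, ...]) -> bytes:
    """Variant: ship independent random disks, agree later which subset to XOR."""
    if not chosen or len(set(chosen)) != len(chosen):
        raise ValueError("choose each disk at most once")
    return xor_bytes(*(disks[i] for i in chosen))

def otp(data: bytes, pad: bytes) -> bytes:
    """One-time-pad encrypt/decrypt; pad bytes must never be reused."""
    if len(pad) < len(data):
        raise ValueError("pad exhausted")
    return xor_bytes(data, pad[:len(data)])

if __name__ == "__main__":
    pad = secrets.token_bytes(32)            # constructed sample, stands in for 1 TB
    drives = split_pad(pad, 3)
    assert join_shares(drives) == pad
    guess = secrets.token_bytes(32)          # any pad an interceptor might suppose
    fake = share_for_guess(guess, drives[:2])
    assert join_shares(drives[:2] + [fake]) == guess
    disks = [secrets.token_bytes(32) for _ in range(9)]
    key = pad_from_disks(disks, (1, 4, 7))   # constructed choice of three of nine
    msg = b"start with drive set #5"
    assert otp(otp(msg, key), key) == msg
    print("all three drives required; two alone fit any pad")
```

Splitting only covers the case where fewer than all drives are captured. It gives no indication of whether every drive was copied in transit.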
  32. I have said this before by mordred99 · · Score: 1

    Human ingenuity cannot concoct a cipher which human ingenuity cannot break. --- Edgar Allan Poe

  33. that's what arrogance gets ya. by Anonymous Coward · · Score: 0

    wait... what? arrogant researchers who proclaimed to find something that's the perfect, flawless, definite solution to a problem are wrong? holy geocentrism, batman! get the global warming phlogiston spontaneous generation out of here! AI singularity in 2008!