Slashdot Mirror

← Back to Stories (view on slashdot.org)

First Exploit On Quantum Cryptography Confirmed

Posted by Soulskill on from the never-trust-the-photons dept.

Vadim Makarov writes "Physics World reports on researchers demonstrating a full eavesdropper on a quantum key distribution link. Unlike conventional exploits for security vulnerabilities that are often just a piece of software, spying on quantum cryptography required a box full of optics and mixed-signal electronics. Details are published in Nature Communications, and as a free preprint. The vulnerability was known before, but this is the first actual working exploit with secret-key recording confirmed. Patching this loophole is in progress. Disclosure: I am one of the researchers who worked on this."

13 of 86 comments (clear)

  1. I think I get it by alfplayer · · Score: 2

    O_____>-|o _____O

  2. Re:Oh well. by Anonymous Coward · · Score: 5, Funny

    No wait! The line is both perfectly secure and being eavesdropped on, at the same time. It's not until we hear the message that it becomes one or the other.

  3. Worth noting by Anonymous Coward · · Score: 2, Insightful

    This is not an exploit of quantum cryptography.

    It is an exploit in the implementation of the detectors.

    They can't tell the difference between the quantum signal they are supposed to be detecting and a faked signal using classical light pulses. Man-in-the-middle attacks are fairly straightforward for classic light signals since they aren't changed when someone else intercepts them.

    1. Re:Worth noting by lgw · · Score: 4, Insightful

      This is not an exploit of quantum cryptography

      It is an exploit in the implementation of the detectors

      LDO. People seem in t rush to point this out on every /. crypto story. "This wasn't a problem with the math, but a problem with the implementation". Yes, that's how almost all attacks work. Attackers don't generally go after the strongest link in your cryptosystem, you know.

      My silly RSA tokens (2 on them cluttering my keyring now!) are worthless not because the math was bad, but because the attackers found a better avenue of attack. That's not in any way comforting.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  4. Disclosure? by dk90406 · · Score: 3, Funny

    "Disclosure: I am one of the researchers who worked on this."
    Disclosure is an interesting word here. I would have used the word "brag" - and I think you are fully entitled to brag about that feat.

  5. Impact on Bitcoin? by turkeyfeathers · · Score: 3, Funny

    Does this have any impact on the security of my bitcoin wallet? If not, who cares.

    1. Re:Impact on Bitcoin? by GameboyRMH · · Score: 2

      That's not all there is to care about! What about the iPad supply!?

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  6. Re:Oh well. by FrootLoops · · Score: 2

    This is an attack on implementation details, not the underlying physics of quantum mechanics. The title could have been a little better. This is (apparently; my only source is the submitter, as he's also the source in the article) the first working exploit of a quantum cryptography system that was able to steal the key without being detected.

  7. Re:Oh well. by Anonymous Coward · · Score: 2, Insightful

    The problem is there are always implementation details.
    The basic design of QC says:
    1) Assume that we can build these perfect emitters and detectors
    2) Now we've got something that's perfectly secure

    It's like saying:
    1) Assume I can create an invincible dragon
    2) Lets use it to distribute crypto keys

    This is not to say s that QC is useless, but rather that it's capabilities are severely overhyped.

    To put it another way, these "implementation details" are all part of the "underlying physics". Every piece of physics that gets from a human usable bit on one end to a human usable bit on the other end is "underlying physics".

    You may as well claim to have designed the starship enterprise and the call the warp drive "implementation details".
    What color to paint the walls... that's an implementation detail. The basic technology to make something work... that's an integral part of the problem.

  8. Re:Oh well. by FrootLoops · · Score: 2

    You're exaggerating your point (eg. by talking about dragons and warp drive). One of the articles suggests you might mitigate this attack with a relatively simple extra verification step. This attack depends explicitly upon "blinding" a detector with light "above the intensity threshold" (certainly this is oversimplified). That's an attack on implementation details. Certainly I didn't mean to say that building a QC system is all "implementation details"; that would just be stupid. This one point that was attacked is an implementation detail.

  9. Re:Dammit, more quantum stuff... Should I understa by Intrepid+imaginaut · · Score: 2

    should I be alarmed for not being up to date here?

    You both should and shouldn't be alarmed.

  10. Re:Math by gweihir · · Score: 4, Insightful

    They are not. Even though this type of BS can be read in the press quite often. Unless you assume we get quantum computers than can hold arbitrarily long entangled state. If we do not have that, just make the RSA key length one single bit longer than the longest entangled state that computations can be done on and the quantum computer is useless. (Dirty secret of quantum computing: You cannot combine calculations on large elements from computations on smaller elements.)

    Ad for symmetrical ciphers, brute-forcing with quantum computers requires 2^(n/2) tries instead of 2^n tries. You still have to do each try and you have to model the whole cipher, which requires, e.g. for AES-256 in a known-plaintext-attack (which is the easiest one) to hold 2x128 bits for known plaintext and ciphertext, 256 bit for the key. That is already 512 qbits you need. Then you need to represent AES internal state and do computation. This easily adds another 512 qbits of state. Then you need to do something like 8000 x 2^128 quantum computations, retaining entanglement. As far as I can tell, each of this computation steps will be vastly slower than a conventional step as you need to manipulate the entangled set of qbits from the outside. And you cannot parallelize! Throwing two quantum computers at the same problem takes exactly the same time as when using only one.

    We are currently where? 5 entangled bits when actual computations are done on them? After 2 decades of research. This leads me to believe that if they will ever work at all, quantum computers will not be able to crack current crypto for a very, very long time.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  11. Re:Oh well. by Vadim+Makarov · · Score: 4, Informative

    I still think (from my fuzzy understanding of this attack) that it uses a specific implementation detail that depends upon the system used, and might be relatively easy to patch. Maybe they can use different wavelengths of photons, one for a test and one not--I don't have the expertise to say how much of a redesign is necessary. The article makes it sound like it's not a huge deal, and the Toshiba guys say in one of the other articles that their system isn't susceptible to these attacks when properly operated.

    Currently the problem is quite general, because most quantum cryptosystems today use detectors of the vulnerable type. We think it is patchable, just not by the approach the Toshiba group practices, but patchable. (We dislike Toshiba's approach for not being general and thorough, but more of a quick band-aid.) During the past 20 years there were a couple problems of similar magnitude in quantum crypto, and they were solved. Note that similar problems periodically show in implementations of classical crypto.

    The future of quantum crypto will now be decided, from one side, by the market, and from another side, by publicly disclosed mathematical developments on various classical ciphers (which can be cracked overnight, but can also be proven more secure... I'm not a mathematician so I won't venture a guess for the odds of either). In quantum cryptography there is at least one well-engineered commercial system, several advanced commercial prototypes (Toshiba has one), and the hacking efforts are going to eliminate all easy loopholes in a reasonable time. It is also important how well quantum cryptography can be meshed into networks with many nodes and links. There have been several demonstrations of quantum crypto networks, the latest in Japan last year.

    The current commercial systems (like ID Quantique's Cerberis) use quantum cryptography as an extra security layer on top of classical crypto. To get to the master key used to encrypt the data, one needs to crack both quantum key distribution and classical key distribution at the same tme. We temporarily compromised the quantum layer in this work, but in a commercial installation the data security would hang on the classical crypto, until the quantum layer is patched. Of course the security of the symmetric ciphers (normally AES with frequent key changes) used for high-speed data encryption is another question, but I think there is also an option to establish a low-bandwidth highly-secure channel encrypted by one-time-pad. The whole reason AES is offered with quantum crypto is that the performance of the classical crypto has spoiled everybody, and the users do not want to separate communication into high-security and low-security categories. They just want to encrypt the whole 10 Gbps link, so this is the default option.

    --
    17779 eligible voters in a district, 17779 'vote' as one. This is Russia.