Slashdot Mirror


First Exploit On Quantum Cryptography Confirmed

Vadim Makarov writes "Physics World reports on researchers demonstrating a full eavesdropper on a quantum key distribution link. Unlike conventional exploits for security vulnerabilities that are often just a piece of software, spying on quantum cryptography required a box full of optics and mixed-signal electronics. Details are published in Nature Communications, and as a free preprint. The vulnerability was known before, but this is the first actual working exploit with secret-key recording confirmed. Patching this loophole is in progress. Disclosure: I am one of the researchers who worked on this."

4 of 86 comments

  1. Re:Oh well. by Anonymous Coward · · Score: 5, Funny

    No wait! The line is both perfectly secure and being eavesdropped on, at the same time. It's not until we hear the message that it becomes one or the other.

  2. Re:Worth noting by lgw · · Score: 4, Insightful

    This is not an exploit of quantum cryptography

    It is an exploit in the implementation of the detectors

    LDO. People seem in a rush to point this out on every /. crypto story. "This wasn't a problem with the math, but a problem with the implementation". Yes, that's how almost all attacks work. Attackers don't generally go after the strongest link in your cryptosystem, you know.

    My silly RSA tokens (2 on them cluttering my keyring now!) are worthless not because the math was bad, but because the attackers found a better avenue of attack. That's not in any way comforting.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  3. Re:Math by gweihir · · Score: 4, Insightful

    They are not. Even though this type of BS can be read in the press quite often. Unless you assume we get quantum computers that can hold arbitrarily long entangled state. If we do not have that, just make the RSA key length one single bit longer than the longest entangled state that computations can be done on and the quantum computer is useless. (Dirty secret of quantum computing: You cannot combine calculations on large elements from computations on smaller elements.)

    As for symmetrical ciphers, brute-forcing with quantum computers requires 2^(n/2) tries instead of 2^n tries. You still have to do each try and you have to model the whole cipher, which requires, e.g. for AES-256 in a known-plaintext attack (which is the easiest one), holding 2x128 bits for known plaintext and ciphertext, 256 bits for the key. That is already 512 qubits you need. Then you need to represent AES internal state and do computation. This easily adds another 512 qubits of state. Then you need to do something like 8000 x 2^128 quantum computations, retaining entanglement. As far as I can tell, each of these computation steps will be vastly slower than a conventional step as you need to manipulate the entangled set of qubits from the outside. And you cannot parallelize! Throwing two quantum computers at the same problem takes exactly the same time as when using only one.

    We are currently where? 5 entangled bits when actual computations are done on them? After 2 decades of research. This leads me to believe that if they will ever work at all, quantum computers will not be able to crack current crypto for a very, very long time.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
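The 2^(n/2) figure in the comment above is the iteration count of Grover's search. As an added illustration (editor's example code, not part of the comment or the page), the following plain-Python state-vector simulation runs Grover's algorithm over an n-bit key space and reports how many oracle iterations it takes to make the marked key the overwhelmingly likely measurement result, next to the average 2^n/2 guesses of a classical brute-force search. The marked key values are constructed sample inputs; the simulation itself costs 2^n classical work per step, so it is only practical for small n and serves to show the iteration count, not to run a search.

```python
import math


def grover_iterations(n_bits):
    """Optimal Grover iteration count for an n-bit search space: floor(pi/4 * sqrt(2**n))."""
    return int(math.floor(math.pi / 4 * math.sqrt(2 ** n_bits)))


def grover_search(n_bits, marked, iterations=None):
    """Simulate Grover's search on a classical vector of 2**n real amplitudes.

    Returns (iterations_run, probability_of_measuring_marked).
    """
    size = 2 ** n_bits
    amp = [1.0 / math.sqrt(size)] * size          # uniform superposition over all keys
    k = grover_iterations(n_bits) if iterations is None else iterations
    for _ in range(k):
        amp[marked] = -amp[marked]                 # oracle: phase flip on the correct key
        mean = sum(amp) / size                     # diffusion: reflect every amplitude about the mean
        amp = [2 * mean - a for a in amp]
    return k, amp[marked] ** 2


def expected_classical_tries(n_bits):
    """Average number of key guesses in a classical exhaustive search."""
    return 2 ** n_bits / 2


if __name__ == "__main__":
    for n in (4, 8, 12):
        k, p = grover_search(n, marked=5)      # 5 is a constructed sample key
        print(f"n={n:2d} bits: {k:3d} Grover iterations, P(correct)={p:.4f}, "
              f"classical average {expected_classical_tries(n):.0f} tries")
    # Over-rotation: running past the optimal count drives the success probability back down,
    # so the sqrt(N) saving only materialises if the search stops at the right iteration.
    print("n=8, 25 iterations: P(correct)=%.4f" % grover_search(8, 5, 25)[1])
```

The output shows the quadratic gap the comment refers to: for n=8, 12 iterations against 128 classical guesses on average. Each Grover iteration is one full evaluation of the cipher in superposition, which is the "you still have to model the whole cipher" cost the comment points at; the saving is in the number of sequential iterations, not in the cost of each.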
  4. Re:Oh well. by Vadim Makarov · · Score: 4, Informative

    I still think (from my fuzzy understanding of this attack) that it uses a specific implementation detail that depends upon the system used, and might be relatively easy to patch. Maybe they can use different wavelengths of photons, one for a test and one not--I don't have the expertise to say how much of a redesign is necessary. The article makes it sound like it's not a huge deal, and the Toshiba guys say in one of the other articles that their system isn't susceptible to these attacks when properly operated.

    Currently the problem is quite general, because most quantum cryptosystems today use detectors of the vulnerable type. We think it is patchable, just not by the approach the Toshiba group practices, but patchable. (We dislike Toshiba's approach for not being general and thorough, but more of a quick band-aid.) During the past 20 years there were a couple of problems of similar magnitude in quantum crypto, and they were solved. Note that similar problems periodically show up in implementations of classical crypto.

    The future of quantum crypto will now be decided, from one side, by the market, and from another side, by publicly disclosed mathematical developments on various classical ciphers (which can be cracked overnight, but can also be proven more secure... I'm not a mathematician so I won't venture a guess for the odds of either). In quantum cryptography there is at least one well-engineered commercial system, several advanced commercial prototypes (Toshiba has one), and the hacking efforts are going to eliminate all easy loopholes in a reasonable time. It is also important how well quantum cryptography can be meshed into networks with many nodes and links. There have been several demonstrations of quantum crypto networks, the latest in Japan last year.

    The current commercial systems (like ID Quantique's Cerberis) use quantum cryptography as an extra security layer on top of classical crypto. To get to the master key used to encrypt the data, one needs to crack both quantum key distribution and classical key distribution at the same time. We temporarily compromised the quantum layer in this work, but in a commercial installation the data security would hang on the classical crypto, until the quantum layer is patched. Of course the security of the symmetric ciphers (normally AES with frequent key changes) used for high-speed data encryption is another question, but I think there is also an option to establish a low-bandwidth highly-secure channel encrypted by one-time-pad. The whole reason AES is offered with quantum crypto is that the performance of the classical crypto has spoiled everybody, and the users do not want to separate communication into high-security and low-security categories. They just want to encrypt the whole 10 Gbps link, so this is the default option.

    --
    17779 eligible voters in a district, 17779 'vote' as one. This is Russia.
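The layered arrangement the comment describes, where the data key depends on both the quantum-distributed key and the classical key exchange, can be shown with a small key combiner. This is an editor-added example, not code from the page, the commenter, or any vendor's product, and it makes no claim about how Cerberis combines its layers. It uses standard-library HMAC-SHA256 HKDF (RFC 5869): an XOR combiner for a one-time-pad channel, which stays uniform as long as either layer key is uniform and independent, and an HKDF combiner with a session counter for the frequently rekeyed AES link. The salt and info labels are constructed placeholders, and the layer keys in the demo are random stand-ins.

```python
import hashlib
import hmac
import os


def xor_combine(qkd_key, classical_key):
    """Information-theoretic combiner for the one-time-pad channel.

    The output is uniform if either input is uniform and independent of the other,
    so an attacker holding only one layer's key learns nothing about the pad."""
    if len(qkd_key) != len(classical_key):
        raise ValueError("layer keys must have equal length")
    return bytes(a ^ b for a, b in zip(qkd_key, classical_key))


def hkdf_extract(salt, ikm):
    """HKDF-Extract (RFC 5869) with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk, info, length):
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


# Constructed labels for this example; not taken from any product or protocol.
COMBINER_SALT = b"qkd+classical-layer-combiner"
SESSION_INFO = b"aes-data-link-session"


def derive_session_key(qkd_key, classical_key, session_no, length=32):
    """Computational combiner for the high-speed AES link.

    Both layer keys are fed into the HKDF input keying material, so reproducing a
    session key requires both layers; the session counter provides the frequent
    rekeying the comment mentions without touching the layer keys themselves."""
    master = hkdf_extract(COMBINER_SALT, qkd_key + classical_key)
    return hkdf_expand(master, SESSION_INFO + session_no.to_bytes(8, "big"), length)


if __name__ == "__main__":
    qkd = os.urandom(32)        # stand-in for a freshly distilled QKD key
    classical = os.urandom(32)  # stand-in for a key from classical key exchange
    k1 = derive_session_key(qkd, classical, 1)
    k2 = derive_session_key(qkd, classical, 2)
    print("session 1 AES key:", k1.hex())
    print("session 2 AES key:", k2.hex())
    print("one-time-pad key :", xor_combine(qkd, classical).hex())
    # Knowing the classical layer alone (QKD key replaced by zeros) does not reproduce k1.
    assert derive_session_key(bytes(32), classical, 1) != k1
```

With the quantum layer compromised, as in the attack the thread discusses, the session keys are exactly as strong as the classical layer, which is the fallback the comment describes; with both layers intact, an attacker must recover both keys for the same session.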