Slashdot Mirror


Move Over, Quantum Cryptography: Classical Physics Can Be Unbreakable Too

MrSeb writes "Researchers from Texas A&M University claim to have pioneered unbreakable cryptography based on the laws of thermodynamics; classical physics, rather than quantum. In theory, quantum crypto (based on the laws of quantum mechanics) can guarantee the complete secrecy of transmitted messages: To spy upon a quantum-encrypted message would irrevocably change the content of the message, thus making the messages unbreakable. In practice, though, while the communication of the quantum-encrypted messages is secure, the machines on either end of the link can never be guaranteed to be flawless. According to Laszlo Kish and his team from Texas A&M, however, there is a way to build a completely secure end-to-end system — but instead of using quantum mechanics, you have to use classical physics: the second law of thermodynamics, to be exact. Kish's system is made up of a wire (the communication channel), and two resistors on each end (one representing binary 0, the other binary 1). Attached to the wire is a power source that has been treated with Johnson-Nyquist noise (thermal noise). Johnson noise is often the basis for creating random numbers with computer hardware."


  1. Hehehe by Hatta · · Score: 5, Funny

    Johnson noise.

    --
    Give me Classic Slashdot or give me death!
    1. Re:Hehehe by Anonymous Coward · · Score: 2, Funny

      Or vagina.

  2. Real Geniuses by Overzeetop · · Score: 4, Funny

    I want to know if the Laszlo in this story also has an underground room where he prepares and sends in entries to the Publishers Clearing House sweepstakes. And whose dorm room closet does he come out of?

    --
    Is it just my observation, or are there way too many stupid people in the world?
  3. Unbreakable encryption is easy! by Kenja · · Score: 5, Insightful

    Unbreakable encryption that can be decrypted is much harder.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  4. Kish again? by Dwonis · · Score: 5, Informative

    I remember when this was posted on Slashdot 7 years ago.

    1. Re:Kish again? by reebmmm · · Score: 4, Funny

      It's not a dupe, that one was based on Kirchhoff's Law. This one is based on Johnson-Nyquist noise.

      It's totally different. // Doesn't actually know if it's different /// Is really, really impressed with Dwonis' memory. //// Is general Slashdot commenter with no knowledge of the things upon which he comments.

  5. A coincidence? by Anonymous Coward · · Score: 4, Funny

    Is it a coincidence that Johnson-Nyquist noise sounds exactly like an accordion and bagpipe duo playing La Marseillaise?

    1. Re:A coincidence? by DMUTPeregrine · · Score: 3, Funny

      As a bagpipe player, I am highly offended! Thermal noise would be a step up for the accordion.

      --
      Not a sentence!
  6. unbreakable been around for a while by Anonymous Coward · · Score: 3, Informative

    Claude Shannon proved in the 1940s that the Vernam cipher with a key the same size as the message, aka one-time pad, has perfect security. The USA built the world's first digital audio system during WWII in order to give such perfect security to voice communications between Roosevelt and Churchill, among others.

    1. Re:unbreakable been around for a while by JoshuaZ · · Score: 4, Insightful

      Yes, that's true in a trivial sense. What that essentially amounts to is that one has unbreakable encryption if one has a shared source of randomness that the eavesdropper lacks. So if you can do things like have physical couriers carry bits back and forth between set locations you can do that sort of thing. The problem is that such situations aren't very common. In most encryption contexts that would be much too inefficient or outright impossible (you don't want to be in a situation where in order to securely give your credit card number to Amazon they have to send someone over with a flash drive full of random bits). The key is making practical and close to unbreakable or outright unbreakable crypto that doesn't rely on such ridiculously strong assumptions.

    2. Re:unbreakable been around for a while by PatDev · · Score: 4, Interesting

      The important point that people seem to be missing is that quantum encryption *is* one-time pad. The system of quantum encryption consists of using entangled particles to be the shared source of randomness. Because both parties would be aware if anyone besides the two of them were observing the shared randomness, they can't exactly communicate via entanglement, but they can reach an arbitrary (i.e. not decided by either of them) consensus on the values in a random stream. This random stream is then used as the key of a one-time pad where the ciphertext is transported over a traditional channel of communication.

      For this reason, I consider the term "quantum encryption" to be a bit of a misnomer - nothing about the actual en/decryption is quantum. A better name would be "quantum key distribution" or "quantum consensus generation".

    3. Re:unbreakable been around for a while by bh_doc · · Score: 4, Informative

      Funnily enough, "quantum key distribution" is what it's actually generally referred to in the field.

    4. Re:unbreakable been around for a while by jmorris42 · · Score: 3, Interesting

      > send someone over with a flash drive full of random bits

      No, they would just have to send a mailman over every few years with a new credit card, which they already do. I just did some back-of-the-envelope math and if you assume a transaction could be sent in 64 bytes and you store only 1Gib of random pad in the card you could almost make a transaction per minute with it and even with a 5-year expiration date you wouldn't have to reuse the pad and break the security. The problem is Visa would need to retain that gigabit of data until the card expires and it might cost a bit to keep that much key material secure but it would be a very secure system. Apparently they believe the fraud losses are cheaper.

      Something to keep in mind next time you hear em whining. Or hear a Lifelock ad. It is only cheaper for them because they offload so much of the expense for their being cheap bastards onto us.

      --
      Democrat delenda est
  7. Still breakable by Metabolife · · Score: 2

    This approach assumes that only Alice and Bob know the current and voltage of the power source. This can be brute forced until a tangible message is found. Next...

    1. Re:Still breakable by PatDev · · Score: 4, Informative

      Tampering detection is all that is required for perfect security. The trick is that you do not transmit the message itself over this channel, you instead transmit a random stream of bits. Once both sides share a random stream of bits that they know has not been overheard, they can use that random stream as the key to a one-time-pad that can be transmitted over any traditional eavesdrop-able channel. You could just email the ciphertext over the public internet, since you know that you have an (unknown to any attacker) shared secret key, you have perfect secrecy.

    2. Re:Still breakable by MozeeToby · · Score: 3, Interesting

      Maybe I'm just being silly, but if you also encrypt the message using standard means it will look identical to random noise, making it impossible to tell if you stumbled upon the correct current and voltage in the first place. Alternatively, Alice and Bob are able to detect your trying to intercept their communications, which means they can alter their behavior long before you stumble upon the correct settings.

    3. Re:Still breakable by PatDev · · Score: 5, Informative

      The resistor stuff solves an orthogonal problem to OTP. OTP gives you perfect secrecy when you share an unknown secret key with the other party you are communicating with. This "resistor stuff" is how you get an unknown shared secret key with the other party. OTP still requires key distribution, which is what this does. The two are complementary, neither replaces the other.

    4. Re:Still breakable by Baloroth · · Score: 4, Informative

      No, you can't. There is nothing to "brute force": the current and voltage are essentially random. You can't brute-force that for the same reason you can't brute-force a one-time pad: there is nothing to brute-force. Also, while I'm not sure, I don't think Alice needs to know the current and voltage: it looks to me like only Bob does (Alice attaches a resistor with the resistance she wants, Bob does so randomly, Bob compares the current he sees with what it was originally minus the resistor he attached: only Bob needs to know the original current). The only way to decrypt the data stream is if you know what resistor either side attached, and you can't do that without adding energy to the system, which Bob will notice (Alice too if she knows what the current was originally, but that would mean Alice and Bob already have a shared randomness, which means they don't need any tricks to encode a message: they can just use that randomness as a one-time pad).

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    5. Re:Still breakable by sjames · · Score: 3, Informative

      Knowing V and I doesn't help you because you don't know how much of the R that resulted in I given V was from Alice's end and how much from Bob's. Only they know that.

    6. Re:Still breakable by swillden · · Score: 4, Informative

      > If you can decrypt something that means there is a method to do so. You pass the message and one-time pad into this "function" and receive output.

      Yes, but how do you know when the output is correct?

      This is why an OTP provides perfect secrecy, if the key is secret. For a given ciphertext, there is some key that transforms it into every possible plaintext of the right length. This means that the result of brute force searching the keyspace for an n-bit ciphertext is every possible n-bit message. Thus, the only information you can get out of an OTP-encrypted message is the message length -- assuming it wasn't padded. With padding, the only information you can get is the maximum length.

      The same problem actually occurs with "normal" ciphers and short messages. If I use AES to encrypt a one-bit message (perhaps padding the rest of the block with random bits), every possible AES key will result in an apparently-valid decryption -- the first bit will be either 0 or 1. But I have no way to tell which is right, even though I know that 2^128-1 of them are wrong. Claude Shannon defined the concept of the "unicity distance" to describe this, "unicity distance" being, basically, the length of the smallest amount of ciphertext which an attacker with infinite resources needs in order to determine the correct key, by examining resulting plaintexts. With an OTP, the unicity distance is infinite because as the message grows so does the key, without bound.

      Assuming the key is secret... which is the hard part with one-time pad protocols.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    7. Re:Still breakable by harlows_monkeys · · Score: 4, Informative

      > IMHO, the fallacy in the claim of unbreakable one-time pad encryption is the reliance that all computed plain-texts for the key space are equally possible to be the correct plain-text for the cipher text.
      >
      > Imagine you are a being that exists beyond time and space and can experience all possibilities at the same time. I would think that all possible computed plain-texts would mostly look like a huge pile of crap, but an exceedingly few amount are going to look like something you recognize, and then one of them will look like an Apple.
      >
      > Once again, that does not mean one-time pads are not very secure. They are very secure, just not truly unbreakable.

      No, a one time pad with a true random key is truly unbreakable.

      What you've overlooked is that when your hypothetical Godlike being sees all possible computed plain texts, that consists of every possible message of the length of the cipher text.

      Note that what the Godlike being sees when he tries all possible decryptions does not depend on what the message is (other than the length). Thus, he gets absolutely no information from the cipher text (other than the length).

      Try thinking about it with a small example and that should help you see it. For instance, do a 3 bit message. We've got 8 possible messages: 000, 001, 010, 011, 100, 101, 110, and 111. Let's say you know that only 001, 010, and 100 make any sense. Alice sends to Bob the encrypted message 110.

      When your Godlike being considers all possible decryptions, he gets 000, 001, 010, 011, 100, 101, 110, and 111, depending on whether the key was 110, 111, 100, 101, 010, 011, 000, or 001.

      So he looks at these, and picks out 001, 010, and 100 as the only meaningful messages. Now what? He has no idea which is the right message.

      Now perhaps he knows that some of the meaningful messages are more likely than others. Maybe he knows that 99% of the time, Alice sends 010. So he will probably be right if he guesses that this message was 010.

      However, he'd have had exactly the same chance of being right if he had guessed 010 without even looking at Alice's message!
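The 3-bit argument above, carried through numerically as an added example (not part of the original comment). The 99% weight on 010 is from the comment; the even split of the remaining 1% between 001 and 100 and the restricted key set are assumptions, the latter constructed to show what changes when the key is not uniformly random.

```python
from fractions import Fraction
from itertools import product

def xor_bits(a, b):
    """Bitwise XOR of two equal-length bit strings."""
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def all_bitstrings(n):
    return ["".join(bits) for bits in product("01", repeat=n)]

def candidate_decryptions(ciphertext):
    """Map every possible key to the plaintext it would decrypt to."""
    return {k: xor_bits(ciphertext, k) for k in all_bitstrings(len(ciphertext))}

def posterior(ciphertext, prior, key_dist):
    """P(message | ciphertext), by enumerating every (message, key) pair
    and keeping the pairs that actually encrypt to the observed ciphertext."""
    joint = {}
    for m, p_m in prior.items():
        for k, p_k in key_dist.items():
            if xor_bits(m, k) == ciphertext:
                joint[m] = joint.get(m, Fraction(0)) + p_m * p_k
    total = sum(joint.values())
    if total == 0:
        return {}  # this ciphertext cannot occur under the given model
    return {m: p / total for m, p in joint.items()}

# What the eavesdropper believes before seeing anything.
# 99% for 010 is from the comment; the 0.5% / 0.5% split is assumed.
PRIOR = {"010": Fraction(99, 100),
         "001": Fraction(1, 200),
         "100": Fraction(1, 200)}

# A true one-time pad: every 3-bit key equally likely.
UNIFORM_KEYS = {k: Fraction(1, 8) for k in all_bitstrings(3)}

# Constructed weak generator: the first key bit is stuck at 1.
WEAK_KEYS = {k: Fraction(1, 4) for k in all_bitstrings(3) if k[0] == "1"}

if __name__ == "__main__":
    print("key -> plaintext:", candidate_decryptions("110"))
    print("uniform key:", posterior("110", PRIOR, UNIFORM_KEYS))
    print("weak key:   ", posterior("110", PRIOR, WEAK_KEYS))
```

With the uniform key the posterior equals the prior for every ciphertext; with the stuck bit, seeing 110 rules out 100 entirely, so the ciphertext leaks information.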

  8. The fundamental idea by JoshuaZ · · Score: 5, Informative

    The basic idea of the key exchange is a variant of an older key exchange idea. The very basic idea involves Alice and Bob having a wire that goes between them. Each of the two has two resistors, one with very low resistance and one with high resistance. To gain a series of random bits, Alice and Bob both randomly choose a resistor and connect it to the wire and then measure the resistance through the whole system. If they both used the high or both used the low resistance resistors they throw out those exchanges. Whenever they have one medium and one high, they will both know which one had a low and which one had a high because they'll know their own. But Eve the evil eavesdropper, even if she has a connection into the line, won't be able to get this just from knowing the total resistance. In some weak respects this resembles a physical analog of the Diffie-Hellman key exchange (http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange). The process being proposed here though, a Kish key exchange (http://en.wikipedia.org/wiki/Kish_cypher), does some clever stuff with the thermodynamics end to deal with man-in-the-middle and other related attacks.
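An idealized model of the exchange described in the comment above, as an added example that is not part of the original post. It assumes an ideal wire with exact resistance measurement and no noise, delay or tampering; the resistor values and the bit convention are constructed.

```python
import random
import secrets

R_LOW, R_HIGH = 1_000, 100_000  # ohms; constructed values for illustration

def run_exchange(rounds, rng=None):
    """Simulate the resistor exchange; return (alice_key, bob_key, eve_log).

    eve_log holds, per round, the total loop resistance an eavesdropper
    on the wire could measure and whether the round was kept.
    """
    rng = rng or secrets.SystemRandom()
    alice_key, bob_key, eve_log = [], [], []
    for _ in range(rounds):
        r_alice = rng.choice((R_LOW, R_HIGH))
        r_bob = rng.choice((R_LOW, R_HIGH))
        total = r_alice + r_bob          # visible to everyone on the wire
        kept = total == R_LOW + R_HIGH   # only mixed rounds are usable
        eve_log.append((total, kept))
        if not kept:
            continue  # low/low or high/high: the total gives both choices away
        # Each side subtracts its own resistor to learn the other's choice.
        bob_as_seen_by_alice = total - r_alice
        alice_as_seen_by_bob = total - r_bob
        # Assumed convention: the key bit is 1 when Alice holds the HIGH resistor.
        alice_key.append(1 if bob_as_seen_by_alice == R_LOW else 0)
        bob_key.append(1 if alice_as_seen_by_bob == R_HIGH else 0)
    return alice_key, bob_key, eve_log

def eve_candidates(total):
    """Every (alice, bob) resistor assignment consistent with a measured total."""
    options = (R_LOW, R_HIGH)
    return [(a, b) for a in options for b in options if a + b == total]

if __name__ == "__main__":
    a, b, log = run_exchange(32, random.Random(7))  # seeded only for a repeatable demo
    print("keys agree:", a == b, "| bits kept:", len(a), "of", len(log))
    print("mixed round, Eve's candidates:", eve_candidates(R_LOW + R_HIGH))
    print("low/low round, Eve's candidates:", eve_candidates(2 * R_LOW))
```

In this model every kept round shows Eve the same total with two equally consistent assignments, which is why only those rounds contribute key bits; the objections raised elsewhere in the thread concern exactly the physical effects this model leaves out.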

    1. Re:The fundamental idea by History's Coming To · · Score: 3, Insightful

      But given that the noise is fundamentally based on quantum mechanical events, can this really claim to be classical rather than a clever way to generate a quantum key?

      --
      Please consider this account deleted, I just can't be bothered with the spam anymore.
  9. Welp by tanujt · · Score: 5, Funny

    I don't know about y'all, but I like my cats dead when I open the box.

    1. Re:Welp by newcastlejon · · Score: 2

      > I don't know about y'all, but I like my cats dead when I open the box.

      Agreed. Considering the default state of a cat, which is a cold hatred for all human life, dead is infinitely preferable to the third alternative: bloody furious.

      --
      If God forks the Universe every time you roll a die, he'd better have a damned good memory.
  10. It's been proposed, and it won't work. by Animats · · Score: 5, Insightful

    As someone pointed out, this was on Slashdot 7 years ago. Here's the referenced paper.

    The idea is simple. At both ends of the wire, random data modulated with content is being emitted. At any point on the wire, you see the sum of two random sources. But each end knows their own random data, and can subtract it out.

    To break the system, you need two taps on the wire, some distance apart. Now you get to see the sums of the signals from each end, but with different time shifts between them due to propagation delay. With that data, you can separate out what's coming from each end. This allows recovering the original signals.

    "No new encryption system is worth looking at unless it comes from someone who has already broken a very hard one." - Friedman.

    1. Re:It's been proposed, and it won't work. by JesseMcDonald · · Score: 2

      > The idea is simple. At both ends of the wire, random data modulated with content is being emitted. At any point on the wire, you see the sum of two random sources. But each end knows their own random data, and can subtract it out.

      Actually, the proposal (which you linked to) does not involve transmitting the content on the wire at all. The circuit consists of a loop with resistors in two places, and no power source. The random signal consists of induced current from thermal noise or an external noise source; the power distribution of the noise is affected by the resistors. Supposedly there is no way to know from measuring the noise where each resistor is in the circuit.

      I'm not prepared to claim that the system is as secure as the paper suggests, but I think you need to look more closely before saying it's flawed.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
    2. Re:It's been proposed, and it won't work. by bazmonkey · · Score: 2

      > To break the system, you need two taps on the wire, some distance apart. Now you get to see the sums of the signals from each end, but with different time shifts between them due to propagation delay. With that data, you can separate out what's coming from each end. This allows recovering the original signals.

      From Wikipedia on the Kish cypher, just cut the signal during resistor switches. Or, more practically, note that recording noise accurately takes more time than switching the resistors would.

  11. Ridiculous, quantitatively. by Ancient_Hacker · · Score: 3, Interesting

    A ridiculous idea, if you're an electrical engineer, for many reasons:

    (1) The noise on the wire, for reasonable values of resistors and bandwidth, is down in the low microvolts. If the cable is unshielded, it's going to pick up several microvolts of radio signals per foot. Even if it's really well shielded, we're still talking microvolts per kilometer.

    (2) Eve can put a probe signal on the wire, it just has to be random noise. Alice and Bob have no way of proving that a small spike of random noise, only half a standard deviation above the average, isn't perfectly fine Johnson noise coming from the other end. Eve knows the amplitude of the noise she is putting on the wire, so she can subtract that amount, and the difference reveals the values of the resistors.

    (3) For any moderately long wire, in the kilometer range, there is a time delay, allowing Eve to inject short bursts of noise and get the resistor info from each end coming back, spread out in time.

    (4) Bell Labs proposed this idea, the part about injecting noise in from both ends, back around 1955.