Swedish Researchers Break 'Unbreakable' Quantum Cryptography (eurekalert.org)
New submitter etnoy writes: Quantum key distribution is supposed to be a perfectly secure method for encrypting information. Even with access to an infinitely fast computer, an attacker cannot eavesdrop on the encrypted channel since it is protected by the laws of quantum mechanics. In recent years, several research groups have developed a new method for quantum key distribution, called "device independence." This is a simple yet effective way to detect intrusion. Now, a group of Swedish researchers question the security of some of these device-independent protocols. They show that it is possible to break the security by faking a violation of the famous Bell inequality. By sending strong pulses of light, they blind the photodetectors at the receiving stations which in turn allows them to extract the secret information sent between Alice and Bob.
The point of quantum crypto is to be able to detect whether someone is eavesdropping on you. Blinding detectors is kind of a tell-tale sign that something is wrong and parties should stop transmitting.
Paper author here. You can try detecting my specific attack, but it won't help. Sooner or later I'll find a way around your countermeasure and break it again. What we actually show in the paper is that the security proof is flawed. Fix the security proof and I won't ever be able to break it.
Quantum hacker.
"Quantum key distribution is supposed to be a perfectly secure method for encrypting information. Even with access to an infinitely fast computer, an attacker cannot eavesdrop on the encrypted channel since it is protected by the laws of quantum mechanics. In recent years, several research groups have developed a new method for quantum key distribution, called "device independence." This is a simple yet effective way to detect intrusion. Now, a group of Swedish researchers question the security of some of these device-independent protocols. They show that it is possible to break the security by faking a violation of the famous Bell inequality. By sending strong pulses of light, they blind the photodetectors at the receiving stations which in turn allows them to extract the secret information sent between Alice and Bob."
First of all, quantum key distribution is not a method for encrypting information. As its name judiciously indicates, it is a method to securely exchange encryption keys. This is not the same thing at all.
Second, the speed of the attacker's computer has no role in this attack and quantum key distribution has never claimed a code is unbreakable since there is no code to break here.
Third, quantum key exchange is a protocol, not a cipher. It relies on quantum mechanics features to tell Alice or Bob whether the just-received key is compromised or not, since it is not possible for a man in the middle to observe the key without being noticed. That is the idea behind this mechanism. Once keys are securely exchanged between both parties, a classically encrypted communication can take place between both parties.
Of course, if you are blinding the receiver, it may be possible to tamper with the key; however, the blinded party should notice it has been blinded. The whole thing rests on very low luminosity photon exchange. If the light beam is too strong, it clearly no longer exhibits the quantum characteristics needed to secure the key exchange. I don't really see where the problem is here since it is easy to determine the exchange can no longer be trusted due to high luminosity.
And finally, it seems to me this is old news.
Achille Talon
Hop!
Why are people always picking on Alice and Bob? All they want to do is live in peace, but they're thrown into black holes, sucked into whirlpools, and subjected to all sorts of unimaginable things.
Too bad FBI director James Comey doesn't read /. He'd see how insecure even the most thought-to-be-secure things - like backdoors - are and perhaps lose the impulse to make things even less secure and start moving in the other direction.
You know, it's possible that somewhere in the FBI there's one highly capable James Corney who is right now mopping floors in the basement because every time he and James Comey were evaluated by their superiors, personnel mixed up their reviews, owing to an unfortunate choice of fonts on the review forms.
Blinding detectors is kind of a tell-tale sign that something is wrong and parties should stop transmitting.
FTA: "An intuitive countermeasure to our attack is to add a power monitor to the analysis station that detects if the incoming light is too bright. If such an anomaly is detected, Alice and/or Bob are alerted and discard the relevant measurement outcomes. This modified Franson interferometer would not be vulnerable to the specific attack as described so far; however, it does not solve the postselection loophole, which is the actual issue at hand. "
Please stand clear of the doors, please keep away from the doors
You probably read the paper from Makarov: http://www.nature.com/nphoton/...
Our attack is performed on a different system, but our level of control is much higher (and also works with near 100% efficiency) than in Makarov's paper.
Measuring the optical power is not a solution to this attack. Sure, it'll detect it, but the attacker would just adapt. Instead, fix the actual flaw at hand, the incorrect security proof.
Quantum hacker.
Read the paper. QKD is secure. In fact, it's so secure that we can prove it will never be cracked. However, we found a flaw in the proof for a class of QKD devices, and the paper shows how to exploit that. Big difference to IT security where we can't prove security, just aim for the best.
Quantum hacker.
You can keep shifting phase angles, halting the blinding attack, but there may be a pre-emptive method, as you mention, of pre-arranging sufficient tautology of concurrent streams where a valid stream is channelized, not unlike how frequency-shift keying works. n>2 is a possibility, and perhaps even desired.
Go ahead, blind the detectors, make them think they're valid, except that the ones that stop you aren't the ones you desired, until you blind so many channels that the time domain rats out your actual physical location in the chain, and we send Guido.
---- Teach Peace. It's Cheaper Than War.
I've read about ways to handle this myself.
One way is to use the quantum connection channel to negotiate a session key via Diffie-Hellman, but each side also has a pre-shared key or a chunk from a one-time pad that gets XOR-ed or combined with the session key. Then the Internet or conventional channels are used for the bulk transmissions. The attacker would have to find the pre-shared info as well as decode the quantum crypto; each alone would score nothing.
Another way is to use the quantum channel for sending info... but wrap the info in an existing crypto protocol, be it IPSec or a VPN tunnel, SSH, SSL/TLS, or something else. This way the data is still protected, end to end. Since the quantum channel is relatively slow, adding another encryption layer wouldn't create much of a performance decrease.
What it boils down to is not trusting one form or layer as absolute, especially if the data going over the pipe is sensitive and valuable enough to warrant high security in the first place. The physical equivalent would be something valuable being placed in a sealed security container, then taken via armored car to the destination. If the armored car is compromised, the security container and the GPS on the container would still protect the contents. Similarly if the security container is the weakest link.
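The layered-key idea in the comment above, as an added example (not the commenter's code and not from the paper): a key obtained over the quantum channel and a pre-shared key are both fed into HKDF (RFC 5869) so that the bulk-traffic key depends on both inputs, alongside the commenter's plain XOR/one-time-pad style combination. The inputs and context labels are constructed values, and the HKDF implementation is written out here rather than taken from a library.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256: squeeze the input keying material into a PRK."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): stretch the PRK to `length` bytes bound to `info`."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_keys(qkd_key: bytes, psk: bytes, context: bytes) -> bytes:
    """Derive the bulk-traffic key from BOTH the quantum-channel key and the pre-shared key.

    Because both secrets enter the extract step, recovering only one of them
    (e.g. by breaking the QKD link) yields nothing about the derived key.
    `context` (e.g. a session identifier) is used as the HKDF salt.
    """
    prk = hkdf_extract(salt=context, ikm=qkd_key + psk)
    return hkdf_expand(prk, b"bulk-session-key", 32)


def xor_combine(a: bytes, b: bytes) -> bytes:
    """The one-time-pad style combination from the comment: secure only if both
    inputs are equal length, uniformly random, independent and never reused."""
    if len(a) != len(b):
        raise ValueError("XOR combination needs equal-length keys")
    return bytes(x ^ y for x, y in zip(a, b))


if __name__ == "__main__":
    # Constructed sample secrets; a real deployment draws these from the QKD link and the PSK store.
    qkd_key = bytes.fromhex("11" * 32)
    psk = bytes.fromhex("22" * 32)
    session = combine_keys(qkd_key, psk, context=b"constructed-session-0001")
    print("derived bulk key:", session.hex())
    print("xor-combined key:", xor_combine(qkd_key, psk).hex())
```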
No, it shows that this method of key distribution might be borked, nothing more.
Short logic lesson, your reasoning is indistinguishable in form from: 3 is prime, therefore all numbers are prime.
Or more bluntly: (Ex) P(x) --> (Ax) P(x)
is falsifiable in first-order logic. In English, this is "if there exists some x such that P(x), then for all x it is the case that P(x)."