Slashdot Mirror

← Back to Stories (view on slashdot.org)

Swedish Researchers Break 'Unbreakable' Quantum Cryptography (eurekalert.org)

Posted by Soulskill on from the everything's-vulnerable-somewhere dept.

New submitter etnoy writes: Quantum key distribution is supposed to be a perfectly secure method for encrypting information. Even with access to an infinitely fast computer, an attacker cannot eavesdrop on the encrypted channel since it is protected by the laws of quantum mechanics. In recent years, several research groups have developed a new method for quantum key distribution, called "device independence." This is a simple yet effective way to detect intrusion. Now, a group of Swedish researchers question the security of some of these device-independent protocols. They show that it is possible to break the security by faking a violation of the famous Bell inequality. By sending strong pulses of light, they blind the photodetectors at the receiving stations which in turn allows them to extract the secret information sent between Alice and Bob.

8 of 101 comments (clear)

  1. Re:quantum crypto is not "unbreakable" by etnoy · · Score: 5, Informative

    The point of quantum crypto is to be able to detect whether someone is eavesdropping on you. Blinding detectors is kind of a tell-tale sign that something is wrong and parties should stop transmitting.

    Paper author here. You can try detecting my specific attack, but it won't help. Sooner or later I'll find a way around your countermeasure and break it again. What we actually show in the paper is that the security proof is flawed. Fix the security proof and I won't ever be able to break it.

    --
    Quantum hacker.
  2. Why are people always picking on Alice and Bob? by AndyKron · · Score: 5, Funny

    Why are people always picking on Alice and Bob? All they want to do is live in peace, but they're thrown into black holes, sucked into whirlpools, and subjected to all sorts of unimaginable things.

  3. Re:Submitter has no clue what QC is. by etnoy · · Score: 5, Informative
    Paper author here.

    Submitter has no clue what QC is.

    Oh, sorry. I confess I know nothing about quantum cryptography, I just happened to break it.

    First of all, quantum key distribution is not a method for encrypting information. As its name judiciously indicates, it is a method to securely exchange encryption keys. This is not the same thing at all.

    Semantics. QKD is a way of obtaining a secure key which we then use to perform one-time pad encryption. In other words, we use it for encrypting information.

    Second, the speed of the attacker's computer has no role in this attack and quantum key distribution has never claimed a code is unbreakable since there is no code to break here.

    It's a layman's definition of the concept of information-theoretic security (ITS). Normal crypto is secure under certain hardness assumptions (i.e. hard to factor integers, hard to do discrete logarithms). If you give the attacker an infinitely fast computer, all those crypto methods will be broken. QKD on the other hand remains secure.

    Of course, if you are blinding the receiver, it may be possible to tamper with the key, however, the blinded party should notice it has been blinded.

    This is a very good question and there is a very good answer (one I even answer in the paper itself!) You can surely detect my attack by using an optical power meter, but eventually I'll figure out a way around this as well. What our paper really shows is that there is a missing link in the security proof. Fix the proof and you'll be safe forever.

    The whole thing rests on very low luminosity photons exchange. If the light beam is too strong, it clearly no longer depicted the quantum characteristics needed to secure the key exchange.

    Which makes our attack even juicier. We don't even need to use quantum phenomena to break the security of the QKD device, we just good ol' classical pulses of light.

    And finally, it seems to me this is old news.

    Please tell me more!

    --
    Quantum hacker.
  4. Re:quantum crypto is not "unbreakable" by NormalVisual · · Score: 3, Informative

    Blinding detectors is kind of a tell-tale sign that something is wrong and parties should stop transmitting.

    FTA: "An intuitive countermeasure to our attack is to add a power monitor to the analysis station that detects if the incoming light is too bright. If such an anomaly is detected, Alice and/or Bob are alerted and discard the relevant measurement outcomes. This modified Franson interferometer would not be vulnerable to the specific attack as described so far; however, it does not solve the postselection loophole, which is the actual issue at hand. "

    --
    Please stand clear of the doors, por favor mantenganse alejado de las puertas
  5. Re:quantum crypto is not "unbreakable" by etnoy · · Score: 3, Informative

    You probably read the paper from Makarov: http://www.nature.com/nphoton/...

    Our attack is performed on a different system, but our level of control is much higher (and also works with near 100% efficiency) than in Makarov's paper.

    Measuring the optical power is not a solution to this attack. Sure, it'll detect it, but the attacker would just adapt. Instead, fix the actual flaw at hand, the incorrect security proof.

    --
    Quantum hacker.
  6. Re:Submitter has no clue what QC is. by etnoy · · Score: 3, Informative

    I just happened to break it. ... You can surely detect my attack by using an optical power meter, but eventually I'll figure out a way around this as well.

    First you say you broke it (past tense), then you say you will break it (future tense), yet your stated accomplishment is

    Let me put it this way: I broke it (past tense), I break it (current) and will break it (future). Unless you re-establish full, provable security (which the Franson interferometer lacks) this is what will happen.

    QE never promised to guarantee key exchange, so you are not causing it to break any promises.

    QKD promises a secret key shared between Alice and Bob, what is your point?

    QE promises Alice and Bob will know if/when the key is intercepted.

    That is the function of the security test. In the Franson interferometer, the security test is a Bell inequality violation. We then show how to fake a Bell inequality violation, which makes the security test believe everyting is alright.

    But you never extracted the key

    Not only does our attack extract the key, it allows Eve to dictate the key to Alice and Bob.

    you simply interrupted communications. Seems like a strawman to me.

    We never claim to interrupt communication, we claim that we find and/or dictate the key. You are the one throwing strawmen.

    You make up a non-existent claim of QE simply so you can tear that down, ignoring the actual claims QE makes.

    Ditto.

    Until you obtain the key in such a way that Alice and Bob do not know the key was intercepted, quite the opposite of preventing communications such as you have done, then you can claim you have broken QE.

    As per above, we do obtain the key in such a way that Alice and Bob do not know the key was intercepted. Therefore I claim to have broken QKD:

    You should read our paper before trying to discredit it.

    --
    Quantum hacker.
  7. Re:Submitter has no clue what QC is. by etnoy · · Score: 3, Insightful

    You can surely detect my attack by using an optical power meter, but eventually I'll figure out a way around this as well. What our paper really shows is that there is a missing link in the security proof. Fix the proof and you'll be safe forever.

    Could you explain your attack in laymans terms? From what you said here, you've not really "broken" quantum encryption and worked around the wave function collapse, rather you've discovered that quantum encryption as currently defined is flawed and immune to the observer effect?

    Any QKD protocol relies on a security proof, and the observer effect is only a small part of the puzzle. In this case, we attack the Franson interferometer which uses a security test in the form of a Bell inequality violation to make sure no attack is occurring. We have discovered a way to fake this Bell inequality violation.

    Bell's theorem is a very interesting part of physics on it's own, I really recommend looking into the recent Vienna and NIST experiments (good writeup here). The short version is that it allows us to distinguish between "quantum" things and "classical" things with a surprisingly powerful tool, Bell's inequality.

    In essence, when measuring Bell's inequality you need data on the form of Probability(A,B), where A is the setting Alice uses for her box and B the setting Bob uses for his box. However, the Franson interferometer is very deceptive here and gives you data on the form Probability(A,B | coincidence), which means you condition on coincidence, i.e. you remove half of the events from the statistical ensemble.

    The net result is that you don't really measure Bell's inequality, but a similar but (unfortunately) useless cousin. This paper shows why this happens. Therefore, we can start attacking the system and at the same time, fool the security test. Again, the Franson interferometer removes half of the events, which means the apparent detector efficiency is 50% even in the ideal case.

    For even more info, see our previous paper: http://iopscience.iop.org/1751...

    --
    Quantum hacker.
  8. Re:It just shows that... by gtall · · Score: 4, Insightful

    No, it shows that this method of key distribution might be borked, nothing more.

    Short logic lesson, your reasoning is indistinguishable in form from: 3 is prime, therefore all numbers are prime.

    Or more bluntly: (Ex) P(x) --> (Ax) P(x)

    is falsifiable in first-order logic. In English, this is "if there exists some x such that P(x), then for all x it is the case that P(x)."