So for km long links they send what they call "weak" pulses of photons, and still call it QKD.
Yes, but the weak pulses still have an average number of photons well below 2. The loss in a long fiber only means that perhaps only 0.1 % to 1 % of the photons arrive at their destination, but those arriving may still be used to generate a secret key.
Nobody can say if a more precise model of reality will open up ways to intercept single photon transmissions without leaving traces.
No, but we also know that in a world where this is possible (sufficiently well), lots of other cool possibilities will open up, such as superluminal communication and time machines. The currently known laws of physics describe pretty much everything possible on earth (and other places in the universe with weak gravity) today. But of course if you could integrate a couple of black holes and maybe a few wormholes into your interception device, we cannot quite rule out that an attack is impossible.
The part about future privacy is spot on.
The following two statements in the last paragraph are wrong:
1. It fails if I send lots of photons each time (which I really need to do)
2. [It fails if] our attacker has better equipment than we do
As for 1, the performance certainly degrades quickly if you send more than one photon per signal, but it is still possible to get a secret key from two- and three-photon pulses provided a protocol ruling out photon-number-splitting attacks is used (such as decoy-state or SARG).
As for 2, in QKD setups it is always assumed that an attacker may do anything to the signals allowed by the laws of physics. For example, a photon-number-splitting attack is unfeasible with current technology, but it is still taken into account.
What is usually challenging in practice is avoiding side-channels. An attacker with better technology may attack side channels that the designers of the QKD equipment did not realize were there (or have the capability to test for). In principle, QKD based on entanglement may rule out many of the possible side channels (but it is still possible to get it wrong).
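Added example, not part of the comment above or of any QKD product: a small Python model of why weak pulses plus decoy states survive the photon-number-splitting (PNS) attack the comment mentions. It uses the comment's numbers (mean photon number 0.1, about 1 % of photons arriving) and the vacuum + weak-decoy bound on the single-photon yield from Lo, Ma and Chen (2005). The channel parameters (eta, y0), the decoy intensity nu and the attack model are constructed for the example.

```python
import math

def poisson(n, mu):
    """P(n | mu): photon-number distribution of a weak coherent pulse of mean photon number mu."""
    return math.exp(-mu) * mu ** n / math.factorial(n)

def gain(mu, yield_of, n_max=20):
    """Q_mu = sum_n P(n|mu) Y_n: probability that a pulse of intensity mu produces a click at Bob."""
    return sum(poisson(n, mu) * yield_of(n) for n in range(n_max + 1))

def honest_yields(eta, y0):
    """Lossy channel with transmittance eta and dark-count probability y0:
    an n-photon pulse is detected unless every photon is lost and no dark count fires."""
    return lambda n: 1.0 - (1.0 - y0) * (1.0 - eta) ** n

def pns_yields(mu, eta, y0):
    """Photon-number-splitting attack tuned to the signal intensity mu (constructed model):
    Eve blocks every single-photon pulse, keeps one photon of each multi-photon pulse and
    forwards the other over a lossless line with probability f, where f is chosen so that
    the signal gain Q_mu is exactly what Bob expects from the honest lossy channel."""
    q_mu_honest = gain(mu, honest_yields(eta, y0))
    p_multi = 1.0 - poisson(0, mu) - poisson(1, mu)
    f = (q_mu_honest - poisson(0, mu) * y0) / p_multi
    def yield_of(n):
        if n == 0:
            return y0          # vacuum: only dark counts, Eve leaves these alone
        if n == 1:
            return 0.0         # single photons never arrive
        return f               # multi-photon pulses: one photon forwarded with probability f
    return yield_of

def y1_lower_bound(mu, nu, q_mu, q_nu, y0):
    """Vacuum + weak-decoy lower bound on the single-photon yield Y_1 (Lo, Ma and Chen 2005),
    computed only from quantities Alice and Bob can measure: the gains at the two
    intensities and the dark-count rate."""
    return (mu / (mu * nu - nu * nu)) * (
        q_nu * math.exp(nu)
        - q_mu * math.exp(mu) * nu * nu / (mu * mu)
        - (mu * mu - nu * nu) / (mu * mu) * y0
    )

def decoy_check(yield_of, mu=0.1, nu=0.05, y0=1e-5):
    """Run the decoy-state estimate against a channel described by its yields Y_n.
    A non-positive single-photon gain bound means the run must be aborted."""
    q_mu = gain(mu, yield_of)
    q_nu = gain(nu, yield_of)
    y1 = y1_lower_bound(mu, nu, q_mu, q_nu, y0)
    q1 = y1 * poisson(1, mu)       # lower bound on the gain from genuine single-photon pulses
    return {"q_mu": q_mu, "q_nu": q_nu, "y1_lower": y1, "q1_lower": q1, "abort": q1 <= 0.0}

if __name__ == "__main__":
    ETA, Y0 = 0.01, 1e-5           # 20 dB of fibre loss, 1e-5 dark counts per pulse (constructed numbers)
    for name, channel in (("honest", honest_yields(ETA, Y0)), ("PNS", pns_yields(0.1, ETA, Y0))):
        r = decoy_check(channel)
        print(f"{name:6s} Q_mu={r['q_mu']:.3e} Q_nu={r['q_nu']:.3e} "
              f"Y1>={r['y1_lower']:+.3e} abort={r['abort']}")
```

With only the signal intensity, Bob sees the same click rate from the honest channel and from the attacked one; the attack is invisible. The decoy pulses at a second intensity are what expose it: their click rate under the attack is far below what the honest channel gives, the inferred single-photon yield goes negative, and the protocol aborts instead of producing a key Eve has a copy of.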
"they came long before and had an easy to use (and powerful) desktop back when it was almost unheard of"
I used Mandrake up to version 9.0. Unlike other distributions it worked out of the box without hours of fiddling to get a working setup. When I installed 9.2, that experience was gone and the Windows partition I hardly ever used before suddenly became my default choice for a while. Then Ubuntu came along. Hope it doesn't reinvent itself away from usefulness.
Not Linux. Randomness comes from the time (hardware, persistent), but also from the randomness of network traffic and other driver miscellanea such as HDD head seek times, mouse movements, keystrokes, CPU temperature data, electrical noise on the power supply (with the right hardware)...
If you start the LiveCD only to use online banking there isn't much time between the startup and the time you need randomness for a secret key. The question is if there is enough time to gather sufficient entropy from the environment.
Others have suggested seeding with the current time, but that is easy for an attacker to guess. Netscape's original SSL implementation was broken because the PRNG used only the current time (in microseconds) and the PID as a random seed ([1], [2]).
[1]: http://marc.info/?l=bugtraq&m=87602167418753&w=2
[2]: http://www.cs.berkeley.edu/~daw/papers/ddj-netscape.html
Since a LiveCD doesn't save anything between reboots, it doesn't have a random seed that it keeps changing. Therefore the random number generator is initialized to the same state every time a system is booted (and probably to the same state for all computers using a specific LiveCD image). When the random number generator is in a predictable state, isn't the security of SSL essentially gone?
To work around this, one can add some randomness to the random number generator on boot, but it is extra hassle. Something like "echo ssj s lsl sfi random hits on keyboard shdflsh sl fhlinaw nvnai dnsi >/dev/random"
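Added example, not from the comments above: a Python sketch of the attack the Netscape reference describes, against a key whose only entropy is the wall clock in microseconds and the process id. The seed mixing, the "session key", the handshake transcript and the attacker's search window are all constructed for this example and are not Netscape's code; the point is the size of the search space, not the details.

```python
import hashlib
import hmac
import random
import secrets

def weak_seed(secs: int, usec: int, pid: int) -> int:
    """Seed assembled only from the wall clock (seconds, microseconds) and the process id.
    Constructed for this example; it has the shape of the Netscape seeding, not its code."""
    return (secs * 1_000_000 + usec) * 65_536 + pid

def weak_session_key(secs: int, usec: int, pid: int) -> bytes:
    """128-bit 'session key' drawn from a PRNG seeded with weak_seed()."""
    prng = random.Random(weak_seed(secs, usec, pid))
    return prng.getrandbits(128).to_bytes(16, "big")

def handshake_mac(key: bytes, transcript: bytes) -> bytes:
    """Something the attacker sees on the wire and can recompute for a candidate key:
    a MAC over handshake data that is itself public."""
    return hmac.new(key, transcript, hashlib.sha256).digest()

def recover_key(observed_mac, transcript, secs, usec_center, usec_window, pid_lo, pid_hi):
    """Attacker side: enumerate every (usec, pid) inside the window, regenerate the key and
    test it against the observed MAC. Returns (key, candidates tried) or (None, tried)."""
    tried = 0
    lo = max(0, usec_center - usec_window)
    hi = min(999_999, usec_center + usec_window)
    for usec in range(lo, hi + 1):
        for pid in range(pid_lo, pid_hi + 1):
            tried += 1
            candidate = weak_session_key(secs, usec, pid)
            if hmac.compare_digest(handshake_mac(candidate, transcript), observed_mac):
                return candidate, tried
    return None, tried

def strong_session_key() -> bytes:
    """What to use instead: the OS CSPRNG (the kernel entropy pool), giving 2**128
    possibilities the attacker cannot narrow down from the clock or the process table."""
    return secrets.token_bytes(16)

if __name__ == "__main__":
    # Constructed scenario: a connection opened at a known second, unknown microsecond and PID.
    SECS, USEC, PID = 1_200_000_000, 417_233, 12_345
    transcript = b"ClientHello: constructed handshake bytes visible on the wire"
    key = weak_session_key(SECS, USEC, PID)
    mac = handshake_mac(key, transcript)
    # The attacker knows the second from her packet capture, the microsecond to within
    # 250 us, and that PIDs on this box were around 12300 at the time (assumptions).
    found, tried = recover_key(mac, transcript, SECS, 417_000, 250, 12_300, 12_363)
    print("recovered" if found == key else "not found", "after", tried, "candidates")
    # Even with no narrowing at all the weak space is 10**6 * 2**16, about 2**36 seeds;
    # a 128-bit key from the OS pool is 2**128.
```

The same arithmetic is what makes the LiveCD case worrying: if the pool starts from an image-wide constant, the only entropy a freshly booted system has is whatever it managed to collect in the seconds before the TLS handshake, and an attacker who can bound that is in the position shown above.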
Quantum mechanics has been tested over several decades and has been found to describe the world we live in very accurately. Any post-quantum deviations would be very minor.
I agree with that. However, a very minor deviation could be enough. Cryptography is very, very sensitive to information leaks, far more than physical measurements. This could well mean that you can break messages later. And, incidentally, you still have a conventional network and conventional encryption for the actual message. This means you have to maintain two networks and one of them is pretty expensive.
During the "hardware phase" of a quantum key exchange there is a certain amount of noise that has to be corrected due to imperfections in the channel, and that means that in practice some information leakage is always possible. The apparatus therefore estimates the maximum possible amount of information leakage (making sure it is overestimated rather than underestimated) and performs "privacy amplification" to make sure that this information is useless to an eavesdropper (this lowers the key rate and is one of the reasons it is only 1 kbps). Now say an eavesdropper finds a new source of information leakage. This is only a problem if the total information leakage is greater than the estimated maximum leakage.
Here is a thought experiment for the key exchange: Say you can exchange 1kB of key material per second. Alternatively, say you have 1TB disks with one-time pads as key sources. This gives you enough key material for 31 years at the speed of the quantum link. Now, do you suppose creating these HDDs is cheaper or building and operating the quantum link is cheaper? I would say the pre-arranged one-time pads are several orders of magnitude cheaper. In addition, they are more reliable, easier to secure, well understood and use only proven technology.
I agree that creating and securing these HDDs is much cheaper, but a QKD system would fail more gracefully if you have a security breach in some realistic scenarios. Imagine that in month 2 you had an employee with malicious intent at your secure site. If this employee were able to copy the 1 TB HDD, anyone outside would be able to decrypt anything during the next 31 years. The same person would only be able to leak information from his period of employment if a continuously generated key is used. (This is a somewhat oversimplified version of an argument made by a MagiQ representative)
If you really, really need high security, one-time pads do the job relatively cheap and with known properties. If you need more regular security, conventional encryption is fine. Quantum key exchange has no place in this.
QKD probably has a place in niche markets (companies like MagiQ and IdQuantique actually have customers). An interesting observation regarding the cost of QKD devices is that the cost of a full system is not much higher than the single photon detectors they contain. This means that if somebody finds a way to manufacture single photon detectors cheaply, the cost of QKD devices will drop drastically. If the devices are not very expensive and you already have fibers, why not use them?
Disclaimer: I have benefited from SECOQC funding, but have not worked on anything related to the implemented network or any other QKD implementations.
Perhaps the most important weakness is that you cannot really route traffic, but need point-to-point links.
Well, the point of the SECOQC network is to demonstrate a network with routing capabilities. It is a network that consists of many point-to-point links.
All physical theories have proven inaccurate so far. This could fall over with one PhD student having a bright idea.
Quantum mechanics has been tested over several decades and has been found to describe the world we live in very accurately. Any post-quantum deviations would be very minor. We cannot exclude the possibility that if someone is able to put the fiber through a wormhole, something strange would happen, but from a bright PhD student imagining this possibility to this becoming realistic there is probably a span of several decades.
Also, a quantum cryptography protocol will have to be broken at the time of the key exchange. If someone realizes two minutes later how it could have been broken it's too late. With modern cryptography the encrypted messages may be intercepted and stored until some bright PhD student in computer science makes a breakthrough, so that all messages sent in the past can be decrypted.
I thought there was no copyright on data under US law. C.f. the OpenStreetMap legal issues http://www.opengeodata.org/?p=262. There may be contractual rights in the picture, but only if those were negotiated already.
The title and summary get this paper all wrong. It does not propose that ocean currents are causing the earth's magnetic field. It proposes that many of the small scale variations of the field are caused by variations in ocean currents. The main field is still produced by the core.
Interesting, but the paper seems to have a nasty habit of simply redefining what "capacity" means in a quantum context
The quantum capacity is defined completely analogously to the classical capacity of the channel: the number of error free qubits you can transfer per signal. Since a quantum channel can also be used to transfer classical information (by measuring the output), it also has a classical capacity. Since quantum information cannot be copied without errors it also has a private (or secret) capacity. All capacities are the number of error free quantum/private/classical bits per signal, optimized over all possible encodings.
Clearly the channels had SOME capacity for information transfer.
Yes, both channels have a non-zero capacity for transferring classical information. One of them even has a non-zero capacity for transferring secret information. What is not possible is to transfer even a single qubit of quantum information without significant error, given as many uses of the channel as you like and any quantum error correction procedure you can imagine.
My (preliminary) understanding of the example is that one of the channels (the symmetric one) allows the secret information of the other to be converted into quantum information. Btw, this is one of the best written papers I have read recently.
Why not use a more conventional, strong encryption method and then use quantum encryption on top of that?
Believe it or not, this is actually done in some commercial systems. The rationale is not that it is necessarily more secure, but that there are certification standards for conventional cryptography and the quantum crypto devices can then be certified.
But it turns out that an eavesdropper can make imperfect copies and use them to extract information from a quantum message without alerting sender or receiver (abstract). The Japanese design does just this.
This is wrong. The eavesdropper gets imperfect copies and so does the receiver. If the quality of the receiver's copies is as bad as the eavesdropper's, any working quantum crypto setup will abort and not try to make a secret key out of it.
That should worry banks and government agencies that have begun to use some of the commercial quantum encryption systems now available.
Nobody needs to worry about these kinds of attacks, as the software in all commercial quantum crypto systems automatically checks for and takes care of them. What the paper shows is how to implement in practice a class of attacks that has been known in theory for years.
There are other attacks on quantum crypto systems that actually attack loopholes in the implementation, and some of these have previously been discussed on slashdot here
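Added example, not from any of the comments above: a Python simulation of BB84 that ties together the two points made earlier, the privacy amplification step that shrinks the key by the estimated leakage, and the abort when the receiver's copy is as degraded as the eavesdropper's. Eve performs intercept-resend on a fraction of the pulses (the "imperfect copy" the disputed summary refers to); Alice and Bob sift, sacrifice a sample to estimate the QBER, abort above a threshold, and otherwise hash the remainder down with a Toeplitz universal hash. The abort threshold, the error-correction inefficiency and the security margin are assumed values marked in the code, and error correction itself is not implemented, only its cost is charged.

```python
import math
import random

QBER_ABORT = 0.11       # assumed abort threshold: one-way BB84 post-processing yields no key above ~11 % QBER
F_EC = 1.16             # assumed error-correction inefficiency: leak = F_EC * n * h2(Q) bits
SECURITY_MARGIN = 66    # assumed: extra bits sacrificed for a security parameter around 1e-10

def h2(p):
    """Binary entropy in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)

def toeplitz_hash(bits, out_len, seed_int):
    """Universal hash used for privacy amplification: output bit j is the parity of the input
    ANDed with an n-bit window of a random seed shifted by j. The windows form a Toeplitz
    matrix up to a fixed reversal of the input order, which does not affect universality."""
    n = len(bits)
    x = sum(b << i for i, b in enumerate(bits))
    mask = (1 << n) - 1
    return [bin((seed_int >> j) & mask & x).count("1") & 1 for j in range(out_len)]

def run_bb84(n_pulses, eve_fraction, noise, seed, sample_frac=0.2):
    """BB84 with an intercept-resend eavesdropper on a fraction of the pulses and a noisy
    channel. Returns the estimated QBER, whether the run aborted, and the final key."""
    honest = random.Random(seed)        # Alice, Bob and channel noise
    eve = random.Random(seed + 1)       # Eve's coins kept separate, so eve_fraction only adds errors
    a_bits = [honest.getrandbits(1) for _ in range(n_pulses)]
    a_bases = [honest.getrandbits(1) for _ in range(n_pulses)]
    b_bases = [honest.getrandbits(1) for _ in range(n_pulses)]
    b_coin = [honest.getrandbits(1) for _ in range(n_pulses)]     # Bob's outcome on a basis mismatch
    flip = [honest.random() < noise for _ in range(n_pulses)]      # channel noise
    # Eve measures in a random basis and resends what she saw: an imperfect copy that
    # randomizes the bit whenever her basis differs from Alice's.
    sent_bits, sent_bases = list(a_bits), list(a_bases)
    for i in range(n_pulses):
        if eve.random() < eve_fraction:
            e_basis = eve.getrandbits(1)
            if e_basis != a_bases[i]:
                sent_bits[i] = eve.getrandbits(1)
            sent_bases[i] = e_basis
    # Bob gets the bit if his basis matches the state he receives, a coin flip otherwise.
    b_bits = [(sent_bits[i] if b_bases[i] == sent_bases[i] else b_coin[i]) ^ flip[i]
              for i in range(n_pulses)]
    # Sifting over the public channel: keep positions where Alice's and Bob's bases agree.
    sifted = [i for i in range(n_pulses) if a_bases[i] == b_bases[i]]
    # Parameter estimation: reveal a random sample and count disagreements.
    sample = set(honest.sample(sifted, int(sample_frac * len(sifted))))
    qber = sum(a_bits[i] != b_bits[i] for i in sample) / len(sample)
    if qber > QBER_ABORT:
        return {"qber": qber, "aborted": True, "final_len": 0}
    key = [a_bits[i] for i in sifted if i not in sample]
    n = len(key)
    # Error correction is not implemented here; assume Bob's copy has been reconciled to
    # Alice's, revealing leak_ec bits on the public channel.
    leak_ec = math.ceil(F_EC * n * h2(qber))
    eve_info = math.ceil(n * h2(qber))        # BB84 bound on what Eve can know, taken pessimistically
    final_len = n - leak_ec - eve_info - SECURITY_MARGIN
    if final_len <= 0:
        return {"qber": qber, "aborted": True, "final_len": 0}
    hash_seed = honest.getrandbits(n + final_len - 1)   # public, sent over the authenticated channel
    return {"qber": qber, "aborted": False, "final_len": final_len,
            "key": toeplitz_hash(key, final_len, hash_seed)}

if __name__ == "__main__":
    for frac in (0.0, 0.15, 1.0):
        r = run_bb84(8000, eve_fraction=frac, noise=0.01, seed=7)
        print(f"Eve on {frac:4.0%} of pulses: QBER={r['qber']:.3f} "
              f"aborted={r['aborted']} key bits={r['final_len']}")
```

With Eve on every pulse the QBER lands around 25 % plus the channel noise and the run aborts, which is the behaviour the reply above describes. With Eve on a small fraction the run goes through, but the extra errors raise the estimated leakage and privacy amplification takes correspondingly more bits off the key, so whatever she learned about the sifted string is not present in the final one. The "new source of leakage" caveat in the earlier comment maps onto eve_info: the final key is only as safe as that estimate is an overestimate.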
Interesting. This detector probing could break the whole thing..
Yes, it could if devices allow for this. This has been known for years and no modern device that lets this happen will be taken seriously.