How many Mhash do we get per Joule of energy spent? If it can't compete with ASIC miners on this, there is absolutely no point in doing it (other than juicy Slashdot headlines, of course)
Semantics. QKD is a way of obtaining a secure key which we then use to perform one-time pad encryption. In other words, we use it for encrypting information.
I don't understand this. Sending a one-time pad key is equivalent to sending the plaintext, as far as information transfer goes. (Otherwise, it isn't a real one-time pad.) The only advantage of the 1TP is that we can send the pad when we can get a secure communications channel, and then send messages at arbitrary times over insecure channels. If you have a reliable and persistent secure channel, why bother with the 1TP key?
Excellent question! QKD is just what it means, key distribution. There is actually no transmission between sender and receiver, instead it randomly establishes a secret, shared key at Alice's and Bob's place. Therefore, to do transmission, you use OTP to perform encryption.
Makarov's group attacked the E91 protocol, our paper attacks the Franson system. A significant difference is that we show the Franson system to be insecure even if the device is implemented with perfect devices. Makarovs papers are very well-written and interesting to read. I recommend starting to watch one of his YouTube lectures: https://www.youtube.com/watch?... , it is entertaining, highly interesting and is on a reasonable level for the average./ reader.
It's hard to argue about QKD without understanding how it works. Your starting point about QKD transmitting keys in the clear is wrong, as the information does not even exist in the quantum channel. Alice's and Bob's measurement operations are what create the secret key. That key is then used in a one-time pad. Also, OTP is exactly what we use after finishing a QKD session. The key requirements you talk about is exactly what makes OTP 100% secure.
The Franson interferometer is a QKD system that many (including senior researchers in the field!) believe is perfectly secure. Our paper shows it isn't and never will be. Also, there is no "general" QKD system, only a number of protocols, each with a corresponding security proof. The headline is correct.
In the QKD picture, the security proofs place no restriction on the computational power of the attacker, so Diffie-Hellman, IPSec, VPN Tunnels, SSH, SSL/TLS all become broken. The one crypto method that remains safe is the one-time pad. (We call this information-theoretic security). What QKD does is allow Alice and Bob to randomly and secretly generate a key. Therefore, the system is completely safe. In fact, we can prove this mathematically, so the QKD layer is absolute...well, except for the system we just showed to have a flawed security proof;)
From our paper: "An intuitive countermeasure to our attack is to add a power monitor to the analysis station that detects if the incoming light is too bright. [or, counts photons] If such an anomaly is detected, Alice and/or Bob are alerted and discard the relevant measurement outcomes. This modified Franson interferometer would not be vulnerable to the specific attack as described so far; however, it does not solve the postselection loophole, which is the actual issue at hand. " (emphasis added)
We're talking security here, so it is beneficial to look at it from Alice's and Bob's point of view. They can only relax when they use a QKD system with a complete security proof which guarantees security. If they use a system with a flawed security proof (what we show in the paper) they can never be secure. No matter how many blinding-detectors they apply and Guidos they hire, they can not be really sure that the system is attacked. In essence, we are back to the good old classical security picture which is a giant cat-and-mouse game.
Then, why would they use QKD in the first place? Either switch back to classical security measures, or choose a QKD system with a complete security proof. Our paper does list a system that has all the good properties of the Franson interferometer, but with a valid security proof. Read more here: http://www.nature.com/ncomms/2...
There is no such thing as "QC" in general, only a number of protocols. Each one of these protocols has their own security proof, and we've utterly broken the security of one of those protocols. You try to make a distinction between "QC" in general (which does not exist) and a certain implementation. But even if you build a machine out of ideal components, the protocol we attacked will not be secure since it's security proof is flawed.
So which part of that story have you attacked? And leave out the bits about the Frigembroten Sniggens defrobulation principals.
In QKD, you don't need any "extras" to be secure, it is information-theoretically secure all on its own. No need for signatures. We have found class of QKD devices that have a flaw in the security proof which allows an attacker to evade detection. We exploit this flaw by sending pulses of light to Alice and Bob which 1) allows the attacker to dictate the key and 2) evades detection. We never intercept the qubits, we replaced the source device with a trojan device of their own. Ordinarily, the security test should detect that the source device is misbehaving, but due to the flaw we found, it doesn't.
Read the paper. QKD is secure. In fact, it's so secure that we can prove it will never be cracked. However, we found a flaw in the proof for a class of QKD devices, and the paper shows how to exploit that. Big difference to IT security where we can't prove security, just aim for the best.
Oh, now I understand what you mean. If I am discovered, you will of course stop communicating. The next time you try to communicate, I might have discovered a way around your nifty attack-detector-thing. Or I might not. The point is that you can not guarantee that I won't attack your system unless you correct the flaws in the security proof. All of this is in the paper, but Makarov has an excellent write-up to your very question: http://scitation.aip.org/conte...
You can surely detect my attack by using an optical power meter, but eventually I'll figure out a way around this as well. What our paper really shows is that there is a missing link in the security proof. Fix the proof and you'll be safe forever.
Could you explain your attack in laymans terms? From what you said here, you've not really "broken" quantum encryption and worked around the wave function collapse, rather you've discovered that quantum encryption as currently defined is flawed and immune to the observer effect?
Any QKD protocol relies on a security proof, and the observer effect is only a small part of the puzzle. In this case, we attack the Franson interferometer which uses a security test in the form of a Bell inequality violation to make sure no attack is occurring. We have discovered a way to fake this Bell inequality violation.
Bell's theorem is a very interesting part of physics on it's own, I really recommend looking into the recent Vienna and NIST experiments (good writeup here). The short version is that it allows us to distinguish between "quantum" things and "classical" things with a surprisingly powerful tool, Bell's inequality.
In essence, when measuring Bell's inequality you need data on the form of Probability(A,B), where A is the setting Alice uses for her box and B the setting Bob uses for his box. However, the Franson interferometer is very deceptive here and gives you data on the form Probability(A,B | coincidence), which means you condition on coincidence, i.e. you remove half of the events from the statistical ensemble.
The net result is that you don't really measure Bell's inequality, but a similar but (unfortunately) useless cousin. This paper shows why this happens. Therefore, we can start attacking the system and at the same time, fool the security test. Again, the Franson interferometer removes half of the events, which means the apparent detector efficiency is 50% even in the ideal case.
Correct, and this is the same short explanation as I usually give, too. As always, the answer is much more complex (including the fact that we're not dealing with polarization in the Franson interferometer), but it gets the point across.
I just happened to break it....
You can surely detect my attack by using an optical power meter, but eventually I'll figure out a way around this as well.
First you say you broke it (past tense), then you say you will break it (future tense), yet your stated accomplishment is
Let me put it this way: I broke it (past tense), I break it (current) and will break it (future). Unless you re-establish full, provable security (which the Franson interferometer lacks) this is what will happen.
QE never promised to guarantee key exchange, so you are not causing it to break any promises.
QKD promises a secret key shared between Alice and Bob, what is your point?
QE promises Alice and Bob will know if/when the key is intercepted.
That is the function of the security test. In the Franson interferometer, the security test is a Bell inequality violation. We then show how to fake a Bell inequality violation, which makes the security test believe everyting is alright.
But you never extracted the key
Not only does our attack extract the key, it allows Eve to dictate the key to Alice and Bob.
you simply interrupted communications. Seems like a strawman to me.
We never claim to interrupt communication, we claim that we find and/or dictate the key. You are the one throwing strawmen.
You make up a non-existent claim of QE simply so you can tear that down, ignoring the actual claims QE makes.
Ditto.
Until you obtain the key in such a way that Alice and Bob do not know the key was intercepted, quite the opposite of preventing communications such as you have done, then you can claim you have broken QE.
As per above, we do obtain the key in such a way that Alice and Bob do not know the key was intercepted. Therefore I claim to have broken QKD:
You should read our paper before trying to discredit it.
Slashdot Mirror
Well, I can mine Bitcoin on an old 286 if I wanted to, but why would I? Sure, proof of concept, but still.
Because otherwise, any sane miner would buy an ASIC to use the solar power instead of wasting it away on (several orders of magnitude) worse phones.
How many Mhash do we get per Joule of energy spent? If it can't compete with ASIC miners on this, there is absolutely no point in doing it (other than juicy Slashdot headlines, of course)
In the EU, the GDPR will give EU citizens roughly the same powers. The UK is leaving the EU, so this law will be a replacement for it.
I don't understand this. Sending a one-time pad key is equivalent to sending the plaintext, as far as information transfer goes. (Otherwise, it isn't a real one-time pad.) The only advantage of the 1TP is that we can send the pad when we can get a secure communications channel, and then send messages at arbitrary times over insecure channels. If you have a reliable and persistent secure channel, why bother with the 1TP key?
Excellent question! QKD is just what it means, key distribution. There is actually no transmission between sender and receiver, instead it randomly establishes a secret, shared key at Alice's and Bob's place. Therefore, to do transmission, you use OTP to perform encryption.
The link to our paper is right there in TFS: http://advances.sciencemag.org...
Makarov's group attacked the E91 protocol, our paper attacks the Franson system. A significant difference is that we show the Franson system to be insecure even if the device is implemented with perfect devices. Makarovs papers are very well-written and interesting to read. I recommend starting to watch one of his YouTube lectures: https://www.youtube.com/watch?... , it is entertaining, highly interesting and is on a reasonable level for the average ./ reader.
It's hard to argue about QKD without understanding how it works. Your starting point about QKD transmitting keys in the clear is wrong, as the information does not even exist in the quantum channel. Alice's and Bob's measurement operations are what create the secret key. That key is then used in a one-time pad. Also, OTP is exactly what we use after finishing a QKD session. The key requirements you talk about is exactly what makes OTP 100% secure.
The Franson interferometer is a QKD system that many (including senior researchers in the field!) believe is perfectly secure. Our paper shows it isn't and never will be. Also, there is no "general" QKD system, only a number of protocols, each with a corresponding security proof. The headline is correct.
Someone read TFA? Pinch me ;)
We actually do blind the detector by flooding it with photons.
You'd be surprised, entanglement was in fact proven correct just the other day: http://physics.aps.org/article... Full paper here: http://journals.aps.org/prl/ab...
See my other replies to this question.
In the QKD picture, the security proofs place no restriction on the computational power of the attacker, so Diffie-Hellman, IPSec, VPN Tunnels, SSH, SSL/TLS all become broken. The one crypto method that remains safe is the one-time pad. (We call this information-theoretic security). What QKD does is allow Alice and Bob to randomly and secretly generate a key. Therefore, the system is completely safe. In fact, we can prove this mathematically, so the QKD layer is absolute...well, except for the system we just showed to have a flawed security proof ;)
From our paper: "An intuitive countermeasure to our attack is to add a power monitor to the analysis station that detects if the incoming light is too bright. [or, counts photons] If such an anomaly is detected, Alice and/or Bob are alerted and discard the relevant measurement outcomes. This modified Franson interferometer would not be vulnerable to the specific attack as described so far; however, it does not solve the postselection loophole, which is the actual issue at hand. " (emphasis added)
We're talking security here, so it is beneficial to look at it from Alice's and Bob's point of view. They can only relax when they use a QKD system with a complete security proof which guarantees security. If they use a system with a flawed security proof (what we show in the paper) they can never be secure. No matter how many blinding-detectors they apply and Guidos they hire, they can not be really sure that the system is attacked. In essence, we are back to the good old classical security picture which is a giant cat-and-mouse game.
Then, why would they use QKD in the first place? Either switch back to classical security measures, or choose a QKD system with a complete security proof. Our paper does list a system that has all the good properties of the Franson interferometer, but with a valid security proof. Read more here: http://www.nature.com/ncomms/2...
There is no such thing as "QC" in general, only a number of protocols. Each one of these protocols has their own security proof, and we've utterly broken the security of one of those protocols. You try to make a distinction between "QC" in general (which does not exist) and a certain implementation. But even if you build a machine out of ideal components, the protocol we attacked will not be secure since it's security proof is flawed.
So which part of that story have you attacked? And leave out the bits about the Frigembroten Sniggens defrobulation principals.
In QKD, you don't need any "extras" to be secure, it is information-theoretically secure all on its own. No need for signatures. We have found class of QKD devices that have a flaw in the security proof which allows an attacker to evade detection. We exploit this flaw by sending pulses of light to Alice and Bob which 1) allows the attacker to dictate the key and 2) evades detection. We never intercept the qubits, we replaced the source device with a trojan device of their own. Ordinarily, the security test should detect that the source device is misbehaving, but due to the flaw we found, it doesn't.
Read the paper. QKD is secure. In fact, it's so secure that we can prove it will never be cracked. However, we found a flaw in the proof for a class of QKD devices, and the paper shows how to exploit that. Big difference to IT security where we can't prove security, just aim for the best.
QKD doees not work if you use a repeater station, unfortunately you need direct line-of sight.
Oh, now I understand what you mean. If I am discovered, you will of course stop communicating. The next time you try to communicate, I might have discovered a way around your nifty attack-detector-thing. Or I might not. The point is that you can not guarantee that I won't attack your system unless you correct the flaws in the security proof. All of this is in the paper, but Makarov has an excellent write-up to your very question: http://scitation.aip.org/conte...
Could you explain your attack in laymans terms? From what you said here, you've not really "broken" quantum encryption and worked around the wave function collapse, rather you've discovered that quantum encryption as currently defined is flawed and immune to the observer effect?
Any QKD protocol relies on a security proof, and the observer effect is only a small part of the puzzle. In this case, we attack the Franson interferometer which uses a security test in the form of a Bell inequality violation to make sure no attack is occurring. We have discovered a way to fake this Bell inequality violation.
Bell's theorem is a very interesting part of physics on it's own, I really recommend looking into the recent Vienna and NIST experiments (good writeup here). The short version is that it allows us to distinguish between "quantum" things and "classical" things with a surprisingly powerful tool, Bell's inequality.
In essence, when measuring Bell's inequality you need data on the form of Probability(A,B), where A is the setting Alice uses for her box and B the setting Bob uses for his box. However, the Franson interferometer is very deceptive here and gives you data on the form Probability(A,B | coincidence), which means you condition on coincidence, i.e. you remove half of the events from the statistical ensemble.
The net result is that you don't really measure Bell's inequality, but a similar but (unfortunately) useless cousin. This paper shows why this happens. Therefore, we can start attacking the system and at the same time, fool the security test. Again, the Franson interferometer removes half of the events, which means the apparent detector efficiency is 50% even in the ideal case.
For even more info, see our previous paper: http://iopscience.iop.org/1751...
No need to be smug about anything.
That was never my intention, however am replying to needless accusations and need to be clear with my answers.
You claim to have broken QC while in fact, you have broken an implementation under certain circumstances.
Which is exactly what our paper says.
This is what your parent meant when he said it was old news.
This is the first attack of this kind on the Franson interferometer.
There have been multiple hardware vulnerabilities in the past.
Correct! The vulnerabilities found by Makarov et al. are excellent examples and have been an inspiration for us.
You really need to work on your discussion style. Proof by intimidation never works.
Again, not my intention.
Correct, and this is the same short explanation as I usually give, too. As always, the answer is much more complex (including the fact that we're not dealing with polarization in the Franson interferometer), but it gets the point across.
I just happened to break it. ...
You can surely detect my attack by using an optical power meter, but eventually I'll figure out a way around this as well.
First you say you broke it (past tense), then you say you will break it (future tense), yet your stated accomplishment is
Let me put it this way: I broke it (past tense), I break it (current) and will break it (future). Unless you re-establish full, provable security (which the Franson interferometer lacks) this is what will happen.
QE never promised to guarantee key exchange, so you are not causing it to break any promises.
QKD promises a secret key shared between Alice and Bob, what is your point?
QE promises Alice and Bob will know if/when the key is intercepted.
That is the function of the security test. In the Franson interferometer, the security test is a Bell inequality violation. We then show how to fake a Bell inequality violation, which makes the security test believe everyting is alright.
But you never extracted the key
Not only does our attack extract the key, it allows Eve to dictate the key to Alice and Bob.
you simply interrupted communications. Seems like a strawman to me.
We never claim to interrupt communication, we claim that we find and/or dictate the key. You are the one throwing strawmen.
You make up a non-existent claim of QE simply so you can tear that down, ignoring the actual claims QE makes.
Ditto.
Until you obtain the key in such a way that Alice and Bob do not know the key was intercepted, quite the opposite of preventing communications such as you have done, then you can claim you have broken QE.
As per above, we do obtain the key in such a way that Alice and Bob do not know the key was intercepted. Therefore I claim to have broken QKD:
You should read our paper before trying to discredit it.