Scientists Make Quantum Encryption Breakthrough 156

Madas writes "Scientists working in Cambridge have managed to make quantum encryption completely secure (registration required) by putting decoy pulses in the key transmission stream. According to the story this paves the way for safe, encrypted high-speed data links. Could this allow completely private transmission of data away from snooping eyes and ears? Or will it mean film studios can stop movies from being copied when traveling on the internet?"

  • by harkabeeparolyn ( 711320 ) on Thursday February 22, 2007 @02:10AM (#18105660)
    ... not encryption. Quantum encryption or even computing is as pie in the sky as ever.
  • Full Text (Score:5, Informative)

    by Anonymous Coward on Thursday February 22, 2007 @02:12AM (#18105678)
    Researchers have managed to close a loophole in quantum cryptography that could allow a hacker to determine a secret key transmitted using the technology.

    Working at Toshiba Research Europe in Cambridge, scientists found that laser diodes used to transmit keys used to encrypt data, known as Quantum Key Distribution (QKD), sometimes transmitted more than one photon at a time. Quantum encryption works by transmitting key data as a stream of single photons.

    Should an eavesdropper try to intercept the transmission, monitoring a single photon would change the state of that photon, and this would make both ends of the transmission aware that the data had been eavesdropped. However, the laser diodes can sometimes transmit more than one photon and so a hacker could monitor the second photon, leaving the first photon unchanged and this would not alert anyone that the key transmission had been compromised.

    But scientists have now added decoy photons to the key data. When an eavesdropper now tries to monitor extra photons, they will also monitor the decoy photons. Scientists said these decoy photons or "decoy pulses" are weaker on average and so very rarely contain two or more photons.

    If an eavesdropper attempts a pulse-splitting attack, they will transmit a lower fraction of these decoy pulses than signal pulses. By monitoring the transmission of the decoy and signal pulses separately this type of intervention can be detected, according to scientists.

    By introducing decoy pulses, the researcher found that stronger laser pulses could be used securely, increasing the rate at which keys may be sent. By using this method keys could be transmitted securely over a 25km fibre to an average bit rate of 5.5kbits/sec, a hundred-fold increase on previous efforts.

    "Using these new methods for QKD we can distribute many more secret keys per second, while at the same time guaranteeing the unconditional security of each," said Dr Andrew Shields, Quantum Information group leader at Toshiba Research Europe. "This enables QKD to be used for a number of important applications such as encryption of high bandwidth data links."

    The researchers also discovered a second method to push bit-rates even higher for QKD. The scientists have created the first semiconductor diode that can be controlled with electrical signal input to emit only single photons at a wavelength compatible with optical fibres. This 'single photon source' method eliminates the problem of multi-photon pulses altogether, claimed the research.

    The single photon diode has a structure similar to an ordinary semiconductor light emitting diode (LED), but measures just 45 nm in diameter and 10 nm in height. The dot can hold only a few electrons and so can only ever emit one photon at a time at the selected wavelength. The source operates with only electrical signals, which is essential for practical applications such as QKD. Initial trials with the new device, reported recently in the scientific journal Applied Physics Letters, showed the multi-photon rate from the device to be five times lower than that of a laser diode of the same intensity.
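The decoy-pulse check described in the article text above, as an added example that is not part of the original post or of the researchers' work. It assumes a Poisson-distributed weak laser source and a lossy fibre with no dark counts; the mean photon numbers (0.5 signal, 0.1 decoy), the transmittance 0.1, the tolerance and all function names are illustrative assumptions.

```python
import math

def multi_photon_prob(mean):
    """P(n >= 2) for a Poisson-distributed weak laser pulse."""
    return 1.0 - math.exp(-mean) * (1.0 + mean)

def single_photon_prob(mean):
    """P(n == 1) for the same source."""
    return math.exp(-mean) * mean

def honest_gain(mean, eta):
    """Fraction of pulses Bob detects over a fibre with transmittance eta
    (assumption: no dark counts, ideal detector)."""
    return 1.0 - math.exp(-eta * mean)

def splitting_yields(signal_mean, eta):
    """Forwarding rates (single-photon, multi-photon) of a pulse-splitting
    eavesdropper who keeps the signal gain exactly at its honest value."""
    target = honest_gain(signal_mean, eta)
    multi = multi_photon_prob(signal_mean)
    if multi >= target:          # multi-photon pulses alone reach the target
        return 0.0, target / multi
    return (target - multi) / single_photon_prob(signal_mean), 1.0

def gain_with_yields(mean, y_single, y_multi):
    """Gain of a pulse class when forwarding depends only on photon number,
    which is all the eavesdropper can see (signal and decoy look alike)."""
    return y_single * single_photon_prob(mean) + y_multi * multi_photon_prob(mean)

def decoy_check(signal_mean, decoy_mean, signal_gain, decoy_gain, tolerance=0.2):
    """True when the decoy gain is lower than a plain lossy channel, fitted
    to the observed signal gain, would produce."""
    eta_est = -math.log(1.0 - signal_gain) / signal_mean
    expected = honest_gain(decoy_mean, eta_est)
    return decoy_gain < (1.0 - tolerance) * expected

def run(signal_mean=0.5, decoy_mean=0.1, eta=0.1):
    """Return {case: (signal gain, decoy gain, flagged)} for both channels."""
    y1, y2 = splitting_yields(signal_mean, eta)
    cases = {
        "honest": (honest_gain(signal_mean, eta), honest_gain(decoy_mean, eta)),
        "split": (gain_with_yields(signal_mean, y1, y2),
                  gain_with_yields(decoy_mean, y1, y2)),
    }
    return {name: gains + (decoy_check(signal_mean, decoy_mean, *gains),)
            for name, gains in cases.items()}

if __name__ == "__main__":
    for name, (q_sig, q_dec, flagged) in run().items():
        print(f"{name:6s} signal={q_sig:.5f} decoy={q_dec:.5f} flagged={flagged}")
```

The signal gain is identical in both cases, so monitoring signal pulses alone shows nothing; only the separately tracked decoy gain exposes the interference.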
  • by xxxJonBoyxxx ( 565205 ) on Thursday February 22, 2007 @02:25AM (#18105724)
    If you're only protecting the transport from spying eyes (with quantum encryption or whatever), that's only a part of what you need to protect your data.

    This is the same reason why many, if not most, "SSL-protected" or "SSH-protected" servers are really sitting ducks: interesting data is still sitting in the clear on the endpoint servers' hard drives. (And don't get me started about "AUTH TLS" email forwarding...)

  • Re:Stop piracy? (Score:3, Informative)

    by eklitzke ( 873155 ) on Thursday February 22, 2007 @02:25AM (#18105730) Homepage
    With quantum encryption you cannot conduct a meaningful MITM attack. This is called the observer effect, and is a very well known and studied phenomenon of quantum mechanics.
  • ahem (Score:3, Informative)

    by GlitchyBits ( 1066840 ) on Thursday February 22, 2007 @02:28AM (#18105752)
    Quantum encryption is quite a misleading expression since the quantum mechanics is only used to securely transmit a cryptographic key ... not encrypting the message.
  • Point to point (Score:5, Informative)

    by nickovs ( 115935 ) on Thursday February 22, 2007 @02:34AM (#18105780)
    The biggest drawback of this technology is not that it is in fact a key distribution method rather than an encryption scheme. It is that, as with pretty much all QKD systems, this only works if you have a continuous fibre-optic cable from one end to the other. That might be fine for linking two embassies or two military facilities but it makes it a bit useless for the Internet.
  • Re:ahem (Score:5, Informative)

    by dido ( 9125 ) <dido&imperium,ph> on Thursday February 22, 2007 @02:37AM (#18105792)

    Public key encryption is, in practice, used pretty much the same way as well. Public key algorithms are generally used as part of a secure key exchange protocol rather than encrypting a message directly.

  • by Beryllium Sphere(tm) ( 193358 ) on Thursday February 22, 2007 @02:58AM (#18105904) Journal
    Elsewhere in the comments people have correctly pointed out that it isn't encryption at all and that it is fundamentally incompatible with any router, switch, bridge or even repeater.

    There's also the limit of 5.5 kbps, though that might be improved.

    The issue that should have killed this idea ten years ago when Shamir pointed it out is that an attacker who has spliced the fiber can read the polarizer without ever looking at a single one of the transmitted photons.

    Send the $#$@! key material by bonded courier in a tamper-evident package if it's that important. If for some reason that's not enough then split (e.g. Blakley-Shamir) the key material into shares, send each separately, and recombine when needed.
  • Re:ahem (Score:3, Informative)

    by GlitchyBits ( 1066840 ) on Thursday February 22, 2007 @03:13AM (#18105954)

    The problem with popular public key algorithms is that they are based on the assumption that the opponent doesn't have enough computational power in order to break it in a reasonable amount of time, or he doesn't know a polynomial deterministic algorithm to do so.

    The big advantage of using quantum key distribution is that it will (ideally) ensure that the cryptographic key you get has not been sniffed, and that you can securely exchange a key which is long enough in order to use a one time pad (which is an unconditionally secure way of encrypting a message).

  • Re:ahem (Score:3, Informative)

    by swillden ( 191260 ) * <shawn-ds@willden.org> on Thursday February 22, 2007 @03:36AM (#18106040) Journal

    "Unconditionally secure" assumes you have a perfectly random generator for your one-time pad. If I can find a way to predict the next number your RNG gave you, I may be able to defeat your one-time pad.

    Good random numbers are easy to obtain. There are any number of physical phenomena whose randomness is quantum in origin and therefore unpredictable. Just use one of them in a heavily-shielded room to ensure that none of your data leaks and you're golden.

    The hard part of using OTPs isn't generating the pads, it's transmitting and storing them securely. QC addresses secure transmission (though you still have to take care to avoid MITM attacks).

  • Re:Stop piracy? (Score:3, Informative)

    by Arancaytar ( 966377 ) <arancaytar.ilyaran@gmail.com> on Thursday February 22, 2007 @04:22AM (#18106246) Homepage
    From what I've read, quantum encryption only really becomes necessary if common prime-number algorithms are rendered ineffective by unforeseen advances in computing power (say, quantum computing or other stuff now considered science fiction). It's basically a one-time-pad - it is proven to be completely secure if used correctly, but in most cases, other theoretically breakable technologies are enough.

    And the only thing you need to transfer the signal is apparently an uninterrupted fibre-optic line.

    But this is basically Google and Wikipedia speaking, so I'm waiting for a real expert to correct me on this.
  • by Anonymous Coward on Thursday February 22, 2007 @04:30AM (#18106306)
    See e.g. Wikipedia [wikipedia.org]:

    Quantum cryptography is still vulnerable to a type of MITM where the interceptor (Eve) establishes herself as "Alice" to Bob, and as "Bob" to Alice. Then, Eve simply has to perform QC negotiations on both sides simultaneously, obtaining two different keys. Alice-side key is used to decrypt the incoming message, which is reencrypted using the Bob-side key. This attack fails if both sides can verify each other's identity.
  • Re:Stop piracy? (Score:3, Informative)

    by gkhan1 ( 886823 ) <oskarsigvardsson ... m minus caffeine> on Thursday February 22, 2007 @05:15AM (#18106564)
    No this is basically true (there is a quantum computing algorithm called Shor's algorithm [wikipedia.org] which could crack prime numbers in O((log N)^3) time, a vast improvement over current algorithms) that would make prime-number algorithms obsolete. In that case, quantum cryptography could be something worth looking into (although by that time something else might have come along, quantum computing is at least 100 years from being practically able to do what is needed). I was just making fun of the idea that you would use quantum cryptography to achieve authentication. There are so many easier ways :)
  • by Anonymous Coward on Thursday February 22, 2007 @06:02AM (#18106748)
    QC is not bullshit from a mathematical perspective; there are well-known algorithms (such as the Shor factoring algorithm)..and IBM tested it back in 2001.

    The problem w/ QC is having enough entangled qubits to get up to useful capacity..and it's an insanely difficult engineering challenge.
    http://en.wikipedia.org/wiki/Quantum_computing [wikipedia.org] is a good intro to QC.

    While I agree that VC's will hype anything, your post is FUD crossed with a bit of 'get off my lawn, young whippersnappers'; it's also clear that you didn't spend 5 minutes researching QC before you held forth on it. Yes, it will be specialized and won't replace normal digital computers.

    Don't take this personally, but the fact that I can find complete nonsense at 5 insightful is one of the reasons that I don't read slashdot comments much; there is rarely a more misleading source of information available.

  • Re:ahem (Score:2, Informative)

    by Anonymous Coward on Thursday February 22, 2007 @07:22AM (#18107104)
    No, they would know. That's the whole point of quantum key exchange. Each photon sent has both linear and circular polarisation. The Heisenberg uncertainty principle states that measuring one of these states destroys all information about the other. This is the basis for QKE.

    Alice sends a stream of photons to Bob with random linear and circular polarisation. Call the string of bits represented by the linear polarisation 'a' - up is 1 and down is 0. The string represented by the circular polarisation we'll call 'b' - clockwise is 1 and anticlockwise is 0.

    Once Bob has received all the photons he tells Alice and she publicly announces all the bits of b. Bob discards the bits for 'a' which were transmitted in a photon for which his value for 'b' differs from what Alice announced. For example if Alice says b(i) = 1 but Bob has received b(i) = 0 he discards a(i). Bob also notifies Alice of which bits he has discarded.

    The line will have noise so a number of b(i) are expected not to match. However if a large number do not match it can be assumed that an attacker is listening in. If an attacker had been listening they would have only been able to measure a(i) or b(i) but not both. They would have to retransmit the photon and guess the value of whichever of a(i) or b(i) they did not measure. Due to the randomness of a and b they would have only a 0.5 probability of being successful for each photon. This becomes exponentially small as the number of photons is increased. When they are unsuccessful at reconstructing the photon Bob notices and discards that bit.

    If Alice and Bob agree on enough bits of b then it can be safely assumed there is no attacker and the remaining bits of 'a' are a key known only to them. This is a rather simplified description of what actually happens, but it should be enough to demonstrate that naive man-in-the-middle attackers like cutting the wire won't work.
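An added simulation, not part of the comment above, of how interception shows up as errors in a key exchange. It uses the standard two-basis BB84 protocol rather than the simplified scheme the commenter describes; the function names, the seed, the photon count and the 11% abort threshold are assumptions chosen for illustration.

```python
import random

def measure(bit, prep_basis, meas_basis, rng):
    """Measuring in the preparation basis returns the encoded bit; measuring
    in the other basis gives a uniformly random outcome."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)

def run_bb84(n_photons, eavesdrop, seed=1):
    """Return (sifted key length, error rate in the sifted key)."""
    rng = random.Random(seed)
    sifted = errors = 0
    for _ in range(n_photons):
        bit, a_basis = rng.randint(0, 1), rng.randint(0, 1)
        state_bit, state_basis = bit, a_basis
        if eavesdrop:
            # Intercept-resend: the interceptor must pick a basis blindly,
            # and the photon she resends is prepared in that basis.
            e_basis = rng.randint(0, 1)
            state_bit = measure(bit, a_basis, e_basis, rng)
            state_basis = e_basis
        b_basis = rng.randint(0, 1)
        b_bit = measure(state_bit, state_basis, b_basis, rng)
        if b_basis == a_basis:   # sifting: keep only matching-basis rounds
            sifted += 1
            errors += (b_bit != bit)
    return sifted, errors / sifted

def channel_ok(qber, threshold=0.11):
    """Abort decision: accept the key only if the error rate is below the
    threshold (assumed value; real systems derive it from a security proof)."""
    return qber < threshold

def undetected_probability(check_bits):
    """Chance that intercepting every photon causes no error in check_bits
    compared positions: each sifted bit survives with probability 3/4."""
    return 0.75 ** check_bits

if __name__ == "__main__":
    for label, eve in (("quiet line", False), ("intercept-resend", True)):
        n, qber = run_bb84(20000, eve)
        print(f"{label:17s} sifted={n} qber={qber:.3f} accept={channel_ok(qber)}")
    print("undetected over 100 check bits:", undetected_probability(100))
```

On an undisturbed line the sifted keys agree exactly, while full interception pushes the error rate to about 25%, so Alice and Bob abort long before a usable key exists.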
  • Re:Stop piracy? (Score:2, Informative)

    by Prune ( 557140 ) on Thursday February 22, 2007 @07:52AM (#18107240)
    There are a number of things wrong with your post. First of all, no one has in blind testing been able to distinguish 256 kb/s mp3 from the original CD version, even with very high end equipment. For most people 192 is also indistinguishable. So the answer is simple, just don't use lower than 192 bitrate. Second, playback and re-recording, besides the distortion of the analog stages, results in increased distortion from jitter effects in the A/D and D/A conversions (jitter in the digital stream going into the converter results in amplitude errors in the analog signal, and humans can hear less than 5 picoseconds of signal-correlated jitter).
  • Re:ahem (Score:2, Informative)

    by fenderized ( 976906 ) on Thursday February 22, 2007 @01:58PM (#18110912)
    Your link states:

    Quantum cryptography is still vulnerable to a type of MITM where the interceptor (Eve) establishes herself as "Alice" to Bob, and as "Bob" to Alice. Then, Eve simply has to perform QC negotiations on both sides simultaneously, obtaining two different keys. Alice-side key is used to decrypt the incoming message, which is reencrypted using the Bob-side key. This attack fails if both sides can verify each other's identity.
    which is pretty much what was stated.
  • by qcomp ( 694740 ) on Thursday February 22, 2007 @06:00PM (#18114652)
    Since the whole idea here is to eliminate the possibility for a man in the middle, intrusion detection is something valuable. Mind you, if the sending single photons was as un-interceptable as originally claimed, intrusion should be simply not possible, so I'm a bit stumped as to why would they want to detect something impossible. Maybe they know something we don't about how impossible it really is? (E.g., come to think of it, a laser kind of device inserted on the line could multiply that original photon thousands of times, all the clones having the exact same phase, polarisation, whatever.)

    The point is not that intrusion is impossible - but that it is always possible to detect intrusion (and hence abort the key distribution process if it is not secure).
    The point of the decoys is, AFAIK, essentially bandwidth: it makes it easier to detect intrusion and less of the "key" has to be sacrificed for that purpose.

    The basic point of quantum key distribution (QKD) is that any eavesdropping attempt will unavoidably (by, at your preference, the uncertainty principle, the no-cloning principle, or monogamy of entanglement) introduce noise into the data shared by the two communication partners -- and that the amount of noise in the transmitted data (which is in practice also unavoidable, even if there is no eavesdropping at all) allows one to put a strict upper bound on any information a possible eavesdropper might have obtained. If the bound is sufficiently low, further classical "privacy amplification" can then make the shared key as secret as desired, otherwise the protocol must be aborted.

    In the first protocols, a random sequence of only four quantum states was sent from A to B and used both for intrusion detection and key generation. It may not be surprising that sending other states as well (and monitoring what becomes of them) may tell A and B more about the eavesdropper's actions.

    BTW: the process behind the "kind of laser device" is "stimulated emission", which has indeed been shown to work in some cases as an "optimal cloning device". But even optimal cloning does not break QKD, since it can only clone half of the states faithfully and introduces noise in the other half.
