
First Exploit On Quantum Cryptography Confirmed

Posted by Soulskill
from the never-trust-the-photons dept.
Vadim Makarov writes "Physics World reports on researchers demonstrating a full eavesdropper on a quantum key distribution link. Unlike conventional exploits for security vulnerabilities that are often just a piece of software, spying on quantum cryptography required a box full of optics and mixed-signal electronics. Details are published in Nature Communications, and as a free preprint. The vulnerability was known before, but this is the first actual working exploit with secret-key recording confirmed. Patching this loophole is in progress. Disclosure: I am one of the researchers who worked on this."
  • That's that then.

    • Re:Oh well. (Score:5, Funny)

      by Anonymous Coward on Saturday June 18, 2011 @12:40PM (#36485766)
      No wait! The line is both perfectly secure and being eavesdropped on, at the same time. It's not until we hear the message that it becomes one or the other.
    • This is an attack on implementation details, not the underlying physics of quantum mechanics. The title could have been a little better. This is (apparently; my only source is the submitter, as he's also the source in the article) the first working exploit of a quantum cryptography system that was able to steal the key without being detected.
      • Re: (Score:2, Insightful)

        by Anonymous Coward

        The problem is there are always implementation details.
        The basic design of QC says:
        1) Assume that we can build these perfect emitters and detectors
        2) Now we've got something that's perfectly secure

        It's like saying:
        1) Assume I can create an invincible dragon
2) Let's use it to distribute crypto keys

This is not to say that QC is useless, but rather that its capabilities are severely overhyped.

        To put it another way, these "implementation details" are all part of the "underlying physics". Every piece of physi

• You're exaggerating your point (e.g. by talking about dragons and warp drive). One of the articles suggests you might mitigate this attack with a relatively simple extra verification step. This attack depends explicitly upon "blinding" a detector with light "above the intensity threshold" (certainly this is oversimplified). That's an attack on implementation details. Certainly I didn't mean to say that building a QC system is all "implementation details"; that would just be stupid. This one point that was at

          • by Anonymous Coward

            I think I made the point well.... since neither perfect emitters/detectors, dragons or warp drives exist.
Since these items don't exist, then the problem needs to be examined in the light of what actually does exist.

The fact that the detector has an intensity threshold isn't an implementation detail, it's a part of the underlying physics. Point me to a detector that doesn't have one.
            You can't just replace the detector with a different one that doesn't have this problem, you have to make the QC system more com

            • I wish I could mod this paragraph up:

              People are used to regular crypto, where the task of computing the result of a basic mathematic function can be safely left to hand-waving. You can do RSA with a computer, or longhand on a piece of paper. The properties of the computer aren't an assumed part of the way the system works. With QC, it is assumed that pieces of hardware behave in very specific ideal ways. You can't buy parts that work like that, you have to use real parts. Therefore the system design, and explanations of how a real system works need to account for that.

              I still think (from my fuzzy understanding of this attack) that it uses a specific implementation detail that depends upon the system used, and might be relatively easy to patch. Maybe they can use different wavelengths of photons, one for a test and one not--I don't have the expertise to say how much of a redesign is necessary. The article makes it sound like it's not a huge deal, and the Toshiba guys say in one of the other articles that their system isn't susceptible

              • Re:Oh well. (Score:5, Informative)

                by Vadim Makarov (529622) <makarov@vad1.com> on Saturday June 18, 2011 @05:17PM (#36486956) Homepage

                I still think (from my fuzzy understanding of this attack) that it uses a specific implementation detail that depends upon the system used, and might be relatively easy to patch. Maybe they can use different wavelengths of photons, one for a test and one not--I don't have the expertise to say how much of a redesign is necessary. The article makes it sound like it's not a huge deal, and the Toshiba guys say in one of the other articles that their system isn't susceptible to these attacks when properly operated.

Currently the problem is quite general, because most quantum cryptosystems today use detectors of the vulnerable type. We think it is patchable, just not by the approach the Toshiba group practices, but patchable. (We dislike Toshiba's approach for not being general and thorough, but more of a quick band-aid.) During the past 20 years there were a couple of problems of similar magnitude in quantum crypto, and they were solved. Note that similar problems periodically show in implementations of classical crypto.

                The future of quantum crypto will now be decided, from one side, by the market, and from another side, by publicly disclosed mathematical developments on various classical ciphers (which can be cracked overnight, but can also be proven more secure... I'm not a mathematician so I won't venture a guess for the odds of either). In quantum cryptography there is at least one well-engineered commercial system, several advanced commercial prototypes (Toshiba has one), and the hacking efforts are going to eliminate all easy loopholes in a reasonable time. It is also important how well quantum cryptography can be meshed into networks with many nodes and links. There have been several demonstrations of quantum crypto networks, the latest in Japan last year.

The current commercial systems (like ID Quantique's Cerberis [idquantique.com]) use quantum cryptography as an extra security layer on top of classical crypto. To get to the master key used to encrypt the data, one needs to crack both quantum key distribution and classical key distribution at the same time. We temporarily compromised the quantum layer in this work, but in a commercial installation the data security would hang on the classical crypto, until the quantum layer is patched. Of course the security of the symmetric ciphers (normally AES with frequent key changes) used for high-speed data encryption is another question, but I think there is also an option to establish a low-bandwidth highly-secure channel encrypted by one-time-pad. The whole reason AES is offered with quantum crypto is that the performance of the classical crypto has spoiled everybody, and the users do not want to separate communication into high-security and low-security categories. They just want to encrypt the whole 10 Gbps link, so this is the default option.

                • Thank you for the informative reply!
                • by owlstead (636356)

                  Of course the security of the symmetric ciphers (normally AES with frequent key changes) used for high-speed data encryption is another question

Especially since AES can be quite vulnerable to side channel attacks, maybe even more so if implemented in hardware. AES should be used for less blocks than triple DES. Then again, it might be hard to come by another hardware accelerated cipher that has been researched as extensively - I suppose triple DES is out of the question. Maybe one of the other AES candidates or even Threefish could be used instead (or on top of AES, we're talking highly secure systems here).

  • O_____>-|o _____O
    • by grcumb (781340)

      O_____>-|o _____O

      Two things:

      1. Your box is two-dimensional;
      2. That doesn't look anything like a cat.
• What next? Having done perfect eavesdropping, we're now working on a perfect countermeasure to it, to secure once and for all against any device imperfections. This will take some effort, too.

    There is no 'once and for all' for anything and anyone that believes that is misguided.

  • Quantum computing, quantum cryptography, etc. are pretty common categories here on /. and I really don't know anything about either. Now, the question is... should I be alarmed for not being up to date here? Or is this stuff that really won't become relevant for 90% of software engineers outside academia for quite a long while? (I mostly develop web services and mobile applications but I still expect to work in this field for quite a few decades and if this is something that software engineers should unders

    • should I be alarmed for not being up to date here?

      You both should and shouldn't be alarmed.

• The original patent on quantum cryptography was for a banknote with trapped photons. These could only be read once, so you had to know the polarization axis of the photons to read their state. This was a wonderfully batty idea, and a useful explanation of what is known and what isn't known about a quantum state.

      However, when you go into actual implementations of quantum communications, you find the hacking techniques are much the same. Here, they are trying to send out a single photon. If a real l

  • Worth noting (Score:2, Insightful)

    by Anonymous Coward

    This is not an exploit of quantum cryptography.

    It is an exploit in the implementation of the detectors.

    They can't tell the difference between the quantum signal they are supposed to be detecting and a faked signal using classical light pulses. Man-in-the-middle attacks are fairly straightforward for classic light signals since they aren't changed when someone else intercepts them.
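The security check this comment is talking around is the error-rate test of BB84: with ideal detectors, an intercept-resend eavesdropper shows up as roughly 25% errors in the sifted key and the parties abort. The simulation below is an added example, not code from the thread, the paper or any QKD product; it models ideal detectors only, so it shows the check that the detector-level attack in the article sidesteps, not the attack itself. Basis encoding, the 11% abort threshold (the standard BB84 bound) and the sample fraction are assumptions of the example.

```python
import random

# Added BB84 simulation. Bases: 0 = rectilinear, 1 = diagonal. Detectors are
# modelled as ideal: a photon measured in the wrong basis yields a uniformly
# random bit. Real detector behaviour (the loophole in the article) is not modelled.

QBER_ABORT_THRESHOLD = 0.11  # standard BB84 bound; above it no secret key survives distillation


def measure(bit, prep_basis, meas_basis, rng):
    """Ideal single-photon measurement: correct in the matching basis, random otherwise."""
    return bit if prep_basis == meas_basis else rng.randrange(2)


def run_bb84(n_photons, eavesdrop, seed=1, sample_fraction=0.25):
    """Return (qber, remaining_key_bits, fraction_of_key_eve_guesses_right)."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.randrange(2) for _ in range(n_photons)]
    bob_bases = [rng.randrange(2) for _ in range(n_photons)]
    bob_bits, eve_bits = [], []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        photon_bit, photon_basis = bit, a_basis
        if eavesdrop:
            # Intercept-resend: Eve measures in a random basis and re-sends what she saw.
            e_basis = rng.randrange(2)
            e_bit = measure(bit, a_basis, e_basis, rng)
            eve_bits.append(e_bit)
            photon_bit, photon_basis = e_bit, e_basis
        else:
            eve_bits.append(None)
        bob_bits.append(measure(photon_bit, photon_basis, b_basis, rng))

    # Sifting: Alice and Bob publicly compare bases and keep the matching positions.
    sifted = [
        (a, b, e)
        for a, b, e, ab, bb in zip(alice_bits, bob_bits, eve_bits, alice_bases, bob_bases)
        if ab == bb
    ]
    # Sacrifice a random subset to estimate the error rate; those bits are then discarded.
    n_sample = int(len(sifted) * sample_fraction)
    idx = set(rng.sample(range(len(sifted)), n_sample))
    sample = [sifted[i] for i in idx]
    qber = sum(1 for a, b, _ in sample if a != b) / n_sample
    remaining = [sifted[i] for i in range(len(sifted)) if i not in idx]
    key = [a for a, _, _ in remaining]
    eve_known = sum(1 for a, _, e in remaining if e == a) / len(remaining)
    return qber, key, eve_known


def accept_key(qber, threshold=QBER_ABORT_THRESHOLD):
    """The defender's check: abort key distillation if the error rate is too high."""
    return qber <= threshold


if __name__ == "__main__":
    for eve in (False, True):
        qber, key, known = run_bb84(4000, eve)
        print(f"eavesdrop={eve}: QBER={qber:.3f} key_bits={len(key)} "
              f"accept={accept_key(qber)} eve_correct={known:.0%}")
```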

    • Re:Worth noting (Score:5, Insightful)

      by lgw (121541) on Saturday June 18, 2011 @12:56PM (#36485864) Journal

      This is not an exploit of quantum cryptography

      It is an exploit in the implementation of the detectors

LDO. People seem in a rush to point this out on every /. crypto story. "This wasn't a problem with the math, but a problem with the implementation". Yes, that's how almost all attacks work. Attackers don't generally go after the strongest link in your cryptosystem, you know.

      My silly RSA tokens (2 on them cluttering my keyring now!) are worthless not because the math was bad, but because the attackers found a better avenue of attack. That's not in any way comforting.

      • by Anonymous Coward

        But the attack wasn't on quantum cryptography as the title claims.

        It is just as silly to say that the attack was on quantum cryptography here as it would be to say an armored truck was robbed when someone pretending to be from the armored truck company convinced the bank to give them the money before the truck arrived.

      • The US national debt: $129,000 per taxpayer

        It's ok, rich people can pay for it. If we tax them enough.

        • by lgw (121541)

Ha, nice one. That's been studied in depth of course: there just aren't enough rich people to make that work (and people have a historically proven tendency to either hide or defer income, or just be lazy, if you crank the marginal rates up too high). I believe the medicare liability exceeds the combined net worth of all American citizens, companies, and corporations - but we'll just fail to pay that out, as opposed to the $130k each we're stuck owing.

• I believe the medicare liability exceeds the combined net worth of all American citizens, companies, and corporations

            Really? Do you have a citation on that? It would be good to know. That would resolve the question of whether we are (potentially) solvent or not.

- but we'll just fail to pay that out, as opposed to the $130k each we're stuck owing.

            Yeah, for all the talk of defaulting on the national debt, it is forbidden by the constitution. Unless we can get a constitutional amendment, we'll be letting old people die in the streets before we default.

    • by Dwonis (52652) *

      This is not an exploit of quantum cryptography.

      Correct. It's an exploit of the snake oil currently being sold as "quantum cryptography".

  • Why do they spend all this money, all this effort on systems that cost more and offer less security than a large RSA or ECC public key system?

    Especially when RSA and ECC are so very well studied and don't rely on what amounts to lab grade optics with unknown exploits, weaknesses, and requirement for over paid professionals?

    Why? I don't see the benefit. It is slower, harder to use, more expensive, the list goes on!

    16K bit RSA keys are slow to generate but offer 256 bits of private key material equivalent sec

    • by gweihir (88907)

      There is no sane reason. RSA may be eventually broken, as there is still no security proof for it. But ElGamal has a strong mathematical security proof and is unlikely to ever be broken. ECC serves to reduce key-sizes and, afaik, has at least weaker security proofs. The important thing is however that they do scale, i.e. longer key gives better security. No such property is present in Quantum signaling. (No, it is not crypto.)

      Then there is a second dirty secret: Quantum signaling is only for key distributio

      • by mysidia (191772) *

        Then there is a second dirty secret: Quantum signaling is only for key distribution. The actual communication is done with conventional block ciphers like AES. This completely invalidates the concept, even if you assume Quantum signaling to be eavesdropper-proof, because RSA/ElGamal is likely much more secure

        That's insane... what they should do is use public key crypto secured transmission of private keys.

        And encrypt the data payload in a CBC mode, with random shared quantum inputs used to manipulate th

        • by BitZtream (692029)

          Using what you describe, you have produced random unusable gibberish on the output.

          You can't throw randomness into cryptography, contrary to common belief. Everything has to be known or calculatable in order for the original data to be extracted from the encryption.

          Cryptography is VERY complex math, nothing more at this point, with the general idea intended to be to make it take a minimum amount of time to decrypt the data, but making that time long enough to prevent brute forcing from being viable and not

          • by mysidia (191772) *

            Using what you describe, you have produced random unusable gibberish on the output.

            Not really. If you generate some random data and transmit it over the quantum channel, both endpoints to the communication have the shared quantum secret, with an agreed upon hash, and agreed upon method of using the data and proper synchronization of the two data streams, they will both come up with the same thing, and the recipient will be able to inverse a simple XOR.

            The whole point of quantum crypto is it can't be

            • Read up on Quantum Encryption. It is really REALLY cool.

              In case you've tried and hit one of the many hand-waving walls here is the brief because I'm not the type to just be snide and say RTFM:

              So you have a sender and a pair of receivers. You (sender) have one of the receivers. You send an entangled pair of photons down the lines. Here is trick one: those two photons will have the same polarization but you don't know what it is till you measure it.

              Now polarization isn't just one direction, photons can be po

      • by BitZtream (692029)

, because RSA/ElGamal is likely much more secure (with reasonable key-lengths) than AES.

        Show me someplace that uses RSA for encryption of raw data.

        What you have in the real world EVERYWHERE is that RSA is used for key exchange/session key generation/identity verification ... and AES is used to encrypt the payload data.

        Why? asymmetric encryption is extremely processor intensive, too much so to do on any practical scale.

So this quantum stuff is not useless for the reasons you state (although there are actual reasons why it's useless) because the reasons you state are how pretty much every crypto

  • Disclosure? (Score:4, Funny)

    by dk90406 (797452) on Saturday June 18, 2011 @01:04PM (#36485884)
    "Disclosure: I am one of the researchers who worked on this."
    Disclosure is an interesting word here. I would have used the word "brag" - and I think you are fully entitled to brag about that feat.
    • I think "disclosure" is appropriate. His name appears in several of the articles, and it would be awkward had he not mentioned it in the summary.
    • Just because you're jealous YOU didn't work on it, doesn't mean his disclosure was inappropriate. (note: full disclosure: I am very rich.)
  • by turkeyfeathers (843622) on Saturday June 18, 2011 @01:06PM (#36485902)
    Does this have any impact on the security of my bitcoin wallet? If not, who cares.
• As with most recent vulnerabilities in Cryptography (no, the quantum stuff is not crypto, it is signaling with special physical properties), the attack goes against the implementation. This did not stop several companies and a lot of fanbois from claiming "unbreakability". I hope you have learned something.

• As with most recent vulnerabilities in Cryptography (no, the quantum stuff is not crypto, it is signaling with special physical properties), the attack goes against the implementation. This did not stop several companies and a lot of fanbois from claiming "unbreakability". I hope you have learned something.

      I seriously doubt it. In my experience, people's memories are selective - anyone who's made that claim (and yes, I remember reading several such statements) likely will deny it now.

    • Unbreakable in principle and unbreakable in reality are two very different claims. One is reasonable, assuming some principles of theoretical physics, while the other is silly to mildly informed people.
      • by gweihir (88907)

        Also principles of theoretical physics are really hypotheses. They tend to change every few decades and often the old "principles" look quite silly then.

        • by token0 (1374061)
          I wonder what principle of quantum information ever changed? Or can you give any example of a few-decades-old principle of theoretical physics that looks silly today? Theories embrace new details, the underlying interpretation and math can totally change, but in 'normal' conditions (low gravity, low speeds or macroscopic scales, depending on the theory), they converge to classical principles. So all you need to assume in quantum cryptosystems is its pretty simple old principles and "Eve doesn't have a super
          • by gweihir (88907)

In terms of physical theory, Quantum Theory is not old. Nor is it well-proven, as there are a few new discoveries every year at the moment. So far, it mostly pans out, but there are no guarantees. Think mechanics. For a long time it was the perfect theory. Then some people started to measure more precisely than ever before, and suddenly it turned out to be a rough approximation. So, for example "Doc" E.E. Smith's idea of interstellar travel looks quite silly today. There is absolutely no reason Quantum theo

            • by swillden (191260)

              So, in summary, it is not a good idea to rely on physical theory, which has the status of Hypotheses when it comes to practical implementations, when we have actual mathematical theory (which is still hard fact when implemented digitally) that already solves the problem well.

              Except that we don't really have "actual mathematical theory", either. No one currently knows how to factor products of large primes efficiently, but it has not been proven that integer factorization is NP-complete, nor are we entirely sure what NP-completeness means (c.f. P=NP). Worse, we haven't even proven that factorization is the only way to defeat RSA -- it's possible there's another way. Finally, RSA and other asymmetric ciphers also suffer from practical implementation issues. RSA in particular

              • by gweihir (88907)

                For RSA you are right. For ElGamal your information is outdated, as a solid lower bound proof exists. There are also proofs for other DLog based crypto. It is just a bit harder to implement and a bit slower. Also, I guess, RSA had more commercial backing with the (IMO bogus) patent on it.

                Quantum Signaling has neither and is eminently impractical in addition. As to plain hard, when we at least have mathematics, that is something solid. For the Quantum stuff we do not have complete observations, we have imple

                • by token0 (1374061)
ElGamal's proof assumes the Diffie–Hellman assumptions, which are quite strong. Actually every modern asymmetric key encryption algorithm's security would imply the existence of one-way functions, which in turn would imply P!=NP - as far as my outdated information goes, we don't have a proof of that yet. But even if I'd trust P!=NP, there's a lot of other ways the stronger assumptions could fail, e.g. maybe your particular key is one of those 10% that's easy to revert.

                  I'm not sure why you say "th
                  • by gweihir (88907)

P!=NP is convenient, but not needed for one-way functions. It is enough that you have a scalable higher effort in one direction, P!=NP merely gives you a set of easy ways to get that.

                    Saying "quantum information theory is shaky" is not crazy at all. History shows that any physical theory was disproven, except the at that time current one. There is absolutely no reason (except arrogance) to assume we not have it right.

                    As to why this is not encryption: From Wikipedia: "encryption is the process of transforming

                    • by gweihir (88907)

                      Wups, should be: "... we now have it right."

                    • by token0 (1374061)
                      Which part of "The existence of one-way functions would imply P!=NP." don't you understand? On the other hand P!=NP doesn't imply the existence of one-way functions (one-way is a _stronger_ assumption), so no, even P!=NP doesn't give you easy encryption (as far as our knowledge goes today). And ElGamal's security is based on an _even stronger_ assumption that the discrete logarithm is a one-way function - there's no simple reason to believe that it's true.

                      What physical theory was disproven? The principle
  • Is Heisenberg spinning in his grave? I do have serious doubts that governments will ever allow fool proof encryption to be in the hands of the public.
    • by maxume (22995)

      Nothing is fool proof, fools are too persistent and too clever.

      On the other hand the idea that Truecrypt is compromised is quite a claim.

• When the eavesdropping is "in channel", doesn't require material access to the transmitting medium, the eavesdropping could be the fastest, preferred, mode of signaling on the link. Spinning the quantum wheel of "how associated" is the linked topology is going to precede what state info gets distributed most widely, therefore presenting the highest possibility of sync to another signal in the system - dominating it. So modulating the wheel's state is going to get ahead, leaving everyone on the signal an

• Let's assume for a second the quantum hardware itself works perfectly as advertised and cannot be compromised.

You still need classic (such as a symmetric key) information to prove Alice and Bob are talking to each other rather than to Malice's quantum MITM proxy server.

    Has anyone proved a perfect quantum OTP source improves actual security vs use of a zero knowledge algorithm to establish the same? Even if such an algorithm does not yet exist... Is it possible to construct one? Has it been shown this is not

    • Zero-knowledge authentication is impossible by definition. If you know nothing secret about someone, you can never verify his identity.

A small pre-shared key is used for initial authentication, in all classical and quantum crypto alike, to preclude a man-in-the-middle (MITM) attack. In the classical public-key infrastructure (PKI), this authentication key comes from the certificate authority with, e.g., your copy of the web browser. If it is spoofed at the distribution step, MITM attack becomes possible.

      In

      • Zero-knowledge authentication is impossible by definition. If you know nothing secret about someone, you can never verify his identity

        See http://en.wikipedia.org/wiki/Zero-knowledge_proof [wikipedia.org]

        In quantum crypto, the initial key is small, because once the quantum-generated key begins to grow, its small fraction is used for further authentication keys

        Can it be proven a perfectly random, private yet untrusted OTP source would necessarily be better than any possible encryption algorithm given the same initial trust?
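The key-bootstrapping described in the two comments above (a small pre-shared key authenticates the first round of classical post-processing, then a slice of each round's quantum-generated key becomes the next round's authentication key) can be written out as a protocol sketch. This is an added example, not code from the thread or from any QKD product; HMAC-SHA256 stands in for the information-theoretic authentication real systems use, and the 32-byte key size, the endpoint class and the constructed round outputs are assumptions of the example.

```python
import hmac
import hashlib

# Added example. HMAC-SHA256 is a stand-in for the authentication primitive;
# the point illustrated is the rotation of the authentication key from QKD output.

AUTH_KEY_BYTES = 32


class Endpoint:
    """One side of the link: holds the current authentication key and distilled data keys."""

    def __init__(self, preshared_key: bytes):
        self.auth_key = preshared_key
        self.data_keys = []

    def tag(self, transcript: bytes) -> bytes:
        """Authenticate the public post-processing messages (bases, sample indices, ...)."""
        return hmac.new(self.auth_key, transcript, hashlib.sha256).digest()

    def check(self, transcript: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self.tag(transcript), tag)

    def rotate(self, fresh_qkd_key: bytes) -> None:
        """Carve the next authentication key from the new QKD output; the rest is data key."""
        if len(fresh_qkd_key) <= AUTH_KEY_BYTES:
            raise ValueError("QKD round produced too little key to refresh authentication")
        self.auth_key = fresh_qkd_key[:AUTH_KEY_BYTES]
        self.data_keys.append(fresh_qkd_key[AUTH_KEY_BYTES:])


def run_rounds(preshared_key: bytes, qkd_outputs: list, transcripts: list):
    """Run several QKD rounds between Alice and Bob and return both endpoints."""
    alice, bob = Endpoint(preshared_key), Endpoint(preshared_key)
    for fresh, transcript in zip(qkd_outputs, transcripts):
        transcript_tag = alice.tag(transcript)
        if not bob.check(transcript, transcript_tag):
            raise ValueError("authentication failed: abort round (possible MITM)")
        # Both sides accepted the same authenticated transcript, so both hold the same fresh key.
        alice.rotate(fresh)
        bob.rotate(fresh)
    return alice, bob


def mitm_rejected(preshared_key: bytes, attacker_key: bytes, transcript: bytes) -> bool:
    """A relay that does not hold the pre-shared key cannot produce a tag Bob accepts."""
    bob = Endpoint(preshared_key)
    relay = Endpoint(attacker_key)
    return not bob.check(transcript, relay.tag(transcript))


def constructed_qkd_output(round_no: int) -> bytes:
    """Stand-in for one round's distilled key (constructed and deterministic; real output is random)."""
    return hashlib.sha256(f"constructed qkd round {round_no}".encode()).digest() * 2


if __name__ == "__main__":
    psk = bytes(range(32))  # constructed pre-shared key
    outputs = [constructed_qkd_output(i) for i in range(3)]
    transcripts = [f"bases+sample round {i}".encode() for i in range(3)]
    a, b = run_rounds(psk, outputs, transcripts)
    print("auth keys match:", a.auth_key == b.auth_key, "rotated:", a.auth_key != psk)
    print("relay without the key rejected:", mitm_rejected(psk, b"\x00" * 32, transcripts[0]))
```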
