Quantum Cryptography Broken, and Fixed

schliz writes in with research out of Sweden in which researchers showed that, looking at a quantum cryptographic system as a whole, it was possible for an eavesdropper to extract some information about the QC key, thus reducing the security of the overall system. The team then proposed a cheap and simple fix for the problem. "The advanced technology was thought to be unbreakable due to laws of quantum mechanics that state that quantum mechanical objects cannot be observed or manipulated without being disturbed. But a research team at Linköping University in Sweden claim that it is possible for an eavesdropper to [get around the limitations] without being discovered. In a research paper, published in the international engineering journal IEEE Transactions on Information Theory (abstract), the researchers propose a change in the quantum cryptography process that they expect will restore the security of the technology."

So is the cat dead?

[EmbeddedJanitor]

Quantum stuff is so illogical to us mortals that you'd expect attempting to break it would just make it stronger.

Re:So is the cat dead?

[Tackhead]

> Quantum stuff is so illogical to us mortals that you'd expect attempting to break it would just make it stronger.

Which is precisely what happened.

In a research paper, published in the international engineering journal IEEE Transactions on Information Theory (abstract), the researchers propose a change in the quantum cryptography process that they expect will restore the security of the technology.

By being sufficiently precise about the nature of the insecurity, they changed the probability of its being insecure!

Furthermore, now that we know it's secure again (that is, we've proven it to be secure, effectively computing the probability of insecurity to be precisely zero), we no longer know anything about the nature of the system's security holes again!

That was all supposed to be a lead-up to a Heisenberg Uncertainty Principle joke, but it's actually a pretty good description of how computer security works in even the non-quantum world. The more secure you think your system is, the more likely it is you'll get 0wn3d in some completely unexpected way. The known unknowns aren't the ones you've gotta worry about, and nailing them down doesn't do anything about the unknown unknowns, other than to collapse the joke's waveform into something resembling a Don Rumsfeld speech.

In anything other than a Slashdot quantum crypto discussion, that sort of whiplash-inducing change of joke subjects would be highly improbable. As it stands, I'm going to shift gears a third time and hand it off to Douglas Adams.

Zaphod: Tackhead, is this sort of thing going to happen every time you post using the Infinite Improbability joke drive?
Tackhead: Very probably, I'm afraid.

Re:So is the cat dead?

[NotQuiteReal]

You can increase the complexity by using a tri-state cat.

It can be either alive or dead or both alive and dead.

We call these three states alive, dead and zombie.

There, I hope that sheds some photons on the matter.

Re:So is the cat dead?

[tzanger]

I thought a tri-state cat would be alive, dead and high-impedance.

Re:

[fahrbot-bot]

I thought a tri-state cat would be alive, dead and high-impedance.

Actually, "high-impedance" is how'd I'd describe the alive state for most cats - yikes!

Re:

[Linker3000]

I'd ROT13 the cat too, just to be sure

Re:So is the cat dead?

[bh_doc]

*sigh* Dude, the whole point of the bi-state cat is that both alive and dead is exactly the state the cat ends up in. It's a superposition until you measure it. That's why it's so bizarre. Schrodinger's cat is a zombie.

Re:

[evanbd]

To quote one of my favorite games [kingdomofloathing.com]:

The cat looks up at you and, noticing a certain hungry gleam in your eye that it doesn't like one bit, jumps from the divan and hides in a box under the coffee-table. Just before the lid clicks shut, you see a tiny pendulum inside, and wonder if the cat's going to be alive for much longer. You reason that, since the cat could be either alive or dead, and you can't know which without opening the box, then therefore the cat must be both alive and dead -- or in other words, undead. That must be what funerals are for -- so that everyone knows for certain that the person going into the coffin is definitely dead, and you don't have to worry about quantum uncertainty causing zombies to burst out of the ground.

Re:So is the cat dead?

[Thanshin]

The tri-state cat should be alive, dead or dog.

Re:

[Daimanta]

More like alive and terrified, alive and not terrified or dead. And do NOT combine dead and terrified, or you'd have a scared zombie cat.

Re:

[caveman]

There is yet another state that the cat can be in, as alluded to in 'Lords and Ladies' by Terry Pratchett..

From Wikipedia [wikipedia.org]:

Greebo had spent an irritating two minutes in that box. Technically, a cat locked in a box may be alive or it may be dead. You never know until you look. In fact, the mere act of opening the box will determine the state of the cat, although in this case there were three determinate states the cat could be in: these being Alive, Dead, and Bloody Furious.

Shawn dived sideways as Greebo went

Re:

[Viperpete]

Referring to your signature: But how many cubits per epoch can you go?

Re:

[SEWilco]

Did someone actually see quantum cryptography while it was broken? If it was not observed, was it ever broken?

Re:Wah?

[mrbluze]

The advanced technology was thought to be unbreakable due to laws of quantum mechanics that state that quantum mechanical objects cannot be observed or manipulated without being disturbed.

Well the worst thing about an encrypted stream is that you trust it, not really knowing if someone is listening half way down the line. If you get a hint that it's being listened to, you can start sending garbage (or misinformation) down the line so as to confuse the hell out of the eavesdropper, whilst taking up alternative methods of communication or something.

This makes me wonder if cryptography needs to become cleverer. I mean, depending on the type of data you're sending, might there be a role in padding encrypted streams with 'honeypot' data, like random bits of vaguely interesting crap that the expected listener might want to be interested in. Sort of a live equivalent of Truecrypt's plausible deniability.

What do people think about that?

Re:

[Darkness404]

However what happens if that "randomness" doesn't become all that random? First there is a possibility of an attacker using the same algorithm and managing to have a list of "garbage data" to ignore. Second there is a possibility of using a similar method to determine info about the system (for example, MS's version of it would probably be totally different then the Linux/*NIX version) and then move on to another attack.

Now, I admit I don't know that much about cryptography and this probably couldn't ha

Re:

[MadnessASAP]

It doesn't matter. The moment he tries to read the stream to see whether the data is garbage or not he has changed the quantum properties and the receiver will know someone is listening. It is theoretically impossible to discern anything about the stream without being detected.

Re:

[Brian Gordon]

I don't really get it.. why can't eve read the stream (altering it or destroying it or whatever) and send out the exact same stream- at least one that collapses to the same message (I don't know much about quantum waveforms but that at least seems possible).. a classic man in the middle

Re:

[MadnessASAP]

Errrr.... Well you see that... Well Uhmmmm... *runs away*

But seriously, there is a good reason unfortunately I haven't yet taken enough physics to adequately understand it much less explain it.

Re:

[cnettel]

Eve can read the stream if she already has the key and state of the transaction. She cannot read the stream in a hope to apply brute-force cracking, or similar, to it later. Naturally, if she has the key(s), and access to the medium, she can fake the identity of the sender more or less perfectly.

Re:

[catprog]

The stream they are talking about is the key.

Re:Wah?

[something_wicked_thi]

1. Alice sends the key to Bob, in the open, unencrypted, but using a random base-4 encoding. There are two states for a 1 bit and two states for a 0 bit.

2. Bob reads the key, but, due to the random encoding, he can read only half of it (you can read only if the receiver is in the same state as the sender), so Bob sees some random subset of the bits. This random subset is the key. Alice does not know which subset this is.

3. Bob transmits the configuration he used to read the stream back to Alice. Alice compares the configuration to her own configuration for sending data and derives which bits Bob saw. They now both know the key.

It is impossible to read the bits without changing them, in which case Bob will see something different from what was sent, so the keys won't match.

It is also impossible to derive the key from the configuration that is sent back by Bob because it only specifies how the bits were read, not what the bits were.

This is, of course, vulnerable to a man-in-the-middle attack, however.

Re:Wah?

[catprog]

The thing is you can only accurately read about 50% of the photons.

When Eve reads the message changes to 50% correct, 50% incorrect.

When Bob gets the photons his 50% will consist of 25% correct and 25% incorrect ones. (assuming true randomness)

When Alice and Bob compare there keys they will see the discrepancy.

Then the 1 and 0 are XORs with the message and then the result is sent.

http://en.wikipedia.org/wiki/Quantum_cryptography#Polarized_photons_-_Charles_H._Bennett_and_Gilles_Brassard_.281984.29 [wikipedia.org]

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[dotancohen]

Again in English please?

It just means that they were using Debian.

I know the solution

[jollyreaper]

They were connecting the computers via cat-5 cable. Everyone knows you're supposed to use Schrödinger's cat-5 cable in that sort of application.

Re:

[dotancohen]

They were connecting the computers via cat-5 cable. Everyone knows you're supposed to use Schrödinger's cat-5 cable in that sort of application.

No, the solution was already posted here:
http://article.gmane.org/gmane.linux.debian.security.announce/1614 [gmane.org]

Re:

[Metasquares]

Warning: Windows may or may not be connected to any networks. Please look at your router.

Re:

[mrmeval]

"When using quantum communications I always use Schrödinger's cat-5 cable. A quality product of the Jollyreaper company."

I lol'd really.
 

There is no such thing as absolute security

[Anonymous Coward]

If data is stored, with the intent and purpose of actually being retrievable at some time in the future, and a mechanism exists to access said data, then it is not absolutely secure because it has been designed to be retrieved.
As long as there is even one access method there exists the opportunity to expoloit it somehow.

Re:

[Slashdot Suxxors]

So how do you retrieve something that's not retrievable?

Re:

[Anne_Nonymous]

If you love your data, let it go. If it returns to you, it's yours.

Re:

[marcosdumay]

That is why i save all my documents into /dev/null, and read them from /dev/urandom.

By the way, my documents don't seem to like me very much... Am I feeding them wrongly?

Re:

[lakeland]

As long as there is even one access method there exists the opportunity to expoloit it somehow.

No. In Mathematics, 1 + 1 = 2. It doesn't just usually equal 2, except in cases that you can't think of right now. Similarly, the computer program:

x = 0
x = x + 1

We know with absolute certainty that x = 1.

Returning to access methods, you need to parse the requested object and retrieve it from storage. For both of those operations it is possible to break them down into simple, irrefutable steps much like x = x + 1 amd prove conclusivly that the program has no security flaws.

Re:

[Metasquares]

In theory, yes, x will always be 1. However, there are a number of practical cases which can screw this up, since the computer is a mechanical device. For example, cosmic radiation can flip one of the bits in the memory location x was being stored in after it's assigned 0 but before the addition takes place, which can cause a dramatically different result. More realistically, you could have multiple threads running at once and you could be preempted anywhere (including in the middle of that addition) betwee

Re:

[lakeland]

Perhaps.

I'll ignore threads - it's hard enough to prove a simple deterministic program is correct so I'll assume that this is running without an OS.

As for bit flips due to cosmic radiation, there are plenty of algorithms that ensure a bit hasn't been flipped in a transmission and I would suspect they could be applied to a situation like this. Google pops up helpful hints too, e.g. http://csdl2.computer.org/persagen/DLAbsToc.jsp?resourcePath=/dl/mags/co/&toc=comp/mags/co/2002/01/r1toc.xml&DOI=10.110 [computer.org]

Re:

[ultranova]

If data is stored, with the intent and purpose of actually being retrievable at some time in the future, and a mechanism exists to access said data, then it is not absolutely secure because it has been designed to be retrieved.

Yes, but AFAIK quantum cryptography is not about storing and later retrieving data, it is about communicating data between two parties. AFAIK it simply lets the sender and recipient to know if anyone else besides them got the data. From there it is a simple matter of using an inse

That wacky quantum cryptography

[Anonymous Coward]

It was actually broken AND fixed at the SAME TIME!

Re:That wacky quantum cryptography

[mrbluze]

It was actually broken AND fixed at the SAME TIME!

Kind of like a Windows Update.

Re:

[MadnessASAP]

Well 1,2 and 4 happen at the same time all the time but 3 only happens in advanced university physics labs under very carefully controlled conditions.

Re:That wacky quantum cryptography one in a

[davidsyes]

... So, this quantum break-fix happening in this way, is what, a one-in-a-gwee-zillion event? Does that make it statistically a ... Quantum Singularity?

Fundamental Flaw in Quantum[Anything]

[thinktech]

The whole thing strikes me as a theory in a vacuum, I don't believe that ANY quantum object is invulnerable to observation. At it's core, this is a theory on paper that has no real-world solution. It's like the perfect gas. It simply doesn't exist. And any "fix" will invariably need fixing again. When did common-sense stop making sense in science?

Re:

[maxume]

Lasing is a quantum effect. If they weren't positively blase, we would probably call them quantum lasers, and then you would be in trouble.

Re:

[geekoid]

Except for the stuff that actually works and they have proven.

"I don't believe.."
How about some thinking, eh?

Re:

[Anonymous Coward]

Quantum mechanics is very real I am afraid.
From superconductors to Aspect experiments

BTW a Superconductor doesn't lose energy because QM makes it impossible for the electrons to scatter of the nuclei. Again something entirely impossible according to our common intuitions, which, alas, the world does not care about all that much.

See also:
http://en.wikipedia.org/wiki/No_cloning_theorem

Re:

[fred fleenblat]

>> When did common-sense stop making sense in science?

If something already makes sense then there is less of a need to study it scientifically. So science will gravitate towards non-intuitive things like neutrinos, recessive genes, bose-einstein condensates, etc.

Re:

[kestasjk]

The whole thing strikes me as a theory in a vacuum, I don't believe that ANY quantum object is invulnerable to observation.

Someone's beliefs are at odds with well founded, empirically established physical laws?!

I just hope this doesn't catch on..

Re:

[nerdacus]

Someone's beliefs are at odds with well founded, empirically established physical laws?! I just hope this doesn't catch on..

Too late, it caught on long ago. It's called religion.

Re:

[Dekker3D]

they've proven that at least some things aren't immune to observation. who says the rest are? it's harder to prove that something can't be observed or altered or whatever, than it is to prove that it can be.

there's no empirical evidence that proves that he's wrong. and as long as there isn't, he's free to believe what he wants.

Spooky Decryption

[bevoblake]

It's quantum right? So there's really just a probability of it being broken or fixed at any given point in time...

Schroedinger's Key

[Speare]

Wait, so it was both broken AND not broken? Don't open the box! Just leave it as it is and we can have a half-cryptographic solution forever.

Re:

[skiddy]

I've just introduced a new form of cryptography at work which I belive is very similar to what you're discussing. Basically, I write something (that I don't want people to see) on a piece of paper. I put it in a box. I close the box. People can no longer read it. Where do I get a job with this Quantum company?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[bh_doc]

While I agree it seems to be surrounded in hype, and while I'm unfortunately unable to access the paper itself (my university doesn't subscribe to IEEE Transactions on Information Theory, apparently), your comment about evesdroppers seeing the key is without merit. The whole point of quantum cryptography is that by employing superposition and state collapse, a key can be negotiated between two parties with an exponentially high probability that any evesdropper listening in will be detected, due to their bac

Re:

[fatphil]

Of course, one thing that's often forgotten is that an evesdropper is indistinguishable from noise, so as long as the evesdropper is prepared to snoop on a proportion of the signal that's less than the noise floor, he'll not get detected. Of course, he won't get much information either.

Re:

[Anonymous Coward]

So you shouldn't have to worry about an evesdropper because they will make themselves known just by listening in.

So that means, as far as I understand:

I can safely exchange a key, because I can detect eavesdroppers and replace the sniffed parts of the key with new ones?

But if someone is continuosly does that, doesn't he effectively prevent me from communicating at all??

Re:

[jalar]

It points out that even if you use the full QC machinery to prevent the eavesdropper from seeing the key, that is not enough when using the key for authentication within QC.

Article is a dupe...

[The Master Control P]

Just like the last time, the laws of quantum physics still work and it is still impossible to observe a quantum system without altering it. The researchers found that the classical authentication protocols that prevent man-in-the-middle attacks were insufficient.

Re:

[Anonymous Coward]

Quantum cryptography is a misnomer. Really it should be called quantum key exchange. Classical encryption technology must still be used for authentication, and (in practical terms) to encrypt the actual message once a key exchange has occurred. Neither of the classical components is invulnerable. Only the key exchange itself is protected by quantum physics. The article simply describes an error in the implementation of the authentication, and a fix for that error. The issue really has nothing to do wi

Initialization vector

[andrewsb]

This bit from the article sounds like they just added an initialization vector (see wikipedia for definition):

"The researchers propose an additional, non-quantum exchange of a small amount of random bits that are separate from the quantum key."

The End of The Science of Cryptography

[Whiteox]

There was an interesting book on cryptography which I loaned to a friend, that surmised that the law of cryptography which state that every code can be broken is now defunct due to quantum cryptography.
This in effect means that the science of cryptography has met its end in terms of development.
Like the game of checkers, there are no more moves to make.
At the time of publication (2002?), the longest distance an encrypted quantum message sent and received was approximately 50kms and considered to be impossible to break.

Re:

[Anonymous Coward]

That book was full of shit. Cryptography is no where near finished. I wish people would stop making such a big God damned fuss about quantum cryptography. All it does is make eavesdropping detectable. In any secure application you still don't want the eavesdropper to be able to understand what they overhear, even if you can immediately detect them overhearing it, so you still need to scramble your message somehow, i.e. using actual cryptography. Furthermore, quantum cryptography works exclusively over

Re:

[Tmack]

...It will never be applied to cat 5 LANs....

Unless of course (as was pointed out above), that lan is using Shrödinger's cat-5...

tm

Re:

[catprog]

Quantum cryptography gives you a secure way to pass the key to the person your communicating with.

Wireless communications are not fundamentally incompatible with Quantum cryptography

No, not really

[Moraelin]

No, not really. QC only works over dedicated, point-to-point fibre optic lines.

Do you understand that one crucial aspect? If I want to talk to you completely securely, with quantum handshake, and able to detect eavesdroppers, I would need one uninterrupted strand of fibre from Germany to wherever you are. Screw 50kms, we're talking potentially tens of thousands of kilometres.

Or a chain of routers along the way that we both trust blindly to not be compromised, because each breaks that quantum handshake, and each is a point where someone could eavesdrop. You can't tunnel QC over such a hop, so it's a bit like having SSL only from your computer to your ISP, then have it decrypted there and re-encrypted to the next hop, and so on.

It's also pretty much against the whole idea of a network like the Internet. Since again, it needs dedicated uninterrupted point-to-point connections, not a loose mesh of routing machines. (You _could_ transmit the rest over the internet once you negotiated a key over QC, but: 1. you still need a dedicated connection for that handshake, and 2. you still need normal cryptography for the actual transmission then.)

For two John Does like us it's already pretty infeasible to go QC all the way.

Even for someone like the US Army:

1. Good luck having an all-QC connection from Washington to Baghdad. Even in 50 km segments, you need a lot of basically routers every 50 km on the ocean floor, each of them being a potential eavesdropping point. So if you ditch normal cryptography, you'd need to do... what? Park a couple of submarines near each of them to make damn sure the Russkies and Chinese don't tamper with them? Have permanent manned bases on the ocean floor every 50 km, with a company of soldiers watching each router, and watching each other so none of them can be a double agent and tamper with it?

2. And what do you do if someone drops a depth charge on one of those? You sure you don't want some regular crypto as backup?

3. That still doesn't help your communication to your airplanes, tanks, cruise missiles, etc, there. You can't tie a cable from each of them to Washington.

Etc.

So basically... well, let me put it mildly: I don't know what book you've read, or by what author, but I'd bet it wasn't written by someone who knows much about cryptography. It sounds more like the kind of predictions made by self-styled "pundits" like Cringely or Dvorak. Or, of course, any other of the many like them.

Re:

[taylor]

Actually, quantum cryptography can work with non-secured intermediate repeater stations. In essence, rather than attempting to send the random bits directly, one attempts to build an entangled pair of quantum bits, one at each end of the repeater chain. This is trying to build a specific state, which can be verified before use. The random key is generated using the non-classical correlations of the entangled pair (for more info, one can google "Ekert quantum repeater").

As you might expect, the protocol f

Re:

[IdeaMan]

Laser bounce from a satellite in orbit?

Only way I could see to MITM attack it would be to put a blimp drone or maneuver a satellite between the two.

Re:

[Vadim Makarov]

Distance improves steadily. The current record for a point-to-point link is over 200 km in fiber (albeit not installed but spools in a lab) and 144 km of free space (between two mountains on islands in the Pacific). Never mind that the 144 km experiment uses passively-quenched single-photon detectors which I think I have successfully broken [arxiv.org]. Also, I think at least one group is seriously working on a link with some sort of quantum repeaters in middle nodes.

Re:

[wodon]

Remember that the quantum Cryptography bit is only there to generate the one time pad which will then be used with an algorythin to encrypt the message.

There is the potential to have secured pad generation links which you could take your keys away from and then encrypt over the recular internet.

Re:

[SeekerDarksteel]

Quantum cryptography is quantum cryptography only in the sense that it is quantum and is used in cryptographic protocols. It is literally no different than having a guaranteed secure line over which to transmit a private key. The protection quantum cryptography lends to you is the guarantee of that line security. Nothing else.

Re:

[evanbd]

As long as people have a need to exchange messages with people they can't actually send photons to directly, there will be a need for cryptography.

Oh,

[oliverk]

What's really going to bake your noodle later on is, would you still have broken it if I hadn't said anything?

Alice and Bob are sick today. We need some answers

[failedlogic]

As I don't know what I'm supposed to know about quantum cryptography, where can I find Alice and Bob to explain it to me? I feel sorry for them though. I'm always bugging them for an explanation and they always oblige. I'm really pissed off though. Every time, I want a different opinion, there they are in every book - Alice .... and .... Bob. Why must *they* always explain to me the most difficult concept in computing. If they aren't doing their jobs, as is obvious with QC, we need some new instructors. If I were either of them, I'd quit my day job. Since nobody understands QC, and anyone that does can't simplify it for the rest of us, they're setting themselves up for massive overtime or heart attack.

Re:Alice and Bob are sick today. We need some answ

[bh_doc]

[N]obody understands QC, and anyone that does can't simplify it for the rest of us

You've just summed up the entirety of quantum physics. Really, it's impossible to simplify it enough for the general public to both know what it means (as in, the behaviours it predicts) and "understand" it in any intuitive way. Hell, most physicists don't understand it in that sense. It just isn't intuitive (for common definitions of the word). So some of the time (probably more than we'd like to admit) we just plug in the math. And it works.

Re:

[bh_doc]

You are (mostly) correct. However, your example is of one relatively simple aspect of quantum mechanics. You haven't even touched on the real meat of quantum mechanics: Superposition, entanglement, action at a distance, wave-particle duality, many worlds interpretation... all that "spooky" junk. I'd like to see an intuitive, understandable explanation of that. Honestly, I would.

Re:Alice and Bob are sick today. We need some answ

[catprog]

In a sense.

A number of Polarised photons are sent.

The person receiving uses one of 2 filters/readers .

Use the right filter and you get the correct bit.

Use the wrong filter and half of the time you get the correct bit and the other time you get the wrong one. This means if you incept the key you can not send the same set of photons on.

Discard the ones that you used the wrong filter on and then compare your key with the other person. (over an un-encrypted line). If there are too many errors then it

Re:Alice and Bob are sick today. We need some answ

[catprog]

Simple answer.

a one-time-pad is unbreakable but needs keys to be distrubted.

QC is used to send the keys and if it is incepted it can be detected and the key discarded.

I've made one other comment on Slashdot, but...

[skiddy]

Again, I think I have a quantum girlfriend.

Broken QC FAQ

[jalar]

See http://www.mai.liu.se/~jalar/qkg/faq.html?lang=en [mai.liu.se]

Re:One time pad

[dotancohen]

Just use a one time pad.

That way she won't know where to find you when he wants his daddy?

Re:One time pad

[bh_doc]

But how do you transmit that pad between parties?

That is exactly the point of quantum cryptography. The cryptographic key is the one time pad, negotiated between two parties, using superposition (and in some cases entanglement) in order to come to agreement on the pad and at the same time detect evesdroppers.