Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Encryption Security Science

How To Build a Quantum Eavesdropper 67

KentuckyFC writes "Quantum encryption is perfectly secure, in theory. In practice, however, there are loopholes. Now Japanese scientists have designed a quantum eavesdropper that exploits one of these loopholes to listen in to quantum conversations. QC's security arises from the impossibility of making a perfect copy of a quantum object without destroying it — so the sender and receiver can always tell if they've been overheard. But it turns out that an eavesdropper can make imperfect copies and use them to extract information from a quantum message without alerting sender or receiver (abstract). The Japanese design does just this. That should worry banks and government agencies that have begun to use some of the commercial quantum encryption systems now available."
This discussion has been archived. No new comments can be posted.

How To Build a Quantum Eavesdropper

Comments Filter:
  • Oh no. (Score:5, Funny)

    But Al, why haven't I leaped?

    Ziggy says there's a 98.5% chance that your security is flawed.
  • Not so hard (Score:3, Informative)

    by Ancient_Hacker ( 751168 ) on Friday June 13, 2008 @08:43AM (#23777359)
    You don't need anything so fancy. The quanta are, like packets, not guaranteed to get tot he destination every time. All you have to do is sidetrack every random(N)'th photon to your receptor.

    • by hostyle ( 773991 )
      Even better, you could tag each one so you can group them together more easily. May I be so bold as to suggest something like "thisoneisneeded" and "thisoneisadupe". See, folksonomies make everything better. No wonder Web 2.0 won.
    • Re:Not so hard (Score:4, Interesting)

      by mea37 ( 1201159 ) on Friday June 13, 2008 @09:48AM (#23778245)
      If N is too high, you don't get enough information.

      If N is too low, you drive the error rate high enough that the communication is no longer regarded by the parties as secure.

      N is always either too high, too low, or both.
      • Re: (Score:2, Offtopic)

        by Hektor_Troy ( 262592 )

        N is always either too high, too low, or both.
        This IS quantum mechanics ... why can't it be both?
    • Re: (Score:3, Insightful)

      by Anonymous Coward
      I thought quantum encryption first established a one-time pad for secure communications. It uses a protocol to ensure that any quanta not arriving or changed in any way are discarded. Only the quanta verified between Alice and Bob get used for the pad. So, a)diverting quanta during the pad-establishing time gains you nothing, and b)diverting quanta during communication gets you quanta randomly encrypted according to a pad about which you have now knowledge.

      It seems copying quanta such that no change is dete
  • by Anonymous Coward
    Having been involved in abstract quantum physics in my college grad student days, I can say that this is quite a tall order. The whole point of quantum cryptography is that the observation changes the system to the point that (a) eavesdropping disturbs the communications to the point of making it unusable and (b) due to (a) it is detectable oh what the hell am I talking about. First post. That's right, I just nailed a frosty.
  • I think this story is a better candidate for the "South Park" defense than the Chinese Gov't Hackers.
    • Re: (Score:2, Informative)

      by DeadDecoy ( 877617 )
      Not really. The whole point of the South Park defense was to get out of trouble by being humble and flattering the enemy. In the Chinese hacking incident, the big penis joke was more analogous to having Americans being told that they have hardened systems that couldn't be cracked (pun sorta intended). In the case of this article, the Japanese scientists are being perfectly transparent in showing that there is a hole with quantum cryptography. Just having Japanese people in the subject is not sufficient for
  • Ob. LOTR (Score:5, Funny)

    by HungSoLow ( 809760 ) on Friday June 13, 2008 @08:59AM (#23777527)
    I've been droppin' no eaves sir.
  • Logical disconnect (Score:5, Insightful)

    by jandersen ( 462034 ) on Friday June 13, 2008 @09:07AM (#23777613)
    How can one say that it is "theoretically impossible", when somebody has made a practical counterexample? It just means that the theory wasn't good enough - or more likely, that the wrong conclusions were made from the theory.
    • by tnk1 ( 899206 )
      Saying "theoretically impossible" is perfectly fine, it just leaves out the fact that in order to obtain the desired results, you have to have a system where you expect to always be able to get complete, undamaged messages/packets.

      What bothers you, is not that they say "theoretically impossible", its that such a term morphs into "completely impossible in all implementations" in the minds of the general public and gives them overblown expectations. That's not really the fault of the people who use the term,
      • by mea37 ( 1201159 )
        That's not actually the problem.

        They aren't exploiting an implementation weakness. They're exploiting the fact that you don't have to do what's "theoretically impossible" to extract information from the message. Look at it this way: Somebody said:

        1) You can't copy the quantum communication without visibly disturbing the original
        2) ???
        3) QC can't be broken!

        But there was hand-waving at step 2, and it apparently isn't valid (if this technique turns out to be a practical exploit, which is yet to be seen).
    • That's because people routinely misunderstand theory.

      For example: "it is impossible to write a program that can determine if another program will halt or not" is often reworded as "it is impossible to determine if a specific, given program will halt or not", which is patently untrue.

      The theory in this case appears to be, if I understand correctly: "it is impossible to make a complete copy of a message without it being detected." So they just figured they can make a partial copy, thereby side-stepping detect
    • by mea37 ( 1201159 )
      The counterexample has only been theorized, not actually built and tested.

      But if we assume they will build it, and if we assume it will work... Well, it doesn't do anything that's "theoretically impossible". What it violates isn't the theory -- what it violates is the glib assumptions of those who interpreted the theory to mean they could end what is probably an endless arms race.
    • by kmac06 ( 608921 )
      Because the summary is wrong. This "loophole" has been well-known for some time now. It can be compensated for very easily, and in fact is compensated for with current QC implementations.
  • Theory (Score:2, Redundant)

    IANAP, but can someone please tell me how the theoretically impossible became theoretically possible? Did the theory change, or was the math wrong, or did His Great and Wonderful Noodliness screw with the results?
    • IANAP, but can someone please tell me how the theoretically impossible became theoretically possible? Did the theory change, or was the math wrong, or did His Great and Wonderful Noodliness screw with the results?

      It is still theoretically impossible to get a perfect copy without alerting the sender and listener. However, this technique essentially reads the "noise" around the conversation and rebuilds the data from that. This is much like a damaged hard drive. While you cannot get the data directly, you can rebuild the data with the bits you do get.

    • by MbM ( 7065 )
      It's easier to argue the corollary -

      It's theoretically possible to produce a machine that implements perfect quantum security. The exploit above does not disprove the theory, only the implementation.

      Oh, you want to know why the implementation was flawed?
    • In theory, FTL communication is impossible.
      In theory, wormholes allow FTL communication.

      Different theories.
      • In theory, there's no difference between theory and practice. But in practice, there is.
    • The theory is still good, it depends on all QC channels having a non-zero error rate, even when nobody is trying to eavesdrop, so the protocol used must be able to deal with those errors, right?

      If the real error rate is well below the communication error ceiling (where it stops working), then Charlie sitting in the middle can extract a few bits out of each packet.

      OTOH, assuming this channel is used to exchange the 256-bit AES key to be used for the bulk communication, then the parties can simply set the acc
  • by StandardCell ( 589682 ) on Friday June 13, 2008 @09:18AM (#23777727)
    The banking sector is probably one of the slowest in terms of uptake of new crypto technologies. A huge number are still using 3DES or RC4 for symmetric to protect customers transactions. If you don't believe me, check out Citibank's Online Banking [citibank.com] with "highly modern" RC4. I've seen 40-bit encryption on current express-pay keytags at a certain coffee chain which is almost trivial to crack with little cost by today's computers. In too many cases, it's the same old HSMs accelerating crypto transactions in servers as were in the last decade.

    Granted, 3DES is actually not truly that bad in terms of its 112-bit effective security compared to AES-128 (though it's not the weak point when you use 80-bit effective RSA1024). However, just because ANSI X9 has started including modern technologies like ECC and AES or other technologies like quantum crypto are promising, you can bet that the banking industry will be one of the last groups to take up more modern crypto technology. Heck, even the NSA is mandating Suite B with ECC and AES by 2010 for government security! It's one of the few government agencies to actually act faster than the private sector.

    Finally, I wonder if the original poster could show the relevant ANSI X9 aka banking security standard which calls out quantum crypto. I don't think I've seen one, and the banking industry typically lives and dies by X9.
    • there are countries which do have decent banks.
      like switzerland.

      even government agencies have started testing quantum cryptography, to help secure the transmission of vote results.
    • This is because old crypto is often a lot more secure than people would have you think. Many attacks even against very old algorithms remain impractical against a securely implemented scheme.

      Even RC4 and DES can be secure when used correctly in situations where there isn't time to brute-force anything, and at least the insecurities and algorithms themselves are well understood, which isn't necessarily true for more modern algorithms. (I think this article is a good example of the latest buzz in crypto st
  • by janvo ( 639733 )
    If the 'eavesdropper' can only make 'imperfect' copies then it seems to me using multiple levels of security would defeat the eavesdropper. For example private key encrypted data being tunneled over the quantum channel. Using this technique they would get a copy of imperfect encrypted data - which would be impossible to decrypt even if you had the private key .
    • If the 'eavesdropper' can only make 'imperfect' copies then it seems to me using multiple levels of security would defeat the eavesdropper. For example private key encrypted data being tunneled over the quantum channel. Using this technique they would get a copy of imperfect encrypted data - which would be impossible to decrypt even if you had the private key .

      Remember that, even in the ordinary case, the receiver does not receive a perfect transmission, which implies that there must be some tolerance for error. An encrypted data stream would require error correction so the receiver could decrypt it. Therefore, for your idea to work, the level of error correction available must be such that the receiver can recover from errors, but the distortion from the imperfect copies makes error recovery impossible for the eavesdropper.

      As I did not read the paper, I do

    • There is a huge terminolgoy confusion - the actual encryption algorithms are pretty much your usual classical ones only... it's only the "key distribution" mechanism that has a quantum aspect to it. So, getting an "imperfect" copy of the key (and with a phase-covariant cloner as mentioned in the article, you can do that with a fidelity of ~0.83) means you've broken into the entry level already. Now, if the key was being utilized to encrypt say, an-already-encrypted-data, then it's down to your classical cry
  • Oh, come on (Score:1, Funny)

    by kvezach ( 1199717 )
    20 comments on a quantum mechanics article, and still no Schroedinger's Cat superposition jokes? What's Slashdot coming to these days?
    • Re: (Score:3, Funny)

      I think you mean "what is Slashdot either coming to, or not coming to, these days?"
      • Fortunately, the question is instantly answered the moment he clicks on his bookmark for this site. Until that point, there is no Slashdot. --And I don't know about you, but personally, I find being in a superposition confusing and frustrating because I have things I want to get on with, and I never know when I'm allowed to use the washroom. People should reload more often, just out of courtesy.


        -FL

  • How imperfect is the snooped data?

    Just because you COULD get data out doesn't mean it is actually usefull to do so.
    • Re: (Score:3, Informative)

      by gweihir ( 88907 )
      As Quantum Modulation (the term ''encryption'' has absolutely no place here) is used for key exchange, any data gained will make attacks on the keys used for the later conventional exchange easier. How bad that is depends on the actual parameters used, it can be anything from ''not a problem'' to ''cpmplete practical system compromise''.

    • Also doesnt neccessarily mean its easy to do so. If this attack requires you to sneak a whole lab into a bank without anybody noticing then id say its a pretty much acceptable risk
    • IIRC with quantum cloning you can get 5/6 fidelity in a universal quantum cloning machine. This is an upper limit. Any higher and weird, impossible, things like faster than light communication become possible. Lab implementations have made it into the 80%+ fidelity bracket.

      Non universal quantum cloning has been less studied. In some cases it's obvious and trivial what the best implementation is (100% for cloning a photon in a known polarization state - just put a lightbulb behind a polarization filter at th
  • I thought quantum encryption was just getting past the theory stage, now some boffins have already 'cracked' it. I'm so like, you know?, wow!, you know?
  • tough abstract (Score:4, Interesting)

    by Main Gauche ( 881147 ) on Friday June 13, 2008 @10:19AM (#23778849)
    It's a lucky thing the summary was good, because the only thing I could learn from the linked abstract is that "Francesco" is a Japanese name.
  • by QuantumV ( 1307135 ) on Friday June 13, 2008 @10:32AM (#23779045)
    But it turns out that an eavesdropper can make imperfect copies and use them to extract information from a quantum message without alerting sender or receiver (abstract). The Japanese design does just this.

    This is wrong. The eavesdropper gets imperfect copies and so does the receiver. If the quality of the receiver's copies are as bad as the eavesdropper's, any working quantum crypto setup will abort and not try to make a secret key out of it.

    That should worry banks and government agencies that have begun to use some of the commercial quantum encryption systems now available.

    Nobody needs to worry about these kinds of attacks, as the software in all commercial quantum crypto systems automatically checks and takes care of these kinds of attacks. What the paper shows is how to implement in practice a class of attacks that has been known for years how to do in theory.

    There are other attacks on quantum crypto systems that actually attack loopholes in the implementation, and some of these have previously been discussed on slashdot here [slashdot.org]

  • buried as redundant.
  • I rarely trust any company that can't spell their own technology:

    "id Quantique is the leader in the development of advanced encryption solutions based on classical and quantum cryptograhy."

    cryptograhy?

    Oooh, maybe they're trying to hide themselves through dodgy spelling! Cunning!
    • Maybe they //think// they're the market leaders, because they Googled "quantum crytograhy" and couldn't find anyone else doing it.

Promising costs nothing, it's the delivering that kills you.

Working...