Hackers Eavesdrop On Quantum Crypto With Lasers

Martin Hellman writes "According to an article in Nature magazine, quantum hackers have performed the first 'invisible' attack on two commercial quantum cryptographic systems. By using lasers on the systems — which use quantum states of light to encrypt information for transmission —' they have fully cracked their encryption keys, yet left no trace of the hack.'"

It seems that you could detect this

[MichaelSmith]

Eve gets round this constraint by 'blinding' Bob's detector — shining a continuous, 1-milliwatt laser at it.

So Bob could just detect the blinding signal and stop transmitting.

Re:

[Haedrian]

I'm sure its not as simple as that. Then agian I didn't understand half the technical stuff of this article.

Re:It seems that you could detect this

[PseudonymousBraveguy]

Yes, and if I understand the article correctly, the manufacturers developped a patch to fix the hole.

However, the hack shows (once again), that a system may be secure in theory, but actual implementations of that system may, and will, have bugs that render them insecure. This negates one of the most strong arguments for quantum crypto, i.e. the "proveable" security. If that argument does not hold, you could as well use any common "classical" key exchange algorithm, which also delivers "good, but not 100%" practical security, does not need fixed point-to-point fiber and expensive equipment, and is probably much better tested than the quantum systems.

Re:

[beelsebob]

This negates one of the most strong arguments for quantum crypto, i.e. the "proveable" security

No it doesn't – it just makes the software more expensive to write. It's entirely possible to write software that has key properties proved to be correct and bug free, it's just hard, time consuming, and done by people who get paid a very large amount of money.

Re:It seems that you could detect this

[PseudonymousBraveguy]

No it doesn't – it just makes the software more expensive to write. It's entirely possible to write software that has key properties proved to be correct and bug free,

It's not only the software. There's a lot of hardware involved, most of which could have bugs of some kind (e.g. for this hack you'd have to prove that your sensor can reliably detect that it's still in "quantum mode"). And after you have proven a lot of properties off all your hard- and software, you'll have to prove that all those properties are actually sufficient for achieving perfect security.

Re:

[sjames]

No it doesn't – it just makes the software more expensive to write. It's entirely possible to write software that has key properties proved to be correct and bug free, it's just hard, time consuming, and done by people who get paid a very large amount of money.

And then gets undercut by slightly cheaper snake oil coded by the lowest bidder in a sweatshop. Everyone cheers the invisible hand and the triumph of the free market, especially Eve.

Re:

[MichaelSmith]

So Bob could just detect the blinding signal and stop transmitting.

Alice is the transmitter, Bob is the receiver (from A to B, see?).

Yes I can see my mistake, though once Bob knows the link is compromised he can ignore the contents, so the hacker can't predict his behaviour. Also Bob could use a different channel to notify Alice of the problem.

Re:

[PseudonymousBraveguy]

Actually quantum crypto requires Bob to communicate with Alice over an authenticated channel anyways (e.g. to check which polarisation filter was used for each measurement, and to check for eavesdropper). This channel can trivially be used to signal failures and/or attacs. (However, quantum crypto does not tell you where to find a perfectly secure authenticated channel)

So OK...

[hyades1]

...maybe they've cracked it in this universe, but what about all the others?

Re:So OK...

[thijsh]

I would take a look, but I'm too afraid I'll kill the cat... And you all know how much Slashdot-geeks love that inter-dimensional pussy.

Re:

[MarkRose]

That's going to take some time. None of the other universes have sharks or ill-tempered mutant sea bass to control the lasers.

What flavors have the hackers copied?

[celtic_hackr]

I'm curious, how many flavors does this hack comes in?

not really that bad

[mogness]

The problem isn't really with quantum encryption, it's with the technical implementation. And anyway, according to the article, they've already figured out a way to detect the hack and defeat it, so it's still pretty solid.

Makorov informed both companies of the details of the hack before publishing, so that patches could made, avoiding any possible security risk.

Re:

[DrXym]

"And anyway, according to the article, they've already figured out a way to detect the hack and defeat it, so it's still pretty solid."

if (continuousLaserBeam) hack = true;

Re:

[boxwood]

Yeah the good guys inform the company of the hack. The question is how many bad guys were aware of this before now, and for how long?

It took these guys two months in a university lab to figure this out. How long do you suppose it took the NSA (and their counterparts in other countries) who have much bigger budgets?

This research proves that if you're using these devices, the NSA has your data.

Re:

[DoofusOfDeath]

they've already figured out a way to detect the hack and defeat it, so it's still pretty solid.

Perhaps, but there's a larger issue. Quantum crypto was supposed to be the end of the story, iirc. It was supposed to be theoretically impossible to crack. Discussion over.

Now, it appears that quantum crypto is engaged in the same kind of more arms race that other crypto mechanism are subject to. So it might be pretty solid, but it's apparently no silver bullet.

Re:

[Rich0]

Yup. The detectability is the whole point of quantum crypto.

You don't send secrets over quantum crypto. You send encryption keys, and then if they weren't intercepted you use those keys to send encrypted secrets over a channel of your choosing. If the keys are intercepted you simply discard them - an unused encryption key is just a random number, so nothing is lost.

It almost sounds to me like a bunch of vendors decided to turn quantum crypto into a marketing term, without thinking hard about security. I

Re:

[noidentity]

The problem isn't really with quantum encryption, it's with the technical implementation.

Yes, exactly. This is like saying that one-time pad encryption has been broken because someone found a bug in an implementation (or rather, an implementation of something other than one-time pad encryption).

Description of the hack by its authors

[romiz]

There are some photographs of the hacked hardware and the hacking tools on the page [iet.ntnu.no] of the researchers.

A massive implementation flaw?

[Securityemo]

So, the attack works like this: the middle man sends a continuous laser down to one of the recievers, and simultaneously reads off the transmitted photons (disrupting their state). When "blinded" by this laser light, the reciever still reads the information from the transmitted photon data, but ignores it's quantum state. I don't know the limitations and techniques behind constructing quantum-state detecting photon recievers, but this just has to be a flaw in this particular construction? Maybe the state de

Re:

[Vadim Makarov]

The attack workflow has been slightly simplified for the hews article. The actual Eve's workflow is: 1. Blind Bob with a continuous laser, 2. Intercept all photons coming from Alice using a copy of Bob's setup, 3. Every time Eve has a detection, she activates another laser to send a strong light pulse to Bob that tricks Bob's detectors to produce the same detection outcome. I wish there were 4. Profit!, but as for now our lab is running out of grant money with no other funding in sight :)).

Re:

[Securityemo]

I have not "mastered quantum physics", I simply understand single-photon quantum state checked lines in the context of computer security. Thus, I get to manhandle grammar however I wish.

Quantum is for Quacks

[Anonymous Coward]

This is what you get when even educated men can't make sense of your technology.

Pretty obvious now we need to return to traditional cryptosystems such as rot13 etc.
Arguably not the most secure, but it is efficient. And for military use, where security
requirements are higher, triple-rot13 is an option.

alice and bob

[brainscauseminds]

Poor Alice and Bob, they do not have a chance ever to live normal lives without hordes of geeky cryptographers debating/fighting over every bloody bit they exchange.

Re:

[Provocateur]

...until they met Ted and Alice, the couple that moved in next door. Then the sex became even more interesting.

(boy I feel so old)

quantum hackers?

[dominious]

oh boy, am I getting old?

Is anyone REALLY surprised?

[Phoenix]

And here is the biggest problem with dealing with anything that evolves. Someone or something else will come along and evolve a way to defeat it. This happens in the world of biological viruses and bacteria, this happens in the world of animals, this happens in the world of Electronic Viruses and Spyware, and this happens with encryption.

I remember when the contest was to crack either the 56-bit or the 64-bit (do not remember exactly which) and it was done in a matter of days and not the years it was though

Re:

[Fnord666]

And here is the biggest problem with dealing with anything that evolves. Someone or something else will come along and evolve a way to defeat it. This happens in the world of biological viruses and bacteria, this happens in the world of animals, this happens in the world of Electronic Viruses and Spyware, and this happens with encryption. e

xcept that in cryptography that doesn't always happen [wikipedia.org].

Re:

[sjames]

The method at the theoretical level isn't breakable, but actual real world implementations are. Either people re-use the OTP or the pad itself is intercepted. The interception starts with the sender presuming it's absolutely safe/

Re:

[jd]

One suggestion for "practical unbreakable OTPs" was to gather noise from live radio astronomical observations. Alice sends to Bob the pseudo-random radio source location and the precise time to start gathering the OTP. This information need only be secure until that start time plus the baseline for the observers. After that, the pad is no longer retrievable by any third party. Since the pad itself is never transmitted, the risk of the OTP falling into the wrong hands is greatly reduced.

This is, admittedly,

Re:

[jd]

any sort of crypt can eventually be cracked

And that is what makes the undead so dangerous.

There's still better privacy

[VincenzoRomano]

Don't write or talk anything. None will intercept it.

Re:

[John Hasler]

> Don't write or talk anything. None will intercept it.

They are working on that...

Obligatory

[ewhenn]

There is a crack, a crack in everything, that's how the light gets in.

Can we get truth in advertizing?

[BlueCoder]

How about hacked quantum systems downgraded to std transmission?

There was no hacking of quantum crypto here.

Why 'hackers' and not 'researchers'?

[RevWaldo]

Even respecting the working-all-day-and-night-in-the-basement-computer-lab origin of the term, using 'hacker' in the article seems like a blatant attempt to jazz it up, making it at first glance seem to be more about something akin to bank heist than a story about funded researches working in a university lab trying to find flaws in a security system, with the manufacturer's full approval to boot.

.

Re:Why 'hackers' and not 'researchers'?

[Vadim Makarov]

with the manufacturer's full approval to boot

I'm not sure the manufacturers would approve the existence of our lab [iet.ntnu.no] if they could dictate it. Thankfully we are independent and need not seek their approval. The manufacturers did appreciate responsible disclosure, though. I don't know how this hacking affects their business in the short term (may as well be detrimental to sales), even though it is surely good for business in the long term as it leads to more secure systems.

Re:

[RevWaldo]

(A reply from the man himself - Cheers!) I didn't intend to imply you're lab was working for the manufacturers. There are certainly many manufacturers who do *not* encourage others to try and find flaws in their products, much less appreciate them for pointing them out; quite the opposite it usually seems. That's all I meant by your group having their "approval". (And by "funded" I meant as opposed to some guy in his garage figuring out how to jailbreak a smartphone.) I was more questioning the use of langu

The USA Industry & Congress....

[OldHawk777]

The USA Defense Industry and Congress will write a law that will prevent anyone (except .Com, .Gov & .Mil) from criminally hacking qEncrypt, making USAll safe from Norwegian Hacker Scientist. Also, US, EU, RU, CN... people and governments will be happy to comply with more legal control.

%~P=WeRFycked+*

Tank

[Anonymous Coward]

Unfortunately, not everyone has the space required for an aquarium to contain the sharks with those fricken lasers.

Quantum Key Generation

[Doc Ruby]

I'm more interested in quantum computing to generate encryption keys that can't be broken by other quantum computing. Is there even a theoretical model for that?

Article Makes No Sense

[SeekerDarksteel]

The article is either missing massive details or these researchers are vastly overstating the power of their technique. The entire _point_ of quantum key exchange is that if Eve intercepts the signal she cannot tell if she read a 0 or a 1 because she does not know which basis the 0 or 1 was generated in. Even IF Eve passed a 1 along every time she read a 1, when Alice and Bob go to do the basis comparison over the standard channel they will notice errors because Eve read the signal in the wrong basis and passed along an incorrect value.

I've tried reading the actual journal paper, but unfortunately they just seem to handwave this problem away. Maybe there's a reason they can, but its sure as hell not explained as far as I can see unless they're assuming Eve has also compromised the classical channel as well as the quantum channel.

Re:

[Vadim Makarov]

As you correctly notice, Eve does not know Alice's basis and will half the time choose a wrong basis for measurement. We just bite the problem from the other end: we make sure Bob's basis always matches Eve's. Alice and Bob always compare their bases after the transmission and then discard the bits where their bases did not match. During this comparison all bits where Eve has chosen a wrong basis will be discarded. What remains in the key are the bits where Alice, Eve and Bob all have the same basis.

We h

Re:

[SeekerDarksteel]

Ok, I must be missing how exactly you're controlling Bob's basis then. I guess that's what your blinding trick is supposed to be doing, but my physics is too weak to understand why. (I studied QC from a computer engineer standpoint, not a physics standpoint). My impression from the Nature article was that you could force Bob to see a 0 or a 1. If that's all you could do, then Eve's interference would have been detectable since she would have passed on bad bits when Alice and Bob's bases agreed but Eve's

Re:

[Vadim Makarov]

Good. We are not controlling Bob's basis: he chooses his detection basis randomly. What we do is to send a bright-light state that does not cause a detection event if Bob chooses a basis not matching Alice's, but causes a detection event in a specific detector if Bob chooses the same basis as Eve. See figure 2 in the paper [nature.com] for illustration. Thus, half the time our bright-light state failes to induce any detection, which translates to just 50% detection efficiency. This would be a problem if Bob's photon det

So you exploited TWO flaws.

[Ungrounded Lightning]

We are not controlling Bob's basis: he chooses his detection basis randomly. What we do is to send a bright-light state that does not cause a detection event if Bob chooses a basis not matching Alice's, but causes a detection event in a specific detector if Bob chooses the same basis as Eve.

So you're actually exploiting the combination TWO flaws:

- One in Bob's detector - which you can get to efficiently mimic the reception you achieved despite your lack of knowledge of Bob's expected polarization.

Re:

[Vadim Makarov]

Your first item is correct, however for the second one I think you need to study a good description of the QKD protocol.

The QKD protocol is designed to cope with a huge bit loss, both due to detector inefficiency and the loss in the fiber line; in fact, in a typical setup only 1 in 1000 Alice's photon's may be detected by Bob. The loss in the line is the killer item: the best optical fiber is has loss about 0.2 dB per km. This means over 50 km, nine out of ten photons sent by Alice will be lost. (In our

Re:

[Ungrounded Lightning]

Thanks. (I figured that out after posting. B-b ).

If I've got it correctly:

- Normally Bob loses 50% of the bits by not being aligned with Alice.
- Eve loses 50% of the bits by not being aligned with Alice, then
- Bob loses 50% of the bits by not being aligned with Alice, but
- The classical signal from Eve to Bob is strong and does not lose
(a significant number of) bits in the Eve->Bob stretch of fiber.
This (along with other allowa

Re:

[SeekerDarksteel]

Ah, ok. That's making a lot more sense. It really didn't come across in the Nature article that way to me. But I guess that's scientific reporting for ya, :P

Re:pwned

[neumayr]

Not really. From the article:

"We have exploited a purely technological loophole that turns a quantum cryptographic system into a classical system, without anyone noticing," says Makarov.

Re:pwned

[PseudonymousBraveguy]

No, it IS a huge problem. If you turn a quantum computing system into a classical system, you basically revert it to sending the key in plaintext. While it does not break the theory of quantum encryption, breaking all (commonly) available implementations of quantum crypto should be enough to be qualified as "huge kick in the balls".

a kick in the balls

[davidwr]

A kick in the balls (breaking all current implementations) is not the same as cutting them out and mounting them in a trophy case (proving there can be no secure implementation).

Either one hurts though.

Re:

[Z00L00K]

Which also means that it may end up being more predictable and sensitive to attack.

As soon as a crypto is predictable the road left to crack a given message is shorter. Not that it's easy, it will still require some computing power.

Re:

[GameboyRMH]

This wouldn't even work if this quantum link weren't so simple. This system is at least as simple as a serial link, and what they've done is like unplugging that link from the intended recipient computer and plugging it into their own.

It looks like the only real security in the system 100% depended on MITMs being impossible - which is still true (from what I understand) - they've just diverted the traffic altogether rather than doing a MITM.

If there were any authentication involved or the data being sent wa

Re:

[Vadim Makarov]

I'm not sure what's your concern, but this is not a man-in-the-middle attack. We do intercept-resend in the quantum channel (photons) but leave the classical channel alone, just listen to it. Of course Alice and Bob do authentication of the classical channel (this is a part of the QKD protocol), but that passes just fine as we do not alter the classical authenticated traffic.

Re:

[sortius_nod]

Unfortunately without that caveat the article isn't as scary.

Come on editors, Do a better job, don't just put the article through, read it yourself.

Re:

[Peach Rings]

You mean with that caveat?

Re:pwned

[WED Fan]

Why the GP was modded troll is beyond me. This is a "huge kick in the balls". Isn't the point of QC to make it easy to detect if someone has even listened in, let alone broken anything? I'd have to say that what it means is the current implementation of QC is an epic fail. Back to the old drawing board.

Re:

[yahwotqa]

From TFA:

Quantum cryptography is often touted as being perfectly secure. It is based on the principle that you cannot make measurements of a quantum system without disturbing it.

So, I guess the encryption system used here isn't really "quantum", since above doesn't apply, is it?

Re:pwned

[Unipuma]

If you read the article, you'll notice that the 'hack' is a classic man in the middle attack, and the receiving end can receive both classic and quantum messages. The man in the middle (after reading the quantum message) passes it on as a classic message, and the receiving device does not give a warning that the message received is a classic message, instead of a quantum message.

So it's really an design error on the device side, not a true hack in that quantum states were undisturbed regardless of reading them.

Re:

[radtea]

So it's really an design error on the device side, not a true hack in that quantum states were undisturbed regardless of reading them.

Thanks for pointing that out! It makes the system so much more secure, knowing that...

This is a "true hack" in the same way that the cost of sending a mission to Mars is a "real problem": scientists and engineers often want to simplify the world by restricting the domain of "real problems" to ones they know how to solve. But reality doesn't care about human domain boundaries.

In this case, they have hacked the system, which has the effect of being able to read the communications that pass through it. No

Re:

[jonaskoelker]

not a true hack in that quantum states were undisturbed regardless of reading them.

Dammit, I had hoped to base my perpetuum mobile on these hackers' violation of the laws of physics :(

Re:

[foobsr]

"100% security" ... "100% minus any bugs in the implementation"

I truly wonder if there is anything like "100% security". Probably if there is no 'security' at all (if it is not needed? impossible to observe?).

CC.

Re:

[arose]

One time pad with a truly random key. Getting good entropy is a problem, but not a deal breaker. Key exchange is the weak point (quantum crypto is supposed to fix that, but who can afford dedicated, well guarded fiber from each location to each location? or have a working system for that matter...), but with with multi-gigabyte MicroSD it is a realistic alternative to symmetric encryption for reasonably sized messages.

Re:pwned

[maxwell demon]

Well, there are several points here:

• Every cryptographic security is only up to possible bugs in the implementation (remember the Debian ssh problem?), so exactly 100% security is impossible. However, one difference betweeen the classical and quantum case is that in the quantum case any possible exploit has to be "online" (i.e. you have to actually intercept the actual sent message and manage to manipulate the receiving system), while for classical key exchange the breaking can also be after the fact (i.e. if all you want is the exchanged information, you can passively record all data and then try to break it afterwards). This means that
  1. all communications performed before that exploit was found remains secure (unlike classical protocols where you only need the recorded data to apply any exploit), and
  2. since the attacker has to manipulate the systems during operation, as soon the exploit is known you can take additional measures in order to detect it (e.g. in this case, I think it should be quite easy to detect a relatively strong laser which is continuously shining at the receiving device), thus detecting whether someone tries to exploit it (unlike classical systems, where you have no clue if someone tries to attack your cryptographic system). That is, instead of replacing your whole cryptographic infrastructure (which may be expensive), you can simply add detectors for the manipulation needed for the exploit, so that you only transmit confidential information in case the exploit isn't applied.
• As the article mentions, the commercial systems add the quantum cryptography on top of the classical cryptography. So if the quantum cryptography is broken, you still have the security of the classical system. On the other hand, if the classical system used is broken (be it because the underlying cryptographic scheme is broken, or be it by exploiting a bug in the specific implementation) then you still have the security of the quantum cryptography.

Re:

[arose]

all communications performed before that exploit was found remains secure (unlike classical protocols where you only need the recorded data to apply any exploit)

That isn't necessarily the case for side channel attacks, as the side channel to capture isn't known in advance of exploits. Similarly man in the middle attacks need to be live.

Re:

[Ungrounded Lightning]

However, one difference betweeen the classical and quantum case is that in the quantum case any possible exploit has to be "online" (i.e. you have to actually intercept the actual sent message and manage to manipulate the receiving system), while for classical key exchange the breaking can also be after the fact (i.e. if all you want is the exchanged information, you can passively record all data and then try to break it afterwards).

But note that these systems only use quantum encryption to perform a key ex

Re:

[nospam007]

Inigo:
You keep using that word. I do not think it means what you think it means.

Re:

[vlad30]

The bigger they are the harder they fall or in encryption the more complicated the easier to crack

Re:

[Muad'Dave]

Scotty: "The more complicated the plumbing, the easier it is to stop up the drain."

Re:

[stonewallred]

So you say. In reality, torture does work wonders, and provides really solid information. Problem is that true torture is not quick, easy or cheap. It requires a great deal of time, energy and information. Everyone has some breaking point and finding that point using the right key is paramount. While some folks might resist physical pain for long periods of time, the same person may break within minutes if subjected to sensory deprivation or spiders or being in very tight confinement. Threat of death might

Re:

[tibit]

You would be right if you weren't so wrong :(

The problem with torture is that it has a way of making up information where there is none. If you're convinced your guy has the information, but he doesn't, then torture is an element of a random story generator. And there's pretty much no way of telling the quality of information that you receive.

Case in point: I think that a big problem with some Gitmo inmates is that they were set up by bounty hunters, and they are simply wrong people in a wrong place at the

Re:

[stonewallred]

No, that is why the disclaimer is that it is not easy, quick or cheap. Any and all information has to be verified, every time. And brute force pain is never as efficient as using what causes the subject the most fear or torment mentally, rather than emotionally. You are thinking pliers and blowtorches in a dimly lit basement, to extract solid information in a short period of time when it is actually usable. That type doesn't work that well. I am speaking of methodical, relentless psychological torture done

Re:

[tibit]

Logic whoosh.

No matter how uneasy, not-quick and not-cheap the torture is, you won't get information that isn't there. That's all I claim, yet you somehow feel the need to muddy the waters.

I'm very clear: I claim that there is/was a bunch of people in Gitmo who in fact know nothing, and who are held solely on an informant's paid (in money or in kind) claim that they, to the contrary, do know something.

You can have $1 billion per detainee and use all the tricks that anyone knows, or had known (think ancient

Re:

[tibit]

I'm not claiming that it doesn't work universally. But it can only work when the subject knows what you're after. What you're saying that it universally works, or else I just don't understand your rather plain words. It can't be true, unless you can magically ensure that everyone knows everything.

I think I have an example that shows cracks in your argument. Say I supposedly broke into a safe, containing highly sensitive papers, that uses 1000th through 2000th decimal digits of PI as the combination. From ot

Re:

[tibit]

Nope.

You torture them because you believe they have the information. As long as you hold on to that belief no matter what (IOW, you're stupid even when told so), then there's nothing for the prisoner to do other than to make stuff up. If they don't, they will presumably die -- they don't have the information in the first place.

So, it's not a delay if you torture someone who feeds you misinformation for lack of the real information you seek. It's your problem, not prisoner's problem. You will either kill the

Re:

[TheCarp]

You have evidence of that? I am not actually aware of any incidents where this was shown to be the case... and many incidents where information was given up without torture.

Generally speaking, torture is used to produce confessions and convictions no matter what, not to produce truth. Thats how its been used for a long time now, its what the techniques were developed to produce.

SO far the only "evidence" to the contrary has been by the Dick Cheney's vague "trust us this works" statement that he conveniently

Re:

[radtea]

While it's not reliable in general, it is reliable in cases where you can easily check whether the information given to you is correct.

You realize you've just defined extracting information under torture as an NP-Complete problem... and then implied that this was the "easy" case.

Re:

[Tacvek]

Not quite.

He was describing a system that gives a result probabilistically, with the probability of a correct response being proportional to the ease of verifying it.
There are two cases, one in which the result can be easilly verified. That case would be NP, and realistically BPP. The other case has no easy way to verify, making it emphatically not NP, but the exact category is not determined. Needless to say though that it has problems much harder than NP-complete problems.

Re:

[Raenex]

You can make it easy. If you're willing to undergo an hour of torture without cracking then you can keep your secret key (if you have it).

Re:

[radtea]

I actually debated with myself if it was NP or NP-complete or NP-hard, and I'll stand by the NP-Complete designation. If you tortured a travelling salesman for the optimal route he could easily spit out (along with his teeth, presumably) various possibles, which you could then "easily check" (including keeping an eye out for repetitions, of course.) Ergo: NP-Complete.

I also debated with myself about the word "easy", which is why I put it in scare-quotes. By "easy" I meant "imaginable that you might get r

Re:

[radtea]

Since a salesman (or anyone else) generally doesn't know the optimal solution to the travelling salesman problem, torturing him will not reliably get you the correct solution, despite being able to check the solution.

Sure it will. It'll just take a very long time.

And since you never really know if the person you're torturing has the information you want--and in all practical cases your degree of uncertainty is extremely large, so this isn't some semantic quibble about "really knowing"--you never know if you're trying to solve an NP-complete problem or not. Good luck wit that.

Re:Lessons

[neumayr]

The underlying principle still is valid, those people exploited a technical loophole - in a process that's part of

[..] years of dedicated effort in an open environment.

Re:

[buchner.johannes]

And that's why quantum based voting fails. No citizen can verify that they don't just use classic computers.

Re:

[Artifakt]

Should it be called just a loophole?
Actually getting a physical object to behave like quantum entanglement is present is a challenging task, much like getting an object to reliably store data in a form that doesn't degrade with repeated access in the first place. There are only a few ways to store data in forms that can take 100,000+ access cycles, give the date back quickly enough to be useful to other parts of the system, or have low enough rates of corruption to be gen

Re:

[Interoperable]

It's a pretty damn big loophole. They used a 1 mW beam which is about as powerful as a laser pointer. That's many orders of magnitude larger than a single-photon level signal and should be very easy to detect. Not noticing a milliwatt of light hitting the detector in a quantum scheme is something like leaving a key written in plain text on a sticky note on your monitor and being shocked when your key is "hacked."

Re:

[Ungrounded Lightning]

The underlying principle still is valid, those people exploited a technical loophole ...

As I recall, the underlying principle of quantum cryptography was that you can't intercept the information in the FIRST PLACE to make a clone of it. These guys intercepted it, cloned the information from it, then made a signal that fooled the receiving detector.

The idea was that your signal either encoded a bit on a single photon as 0/90 degrees or +-45 degrees. The receiver had to know (from a previously distributed s

Re:

[Ungrounded Lightning]

Upon further reading I see that the quantum cryptosystems are doing key exchange - so they don't have a shared secret from which to generate a shared idea of which polarization to use when looking. They have to throw away half the bits due to looking wrong and sort it out later.

The flaw is still partly rooted in their excessive redundancy to cover for sufficiently large losses in the data path. But the crack also depends on being able to stimulate "Bob"'s receiver by something that does not correspond to

Commercial Systems

[iYk6]

I was surprised to discover that there were commercial systems of quantum cryptography. Quantum cryptography is academic at this point. It is not as strong as old fashioned cryptography (like AES) and is much more expensive. Then I realized that there is no reason that someone can't use both. It would be pretty ridiculous if someone were using quantum cryptography as their only security, and not encrypting the data first with old fashioned cryptography.

Re:Commercial Systems

[PseudonymousBraveguy]

Quantum cryptography is academic at this point. It is not as strong as old fashioned cryptography (like AES) and is much more expensive. Then I realized that there is no reason that someone can't use both.

Quantum crypto (at this point) is a key exchange mechanism. Thus, it doesn't compare to AES at all. You HAVE to use quantum crypto together with a classical exncryption algorithm. However, if you use quantom crypto you care about 100% theoretical security. Else you would simply use DH or any other well-known classical key exchange. And if you care about 100% theoretical security, there is no alternative to OTP.

Re:

[KiloByte]

Except that to be able to use quantum crypto at all, you need to provide a physical way to pass the quantum state. And with that requirement, why won't you just pass the key the good old fashioned way? Strictly more secure, and much cheaper.

Re:Commercial Systems

[julesh]

Except that to be able to use quantum crypto at all, you need to provide a physical way to pass the quantum state. And with that requirement, why won't you just pass the key the good old fashioned way? Strictly more secure, and much cheaper.

More secure? Hardly. All you have to do is eavesdrop on the key exchange and you have the key. In a real world scenario, typically this means bribing a few security guards, breaking into one of the communicators' homes or offices and retrieving the key from their computer, or intercepting a message sent over a physical line, probably encrypted via a non-100%-reliable cryptographic system, with the (at least) theoretical possibility that the encryption on the key exchange can be broken.

In a properly implemented quantum crypto system, this is theoretically impossible: the key passes directly from one endpoint to the other, and any interference between the two is easily detectable. It isn't stored for longer than the message takes to be sent, so breaking in to retrieve it is impractical. Done properly, the quantum crypto system is as secure as it is possible to be. As it happens, the system here was not done properly; it failed to detect interference on the line (and as ability to detect interference is, essentially, the point of quantum crypto, this is bad news).

Re:

[KiloByte]

If your endpoint has been compromised, there isn't anything you can do.

Re:

[Anonymous Coward]

In a real world scenario, typically this means bribing a few security guards, breaking into one of the communicators' homes or offices and retrieving the key from their computer, or intercepting a message sent over a physical line

Using the old fashioned way, you divide the key into 5 or 6 pieces before it leaves the cryptosystem, you distribute responsibility of the pieces. The pieces are stored on devices, and given to guards.

The guards have physical possession of the devices, but not the PIN number f

Re:

[Rakshasa Taisab]

Quantum crypto is about passing a key and being sure it wasn't read by a third party (or borking if it has been). Old fashion plaintext passing of that key does not have that particular property which makes it _NOT_ more secure even if it is cheaper.

That the system would have an error mode where it just starts ignoring the overloaded quantum state sensor seems like braindead design to me...

Re:

[kvezach]

But that's also rather strange. For quantum crypto to make sense, there must be an adversary who can crack Diffie-Hellman (or the key exchange of your choice), but who isn't able to just physically get on the line and insert a man-in-the-middle device. Even if you have perfect quantum crypto, unless you and your intended other party shares a secret, it's impossible to determine if the key negotiation is between you and your intended other party or with Mallory masquerading as that other party, impersonating

Re:

[Sycraft-fu]

Well I'd hazard a guess that most people who are buying in to this don't know what the fuck they are doing. They are the types that believe the NSA has secret evil cracking machines that ban break all current crypto (and that the NSA gives a shit about what they are doing). They also hear stories about amazin' new unbreakable quantum crypto. They see it on the market and say "We need to have that!"

For that matter, I don't know if these products are actual quantum crypto. Just because they call it that doesn

Re:

[IndustrialComplex]

(and that the NSA gives a shit about what they are doing)

Well for one, it isn't generally the NSA that 'gives a shit', it's other agencies.

Two: If you make it a point to collect and store everything, even if it isn't of immediate interest to you NOW, it might be LATER.

Re:

[VincenzoRomano]

Really neat, really.

Re:

[couchslug]

Where's an Arc Light strike when you need one?