Swedish Researchers Break 'Unbreakable' Quantum Cryptography (eurekalert.org) 101
New submitter etnoy writes: Quantum key distribution is supposed to be a perfectly secure method for encrypting information. Even with access to an infinitely fast computer, an attacker cannot eavesdrop on the encrypted channel since it is protected by the laws of quantum mechanics. In recent years, several research groups have developed a new method for quantum key distribution, called "device independence." This is a simple yet effective way to detect intrusion. Now, a group of Swedish researchers question the security of some of these device-independent protocols. They show that it is possible to break the security by faking a violation of the famous Bell inequality. By sending strong pulses of light, they blind the photodetectors at the receiving stations which in turn allows them to extract the secret information sent between Alice and Bob.
Re: (Score:2)
And apparently nobody donated. Your point relevant to this story being...?
It just shows that... (Score:1)
It just shows that nothing is unbreakable or at least, it tends to prove it.
Re:It just shows that... (Score:5, Insightful)
No, it shows that this method of key distribution might be borked, nothing more.
Short logic lesson, your reasoning is indistinguishable in form from: 3 is prime, therefore all numbers are prime.
Or more bluntly: (Ex) P(x) --> (Ax) P(x)
is falsifiable in first-order logic. In English, this is "if there exists some x such that P(x), then for all x it is the case that P(x)."
Re: (Score:2)
There is theoretically unbreakable crypto and crypto that is provably hard enough to break as to be unbreakable practically for a long, long time. The quantum-snake-oil "encryption" is neither. First, it has the requirement that some physical models are absolute truth. That would be a first in physics, so far there were always inaccuracies, and circumstances where the theoretical models failed. And second, it relies on a physical, analog implementation being perfect. That is usually not possible to achieve
Re: (Score:2)
Aside from the one-time pad, there is no crypto that is provably hard to break.
All practical decryption is in NP, in that we can verify the correctness of the decryption in polynomial time. Therefore, the most we can say about crypto algorithms is that they may be (but, AIUI, are not provably) NP-complete. This means that they may be efficiently solvable. It seems unlikely, but we can't prove it otherwise. Alternately, we might find other ways to crack a given cipher. Again, it seems unlikely, but
Re: (Score:2)
You are very, very wrong on this. With a good key-schedule and a maximum message size used per key, even the Enigma is provably "hard to break", or rather impossible to break. It requires random keys and something like a maximum of 4k characters encrypted per key (if I remember the numbers right).
Your NP argument completely misses the point in several regards: First, for practical attacks, P is not "efficient". Second, what makes you think you can verify the correctness of decryption in the first place? Tha
Re: (Score:2)
True, there is a minimum text length to break ciphers, based on what is known of the cipher and the amount of redundancy in the language. (I don't think you'd have any real difficulty reading that last sentence with vowels omitted, for example, which means the vowels primarily provide redundancy.) A break requires a certain minimum of text.
As far as recognizing plaintext, this is automatic in cases with known plaintext or forced plaintext, and cipher experts want them to resist these attacks as well.
quantum crypto is not "unbreakable" (Score:1)
The point of quantum crypto is to be able to detect whether someone is eavesdropping on you. Blinding detectors is kind of a tell-tale sign that something is wrong and parties should stop transmitting.
Re:quantum crypto is not "unbreakable" (Score:5, Informative)
The point of quantum crypto is to be able to detect whether someone is eavesdropping on you. Blinding detectors is kind of a tell-tale sign that something is wrong and parties should stop transmitting.
Paper author here. You can try detecting my specific attack, but it won't help. Sooner or later I'll find a way around your countermeasure and break it again. What we actually show in the paper is that the security proof is flawed. Fix the security proof and I won't ever be able to break it.
Re:quantum crypto is not "unbreakable" (Score:4, Informative)
You probably read the paper from Makarov: http://www.nature.com/nphoton/... [nature.com]
Our attack is performed on a different system, but our level of control is much higher (and also works with near 100% efficiency) than in Makarov's paper.
Measuring the optical power is not a solution to this attack. Sure, it'll detect it, but the attacker would just adapt. Instead, fix the actual flaw at hand, the incorrect security proof.
Re: (Score:2)
somebody anonymous woke up on the wrong side of the bed.
Re: (Score:2)
You misunderstand what is supposed to happen here. As soon as any form of attack is detected, communication stops. You can not adapt to that.
Sure I can. I just have to figure out how your detection mechanism works and then circumvent it so that no detection occurs.
Re: (Score:3)
You can keep shifting phase angles, halting the blinding attack, but there may be a pre-emptive method as you mention of pre-arranging sufficient tautology of concurrent streams where a valid stream is channelized, not unlike how frequency-shift-keying works. n>2 is a possibility, and perhaps even desired.
Go ahead, blind the detectors, make them think they're valid, except that ones that stop you aren't the ones you desired until you blind so many channels that the time domain rats out your actual physi
Re: (Score:2)
We're talking security here, so it is beneficial to look at it from Alice's and Bob's point of view. They can only relax when they use a QKD system with a complete security proof which guarantees security. If they use a system with a flawed security proof (what we show in the paper) they can never be secure. No matter how many blinding-detectors they apply and Guidos they hire, they can not be really sure that the system is attacked. In essence, we are back to the good old classical security picture which i
Give us a decent description please. (Score:2)
With the available information it is impossible for technical people like those that read SlashDot to make sense of anything. There is either the paper itself, which would require slogging through dozens of other papers to even make sense of it, or there is journalistic fluff that is completely meaningless. When you write for an academic audience in your discipline area you should be terse and obscure. But not for a general but technical audience.
My understanding of Quantum encryption is that two qubits
Re: (Score:2)
So which part of that story have you attacked? And leave out the bits about the Frigembroten Sniggens defrobulation principles.
In QKD, you don't need any "extras" to be secure, it is information-theoretically secure all on its own. No need for signatures. We have found a class of QKD devices that have a flaw in the security proof which allows an attacker to evade detection. We exploit this flaw by sending pulses of light to Alice and Bob which 1) allows the attacker to dictate the key and 2) evades detection. We never intercept the qubits, we replaced the source device with a trojan device of their own. Ordinarily, the security test
Re: (Score:2)
I'm sorry, I have no idea what you are talking about.
If you do not have some kind of pre shared data it becomes trivial to insert a man in the middle, whatever mystical properties qbits have.
If there is substance to your claims, then a semi-technical paper would make your results much more widely known, if that is helpful. As it is all that I have got out of the discussion is that "somebody has done something with quantum crypto". Not very interesting.
(I have never read anything that makes a lot of sense
Re: (Score:3)
I've read about ways to handle this myself.
One way is to use the quantum connection channel to negotiate a session key via Diffie-Hellman, but each side also has a pre-shared key or a chunk from a one-time-pad that gets XOR-ed or combined with the session key. Then the Internet or conventional channels are used for the bulk transmissions. The attacker would have to find the pre-shared info, as well as decode the quantum crypto, each alone would score nothing.
Another way is to use the quantum channel for se
Re: (Score:2)
What we actually show in the paper is that the security proof is flawed. Fix the security proof and I won't ever be able to break it.
Unless physical reality turns out to not quite follow the theoretical models precisely. So far that has always been the case.
Re:quantum crypto is not "unbreakable" (Score:4, Informative)
FTA: "An intuitive countermeasure to our attack is to add a power monitor to the analysis station that detects if the incoming light is too bright. If such an anomaly is detected, Alice and/or Bob are alerted and discard the relevant measurement outcomes. This modified Franson interferometer would not be vulnerable to the specific attack as described so far; however, it does not solve the postselection loophole, which is the actual issue at hand. "
Submitter has no clue what QC is. (Score:3, Insightful)
"Quantum key distribution is supposed to be a perfectly secure method for encrypting information. Even with access to an infinitely fast computer, an attacker cannot eavesdrop on the encrypted channel since it is protected by the laws of quantum mechanics. In recent years, several research groups have developed a new method for quantum key distribution, called "device independence." This is a simple yet effective way to detect intrusion. Now, a group of Swedish researchers question the security of some of these device-independent protocols. They show that it is possible to break the security by faking a violation of the famous Bell inequality. By sending strong pulses of light, they blind the photodetectors at the receiving stations which in turn allows them to extract the secret information sent between Alice and Bob."
First of all, quantum key distribution is not a method for encrypting information. As its name judiciously indicates, it is a method to securely exchange encryption keys. This is not the same thing at all.
Second, the speed of the attacker's computer has no role in this attack and quantum key distribution has never claimed a code is unbreakable since there is no code to break here.
Third, quantum key exchange is a protocol, not a cipher. It relies on quantum mechanics features to tell Alice or Bob whether the just-received key is compromised or not since it is not possible for a man in the middle to observe the key without being noticed. That is the idea behind this mechanism. Once keys are securely exchanged between both parties, a classically encrypted communication can take place between both parties.
Of course, if you are blinding the receiver, it may be possible to tamper with the key, however, the blinded party should notice it has been blinded. The whole thing rests on very low luminosity photons exchange. If the light beam is too strong, it clearly no longer depicted the quantum characteristics needed to secure the key exchange. I don't really see where the problem is here since it is easy to determine the exchange can no longer be trusted due to high luminosity.
And finally, it seems to me this is old news.
Re:Submitter has no clue what QC is. (Score:5, Informative)
Submitter has no clue what QC is.
Oh, sorry. I confess I know nothing about quantum cryptography, I just happened to break it.
First of all, quantum key distribution is not a method for encrypting information. As its name judiciously indicates, it is a method to securely exchange encryption keys. This is not the same thing at all.
Semantics. QKD is a way of obtaining a secure key which we then use to perform one-time pad encryption. In other words, we use it for encrypting information.
Second, the speed of the attacker's computer has no role in this attack and quantum key distribution has never claimed a code is unbreakable since there is no code to break here.
It's a layman's definition of the concept of information-theoretic security (ITS). Normal crypto is secure under certain hardness assumptions (i.e. hard to factor integers, hard to do discrete logarithms). If you give the attacker an infinitely fast computer, all those crypto methods will be broken. QKD on the other hand remains secure.
Of course, if you are blinding the receiver, it may be possible to tamper with the key, however, the blinded party should notice it has been blinded.
This is a very good question and there is a very good answer (one I even answer in the paper itself!) You can surely detect my attack by using an optical power meter, but eventually I'll figure out a way around this as well. What our paper really shows is that there is a missing link in the security proof. Fix the proof and you'll be safe forever.
The whole thing rests on very low luminosity photons exchange. If the light beam is too strong, it clearly no longer depicted the quantum characteristics needed to secure the key exchange.
Which makes our attack even juicier. We don't even need to use quantum phenomena to break the security of the QKD device, we just use good ol' classical pulses of light.
And finally, it seems to me this is old news.
Please tell me more!
Re:Submitter has no clue what QC is. (Score:4, Informative)
I just happened to break it. ...
You can surely detect my attack by using an optical power meter, but eventually I'll figure out a way around this as well.
First you say you broke it (past tense), then you say you will break it (future tense), yet your stated accomplishment is
Let me put it this way: I broke it (past tense), I break it (current) and will break it (future). Unless you re-establish full, provable security (which the Franson interferometer lacks) this is what will happen.
QE never promised to guarantee key exchange, so you are not causing it to break any promises.
QKD promises a secret key shared between Alice and Bob, what is your point?
QE promises Alice and Bob will know if/when the key is intercepted.
That is the function of the security test. In the Franson interferometer, the security test is a Bell inequality violation. We then show how to fake a Bell inequality violation, which makes the security test believe everything is alright.
But you never extracted the key
Not only does our attack extract the key, it allows Eve to dictate the key to Alice and Bob.
you simply interrupted communications. Seems like a strawman to me.
We never claim to interrupt communication, we claim that we find and/or dictate the key. You are the one throwing strawmen.
You make up a non-existent claim of QE simply so you can tear that down, ignoring the actual claims QE makes.
Ditto.
Until you obtain the key in such a way that Alice and Bob do not know the key was intercepted, quite the opposite of preventing communications such as you have done, then you can claim you have broken QE.
As per above, we do obtain the key in such a way that Alice and Bob do not know the key was intercepted. Therefore I claim to have broken QKD.
You should read our paper before trying to discredit it.
Re: (Score:2)
alice: I want to talk to bob
admin: it's not secure
alice: fix it
admin: will take x days
alice: fix it in 1 hour or look for another job
and sometimes A and B will need to talk even if they do know it is not secure, otherwise as an attacker you will have achieved the secondary mission, making the parties not be able to talk to each other at all and lose, this is a damned if we do damned if we don't situation
Re: (Score:2)
No need to be smug about anything.
That was never my intention, however I am replying to needless accusations and need to be clear with my answers.
You claim to have broken QC while in fact, you have broken an implementation under certain circumstances.
Which is exactly what our paper says.
This is what your parent meant when he said it was old news.
This is the first attack of this kind on the Franson interferometer.
There have been multiple hardware vulnerabilities in the past.
Correct! The vulnerabilities found by Makarov et al. are excellent examples and have been an inspiration for us.
You really need to work on your discussion style. Proof by intimidation never works.
Again, not my intention.
Re:Submitter has no clue what QC is. (Score:4, Insightful)
Could you explain your attack in layman's terms? From what you said here, you've not really "broken" quantum encryption and worked around the wave function collapse, rather you've discovered that quantum encryption as currently defined is flawed and immune to the observer effect?
Any QKD protocol relies on a security proof, and the observer effect is only a small part of the puzzle. In this case, we attack the Franson interferometer which uses a security test in the form of a Bell inequality violation to make sure no attack is occurring. We have discovered a way to fake this Bell inequality violation.
Bell's theorem is a very interesting part of physics on its own, I really recommend looking into the recent Vienna and NIST experiments (good writeup here [aps.org]). The short version is that it allows us to distinguish between "quantum" things and "classical" things with a surprisingly powerful tool, Bell's inequality.
In essence, when measuring Bell's inequality you need data of the form Probability(A,B), where A is the setting Alice uses for her box and B the setting Bob uses for his box. However, the Franson interferometer is very deceptive here and gives you data of the form Probability(A,B | coincidence), which means you condition on coincidence, i.e. you remove half of the events from the statistical ensemble.
The net result is that you don't really measure Bell's inequality, but a similar but (unfortunately) useless cousin. This paper [aps.org] shows why this happens. Therefore, we can start attacking the system and at the same time, fool the security test. Again, the Franson interferometer removes half of the events, which means the apparent detector efficiency is 50% even in the ideal case.
For even more info, see our previous paper: http://iopscience.iop.org/1751... [iop.org]
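An added illustration of the conditioning problem described in the comment above (not part of the thread or of the paper): a constructed, purely classical and local toy model whose CHSH value respects the bound of 2 on the full ensemble, but not once non-coincident events are discarded. The hidden states, the early/late slot labels and the function names are assumptions made for this example; it models only the statistics, not the optics of a Franson interferometer.

```python
from fractions import Fraction
from itertools import product

# Constructed toy model. Each hidden state fixes, for every local setting
# (0 or 1), an outcome (+1/-1) and an arrival slot ("E"arly or "L"ate).
# Alice's entries depend only on her setting and Bob's only on his,
# so the model is local and entirely classical.
HIDDEN_STATES = [
    # (weight, Alice {setting: (outcome, slot)}, Bob {setting: (outcome, slot)})
    (Fraction(1, 2),
     {0: (+1, "E"), 1: (+1, "L")},
     {0: (+1, "E"), 1: (+1, "E")}),
    (Fraction(1, 2),
     {0: (+1, "L"), 1: (+1, "E")},
     {0: (+1, "E"), 1: (-1, "E")}),
]


def correlation(a, b, postselect):
    """E(a, b) over all events, or over coincidences only if postselect."""
    num = den = Fraction(0)
    for weight, alice, bob in HIDDEN_STATES:
        (x, slot_a), (y, slot_b) = alice[a], bob[b]
        if postselect and slot_a != slot_b:
            continue  # event dropped: the two detections do not coincide
        num += weight * x * y
        den += weight
    return num / den


def coincidence_rate(a, b):
    """Fraction of events that survive postselection for settings (a, b)."""
    return sum(weight for weight, alice, bob in HIDDEN_STATES
               if alice[a][1] == bob[b][1])


def chsh(postselect):
    """S = E(0,0) + E(0,1) + E(1,0) - E(1,1); local models obey |S| <= 2
    only when E is computed on the unconditioned ensemble."""
    def e(a, b):
        return correlation(a, b, postselect)
    return e(0, 0) + e(0, 1) + e(1, 0) - e(1, 1)


if __name__ == "__main__":
    for a, b in product((0, 1), repeat=2):
        print(f"settings ({a},{b}): coincidence rate {coincidence_rate(a, b)}")
    print("S on full ensemble:        ", chsh(postselect=False))
    print("S on coincidences only:    ", chsh(postselect=True))
```

Half of the events survive for every setting pair, yet which half survives depends on the settings, and that is enough for a classical model to exceed 2 on the conditioned data.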
Re: (Score:2)
You didn't break any encryption here. Sorry to say so, but you still persist with this nonsense. The quantum key distribution is not encrypting anything, it transmits in clear the keys and the quantum effect is what tells you if the keys were compromised or not by someone looking at them. That's it and that's all. Whatever the keys are, one-time pad or anything else, the encryption will proceed thru another communication channel with classical encryption.
Worst, it seems you do not understand at all why one-
Re: (Score:2)
Excuse me, are you claiming that Slashdot editors wrote a misleading headline? I'm shocked, shocked I tell you.
Re: (Score:2)
I don't understand this. Sending a one-time pad key is equivalent to sending the plaintext, as far as information transfer goes. (Otherwise, it isn't a real one-time pad.) The only advantage of the 1TP is that we can send the pad when we can get a secure communications channel, and then send messages at arbitrary times over insecure channels. If y
Re: (Score:2)
I don't understand this. Sending a one-time pad key is equivalent to sending the plaintext, as far as information transfer goes. (Otherwise, it isn't a real one-time pad.) The only advantage of the 1TP is that we can send the pad when we can get a secure communications channel, and then send messages at arbitrary times over insecure channels. If you have a reliable and persistent secure channel, why bother with the 1TP key?
Excellent question! QKD is just what it means, key distribution. There is actually no transmission between sender and receiver, instead it randomly establishes a secret, shared key at Alice's and Bob's place. Therefore, to do transmission, you use OTP to perform encryption.
Re: (Score:2)
Thank you. That was a good explanation.
Re: (Score:3)
The paper addresses this.
Why are people always picking on Alice and Bob? (Score:5, Funny)
Re: (Score:1)
Ted and Carol are looking for them...
Re: (Score:2)
Alice should go back to that restaurant.
Re: (Score:3)
One time they even had a threesome with a man-in-the-middle.
Re: (Score:2)
What Bob doesn't know is that Bruce Schneier is having torrid affairs with Alice and Eve.
Poor Alice and Bob (Score:2)
When will they figure we are all playing games with them, and they believe they are talking in secret about secrets, secretly.
Too bad Comey doesn't read slashdot (Score:3)
Too bad FBI director James Comey doesn't read /. He'd see how insecure even the most thought to be secure things - like backdoors - are and perhaps lose the impulse to make things even less secure and start moving in the other direction.
You know, it's possible that somewhere in the FBI there's one highly capable James Corney who is right now mopping floors in the basement because every time he and James Comey were evaluated by their superiors, personnel mixed up their reviews, owing to an unfortunate choice of fonts on the review forms.
The real question is... (Score:2)
... allows them to extract the secret information sent between Alice and Bob.
See something, say something people ! - geesh.
Interesting for some nations (Score:2)
The way around having to use very public, foreign owned networks and satellites sourced from many different providers for gov and mil communications was often thought to be emerging quantum cryptography.
Australia is spending huge amounts of time, funding and effort to try and keep the idea of national
Déjà vu (Score:2)
This has a strong smell of déjà vu. Something is secure within a domain of application. The attacker pushes the system outside of the domain of application.
I am almost certain I did read something similar several years ago with quantum crypto and blinded receptor
I knew it... (Score:2)
I just knew Alice was up to something with Bob.
That fucking skank whore...
No method of quantum encryption is truly secure (Score:1)
"Even with access to an infinitely fast computer, an attacker cannot eavesdrop on the encrypted channel since it is protected by the laws of quantum mechanics."
No method of quantum encryption is truly secure. The problem with these methods of quantum encryption is that they take too narrow a view of quantum physics and do not deal with the potential for attackers also using quantum techniques. If your quantum system has more energy and the right configuration it should be possible to break virtually any qua
Me & Alice (Score:2)