Commercial quantum cryptography system broken

2010-07-09 Thread Steven Bellovin
http://www.technologyreview.com/blog/arxiv/25189/

Not at all to my surprise, they broke it by exploiting a difference between a 
theoretical system and a real-world implementation.

--Steve Bellovin, http://www.cs.columbia.edu/~smb





-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


quantum cryptography broken?

2008-04-21 Thread travis+ml-cryptography
http://www.kurzweilai.net/news/frame.html?main=/news/news_single.html?id%3D8471

Quantum cryptography broken
KurzweilAI.net, April 20, 2008

Two Swedish scientists, Jorgen Cederlof, now of Google, and Jan-Ake
Larsson of Link In a paper published in IEEE Trans. Inf Theory, 54:
1735-1741 (2008), they point out that an eavesdropper could gain
partial knowledge on the key in quantum cryptography that may have an
effect on the security of the authentication in the later round.

By accessing the quantum channel used in quantum cryptography, the
attacker can change the message to be authenticated (since the message
is influenced by attacker-initiated events on the quantum
channel). This, combined with partial knowledge of the key
(transmitted on the quantum channel), creates a potential security
gap, they suggest.

Their proposed solution: simply transmit an extra exchange of a small
amount of random bits on the classical (Internet) channel.

FAQ:

http://www.mai.liu.se/~jalar/qkg/faq.html
-- 
Crypto ergo sum.  https://www.subspacefield.org/~travis/
My password is easy to remember; it's the digits of Pi.  All of them.
If you are a spammer, please email [EMAIL PROTECTED] to get blacklisted.



Re: Quantum Cryptography

2007-07-03 Thread John Denker

On 07/01/2007 05:55 AM, Peter Gutmann wrote:


One threat model (or at least failure mode) that's always concerned me deeply
about QC is that you have absolutely no way of checking whether it's working
as required.  With any other mechanism you can run test vectors through it,
run ongoing/continuous self-checks, and (in the case of some Type I crypto)
run dual units in parallel with one checking the other.  With QC you've just
got to hope that everything's working as intended.  That alone would be enough
to rule out its use as far as I'm concerned, I can't trust something that I
can't verify.


That's partly true, but there's more to the story.

Let's start by looking at the simple case, and then proceed to a more
sophisticated analysis:

By analogy:
 -- baseball pitchers should be evaluated on things like ERA, while
 -- football halfbacks should be evaluated on things like yard per carry,
 ... and not vice versa.

By that I mean:
 -- the integrity of DH depends fundamentally on the algorithm, so you
  should verify the algorithmic theory, and then verify that the box
  implements the algorithm correctly; while
 -- in the simple case, the integrity of quantum cryptography depends
  fundamentally on the physics, so you should verify the physics
  theoretically and then verify that the box implements the physics
  correctly,
 ... and not vice versa.

Don't complain that you cannot verify the physics the same way you
would verify the algorithm;  it's not a relevant complaint.

There are some beautiful operational checks that *can* be made on
a simple quantum crypto system.  For starters, you can insert a
smallish amount of attenuation in the link, as a model of attempted
eavesdropping.  The system should detect this, shut down, and raise
the red flag;  if it doesn't, you know it's broken.

==

A more sophisticated analysis takes into account the fact that in the
real world (as opposed to the ultra-specialized laboratory bench),
there is always some dissipation.  Therefore any attempt to do anything
resembling quantum crypto (or even quantum computing) in the real world
uses some sort of error correction.  (These error correction schemes are
some of the niftiest results in the whole quantum computation literature,
because they involve /analog/ error correction, whereas most previous
modern error-correcting codes had been very, very digital.)  So there is
some interesting genuine originality there, from a theory-of-computation
standpoint.

From a security standpoint though, this raises all sorts of messy issues.
We now have a box that is neither a pitcher nor a fullback, but some
weird chimera.  To validate it you would need to verify the physics *and*
verify the algorithms *and* verify the interaction between the two.

Needless to say, an algorithm intended for crypto requires much stricter
scrutiny than the same algorithm intended for ordinary computation.

In particular, the oft-repeated claim that quantum cryptography detects
eavesdropping may be true on the lab bench, but it does _not_ follow in
any simple way that a usable long-haul system will have the same property.

===

I agree with Steve that there is a difference between bona-fide early-stage
research and snake oil.

I did research in neural networks at a time when 90% of the published
papers in the field were absolute garbage, such as claims of solving
NP-hard problems in P time.
 -- When there are people who respect the difference between garbage and
  non-garbage, and are doing serious research, we should support that.
 -- When people try to publish garbage, and/or package garbage in shiny
  boxes and sell it to the government, we should call it for what it is.



Re: Quantum Cryptography

2007-07-03 Thread Paul Hoffman

At 5:11 PM -0400 7/2/07, John Denker wrote:

By that I mean:
 -- the integrity of DH depends fundamentally on the algorithm, so you
  should verify the algorithmic theory, and then verify that the box
  implements the algorithm correctly; while
 -- in the simple case, the integrity of quantum cryptography depends
  fundamentally on the physics, so you should verify the physics
  theoretically and then verify that the box implements the physics
  correctly,
 ... and not vice versa.


This is a nice, calm analogy, and I think it is useful. But it misses 
the point of the snake oil entirely.


The fact that there is some good quantum crypto theory doesn't mean 
that there is any application in the real world. For the real world, 
you need key distribution. For the cost of a quantum crypto box (even 
after cost reductions after years of successful deployment), you 
could put a hardware crypto accelerator that could do 10,000-bit DH.


Going back to the theory, the only way that quantum crypto will be 
more valuable than DH (much less ECDH!) is if DH is broken *at all 
key lengths*. If it is not, then the balance point for cost will be 
when the end boxes for quantum crypto equals the cost of the end 
boxes for still-useful DH.


Oh, and all the above is ignoring that DH works over multiple hops of 
different media, and quantum crypto doesn't (yet, maybe ever).


--Paul Hoffman, Director
--VPN Consortium



Re: Quantum Cryptography

2007-07-01 Thread Peter Gutmann
Alexander Klimov [EMAIL PROTECTED] writes:

So what kind of threat models does it address, and what does that say about
the kinds of customers who'd want it?

One threat model (or at least failure mode) that's always concerned me deeply
about QC is that you have absolutely no way of checking whether it's working
as required.  With any other mechanism you can run test vectors through it,
run ongoing/continuous self-checks, and (in the case of some Type I crypto)
run dual units in parallel with one checking the other.  With QC you've just
got to hope that everything's working as intended.  That alone would be enough
to rule out its use as far as I'm concerned, I can't trust something that I
can't verify.

Peter.



Re: Quantum Cryptography

2007-06-30 Thread Bill Stewart

At 08:51 AM 6/28/2007, Alexander Klimov wrote:

I suspect there are two reasons for QKD to be still alive.
First of all, the cost difference between quantum and normal
approaches is so enormous that a lot of ignorant decision makers
actually believe that they get something extra for this money.
  If you tell a lie big enough and keep repeating it, people
  will eventually come to believe it.

The second reason is ``rollback'' (is it the right term?): you pay

Kickbacks would be the usual American term.

$10 from your company funds to a QKD vendor, and they
covertly give $5 back to you.


Never attribute to malice what can be adequately explained by incompetence.

Quantum Crypto is shiny new technology, complete with dancing pigs.
And once you've invested the research and development costs into building it,
of course you want to sell it to anybody who could use it.

So what kind of threat models does it address, and what does that
say about the kinds of customers who'd want it?
- It doesn't protect against traffic analysis,
because the eavesdropper can follow the fiber routes
and see who you're connected to.
- It potentially provides perfect forward secrecy a long time
into the future against attackers who can eavesdrop on you now
and save all the bits they want.
That's mainly useful for military applications - most commercial
applications don't require secrecy for more than a few years,
and most criminal activities can't use it because of the
traffic analysis threat.   Maybe banks?
- It doesn't protect against Auditors getting your data.
So maybe it's not useful for banks.
That's really too bad, because except for the military,
the main kinds of customers that need to spend lots of money
on extra-shiny security equipment are doing so to distract Auditors,
but it does let you tell the auditors you'd done everything you could.

- The Quantum Key Distribution versions only protect keys, not data,
so it doesn't protect you against cracking symmetric-key algorithms.
It does provide some protection against Zero-Day attacks on
public-key crypto-systems, but wrapping your key exchange
in a layer of symmetric-key crypto can do that also.
And if you're the military, you can revert to the traditional
armed couriers with briefcases handcuffed to their arms method.




Re: Quantum Cryptography

2007-06-30 Thread Ivan Krstić

On Jun 29, 2007, at 10:44 AM, Steven M. Bellovin wrote:

It's very valid to criticize today's products, and it's almost
obligatory to criticize over-hyped marketing.  As I said, I don't think
today's products are useful anywhere, and the comparisons vendors draw
to conventional cryptography are at best misleading.  But let's not
throw the baby out with the bathwater.


The problem I have with QC is that, as others have amply pointed out,  
there is a lot of bathwater but not much of a baby to speak of. If  
someone created a protocol that does a DH exchange at the beginning  
and then throws away the secret and performs the rest of the  
communication in plaintext, we'd hardly call the resulting system a  
cryptographic protocol. Really, we'd be hesitant to use any form of  
the word cryptography in the description.


QC, however, does something exactly analogous: it performs a  
quantum key exchange and then falls back on classical primitives.  
It's at best confusing, fallacious and disingenuous to refer to such  
setups as quantum cryptography, though I understand classical  
encryption with quantum key exchange has less of a marketable ring  
to it.


So, by all means, let the QKD and related research continue. It's  
interesting, it's cool, it's *important* work. But when the folks  
behind it are talking to those of us who understand and work with  
cryptography every day, they need to do a much better job at not  
letting their own imprecise and almost deceitful terminology paint  
themselves in a corner and trigger our snakeoil detectors. I deeply  
support Jon's proposal of renaming the whole thing quantum secrecy,  
in which case I'd get off my snark horse and show more respect for  
the whole thing.


--
Ivan Krstić [EMAIL PROTECTED] | GPG: 0x147C722D



Re: Quantum Cryptography

2007-06-29 Thread Steven M. Bellovin
I'm unhappy with the tone of the discussion thus far.  It's gone far
beyond critiquing current products and is instead attacking the very
concept.

Today's cryptography is largely based on certain assumptions.  You
can't even call them axioms; they're far too weak.  Let's consider
RSA.  We *know* that no one has proven it equivalent to factoring; even
if that had been done, there is as far as I know no theoretically and
useful computational complexity bound for factoring, especially for the
average case.  Similarly, we have no proofs that discrete log is
inherently hard.  But cryptographic proofs frequently work by showing
that breaking some new construct is equivalent to solving one of these
believed to be hard problems.  We have a theoretically unbreakable
system -- one-time pads -- but as most of us on this list know, they're
rarely usable.

Protocols are even worse.  We can prove certain things about the
message exchanges, and we have tools to help analyze protocols.  But I
have yet to see any such mechanism that can cope with attacks that mix
protocol weaknesses with, say, number theory -- think of
Bleichenbacher's Million Message Attack (which also involved how the
protocol worked over the wire) or Simmons' Common Modulus Attack.

It's not wrong to want something better.  Sure, we think our ciphers
are secure.  The Germans thought that of Enigma and the
Geheimschreiber; the Japanese thought that of Purple.  Is AES secure?
NSA has said so publicly, but there have been technical papers
challenging that.  I've seen no technical commentary on this list on
the Warren D. Smith paper that was cited here about a week ago.

To me, QKD is indeed a very valid area for research.  It's a very
different approach; ultimately, it may prove to be useful, at least in
some circumstances.

Now -- I'm not saying that *anyone* should buy today's products.  As
has been pointed out ad infinitum, they rely on conventional
cryptographic techniques for authentication.  More seriously, they have
been subject to serious friendly attacks.  It's only recently been
mentioned prominently that most devices don't send a single photon
per bit, and the proof of security relies on that.  There is the
limitation, possibly inherent, to a single link.  (I wonder, though,
what can be done in the future with switched optical networks.)

All that said, perhaps QKD will be useful some day.  Unauthenticated?
Diffie-Hellman is unauthenticated.  Expensive?  RSA is computationally
expensive, and in fact wasn't used very much for 10 years after its
invention.  Single link?  We still use -- and need -- link-layer
cryptography today.  Provable security?  Despite their limitations,
one-time pads are and have been used in the real world. Sometimes, the
operational and threat environments are right.  Gilmore has noted that
cryptography is a matter of economics -- and in some situations,
perhaps the economics of QKD are right.

It's very valid to criticize today's products, and it's almost
obligatory to criticize over-hyped marketing.  As I said, I don't think
today's products are useful anywhere, and the comparisons vendors draw
to conventional cryptography are at best misleading.  But let's not
throw the baby out with the bathwater.


--Steve Bellovin, http://www.cs.columbia.edu/~smb



Re: Quantum Cryptography

2007-06-28 Thread Alexander Klimov
I suspect there are two reasons for QKD to be still alive.
First of all, the cost difference between quantum and normal
approaches is so enormous that a lot of ignorant decision makers
actually believe that they get something extra for this money.

  If you tell a lie big enough and keep repeating it, people
  will eventually come to believe it.

The second reason is ``rollback'' (is it the right term?): you pay
$10 from your company funds to a QKD vendor, and they
covertly give $5 back to you.

-- 
Regards,
ASK



Re: Quantum Cryptography

2007-06-27 Thread Jon Callas

On Jun 26, 2007, at 10:10 AM, Nicolas Williams wrote:



This too is a *fundamental* difference between QKD and classical
cryptography.


What does this classical word mean? Is it the Quantum way to say  
real? I know we're in violent agreement, but why are we letting  
them play language games?




IMO, QKD's ability to discover passive eavesdroppers is not even
interesting (except from an intellectual p.o.v.) given: its inability to
detect MITMs, its inability to operate end-to-end across middle
boxes, while classical crypto provides protection against eavesdroppers
*and* MITMs both *and* supports end-to-end operation across middle
boxes.


Moreover, the quantum way of discovering passive eavesdroppers is  
really just a really delicious sugar coating on the classical term  
denial of service. I'm not being DoSed, I'm detecting a passive  
eavesdropper!


Jon



Re: Quantum Cryptography

2007-06-27 Thread [EMAIL PROTECTED]

On 6/25/07, Greg Troxel [EMAIL PROTECTED] wrote:


 1) Do you believe the physics?  (Most people who know physics seem to.)


For those who would like to know a little more about the physics, see:

http://www.icfo.es/images/publications/J05-055.pdf, Quantum Cloning,
Valerio Scarani, Sofyan Iblisdir, and Nicolas Gisin. This is a late
2005 review of eavesdropping techniques for QKD. Much of the
terminology of quantum physics is unfamiliar to me but I think the
paper states that Eve could theoretically get 5/6 of the bits through
cloning and to keep this from happening, Alice and Bob have to assume
an eavesdropper if more than 11% of the bits have errors.

also:

http://w3.antd.nist.gov/pubs/Mink-SPIE-One-Time-Pad-6244_22.pdf,
One-Time Pad Encryption of Real-Time Video, Alan Mink, Xiao Tang,
LiJun Ma, Tassos Nakassis, Barry Hershman, Joshua C. Bienfang, David
Su, Ron Boisvert, Charles W. Clark and Carl J. Williams - a more
accessible paper describing a working system where NIST claims bit
error rates in the 3% range while generating key material at greater
than 2Mb/s. It's not clear whether the bit error rate is before or
after an error correction stage but the paper discusses how bit error
rate reduces the overall result after privacy amplification so I
believe they have thought of Eve cloning photons in flight.

-Michael

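The detection mechanism the two papers Michael cites quantify (an eavesdropper pushing the error rate of the sifted key past a threshold of about 11%), as an added simulation that is not code from the thread, from NIST, or from any QKD product. The photon stream, basis choices and the intercept-resend eavesdropper are all constructed with a seeded PRNG; the 11% abort threshold is the figure quoted above, assumed here as a plain parameter.

```python
"""BB84 sifting and QBER (quantum bit error rate) estimation.

Added example; not code from the thread or from any QKD product.  Photons are
simulated with a seeded PRNG: a measurement in the preparation basis returns
the prepared bit, a measurement in the other basis returns a uniformly random
bit (the conjugate-basis property BB84 relies on).
"""
import random


def measure(bit, prep_basis, meas_basis, rng):
    """Outcome of measuring a photon prepared as (bit, prep_basis)."""
    return bit if prep_basis == meas_basis else rng.randrange(2)


def run_bb84(n, eavesdrop, seed=1, sample_fraction=0.5, threshold=0.11):
    """Exchange n photons, sift, estimate the QBER on a public sample, and
    decide whether to abort.  threshold=0.11 is the figure quoted in the
    thread; the rest of the parameters are constructed for this example."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.randrange(2) for _ in range(n)]  # 0 rectilinear, 1 diagonal
    bob_bases = [rng.randrange(2) for _ in range(n)]
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            # Intercept-resend: Eve measures in a guessed basis and re-sends a
            # photon prepared in that basis.  Half the time her guess is wrong,
            # and then Bob's same-basis measurement is a coin flip, so the
            # sifted key picks up an error rate of about 25%.
            e_basis = rng.randrange(2)
            bit, a_basis = measure(bit, a_basis, e_basis, rng), e_basis
        bob_bits.append(measure(bit, a_basis, b_basis, rng))

    # Sifting over the public channel: keep the positions where both chose the
    # same basis (about half of them).  The bases are disclosed, the bits are not.
    sifted = [(a, b) for a, b, ab, bb in
              zip(alice_bits, bob_bits, alice_bases, bob_bases) if ab == bb]

    # Parameter estimation: publicly compare a random sample of the sifted bits
    # to estimate the error rate, then discard those bits from the key.
    order = list(range(len(sifted)))
    rng.shuffle(order)
    k = int(len(sifted) * sample_fraction)
    sample, keep = order[:k], order[k:]
    errors = sum(sifted[i][0] != sifted[i][1] for i in sample)
    qber = errors / k if k else 0.0
    key = [sifted[i][0] for i in keep]
    return {
        "sent": n,
        "sifted": len(sifted),
        "qber": qber,
        "key_bits": len(key),
        # Above the threshold the session is discarded.  That is all "detecting
        # an eavesdropper" buys: no key for this round, i.e. denial of service.
        "abort": qber > threshold,
    }


if __name__ == "__main__":
    for eve in (False, True):
        r = run_bb84(20000, eavesdrop=eve)
        print(f"eavesdropper={eve}: sifted={r['sifted']} "
              f"qber={r['qber']:.3f} abort={r['abort']}")
```

Real links have a nonzero QBER from detector noise and loss even with nobody listening, which is why the threshold sits at 11% rather than 0 and why Michael's question about where the 3% figure is measured matters.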


Re: Quantum Cryptography

2007-06-27 Thread Nicolas Williams
On Tue, Jun 26, 2007 at 02:03:29PM -0700, Jon Callas wrote:
 On Jun 26, 2007, at 10:10 AM, Nicolas Williams wrote:
 This too is a *fundamental* difference between QKD and classical
 cryptography.
 
 What does this classical word mean? Is it the Quantum way to say  
 real? I know we're in violent agreement, but why are we letting  
 them play language games?

I don't mind using classical here.  I don't think Newtonian physics
(classical) is bad -- it works great at every day human scales.

 IMO, QKD's ability to discover passive eavesdroppers is not even
 interesting (except from an intellectual p.o.v.) given: its
 inability to detect MITMs, its inability to operate end-to-end across
 middle boxes, while classical crypto provides protection
 against  eavesdroppers *and* MITMs both *and* supports end-to-end
 operation across middle boxes.
 
 Moreover, the quantum way of discovering passive eavesdroppers is  
 really just a really delicious sugar coating on the classical term  
 denial of service. I'm not being DoSed, I'm detecting a passive  
 eavesdropper!

Heh!  Indeed: with classical (or non-quantum, or standard, or...) crypto
eavesdroppers are passive attackers and passive attackers cannot mount
DoS attacks (oh, I suppose that wiretapping can cause some slightly
noticeable interference in some cases, but usually that's no DoS), but
in QKD passive attackers become active attackers.

But it gets worse!  To eavesdrop on a QKD link requires much the same
effort (splice the fiber) as to be an MITM on a QKD link, so why would
any attacker choose to eavesdrop and be detected instead of being an
MITM, go undetected and get the cleartext they're after?  Right, they
wouldn't.  Attackers aren't stupid, and an attacker that can splice your
fibers can probably afford the QKD HW they need to mount an MITM attack.

So, really, you need authentication.  And, really, you need end-to-end,
not hop-by-hop authentication and data confidentiality + integrity
protection.

This reminds me of Feynman's presentation of Quantum Electro Dynamics,
which finished with QED.  Has it now been sufficiently established
that QKD is not useful that whenever it rears its head we can point
folks at archives of these threads and not spill any more ink?

Nico
-- 



Re: Quantum Cryptography

2007-06-26 Thread Greg Troxel

Victor Duchovni [EMAIL PROTECTED] writes:

 Secure in what sense? Did I miss reading about the part of QKD that
 addresses MITM (just as plausible IMHO with fixed circuits as passive
 eavesdropping)?

It would be good to read the QKD literature before claiming that QKD is
always unauthenticated.

The generally accepted approach among the physics crowd is to use
authentication with secret keys and a universal family of hash
functions.

 Once QKD is augmented with authentication to address MITM, the Q
 seems entirely irrelevant.

It's not if you care about perfect forward secrecy and believe that DH
might be broken, and can't cope with or don't trust a Kerberos-like
scheme.  You can authenticate QKD with a symmetric mechanism, and get
PFS against an attacker who records all the traffic and breaks DH later.

See

  http://portal.acm.org/citation.cfm?id=863982dl=GUIDEdl=ACM

for a citation and

  http://www.ir.bbn.com/documents/articles/gdt-sigcomm03.pdf

for text, for a discussion of a system that uses regular IKE and AH to
authenticate the control channel and uses the resulting bits to key
ESP with AES or a one-time pad to get PFS against a DH-capable attacker.
This all ran on NetBSD over 3 sites in the Boston area for several
years.

There are two very hard questions for QKD systems:

 1) Do you believe the physics?  (Most people who know physics seem to.)

 2) Does the equipment in your lab correspond to the idealized models
with which the proofs for (1) were done.  (Not even close.)


Because of (2) I wouldn't have confidence in any current QKD system.
The one I worked on was for research, to address some of the basic
systems issues, because the physics community concentrates on the
physics parts.

I am most curious as to the legal issue that came up regarding QKD.


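The authentication Greg describes (secret keys plus a universal family of hash functions, the Wegman-Carter construction) is also the classical-channel step the Cederlof/Larsson item earlier in the thread is about: every tag spends fresh key material, and the pool of shared bits is the budget. This is an added example, not code from the thread, from the BBN system, or from any QKD product; the polynomial hash over the Mersenne prime 2^61-1, the 8-bytes-per-tag pool consumption and the sample key material are my own constructions.

```python
"""Wegman-Carter message authentication: a polynomial universal hash whose
output is masked with a one-time pad taken from a shared key pool.

Added example; not the thread's, BBN's, or any vendor's code.  The key pool is
filled from a seeded PRNG here, standing in for key bits a QKD link would
deliver; both ends must hold the same material and consume it in lockstep.
"""
import random

P = (1 << 61) - 1   # Mersenne prime; hash values and tags live in [0, P)
BLOCK = 7           # 56-bit message blocks, so every block is < P


def poly_hash(key, msg):
    """Polynomial (epsilon-almost-universal) hash: evaluate the message's
    block polynomial at the secret point `key`.  Two distinct messages of at
    most L blocks collide for at most L of the P possible keys, whatever
    their content, so a forger without the key succeeds with probability
    about L/P per attempt."""
    blocks = [int.from_bytes(msg[i:i + BLOCK], "big")
              for i in range(0, len(msg), BLOCK)]
    blocks.append(len(msg))  # length block makes the padding unambiguous
    h = 0
    for b in blocks:
        h = (h * key + b) % P
    return h


class KeyPool:
    """Shared one-time key material; each end consumes it in lockstep."""

    def __init__(self, material):
        self.material = bytes(material)
        self.pos = 0

    def take(self):
        """Return a fresh 61-bit value and advance; consumed bytes are never
        reused.  An exhausted pool means another key exchange is needed."""
        if self.pos + 8 > len(self.material):
            raise RuntimeError("key pool exhausted: run another key exchange")
        chunk = self.material[self.pos:self.pos + 8]
        self.pos += 8
        return (int.from_bytes(chunk, "big") >> 3) % P


class Authenticator:
    def __init__(self, pool):
        self.pool = pool
        # Hash key: taken once and reused, which is safe only because every
        # tag is masked by a pad that is never used twice.
        self.k = pool.take() or 1

    def tag(self, msg):
        pad = self.pool.take()   # one-time pad: 61 fresh bits per message
        return (poly_hash(self.k, msg) + pad) % P

    def verify(self, msg, tag):
        pad = self.pool.take()   # consumed even on failure: the pad is spent
        return (poly_hash(self.k, msg) + pad) % P == tag


def demo():
    """Two ends sharing one pool: a genuine message is accepted, a tampered
    one is rejected, and identical messages get unrelated tags."""
    rng = random.Random(7)
    material = bytes(rng.getrandbits(8) for _ in range(64))  # constructed sample
    alice = Authenticator(KeyPool(material))
    bob = Authenticator(KeyPool(material))
    msg = b"sifting: bases RDDRRDRD, kept positions 1,3,4,6"  # constructed
    t1 = alice.tag(msg)
    genuine_ok = bob.verify(msg, t1)
    t2 = alice.tag(msg)
    tampered_ok = bob.verify(msg.replace(b"1,3", b"2,3"), t2)
    return genuine_ok, tampered_ok, t1 != t2


if __name__ == "__main__":
    print(demo())
```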


Re: Quantum Cryptography

2007-06-26 Thread Nicolas Williams
On Fri, Jun 22, 2007 at 08:21:25PM -0400, Leichter, Jerry wrote:
 BTW, on the quantum subway tokens business:  In more modern terms,
 what this was providing was unlinkable, untraceable e-coins which
 could be spent exactly once, with *no* central database to check
 against and none of this well, we can't stop you from spending it
 more than once, but if we ever notice, we'll learn all kinds of
 nasty things about you.  (The coins were unlinkable and untraceable
 because, in fact, they were *identical*.)  Now, of course, they
 were also physical objects, not just collections of bits.  The same
 is true of the photons used in quantum key exchange.  Otherwise,
 it wouldn't work.  We're inherently dealing with a different model
 here.  Where it ends up is anyone's guess at this point.

This relates back to the inutility of QKD as follows: when physical
exchanges are required you cannot run such exchanges end-to-end over an
Internet -- the middle boxes (routers, etc...) get in the way of the
physical exchange.

This too is a *fundamental* difference between QKD and classical
cryptography.

That difference makes QKD useless in *today's* Internet.

IF we had a quantum authentication facility then we could build
hop-by-hop authentication to build an Internet out of QKD and QA
(quantum authentication).  That's a *big* condition, and the change in
security models is tremendous, and for the worse: since the trust chains
get enormously enlarged.

IMO, QKD's ability to discover passive eavesdroppers is not even
interesting (except from an intellectual p.o.v.) given: its inability to
detect MITMs, its inability to operate end-to-end across middle
boxes, while classical crypto provides protection against eavesdroppers
*and* MITMs both *and* supports end-to-end operation across middle
boxes.

Nico
-- 



Re: Quantum Cryptography

2007-06-26 Thread Victor Duchovni
On Mon, Jun 25, 2007 at 08:23:14PM -0400, Greg Troxel wrote:

  1) Do you believe the physics?  (Most people who know physics seem to.)

Yes.

  2) Does the equipment in your lab correspond to the idealized models
 with which the proofs for (1) were done.  (Not even close.)

Does QKD address a real-world risk at a reasonable cost without unreasonable
application constraints?

If I am very concerned about PFS for secrets that must stay secure for
decades and 521-bit ECDH is broken, yes I lose PFS. So there may be a
market for fixed direct circuits used by a small number of agencies, but
if I were a budget director I would spend the money elsewhere...

 I am most curious as to the legal issue that came up regarding QKD.

Indeed, what was the legal question that got us here?

-- 




Re: Quantum Cryptography

2007-06-26 Thread Nicolas Williams
On Mon, Jun 25, 2007 at 08:23:14PM -0400, Greg Troxel wrote:
 Victor Duchovni [EMAIL PROTECTED] writes:
  Secure in what sense? Did I miss reading about the part of QKD that
  addresses MITM (just as plausible IMHO with fixed circuits as passive
  eavesdropping)?
 
 It would be good to read the QKD literature before claiming that QKD is
 always unauthenticated.

No one claimed that it isn't -- the claim is that there is no quantum
authentication, so QKD has to be paired with classical crypto in order
to defeat MITMs, which renders it worthless (because if you'll rely on
classical crypto then you might as well only use classical crypto as QKD
doesn't add any security that classical crypto, which you still have to
use, doesn't already).

The real killer for QKD is that it doesn't work end-to-end across middle
boxes like routers.  And as if that weren't enough there's the
exorbitant cost of QKD kit.

 The generally accepted approach among the physics crowd is to use
 authentication with secret keys and a universal family of hash
 functions.

Everyone who's commented has agreed that authentication is to be done
classically as there is no quantum authentication yet.

But I can imagine how quantum authentication might be done: generate an
entangled pair at one end of the connection, physically carry half of it
to the other end, and then run a QKD exchange that depends on the two
ends having half of the same entangled particle or photon pair.  I'm no
quantum physicist, so I can't tell how workable that would be at the
physics-wise, but such a scheme would be analogous to pre-sharing
symmetric keys in classical crypto.  Of course, you'd have to do this
physical pre-sharing step every time you restart the connection after
having run out of pre-shared entangled pair halves; ouch.

  Once QKD is augmented with authentication to address MITM, the Q
  seems entirely irrelevant.
 
 It's not if you care about perfect forward secrecy and believe that DH
 might be broken, and can't cope with or don't trust a Kerberos-like
 scheme.  You can authenticate QKD with a symmetric mechanism, and get
 PFS against an attacker who records all the traffic and breaks DH later.

The end-to-end across middle boxes issue kills this argument about
protection against speculative brokenness of public key cryptography.

All but the smallest networks depend on middle boxes.

Quantum cryptography will be useful when:

 - it can be deployed in an end-to-end fashion across middle boxes

 OR

 - we adopt hop-by-hop methods of building end-to-end authentication

And, of course, quantum kit has got to be affordable, but let's assume
that economies of scale will be achieved once quantum crypto becomes
useful.

Critical breaks of public key crypto will NOT be sufficient to drive
adoption of quantum crypto: we can still build networks out of symmetric
key crypto (and hash/MAC functions) only if need be (with pre-shared
keying, Kerberos, and generally Needham-Schroeder).

 There are two very hard questions for QKD systems:
 
  1) Do you believe the physics?  (Most people who know physics seem to.)
 
  2) Does the equipment in your lab correspond to the idealized models
 with which the proofs for (1) were done.  (Not even close.)

But the only real practical issue, for Internet-scale deployment, is the
end-to-end issue.  Even for intranet-scale deployments, actually.

 I am most curious as to the legal issue that came up regarding QKD.

Which legal issue?

Nico
-- 



Re: Quantum Cryptography

2007-06-26 Thread John Denker

On 06/25/2007 08:23 PM, Greg Troxel wrote:

  1) Do you believe the physics?  (Most people who know physics seem to.)

Well, I do happen to know a thing or two about physics.  I know
 -- there is quite a lot you can do with quantum physics, and
 -- there is quite a lot you cannot do with quantum physics.

I also know that snake-oil salesmen can lie about the physics
just as easily as they lie about anything else.

Since it's not clear what is meant by THE physics, it would
be more meaningful to ask more-specific questions, namely:
 -- Do I believe in real physics?  Yes.
 -- Do I believe in what Dr. Duck says about physics?  Usually not.

==

One commonly-made claim about quantum cryptography is that
it can detect eavesdropping.  I reckon that's narrowly
true as stated.  The problem is, I don't know why I should
care.  The history of cryptography for most of the last 2000
years has been a cat and mouse game between the code makers
and the code breakers.  The consensus is that right now the
code makers have the upper hand.  As a result, Eve can eavesdrop
all she wants, and it won't do her a bit of good.

To say the same thing:  It appears that in this respect, quantum
cryptography takes a well-solved problem and solves it another
way at higher cost and lower throughput.  The cost/benefit ratio
is exceedingly unfavorable, and seems likely to remain so.

Meanwhile, it takes some less-well-solved problems and makes
them worse.  Consider for example traffic analysis.  Since
quantum encryption requires a dedicated hardware link from end
to end, there is no hope of disguising who is communicating
with whom.

I am reminded of a slide that Whit Diffie used in one of his
talks.  It showed a house that was supposed to be protected
by a picket fence.  The problem was that the so-called fence
consisted of a single picket, 4 inches wide and a mile high,
while the other 99.9% of the perimeter was unprotected.  Yes
sirree, no eavesdropper is going to hop over that picket!

One sometimes hears even stronger claims, but they are even
more easily refuted.  I've reviewed papers that claim quantum
mechanics solves the key distribution problem but in fact
they were using classical techniques to deal with all the
hard parts of the problem.  It reminds me of stone soup: if
the ingredients include broth, meat, vegetables, seasoning,
and a stone, I don't see why the stone should get credit for
the resulting soup.  Likewise, since a quantum key distribution
system is in no ways better and in some ways worse than a
classical system, I don't see why quantum cryptography
should get credit for solving the problem.


Re: Quantum Cryptography

2007-06-23 Thread Jon Callas


On Jun 22, 2007, at 10:44 AM, Ali, Saqib wrote:


...whereas the key distribution systems we have aren't affected by
eavesdropping unless the attacker has the ability to perform 2^128 or
more operations, which he doesn't.


Paul: Here you are assuming that key exchange has already taken place.
But key exchange is the toughest part. That is where Quantum Key
Distribution QKD comes in the picture. Once the keys are exchanged
using QKD, you have to rely on conventional cryptography to do bulk
encryption using symmetric crypto.

Using Quantum Crypto to do bulk encryption doesn't make any sense. It
is only useful in key distribution.


Let me create an aphorism to sum up what Paul, Perry, and others have  
said in detail before I address your comment:


If Quantum Cryptography does what it claims, then it is
strengthening the strongest link in the chain of security.

Now to your comment.

If you do a 3000 bit Diffie-Hellman exchange, you have a key exchange  
with 2^128 security, to the best of our knowledge, assuming this and  
that, blah, blah, blah. If you don't like 3000 bit integers, go to  
elliptic curve.


I have, in some of my talks, renamed Quantum Cryptography to Quantum  
Secrecy. If the QC people would stop calling it cryptography, a good  
deal of the hostility you find among us crypto people would evaporate.


Let me give an analogy. I will posit Quantum Message Teleportation.  
Using QMT, Alice can write her message on a piece of paper, close her  
eyes, and it will disappear from her hand and appear in Bob's hand.


This is cool. This is useful. It is amazing. It is also not  
cryptography.


It also has all the problems that Perry points out in QC, like a lack  
of authentication and so on. Like QC, adding cryptography to it makes  
it even more useful.


The QC people should change their song to QS, and stop bashing the  
mathematicians with arguments we can show are somewhere between  
incomplete and fallacious. Then they might find us drift over to  
supporting them because while Quantum Secrecy is not practical, it is  
very cool.


Jon


Re: Quantum Cryptography

2007-06-22 Thread Massimiliano Pala

Victor Duchovni wrote:

Quantum Cryptography or Quantum Computing (i.e. cryptanalysis)?

- Quantum Cryptography is fiction (strictly claims that it solves
  an applied problem are fiction, indisputably interesting Physics).


I do not really agree on this statement. There are ongoing projects, that
I know of, that are actually working on maximizing communication throughput
(which is currently not very good) on encrypted channels and minimizing
costs of involved equipment. AFAIK, one great advantage of quantum crypto
is in the area of key-exchange when establishing a secure communication.
I guess quantum crypto is definitely not fiction (Anyhow I do not know if
it has already been used somewhere... ).

Later,

--

Best Regards,

Massimiliano Pala

--o
Massimiliano Pala [OpenCA Project Manager][EMAIL PROTECTED]
 [EMAIL PROTECTED]

Dartmouth Computer Science Dept   Home Phone: +1 (603) 397-3883
PKI/Trust - Office 063Work Phone: +1 (603) 646-9179
--o



Re: Quantum Cryptography

2007-06-22 Thread Ali, Saqib

- Quantum Cryptography is fiction (strictly claims that it solves
  an applied problem are fiction, indisputably interesting Physics).


Well that is a broad (and maybe unfair) statement.

Quantum Key Distribution (QKD) solves an applied problem of secure key
distribution. It may not be able to ensure unconditional secrecy
during key exchange, but it can detect any eavesdropping. Once
eavesdropping is detected, the key can be discarded.

saqib
http://security-basics.blogspot.com/


Re: Quantum Cryptography

2007-06-22 Thread Eugen Leitl
On Thu, Jun 21, 2007 at 01:20:35PM -0400, Victor Duchovni wrote:

 Quantum Cryptography or Quantum Computing (i.e. cryptanalysis)?
 
 - Quantum Cryptography is fiction (strictly claims that it solves
   an applied problem are fiction, indisputably interesting Physics).
 
 - Quantum Computing is science fiction. Some science fiction
   eventually becomes reality.

A nice blog to follow here is Shtetl-Optimized:
http://www.scottaaronson.com/blog/

-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE


Re: Quantum Cryptography

2007-06-22 Thread Victor Duchovni
On Thu, Jun 21, 2007 at 10:59:14AM -0700, Ali, Saqib wrote:

 - Quantum Cryptography is fiction (strictly claims that it solves
   an applied problem are fiction, indisputably interesting Physics).
 
 Well that is a broad (and maybe unfair) statement.
 
 Quantum Key Distribution (QKD) solves an applied problem of secure key
 distribution. It may not be able to ensure unconditional secrecy
 during key exchange, but it can detect any eavesdropping. Once
 eavesdropping is detected, the key can be discarded.

Secure in what sense? Did I miss reading about the part of QKD that
addresses MITM (just as plausible IMHO with fixed circuits as passive
eavesdropping)?

Once QKD is augmented with authentication to address MITM, the Q
seems entirely irrelevant.

-- 

 /\ ASCII RIBBON  NOTICE: If received in error,
 \ / CAMPAIGN Victor Duchovni  please destroy and notify
  X AGAINST   IT Security, sender. Sender does not waive
 / \ HTML MAILMorgan Stanley   confidentiality or privilege,
   and use is prohibited.


Re: Quantum Cryptography

2007-06-22 Thread Perry E. Metzger

Massimiliano Pala [EMAIL PROTECTED] writes:
 Victor Duchovni wrote:
 Quantum Cryptography or Quantum Computing (i.e. cryptanalysis)?
 - Quantum Cryptography is fiction (strictly claims that it
 solves
   an applied problem are fiction, indisputably interesting Physics).

 I do not really agree on this statement. There are ongoing projects, that
 I know of, that are actually working on maximizing communication throughput
 (which is currently not very good) on encrypted channels and minimizing
 costs of involved equipment. AFAIK, one great advantage of quantum crypto
 is in the area of key-exchange when establishing a secure communication.
 I guess quantum crypto is definitely not fiction (Anyhow I do not know if
 it has already been used somewhere... ).

Quantum cryptography is useless. Victor is completely correct here.

Quantum crypto provides you with a slow way of getting a one time pad
(of sorts) that you cannot authenticate and thus cannot trust, between
two endpoints only, and it does it at extreme expense.

Why do I say that you cannot authenticate? Because although you can
tell that no one eavesdropped in on the line, you have no way of
knowing that no one cut the fiber in two and put two such boxes in
between. You know that no one eavesdropped, but not who you are
talking to. Various physics types who I explain this to generally do
not understand what I'm talking about at first blush because they only
consider the problem of eavesdropping -- the notion that you also need
to verify who the guy at the other end is never occurs to them because
they aren't security people. The fact that the attacker might not even
bother to eavesdrop and could simply insert himself into the
communication stream never occurs to the proponents.

So, to fix the man-in-the-middle problem, you have to layer an
authentication technology on top. Unfortunately, the ones we have are
all conventional crypto -- perhaps a MAC of some sort. At which point,
you're trusting conventional crypto for your security, so why bother?
Conventional crypto is nearly free.

This brings up another issue.  Quantum crypto is exceptionally
expensive, and is virtually undeployable. To provide security that, in
a practical sense, is no better than what you can get from high key
length conventional ciphers, you spend vast amounts on end system
equipment, rent a dedicated dark fiber link between two locations that
can't be arbitrarily far apart, and in the end, you have two machines
that can talk securely in a world where one needs thousands or
millions of machines to talk securely to any one of the other
machines. The phone network and internet exist for a reason -- people
want communication networks, not a string between two cans between
each other's homes. They need NxN communication, not 1-1
communication. Building the N^2 array of dark fibers and quantum
crypto boxes between lots of machines is, of course, utterly
impractical and always will be. Of course, even if you could, you
would still need out of band key distribution and a MAC to know that
no one had man-in-the-middled your links. Again, why bother?

Now, let's consider the alternative. In a practical sense, no one
rational worries on a day to day basis that their security is going to
be compromised because someone has a magic box that decrypts 256 bit
AES in 12 seconds flat. The crypto we already have is more than good
enough. Quantum Crypto exists on the mistaken premise that people are
worried about their ciphers being broken and that this is the main
issue in security. It is not. Having your ciphers broken is not even
remotely the main issue for most installations.

What people worry about in the real world are design flaws,
programming errors, human interface problems that make things like
phishing possible, and whether or not the $12-an-hour security guard
at your data center will happily take a $5000 bribe to let someone at
your equipment for an hour. Quantum Key Distribution solves none of
those issues at all. The issue it does solve is a non-issue -- we
already have 256 bit keyed AES if you need it.

Quantum Crypto does what it says it does, but it is a commercially
worthless invention, like an 800 pound wristwatch that is 20% more
accurate than normal wristwatches but which is completely wrong one
day in seven, or like a $20,000,000 tube of toothpaste that tastes
slightly better but causes your teeth to explode one time in every
400. Even if the watch is marginally more accurate, no one will wear
it. Even if the toothpaste tastes slightly better, no one will buy
it. Neither invention solves a real problem from the real world.

Quantum Crypto was invented by physicists who understand physics well
but have no understanding of security. It does what it claims to do,
but what it claims to do is of no use to anyone. Quantum Crypto does
nothing at all for the things people actually need solved, and
for what it does do, it costs vastly too much. It is a lead balloon, a
jet

Re: Quantum Cryptography

2007-06-22 Thread Leichter, Jerry
|  - Quantum Cryptography is fiction (strictly claims that it solves
|an applied problem are fiction, indisputably interesting Physics).
|  
|  Well that is a broad (and maybe unfair) statement.
|  
|  Quantum Key Distribution (QKD) solves an applied problem of secure key
|  distribution. It may not be able to ensure unconditional secrecy
|  during key exchange, but it can detect any eavesdropping. Once
|  eavesdropping is detected, the key can be discarded.
| 
| Secure in what sense? Did I miss reading about the part of QKD that
| addresses MITM (just as plausible IMHO with fixed circuits as passive
| eavesdropping)?
| 
| Once QKD is augmented with authentication to address MITM, the Q
| seems entirely irrelevant.
The unique thing the Q provides is the ability to detect
eavesdropping.  I think a couple of weeks ago I forwarded a pointer to
a paper showing that there were some limits to this ability, but
even so, this is a unique feature that no combination of existing
primitives can provide.  One can argue about what this adds.  The
current approach of the QKD efforts is to assume that physical
constraints are sufficient to block MITM, while quantum constraints
block passive listening (which is assumed not to be preventable
using physical constraints).  It's the combination that gives you
security.

One can argue about the reasonableness of this model - particularly
about the ability of physical limitations to block MITM.  It does
move the center of the problem, however - and into a region (physical
protection) in which there is much more experience and perhaps
some better intuition.  Valid or not, it certainly is easier to
give people the warm fuzzies by talking about physical protection
than by talking about math

In the other direction, whether the ability to detect eavesdropping lets
you do anything interesting is, I think, an open question.  I wouldn't
dismiss it out of hand.  There's an old paper that posits a related
primitive, Verify Once Memory:  Present it with a set of bits, and it
answers either "Yes, that's the value stored in me" or "No, wrong value".
In either case, *the stored bits are irrevocably scrambled*.  (One
could, in principle, build such a thing with quantum bits, but beyond
the general suggestions in the original paper, no one has worked out how
to do this in detail.)  The paper uses this as a primitive to construct
unforgeable subway tokens:  Even if you buy a whole bunch of valid
tokens, and get hold of a whole bunch of used ones, you have no way
to construct a new one.  (One could probably go further - I don't
recall if the paper does - and have a "do the two of you match"
primitive, which would use quantum bits in both the token and the
token validator.  Then even if you had a token validator, you couldn't
create new tokens.  Obviously, in this case you don't want to scramble
the validator.)
-- Jerry


Re: Quantum Cryptography

2007-06-22 Thread Paul Hoffman

At 10:59 AM -0700 6/21/07, Ali, Saqib wrote:

- Quantum Cryptography is fiction (strictly claims that it solves
  an applied problem are fiction, indisputably interesting Physics).


Well that is a broad (and maybe unfair) statement.

Quantum Key Distribution (QKD) solves an applied problem of secure key
distribution. It may not be able to ensure unconditional secrecy
during key exchange, but it can detect any eavesdropping. Once
eavesdropping is detected, the key can be discarded.


...whereas the key distribution systems we have aren't affected by 
eavesdropping unless the attacker has the ability to perform 2^128 or 
more operations, which he doesn't.


Which part of the word "useless" is not apparent here?

--Paul Hoffman, Director
--VPN Consortium


Re: Quantum Cryptography

2007-06-22 Thread Victor Duchovni
On Fri, Jun 22, 2007 at 11:33:38AM -0400, Leichter, Jerry wrote:

 | Secure in what sense? Did I miss reading about the part of QKD that
 | addresses MITM (just as plausible IMHO with fixed circuits as passive
 | eavesdropping)?
 | 
 | Once QKD is augmented with authentication to address MITM, the Q
 | seems entirely irrelevant.

 The unique thing the Q provides is the ability to detect
 eavesdropping.

If I want to encrypt a fixed circuit, I assume that eavesdropping is
omni-present, and furthermore don't want to be constrained to transmit
only when the eavesdroppers have chosen to take a lunch break.

 One can argue about what this adds.

Warm fuzzies?

 The current approach of the QKD efforts is to assume that physical
 constraints are sufficient to block MITM.

An interesting assumption.

 It does move the center of the problem, however - and into a region
 (physical protection) in which there is much more experience and perhaps
 some better intuition. 

I would conjecture that a lot more people grasp undergraduate mathematics
than undergraduate quantum mechanics...

 Valid or not, it certainly is easier to give people the warm fuzzies by
 talking about physical protection than by talking about math

Warm fuzzies is not in conflict with fiction.

 In the other direction, whether the ability to detect eavesdropping lets
 you do anything interesting is, I think, an open question.  I wouldn't
 dismiss it out of hand.  There's an old paper that posits a related
 primitive, Verify Once Memory:  Present it with a set of bits, and it
 answers either "Yes, that's the value stored in me" or "No, wrong value".

Suppose I install a fake subway entrance, and MITM all the interactions
between the victim's card and the real turnstile where I have a card that
proxies the victim's interactions with the fake terminal. Is the system
still secure? Likely not, I would bet. The threat model was card forgery,
not MITM.

-- 

 /\ ASCII RIBBON  NOTICE: If received in error,
 \ / CAMPAIGN Victor Duchovni  please destroy and notify
  X AGAINST   IT Security, sender. Sender does not waive
 / \ HTML MAILMorgan Stanley   confidentiality or privilege,
   and use is prohibited.


Re: Quantum Cryptography

2007-06-22 Thread Perry E. Metzger

Leichter, Jerry [EMAIL PROTECTED] writes:
 |  - Quantum Cryptography is fiction (strictly claims that it solves
 |an applied problem are fiction, indisputably interesting Physics).
 |  
 |  Well that is a broad (and maybe unfair) statement.
 |  
 |  Quantum Key Distribution (QKD) solves an applied problem of secure key
 |  distribution. It may not be able to ensure unconditional secrecy
 |  during key exchange, but it can detect any eavesdropping. Once
 |  eavesdropping is detected, the key can be discarded.
 | 
 | Secure in what sense? Did I miss reading about the part of QKD that
 | addresses MITM (just as plausible IMHO with fixed circuits as passive
 | eavesdropping)?
 | 
 | Once QKD is augmented with authentication to address MITM, the Q
 | seems entirely irrelevant.

 The unique thing the Q provides is the ability to detect
 eavesdropping.  I think a couple of weeks ago I forwarded a pointer to
 a paper showing that there were some limits to this ability, but
 even so, this is a unique feature that no combination of existing
 primitives can provide.  One can argue about what this adds.

If it cost almost nothing, it would be a neat frill to have. When it
increases the cost of encrypting a link by a factor of four to six
orders of magnitude while still requiring all the old security systems
you had before, it is pretty uninteresting.

 The current approach of the QKD efforts is to assume that physical
 constraints are sufficient to block MITM,
[...]
 One can argue about the reasonableness of this model - particularly
 about the ability of physical limitations to block MITM.  It does
 move the center of the problem, however - and into a region (physical
 protection) in which there is much more experience and perhaps
 some better intuition.

Indeed it does. We have a lot of experience with securing links that
go for hundreds of km, and the experience tells us that we can't do it
in the real world. It would be one thing if experience said that
attackers can be easily found and stopped on long range physical
links, but we know that they can't, so why are we even thinking about
it this way?

Besides, companies like MagiQ don't say "we're giving you
unconditional security against eavesdropping provided your prayers
that no one MITMs you are granted", they claim that they are providing
you with actual unconditional security. They clearly are not.

 In the other direction, whether the ability to detect eavesdropping lets
 you do anything interesting is, I think, an open question.  I wouldn't
 dismiss it out of hand.

As you know, most of us argue you should simply assume you're being
eavesdropped on and design security so that you don't care. It is much
simpler, much less expensive, and much more robust.


-- 
Perry E. Metzger[EMAIL PROTECTED]


Re: Quantum Cryptography

2007-06-22 Thread Ali, Saqib

...whereas the key distribution systems we have aren't affected by
eavesdropping unless the attacker has the ability to perform 2^128 or
more operations, which he doesn't.


Paul: Here you are assuming that key exchange has already taken place.
But key exchange is the toughest part. That is where Quantum Key
Distribution QKD comes in the picture. Once the keys are exchanged
using QKD, you have to rely on conventional cryptography to do bulk
encryption using symmetric crypto.

Using Quantum Crypto to do bulk encryption doesn't make any sense. It
is only useful in key distribution.

saqib
http://www.linkedin.com/in/encryption


Re: Quantum Cryptography

2007-06-22 Thread Paul Hoffman

At 10:44 AM -0700 6/22/07, Ali, Saqib wrote:

...whereas the key distribution systems we have aren't affected by
eavesdropping unless the attacker has the ability to perform 2^128 or
more operations, which he doesn't.


Paul: Here you are assuming that key exchange has already taken place.


No, I'm not. I am talking about protocols that do their own key 
exchange. IPsec. SSL/TLS. Kerberos. Etc.



But key exchange is the toughest part.


No, requiring that the two ends have a fixed connection which QKD 
works over is far tougher than using a proven protocol that works 
over any connection.


--Paul Hoffman, Director
--VPN Consortium


Re: Quantum Cryptography

2007-06-22 Thread Victor Duchovni
On Fri, Jun 22, 2007 at 10:44:41AM -0700, Ali, Saqib wrote:

 Paul: Here you are assuming that key exchange has already taken place.
 But key exchange is the toughest part. That is where Quantum Key
 Distribution QKD comes in the picture. Once the keys are exchanged
 using QKD, you have to rely on conventional cryptography to do bulk
 encryption using symmetric crypto.

QKD fails to come into the picture, because its key exchange is
unauthenticated.

I can do secure unauthenticated key exchange at zero cost using EECDH
with no special quantum hardware. If the link is MITM-proof, I am done.

 Using Quantum Crypto to do bulk encryption doesn't make any sense. It
 is only useful in key distribution.

What bulk-encryption system am I going to use that is usefully stronger
than EECDH over secp384r1 (or tinfoil hat secp521r1). It is also not
useful for key distribution. It remains (charitably) fiction.

-- 

 /\ ASCII RIBBON  NOTICE: If received in error,
 \ / CAMPAIGN Victor Duchovni  please destroy and notify
  X AGAINST   IT Security, sender. Sender does not waive
 / \ HTML MAILMorgan Stanley   confidentiality or privilege,
   and use is prohibited.


Re: Quantum Cryptography

2007-06-22 Thread Greg Rose

At 10:44  -0700 2007/06/22, Ali, Saqib wrote:

...whereas the key distribution systems we have aren't affected by
eavesdropping unless the attacker has the ability to perform 2^128 or
more operations, which he doesn't.


Paul: Here you are assuming that key exchange has already taken place.
But key exchange is the toughest part. That is where Quantum Key
Distribution QKD comes in the picture. Once the keys are exchanged
using QKD, you have to rely on conventional cryptography to do bulk
encryption using symmetric crypto.

Using Quantum Crypto to do bulk encryption doesn't make any sense. It
is only useful in key distribution.


To be used in key distribution I have to have laid a private optical 
fiber between me and my correspondent. I could have paid a lot less 
for an armored truck to carry the key for me. (I know you can do QKD 
without the fiber these days, but how do you know that you agreed the 
key with the person you think you agreed it with? It's turtles all 
the way down.)


Greg.




Re: Quantum Cryptography

2007-06-22 Thread Perry E. Metzger

Ali, Saqib [EMAIL PROTECTED] writes:
 ...whereas the key distribution systems we have aren't affected by
 eavesdropping unless the attacker has the ability to perform 2^128 or
 more operations, which he doesn't.

 Paul: Here you are assuming that key exchange has already taken place.
 But key exchange is the toughest part.

Key exchange is not the toughest part or even tough at
all. Algorithms like Diffie-Hellman and variants on the theme work
just fine. Authenticated protocols based on these algorithms are well
understood and have been studied for defects for many years.

The STS protocol and variants on it like the ones used in TLS are
fine, and if you feel that they're not secure enough with the number
of bits commonly used, you can crank up the dial for a lot less than
the cost of one of these mind-bogglingly expensive boxes from MagiQ
(not to mention the price of dedicated dark fiber between the
endpoints.)

 That is where Quantum Key Distribution QKD comes in the
 picture. Once the keys are exchanged using QKD, you have to rely on
 conventional cryptography to do bulk encryption using symmetric
 crypto.

I don't believe that any of the commercial units work that way, but if
they do, my opinion of them has dropped even further, and it was
already about as low as I thought was possible. Using QKD only for key
exchange and using a conventional crypto system for the bulk of the
data completely eliminates any conceivable benefits over more
conventional techniques.

Perry


Quantum Cryptography

2007-06-21 Thread Aram Perez

Hi Folks,

On a legal mailing list I'm on there is a bunch of emails on the  
perceived effects of quantum cryptography. Is there any authoritative  
literature/links that can help clear the confusion?


Thanks in advance,
Aram Perez


Re: Quantum Cryptography

2007-06-21 Thread Victor Duchovni
On Tue, Jun 19, 2007 at 09:10:12PM -0700, Aram Perez wrote:

 On a legal mailing list I'm on there is a bunch of emails on the  
 perceived effects of quantum cryptography. Is there any authoritative  
 literature/links that can help clear the confusion?

Quantum Cryptography or Quantum Computing (i.e. cryptanalysis)?

- Quantum Cryptography is fiction (strictly claims that it solves
  an applied problem are fiction, indisputably interesting Physics).

- Quantum Computing is science fiction. Some science fiction
  eventually becomes reality.

-- 

 /\ ASCII RIBBON  NOTICE: If received in error,
 \ / CAMPAIGN Victor Duchovni  please destroy and notify
  X AGAINST   IT Security, sender. Sender does not waive
 / \ HTML MAILMorgan Stanley   confidentiality or privilege,
   and use is prohibited.


Toshiba shows practical quantum cryptography

2004-12-13 Thread R.A. Hettinga
http://www.zdnet.co.uk/print/?TYPE=storyAT=39181033-39020357t-1013c

Toshiba shows practical quantum cryptography
Rupert Goodwins
ZDNet UK
December 13, 2004, 18:15 GMT

Toshiba Research Europe demonstrated last week what it claims is the
world's first reliable automated quantum cryptography system and ran it
continuously for over a week.

 The system, which relies on single photons to transmit an untappable key
over standard optical fibres, is capable of delivering thousands of keys a
second and can be effective over distances of more than 100km.

 Although no price or launch date has been set yet, Toshiba is already in
talks with a number of telcos and end users in preparation for
commercialisation of the technology -- which offers the possibility of
significantly more secure networking.

 "We're talking to a number of potential end users at the minute," Dr
Andrew Shields, group leader of Toshiba's Cambridge-based Quantum
Information Group told ZDNet UK. "We're planning to do some trials in the
City of London next year, and are targeting users in the financial sector.
We've also had some interest from telcos, including MCI with whom we've
been running the installed fibre tests."

 The system works by transmitting a long stream of photons modulated to
represent ones and zeros, most of which are lost along the way. These
photons can be modulated in one of two ways through two different kinds of
polarisation, but according to Heisenberg's Uncertainty Principle it is
impossible to know both the kind of polarisation and the data represented
by the photon. The receiver has to assume one to get the other, which it
will frequently get wrong.

 The receiver picks up and attempts to decode a few out of those that make
it, and reports back to the sender which ones it received and decoded thus
making up a key that both ends know. Any interceptor can't know what the
value of those photons is, because by reading them in transit it will
destroy them, and it can't replace them after reading them because it can
never know their exact details.

 Although Toshiba has been developing special hardware to create and
analyse single photon transactions by quantum dots -- effectively
artificial atoms integrated with control circuitry -- the current
cryptographic equipment uses standard parts, including Peltier-effect
cooled detectors operating at very low noise levels. The next generation of
equipment is expected to use this new technology.

 Toshiba is also looking at ways to increase the range of the systems
beyond the limitations of a single fibre -- because a photon can't be
intercepted and retransmitted, it's not possible for the technology to
incorporate repeaters to overcome the losses in multiple segments. However,
says Shields, there is a possibility that repeaters may be created using
quantum teleportation -- a new and still experimental effect where the
quantum state of a particle can be transmitted across distances without it
needing to be fully measured.

 Toshiba Research Europe Ltd is part of the European SECOQC project, which
is working towards the development of a global network for secure
communication using quantum technology.


-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Quantum cryptography gets practical

2004-10-08 Thread Steve Furlong
On Wed, 2004-10-06 at 06:27, Dave Howe wrote:
> I have yet to see an advantage to QKE that even mildly justifies the
> limitations and cost over anything more than a trivial link (two
> buildings within easy walking distance, sending high volumes of
> extremely sensitive material between them)

But it's cool!

More seriously, it has no advantage now, but maybe something will come
up. The early telephones were about useless, too, remember. In the mean
time, the coolness factor will keep people playing with it and
researching it.





Re: Quantum cryptography gets practical

2004-10-06 Thread Dave Howe
Dave Howe wrote:
> I think this is part of the
> purpose behind the following paper:
> http://eprint.iacr.org/2004/229.pdf
> which I am currently trying to understand and failing miserably at *sigh*
Nope, finally struggled to the end to find a section pointing out that it
does *not* prevent MITM attacks.
Anyone seen a paper on a scheme that does?


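The exchange the Toshiba piece above describes (sender modulates photons in random bases, receiver measures in random bases and reports back which it decoded, both keep the matching positions) and the MITM question in Dave Howe's message, as one added example in Python. This is not code from any post, vendor or project on this page. It models an idealised lossless fibre; N_PHOTONS and QBER_ABORT are assumed values, and the two attackers (intercept-resend on the fibre, and a man-in-the-middle who completes two separate BB84 sessions because the basis-reconciliation channel is not authenticated) are the standard textbook ones, not anything reported in the articles.

```python
import random

# Constructed parameters for this added example (not from the posts above).
N_PHOTONS = 4000
QBER_ABORT = 0.11   # commonly quoted tolerable error rate for BB84; an
                    # intercept-resend attacker produces about 25 %


def random_bits(rng, n):
    return [rng.randrange(2) for _ in range(n)]


def measure(rng, bit, prep_basis, meas_basis):
    """Result of measuring one photon.  Same basis as the preparation: the
    encoded bit comes back.  Wrong basis: the result is a coin flip and the
    original value is destroyed, which is the physics the articles lean on."""
    return bit if prep_basis == meas_basis else rng.randrange(2)


def bb84_session(rng, eavesdrop=False):
    """One BB84 exchange between a sender and a receiver.

    Returns (sender_key, receiver_key, qber).  With eavesdrop=True an
    intercept-resend attacker on the fibre measures every photon in a random
    basis and re-sends what she saw."""
    s_bits, s_bases = random_bits(rng, N_PHOTONS), random_bits(rng, N_PHOTONS)
    if eavesdrop:
        e_bases = random_bits(rng, N_PHOTONS)
        tx_bits = [measure(rng, b, pb, eb) for b, pb, eb in zip(s_bits, s_bases, e_bases)]
        tx_bases = e_bases
    else:
        tx_bits, tx_bases = s_bits, s_bases
    r_bases = random_bits(rng, N_PHOTONS)
    r_bits = [measure(rng, b, tb, rb) for b, tb, rb in zip(tx_bits, tx_bases, r_bases)]
    # Sifting over the classical channel: the receiver announces its bases and
    # both sides keep the positions where the bases agree.  Nothing here
    # proves who is at the other end of that announcement.
    keep = [i for i in range(N_PHOTONS) if s_bases[i] == r_bases[i]]
    s_key = [s_bits[i] for i in keep]
    r_key = [r_bits[i] for i in keep]
    qber = sum(a != b for a, b in zip(s_key, r_key)) / len(keep)
    return s_key, r_key, qber


def honest_session(seed=3):
    """No attacker: sifted keys agree exactly and are about half the photons."""
    rng = random.Random(seed)
    s_key, r_key, qber = bb84_session(rng)
    return len(s_key), s_key == r_key, qber


def intercept_resend_detected(seed=1):
    """Eve on the quantum channel only: the error-rate check catches her."""
    rng = random.Random(seed)
    _, _, qber = bb84_session(rng, eavesdrop=True)
    return qber > QBER_ABORT, qber


def mitm_undetected(seed=2):
    """Eve on both channels, classical channel unauthenticated: she completes
    one clean session with Alice (posing as Bob) and a second, independent one
    with Bob (posing as Alice).  Both error checks pass, Alice and Bob hold
    different keys, and Eve has a copy of each."""
    rng = random.Random(seed)
    alice_key, eve_key_a, q_a = bb84_session(rng)
    eve_key_b, bob_key, q_b = bb84_session(rng)
    both_accept = q_a <= QBER_ABORT and q_b <= QBER_ABORT
    eve_knows_both = eve_key_a == alice_key and eve_key_b == bob_key
    return both_accept and eve_knows_both and alice_key != bob_key


if __name__ == "__main__":
    print("honest (len, agree, qber):", honest_session())
    print("intercept-resend (detected, qber):", intercept_resend_detected())
    print("MITM on unauthenticated sifting passes the QBER check:", mitm_undetected())
```

The QBER check only ever sees disturbance on the photons; it says nothing about who answered the basis announcements. The usual remedy is to authenticate the sifting and error-estimation messages with a short key the two ends already share (an information-theoretic Wegman-Carter style MAC if the "unconditional" label is to be kept), which is why QKD is more honestly described as key expansion than key distribution.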

QC Hype Watch: Quantum cryptography gets practical

2004-10-04 Thread R. A. Hettinga
http://www.computerworld.com/printthis/2004/0,4814,96111,00.html

 - Computerworld


 Quantum cryptography gets practical

 Opinion by Bob Gelfond, MagiQ Technologies Inc.


  SEPTEMBER 30, 2004  (COMPUTERWORLD)  -  In theory and in labs, quantum
cryptography -- cryptography based on the laws of physics rather than
traditional, computational difficulty -- has been around for years.
Advancements in science and in the world's telecommunications
infrastructure, however, have led to the commercialization of this
technology and its practical application in industries where high-value
assets must be secure.

 Protecting information today usually involves the use of a cryptographic
protocol where sensitive information is encrypted into a form that would be
unreadable by anyone without a key. For this system to work effectively,
the key must be absolutely random and kept secret from everyone except the
communicating parties. It must also be refreshed regularly to keep the
communications channel safe. The challenge resides in the techniques used
for the encryption and distribution of this key to its intended parties to
avoid any interception of the key or any eavesdropping by a third party.

 Many organizations are advancing quantum technology and bringing it
outside academia. Research labs, private companies, international alliances
such as the European Union and agencies such as the Defense Advanced
Research Projects Agency are investing tens of millions of dollars in
quantum research, with projects specifically focused on the challenge of
key distribution.

 The trouble with key distribution

Huge investment in the late 1990s through 2001 created a vast
telecommunications infrastructure resulting in millions of miles of optical
fiber laid across the country and throughout buildings to enable high-speed
communications. This revolution combined a heavy reliance on fiber-optic
infrastructure with the use of open network protocols such as Ethernet and
IP to help systems communicate.

 Although this investment delivers increased productivity, dependence on
optical fiber compounds key distribution challenges because of the relative
ease with which optical taps can be used. With thousands of photons
representing each bit of data traveling over fiber, nonintrusive, low-cost
optical taps placed anywhere along the fiber can siphon off enough data
without degrading the signal to cause a security breach. The threat profile
is particularly high where clusters of telecommunications gear are found in
closets, the basements of parking garages or central offices. Data can be
tapped through monitoring jacks on this equipment with inexpensive handheld
devices. This enables data to be compromised without eavesdroppers
disclosing themselves to the communicating parties.

 Another important aspect of this problem is the refresh rate of the keys.
Taking large systems off-line to refresh keys can cause considerable
headaches, such as halting business operations and creating other security
threats. Therefore, many traditional key-distribution systems refresh keys
less than once per year. Infrequent key refreshing is detrimental to the
security of a system because it makes brute-force attacks much easier and
can thereby provide an eavesdropper with full access to encrypted
information until the compromised key is refreshed.

 Adding quantum physics to the key distribution equation

Companies are now in a position to use advancements in quantum
cryptography, such as quantum key distribution (QKD) systems, to secure
their most valued information. Two factors have made this possible: the
vast stretches of optical fiber (lit and dark) laid in metropolitan areas,
and the decreasing cost in recent years of components necessary for
producing QKD systems as a result of the over-investment in
telecommunications during the early 2000s.

 Based on the laws of quantum mechanics, the keys generated and
disseminated using QKD systems have proved to be absolutely random and
secure. Keys are encoded on a photon-by-photon basis, and quantum mechanics
guarantees that the act of an eavesdropper intercepting a photon will
irretrievably change the information encoded on that photon. Therefore, the
eavesdropper can't copy or read the photon -- or the information encoded on
it -- without modifying it, which makes it possible to detect the security
breach. In addition to mitigating the threat of optical taps, QKD systems
are able to refresh keys at a rate of up to 10 times per second, further
increasing the level of security of the encrypted data.

 Not for everyone

Quantum key distribution systems aren't intended for everyday use: You
won't find a QKD system in the home office anytime soon. One reason is that
a QKD system requires a dedicated fiber-optic line. Also, because of the loss
of photons over longer distances, these systems have current distance
limitations of approximately 120 kilometers (nearly 75 miles) which is
common with optical

U. of Tokyo, Fujitsu advance towards quantum cryptography

2004-07-23 Thread R. A. Hettinga
http://www.infoworld.com/article/04/07/23/HNquantumcrypto_1.html

InfoWorld



U. of Tokyo, Fujitsu advance towards quantum cryptography
Project succeeds in generating single photon needed for securely sharing
keys across telecom networks

By Martyn Williams, IDG News Service
July 23, 2004 


TOKYO -- A joint research project of Fujitsu Ltd. and The University of
Tokyo has made progress towards realizing a viable quantum cryptography
system. Such a system allows parties to share encryption keys via
telecommunication networks with full confidence that they have not been
compromised en route.


The team has succeeded in generating and detecting a single photon at
wavelengths useful for telecommunications, said Yasuhiko Arakawa, director
of the Nanoelectronics Collaborative Research Center at The University of
Tokyo and leader of the research project, in an interview on Tuesday.

 The reliable generation and detection of single photons is vital if
quantum cryptography systems are to leave the laboratory and enter
practical use and the team has managed this through the development of a
new photon generator.

 Quantum cryptography is based on the physical properties of photons.

If two parties want to exchange encrypted data they need to share the
electronic key that will be used to encode the data. The data is encoded
with a corresponding private key, so using the genuine public key is vital.
Should a fake key be substituted for the real one the data could be read by
a third party rather than the intended recipient. Sharing of keys across
telecommunication networks can expose the key to tampering so many users
exchange keys offline via physical media, such as a floppy disk or CD-ROM.

 Under public key infrastructure (PKI) schemes, public keys are certified
as being genuine by a certificate authority.

Quantum cryptography systems allow users to exchange keys across networks
with the knowledge that they haven't been tampered with during transmission.

 This is because each data bit of the key is encoded onto individual
photons of light. A photon cannot be split so it can only end up in one
place: with the intended receiver or with an eavesdropper. Should a key be
completely received the recipient can be sure it hasn't been compromised
and should it be incorrectly received there's a chance that it has been
intercepted and so a new key can be issued.

 Thus, for a viable quantum cryptography system it must be possible to
reliably generate a single photon. If two or more photons are generated the
key's security is gone.

"We have to avoid the key being received by other people," Arakawa said.
"It's not easy to avoid but if we use single photons it's possible. So it's
very important to develop a single photon source."

 Until now most experiments involving quantum cryptography have used lasers
as their photon source and these haven't proven to be completely reliable
generators of single photons.

"By reducing the output power of the laser we can create one photon
sometimes, however it is impossible to control accurately the number of
photons," Arakawa said. Reducing the laser power also means the overall
transmission speed is slowed.

 Arakawa's team has developed a new generator based on materials developed
by Fujitsu and Japan's National Institute for Materials Science. The
material is embedded with quantum dots, which are like tiny holes into
which individual electrons can enter and a photon be produced.

"They are almost comparable to the wavelength of the electron so electron
motion is almost zero and the electron cannot move," Arakawa said. "The
energy state is fixed. So if we can control the energy of the electron, we
can control the number of photons that are emitted."

 The wavelength of the photons that are emitted can be controlled by
adjusting the size and shape of the quantum dots. Doing so very accurately
is difficult so additional filtering is employed to ensure that only those
with a wavelength suitable for transmission down commercial optical fiber
networks are let through, said Tatsuya Usuki, a researcher at Fujitsu
Laboratories Ltd., who also worked on the technology.

 Because the accurate generation of single photons is possible and there is
no need to throttle back the power, the transmission speed can be increased
from a few hundred bits per second to around 400 times that speed, Arakawa
said. He estimated a commercial system might be possible to transmit data
at up to 100k bps (bits per second).

 The group has also made progress on the detection end of the system. Light
coming out of the fiber is split into two and sent to two detectors. By
measuring the time at which photons arrive researchers can determine
whether one or two photons were generated. "In the case photons arrive at
the same time at each detector, it means two were generated which was not
the case with the new system," Arakawa said.

 At present the team has succeeded in generating photons at both 1.3 micron
and 1.55 micron

BBN Technologies Unveils World's First Quantum Cryptography Network

2004-06-03 Thread R. A. Hettinga
http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=SVBIZINK3.storySTORY=/www/story/06-03-2004/0002186418EDATE=THU+Jun+03+2004,+07:50+AM


Silicon Valley Biz Ink :: The voice of the valley economy

June 3, 2004



Computers/Electronics News

Press release distributed
by PR Newswire

 BBN Technologies Unveils World's First Quantum Cryptography Network

 Quantum Cryptography Breakthrough Delivers Absolute Security
   Based on Laws of Physics

CAMBRIDGE, Mass., June 3 /PRNewswire/ -- BBN Technologies announced today
that it has built the world's first quantum cryptography network and is now
operating it continuously beneath the streets of Cambridge, Massachusetts.
Today the DARPA Quantum Network links BBN's campus to Harvard University; soon
it will stretch across town to include Boston University as a third link.  The
Harvard University Applied Physics Department and the Boston University
Photonics Center have worked in close collaboration with BBN to build the
network under Defense Advanced Research Projects Agency (DARPA) sponsorship.

Information traveling over open networks such as the Internet is often
encrypted to prevent unauthorized eavesdropping.  Currently, complex
mathematical algorithms are the most common method used to scramble (encrypt)
and de-scramble (decrypt) messages that require secure transmission.  Although
this method can provide high levels of security, it is not infallible.  In
contrast, the DARPA Quantum Network introduces extremely high levels of
security for Internet-based communications systems by encrypting and
decrypting messages with keys created by quantum cryptography.

Quantum cryptography, invented by Charles Bennett and Gilles Brassard in
the 1980s, prepares and transmits single photons of light, through either
fiber optic cable or the atmosphere, to distribute cryptographic keys that are
used to encrypt and decrypt messages.  This method of securing information is
radically different from methods based on mathematical complexity, relying
instead on fundamental physical laws.  Because very small (quantum) particles
are changed by any observation or measurement, eavesdropping on a quantum
cryptography system is always detectable.

The DARPA Quantum Network has improved on these techniques to create a
highly robust, six-node network that is both extremely secure and 100%
compatible with today's Internet technology.  Patent-pending BBN protocols
pave the way for robust quantum networks on a larger scale by providing any
to any networking of quantum cryptography through a mesh of passive optical
switches and cryptographic key relays.

"People think of quantum cryptography as a distant possibility," said Chip
Elliott, a Principal Scientist at BBN and leader of its quantum engineering
team, "but the DARPA Quantum Network is up and running today underneath
Cambridge.  BBN has built a set of high-speed, full-featured quantum
cryptography systems and has woven them together into an extremely secure
network."

"This kind of breakthrough is the essence of BBN," said Tad Elmer,
president and CEO of BBN.  "We were ahead of the technology curve with the
ARPANET and the first router, and our quantum network exemplifies the same
kind of forward thinking and innovation that has made BBN a technology
leader for over 50 years."

About BBN Technologies
BBN Technologies was established as Bolt Beranek and Newman Inc. in 1948.
From its roots as an acoustical design consulting firm, BBN grew to implement
and operate the ARPANET (the forerunner of today's Internet) and develop the
first network email, which established the @ sign as an icon for the digital
age.  Today BBN Technologies provides technical expertise and innovation to
both government and commercial customers.  Areas of expertise include: quantum
information, speech and language processing, networking, information security,
and acoustic technologies.  BBN has more than 600 employees in offices across
the US.  For more information, visit http://www.bbn.com.



EU seeks quantum cryptography response to Echelon

2004-05-25 Thread R. A. Hettinga
http://www.nwfusion.com/news/2004/0517euseeks.html

Network World Fusion


EU seeks quantum cryptography response to Echelon

By Philip Willan
IDG News Service, 05/17/04

The European Union is to invest €11 million ($13 million) over the next
four years to develop a secure communication system based on quantum
cryptography, using physical laws governing the universe on the smallest
scale to create and distribute unbreakable encryption keys, project
coordinators said Monday.

 If successful, the project would produce the cryptographer's holy grail --
absolutely unbreakable code -- and thwart the eavesdropping efforts of
espionage systems such as Echelon, which intercepts electronic messages on
behalf of the intelligence services of the U.S., the U.K., Canada, New
Zealand and Australia.

"The aim is to produce a communication system that cannot be intercepted
by anyone, and that includes Echelon," said Sergio Cova, a professor from
the electronics department of Milan Polytechnic and one of the project's
coordinators. "We are talking about a system that requires significant
technological innovations. We have to prove that it is workable, which is
not the case at the moment." Major improvements in geographic range and
speed of data transmission will be required before the system becomes a
commercial reality, Cova said.

"The report of the European Parliament on Echelon recommends using quantum
cryptography as a solution to electronic eavesdropping. This is an effort
to cope with Echelon," said Christian Monyk, the director of quantum
technologies at the Austrian company ARC Seibersdorf Research and overall
coordinator of the project. Economic espionage has caused serious harm to
European companies in the past, Monyk said. "With this project we will be
making an essential contribution to the economic independence of Europe."

 Quantum cryptography takes advantage of the physical properties of light
particles, known as photons, to create and transmit binary messages. The
angle of vibration of a photon as it travels through space -- its
polarization -- can be used to represent a zero or a one under a system
first devised by scientists Charles Bennett and Gilles Brassard in 1984. It
has the advantage that any attempt to intercept the photons is liable to
interfere with their polarization and can therefore be detected by those
operating the system, the project coordinators said. An intercepted key
would therefore be discarded and a new one created for use in its place.

 The new system, known as SECOQC (Secure Communication based on Quantum
Cryptography), is intended for use by the secure generation and exchange of
encryption keys, rather than for the actual exchange of data, Monyk said.

"The encrypted data would then be transmitted by normal methods," he said.
Messages encrypted using quantum mechanics can currently be transmitted
over optical fibers for tens of kilometers. The European project intends to
extend that range by combining quantum physics with other technologies,
Monyk said. "The important thing about this project is that it is not based
solely on quantum cryptography but on a combination with all the other
components that are necessary to achieve an economic application," he said.
"We are taking a really broad approach to quantum cryptography, which other
countries haven't done."

 Experts in quantum physics, cryptography, software and network development
from universities, research institutes and private companies in Austria,
Belgium, Britain, Canada, the Czech Republic, Denmark, France, Germany,
Italy, Russia, Sweden and Switzerland will be contributing to the project,
Monyk said.

 In 18 months project participants will assess progress on a number of
alternative solutions and decide which technologies are the most promising
and merit further development, project coordinators said. SECOQC aims to
have a workable technology ready in four years, but will probably require
three to four years of work beyond that before commercial use, Monyk said.

Cova was more cautious: "This is the equivalent of the first flight of the
Wright brothers, so it is too early to be talking already about supersonic
transatlantic travel."

 The technological challenges facing the project include the creation of
sensors capable of recording the arrival of photons at high speed and
photon generators that produce a single photon at a time, Cova said. If
two or three photons are released simultaneously they become vulnerable to
interception, he said.

 Monyk believes there will be a global market of several million users once
a workable solution has been developed. A political decision will have to
be taken as to who those users will be in order to prevent terrorists and
criminals from taking advantage of the completely secure communication
network, he said.

"In my view it should not be limited to senior government officials and
the military, but made available to all users who need really secure
communications," Monyk said. Banks
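
Why "if two or more photons are generated the key's security is gone" (the Fujitsu article) and why Cova, above, wants sources that emit one photon at a time: with an attenuated laser the photon number per pulse is Poisson-distributed, and an eavesdropper who can split off the spare photon of a multi-photon pulse can hold it, wait for the bases to be announced, and then read that key bit with certainty and without introducing any error for the receiver to notice. The following Python is an added worked example, not code from the page or from any of the research groups named on it; the mean photon number mu, the channel transmittance eta and the pulse counts are assumed values, and the model (Poisson source, Poisson thinning of the fibre, lossless forwarding by the attacker) is the simple textbook one.

```python
import math
import random

# Assumed parameters for this added example (not from the articles above).
MU = 0.1        # mean photon number per attenuated-laser pulse
PULSES = 20000  # Monte Carlo sample size


def poisson_pmf(n, mu):
    """P(n photons in a pulse) for an attenuated laser: Poisson with mean mu."""
    return math.exp(-mu) * mu ** n / math.factorial(n)


def poisson_draw(rng, mu):
    """Knuth's inversion sampler, fine for the small mu used here."""
    limit, k, p = math.exp(-mu), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def multiphoton_fraction(mu):
    """Share of non-empty pulses carrying two or more photons.  An attacker who
    stores one photon from each of these and measures it after the bases are
    announced learns that key bit exactly, with no disturbance for the
    error-rate check to see."""
    p_ge1 = 1.0 - poisson_pmf(0, mu)
    p_ge2 = p_ge1 - poisson_pmf(1, mu)
    return p_ge2 / p_ge1


def honest_click_prob(mu, eta):
    """Probability the receiver's detector fires on one pulse over a fibre that
    passes each photon with probability eta (thinning gives Poisson(eta*mu))."""
    return 1.0 - math.exp(-eta * mu)


def critical_eta(mu):
    """Channel transmittance below which the attacker can block every
    single-photon pulse, forward one photon of every multi-photon pulse over a
    lossless line, keep the rest, and still match the receiver's expected
    click rate: solve 1 - exp(-eta*mu) = P(n >= 2) for eta."""
    p_ge2 = 1.0 - poisson_pmf(0, mu) - poisson_pmf(1, mu)
    return -math.log(1.0 - p_ge2) / mu


def pns_full_break(mu, eta):
    """True if the line is lossy enough for the attack in critical_eta() to
    learn the whole sifted key without changing the detection statistics."""
    return eta <= critical_eta(mu)


def simulate_split(mu, pulses, seed=0):
    """Monte Carlo of the gentler variant where the attacker only splits
    multi-photon pulses and forwards everything else untouched.  Returns the
    fraction of detected bits she knows; she causes zero errors by construction."""
    rng = random.Random(seed)
    known = detected = 0
    for _ in range(pulses):
        n = poisson_draw(rng, mu)
        if n == 0:
            continue              # empty pulse, nobody clicks
        detected += 1             # lossless forwarding: receiver always gets a photon
        if n >= 2:
            known += 1            # attacker kept one copy, reads it after sifting
    return known / detected


if __name__ == "__main__":
    for mu in (0.1, 0.5, 1.0):
        print(f"mu={mu}: multi-photon share of key {multiphoton_fraction(mu):.3f}, "
              f"full break below eta={critical_eta(mu):.4f} "
              f"({-10 * math.log10(critical_eta(mu)):.1f} dB loss)")
    print(f"simulated share known to attacker at mu={MU}: {simulate_split(MU, PULSES):.3f}")
```

At mu = 0.1 the full break needs a transmittance of only about 4.7 %, roughly 13 dB of line loss, which is well inside the tens-of-kilometre ranges discussed on this page; under this simple model the attacker then has the entire key and the receiver sees nothing unusual. That is the reason the articles put so much weight on a genuine single-photon source and on detectors that can tell one photon from two.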

RE: EU seeks quantum cryptography response to Echelon

2004-05-25 Thread Trei, Peter
Tom Shaddack wrote:

> On Tue, 18 May 2004, Tyler Durden wrote:
>
> > Monyk believes there will be a global market of several million users once
> > a workable solution has been developed. A political decision will have to
> > be taken as to who those users will be in order to prevent terrorists and
> > criminals from taking advantage of the completely secure communication
> > network, he said.
>
> Hope the technology hits the streets fast enough after getting on the
> market. Monyk apparently doesn't believe that people who don't have the
> money to buy the Official Approval have no right to access to this
> technology.

Actually, I read this as the sort of puffery we more often see
from the snake-oil vendors: "Our proprietary Auto Generated
One Time Pad (TM) crypto is so strong that the government
may ban it - get it while you can!"

Peter



RE: EU seeks quantum cryptography response to Echelon

2004-05-25 Thread Tyler Durden
Boondoggle. A solution in search of a problem:
> Monyk believes there will be a global market of several million users once
> a workable solution has been developed. A political decision will have to
> be taken as to who those users will be in order to prevent terrorists and
> criminals from taking advantage of the completely secure communication
> network, he said.
Silliness itself, at this point. Practical quantum cryptography at this 
point is limited to transmission. The moment it goes O/E, it's as vulnerable 
as any other data. And terrorists aren't going to bother splicing fiber.

Of course, primitive quantum storage (with error correcting codes!) is 
possible and done in laboratories, but we're talking tens of bits here. 
It'll be a decade before quantum storage is practical, and that's only IF 
someone can find a convincing reason to start developing it.

-TD

From: R. A. Hettinga [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: EU seeks quantum cryptography response to Echelon
Date: Mon, 17 May 2004 14:32:34 -0400
http://www.nwfusion.com/news/2004/0517euseeks.html

Bank Transfer via Quantum Cryptography Based on Entangled Photons

2004-04-22 Thread R. A. Hettinga
Sigh...

The old hype-meter pegs so much the needle's bent...

Cheers,
RAH


http://www.quantenkryptographie.at/rathaus_press.html

Quantum Cryptography live
World Premiere: Bank Transfer via Quantum Cryptography Based on Entangled
Photons
 Press conference and demonstration of the ground-breaking experiment:
 21 April 2004, 11:30, Vienna City Hall – Steinsaal

 A collaboration of:
 group of Professor Anton Zeilinger, Vienna University; ARC Seibersdorf
research GmbH; City of Vienna; Wien Kanal Abwassertechnologien GmbH and
Bank Austria – Creditanstalt




Re: Quantum cryptography finally commercialized?

2003-09-17 Thread David Wagner
R. A. Hettinga wrote:
> http://www.net-security.org/news.php?id=3583
>
> Quantum cryptography finally commercialized?
> Posted by Mirko Zorz - LogError
> Tuesday, 16 September 2003, 1:23 PM CET

For the onlookers, this article is misinformed and should
not be relied upon for evaluating quantum cryptography.

The rest of the article contains statements like the following:

"MagiQ's Navajo creates encryption keys that change up to 1,000 times a
second to prevent eavesdroppers from deciphering the transmitted data
packets.  [...]  While AES is very secure, the combination of AES and
Navajo is theoretically absolutely secure: unbreakable."

The "unbreakable" claim is unfounded.



Quantum cryptography finally commercialized?

2003-09-16 Thread R. A. Hettinga
http://www.net-security.org/news.php?id=3583

Help Net Security -

Quantum cryptography finally commercialized?
Posted by Mirko Zorz - LogError
Tuesday, 16 September 2003, 1:23 PM CET


Start-up MagiQ Technologies, from Somerville, Massachusetts, has released
the first commercial implementation of quantum cryptography, the
much-heralded solution to the perfect encryption cipher. Theoretically,
encryption ciphers created using quantum physics are unbreakable.

While MagiQ Technologies' product, Navajo, isn't itself a quantum device it
uses one of the fundamental tenets of quantum theory: Heisenberg's
Uncertainty Principle, to create a Quantum Key Distribution (QKD) network.
Werner Heisenberg first published his theory in 1927, stating that the more
precisely the position of a particle is known, the less precisely the momentum is
known. This succinct statement addresses the uncertain relationship between
the position and the momentum (mass times velocity) of a subatomic
particle, such as an electron, and has profound impact on the development
of future information systems.

