Re: quantum hype

2003-10-03 Thread Peter Fairbrother
[EMAIL PROTECTED] wrote:

>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] Behalf Of Dave Howe
>> 
>> Peter Fairbrother may well be in possession of a break for the QC hard
>> problem - his last post stated there was a way to "clone" photons with
>> high accuracy in retention of their polarization
>> [SNIP]
>> 
> Not a break at all. The physical limit for cloning is 5/6ths of the bits will
> clone true. Alice need only send 6 bits for every one bit desired to assure
> Eve has zero information. For a 256-bit key negotiation, Alice sends 1536 bits
> and hashes it down to 256 bits for the key.

I've just discovered that that won't work. Eve can get sufficient
information to make any classical error correction or entropy distillation
techniques unusable.

See:  http://www.gap-optique.unige.ch/Publications/Pdf/9611041.pdf


You have to use QPA instead, which has far too many theoretical assumptions
for my trust.

-- 
Peter Fairbrother

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: quantum hype

2003-09-28 Thread Dave Howe
Peter Fairbrother wrote:
> I promised some links about the 5/6 cloning figure. You've had a few
> experimental ones, here are some theory ones.
has anyone with better number theory / probability skills than me taken a
stab at exactly *how* accurate cloning would have to be (and how many
clones you would need) to determine accurately both the bit and filter
values for a quantum key exchange photon? for a single pass (5/6 photons
output) it feels like the odds are stacked against getting a clean
reading; for two passes (25/36) it feels even worse.
how accurate would cloning need to be to get a better than 1/3 failure
rate?



Re: quantum hype

2003-09-28 Thread Peter Fairbrother
I promised some links about the 5/6 cloning figure. You've had a few
experimental ones, here are some theory ones.


Cloning machines:
http://www.fi.muni.cz/usr/buzek/mypapers/96pra1844.pdf

Theoretically optimal cloning machines:
http://www.gap-optique.unige.ch/Publications/Pdf/PRL02153.pdf

1/6 disturbance is theoretically optimal, both as a QC interception strategy
and "it's an optimal cloning machine":
http://www.gap-optique.unige.ch/Publications/Pdf/PRA04238.pdf

A different approach to the 1/6 figure (2/3 cloned correctly, the 1/3
imperfectly cloned still has a 50% chance of being right):
http://arxiv.org/PS_cache/quant-ph/pdf/0012/0012121.pdf


That lot is pretty much undisputed...

...except for the "optimal" part; and that's a sideways argument anyway -
the math and physics theory are right as far as they go, just that they
didn't consider everything.

It may be possible to clone better than those "optimal" solutions,
especially in the classic QC case, or get more information like which
photons were cloned correctly, and perhaps to as near perfection as you
like, but that is in dispute. Actually it's a pretty friendly dispute,
people mostly say "I don't know"*. I'll post some more links on that later.


*unless someone mentions non-linear transformations. Which is a different
dispute really.
-- 
Peter Fairbrother



Re: quantum hype

2003-09-24 Thread Greg Troxel
  I'm always stuck on that little step where Alice tells Bob what basis
  she used for each photon sent.  Tells him how?  They need integrity
  protection and endpoint authentication for N bits of basis.  Is the
  quantum trick converting those N bits to N/2 privacy-protected bits
  really as exciting as it's made out to be?

They need integrity and data origin authentication, but not
confidentiality.  This is what is referred to as the "public channel"
in QC papers.  The standard approach (in papers) is to use universal
hashing.  This is just math, with no quantum aspects.  But, it enables
authenticating an arbitrarily long string of bits with a single key,
just like one can MAC a long message with HMAC-SHA1.

The difference is that because of the hash construction there are two
key property changes from an HMAC such as used in IPsec:

  One can prove that the odds of a forgery are vanishingly small (1 in
  $2^{n-1}$ for n bit keys, or something like that), even with an
  adversary with infinite computational power.

  You can only use the key once (or perhaps twice).  Otherwise, an
  adversary can recover it.  This results in needing a constant stream
  of authentication keying material.

Whether these two properties are a good tradeoff from HMAC in practice
for any particular situation and threat model is an interesting
question.

See "Universal Classes of Hash Functions", by Carter and Wegman,
Journal of Computer and System Sciences 18, 143-154 (1979) for the
canonical paper on universal hashing.

-- 
Greg Troxel <[EMAIL PROTECTED]>

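As an added illustration of the universal-hashing MAC Greg describes for the public channel (this is example code written for this page, not code from the thread or from Carter and Wegman): a polynomial hash over GF(P) is masked with a one-time pad, so a single key authenticates an arbitrarily long basis announcement, the forgery bound holds against unbounded computation, and reusing the key on a second message gives it away. P, the block size, the 400-photon basis string and all function names are my own assumptions.

```python
import secrets

P = (1 << 127) - 1       # Mersenne prime; all hash arithmetic is in GF(P)
BLOCK_BYTES = 15         # 120-bit blocks, so every block is < P


def _blocks(msg):
    """Split a byte string into integers < P (last block may be short)."""
    return [int.from_bytes(msg[i:i + BLOCK_BYTES], "big")
            for i in range(0, len(msg), BLOCK_BYTES)]


def poly_hash(msg, a):
    """h_a(m) = len(m) + m_0*a + m_1*a^2 + ... + m_{L-1}*a^L  (mod P).

    For two different messages h_a(m) - h_a(m') is a nonzero polynomial in a
    of degree <= L, so at most L of the P possible keys make them collide.
    """
    acc = len(msg)
    power = a
    for m in _blocks(msg):
        acc = (acc + m * power) % P
        power = power * a % P
    return acc


def keygen():
    """One-time key: hash key a and pad b, both uniform in GF(P)."""
    return secrets.randbelow(P), secrets.randbelow(P)


def mac(msg, key):
    """Wegman-Carter tag: universal hash, then one-time pad with b."""
    a, b = key
    return (poly_hash(msg, a) + b) % P


def verify(msg, tag, key):
    return mac(msg, key) == tag


def forgery_bound(msg_len):
    """Upper bound on an adversary's chance of producing a valid tag for a
    different message of no more blocks than the tagged one, given one
    (message, tag) pair: L / P. It does not depend on computing power,
    because the pad b hides h_a(m) completely."""
    return (-(-msg_len // BLOCK_BYTES)) / P


def key_from_reuse(m1, t1, m2, t2):
    """Why the key is one-time: if (a, b) tags two equal-length messages that
    differ only in block 0, then t1 - t2 = (m1_0 - m2_0) * a (mod P), and a,
    then b, follow from one modular division. Returns the recovered (a, b)."""
    d = (_blocks(m1)[0] - _blocks(m2)[0]) % P
    a = (t1 - t2) * pow(d, -1, P) % P
    b = (t1 - poly_hash(m1, a)) % P
    return a, b


def demo():
    """Constructed basis announcement ('+' / 'x') for 400 photons; returns
    (genuine tag verifies, announcement with one flipped basis is rejected)."""
    basis = bytes(secrets.choice(b"+x") for _ in range(400))
    key = keygen()
    tag = mac(basis, key)
    flipped = bytearray(basis)
    flipped[7] ^= ord("+") ^ ord("x")        # swap '+' <-> 'x' at one position
    return verify(basis, tag, key), not verify(bytes(flipped), tag, key)


if __name__ == "__main__":
    print("genuine verifies, tampered rejected:", demo())
    print("forgery bound for a 400-byte announcement:", forgery_bound(400))
```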


Re: quantum hype

2003-09-22 Thread David Wagner
John S. Denker wrote:
>After the key exchange has taken place, Alice
>and Bob can use the key to set up a tunnel to
>keep their discussions private.  Probably one
>of the first things they will do is exchange
>authentication messages through the newly
>created tunnel.  Thereby Alice can decide
>whether this Bob is the Bob she wanted to
>talk to, as opposed to an impersonator.
>Similarly Bob ought to check Alice's creds.

Exchanging authentication messages through the newly created channel is
not secure: It is vulnerable to man-in-the-middle attacks.

For instance, suppose I do a quantum key exchange to get a session key SK,
set up a channel encrypted using SK, and then do a challenge-response
authentication protocol to check whether the party on the other end of
this channel is the Bob I wanted to talk to.  The resulting protocol
looks like this:
  A<->B: [exchange session key SK using a quantum key exchange]
  A->B:  {N_A}_SK
  B->A:  {sig}_SK, where sig = {N_A}_{K_B^{-1}}

This protocol is insecure.  A man in the middle can relay messages.
  A<->M: [exchange session key SK using a quantum key exchange]
  M<->B: [exchange session key SK' using a quantum key exchange]
  A->M:  {N_A}_SK
  M->B:  {N_A}_SK'
  B->M:  {sig}_SK', where sig = {N_A}_{K_B^{-1}}
  M->A:  {sig}_SK
Now Alice thinks she is talking to Bob, when actually Mallet has
insinuated herself into the middle of their communication link.

The problem with doing authentication after creation of the channel is
that the authentication is not bound to the quantum key exchange itself.

The only fix I can see is to somehow authenticate the quantum link used
for the quantum key exchange.  For instance, the quantum key exchange
could be done over an authentic link -- a link where you *know* who is
on the other end, and you have confidence that no one can tamper with
the link or splice themselves in.

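An added model of the two transcripts above (example code for this page, not from David's post): the honest run and the relayed run are executed side by side, and Alice's check passes in both, which is the point of the post. The `bind` flag only makes concrete what "bound to the quantum key exchange" means in this model (Bob's signature also covers the session key he negotiated); the post itself proposes authenticating the quantum link instead. Stand-ins, all my assumptions: the quantum key exchange is a fresh random key per link, {x}_K is XOR with a SHA-256 keystream, and Bob's signature is an HMAC under a long-term key that Alice can also check.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16


def qke():
    """Stand-in for the quantum key exchange: one fresh 256-bit key per link."""
    return secrets.token_bytes(32)


def enc(key, data):
    """{data}_key as XOR with a SHA-256 keystream (toy, and its own inverse)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


dec = enc


def sign(k_b, data):
    """Stand-in for {data}_{K_B^{-1}}: an HMAC under Bob's long-term key,
    which in this model Alice holds as well so she can check it."""
    return hmac.new(k_b, data, hashlib.sha256).digest()


def bob_respond(sk, k_b, ciphertext, bind):
    """Bob: recover N_A from {N_A}_SK and answer {sig}_SK. With bind=True
    the signature also covers the session key Bob negotiated."""
    n_a = dec(sk, ciphertext)
    sig = sign(k_b, n_a + (sk if bind else b""))
    return enc(sk, sig)


def alice_check(sk, k_b, n_a, reply, bind):
    """Alice: decrypt the reply and compare with the signature she expects."""
    expected = sign(k_b, n_a + (sk if bind else b""))
    return hmac.compare_digest(dec(sk, reply), expected)


def honest_run(k_b, bind=False):
    """First transcript: Alice and Bob share one session key."""
    sk = qke()                                   # A<->B: quantum key exchange
    n_a = secrets.token_bytes(NONCE_LEN)
    reply = bob_respond(sk, k_b, enc(sk, n_a), bind)   # A->B, then B->A
    return alice_check(sk, k_b, n_a, reply, bind)


def relayed_run(k_b, bind=False):
    """Second transcript: M sits between two separate quantum key exchanges
    and re-encrypts each message for the far side."""
    sk = qke()                                   # A<->M: Alice shares SK with M
    sk2 = qke()                                  # M<->B: Bob shares SK' with M
    n_a = secrets.token_bytes(NONCE_LEN)
    c_to_m = enc(sk, n_a)                                # A->M: {N_A}_SK
    c_to_b = enc(sk2, dec(sk, c_to_m))                   # M->B: {N_A}_SK'
    r_from_b = bob_respond(sk2, k_b, c_to_b, bind)       # B->M: {sig}_SK'
    r_to_a = enc(sk, dec(sk2, r_from_b))                 # M->A: {sig}_SK
    return alice_check(sk, k_b, n_a, r_to_a, bind)


if __name__ == "__main__":
    K_B = secrets.token_bytes(32)
    for bind in (False, True):
        print(f"bind={bind}: honest accepts={honest_run(K_B, bind)}, "
              f"relayed accepts={relayed_run(K_B, bind)}")
```

With `bind=False` Alice accepts the relayed run exactly as she accepts the honest one, so nothing in her view distinguishes the two.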


Re: quantum hype

2003-09-22 Thread Peter Fairbrother
Matt Crawford wrote:

>> BTW, you can decrease the wavelength of a photon by bouncing it off
>> moving
>> mirrors.
> 
> Sure.  To double the energy (halve the wavelength), move the mirror at
> 70% of the speed of light.  And since you don't know exactly when the
> photon is coming, keep it moving at that speed ...
> 
 
I never suggested it was very practical, but:

Trap it in a cavity between two parallel mirrors, and shrink the cavity. It
doesn't matter (within reason) how fast you shrink it, just how much.

:)


-- 
Peter Fairbrother



Re: quantum hype

2003-09-22 Thread Matt Crawford
> BTW, you can decrease the wavelength of a photon by bouncing it off
> moving mirrors.
Sure.  To double the energy (halve the wavelength), move the mirror at 
70% of the speed of light.  And since you don't know exactly when the 
photon is coming, keep it moving at that speed ...



Re: quantum hype

2003-09-22 Thread Peter Fairbrother
[EMAIL PROTECTED] wrote:

>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] Behalf Of Dave Howe
>> 
>> Peter Fairbrother may well be in possession of a break for the QC hard
>> problem - his last post stated there was a way to "clone" photons with
>> high accuracy in retention of their polarization
>> [SNIP]
>> 
> Not a break at all. The physical limit for cloning is 5/6ths of the bits will
> clone true. Alice need only send 6 bits for every one bit desired to assure
> Eve has zero information. For a 256-bit key negotiation, Alice sends 1536 bits
> and hashes it down to 256 bits for the key.

Agreed. It's not a break, though it does make it harder. Many people think
the no-cloning theorem says you can't clone photons at all. Most COTS QC
gear only "works" under that false assumption.

Then there's the noise/error rates - in practice it's very hard to get > 60%
single photon detection rates, even under the most favourable conditions,
and low error rates are hard to get too.

I tend to the opinion, without sufficient justification and knowledge to
make it more than an opinion, that most COTS QC products are probably secure
today in practice, but claims for theoretical security are overblown.




There may be yet another problem which I should mention. First, I'd like to
state that I'm not a quantum mechanic, and I find the math and theory quite
hard, so don't rely too much on this.

I'm not certain that the 5/6 figure is a universal physical limit. It may
just be an artifact of the particular unitary transform used in that
specific cloning process.

It _may_ be possible for the cloner to get some information about which
photons were cloned incorrectly. This is tricky, and I don't know if it's
right - it involves non-interactive measurement of virtual states, kind of.

Another possibility is to imperfectly clone the photon more than once.

The no-cloning theorem per se doesn't disallow these, it only disallows
perfect cloning, but other physics might.

QC's unbreakability isn't based on a "hard problem", it's based on the
physical impossibility of perfect cloning. But exactly what that
impossibility means in practice, I wouldn't like to say. You can't clone
every photon. Can you only clone 5/6 of photons? Or 99.9...% of them? It
may be the latter.




BTW, you can decrease the wavelength of a photon by bouncing it off moving
mirrors.


-- 
Peter Fairbrother



RE: quantum hype

2003-09-22 Thread Michael_Heyman
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Dave Howe
> 
> Peter Fairbrother may well be in possession of a break for the QC hard
> problem - his last post stated there was a way to "clone" photons with
> high accuracy in retention of their polarization
> [SNIP]
>
Not a break at all. The physical limit for cloning is 5/6ths of the bits will clone 
true. Alice need only send 6 bits for every one bit desired to assure Eve has zero 
information. For a 256-bit key negotiation, Alice sends 1536 bits and hashes it down 
to 256 bits for the key.

-Michael Heyman



Re: quantum hype

2003-09-22 Thread Jaap-Henk Hoepman

I always understood that QKD is based on a hard problem of which the theory of
physics says it is impossible to find a solution (if not, then i'd like to
know). Then if QKD breaks, the current theory of physics was wrong.

On the other hand, if DH or RSA breaks, factoring or the discrete log turn out
to be polynomial. This is earthshattering, but doesn't imply our theory of
computing was wrong.

Whether one is a stronger foundation than the other is really a philosophical
question (and an interesting one too... ;-)

Jaap-Henk

On Sun, 21 Sep 2003 16:39:17 +0200 martin f krafft <[EMAIL PROTECTED]> writes:
>> > Has anyone *proven* that there is no way to read
>> > a quantum bit without altering it?
>> no. it's the "underlying hard problem" for QC. If there is
>> a solution to any of the Hard Problems, nobody knows about them.
>
> right, so it's no better than the arguable hard problem of factoring
> a 2048 bit number.


-- 
Jaap-Henk Hoepman   |  I've got sunshine in my pockets
Dept. of Computer Science   |  Brought it back to spray the day
University of Nijmegen  |Gry "Rocket"
(w) www.cs.kun.nl/~jhh  |  (m) [EMAIL PROTECTED]
(t) +31 24 36 52710/531532  |  (f) +31 24 3653137



Re: quantum hype

2003-09-21 Thread Andreas Gunnarsson
On Sun, Sep 21, 2003 at 01:37:21PM +0100, Peter Fairbrother wrote:
[cloning photons]
> There is also another less noisy cloning technique which has recently been
> done in laboratories, though it doubles the photon's wavelength, which would
> be noticeable,

To get rid of the wavelength change it sounds like you "just" have to
produce a new photon with half the wavelength, clone it and then clone
one of the clones and measure whether it matches the intercepted one. If
it does, forward its clone, otherwise choose another one.

I am a little skeptical though; does this really work? I would expect that
measuring one clone would affect its twin just as if it was measured
directly.

   Andreas



Re: quantum hype

2003-09-21 Thread Peter Fairbrother
Peter Fairbrother wrote:
 
> If the channel is authentic then a MitM is hard - but not impossible. The
> "no-cloning" theorem is all very well, but physics actually allows imperfect
> cloning of up to 5/6 of the photons while retaining polarisation, and this
> should be allowed for as well as the noise calculations. I don't know of any
> existing OTS equipment that does that.
> 
> A lasing medium can in theory clone photons with up to 5/6 of them retaining
> enough polarisation data to use as above, though in practice the noise is
> usually high.
> 
> There is also another less noisy cloning technique which has recently been
> done in laboratories, though it doubles the photon's wavelength, which would
> be noticeable, and I can't see offhand how in practice to halve the wavelength
> again without losing polarisation (except perhaps using changing
> gravitational fields and the like); but there is no theory that says that
> that can't be done.

Had two requests for links (and some scepticism) about this already. Try:

http://www.photonics.com/spectra/research/XQ/ASP/preaid.44/QX/read.htm

for an article and some ref's (though I'm not even sure if the paper
referred to is the one I'm thinking of, the one with wavelength doubling. I
thought it was published earlier this year).

I'll try and post some better links later.


-- 
Peter Fairbrother



Re: quantum hype

2003-09-21 Thread Dave Howe
>> no. it's the "underlying hard problem" for QC. If there is
>> a solution to any of the Hard Problems, nobody knows about them.
>right, so it's no better than the arguable hard problem of
>factoring a 2048 bit number.
Peter Fairbrother may well be in possession of a break for the QC hard
problem - his last post stated there was a way to "clone" photons with
high accuracy in retention of their polarization (at the cost of an
irrelevant increase in wavelength) so that Mallory could test photons with
BOTH filters, determining the value of the bit (from the correct filter
which would show a strong bias to the correct bit value) and the
orientation (given the incorrect filter would be roughly 50/50)

> wrong. i don't consider those that shouldn't know about
> some things to be my enemies. i know that crypto is
> useful when someone actively seeks information.
Hmm. normally, the agent attempting to intercept your traffic is termed
the attacker; I don't know many attackers that aren't enemies :)

> but if i want my girlfriend not to see those
> mails i send to this other chick (i have no
> girlfriend btw),
I suspect my wife might not like it if I had one :)

> i encrypt them and guard against the risk that i leave
> the window open when she comes home and she
> accidentally hits enter to read that email.
but not against you accidentally leaving the plaintext window open, or
your system having stored a draft of the plaintext someplace.
endpoint security is typically much, much harder than transmission
security (despite key exchange not being an issue) simply because so many
standard machines and software are orientated towards data loss prevention,
not security.

> i guess it's a matter of definition, so let's just leave it there.
indeed. perhaps "interceptor" rather than enemy would be closer?

> You seem to have a lot more of a grasp than I.
I am (as usual) standing on the shoulders of giants; I am simply repeating
my understanding of what they said trying to dumb it down to my miserable
level :)

> Anyhow, we are deviating here and there from the topic.
> So let me summarise:
>   - QC, if correctly used, can serve as the basis for OTP
>encryption.
correct - it is a key negotiation method, not an actual transmission
method.

>  - The provable security of QC thus actually comes from OTP.
no, the provable security of OTP is a given. the security of QC comes from
not being able to determine the polarization of a photon without pushing
it though a filter and seeing if it fits :)

>  - QC needs an unbroken channel. The channel does not have to be
>private because an observer destroys photons, which can be
>detected.
destroying photons would mean breaking (diverting the flow of photons
down) the channel, so there is no real distinction.

>  - This observer could DoS the communication, but that's akin to
>cutting the land-line.
indeed. not only akin, but actually a case of :)

>  - Actually, no, because if I don't rely on QC but have other
>means, I can switch to another medium if someone cuts my
>landline.
in fact, you would be better served using another channel (or channels)
for actual data, and keeping the optical channel for key negotiation only.
a successful MiTM attack relies on controlling *all* the communications
between alice and bob. if there are multiple channels, and even one is
missed, alice and bob can determine there was a middleman involved and the
attack breaks down. Ideal for transmitting the actual data would be (say)
a broadcast medium; alice can check her own transmissions, and bob can read

> Btw: is this list archived?
yes
http://www.mail-archive.com/cryptography%40metzdowd.com/index.html
and in general terms, always assume mailing lists are not only archived,
but read avidly by the enemies I have and you haven't got ;)



Re: quantum hype

2003-09-21 Thread martin f krafft
Again, replying to all.

also sprach John S. Denker <[EMAIL PROTECTED]> [2003.09.19.0038 +0200]:
> Other key-exchange methods such as DH are comparably
> incapable of solving the DoS problem.  So why bring up
> the issue?

For one, I can un-DoS with QC at any point in time. This may be
relevant for certain attacks.

Second, if I have a strong key exchange protocol, you cannot DoS me
because I can choose other media. If all I can use is QC because of
its "features", you can DoS me easily.

> If you can _prove_ DH is secure, please let us know immediately.


I was drunk last night, but I swear I was able to prove it ;^>

> If you have a consistent theory of physics that repeals the
> uncertainty principle, please let us know immediately.

Yeah, solved that in my dream last night. (also ;^>)



also sprach Dave Howe <[EMAIL PROTECTED]> [2003.09.19.1416 +0200]:
> QC is a hype-only technology - it relies on a unbroken line
> impervious to MitM, and there ain't no such beast.

I think this may well be the conclusion up to now...

> > Has anyone *proven* that there is no way to read
> > a quantum bit without altering it?
> no. it's the "underlying hard problem" for QC. If there is
> a solution to any of the Hard Problems, nobody knows about them.

right, so it's no better than the arguable hard problem of factoring
a 2048 bit number.

> cryptography is 90% paranoia - you *have* enemies, and don't know
> about them.

wrong. i don't consider those that shouldn't know about some things
to be my enemies. i know that crypto is useful when someone actively
seeks information. but if i want my girlfriend not to see those
mails i send to this other chick (i have no girlfriend btw),
i encrypt them and guard against the risk that i leave the window
open when she comes home and she accidentally hits enter to read
that email.

i also don't consider an ISP an enemy who does network-related
maintenance and happens to read into my data stream. heck, maybe the
guy is even interested and reads along for his pleasure. he's not an
enemy. but using crypto will still prevent this.

i guess it's a matter of definition, so let's just leave it there.

> eavesdropping *destroys* the data by removing 50% of the photons
> almost at random. that is the quantum bit of the process - only
> a single photon is sent, so it can only be processed (read) by one
> host; reading the photon destroys its value, and the random
> element ensures it is incorrectly read 50% of the time.

Now this makes a lot more sense. Somehow I thought that QC simply
flipped the bit. But then nature isn't binary, neither is physics,
so I was just dumb.

> I admit to not entirely following the logic behind Quantum
> Cryptography

You seem to have a lot more of a grasp than I.

Anyhow, we are deviating here and there from the topic. So let me
summarise:

  - QC, if correctly used, can serve as the basis for OTP
encryption.
  - The provable security of QC thus actually comes from OTP.
  - QC needs an unbroken channel. The channel does not have to be
private because an observer destroys photons, which can be
detected.
  - This observer could DoS the communication, but that's akin to
cutting the land-line.
  - Actually, no, because if I don't rely on QC but have other
means, I can switch to another medium if someone cuts my
landline.

There were other points, but I concentrated on the technical ones
and hope I left none out.

Btw: is this list archived?

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
 
"if beethoven's seventh symphony
 is not by some means abridged,
 it will soon fall into disuse."
 -- philip hale, boston music critic, 1837




Re: quantum hype

2003-09-21 Thread Peter Fairbrother
There are lots of types of QC. I'll just mention two.

In "classic" QC Alice generates polarised photons at randomly chosen either
"+" or "x" polarisations. Bob measures the received photons using a randomly
chosen polarisation, and tells Alice whether the measurement polarisation he
chose was "+" or "x", on an authenticated but non-secret channel. Alice
replies with a list of correct choices, and the shared secret is calculated
according as to whether the "+" polarisations are horizontal or vertical,
similar for the "slant" polarisations.


If the channel is authentic then a MitM is hard - but not impossible. The
"no-cloning" theorem is all very well, but physics actually allows imperfect
cloning of up to 5/6 of the photons while retaining polarisation, and this
should be allowed for as well as the noise calculations. I don't know of any
existing OTS equipment that does that.

A lasing medium can in theory clone photons with up to 5/6 of them retaining
enough polarisation data to use as above, though in practice the noise is
usually high.

There is also another less noisy cloning technique which has recently been
done in laboratories, though it doubles the photon's wavelength, which would
be noticeable, and I can't see offhand how in practice to halve the wavelength
again without losing polarisation (except perhaps using changing
gravitational fields and the like); but there is no theory that says that
that can't be done.



In another type of QC Alice and Bob agree on the measurement angles (any
angles, not just multiples of 45 deg) they will use, and Alice generates a
pair of entangled photons, sending one to Bob. Both measure the individual
photons at that angle, and the shared secret is generated according to
whether the photons pass the filter.

If the agreed-on measurement angles are kept secret, and noise bounds etc
are obeyed, then a MitM is hard as before except the theoretical maximum
ratio of "clonable" photons is lower - but it isn't much use, except as an
"otp key multiplier".



There are a zillion variations on these themes, and other types of QC. For
instance Alice can send Bob data rather than generating a random shared
secret, and without a separate channel, if she generates the quantum string
using a preshared secret. Mallory can get 1/2 of the bits, but AONT's can
defend against that, and if properly implemented no MitM is possible.

And so on.

-- 
Peter Fairbrother

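An added simulation of the "classic" QC exchange described above (example code written for this page, not from Peter's post): random "+"/"x" bases, sifting over the public channel, and the error-rate check on a sacrificed sample of the sifted key that is how the intercept-resend eavesdropper discussed elsewhere in the thread shows up (about 25% of the sifted bits wrong, against 0% on a noiseless honest channel). Photons are modelled by the textbook rule (right basis returns the sent bit, wrong basis returns a coin flip); the 11% abort threshold, the sample fraction and all names are my assumptions.

```python
import random

BASES = "+x"


def measure(bit, sent_basis, meas_basis, rng):
    """One photon through one filter: the right basis returns the encoded
    bit, the wrong basis returns a uniformly random bit."""
    return bit if sent_basis == meas_basis else rng.randrange(2)


def run_exchange(n, rng, intercept=False):
    """Send n photons and sift. Returns (alice_sifted, bob_sifted).

    intercept=True models the intercept-resend scenario: each photon is
    measured in a random basis and a new photon carrying that outcome in
    that basis is sent on to Bob.
    """
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.choice(BASES) for _ in range(n)]
    bob_bases = [rng.choice(BASES) for _ in range(n)]
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if intercept:
            e_basis = rng.choice(BASES)
            bit, a_basis = measure(bit, a_basis, e_basis, rng), e_basis
        bob_bits.append(measure(bit, a_basis, b_basis, rng))
    # Sifting over the public channel: Bob announces his bases, Alice answers
    # with the positions where they agree; only those bits are kept.
    keep = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    return [alice_bits[i] for i in keep], [bob_bits[i] for i in keep]


def estimate_qber(key_a, key_b, sample_size, rng):
    """Alice and Bob reveal a random sample of sifted bits, compare them in
    the clear and discard them. Returns (error rate, remaining_a, remaining_b)."""
    sample = set(rng.sample(range(len(key_a)), sample_size))
    errors = sum(1 for i in sample if key_a[i] != key_b[i])
    rest_a = [b for i, b in enumerate(key_a) if i not in sample]
    rest_b = [b for i, b in enumerate(key_b) if i not in sample]
    return errors / sample_size, rest_a, rest_b


def exchange_with_check(n, seed, intercept=False, threshold=0.11):
    """One complete run. Returns (qber, accepted, key_a, key_b); the key is
    discarded (accepted=False) when the sampled error rate exceeds threshold.
    threshold=0.11 is an assumed abort level, not a figure from the thread."""
    rng = random.Random(seed)
    key_a, key_b = run_exchange(n, rng, intercept)
    qber, rest_a, rest_b = estimate_qber(key_a, key_b, len(key_a) // 4, rng)
    if qber > threshold:
        return qber, False, [], []
    return qber, True, rest_a, rest_b


if __name__ == "__main__":
    for label, icpt in (("honest channel", False), ("intercept-resend", True)):
        q, ok, ka, kb = exchange_with_check(8000, seed=1, intercept=icpt)
        print(f"{label}: QBER={q:.3f} accepted={ok} key bits={len(ka)}")
```

Real channel noise adds to the measured rate, which is why the post's point about noise bounds matters: the abort threshold has to leave room for both.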


Re: quantum hype

2003-09-21 Thread Arnold G. Reinhold
At 6:38 PM -0400 9/18/03, John S. Denker wrote:
> Yes, Mallory can DoS the setup by reading (and thereby
> trashing) every bit.  But Mallory can DoS the setup by
> chopping out a piece of the cable.  The two are equally
> effective and equally detectable.  Chopping is cheaper and
> easier.
> Other key-exchange methods such as DH are comparably
> incapable of solving the DoS problem.  So why bring up
> the issue?
It seems to me that because key-exchange methods such as DH only 
depend on exchanging bits (as opposed to specifying a physical 
layer), they can rely on a wide variety of techniques to combat DoS. 
If Bob and Alice can safeguard their local connections to the 
Internet, its multi-routing properties provide significant DoS 
protection. Other options available to them include the switched 
telephone network, wireless, LEO satellites, cybercafes, 
steganography,  HF radio, and even postal mail. In addition, DH users 
have no need to call attention to themselves by leasing a fiber-optic 
line.

Arnold Reinhold



Re: quantum hype

2003-09-20 Thread R. Hirschfeld
> Date: Fri, 19 Sep 2003 11:57:22 -0400
> From: Ian Grigg <[EMAIL PROTECTED]>

> If I understand this correctly, this is both
> an eavesdropping scenario and an MITM scenario.
> 
> In the above, Eve is acting as Mallory, as she
> is by definition intercepting the bits and re-
> sending them on?

As Dave Howe pointed out, Eve is acting as a repeater and tries not to
alter the bits.  This seems a sensible model of eavesdropping for QKD.
The threat is that Alice and Bob might incorporate bits that were seen
by Eve into their key.  If Bob never receives a bit, it won't be used.

> That is, the "Quantum Property" is that Eve can
> be detected because she destroys photos in the
> act of listening, and Mallory, who can resend
> the photons, has only a 50% chance of reading
> each bit correctly in advance, so he can be
> detected after the fact as well, as 25% of his
> bits are wrong.

The terminology "destroy" is used a bit loosely.  I think the
important thing for QKD is that if a photon is measured with the wrong
basis, the information it is carrying about the key is lost.

Ray



Threat models (was: quantum hype )

2003-09-19 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, "John S. Denker" writes:
> Or perhaps more relevantly, what
>is the chance that an enemy black-bag artist or a
>traitor or a bungler will compromise all my keys
>and/or all my plaintext?  The latter is not to
>be sneezed at, and puts an upper bound on what
>I'm willing to pay for fancy crypto.
>

Right -- this is crucial.  *What is your threat model?*  Until you know 
that, you don't know how to design your crypto gear.  For example, one 
of the prime considerations in NSA designs is to make sure that no 
traffic decryption key is *ever* accessible to users of the system -- 
that way, those keys can't be compromised, by stupidity or espionage.  
Think of it as perfect forward secrecy on steroids.

Let me strongly recommend that people read "Between Silk and Cyanide", 
by Leo Marks.  It's a good read, but from a professional perspective 
what's important is what you learn about threat models.  During World 
War II, Marks worked on (among other things) secure communications for 
resistance fighters in occupied Europe.  A naive approach to the 
problem would be "make sure that all of the keying material is 
memorizable, so that there's nothing incriminating in written form".  
Indeed, that was tried -- it turned out to be the wrong answer.  If the 
Gestapo was interested in you, you *would* disclose your key, with high 
probability.  It didn't matter if there was a secret distress 
authenticator; they'd match what you said about that to your past 
traffic and see what it looked like.  By contrast, a written 
one-time-use key that was destroyed after encryption revealed nothing, 
not even which variant of the key was the distress signal.  
Furthermore, the printed keys were easier to use, which made for fewer 
garbles when encrypting and hence fewer retransmissions.  And 
transmissions were *very* dangerous, because of Gestapo direction 
finders; anything that minimized transmission time was a major 
improvement.

In other words, what looks at first glance to be a weaker system is 
actually much stronger.  There's a lot more; read the book.

Returning to the original question -- quantum key distribution has 
certain strengths and certain weaknesses.  Do its strengths address 
areas where you're actually weak?  For example, is (as John points out) 
the real risk that someone will steal your private key or your 
plaintext, rather than that someone will crack RSA?  If so, QKD isn't 
going to help.  Even from a purely cryptographic perspective, if you're 
using QKD perhaps AES is the weak point, rather than RSA, in which case 
a more secure mechanism for distributing AES keys won't help.

We're dealing with cryptographic systems here, and enemies don't go 
through security, they go around it.

--Steve Bellovin, http://www.research.att.com/~smb




Re: quantum hype

2003-09-19 Thread John S. Denker
On 09/19/2003 12:07 PM, Matt Crawford wrote:
> I'm always stuck on that little step where Alice tells Bob what basis
> she used for each photon sent.  Tells him how?
That's a fair question.  Here's an outline of
the answer.
We choose an eps << 1.

We ask how many people accurately received a
fraction (1-eps) of the bits.
 -- perhaps nobody received that many.  This
will be detected.  No key exchange will
take place.  Start over.  Do not pass Go,
do not collect $200.00.
 -- perhaps one person did.  In this case,
without loss of generality, we call this
person Bob.
 -- the laws of quantum mechanics assure us
that not more than one person will receive
that many bits.  Quanta cannot be copied.
Alice can then publish in the clear (e.g. on
netnews) what basis she used for transmitting.
This information is of little use to anyone
except Bob (exponentially little, as a function
of eps and other parameters).  Anyone who
tampers with this message can cause a DoS but
not a compromise of the data.
Alice and Bob proceed with the integrity checks
leading to the key exchange as previously described.
After the key exchange has taken place, Alice
and Bob can use the key to set up a tunnel to
keep their discussions private.  Probably one
of the first things they will do is exchange
authentication messages through the newly
created tunnel.  Thereby Alice can decide
whether this Bob is the Bob she wanted to
talk to, as opposed to an impersonator.
Similarly Bob ought to check Alice's creds.
> They need integrity
> protection and endpoint authentication for N bits of basis.
No, the authentication etc. can quite
nicely come after the quantum key exchange,
as I previously mentioned.
> Is the
> quantum trick ... really as exciting as it's made out to be?
We need a more specific question.

Does quantum key exchange solve all of the world's
problems?  Surely not.
Does quantum key exchange solve *any* of the world's
problems?  More specifically, is there any plausible
scenario where QKE is more cost-effective than
conventional modern crypto, within (say) the next
ten years?  I tend to doubt it, but it's hard to
be sure.  What is the chance of a treeemendous
cryptanalytic breakthrough that will defeat all or
most of the currently-used ciphers?  I'd say the
chance is less than 1%.  But is it less than one
in a million?  Or perhaps more relevantly, what
is the chance that an enemy black-bag artist or a
traitor or a bungler will compromise all my keys
and/or all my plaintext?  The latter is not to
be sneezed at, and puts an upper bound on what
I'm willing to pay for fancy crypto.
To calibrate the sincerity of my estimate:  I
walked away from a potential job managing some
major programs in this area.


Re: quantum hype

2003-09-19 Thread Matt Crawford
I'm always stuck on that little step where Alice tells Bob what basis 
she used for each photon sent.  Tells him how?  They need integrity 
protection and endpoint authentication for N bits of basis.  Is the 
quantum trick converting those N bits to N/2 privacy-protected bits 
really as exciting as it's made out to be?



Re: quantum hype

2003-09-19 Thread Dave Howe
Ian Grigg wrote:
> If I understand this correctly, this is both
> an eavesdropping scenario and an MITM scenario.
>
> In the above, Eve is acting as Mallory, as she
> is by definition intercepting the bits and re-
> sending them on?
I think it is more a question of style - a classic "passive" Eve can't
exist in terms of QC key exchange, as eve/mallory *must* read the photons
or no interception at all can take place - therefore, even eve must
generate a new photon to send to bob.

If the intercept agent is Eve, she will attempt to reproduce as nearly as
possible the original photon to send to bob. she will get this wrong 25%
of the time.
if the intercept agent is Mallory, he will generate his own, known good
photons to send to bob, unrelated to what he has detected.

If Eve can intercept also the filter list from bob to april, she is now in
a fix - she now knows which ones she got different to bob, but doesn't
know how many bob got wrong. however, being eve she passes this on to
april, and correctly relays the "bad bit" message back to bob. bob now has
an approximately 25% error block which is detectable. Nothing changes if
the two lists are out-of-band and therefore untouchable.

If Mallory *can't* intercept the filter and bad bit lists he is in much
more trouble - his photon list to bob bore no relation to alice's, so
purely in terms of random chance he will have a 50% error block.
If Mallory *can* intercept the filter and bad bit lists he is in a
better situation - he can send his own filter list to alice, and negotiate
a set of bits with her; by selectively causing "bad luck" for bob, he can
tune the bad bit list (based on bob's filter list) to give an identical set
of bits. As the mallory-bob filter match is approximately 50%, and bob
will have to additionally "kill" a further 50% of the "correct" answers in
order to make the two bitsets match, bob will have a filter match rate of
about 25% which is again statistically significant.
If Mallory *can* intercept the filter/bad block conversation and *further*
is sure he can intercept the message traffic too, he can simply negotiate
a separate bit list with bob; statistically, the key exchange will look
fine, but of course Mallory will also have to decode and re-encode the
traffic between alice and bob, or it will all go horribly wrong.




Re: quantum hype

2003-09-19 Thread Ian Grigg
"R. Hirschfeld" wrote on QKD:

> The eavesdropper Eve doesn't know with which basis to measure the
> polarity of the each intercepted photon.  When she guesses right, she
> gets the correct information and can send it on undetectably.  When
> she guesses wrong, she gets a zero or one with equal probability (*)
> and half the time sends on the wrong bit (which is again randomized
> when Bob reads it with the correct basis).  By eavesdropping Eve thus
> introduces a 25% error rate, which is detectable.


If I understand this correctly, this is both
an eavesdropping scenario and an MITM scenario.

In the above, Eve is acting as Mallory, as she
is by definition intercepting the bits and re-
sending them on?

That is, the "Quantum Property" is that Eve can
be detected because she destroys photons in the
act of listening, and Mallory, who can resend
the photons, has only a 50% chance of reading
each bit correctly in advance, so he can be
detected after the fact as well, as 25% of his
bits are wrong.


iang



Re: quantum hype

2003-09-19 Thread Victor . Duchovni
On Fri, 19 Sep 2003, martin f krafft wrote:

> But Newton gets more wrong the faster you go. So it's not F = m.a,
> that theory was only a good approximation, nothing more.

Actually it still is F = m.a, but the numbers depend on the observer.

F=m.a is a fundamental consequence of the conservation of momentum, which
in turn is equivalent to the isotropy of inertial reference frames. This
fundamental principle was reinforced by Einstein's relativity which made
conservation of momentum work across a much larger range of physical
phenomena (classical dynamics + electromagnetism + gravity).

Quantum mechanics introduces into our understanding not only new
"approximate truths", which are subject to later revisions, but also some
fundamental concepts, that will be features of all future theories.

I am not necessarily claiming that the non-cloning theorems are on as
solid a footing as conservation of momentum and energy, but it is
quite plausible that while quantum *dynamics* will continue to be
refined by future theories, quantum statistics is fundamental.

This still does not mean that QKD is commercially useful, but what it does
mean is that there is little reason to believe that the physics will be
found wrong. QKD *is* good and interesting physics. QKD is not
commercially sound security technology for terrestrial fibre optics.

Out in space, with line of sight communications, two infosec minded
starship captains might engage in QKD secured crypto some day :-) They
will still face the black box problem, and need to secure the channel
between the person and the device (internal security). It seems unlikely
that they will not have any simpler (easier to trust and verify, closer to
the endpoints of communication) technology available.

-- 
Viktor.



Re: quantum hype

2003-09-19 Thread martin f krafft
also sprach [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2003.09.19.1115 +0200]:
> The sender sends RANDOM BITS to the receiver. Those that don't get
> eavesdropped can then be concatenated at both ends to produce an
> identical string of random bits. Since this is known to both
> endpoint parties, and not to the eavesdropper, it can be used as
> a session key for symmetric encryption. So it is not true that you
> have "lost data" by being eavesdropped. You've only lost random
> bits, not real data.

Does reading a quantum bit destroy the bit or simply flip it? If the
latter, how then can you find out when a bit got read?

> No physical theory is _EVER_ "proven", only "corroborated by
> observational evidence". Quantum theory is consistently
> corroborated by observational evidence. For comparison, Newton's
> theory of gravity was never "proven", but it matched (almost) all
> observational evidence.

But Newton gets more wrong the faster you go. So it's not F = m.a,
that theory was only a good approximation, nothing more.

> We _can_ make this statement about Heisenberg's uncertainty
> principle.

Sure we can. But I don't accept an argument that QC is better than
asymmetric crypto because the second is based on assumption, when
the first is just as well based on assumption.

Fact is, MagiQ is wrong in claiming theoretical security.

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
 
"arguments are extremely vulgar,
 for everyone in good society
 holds exactly the same opinion."
-- oscar wilde




Re: quantum hype

2003-09-19 Thread Dave Howe
martin f krafft wrote:
>This is what I don't buy. If Mallory sees the data, it must be
>detected, because otherwise the approach is flawed.
  As I understand it, there are four possible "rotations" for the photon
( call them '\' '|' '/' and '-' ) so two choices for a filter (straight or
slant). a straight filter can reliably tell '|' and '-' apart, but '\' and
'/' are going to be unreliable; a slant filter can read '\' or '/' but not
'|' or '-'.
if Mallory can guess the correct filter to use, he can reproduce the bit
to bob; if he guesses wrongly, he can still send a random bit to bob, who
will (if he uses the right filter) further randomly interpret that and
either get the right or wrong answer (50/50 chance).
of course if Mallory *is* Mallory, and not Eve, he is mounting a
Man-in-the-middle attack, so can conveniently negotiate key a with alice,
key b with bob, and do the usual :) quantum channels are just as sensitive
to Mitm as any other; without a non-interruptable (if insecure) channel no
key negotiation protocol is ever going to work.

> But in any case does Mallory have the means to completely
> DoS any attempt of communication between the parties,
> simply by reading along, unless there is a dedicated channel
> between Alice and Bob. In which case,
> why is there a need for quantum cryptography in the first place?
  QC allows you to negotiate a one-time-pad between two nodes joined by an
unbroken optical link.
it says nothing about the identity of the two nodes, and relies on the
optical link being unbroken (a mitm breaks the link, turning it into two
independent QC channels that happen to be both to Mallory)

> One chance in 2^C, otherwise it would be deadly, no? But in any
> case, Reasonable keysized DH exchanges give me the same security
> with a lot more flexibility, and a lot less chance for DoS. I still
> don't buy it.
  QC really needs an insecure but unbroken link. if that is achievable,
then the crypto is OTP and unbreakable (much better than DH). if it is not
achievable (and I would doubt that it is) then the key negotiation is
broken and the crypto worthless.

>> The foregoing assumed an error-free channel.  Things get much
>> worse if the good guys need to do error correction.
>... which is almost always required.
  The incidence should be low - in fact, there are no good reasons to use
the QC channel for actual data exchange at all - use normal insecure
channels for actual data transfer, protected by the negotiated OTP key. We
then have to correct for wrongly read bits from the QC channel, and there
you will have difficulty adding EC codes (given any individual bit may be
in error) and transmitting hashes of (or worse yet, EC for) the
known-received bits insecurely would compromise the OTP key at least a
little.
I must admit my signal-processing knowledge is weak - maybe another
regular could propose a scheme that would work. to define the problem:

GIVEN a transmission line with approximately 50% bit loss, but for which
you know which bits were received, and a less than 10% error rate (say) in
the received bits, how do you detect and discard/correct the bad bits? I
assume there is something in FEC for very unreliable lines like this.

> Sending asymmetrically encrypted data over something like
> the plain old telephone system strikes me as being more secure
> than sending these data over the Internet, and that should hold
> for any encryption used. Unless QC is applicable to the Internet
> (which it won't be, as far as I can tell), I don't see any use
> beyond marketing hype.
bingo.
QC is a hype-only technology - it relies on an unbroken line impervious to
MitM, and there ain't no such beast.


> also sprach David Wagner <[EMAIL PROTECTED]>
>> I believe the following is an accurate characterization:
>>  Quantum provides confidentiality (protection against eavesdropping),
>>  but only if you've already established authenticity (protection
>>  against man-in-the-middle attacks) some other way.
> Tell me if I got anything wrong.
>I don't think this is wrong, but I still don't see how QC guards
>against eavesdropping. No, wrong, I see how a key exchange
>with QC can make it very difficult to eavesdrop the key (more
without Mitm, it is impossible to eavesdrop the photons used for key
negotiation.
even assuming you can detect a photon without distorting it in any way
(rotation or attenuation) then the *only* known way to detect the
polarization of a photon is to push it through a filter and see if it comes
polarization of a photon is to push it though a filter and see if it comes
out the other side. this is the "strong problem" on which QC relies; if
that fell, then QC would be worthless.

also sprach David Wagner <[EMAIL PROTECTED]>
> One could reasonably ask how often it is in practice that we have
> a physical channel whose authenticity we trust, but where
> eavesdropping is a threat.  I don't know.
I can't think of a single instance of one suitable to QC.
the usual definition is a broadcast channel - send once read many - where
anyone can read it, but the origi

Re: quantum hype

2003-09-19 Thread R. Hirschfeld
> Date: Thu, 18 Sep 2003 18:02:50 +0200
> From: martin f krafft <[EMAIL PROTECTED]>
>
> 

I don't know a lot about QKD, but I believe the following is true:

The eavesdropper Eve doesn't know with which basis to measure the
polarity of each intercepted photon.  When she guesses right, she
gets the correct information and can send it on undetectably.  When
she guesses wrong, she gets a zero or one with equal probability (*)
and half the time sends on the wrong bit (which is again randomized
when Bob reads it with the correct basis).  By eavesdropping Eve thus
introduces a 25% error rate, which is detectable.

After Alice sends the random bits over the quantum channel, Alice and
Bob tell each other over an insecure (even public) classical channel
which bases they used (these were randomly chosen between rectilinear
and diagonal), and they throw away the bits for which they used
different bases.  Bob now knows all the remaining bits but still only
about half of them were measured correctly by Eve unless she was very
lucky.  The information available to Eve is further reduced via a
privacy amplification step (using universal hash functions, I think).

There are proofs of the security of QKD and mechanisms for quantum
authentication.  A google search will find these.

Ray

(*) This assumes that Eve's wrong basis is 45 degrees off from the
correct basis.  A different basis will introduce a bias, but that
doesn't help Eve.  Also, this simple description assumes that there is
no transmission error, that single photons can be sent and detected,
etc., which in practice is not true and needs to be corrected for.

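As an added example (not code from this thread or from any QKD product), here is a small Python simulation of the exchange Ray describes above, with the three interception styles Dave Howe distinguished earlier in the thread: no interception, Eve's intercept-and-resend in a guessed basis, and Mallory resending his own unrelated photons. The 25% check-sample fraction and the 11% acceptance threshold are assumptions chosen for the example.

```python
import random

BASES = "+x"  # '+' rectilinear, 'x' diagonal


def measure(bit, prep_basis, meas_basis, rng):
    """Outcome of measuring a photon prepared as `bit` in `prep_basis`
    with a detector set to `meas_basis`.  Same basis: the bit is read
    correctly.  Different basis: the outcome is a uniformly random bit,
    and the original polarization is gone with the absorbed photon."""
    if prep_basis == meas_basis:
        return bit
    return rng.randrange(2)


def channel(bit, basis, bob_basis, eve, rng):
    """What Bob reads for one photon under the given adversary model."""
    if eve == "none":
        return measure(bit, basis, bob_basis, rng)
    if eve == "intercept_resend":
        # The thread's "Eve": guess a basis, measure, and resend a fresh
        # photon encoding her reading in the basis she used.
        eve_basis = rng.choice(BASES)
        eve_bit = measure(bit, basis, eve_basis, rng)
        return measure(eve_bit, eve_basis, bob_basis, rng)
    if eve == "random_resend":
        # The thread's "Mallory": his own known photons, unrelated to
        # what Alice transmitted.
        return measure(rng.randrange(2), rng.choice(BASES), bob_basis, rng)
    raise ValueError(f"unknown adversary model {eve!r}")


def run_bb84(n, eve="none", seed=0, sample_fraction=0.25):
    """Simulate one BB84-style session over n photons (constructed data).

    Returns the sifted length, the error rate measured on a sacrificed
    sample of sifted bits, and both parties' remaining key bits."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.choice(BASES) for _ in range(n)]
    bob_bases = [rng.choice(BASES) for _ in range(n)]
    bob_bits = [channel(b, ab, bb, eve, rng)
                for b, ab, bb in zip(alice_bits, alice_bases, bob_bases)]

    # Sifting: bases are announced over the public classical channel and
    # positions where Alice and Bob chose differently are discarded.
    keep = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    a_sift = [alice_bits[i] for i in keep]
    b_sift = [bob_bits[i] for i in keep]

    # Tamper check by sampling: a random subset of sifted positions is
    # compared in the clear and then thrown away.
    k = int(len(keep) * sample_fraction)
    sample = set(rng.sample(range(len(keep)), k))
    errors = sum(1 for i in sample if a_sift[i] != b_sift[i])
    qber = errors / k if k else 0.0
    a_key = [a_sift[i] for i in range(len(keep)) if i not in sample]
    b_key = [b_sift[i] for i in range(len(keep)) if i not in sample]
    return {"sent": n, "sifted": len(keep), "sampled": k,
            "qber": qber, "alice_key": a_key, "bob_key": b_key}


def accept_key(qber, threshold=0.11):
    """Decide whether to go on to error correction and privacy
    amplification.  The 11% threshold is an illustrative assumption for
    this example; a deployed system takes its bound from its security
    proof and its measured channel noise."""
    return qber <= threshold


if __name__ == "__main__":
    for model in ("none", "intercept_resend", "random_resend"):
        r = run_bb84(4000, model, seed=7)
        print(f"{model:17s} sifted={r['sifted']:4d} "
              f"sampled={r['sampled']:3d} qber={r['qber']:.3f} "
              f"accept={accept_key(r['qber'])}")
```

Without interception the sampled error is exactly zero and both keys agree; intercept-and-resend lands near the 25% Ray quotes, and unrelated photons near the 50% Dave Howe gives for Mallory.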


Re: quantum hype

2003-09-19 Thread John S. Denker
I wrote:
>>
>>  *) In each block, Mallory has a 50/50 chance of being able to
>>  copy a bit without being detected.
On 09/18/2003 12:02 PM, martin f krafft wrote:
>
> This is what I don't buy. If Mallory sees the data, it must be
> detected, because otherwise the approach is flawed. But in any case
> does Mallory have the means to completely DoS any attempt of
> communication between the parties, simply by reading along, unless
> there is a dedicated channel between Alice and Bob. In which case,
> why is there a need for quantum cryptography in the first place?
Yes, Mallory can DoS the setup by reading (and thereby
trashing) every bit.  But Mallory can DoS the setup by
chopping out a piece of the cable.  The two are equally
effective and equally detectable.  Chopping is cheaper and
easier.
Other key-exchange methods such as DH are comparably
incapable of solving the DoS problem.  So why bring up
the issue?
>>There is only one chance in 2^-C that Mallory knows this bit.

> One chance in 2^C, otherwise it would be deadly, no? But in any
> case, Reasonable keysized DH exchanges give me the same security
> with a lot more flexibility, and a lot less chance for DoS. I still
> don't buy it.
The claim that DH is "secure" rests on certain assumptions
about which computational operations are easy and which
are not.  These assumptions are open to question to some
degree.  Numbers that some people considered hopelessly
difficult to factor a few years ago have been factored.
One can imagine a world where factoring is computationally
easy;  it wouldn't be the end of the world.  If you can
_prove_ DH is secure, please let us know immediately.
The security of the quantum algorithms rests on entirely
different foundations.  Nobody has been able to even
imagine a world where quanta are copyable, without
contradicting well-observed physical facts.  People
have tried.  Seriously.  If you have a consistent theory
of physics that repeals the uncertainty principle, please
let us know immediately.
> How can you check for tampering without reading the data off the
> channel? Checksums?
I spelled this out in my previous email.  It's a
standard quality-assurance check using sampling.
> why do I need QC then if I have
> a dedicated channel anyhow?
Suppose I *wish* to set up a dedicated channel.  Dedicated
means nobody but me is using it.  Wishing doesn't suffice.
I went through the motions of setting it up, and maybe I
was the only person hooked onto it yesterday, but how do
I know it hasn't been tapped sometime since then?  Quantum
key-exchange provides powerful assurance that the wished-for
property is actually achieved.




Re: quantum hype

2003-09-18 Thread martin f krafft
It took me a while. I would herewith like to reply to all posts on
this I received so far:

also sprach John S. Denker <[EMAIL PROTECTED]> [2003.09.13.2343 +0200]:
>   *) In each block, Mallory has a 50/50 chance of being able to
>   copy a bit without being detected.

This is what I don't buy. If Mallory sees the data, it must be
detected, because otherwise the approach is flawed. But in any case
does Mallory have the means to completely DoS any attempt of
communication between the parties, simply by reading along, unless
there is a dedicated channel between Alice and Bob. In which case,
why is there a need for quantum cryptography in the first place?

> There is only one chance in 2^-C that Mallory knows this bit.

One chance in 2^C, otherwise it would be deadly, no? But in any
case, Reasonable keysized DH exchanges give me the same security
with a lot more flexibility, and a lot less chance for DoS. I still
don't buy it.

> The foregoing assumed an error-free channel.  Things get much
> worse if the good guys need to do error correction.

... which is almost always required.

> Not true.  The signal is continually checked for tampering;  no
> assumption need be made.

How can you check for tampering without reading the data off the
channel? Checksums?

> > if we want end-to-end security, one can't stick classical
> > routers or other such equipment in the middle of the connection
> > between you and I.
> 
> That's true.  A classical router is indistinguishable from a tap.

The same argument holds as above, why do I need QC then if I have
a dedicated channel anyhow?

Sending asymmetrically encrypted data over something like the plain
old telephone system strikes me as being more secure than sending
these data over the Internet, and that should hold for any
encryption used. Unless QC is applicable to the Internet (which it
won't be, as far as I can tell), I don't see any use beyond
marketing hype.

Sure, DH and similar approaches are based on mathematical
assumptions and are not secure, just incredibly hard to crack. But
just as I can choose a larger C for QC to diminish Mallory's chance
of decoding enough data to be able to make sense of the message
without being detected, I can choose a keysize of 16k if the
application calls for it. DH has been scrutinised and is, to current
knowledge, a theoretically secure algorithm. Or am I mistaken?



also sprach David Wagner <[EMAIL PROTECTED]> [2003.09.13.2343 +0200]:
> I believe the following is an accurate characterization:
>  Quantum provides confidentiality (protection against eavesdropping),
>  but only if you've already established authenticity (protection
>  against man-in-the-middle attacks) some other way.
> Tell me if I got anything wrong.

I don't think this is wrong, but I still don't see how QC guards
against eavesdropping. No, wrong, I see how a key exchange with QC
can make it very difficult to eavesdrop the key (more difficult than
DH?), but I do render the communication susceptible to complete DoS,
and I don't really gain security, IMHO.



also sprach John S. Denker <[EMAIL PROTECTED]> [2003.09.14.0102 +0200]:
> That means you can establish a confidential but
> anonymous tunnel, and then send authentication
> messages through the tunnel.

But the tunnel is only confidential as long as it isn't being
eavesdropped. As soon as someone eavesdrops it, I may be able to
find out, but I have already lost data to unwanted eyes. And if
I thus choose to end communication due to the risk of disclosing
more, the DoS worked.

I hope I am not annoying anyone while continually banging on this.
I just have not been convinced of the other side of this argument.



also sprach David Wagner <[EMAIL PROTECTED]> [2003.09.14.0018 +0200]:
> One could reasonably ask how often it is in practice that we have
> a physical channel whose authenticity we trust, but where
> eavesdropping is a threat.  I don't know.

How much of a threat really exists in a channel encrypted with e.g.
Blowfish, 256bit keys, perfect forward secrecy, and a session key
lifetime of 30 minutes???



also sprach Arnold G. Reinhold <[EMAIL PROTECTED]> [2003.09.14.0536 +0200]:
> The 160 GB hard drive has a couple of advantages over quantum key
> exchange:

And a disadvantage: disk corruption, which may render your channel
temporarily inaccessible. Also, once someone gets hold of the data
on the disk, everyone can read along. It's the same problem of all
symmetric algorithms, enhanced by the fact that the key data is
stored on a medium other than a human neural network (which to date
is only readable by one person)

 

also sprach David Wagner <[EMAIL PROTECTED]> [2003.09.14.1954 +0200]:
> Well, I agree.  If we get to use complexity-based crypto that is
> not proven secure, like AES, RSA, or the like, then we can do much
> better than quantum crypto.  The only real attraction of quantum
> crypto that I can see is that its security does not rely on
> unproven complexity-theoretic conjectures.

Has anyone

Re: quantum hype

2003-09-16 Thread John Lowry
QC is currently a one-time pad distribution mechanism - or at lower rates a
key establishment mechanism most suitable for symmetric algorithms.

You are correct that authentication is not inherent.  Then again, this is
also true for "classical" symmetric and PKI schemes.  To be usable, all
crypto requires some kind of authentication mechanism or scheme.

The QC community is well aware of this problem and is working on it.
Please don't give up yet !  In the mean time, manual establishment of an
authentication secret works as do physical means e.g., optical viewing of a
satellite from a ground station.

Please remember that it's early days yet; the problems are real and hard.
Come join the fun.

And watch out for snake oil from early attempts at commercialization  ;-)

John
PS: a small nit.  The quantum channel is tamper _detectable_.  There is no
claim to being "untamperable".  You can always detect tampering (and throw
away those bits) regardless of who you are talking to.  Multiple "reads" of
a photon (several approaches have been considered) is either equivalent to
tampering or yields no information.  Physics is fun !


On 9/16/03 16:03, "Hadmut Danisch" <[EMAIL PROTECTED]> wrote:

> On Sat, Sep 13, 2003 at 09:06:56PM +, David Wagner wrote:
>> 
>> You're absolutely right.  Quantum cryptography *assumes* that you
>> have an authentic, untamperable channel between sender and receiver.
> 
> So as a result, Quantum cryptography depends on the known
> methods to provide authenticity and integrity. Thus it can not
> be any stronger than the known methods. Since the known methods
> are basically the same as for confidentiality (DLP, Factoring),
> and authentic channels can be turned into confidential channels
> by the same methods (e.g. DH), Quantum cryptography can not be
> stronger than known methods, I guess.
> 
> On the other hand, quantum cryptography is based on several
> assumptions. Is there any proof that the polarisation of a
> photon can be read only once and only if you know how to turn
> your detector? 
> 
> AFAIK quantum cryptography completely lacks the binding to
> an identity of the receiver. Even if it is true that just a single
> receiver can read the information, it is still unknown, _who_
> it is. All you know is that you send information which can be read
> by a single receiver only. And you hope that this receiver was the
> good guy.
> 
> Hadmut
> 




Re: quantum hype

2003-09-16 Thread Hadmut Danisch
On Sat, Sep 13, 2003 at 09:06:56PM +, David Wagner wrote:
> 
> You're absolutely right.  Quantum cryptography *assumes* that you
> have an authentic, untamperable channel between sender and receiver.

So as a result, Quantum cryptography depends on the known 
methods to provide authenticity and integrity. Thus it can not 
be any stronger than the known methods. Since the known methods
are basically the same as for confidentiality (DLP, Factoring),
and authentic channels can be turned into confidential channels
by the same methods (e.g. DH), Quantum cryptography can not be
stronger than known methods, I guess.

On the other hand, quantum cryptography is based on several 
assumptions. Is there any proof that the polarisation of a 
photon can be read only once and only if you know how to turn 
your detector? 

AFAIK quantum cryptography completely lacks the binding to
an identity of the receiver. Even if it is true that just a single
receiver can read the information, it is still unknown, _who_
it is. All you know is that you send information which can be read
by a single receiver only. And you hope that this receiver was the
good guy.

Hadmut



Re: quantum hype

2003-09-15 Thread Ed Gerck
martin f krafft wrote:

> So MagiQ and others claim that the technology is theoretically
> unbreakable. How so? If I have 20 bytes of data to send, and someone
> reads the photon stream before the recipient, that someone will have
> access to the 20 bytes before the recipient can look at the 20
> bytes, decide they have been "tampered" with, and alert the sender.

This is not relevant when the technology is correctly used for Q key
transmission because the sender would not be in the dark (sorry for the
double pun) for so long.

> So I use symmetric encryption and quantum cryptography for the key
> exchange... the same situation here. Maybe the recipient will be
> able to tell the sender about the junk it receives, but Mallory
> already has read some of the text being ciphered.

This should not happen in a well-designed system. The sender sends
the random key in the Q channel in such a way that compromises in
key transmission are detected before the key is used.

That said, Q cryptography is something else and should not be confused
with Q key distribution.

Cheers,
Ed Gerck




Re: quantum hype

2003-09-14 Thread David Wagner
Arnold G. Reinhold wrote:
>I think there is another problem with quantum cryptography. Putting 
>aside the question of the physical channel, there is the black box at 
>either end that does all this magical quantum stuff. One has to trust 
>that black box.
>
>- Its design has to be thoroughly audited and the integrity of each unit verified
>- It has to be shipped securely from some factory or depot to each end point
>- It has to be continuously protected from tampering.

Yes.  Several years ago, Adi Shamir presented some fascinating
attacks on the implementation of such black boxes at Cryptrec, so
it is not something that should be taken for granted.

>It seems to me one could just as well ship a 160 GB hard drive filled 
>with random keying material to each endpoint.

Well, I agree.  If we get to use complexity-based crypto that is
not proven secure, like AES, RSA, or the like, then we can do much
better than quantum crypto.  The only real attraction of quantum crypto
that I can see is that its security does not rely on unproven
complexity-theoretic conjectures.



Re: quantum hype

2003-09-14 Thread Ian Grigg
David Wagner wrote:

> One could reasonably ask how often it is in practice that we have a
> physical channel whose authenticity we trust, but where eavesdropping
> is a threat.  I don't know.

The only answer that I have come across - to which I
ascribe no view on accuracy - is "undersea fibre" [1].

According to the story, it is possible to tap into an
undersea fibre without cutting into it, or the shield.
Something about a device that bends the fibre, and
listens to the energy that escapes...  It's accurate
enough to isolate individual fibres in a bundle.  Of
course.

Which makes the attack simply a matter of getting there,
and for this purpose there are special assets available.
(I.e., submarines.  google USS Jimmy Carter.)

So, the analysis shifts to your threat model described
above.  How do you know when the enemy - a state that
has these subs and these beam benders - is listening
on our fibre?

Personally, it all sounds too much like a bad
science fiction novel, where normal crypto practices
are forgotten for plot reasons.  But, that may still
be indistinguishable from the actions of your average
empire, from where we sit.  It remains an interesting
thought experiment, as long as we don't forget to
challenge the "because we said so" assumptions...

iang

PS: I think there is one place where "QC" might
make more sense:  SOSUS.  With that network,
you don't so much care that the enemy is listening
in on your fibre (e.g., RTP commsec says that you
don't encrypt the enemy's location because he
already knows it.  Although there is more to it
than that.)

What you want is to find out where the enemy is
listening in, and when.  Then, it just becomes
another data point in the tracking game.

Still, it seems too elusive an advantage to worry
about, in a practical sense.  Once the enemy
figures it out, he'll stop doing it.  Or do it
to insert bad data.

[1] http://zdnet.com.com/2100-11-529826.html?legacy=zdnn
http://www.spectrum.ieee.org/WEBONLY/publicfeature/apr03/code.html



Re: quantum hype

2003-09-14 Thread Bill Stewart
martin f krafft wrote:
> and the general hype about quantum cryptography, I am bugged by
> a question that I can't really solve. I understand the quantum
> theory and how it makes it impossible for two parties to read the
> same stream. However, what I don't understand is how that adds to
> security.
It's very much a question of threat model.
If anonymity and traffic analysis protection are essential
to your operations, a system that lets wiretappers
follow a piece of fiber to your co-conspirators
may not be the best security out there :-)




Re: quantum hype

2003-09-14 Thread Arnold G. Reinhold
At 10:18 PM + 9/13/03, David Wagner wrote:
> ...
> One could reasonably ask how often it is in practice that we have a
> physical channel whose authenticity we trust, but where eavesdropping
> is a threat.  I don't know.
I think there is another problem with quantum cryptography. Putting 
aside the question of the physical channel, there is the black box at 
either end that does all this magical quantum stuff. One has to trust 
that black box.

- Its design has to be thoroughly audited and the integrity of each unit verified

- It has to be shipped securely from some factory or depot to each end point

- It has to be continuously protected from tampering.

It seems to me one could just as well ship a 160 GB hard drive filled 
with random keying material to each endpoint. The disk drive would 
receive the same level of physical security as the quantum black 
boxes. At one AES256 key per second, a 160GB hard drive holds 150 
years of keying material.  For forward security one can erase used 
keys.  (If you don't trust disk erasing, ship a carton of CD-Rs or 
DVD-Rs and burn them as they are used up).

The 160 GB hard drive has a couple of advantages over quantum key exchange:

- No special assumptions about the channel are needed. One can use 
the existing Internet, telephone, satellite and even shortwave 
infrastructure.

- The hard drives and the PCs to use with them can be purchased off 
the shelf from a random computer store. No one is alerted that you 
are engaging in secret communications so no one is likely to tamper 
with your equipment before you get it.

- The necessary software is easy to write and audit

- I expect a quantum crypto box to cost far more than a 160 GB disk 
drive, not to mention the cost of the dedicated fiber channel.

What am I missing?

Arnold Reinhold



Re: quantum hype

2003-09-14 Thread starwars
Martin F Krafft asked:

> So MagiQ and others claim that the technology is theoretically
> unbreakable. How so? If I have 20 bytes of data to send, and someone
> reads the photon stream before the recipient, that someone will have
> access to the 20 bytes before the recipient can look at the 20
> bytes, decide they have been "tampered" with, and alert the sender.

Well, there's a long explanation and a short one, and I don't think
you got the short one yet.

The short version is that you don't send your real data, you send
random bits.  Once both sides have agreed that they were received OK and
not eavesdropped on (possible with QC because eavesdropping changes the
data), then you use those random bits as a one time pad, xor them with
your real data, and send that.

This way, if someone does tap the line, all they get is random data,
and their tappage will be discovered.



Re: quantum hype

2003-09-13 Thread John S. Denker
On 09/13/2003 05:43 PM, David Wagner wrote:
>
> I believe the following is an accurate characterization:
>  Quantum provides confidentiality (protection against eavesdropping),
>  but only if you've already established authenticity (protection
>  against man-in-the-middle attacks) some other way.
I wouldn't have put it quite that way.  Authenticity
doesn't need to come before confidentiality.
Let's consider various threats:
 1) passive eavesdropping.
 2) active eavesdropping including tampering.
 3) simple impersonation at the far end.
 4) MITM, which can be considered a form of
active eavesdropping by means of a double
impersonation.
Quantum key exchange provides end-to-end protection
against passive eavesdropping.  It plugs into the
block diagram in the same place as Diffie-Hellman
key exchange would plug in.  It's the same only a
little stronger (no assumptions about algorithmic
intractability).
That means you can establish a confidential but
anonymous tunnel, and then send authentication
messages through the tunnel.
As far as I know, there are no quantum algorithms
that prevent impersonation.  Perhaps I'll learn of
some tomorrow, but I would be truly surprised.
Quantum mechanics isn't going to tell you that
John Doe #137 is a good guy while John Doe #138
is a bad guy.
This is quite significant, because key exchange is
only one part of any practical system.  Quantum
mountebanks claim to have solved "the" key
distribution problem, but this is untrue.  They
have dealt with _exchange_ of session keys, but
they have not dealt with the _distribution_ of
authentication keys.
Distributing and securing any kind of keys under
(say) battlefield conditions is a nightmare.
Reducing the amount of keying material helps
only slightly, unless you can reduce it to zero,
which has not been achieved AFAIK.
Then you have to consider the cost of very special
endpoint equipment, the cost of a very special
communication channel, and the cost of using that
channel inefficiently.


Re: quantum hype

2003-09-13 Thread David Wagner
martin f krafft  wrote:
>David Wagner <[EMAIL PROTECTED]> writes:
>> You're absolutely right.  Quantum cryptography *assumes* that you
>> have an authentic, untamperable channel between sender and
>> receiver. The standard quantum key-exchange protocols are only
>> applicable when there is some other mechanism guaranteeing that
>> the guy at the other end of the fibre optic cable is the guy you
>> wanted to talk to, and that no one else can splice into the middle
>> of the cable and mount a MITM attack.
>
>Uh, so if I have a channel of that sort, why don't I send cleartext?

Quantum cryptography doesn't assume the channel is immune from
eavesdropping.  It does assume you know who is on the other end, and
no one can splice themselves in as a man-in-the-middle.  (Even though
we have an authentic channel, eavesdropping on the channel might still
be possible.)

One could reasonably ask how often it is in practice that we have a
physical channel whose authenticity we trust, but where eavesdropping
is a threat.  I don't know.



Re: quantum hype

2003-09-13 Thread David Wagner
> On 09/13/2003 05:06 PM, David Wagner wrote:
>  > Quantum cryptography *assumes* that you
>  > have an authentic, untamperable channel between sender and receiver.
> 
> Not true.  The signal is continually checked for
> tampering;  no assumption need be made.

Quantum crypto only helps me exchange a key with whoever
is on the other end of the fibre optic link.  How do I know
that the person I exchanged a key with is the person I wanted
to exchange a key with?  I don't ... unless I can make extra
assumptions (such as that I have a guaranteed-authentic channel
to the party I want to communicate with).

If I can't make any physical assumptions about the authenticity
properties of the underlying channel, I can end up with a scenario
like this: I wanted to exchange a key securely with Bob, but instead,
unbeknownst to me, I ended up securely exchanging a key with Mallet.

I believe the following is an accurate characterization:
 Quantum provides confidentiality (protection against eavesdropping),
 but only if you've already established authenticity (protection
 against man-in-the-middle attacks) some other way.
Tell me if I got anything wrong.



Re: quantum hype

2003-09-13 Thread John S. Denker
On 09/13/2003 03:52 PM, martin f krafft wrote:
> ... any observation of the quantum stream is immediately
> detectable -- but at the recipient's side, and only if checksums are
> being employed, which are not disturbed by continual or sporadic
> photon flips.
>
> someone will have
> access to the 20 bytes before the recipient can look at the 20
> bytes, decide they have been "tampered" with, and alert the sender.
> So I use symmetric encryption and quantum cryptography for the key
> exchange... the same situation here. Maybe the recipient will be
> able to tell the sender about the junk it receives, but Mallory
> already has read some of the text being ciphered.
1) As the subject: line suggests, there is indeed a lot
of hype in the quantum crypto business.  But there is
also a kernel of reality behind it.
2) Typically people use a combination of quantum and non-quantum
techniques.
3) Typically there is a multi-stage process:
 -- Exchange several blocks of keying material.
 -- Check for tampering;  reject blocks that show tampering.
 -- Do some post-processing to reduce vulnerability
to undetected tampering.
 -- Use the result to encrypt your actual data.  This
is the first stage at which valuable data is exposed
in any way.
Consider the possibilities:
  *) In each block, Mallory has a 50/50 chance of being able
  to copy a bit without being detected.
  *) More generally, Mallory has a 2^-C chance of being able
  to copy C bits without being detected.
As an easy-to-understand example:
You (Alice and Bob, the good guys) choose a C big enough
that 2^-C looks negligible to you.  Alice sends Bob a
bunch of bits (N>>2C).  Bob tells Alice (in the clear) what
receiver settings he used.  Alice then knows which bits
Bob should have been able to receive correctly.  Alice
tells Bob (in the clear) to check a randomly-chosen set
of C bits, checking that they have the values Alice
thinks they should have.  If this test is passed, it
puts an upper bound on how greedy Mallory has been.
Then Alice tells Bob (in the clear) to use another
(disjoint) set of C bits.  Bob XORs these bits together
and calls it one bit of key.  There is only one chance
in 2^-C that Mallory knows this bit.  The efficiency of the
key-exchange is roughly one part in 2C.  So there is an
exponential security/efficiency tradeoff.  Not too shabby.
The foregoing assumed an error-free channel.  Things get
much worse if the good guys need to do error correction.
There are snake-oily products out there that throw in
some "mild" cryptographic assumptions in order to increase
the efficiency.  So beware.
On 09/13/2003 05:06 PM, David Wagner wrote:
>
> Quantum cryptography *assumes* that you
> have an authentic, untamperable channel between sender and receiver.
Not true.  The signal is continually checked for
tampering;  no assumption need be made.
Not all the world's oil comes from snakes.
Some does, some doesn't.
> if we want end-to-end security, one can't
> stick classical routers or other such equipment in the middle of the
> connection between you and I.
That's true.  A classical router is indistinguishable
from a tap.
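A toy simulation of the check-then-XOR distillation Denker sketches above (Alice checks C random bits in the clear, then XORs disjoint C-bit sets into key bits), added here as an example and not part of the original thread. The 50/50 detection model, the helper names and the sample parameters are assumptions chosen to match his description, not any real QKD product.

```python
import random

# Added example (not from the thread). Simplified model, assumed from
# Denker's description: Mallory copies a fraction of the bits; each copy
# has a 50/50 chance of going undetected, otherwise Bob's bit is flipped
# and a later check of that position reveals the tampering.

def mallory_copy(bits, fraction, rng):
    """Return (bits as Bob receives them, {index: value Mallory learned})."""
    received = list(bits)
    known = {}
    for i, b in enumerate(bits):
        if rng.random() < fraction:
            known[i] = b
            if rng.random() < 0.5:
                received[i] ^= 1          # disturbance: detectable if checked
    return received, known

def distill(bits, index_sets):
    """XOR each disjoint set of C positions down to a single key bit."""
    return [sum(bits[i] for i in s) % 2 for s in index_sets]

def run_protocol(n, c, fraction, seed=0):
    """Simulate one run; returns (check_passed, key_bits, key_bits_mallory_knows).

    Channel is assumed error-free, as in Denker's message, so any mismatch
    on a checked position is attributed to tampering.
    """
    rng = random.Random(seed)
    alice = [rng.randrange(2) for _ in range(n)]
    bob, known = mallory_copy(alice, fraction, rng)
    # Step 1: Alice names C random positions in the clear; Bob compares values.
    order = list(range(n))
    rng.shuffle(order)
    check, rest = order[:c], order[c:]
    if any(alice[i] != bob[i] for i in check):
        return False, 0, 0                # tampering detected: discard the block
    # Step 2: remaining positions are grouped into disjoint C-bit sets,
    # each XORed into one key bit (leftover positions are dropped).
    sets = [rest[k:k + c] for k in range(0, len(rest) // c * c, c)]
    key = distill(bob, sets)
    # Mallory knows a key bit only if she captured every one of its C inputs.
    mallory_knows = sum(all(i in known for i in s) for s in sets)
    return True, len(key), mallory_knows

def mallory_key_bit_probability(fraction, c):
    """Chance Mallory knows an XOR-of-C key bit: she needs all C inputs."""
    return fraction ** c

def efficiency(c):
    """Roughly one key bit per 2C transmitted bits (C checked, C consumed)."""
    return 1.0 / (2 * c)
```

With no tapping the check passes and every key bit is private to Alice and Bob; with every bit copied, a 20-bit check fails with probability about 1 - 2^-20, which is the detection guarantee the message relies on.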


Re: quantum hype

2003-09-13 Thread martin f krafft
also sprach David Wagner <[EMAIL PROTECTED]> [2003.09.13.2306 +0200]:
> You're absolutely right.  Quantum cryptography *assumes* that you
> have an authentic, untamperable channel between sender and
> receiver. The standard quantum key-exchange protocols are only
> applicable when there is some other mechanism guaranteeing that
> the guy at the other end of the fibre optic cable is the guy you
> wanted to talk to, and that no one else can splice into the middle
> of the cable and mount a MITM attack.

Uh, so if I have a channel of that sort, why don't I send cleartext?

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
 
"the public is wonderfully tolerant.
 it forgives everything except genius."
-- oscar wilde




Re: quantum hype

2003-09-13 Thread David Wagner
martin f krafft  wrote:
>So MagiQ and others claim that the technology is theoretically
>unbreakable. How so? If I have 20 bytes of data to send, and someone
>reads the photon stream before the recipient, that someone will have
>access to the 20 bytes before the recipient can look at the 20
>bytes, decide they have been "tampered" with, and alert the sender.

You're absolutely right.  Quantum cryptography *assumes* that you
have an authentic, untamperable channel between sender and receiver.
The standard quantum key-exchange protocols are only applicable when
there is some other mechanism guaranteeing that the guy at the other end
of the fibre optic cable is the guy you wanted to talk to, and that no one
else can splice into the middle of the cable and mount a MITM attack.

One corollary of this is that, if we want end-to-end security, one can't
stick classical routers or other such equipment in the middle of the
connection between you and I.  If we want to support quantum crypto,
the conventional network architectures just won't work, because any two
endpoints who want to communicate have to have a direct piece of glass.
Quantum crypto might work fine for dedicated point-to-point links,
but it seems to be lousy for large networks.

For these reasons, and other reasons, quantum crypto looks pretty
impractical to me, for most practical purposes.  There is some very
pretty theory behind it, but I predict quantum crypto will never replace
general-purpose network encryption schemes like SSH, SSL, and IPSec.

As you say, there is a lot of hype out there, but as you're discovering,
it has to be read very carefully.



quantum hype

2003-09-13 Thread martin f krafft
Dear Cryptoexperts,

With

  http://www.magiqtech.com/press/navajounveiled.pdf

and the general hype about quantum cryptography, I am bugged by
a question that I can't really solve. I understand the quantum
theory and how it makes it impossible for two parties to read the
same stream. However, what I don't understand is how that adds to
security.

The main problem I have with understanding the technology is in the
fact that any observation of the quantum stream is immediately
detectable -- but at the recipient's side, and only if checksums are
being employed, which are not disturbed by continual or sporadic
photon flips.

So MagiQ and others claim that the technology is theoretically
unbreakable. How so? If I have 20 bytes of data to send, and someone
reads the photon stream before the recipient, that someone will have
access to the 20 bytes before the recipient can look at the 20
bytes, decide they have been "tampered" with, and alert the sender.
So I use symmetric encryption and quantum cryptography for the key
exchange... the same situation here. Maybe the recipient will be
able to tell the sender about the junk it receives, but Mallory
already has read some of the text being ciphered.

In addition to that, the MITM attack seems to be pertinent, unless
I use public-key encryption and authentication. But then I am back
to cryptography whose strength is based on intractability and not on
a proof. And now I fail to see why quantum crypto is hyped so much.

Maybe I am completely misguided, but I would really appreciate some
explanation or even pointers. Or someone wants to spend a couple of
minutes to explain the process of theoretically unbreakable quantum
cryptography step-by-step.

Note: I am reading MagiQ's press release with the
subtract-marketing-b/s grain of salt. Of course, their technology is
superior to everything. However, most of my information and the food
for my questions stem from the more scientific side, having read
about it in articles in renowned magazines and mailing list posts.

Thanks,

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
 
joan of arc heard voices too.

