Focus on Quantum Crypto in IOP New Journal of Physics issue of 04/09

2009-04-30 Thread Charles McElwain


IOP New Journal of Physics, Volume 11, April, 2009

Editorial page describing focus, with table of contents:
http://www.iop.org/EJ/abstract/1367-2630/11/4/045005/

TOC has links to freely downloadable copies of the papers.
--

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


unbreakable quantum crypto cracked by a laser

2008-10-24 Thread Steven M. Bellovin
http://technology.newscientist.com/channel/tech/dn14866-laser-cracks-unbreakable-quantum-communications.html?feedId=online-news_rss20

Not surprisingly, it's attacking the implementation, not the physics --
but of course we use implementations to communicate, rather than
theories.



--Steve Bellovin, http://www.cs.columbia.edu/~smb



Quantum Crypto broken again

2008-10-24 Thread [EMAIL PROTECTED]
A failure in implementation leads to the ability to eavesdrop on a
quantum-secrecy based key exchange on 2/3 of the types of quantum
equipment used.

From: 
http://technology.newscientist.com/article/dn14866-laser-cracks-unbreakable-quantum-communications.html

Makarov and colleagues from Sweden and Russia have shown that Eve could
control Bob's equipment, so that they both decode exactly the same
digits from Alice's transmission...The method exploits the way a common
type of photon counter can have its sensitivity reduced by a very bright
flash of light. The attack begins when Eve fires a pulse of laser light
to all four detectors in Bob's equipment...[Eve leverages this into
getting the key] by sending on a sequence of encoded photons that are
identical to the ones she receives from Alice, Eve can safely intercept
a message without leaving the tell-tale quantum errors...Makarov and
colleagues have now uncovered such vulnerabilities in two of the three
types of quantum equipment commonly used. They are now investigating
ways to solve the flaw without introducing more weaknesses.

A paper, "Can Eve control PerkinElmer actively-quenched single-photon
detector?", is available at
http://arxiv.org/ftp/arxiv/papers/0809/0809.3408.pdf.

-Michael Heyman

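Added example, not from the New Scientist article, the Makarov paper, or any list member: a toy BB84 sifting simulation in Python that contrasts three channels, an honest one, a textbook intercept-resend attack, and a faked-state attack in the spirit of the detector-control attack quoted above, in which Eve's bright pulse makes Bob's detector register her bit when his basis matches hers and register nothing otherwise. The detector model is a deliberate simplification (assumptions: perfect blinding, no dark counts, no intrinsic channel loss, ideal single photons). What it shows is why the physics-level guarantee does not survive the implementation: intercept-resend leaves the roughly 25% sifted-key error rate that QKD relies on for detecting Eve, while the detector-control variant leaves the sifted key error-free and fully known to Eve, with only an extra 50% "loss" as evidence.

```python
import random
from dataclasses import dataclass

# Toy BB84 model (added example, not the experiment in the paper). Basis 0 and
# basis 1 stand for the two conjugate polarisation bases; `bit` is the state
# within the basis. Detectors are ideal: no dark counts, no channel loss.


@dataclass
class Tally:
    pulses: int = 0
    detections: int = 0      # pulses for which Bob reports a click
    sifted: int = 0          # detections where Alice's and Bob's bases agree
    errors: int = 0          # sifted bits where Bob's bit != Alice's bit
    eve_correct: int = 0     # sifted bits Eve knows correctly

    def qber(self) -> float:
        return self.errors / self.sifted if self.sifted else 0.0

    def eve_knowledge(self) -> float:
        return self.eve_correct / self.sifted if self.sifted else 0.0

    def loss(self) -> float:
        return 1.0 - self.detections / self.pulses if self.pulses else 0.0


def measure(bit, prep_basis, meas_basis, rng):
    """Ideal single-photon measurement: the prepared bit in the matching
    basis, a uniformly random bit in the conjugate basis."""
    return bit if prep_basis == meas_basis else rng.randrange(2)


# Each channel model returns (bob_detected, bob_bit, eve_bit).

def no_eve(bit, basis_a, basis_b, rng):
    return True, measure(bit, basis_a, basis_b, rng), None


def intercept_resend(bit, basis_a, basis_b, rng):
    """Textbook attack: Eve measures in a random basis and re-emits a photon
    carrying her result. Bob sees ~25% errors in the sifted key."""
    e_basis = rng.randrange(2)
    e_bit = measure(bit, basis_a, e_basis, rng)
    return True, measure(e_bit, e_basis, basis_b, rng), e_bit


def detector_control(bit, basis_a, basis_b, rng):
    """Faked-state attack on blinded detectors (simplified assumption): Eve
    measures, then sends a bright pulse that fires Bob's detector for her bit
    if his basis matches hers and fires nothing otherwise. Bob records the
    missing clicks as ordinary channel loss."""
    e_basis = rng.randrange(2)
    e_bit = measure(bit, basis_a, e_basis, rng)
    if basis_b == e_basis:
        return True, e_bit, e_bit
    return False, None, e_bit


def run_bb84(channel, n_pulses, seed=1):
    """Send n_pulses through `channel`, sift on public basis agreement, and
    tally error rate, Eve's knowledge and apparent loss."""
    rng = random.Random(seed)
    t = Tally()
    for _ in range(n_pulses):
        a, basis_a, basis_b = rng.randrange(2), rng.randrange(2), rng.randrange(2)
        detected, b, e = channel(a, basis_a, basis_b, rng)
        t.pulses += 1
        if not detected:
            continue
        t.detections += 1
        if basis_a != basis_b:      # public basis comparison; discard mismatches
            continue
        t.sifted += 1
        if b != a:
            t.errors += 1
        if e == a:
            t.eve_correct += 1
    return t


if __name__ == "__main__":
    for name, channel in [("no eve", no_eve), ("intercept-resend", intercept_resend),
                          ("detector control", detector_control)]:
        t = run_bb84(channel, 20000)
        print(f"{name:17s} QBER={t.qber():.3f} eve_knows={t.eve_knowledge():.3f} "
              f"loss={t.loss():.2f}")
```

The only observable the detector-control channel leaves behind is the 50% drop in detection rate, which is why an honest-looking loss budget is part of the attack surface: a receiver that does not monitor detector blinding (e.g. the detector's bias current or photocurrent under bright illumination) has no way to tell this from a lossy fiber.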


Re: interesting and thought provoking resources on quantum crypto

2007-02-09 Thread Travis H.
On Thu, Feb 08, 2007 at 04:29:25PM -0800, Saqib Ali wrote:
> i have been tasked by my advisor to create series of mini-lectures
> slides on the topic of cryptography for a freshman year CS class.

You know, you shouldn't use the Internet to ask people to do your
homework for you... ;-) j/k

> any thoughts? the resource has to be related to quantum crypto...

Well, this company sells quantum cryptography devices:
http://www.idquantique.com/home.htm

On the other side, any link collection on quantum _cryptanalysis_
wouldn't be complete without Shor:

http://www-math.mit.edu/~shor/

I went to one of his lectures at my university, and it was one of
those experiences where you know they're speaking English, but it's
just not communicating information to you.  Usually this means one of
two things; either they are trying to fool you, or you are the fool.
I'm convinced it was the latter. I know an EPR pair from a quantum
decoy, but I still have no idea what the angles on his graphs had to
do with QC and superposition.

Lots of good papers on his electronic publications list:
http://www-math.mit.edu/~shor/elecpubs.html

He points to this wiki:
http://www.qubit.org/

This page is about the watershed paper:
http://en.wikipedia.org/wiki/Shor's_algorithm

And this page attempts to illustrate it:
http://pdivos.mobstop.com/shor/
-- 
Good code works.  Great code can't fail. --
URL:http://www.subspacefield.org/~travis/
For a good time on my UBE blacklist, email [EMAIL PROTECTED]




interesting and thought provoking resources on quantum crypto

2007-02-08 Thread Saqib Ali

i have been tasked by my advisor to create series of mini-lectures
slides on the topic of cryptography for a freshman year CS class. each
mini-lecture will be 10-12 mins and will be delivered towards the end
of the class (so i will have to make them *very* interesting). There
will be 12 sessions.

I know what to include in the slides, but i would like to end each
session with a link/URL to an interesting and thought provoking
resource on quantum crypto.

any thoughts? the resource has to be related to quantum crypto

saqib
http://www.full-disk-encryption.net



Re: quantum crypto rears its head again.

2006-12-14 Thread Jon Callas

On 13 Dec 2006, at 11:57 AM, Perry E. Metzger wrote:



> I saw this link on Slashdot (and it was also on Ekr's blog):
>
> http://hackreport.net/2006/12/13/quantum-cryptography-its-some-kind-of-magiq/
>
> It appears that the quantum crypto meme just won't go away.
>
> Bob Gelfond of MagiQ promises us that for only $100,000, plus monthly
> leasing of a dry fiber optic home run between your end systems, you
> can have security that isn't even as good as what nearly free software
> will give commodity computers over the unsecured public internet.
>
> I wonder if this idea is ever going to die. My guess is it will, but
> not until the people who have thrown away their money investing in
> this technology go bankrupt.



Thanks for writing your note at the bottom. Quantum cryptography is a  
fascinating thing, but first of all, it's not cryptography. It should  
be called quantum secrecy, or something akin to that. Next, its  
proponents have a tendency to effectively say, Oh, math, that's  
something that could go bad. But physics, *that* will always be good!


Jon



quantum crypto rears its head again.

2006-12-13 Thread Perry E. Metzger

I saw this link on Slashdot (and it was also on Ekr's blog):

http://hackreport.net/2006/12/13/quantum-cryptography-its-some-kind-of-magiq/

It appears that the quantum crypto meme just won't go away.

Bob Gelfond of MagiQ promises us that for only $100,000, plus monthly
leasing of a dry fiber optic home run between your end systems, you
can have security that isn't even as good as what nearly free software
will give commodity computers over the unsecured public internet.

I wonder if this idea is ever going to die. My guess is it will, but
not until the people who have thrown away their money investing in
this technology go bankrupt.

-- 
Perry E. Metzger    [EMAIL PROTECTED]



[EMAIL PROTECTED]: [IP] more on ARMSTRONG LECTURE on Quantum Crypto and Optical Networks (Forwarded)]]

2005-09-20 Thread Eugen Leitl
- Forwarded message from David Farber [EMAIL PROTECTED] -

From: David Farber [EMAIL PROTECTED]
Date: Mon, 19 Sep 2005 20:30:36 -0400
To: Ip Ip ip@v2.listbox.com
Subject: [IP] more on ARMSTRONG LECTURE on Quantum Crypto and Optical Networks (Forwarded)]
X-Mailer: Apple Mail (2.734)
Reply-To: [EMAIL PROTECTED]



Begin forwarded message:

From: Rod Van Meter [EMAIL PROTECTED]
Date: September 19, 2005 7:25:19 PM EDT
To: Joe Touch [EMAIL PROTECTED], [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], David Wagner [EMAIL PROTECTED]
Subject: Re: [Fwd: Re: [IP] ARMSTRONG LECTURE on Quantum Crypto and Optical Networks (Forwarded)]
Reply-To: [EMAIL PROTECTED]


[Dave, for IP, if you wish...]

I generally agree with Dave Wagner's response, but a few thoughts...

The physicists are indeed working on quantum repeaters, capable of doing
QKD over long distances.  The trouble is, you have to trust every one of
the repeaters.

I wouldn't phrase the fiber security issue quite the same way.  As
others have said, what you need is access to an authenticated channel,
then you're set (but that's a non-trivial problem!).  It's important to
note that a) QKD does NOT solve what Shor's factoring algorithm broke,
and b) key exchange/distribution is not the biggest security problem we
have on the net (it might not even make the top ten).

The one possibly interesting use of QKD is for the super-paranoid: those
who believe their traffic is being snooped today, and don't want it
decrypted fifty years from now when theoretical and technological
advances render all classical cryptography breakable (!?!).

But in order for that to work, you have to use the QKD-generated random
bit string as a one-time pad, not just a seed or key for classical
encryption.  That means you need very high QKD bit-generation rates, and
most are still in the kilobits/second.  Some experiments have been done
in the low megabits/sec., but that's pre-filtering, I believe, which
costs you at least one order of magnitude in performance.

If you do it right, then, authentication that is good enough TODAY, plus
QKD to generate a random one-time pad, can make your data secure FOREVER
(modulo breakins/breakdowns at the endpoints).  Even if your
authentication is broken later, since it's not used in the actual data
exchange, the attacker gains no data.  This is covered in Paterson et
al.'s paper.

I arrived at the party a little late to get in on the recent thread at
Dave Bacon's Quantum Pontiff blog, but I did throw in my two cents
anyway:

http://dabacon.org/pontiff/?p=1049#comments

Dave's blog is an excellent source for current news and gossip, and is
read (and commented on) by many of the best names in the biz.

btw, Steve, not sure if you're aware of it or not, but Al Aho's student
Krysta Svore is doing quantum stuff for her thesis.  She just spent a
year in Cambridge working with Ike Chuang, but is back at Columbia, I
understand.  She's pretty sharp.

--Rod




-
You are subscribed as [EMAIL PROTECTED]
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

- End forwarded message -
-- 
Eugen* Leitl  http://leitl.org
__
ICBM: 48.07100, 11.36820http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE




[Colloquium] ARMSTRONG LECTURE on Quantum Crypto and Optical Networks (Forwarded)

2005-09-15 Thread Steven M. Bellovin



Date: Wed, 14 Sep 2005 18:30:22 -0400 (EDT)
From: Dan Rubenstein [EMAIL PROTECTED]
To: [EMAIL PROTECTED]


The Department of Electrical Engineering at Columbia University invites you
to attend
THE ARMSTRONG MEMORIAL LECTURE
Monday, September 19 - 3:00pm
Davis Auditorium (Schapiro/Host)

Host:  Professor Osgood

Unbreakable Secret Key Distribution?
Quantum Cryptography and Optical Networks

by

Matthew S. Goodman, Ph.D.,
Chief Scientist and Telcordia Fellow, Telcordia Technologies  Laboratory
for Telecommunications Sciences Red Bank, NJ and Adelphi, MD

Abstract:
Manifestly quantum mechanical behavior has had tremendously important
implications for the development of modern technology.  In this talk we
explore the impact of recent ideas and new approaches that quantum
information is having on future secure communications for high performance
optical networks. The talk will concentrate on quantum cryptography, which
offers the promise of unconditional security for communications, and
complements existing mathematically based cryptography, which is applied at
higher networking levels.  The talk will review the rapid progress in this
field as well as some very recent experimental results from the Telcordia
research group and its collaborations.  We will describe the impact that
this work is having on optical networking research and some early
commercial activities and will speculate on its broader commercial
implications.

Light refreshments will be served.  We look forward to seeing you there!

___
Colloquium mailing list
[EMAIL PROTECTED]
http://lists.cs.columbia.edu/mailman/listinfo/colloquium


--




--Steven M. Bellovin, http://www.cs.columbia.edu/~smb





Network World: 10-node Quantum Crypto net under Boston streets

2005-05-20 Thread John Gilmore
NETWORK WORLD NEWSLETTER: OPTICAL NETWORKING
05/04/05

Today's focus:  Hooked on photonics

By Amy Schurr

CAMBRIDGE, MASS. - Chip Elliott is every hacker's worst 
nightmare.

Elliott, principal scientist at BBN Technologies, leads a team 
building the world's first continuously operating quantum 
cryptography network, a 12-mile snoop-proof glass loop under the 
streets of Boston and Cambridge.

Quantum cryptography uses single photons of light to distribute 
keys to encrypt and decrypt messages. Because quantum particles 
are changed by any observation or measurement, even the simplest 
attempt at snooping on the network interrupts the flow of data 
and alerts administrators.

While the technology is still in the pilot stage, Elliott 
envisions a day when quantum cryptography will safeguard all 
types of sensitive traffic. It's not going to overnight replace 
everything we have, he says. But it will be used to augment 
current technologies.

Defense funding

BBN's research is funded by the Pentagon's Defense Advanced 
Research Projects Agency , so it's likely the government would 
be first in line to roll out the super-secure technology. 
Elliott predicts financial firms will deploy quantum 
cryptography within a few years and estimates that businesses in 
general will deploy within five years. The technology also could 
move to the consumer market - for example, in a 
fiber-to-the-home scenario to protect the network between a home 
and service provider.

People think of quantum cryptography as a distant possibility, 
but [the network] is up and running today underneath Cambridge, 
Elliott says. The team of nine researchers from BBN, four from 
Boston University and two from Harvard University, have put 
together a set of high-speed, full-featured quantum 
cryptography systems and has woven them together into an 
extremely secure network, he says.

The system is essentially two networks - one for quantum key 
distribution and one that carries the encrypted traffic. And 
although it's probably the world's most secure network, it's not 
protecting any real secrets, at least not yet. For this pilot 
phase, BBN encrypts normal Internet traffic such as Web pages, 
Webcam feeds and e-mail.

The network has 10 nodes. Eight are at BBN's offices in 
Cambridge, one is at Harvard in Cambridge, and another is across 
the Charles River at BU's Photonics Center.

In keeping with the traditional naming convention that IT 
security professionals use, the nodes are named Alice, Bob, Ali, 
Baba, Amanda, Brian, Anna, Boris, Alex and Barb.

For the complete story, please go to: 
http://www.networkworld.com/news/2005/050205widernet.html?nlo
___
To contact: Amy Schurr

Amy Schurr is an editor for Network World's Management 
Strategies and Features sections. If you have any career topics 
you'd like her to cover or want to comment on this newsletter, 
you can reach her at mailto:[EMAIL PROTECTED].

Copyright Network World, Inc., 2005




Quantum crypto firm charts way to mainstream

2005-02-07 Thread R.A. Hettinga
http://news.zdnet.com/2102-1009_22-5564288.html?tag=printthis

Quantum crypto firm charts way to mainstream

 By Michael Kanellos
 URL: http://news.zdnet.com/2100-1009_22-5564288.html
Magiq Technologies is creating a new line of products this year that it
says could help make quantum encryption--theoretically impossible to
crack--more palatable to mainstream customers.

The New York-based company said it has signed a deal with Cavium Networks,
under which Cavium's network security chips will be included inside Magiq's
servers and networking boards.

 Magiq and Cavium will also create reference designs for networking boards
and cards, with all of the necessary silicon to create a quantum encryption
system. These will be marketed to networking gear makers, which, Magiq
hopes, will include the boards inside future boxes.

 We have operability tests going on with major vendors, said Andy
Hammond, vice president of marketing at Magiq. Our goal in life is to
increase the adoption rate of this technology.

 By the fall, Magiq expects to be able to provide functioning beta, or
test, products that include its quantum encryption boards. Volume sales to
manufacturers are scheduled to begin in 2006.

 Quantum encryption involves sending data by way of photons, the smallest
unit of light. The photons are polarized, or oriented, in different
directions. Eavesdroppers cause detectable changes in the orientation,
which in turn prevents them from getting secret information, as dictated by
Heisenberg's Uncertainty Principle, which says you can't observe something
without changing it. For added measure, the data is encrypted before
sending.

 There is no cracking it. This is like the apple falling down, said
Audrius Berzanskis, Magiq's vice president of security engineering, meaning
that it was like one of Sir Isaac Newton's natural laws.

 This doesn't mean quantum encryption systems are unconditionally
foolproof, he added. Hypothetically, radio transmitters or some other
technology could intercept signals before they are sent. Still, these are
computer architecture issues: Unlike traditional encryption systems,
applying brute-force calculations to a message encrypted using quantum
methods will not eventually yield its contents to an unauthorized party.

 However, quantum encryption systems are pricey. The two-box system Magiq
sells goes for $70,000. Academic institutions and government agencies have
been the primary customers, the company said.

 Whether demand will go mainstream is still a matter of debate. Nearly
foolproof encryption has its obvious attractions. Various security experts
have stated, however, that the strength of today's cryptography is the
least of the security world's worries.

 Security is a chain; it's only as strong as the weakest link. Currently
encryption is the strongest link we have. Everything else is worse:
software, networks, people. There's absolutely no value in taking the
strongest link and making it even stronger, Bruce Schneier, chief
technology officer at Counterpane Internet Security, wrote in an e-mail to
CNET News.com on quantum cryptography in general.

 It's like putting a huge stake in the ground and hoping the enemy runs
right into it, he noted.

 Speed also has been a problem for quantum encryption. The deal with Cavium
will ideally boost the performance of the Magiq products and lower the
costs by standardizing some of the engineering. Cavium's chips, for
instance, will assume encryption tasks now performed in software. Reference
designs also allow potential customers to skirt some independent design
tasks.


-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Swiss on a Roll With Quantum Crypto

2004-09-29 Thread R. A. Hettinga
http://www.lightreading.com/document.asp?site=lightreadingdoc_id=60160

Light Reading - Networking the Telecom Industry

SEPTEMBER 29, 2004


Swiss on a Roll With Quantum Crypto

GENEVA -- Deckpoint and id Quantique, two private companies active in the
field of information technology and based in Geneva, Switzerland, and the
University of Geneva announce, as a world premiere, the official opening of
a data archiving network secured using quantum cryptography technology. A
ceremony will take place on September 29th 2004, at 11:00 am in Geneva.
Carlo Lamprecht, the Minister of Economy, Labor and Foreign Affairs of the
Republic and Canton of Geneva, as well as Professor André Hurst, the Dean
of the University of Geneva, will attend this ceremony.

 In a world where the reliance on electronic data transmission and
processing is becoming every day more prevalent, data archiving plays a
critical role in the ability of an organization to operate continuously
under all circumstances. In order to guarantee the highest availability of
information, the use of remote backup solutions on several sites is
increasing strongly. In such a scenario, the confidentiality and the
integrity of sensitive information exchanged between two sites is of the
utmost importance.

 Current cryptographic techniques used to guarantee this confidentiality
are based on mathematical theories. In spite of the fact, that they are
very widespread, they do not offer a foolproof security. They are in
particular vulnerable to increasing computing power and theoretical
advances in mathematics. On the contrary, quantum cryptography exploits the
laws of quantum physics to guarantee in an absolute fashion the
confidentiality of data transmission. « Quantum cryptography constitutes a
revolution in the field of information security » says Professor Nicolas
Gisin, of the University of Geneva. « It is the only solution offering long
term confidentiality and which cannot be compromised by scientific or
technological advances ».

 The University of Geneva, where research on quantum cryptography started
in the early 90's, played a pioneer role in the development of this
technology. At the end of 2001, four researchers, who were convinced of the
potential of this technology, founded the company id Quantique to develop
commercial applications.

 id Quantique and Deckpoint joined forces to develop and implement the
first data archiving network secured using quantum cryptography. The data
saved on a farm of 30 servers of the Deckpoint Housing Center, in the
Acacias district of Geneva, are replicated on servers located at the Cern
Internet Exchange Point, in Meyrin, in the suburbs of Geneva. The distance
between the two sites is about 10 kilometers. This application, which will
initially last about one month, constitutes a world premiere.

 id Quantique, the first company to bring quantum cryptography to the
market, provided the hardware used in this application. « This world
premiere is an excellent illustration of the potential of this
technology » says Gregoire Ribordy, CEO. « The company confirms thus its
leading position in applications of quantum technologies. »

 « We are convinced that security has become critical, in particular with
the implementation of the Basel II standards in the banking industry as of
2006. The economic world cannot afford anymore not to have a complete
information security strategy » adds Dominique Perisset, director of
Deckpoint. Seduced by the ambitions and visionary nature of this project,
Deckpoint granted access to its infrastructure and offered technical
support to make the implementation of this network possible.


-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Re: On hash breaks, was Re: First quantum crypto bank transfer

2004-08-25 Thread John Kelsey
From: Jerrold Leichter [EMAIL PROTECTED]
Sent: Aug 24, 2004 7:18 AM
To: Joseph Ashwood [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: On hash breaks, was Re: First quantum crypto bank transfer


[[Note: I've tried to sort out who wrote what, but something odd was
going on in the quoting of the messages, so I may have it all
wrong]]

> ...
> | Actually for years the cryptography community has been saying
> |retire MD5, ...because it's been seen as giving too short a hash,
> |and because of a minor weakness - widely described as
> |certificational - in the compression function that no one ever
> |showed led to an attack.  (While the details of the current attack
> |aren't yet completely clear, the fact that it worked on so many
> |functions strongly indicates that the particular weakness in the MD5
> |compression function has nothing to do with it.)
>
> The advice may have been prudent, but it doesn't rise to the level of
> a theory for distinguishing good from bad hash functions.

How about this: When someone finds any collision at all in your hash
compression function, even a pseudocollision or a free-start
collision, it's time to change hash functions.  This is true, even
when the alternatives are slower, and the existing attacks don't yet
turn into a full attack.  Also, when your collision resistance is
known to be vulnerable to brute-force collision attacks, you really
need to stop using it.  Even when the alternatives are slower, and you
think you can maybe get away with using MD5 here if the stars all line
up properly.

Now, for fielded hardware and (to some extent) software, you can try
to phase out the use of the broken primitive, if the attack isn't yet
leading to a practical fast collision-finding algorithm.  If MD5 had
started being phased out when the pseudocollision attack was found, or
even when the Dobbertin attack was found, it seems like we'd be in
better shape now.  

> ...
> | So basically I encourage my clients to maintain good business
> | practices which means that they don't need to have belief in the
> | long term security of AES, or SHA-1, or RSA, or . This is
> | just good business, and it is a process that evolved to deal with
> | similar circumstances.
>
> Real good business practice has to make judgements about possible
> risks and trade them off against potential costs.  I quite agree that
> your advice is sound.  But that doesn't change the facts: Our
> theoretical bases for security are much weaker than we sometimes let
> on.  We can still be surprised.

True.  But was anyone surprised at another attack on MD5, which had
already had two high-profile attacks on its compression function?  Was
anyone surprised at an attack on HAVAL?  

> Suppose a year ago I offered the following bet: At the next Crypto,
> all but one of the widely-discussed hash functions will be shown to be
> fundamentally flawed.  What odds would you have given me?

You would have lost the bet.  Where's the fundamental flaw in SHA1,
SHA256, SHA512, or RIPE-MD160?  Where's the fundamental flaw in
Whirlpool?  There may *be* such flaws in any or all of these hashes,
but they haven't been shown yet.  (Phil Hawkes' results on SHA256 look
interesting; it will be interesting to see if they lead anywhere, but
it sure doesn't look trivial to control those corrective patterns with
choices of message block differences.)  

> What odds would you have given me on the following bet: At the next
> Crypto, an attack against AES that is substantially better than brute
> force will be published?  If the odds were significantly different,
> how would you have justified the difference?

Remember that we had the algebraic attacks, which claimed the ability
to break the whole AES, though the attacks apparently don't work as
claimed because of a miscounting of variables.  (It's certainly
possible that someone will find an algebraic attack on AES.)  

> Let's update the question to today: Replace widely-discussed hash
> functions with SHA-1 and the related family.  Keep the AES bet
> intact.  But let's go out 5 years.  Now what odds do you give me?
> Why?

I don't know.  If you had to build something today to be secure, it
wouldn't be crazy to use SHA1, IMO.  But you just can't ever rule out
cryptanalytic advances of this kind.  I think the difference between
block ciphers and hash functions is that there's a much better
developed theory of block cipher design and analysis in the public
world than for hash function design and analysis.  This may be
changing, though.  And new attacks (algebraic attacks, the integral
attack that is so effective against reduced-round Rijndael versions)
are always coming up, even so.  

I think seriously trying to beat up on our algorithms, publishing
intermediate results, etc., is the best we can do at our current state
of knowledge.  

> -- Jerry

--John Kelsey

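Added example, not from John Kelsey's or Jerrold Leichter's posts: a generic birthday attack in Python against a truncated hash, to put a number on what "vulnerable to brute-force collision attacks" means in the exchange above. Truncation to 24 or 32 bits is only so the search finishes in a fraction of a second; the same sqrt(pi/2 * 2^n) expected work applies to the full 128-bit MD5 output (about 2^64 evaluations), which is the ceiling the digest length alone hands an attacker before any structural weakness is considered. Uses only hashlib; message bodies are a constructed prefix plus a counter.

```python
import hashlib
import math


def truncated_digest(algo: str, msg: bytes, bits: int) -> int:
    """First `bits` bits of the `algo` digest of `msg`, as an integer.
    `algo` is any name hashlib.new() accepts (md5, sha1, sha256, ...)."""
    d = hashlib.new(algo, msg).digest()
    nbytes = (bits + 7) // 8
    return int.from_bytes(d[:nbytes], "big") >> (8 * nbytes - bits)


def birthday_bound(bits: int) -> float:
    """Expected number of random inputs before the first collision in a
    `bits`-bit output: sqrt(pi/2 * 2^bits). For 128 bits this is ~1.25 * 2^64."""
    return math.sqrt(math.pi / 2 * 2.0 ** bits)


def find_collision(algo: str, bits: int, prefix: bytes = b"msg-", max_trials=None):
    """Generic birthday attack on a `bits`-bit truncation of `algo`.

    Messages are prefix || 64-bit counter. Returns (m1, m2, trials) with
    m1 != m2 and equal truncated digests, or None if max_trials is exhausted
    (the default budget of 20x the birthday bound makes that vanishingly rare).
    Memory grows with the number of trials, i.e. O(2^(bits/2))."""
    if max_trials is None:
        max_trials = int(20 * birthday_bound(bits))
    seen = {}
    for i in range(max_trials):
        m = prefix + i.to_bytes(8, "big")
        h = truncated_digest(algo, m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
    return None


if __name__ == "__main__":
    # Digest length, not algorithm, sets the brute-force collision cost:
    # md5 and sha256 truncated to the same width need the same work.
    for algo, bits in [("md5", 24), ("sha256", 24), ("md5", 32), ("sha256", 32)]:
        m1, m2, trials = find_collision(algo, bits)
        print(f"{algo:7s} {bits:2d} bits: collision after {trials:6d} trials "
              f"(birthday bound {birthday_bound(bits):8.0f}) "
              f"{m1.hex()} vs {m2.hex()}")
    print(f"full MD5 (128 bits): ~2^{math.log2(birthday_bound(128)):.1f} evaluations")
```

Each extra 8 bits of output multiplies the measured trial count by about 16, which is the whole argument for treating a 128-bit hash as near its brute-force limit once 2^64 operations are within reach; the structural attacks discussed in the thread then only lower that ceiling further.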


Re: First quantum crypto bank transfer

2004-08-24 Thread Jerrold Leichter
|  ... the comments I've seen on this list and elsewhere have been much
|  broader, and amount to QM secure bit distribution is dumb, it solves
|  no problem we haven't already solved better with classical
|  techniques.
|
| Most of the comments on this list are more nuanced than that.
Perhaps we hear them differently.

| Examples of sensible comments include:
|   -- We have seen claims that QM solves the key distribution
|problem.  These claims are false.
I'm not sure what the key distribution problem would be or what solving it
would mean.  As we all know, the real problem with OTP systems is that you
have to distribute as much keying material, securely, as you have material to
protect.  So OTP pretty much comes down to leveraging a single secure channel
to produce another.  In all practical instances I know of, the two channels
are separated in time and space:  You leverage the security of your diplomatic
pouch today to get secure messages from a spy tomorrow.

QM key sharing lets you build an OTP with a shared transmission medium and an
arbitrarily small time separation.  This is new.  It gives you guarantees that
the bits sent have not been intercepted.  That's new. Certainly, it doesn't
solve MITM attacks, as mathematical abstractions. What it does is reduce
protection from MITM attacks to protection of physical assets.  All crypto
ultimately has to rest on that - if you can't protect your keys, nothing
works.  The nature of the system that must be protected, and the kind of
protection, are somewhat different than in traditional systems, but the
inherent problem is neither eliminated nor made inherently worse.

|   -- _Commercialization_ of QM bit-exchange is dumb, for now
|and for the forseeable future
Here, I'll pretty much agree with you.

|  Also, there is a world of difference between:
| 
|  1.  Showing something is possible in principle;
|  2.  Making it work on the lab bench;
|  3.  Making it into something that works in the real world.
| 
|  For QM key exchange, step 1 goes back maybe 10-15 years, and most
|  people thought it was a curiosity - that you could never maintain
|  coherence except in free space and over short distances.
|
| That's backwards.  Quantum crypto in free space is hard.
The thought experiments on this always involve simple pictures in free space.
I agree, actually *doing* anything in free space over macroscopic distances is
a non-starter.

| It's
| much easier to use a single-mode fiber, over distances such
| that there is little total attenuation (which can be a quite
| macroscopic distance, since the attenuation is a fraction of
| a db/km if you do it right).
|
|  Step 2 is a couple of years back, the first surprise being that you
|  could actually make things work through fiber, then through a couple
|  of Km of fiber coiled on a bench.
|
| Again, that diametrically misstates the physics.  Propagation
| through a couple km of fiber shouldn't have surprised anybody.
I think that's obvious now, but might not have been so obvious 20 years ago.
(For that matter, just how long have we had usable multi-km single-mode
fibers?)

|  BTW, if we look at QM *computation* in comparison, we've barely made
|  it through Step 1.  There are still plausible arguments that you
|  can't maintain coherence long enough to solve any interesting
|  problems.
|
| Within a year of the invention of quantum computation,
| people were working on quantum error correction.
Actually, they started off pointing out that error correction couldn't be
done in QM systems without unmixing the states, thus losing the essence of the
computation.  Well, it turned out that things are more subtle than that.

Don't take this as a criticism of those who said quantum error correction was
impossible!  This is all new, complex physics.  We're wrong before we're
right.

|  This
| is interesting work and has had spin-offs in the form
| of changing how people think about error correction even
| in non-quantum systems.  And it has had spin-offs
| applicable to quantum cryptography, i.e. showing how it
| is possible to survive a modest amount of attenuation.
|
|  Some of the papers I've seen solve the problem only in their titles:
|  They use a QM system, but they seem to only make classical bits
|  available for general use.
|
| Huh?  The world abounds in QM systems that produce classical
| results, including e.g. transistors, lasers, practically all of
| chemistry, etc. etc. etc.  Quantum computers produce classical
| results because that is what is desired.
You miss my point.  Papers have been published - there's not much point
dredging them up - whose title and abstract imply that they are providing a
way to store and manipulate qubits, but when you look at what they actually
end up providing, you can't *use* them as qubits, just classical bits.  (What
a surprise:  There are poor papers

Re: First quantum crypto bank transfer

2004-08-24 Thread John Denker
Jerrold Leichter wrote:
> ... the comments I've seen on this list and elsewhere have been much
> broader, and amount to QM secure bit distribution is dumb, it solves
> no problem we haven't already solved better with classical
> techniques.

Most of the comments on this list are more nuanced than that.
Examples of sensible comments include:
 -- We have seen claims that QM solves the key distribution
  problem.  These claims are false.
 -- _Commercialization_ of QM bit-exchange is dumb, for now
  and for the foreseeable future.  I am reminded of a slide
  Whit Diffie showed (in a different context) of an attempt
  to build a picket fence consisting of a single narrow pale
  a mile high ... while the rest of the perimeter remains
  undefended.  That's a dumb allocation of resources.  The
  opposition aren't going to attack the mega-pale;  they are
  going to go around it.  QM doesn't solve the whole problem.
  Sensible research should not be directed toward making the
  tall pale taller;  instead it should be directed toward
  filling in the gaps in the fence.

> Even if some snake-oil salesmen have attached themselves
> to the field doesn't say research in the field is worthless.

Be that as it may, there are other grounds for judging the
commercialization projects to be near-worthless.

> Also, there is a world of difference between:
> 1.  Showing something is possible in principle;
> 2.  Making it work on the lab bench;
> 3.  Making it into something that works in the real world.
> For QM key exchange, step 1 goes back maybe 10-15 years, and most
> people thought it was a curiosity - that you could never maintain
> coherence except in free space and over short distances.

That's backwards.  Quantum crypto free in space is hard.  It's
much easier to use a single-mode fiber, over distances such
that there is little total attenuation (which can be a quite
macroscopic distance, since the attenuation is a fraction of
a dB/km if you do it right).

> Step 2 is a couple of years back, the first surprise being that you
> could actually make things work through fiber, then through a couple
> of Km of fiber coiled on a bench.

Again, that diametrically misstates the physics.  Propagation
through a couple km of fiber shouldn't have surprised anybody.

> BTW, if we look at QM *computation* in comparison, we've barely made
> it through Step 1.  There are still plausible arguments that you
> can't maintain coherence long enough to solve any interesting
> problems.

Within a year of the invention of quantum computation,
people were working on quantum error correction.  This
is interesting work and has had spin-offs in the form
of changing how people think about error correction even
in non-quantum systems.  And it has had spin-offs
applicable to quantum cryptography, i.e. showing how it
is possible to survive a modest amount of attenuation.

> Some of the papers I've seen solve the problem only in their titles:
> They use a QM system, but they seem to only make classical bits
> available for general use.

Huh?  The world abounds in QM systems that produce classical
results, including e.g. transistors, lasers, practically all of
chemistry, etc. etc. etc.  Quantum computers produce classical
results because that is what is desired.

> The contrast between this work and QM
> key exchange is striking.

If the intent is to make quantum cryptography sound better
than quantum computation, the point is implausible and
unproven.
If the intent is to make the best results in quantum crypto
sound better than the lamest parts of quantum computation,
then the comparison is (a) unfair and (b) hardly a ringing
endorsement of quantum crypto.

> after all, transistors were invented to build phone lines, not
> computers!

It's not true that transistors were invented solely for
application to phone lines.  Even if it were true, it would
be irrelevant for multiple reasons.  For starters, keep
in mind that the big computers built during the 1940s
were built using vast amounts of telecom switch gear.
Bletchley Park relied on engineers from the Post Office
(which was the 'phone company' in those days).
And even if the facts had been otherwise, arguments about
the near-term applicability of one technology are largely
irrelevant to the near-term applicability of another
technology.


Re: First quantum crypto bank transfer

2004-08-24 Thread Bill Stewart
At 02:02 AM 8/23/2004, Florian Weimer wrote:
> * Bill Stewart:
>> I agree that it doesn't look useful, but lawful intercept is harder,
>> if you're defining that as undetected eavesdropping with
>> possible cooperation of the telco in the middle,
>> because quantum crypto needs end-to-end fiber so there's
>> nothing the telco can help with except installing dark fiber,
>> and the quantum crypto lets you detect eavesdroppers.
>
> But this doesn't scale.
> You'd need dark fiber to all communication partners.

Yes.  That's part of one definition of "doesn't look useful".

> So if quantum key distribution was mandated for
> applications involving more than just a handful of communication
> partners, you'd need relays (or rather unlikely advances in optical
> circuit switching).

It would be possible to use it as link encryption,
giving up the benefits of end-to-end in return for better scaling,
but you could still make all the relaying happen in the
user organization's facilities, rather than in a telco building
that's outside the user organization's control.
(Just because something isn't very useful doesn't mean you can't
at least try to do the job semi-correctly...)

> By the way, the complete bashing of the recent QKD experiment is
> probably not totally deserved.  Apparently, the experimenters used a
> QKD variant that relies on quantum teleportation of photons.
> This QKD variant is currently *not* available commercially,
> and the experiment itself could well be an important refinement of
> Zeilinger's earlier work in this area.

That's at least interesting, though I don't see why you'd take
the experiment out of the lab without a really well-defined
benefit to the end user (unless you've got a research grant.)
I'm surprised to hear that _any_ quantum key distribution variant
is available commercially, given the costs of dedicating fiber
and the effectiveness of current mathematical crypto
or the alternative approach of couriers with briefcases and handcuffs.

Bill Stewart  [EMAIL PROTECTED]



Re: On hash breaks, was Re: First quantum crypto bank transfer

2004-08-24 Thread Jerrold Leichter
|  Alternatively, how anyone can have absolute confidence in conventional
|  crypto
|  in a week when a surprise attack appears against a widely-fielded
|  primitive
|  like MD5 is beyond me.  Is our certainty about AES's security really any
|  better today than was our certainty about RIPEM - or even SHA-0 - was
|  three
|  weeks ago?
|  -- Jerry
|
| Actually for years the cryptography community has been saying retire MD5,
...because it's been seen as giving too short a hash, and because of a minor
weakness - widely described as certificational - in the compression function
that no one ever showed led to an attack.  (While the details of the current
attack aren't yet completely clear, the fact that it worked on so many
functions strongly indicates that the particular weakness in the MD5
compression function has nothing to do with it.)

The advice may have been prudent, but it doesn't rise to the level of a theory
for distinguishing good from bad hash functions.

| SHA-0 has been required to be replaced by SHA-1 for some time,
because the NSA said so.  It turns out they were ahead of public crypto by a
couple of years.  I will grant you that this is indirect evidence that NSA
has no attacks on AES, since this is now the second time that they've
strengthened a proposed primitive against which no publicly-known attacks
existed.  It tells us little about how strong AES actually is - and absolutely
nothing about any other system out there, since NSA has no reason to comment
on those and every reason not to.

|   the RIPEM
| series is functionally-speaking unused
...but not because anyone thought there was a weakness.  MD5 happened to be
widely used, SHA-1 had standards pushing it; little room was left for another
hash.

|and represented the only real
| surprise. Except for RIPEM there were known to be reasons for this, MD5 was
| known to be flawed, SHA-0 was replaced because it was flawed (although
| knowledge of the nature of the flaw was hidden). Even with RIPEM (and SHA-1
| for the same reason) I have plans in place (and have had for some time) to
| move away from 160-bit hashes to larger ones, so the attack on RIPEM had
| little effect on me and my clients, even a full attack on SHA-1 would have
| little effect on the clients that actually listen (they all have backup
| plans that involve the rest of the SHA series and at the very least
| Whirlpool).
Moving to a larger hash function with no underlying theory isn't very far from
the million-bit key algorithms you see all over the place.  Bigger probably
can't be worse, but is it really better?

| So basically I encourage my clients to maintain good business practices
| which means that they don't need to have belief in the long term security of
| AES, or SHA-1, or RSA, or . This is just good business, and it is a
| process that evolved to deal with similar circumstances.
Real good business practice has to make judgements about possible risks and
trade them off against potential costs.  I quite agree that your advice is
sound.  But that doesn't change the facts:  Our theoretical bases for security
are much weaker than we sometimes let on.  We can still be surprised.

Suppose a year ago I offered the following bet:  At the next Crypto, all but
one of the widely-discussed hash functions will be shown to be fundamentally
flawed.  What odds would you have given me?  What odds would you have given me
on the following bet:  At the next Crypto, an attack against AES that is
substantially better than brute force will be published?  If the odds were
significantly different, how would you have justified the difference?

Let's update the question to today:  Replace widely-discussed hash functions
with SHA-1 and the related family.  Keep the AES bet intact.  But let's go
out 5 years.  Now what odds do you give me?  Why?

-- Jerry




Re: On hash breaks, was Re: First quantum crypto bank transfer

2004-08-24 Thread Hal Finney
Joe Ashwood writes:
> Except for RIPEM there were known to be reasons for this, MD5 was
> known to be flawed, SHA-0 was replaced because it was flawed (although
> knowledge of the nature of the flaw was hidden). Even with RIPEM (and SHA-1
> for the same reason) I have plans in place (and have had for some time) to
> move away from 160-bit hashes to larger ones, so the attack on RIPEM had
> little effect on me and my clients...

A minor terminology correction: the hash is RIPEMD, the more recent (and
still unbroken) version being RIPEMD-160.  RIPEMD is the RIPE Message
Digest, where RIPE is the EU's RACE Integrity Primitives Evaluation
project, and I haven't been able to find out what RACE stands for.

RIPEM was an old implementation by Mark Riordan of the PEM (Privacy
Enhanced Email) standard which preceded S/MIME.

Hal Finney



Re: On hash breaks, was Re: First quantum crypto bank transfer

2004-08-24 Thread Joseph Ashwood
- Original Message - 
From: Jerrold Leichter [EMAIL PROTECTED]
Subject: Re: On hash breaks, was Re: First quantum crypto bank transfer


> | (they all have backup
> | plans that involve the rest of the SHA series and at the very least
> | Whirlpool).
> Moving to a larger hash function with no underlying theory isn't very far from
> the million-bit key algorithms you see all over the place.  Bigger probably
> can't be worse, but is it really better?

The key expansion problem is why the rest of the SHA series is present, and
Whirlpool is present because of the fundamental flaw problem. The truth is
that having a diversity of options for this is simple enough, it takes only
a small amount of additional work to allow a cryptographic function to be
easily replaced, and making it replaceable by 1000 is only marginally more
difficult than 2, the four I listed are well-built, which is why they are
the recommended ones.

> Suppose a year ago I offered the following bet:  At the next Crypto, all but
> one of the widely-discussed hash functions will be shown to be fundamentally
> flawed.  What odds would you have given me?

I think it would be important to change the phrasing a bit to make the odds
more quantifiable, simply change "At the next Crypto" to "By the end of the
next Crypto". With that said considering history, I would've put the odds at
~~5:1 (Current hash functions seem to be broken quite often, and being the
house I want the odds in my favor). But you are correct in that this
represents a major advance in the state of the art, one that has taken large
portions of the security community completely blind, I simply took the
opportunity to push the concept of good business planning into this as a way
that allows a good escape plan should anything happen.

> What odds would you have given me
> on the following bet:  At the next Crypto, an attack against AES that is
> substantially better than brute force will be published?  If the odds were
> significantly different, how would you have justified the difference?

Very different odds actually, we as a group have a much better understanding
of block ciphers than hash functions, as evidence the just published 4 for
the price of 2 break (cryptography list post by Hal Finney Subject: More
problems with hash functions 8/20/2004). However AES has one of the smallest
security margins available, so let's put it around 10:1, I really don't
expect a break, but I would not be excessively shocked to see one made. It
is for this very reason that again I recommend to all my clients that they
have backup plans here as well, all the AES finalists, and Camellia because
of its NESSIE selection.


> Let's update the question to today:  Replace widely-discussed hash functions
> with SHA-1 and the related family.  Keep the AES bet intact.  But let's go
> out 5 years.  Now what odds do you give me?  Why?

SHA series 1:1
AES   3:1
Whirlpool   3:1 (even though it wasn't asked)
Camellia 3:1
Of SHA and Whirlpool being felled by the same attack in the next 5 years 
100:1
AES and Camellia by the same attack within 5 years 30:1

SHA in five years because the SHA methodology is showing some cracks, there 
are only minor differences between SHA-0 and SHA-1, and the differences 
between SHA-1 and SHA-256/384/512 are basically just matters of scale, I 
expect to see a major break against the methodology within 10 years, and 
with the current renewed interest in hash functions I expect the manpower to 
be available very soon to find that break.

AES is a very solid algorithm, but its security margin is too close for me,
this is always solid evidence that a break may be just around the corner,
that the evidence is that various agencies don't have a break is irrelevant,
the current evidence is that the general cryptographic community is  10
years behind and gaining quickly.

Whirlpool has the same odds as AES because the underlying cipher is based on 
the same methodology, by the same people, so if it has a flaw it is likely 
to be extremely similar.

Camellia simply does not have the examination behind it that the AES 
finalists do, something that makes me nervous and why it is only a backup 
algorithm.

SHA and Whirlpool are unlikely to fall at the same time because they have
fundamentally different cores, SHA is a hash constructed primitive,
Whirlpool a block cipher constructed primitive based on a chaining mode.
This makes the odds of a single attack felling both slim at best. This odd
is probably slanted too far in my favor.

AES and Camellia by the same attack is more likely because the tools against 
block ciphers are generally cross borders capable, and the differences 
between the styles in Camellia and AES are simply not great enough to 
prevent this. The difference in the styles though represents the additional 
3.333:1 odds.

All my odds on this are conservative and based on sloppy meanings (you and I 
may have very different meanings

Re: First quantum crypto bank transfer

2004-08-23 Thread Florian Weimer
* Bill Stewart:

> I agree that it doesn't look useful, but lawful intercept is harder,
> if you're defining that as undetected eavesdropping with
> possible cooperation of the telco in the middle,
> because quantum crypto needs end-to-end fiber so there's
> nothing the telco can help with except installing dark fiber,
> and the quantum crypto lets you detect eavesdroppers.

But this doesn't scale.  You'd need dark fiber to all communication
partners.  So if quantum key distribution was mandated for
applications involving more than just a handful of communication
partners, you'd need relays (or rather unlikely advances in optical
circuit switching).

By the way, the complete bashing of the recent QKD experiment is
probably not totally deserved.  Apparently, the experimenters used a
QKD variant that relies on quantum teleportation of photons.  This QKD
variant is currently *not* available commercially, and the experiment
itself could well be an important refinement of Zeilinger's earlier
work in this area.



Re: First quantum crypto bank transfer

2004-08-23 Thread Matt Crawford
>> | However, I still don't believe that quantum cryptography can buy you
>> | anything but research funding (and probably easier lawful intercept
>> | because end-to-end encryption is so much harder).
>>
>> Not to attack you personally - I've heard the same comments from many other
>> people - but this is a remarkably parochial attitude.
>>
>> Quantum crypto raises fundamental issues in physics.
>
> But we aren't physicists.

Hey!

> It isn't research any more. There are companies trying to *sell this*.

Please don't blame the physicists for that.  It is still research, but
someone is selling tincture of quantum physics in their snake-oil
bottles.  Too bad that may poison the market for a really useful
development a few years from now, but it does help shake the money tree
for research.  And physics can use every dime it can get right now.

Matt Crawford   [EMAIL PROTECTED]
Fermilab Computer Security Coordinator
http://www.fnal.gov/


Re: First quantum crypto bank transfer

2004-08-22 Thread Bill Stewart
At 01:00 PM 8/21/2004, Florian Weimer wrote:
> However, I still don't believe that quantum cryptography can buy you
> anything but research funding (and probably easier lawful intercept
> because end-to-end encryption is so much harder).

I agree that it doesn't look useful, but lawful intercept is harder,
if you're defining that as undetected eavesdropping with
possible cooperation of the telco in the middle,
because quantum crypto needs end-to-end fiber so there's
nothing the telco can help with except installing dark fiber,
and the quantum crypto lets you detect eavesdroppers.
On the other hand, at least in the US and probably in Germany,
if the government wants the records of a bank's transactions,
all they need is the locally-proper paperwork demanding the data,
which is a threat model that quantum crypto doesn't help with,
especially since the costs of that attack are much lower than
tapping quantum fiber transactions.
An intermediate level of weakness is detection of who
the bank is communicating with.  In the case of quantum crypto,
it's simple - just follow the fiber to the other end.
But banks are a semi-special case for this threat also,
because you know that a bank's headquarters will talk to
other buildings belonging to that bank, so it's no information leak...


Re: First quantum crypto bank transfer

2004-08-22 Thread Florian Weimer
* Jerrold Leichter:

> | Not quite correct, the first bank transfer occurred earlier this year,
> | in a PR event arranged by the same group:
> |
> |   http://www.quantenkryptographie.at/rathaus_press.html
> |
> | However, I still don't believe that quantum cryptography can buy you
> | anything but research funding (and probably easier lawful intercept
> | because end-to-end encryption is so much harder).
>
> Not to attack you personally - I've heard the same comments from many other
> people - but this is a remarkably parochial attitude.

I'm the last person to argue against basic research, but I'm really
against presenting it as if it had direct practical relevance.  Basic
research should receive government funding, but not based on the false
claim that it can secure bank transfers.

> Quantum crypto raises fundamental issues in physics.  The interaction of
> information and QM is complex and very poorly understood.  No one really knows
> what's possible.  This is neat stuff, and really nice research.  New results
> are appearing at a rapid pace.

I fully agree.  Experimental quantum physics *is* important, but much
more from a physics point of view than from a cryptography point of
view.

> Will this end up producing something new and useful?  Who can say?  Right now,
> we're seeing the classic uses for a new technique or technology:  Solving the
> old problems in ways that are probably no better than the old solutions.

My trouble with quantum key distribution is that at the current stage,
the experiments are stunning, but it's snake oil from a cryptography
perspective.

Have you actually looked at some of the quantum key distribution papers?  The
ones I examined even lack such a simple thing as a threat model, and
as a result, the authors completely miss man-in-the-middle attacks
where the attacker splits the fiber into two pieces, runs two
instances of the QKD protocol, and reencrypts the communication after
key distribution.

> Alternatively, how anyone can have absolute confidence in conventional crypto
> in a week when a surprise attack appears against a widely-fielded primitive
> like MD5 is beyond me.  Is our certainty about AES's security really any
> better today than was our certainty about RIPEM - or even SHA-0 - was three
> weeks ago?

If we postulate that man-in-the-middle attacks are non-existent,
conventional cryptography is suddenly much stronger, too. 8-)

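The two claims this exchange turns on (the quantum channel reveals an eavesdropper; a man-in-the-middle who splits the fibre and runs two QKD instances does not show up unless the classical channel is authenticated) in a small constructed BB84 model, added here and not taken from the thread or from any QKD product. The (bit, basis) photon model, the 0.11 abort threshold and all sample sizes are assumptions.

```python
"""Toy BB84 model of the two claims traded in this thread: that the quantum
channel lets you detect an eavesdropper, and that without an authenticated
classical channel a man-in-the-middle who splits the fibre is not detected.
Constructed example: photons are (bit, basis) pairs and a measurement in the
wrong basis yields a uniformly random bit. No real QKD hardware is modelled."""
import random


def measure(photon, basis, rng):
    """Same basis as preparation: the bit is recovered exactly.
    Different basis: the outcome is random and the original state is lost
    (that is what makes an intercept-resend tap noticeable)."""
    bit, prep_basis = photon
    return bit if basis == prep_basis else rng.randint(0, 1)


def bb84_session(n, rng, eve=None):
    """One BB84 exchange of n photons from Alice to Bob.

    eve, if given, is applied to every photon in flight (what an
    intercept-resend tap does). Returns the sifted keys and the quantum
    bit error rate (QBER) that Alice and Bob estimate by comparing a
    random half of the sifted key over the classical channel."""
    alice_bits = [rng.randint(0, 1) for _ in range(n)]
    alice_bases = [rng.randint(0, 1) for _ in range(n)]
    bob_bases = [rng.randint(0, 1) for _ in range(n)]

    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        photon = (bit, a_basis)
        if eve is not None:
            photon = eve(photon)
        bob_bits.append(measure(photon, b_basis, rng))

    # Sifting: bases (not bits) are announced; keep positions where they agree.
    keep = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    alice_key = [alice_bits[i] for i in keep]
    bob_key = [bob_bits[i] for i in keep]

    # Error estimation on a random sample of sifted bits (a real protocol then
    # discards the sampled bits; this toy keeps them in the returned keys).
    sample = rng.sample(range(len(keep)), k=len(keep) // 2)
    errors = sum(alice_key[i] != bob_key[i] for i in sample)
    qber = errors / len(sample) if sample else 0.0
    return {"alice_key": alice_key, "bob_key": bob_key, "qber": qber}


def intercept_resend(rng):
    """Eve measures each photon in a guessed basis and re-sends what she saw.
    Half her guesses are wrong, so about a quarter of the sifted bits that
    Alice and Bob compare disagree: the tap shows up as QBER."""
    def eve(photon):
        basis = rng.randint(0, 1)
        return (measure(photon, basis, rng), basis)
    return eve


def split_fibre_mitm(n, rng):
    """The objection raised in the thread: Eve cuts the fibre and runs two
    independent, physically clean BB84 sessions, playing Bob towards Alice
    and Alice towards Bob. Neither session shows any error, so the QBER
    check passes on both sides; only authenticating the classical channel
    (binding the sifting messages to the real Alice and Bob) catches it."""
    upstream = bb84_session(n, rng)    # Alice <-> Eve
    downstream = bb84_session(n, rng)  # Eve <-> Bob
    return {
        "alice_key": upstream["alice_key"],
        "bob_key": downstream["bob_key"],
        # Eve holds both keys, so she can decrypt and re-encrypt every message.
        "eve_keys": (upstream["bob_key"], downstream["alice_key"]),
        "alice_side_qber": upstream["qber"],
        "bob_side_qber": downstream["qber"],
    }


def verdict(qber, threshold=0.11):
    """Accept or abort on the estimated error rate. 0.11 is the textbook
    BB84 tolerance for one-way post-processing, assumed here; a real system
    sets its own threshold."""
    return "abort" if qber > threshold else "accept"


def run_demo(n=4000, seed=1):
    """Deterministic run of the three cases so the results can be checked."""
    rng = random.Random(seed)
    honest = bb84_session(n, rng)
    tapped = bb84_session(n, rng, eve=intercept_resend(rng))
    split = split_fibre_mitm(n, rng)
    return {"honest": honest, "tapped": tapped, "split": split}


if __name__ == "__main__":
    r = run_demo()
    print("honest link:      QBER %.3f -> %s" % (r["honest"]["qber"], verdict(r["honest"]["qber"])))
    print("intercept-resend: QBER %.3f -> %s" % (r["tapped"]["qber"], verdict(r["tapped"]["qber"])))
    print("split-fibre MITM: QBER %.3f / %.3f -> %s, Eve holds both keys" % (
        r["split"]["alice_side_qber"], r["split"]["bob_side_qber"],
        verdict(r["split"]["alice_side_qber"])))
```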


First quantum crypto bank transfer

2004-08-21 Thread R. A. Hettinga

--- begin forwarded text


From: Andrew Thomas [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: First quantum crypto bank transfer
Date: Fri, 20 Aug 2004 09:05:58 +0200
Sender: [EMAIL PROTECTED]

  Cryptography system goes underground (Aug 19)
  http://physicsweb.org/article/news/8/8/13
   A group of scientists in Austria and Germany has installed an optical
   fibre quantum cryptography system under the streets of Vienna and used
   it to perform the first quantum secure bank wire transfer (A Poppe et
   al. 2004 Optics Express 12 3865). The quantum cryptography system
   consisted of a transmitter (Alice) at Vienna's City Hall and a receiver
   (Bob) at the headquarters of an Austrian bank. The sites were linked by
   1.45 kilometres of single-mode optical fibre.

-- 
Andrew G. Thomas

--- end forwarded text


-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Re: Bank transfer via quantum crypto

2004-05-25 Thread Ivan Krstic
Apologies for the late response. Finals have a knack for keeping me away 
from the keyboard.

Ian Grigg wrote:
> You are looking at QC from a scientific perspective.
> What is happening is not scientific, but business.
> [Points 1..7 snipped]
> Hence, quantum cryptography.  Cryptographers and
> engineers will recognise that this is a pure FUD
> play.  But, QC is cool, and only cool sells.

See, this is what's scary to me: the cool being what sells is an
indication that PHBs, instead of technically capable people, are making
decisions when it comes to crypto. Maybe this is incredibly obvious to
the veterans in the field, but it's a disillusionment I prefer not to have.

It reminds me of a guy I know who, every time when asked about his
software, would rant off the features and conclude with "It also
features a phase multiplexer." He's never been asked about it. If it
weren't funny, it'd be sad.

> Where we are now is the start of a new hype
> cycle.  This is to be expected, as the prior
> hype cycle(s) have passed.  PKI has flopped and
> is now known in the customer base (finance
> industry and government) as a disaster.  But,
> these same customers are desperate for solutions,
> and as always are vulnerable to a sales pitch.

This is part of my lack of understanding: I find it impossible to
believe that - given a market begging for solutions - no one is offering
high-quality non-QC link encryption boxes. Your points focused on the
existing situation (particularly in the finance industry) which
essentially amounts to "people use insecure private telco lines to feel
secure". The scenario I am missing - and you didn't address - is why
someone with a little time and understanding doesn't throw together a
few chips and offer an out-of-the-box crypto tunnel solution (or, if
there is one, why isn't it catching on?).

What do you really need for a simple point-to-point encryption? Linksys 
makes a $70 wifi router that has a 125MHz MIPS processor, 16 MB RAM + 4 
MB Flash ROM, two 10/100Mbit ethernet controllers, and runs Linux 2.4. 
If someone paid me for a few hours of work, I could probably make a pair 
of *those* do secure link encryption. Rijndael isn't computationally 
expensive, and putting in a few extra bucks would likely afford you 
processing power that could support tank-like (Serpent?) encryption 
transparently.

The way I see this is that there are two options: consumers can entrust 
the security of their data to physics they don't understand, or 
mathematics they don't understand. One of the fundamental differences is 
that the former *no one* understands, and its price reflects that. With 
the latter, well - quite a few people understand the math behind crypto, 
and silicon is cheap these days. So what are people waiting for? Why 
doesn't everyone concerned for their link security have a pair of cheap 
strong crypto devices at both ends?

Cheers,
Ivan


The EU pursues quantum crypto because of Echelon

2004-05-25 Thread Steve Bellovin
http://www.computerworld.com/securitytopics/security/story/0,10801,93220,00.html?from=homeheads

I'm not sure what more to say, given my opinion of the general utility 
of quantum crypto

--Steve Bellovin, http://www.research.att.com/~smb




Quantum crypto gets a speed boost

2004-05-08 Thread R. A. Hettinga
http://optics.org/articles/news/10/5/2/1

Optics.org

Quantum crypto gets a speed boost

6 May 2004

NIST scientists transfer a quantum key made of single photons at a rate of
1Mbps.

A team of US scientists from the National Institute of Standards and
Technology (NIST) in Colorado and Acadia Optronics, Maryland, claims to
have built the world's fastest quantum cryptography system (Optics Express
12 9).

NIST test bed

Its 730 m free-space link, which uses a stream of single photons to
transfer a secret encryption key, offers a key transfer rate of 1Mbps --
about 100 times faster than previous demonstrations. NIST says that the
increase in speed could potentially make quantum cryptography practical for
applications such as streaming encrypted video or communications across
large networks.

Quantum key distribution (QKD) has recently emerged as an attractive
technique to create completely secure communication links between banks and
military bases and the first commercial systems are now starting to appear.

Although the transmission distances have steadily improved over the past
few years (the current records are 150 km in fiber and 23 km in free space),
the transfer rate of the key has remained painfully slow, typically 1 kbps
or so.


Crypto components

The NIST-Acadia team has boosted this transfer rate to 1 Mbps by employing
a clock synchronization scheme typically found in high-speed optical
communications.

The innovation is to operate a classical (unsecure) link at 1.5 microns in
parallel with an 845 nm QKD link over a 730 m span between two NIST
buildings. The classical link, at a clock rate of 1.25 Gbps, is used to
synchronize the QKD receiver and tell it when to look for the key's photons.

This synchronized detection helps distinguish the QKD photons generated by
a pair of 845 nm VCSELs from stray light such as photons from the Sun and
thus raises the key transmission rate.

Although in theory it should be possible to achieve key transmission at up
to the clock-rate, the team has found that the 350 ps timing resolution of
its silicon avalanche photodetectors currently limits performance to
1 Mbps. The team says with better detectors the key rate could be raised
further.


-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Re: Bank transfer via quantum crypto

2004-04-28 Thread Ian Grigg
Ivan Krstic wrote:
I have to agree with Perry on this one: I simply can't see a compelling 
reason for the push currently being given to ridiculously overpriced 
implementations of what started off as a lab toy, and what offers - in 
all seriousness - almost no practical benefits over the proper use of 
conventional techniques.

You are looking at QC from a scientific perspective.
What is happening is not scientific, but business.
There are a few background issues that need to be
brought into focus.
1) The QC business is concentrated in the finance
industry, not national security.  Most of the
fiber runs are within range.  10 miles not 100.
2) Within the finance industry, the security
of links is done majorly by using private lines.
Put in a private line, and call it secure because
only the operator can listen in to it.
3) This model has broken down somewhat due to the
arisal of open market net carriers, open colos, etc.
So, even though the mindset of "private telco line
is secure" is still prevalent, the access to those
lines is much wider than thought.
4) there is eavesdropping going on.  This is clear,
although it is difficult to find confirmable
evidence on it or any stats:
  "Security forces in the US discovered an illegally installed fiber
  eavesdropping device in Verizon's optical network. It was placed at a
  mutual fund company ... shortly before the release of their quarterly
  numbers."  -- Wolf Report, March 2003
(some PDF that google knows about.)  These things
are known as vampire taps.  Anecdotal evidence
suggests that it is widespread, if not exactly
rampant.  That is, there are dozens or maybe hundreds
of people capable of setting up vampire taps.  And,
this would suggest maybe dozens or hundreds of taps
in place.  The vampires are not exactly cooperating
with hard information, of course.
5) What's in it for them?  That part is all too
clear.
The vampire taps are placed on funds managers to
see what they are up to.  When the vulnerabilities
are revealed over the fibre, the attacker can put
in trades that take advantage.  In such a case,
the profit from each single trade might be in the
order of a million (plus or minus a wide range).
6) I have not as yet seen any suggestion that an
*active* attack is taking place on the fibres,
so far, this is simply a listening attack.  The
use of the information happens elsewhere, some
batch of trades gets initiated over other means.
7) Finally, another thing to bear in mind is that
the mutual funds industry is going through what
is likely to be the biggest scandal ever.  Fines
to date are at 1.7bn, and it's only just started.
This is bigger than SL, and LTCM, but as the
press does not understand it, they have not
presented it as such.  The suggested assumption
to draw from this is that the mutual funds are
*easy* to game, and are being gamed in very many
and various fashions.  A vampire tap is just one
way amongst many that are going on.

So, in the presence of quite open use of open
lines, and in the presence of quite frequent
attacking on mutual funds and the like in order
to game their systems (endemic), the question
has arisen how to secure the lines.
Hence, quantum cryptography.  Cryptographers and
engineers will recognise that this is a pure FUD
play.  But, QC is cool, and only cool sells.  The
business circumstances are ripe for a big cool
play that eases the fears of funds that their
info is being collected with impunity.  It shows
them doing something.
Where we are now is the start of a new hype
cycle.  This is to be expected, as the prior
hype cycle(s) have passed.  PKI has flopped and
is now known in the customer base (finance
industry and government) as a disaster.  But,
these same customers are desperate for solutions,
and as always are vulnerable to a sales pitch.
QC is a technology whose time has come.  Expect
it to get bigger and bigger for several years,
before companies work it out, and it becomes the
same disputed, angry white elephant that PKI is
now.
If anyone is interested in a business idea, now
is the time to start building boxes that do just
like QC but in software at half the price.  And
wait for the bubble to burst.
iang
PS:  Points 1-7 are correct AFAIK.  Conclusions,
beyond those points, are just how I see it, IMHO.


Bank transfer via quantum crypto

2004-04-22 Thread Ivan Krstic
On /. today:

An anonymous reader writes with today's announcement that the Austrian 
project for Quantum Cryptography[1] made the world's first Bank Transfer 
via Quantum Cryptography Based on Entangled Photons; see also 
Einstein-Podolski-Rosen Paradoxon[2]. (For more background, see the 
recent Slashdot post Quantum Cryptography Leaving the Lab.[3])

[1] http://www.quantenkryptographie.at/
[2] http://en.wikipedia.org/wiki/EPR_paradox
[3] http://science.slashdot.org/science/04/04/12/1336238.shtml?tid=134
I have to agree with Perry on this one: I simply can't see a compelling 
reason for the push currently being given to ridiculously overpriced 
implementations of what started off as a lab toy, and what offers - in 
all seriousness - almost no practical benefits over the proper use of 
conventional techniques. Besides, any of the ultrasecret applications 
that *might* (I remain very skeptical) call for such a level of 
confidentiality - things like military communication or diplomatic 
message exchange between a country and its ambassadors - are all too 
likely to be out of the range currently offered by these QC setups (last 
I read, if I'm not mistaken, it was about 50 km or ~30 miles). Fine, the 
range might improve - but I doubt that the amount of money and hassle 
required to set these up will.

Cheers,
Ivan


Re: my periodic rant on quantum crypto

2004-04-14 Thread David Honig
At 03:37 PM 4/12/04 -0400, Perry E. Metzger wrote:

QC can only run over a dedicated fiber over a short run, where more
normal mechanisms can work fine over any sort of medium -- copper, the
PSTN, the internet, etc, and can operate without distance limitation.


Nice essay.  I especially liked the discussion of authentication.

It's also the case AFAIK that the quantum-carrying fiber
can only carry one photon at a time.  (Perhaps you can multiplex
different frequencies, if your demultiplexor doesn't change the
quantum properties).  Now while there *is* a lot of dark fiber,
sending one photon at a time is a pretty good way to keep the
construction crews digging up roads :-) 

Similar quantum-hype is sometimes argued in RNG discussions
by those with very narrow views of what an RNG needs and
consists of.





my periodic rant on quantum crypto

2004-04-12 Thread Perry E. Metzger

/. is running yet another story on quantum cryptography today, with
the usual breathless hype:

http://science.slashdot.org/article.pl?sid=04/04/12/133623

I'm especially unimpressed with the "Does this spell the
end of the field of cryptography?" comment.

For those who don't know much about what it is, Quantum Cryptography
is a very expensive way of producing an unauthenticated link
encryption device. It is useless for any application other than link
encryption over a short distance and requires a dedicated optical
fiber to work.

QC has no properties that render it especially better for link
encryption than, say, a box from one of several vendors running AES on
the link instead. It is perhaps theoretically safer, but in practice
no one is going to break AES either -- they're going to bribe the
minimum wage guard at your colo to have 20 minutes alone with your box
while they install a tap on the clear side of it (or worse, they'll
slip in while the guard is asleep at his desk.)

QC still requires link authentication (lest someone else other than
the people you think you're talking to terminate your fiber
instead). As a result of this, you can't really get rid of key
management, so QC isn't going to buy you freedom from that.

QC can only run over a dedicated fiber over a short run, where more
normal mechanisms can work fine over any sort of medium -- copper, the
PSTN, the internet, etc, and can operate without distance limitation.

QC is fiendishly costly -- orders of magnitude more expensive than an
AES based link encryption box.

QC is extremely hard to test to assure there are no hardware or other
failures -- given the key in use, I can use intercepted traffic to
assure my AES link encryption box is working correctly, but I have no
such mechanism for a QC box.

On top of all of this, the real problems in computer security these
days have nothing to do with stuff like how your link encryption box
works and everything to do with stuff like buffer overflows, bad
network architecture, etc.

Given that what we're dealing with is a very limited technology that
for a very high price will render you security that is at best not
particularly better than what much more economical solutions will
yield, why do people keep hyping this?  Indeed, why do people buy these
boxes, if indeed anyone is buying them?

It is stunning that a lab curiosity continues to be mentioned over
and over again, not to mention to see venture capitalists dump money
after it.

BTW, none of this has anything to do with Quantum Computing, which
may indeed yield breakthroughs someday in areas such as factoring but
which is totally unrelated...

Perry
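The two halves of Perry's argument, as an added toy simulation that is not code from any post or product in this thread: the BB84 physics does expose a passive intercept-resend listener (the error rate jumps), but it cannot by itself tell Bob who terminates the far end of the fibre, so the classical basis-reconciliation messages need a MAC under a pre-shared key, which is exactly the key management QKD does not remove. The BB84 model, the fixed seeds and the key strings are constructed assumptions.

```python
import hashlib
import hmac
import random


def run_bb84(n, eavesdrop=False, rng=None):
    """Toy BB84 exchange over a noiseless link; returns (alice_key, bob_key, qber).

    Bits and bases are 0/1.  A measurement in the sending basis returns the
    bit; any other basis returns a coin flip.  eavesdrop=True places a passive
    intercept-resend listener on the fibre (the QKD analogue of a vampire tap).
    """
    rng = rng or random.Random(1)          # fixed seed: constructed, repeatable run
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.randrange(2) for _ in range(n)]
    bob_bases = [rng.randrange(2) for _ in range(n)]
    bob_bits = []
    for bit, basis, bob_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            # Eve measures in a random basis and re-sends what she observed;
            # a wrong guess destroys the original state, which is what Bob detects.
            eve_basis = rng.randrange(2)
            bit = bit if eve_basis == basis else rng.randrange(2)
            basis = eve_basis
        bob_bits.append(bit if bob_basis == basis else rng.randrange(2))
    # Sifting: keep only the positions where Alice and Bob used the same basis.
    keep = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    alice_key = [alice_bits[i] for i in keep]
    bob_key = [bob_bits[i] for i in keep]
    errors = sum(a != b for a, b in zip(alice_key, bob_key))
    qber = errors / len(keep) if keep else 0.0
    return alice_key, bob_key, qber


def unauthenticated_mitm(n):
    """Perry's 'someone else terminates your fibre': Mallory runs one honest
    session with Alice and another with Bob.  Each side sees a zero error
    rate, so the physics alone cannot reveal who is at the far end."""
    _, _, qber_alice_side = run_bb84(n, rng=random.Random(2))
    _, _, qber_bob_side = run_bb84(n, rng=random.Random(3))
    return qber_alice_side, qber_bob_side


def announce_bases(bases, auth_key):
    """Basis announcement on the classical channel, tagged with an HMAC under
    a pre-shared key: this is the key management that QKD does not remove."""
    body = bytes(bases)
    return body, hmac.new(auth_key, body, hashlib.sha256).digest()


def accept_announcement(body, tag, auth_key):
    """Bob accepts a basis list only if the tag verifies under his copy of the key."""
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)
```

With no listener the sifted keys agree and the error rate is zero; with intercept-resend it sits near 25%, while the two-session case shows zero errors on both sides until the announcement tag fails to verify.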



Re: Quantum Crypto

2003-12-20 Thread John Lowry
Perry is absolutely right.
There is no point in pursuing this.
It might even be analogous to what we now know about computers.
We were warned that there would never be a need for more than
a half-dozen - after all, they were extremely expensive just to get
a few more digits in the logarithm table ...  Thank goodness that we stopped
those wasteful government research efforts and put money into improving
analog mechanical desktop calculators - which is all anyone ever needed
anyway.  ;-)

Perry,
I seem to remember paying excessive amounts for my first installations
of 1822, X.25, token-ring, ethernet - in fact all new devices.  Even the
ones that weren't needed ... Initial cost is a poor metric and you of all
people should know it.  However, I sincerely applaud your effort to present
a snapshot of the state of the art - and the effort to qualify the QKD folks
who are prematurely entering the market.  Please try to include a view the
long term potential and imagine how it might be used when you write your
report.  After all, who would have thought that computers _would_ be linked
together to create communication networks ... and that my 75-year old mother
could not only afford one but actually enjoy using it.  (Ok, it's a Macintosh
...)
Please don't dismiss what is really a very new research area with unknown
potential - just leaving the physicist's lab bench for the engineering lab
bench - because a few folks are entering the market too soon and claiming
that they have product.  There is a baby in that bath water !

Season's Greetings !

John


On 12/16/03 10:14, Perry E. Metzger [EMAIL PROTECTED] wrote:

 
 There have been more press releases about quantum crypto products
 lately.
 
 I will summarize my opinion simply -- even if they can do what is
 advertised, they aren't very useful. They only provide link security,
 and at extremely high cost. You can easily just run AES+HMAC on all
 the bits crossing a line and get what is for all practical purposes
 similar security, at a fraction of the price.
 
 The problem in security is not that we don't have crypto technologies
 that are good enough -- our algorithms are fine. Our real problem is
 in much more practical things like getting our software to high enough
 assurance levels, architectural flaws in our systems, etc.
 
 Thus, Quantum Crypto ends up being a very high priced way to solve
 problems that we don't have.
 
 
 Perry
 



Re: Quantum Crypto

2003-12-20 Thread Perry E. Metzger

John Lowry [EMAIL PROTECTED] writes:
 Perry is absolutely right.
 There is no point in pursuing this.
 It might even be analogous to what we now know about computers.
 We were warned that there would never be a need for more than
 a half-dozen - after all, they were extremely expensive just to get
 a few more digits in the logarithm table ...  Thank goodness that we stopped
 those wasteful government research efforts and put money into improving
 analog mechanical desktop calculators - which is all anyone ever needed
 anyway.  ;-)

Your amusing banter aside, my point remains. QCrypto doesn't solve any
problems that anyone has in the real world -- everything it can do can
be done far more cheaply and indeed far better by other means -- so it
is a large expense that serves no purpose.

I know of no company using something like AES+HMAC for link security
that has had its cryptographically secured communications successfully
attacked by cryptanalysis* -- and AES is free, and running it is nearly
free. On the other hand, I know of lots of companies that have had
problems because they haven't thought out their remote access systems
well or because they are running software vulnerable to buffer
overflows. The issue is not that we need unbreakable crypto -- we
already have it for practical purposes. The issue is that our systems
are not built robustly.

 Please don't dismiss what is really a very new research area with unknown
 potential -

This is not an issue of unknown potential -- we know what the
systems being marketed do. They have specifications and user manuals.

I would never suggest that people stop research, of course, but it
seems that QCrypto is not a solution to any real world problem.

Perry

*By this, I don't include things like the key management algorithm
 only used all ones as the key -- I mean legitimate attacks against
 AES etc.



Quantum Crypto

2003-12-18 Thread Perry E. Metzger

There have been more press releases about quantum crypto products
lately.

I will summarize my opinion simply -- even if they can do what is
advertised, they aren't very useful. They only provide link security,
and at extremely high cost. You can easily just run AES+HMAC on all
the bits crossing a line and get what is for all practical purposes
similar security, at a fraction of the price.

The problem in security is not that we don't have crypto technologies
that are good enough -- our algorithms are fine. Our real problem is
in much more practical things like getting our software to high enough
assurance levels, architectural flaws in our systems, etc.

Thus, Quantum Crypto ends up being a very high priced way to solve
problems that we don't have.


Perry
