Interesting. Here in The Netherlands there will be a quantum network connecting Delft, The Hague, Leiden and Amsterdam, but that's largely still a research project and it won't be up and running before 2020. If QuantumXC has commercially available tech then they seem to be ahead by a couple of years.
That research quantum network has a different purpose. Quantum key distribution (QKD) as mentioned in the article has been commercially available for a number of years now (for example by ID Quantique [1]). These products rely on having a direct connection, i.e. a single fibre line without repeaters or other ‘interruptions’. This limits their range to about 100km (20dB attenuation).
The research network in The Netherlands is more ambitious than that. The researchers’ goal is to build a true quantum internet, with ‘quantum repeaters’ that allow connections over longer distances [2]. These quantum repeaters work on the principe of quantum entanglement generation and purification to achieve quantum teleportation of qubits to allow end to end communication [3].
If you’re interested in learning more about this, I can highly recommend the free edX course by TU Delft and Caltech on quantum cryptography [4].
It's meant to be used in conjuction with disabling javascript or using js-blockers like uMatrix, however, so I'm not sure if that's your use case (if you're frequently annoyed by ads, popups, auto-play videos, etc, you might want to look into something like uMatrix or uBlock anyway.)
This particular site works without javascript except that the article text is blurred. I might consider making the script just remove blurs completely and fix that type of defect in general, because I can't think of a legitimate use of blur that isn't just unnecessary eye candy.
For me it didn't even load. I just got a slowly loading blur of text that slowed Chrome on Android to a halt and made me force restart the browser.
Sites like this make me hate the web. I have even started to like pages that I hated when they were launched because they were slow (prime example: Swedish state television: www.svt.se). They now shine like beacons of hope.
We don't. In cryptography we generally trade off information theoretic security for computational security. This means that (more broadly speaking) we don't usually know what anyone has broken if there's no public proof.
But that also means that, as a research community, we've mostly accepted that that's okay. Likewise as a heuristic we can generally say the same thing about any cryptographic algorithm that hasn't been publicly broken. And that means that evaluating the security of publicly unbroken cryptography by postulating the hypothetical strength of the NSA isn't very useful.
We know the following based on an examination of history:
1) Most vulnerabilities which compromise confidentiality or authenticity actually happen in cryptographic implementations or infrastructure code, not algorithm design;
2) RSA has not been publicly broken. Moreover, we have no research providing a way to break RSA given current technology (nor even a path forward);
3) Quantum key distribution is extremely immature technology, which trades off decades of well-studied literature about computational security to pursue information theoretic assurances.
Quantum key distribution is an extremely overengineered and brittle solution. That's not to say it isn't technically cool...but it's difficult to reconcile with everything we know about modern cryptography.
We don't, in the same way that we don't know there aren't vulnerabilities in the quantum protocol they're using, or in its practical implementation. And if the NSA can only break DHE for parameters less than N bits, why not just use a ridiculously high number like 10000 bits, since it's only a linear cost when you know the key.
"Each key is usually extra-encrypted, but documents disclosed by former National Security Agency contractor Edward Snowden in 2013 showed that the U.S. government, which hoovers up most of the world’s internet traffic, can also break those tougher codes. Exactly how the NSA accomplishes this isn’t widely known. (One suspicion is that while keys are supposed to be based on multiplying two random large prime numbers together, many systems use a relatively small subset of primes, making it much easier for a computer to guess the key.)"
Except that Weak DH only needs one prime - not two. It sounds like the author conflated RSA with DH somehow. It's very rare for real in-the-wild RSA keys to share factors (barring stupid errors like Debian's randomization fail).
Technically speaking when you turn a laser's power down far enough, you start adjusting the probability that the laser will emit a photon. Many pulses will generate zero photons, some will generate one, and a few might generate two or more. The two or more case is the scary one where an attacker could siphon off a photon to measure.
"Yet for high-speed transmissions under real-world conditions, the record is just 60 miles. Farther transmissions require a series of “trusted nodes,” relays that are themselves vulnerable to hackers or physical tapping. China uses armed guards to secure the nodes in its 1,240-mile QKD network"
Armed guards at the relays.. I wonder what they are transmitting on that cable. In any case it seems they take the thread of fiber tapping very seriously. I bet the US government have similar experiments only they don't talk about it.
I still don’t understand the point of quantum key distribution. It protects against passive snooping but not against an active man-in-the-middle attack: thus it gives you no more protection than, say, the Diffie-Hellman exchange performed at the start of every TLS connection. The main counterargument is that quantum computers can break Diffie-Hellman, and can do so retroactively if someone is tapping your communications today and saving them for the future. But post-quantum public key cryptography exists; admittedly it’s not as vetted yet as the traditional kind. but it will be soon enough, so even if there’s some rationale for using QKD today, it’s not the “future-looking” technology it’s sold as.
And in the meantime, if you really want to guarantee the confidentiality of your shared secret that badly, you can just physically drive over to the other organization carrying a copy of it. Inconvenient, but surely less so than running long fiber-optic cables through tunnels solely for that purpose.
The basic idea is that the communication channel key changes very frequently (EDIT: see praseodym's response below). The QKD network itself is basically just a stream of keys. An active attack would require compromise of many keys. If your error rate goes above some threshold (even for re-transmissions of a single message), you know the QKD channel is being tampered with.
Take the whisper protocol for example... instead of having a synchronized state machine that determines shared message keys between both parties, those keys may instead come from an external QKD stream.
To add to that: a QKD with one-time pad[1] is proven secure. However, because many QKD implementations have low secret key rates (the highest in research is 10Mbps[2]; most commercial implementations do only a few Kbps) you won’t be doing high-bandwidth communication using that method.
The author of OP article really needs to read that Toshiba press release. Good layman explanation.
Also, I figured that the bottleneck came from the amount of entangled photons that could be generated. Interesting to know that it's a hardware/software issue on the detector and post-processing side.
QKD does defend against active man-in-the-middle. Working from the premise that qubits in general cannot be cloned (the no-cloning theorem), a protocol can be devised that can detect tempering by an adversary with unlimited computational power and technological abilities. BB84[1] is such a protocol, which is also used in commercial QKD products.
Of course it doesn’t defend against attacks on the devices, buildings or people; these are likely higher ranked risks than crypto attacks for many organisations.
I think OP's point is that no key establishment protocol - quantum or otherwise - protects against a true "man-in-the-middle" who can simply negotiate different keys with both parties and transparently decrypt-encrypt in the middle.
Of course, this isn't what QKD is supposed to solve, anyway. QKD does not address authentication, only key distribution.
> I still don’t understand the point of quantum key distribution.
The point is to make wild claims about a future Quantum Internet, which then leads to large amounts of research funding. It's very successful in achieving that.
> If any of the pulses’ paths are interrupted and they don’t arrive at the endpoint at the expected nanosecond, the sender and receiver know their communication has been compromised.
This isn't how QKD works - it isn't based on timing or delays. The common BB84 protocol (and the decoy-state modification) are based on the fact that measuring a photon necessarily changes it. Essentially, it is easy to distinguish a photon that's been measured twice from a photon that's been measured once (statistically speaking). Because an eavesdropper would necessarily have to measure photons in order to extract any useful information about the communication, their presence can be easily detected.
29 comments
[ 4.4 ms ] story [ 122 ms ] threadWe are living in the future already.
The research network in The Netherlands is more ambitious than that. The researchers’ goal is to build a true quantum internet, with ‘quantum repeaters’ that allow connections over longer distances [2]. These quantum repeaters work on the principe of quantum entanglement generation and purification to achieve quantum teleportation of qubits to allow end to end communication [3].
If you’re interested in learning more about this, I can highly recommend the free edX course by TU Delft and Caltech on quantum cryptography [4].
[1]: https://www.idquantique.com/quantum-safe-security/overview/q... [2]: https://qutech.nl/roadmap/quantum-internet/ [3]: https://en.m.wikipedia.org/wiki/Quantum_network#Quantum_repe... [4]: https://www.edx.org/course/quantum-cryptography-0
1. Huge ad at the top.
2. Large persistent bar under that telling me I’m on Bloomburg’s Site.
3. Headline in large bold font.
4. Author and dateline
5. Huge blue (sharing?) icon with white dots
6. Huge persistent bar begging me to log in or subscribe.
7. Large persistent ad at the bottom.
After much scrolling you can get to the article. The state of mobile web journalism I guess.
Firefox for Android has it as well, combined with ublock origin it makes reading long form on a phone pleasant.
https://github.com/user234683/no-js-fixer
It's meant to be used in conjuction with disabling javascript or using js-blockers like uMatrix, however, so I'm not sure if that's your use case (if you're frequently annoyed by ads, popups, auto-play videos, etc, you might want to look into something like uMatrix or uBlock anyway.)
This particular site works without javascript except that the article text is blurred. I might consider making the script just remove blurs completely and fix that type of defect in general, because I can't think of a legitimate use of blur that isn't just unnecessary eye candy.
Sites like this make me hate the web. I have even started to like pages that I hated when they were launched because they were slow (prime example: Swedish state television: www.svt.se). They now shine like beacons of hope.
There's a lot the NSA hasn't broken. Why not just use higher block sizes like RSA-2048 or large DHE parameters instead of a quantum network?
But that also means that, as a research community, we've mostly accepted that that's okay. Likewise as a heuristic we can generally say the same thing about any cryptographic algorithm that hasn't been publicly broken. And that means that evaluating the security of publicly unbroken cryptography by postulating the hypothetical strength of the NSA isn't very useful.
We know the following based on an examination of history:
1) Most vulnerabilities which compromise confidentiality or authenticity actually happen in cryptographic implementations or infrastructure code, not algorithm design;
2) RSA has not been publicly broken. Moreover, we have no research providing a way to break RSA given current technology (nor even a path forward);
3) Quantum key distribution is extremely immature technology, which trades off decades of well-studied literature about computational security to pursue information theoretic assurances.
Quantum key distribution is an extremely overengineered and brittle solution. That's not to say it isn't technically cool...but it's difficult to reconcile with everything we know about modern cryptography.
Sorry, what a load of bullshit...
Also the solution to weak DH is certainly not qkd. It's not using DH with weak parameters.
so the stream can't be split because the bits are so small?
Armed guards at the relays.. I wonder what they are transmitting on that cable. In any case it seems they take the thread of fiber tapping very seriously. I bet the US government have similar experiments only they don't talk about it.
And in the meantime, if you really want to guarantee the confidentiality of your shared secret that badly, you can just physically drive over to the other organization carrying a copy of it. Inconvenient, but surely less so than running long fiber-optic cables through tunnels solely for that purpose.
Take the whisper protocol for example... instead of having a synchronized state machine that determines shared message keys between both parties, those keys may instead come from an external QKD stream.
[1] https://en.m.wikipedia.org/wiki/One-time_pad [2] https://www.toshiba.co.jp/about/press/2017_09/pr1501.htm
Also, I figured that the bottleneck came from the amount of entangled photons that could be generated. Interesting to know that it's a hardware/software issue on the detector and post-processing side.
Of course it doesn’t defend against attacks on the devices, buildings or people; these are likely higher ranked risks than crypto attacks for many organisations.
[1]: https://en.wikipedia.org/wiki/BB84
Of course, this isn't what QKD is supposed to solve, anyway. QKD does not address authentication, only key distribution.
The point is to make wild claims about a future Quantum Internet, which then leads to large amounts of research funding. It's very successful in achieving that.
This isn't how QKD works - it isn't based on timing or delays. The common BB84 protocol (and the decoy-state modification) are based on the fact that measuring a photon necessarily changes it. Essentially, it is easy to distinguish a photon that's been measured twice from a photon that's been measured once (statistically speaking). Because an eavesdropper would necessarily have to measure photons in order to extract any useful information about the communication, their presence can be easily detected.