53 comments

[ 3.2 ms ] story [ 111 ms ] thread
> The company says a research team has used quantum cryptography to securely send and store human genome data

Unless I'm wrong, it appears to be a "milestone" in that they sent human genome data rather some other kind of data (I'm not sure how that is significant) and no new quantum cryptography breakthrough has been achieved?

Yeah I read this the same way. The article is very vague and does not mention anything concrete at all.
It's crazy how they messed up, the original Toshiba press release is super clear and even leads with this list of key points for media to use right up top:

-New dual band stabilisation technique cancels the problem of temperature and strain fluctuations to allow long distance quantum communication

-Quantum key distribution demonstrated on fibres of record 600km length

-Significant advance towards building a global quantum internet

I don't see how the third follows from the second, wouldn't a Quantum internet that spans the globe always require point-to-point physical links between any two parties that want to trust each other?
"point-to-point" links can be circuit-switched at least, so you don't need an actual full mesh.
Why would it need to be end-point to end-point? Just have routers continuously build up entanglement with their neighbors, do entanglement swapping along packet-switched paths, and then use the entanglement to teleport via the classical internet.
Quality NHK reporting very poor on actual details as usual.
There's a better article here (which is the source):

https://www.toshiba.eu/pages/eu/Cambridge-Research-Laborator...

Basically their achievement is that they have done quantum key distribution over a distance of 600km, which is apparently a world first. And I suppose it demonstrates commercial viability.

For people not familiar with the idea: They didn't send a genome over the quantum channel, they sent a private key over the quantum channel, and then encrypted the genome with that key using conventional encryption, and then sent that encrypted genome over a conventional network.

Without QKD this process would have been done using public key encryption, which means the sender would have to have received the public key from a trusted source, usually you trust that source because a third source trusts it, etc, this is called the chain of trust. You can see how if a malicious party injects itself into the chain of trust the confidentiality is broken. With QKD you only have to trust that the person you want to talk to is on the other side of the quantum link you've established, i.e. the security is put firmly in the physical realm. Because of the quantum entangling properties of this link, a malicious party can't inject itself physically in the middle of this link, and can not eaves drop or manipulate it.

>> can not eaves drop

More precisely, it is possible to know if someone is eavesdropping and halt the key sharing.

QKD does not prevent it, but has a provable method to know that someone is listening (statistics of the measurements change).

> QKD does not prevent it, but has a provable method to know that someone is listening

Unless some breakthrough in physics of particles, where all is not fully understood yet. A bit like standard cryptographic protocol are safe unless some breakthrough in mathematics or computer science.

This is not quite correct. QKD could in principle be safe against eavesdropping (even though the track record so far has been very poor due to experimental imperfections), but it has no inherent protection against man-in-the-middle attacks.

If you think about it, this is fundamentally not possible. There is no way of authenticating who sits on the other end of your fiber connection without having previously exchanged a key. This could either be a shared secret key, or standard public key cryptography.

From an it-security perspective, QKD is simply a very expensive and impractical stream cipher that (slowly) grows a short shared secret key into an arbitrarily long one. The only fundamental advantage over a symmetric encryption algorithm like AES is that an attack would have to happen during the QKD process when the (signed) basis settings are exchanged. It is not possible to simply record all the communication with the hope to maybe being able to break the algorithm in the far future.

Yeah, the only reason this is possible in the situation is because you already know there’s only one possible person on the other end (you have already exchanged some meta-information about the channel).

QE doesn’t stop anyone from creating a new node in the middle of a single edge and then re-establishing the QE channel in between.

The way it was explained to me was that three key was sent in some kind of quantum superposition that only resolved when observed. And that somehow at the receiving end, they could tell if the quantum state had been collapsed. Not surprisingly we didn't get too much into the quantum mechanics in a cryptography class but that's how it was explained
But the man in the middle would just do the receiving and then resending it to the real recipient with a new key.
No but see, they would need to have QKD technology which is too complex and expensive.
If the "man" in the middle is the NSA, no expense will be spared.
MITM can only re-send the correct key if he knows the correct basis to measure in for every qubbit. The probability that he measures in the correct basis for every qubit is exponentially unlikely as the length of the bitstring grows. He can't just forward along the proper qubit to the receiver in this case.
But he has man-in-the-middle'd the channel over which that is communicated too. If the benefit is merely that he would need to hijack two different channels, you could just do classical crypto and splitting the key into two parts (e.g. XOR with random bits) and send those over two channels.
Quantum fluffery. We as humans simply don't know what the state of the entangled particle is. There's no communication between the particles. All it guarantees is that if 1 particle spins in a direction, it's entangled partner spins in another. There is no measurement of collapse, you have to trust it just the same.
You (Alice and Bob, where Alice is Tx/Bob is Rx) need to have agreed upon the basis in which you measure for each bit ahead of time. If you get MITM'd and they don't know the basis to measure in, then:

- They have a 50% chance of measuring in the correct basis and re-sending the proper qubit - They have a 50% change of measuring in the incorrect basis, in which case their measurement means nothing and the qubit they send is in a superposition in the correct basis, leading to a chance Bob measures the wrong value

Over a very long string, it becomes exponentially unlikely that the MITM could guess the proper basis and then re-send the proper qubit to Bob. As that binary string grows in length, it's essentially impossible to MITM with any meaningful likelihood.

I don't know why someone downvoted you, but the flaw people are pointing out is that the initial agreeing upon a basis is equivalent to exchanging a preshared key. If you've got a preshared key, then why go through the trouble of setting up a QKD for sending PSK's? There's bound to be good reasons, but you're comment doesn't address this.
This [1] is a great read about the chain of trust, it boils down to whether you can trust your UEFI, if you can trust your UEFI, then you can trust your OS and its trusted public keys and the chain doesn't break.

From the essay

> Now, no one has actually observed UEFI being compromised, nor has anyone captured any UEFI-compromising Trickbot code. The thinking goes that Trickbot only downloads the UEFI code when it finds a vulnerable system.

> Running in UEFI would make Trickbot largely undetectable and undeletable. Even wiping and restoring the OS wouldn't do it. Remember, TPMs are designed to be unpatchable and tamper-resistant. The physical hardware is designed to break forever if you try to swap it out.

[1] https://pluralistic.net/2020/12/05/trusting-trust/#thompsons...

> With QKD you only have to trust that the person you want to talk to is on the other side of the quantum link you've established

I can see how that would be an easy thing to trust if the only people capable of building such a link are your fellow scientists, but in a scenario where this technology becomes common, is it reasonable that users would ever be able to verify who is listening at the other end?

If not, what’s the use case?

It would be useful for any organization that has the means to implement this. I can see AWS datacenters and rich governments rolling our their own QKD.
You can't authenticate it. It's not secure. Full stop.
Why would it be impossible for a government or large cloud company to control all the nodes in a QKD system? In that case, they could rely on the physics to detect eavesdropping. The problem for simple customers is that they can't be sure that the transmission isn't MITM'd somewhere, but that's only because they don't build and maintain the whole channel themselves.
> With QKD you only have to trust that the person you want to talk to is on the other side of the quantum link you've established

To trust that (without PKI), you have to meet your peer in person, don't you? If so, at that point you can just hand an HSM to them with your symmetric key on it. No need to use a quantum device.

Yes, but what if you want to generate a new secret key? You can encrypt it and send through a channel. But, in theory, an eavesdropper can capture it and decrypt at some point in future. In QKD an eavesdropper is absolutely helpless, he can't capture traffic at all (it will be ruined otherwise).
But the same applies to the messages themselves, no? QKD is only for key exchange, so I assume the resulting keys themselves are just random (non-quantum) bits of data, and the encrypted messages are sent through plain old TCP/IP. If a message is intercepted, the same tactics of waiting until the encryption is no longer secure could work.
I thought about the scenario when some old secret key is revealed. Sure, you can decrypt old messages with it if they were transmitted classically. But in a classical channel if you're capturing all the traffic then you can derive the current secret key and decrypt current messages as well. This is not possible in a quantum case.
What if you store a large number of keys on the module right from the start, and get all the new keys from that list. That way the key switch message only needs to contain the index of the new key. Even better, store a huge random seed and generate all subsequent keys from that. Then you can also change key size and algorithm as needed without ever having to meet your contact in person again.
Not just a symmetric key, but probably also ECDH and RSA keys.
> Without QKD this process would have been done using public key encryption, which means the sender would have to have received the public key from a trusted source, ...

> With QKD you only have to trust that the person you want to talk to is on the other side of the quantum link you've established, ...

Re-read that please. How is that different?

How do you know that there isn't a QKD MITM in your wire? It would be trivial to set one up. QKD is trivially vulnerable to MITM attacks because there's no quantum authentication system. All it costs is a pair of QKD devices, and physical access -- anywhere in the 600km will do.

But with classical crypto we get to arrange authentication that works. You don't have to trust a third party, just the employees doing the set up.

Anyone who tells you QKD is better than classical crypto is straight up lying to you.

Alright, so my initial response is this: Luckily I'm not in charge of setting up a QKD network at the moment. I have no idea what the actual usecase is for these things. I fully agree that simply sending a "runner" with the PSK in some sort of tamper proof container (glitter nail polish?) achieves basically the same thing, and about a thousand orders of magnitude cheaper.

But then I thought about it for a while longer, and I came up with this: Maybe the advantage is that the private key never actually can be read by anyone, not even the two communicating parties, thus basically eradicating the possibility of spies or betrayal within your engineering ranks.

If you can guarantee the physical integrity of the line for the entire 600km, you're also basically set. The only actual attack on QKD is setting up those MITM's, maybe even only during the initial set up? I don't know how often the entanglement has to be reset, are they permanently entangled or is there a reestablishing every so often?

> Maybe the advantage is that the private key never actually can be read by anyone [...]

You're going to be using classical crypto for bulk no matter what, so, no, you don't get that advantage, and anyways, what does anyone care what a session key is when they can get the session plaintext? Worried about decryption of ciphertext the attacker did not earlier get the plaintext to? Just re-key often.

> If you can guarantee the physical integrity of the line for the entire 600km, you're also basically set.

You must be joking.

With classical crypto I just don't have to care if the physical link is secure (except for DoS concerns -- please don't backhoe-cut my links!). For bulk symmetric crypto PQ is not even that much of a concern. And if we ever get to a PQ world, the lack of quantum authentication technology means that QKD will not be a solution to our PQ problems.

No matter how hard anyone tries to find QKD to be better than classical crypto, it just isn't.

> You're going to be using classical crypto for bulk no matter what, so, no, you don't get that advantage, and anyways, what does anyone care what a session key is when they can get the session plaintext?

You're right, there's no fundamental advantage there it seems. It could still just be a convenient way of rekeying very often (assuming it can "conveniently" be verified to be free of mitm)

> You must be joking.

Only half, for my day job I work with UAV operations, and inspecting 600km of lines daily would be peanuts for something with military scale funding.

> No matter how hard anyone tries to find QKD to be better than classical crypto

Well I hope you don't think I was doing that, I'm just trying to figure out a use for it.

> It could still just be a convenient way of rekeying very often (assuming it can "conveniently" be verified to be free of mitm)

No. ECDH is just fine. PQ crypto is also just fine.

And no, QKD cannot be "conveniently" verified to be free of MITMs -- this is more important than whether QKD can be a "convenient way of rekeying very often" (which it isn't anyways).

> Only half, for my day job I work with UAV operations, and inspecting 600km of lines daily would be peanuts for something with military scale funding.

A UAV cannot police 600km of fiber optics 24/7. 10 UAVs cannot either. The cost of this is nuts compared to the cost of using classical crypto -- and for what benefit?! There is no benefit to QKD, not any benefit at all.

> Well I hope you don't think I was doing that, I'm just trying to figure out a use for it.

It may be useful to train quantum physicists. Hmm, that may be its only use -- I can't think of any others.

The idea behind QKD is that it's secure if you have a MITM proof (but not passive observation proof) channel, even if all asymmetric algorithms are broken by quantum computers.

Of course, this depends on your equipment not leaking extra photons or having other sidechannels... which seems harder than ordinary asymmetric crypto.

But you would combine QKD with asymmetric crypto so that both would have to be broken to lose your link security.

I don't think it's that generally interesting, but if you already have dedicated private fiber between your super secret secure facilities, -- why not?

QKD is trivially vulnerable to MITMs who have compatible QKD devices. QKD is only immune to eavesdroppers and active attacks by attackers who don't have QKD compatible devices.

QKD only works for point-to-point links.

If PQ happens and we have no PQ classical asymmetric algorithms, QKD cannot save us. We do not have time to rebuild the Internet around hop-by-hop security in a world of QKD, and anyways, QKD can be trivially MITMed, so this just doesn't work.

Fortunately we do have some PQ classical algs. Fortunately we're not in a PQ world yet. If we end up being unfortunate (PQ happens before we deploy PQ classical algs) then QKD cannot help us.

> I don't think it's that generally interesting, but if you already have dedicated private fiber between your super secret secure facilities, -- why not?

Because I might as well use classical symmetric keying and not worry about PQ.

You are ignoring one important aspect, namely timing. The speed of light is well known so if the latency suddenly increases when accessing information that is not available at the MITM you know the connection is compromised.
Well, so how much latency would an MITM add? If it's small enough, then forget it, this won't do.
If think the sender can force an arbitrary latency in decoding with a signal with noise added but i might be wrong. If the MITM sends a signal before the measurement is complete (ccertainty that the noise is leaning one way is above threshold) he either produces unlikely signals (detectable, since all the information is sent after the decode, htus the signals entropy will vay with time n a stair step way) or he occasionally transmits a wrong signal.
> Because I might as well use classical symmetric keying and not worry about PQ.

In that case the attacker could potentially compromise your security with an analysis breakthrough on the symmetric cipher, and a passive (e.g. bend the fiber a bit and see the light that comes out the side) attack.

The QCD requires an active attack, you have to actually insert active equipment into the line, not just peel off some stray photons.

So assume you're already using multiple layers of independently keyed state of the art cryptography, and still have money left over in your link security budget...

How much is it worth to you to make it so that attackers have to insert equipment vs just siphon off a bit of extra light with a tiny bend in the fiber (assuming they have space alien grade mathematical breakthroughs)?

It's probably worth more than nothing.

Now, I would agree that any who is promoting this stuff with claims greater than "probably worth slightly more than nothing" is misleading people.

And as an area of pure research it gives us a lot of room to learn about practical realizations of quantum-sensitive systems, optics, photonics, electronics, etc. There is plenty of research with no known practical application at all. Having a really minor application isn't a great sin.

I see this type of explanation frequently, and it’s misleading.

QKD does roughly what Diffie-Hellman does. One way to look at Diffie-Hellman is that two parties have a public but tamper-proof communication channel: Alice and Bob can talk to each other, everyone can hear them, but no one can impersonate them. (This could be literal shouting in a crowded room, cryptography could be used to authenticate messages, etc.) Using Diffie-Hellman, Alice and Bob exchange secret shares over the public channel, derive a secret key, and, assuming no one has a mathematical breakthrough or a quantum computer, no one else knows the key.

With QKD, Alice and Bob have the same public channel, but they also have a quantum communication channel, e.g. a fiber. This quantum channel is assumed to be completely insecure. Using both channels together and some math, Alice and Bob derive a secret key. For their trouble, they have a stronger sort of security compared to Diffie-Hellman — they don’t need to trust that their attacker doesn’t have some kind of breakthrough. There is an information theoretic proof that the scheme is secure as long as everyone plays by the rules. (Playing by the rules means no side channel or glitch attacks. A classical glitch might involve putting a very high voltage onto someone’s network cable to cause their NIC to malfunction. A quantum glitch attack might involve shining an extremely bright light into the fiber to cause someone’s hardware to misbehave.)

This is all that QKD does. It’s not magic, and the tamper-proof classical channel is required.

Can someone explain how this is a breakthrough compared to China's satellite system which achieved QKD in 2016? They also claim "ground-based QKD to beyond 500 km using a new technology called twin-field QKD"

https://scitechdaily.com/china-builds-the-worlds-first-integ...

By the way, how does this work over the radio? Does that mean that adding an antenna that captures the signal in the middle would affect the statistics of the received signal? What does it mean to have a “receiving antenna” in this case if any antenna can receive signals of any frequency?
Even if quantum crypto reaches distances of 100‘000km it would still not mean we can use it at home I suppose, because just having one switch/router between Alice and Bob would break the scheme, no?
I'm not entirely sure why this comment gets downvoted, because it's spot on. QC is impractical for any real-world network, and the idea that it could ever play a role in the real-world Internet is just fantasy.

But also we don't need to. Cryptography without quantum is just fine.

(comment deleted)
We need a down to earth real guide on quantum, because many are convinced that superposition and entanglement are somehow communication and/or trust mechanisms. In reality entanglement simply means that one particle spins the opposite of another particle it's entangled with. They could already have been this way from entanglement, but we don't know it's actual state until observation (with scientific instruments small enough to read the spin of a particle, not eyes).

I'm probably completely wrong too.

No, entanglement does not just mean “it is in one of these two states but we haven’t measured which”.

Entanglement is what you get when you have a state in the tensor product of two systems which is not a tensor product of a single state from each system, but is instead a linear combination of such products.

There are, in fact, experiments that can be (and have been) done which distinguish between “these two particles are entangled” and “we don’t know which of two combinations of states these two particles are in”.

However, if you only have one particle of the entangled pair, and don’t have any other way of getting information from the other particle, you can’t distinguish it from just, a probability mixture of (superpositions of) states of the one particle. I say “(superpositions of) states of the one particle” to emphasize that the states don’t have to be in one of the standard basis states with a nice name like “up” or “down”, (though you could use a different basis in which it is a basis state).