[HN Gopher] Toshiba reports milestone in quantum cryptography
___________________________________________________________________
Toshiba reports milestone in quantum cryptography
Author : elahieh
Score : 120 points
Date : 2021-08-26 08:05 UTC (14 hours ago)
(HTM) web link (www3.nhk.or.jp)
(TXT) w3m dump (www3.nhk.or.jp)
| tofukid wrote:
| Can someone explain how this is a breakthrough compared to
| China's satellite system which achieved QKD in 2016? They also
| claim "ground-based QKD to beyond 500 km using a new technology
| called twin-field QKD"
|
| https://scitechdaily.com/china-builds-the-worlds-first-integ...
| heavenlyblue wrote:
| By the way, how does this work over the radio? Does that mean
| that adding an antenna that captures the signal in the middle
| would affect the statistics of the received signal? What does
| it mean to have a "receiving antenna" in this case if any
| antenna can receive signals of any frequency?
| ekianjo wrote:
| Quality NHK reporting very poor on actual details as usual.
| devwastaken wrote:
| We need a down to earth real guide on quantum, because many are
| convinced that superposition and entanglement are somehow
| communication and/or trust mechanisms. In reality entanglement
| simply means that one particle spins the opposite of another
| particle it's entangled with. They could already have been this
| way from entanglement, but we don't know its actual state until
| observation (with scientific instruments small enough to read the
| spin of a particle, not eyes).
|
| I'm probably completely wrong too.
| drdeca wrote:
| No, entanglement does not just mean "it is in one of these two
| states but we haven't measured which".
|
| Entanglement is what you get when you have a state in the
| tensor product of two systems which is not a tensor product of
| a single state from each system, but is instead a linear
| combination of such products.
|
| There are, in fact, experiments that can be (and have been)
| done which distinguish between "these two particles are
| entangled" and "we don't know which of two combinations of
| states these two particles are in".
|
| However, if you only have one particle of the entangled pair,
| and don't have any other way of getting information from the
| other particle, you can't distinguish it from just a
| probability mixture of (superpositions of) states of the one
| particle. I say "(superpositions of) states of the one
| particle" to emphasize that the states don't have to be in one
| of the standard basis states with a nice name like "up" or
| "down", (though you could use a different basis in which it is
| a basis state).
| randomopining wrote:
| What does this mean for teh bitcoins?
| aomobile wrote:
| Even if quantum crypto reaches distances of 100'000km it would
| still not mean we can use it at home I suppose, because just
| having one switch/router between Alice and Bob would break the
| scheme, no?
| hannob wrote:
| I'm not entirely sure why this comment gets downvoted, because
| it's spot on. QC is impractical for any real-world network, and
| the idea that it could ever play a role in the real-world
| Internet is just fantasy.
|
| But also we don't need to. Cryptography without quantum is just
| fine.
| tinco wrote:
| There's a better article here (which is the source):
|
| https://www.toshiba.eu/pages/eu/Cambridge-Research-Laborator...
|
| Basically their achievement is that they have done quantum key
| distribution over a distance of 600km, which is apparently a
| world first. And I suppose it demonstrates commercial viability.
|
| For people not familiar with the idea: They didn't send a genome
| over the quantum channel, they sent a private key over the
| quantum channel, and then encrypted the genome with that key
| using conventional encryption, and then sent that encrypted
| genome over a conventional network.
|
| Without QKD this process would have been done using public key
| encryption, which means the sender would have to have received
| the public key from a trusted source, usually you trust that
| source because a third source trusts it, etc, this is called the
| chain of trust. You can see how if a malicious party injects
| itself into the chain of trust the confidentiality is broken.
| With QKD you only have to trust that the person you want to talk
| to is on the other side of the quantum link you've established,
| i.e. the security is put firmly in the physical realm. Because of
| the quantum entangling properties of this link, a malicious party
| can't inject itself physically in the middle of this link, and
| cannot eavesdrop or manipulate it.
| fsh wrote:
| This is not quite correct. QKD could in principle be safe
| against eavesdropping (even though the track record so far has
| been very poor due to experimental imperfections), but it has
| no inherent protection against man-in-the-middle attacks.
|
| If you think about it, this is fundamentally not possible.
| There is no way of authenticating who sits on the other end of
| your fiber connection without having previously exchanged a
| key. This could either be a shared secret key, or standard
| public key cryptography.
|
| From an it-security perspective, QKD is simply a very expensive
| and impractical stream cipher that (slowly) grows a short
| shared secret key into an arbitrarily long one. The only
| fundamental advantage over a symmetric encryption algorithm
| like AES is that an attack would have to happen during the QKD
| process when the (signed) basis settings are exchanged. It is
| not possible to simply record all the communication with the
| hope of maybe being able to break the algorithm in the far
| future.
| wholinator2 wrote:
| The way it was explained to me was that the key was sent in
| some kind of quantum superposition that only resolved when
| observed. And that somehow at the receiving end, they could
| tell if the quantum state had been collapsed. Not
| surprisingly we didn't get too much into the quantum
| mechanics in a cryptography class but that's how it was
| explained
| devwastaken wrote:
| Quantum fluffery. We as humans simply don't know what the
| state of the entangled particle is. There's no
| communication between the particles. All it guarantees is
| that if 1 particle spins in a direction, its entangled
| partner spins in another. There is no measurement of
| collapse, you have to trust it just the same.
| gliptic wrote:
| But the man in the middle would just do the receiving and
| then resending it to the real recipient with a new key.
| arksingrad wrote:
| MITM can only re-send the correct key if he knows the
| correct basis to measure in for every qubit. The
| probability that he measures in the correct basis for
| every qubit is exponentially unlikely as the length of
| the bitstring grows. He can't just forward along the
| proper qubit to the receiver in this case.
| gliptic wrote:
| But he has man-in-the-middle'd the channel over which
| that is communicated too. If the benefit is merely that
| he would need to hijack two different channels, you could
| just do classical crypto and splitting the key into two
| parts (e.g. XOR with random bits) and send those over two
| channels.
| baby wrote:
| No but see, they would need to have QKD technology which
| is too complex and expensive.
| bitwize wrote:
| If the "man" in the middle is the NSA, no expense will be
| spared.
| arksingrad wrote:
| You (Alice and Bob, where Alice is Tx/Bob is Rx) need to
| have agreed upon the basis in which you measure for each
| bit ahead of time. If you get MITM'd and they don't know
| the basis to measure in, then:
|
| - They have a 50% chance of measuring in the correct basis
| and re-sending the proper qubit
|
| - They have a 50% chance of measuring in the incorrect basis,
| in which case their measurement means nothing and the qubit
| they send is in a superposition in the correct basis, leading
| to a chance Bob measures the wrong value
|
| Over a very long string, it becomes exponentially unlikely
| that the MITM could guess the proper basis and then re-send
| the proper qubit to Bob. As that binary string grows in
| length, it's essentially impossible to MITM with any
| meaningful likelihood.
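| The two mechanisms argued over above, the basis-mismatch statistics that
| expose an intercept-resend attacker and the pre-shared key that
| authenticates the basis announcement, fit in one short simulation. This is
| an added example, not code from Toshiba or from anyone in the thread. It
| assumes an ideal lossless channel, uses HMAC where a deployed system would
| use a Wegman-Carter MAC, and the 11% abort threshold is a textbook BB84
| parameter chosen for the example:

```python
import hashlib
import hmac
import random

# Abort threshold for the estimated error rate. 11% is the usual textbook
# figure for BB84 with one-way post-processing; it is a parameter of this
# example, not a figure from the Toshiba work.
QBER_ABORT_THRESHOLD = 0.11


def measure(prep_basis, bit, meas_basis, rng):
    """Ideal single-qubit measurement.

    Same basis: the encoded bit comes out. Different basis: the outcome is a
    fair coin, and the qubit now sits in meas_basis, so whoever re-sends it
    has lost the original encoding.
    """
    if prep_basis == meas_basis:
        return bit
    return rng.getrandbits(1)


def auth_tag(psk, message):
    """Tag a classical-channel announcement with the pre-shared key.

    Deployed QKD stacks use information-theoretic (Wegman-Carter) MACs here;
    an HMAC stands in for one so the example stays on the standard library.
    """
    return hmac.new(psk, message, hashlib.sha256).digest()


def verify_tag(psk, message, tag):
    return hmac.compare_digest(auth_tag(psk, message), tag)


def run_bb84(n, psk, eve=False, seed=1):
    """Simulate one BB84 round of n qubits. The returned dict carries the
    sifted keys, the estimated QBER and the abort decision."""
    rng = random.Random(seed)
    a_bits = [rng.getrandbits(1) for _ in range(n)]
    a_bases = [rng.getrandbits(1) for _ in range(n)]  # 0 rectilinear, 1 diagonal
    qubits = list(zip(a_bases, a_bits))               # what travels on the fibre

    if eve:
        # Intercept-resend: Eve guesses a basis per qubit, measures, re-sends.
        # Half her guesses are wrong; each wrong guess hands Bob a random bit,
        # so about a quarter of the sifted bits end up disagreeing.
        resent = []
        for basis, bit in qubits:
            e_basis = rng.getrandbits(1)
            resent.append((e_basis, measure(basis, bit, e_basis, rng)))
        qubits = resent

    b_bases = [rng.getrandbits(1) for _ in range(n)]
    b_bits = [measure(pb, bit, bb, rng)
              for (pb, bit), bb in zip(qubits, b_bases)]

    # Sifting: bases are announced on the classical channel, each announcement
    # tagged with the PSK. Without this shared secret an attacker simply runs
    # a separate QKD session with each side and nobody notices.
    a_msg, b_msg = bytes(a_bases), bytes(b_bases)
    a_announcement = (a_msg, auth_tag(psk, a_msg))  # sent by Alice
    b_announcement = (b_msg, auth_tag(psk, b_msg))  # sent by Bob
    if not (verify_tag(psk, *a_announcement) and verify_tag(psk, *b_announcement)):
        return {"aborted": True, "reason": "announcement failed authentication"}

    keep = [i for i in range(n) if a_bases[i] == b_bases[i]]
    sifted_a = [a_bits[i] for i in keep]
    sifted_b = [b_bits[i] for i in keep]

    # Sacrifice every other sifted bit to estimate the error rate; the rest is
    # the raw key (error correction and privacy amplification would follow).
    sample = [(x, y) for i, (x, y) in enumerate(zip(sifted_a, sifted_b)) if i % 2 == 0]
    errors = sum(1 for x, y in sample if x != y)
    qber = errors / len(sample) if sample else 1.0
    return {
        "aborted": qber > QBER_ABORT_THRESHOLD,
        "qber": qber,
        "key_alice": [x for i, x in enumerate(sifted_a) if i % 2],
        "key_bob": [y for i, y in enumerate(sifted_b) if i % 2],
    }


if __name__ == "__main__":
    psk = b"short secret shared out of band"
    for eve in (False, True):
        r = run_bb84(4000, psk, eve=eve, seed=7)
        print(f"eve={eve}: qber={r['qber']:.3f} aborted={r['aborted']}")
```

| Run it and the quiet channel gives a QBER of zero and matching keys, while
| the intercept-resend run lands near 25% and aborts. Note what the
| authentication step does and does not do: `verify_tag` with the wrong key
| fails, which is exactly why the PSK has to exist before the first qubit is
| sent, and why the protocol only grows a short secret into a long one rather
| than creating trust from nothing.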
| tinco wrote:
| I don't know why someone downvoted you, but the flaw
| people are pointing out is that the initial agreeing upon
| a basis is equivalent to exchanging a preshared key. If
| you've got a preshared key, then why go through the
| trouble of setting up a QKD for sending PSK's? There's
| bound to be good reasons, but your comment doesn't
| address this.
| heavenlyblue wrote:
| Yeah, the only reason this is possible in the situation is
| because you already know there's only one possible person on
| the other end (you have already exchanged some meta-
| information about the channel).
|
| QE doesn't stop anyone from creating a new node in the middle
| of a single edge and then re-establishing the QE channel in
| between.
| cryptonector wrote:
| > Without QKD this process would have been done using public
| key encryption, which means the sender would have to have
| received the public key from a trusted source, ...
|
| > With QKD you only have to trust that the person you want to
| talk to is on the other side of the quantum link you've
| established, ...
|
| Re-read that please. How is that different?
|
| How do you know that there isn't a QKD MITM in your wire? It
| would be trivial to set one up. QKD is trivially vulnerable to
| MITM attacks because there's no quantum authentication system.
| All it costs is a pair of QKD devices, and physical access --
| anywhere in the 600km will do.
|
| But with classical crypto we get to arrange authentication that
| works. You don't have to trust a third party, just the
| employees doing the set up.
|
| Anyone who tells you QKD is better than classical crypto is
| straight up lying to you.
| tinco wrote:
| Alright, so my initial response is this: Luckily I'm not in
| charge of setting up a QKD network at the moment. I have no
| idea what the actual usecase is for these things. I fully
| agree that simply sending a "runner" with the PSK in some
| sort of tamper proof container (glitter nail polish?)
| achieves basically the same thing, and about a thousand
| orders of magnitude cheaper.
|
| But then I thought about it for a while longer, and I came up
| with this: Maybe the advantage is that the private key never
| actually can be read by anyone, not even the two
| communicating parties, thus basically eradicating the
| possibility of spies or betrayal within your engineering
| ranks.
|
| If you can guarantee the physical integrity of the line for
| the entire 600km, you're also basically set. The only actual
| attack on QKD is setting up those MITM's, maybe even only
| during the initial set up? I don't know how often the
| entanglement has to be reset, are they permanently entangled
| or is there a reestablishing every so often?
| PartiallyTyped wrote:
| This [1] is a great read about the chain of trust, it boils
| down to whether you can trust your UEFI, if you can trust your
| UEFI, then you can trust your OS and its trusted public keys
| and the chain doesn't break.
|
| From the essay
|
| > Now, no one has actually observed UEFI being compromised, nor
| has anyone captured any UEFI-compromising Trickbot code. The
| thinking goes that Trickbot only downloads the UEFI code when
| it finds a vulnerable system.
|
| > Running in UEFI would make Trickbot largely undetectable and
| undeletable. Even wiping and restoring the OS wouldn't do it.
| Remember, TPMs are designed to be unpatchable and tamper-
| resistant. The physical hardware is designed to break forever
| if you try to swap it out.
|
| [1] https://pluralistic.net/2020/12/05/trusting-
| trust/#thompsons...
| definataly wrote:
| >> cannot eavesdrop
|
| More precisely, it is possible to know if someone is
| eavesdropping and halt the key sharing.
|
| QKD does not prevent it, but has a provable method to know that
| someone is listening (statistics of the measurements change).
| guyomes wrote:
| > QKD does not prevent it, but has a provable method to know
| that someone is listening
|
| Unless some breakthrough in physics of particles, where all
| is not fully understood yet. A bit like standard
| cryptographic protocols are safe unless some breakthrough in
| mathematics or computer science.
| jl6 wrote:
| > With QKD you only have to trust that the person you want to
| talk to is on the other side of the quantum link you've
| established
|
| I can see how that would be an easy thing to trust if the only
| people capable of building such a link are your fellow
| scientists, but in a scenario where this technology becomes
| common, is it reasonable that users would ever be able to
| verify who is listening at the other end?
|
| If not, what's the use case?
| joconde wrote:
| It would be useful for any organization that has the means to
| implement this. I can see AWS datacenters and rich
| governments rolling out their own QKD.
| bsza wrote:
| > With QKD you only have to trust that the person you want to
| talk to is on the other side of the quantum link you've
| established
|
| To trust that (without PKI), you have to meet your peer in
| person, don't you? If so, at that point you can just hand an
| HSM to them with your symmetric key on it. No need to use a
| quantum device.
| dandanua wrote:
| Yes, but what if you want to generate a new secret key? You
| can encrypt it and send through a channel. But, in theory, an
| eavesdropper can capture it and decrypt at some point in
| future. In QKD an eavesdropper is absolutely helpless, he
| can't capture traffic at all (it will be ruined otherwise).
| bsza wrote:
| But the same applies to the messages themselves, no? QKD is
| only for key exchange, so I assume the resulting keys
| themselves are just random (non-quantum) bits of data, and
| the encrypted messages are sent through plain old TCP/IP.
| If a message is intercepted, the same tactics of waiting
| until the encryption is no longer secure could work.
| dandanua wrote:
| I thought about the scenario when some old secret key is
| revealed. Sure, you can decrypt old messages with it if
| they were transmitted classically. But in a classical
| channel if you're capturing all the traffic then you can
| derive the current secret key and decrypt current
| messages as well. This is not possible in a quantum case.
| bsza wrote:
| What if you store a large number of keys on the module
| right from the start, and get all the new keys from that
| list. That way the key switch message only needs to
| contain the index of the new key. Even better, store a
| huge random seed and generate all subsequent keys from
| that. Then you can also change key size and algorithm as
| needed without ever having to meet your contact in person
| again.
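| The scheme sketched above (one long-lived seed handed over in person, every
| later key derived from it, and a re-key message that carries only an index)
| is a standard KDF construction. The following is an added example, not
| code from the thread or from any vendor: an RFC 5869 HKDF on the standard
| library, with the algorithm name, key length and index bound into the
| derivation so that changing cipher or key size gives an unrelated key, and a
| receiver that refuses to move to a lower index so a replayed switch message
| cannot drag a peer back onto an old key. Salt, message format and the
| `Endpoint` class are assumptions of the example. The trade-off of the
| design is the obvious one: whoever obtains the seed has every key, past and
| future.

```python
import hashlib
import hmac

HASH = "sha256"

# Deployment label; hypothetical. Used as the HKDF salt so two systems that
# happen to share a seed still derive unrelated keys.
CONTEXT = b"hn-qkd-thread-example-v1"


def hkdf_extract(salt, ikm):
    """RFC 5869 extract step: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk, info, length):
    """RFC 5869 expand step: T(i) = HMAC(PRK, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def key_at(seed, index, algorithm, key_len):
    """Derive key number `index` for `algorithm` from the long-lived seed.

    Algorithm name and key length are part of `info`, so moving from a
    16-byte to a 32-byte key yields an unrelated key rather than a longer
    key that starts with the old one.
    """
    prk = hkdf_extract(CONTEXT, seed)
    info = b"%s|%d|%d" % (algorithm.encode(), key_len, index)
    return hkdf_expand(prk, info, key_len)


def build_switch(index, algorithm, key_len):
    """The only thing that crosses the network: an index, never a key."""
    return b"switch|%s|%d|%d" % (algorithm.encode(), key_len, index)


def parse_switch(msg):
    tag, algorithm, key_len, index = msg.split(b"|")
    if tag != b"switch":
        raise ValueError("not a key-switch message")
    return int(index), algorithm.decode(), int(key_len)


class Endpoint:
    """One side of the link: holds the seed and refuses to move backwards."""

    def __init__(self, seed):
        self.seed = seed
        self.last_index = 0
        self.key = None

    def switch(self, msg):
        index, algorithm, key_len = parse_switch(msg)
        if index <= self.last_index:  # replayed or reordered switch message
            raise ValueError("key index must increase")
        self.last_index = index
        self.key = key_at(self.seed, index, algorithm, key_len)
        return self.key


def accepts(endpoint, msg):
    """True if the endpoint applies the switch, False if it rejects it."""
    try:
        endpoint.switch(msg)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    seed = bytes(range(32))  # constructed; a real seed comes from a CSPRNG
    alice, bob = Endpoint(seed), Endpoint(seed)
    msg = build_switch(1, "aes-128-gcm", 16)
    print(alice.switch(msg) == bob.switch(msg), accepts(bob, msg))
```

| The switch message itself still needs integrity protection in practice
| (an attacker who can edit the index in flight can desynchronise the two
| ends, though not learn the key); the monotonic index check above only
| closes the replay case.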
| [deleted]
| helsinkiandrew wrote:
| > The company says a research team has used quantum cryptography
| to securely send and store human genome data
|
| Unless I'm wrong, it appears to be a "milestone" in that they
| sent human genome data rather than some other kind of data (I'm not
| sure how that is significant) and no new quantum cryptography
| breakthrough has been achieved?
| roemerb wrote:
| Yeah I read this the same way. The article is very vague and
| does not mention anything concrete at all.
| tinco wrote:
| It's crazy how they messed up, the original Toshiba press
| release is super clear and even leads with this list of key
| points for media to use right up top:
|
| -New dual band stabilisation technique cancels the problem of
| temperature and strain fluctuations to allow long distance
| quantum communication
|
| -Quantum key distribution demonstrated on fibres of record
| 600km length
|
| -Significant advance towards building a global quantum
| internet
| jacquesm wrote:
| I don't see how the third follows from the second, wouldn't
| a Quantum internet that spans the globe always require
| point-to-point physical links between any two parties that
| want to trust each other?
| detaro wrote:
| "point-to-point" links can be circuit-switched at least,
| so you don't need an actual full mesh.
| Strilanc wrote:
| Why would it need to be end-point to end-point? Just have
| routers continuously build up entanglement with their
| neighbors, do entanglement swapping along packet-switched
| paths, and then use the entanglement to teleport via the
| classical internet.
___________________________________________________________________
(page generated 2021-08-26 23:02 UTC)