From: unruh on
On 2010-05-18, Mike Amling <mamling(a)rmcis.com> wrote:
> Francois Grieu wrote:
>> I think I correctly summarize the field by stating a quantum key
>> distribution system aims to solve the problem that if Alice and Bob
>> share an initial secret, then they can securely exchange more
>> information through some link, in a way such that even if the initial
>> secret leaks after that exchange, the secrecy of what was exchanged is
>> not compromised; and do that demonstrably based on quantum physics
>> assumptions.
>>
>> I see three issues with that:
>>
>> 1) At least once in the history of quantum cryptography, the quantum
>> physics assumptions made have been accepted as correct, then shown to
>> not match reality precisely enough, in a way such that these assumptions
>> lead to a correct demonstration that the system is secure when in
>> reality it is not. If the article is correct and the research original,
>> we have another case of that.
>
> There is much I have never seen explained about quantum crypto. E.g.
> if the system involves Alice sending single photons to Bob, how does
> Alice know when her device has emitted a photon? Photon emission is
> probabilistic AFAIK, not like pulling a trigger. And how does she know
> her device has not emitted two photons, one of which could be
> intercepted without her or Bob realizing it?

It depends on the emission source. People are looking for and developing
single photon sources -- i.e. you pull the trigger and one and only one
photon is emitted. Current sources are as you say more problematic. But
imagine sending a single excited H atom into a trap. It will emit its
photon in the next microsecond. Or consider a double cascade -- an atom
emits two photons (of different frequencies) and you emit one and detect
the other. Once you have detected the second you know that the first was
emitted.
Certainly all physical devices have error rates. You simply design your
protocol to take those into account. Thus, if your device emits 2
photons once every 100 times, you make sure that you hash your system so
that any output bit depends on at least two of the input bits, etc.
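
Added example (not code from any poster in this thread) modelling the suggestion above: each raw key bit from a source that emits two photons once in 100 shots is assumed known to Eve, and XORing groups of k raw bits into one output bit (k=2 is the "at least two input bits" case, generalized here to any k) shrinks the leaked fraction from p to about p^k. The XOR-of-groups hash, the independence of emissions and the sample sizes are assumptions for illustration.

```python
"""Toy privacy-amplification model: a raw bit sent with two photons is
assumed leaked to Eve; hashing k raw bits into one output bit (XOR of a
k-bit group, a hypothetical choice for illustration) leaves Eve knowing an
output bit only when she knows every input bit in its group."""
import random


def simulate_raw_key(n_bits, p_multi, rng):
    """Constructed raw key: uniform bits; with probability p_multi the
    emitter produced two photons, so Eve kept one and knows that bit."""
    bits = [rng.randint(0, 1) for _ in range(n_bits)]
    known = [rng.random() < p_multi for _ in range(n_bits)]
    return bits, known


def amplify(bits, known, k):
    """XOR each group of k raw bits into one output bit. Because the raw
    bits are uniform, the parity is known to Eve only if she knows all k
    inputs; knowing fewer tells her nothing about the parity."""
    out_bits, out_known = [], []
    for i in range(0, len(bits) - k + 1, k):
        parity = 0
        for b in bits[i:i + k]:
            parity ^= b
        out_bits.append(parity)
        out_known.append(all(known[i:i + k]))
    return out_bits, out_known


def leaked_fraction(known):
    return sum(known) / len(known)


def expected_leak(p_multi, k):
    """Analytic leaked fraction after k-fold XOR (independent emissions)."""
    return p_multi ** k


def run_demo(n_bits, p_multi, k, seed):
    """Returns (raw leaked fraction, leaked fraction after amplification)."""
    rng = random.Random(seed)
    bits, known = simulate_raw_key(n_bits, p_multi, rng)
    _, out_known = amplify(bits, known, k)
    return leaked_fraction(known), leaked_fraction(out_known)


if __name__ == "__main__":
    for k in (2, 3):
        raw, amp = run_demo(200_000, 0.01, k, seed=2010)
        print(f"k={k}: raw leak {raw:.4f}, after hash {amp:.6f}, "
              f"expected {expected_leak(0.01, k):.6f}")
```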

From: unruh on
On 2010-05-18, Mok-Kong Shen <mok-kong.shen(a)t-online.de> wrote:
> Mike Amling wrote:
>
>> There is much I have never seen explained about quantum crypto. E.g. if
>> the system involves Alice sending single photons to Bob, how does Alice
>> know when her device has emitted a photon? Photon emission is
>> probabilistic AFAIK, not like pulling a trigger. And how does she know
>> her device has not emitted two photons, one of which could be
>> intercepted without her or Bob realizing it?
>
> There is also something apparently relatively new in the field termed
> "location-based quantum cryptography". See
> http://www.technologyreview.com/blog/arxiv/25177/
>
> However, the following quote from that webpage appears to be a bit less
> than very encouraging to the readers in my humble view:
>
> But the scheme will need some careful study. While the approach is
> relatively simple in conception, the proof of its security is
> complex and involved. And theoretical security is not the same as
> practical security which looks harder to verify. Chandran and
> co offer one such scheme at the end of their paper but are unable to
> nail it. "Unfortunately we do not have a security proof, and we
> leave it as an open problem to find an attack or prove its
> security," they say.

??? Have you ever heard of something called research? You start out with
a question whose answer you do not know before hand and try to find the
answer? You seem to feel that any proposal must arise full grown from
the researchers, and if it does not it is "not very encouraging".
There has never been a security proof for say RSA. Does that mean that
you would never use it and find it "not very encouraging"?
>
> M. K. Shen
>
From: Maaartin on
Isn't the whole quantum cryptography simply too impractical, at least
at the moment? It gives us some proven security based on physical
theories which are believed to be right. Conventional cryptography
gives us some proven security based on cryptographic theories which
are believed to be right. While the physical laws are more solid, the
implementation of quantum transmissions is much more complicated, thus
giving more opportunities for errors. Most cryptographic failures are
based on weak implementations as opposed to weak ciphers; only in
cases of working with limited resources the cipher failed (e.g., WEP
disaster).

Or am I talking nonsense? I do not argue against the research, I only
think that the state of the art in quantum cryptography is not
advanced enough.
From: Francois Grieu on
On 18/05/2010 18:20, unruh wrote:
> On 2010-05-18, Francois Grieu<fgrieu(a)gmail.com> wrote:
>> According to this article
>> <http://www.technologyreview.com/blog/arxiv/25189/>
>> and online paper
>> <http://arxiv.org/abs/1005.2376>
>>
>> the feasibility of an attack on a quantum key distribution system used
>> in a commercial quantum crypto product has been demonstrated
>> experimentally. Or something on that tune.
>
> Note that the attack is on a commercial realisation of the distribution
> system and is attacking features of that implementation where it
> deviates from the assumptions that go into the proofs. Furthermore, it
> drops the error rate under eavesdropping (which is what the system uses
> to detect eavesdropping) from 20% to 19.7%, a pretty insignificant
> change.
>
>>
>> I can't form an informed opinion on if the attack would break a
>> commercially deployed quantum link, for I do not grasp the physic and
>> math, and never saw a commercially deployed quantum link.
>
> They are coming into use

Any reference? I have seen press stunts similar to (old)
<http://www.secoqc.net/downloads/pressrelease/Banktransfer_english.pdf>
that quickly vanish, but nothing I would qualify as real life.

>> However I have an opinion regarding the commercial interest of quantum
>> cryptography, and it is a low one.
>>
>> I think I correctly summarize the field by stating a quantum key
>> distribution system aims to solve the problem that if Alice and Bob
>> share an initial secret, then they can securely exchange more
>> information through some link, in a way such that even if the initial
>> secret leaks after that exchange, the secrecy of what was exchanged is
>> not compromised; and do that demonstrably based on quantum physics
>> assumptions.
>>
>> I see three issues with that:
>>
>> 1) At least once in the history of quantum cryptography, the quantum
>> physics assumptions made have been accepted as correct, then shown to
>> not match reality precisely enough, in a way such that these assumptions
>> lead to a correct demonstration that the system is secure when in
>> reality it is not. If the article is correct and the research original,
>> we have another case of that.
>
> The other case was?

I was thinking of the so-called "photon number splitting attack" which, as far as I understand (which is, not deeply), theoretically breaks a straight implementation of the 1984 protocol of Charles Bennett and Gilles Brassard.

> This is like saying "Henry Ford promised us to be
> able to drive these cars, and my tire went flat so I could not drive it.
> There is no commercial future to cars"

Granted, early failures are not enough to disqualify a technology. My point 1) is only that claims of provable unbreakability have been disproved by practice, bringing down one of the main selling points of QKD. Besides, there are accounts of implementations of QKD shown to be unsafe in practice (e.g. the emitter leaks through some side channel, pre-existing or induced on purpose by shining into the transmitter), or near snake oil (single photons replaced by many to get something running despite the lack of sensitivity of the receiver).

>> 2) Physical links known suitable for (at least the standard breed of)
>> quantum crypto are direct optical paths, which precludes routers not
>> designed specifically for quantum crypto, and is a formidable obstacle
>> to long-distance communication; I am unaware of an alleged commercial
>> solution.
>
> Yes, quantum repeaters are a difficulty. Using error correction
> protocols from quantum computing one can imagine such quantum repeaters
> being made, but it will be a while. Ie, there ARE theoretical solutions.

First time I have heard of that. Any reference? How does that error correction interact with the security arguments?

>> 3) Today's cryptography can solve a similar problem: use the initial
>> secret as a key of a strong cryptosystem, then safely discard it after
>> use; this is secure based on assumptions tested and refined by
>> approximately 50 years of theoretical and experimental studies (which is
>> fair in comparison to 1) and field deployment (which is great in
>> comparison to 2).
>
> Well, not really. If you have 10 bits of secret, the attacker can use
> exhaustive search to determine your complete expanded message. Ie, you
> cannot theoretically increase the "entropy" of your secret using
> classical means.

Indeed. This is where QKD has a true edge. But...

> Practically you may be able to (i.e. your initial secret
> is so huge that it becomes infeasible to attack via that road).

I would not say "huge" for a 128 bit shared secret, which is well over 10 decimal orders of magnitude more than we can realistically attack today.

> It may
> be that quantum exchange is like the OTP, theoretically invulnerable,
> but practically problematic, but it is very early days yet to be
> pronouncing on that.

Over 25 years and still no good use case. QKD seems to be a solution solving problems that nobody cares about.

> "Them cars will never catch on. Horses have had
> 2000 years of development and field deployment, there is no way that
> cars will ever replace them"

I do not suggest never. See below the order of magnitude of my aim.

>> Is anyone here defending that within the next 20 years, quantum
>> cryptography is going to be more than either one of
>> - a nice academic subject,
>> - a way to siphon money out of the gullible,
>> - a cover for justifying the transfer of money?

Francois Grieu
From: Mok-Kong Shen on
unruh wrote:
> Mok-Kong Shen wrote:

>> However, the following quote from that webpage appears to be a bit less
>> than very encouraging to the readers in my humble view:
>>
>> But the scheme will need some careful study. While the approach is
>> relatively simple in conception, the proof of its security is
>> complex and involved. And theoretical security is not the same as
>> practical security which looks harder to verify. Chandran and
>> co offer one such scheme at the end of their paper but are unable to
>> nail it. "Unfortunately we do not have a security proof, and we
>> leave it as an open problem to find an attack or prove its
>> security," they say.
>
> ??? Have you ever heard of something called research? You start out with
> a question whose answer you do not know before hand and try to find the
> answer? You seem to feel that any proposal must arise full grown from
> the researchers, and if it does not it is "not very encouraging".
> There has never been a security proof for say RSA. Does that mean that
> you would never use it and find it "not very encouraging"?

Didn't you see the word sequence "a bit" there??

M. K. Shen