[cryptography] Well, that's depressing. Now what?

Randall Webmail rvh40 at insightbb.com
Fri Jan 27 06:04:33 EST 2012

Serious Flaw Emerges In Quantum Cryptography 

Posted: 24 Jan 2012 09:10 PM PST 

The perfect secrecy offered by quantum mechanics appears to have been scuppered by a previously unknown practical problem, say physicists 

The problem of sending messages securely has troubled humankind since the dawn of civilisation and probably before. 

In recent years, however, physicists have raised expectations that this problem has been solved by the invention of quantum key distribution. This exploits the strange quantum property of entanglement to guarantee the secrecy of a message. 

Entanglement is so fragile that any eavesdropper cannot help but break it, revealing the ruse. So cryptographers can use it to send a secure key called a one time pad that can then be used to encrypt a message. If the key is intercepted, the sender simply sends another and repeats this until one gets through. 

So-called quantum key distribution is unconditionally secure--it offers perfect secrecy guaranteed by the laws of physics. 

Or at least that's what everyone thought. More recently, various groups have begun to focus on a fly in the ointment: the practical implementation of this process. While quantum key distribution offers perfect security in practice, the devices used to send quantum messages are inevitably imperfect. 

For example, lasers that are supposed to send one photon at a time can sometimes send several and this allows information to leak to an eavesdropper. 

Last year, we discussed another trick used by a group of quantum hackers to eavesdrop on a commercial quantum cryptography system . This system, although theoretically secure, turned out to be embarrassingly vulnerable in practice. 

That led quantum theorists to begin the search for a device-independent protocol that would be free of the practical imperfections of everyday equipment. Such a system would offer guaranteed security regardless of any weaknesses in the equipment it relies on. 

Today , however, Jonathan Barrett at the Royal Holloway, University of London, and a few pals reveal a problem that looks to scupper this work. The worrying implication of their discovery is that there is no known way to guarantee the security of data sent on any quantum cryptographic system including those that are commercially available today . 

Here's the problem. Some groups claim to have made progress in developing device-independent protocols but Barrett and co have found an issue that all others appear to have overlooked. These protocols all treat quantum cryptography as a single-shot process, as if the equipment is used only once. 

The question that Barrett and co consider is what tricks could a malicious manufacturer exploit in a device that is likely to be used more than ince. The answer is obvious: such a manufacturer could build in a memory that stores information before it is transmitted. This information would then be released when the device is reused. 

"In short, the problem is that an adversary can program devices to store data in one protocol and leak it in subsequent protocols, in ways that are hard or impossible to counter if the devices are reused," say Barrett and co. 

This is a particular worry, they say, because there is no general technique for identifying security loopholes in standard cryptography devices. 

Of course, there are a couple of simple ways round this new problem. The most obvious is to discard a quantum cryptography device after it has been used; to actually make the equipment single-use like a disposable camera. 

But Barrett and friends think this impractical: "While these attacks can be countered by not reusing devices, this solution is so costly that we query whether it is generally practical." 

Another is based on the fact that the security of message is guaranteed until the device is re-used. So quantum cryptography could still be used only for secrets that need to be kept only for a short period of time, until the equipment is re-used. 

Neither of these is going to stop blood pressures rising at the various government and military organisations that have bet the farm on the guarantees that quantum cryptography was thought to provide. That's not to mention the commercial organisations offering quantum cryptography such as ID Quantique. 

There may be other ways round this problem that have yet to emerge. Indeed, Barrett and co's ideas will be an important driver of future work. 

In the meantime, they conclude: "In our view, the attacks are generic and problematic enough to merit a serious reappraisal of the scope for device-independent quantum cryptography as a practical technology." 

That'll mean more than few a few sleepless nights over this. 

Ref: arxiv.org/abs/1201.4407 : Prisoners Of Their Own Device: Trojan Attacks On Device-Independent Quantum Cryptography 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20120127/af7a1d0d/attachment.html>

More information about the cryptography mailing list