Bruce Schneier
Schneier on Security

A blog covering security and security technology.

May 10, 2007

Quantum Computation Research Center in Singapore

Singapore is setting up a $98M research center for quantum computation.

Great news, but what in the world does this quote mean?

Professor Artur Ekert, Director, Research Centre of Excellence, said: "At the moment, you can buy quantum cryptography systems, you can use it in some simple applications but somehow you have to trust companies that sell it to you or you have to test the equipment.

Posted on May 10, 2007 at 1:08 PM • 29 Comments

Either it means "Our algorithm is so good that intentional flaws in the hardware implementation don't matter" or "We've designed a system with obvious flaws that we haven't noticed yet". You choose...
Posted by: Anonymous at May 10, 2007 1:35 PM

Sounds to me a little like machine translation gone amok. Anybody know what language the original quote might have been in?
Posted by: Tim R at May 10, 2007 1:42 PM

I read it as an attempt at job security through obfuscation, or just really wild nationalism. Isn't the premise fundamentally flawed? Algorithms so secure that you don't need to trust your own hardware? Someone should tell Microsoft.
Posted by: Kisil at May 10, 2007 1:44 PM

"you don't have to trust equipment you buy from a vendor"
Certainly not. You simply have to trust equipment you buy from them, instead.
Posted by: Andre LePlume at May 10, 2007 1:50 PM

That quote isn't *totally* meaningless, in the sense that in a quantum communication system, you can build into the protocol itself a mechanism whereby the integrity of the communication is continuously verified. This is done by periodically checking that various Bell inequalities are indeed violated.
Violating a Bell inequality implies non-local quantum correlations that cannot be reproduced through 'normal' channels. On the other hand, I would have expected that these sorts of checks are built into existing commercial quantum crypto hardware. I'm sure they must be, actually. So yeah on second thoughts, I really don't understand the quote.
Posted by: htc at May 10, 2007 2:09 PM

Professor Artur Ekert needs to take a grammar course. It would seem the Research Centre of Excellence he is director of is not concerned with any sort of excellence regarding the English language. I will say, Bruce, you write like a poet!
Posted by: Willy Shakespeare at May 10, 2007 2:42 PM

"At the moment, you can buy quantum cryptography systems,"
Posted by: nostromo at May 10, 2007 2:50 PM

@Willy Shakespeare
Posted by: Willy Shakespear is an Idiot at May 10, 2007 3:17 PM

Kisil> I read it as an attempt at job security through obfuscation, or just really wild nationalism.
Having lived in Singapore and having worked in a research center there, I would say that probably both are correct.
Alan
Posted by: Alan Porter at May 10, 2007 3:19 PM

I don't believe this research center is in Singapore. And I don't want to look, because it might collapse the quantum probability field, and we all know what happens then... Help, my quantum probability has collapsed and I can't get up or fall down!
Posted by: Anonymous at May 10, 2007 3:46 PM

If you don't eat your 0xDEADBEEF, you can't have any Quantum Cryptography. How can you have any Quantum Cryptography if you don't finish your 0xDEADBEEF?
Posted by: Alan at May 10, 2007 3:47 PM

If some of your money is entangled with their $98M do you benefit from faster-than-light investment tips based on their findings?
Posted by: it might be some use at May 10, 2007 4:20 PM

hope we're making equally significant investments in critical areas like this one and get there first, otherwise Singapore is gonna own us.
Posted by: another bruce at May 10, 2007 4:32 PM

The comment does seem to have been written in "Quantum" which in this case is almost assuredly Chinese. Having a distant familiarity with the language, I'd say that a description of it as "quantum" is not out of place.
Posted by: ForReal at May 10, 2007 4:58 PM

To those who think quantum cryptography is still far away -- to the contrary, quantum cryptography has existed for quite some time. What doesn't exist is quantum cryptanalysis. We've got the algorithms to break RSA quickly given a quantum computer with certain properties, except there do not exist any quantum computers with the desired properties. In contrast, quantum cryptography merely refers to exploiting various quantum properties to ensure communications security. No quantum computing, or quantum computer, needed. The applicable technology is already within reach and, as the good Dr. said, commercially available.
Posted by: Anonymous at May 10, 2007 6:41 PM

Sounds to me like he's trying to say something important. Cryptographers know that the foundation of good security is Kerckhoffs' Law: a cryptosystem should be secure even if everything about the system, except the key, is public knowledge. This doesn't work for quantum secrecy systems, since they're all proprietary. In principle you could test them if you happened to be a quantum physicist with a fully equipped lab -- all readers with home quantum physics labs raise your hands... Quantum key distribution systems don't interoperate with each other, so you can't even swap one brand with another to figure out whether the differences in documented specs are real or simply due to different ways of phrasing the same thing. Another way of putting this is: "secret secrecy systems cannot be distinguished from snake oil". As long as quantum key distribution systems remain proprietary, they can't be trusted.
Posted by: Alton at May 10, 2007 6:43 PM

Quantum cryptography is real enough, although it should really be called quantum key exchange: http://en.wikipedia.org/wiki/Quantum_cryptography#Quantum_key_exchange
"There are currently three companies offering commercial quantum cryptography systems"
Posted by: rhr at May 10, 2007 8:52 PM

"...to make it so secure that you don't even have to trust equipment that you could buy from a vendor."
I have to trust him that I don't have to trust him?
Posted by: Gabriel at May 11, 2007 12:01 AM

I think quantum cryptography is a waste of time. Schneier has pointed it out himself: the last thing the world needs is yet another bunch of strong encryption algorithms. We've already got piles of the things pouring out our ears--the real weaknesses in our security systems invariably lie elsewhere. Besides, quantum cryptography is sensitive to eavesdropping, whereas conventional cryptography is eavesdropping-immune. That means quantum crypto is going to be vulnerable to denial-of-service attacks: the slightest appearance of something that looks like eavesdropping will be sufficient to trigger the alarm bells, even if no actual information is being collected. It's a solution to the wrong problem.
Posted by: Lawrence D'Oliveiro at May 11, 2007 1:50 AM

I'm currently working on quantum cryptography, and I know I am therefore not objective on this subject. But it allows me to give some context: I guess I can bring some light on Ekert's sentence: "...to make it so secure that you don't even have to trust equipment that you could buy from a vendor." Quantum cryptography is fundamentally different from classical cryptography in that you depend on the physical nature of the system used: it only works if Alice and Bob exchange single photons. Therefore, if you plan to use your system you have to trust both your optical hardware, which sends the photons, and your software, which extracts the secret bits.
While the software problem is easy to solve, with public algorithms, open-source or whatever, the hardware one is more tricky, but solvable. Ekert's sentence probably refers to entanglement-based protocols, where you only have to trust your software. In such protocols, the hardware at Alice and Bob's side outputs bits which can only come from quantum correlation. Basically, their hardware could be Eve-made black boxes, the communication would still be secure, provided a few assumptions are respected, which do not need a fully equipped quantum lab. The downside: such protocols are currently much less practical than "usual" quantum cryptography (lower key rate).
Frédéric Grosshans
PS for Tim R: sorry for my bad English ;-)
Posted by: Frédéric Grosshans at May 11, 2007 2:55 AM

@Frédéric Grosshans: Yes, this is how I interpreted the statement as well. Along with the single photon emission problem, there are also other physical problems such as ensuring two communications points can polarise photons to a precise angle. I assume Prof. Ekert is referring to developing protocols which are resistant to these physical-world problems. Interesting question: (I know nothing about the "entanglement based protocols" you refer to, except that they work by entangling quantum states of paired photons) does the assumption that the device doesn't communicate back to Eve mean that if Eve was physically present and monitoring the device as it executed, she could break the assumption? What is the minimum amount of monitoring she could do to break the security? This is of particular interest for me as I am actively in sidechannel research.
Posted by: Byron Thomas at May 11, 2007 5:29 AM

the weak point is not cryptography. As I see it quantum crypto attempts to make a strong link stronger. What's the point? Make the weakest link stronger first.
Posted by: greg at May 11, 2007 6:24 AM

@Lawrence D'Oliveiro: "the last thing the world needs is yet another bunch of strong encryption algorithms."
Posted by: Paeniteo at May 11, 2007 6:57 AM

Unfortunately, I think the "no need to trust the hardware" claim is somewhat specious. From comments above (particularly by Frédéric Grosshans), it seems that this is most likely referring very narrowly to the quantum-state production/emission/detection hardware. There is still going to be plenty of hardware for interpretation/storage/presentation to and for actual usage (e.g., a text-display terminal) that can be subverted before encryption occurs (or after decryption occurs).
Posted by: X the Unknown at May 11, 2007 11:26 AM

Unless, of course, they are talking about some form of quantum-state bulk data-storage mechanism - which would really be pretty exciting!
Posted by: X the Unknown at May 11, 2007 11:31 AM

to X the unknown: I agree it is a little specious. But the other side channel attacks are also present in other kinds of cryptography, or can be avoided in the same way.
to Byron Thomas:
Posted by: Frédéric Grosshans at May 11, 2007 11:50 AM
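
The Bell-inequality check that htc and Frédéric Grosshans describe in the comments above can be simulated numerically. This is an added example, not code from the blog or from any commenter: it estimates the CHSH value from sampled outcomes for an ideal entangled pair and for a pair that was measured and re-sent in transit. The spin-1/2 angle convention, the measure-and-resend model, the sample count, the acceptance margin and all function names are assumptions made for illustration.

```python
import math
import random

# CHSH settings (spin measurement angles, radians): Alice uses A0/A1, Bob B0/B1.
A0, A1 = 0.0, math.pi / 2
B0, B1 = math.pi / 4, 3 * math.pi / 4
CLASSICAL_BOUND = 2.0  # any non-entangled (local) source obeys |S| <= 2


def sample_singlet(a, b, rng):
    """One pair of +/-1 outcomes from an ideal singlet: E[x*y] = -cos(a - b)."""
    x = rng.choice((1, -1))
    same = rng.random() < (1 - math.cos(a - b)) / 2
    return x, (x if same else -x)


def sample_intercepted(a, b, rng, eve_angle=math.pi / 4):
    """Assumed tampering model: the pair was measured along eve_angle and
    re-sent, so each side holds an independent spin and entanglement is gone."""
    z = rng.choice((1, -1))  # outcome recorded on Bob's particle
    x = -z if rng.random() < (1 + math.cos(a - eve_angle)) / 2 else z
    y = z if rng.random() < (1 + math.cos(b - eve_angle)) / 2 else -z
    return x, y


def correlation(sampler, a, b, rng, n):
    """Estimate E[x*y] for one pair of settings from n sampled pairs."""
    return sum(x * y for x, y in (sampler(a, b, rng) for _ in range(n))) / n


def chsh_value(sampler, n=20000, seed=1):
    """S = E(A0,B0) - E(A0,B1) + E(A1,B0) + E(A1,B1), estimated from samples."""
    rng = random.Random(seed)

    def e(a, b):
        return correlation(sampler, a, b, rng, n)

    return e(A0, B0) - e(A0, B1) + e(A1, B0) + e(A1, B1)


def link_passes_bell_check(sampler, margin=0.1):
    """Accept key material only if |S| clearly exceeds the classical bound."""
    return abs(chsh_value(sampler)) > CLASSICAL_BOUND + margin


if __name__ == "__main__":
    for name, src in (("singlet", sample_singlet),
                      ("intercepted", sample_intercepted)):
        s = abs(chsh_value(src))
        print(f"{name}: |S| = {s:.3f}, pass = {link_passes_bell_check(src)}")
```

The check only looks at the output statistics, which is why the comments argue the photon source and detectors need not be trusted; it says nothing about the classical hardware before encryption or after decryption.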