Schneier on Security
A blog covering security and security technology.
« Leon County, FL Dumps Diebold Voting Machines |
| Are Port Scans Precursors to Attack? »
December 15, 2005
Totally Secure Classical Communications?
My eighth Wired column:
How would you feel if you invested millions of dollars in quantum cryptography, and then learned that you could do the same thing with a few 25-cent Radio Shack components?
I'm exaggerating a little here, but if a new idea out of Texas A&M University turns out to be secure, we've come close.
Earlier this month, Laszlo Kish proposed securing a communications link, like a phone or computer line, with a pair of resistors. By adding electronic noise, or using the natural thermal noise of the resistors -- called "Johnson noise" -- Kish can prevent eavesdroppers from listening in.
In the blue-sky field of quantum cryptography, the strange physics of the subatomic world are harnessed to create a secure, unbreakable communications channel between two points. Kish's research is intriguing, in part, because it uses the simpler properties of classic physics -- the stuff you learned in high school -- to achieve the same results.
At least, that's the theory.
I go on to describe how the system works, and then discuss the security:
There hasn't been enough analysis. I certainly don't know enough electrical engineering to know whether there is any clever way to eavesdrop on Kish's scheme. And I'm sure Kish doesn't know enough security to know that, either. The physics and stochastic mathematics look good, but all sorts of security problems crop up when you try to actually build and operate something like this.
It's definitely an idea worth exploring, and it'll take people with expertise in both security and electrical engineering to fully vet the system.
There are practical problems with the system, though. The bandwidth the system can handle appears very limited. The paper gives the bandwidth-distance product as 2 x 106 meter-Hz. This means that over a 1-kilometer link, you can only send at 2,000 bps. A dialup modem from 1985 is faster. Even with a fat 500-pair cable you're still limited to 1 million bps over 1 kilometer.
And multi-wire cables have their own problems; there are all sorts of cable-capacitance and cross-talk issues with that sort of link. Phone companies really hate those high-density cables, because of how long it takes to terminate or splice them.
Even more basic: It's vulnerable to man-in-the-middle attacks. Someone who can intercept and modify messages in transit can break the security. This means you need an authenticated channel to make it work -- a link that guarantees you're talking to the person you think you're talking to. How often in the real world do we have a wire that is authenticated but not confidential? Not very often.
Generally, if you can eavesdrop you can also mount active attacks. But this scheme only defends against passive eavesdropping.
For those keeping score, that's four practical problems: It's only link encryption and not end-to-end, it's bandwidth-limited (but may be enough for key exchange), it works best for short ranges and it requires authentication to make it work. I can envision some specialized circumstances where this might be useful, but they're few and far between.
But quantum key distributions have the same problems. Basically, if Kish's scheme is secure, it's superior to quantum communications in every respect: price, maintenance, speed, vibration, thermal resistance and so on.
Both this and the quantum solution share another problem, however; they're solutions looking for a problem. In the realm of security, encryption is the one thing we already do pretty well. Focusing on encryption is like sticking a tall stake in the ground and hoping the enemy runs right into it, instead of building a wide wall.
Arguing about whether this kind of thing is more secure than AES -- the United States' national encryption standard -- is like arguing about whether the stake should be a mile tall or a mile and a half tall. However tall it is, the enemy is going to go around the stake.
Software security, network security, operating system security, user interface -- these are the hard security problems. Replacing AES with this kind of thing won't make anything more secure, because all the other parts of the security system are so much worse.
This is not to belittle the research. I think information-theoretic security is important, regardless of practicality. And I'm thrilled that an easy-to-build classical system can work as well as a sexy, media-hyped quantum cryptosystem. But don't throw away your crypto software yet.
Here's the press release, here's the paper, and here's the Slashdot thread.
EDITED TO ADD (1/31): Here's an interesting rebuttal.
Posted on December 15, 2005 at 6:13 AM
• 51 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Sounds like more of "fixing the wrong problem". But then, so is quantum crypto! The implementations of QC I've been hearing about all need a physically secure link a priori too... in fact, they seem mostly to be using the Q-link just to transmit crypto seeds for the main link.
Note that even a QC system that could actually store Q-bits would have issues similar to one-time pads. That FTL aspect is also overrated -- it only applies among points within the "event cone" (that is, the lightspeed communication range) of the original Q-bit generator.
I'm not quite convinced, I suspect that switching time and signal delays will give away the locatin of the two resistors if the eaves droper makes two measerments on the line seperated by a reasonable distance, you basically see the wave propagate up and down the line untill the steady state is achived.
I must point out this is a gut reaction and it requires some considered thought.
Do you mind if I use your "Focusing on encryption is like sticking a tall stake in the ground and hoping the enemy runs right into it, instead of building a wide wall." comment (for non-commercial purposes of course)? I want to make sure there are no copyright violations :=)
I've thought a little more on it and I'm going to put my neck out and say it's Snake oil and not very pure at that.
I don't agree with the idea that the "quantum solution" is a "solution looking for a problem". When quantum computers exist, we won't be doing cryptography well any more, and we will have to change to the quantum solution.
wrt his patent app, I call prior art:
This was published in Scientific American circa 1992/1993. I remember reading it and xeroxing it for later reference. I might still have it somewhere...
I will have to accept the transmission line isn't resonant at any frequency, or else you've built a ham radio operators noise bridge. I'm also going to believe the resistors are in a temperature controlled enviroment. The energy derived from a resistor is random brownian noise, and higher resistance gives you louder noise, but they both are just as random. I'm going to have to read it more to understand what they're trying to do here. So far, I think they are switching resistors in and out as some sort of binary resistor, like 1k=logic1, 10k=logic0, and they are power matching the resistor random voltage with the same resistor. If this is true, then eavesdropping could be as simple as a high gain, low noise, high impedance a.c. amplifier (probably cooled) feeding a d.c. restorer. The d.c. restorer will catch the changes in resistance (and the average noise voltage) much like how a cdplayer recovers data from the optical sensor, or how a TV sends the picture information to the picture tube (pre-LCD version).
I know a little about electrical engineering even though I'm primarily a theoretical computer scientist, and I posted some of my thoughts on the technical details here (also linked from my name on this comment): http://ansuz.sooke.bc.ca/software/security/...
Laszlo Kish was good enough to respond addressing some of my points. I remain unconvinced that it'd really work because the theoretical security appears to depend on simplifying assumptions like Eve only being able to tap the wire in one place, and I don't think he quite "gets" that Eve cannot be forced to apply the same physical model that Alice and Bob use; but I certainly think it's worth putting it through the scientific peer review process with real electrical engineers. Even if this scheme doesn't work it could give someone the idea that would lead to a similar scheme that would work.
This is similar to an old scheme for bidirectional communications over a single wire (plus ground plane). In that scheme, each participant connects his end of the wire, through a 1000-ohm resistor, either to ground or to +1 Volt. By monitoring the voltage on the wire and knowing the connection on his own end, each participant can deduce the connection on the other end.
In that scheme, when an eavesdropper measures the voltage as +0.5 V in the middle of the wire, she can't tell which end is connected to ground and which to +1 V. However, if she can measure the current in the wire, she'll know, so this scheme doesn't keep communications secret.
Kish's contribution is primarily the assertion that if the voltage is generated by thermal noise, the current and the voltage are in some sense uncorrelated (otherwise, one resistor would get hot and the other cold), so the eavesdropper cannot distinguish the two ends even by measuring the current. I'm not competent to assess this claim.
However, Kish's claim that simultaneous bidirectional communication will make up for the uselessness of the 50% of bit windows where both ends are set to the same value is false. He hints at a scheme in which Alice and Bob apply random resistor settings for many bit windows, and then Alice says (over a public channel), "You'll see my message if you look in bit windows 12, 15, 16, ..." (all of them bit windows in which Alice and Bob's settings differed), and Bob says, "You'll see *my* message in 3, 11, 16, ..." But Kish overlooks the fact that unless Alice's and Bob's lists are completely disjoint, they have in effect re-used a one-time pad.
I don't think there is any point in this thing (or quantum key exchange, either). The bandwidth of such key exchange protocols is around thousand(s) bits per second. Let's estimate it as 2 kbit per second. Over one year, we get less than 8 gigabytes of keys transferred.
It makes a lot more sense to simply deliver 300GB hard disk with keys. Given reasomable lifetime, it corresponds to much bigger bandwidth, over essentially unlimited distance.
Yes, delivery of hard disk must be secure.
But same applies to ANY kind of receiver and transmitter. No matter what, you need to deliver computer securely, or somebody might (for example) plant spyware while it is in transit
With hard disks, you don't need to guard transmission line.
p.s. and yes, with hard disk with pre-made keys you of course need some truly random data. But you need it for quantum encryption or this thing aswell, i.e. you must randomly switch resistors or need to randomly rotate polarizers (i'm is not entirely sure all QE schemes need you to randomly rotate polarizers, but if i recall correctly some do)
I find it very interesting that this, quantum cryptography, and Diffie-Hellman (I believe) all require twice as much entropy as they eventually provide. It actually reminds me a lot of the comment I read somewhere (probably in Practical Cryptography) that three transmissions seems to be the minimum for a secure connection. Is throwing away half of the entropy simply the cost of securely distributing keys over an insecure medium?
I agree with your comments. The paper does not address a lot of questions that an ordinary EE would ask, such as:
* The resistors are not ideal: they will have different errors on the receiver and sender side, and they will vary as they are being used. This will spill a lot of information into the public channel, and it could be possible to distinguish the 0's from the 1's even through the fog of noise.
* The paper doesn't address the resistor switching: even if the sender and receiver switch at the exact same time with exact same set of ideal resistors, the channel would be affected differently depending on which end had the lower resistance.
Well, I've never been a good analog EE, but I'd at least expect several pages describing why I shouldn't be worried about such things, and possibly a lab experiment since it's so bloody easy to set up.
It's an interesting idea, though. I wish that there was a mathematical analogue.
alice and bob's 10 ohm and 1000 ohm resistors would have to have absolutely identical resistance, which does not seem possible. if you buy any two 1000 ohm resistors from radio shack, they will not be absolutely identical, one might be 999.9996 ohms and the other might be 1000.0002 ohms. then there's the problem of perfect synchronization. if you synchronize two atomic clocks, which themselves aren't perfect timekeepers, at the same location, then fly one to another city, relativistic effects will slow the clock that's moving ever so slightly in relation to the stationary clock. time is a funny thing. snake oil.
Wouldn't this scheme be vulnerable to a trivial man-in-the-middle attack?
Ah, sorry, you already said that, I should read more carefullly :)
From a standpoint of physical practicality, judging from the comments here, it seems like this is not a workable solution.
From a standpoint of philosophy however, ignoring some of the details, one could make a conceptually sound solution- it's at least a leaping off point.
It's a poor channel for a rock-paper-scissors based encryption mechanism, at least from the way I'm looking at it. And I could be totally wrong.
"Do you mind if I use your "Focusing on encryption is like sticking a tall stake in the ground and hoping the enemy runs right into it, instead of building a wide wall." comment (for non-commercial purposes of course)?"
Sure you’d better build a wall and not a stake. The height of the wall will be determined by the security of the encryption method. There will be a difference between computational security (AES) and information theoretical security (one time pad). But how to distribute the keys for that?
Quantum crypto, like this thermal noise crypto, and any other form of “crypto��? that computes keys out of distributed correlated data, of which Eve is assumed to know less than Alvis and Bobo, is only a key generation and distribution primitive. It is a building block for the wall.
The name quantum crypto is so misleading, and basically it were physicists with only little cryptographic knowledge that coined the name and immediately and falsely claimed its superiority to other methods of encryption. This is why cryptographers are so offended and do not like quantum crypto. But they should see it as what it is, and use it where appropriate for constructing secure cryptographic systems.
In terms of snake oil viscosity, what's the difference between this approach and the one using the physical properties of the silicon wafers in laser transmissions that you excoriated just a week or so ago? Why is this one better, in your view?
> The name quantum crypto is so misleading, and basically it were
> physicists with only little cryptographic knowledge that coined the
> name and immediately and falsely claimed its superiority to other
> methods of encryption. This is why cryptographers are so offended and
> do not like quantum crypto.
The name of quantum crypto isnt misleadind because it is the name of a
field. It is the same with crypto, when you talk about key distribution
or secure hashing function you are talking about crypto. So it is the
same for quantum crypto, with quantum crypto you can do quantum key
agremment, quantum random numbers, quantum cryptanalysis and even
> I don't think there is any point in this thing (or quantum key
> exchange, either). The bandwidth of such key exchange protocols is
> around thousand(s) bits per second. Let's estimate it as 2 kbit per second.
> Over one year, we get less than 8 gigabytes of keys transferred. It
> makes a lot more sense to simply deliver 300GB hard disk with keys.
> Given reasomable lifetime, it corresponds to much bigger bandwidth,
> over essentially unlimited distance.
First the bandwith of quantum key agreement is low yes. But in classical
key agreement or key distribution like DH or RSA it also very slow. Do
you know how much key material do you produced with protocols like IPSec
in one hour? Quantum key agreement is not slower. But the important
thing is you dont need a better bandwith if you use classical encryption
algorithms like AES.
About the idea of 300GB hard disk. The first problem is you don't use fresh
keys, you store your keys for a long time and so it's bad for security.
The second problem is you need perfectly random key material and only
quantum crypto can gives you (really) true random numbers.
About authentication and quantum crypto. Yes, you need an authenticated
channel, and? With classical communications you also need an
authenticated channeé and we know how to build one. But with quantum
crypto we need a perfect authentication? Yes and we also know how to
do that, take Wegman-Carter authentication codes which are
Finally, I'm not very convinced about the arguments of Bruce against
quantum crypto. His argument is something like: "usually crypto is not
the weakest link, so we dont need better crypto". But my mind is if we
can do better crypto so do it, and why not to secure all the links?
Quantum key agreement only secure one thing in a cryptosystem: the key
agreement. But it's an improvement because we need to take each link
of the chain and secure them!
i don't see how someone getting close to said 300GB hard disk is any better than letting somebody touch your quantum hardware. If one can compromise keys storen on hard disk, one can install keylogger, or put some device into your quantum receiver and transmitter.
The point is that we can view hard disk (maybe with some hardware mods so you can' read it at once but only at 2kbit per second) as "key exchange device" operating over "hyperspace". If we would ever create such hyperspace communicator that is ABSOLUTELY impossible to intercept, it would sure be better than quantum cripto, but not better than hard disk.
curiously enough, http://www.nsa.gov/public/publi00004.cfm lists...
NR 3391 CBPM44 24215A 19441012 PROJECT C-43 DECODING SPEECH CODES
NR 4241 ZEMA172 25979A 19430313 OPERATION OF RC-220-T1 (SPEECH PRIVACY), 1943
NR 4242 ZEMA172 35374A 19410521 PROJECT C-43 PRELIMINARY REPORTS
NR 4243 ZEMA172 35375A 19411215 PROJECT C43 PRELIMINARY AND PROGRESS REPORTS
re:Bnonymous NSA snippet
Interestingly this info seems to point to SIGSALY (google for RC-220-T1 C-43). Many of you probably know of SIGSALY, but because is it so interesting, here is a bit from the NSA and a link to much more info:
The device's success in protecting voice communications was due to a new development known as "pulse code modulation," the predecessor of such present-day innovations as digital voice, data and video transmission. It also was one of the earliest applications of spread spectrum technology, which was key to its effective operation. The U.S. Army awarded the first contract for the device in 1942; formal deployment followed in 1943. The SIGSALY terminal was massive. Consisting of 40 racks of equipment, it weighed over 50 tons, and featured two turntables which were synchronized on both the sending and the receiving end by an agreed upon timing signal from the U.S. Naval Observatory. (For a more detailed explanation of the engineering aspects of SIGSALY, see J.V. Boone and R.R. Peterson's work, The Start of the Digital Revolution: SIGSALY Secure Digital Voice Communications in World War II, NSA Center for Cryptologic History, Ft. George G. Meade, Md.)
>>The Start of the Digital Revolution
Please don't call it "QC" - this acronym is already taken for "quantum chromodynamics".
My original essay had a paragraph about SIGSALY, but I deleted it because it seemed tangential to this system.
> How often in the real world do we have a wire
> that is authenticated but not confidential? Not
> very often.
Every time I talk to my wife on the phone?
It seems to me that in Kish device there are some flaws that are not described previously.
If Alice use a stochastic voltage generator, and a two wires metallic line joins Alice and Bob, If Alice connect its voltage generator to the two wires and if Alice and Bob insert at some clock 'tick" a resistor in serie with the metallic wires , then:
1) its not possible for Bob to deduce the value of Alice's resistor. This is because Bob can only measure the current intensity and he knows the value of it's own resistor. This make it impossible to know the value of Alice resistor without knowing the value of the voltage.
2) Eve have exactly the same electrical informations as Bob, because she can know how much current intensity is flowing, and how much voltage there is at both end of Bob resistor. So Eve knows Bob's resistor value.
In conclusion if the set-up is what I have described above, not only Eve knows the value of Bob's resistor, but neither Eve, nor Bob can compute the value of Alice's resistor.
In an after thought, I think also that it would be easy also for Eve to insert a capacitor between the two wires and observe the rising and falling times of voltages. As they are independant of the voltage and depends only of the R and C components, Alice's and Bob's resistors can be computed.
A little comment:
I think there's a little bit mis-description about the idea of researchers
from Texas A&M. A and B should each have two random voltage generators
of two lines on its side. This can not be simplified to that just A
has random voltage generators, which is not safe.
However, I think the original idea is not good, either. Since A and B
need to switch between two lines. The attacker can detect the switch
process. The random voltage generators should not be secret, otherwise
this idea will be a joke. And the attacker can also learn about the
resisters A and B have. Then the attacker can cut the circuit between
A and B in to two independent ones. (Because the switch process of A
and B, they can not detect this cut.) Thus construct a man-in-middle
This seems so simple, I must have missed something
And most importantly, is it secure?
No not secure. A passive attack gets it all.
Anybody gets a multimeter (set to measure voltage) and attaches it
across the two wires leaving either Alice or Bob's house. Assume it
is Bob's house and he is supplying the power for the system).
If Bob has chosen the same resistor as Alice the meter will read
half of the voltage - because half the voltage is dropped by each of
the identical resistors.
If Bob chooses a different value to Alice then the multimeter will
read proportional to Rb/(Ra + Rb). With your numbers in this example that would be
0.99 % if he chooses 10 ohms and 99 % if he chose the 1000 ohm
regardless of the signal used to power it all up.
This idea seems so flawed that it must be a joke.
David Eather: yes, when Alice and Bob choose the same resistor, then the attacker can detect that. The issue is that when Alice and Bob do *not* choose the same resistor, although the attacker can detect that that has happened, there are two ways that can happen (Alice goes high and Bob goes low, or Alice goes low and Bob goes high), and the claim is that the attacker can't distinguish between those two cases, but Alice and Bob can.
So Alice and Bob repeat the process many times, they throw out the trials in which they happened to choose the same value, and then they supposedly can do secret communications based on the other trials.
Real quantum crypto involves a similar situation, where half the trials result in revealing a bit and must be thrown out, but it's claimed that the other trials are secure. Note that the bits being transmitted are not the message bits, they're randomly generated bits which will later be used to encrypt the message; so it doesn't matter if you reveal half of them as long as you know which ones you revealed and don't use those for encryption.
A comment on the comment of Leo_Z:
A circuit where two voltage generators are placed in serie, is absolutely equivalent to a circuit with one voltage generator.
A schematic of the two generators and resistors is shown on http://arxiv.org/ftp/physics/papers/0509/...
Here is an extract of the text:
Absolute secure classical communication scheme utilizing Kirchoff laws and a threefold encryption.
The information channel is a wire. The message is carried by the sender's choice of resistor value.
The sender encrypts this message by the random generator voltage US. The receiver double-encrypts the message by using his randomly chosen esistor RR and the random generator voltage UR. The random voltage generators are either the Johnson noises of the resistors or artificial noise generator with much larger noise voltage but with the same scaling relation between the resistance and the noise voltage spectrum as that of Johnson noise. The eavesdropper may have access to the measurement of the voltage and current in the channel, however this information is not enough to break the code.."
Anybody can test this apparitus at home, to find if he/she can guess the value of one end, while knowing only the current intensity and the resistance at the other end.
Or if you have no electronic material at home, use a spreadsheet, set an array with:
* A column for Bob resistor
* A column for a chosen value for the current
* A column for Alice resistor, for each value of Bob's resistor, use two lines for the two Alice possible resistors.
Now you have four lines (two value for Bob's resistor * two value for Alice's resistor. Compute the value for the *unique* voltage generator ;-)
Use the Ohm's law: U=R*I.
It will be the fourth column.
Copy/paste the four lines three or four times, change the current value. Now you have an array with 12 or 16 lines and four column.
Now the acid test: Are you able with only the current intensity and the value of Bob's resistor to guess Alice's resistor?
If you answer "no", you comply with 2 centuries old electricity laws.
A comment on A comment on the comment of Leo_Z:
sorry, maybe in circuit field: one voltage generator is equivalent to two voltage generators. However, in this security issue, they are not.
If only A has a voltage generator on her side, then the attacker just stand in the middle and test the resister.
Attacker will get the information about the resister from A or B. Even he does not know which side he is testing. But it will always be the same side.
Thus there only have two possibalities of the entire singal sequence for the attacker.
I was quite intrigued by the idea of using resistors, but my problem with it is this:
If A uses the 10 Ohm resistor and B uses the 1000 Ohm resistor the potential (e.g. Voltage) will be different than when the situation is reversed - effectively an attacker is analysing the behaviour of two (or four, if you include the duplicated resistors) different potential dividers. Now okay, the voltage drop across the line would be the same but there must be any number of ways of detecting the change in potential and thus knowing what resistor each party has chosen.
It's been a while since I did electrical theory, but the line is effectively a combination of capacitive and inductive load. It is not beyond the realms of consideration that the transition between different electrical states would produce different magnetic fields, which could be non-intrusively detected and interpreted accordingly.
Alternatively a barely significant capacitive (or possibly inductive) load could be introduced into the line that would provide easily measurable voltage drops. Unless the line had been thoroughly characterised (and maybe not even then) I do not see that the interference could be detected.
Obviously your article is a simplification of the technique; is this an area that is covered by theory that I have missed or misunderstood?
The key flaw as I see it (which I've sent to Kish and received no response) is the assumption that security is acheived by stopping communication went resistor measurement current is injected.
Obviously recording the signal then measuring the resistors *after* the data is captured is a complete compromise apart from not being instantaneous.
Hello all and Leo_Z
Thanks to this interesting conversation.
To sum up:
1) In the case of only one voltage genarator:
I disagree with your statement that an attacker can deduce Alice's resistor by merely measuring it .
In effect to measure a resistor you need to inject a current through the resistor under test, so if there is already at least one voltage generator in the circuit, you can't measure the value of the resistor (the current flowing through it is determined by both voltage sources).
2) In the case of two voltage generators:
You are right to state that Eve is not able to know Bob's resistor if Bob's also have a voltage generator.
And my main point now: In any case Bob can't deduce Alice's resistor value by knowing its own resistor value and current value.
This is deduced from the ordinary laws of electricity without involving complex impedances, short transition time or something more subtle.
For me the claim that this communication means is secure is true, with only one flaw: Even the receiver is unable to decrypt what send the emitter ;-)
It's security at is best!
This attack could be defeted by a directional coupler. By placing a directional coupler on the line, Eve can obtain the current contribution of Alice and that of Bob seperately, and almost undetecably with a good amp.
I intend to read the original paper and all these comments again, as I cannot say I have fully understood them, and my knowledge of EE is rusty. However, Kish and I are collaborating in designing and building one of these devices. Our first prototype will have both ends on the same desk and assume a completely passive Eve, but if it is a success we will evolve a more sophisticated attack model. If you wish to be kept apprised of this project, or better yet to help, you may contact me as solinym at google mail. I look forward to evaluating these attacks and others against any design or prototype we come up with, in the "trial by fire" methodology that security folk are familiar with. I look forward to your ideas, attacks and suggestions.
There is one important feature of Quantum Cryptography that can't be reproduced in *any* classical system (as far as the current physics theories predict): when you measure a system, you perturbate it unless you already know in what state it is (or you guess it).
This does not protect from man-in-the-middle attacks but makes hard the life of eavestroppers, giving a bothering difficulty that they won't find in any other means of transfer of information.
Dear Bruce and All the Others,
It is a shame that I was able to read the comments only now. I answered those who sent me an email (though it seems there is one exception when I did not receive it). Please note that the idealized/mathematical scheme is totally secure and nobody has been able to challenge it. On the other hand, the practical system is never ideal therefore no practical physical secure layer can be totally secure. This is true for quantum, too. But when we have at least an idealized security, that provides directives for the pactical design to approach that situation as much as our resources allow. If you want to read more, you can find new stuff at this web site: www.ece.tamu.edu/~noise/research_files/research_secure.htm
NOTE: surprisingly, the cipher is naturally protected against the man-in-the-middle attack!
All the best,
Solinym say in his December 21 comment that we are collaborating on a test device. He indeed asked some advices to build a home device but we stuck at the noise generators level and since then there was no continuation. Since then, a NY company has expressed an interest in developing and marketing the cipher, moreover the National Science Foundation has encouraged me to submit a proposal. Thus I am unable to provide help with home device design aspects. However, a home device should be very easy to build. Though it would have a limited security, if it is a careful work it would easily reach beyond quantum security. And in any case, nobody would be able to break it, not even the NSA, because it is too new :-) Best, Laszlo
Response to Ventu at February 4. Yes it is true that you perturbate quantum when you eavesdrop on it. The resistor-based cipher works in a different way. If you do not perturb the system with a large probing signal, and measure the response, you can stay hidden but you are unable to extract any information. If you probe the system with the large signal, you will be discovered after 1 bits of extracted info. You are completely protected against the man-in-the-middle attack, zero bits can be extracted in that way. Note, the quantum situation is not as good as it seems. For example, you can extract say every 100th bits and you can stay hidden.
With all sympathy to what Terry has written, I think his claim is a bit harsh. More to the point, his claims address one aspect only of QC - the ability to detect an evesdropper. There his physics is sound, and I quite agree that I do not see how that ability is duplicated with duplicatable data (which any data is, according to classical physics).
This is not Kish's claim, however. He claims (and it's an interesting question whether that is truely that case - we have seen some supposed rebuttals in this thread) that he is capable of transferring data without any of the data being actually on the line. That, in itself, is known to be possible.
A simple example, proveably unattackable, is giving you a one time pad key in advance, and then sending the actual data encrypted with said one time pad key.
Interesting interpretation. Or is it more proper to talk about joint information? The received information is part of a joint information between the two ends. To receive it, the receiver has to know his own resistor setting. If the receiver does not look up his own resistor value, he cannot extract any information. Just like the eavesdropper, he will know only the global situation (2 high resistances; 1 high and 1 low; or 2 low resistances).
In your December 17th message, you point out an important aspect. If the sender and receiver operate with two DC voltage generators, then nobody can decode the message. That was my first attempt last summer but I failed with it due to the very same reason. However, the noise cipher does not operate with DC but with thermal-like noise. Thus we have more info about the voltage than in the DC case. We know how does the effective noise voltage scale with the value of the resistor. In this way, the sender and receiver have just enough knowledge to extract the information.
Note: you could ask if the system works with DC voltage that scale in the same way as the thermal noise. I tried that, too. It does not work because it is not secure. Then the eavesdropper has enough information to extract the bits.
Finally, you could ask, if different type of noise scaling would work. The answer is again no. In that case, the fluctuation-dissipation theorem is violated and there will be a net energy flow between the two sides. Then by clever current-voltage crosscorrelation measurements, the eavesdropper can again find out what is the situation at the two ends.
This is a long post. If you don't read all of it, please read the last sentence. Kish's scheme depends on the behavior of individual atoms and electrons. Classical electrodynamics does not deal with point charges or individual particles, and does not predict the Johnson-Nyquist noise. The scheme is not so classical as it might appear.
Regarding Matthew Skala's comments here and on his web site http://ansuz.sooke.bc.ca/software/security/...
See especially the new preprint http://arxiv.org/pdf/physics/0602013. It mentions that another paper is also in preparation which will address practical issues.
Skala is concerned that Eve can record voltage and current as function of time at high bandwidth and at several positions along the wire. This would then help determine which end has the larger resistor, because of propagation delays. Note that Eve does not have to inject any current into the wire.
for a derivation of the Nyquist relation. See also http://en.wikipedia.org/wiki/...
(Laszlo: perhaps you would contribute to that article, which is a little sparse?)
The average squared noise voltage <V^2> across a resistor is directly proprotional to bandwidth delta nu (Hz). Higher bandwidth gives higher <V^2>. But the wire has a limited bandwidth. Also, in the practical case described in the new preprint, there are low-pass filters at each end of the wire limiting the bandwidth of the noise. Thus, Eve can measure the voltage at high bandwidth, but the low-pass filters will smooth out the signal Eve was hoping to observe.
Information leakage due to taps at each end of a wire which has finite resistance is to be avoided by choosing suitable resistor values such that there will not be enough time to determine the position of the larger resistor before the end of the clock period.
Bollinger's concerns that this classical method lacks something which is present in the quantum approach:
In my opinion, the difference between "classical" and "quantum" physics is much overrated. As Einstein noted, "there is, strictly speaking, today, no such thing as a classical field-theory" (A.E. Philosopher Scientist, P.A. Schilpp, ed., vol 2 p. 675). The work of Maxwell, Boltzmann, Gibbs, and others on electrodynamics and statistical mechanics is quite different from Newtonian mechanics. But regardless of how we define a classical theory, the problem here arises because people suppose they know for sure that there is a "classical domain" and a "quantum domain" and that experiments in the classical domain somehow cannot benefit from quantum effects.
In "quantum cryptography," the actual physical state of the photon (e.g. its polarization) cannot be known before it is measured, and even then, only the measurement result is known, not the full state. Because a single photon (or a pair of entangled photons) is involved, we are supposed to believe that this is fundamentally different from the situation where one or another macroscopic resistor is switched into a circuit. But, with the resistor, there are also many things which cannot be known even after the measurement. We know nothing about the microscopic environment of each electron in the resistor, and after we measure a noise voltage, we know only the average squared voltage. Just as measuring photon polarization tells us almost nothing about the full state of the photon, measuring the voltage tells us very little about the microscopic state of the resistor.
Look at the Sonoda derivation of the Nyquist relation. A resistor is modeled as containing N electrons distributed along length L. Each electron has thermal kinetic energy in the x direction of 1/2 kT, and there is a local electric field which accelerates it randomly. All we know about these fields is that they average to zero, that they are uncorrelated, and that they must maintain the average kinetic energy 1/2 kT for each electron. From this we derive the Johnson noise.
One may consider a theory classical if it doesn't involve Planck's constant, but I suggest that the appearance of Boltzmann's constant also makes the theory non-classical. Individual particles and point sources are non-classical.
In quantum cryptography, detection of the evesdropper occurs when Alice and Bob learn they had their polarizers set at equal angles but did not observe compatible results. (By the way, in QC, the transmitted key is used only after Alice and Bob determine that it was not overheard, so the fact that evesdropping is not noticed instantly is not a problem). In Kish's scheme, evesdropping is detected when Alice and Bob find that they are measuring significantly different voltages and currents.
The point is, in both schemes, the evesdropper cannot measure the physical property of interest without disturbing it. There is nothing more magical about polarization of a single photon than there is about the voltage and current arising from a pair of resistors at opposite ends of a wire. To detect the polarization of a passing photon, you have to insert a polarizer into the fiber. To determine the location of the larger resistor, you have to inject current into the wire. The low-pass filters and the finite clock period serve the same purpose as the photon number: there is not enough information available to a passive evesdropper to detect the randomly chosen polarization or resistance setting, but Alice and Bob know their own instrument setting, and hence have enough additional information to establish a shared secret.
Maybe if I leave the URL out, the message will get by the spam filter. I want to note that there is another use of "classical" e.g. in Landau and Lifshitz _Statistical Physics_, where a gas with Boltzmann statistics is classical while a gas with Fermi or Bose statistics is quantum. To me, classical corresponds to those 19th century physicists who did not believe in atoms. Anyway, what I'm trying to say in the previous post is that some amazing things can arise even when using Boltzmann statistics, which do not arise from the continuous charge distributions considered in classical electrodynamics. So we shouldn't be so surprised if it is possible to securely exchange keys over a wire using Johnson noise.
Interesting considerations. Your own definition of classical physics seems to be the deterministic physics. Stochasticity and noise comes with both classical statistical physics and quantum physics. The difference between Fermi-Dirac and Boltzmann is due to the Pauli principle and the non-distinquishability (I hope I spelled correctly) of quantum particles.
Your considerations generate a natural question. What do we need for a secure physical layer? Quantum physics and classical statistical physics have one thing in common: randomness/statistics. What else do we need? Is there a general rule?
The Johnson-line noise based secure communicator has been built and it has been tested up to the range of 200 km which is well beyond the direct quantum communication range. Its raw-bit security level is set so that it is beyond the theoretical security of practical quantum communicators. Here are the pictures and the first draft:
More data will follow in the paper.
So far Kish's noise based security has withstood everyone's attack. Do any of you have anything else to say?
To be impartial who are the "everyone's" you speak of?
Are they considered in general to be sufficiently knowledgeable as to make meaningful tests?
If not, then the system has not been meaningfully tested has it?
And that raises the question,
Who is the person with sufficient reputation who would admit to having carried out any tests and be subject to the same level of criticism Laszlo Kish has recieved?
Whilst cryptograpers and other security researchers actualy see critics and relevant criticism as a healthy response that is part of the game researchers in other fields see it considerably less so.
So I suspect that Laszlo's "Totally Secure Classical Communications" is now seen as 'A Poisoned Chalice'.
But let's assume for the sake of argument TSCC is secure, the next question is, Is it practical for general use by ordinary users?
It would appear that it is not realy any more practical than QKD in that it requires a point to point link via a constrained and quantified communications channel.
So in general terms TSCC like QKD is a solution looking for a problem, which makes it very niche at best.
But worse for TSCC, QKD has many detractors not just for it's lack of practicality but also because although in theory it's secure the practical implementations have been found to be insecure in many cases which has significantly reduced confidence in it. This has the unfortunate effect of tarnishing TSCC with the same brush which the above conversation of if TSCC is realy Clasical, Quantum or just some quirk of statisticaly based measuring methods realy does not help.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.