To be impartial who are the "everyone's" you speak of?

Are they considered in general to be sufficiently knowledgeable as to make meaningful tests?

If not, then the system has not been meaningfully tested has it?

And that raises the question,

Who is the person with sufficient reputation who would admit to having carried out any tests and be subject to the same level of criticism Laszlo Kish has received?

Whilst cryptographers and other security researchers actually see critics and relevant criticism as a healthy response that is part of the game, researchers in other fields see it considerably less so.

So I suspect that Laszlo's "Totally Secure Classical Communications" is now seen as 'A Poisoned Chalice'.

But let's assume for the sake of argument TSCC is secure, the next question is, Is it practical for general use by ordinary users?

It would appear that it is not really any more practical than QKD in that it requires a point to point link via a constrained and quantified communications channel.

So in general terms TSCC like QKD is a solution looking for a problem, which makes it very niche at best.

But worse for TSCC, QKD has many detractors not just for its lack of practicality but also because although in theory it's secure the practical implementations have been found to be insecure in many cases which has significantly reduced confidence in it. This has the unfortunate effect of tarnishing TSCC with the same brush which the above conversation of if TSCC is really Classical, Quantum or just some quirk of statistically based measuring methods really does not help.

http://www.ece.tamu.edu/~noise/research_files/research_secure.htm

More data will follow in the paper.

Laszlo Kish

Interesting considerations. Your own definition of classical physics seems to be the deterministic physics. Stochasticity and noise comes with both classical statistical physics and quantum physics. The difference between Fermi-Dirac and Boltzmann is due to the Pauli principle and the non-distinquishability (I hope I spelled correctly) of quantum particles.

Your considerations generate a natural question. What do we need for a secure physical layer? Quantum physics and classical statistical physics have one thing in common: randomness/statistics. What else do we need? Is there a general rule?

Laszlo

Regarding Matthew Skala's comments here and on his web site http://ansuz.sooke.bc.ca/software/security/kish-classical-crypto.php:

See especially the new preprint http://arxiv.org/pdf/physics/0602013. It mentions that another paper is also in preparation which will address practical issues.

Skala is concerned that Eve can record voltage and current as function of time at high bandwidth and at several positions along the wire. This would then help determine which end has the larger resistor, because of propagation delays. Note that Eve does not have to inject any current into the wire.

See http://www.phys.sci.kobe-u.ac.jp/~sonoda/notes/nyquist_random.ps

for a derivation of the Nyquist relation. See also http://en.wikipedia.org/wiki/Fluctuation_dissipation_theorem.

(Laszlo: perhaps you would contribute to that article, which is a little sparse?)

The average squared noise voltage <V^2> across a resistor is directly proportional to bandwidth delta nu (Hz). Higher bandwidth gives higher <V^2>. But the wire has a limited bandwidth. Also, in the practical case described in the new preprint, there are low-pass filters at each end of the wire limiting the bandwidth of the noise. Thus, Eve can measure the voltage at high bandwidth, but the low-pass filters will smooth out the signal Eve was hoping to observe.

Information leakage due to taps at each end of a wire which has finite resistance is to be avoided by choosing suitable resistor values such that there will not be enough time to determine the position of the larger resistor before the end of the clock period.

Regarding http://terrybollinger.com/qencrypt/BollingerCritiqueOfKishPaper-2006-01-31.pdf

Bollinger's concerns that this classical method lacks something which is present in the quantum approach:

In my opinion, the difference between "classical" and "quantum" physics is much overrated. As Einstein noted, "there is, strictly speaking, today, no such thing as a classical field-theory" (A.E. Philosopher Scientist, P.A. Schilpp, ed., vol 2 p. 675). The work of Maxwell, Boltzmann, Gibbs, and others on electrodynamics and statistical mechanics is quite different from Newtonian mechanics. But regardless of how we define a classical theory, the problem here arises because people suppose they know for sure that there is a "classical domain" and a "quantum domain" and that experiments in the classical domain somehow cannot benefit from quantum effects.

In "quantum cryptography," the actual physical state of the photon (e.g. its polarization) cannot be known before it is measured, and even then, only the measurement result is known, not the full state. Because a single photon (or a pair of entangled photons) is involved, we are supposed to believe that this is fundamentally different from the situation where one or another macroscopic resistor is switched into a circuit. But, with the resistor, there are also many things which cannot be known even after the measurement. We know nothing about the microscopic environment of each electron in the resistor, and after we measure a noise voltage, we know only the average squared voltage. Just as measuring photon polarization tells us almost nothing about the full state of the photon, measuring the voltage tells us very little about the microscopic state of the resistor.

Look at the Sonoda derivation of the Nyquist relation. A resistor is modeled as containing N electrons distributed along length L. Each electron has thermal kinetic energy in the x direction of 1/2 kT, and there is a local electric field which accelerates it randomly. All we know about these fields is that they average to zero, that they are uncorrelated, and that they must maintain the average kinetic energy 1/2 kT for each electron. From this we derive the Johnson noise.

One may consider a theory classical if it doesn't involve Planck's constant, but I suggest that the appearance of Boltzmann's constant also makes the theory non-classical. Individual particles and point sources are non-classical.

In quantum cryptography, detection of the eavesdropper occurs when Alice and Bob learn they had their polarizers set at equal angles but did not observe compatible results. (By the way, in QC, the transmitted key is used only after Alice and Bob determine that it was not overheard, so the fact that eavesdropping is not noticed instantly is not a problem). In Kish's scheme, eavesdropping is detected when Alice and Bob find that they are measuring significantly different voltages and currents.

The point is, in both schemes, the eavesdropper cannot measure the physical property of interest without disturbing it. There is nothing more magical about polarization of a single photon than there is about the voltage and current arising from a pair of resistors at opposite ends of a wire. To detect the polarization of a passing photon, you have to insert a polarizer into the fiber. To determine the location of the larger resistor, you have to inject current into the wire. The low-pass filters and the finite clock period serve the same purpose as the photon number: there is not enough information available to a passive eavesdropper to detect the randomly chosen polarization or resistance setting, but Alice and Bob know their own instrument setting, and hence have enough additional information to establish a shared secret.

In your December 17th message, you point out an important aspect. If the sender and receiver operate with two DC voltage generators, then nobody can decode the message. That was my first attempt last summer but I failed with it due to the very same reason. However, the noise cipher does not operate with DC but with thermal-like noise. Thus we have more info about the voltage than in the DC case. We know how the effective noise voltage scales with the value of the resistor. In this way, the sender and receiver have just enough knowledge to extract the information.

Note: you could ask if the system works with DC voltages that scale in the same way as the thermal noise. I tried that, too. It does not work because it is not secure. Then the eavesdropper has enough information to extract the bits.

Finally, you could ask if a different type of noise scaling would work. The answer is again no. In that case, the fluctuation-dissipation theorem is violated and there will be a net energy flow between the two sides. Then by clever current-voltage crosscorrelation measurements, the eavesdropper can again find out what the situation is at the two ends.

Laszlo

Interesting interpretation. Or is it more proper to talk about joint information? The received information is part of a joint information between the two ends. To receive it, the receiver has to know his own resistor setting. If the receiver does not look up his own resistor value, he cannot extract any information. Just like the eavesdropper, he will know only the global situation (2 high resistances; 1 high and 1 low; or 2 low resistances).

Laszlo
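The two comments above make claims that can be checked numerically in the idealized lumped circuit. This is an added example, not code from the thread or from Kish's papers. It assumes an ideal wire (no resistance, delay or filtering), units in which 4kTB = 1, and the 10 ohm / 1000 ohm resistor pair mentioned elsewhere in the thread; all function names are hypothetical.

```python
import math
import random

R_LOW, R_HIGH = 10.0, 1000.0  # resistor pair mentioned in the thread (ohms)

def johnson(r):
    """Johnson scaling: mean-square noise voltage proportional to R (4kTB = 1)."""
    return r

def amplitude(r):
    """Counter-example scaling: RMS noise voltage proportional to R, so variance ~ R^2."""
    return r * r

def wire_stats(ra, rb, scaling):
    """Return (<V^2>, <I^2>, <V*I>) on the wire for independent noise sources
    Ua (in series with Alice's ra) and Ub (in series with Bob's rb).
    V = (Ua*rb + Ub*ra)/(ra+rb), I = (Ua - Ub)/(ra+rb), I positive from Alice to Bob.
    The sign of <V*I> is the direction of net power flow."""
    sa, sb, d = scaling(ra), scaling(rb), (ra + rb) ** 2
    return ((sa * rb**2 + sb * ra**2) / d, (sa + sb) / d, (sa * rb - sb * ra) / d)

def simulate(ra, rb, scaling, n=100_000, seed=1):
    """Monte Carlo check of wire_stats using constructed Gaussian source voltages."""
    rng = random.Random(seed)
    sig_a, sig_b = math.sqrt(scaling(ra)), math.sqrt(scaling(rb))
    v2 = i2 = vi = 0.0
    for _ in range(n):
        ua, ub = rng.gauss(0.0, sig_a), rng.gauss(0.0, sig_b)
        v = (ua * rb + ub * ra) / (ra + rb)
        i = (ua - ub) / (ra + rb)
        v2 += v * v
        i2 += i * i
        vi += v * i
    return v2 / n, i2 / n, vi / n

def eve_candidates(observed, scaling):
    """All (alice_r, bob_r) settings consistent with what a passive tap measured."""
    return [(ra, rb)
            for ra in (R_LOW, R_HIGH) for rb in (R_LOW, R_HIGH)
            if all(math.isclose(x, y, rel_tol=1e-9, abs_tol=1e-12)
                   for x, y in zip(observed, wire_stats(ra, rb, scaling)))]

def bob_decode(own_r, observed_v2, scaling):
    """Bob knows his own resistor, so <V^2> alone selects Alice's resistor."""
    return min((R_LOW, R_HIGH),
               key=lambda ra: abs(wire_stats(ra, own_r, scaling)[0] - observed_v2))

if __name__ == "__main__":
    for name, scaling in (("johnson", johnson), ("amplitude", amplitude)):
        print(name)
        for ra in (R_LOW, R_HIGH):
            for rb in (R_LOW, R_HIGH):
                stats = wire_stats(ra, rb, scaling)
                print(f"  Ra={ra:6.0f} Rb={rb:6.0f}  <V^2>={stats[0]:9.4f} "
                      f"<I^2>={stats[1]:.6f} <VI>={stats[2]:+.4f}  "
                      f"tap sees {eve_candidates(stats, scaling)}")
    mixed = wire_stats(R_LOW, R_HIGH, johnson)
    print("Bob (1000 ohm) decodes Alice as", bob_decode(R_HIGH, mixed[0], johnson))
    print("Monte Carlo, johnson, mixed:", simulate(R_LOW, R_HIGH, johnson))
```

With Johnson scaling the tap sees only three levels (low/low, mixed, high/high) and zero cross-correlation; with the other scaling the sign of the cross-correlation separates the two mixed settings.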

This is not Kish's claim, however. He claims (and it's an interesting question whether that is truly the case - we have seen some supposed rebuttals in this thread) that he is capable of transferring data without any of the data being actually on the line. That, in itself, is known to be possible.

A simple example, provably unattackable, is giving you a one time pad key in advance, and then sending the actual data encrypted with said one time pad key.

Shachar

Laszlo

It is a shame that I was able to read the comments only now. I answered those who sent me an email (though it seems there is one exception when I did not receive it). Please note that the idealized/mathematical scheme is totally secure and nobody has been able to challenge it. On the other hand, the practical system is never ideal therefore no practical physical secure layer can be totally secure. This is true for quantum, too. But when we have at least an idealized security, that provides directives for the practical design to approach that situation as much as our resources allow. If you want to read more, you can find new stuff at this web site: www.ece.tamu.edu/~noise/research_files/research_secure.htm

NOTE: surprisingly, the cipher is naturally protected against the man-in-the-middle attack!

All the best,

Laszlo

This does not protect from man-in-the-middle attacks but makes hard the life of eavesdroppers, giving a bothering difficulty that they won't find in any other means of transfer of information.

Thanks to this interesting conversation.

To sum up:

1) In the case of only one voltage generator:

I disagree with your statement that an attacker can deduce Alice's resistor by merely measuring it.

In effect to measure a resistor you need to inject a current through the resistor under test, so if there is already at least one voltage generator in the circuit, you can't measure the value of the resistor (the current flowing through it is determined by both voltage sources).

2) In the case of two voltage generators:

You are right to state that Eve is not able to know Bob's resistor if Bob also has a voltage generator.

And my main point now: In any case Bob can't deduce Alice's resistor value by knowing its own resistor value and current value.

This is deduced from the ordinary laws of electricity without involving complex impedances, short transition time or something more subtle.

For me the claim that this communication means is secure is true, with only one flaw: Even the receiver is unable to decrypt what the emitter sends ;-)

It's security at its best!

Jean-Pierre

Obviously recording the signal then measuring the resistors *after* the data is captured is a complete compromise apart from not being instantaneous.

If A uses the 10 Ohm resistor and B uses the 1000 Ohm resistor the potential (e.g. Voltage) will be different than when the situation is reversed - effectively an attacker is analysing the behaviour of two (or four, if you include the duplicated resistors) different potential dividers. Now okay, the voltage drop across the line would be the same but there must be any number of ways of detecting the change in potential and thus knowing what resistor each party has chosen.

It's been a while since I did electrical theory, but the line is effectively a combination of capacitive and inductive load. It is not beyond the realms of consideration that the transition between different electrical states would produce different magnetic fields, which could be non-intrusively detected and interpreted accordingly.

Alternatively a barely significant capacitive (or possibly inductive) load could be introduced into the line that would provide easily measurable voltage drops. Unless the line had been thoroughly characterised (and maybe not even then) I do not see that the interference could be detected.

Obviously your article is a simplification of the technique; is this an area that is covered by theory that I have missed or misunderstood?

:)

sorry, maybe in circuit field: one voltage generator is equivalent to two voltage generators. However, in this security issue, they are not.

Explanation:

If only A has a voltage generator on her side, then the attacker just stands in the middle and tests the resistor.

Attacker will get the information about the resistor from A or B. Even he does not know which side he is testing. But it will always be the same side.

Thus there are only two possibilities for the entire signal sequence for the attacker.

A comment on the comment of Leo_Z:

A circuit where two voltage generators are placed in series is absolutely equivalent to a circuit with one voltage generator.

A schematic of the two generators and resistors is shown on http://arxiv.org/ftp/physics/papers/0509/0509136.pdf

Here is an extract of the text:

**********

Figure 1.

Absolute secure classical communication scheme utilizing Kirchoff laws and a threefold encryption.

The information channel is a wire. The message is carried by the sender's choice of resistor value.

The sender encrypts this message by the random generator voltage US. The receiver double-encrypts the message by using his randomly chosen resistor RR and the random generator voltage UR. The random voltage generators are either the Johnson noises of the resistors or artificial noise generator with much larger noise voltage but with the same scaling relation between the resistance and the noise voltage spectrum as that of Johnson noise. The eavesdropper may have access to the measurement of the voltage and current in the channel, however this information is not enough to break the code.

*************

Anybody can test this apparatus at home, to find if he/she can guess the value of one end, while knowing only the current intensity and the resistance at the other end.

Or if you have no electronic material at home, use a spreadsheet, set an array with:

* A column for Bob resistor

* A column for a chosen value for the current

* A column for Alice resistor, for each value of Bob's resistor, use two lines for the two Alice possible resistors.

Now you have four lines (two values for Bob's resistor * two values for Alice's resistor). Compute the value for the *unique* voltage generator ;-)

Use the Ohm's law: U=R*I.

It will be the fourth column.

Copy/paste the four lines three or four times, change the current value. Now you have an array with 12 or 16 lines and four columns.

Now the acid test: Are you able with only the current intensity and the value of Bob's resistor to guess Alice's resistor?

If you answer "no", you comply with 2 centuries old electricity laws.

Jean-Pierre

So Alice and Bob repeat the process many times, they throw out the trials in which they happened to choose the same value, and then they supposedly can do secret communications based on the other trials.

Real quantum crypto involves a similar situation, where half the trials result in revealing a bit and must be thrown out, but it's claimed that the other trials are secure. Note that the bits being transmitted are not the message bits, they're randomly generated bits which will later be used to encrypt the message; so it doesn't matter if you reveal half of them as long as you know which ones you revealed and don't use those for encryption.

And most importantly, is it secure?

No not secure. A passive attack gets it all.

Anybody gets a multimeter (set to measure voltage) and attaches it across the two wires leaving either Alice or Bob's house. (Assume it is Bob's house and he is supplying the power for the system).

If Bob has chosen the same resistor as Alice the meter will read half of the voltage - because half the voltage is dropped by each of the identical resistors.

If Bob chooses a different value to Alice then the multimeter will read proportional to Rb/(Ra + Rb). With your numbers in this example that would be 0.99 % if he chooses 10 ohms and 99 % if he chose the 1000 ohm regardless of the signal used to power it all up.

This idea seems so flawed that it must be a joke.

I think there's a little bit mis-description about the idea of researchers from Texas A&M. A and B should each have two random voltage generators of two lines on its side. This can not be simplified to that just A has random voltage generators, which is not safe.

However, I think the original idea is not good, either. Since A and B need to switch between two lines. The attacker can detect the switch process. The random voltage generators should not be secret, otherwise this idea will be a joke. And the attacker can also learn about the resistors A and B have. Then the attacker can cut the circuit between A and B into two independent ones. (Because the switch process of A and B, they can not detect this cut.) Thus construct a man-in-middle attack.

It seems to me that in Kish device there are some flaws that are not described previously.

If Alice uses a stochastic voltage generator, and a two wires metallic line joins Alice and Bob, if Alice connects her voltage generator to the two wires and if Alice and Bob insert at some clock 'tick' a resistor in series with the metallic wires, then:

1) it's not possible for Bob to deduce the value of Alice's resistor. This is because Bob can only measure the current intensity and he knows the value of his own resistor. This makes it impossible to know the value of Alice's resistor without knowing the value of the voltage.

2) Eve has exactly the same electrical information as Bob, because she can know how much current intensity is flowing, and how much voltage there is at both ends of Bob's resistor. So Eve knows Bob's resistor value.

In conclusion if the set-up is what I have described above, not only Eve knows the value of Bob's resistor, but neither Eve, nor Bob can compute the value of Alice's resistor.

In an afterthought, I think also that it would be easy also for Eve to insert a capacitor between the two wires and observe the rising and falling times of voltages. As they are independent of the voltage and depend only on the R and C components, Alice's and Bob's resistors can be computed.

Jean-Pierre

> that is authenticated but not confidential? Not

> very often.

Every time I talk to my wife on the phone?

Interestingly this info seems to point to SIGSALY (google for RC-220-T1 C-43). Many of you probably know of SIGSALY, but because it is so interesting, here is a bit from the NSA and a link to much more info:

SIGSALY

The device's success in protecting voice communications was due to a new development known as "pulse code modulation," the predecessor of such present-day innovations as digital voice, data and video transmission. It also was one of the earliest applications of spread spectrum technology, which was key to its effective operation. The U.S. Army awarded the first contract for the device in 1942; formal deployment followed in 1943. The SIGSALY terminal was massive. Consisting of 40 racks of equipment, it weighed over 50 tons, and featured two turntables which were synchronized on both the sending and the receiving end by an agreed upon timing signal from the U.S. Naval Observatory. (For a more detailed explanation of the engineering aspects of SIGSALY, see J.V. Boone and R.R. Peterson's work, The Start of the Digital Revolution: SIGSALY Secure Digital Voice Communications in World War II, NSA Center for Cryptologic History, Ft. George G. Meade, Md.)

>>The Start of the Digital Revolution

http://www.nsa.gov/publications/publi00019.cfm

NR 3391 CBPM44 24215A 19441012 PROJECT C-43 DECODING SPEECH CODES

NR 4241 ZEMA172 25979A 19430313 OPERATION OF RC-220-T1 (SPEECH PRIVACY), 1943

NR 4242 ZEMA172 35374A 19410521 PROJECT C-43 PRELIMINARY REPORTS

NR 4243 ZEMA172 35375A 19411215 PROJECT C43 PRELIMINARY AND PROGRESS REPORTS

The point is that we can view hard disk (maybe with some hardware mods so you can't read it at once but only at 2kbit per second) as "key exchange device" operating over "hyperspace". If we would ever create such hyperspace communicator that is ABSOLUTELY impossible to intercept, it would sure be better than quantum crypto, but not better than hard disk.

> The name quantum crypto is so misleading, and basically it were physicists with only little cryptographic knowledge that coined the name and immediately and falsely claimed its superiority to other methods of encryption. This is why cryptographers are so offended and do not like quantum crypto.

The name of quantum crypto isn't misleading because it is the name of a field. It is the same with crypto, when you talk about key distribution or secure hashing function you are talking about crypto. So it is the same for quantum crypto, with quantum crypto you can do quantum key agreement, quantum random numbers, quantum cryptanalysis and even quantum signatures!

D said:

> I don't think there is any point in this thing (or quantum key exchange, either). The bandwidth of such key exchange protocols is around thousand(s) bits per second. Let's estimate it as 2 kbit per second. Over one year, we get less than 8 gigabytes of keys transferred. It makes a lot more sense to simply deliver 300GB hard disk with keys. Given reasonable lifetime, it corresponds to much bigger bandwidth, over essentially unlimited distance.

First the bandwidth of quantum key agreement is low yes. But in classical key agreement or key distribution like DH or RSA it is also very slow. Do you know how much key material you produce with protocols like IPSec in one hour? Quantum key agreement is not slower. But the important thing is you don't need a better bandwidth if you use classical encryption algorithms like AES.

About the idea of 300GB hard disk. The first problem is you don't use fresh keys, you store your keys for a long time and so it's bad for security. The second problem is you need perfectly random key material and only quantum crypto can give you (really) true random numbers.

About authentication and quantum crypto. Yes, you need an authenticated channel, and? With classical communications you also need an authenticated channel and we know how to build one. But with quantum crypto we need a perfect authentication? Yes and we also know how to do that, take Wegman-Carter authentication codes which are unconditionally secure.

Finally, I'm not very convinced about the arguments of Bruce against quantum crypto. His argument is something like: "usually crypto is not the weakest link, so we don't need better crypto". But my mind is if we can do better crypto so do it, and why not to secure all the links? Quantum key agreement only secures one thing in a cryptosystem: the key agreement. But it's an improvement because we need to take each link of the chain and secure them!

In terms of snake oil viscosity, what's the difference between this approach and the one using the physical properties of the silicon wafers in laser transmissions that you excoriated just a week or so ago? Why is this one better, in your view?

Quantum crypto, like this thermal noise crypto, and any other form of “crypto” that computes keys out of distributed correlated data, of which Eve is assumed to know less than Alvis and Bobo, is only a key generation and distribution primitive. It is a building block for the wall.

The name quantum crypto is so misleading, and basically it were physicists with only little cryptographic knowledge that coined the name and immediately and falsely claimed its superiority to other methods of encryption. This is why cryptographers are so offended and do not like quantum crypto. But they should see it as what it is, and use it where appropriate for constructing secure cryptographic systems.

Sure.

From a standpoint of philosophy however, ignoring some of the details, one could make a conceptually sound solution- it's at least a leaping off point.

It's a poor channel for a rock-paper-scissors based encryption mechanism, at least from the way I'm looking at it. And I could be totally wrong.


I agree with your comments. The paper does not address a lot of questions that an ordinary EE would ask, such as:

* The resistors are not ideal: they will have different errors on the receiver and sender side, and they will vary as they are being used. This will spill a lot of information into the public channel, and it could be possible to distinguish the 0's from the 1's even through the fog of noise.

* The paper doesn't address the resistor switching: even if the sender and receiver switch at the exact same time with exact same set of ideal resistors, the channel would be affected differently depending on which end had the lower resistance.

Well, I've never been a good analog EE, but I'd at least expect several pages describing why I shouldn't be worried about such things, and possibly a lab experiment since it's so bloody easy to set up.

It's an interesting idea, though. I wish that there was a mathematical analogue.

It makes a lot more sense to simply deliver 300GB hard disk with keys. Given reasonable lifetime, it corresponds to much bigger bandwidth, over essentially unlimited distance.

Yes, delivery of hard disk must be secure.

But same applies to ANY kind of receiver and transmitter. No matter what, you need to deliver computer securely, or somebody might (for example) plant spyware while it is in transit.

With hard disks, you don't need to guard transmission line.

In that scheme, when an eavesdropper measures the voltage as +0.5 V in the middle of the wire, she can't tell which end is connected to ground and which to +1 V. However, if she can measure the current in the wire, she'll know, so this scheme doesn't keep communications secret.

Kish's contribution is primarily the assertion that if the voltage is generated by thermal noise, the current and the voltage are in some sense uncorrelated (otherwise, one resistor would get hot and the other cold), so the eavesdropper cannot distinguish the two ends even by measuring the current. I'm not competent to assess this claim.

However, Kish's claim that simultaneous bidirectional communication will make up for the uselessness of the 50% of bit windows where both ends are set to the same value is false. He hints at a scheme in which Alice and Bob apply random resistor settings for many bit windows, and then Alice says (over a public channel), "You'll see my message if you look in bit windows 12, 15, 16, ..." (all of them bit windows in which Alice and Bob's settings differed), and Bob says, "You'll see *my* message in 3, 11, 16, ..." But Kish overlooks the fact that unless Alice's and Bob's lists are completely disjoint, they have in effect re-used a one-time pad.

Laszlo Kish was good enough to respond addressing some of my points. I remain unconvinced that it'd really work because the theoretical security appears to depend on simplifying assumptions like Eve only being able to tap the wire in one place, and I don't think he quite "gets" that Eve cannot be forced to apply the same physical model that Alice and Bob use; but I certainly think it's worth putting it through the scientific peer review process with real electrical engineers. Even if this scheme doesn't work it could give someone the idea that would lead to a similar scheme that would work.

http://www.fortunecity.com/emachines/e11/86/circsync.html

This was published in Scientific American circa 1992/1993. I remember reading it and xeroxing it for later reference. I might still have it somewhere...


Do you mind if I use your "Focusing on encryption is like sticking a tall stake in the ground and hoping the enemy runs right into it, instead of building a wide wall." comment (for non-commercial purposes of course)? I want to make sure there are no copyright violations :=)


I'm not quite convinced, I suspect that switching time and signal delays will give away the location of the two resistors if the eavesdropper makes two measurements on the line separated by a reasonable distance, you basically see the wave propagate up and down the line until the steady state is achieved.

I must point out this is a gut reaction and it requires some considered thought.
