Switzerland Protects its Vote with Quantum Cryptography

This is so silly I wasn't going to even bother blogging about it. But the sheer number of news stories has made me change my mind.

Basically, the Swiss company ID Quantique convinced the Swiss government to use quantum cryptography to protect vote transmissions during their October 21 election. It was a great publicity stunt, and the news articles were filled with hyperbole: how the "unbreakable" encryption will ensure the integrity of the election, how this will protect the election against hacking, and so on.

Complete idiocy. There are many serious security threats to voting systems, especially paperless touch-screen voting systems, but they're not centered around the transmission of votes from the voting site to the central tabulating office. The software in the voting machines themselves is a much bigger threat, one that quantum cryptography doesn't solve in the least.

Moving data from point A to point B securely is one of the easiest security problems we have. Conventional encryption works great. PGP, SSL, SSH could all be used to solve this problem, as could pretty much any good VPN software package; there's no need to use quantum crypto for this at all. Software security, OS security, network security, and user security are much harder security problems; and quantum crypto doesn't even begin to address them.

So, congratulations to ID Quantique for a nice publicity stunt. But did they actually increase the security of the Swiss election? Doubtful.

Posted on October 29, 2007 at 6:02 AM • 46 Comments

Comments

AnonymousOctober 29, 2007 6:25 AM

At least they still have a real democracy, with proportional representation (instead of the winner takes it all system which leaves up to 49.99% of the voters without representation)) and more than two parties (which, despite having different names, accept bribes from the same "sponsors" and therefor do not differ in their actual policies).

JohnOctober 29, 2007 6:38 AM

I noticed the economist article mentioned this was as much about advertising as security, and personally I think its mostly about advertising.

The Swiss have lots of referenda and a devolved style of government with most things working at canton level. What works for them may not work elsewhere.

Kai RoerOctober 29, 2007 6:45 AM

Using quantum cryptology is a big waste, and a completely wrong approach to election security. It is so easy to single minded focusing on one part of the chain - and completely oversee the human side of elections.
In Norway, this was brought to everyones attention earlier this autumn - when some local politicians payed people to vote. How can quantum technology help avoiding that??

CocotoniOctober 29, 2007 6:53 AM

In Switzerland they have been trying to push voting over Internet for some time, and there have been some advances in that field as well (mostly for unimportant referenda on municipal level). But people are weary and do not accept any big push in that direction.

So this is just advertising for "safe computer based voting". Even though it has nothing to do with the problem.

Most of the vote here is done by mail (snailmail), and what they are encrypting is connection between room 1 where the mail-in votes are opened and counted, and room 2 (really next door) where the counts are tallied and scores tabulated. Really the least vulnerable part of the voting system.

And pretty much everyone is aware that this is just marketing. While the shear number of referenda and elections in Switzerland can make an economic interest for computerized voting (not a problem of getting the votes as soon as possible for the latest news on CNN, but the problem that organizing referenda 4 times a year costs a lot), people mostly do understand that the problem is that their computer is not secure (and they are being reminded on every corner) and do not want to trust their votes to such system.

Same is with e-commerce in Switzerland - most people prefer not to give CC details on the computer, but to receive an invoice that they can pay in usual way.

Unix RoninOctober 29, 2007 7:08 AM

"...up to 49.999% of the voters without representation"? Uh, have you been paying attention to recent elections? Bill Clinton was elected by only 24% of the registered voters, let alone the total eligible electorate. Under the US voting system, you don't have to get a majority; all you have to do is get more votes than any other candidate. When as much as 60% of the electorate are so disgusted with the entire electoral process that they don't bother to vote (be it because they don't believe their vote counts any more, or because there isn't anyone running who they can hold back their gag reflex long enough to vote for) and then you add in the winner-takes-all factor, the unrepresented voters become the rule, not the exception.

Erwin SchroedingerOctober 29, 2007 7:31 AM

There's no such thing as quantum cryptography, since quantum mechanics is fiction. Except that quantum mechanics is real.

(Pardon the quantum humor.)

gregOctober 29, 2007 7:56 AM

I really can't see any good use for quantum crypto. Its makes the strongest link in the chain stronger.....

CliveOctober 29, 2007 8:07 AM

In any case, surely vote tallies are public? They want authentication and integrity, not secrecy, so why encrypt at all?

Clive RobinsonOctober 29, 2007 8:11 AM

@Bruce,

If you subscribe to Info-Security Mag (online or paper) this Octobers issue had an artical about using Quantom Crypt from Alan Woodward chief technology officer of business and information technology consultancy firm Charteris (www.charteris.com).

I read it and had to check the date to see it was not the 1st of Apr issue I had picked up by mistake...

The Artical is titled,

"To boldly make the quantum leap"

Which kind of lets you know... and the artical teaser says,

"The technology behind Star Trek’s photo torpedoes could soon have the same effect on those wanting to break cryptography, argues Alan Woodward of Charteris"

It has some realy funny bits in it like where he claims it will stop hackers...

"Today, in the relentless and deadly battle against computer hackers, photon technology is being used to create a level of computer security that could finally lead to hackers giving up, and, perhaps, confining their activities to watching Star Trek reruns on UK Gold."

The artical also appears to be available (unrestricted) at,

http://www.bcs.org/server.php?...

MikeOctober 29, 2007 8:24 AM

Another issue with quantum cryptography (QC) is the susceptibility to a denial of service attack. For those that are not aware, one of the benefits of QC is that the transmission is altered when tapped. This is supposed to be a good thing because it alerts the receiving end that there was a tap. However, what happens when all a person wants to do is shut down the link? Attach a reader to the line and walk away. Instant DoS. Banks contemplating using QC recognize this issue and keep their old transmission line available. In the case of the banks using QC, a person could force the bank to use a less secure line. A line that perhaps a thief has already tapped?

ElliottOctober 29, 2007 8:37 AM

When I was a child, my grandfather showed me a newspaper ad that hyped the security of transport boxes for radioactive waste, and said:

"Look, with ads like this, the makers and operators of nuclear power plants try to distract the public attention from the real problems of nuclear energy. Transport security is just a minor detail that is easy to solve. Why don't they talk about the ultimate disposal of radioactive waist, or about the possible severity of accidents in nuclar power plants? Always think for yourself."

As a child, I was not too interested. Only with time I understand more and more of what he told me. He told me quite a lot, and my respect for his wisdom is ever increasing.

PaeniteoOctober 29, 2007 9:07 AM

@Mike: "attach a reader" for DoS

Why so complicated/expensive?
If you can attach a reader, you could simply cut the cable...

Carlo GrazianiOctober 29, 2007 9:24 AM

So, is the election winner a linear superposition of the quantum states of all the candidates until ID Quantique makes a wave-function-collapsing measurement?

RCOctober 29, 2007 11:07 AM

OTP is more secure than quantum crypto, but it is considered impractical. But quantum crypto is much more impractical since you have to be able to generate and read polarized photons, or entangled pairs of photons.

For RealOctober 29, 2007 11:13 AM

"Scientific American"

What an oxymoron...
Yes, it's become Popular Science for the unscientific (with pretenses)

dragonfrogOctober 29, 2007 11:17 AM

@ Unix Ronin, Anonymous

In general, you don't need low voter turnout for the majority of voters to be unrepresented. Only in a two-party system does that apply (which to my mind is kind of like the Chinese one-party system, but with one more party to keep things interesting).

In a three candidate riding, the winner can have as little as 1/3 of the votes + 1, in a 5 candidate riding, as little as 1/5 + 1, etc.

In Canada, where there is a relatively lively political scene, there are typically 3 to 5 "serious" candidates in every riding at a federal election. Consequently, it's very unusual for a winning candidate to have over 50% of the vote - they tend to get in on around 35 to 40%.

AnonymousOctober 29, 2007 12:32 PM

Arguably, all the hype about the uncrackable quantum crypto made the election LESS secure, because it lulled everyone into thinking it was unconditionally secure due to the quantum crypto. Sort of a reverse halo effect.

Clive RobinsonOctober 29, 2007 12:37 PM

@RC

"OTP is more secure than quantum crypto, but it is considered impractical"

Quantum crypto is an OTP but by the magic of QM it's online...

However QC has some very very real limitations to do with the speed you can send the photons down the "wire". So in any given time frame you are limited in the number of bits you can send (let alone use).

As was once pointed out to me "Never underestimate the bandwidth of a Jumbo Jet full of optical disks".

On that score alone an OTP beats QC hands down.


C GomezOctober 29, 2007 1:10 PM

In parliamentary systems where seats are allocated by percentage of votes for a party, it is less important that the vote is accurate down to the last vote.

Why? Because it is unlikely the last vote is going to change the overall distribution of seats. Therefore, you don't have to try for picture perfect accuracy.

In theoretical terms, the system most often used in U.S. elections: winner take all, does require such pinpoint accuracy. This is why the U.S. is debating how to improve such accuracy. Unfortunately, the debates are being taken up by politicians, elected by an uneducated mass. Since politicians are a reflection of their electorate, they are easily fooled by snake oil schemes from "election companies".

The end result, a simple system of paper balloting with unambiguous results is replaced by systems that are so complex it is impossible to be sure anything is correct.

Frank BitterlichOctober 29, 2007 1:19 PM

I think you're missing the point of the effort. The basic purpose of using quantum cryptography here was to demonstrate how it can be used to prevent tampering of the data traffic (read: wire tapping, hardware-based man-in-the-middle attack). It was never intended to actually increase the security of the election itself. It was to _demonstrate_ that QC can be used instead of traditional encryption means like SSL when you need even higher security.

AleOctober 29, 2007 1:38 PM

I do not think that you need "higher security" than SSL or SSH for this application. In this case, QC is completely superfluous.

markmOctober 29, 2007 2:49 PM

@Mike: "attach a reader" for DoS

Why so complicated/expensive?
If you can attach a reader, you could simply cut the cable...

One possible reason: A cut fiber-optic end reflects light, so it's relatively easy to measure the time until the reflection comes back and calculate the distance to the break. Could you DOS a quantum-cryptographic link with a more subtle tap (such as a second line glued to the side of the transmission line) that disturbs it enough to scramble the entangled bits but doesn't give much of a reflection, thereby leaving the repair crew with 100 miles of cable to search?

OTOH, if I understand correctly (and I have only worked on copper systems), fiber-optics usually aren't repaired by going out and splicing the break. Instead, they just switch to an unused fiber in the bundle, or to another bundle. Eventually, they have to pull through some new bundles, but the location of the break isn't important data, like it is with copper.

LeoOctober 29, 2007 4:15 PM

@ dragonfrog

That's why proportional voting is needed, as "Anonymous" at the top pointed out, such as IRV for single seat offices. The one man, one vote method so proudly proclaimed in the U.S. (and apparently even more abused in Canada) is about the least effective way of getting accurate representation in a democracy.

LeoOctober 29, 2007 4:31 PM

@ Clive

Quantum cryptography provides integrity, theoretically. It doesn't actually encrypt, or so I heard.

@ Carlo Graziani

If the photons are sent in a pure state the "wave function" is already "collapsed", isn't it? I am curious as to what you'd do if you had more candidates, or choices, than pure states, though.

Maybe I should pull out that dust-collecting quantum information book and read up on it.

J-P KrelliOctober 29, 2007 4:44 PM

Juste to be clear about this info : the swiss vote was not an electronic voting, only a classical one by paper (mainly by mail). The news is only about the transfert of the results (the summations of the paper ballots) from the geneva's (juste one state of Switzterland) central place where the (paper) ballots are opened and counted to the local government building (less than one kilometer). This is good marketing for the product, and certainly hype for the local public administration's eVoting project (not used after spring 2005, and not much before). The IDquantic product is only for the key exchange (on a first fiber), a second fiber is used to send the datas, encrypted with an usual symetrical algorithm; the fiber link must be less than 80 km long, and in only one part (no electronic between). IDq has another product wich is more interesting : a quantic random number generator with high capacity (4-16 Mbps).

AnonymousOctober 29, 2007 9:31 PM

@Unix Ronin

To be fair, he did say "49.999% of voters". This is not the same as eligable voters.

nfd_ghlOctober 29, 2007 11:58 PM

@C Gomez
Also parliamentary systems where seats are allocated by percentage of votes is not that simple. And even there can a single vote determine if one party gets one seat more or less.

There can even be a paradox, that more votes for one party means one seat less for that party. But that depends on the system used and to find a good/fair/paradox free system is not that easy as it seems to be. Just like cryptography.

nfd_ghlOctober 29, 2007 11:59 PM

@C Gomez
Also parliamentary systems where seats are allocated by percentage of votes is not that simple. And even there can a single vote determine if one party gets one seat more or less.

There can even be a paradox, that more votes for one party means one seat less for that party. But that depends on the system used and to find a good/fair/paradox free system is not that easy as it seems to be. Just like cryptography.

the anonymous from the first postOctober 30, 2007 3:28 AM

> There can even be a paradox, that more
> votes for one party means one seat less
> for that party. But that depends on the
> system used and to find a
> good/fair/paradox free system is not
> that easy as it seems to be.

These paradoxons are extremely rare statistically, and even when they happen they are still lightyears ahead of the yankee (winner takes it all) version of ...um... "democracy".

wmOctober 30, 2007 7:35 AM

@nfd_ghl: "...to find a good/fair/paradox free system is not that easy as it seems to be."

Depending on your definition of "fair", it could well be impossible. Arrow's theorem ( http://en.wikipedia.org/wiki/Arrow_theorem ) shows that it is impossible to construct a voting system that satisfies a particular set of requirements, all of which seem desirable for a fair system.


--------
Required disclaimer:
The views expressed above are entirely those of the writer and do not represent the views, policy or understanding of any other person or official body.

David JonesOctober 30, 2007 8:34 AM

Has anyone seen any evidence that Quantum Cryptography is actually performed in this case? Or does Quantique simply sell you a pipe with two black boxes at either end and wave their magic wand and say "Look! Quantum!"?

Clive RobinsonOctober 30, 2007 8:45 AM

@ Leo

"Quantum cryptography provides integrity, theoretically. It doesn't actually encrypt, or so I heard."

No what QC actually does is allow two people to build a "One Time Pad" of supposedly random bits online. This is opposed to more traditional OTP where you print up two pads keep one yourself and then send the second securly to the person you wish to corespond with (which is one of the big hassels of OTPs).

Both QC and OTPs have one problem in common finding a good source of randomness to use. In the case of QC it is used to select the polarisation of the Qbit (photon) at the originating end.

This is realy one of the major weaknesses of both QC and OTPs in that Physical sources produce very very few true random bits/sec. And Pesudo Random Generators (PRNGs) are well just ordinary crypto (ie a Key stream Generator / cipher), subject to all the usual crypto analysis techniques.

If you can from sampling just a very few Qbits on a QC channel (ie below the threshold) you can determin the state of the PRNG then you only need to monitor the second channel where the two users are selecting the bits to use to have broken the system compleatly.

Even if the RNG is unpredictable being close to the originating end is likley to give you the polarisation information from TEMPEST techniques (in the first implementation of QC the polariser was so noisy you could apparently hear it in the next room).

As for Quantum Entanglment and Twin Photons it is not altogether clear if it cannot be used on the physical transmission line to provide Eve with the information required.

A little while ago Bruce Bloged about "Hairpin Taps" on optical lines and it was concluded that this might be an interesting area of reasurch.

Last but not least most practical implementations of QC do not use single photons due to a rather boring issue of transmission line antenuation. So if yo can sniff just on photon at the source end the chances are you will go undetected.

So QC is a nice idea that is very difficult to implement and due to it's many limitations activly looking for a real world use.

J.October 30, 2007 8:48 AM

You can read similar nonsense on countless web sites: "your data is secure with us because we use SSL cryptography". Gives a hint where not to buy.

Quantum MechanicOctober 30, 2007 9:13 AM

Its interesting to see a site with so many naysayers of why quantum crypto won't work. I agree that quantum crypto will never be necessary so long as nothing is available to crack current crypto systems.

OTOH, there was this confusion about the need for random numbers in QC. The solution around this problem already exists and that is to use entangled photon pairs.

Field experiments to exchange keys with entangled photon pairs have already taken place. And it doesn't even need to be polarization entangled, as long as non-classical correlations are distributed.

QOctober 31, 2007 5:34 AM

Quote: "Moving data from point A to point B securely is one of the easiest security problems we have. Conventional encryption works great. PGP, SSL, SSH could all be used to solve this problem"

There are at least 3 different reasons why these computational secure encryption methods in conventional systems are provable NOT secure, so they don't solve this problem provable:

1) Conventional Systems are based on pseudo-randomness instead of true-randomness.

2) Conventional Systems do use Public keys instead of Private keys.

3) Conventional Systems use a 3rd Parties for Keys, Certificates etc. A 3rd Party is able to listen in passively and manipulate actively.

On the URL http://picasaweb.google.com/... the description of an Information-Theoretic Provable Secure Proof-of-Concept System can be found which doesn't suffer from these Computational Security problems.

Nicolas GisinOctober 31, 2007 6:22 AM

Let me explain briefly how the Swiss elections were organized, at least in the canton of Geneva. All ballots are paper ballots, either affiliated to a party or blank requiring the voter to inscribe the names of the candidates he/she votes for. Voting machines are not used in Geneva. The ballots are all collected in a single tabulating centre. There, two groups of two people independently count the ballots, one by one, and enter the results into two terminals. These are connected to a remote centre, through a 4 km long optical fibre, where the counts are cross checked and processed. The results, i.e. votes per candidate, are then sent back to the tabulating centre, through the same 4 km long fibre, where the results are made public.
Where are the weak points in such a procedure? The easiest attack is to steal some paper ballots, because many of them are sent per post. But this is not very effective, since only few ballots can be affected. A second possibility is to corrupt some of the persons involved in the counting. Not obvious, but always possible. A third possibility is to act on the 4 km long optical communication. This is clearly the easiest attack and could be extremely effective if the communication was not encrypted. Hence, encrypting this communication link in order to prevent results tampering seems very reasonable. Now, changing frequently the 256-bit AES key is not a bad idea, it will make any attack even more difficult. Whether Quantum Key Distribution is necessary, or useful, in such a situation reduces to the general question whether quantum key distribution offers a valuable plus to encryption. This is an important question, but different from the question whether it is worth securing the link between the tabulating and the data processing centres. I believe the principle of encrypting that 4 km long link is clearly a

Clive RobinsonNovember 1, 2007 8:43 AM

With regard to my earlier comments about QC,

"So QC is a nice idea that is very difficult to implement and due to it's many limitations activly looking for a real world use."

I left out the main engineering points of why Pure QC is not going anywhere fast,

1) It is range limited (about 100Km currently).
2) It is speed limited by the current technology.
3) It is speed limited by distance (laws of physics).
4) To be "quantum" secure it has to be a single point-to-point cable.
5) Once the cable is proved to be secure the system cannot be turned off as this will provide a window of oportunity.

Points 3&4 set definate "usefullness" limitations on Pure QC. Especially 4 which means that it is not switchable and is therefore an N^2/2 Links problem.

The Only way around this is Hybrid QC where you make the nodes Non-QC but physically and electricaly secure (which is difficult). However Hybrid QC is not "Quantum Secure" it is only as secure as the security of the weakest node.

That being said Hybrid QC actually has considerably more chance of comercial success than Pure QC.

Over and above the above problems there are two practical problems for any QC system adopter,

First off there is the simple MIT problem of how do you establish trust on the insecure channel to the same "Quantum" security level...

Secondly, who is going to let you "walk the line" to ensure that the cable is genuinly point-to-point...

M M KhanSeptember 17, 2008 11:45 AM

Can someone prove to break the unconditional security, of QKD? if yes then please point out the reference. Can some one prove the strength of classical cryptography against future quantum computer attack? if yes then please point out the reference.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..