11

i read this recently: http://www.newscientist.com/article/dn12786-quantum-cryptography-to-protect-swiss-election.html

and some parts of this: http://en.wikipedia.org/wiki/Quantum_key_distribution

they talk about direct fibre optic cable and evesdropping that seems passive.

i want to know whether quantum key distribution provides any security against active attacks too?

i mean, for example isn't it possible that fibre optic cable is cut at some point in its path by an attacker and then he places a repeater there and before repeating the signal he can read the secret information in the channel?

fgrieu
  • 140,762
  • 12
  • 307
  • 587
H M
  • 283
  • 3
  • 8
  • See also this article and the accompany comments section for extensive discussion about the strengths and weaknesses of quantum key distribution, from many experts. – D.W. Nov 24 '12 at 00:55
  • The interesting article and comments linked above are still available there thanks to the Internet Archive. – fgrieu Oct 16 '16 at 09:41
  • There is a major misconception in this question: "and then he places a repeater there and before repeating the signal he can read the secret information". This is not how quantum repeaters work. The central theorem why quantum computing has any advantage over classical cryptography is the no cloning theorem - which is exactly what you describe and is impossible. And that is actually the problem with creating quantum repeaters - no repeater can exist, that would copy the information or read the quantum state without collapsing it. – tylo Sep 05 '17 at 14:38

1 Answers1

16

No, Quantum Key Distribution is not any safer than conventional crypto is against an active Eve impersonating as Bob to Alice using the same equipment and knowledge as the rightful Bob (or/and impersonating as Alice to Bob using the same equipment and knowledge as the rightful Alice). Otherwise stated, QKD can resist Man Eve In The Middle only inasmuch as Eve lacks some initial shared secret known only to legitimate parties Alice and Bob (or there is an independent channel with known integrity, but that's impractical).

The best QKD claims to achieve is turn an authenticated channel (or a short shared secret) into a channel safe from any eavesdropping (or an arbitrarily longer shared secret), against any attack active or passive (including by MITM). E.g. Alice and Bob start from a shared secret of say 512 bits (that could be the conventional hash of a pass phrase), assumed unknown to Eve. Alice and Bob apply some protocol with photons and mirrors, plus some conventional operations¹ on bits for post-processing; and end up with some kilo bits (per second of experiment) of random secret material unknown to Eve. Alice and Bob can use that secret material to encipher data using a One Time Pad (perhaps while they are generating that secret material, so they need not store it).

Non-quantum cryptography routinely does the same (or better: the initial trusted data needs not be secret, e.g. Alice and Bob can exchange their public key; this makes it easier to safely use asymmetric non-quantum cryptography than it is to use QKD). However non-quantum cryptography relies on assumptions on the hardness of some problem, such as the discrete logarithm problem, or/and finding more plaintext/ciphertext pairs given examples for a blockcipher; whereas QKD, and more generally Quantum Cryptography, attempts to rely only on the laws of physics.

The security track record of QKD systems is poor: one security problem has been that imperfections of single-photon sources could be exploited; another rather spectacular one was active blinding; now I'm hearing of double blinding. QKD is not practicable with the current fiber infrastructure (quantum repeaters, if any, exist in labs only). Combine with the fact that QKD solves a problem that is already solved in practice, more conveniently, by classical cryptography, and many reach the conclusion that QKD is a marvelous accomplishment but pointless in practice, except perhaps as a justification for funneling out money.

Update: the need for an initial shared secret (or a channel trusted for integrity) is acknowledged in this whitepaper by ID Quantique², a supplier of KQD equipment:

Key distillation is then complemented by an authentication step in order to prevent a “man in the middle attack”. In this case the eavesdropper would cut the communication channels and pretend to the emitter that he is the receiver and vice versa.
Such an attack is prevented thanks to the use of a preestablished secret key in the emitter and the receiver, which is used to authenticate the communications on the classical channel. This initial secret key serves only to authenticate the first quantum cryptography session. After each session, part of the key produced is used to replace the previous authentication key.

¹ Despite the inevitable errors in the quantum communication, these conventional operations can be simple, secure, and robust: pick at most two attributes! Perhaps the most cited considered to reaching the later two is the cascade protocol in: Gilles Brassard and Louis Salvail's Secret-Key Reconciliation by Public Discussion, in proceedings of Eurocrypt 1993.

² Originally available there.

fgrieu
  • 140,762
  • 12
  • 307
  • 587
  • can u clarify your meaning of 'short shared secret' and 'longer shared secret' please? – H M May 27 '12 at 09:53
  • 3
    A short shared secret is similar to a symmetric key in conventional crypto: a couple of hundred bits. The long shared secret is similar to the keystream a stream cipher produces. It's as long as the message you want to send. Essentially quantum crypto acts like an online-only stream cipher. – CodesInChaos May 27 '12 at 10:08
  • can we possibly combine (use concurrently) classic methods/algorithms like symmetric and asymmetric encryption algorithms with QKD to make it more complete/strong? i mean for example we can defend against MITM attacks using standard public key cryptography methods. that is to say encrypt the key using classic methods before sending it over the quantum channel. – H M May 27 '12 at 16:16
  • 2
    You can use certain provably secure MACs with quantum crypto, but they're still symmetric crypto. Using normal public key crypto defeats most of the point of quantum crypto, it's provable security. Symmetric encryption is one of the strongest building blocks we currently have, so quantum crypto is pretty useless, since we need to use weaker primitives to do anything interesting. – CodesInChaos May 27 '12 at 17:12
  • 5
    Another argument that I've come across is that OTP is more implementable than Quantum Cryptography. That is, if the goal is to rely on a security assumption other than computational complexity, it's easier to pregenerate billions of truly random keypairs and preload them onto the endpoints at installation time, than to implement a secure QKD system. This is not an argument that we should use OTP, this is an argument that suggests that QKD doesn't solve any problems that aren't solved better using other means. – poncho May 29 '12 at 16:26
  • How exactly would you use "a short shared secret" to authenticate the channel? (Without using weaker, conventional, cryptographic primitives.) – Awn Jul 29 '17 at 15:57
  • 1
    @Awn: some conventional cryptographic primitives are not weak. The "short shared secret" can be used to implement a provably secure message authentication method based on a one-time secret key, such as the universal hashing of Mark N. Wegman, J. Lawrence Carter; New hash functions and their use in authentication and set equality, in Journal of Computer and System Sciences, 1981. Some of the material distributed by QKD can be spared for a later messages. – fgrieu Sep 06 '17 at 10:08
  • @poncho: I recently realized a benefit of cryptography based on Quantum Key Distribution: if it is secure at time of use, then an intercept can't be made that could be deciphered later with better technology. Classical forward secure encryption does not offer that unconditionally. That makes a justification for super-encryption using Quantum Cryptography in some narrow use case. I develop that argument in a ridiculously long answer, right before the final "Operational summary" – fgrieu Sep 09 '17 at 06:20