Shostack + Friends Blog Archive


Quantum Crypto is Quantum Backdoored, But It's Not a Problem

Nature reports that Quantum Cryptography has been completely broken in “Hackers blind quantum cryptographers.” Researcher Vadim Makarov of the Norwegian University of Science and Technology constructed an attack on a quantum cryptography system that “gave 100% knowledge of the key, with zero disturbance to the system,” as Makarov put it.

There have been other attacks on quantum cryptography, but this is the first in which there is no indication that the key has been stolen. In those attacks, the operator of the system would see the transmission error rate go up, but in Makarov’s attack, the operator sees nothing. In short, they are completely, utterly defeated. The attacker gets everything with impunity.

As usual, the quantum crypto crowd doesn’t see that a 100% loss of key with no inkling of the loss is a problem. Makarov himself said to Nature, “If you want state-of-the-art security, quantum cryptography is still the best place to go.”

Perhaps the kicker is this in Nature’s article:

Ribordy [CEO of ID Quantique] and Zavriyev [Director of R&D at MagiQ] stress that the open versions of their systems that are sold to university researchers are not the same as those sold for security purposes, which contain extra layers of protection. For instance, the fully commercial versions of IDQ’s system also use classical cryptographic techniques as a safety net, says Ribordy.

Huh? We can trust commercial versions of quantum crypto because they use classical crypto as a safety net? That’s saying that the quantum coolness is really just icing over a VPN. Isn’t it? Am I missing something?

Now it’s time for a rant. Quantum cryptography is really, really cool technology, but the whole point of it is, well, security, and if the state of the art is that the system is breakable, then the art is in a sorry state. It’s a state of being a research toy, not a real security system.

The whole point of quantum crypto is that it isn’t even really crypto. It’s communications that can’t be eavesdropped on. It’s a magical tour-de-force of science and technology. But if it can be silently thwarted, it’s no good. If there is no way that it can be tested to be good, it’s no good. Moreover, the latter is more important than anything else.

For quantum crypto to be viable and trusted, we have to have some way of knowing that the boxes were designed and manufactured such that we can be confident there’s no silent quantum backdoor in the box. Without that, it has no value. You might as well just get a VPN router from the usual suspects and be done with it. If you’re really paranoid, just lay down some glass fiber and put it in a conduit.

Quantum information science as a discipline needs to start taking security seriously. It can’t just brush off a break of this magnitude, and remain credible. Come on, at least admit this is serious and has to be reflected in the manufacturing and testing. Come up with countermeasures, something.

3 comments on "Quantum Crypto is Quantum Backdoored, But It's Not a Problem"

  • Disclosure: I play a peripheral role in quantum crypto commercialization efforts.

    The discussion around the latest Makarov paper is somewhat misleading. The basic Makarov attack has been known for a couple of years (I heard him talk about it in Vienna in 2008), and the actual news in the current paper is that he managed to tune it so finely that the error rate no longer changes noticeably.

    You say “quantum information science” needs to respond, but actual QI scientists don’t care about this specific attack much since it’s an implementation problem, so the onus is more or less on the experimentalists/engineers. Some QIS people try to solve a more general problem and produce a different security model where one can verify the confidentiality of the produced key under the heading of “device-independent QKD” (a bit of a misnomer in my lowly opinion), but I think this stuff is far out in theory-land at the moment.

    Countermeasures are also not that hard to come up with, since the difference between “Makarov attack” and “no Makarov attack” is easy to recognize if you look for it – in one case, you have a continuous laser beam shining into your device, in the other you have dark fiber with the occasional single photon.

    All that said, I’m aware that the QKD world needs more serious security engineering. Since the entire field is very much physicist-dominated, there are not that many considerations beyond “and then, you have the key on both sides with confidentiality guarantee epsilon and identity guarantee delta” and many of the higher-level designs of how to extend this to networks etc. seem to lack sophistication compared to what I see in Internet work.

    I blame it on the fact that there is just a lot more money for security engineers in working for the banks 🙂
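A receiver-side check that models both the post’s point (the error rate alone gives no indication of this attack) and the countermeasure in the comment above (a continuous laser beam versus dark fiber with the occasional photon). This is an added example, not code from the post, from Makarov’s paper or from any vendor; the abort threshold, the photodiode readings and the three sample sessions are constructed assumptions.

```python
# Added example, not code from the post, Makarov's paper or any vendor. A QBER
# check catches intercept-resend, which disturbs the channel, but not detector
# blinding, where the error rate is unchanged; an independent optical power
# monitor at the fiber input catches the continuous bright light blinding needs.
# Thresholds, photodiode readings and sessions are constructed, not measured.
from dataclasses import dataclass
import random
QBER_ABORT = 0.11    # assumed abort threshold for BB84 post-processing
DARK_POWER = 1e-9    # assumed monitor reading (W): dark fiber plus sparse photons
BRIGHT_RATIO = 1000  # assumed: readings this far above dark level are not photons

@dataclass
class Session:
    alice_sifted: list   # Alice's bits at the sifted positions
    bob_sifted: list     # Bob's bits at the same positions
    power_samples: list  # monitor photodiode readings during the session

def qber(alice, bob):
    """Fraction of sifted positions where Alice's and Bob's bits differ."""
    if not alice or len(alice) != len(bob):
        raise ValueError("sifted keys must be non-empty and of equal length")
    return sum(a != b for a, b in zip(alice, bob)) / len(alice)

def blinding_suspected(samples, dark=DARK_POWER, ratio=BRIGHT_RATIO):
    """True if bright light is present for most of the window, not one spike."""
    bright = sum(1 for p in samples if p > dark * ratio)
    return bright > len(samples) // 2

def verdict(session):
    """'ok', 'abort:qber' or 'abort:blinding'; QBER alone passes blinding."""
    if qber(session.alice_sifted, session.bob_sifted) > QBER_ABORT:
        return "abort:qber"
    if blinding_suspected(session.power_samples):
        return "abort:blinding"
    return "ok"

def make_session(kind, n=2000, seed=1):
    """Constructed sessions: 'honest', 'intercept_resend' or 'blinding'."""
    rng = random.Random(seed)
    alice = [rng.randint(0, 1) for _ in range(n)]
    sparse = [DARK_POWER * rng.uniform(0.5, 2.0) for _ in range(n)]
    if kind == "honest":            # ~2% channel noise, dark fiber
        return Session(alice, [a ^ (rng.random() < 0.02) for a in alice], sparse)
    if kind == "intercept_resend":  # Eve's wrong basis guesses cause ~25% errors
        return Session(alice, [a ^ (rng.random() < 0.25) for a in alice], sparse)
    # blinding: Eve dictates Bob's outcomes (bits agree), but the fiber is lit up
    bright = [DARK_POWER * rng.uniform(5e4, 1e5) for _ in range(n)]
    return Session(alice, list(alice), bright)
```

Run `verdict(make_session("blinding"))`: the QBER is exactly zero, so only the power monitor rejects the session.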

  • Mordaxus says:

    Thanks for writing, Thomas, and for your words.

    For some time now, there’s been tension between us classical security people and the QIS folks. Most of that comes from what we see as a lack of humility in the physics world. It’s as if the QIS people think that because they’re doing physics, they’re immune to human frailties.

    Most of us are science geeks. We’re mathematicians, computer scientists, and engineers. We want to see QIS be successful. But because we’re practitioners as much (well, more, really) than we’re scientists, we have a very jaundiced eye that starts inward. If you look at the cryptographers with the most public successes and the ones with the most public failures, you’ll find they’re the same people. There’s the old adage: How do you make good decisions? Through wisdom. How do you gain wisdom? Through bad decisions.

    We’d love to help. It’s nice that there have been quantum papers at the last couple of years of IACR conferences. It was pleasing to see a whole session in Santa Barbara a couple weeks ago. If there’s anything you can do to help get security engineering with them, I’m sure you’ll find people ready and willing to help.

    A mere change in tone and language would help, too. If IDQ, MagiQ, and others said, “This is real. We take it seriously. We understand the issue and the fix will be deployed real soon now,” the security people would say, “That’s great. They have it under control.” After all, we have our own long litany of things we were caught by.

    Anyway, thanks for writing again, and thanks for reading, too.

  • PHB says:

    “actual QI scientists don’t care about this specific attack much since it’s an implementation problem, so the onus is more or less on the experimentalists/engineers.”

    Well maybe those actual QI scientists should find another field then.

    Back in the 1950s a bunch of physicists decided they had found a method of making electricity that was practically free. Only thing was that they hadn’t really thought about how to make it safe or what to do with the waste produced.

    Instead they told us that the scheme they had thought up was absolutely safe and problem free. As a result the whole field of Nuclear power was discredited as serious problems occurred (Chernobyl, Three Mile Island) and the waste mounted up.

    Now one of the big lies told by the nuclear industry is that Chernobyl was caused by Soviet reactor design techniques that were never used in the West. That is untrue. The Soviet reactor had a hidden flaw, a region of positive feedback that was not revealed using the limited 2D modeling simulations possible at the time. Western reactors were built using similar tools. Several of the UK Magnox reactors were shut down three years later in 1989.

    The point I am making here is that if you are proposing a scheme for use in the real world then you had better learn to think like an engineer.

    If nuclear power had been approached as an engineering problem rather than a science project we might have seen the type of designs that started to emerge in the 1990s that are genuinely ‘fail-safe’ designs. Rather than the fail-safe by assertion designs that were fobbed off as safe by scientists playing engineer.

    Mordaxus is actually wrong with his title. The system was not quantum backdoored, the backdoor was in the classical physics. And this is what I suspect is going to prove the undoing of Quantum Cryptography.

    Quantum cryptography looks very appealing as pure theory. But none of the systems that I have seen to date are implementable as a pure quantum system. So none of the systems are even theoretically quantum secure from an engineering point of view.
