China’s quantum* crypto tech may be unhackable, but it's hardly a secret

We have a new call to arms in the 21st century battlefront between the West and China. The Middle Kingdom is building an uncrackable national infrastructure based on quantum key distribution (QKD). The laws of physics are being used against us, and we're not keeping up, claims a think tank.

  1. Nik 2

    10/10

    <<The best use for QKD is to knock up an impressive PowerPoint deck and show it to a funding agency.>>

    Top class 'El Reg', cynicism at its finest. Well done!

    1. sitta_europea Silver badge

      Re: 10/10

      "...cynicism at its finest. ..."

      And as others might say, "Bullshit".

  2. Pascal Monett Silver badge

    Very interesting article

    These days all you hear about is quantum, AI and financial scams cryptocurrency.

    And you rarely ever hear any bad things about the first two.

    It's good to learn that there are still pie-in-sky ideas that can be shot down by any person with a sane mind aware of the requirements.

    Now that I have learned the requirements of QKD, I will know to not be impressed by the next snake-oil prophet that tries to pull a fast one.

    Thumbs up from me for this article.

    1. FIA Silver badge

      Re: Very interesting article

      It's often a good idea to separate the technology (a tool) from the way people use it. Most tools offer some decent use cases, but can be badly misused or wildly overhyped. (Plus some people are also tools).

      NFTs for example.

      The technology: An NFT is some immutable, cryptographically signed data stored in a distributed database.

      That's it.

      That actually has uses, for example storing the hashes of documents in some ongoing financial transaction. The distributed nature of the blockchain and the cryptographic safeguards make it impossible to tamper with the NFT, so in situations where every party has a vested interest to game the system a way of storing and signing some data that it can be proven that no party can alter is useful.

      However, mention NFT to anyone and they think of weird jpegs and crypto bros and people pissing money away for no good reason. (I'll be honest, I never really understood the mainstream definition of NFTs).

      At some point when all the hype dies down, the technology will get re-named and quietly incorporated into something and no one will know.

      It's the same with AI. People like being able to contextually search their photos, or re-master old recordings by using AI to rip out each instrument (the Beatles Revolver re-master was done this way), but it's also going to end the world if you listen to the wrong people.

      1. Anonymous Coward

        Re: Very interesting article

        Yet another dreamer who insists the block chain is the best thing in the world. Sadly, as so many news articles have shown, as the whole world does not exist within the block chain, it is exploitable at the point it interfaces with the non-block chain world (rather larger than the little bit the block chain resides in).

        Sadly, as it is decentralised there is no way to manage, audit or validate what crosses into and out of this “dream technology” so it’s like having the most secure ATM which cannot be hacked but which will hand over the cash to anyone who walks up to it. It keeps perfect records of all the mistakes it made because it insisted there was no need to check anything.

        “DeFi”? Yup, Defies belief!

    2. Anonymous Coward

      Re: Very interesting article

      There's quite a bit of active research to improve on the "bad things" though. For QKD, the Marco Lucamarini (York U., UK) team is looking at 3 kbit/s over 224 km (yellow diamond on Fig. 5, Entropy journal, Nov. 2023) so there might be "hope" yet. As Rupert notes, it gets faster at shorter distances, the Fig. suggests close to 10 Mbit/s SKR at 50 km (about 30 times the linked commercially available Toshiba QKD boxes).

    3. Philo T Farnsworth Silver badge

      Re: Very interesting article

      My new startup: QuantumAIBlockchainFusionTech, a fully buzzword compliant system guaranteed to vacuum up billions in VC funding.

      Get in on the ground floor today and meet me in the basement tomorrow.

      1. Anonymous Coward

        QuantumAIBlockchainFusionTech,

        that is not far off.

        The Quantum part is our part. Quantum Computing. The process they are talking about is a known one. The neuron entanglement they are using is 'binary' so crackable.

        They seem to have bought one of the theory boys who came up with part of this quantum model as he is over there now and has been for 2 years now.

        Entanglement is cascading. They need to abstract the cascades thru a LNN. That is completely uncrackable without the admin on model that made it.

        1. MonkeyJuice Bronze badge

          Re: QuantumAIBlockchainFusionTech,

          I needed a lie down after trying to read that.

  3. Pete 2 Silver badge

    old school

    > Quantum keys are only safe if they are never reused. Which means you need as much key as you have data

    This sounds to me like a one time pad. A system used by spies for decades.

    But another technique used when messages can be intercepted - such as when sent over a shortwave radio link, as done by number stations, is to fill the channel. Not to send messages only when there is something to communicate, as that, itself, provides the interceptor with information, but to constantly send padding or random stuff, so the actual messages do not stand out.

    The techniques for this are well understood and while the bandwidth constraints might make this impractical for mass-commercial use, it is still a viable method for transmitting high value secrets.

    1. Neil Barnes Silver badge

      Re: old school

      A point which occurs to me for a given message is that ideally it looks like random noise. Assuming this to be the case, a hostile agency - personally hostile, they want you in jail but they don't really care what you actually said - can trivially generate a 'key' that will e.g. xor with your message to 'decode' it to anything they want. And the only way you can deny this is to do the actual decode, thus revealing both the method, the message, and the encryption key...

      Is this a reasonable assumption (think of some of the more controlling states)? Are there mechanisms in common algorithms to prevent this?

      (As is obvious, this really isn't my field.)

      1. jdiebdhidbsusbvwbsidnsoskebid Silver badge

        Re: old school

        "trivially generate a 'key' that will e.g. xor with your message to 'decode' it to anything they want"

        Nice thinking but no, I don't think you can do that. Firstly, xor isn't encryption, it's just scrambling. What I think you describe is having the coded message and the decoded message, and from those two, working out the third unknown - the decryption key (ie the specific key needed for your chosen message to appear).

        Encryption algorithms aren't invertible like that. If you have the encoded message and the key, then yes you can work out the decoded message. But you can't do it in reverse. A simple example is if the encryption algorithm was simply coded_message x cos(a) = decoded_message, where a is the key. In this case, the inverse of cos(a) is a = arccos(decoded_message / coded_message) and is ambiguous because a = arccos() +/- 2npi where n is any integer.

        I think that's the way modern encryption like public shared keys work on the mathematical level, but rather more complex maths than my example here.

        1. Neil Barnes Silver badge

          Re: old school

          I follow your logic and appreciate your reply.

          However, it seems to me that _any_ random noise sequence can be trivially 'decoded' into any message of the same length - irrespective of the coding scheme. The opponent merely has to say, look, the sender is an idiot and just used a simple xor with a long key, and here's the key... I think your method is expecting to forge a message as if it were from the original sender using his rather-more-secure algorithm, and for a single message it doesn't need to...

          The defendant would presumably insist that the opponent demonstrate the method on another message, but (a) the obvious answer is 'he was using a different key for each' and (b) I suspect that an authority who would stoop to this isn't going to care much about process of law for the defendant.

          And I note the reply below about sending someone a string of random digits and dropping the authority a hint...

          In both cases the issue is not actually decoding the message; it's decoding it into something incriminating. What it starts out as, and how it was encrypted, are immaterial. It's the message itself that does the damage.

          1. jdiebdhidbsusbvwbsidnsoskebid Silver badge

            Re: old school

            Maybe I did misinterpret your earlier message then.

            If you could trivially decode any random noise sequence into any message, then as the old adage in signal processing goes, if you process it hard enough, you don't need the signal. I think you are describing generating an incriminating message but trying to give it a degree of credibility to further incriminate the recipient?

            I suspect in any half decent jurisdiction, a trail of messages forming an exchange would have to be shown, otherwise it's no different to posting a snail mail letter to your mark, claiming to be from any anti government or criminal organisation. And if you are doing this in a place with little regard to fair law, just a few well placed posts on social media might do the job instead.

            1. Neil Barnes Silver badge

              Re: old school

              To be honest, I think the degree of credibility is 'because we said so'.
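The sub-thread above turns on whether a ciphertext can be "explained" by a key chosen after the fact, and whether common algorithms prevent that. The following is an added example, not part of the original thread: it shows the one-time-pad case, where a key as long as the message exists for every same-length plaintext, next to a cipher whose key is shorter than the message. The 16-bit key and the SHAKE-256 keystream are assumptions chosen so the whole key space can be searched; they stand in for a real cipher such as AES and are not one.

```python
import hashlib
import secrets
from itertools import product

# Constructed sample messages of equal length (20 bytes each).
REAL = b"meet at noon, gate 4"
DECOY = b"lunch menu attached."


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("operands must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(message: bytes) -> tuple[bytes, bytes]:
    """One-time pad: a fresh random key exactly as long as the message."""
    key = secrets.token_bytes(len(message))
    return key, xor(message, key)


def forge_otp_key(ciphertext: bytes, wanted: bytes) -> bytes:
    """Key under which `ciphertext` 'decrypts' to `wanted`.

    For a pad as long as the message this always exists, which is the same
    property that gives the one-time pad perfect secrecy: the ciphertext
    alone is consistent with every plaintext of that length.
    """
    return xor(ciphertext, wanted)


def toy_keystream(key: bytes, length: int) -> bytes:
    """Hypothetical stand-in for a stream cipher: expand a short key."""
    return hashlib.shake_256(key).digest(length)


def short_key_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt with the toy short-key cipher (XOR is symmetric)."""
    return xor(data, toy_keystream(key, len(data)))


def search_short_key(ciphertext: bytes, wanted: bytes, key_bytes: int = 2):
    """Try every key of `key_bytes` bytes; return one that yields `wanted`.

    With a k-bit key only 2**k plaintexts are reachable from a given
    ciphertext, so an arbitrary 20-byte target almost certainly has no key.
    """
    for candidate in product(range(256), repeat=key_bytes):
        key = bytes(candidate)
        if short_key_crypt(key, ciphertext) == wanted:
            return key
    return None


if __name__ == "__main__":
    real_key, ct = otp_encrypt(REAL)
    fake_key = forge_otp_key(ct, DECOY)
    print("OTP, real key :", xor(ct, real_key))
    print("OTP, other key:", xor(ct, fake_key))

    ct2 = short_key_crypt(b"\x12\x34", REAL)
    print("short key, real message :", search_short_key(ct2, REAL))
    print("short key, other message:", search_short_key(ct2, DECOY))
```
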

      2. Pete 2 Silver badge

        Re: old school

        > they want you in jail but they don't really care what you actually said

        I have occasionally pondered the following situation:

        An entity (person or organisation) sends a large block of random data to an individual who has sensitive political associations. The authorities intercept this message and assume it is a coded message. They then demand the recipient provide (on penalty of jail) the key to decrypt it. Which obviously they are unable to do since it is not an encrypted message - it just looks like one.

        The question being, how can the authorities prove a block of data is actually an encrypted message, in the first place?

      3. jdiebdhidbsusbvwbsidnsoskebid Silver badge

        Re: old school

        Looks like random noise, but isn't. Ideally yes it will look like random noise in terms of having a flat spectrum, but that's to maximise the bandwidth of the channel you are using. I seem to recall that there is also a benefit in having an equal number of up/down chip transitions to obscure certain properties of the encryption that could be useful to an eavesdropper, but my memory is vague on that.

      4. SCP

        Re: old school

        It is easier to just pass laws to make it an offence to not decrypt your message/random noise when ordered to do so.

      5. O'Reg Inalsin

        Re: old school

        I think you are both wrong and right. The wrong part is that "they" even need to reverse decode something. They only need to be suspicious in order to apply electrodes to your * and get you to say something they want to hear, which incidentally will allow them to make further arrests, baseless or not.

        Here is how you could be right by process of elimination. The safest way forward for Alice and Bob is that their encrypted messages must appear to be valid "small talk" (in the general sense - it may include images), but actually contain a secret hidden part that looks like "natural" noise. Safest doesn't imply absolutely safe. As soon as Alice or Bob generate suspicion for any reason, they are goners. 1984.

        However, the poster you replied to could have been talking about nation states spying on each other, where Eve doesn't have the power to arrest and torture Alice and Bob. That's a different story.

    2. Bebu

      Re: old school

      > sounds to me like a one time pad.

      I think that is the gist of it but there might be more crypto clever~ty involved. Exchanging limited use ephemeral key for quantum resistant crypto algorithms might be more practical.

      I can imagine using quantum entanglement for indisputable tamper evidence could be applied to a portable vault (briefcase :) which protecting conventional storage containing a massive quantity of key material (or one time pad) could be physically transported between sites.

      Only those apparently unmolested vaults would be used.

      Saturating the channel with random traffic would hamper traffic analysis - using encrypted plausible but false or irrelevant messages for the padding might be more effective. Either way the receiver still has to be able to distinguish the message from the padding and I am not sure that can be achieved without a finite risk of an adversary discovering this.

      I don't know that many secrets need to be kept for more than a century. Various (Wiki)leaks of extremely damaging documents would suggest that two decades is more than enough to dissipate any fallout from these premature exposures. Also demonstrated that the most secure channels are as weak as the nongs and drongos at either end.

      1. martinusher Silver badge

        Re: old school

        One time pads are a bit old school; the encryption scheme used by AES (Rijndael) is quite adequate at this time. It being a block cypher only encodes blocks of data that are a key's length but there are several techniques for combining an encrypted block with the next block to give the effect of a stream cypher.

        So unless I'm missing something the real purpose of this quantum key distribution is safely distributing randomly generated keys between communicating parties as well as helping to prove that the corresponding parties are really who they claim to be. This, after all, is one of the fundamental weaknesses of all encryption schemes (others being a lack of message discipline and a tendency for people to write 'Passw0rd' on a PostIt note which they stick under their keyboard). Nobody attacks the actual encrypted data.

    3. Crypto Monad Silver badge

      Re: old school

      The theoretical attacks from future quantum computers are against public key systems, not symmetric ciphers.

      Therefore, using quantum key distribution for a one-time pad is very wasteful. Just use them for keying a symmetric cipher like AES256, rekey every few seconds, and you're done.

      Having said that, all this QKD stuff is just hype. If you are genuinely worried that your adversary is going to do quantum decryption of your key exchanges, then you could create two identical 32GB flash drives filled with random data(*), and have over 1 billion AES256 keys: enough for 34 years at one key per second.

      Your problem then boils down to how to stop the USB drive being intercepted and cloned in shipping. The traditional approach is to put it in a suitcase chained to the wrist of a diplomat.

      (*) generated from some truly random physical noise source, not pseudo-random.

      1. SCP

        Re: old school

        > Your problem then boils down to how to stop the USB drive being intercepted and cloned in shipping.

        Or compromised/exfiltrated whilst in storage. You would also like to think that routine security procedures would reliably ensure secure disposal - but filing cabinets and data drives do turn up in the most unexpected (and undesirable places) from time to time.

        Having something that is truly ethereal like QKD would seem to offer a solution to these problems - there should be no need to store the agreed key for any longer than is necessary to decrypt the message. So no need to store the key on any form of permanent medium.

        (Of course you still need to keep the decrypted data safe - preferably not in cardboard boxes in a hotel bathroom [or in your garage - even if there is a '67 Corvette to distract would-be thieves])

    4. Grunchy Silver badge

      Re: old school

      My favorite simple cipher is the “book cipher,” because nobody can possibly figure it out unless you know precisely which book is being referenced. Although I suppose you could just look for the most worn-out book on the shelf… (or, to foil that, pick anything from project Gutenberg).

      My “fill the band” scheme goes like this: the ‘key’ is a seed value for some RNG that generates values up to 100. That number is the bit-count of noise bits per single data bit. So the message becomes up to 99% waste. Anyway, what you do is take the sparse data stream (data bits surrounded by random stretches of zeroes) and just pick random phrases, words, and letters that happen to have the same data bit set while filling in the emptiness with plausible information. Even better, every once in awhile you include within the message a special instruction to reset the RNG seed, etc.

      (Of course this is a specialty cipher for particular people that want something more than commodity crypto. The algorithm can be as nuts as you want, and the plausible data could be audio, video, noise, repeating patterns, anything your imagination dreams up!)

  4. Paul Crawford Silver badge

    Realistically you won't use QKD for a full message (one-time pad style) but as a means of regularly changing long-ish keys on a good symmetric cypher. It will not be unbreakable in theory, but in practice you have many millennia unless the cypher is flawed in some way (backdoor, mistake, falls to quantum algorithm if/when computers become practical).

    With a key that is truly random and changes every few hours, for example, you would have such a backlog of data to crack that you need to do it within the key-change period, or you will quickly become overwhelmed.

    While it might seem attractive as the "gold standard" of information security in transit, I suspect there are many other ways to access the data more easily by traditional spying techniques or making use of the endless holes found in most common software. In an active war I doubt you would have time to try and break most systems, so you just jam a link or bomb the path and/or endpoints to deny use.

    1. Dostoevsky Bronze badge

      Spot On

      <insert nailed-it.gif here>

    2. Bill Gray Silver badge

      (Note : this is well outside my area of expertise, and probably that of others. I'd appreciate it if, instead of/in addition to simply downvoting this post, you could explain where I've gone wrong here.)

      Yeah, I always thought the idea of QKD was to distribute just a symmetric key, and not what amounts to a one-time pad. It might securely distribute a mere 2048 bits for a 2048-bit cipher, for example, which would leave the attacker trying all 2^2048 possible keys. Your message can be broken, but only after the sun has gone through its red giant phase.

      Which leads me to wonder : what's wrong with existing key distribution schemes? (Obviously, if some TLAs have solved the discrete logarithm problem and haven't told anybody, they could break current key distribution schemes. You'd then either want QKD, or maybe send somebody with a scrap of paper with the key written on it... the latter might be simpler.)

      1. Blazde Silver badge

        The 'somebody with a scrap of paper with the key written on it' is easily susceptible to covert interception. There are post-quantum key exchange algorithms that are probably safer than relying on discrete logarithm, and you can always stack a few hardnesses on top of each other to defend against anything but the most catastrophic algorithmic breakthrough.

        But I can absolutely see the appeal of not having to worry about how secure your hardness primitive is. QKD is another layer of defence and when the bitrate is too low can be reserved for only the most important secrets. There's definitely value in it.

        I suspect in China's case however the biggest value will end up being in commercialising the tech and selling it to paranoid governments around the world. Probably those that are already penetrated by all sides in ways QKD doesn't help with. And possibly with the QKD endpoints trivially backdoored.

        1. Bill Gray Silver badge

          > The 'somebody with a scrap of paper with the key written on it' is easily susceptible to covert interception.

          Well, yes... but much in the same way that any key exchange/cryptographic system is susceptible : if you don't do it exactly right, it's vulnerable. Even one-time pads are vulnerable if, for example, you re-use them (as I gather the Soviets did in the 1950s, resulting in broken messages.) You can say -- quite correctly -- "don't use the OTP more than once". But if so, I get to say : "don't show that scrap of paper to anybody while you're going from point A to point B."

          I could definitely see China wanting to commercialise the tech. But trust would be an obstacle. With algorithms from TLAs, for example, I can at least trust that plenty of very stable geniuses have examined them carefully and failed to find flaws. But... with hardware from a TLA, whether it be Chinese or US or Absurdistanian, how can I ever be really confident it's not backdoored?

          1. Blazde Silver badge

            Mhmm, I'll admit I was abstracting away that 'use the OTP correctly' problem, in the way that's always dangerous in this area. But still I think it's a different scale of problem. If you somehow have the key material at both endpoints in controlled environments then you stand a much better chance of enforcing its correct use, and at least detecting when it's misused. If it has to travel thousands of miles through an unsecured environment then your threat model is at the least a whole lot more complex. (Place the key material in some kind of tamper-evident device? Send it via two uncorrelated routes and XOR at the end? There are probably some reasonable solutions that are expensive but still much cheaper than QKD.)

      2. Paul Crawford Silver badge

        In the ideal world of a perfect cypher you would need 2^(N-1) attempts on average to find the key for an N-bit symmetric cypher. You might get lucky early, or you might have some side-channel information that can narrow down the range of keys to look for, but even with a current 256 bit AES that is 5.79E76 trials. If you can do each in, say, 0.1us you would need 1.8E62 years. Even if you have parallel hardware to do a million checks in parallel you are still beyond solar life times, let alone the worries of mere mortals. TL;DR 256-bit AES is plenty good enough if no flaws are found. Which might happen, which is why they are suggesting that over 128-bit that would still be countless aeons.

        The thing with asymmetric cyphers (used for public-private key exchange) is the entropy is a lot less than the length. There is a table around 3/4 down on here comparing requirements:

        https://justcryptography.com/key-length/

        E.g. 128-bit AES needs a 3072-bit RSA key, and 256-bit AES needs 15360 bits for similar protection. Elliptical curve can work with smaller keys (but still above 512-bits in 256-bit AES case). Again the issue is not brute-forcing them, it is the fear that someone, somewhere, finds a flaw that allows a vastly shorter search to be done.

        Many tin foil hatters distrust any NIST guidance on principle due to past issues (e.g. opaque design of S-box, DES being only 56-bit key, etc, and the NSA in the background) which is why NIST went to a public world-wide competition that led to the AES by a couple of Belgian cryptographers being chosen following a lot of public analysis and checks. Now that does not mean the algorithm is not flawed, but it means there is no deliberate weakness. But an unintended weakness that nobody spotted and that is discovered later is just as risky once it is in global use on embedded devices, etc!

    3. O'Reg Inalsin

      It is a problem that QKD is 1-1. The more endpoints/messages are using the same key, the more opportunity there is for the key to leak, especially if "local" endpoints are sharing the key after transmission. Ideally, at a minimum, every two endpoints would have their QKD system between them, but I imagine that is prohibitively expensive.

      1. Paul Crawford Silver badge

        Actually a bigger issue for a quantum network is you can't switch/route the data. To do so means having to get the QKD key, check and error-correct it at each node and forward it somehow with a fresh set of photons. Then each node becomes a juicy point for any eavesdropping!

        1. Paul Crawford Silver badge

          Actually that is not exactly true, I just found this article:

          https://www.nature.com/articles/s41534-023-00757-x.pdf

          Basically they propose an optical switching system with fibre delay-lines to hold packets briefly in order to deal with packet collisions, but without touching the QKD in any particular way. This keeps the end-end security (i.e. interception discovery), but the main down sides are:

          - No extension of distance. Losses of all fibre and all switches impact on the same original photons.

          - Not sure how well it would scale to many ports and/or support fancy routing rules, but maybe that is just a practical technology challenge than a fundamental limit.

    4. Anonymous Coward

      > Realistically you won't use QKD for a full message

      QKD will be the http of the century. Well, a LNN SI-gen temporal one will.

      AI to AI thru 'temporal' QKD

  5. Anonymous Coward

    I'm scratching my head a little over this article.

    Like, what does this mean?

    "Quantum keys are only safe if they are never reused. Which means you need as much key as you have data."

    A secret key is usually exchanged in order to do symmetric cryptography. Why can't this work here?

    And PQC has barely been standardized by the NIST, it's hardly in use, nor proven to be practical to use and as secure as advertised.

    1. Paul Crawford Silver badge

      I think the original comment is wrong, but not completely. The problem is QKD does not prevent a key being intercepted, it just tells you it has been so try again (maybe noise causing ECC to fail) or look for a spy.

      If you send the same key several times then once could be intercepted, maybe discarded/changed as just noise, but data gobbled between the 2st and the eve key is now open for decryption.

      Secret key-exchange usually means all data exchange can be spied upon but the combination of public/private keys means that is of little use unless you have access/control of one of the private keys. That is why SSH squawks if a machine appears to change, as it could mean someone is man-in-the-middle exchanging data both ways...

      1. Anonymous Coward

        Keys usually aren't exchanged several times, only once, up until when they're renewed and a new key is exchanged. Also, they're point to point for transmission, and single-use for data protection: the same key isn't used for different purposes.

        Here, QKD would mean a key that's intercepted during the initial exchange is known to be intercepted and thus never used.

        I'm not sure at all your ssh example is relevant: if the host key changes, it only means the remote server can't be authenticated. It doesn't relate to the safety of the encryption to this server. The safe distribution of public host keys so they can be trusted absent a PKI is a whole other can of worms.

  6. Rich 2 Silver badge

    How to detect interception

    How does one detect interception with quantum comms? If Eve intercepts a photon and decodes it (I’m assuming we’re talking about spin here) then what is to stop Eve making a new photon with the same properties and sending THAT on to Bob? How would Bob tell the difference?

    I’m guessing the entanglement with another photon is supposed to help but I’m stumped as to how - detecting the state of one of the photons has no influence whatsoever on the other - it will tell you what the other photon’s state IS but it won’t influence it

    1. Diodelogic

      Re: How to detect interception

      "detecting the state of one of the photons has no influence whatsoever on the other"

      This is a common mistake when talking about quantum entanglement. Observing the state of an entangled photon instantly collapses the entanglement--the photons are no longer entangled. Even disturbing one of the photons will almost certainly collapse the entanglement, which is one of many reasons but probably the most important, that quantum computers are so difficult to build. Almost anything will cause quantum entanglement to collapse. Since it is possible to know when photons (or other particles) are entangled, without actually observing the photons themselves, hiding the fact that someone is snooping becomes nearly impossible. Entanglement is a "quantum weirdness" that has no classical counterpart.

      1. jdiebdhidbsusbvwbsidnsoskebid Silver badge

        Re: How to detect interception

        "Observing the state of an entangled photon instantly collapses the entanglement--the photons are no longer entangled"

        And before anyone mentions using collapsing entanglement as a form of faster than light comms, that collapsed entanglement is only apparent when the original entangled pairs are brought back together and correlated. They can only be brought back together using not-faster-than-light methods. Sorry everyone, faster than light comms is still sci-fi.

      2. herman Silver badge

        Re: How to detect interception

        Hmm, provided that they don’t keep retrying with the same data bit. They have to restart from the beginning with a whole new key.

    2. jdiebdhidbsusbvwbsidnsoskebid Silver badge

      Re: How to detect interception

      "How does one detect interception with quantum comms? If Eve intercepts a photon and decodes it (I’m assuming we’re talking about spin here) then what is to stop Eve making a new photon with the same properties and sending THAT on to Bob? How would Bob tell the difference?"

      Interception is detected because the interception collapses the state of the intercepted photon (which is one of the entangled pair that Alice generated and sent to Bob, whilst keeping her other one of the same pair). When Bob and Alice correlate their photons (Bob and Alice have each half of an entangled pair), they will discover that they are no longer coherent and the gaff is blown. Alice and Bob realise that the key being sent with those entangled pairs has been compromised so agree not to use that key in the subsequent encryption. They keep trying until an unintercepted photon finally gets through.

      If Eve did intercept and send an identical photon, it would not be correlated (entangled) with Alice's half of the original entangled pair, which would show up when Alice and Bob compare their half of the photon pair. That's how they would know of the interception. Entanglement is a fundamental product of producing the two photons at the same time and in the same place. You can't make a photon and entangle it with any other photon of your choosing from some other place in the universe.

      1. sitta_europea Silver badge

        Re: How to detect interception

        " ... You can't make a photon and entangle it with any other photon of your choosing from some other place in the universe."

        That's the part that gives me goosebumps. :)

      2. O'Reg Inalsin

        Re: How to detect interception

        What's to stop Anya and Boris from setting up parallel equipment and masquerading as Alice / Bob respectively to perform the MITM that way?

        1. Paul Crawford Silver badge

          Re: How to detect interception

          If your end points are compromised it's game over anyway.
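The interception check discussed in the "How to detect interception" replies above, as an added example that is not part of any commenter's post: a simplified classical model of an entanglement-based key exchange in which an intercept-and-resend eavesdropper shows up as errors when Alice and Bob compare results. The two-basis scheme, the function names and the 11% abort threshold are assumptions of this sketch, not details from the thread.

```python
import random

def measure(photon, basis, rng):
    """Measure a photon held as (basis, bit).
    Matching basis returns the bit; the other basis gives a coin flip."""
    prep_basis, bit = photon
    return bit if basis == prep_basis else rng.randrange(2)

def run_session(n_pairs, eve_present, seed=0):
    """Return the error rate Alice and Bob see on the sifted key."""
    rng = random.Random(seed)
    sifted = errors = 0
    for _ in range(n_pairs):
        a_basis, b_basis = rng.randrange(2), rng.randrange(2)
        a_bit = rng.randrange(2)
        # After Alice measures her half, Bob's half behaves as (a_basis, a_bit).
        photon = (a_basis, a_bit)
        if eve_present:
            # Eve must guess a basis, measure, and send on a fresh photon.
            # Her photon carries her result, not the original correlation.
            e_basis = rng.randrange(2)
            photon = (e_basis, measure(photon, e_basis, rng))
        b_bit = measure(photon, b_basis, rng)
        # Sifting: keep only the rounds where Alice and Bob chose the same basis.
        if a_basis == b_basis:
            sifted += 1
            errors += a_bit != b_bit
    return errors / sifted

def key_accepted(error_rate, threshold=0.11):
    """Assumed abort rule: discard the whole key if errors exceed the threshold."""
    return error_rate <= threshold

if __name__ == "__main__":
    for eve in (False, True):
        rate = run_session(20000, eve)
        print(f"eve={eve} error_rate={rate:.3f} accepted={key_accepted(rate)}")
```

Eve guesses the wrong basis half the time, and each wrong guess gives Bob a coin flip, so about a quarter of the sifted bits disagree. In this model the key is then discarded and the exchange restarts with fresh pairs.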

  7. herman Silver badge

    Quantum of solace

    A great backronym!

  8. kneedragon

    Like fusion power ~ 30 years in the future, and it always will be.

    I want to comment on this.

    About 5 years ago, I read a panic story that China had developed completely secure quantum communications between a satellite and a ground station. Some talk about the orbital height, the speed, the bandwidth, the size of message, yada yada yada ~ not much talk about what the ‘quantum’ part was.

    Eventually, it came out that they’d transmitted the private key of about 256 bits, between a machine on one side of the lab to a machine on the other, and then launched a satellite with that ‘quantum secured’ private key. Everything else about that ground ~ satellite communication was completely standard and normal.

    Nothing in their claim was a lie ~ but everything in it was misleading. That is NOT quantum secure communication.

    ---------

    Quantum computers can perform certain very specific functions millions of times faster than a conventional computer. That doesn’t mean you can run Window$ or Outlook on them. There are certain kinds of problems you can attack with a quantum computer, and reach a solution in a reasonable time-frame, which would be impossible to brute-force with conventional equipment. That doesn’t make them a replacement for conventional computers.

    It is arguably practical to transmit something across a room (the lab) by quantum entangled particles, but it’s not practical to transmit something from Earth to the moon that way, or from New York to Beijing that way. That would be a KILLER APP on every level, but doing it is a lot harder than saying it.

    Thirty years ago, when I started to take an interest in computers and IT, two subjects were hot. Quantum computers and Artificial Intelligence. AI is growing to show some of the promise it had, although there are questions, but quantum computing still seems to be like energy from fusion ~ 30 years in the future and it always will be.

    1. Anonymous Coward

      Re: Like fusion power ~ 30 years in the future, and it always will be.

      "Thirty years ago, when I started to take an interest in computers and IT, two subjects were hot. Quantum computers and Artificial Intelligence. "

      No way. 30 years ago Mobile was just cooling off pre-iPhone. AI has only really been taken seriously since 2015/2016 thanks a lot to Demis.

      Quantum computers is wrong imagery. Quantum interruption thru AI/SI is better. We are guessing the probabilities of high-dimensional representations of 'sub-atomic' states. That is tricky, but doesn't need any special machine to do it. Just a special me

  9. Anonymous Coward

    great piece

    👍

  10. Anonymous Coward

    Maybe I'm missing something?

    Why is it actually a problem that China is securing its own communication? Not that I'm a fan, but it IS a sovereign country and they're as much entitled to keeping their own secrets as anyone else.

    Or are we reading between the lines that certain other nations are upset they can no longer intercept communication? Would we cry foul if it was, for instance, the US which is shoring up its communication security?

    Maybe I haven't had enough coffee but I fail to see the actual issue here.

  11. druck Silver badge

    Quantum FOMO

    Let China tie up its best brains and biggest pots of money in chasing a technology that will never work as promised and will never be needed.

    Isn't this exactly what I've been saying all along - let others bankrupt themselves on Quantum FOMO.
