The author fails to understand the basics of Quantum Teleportation. Think of it this way: Alice has 2 boxes with the same unknown bit, and sends one of those boxes to Bob. When Alice opens her box she can see the value and Bob can see it too. Something like that.
Very good for cryptography (think untamperable shared secret keys) and for some cases of parallel computing.
Superluminal (FTL) communication would break Special Theory of Relativity. If anybody achieves that it would be an instant Nobel and front page on every newspaper on the planet. Even a mistake like the FTL neutrinos fiasco earlier this year.
Tech journalists tend to skim the abstracts and hype it to sell more clicks/ads.
I'm trying to think of a physical analogy to better understand this: Image you (Alice) have a randomly shuffled (say, by god) deck of cards. You cut the deck in half and distribute one half to Bob and keep the other half (such that by knowing one half, you would know the other). Until either of you look at your respective half-deck, the distribution of cards is in a superposition of all possible distributions (a la Schrodinger's cat). Where the analogy breaks down (thereby illustration what's special about Quantum Teleportation), is that as soon as Alice flips her cards, Bob's cards flip as well (and visa versa). Thus by the time the cards got to Bob, Bob would be able to detect that someone else could have read the cards and thus the information may have been compromised. (This is kind of how I remember quantum cryptography to work, actually).
Does this analogy make sense? My physics background is pretty weak...
This is really just an illustration of quantum cryptography, rather than quantum teleportation. Quantum cryptography is a method of exploiting quantum effects to create a channel that can be used to transmit classical information in a manner that cannot be eavesdropped.
Quantum teleportation is kind of the opposite. It uses a classical information channel in order to transmit -quantum information-, which can't actually be represented clasically. It is actually moving the superposition itself from one place to another. The term "teleportation" is used because the "no cloning" rule (quantum information cannot be "copied") means that the information is no longer in the original location.
This is mostly useful in quantum computers, because in order to actually process information it's pretty important to be able to get it from one piece of the machine to another, and until the recent teleportation breakthroughs building quantum computers that could handle more than a couple "qubits" was pretty much not doable.
The big difference is that encryption based on computationally difficult (but not impossible) problems (i.e. factoring) should not be used to encrypt information that must remain secure long-term.
e.g. Say you have a highly sensitive secret that must remain secret not for just a few years, but decades or centuries. If you encrypt it using a factoring based scheme and then transmit it classically, an eavesdropper could take a copy of the encoded message without your knowledge. Whatever scheme it was encrypted with will then have to stand up to decades of advances in algorithms and computing technology. Quantum computers will probably break most currently used factoring-based schemes (including elliptic) eventually, and there's no guarantee that there exists no classical algorithms that could break such encryption with practical amounts of classical computation either. You should view anything encrypted and transmitted using factoring-based methods as having been broadcast publicly with an unspecified delay.
Quantum cryptography is unbreakable in theory, but is not without flaws in practical systems. However, the nature of communicating with quantum states (google the no cloning theorem) means that attacks must be known and used at the time your message is transmitted. An eavesdropper trying to listen in on quantum encrypted communications cannot archive coded messages to attack at his or her leisure. Attacks must be immediately successful or the message will remain secure for all time.
So, your credit-card info is probably safe to transmit using factoring based cryptography, since it changes every few years. Your medical records, or where you buried that body, are a different matter entirely!
Whatever scheme it was encrypted with will then have to stand up to decades of advances in algorithms and computing technology.
So will the block or stream cipher you encrypted the data with.
Quantum computers will probably break most currently used factoring-based schemes (including elliptic) eventually
That seems extremely optimistic to me. Given the current state of the technology, it's a little like an astronomer discovering a distant new star and then promising to open suntan parlors from its concentrated rays.
Try this thought experiment: For a given set of security and speed requirements, take the money you would spend on a pair of quantum key exchange devices and spend it instead on accelerator hardware for non-quantum ECDH operations. How much longer (and more secure and reliable) can we make the key exchange parameters with this conventional hardware within the same time limits?
The answer to your thought experiment is: I don't know.
That's the only correct answer, and the reason why you shouldn't use ECDH for long-term sensitive information. It's still a method based on computational difficulty. There's no proof that there's isn't an algorithm that could efficiently break it on currently existing classical computers. One could be discovered in 50 years, tomorrow, or might already be in use in organizations like the NSA. Even if quantum computing wasn't progressing in leaps and bounds (if you look at what is being done you might be very surprised), the possibility it presents is still there.
Again, I'm not talking about credit-card-transactions here. I'm talking about critical information that you don't want to gamble with. ECDH, however good it is, is a medium-term gamble and practically certain to be broken in the long-term.
The only truly safe alternative to QKD at present is the simple one-time-pad (a.k.a. Vernam cipher). i.e. The sender and receiver physically exchange random bit strings. In Canada we still see government agents carrying handcuffed briefcases around on commercial airlines a lot, and that's probably what they're full of. It may sound ridiculous to do this because you're relying on the loyalty of those agents, but security is ultimately a people problem no matter what technology you throw at it.
There's no proof that there's isn't an algorithm that could efficiently break it on currently existing classical computers.
But we could also say that about the cipher used to encrypt the bulk message data.
I'm just saying that QC for the forseeable future seems complicated, expensive, and fragile and at best only addresses one bit of the overall puzzle.
Again, I'm not talking about credit-card-transactions here.
That's always refreshing :-)
I'm talking about critical information that you don't want to gamble with. ECDH, however good it is, is a medium-term gamble and practically certain to be broken in the long-term.
You probably know some things I don't, but conventional and EC DH seem to be the more conservative choice to me whereas QC seems like it's barely out of the lab (i.e., we have less than a decade of real-world experience with it).
Re: The cipher for encryption of the message data:
One time pad. Inefficient, but guaranteed secure by mathematical proof if the key is secure. Google it.
QKD is far from ready for last-mile networks, but in principle it should be able to use existing fiber and have similar network topologies to what we currently have in classical networks. (e.g. It is possible to distribute entanglement through untrusted repeaters.) Your arguments against it are the same that were once applied to transistors or lasers.
As for ECDH, please reread what I posted earlier. If your information will not be sensitive after a decade or two it is perfectly fine. If the information will remain sensitive, it is unsuitable.
One time pad. Inefficient, but guaranteed secure by mathematical proof if the key is secure. Google it. QKD is far from ready for last-mile networks
The very term QKD as "Quantum Key Distribution" implies that the system we're discussing is good only for distribution of keys much shorter than the message.
So which is it?
You're not impressing me with the claiming of "one time pad security" for a system that's not actually a one time pad. This is classic snake oil jargon.
Your arguments against it are the same that were once applied to transistors or lasers.
Yes, I'll admit there's an element of reactionary conservatism here. The difference is that lasers were demonstrably doing something new and transistors were doing something existing (amplification) in a way that had radically better economics.
QKD is taking something that we're already doing now (non-intrinsically authenticated key agreement) and claiming that there's a need to do it in this new, expensive, complicated, and fragile way. Forgive me if I don't just take your word for it.
It would really be cool for those saying "really, your (EC)DH will be broken in 20 years" to put it where their mouth is and tell us what attacks they have in mind. Otherwise, it's just FUD.
"Quantum Key Distribution" in no way implies the key is shorter than the message. It actually needs to be longer to allow for error correction, authentication, and privacy amplification (i.e. to compensate for noise that could be attributed to an attack). A one time pad, or vernam cipher, is commonly used in commercial QKD systems. It's not snake-oil. Please google it. It's dead simple to understand and almost as easy to understand why it's impossible to break if used properly. As I pointed out, it's the gold-standard for paranoid government agencies even without QKD, ergo spooks with suitcases on planes.
As for attacks on ECDH, look up Shor's algorithm. That particular algorithm needs a quantum computer to run, but there is no existing proof showing that it is impossible to find one that would run efficiently on a classical computer. Again, the nature of classical communications means that encrypted messages may be copied and archived, so that vulnerabilities found in the future can compromise messages you send today. Maybe nobody will ever manage to crack ECDH, but maybe they will. It's a gamble. Quantum communications cannot be copied and archived so QKD must be broken at the time of transmission or the message is safe for all time. That's the big difference.
Again, I'm not suggesting ECDH isn't fine for most normal people's day-to-day needs. We're talking about secrets that need to be kept for generations that you simply don't want to gamble on.
Reading your comment, and a few short articles (and that Defcon19 talk) on Quantum cryptography, correct me if I'm wrong. Quantum cryptography is a "way" (emphasis) to securely send a one time pad to the recipient in such a way that due to the quantum effects, if the quantum bit currently in transmission (in the wire) is mitm'ed, it doesn't reach the end or something like that. So both of you can discard that bit and continue on to the next bit until you've transmitted the whole pad.
More or less. Quantum states can only be measured probabilistically. This, combined with the fact that they cannot be cloned, is what makes the eavesdropper detectable if he/she tries to intercept the quantum states in between the sender and receiver. i.e. The sender knows what she sent, but if the eavesdropper measures those states and tries to imperfectly clone them she will send states to the receiver that will produce impossible results when measured by the receiver.
In a true MITM attack the eavesdropper could claim to be the receiver to the sender and the sender to the receiver and exchange keys with them both. This is why authentication must be a part of QKD protocols.
Once you have a secure key, using it as a one-time-pad is the most secure way to send data. (Note: We're skipping a few steps like error correction and privacy amplification)
Very good for cryptography (think untamperable shared secret keys) and for some cases of parallel computing.
Superluminal (FTL) communication would break Special Theory of Relativity. If anybody achieves that it would be an instant Nobel and front page on every newspaper on the planet. Even a mistake like the FTL neutrinos fiasco earlier this year.
Tech journalists tend to skim the abstracts and hype it to sell more clicks/ads.