April 27, 2004

QC - another hype cycle

Cryptographers and software engineers are looking askance at the continued series of announcements in the Quantum Cryptography world. They are so ... vacuous, yet, so repititious. Surely nobody is buying this stuff?

'Fraid so. It's another hype cycle, in the making. Here's my analysis, as posted to the cryptography list.

Subject: Re: Bank transfer via quantum crypto
From: "Ian Grigg" <iang@...>
Date: Sun, April 25, 2004 14:47
To: "Ivan ..."
Cc: "Metzdowd Crypto" <cryptography@metzdowd.com>

Ivan Krstic wrote:
> I have to agree with Perry on this one: I simply can't see a compelling
> reason for the push currently being given to ridiculously overpriced
> implementations of what started off as a lab toy, and what offers - in
> all seriousness - almost no practical benefits over the proper use of
> conventional techniques.

You are looking at QC from a scientific perspective.
What is happening is not scientific, but business.

There are a few background issues that need to be
brought into focus.

1) The QC business is concentrated in the finance
industry, not national security. Most of the
fiber runs are within range. 10 miles not 100.

2) Within the finance industry, the security
of links is done majorly by using private lines.
Put in a private line, and call it secure because
only the operator can listen in to it.

3) This model has broken down somewhat due to the
arisal of open market net carriers, open colos, etc.
So, even though the mindset of "private telco line
is secure" is still prevalent, the access to those
lines is much wider than thought.

4) there is eavesdropping going on. This is clear,
although it is difficult to find confirmable
evidence on it or any stats:

"Security forces in the US discovered an illegally installed fiber
eavesdropping device in Verizon's optical network. It was placed at a
mutual fund company?..shortly before the release of their quarterly
numbers" Wolf Report March, 2003

(some PDF that google knows about.) These things
are known as vampire taps. Anecdotal evidence
suggests that it is widespread, if not exactly
rampant. That is, there are dozens or maybe hundreds
of people capable of setting up vampire taps. And,
this would suggest maybe dozens or hundreds of taps
in place. The vampires are not exactly cooperating
with hard information, of course.

5) What's in it for them? That part is all too

The vampire taps are placed on funds managers to
see what they are up to. When the vulnerabilities
are revealed over the fibre, the attacker can put
in trades that take advantage. In such a case,
the profit from each single trade might be in the
order of a million (plus or minus a wide range).

6) I have not as yet seen any suggestion that an
*active* attack is taking place on the fibres,
so far, this is simply a listening attack. The
use of the information happens elsewhere, some
batch of trades gets initiated over other means.

7) Finally, another thing to bear in mind is that
the mutual funds industry is going through what
is likely to be the biggest scandal ever. Fines
to date are at 1.7bn, and it's only just started.
This is bigger than S&L, and LTCM, but as the
press does not understand it, they have not
presented it as such. The suggested assumption
to draw from this is that the mutual funds are
*easy* to game, and are being gamed in very many
and various fashions. A vampire tap is just one
way amongst many that are going on.

So, in the presence of quite open use of open
lines, and in the presence of quite frequent
attacking on mutual funds and the like in order
to game their systems (endemic), the question
has arisen how to secure the lines.

Hence, quantum cryptogtaphy. Cryptographers and
engineers will recognise that this is a pure FUD
play. But, QC is cool, and only cool sells. The
business circumstances are ripe for a big cool
play that eases the fears of funds that their
info is being collected with impunity. It shows
them doing something.

Where we are now is the start of a new hype
cycle. This is to be expected, as the prior
hype cycle(s) have passed. PKI has flopped and
is now known in the customer base (finance
industry and government) as a disaster. But,
these same customers are desperate for solutions,
and as always are vulnerable to a sales pitch.

QC is a technology who's time has come. Expect
it to get bigger and bigger for several years,
before companies work it out, and it becomes the
same disputed, angry white elephant that PKI is

If anyone is interested in a business idea, now
is the time to start building boxes that do "just
like QC but in software at half the price." And
wait for the bubble to burst.


PS: Points 1-7 are correct AFAIK. Conclusions,
beyond those points, are just how I see it, IMHO.

Posted by iang at April 27, 2004 01:59 PM | TrackBack

Are you sure of this terminology? Back in my networking days, the term "vampire tap" referred to a method of adding an ethernet tranceiver by clamping onto and biting into the cable, and was widely practiced with the old thicknet (10Base-5, which preceded 10Base-2 thinnet, which preceded 10Base-T twisted pair) because it was such a pita (and also disruptive) to cut the cable and attach connectors.

Perhaps in appropriating the term the financial industry has switched the analogy from the bite to the sucking of blood.

Posted by: Ray at April 29, 2004 06:25 AM

I think you are probably right in both those points. I certainly saw the use of the term "vampire" being used as a tap along a stretch of fiber, but there is a problem: the techniques are not written up in any authoritive terms, presumably because they are borderline criminal.

It's all anecdotal, passed hand to hand, and defies confirmation. Until someone comes up with more hard facts such as catching someone in the act, or proving the existance of tapping and finding a tap, the documents that are written by the, um, "professional document writers" present themselves as the only quotable commentary. As almost all writing on the subject is from the FUD pov (to sell something to those who are fearful and incapable of dealing with it through normal means) the writings don't really provide any solid detailed evidence of what's going on, they only support the notion that something is going on. E.g., any detail mentioned might be true, or might not.

It could be that the term has been adopted as a business technique across any technology (fiber, ethernet, 802.11b...). Or, maybe the eavesdropper did it on an ethernet and the copy editor decided to call it a fiber.

Posted by: iang at April 29, 2004 06:37 AM

-------- Original Message --------
Subject: EU to use QC as a response to Echelon
Date: Tue, 18 May 2004
From: Ivan Krstic
To: Metzdowd Crypto
CC: Ian Grigg

/. reports:
"An article on Security.ITWorld.com[1] seems to outline a coming information arms race. The European Union has decided to respond to the Echelon project [2] by funding research into supposedly unbreakable quantum cryptography that will keep EU data out of Echelon's maw. Leaving aside the question of whether such a thing is possible, the political implications are troubling, indicating a widening rift within the Western world. Interestingly, the UK is part of the EU, but its intelligence services are among Echelon's sponsors."

[1] - http://security.itworld.com/4361/040517euechelon/page_1.html
[2] - http://www.echelonwatch.org/

This goes back to my discussion with Ian Grigg. Ian establishes: "Effectively, if you can sell a solution to the finance industry, you have it made. It doesn't matter what it is, only that it is a solution." This hits home, as the ITWorld article states that "Banks, insurance companies and law firms could be potential clients, Monyk said, and a decision will have to be made as to whether and how a key could be made available to law enforcement authorities under exceptional circumstances."

So not only will they pour untold resources into something that they can arguably accomplish today, and cheaply [3] -- but ironically, they'll hand keys to authorities on request [4]. Brilliant - the bargain becomes - hide from Echelon, and instead trust that its EU counterpart won't look at your data. No, really, we promise.

In discussing QC, furthermore, Ian makes the following statement: 'Engineers want to deal in the technical realities, and marketing wants to deal in the sellable properties, but there is no intersection between these. The result is that you won't easily be able to put the engineer and the marketeer together. One side or the other will win, and you will get either an unsold crypto box, or a sold "solution" that migrates out of the crypto field. The integrity of the marketeer and the integrity of the crypto engineer have nought in common, and one must give.'

I'm still not buying this. This is based on stereotypes, not unlike "all computer experts wear thick glasses, play D&D, are asocial and mortally afraid of women". Sure - some combination of small pieces of the stereotype may apply to a large percentage of the affected population, but the corollary to the stereotype is that in a 6bn people world, "a large percentage of the population" still leaves you with many, many people that fall generously outside of it. Someone like Prof. Rivest is a good example - he certainly knows what he's talking about, and he's "commercially active", be it with RSA Inc., or a venture (Peppercoin, which he did with Micali if I'm not mistaken). Or this mailing list, for instance: I'd say many members would have the knowledge and common sense to start a company tomorrow where engineering and marketing work together in a beneficial way, and where - in this particular case of QC - good, reliable non-QC solutions could be designed, implemented, tested and marketed reasonably quickly. Why hasn't it been done yet? What's the wait?

Ian concludes shrewdly that "the countervailing factor to all the above doom & gloom is that open source bypasses a lot of the marketing and engineering dysfunctionalism, which is why probably most important crypto in the future will be in software, in open source, and initially crummy (a la skype, SSH, etc) only to be repaired and improved when the demand has been shown." The 'initially crummy' status reminds me of Peter Gutmann's not-so-old analysis of several vpn/encrypted tunneling solutions which revealed large problems, and I'm sure many of the programs involved are fixed (or are getting fixed, redesigned, etc) as a result. I agree with Ian - OSS might prove to be a dominant driving force to "get things right" when it comes to crypto, but it's important to keep in mind that we're still years away from removing the "it must be open because it's bad/worthless" stigma in the eyes of I/T decisionmakers. That, however, is a story unto itself.

Finally, the appeal of QC is simply not very clear to me: expanding on my previous post, I feel that the "QC as panacea to crypto ills" approach is really just a very, very refined form of security through obscurity. When you go deep down enough in physics, no one really understands what's happening - so saying "QC is absolutely unbreakable" amuounts to saying "QC is absolutely unbreakable with today's physics", which I find no stronger an argument than "[insert algorithm here] is exceedingly difficult to break with today's mathematics". The former, however, involves much more money, and rests on a silly premise - that when it comes to very strong crypto, someone wanting the data will actually undertake an effort to break it. Guess what? Rubber-hose cryptanalysis, extortion, or bribery are much more effective. I posit that with the advent of anything stronger than XOR encryption, humans became easier to break than the algorithms. If the NSA really cares what the shiny new EU QC system hides, how long do you think it'll take them to put one of their own into the key designation facility? Come on, people - I understand that toys are cool; go and buy an iPod. There is much more useful science to be conducted with these funds - and if you can't think of any, there's always Oxfam.


[3] - This group has plenty of crypto experts, of which I am not one. Will someone please tell me if I'm simply mistaken about this? Maybe I have a horribly deluded understanding of reality here, but how is well-done software crypto on a rotating key schedule worse than QC?
[4] - The article only says they're considering it, but I'll bet money they will go forward with it.

Posted by: Ivan at May 18, 2004 04:41 AM

Perhaps I am missing something. What functionally differentiates these quantum entryptors from link encryptors?

Posted by: Steve at May 19, 2004 07:37 PM

You mean in terms of privacy? Nothing. The only difference that I can see is that the listener is detected. Whether that is worthwhile is .. open to debate.

Posted by: Iang at May 19, 2004 07:38 PM

If the tap is in a switching office or some other easily accessible location, perhaps. But if the eavesdropper really wishes to mess with the target they might be able to find some long stretch of fiber under open country and bury the vampire there. Since a time-domain-reflectometer, the most common test instrument for detecting fiber problems will probably not detect it, good luck!

Posted by: Steve at May 21, 2004 05:36 AM

Right. In order to find the advantage of QC over link encryptors we have to figuratively split hairs. That is, the attacker has to dig up a stretch of fiber, open it up, split out the one fiber of interest, and put the tap on it.

This is an implausible attacker. If you have this attacker, and you haven't already link-encrypted or better, end-encrypted, you are a market that deserves to be sold QC. I would like that customer list, because I have a bridge for sale.

Posted by: Iang at May 21, 2004 07:56 AM