Comment Pushkin summarized it nicely in 1823: (Score 1) 304

So graze on, graze, you peaceful peoples!
You will not wake to honor’s call.
What need have herds for gifts of freedom?
They’re used to shears and butcher’s stall.

(Original in Russian here. Could not pass /. junk filter.)

Sigh. Four years ago, United Russia fraudulently got the 2/3 majority in the current parliament, in the same way, with all the same-looking statistics. This parliament passed, without a contest, some "nice" constitution changes (extending the presidential term from four to six years, extending the parliamentary term from four to five years). Now United Russia has a simple majority, by fraud. Yeah, these are "very minor inconsistencies not affecting the election outcome", as Putin replied to the protesters days ago.

It's easy to say "the party of crooks and thieves," but the problem that lets this happen is deeper... it's in the people, in the deeply rooted customs of the country.

Comment Prevention of essential public service? (Score 1) 264

Has any scientist in Canada disobeyed the 'official procedure' and talked to the journalists directly about his work? Or do they all follow the procedure, understandably being very afraid of jeopardizing their positions and research grant prospects in Canada?

It is one of the responsibilities of a publicly funded researcher (especially a tenured professor) to talk freely about his findings. This is an essential contribution of publicly funded science to society and democracy. I would thus seriously consider ignoring the orders in such a situation, even at the risk of getting fired -- okay, it depends on the situation and how much is at stake, but I would at least think about this and probably discuss promptly with the university administration.

As far as I know, in other developed countries (including the one I am currently working in, Norway), there are no barriers in communication between scientists and the press. We answer emails and calls from journalists without asking anyone's permission. There is a public relations office at my university, but its purpose is to help the communication, not to censor.

Am I being too naive, or is Canada really abnormal in this respect?

Comment Re:Can the benefits of quantum crypto be proved? (Score 1) 86

Zero-knowledge authentication is impossible by definition. If you know nothing secret about someone, you can never verify his identity.

A small pre-shared key is used for initial authentication, in all classical and quantum crypto alike, to preclude a man-in-the-middle (MITM) attack. In the classical public-key infrastructure (PKI), this authentication key comes from the certificate authority with, e.g., your copy of the web browser. If it is spoofed at the distribution step, a MITM attack becomes possible.

In quantum crypto, the initial key is small, because once the quantum-generated key begins to grow, its small fraction is used for further authentication keys.

Comment Re:Disclosure? (Score 1) 86

Agreed. This article will advance his career, so getting it on Slashdot leads, indirectly, to financial benefit for him. That said, I agree with the GP that it's deserved - and it really is news for nerds.

I'll bite this troll. I typed this submission because

1. I think what we do is cool, and is interesting to Slashdot readers (I read Slashdot daily myself).
2. I can formulate what we have done better and include the most relevant links, compared with a random submitter who has just read a news story.
3. Yes! I am 37 and I do not have tenure yet! Every bit helps :). Unfortunately, really, I do not think anybody is going into science for money.

Comment Re:Oh well. (Score 4, Informative) 86

I still think (from my fuzzy understanding of this attack) that it uses a specific implementation detail that depends upon the system used, and might be relatively easy to patch. Maybe they can use different wavelengths of photons, one for a test and one not--I don't have the expertise to say how much of a redesign is necessary. The article makes it sound like it's not a huge deal, and the Toshiba guys say in one of the other articles that their system isn't susceptible to these attacks when properly operated.

Currently the problem is quite general, because most quantum cryptosystems today use detectors of the vulnerable type. We think it is patchable, just not by the approach the Toshiba group practices, but patchable. (We dislike Toshiba's approach for not being general and thorough, but more of a quick band-aid.) During the past 20 years there were a couple problems of similar magnitude in quantum crypto, and they were solved. Note that similar problems periodically show in implementations of classical crypto.

The future of quantum crypto will now be decided, from one side, by the market, and from another side, by publicly disclosed mathematical developments on various classical ciphers (which can be cracked overnight, but can also be proven more secure... I'm not a mathematician so I won't venture a guess for the odds of either). In quantum cryptography there is at least one well-engineered commercial system, several advanced commercial prototypes (Toshiba has one), and the hacking efforts are going to eliminate all easy loopholes in a reasonable time. It is also important how well quantum cryptography can be meshed into networks with many nodes and links. There have been several demonstrations of quantum crypto networks, the latest in Japan last year.

The current commercial systems (like ID Quantique's Cerberis) use quantum cryptography as an extra security layer on top of classical crypto. To get to the master key used to encrypt the data, one needs to crack both quantum key distribution and classical key distribution at the same time. We temporarily compromised the quantum layer in this work, but in a commercial installation the data security would hang on the classical crypto, until the quantum layer is patched. Of course the security of the symmetric ciphers (normally AES with frequent key changes) used for high-speed data encryption is another question, but I think there is also an option to establish a low-bandwidth highly-secure channel encrypted by one-time-pad. The whole reason AES is offered with quantum crypto is that the performance of the classical crypto has spoiled everybody, and the users do not want to separate communication into high-security and low-security categories. They just want to encrypt the whole 10 Gbps link, so this is the default option.

Submission + - First exploit on quantum cryptography confirmed (physicsworld.com)

Vadim Makarov writes: "The Physics World reports researchers demonstrating a full eavesdropper on a quantum key distribution link. Unlike conventional exploits for security vulnerabilities that are often just a piece of software, spying on quantum cryptography required a box full of optics and mixed-signal electronics. Details are published in Nature Communications, and as a free preprint. The vulnerability was known before, but this is the first actual working exploit with secret-key recording confirmed. Patching this loophole is in progress.

Disclaimer: I am one of the researchers who worked on this."

Comment Go if the prof covers expenses (Score 2) 244

If the prof suggests that you submit a conference paper, he should cover the costs of your trip, period. This is reasonable and here is how it works in academia: prof's name is in the author list > he has one more publication in his CV and his current grant report > when he's applying for a grant in the future, better chance to get it. For any decent grant, conference expenses are a footnote. Thus it definitely makes sense for the prof to fly you there if a publication comes out as the result.

As for your own sake, do this of course (if the prof or university pays). This is fun, useful, you get to see what a conference is like, will listen to talks on diverse topics and get stunned by how little you know and understand yet, etc. This is a good item on your CV too, except you should not pay for it (disclaimer: I am from socialist Europe.)

Comment What about the rest of China? (Score 1) 270

I am just back from China, having stayed in Beijing this Friday (the day the article speaks about). I also visited two other cities, Hefei and Wuhu. I actually thought Beijing air and water were much cleaner than air and water in the two other cities. Tap water in Hefei (central China, 2 million population) strongly smelled of sewage, and pollution haze was much thicker than in Beijing.

Comment Re:So you exploited TWO flaws. (Score 2, Informative) 161

Your first item is correct, however for the second one I think you need to study a good description of the QKD protocol.

The QKD protocol is designed to cope with a huge bit loss, both due to detector inefficiency and the loss in the fiber line; in fact, in a typical setup only 1 in 1000 of Alice's photons may be detected by Bob. The loss in the line is the killer item: the best optical fiber has a loss of about 0.2 dB per km. This means over 50 km, nine out of ten photons sent by Alice will be lost. (In our attack Eve can just gain all this loss to her advantage, by placing her intercept unit close to Alice and getting all ten photons.) Other losses and inefficiencies come in addition to the line loss.

The transmitter (Alice) and the receiver (Bob) cannot synchronize their basis selection in advance, but they have to choose them randomly and independently (so that Eve does not know either of the bases), otherwise QKD just cannot be secure. They synchronize the bases only after the photon transmission.

Comment Re:Article Makes No Sense (Score 2, Informative) 161

Good. We are not controlling Bob's basis: he chooses his detection basis randomly. What we do is to send a bright-light state that does not cause a detection event if Bob chooses a basis not matching Alice's, but causes a detection event in a specific detector if Bob chooses the same basis as Eve. See figure 2 in the paper for illustration. Thus, half the time our bright-light state fails to induce any detection, which translates to just 50% detection efficiency. This would be a problem if Bob's photon detectors (unblinded, not under attack) were 100% efficient and the transmission fibre were lossless, which is however not the case. The photon detectors are normally only about 10% efficient, and there is typically a few dB loss in the fibre between Alice and Bob. Thus Eve can easily hide her 50% (in)efficiency in all practical cases.

In schemes where Bob uses "passive basis choice" (not in commercial systems but in many research setups) we can choose the detection basis for Bob and have 100% click efficiency.

Comment Re:A massive implementation flaw? (Score 1) 161

The attack workflow has been slightly simplified for the news article. The actual Eve's workflow is: 1. Blind Bob with a continuous laser, 2. Intercept all photons coming from Alice using a copy of Bob's setup, 3. Every time Eve has a detection, she activates another laser to send a strong light pulse to Bob that tricks Bob's detectors to produce the same detection outcome. I wish there were 4. Profit!, but as for now our lab is running out of grant money with no other funding in sight :)).

Comment Re:pwned (Score 1) 161

I'm not sure what your concern is, but this is not a man-in-the-middle attack. We do intercept-resend in the quantum channel (photons) but leave the classical channel alone, just listen to it. Of course Alice and Bob do authentication of the classical channel (this is a part of the QKD protocol), but that passes just fine as we do not alter the classical authenticated traffic.

Comment Re:Article Makes No Sense (Score 1) 161

As you correctly notice, Eve does not know Alice's basis and will half the time choose a wrong basis for measurement. We just bite the problem from the other end: we make sure Bob's basis always matches Eve's. Alice and Bob always compare their bases after the transmission and then discard the bits where their bases did not match. During this comparison all bits where Eve has chosen a wrong basis will be discarded. What remains in the key are the bits where Alice, Eve and Bob all have the same basis.

We had to be a bit concise in the article because of Nature's 1500-word limit on the content, but I think we do explain the above :).
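
An added illustration of the sifting argument in the comment above and of the 50% click rate mentioned in the earlier "Article Makes No Sense" reply (not code from the paper or its authors): an idealised, lossless BB84 toy model, where the function name `run_qkd` and the attack labels are assumptions of this example. It reports the two observables Alice and Bob have, click fraction and sifted-key error rate, for an undisturbed link, an ordinary intercept-resend, and the detector-control case described in these comments.

```python
import random

def run_qkd(n, attack=None, seed=1):
    """Idealised BB84 run of n pulses (no loss, no dark counts; assumed model).

    attack: None, "intercept_resend" or "detector_control".
    Returns (click_fraction, sifted_qber, eve_match_fraction).
    """
    rng = random.Random(seed)
    clicks = sifted = errors = eve_match = 0
    for _ in range(n):
        a_bit, a_basis = rng.randint(0, 1), rng.randint(0, 1)
        b_basis = rng.randint(0, 1)      # Bob always chooses independently
        e_bit = None
        if attack is None:
            b_bit = a_bit if b_basis == a_basis else rng.randint(0, 1)
        else:
            e_basis = rng.randint(0, 1)  # Eve guesses a basis and measures
            e_bit = a_bit if e_basis == a_basis else rng.randint(0, 1)
            if attack == "detector_control":
                if b_basis != e_basis:
                    continue             # mismatched basis: no click at Bob
                b_bit = e_bit            # matched basis: Bob registers Eve's result
            else:
                b_bit = e_bit if b_basis == e_basis else rng.randint(0, 1)
        clicks += 1
        if b_basis != a_basis:
            continue                     # public basis comparison discards this bit
        sifted += 1
        errors += b_bit != a_bit
        eve_match += e_bit == b_bit
    return clicks / n, errors / sifted, eve_match / sifted

if __name__ == "__main__":
    for mode in (None, "intercept_resend", "detector_control"):
        click, qber, eve = run_qkd(20000, mode)
        print(f"{str(mode):17} clicks={click:.2f} QBER={qber:.3f} eve={eve:.3f}")
```

In this model the sifted-key error rate stays at zero in the detector-control case while the click fraction halves, so of the two quantities only the click fraction changes.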

Comment Re:Why 'hackers' and not 'researchers'? (Score 4, Interesting) 161

with the manufacturer's full approval to boot

I'm not sure the manufacturers would approve the existence of our lab if they could dictate it. Thankfully we are independent and need not seek their approval. The manufacturers did appreciate responsible disclosure, though. I don't know how this hacking affects their business in the short term (may as well be detrimental to sales), even though it is surely good for business in the long term as it leads to more secure systems.
