
Physical Cryptographic Warhead Verification - runesoerensen
http://lnsp.mit.edu/zero-knowledge-warhead-verification/
======
beloch
"Instead, we use use a physical instantiation of one-time-pad encryption to
protect information. The process is based on a special single-pixel
tomographic transform and the use of a physical secret key for each single-
pixel measurement. The physical secret key is simply a thin foil, the
composition of which is known only to the weapon owner. "

The thing about a one-time-pad is that it's only secure if you use it "one
time". A malicious weapon inspector can make multiple measurements of known
objects using the foil to deduce the foil's structure and, if he knows enough
about how your system works, use that to deduce specifics of the warheads it's
meant to verify.

I suspect this is just a bad analogy and this system would be fairly hard to
crack, but their explanation should probably make a point of not comparing the
foil to a one-time-pad, or explain why knowing the key doesn't give away
protected knowledge.

~~~
conocer_cero
Yeah, a zero knowledge system would mean that the inspector chooses the
composition of the foil, and receives a return signal, that only the inspector
may interpret and verify.

Zero knowledge means your peer participates in the authentication without
needing you to inform them of your nuclear secrets, and them reading positive
communication without needing to tell you a secret.

So the inspector should provide the foil sample, and the foil should be
comprised of a publicly known composition, meanwhile they should still control
a secret of some kind, and use a combination of the additional retained
secret, and the exposed material as their own authoritative means of secretly
confirming whether they can prove that know the difference between an
authentic positive or negative result.

This way, the weapons producer cannot forge an arbitrarily desired result, by
providing both the means of measurement, and the measured object.

The inspector must decide the degree of proof. The manufacturer must submit to
a reasonable revelation of partial details.

This concept merely has the manufacturer stating that the foil signature is
valid, because the foil signature is valid.

------
cantrevealname
It's a fascinating application of crypto and physics, but there's a major
problem with putting this into practice: How do you verify that the opponent
has put this detector (I'll call it a "NuRF hat") on _all_ of their nukes? As
part of a treaty, both sides might apply the Nurf hat to only the number of
nukes they are believed to have, but holding some back.

And if the opponent removes the Nurf Hat--claiming they decommissioned the
nuke--how would you know it's true?

~~~
KenoFischer
I believe the idea is that this is supposed to be used when decommissioning as
part of a disarmament treaty, i.e. both parties witness the warhead being
destroyed, but how do you know it's an actual warhead rather than a dummy that
is being destroyed.

~~~
JorgeGT
This is correct. The objective is to verify that the weapon you're seen being
dismantled is indeed a real warhead and not a fake one. It should be noted
that a fake one could include some random nuclear material and still would be
a fake so you can't just measure radioactivity.

------
danielvf
My favorite underhanded C constest dealt with writing code to cheat nuclear
verification - which is why this approach tries to be physical only.

[http://www.underhanded-c.org/_page_id_5.html](http://www.underhanded-c.org/_page_id_5.html)

------
nxzero
Very possible I've misunderstood to process, but given the hash is produced
via the reuse of the secret key and that the crypto uses a one-time pad - why
is it not possible to crack the secret key?

EDIT: For an explanation of how this might be done, see:

[http://crypto.stackexchange.com/questions/2249/how-does-
one-...](http://crypto.stackexchange.com/questions/2249/how-does-one-attack-a-
two-time-pad-i-e-one-time-pad-with-key-reuse)

------
Ar-Curunir
[http://www.boazbarak.org/Papers/nuclear-
zk.pdf](http://www.boazbarak.org/Papers/nuclear-zk.pdf)

Also tackles this problem, from what I understand.

~~~
KenoFischer
Yep, I took Boaz's crypto seminar, so I was looking for how this was different
from his work. I couldn't find the full text of the article (maybe it isn't
fully published yet), but the supplemental information mention that one of the
primary distinguishing factors is that this is not based on neutron scattering
which apparently makes distinguishing between weapons-grade and depleted
material easier.

