First quantum crypto bank transfer

Jerrold Leichter jerrold.leichter at smarts.com
Mon Aug 23 11:38:53 EDT 2004


| > ... the comments I've seen on this list and elsewhere have been much
| > broader, and amount to "QM secure bit distribution is dumb, it solves
| > no problem we haven't already solved better with classical
| > techniques."
|
| Most of the comments on this list are more nuanced than that.
Perhaps we hear them differently.

| Examples of sensible comments include:
|   -- We have seen claims that QM solves "the" key distribution
|    problem.  These claims are false.
I'm not sure what "the" key distribution problem would be or what "solving" it
would mean.  As we all know, the real problem with OTP systems is that you
have to distribute as much keying material, securely, as you have material to
protect.  So OTP pretty much comes down to leveraging a single secure channel
to produce another.  In all practical instances I know of, the two channels
are separated in time and space:  You leverage the security of your diplomatic
pouch today to get secure messages from a spy tomorrow.

QM key sharing lets you build an OTP with a shared transmission medium and an
arbitrarily small time separation.  This is new.  It gives you guarantees that
the bits sent have not been intercepted.  That's new. Certainly, it doesn't
solve MITM attacks, as mathematical abstractions. What it does is reduce
protection from MITM attacks to protection of physical assets.  All crypto
ultimately has to rest on that - if you can't protect your keys, nothing
works.  The nature of the system that must be protected, and the kind of
protection, are somewhat different than in traditional systems, but the
inherent problem is neither eliminated nor made inherently worse.

|   -- _Commercialization_ of QM bit-exchange is dumb, for now
|    and for the foreseeable future....
Here, I'll pretty much agree with you.

| > Also, there is a world of difference between:
| >
| > 	1.  Showing something is possible in principle;
| > 	2.  Making it work on the lab bench;
| > 	3.  Making it into something that works in the real world.
| >
| > For QM key exchange, step 1 goes back maybe 10-15 years, and most
| > people thought it was a curiosity - that you could never maintain
| > coherence except in free space and over short distances.
|
| That's backwards.  Quantum crypto in free space is hard.
The thought experiments on this always involve simple pictures in free space.
I agree, actually *doing* anything in free space over macroscopic distances is
a non-starter.

|							  It's
| much easier to use a single-mode fiber, over distances such
| that there is little total attenuation (which can be a quite
| macroscopic distance, since the attenuation is a fraction of
| a dB/km if you do it right).
|
| > Step 2 is a couple of years back, the first surprise being that you
| > could actually make things work through fiber, then through a couple
| > of km of fiber coiled on a bench.
|
| Again, that diametrically misstates the physics.  Propagation
| through a couple km of fiber shouldn't have surprised anybody.
I think that's obvious now, but might not have been so obvious 20 years ago.
(For that matter, just how long have we had usable multi-km single-mode
fibers?)

| > BTW, if we look at QM *computation* in comparison, we've barely made
| > it through Step 1.  There are still plausible arguments that you
| > can't maintain coherence long enough to solve any interesting
| > problems.
|
| Within a year of the invention of quantum computation,
| people were working on quantum error correction.
Actually, they started off pointing out that error correction couldn't be
done in QM systems without unmixing the states, thus losing the essence of the
computation.  Well, it turned out that things are more subtle than that.

Don't take this as a criticism of those who said quantum error correction was
impossible!  This is all new, complex physics.  We're wrong before we're
right.

|						   This
| is interesting work and has had spin-offs in the form
| of changing how people think about error correction even
| in non-quantum systems.  And it has had spin-offs
| applicable to quantum cryptography, i.e. showing how it
| is possible to survive a modest amount of attenuation.
|
| > Some of the papers I've seen solve the problem only in their titles:
| > They use a QM system, but they seem to only make classical bits
| > available for general use.
|
| Huh?  The world abounds in QM systems that produce classical
| results, including e.g. transistors, lasers, practically all of
| chemistry, etc. etc. etc.  Quantum computers produce classical
| results because that is what is desired.
You miss my point.  Papers have been published - there's not much point
dredging them up - whose title and abstract implies that they are providing a
way to store and manipulate qubits, but when you look at what they actually
end up providing, you can't *use* them as qubits, just classical bits.  (What
a surprise:  There are poor papers published that miss the point of the
problem.)

| > The contrast between this work and QM
| > key exchange is striking.
|
| If the intent is to make quantum cryptography sound better
| than quantum computation, the point is implausible and
| unproven.
On the contrary.  The point is to show that, for whatever reasons, quantum key
sharing (or whatever you want to call it; quantum *cryptography* it isn't any
more than a quantum-based random bit generator is quantum cryptography) has
progressed to the point of engineering practicality much faster than quantum
computation.  (Personally, I'm not surprised - it strikes me as an inherently
simpler problem.)  Note that "engineering practicality" doesn't in and of
itself imply usefulness!  (The converse *is* true:  What can't be reduced to
engineering practicality will probably never be very useful.)

| If the intent is to make the best results in quantum crypto
| sound better than the lamest parts of quantum computation,
| then the comparison is (a) unfair and (b) hardly a ringing
| endorsement of quantum crypto.
Again, not at all.  Quantum computation has a long way to go, and will likely
tell us significant, interesting things about the world even if it never
produces any practical results.  Quantum key sharing is pretty much a closed
book as far as theory and even physics is concerned.  What there is to be
learned from it was probably learned years back in analyzing the thought
experiment first proposed by, as I recall, Einstein, Podolsky, and Rosen.
(They used the same basic setup as is used in quantum key sharing and thought
it could transfer information faster than light.  It doesn't, and why and how
it doesn't is pretty fundamental.)

| > after all, transistors were invented to build phone lines, not
| > computers!
|
| It's not true that transistors were invented solely for
| application to phone lines.  Even if it were true, it would
| be irrelevant for multiple reasons.  For starters, keep
| in mind that the big computers built during the 1940s
| were built using vast amounts of telecom switch gear.
| Bletchley Park relied on engineers from the Post Office
| (which was the 'phone company' in those days).
|
| And even if the facts had been otherwise, arguments about
| the near-term applicability of one technology are largely
| irrelevant to the near-term applicability of another
| technology.
You've missed my point.  Transistors were developed for message transmission
purposes.  (So, for that matter, were vacuum tubes.)  They turned out to be
the basis for modern computation, a result no one could have foreseen.

We may eventually get to the point where we try to build practical quantum
computation devices.  At that point, what was learned in the process of
building quantum bit agreement systems may prove useful.  Or it may not; we
really can't say.  But certainly the history of technology shows that
techniques often turn out to be useful outside the field they originally grew
up in.
							-- Jerry
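Two claims in the message above are easy to check with a small simulation: that quantum key sharing lets the parties tell whether the bits were intercepted, and that an OTP consumes one key bit per message bit, so the key-distribution channel must carry as much material as the protected traffic. The following Python is an added example, not code from the mailing list or from any QKD product; it is a classical toy model of BB84 with an intercept-resend eavesdropper (the quantum rule modelled is only "measuring in the wrong basis gives a coin flip"), so all names, the sample sizes and the 11% detection threshold are assumptions made here for illustration.

```python
"""Toy BB84 model plus an OTP that refuses to run short of key material.

Constructed example: no real quantum state is represented, only the rule
that measuring a qubit in the basis it was prepared in returns the encoded
bit, while measuring in the other basis returns a random bit.
"""
import random

RECTILINEAR, DIAGONAL = 0, 1  # the two BB84 bases


def encode(bit, basis):
    """Alice's prepared qubit: the bit and the basis it was encoded in."""
    return (bit, basis)


def measure(qubit, basis, rng):
    """Return the bit if measured in the preparing basis, else a coin flip."""
    bit, prepared_basis = qubit
    if basis == prepared_basis:
        return bit
    return rng.randrange(2)


def run_bb84(n, eavesdrop, seed=0):
    """Exchange n qubits; return (sifted key, quantum bit error rate).

    With eavesdrop=True an intercept-resend attacker measures every qubit
    in a random basis and resends what she saw. Half the time her basis is
    wrong, and then Bob (measuring in Alice's basis) gets a wrong bit half
    the time, so the sifted key shows roughly 25% errors.
    """
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.randrange(2) for _ in range(n)]
    bob_bases = [rng.randrange(2) for _ in range(n)]
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        qubit = encode(bit, a_basis)
        if eavesdrop:
            eve_basis = rng.randrange(2)
            eve_bit = measure(qubit, eve_basis, rng)
            qubit = encode(eve_bit, eve_basis)  # resend in Eve's basis
        bob_bits.append(measure(qubit, b_basis, rng))
    # Sifting: over the public channel both sides announce bases (not bits)
    # and keep only the positions where the bases agreed.
    sifted = [(a, b) for a, b, ab, bb in
              zip(alice_bits, bob_bits, alice_bases, bob_bases) if ab == bb]
    if not sifted:
        return [], 0.0
    errors = sum(1 for a, b in sifted if a != b)
    # Real protocols sacrifice a random sample of the sifted key to estimate
    # this rate; the toy compares the whole key for clarity.
    qber = errors / len(sifted)
    return [a for a, _ in sifted], qber


def interception_detected(qber, threshold=0.11):
    """Assumed abort threshold: a toy stand-in for the bound a real system uses."""
    return qber > threshold


def otp_xor(data, key_bits):
    """One-time pad over bytes. Encrypts and decrypts with the same call.

    Refuses to run unless there is at least one key bit per message bit,
    which is exactly the key-distribution burden the message describes.
    """
    if len(key_bits) < 8 * len(data):
        raise ValueError("not enough key material: OTP needs one key bit per message bit")
    out = bytearray()
    for i, byte in enumerate(data):
        k = 0
        for b in key_bits[8 * i:8 * i + 8]:
            k = (k << 1) | b
        out.append(byte ^ k)
    return bytes(out)


if __name__ == "__main__":
    key, qber = run_bb84(2000, eavesdrop=False, seed=1)
    print("no eavesdropper: sifted bits", len(key), "QBER", qber)
    key_e, qber_e = run_bb84(2000, eavesdrop=True, seed=1)
    print("intercept-resend: sifted bits", len(key_e), "QBER", round(qber_e, 3),
          "detected" if interception_detected(qber_e) else "missed")
    ct = otp_xor(b"wire transfer", key)
    print("round trip:", otp_xor(ct, key))
```

Running it shows the error rate jump from zero to about a quarter when the attacker is present, which is the "guarantee that the bits have not been intercepted" reduced to a statistic, and the OTP call fails as soon as the sifted key is shorter than the message, which is the sense in which the key-distribution problem is moved rather than removed.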


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
