[dave at farber.net: [IP] more on ARMSTRONG LECTURE on Quantum Crypto and Optical Networks (Forwarded)]]

Eugen Leitl eugen at leitl.org
Tue Sep 20 04:25:11 EDT 2005


----- Forwarded message from David Farber <dave at farber.net> -----

From: David Farber <dave at farber.net>
Date: Mon, 19 Sep 2005 20:30:36 -0400
To: Ip Ip <ip at v2.listbox.com>
Subject: [IP] more on  ARMSTRONG LECTURE on Quantum Crypto and Optical Networks (Forwarded)]
X-Mailer: Apple Mail (2.734)
Reply-To: dave at farber.net



Begin forwarded message:

From: Rod Van Meter <rdv at tera.ics.keio.ac.jp>
Date: September 19, 2005 7:25:19 PM EDT
To: Joe Touch <touch at ISI.EDU>, dave at farber.net
Cc: smb at cs.columbia.edu, David Wagner <daw at cs.berkeley.edu>
Subject: Re: [Fwd: Re: [IP] ARMSTRONG LECTURE on Quantum Crypto and Optical Networks (Forwarded)]
Reply-To: rdv at tera.ics.keio.ac.jp


[Dave, for IP, if you wish...]

I generally agree with Dave Wagner's response, but a few thoughts...

The physicists are indeed working on quantum repeaters, capable of doing
QKD over long distances.  The trouble is, you have to trust every one of
the repeaters.

I wouldn't phrase the "fiber security" issue quite the same way.  As
others have said, what you need is access to an authenticated channel,
then you're set (but that's a non-trivial problem!).  It's important to
note that a) QKD does NOT solve what Shor's factoring algorithm broke,
and b) key exchange/distribution is not the biggest security problem we
have on the net (it might not even make the top ten).

The one possibly interesting use of QKD is for the super-paranoid: those
who believe their traffic is being snooped today, and don't want it
decrypted fifty years from now when theoretical and technological
advances render all classical cryptography breakable (!?!).

But in order for that to work, you have to use the QKD-generated random
bit string as a one-time pad, not just a seed or key for classical
encryption.  That means you need very high QKD bit-generation rates, and
most are still in the kilobits/second.  Some experiments have been done
in the low megabits/sec., but that's pre-filtering, I believe, which
costs you at least one order of magnitude in performance.

If you do it right, then, authentication that is good enough TODAY, plus
QKD to generate a random one-time pad, can make your data secure FOREVER
(modulo break-ins/breakdowns at the endpoints).  Even if your
authentication is broken later, since it's not used in the actual data
exchange, the attacker gains no data.  This is covered in Paterson et
al.'s paper.

I arrived at the party a little late to get in on the recent thread at
Dave Bacon's Quantum Pontiff blog, but I did throw in my two cents
anyway:

http://dabacon.org/pontiff/?p=1049#comments

Dave's blog is an excellent source for current news and gossip, and is
read (and commented on) by many of the best names in the biz.

btw, Steve, not sure if you're aware of it or not, but Al Aho's student
Krysta Svore is doing quantum stuff for her thesis.  She just spent a
year in Cambridge working with Ike Chuang, but is back at Columbia, I
understand.  She's pretty sharp.

        --Rod
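As an added illustration of the key-budget point Rod makes above (this is editorial example code, not part of the original thread): QKD bits used as a one-time pad are consumed one key bit per plaintext bit and must never be reused, so the usable plaintext rate is bounded by the post-filtering key rate. The rates, the tenfold filtering loss and the sample key material below are constructed values.

```python
import secrets


def otp_bytes_per_second(raw_qkd_bits_per_s: float, filtering_loss: float = 10.0) -> float:
    """Plaintext bytes/s a QKD link can one-time-pad.

    Quoted megabit QKD rates are pre-filtering; the message says filtering
    costs at least an order of magnitude, so filtering_loss=10 is assumed here.
    A one-time pad burns exactly one key bit per plaintext bit, hence the /8.
    """
    return raw_qkd_bits_per_s / filtering_loss / 8


class OneTimePadPool:
    """Key material delivered by a QKD link, consumed strictly once.

    Both endpoints hold an identical pool and advance through it in lockstep;
    encrypt and decrypt are the same XOR over the next unused bytes.
    """

    def __init__(self, key_material: bytes):
        self._key = bytearray(key_material)
        self._used = 0

    def remaining(self) -> int:
        return len(self._key) - self._used

    def _take(self, n: int) -> bytes:
        if n > self.remaining():
            # Refuse rather than reuse: a second use of any pad byte leaks
            # the XOR of the two plaintexts and destroys the OTP guarantee.
            raise RuntimeError("QKD key pool exhausted; refusing to reuse pad")
        chunk = bytes(self._key[self._used:self._used + n])
        for i in range(self._used, self._used + n):
            self._key[i] = 0  # wipe consumed bytes so they cannot be replayed
        self._used += n
        return chunk

    def encrypt(self, plaintext: bytes) -> bytes:
        pad = self._take(len(plaintext))
        return bytes(p ^ k for p, k in zip(plaintext, pad))

    decrypt = encrypt  # XOR is its own inverse when both sides stay in sync


def demo_exchange() -> bytes:
    """Alice and Bob share 64 constructed 'QKD' bytes; Bob recovers the text."""
    shared = secrets.token_bytes(64)
    alice, bob = OneTimePadPool(shared), OneTimePadPool(shared)
    return bob.decrypt(alice.encrypt(b"secure forever"))
```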





----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07100, 11.36820            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE