Quantum Cryptography

Perry E. Metzger perry at piermont.com
Fri Jun 22 11:04:47 EDT 2007

Massimiliano Pala <pala at cs.dartmouth.edu> writes:
> Victor Duchovni wrote:
>> Quantum Cryptography or Quantum Computing (i.e. cryptanalysis)?
>>     - Quantum Cryptography is "fiction" (strictly claims that it solves
>>       an applied problem are fiction, indisputably interesting Physics).
> I do not really agree on this statement. There are ongoing projects that
> I know of that are actually working on maximizing communication throughput
> (which is currently not very good) on encrypted channels and minimizing the
> costs of the involved equipment. AFAIK, one great advantage of quantum crypto
> is in the area of key exchange when establishing a secure communication.
> I guess quantum crypto is definitely not "fiction" (anyhow, I do not know if
> it has already been used somewhere...).

"Quantum cryptography" is useless. Victor is completely correct here.

Quantum crypto provides you with a slow way of getting a one-time pad
(of sorts) that you cannot authenticate and thus cannot trust, between
two endpoints only, and it does it at extreme expense.

Why do I say "that you cannot authenticate"? Because although you can
tell that no one eavesdropped in on the line, you have no way of
knowing that no one cut the fiber in two and put two such boxes in
between. You know that no one eavesdropped, but not who you are
talking to. Various physics types who I explain this to generally do
not understand what I'm talking about at first blush because they only
consider the problem of eavesdropping -- the notion that you also need
to verify who the guy at the other end is never occurs to them because
they aren't security people. The fact that the attacker might not even
bother to eavesdrop and could simply insert himself into the
communication stream never occurs to the proponents.

So, to fix the man-in-the-middle problem, you have to layer an
authentication technology on top. Unfortunately, the ones we have are
all conventional crypto -- perhaps a MAC of some sort. At which point,
you're trusting conventional crypto for your security, so why bother?
Conventional crypto is nearly free.

This brings up another issue.  Quantum crypto is exceptionally
expensive, and is virtually undeployable. To provide security that, in
a practical sense, is no better than what you can get from high key
length conventional ciphers, you spend vast amounts on end system
equipment, rent a dedicated dark fiber link between two locations that
can't be arbitrarily far apart, and in the end, you have two machines
that can talk securely in a world where one needs thousands or
millions of machines to talk securely to any one of the other
machines. The phone network and internet exist for a reason -- people
want communication networks, not a string between two cans between
each other's homes. They need NxN communication, not 1-1
communication. Building the N^2 array of dark fibers and quantum
crypto boxes between lots of machines is, of course, utterly
impractical and always will be. Of course, even if you could, you
would still need out of band key distribution and a MAC to know that
no one had man-in-the-middled your links. Again, why bother?

Now, let's consider the alternative. In a practical sense, no one
rational worries on a day-to-day basis that their security is going to
be compromised because someone has a magic box that decrypts 256 bit
AES in 12 seconds flat. The crypto we already have is more than good
enough. Quantum Crypto exists on the mistaken premise that people are
worried about their ciphers being broken and that this is the main
issue in security. It is not. Having your ciphers broken is not even
remotely the main issue for most installations.

What people worry about in the real world are design flaws,
programming errors, human interface problems that make things like
phishing possible, and whether or not the $12-an-hour security guard
at your data center will happily take a $5000 bribe to let someone at
your equipment for an hour. Quantum Key Distribution solves none of
those issues at all. The issue it does solve is a non-issue -- we
already have 256 bit keyed AES if you need it.

Quantum Crypto does what it says it does, but it is a commercially
worthless invention, like an 800 pound wristwatch that is 20% more
accurate than normal wristwatches but which is completely wrong one
day in seven, or like a $20,000,000 tube of toothpaste that tastes
slightly better but causes your teeth to explode one time in every
400. Even if the watch is marginally more accurate, no one will wear
it. Even if the toothpaste tastes slightly better, no one will buy
it. Neither invention solves a real problem from the real world.

Quantum Crypto was invented by physicists who understand physics well
but have no understanding of security. It does what it claims to do,
but what it claims to do is of no use to anyone. Quantum Crypto does
nothing at all for the things people actually need solved, and
for what it does do, it costs vastly too much. It is a lead balloon, a
jet powered toast buttering machine, an electronically controlled
salad fork.

What continues to amaze me is that, nonetheless, people continue to
spend time and money on this. I can understand finding the technique
theoretically interesting, and perhaps even someday someone will think
of a way to use the ideas in a system of practical use, but there are
companies out there like MagiQ trying to sell the solid gold covered +
barbed wire seat commodes to people.

Perry E. Metzger		perry at piermont.com

The Cryptography Mailing List
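The authentication gap and the MAC layer that the post describes, as an added example (not code from the post or from anyone in the thread): a Python model in which the QKD link is a stand-in (each fiber segment hands both of its ends fresh shared random bytes), and the names Alice/Bob/Mallory, the functions `qkd_link`, `otp`, `key_confirmation`, `direct_exchange`, `spliced_exchange` and `link_accepted`, the sample message and the out-of-band MAC key are all constructed for the demonstration. It shows that the one-time pad alone lets someone who cuts the fiber and runs a box on each side relay traffic without either segment reporting an eavesdropper, and that a conventional HMAC key confirmation under a pre-shared key rejects the spliced link because the two sides no longer hold the same key.

```python
import hashlib
import hmac
import secrets


def qkd_link(n: int) -> bytes:
    # Stand-in for one QKD session over a single fiber segment: both ends of
    # that segment obtain the same n fresh random bytes, and the physics
    # guarantees that nobody listened on the segment. It says nothing about
    # *who* sits at the far end of it.
    return secrets.token_bytes(n)


def otp(key: bytes, data: bytes) -> bytes:
    # One-time pad: XOR with a key at least as long as the data. XOR is its
    # own inverse, so the same function encrypts and decrypts.
    if len(key) < len(data):
        raise ValueError("one-time pad key shorter than data")
    return bytes(k ^ d for k, d in zip(key, data))


def key_confirmation(auth_key: bytes, link_key: bytes) -> bytes:
    # The conventional authentication layer the post says is needed anyway:
    # a MAC over the freshly agreed link key, under a key the two parties
    # distributed out of band. Only a holder of auth_key can produce it.
    return hmac.new(auth_key, b"qkd-key-confirm|" + link_key, hashlib.sha256).digest()


def direct_exchange(msg: bytes) -> bytes:
    # Alice and Bob are the two ends of one segment. Returns what Bob reads.
    k = qkd_link(len(msg))
    return otp(k, otp(k, msg))


def spliced_exchange(msg: bytes) -> tuple:
    # Mallory cuts the fiber and runs a box at each cut. Each segment still
    # reports "no eavesdropper": there is none, Mallory is an endpoint.
    # Returns (what Bob reads, what Mallory read).
    k_alice_mallory = qkd_link(len(msg))   # segment Alice <-> Mallory box 1
    k_mallory_bob = qkd_link(len(msg))     # segment Mallory box 2 <-> Bob
    ct1 = otp(k_alice_mallory, msg)
    mallory_read = otp(k_alice_mallory, ct1)   # decrypt with her own link key
    ct2 = otp(k_mallory_bob, mallory_read)     # re-encrypt for Bob's segment
    bob_read = otp(k_mallory_bob, ct2)
    return bob_read, mallory_read


def link_accepted(auth_key: bytes, spliced: bool, n: int = 16) -> bool:
    # With the MAC layer: Alice sends key_confirmation over the key *she* got;
    # Bob recomputes it over the key *he* got and accepts the link only if the
    # tags match. On a direct segment both keys are the same. On a spliced
    # fiber they differ, and without auth_key Mallory cannot forge a tag for
    # Bob's key, so relaying Alice's tag unchanged is caught.
    k_alice = qkd_link(n)
    k_bob = k_alice if not spliced else qkd_link(n)
    tag_from_alice = key_confirmation(auth_key, k_alice)   # relayed verbatim
    return hmac.compare_digest(tag_from_alice, key_confirmation(auth_key, k_bob))


if __name__ == "__main__":
    message = b"meet at noon"             # constructed sample plaintext
    psk = secrets.token_bytes(32)         # constructed out-of-band MAC key
    print("direct:", direct_exchange(message))
    bob, mallory = spliced_exchange(message)
    print("spliced, no MAC: Bob sees", bob, "/ Mallory saw", mallory)
    print("direct link accepted:", link_accepted(psk, spliced=False))
    print("spliced link accepted:", link_accepted(psk, spliced=True))
```

The design point is the one the post makes: the only thing that distinguishes the spliced run from the direct one is `key_confirmation`, and it rests entirely on `auth_key`, a conventional secret that had to be distributed out of band before the link was ever used.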