Quantum Cryptography

Perry E. Metzger perry at piermont.com
Fri Jun 22 12:12:35 EDT 2007


"Leichter, Jerry" <leichter_jerrold at emc.com> writes:
> | > >    - Quantum Cryptography is "fiction" (strictly claims that it solves
> | > >      an applied problem are fiction, indisputably interesting Physics).
> | > 
> | > Well that is a broad (and maybe unfair) statement.
> | > 
> | > Quantum Key Distribution (QKD) solves an applied problem of secure key
> | > distribution. It may not be able to ensure "unconditional" secrecy
> | > during key exchange, but it can detect any eavesdropping. Once
> | > eavesdropping is detected, the key can be discarded.
> | 
> | Secure in what sense? Did I miss reading about the part of QKD that
> | addresses MITM (just as plausible IMHO with fixed circuits as passive
> | eavesdropping)?
> | 
> | Once QKD is augmented with authentication to address MITM, the "Q"
> | seems entirely irrelevant.

> The unique thing the "Q" provides is the ability to detect
> eavesdropping.  I think a couple of weeks ago I forwarded a pointer to
> a paper showing that there were some limits to this ability, but
> even so, this is a unique feature that no combination of existing
> primitives can provide.  One can argue about what this adds.

If it cost almost nothing, it would be a neat frill to have. When it
increases the cost of encrypting a link by a factor of four to six
orders of magnitude while still requiring all the old security systems
you had before, it is pretty uninteresting.

> The current approach of the QKD efforts is to assume that physical
> constraints are sufficient to block MITM,
[...]
> One can argue about the reasonableness of this model - particularly
> about the ability of physical limitations to block MITM.  It does
> move the center of the problem, however - and into a region (physical
> protection) in which there is much more experience and perhaps
> some better intuition.

Indeed it does. We have a lot of experience with securing links that
go for hundreds of km, and the experience tells us that we can't do it
in the real world. It would be one thing if experience said that
attackers can be easily found and stopped on long range physical
links, but we know that they can't, so why are we even thinking about
it this way?

Besides, companies like MagiQ don't say "we're giving you
unconditional security against eavesdropping provided your prayers
that no one MITMs you are granted", they claim that they are providing
you with actual unconditional security. They clearly are not.

> In the other direction, whether the ability to detect eavesdropping lets
> you do anything interesting is, I think, an open question.  I wouldn't
> dismiss it out of hand.

As you know, most of us argue you should simply assume you're being
eavesdropped on and design security so that you don't care. It is much
simpler, much less expensive, and much more robust.


-- 
Perry E. Metzger		perry at piermont.com
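
The two cases argued over in this message, as a toy BB84-style simulation added here for illustration (it is not part of the original message): a tap that measures and resends on the quantum channel shows up as errors in the sifted key, while a man-in-the-middle who terminates both the quantum and the unauthenticated classical channel sees clean statistics on each leg. The measurement model, function names and parameters are assumptions of this example.

```python
import random

def rand_bits(n, rng):
    return [rng.randint(0, 1) for _ in range(n)]

def transmit(bits, send_bases, recv_bases, rng):
    """Idealised measurement: same basis returns the bit, otherwise a coin flip."""
    return [b if sb == rb else rng.randint(0, 1)
            for b, sb, rb in zip(bits, send_bases, recv_bases)]

def sift_error_rate(sent, send_bases, got, recv_bases):
    """Keep positions where the bases matched; return the fraction that disagree."""
    kept = [(s, g) for s, sb, g, rb in zip(sent, send_bases, got, recv_bases)
            if sb == rb]
    return sum(s != g for s, g in kept) / len(kept)

def passive_tap(n=4000, seed=1):
    """Eve measures and resends on the quantum channel only."""
    rng = random.Random(seed)
    a_bits, a_bases = rand_bits(n, rng), rand_bits(n, rng)
    e_bases, b_bases = rand_bits(n, rng), rand_bits(n, rng)
    e_bits = transmit(a_bits, a_bases, e_bases, rng)   # Eve guesses bases
    b_bits = transmit(e_bits, e_bases, b_bases, rng)   # Bob gets Eve's resend
    # Alice and Bob compare over the classical channel, which Eve cannot alter.
    return sift_error_rate(a_bits, a_bases, b_bits, b_bases)

def mitm_unauthenticated(n=4000, seed=1):
    """Mallory runs one full session with Alice and a separate one with Bob.
    With no authentication, each side sifts against Mallory, not each other."""
    rng = random.Random(seed)
    a_bits, a_bases = rand_bits(n, rng), rand_bits(n, rng)
    m_recv_bases = rand_bits(n, rng)
    m_got = transmit(a_bits, a_bases, m_recv_bases, rng)
    leg_alice = sift_error_rate(a_bits, a_bases, m_got, m_recv_bases)
    m_bits, m_bases = rand_bits(n, rng), rand_bits(n, rng)
    b_bases = rand_bits(n, rng)
    b_got = transmit(m_bits, m_bases, b_bases, rng)
    leg_bob = sift_error_rate(m_bits, m_bases, b_got, b_bases)
    return leg_alice, leg_bob

if __name__ == "__main__":
    print("error rate with a measuring tap:", passive_tap())
    print("error rates seen under MITM    :", mitm_unauthenticated())
```

The tap produces an error rate near 25% in the sifted key; the man-in-the-middle case produces zero on both legs, so the eavesdropping check passes unless the classical channel is authenticated by some other means.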
