Quantum Cryptography
Leichter, Jerry
leichter_jerrold at emc.com
Fri Jun 22 20:21:25 EDT 2007
My previous message was not an attempt to defend the companies that are
out there trying to sell quantum cryptography. They're clearly way out
ahead of any reasonable theory and are following in a great tradition
of offering crypto snake oil. That some of them are doing it on *my*
money - i.e., by selling stuff to the government - hardly makes me
happier.
However, just because there are many people in there to make a buck,
and others who are naive about the state of the art - having come over
from a different field (not something new either; look at some of the
papers mathematicians published when public-key first came into public
view) - doesn't mean there might not be valid and potentially useful
ideas to be found here. The question was: Does QK as it currently
exists offer anything that isn't available with conventional crypto?
The answer is clearly yes. It offers two things:
- An entirely different (and just as unprovable!) set of
assumptions on which proofs of security can be
based. One might argue that our assumptions about QM
have a significantly longer history than our
assumptions about the difficulty of various computational
problems, and are at least to some degree empirically
testable. For some people, that might make a
difference. If you're really paranoid, you might
build a system which would be secure if *either*
set of assumptions was valid - defense in depth.
I'll agree, though, that a debate along these lines
is rather pointless. There's really no good way
to know if either set of assumptions is really
correct, but both are so embedded in extensive
bodies of knowledge that it would be very surprising
if they turned out to be wrong. (Frankly, it would
be much more surprising at this point to find a
fundamental error in the assumptions about randomness
in QM than to find, say, a fast factoring algorithm
or an attack on AES, or a break in secure hash
algorithms - oops, that happened already!)
- Quantum techniques allow you to detect eavesdropping. This
is a *fundamental* difference. Its implications have
not been explored, so there's no way to tell if they
will ultimately prove interesting or not. (If a
number of years ago I had handed to you, without
explanation, an algorithm for bit commitment, would
you have had any idea what it might be used for?)
It's also not at all clear that this is the *only*
fundamental property that distinguishes Quantum
Cryptography (whatever that might turn out to be)
as opposed to Quantum Key Exchange. (Might there
be a quantum signature algorithm which can detect
that someone has stolen your signature and is
using it?)
If you want to attack the vendors of quantum key distribution equipment
for selling high-priced snake oil, fine. They are hardly alone in
this field - and if their equipment doesn't *add* security, at least
it doesn't seem to remove it (if you use it properly). Likewise,
if you want to attack papers by physicists who don't understand the
problem, that's fine - they *should* be attacked, because that's the
way science works. Many of these guys are quite clever, and they'll
learn.
All I'm responding to is the self-congratulating commentary whose
starting point is "these problems have all been solved, there's
nothing at all new here". That's not true.
BTW, on the quantum subway tokens business: In more modern terms,
what this was providing was unlinkable, untraceable e-coins which
could be spent exactly once, with *no* central database to check
against and none of this "well, we can't stop you from spending it
more than once, but if we ever notice, we'll learn all kinds of
nasty things about you". (The coins were unlinkable and untraceable
because, in fact, they were *identical*.) Now, of course, they
were also physical objects, not just collections of bits. The same
is true of the photons used in quantum key exchange. Otherwise,
it wouldn't work. We're inherently dealing with a different model
here. Where it ends up is anyone's guess at this point.
-- Jerry
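The eavesdropping-detection property raised in the second bullet is the one mechanism in this thread that can be shown concretely. The following is an added example, not part of Jerry's message or of any vendor's product: a toy simulation of BB84-style key exchange in which each photon is modelled as a (basis, bit) pair, a measurement in the wrong basis returns a random bit and collapses the photon into the measurer's basis, and an intercept-resend eavesdropper is optionally inserted between Alice and Bob. The function names, the 4000-photon run size, and the 11% abort threshold are choices made for this example.

```python
import random


def bb84_run(n_qubits, eavesdrop, seed=0):
    """Simulate one BB84 exchange over a noiseless channel.

    Returns (sifted_key_length, error_rate), where error_rate is the
    fraction of sifted positions at which Alice's and Bob's bits differ.
    Bases: 0 = rectilinear, 1 = diagonal. Photon state = (basis, bit).
    """
    rng = random.Random(seed)  # seeded so runs are reproducible

    alice_bits = [rng.randrange(2) for _ in range(n_qubits)]
    alice_bases = [rng.randrange(2) for _ in range(n_qubits)]
    photons = list(zip(alice_bases, alice_bits))

    def measure(photon, basis):
        """Measure a photon in `basis`.

        Same basis as preparation: the encoded bit comes out unchanged.
        Other basis: the outcome is uniformly random and the photon is
        left in the measurer's basis carrying that outcome (this is the
        disturbance that makes an interceptor visible).
        """
        prep_basis, bit = photon
        if basis == prep_basis:
            return bit, photon
        outcome = rng.randrange(2)
        return outcome, (basis, outcome)

    if eavesdrop:
        # Intercept-resend: Eve measures each photon in a random basis and
        # forwards the post-measurement state to Bob.
        forwarded = []
        for photon in photons:
            eve_basis = rng.randrange(2)
            _, after = measure(photon, eve_basis)
            forwarded.append(after)
        photons = forwarded

    bob_bases = [rng.randrange(2) for _ in range(n_qubits)]
    bob_bits = [measure(p, b)[0] for p, b in zip(photons, bob_bases)]

    # Sifting: Alice and Bob compare bases over the public channel (never
    # the bits) and keep only positions where the bases agreed.
    sifted = [
        (a, b)
        for a, b, ab, bb in zip(alice_bits, bob_bits, alice_bases, bob_bases)
        if ab == bb
    ]
    if not sifted:
        return 0, 0.0
    errors = sum(1 for a, b in sifted if a != b)
    return len(sifted), errors / len(sifted)


def eavesdropper_detected(error_rate, threshold=0.11):
    """Abort rule: in a noiseless model any error on sifted bits is
    evidence of interference; the 11% threshold is a conservative choice
    for this example, leaving room for real-channel noise."""
    return error_rate > threshold


if __name__ == "__main__":
    for eve in (False, True):
        n, qber = bb84_run(4000, eavesdrop=eve, seed=1)
        print(f"eavesdropper={eve}: sifted={n} error_rate={qber:.3f} "
              f"abort={eavesdropper_detected(qber)}")
```

Without Eve the sifted bits agree exactly, because this model has no channel noise. With an intercept-resend Eve, half her measurements land in the wrong basis, and half of those give Bob a wrong bit, so roughly a quarter of the sifted key disagrees: the protocol's way of turning eavesdropping into an observable event rather than a silent one.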
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com