Quantum Cryptography

Leichter, Jerry leichter_jerrold at emc.com
Fri Jun 22 20:21:25 EDT 2007


My previous message was not an attempt to defend the companies that are
out there trying to sell quantum cryptography.  They're clearly way out
ahead of any reasonable theory and are following in a great tradition
of offering crypto snake oil.  That some of them are doing it on *my*
money - i.e., by selling stuff to the government - hardly makes me
happier.

However, just because there are many people in there to make a buck,
and others who are naive about the state of the art - having come over
from a different field (not something new either; look at some of the
papers mathematicians published when public-key first came into public
view) - doesn't mean there might not be valid and potentially useful
ideas to be found here.  The question was:  Does QK as it currently
exists offer anything that isn't available with conventional crypto?
The answer is clearly yes.  It offers two things:

	- An entirely different (and just as unprovable!) set of
		assumptions on which proofs of security can be
		based.  One might argue that our assumptions about QM
		have a significantly longer history than our
		assumptions about the difficulty of various computational
		problems, and are at least to some degree empirically
		testable.  For some people, that might make a
		difference.  If you're really paranoid, you might
		build a system which would be secure if *either*
		set of assumptions was valid - defense in depth.
		I'll agree, though, that a debate along these lines
		is rather pointless.  There's really no good way
		to know if either set of assumptions is really
		correct, but both are so embedded in extensive
		bodies of knowledge that it would be very surprising
		if they turned out to be wrong.  (Frankly, it would
		be much more surprising at this point to find a
		fundamental error in the assumptions about randomness
		in QM than to find, say, a fast factoring algorithm
		or an attack on AES, or a break in secure hash
		algorithms - oops, that happened already!)

	- Quantum techniques allow you to detect eavesdropping.  This
		is a *fundamental* difference.  Its implications have
		not been explored, so there's no way to tell if they
		will ultimately prove interesting or not.  (If a
		number of years ago I had handed to you, without
		explanation, an algorithm for bit commitment, would
		you have had any idea what it might be used for?)
		It's also not at all clear that this is the *only*
		fundamental property that distinguishes Quantum
		Cryptography (whatever that might turn out to be)
		as opposed to Quantum Key Exchange.  (Might there
		be a quantum signature algorithm which can detect
		that someone has stolen your signature and is
		using it?)

If you want to attack the vendors of quantum key distribution equipment
for selling high-priced snake oil, fine.  They are hardly alone in
this field - and if their equipment doesn't *add* security, at least
it doesn't seem to remove it (if you use it properly).  Likewise,
if you want to attack papers by physicists who don't understand the
problem, that's fine - they *should* be attacked, because that's the
way science works.  Many of these guys are quite clever, and they'll
learn.

All I'm responding to is the self-congratulating commentary whose
starting point is "these problems have all been solved, there's
nothing at all new here".  That's not true.

BTW, on the quantum subway tokens business:  In more modern terms,
what this was providing was unlinkable, untraceable e-coins which
could be spent exactly once, with *no* central database to check
against and none of this "well, we can't stop you from spending it
more than once, but if we ever notice, we'll learn all kinds of
nasty things about you".  (The coins were unlinkable and untraceable
because, in fact, they were *identical*.)  Now, of course, they
were also physical objects, not just collections of bits.  The same
is true of the photons used in quantum key exchange.  Otherwise,
it wouldn't work.  We're inherently dealing with a different model
here.  Where it ends up is anyone's guess at this point.

							-- Jerry
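The eavesdropping-detection point above, as an added illustration that is not part of Jerry's message: a small BB84 simulation in which an intercept-resend attacker who measures every photon in a random basis raises the error rate of the sifted key to about 25%, while an undisturbed channel shows none. The 11% abort threshold is an assumed parameter chosen for this example.

```python
"""Added example (not from the original post): BB84 over an ideal channel
with an optional intercept-resend attacker, to show how quantum key
exchange exposes eavesdropping through the sifted-key error rate."""
import random


def measure(state_bit: int, state_basis: int, basis: int, rng: random.Random) -> int:
    """Measuring a photon in its preparation basis returns its bit;
    measuring in the other basis returns a uniformly random bit."""
    return state_bit if basis == state_basis else rng.randint(0, 1)


def bb84_qber(n_photons: int, eavesdrop: bool, seed: int = 1) -> float:
    """Return the quantum bit error rate (QBER) of the sifted key.
    eavesdrop=True models an attacker who measures and resends every photon."""
    rng = random.Random(seed)
    sifted_alice, sifted_bob = [], []
    for _ in range(n_photons):
        bit = rng.randint(0, 1)
        a_basis = rng.randint(0, 1)   # 0 = rectilinear, 1 = diagonal
        state_bit, state_basis = bit, a_basis
        if eavesdrop:
            # The attacker must pick a basis to measure in; a wrong guess
            # leaves the resent photon in the wrong basis for Bob.
            e_basis = rng.randint(0, 1)
            state_bit = measure(state_bit, state_basis, e_basis, rng)
            state_basis = e_basis
        b_basis = rng.randint(0, 1)
        b_bit = measure(state_bit, state_basis, b_basis, rng)
        if a_basis == b_basis:  # sifting: keep only rounds with matching bases
            sifted_alice.append(bit)
            sifted_bob.append(b_bit)
    errors = sum(a != b for a, b in zip(sifted_alice, sifted_bob))
    return errors / len(sifted_alice)


def eavesdropping_detected(qber: float, threshold: float = 0.11) -> bool:
    """Abort decision: a QBER above the (assumed) threshold means the key
    cannot be trusted and the exchange is discarded."""
    return qber > threshold


if __name__ == "__main__":
    for attacked in (False, True):
        q = bb84_qber(10000, attacked)
        print(f"eavesdropper={attacked}: QBER={q:.3f}, "
              f"detected={eavesdropping_detected(q)}")
```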



---------------------------------------------------------------------
The Cryptography Mailing List