Quantum Cryptography

[Nicolas Williams]

On Mon, Jun 25, 2007 at 08:23:14PM -0400, Greg Troxel wrote:
> Victor Duchovni <Victor.Duchovni at MorganStanley.com> writes:
> > Secure in what sense? Did I miss reading about the part of QKD that
> > addresses MITM (just as plausible IMHO with fixed circuits as passive
> > eavesdropping)?
> 
> It would be good to read the QKD literature before claiming that QKD is
> always unauthenticated.

Noone claimed that it isn't -- the claim is that there is no quantum
authentication, so QKD has to be paired with classical crypto in order
to defeat MITMs, which renders it worthless (because if you'll rely on
classical crypto then you might as well only use classical crypto as QKD
doesn't add any security that classical crypto, which you still have to
use, doesn't already).

The real killer for QKD is that it doesn't work end-to-end across middle
boxes like routers.  And as if that weren't enough there's the
exhorbitant cost of QKD kit.

> The generally accepted approach among the physics crowd is to use
> authentication with a secret keys and a universal family of has
> functions.

Everyone who's commented has agreed that authentication is to be done
classically as there is no quantum authentication yet.

But I can imagine how quantum authentication might be done: generate an
entangled pair at one end of the connection, physically carry half of it
to the other end, and then run a QKD exchange that depends on the two
ends having half of the same entangled particle or photon pair.  I'm no
quantum physicist, so I can't tell how workable that would be at the
physics-wise, but such a scheme would be analogous to pre-sharing
symmetric keys in classical crypto.  Of course, you'd have to do this
physical pre-sharing step every time you restart the connection after
having run out of pre-shared entabled pair halfs; ouch.

> > Once QKD is augmented with authentication to address MITM, the "Q"
> > seems entirely irrelevant.
> 
> It's not if you care about perfect forward secrecy and believe that DH
> might be broken, and can't cope with or don't trust a Kerberos-like
> scheme.  You can authenticate QKD with a symmetric mechanism, and get
> PFS against an attacker who records all the traffic and breaks DH later.

The end-to-end across middle boxes issue kills this argument about
protection against speculative brokenness of public key cryptography.

All but the smallest networks depend on middle boxes.

Quantum cryptography will be useful when:

 - it can be deployed in an end-to-end fashion across middle boxes

 OR

 - we adopt hop-by-hop methods of building end-to-end authentication

And, of course, quantum kit has got to be affordable, but let's assume
that economies of scale will be achieved once quantum crypto becomes
useful.

Critical breaks of public key crypto will NOT be sufficient to drive
adoption of quantum crypto: we can still build networks out of symmetric
key crypto (and hash/MAC functions) only if need be (with pre-shared
keying, Kerberos, and generally Needham-Schroeder).

> There are two very hard questions for QKD systems:
> 
>  1) Do you believe the physics?  (Most people who know physics seem to.)
> 
>  2) Does the equipment in your lab correspond to the idealized models
>     with which the proofs for (1) were done.  (Not even close.)

But the only real practical issue, for Internet-scale deployment, is the
end-to-end issue.  Even for intranet-scale deployments, actually.

> I am most curious as to the legal issue that came up regarding QKD.

Which legal issue?

Nico
-- 

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com