Quantum Cryptography

Nicolas Williams Nicolas.Williams at sun.com
Wed Jun 27 17:53:34 EDT 2007


On Tue, Jun 26, 2007 at 02:03:29PM -0700, Jon Callas wrote:
> On Jun 26, 2007, at 10:10 AM, Nicolas Williams wrote:
> >This too is a *fundamental* difference between QKD and classical
> >cryptography.
> 
> What does this "classical" word mean? Is it the Quantum way to say  
> "real"? I know we're in violent agreement, but why are we letting  
> them play language games?

I don't mind using "classical" here.  I don't think Newtonian physics
(classical) is "bad" -- it works great at everyday human scales.

> >IMO, QKD's ability to discover passive eavesdroppers is not even
> >interesting (except from an intellectual p.o.v.) given: its
> >inability to detect MITMs, its inability to operate end-to-end
> >across middle boxes, while classical crypto provides protection
> >against eavesdroppers *and* MITMs both *and* supports end-to-end
> >operation across middle boxes.
> 
> Moreover, the quantum way of discovering passive eavesdroppers is  
> really just a really delicious sugar coating on the classical term  
> "denial of service." I'm not being DoSed, I'm detecting a passive  
> eavesdropper!

Heh!  Indeed: with classical (or non-quantum, or standard, or...) crypto
eavesdroppers are passive attackers and passive attackers cannot mount
DoS attacks (oh, I suppose that wiretapping can cause some slightly
noticeable interference in some cases, but usually that's no DoS), but
in QKD passive attackers become active attackers.

But it gets worse!  To eavesdrop on a QKD link requires much the same
effort (splice the fiber) as to be an MITM on a QKD link, so why would
any attacker choose to eavesdrop and be detected instead of being an
MITM, go undetected and get the cleartext they're after?  Right, they
wouldn't.  Attackers aren't stupid, and an attacker that can splice your
fibers can probably afford the QKD HW they need to mount an MITM attack.

So, really, you need authentication.  And, really, you need end-to-end,
not hop-by-hop authentication and data confidentiality + integrity
protection.

This reminds me of Feynman's presentation of Quantum Electro Dynamics,
which finished with "QED."  Has it now been sufficiently established
that QKD is not useful that whenever it rears its head we can point
folks at archives of these threads and not spill any more ink?

Nico
-- 
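
The argument above as an added simulation, not part of the original message: an idealized, noise-free BB84-style link (BB84 is assumed here as the QKD protocol; the thread names none) comparing the error rate left by an intercept-resend tap with the error rate seen when an unauthenticated man in the middle terminates both fibers. All function names are illustrative.

```python
import random

def measure(bit, prep_basis, meas_basis, rng):
    # A matching basis reads the encoded bit; a mismatched basis is a coin flip.
    return bit if prep_basis == meas_basis else rng.randrange(2)

def bb84_link(n, rng, tap=False):
    """One BB84 run over one fiber; returns (sender_key, receiver_key) after
    sifting. tap=True places an intercept-resend eavesdropper on the fiber."""
    s_key, r_key = [], []
    for _ in range(n):
        bit, s_basis, r_basis = (rng.randrange(2) for _ in range(3))
        state_bit, state_basis = bit, s_basis
        if tap:
            # The tap must measure in a guessed basis and re-send what it saw.
            e_basis = rng.randrange(2)
            state_bit = measure(state_bit, state_basis, e_basis, rng)
            state_basis = e_basis
        got = measure(state_bit, state_basis, r_basis, rng)
        if s_basis == r_basis:  # sifting: keep rounds where bases agree
            s_key.append(bit)
            r_key.append(got)
    return s_key, r_key

def qber(a, b):
    # Fraction of sifted bits that differ: the only alarm the endpoints have.
    return sum(x != y for x, y in zip(a, b)) / len(a)

def compare(n=20000, seed=1):
    rng = random.Random(seed)  # constructed, seeded input for repeatability
    clean = qber(*bb84_link(n, rng))
    tapped = qber(*bb84_link(n, rng, tap=True))
    # MITM: with no authentication, Mallory is simply the receiver on Alice's
    # fiber and the sender on Bob's, running two ordinary, undisturbed links.
    alice_key, mallory_a = bb84_link(n, rng)
    mallory_b, bob_key = bb84_link(n, rng)
    return {
        "clean_qber": clean,
        "tapped_qber": tapped,
        "mitm_qber_alice_side": qber(alice_key, mallory_a),
        "mitm_qber_bob_side": qber(mallory_b, bob_key),
        "mallory_holds_both_keys": mallory_a == alice_key and mallory_b == bob_key,
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

The tap shows up as roughly a 25% error rate in the sifted key, while each half of the man-in-the-middle link shows none, which is why the endpoints need authentication rather than eavesdropper detection.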

---------------------------------------------------------------------
The Cryptography Mailing List