Quantum Key Distribution: the bad idea that won't die...

silky michaelslists at gmail.com
Wed Apr 21 18:05:23 EDT 2010


First of all, I'm sure you know more about this than me, but allow me
to reply ...


On Wed, Apr 21, 2010 at 11:19 PM, Perry E. Metzger <perry at piermont.com> wrote:
> > Useless now maybe, but it's preparing for a world where RSA is broken
> > (i.e. quantum computers) and it doesn't require quantum computers; so
> > it's quite practical, in that sense.
>
> No, it isn't. QKD is useless three different ways.
>
> First, AES and other such systems are fine, and the way people break
> reasonably designed security systems (i.e. not WEP or what have you) is
> not by attacking the crypto.

I didn't say AES, I said RSA. Specifically I was referring to Shor's
factoring algorithm on quantum computers:
http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.47.3862


> Second, you can't use QKD on a computer network. It is strictly point to
> point. Want 200 nodes to talk to each other? Then you need 40,000
> fibers, without repeaters, in between the nodes, each with a $10,000 or
> more piece of equipment at each of the endpoints, for a total cost of
> hundreds of millions of dollars to do a task ethernet would do for a
> couple thousand dollars.

Sure, now. That's the point of research though; to find more efficient
ways of doing things. If you stopped working on anything that seemed
initially too hard or unpractical I don't think we'd get anywhere.


> Third, QKD provides no real security because there is no actual
> authentication. If someone wants to play man in the middle, nothing
> stops them. If someone wants to cut the fiber and speak QKD to one
> endpoint, telling it false information, nothing stops them. You can
> speak the QKD protocol to both endpoints and no one will be the
> wiser. So, you need some way of providing privacy and
> authentication... perhaps a conventional cryptosystem.

I agree this is an issue, and from my reading it doesn't seem
completely resolved, but again I think it's reasonable to continue
researching into solutions. Important, however, is that if a
classical system is used to do authentication, then the resulting QKD
stream is *stronger* than the classically-encrypted scheme.


> So, what did QKD
> provide you with again?
>
> There is no point to QKD at all.

I disagree.


> Perry
> --
> Perry E. Metzger                perry at piermont.com

-- 
silky

  http://www.programmingbranch.com/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
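
The authentication point debated in this message, as an added example that is not part of the original post: a toy BB84 simulation showing that the sifting error check flags an intercept-resend tap but not a party that terminates the link and runs a clean session with each endpoint, and that a tag on the basis announcement under a pre-shared key is what rejects the latter. The function names, the noiseless channel, the seed, and the use of HMAC as the classical authenticator are assumptions made for illustration.

```python
import hashlib, hmac, random

def bb84(rng, n, tap=False):
    """Toy BB84 run. Returns (sender_key, receiver_key, error_rate) after sifting."""
    a_bits = [rng.randrange(2) for _ in range(n)]
    a_bases = [rng.randrange(2) for _ in range(n)]
    b_bases = [rng.randrange(2) for _ in range(n)]
    b_bits = []
    for bit, basis, b_basis in zip(a_bits, a_bases, b_bases):
        if tap:
            # Intercept-resend: measuring in a random basis re-prepares the photon.
            e_basis = rng.randrange(2)
            bit = bit if e_basis == basis else rng.randrange(2)
            basis = e_basis
        # A matching basis reads the bit exactly; a mismatched one reads a coin flip.
        b_bits.append(bit if b_basis == basis else rng.randrange(2))
    keep = [i for i in range(n) if a_bases[i] == b_bases[i]]  # sifting
    ka, kb = [a_bits[i] for i in keep], [b_bits[i] for i in keep]
    return ka, kb, sum(x != y for x, y in zip(ka, kb)) / len(keep)

def split_link(rng, n):
    """Link terminated in the middle: each endpoint completes a clean run with the middle party."""
    key_a, _, err_a = bb84(rng, n)
    _, key_b, err_b = bb84(rng, n)
    return key_a, key_b, err_a, err_b

def tag(psk, bases):
    """Authenticate a basis announcement. HMAC is a stand-in (assumption) for the
    Wegman-Carter MACs usually cited for QKD."""
    return hmac.new(psk, bytes(bases), hashlib.sha256).digest()

def accept(psk, bases, received_tag):
    """Constant-time check of the tag on a received announcement."""
    return hmac.compare_digest(tag(psk, bases), received_tag)

if __name__ == "__main__":
    rng = random.Random(2010)  # constructed seed
    print("honest error rate:", bb84(rng, 4000)[2])
    print("tapped error rate:", round(bb84(rng, 4000, tap=True)[2], 3))
    key_a, key_b, err_a, err_b = split_link(rng, 4000)
    print("split link error rates:", err_a, err_b, "keys equal:", key_a == key_b)
    psk, bases = b"constructed pre-shared key", [0, 1, 1, 0]
    print("forged announcement accepted:", accept(psk, bases, tag(b"guess", bases)))
```

In the split-link case both endpoints see a zero error rate while holding different keys, so the error check alone gives no signal; only the tag comparison fails.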
