Quantum Key Distribution: the bad idea that won't die...

Perry E. Metzger perry at piermont.com
Wed Apr 21 20:47:50 EDT 2010

silky <michaelslists at gmail.com> writes:
> First of all, I'm sure you know more about this than me, but allow me
> to reply ...
> On Wed, Apr 21, 2010 at 11:19 PM, Perry E. Metzger <perry at piermont.com> wrote:
>> > Useless now maybe, but it's preparing for a world where RSA is broken
>> > (i.e. quantum computers) and it doesn't require quantum computers; so
>> > it's quite practical, in that sense.
>> No, it isn't. QKD is useless three different ways.
>> First, AES and other such systems are fine, and the way people break
>> reasonably designed security systems (i.e. not WEP or what have you) is
>> not by attacking the crypto.
> I didn't say AES, I said RSA. Specifically I was referring to Shor's
> factoring algorithm on quantum computers:
> http://citeseerx.ist.psu.edu/viewdoc/summary?doi=

I'm well aware, however, AES is not going to be broken by quantum
computers (see Scott Aaronson's excellent lay explanations of the fact
that quantum computers likely can't solve NP complete problems in
polynomial time), and no one uses RSA or any other asymmetric cipher for
link encryption. RSA+DH is typically used only for bootstrapping a
symmetric cipher. QKD only provides link encryption anyway.

>> Second, you can't use QKD on a computer network. It is strictly point to
>> point. Want 200 nodes to talk to each other? Then you need 40,000
>> fibers, without repeaters, in between the nodes, each with a $10,000 or
>> more piece of equipment at each of the endpoints, for a total cost of
>> hundreds of millions of dollars to do a task ethernet would do for a
>> couple thousand dollars.
> Sure, now. That's the point of research though; to find more efficient
> ways of doing things.

I'm afraid that QKD is literally incapable of being done more
efficiently than this. The whole point of the protocol is to get
guarantees of security from quantum mechanics, and as soon as you have
any intermediate nodes they're gone. I know of no one who claims to have
any idea about how to extend the protocol beyond that, and I suspect it
of being literally impossible (that is, I suspect that a mathematical
proof that it is impossible should be doable.)

>> Third, QKD provides no real security because there is no actual
>> authentication. If someone wants to play man in the middle, nothing
>> stops them. If someone wants to cut the fiber and speak QKD to one
>> endpoint, telling it false information, nothing stops them. You can
>> speak the QKD protocol to both endpoints and no one will be the
>> wiser. So, you need some way of providing privacy and
>> authentication... perhaps a conventional cryptosystem.
> I agree this is an issue, and from my reading it doesn't seem
> completely resolved,

It isn't resolved at all.

> but again I think it's reasonable to continue researching into
> solutions.

No one is doing that, though. People are working on things like faster
bit rates, as though the basic reasons the whole thing is useless were

> Importantly, however, is that if a classical system is used to do
> authentication, then the resulting QKD stream is *stronger* than the
> classically-encrypted scheme.

Nope. It isn't. The system is only as strong as the classical system. If
the classical system is broken, you lose any assurance that you aren't
being man-in-the-middled.

>> So, what did QKD provide you with again?
>> There is no point to QKD at all.
> I disagree.

That is, of course, your privilege.

Perry E. Metzger		perry at piermont.com
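The third objection above (no authentication, so an attacker can speak the QKD protocol to both endpoints) can be made concrete with a classical toy simulation of BB84. This is an added example, not code from the thread or from any QKD vendor; the photon, basis and sifting model is a simplification, and the names (`session`, `intercept_resend`, `unauthenticated_mitm`) are mine. It shows that the QBER check catches tampering on the quantum channel, but a relay that simply runs two honest sessions passes every check the endpoints can make, so the security reduces entirely to whatever classical authentication is wrapped around it.

```python
import random

BASES = ("+", "x")  # rectilinear and diagonal bases (classical BB84 model)

def prepare(rng, n):
    """Sender picks n random bits and n random bases: a list of (bit, basis) photons."""
    return [(rng.randint(0, 1), rng.choice(BASES)) for _ in range(n)]

def measure(rng, photons, bases):
    """Same basis as the sender recovers the bit; the wrong basis yields a random bit."""
    return [bit if basis == sent_basis else rng.randint(0, 1)
            for (bit, sent_basis), basis in zip(photons, bases)]

def sift(sender_photons, receiver_bases, receiver_bits):
    """Keep only positions where the bases agree (bases are compared over the public channel)."""
    key_s, key_r = [], []
    for (bit, basis), rbasis, rbit in zip(sender_photons, receiver_bases, receiver_bits):
        if basis == rbasis:
            key_s.append(bit)
            key_r.append(rbit)
    return key_s, key_r

def qber(key_a, key_b):
    """Quantum bit error rate: the fraction of sifted positions where the two keys differ."""
    return sum(a != b for a, b in zip(key_a, key_b)) / len(key_a)

def session(rng, n, eve=None):
    """One BB84 exchange from a sender to a receiver; `eve` may transform photons in flight."""
    sender = prepare(rng, n)
    in_flight = eve(rng, sender) if eve else sender
    receiver_bases = [rng.choice(BASES) for _ in range(n)]
    receiver_bits = measure(rng, in_flight, receiver_bases)
    return sift(sender, receiver_bases, receiver_bits)

def intercept_resend(rng, photons):
    """Eve measures every photon in a random basis and re-emits it.
    Half of her bases are wrong, and each wrong one flips the receiver's bit half
    the time, so the sifted key shows ~25% errors and the session is aborted."""
    eve_bases = [rng.choice(BASES) for _ in photons]
    eve_bits = measure(rng, photons, eve_bases)
    return list(zip(eve_bits, eve_bases))

def unauthenticated_mitm(rng, n):
    """Without authentication Eve need not touch Alice's photons at all: she runs one
    honest session as 'Bob' with Alice and a second as 'Alice' with Bob. Both sessions
    show a zero error rate; Alice and Bob each hold a key shared only with Eve."""
    alice_key, eve_left = session(rng, n)    # Alice <-> Eve, Eve acting as the receiver
    eve_right, bob_key = session(rng, n)     # Eve <-> Bob, Eve acting as the sender
    return alice_key, bob_key, eve_left, eve_right
```

With a fixed seed, the honest session and both halves of the relay report a QBER of 0, while intercept-resend lands near 0.25; only a classical authentication tag bound to the basis announcements can tell the relay apart from an honest peer.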

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
