Quantum Key Distribution: the bad idea that won't die...

silky michaelslists at gmail.com
Wed Apr 21 20:58:40 EDT 2010

On Thu, Apr 22, 2010 at 10:47 AM, Perry E. Metzger <perry at piermont.com> wrote:


>>> Second, you can't use QKD on a computer network. It is strictly point to
>>> point. Want 200 nodes to talk to each other? Then you need 40,000
>>> fibers, without repeaters, in between the nodes, each with a $10,000 or
>>> more piece of equipment at each of the endpoints, for a total cost of
>>> hundreds of millions of dollars to do a task ethernet would do for a
>>> couple thousand dollars.
>> Sure, now. That's the point of research though; to find more efficient
>> ways of doing things.
> I'm afraid that QKD is literally incapable of being done more
> efficiently than this. The whole point of the protocol is to get
> guarantees of security from quantum mechanics, and as soon as you have
> any intermediate nodes they're gone. I know of no one who claims to have
> any idea about how to extend the protocol beyond that, and I suspect it
> of being literally impossible (that is, I suspect that a mathematical
> proof that it is impossible should be doable.)

What do you mean "intermediate nodes"? It's possible to extend the
length of QKD depending on the underlying QKD protocol used. I.e. in
the EPR-based QKD, extension is possible.


> No one is doing that, though. People are working on things like faster
> bit rates, as though the basic reasons the whole thing is useless were
> solved.

I don't think you can legitimately speak for the entire community as
to what or not they may be doing. It's interesting to me that some
arguably unrelated fields of research (i.e. quantum repeaters) may be

> > Importantly, however, is that if a classical system is used to do
> > authentication, then the resulting QKD stream is *stronger* than the
> > classically-encrypted scheme.
> Nope. It isn't. The system is only as strong as the classical system. If
> the classical system is broken, you lose any assurance that you aren't
> being man-in-the-middled.

No, it's not only as strong as the classical; it gets stronger if the
classical component works. Quoting from:
http://arxiv.org/abs/0902.2839v2 - The Case for Quantum Key

"If authentication is unbroken during the first round of QKD, even if
it is only computationally
secure, then subsequent rounds of QKD will be information-theoretically secure."

> Perry
> --
> Perry E. Metzger                perry at piermont.com



The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list