Quantum Key Distribution: the bad idea that won't die...

Perry E. Metzger perry at piermont.com
Wed Apr 21 22:04:21 EDT 2010

silky <michaelslists at gmail.com> writes:
>>>> Second, you can't use QKD on a computer network. It is strictly point to
>>>> point. Want 200 nodes to talk to each other? Then you need 40,000
>>>> fibers, without repeaters, in between the nodes, each with a $10,000 or
>>>> more piece of equipment at each of the endpoints, for a total cost of
>>>> hundreds of millions of dollars to do a task ethernet would do for a
>>>> couple thousand dollars.
>>> Sure, now. That's the point of research though; to find more efficient
>>> ways of doing things.
>> I'm afraid that QKD is literally incapable of being done more
>> efficiently than this. The whole point of the protocol is to get
>> guarantees of security from quantum mechanics, and as soon as you have
>> any intermediate nodes they're gone. I know of no one who claims to have
>> any idea about how to extend the protocol beyond that, and I suspect it
>> of being literally impossible (that is, I suspect that a mathematical
>> proof that it is impossible should be doable.)
> What do you mean "intermediate nodes"? It's possible to extend the
> length of QKD depending on the underlying QKD protocol used. I.e. in
> the EPR-based QKD, extension is possible.

Length isn't the issue. Networks are the problem. If you want to have
every computer have only one link instead of one for every other
computer it might ever talk to, you need a network. Networks need
routers, that is, intermediate nodes. QKD requires that the actual
endpoints of the communication be the only objects intercepting the
photons in question -- it is inherently useless in an environment with

Thus, if you want 200 nodes in a network to talk to each other, you need
200*200 fibers to do it, and 200*200*2 QKD units, each of which is more
expensive than your computer is. In exchange for your vast expenditure,
you will gain no security whatsoever and have to implement a
conventional cryptosystem on top anyway.

It seems like a lose.

> [...]
>> No one is doing that, though. People are working on things like faster
>> bit rates, as though the basic reasons the whole thing is useless were
>> solved.
> I don't think you can legitimately speak for the entire community as
> to what or not they may be doing.

I think I can, actually. I know of very few people in computer security
who take QKD seriously. I feel pretty safe making these sorts of

> It's interesting to me that some arguably unrelated fields of research
> (i.e. quantum repeaters) may be useful.

Not for this problem.

>> > Importantly, however, is that if a classical system is used to do
>> > authentication, then the resulting QKD stream is *stronger* than the
>> > classically-encrypted scheme.
>> Nope. It isn't. The system is only as strong as the classical system. If
>> the classical system is broken, you lose any assurance that you aren't
>> being man-in-the-middled.
> No, it's not only as strong as the classical; it gets stronger if the
> classical component works. Quoting from:
> http://arxiv.org/abs/0902.2839v2 - The Case for Quantum Key
> Distribution
> "If authentication is unbroken during the first round of QKD, even if
> it is only computationally secure, then subsequent rounds of QKD will
> be information-theoretically secure."

Read what you just wrote.

IF THE AUTHENTICATION IS UNBROKEN. That is, the system is only secure if
the conventional cryptosystem is not broken -- that is, it is only as
secure as the conventional system in use. Break the conventional system
and you've broken the whole thing.

It is, of course, worse than that paper states. If you're only
authenticating, a man in the middle gets the entire bit stream, so you
need both: authentication to know a man in the middle isn't lying to
you, and conventional crypto to know that the man in the middle isn't
violating your privacy. Color me unimpressed by the usefulness of the

Perry E. Metzger		perry at piermont.com

The Cryptography Mailing List
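Added example, not part of Perry's post or of anything else in this thread: a toy BB84 simulation that makes the authentication point concrete. It models photons as (bit, basis) pairs and plays three sessions: an honest run, an intercept-and-resend eavesdropper (which the error rate exposes), and a full man in the middle who terminates Alice's link and runs a second session with Bob. With no authentication on the classical channel, both honest parties see a zero error rate while Eve holds both sifted keys and reads the traffic she relays; with HMAC-tagged basis announcements under a pre-shared key, the forged announcement is rejected, but if Eve has that key (the conventional system is broken) the attack goes through again. The pre-shared key, the payload, the whole-key comparison and the seeded randomness are all constructed assumptions of this toy, not anything a real QKD product does.

```python
import hashlib
import hmac
import random

# Constructed toy parameters (assumptions, not from the post): ints stand in for photons.
PSK = b"pre-shared authentication key"   # the conventional secret the whole scheme rests on
MESSAGE = b"hi"                         # constructed payload Alice sends after key agreement


def to_bits(data):
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def from_bits(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def mac(key, bases):
    """Tag a basis announcement with HMAC-SHA256 under the pre-shared key."""
    return hmac.new(key, bytes(bases), hashlib.sha256).digest()


def prepare(rng, n):
    """Sender side: random bits, each encoded in a random basis (0 or 1)."""
    return [rng.randrange(2) for _ in range(n)], [rng.randrange(2) for _ in range(n)]


def measure(rng, photons, bases):
    """Measure (bit, basis) photons; measuring in the wrong basis gives a random outcome."""
    return [bit if pb == mb else rng.randrange(2) for (bit, pb), mb in zip(photons, bases)]


def sift(bits, bases, peer_bases):
    """Keep only the bits where both parties used the same basis."""
    return [b for b, mb, pb in zip(bits, bases, peer_bases) if mb == pb]


def qber(k1, k2):
    """Error rate the parties estimate by comparing keys (the whole key, in this toy)."""
    return sum(a != b for a, b in zip(k1, k2)) / len(k1) if k1 else 0.0


def otp(key, bits):
    return [b ^ k for b, k in zip(bits, key)]


def run(seed, n=2000, attack=None, authenticate=False, eve_has_psk=False):
    """One BB84 session. attack is None, 'intercept' (Eve measures and re-sends) or
    'mitm' (Eve terminates Alice's link and runs a second session with Bob)."""
    rng = random.Random(seed)
    a_bits, a_bases = prepare(rng, n)
    photons = list(zip(a_bits, a_bases))
    e_bases = [rng.randrange(2) for _ in range(n)]
    if attack == "intercept":
        e_bits = measure(rng, photons, e_bases)
        photons = list(zip(e_bits, e_bases))        # re-sent in Eve's basis: ~25% QBER after sifting
    elif attack == "mitm":
        e_bits = measure(rng, photons, e_bases)     # Eve plays Bob towards Alice ...
        e2_bits, e2_bases = prepare(rng, n)         # ... and Alice towards Bob
        photons = list(zip(e2_bits, e2_bases))
    b_bases = [rng.randrange(2) for _ in range(n)]
    b_bits = measure(rng, photons, b_bases)

    # Classical channel: each side hears "the peer's" bases. Under MITM Eve supplies both
    # announcements, and can only tag them correctly if she holds the PSK.
    if attack == "mitm":
        alice_hears, bob_hears = e_bases, e2_bases
        tag_key = PSK if eve_has_psk else b"eve does not have the PSK"
    else:
        alice_hears, bob_hears = b_bases, a_bases
        tag_key = PSK
    tags_ok = (hmac.compare_digest(mac(tag_key, alice_hears), mac(PSK, alice_hears))
               and hmac.compare_digest(mac(tag_key, bob_hears), mac(PSK, bob_hears)))
    if authenticate and not tags_ok:
        return {"aborted": True}                    # forged announcement detected, abort

    alice_key = sift(a_bits, a_bases, alice_hears)
    bob_key = sift(b_bits, b_bases, bob_hears)
    msg = to_bits(MESSAGE)
    if attack == "mitm":
        eve_key_a = sift(e_bits, e_bases, a_bases)    # identical to alice_key
        eve_key_b = sift(e2_bits, e2_bases, b_bases)  # identical to bob_key
        # Each honest party compares against Eve, so both observe a clean channel.
        observed = max(qber(alice_key, eve_key_a), qber(bob_key, eve_key_b))
        eve_sees = otp(eve_key_a, otp(alice_key, msg))         # Eve reads the traffic ...
        delivered = otp(bob_key, otp(eve_key_b, eve_sees))     # ... and re-encrypts it for Bob
        return {"aborted": False, "qber": observed,
                "eve_reads": from_bits(eve_sees), "bob_reads": from_bits(delivered)}
    return {"aborted": False, "qber": qber(alice_key, bob_key), "eve_reads": None,
            "bob_reads": from_bits(otp(bob_key, otp(alice_key, msg)))}
```

run(1) gives a zero error rate and Bob reads the payload; run(2, attack="intercept") gives an error rate near 0.25, which is what the quantum layer actually detects; run(3, attack="mitm") gives a zero error rate for both honest parties while Eve reads the payload; run(3, attack="mitm", authenticate=True) aborts, and the same call with eve_has_psk=True goes through to Eve again. The interesting row is the last one: the moment the conventional authentication key is known to the attacker, the quantum channel gives no warning at all.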