Quantum Key Distribution: the bad idea that won't die...

Perry E. Metzger perry at piermont.com
Wed Apr 21 22:27:50 EDT 2010


Let me note that Mr. Leiseboer is the CTO of a company that makes QKD
equipment.

"John Leiseboer" <jleiseboer at bigpond.com> writes:
> I too once worked exclusively in the world of classical cryptography and
> was sceptical of QKD. I now work in both worlds - classical cryptography
> and QKD. I now know that QKD can be a part of a high performance, cost
> competitive, highly secure system.

On what basis do you "know" this?

Again, there are three insurmountable problems here:

QKD requires a conventional cryptosystem on top to provide
authentication and privacy in the face of man-in-the-middle attacks (so
why do you want the QKD system?)

QKD is inherently incompatible with networks -- it is point to point
security only.

QKD provides no practical security over conventional cryptosystems. No
one attacks your security by breaking a modern system like AES -- people
look elsewhere to attack you. Not, of course, that it matters, because
if you can break AES, you can break a QKD system just by playing
man-in-the-middle, so again, why use QKD?

> Just because "everyone" who claims to be a crypto expert, or a few of
> the more well-known popular experts (often the ones with big egos and
> loud voices) say that crypto is not the weakest link, or that QKD is a
> bad idea, doesn't mean it's true forever, even if you want to believe
> that it's true now.

It is true forever. QKD doesn't even provide any security at all. As
I've said repeatedly:

As soon as you put a man in the middle with a pair of QKD boxes, each
endpoint will happily communicate with it as though it was the other
end. So, your security depends on having the data also authenticated and
encrypted with a conventional system. If the conventional system is
broken, the QKD added nothing. If the conventional system works, you
didn't need the QKD.  Game over.

If you can explain how to get around this, I'm all ears.

And please, no more comments about "big egos". Technical arguments
only. This is not a marketing list, it is a technical list. I'm pretty
ruthless about cutting people off if they get insulting.

> I don't know what the future holds, but when I think about what
> technology might be like in 10, 20, 50 years from now, I think back to
> what technology was like 10, 20, 50 years ago. Things change. And they
> change a lot. I doubt that public key encryption as we know it will
> survive the next 50 years.

That's a very bold statement, and one that I doubt you can back up, but
it is irrelevant to the current discussion, since no one encrypts links
with public key anyway. They may use it for key exchange -- but again,
QKD only provides link security, and you need a conventional crypto
system running on top of it anyway because it can't defend against man
in the middle attacks anyway, so it doesn't matter. If RSA and DH can't
be trusted for key exchange, then both the conventional and the QKD
systems will need keys for conventional ciphers manually loaded at both
ends -- QKD isn't secure without the conventional cipher system
providing authentication and privacy in the face of man in the middle
attacks.

> I worry when I see critically secure systems being deployed that rely
> exclusively on public key cryptography for key distribution.

Well, since any secure QKD system needs a conventional cryptosystem on
top to provide the actual security anyway, this is not an advantage of
QKD. If it is a problem conventional systems can't surmount, QKD can't
surmount it. If conventional systems can get beyond it, then QKD isn't
needed.

> I'm disappointed when I read and hear comments from people that reject
> outright,

Well, you'll have to explain why I'm wrong, then.

In detail.

> even the possibility that QKD might be practical, and have a place in
> securing our current and future systems.

It is practical to build very expensive QKD boxes. It is totally
impractical to use them vs. just using a conventional cipher.

> To respond directly to Perry's comment quoted at the beginning of this
> email, I can assure you that there is actually very strong interest in
> QKD in the security community.

Not at the conferences I go to. I can't name anyone who has any interest
in it at all. Mostly we sit around at the bar and wonder why the hell
people keep spending money on it.

If you care to name people who have an interest here, please let me
know. I haven't found them.

> The interest is not purely academic or oriented towards research. It
> has a very sound practical, commercial, and security basis.

I again note that Mr. Leiseboer is the CTO of a company that makes QKD
equipment.

If you dispute my position here, I'm happy to discuss it, but you're
going to have to explain why I'm wrong -- a detailed technical
explanation, not a set of assertions.

Perry
-- 
Perry E. Metzger		perry at piermont.com
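The relay argument above (a pair of attacker boxes, one facing each endpoint) and the conventional fix it calls for, as an added model that is not part of this thread or of any QKD product. It assumes an idealised BB84-style link with no channel noise, the names Alice, Bob and Mallory, and HMAC-SHA256 under a pre-shared classical key as the conventional authentication of the sifting messages.

```python
"""Added model of the argument above: an unauthenticated QKD link cannot
tell a peer's box from an attacker's box; only a conventional MAC over the
classical channel (with a pre-shared key) makes the difference."""
import hashlib
import hmac
import random

def qkd_link(rng, n=512):
    """Idealised BB84 between two boxes: the sender prepares random bits in
    random bases (0 rectilinear, 1 diagonal); the receiver measures in random
    bases; sifting keeps positions where the bases agree.
    Returns (sender_bases, sender_key, receiver_key, qber)."""
    bits = [rng.randrange(2) for _ in range(n)]
    s_bases = [rng.randrange(2) for _ in range(n)]
    r_bases = [rng.randrange(2) for _ in range(n)]
    # Matching basis yields the prepared bit; a mismatch yields a random outcome.
    outcomes = [b if sb == rb else rng.randrange(2)
                for b, sb, rb in zip(bits, s_bases, r_bases)]
    keep = [i for i in range(n) if s_bases[i] == r_bases[i]]
    s_key = bytes(bits[i] for i in keep)
    r_key = bytes(outcomes[i] for i in keep)
    qber = sum(a != b for a, b in zip(s_key, r_key)) / len(keep)
    return s_bases, s_key, r_key, qber

def relay_attack(seed):
    """Mallory inserts two QKD boxes: one plays Bob to Alice, the other plays
    Alice to Bob. Each link sifts cleanly (zero QBER), so the QKD layer raises
    no alarm, yet Alice and Bob each share a key with Mallory, not each other."""
    rng = random.Random(seed)          # seeded so the run is reproducible
    _, alice_key, mallory_a, qber_a = qkd_link(rng)
    _, mallory_b, bob_key, qber_b = qkd_link(rng)
    return {"qber_alice_link": qber_a, "qber_bob_link": qber_b,
            "alice_matches_mallory": alice_key == mallory_a,
            "bob_matches_mallory": mallory_b == bob_key,
            "alice_matches_bob": alice_key == bob_key}

def authenticated_sift(seed, sender_psk, receiver_psk):
    """The conventional fix: the basis announcement used for sifting carries an
    HMAC under a pre-shared classical key. A box without that key (Mallory's)
    cannot produce a valid tag, so the receiver refuses to sift with it and
    derives no key. Returns the sifted key, or None when the peer is rejected."""
    rng = random.Random(seed)
    s_bases, s_key, r_key, _ = qkd_link(rng)
    msg = bytes(s_bases)
    tag = hmac.new(sender_psk, msg, hashlib.sha256).digest()
    expected = hmac.new(receiver_psk, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return s_key if s_key == r_key else None
```

The relay reports a zero error rate on both links, which is exactly why the QKD layer alone cannot detect it; the rejection only happens in the classical, pre-shared-key step.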

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
