Quantum Key Distribution: the bad idea that won't die...

Perry E. Metzger perry at piermont.com
Thu Apr 22 11:26:52 EDT 2010

Steven Bellovin <smb at cs.columbia.edu> writes:
> While I'm quite skeptical that QKD will prove of practical use, I do
> think it's worth investigating.

I agree. What I don't understand is why people are trying to
*commercialize* it, or claiming that it is of practical use as it

> The physics are nice, and it provides an interesting and different way
> of thinking about cryptography.  I think that there's a non-trivial
> chance that it will some day give us some very different abilities,
> ones we haven't even thought of.

I don't disagree, and I think that this, too, is a good reason to study
it in an academic setting. What I don't get, as I said, is people going
off and spending large amounts of effort on things like getting the
systems to do video rate communications or trying to sell them.

> My analog is all of the strange and wondrous things our cryptographic
> protocols can do -- blind signatures, zero knowledge proofs, secure
> multiparty computation, and more -- things that weren't on the horizon
> just 35 years ago.  I'm reminded of a story about a comment Whit
> Diffie once heard from someone in the spook community about public key
> crypto.  "We had it first -- but we never knew what we had.  You guys
> have done much more with it than we ever did."  All they knew to do
> with public key was key distribution or key exchange; they didn't even
> invent digital signatures.  They had "non-secret encryption"; we had
> public key cryptography.
> Might the same be true for QKD?  I have no idea.  I do suggest that
> it's worth thinking in those terms, rather than how to use it to
> replace conventional key distribution.  Remember that RSA's essential
> property is not that you can use it to set up a session key; rather,
> it's that you can use it to send a session key to someone with whom
> you don't share a secret.

Fair point. There may be quite interesting tricks there, but I think it
would be better if people treated this as a very interesting research
space and not as an important security technology, which is how it gets
portrayed to the press.

As an academic research project, the intersection of quantum effects and
security remains a very interesting area to explore, and we may yet get
valuable security technologies out of it.

However, the current QKD concept is not of practical use, but it is
generally portrayed as being a really important breakthrough in the
press. (This also reflects a considerable popular misunderstanding of
where the problems in security are -- they're not in defending our
link layers against eavesdropping.)

> Beyond Perry's other points -- and QKD is inherently point-to-point;
> you need n^2 connections, since you can't terminate the link-layer
> crypto at a router without losing your security guarantees -- it's
> worth reminding people that the security guarantees apply to ideal
> quantum systems.  If your emitter isn't ideal -- and of course it
> isn't -- it can (will?) emit more photons; I can play my interception
> games with the ones your detector doesn't need.

Indeed, and from my readings of the literature there are other
attacks. I find it important, however, that even if the systems worked
perfectly and as advertised, there is little reason to want them.

Perry E. Metzger		perry at piermont.com

The Cryptography Mailing List