[Cryptography] QM giveth, QM taketh away

Jerry Leichter leichter at lrw.com
Sat Feb 13 11:58:50 EST 2021


> If I remember correctly, and the quantum techniques haven't changed, QKD requires sending entangled states between the two parties and examining how they settle when the entanglement is broken. The last I looked this required a physical or line of sight link.
At this point, QKD has been demonstrated over many kilometers of fiber, and I believe between a satellite and an Earth station.

By its nature, it's "point to point."

> If all this is vaguely true, then protecting the link is a viable way of providing a reasonable level of authentication for the other end.
Sort of.  "Protecting the link" - interpreted properly - is also a viable way of providing a reasonable level of security!

> I vaguely remember hearing about a communication link in the Washington DC area that ran beside a freeway. To protect the link against various "tapping in" attacks ended with the link costing more per mile than the freeway beside it. Protecting a quantum link might take this level of effort.
QKD is (again, in principle; actual implementation is harder) secure against "taps" in the sense that if someone does listen in, the two parties can tell (with arbitrarily high probability).  This is one of the unusual properties that a quantum approach brings to the table:  A passive listener can be detected (or, more accurately, there can be no such thing as a passive listener:  No matter what the listener does, he *must* disturb things).  Classically, this can't be achieved.

The deeper question, of course, is just exactly what you need from authentication in a QKD framework.  Unauthenticated DH allows two parties who've never shared anything before to establish a secure connection over a public channel - but then it's impossible for either party to know who they are really talking to.  Of course, if the two ends don't actually know anything about each other to begin with, it's not clear what it would even *mean* for them to authenticate to each other.

QKD can do the same thing, but if you have some assurance about where the other end of the link is, you can be sure you're talking to someone ... at the other end of the link.  But then again if you do DH over a link with a similar level of assurance, you can make the same assertion.

What QKD gives you over DH and similar approaches is a different security assumption:  Security based on quantum mechanical principles vs. security based on the difficulty of discrete logs (or some other base mathematical problem).  Except that the stark black and white of the physical assurances gets grey when you look at real-world realizations, many of which have fallen to detailed analysis.  Given that making physical realizations secure has proved so hard, arguments along the lines of "well, we know that you can sneak bad parameters into, say, the generation of elliptic curves to provide trap doors, but you can't put a trap door into the physics" kind of miss the point:  You may not be able to put a trap door in the physics, but you could certainly slip one into a physical realization, at either the design or hardware level.

Certainly a cool set of physics problems, and it makes for a great selling point that attracts investment money - but at base whether it brings anything really new and worthwhile to the table ... one can certainly debate.
                                                        -- Jerry
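
The tap-detection property discussed in the message above, as an added example that is not part of the original post: a classical simulation of how a measure-and-resend listener shows up as errors in the sifted key. It assumes the BB84 prepare-and-measure protocol (the thread names no protocol), an ideal noiseless channel, and a listener who measures every qubit; the function names are illustrative.

```python
import random

def bb84_qber(n_qubits, eavesdrop, rng):
    """Simulate BB84 on an ideal channel; return the sifted-key error rate."""
    errors = sifted = 0
    for _ in range(n_qubits):
        # Sender picks a random bit and a random basis (0 or 1).
        bit, a_basis = rng.randint(0, 1), rng.randint(0, 1)
        state_bit, state_basis = bit, a_basis
        if eavesdrop:
            # Listener must pick a basis to measure in. A wrong guess gives
            # a random outcome, and the qubit is re-sent in the guessed basis.
            e_basis = rng.randint(0, 1)
            e_bit = state_bit if e_basis == state_basis else rng.randint(0, 1)
            state_bit, state_basis = e_bit, e_basis
        # Receiver measures in a random basis; mismatch gives a random bit.
        b_basis = rng.randint(0, 1)
        b_bit = state_bit if b_basis == state_basis else rng.randint(0, 1)
        # Sifting: keep only positions where sender and receiver bases agree.
        if b_basis == a_basis:
            sifted += 1
            errors += (b_bit != bit)
    return errors / sifted if sifted else 0.0

def detection_probability(k):
    """Chance that publicly comparing k sifted bits reveals at least one
    error, given the 25% per-bit error rate this listener induces."""
    return 1 - 0.75 ** k

if __name__ == "__main__":
    rng = random.Random(2021)  # fixed seed so the run is repeatable
    print("QBER, no listener:  ", bb84_qber(20000, False, rng))
    print("QBER, with listener:", bb84_qber(20000, True, rng))
    for k in (8, 32, 64):
        print(f"compare {k:2d} bits -> detect with p = {detection_probability(k):.8f}")
```

On an ideal channel the error rate is exactly zero without a listener and about 25% with one, and the detection probability approaches 1 as more sifted bits are compared. Real links have baseline noise, so deployed systems compare the measured rate against a threshold rather than against zero.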


