[Cryptography] QM giveth, QM taketh away

Patrick Chkoreff pc at fexl.com
Sat Feb 13 10:47:59 EST 2021


Jerry Leichter wrote on 2/12/21 9:39 PM:

> Quantum key distribution (theoretically) provides a way for Alice and Bob to share a random bitstream with strong randomness and privacy guarantees.  It doesn't give a way to transmit a message as such - but once they have that shared bitstream, they can use it as a one-time pad.

Thanks Jerry, I read up on it further.  You're right, QKD does not give
a way to transmit a preordained message.  Instead, it is a two-way
handshake protocol in which both Alice and Bob deploy a randomized
process to arrive at a shared sequence of bits.

They do this using a pair of channels: one an optical channel carrying
polarized photons, and one a standard public digital channel carrying
bits.  Alice first shines a series of photons over to Bob, and then
Alice and Bob use the digital channel to establish which observations
Bob should keep and which he should discard.  Anyone eavesdropping on
the digital channel is unable to discern anything about the actual bits
Bob keeps.

> Note that the actual physical realization of QKD has proven to be much trickier than the neat theoretical examples.  Still, it seems to be getting there - if this is what you want.  Keep in mind that QKD (and encryption using XOR with a one-time pad) have theoretically perfect security properties, but provide no authentication (so as with raw DH, you can end up conducting a secure communication but with no way of knowing who you are actually communicating with).

Yes, and I would think that to solve that problem, you must deploy
asymmetric cryptography, where Alice and Bob know each other's public
key.  In that case I do not see the benefit of using a shared one-time
pad established by a quantum process, unless perhaps there is some way
to shoehorn authentication into an OTP protocol, and do that in a way
that does not rely on an asymmetric algorithm that is theoretically
vulnerable to some future compromise.

In short, is there an authentication method with the same theoretically
perfect security properties as OTP itself?  To my novice mind, that
strikes me as impossible in some fundamental way, perhaps similar to how
it's impossible securely to communicate a new OTP using an old OTP.


-- Patrick
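The sifting exchange described in the message above, as an added simulation that is not part of the original post or of any QKD product. It models a photon as a (basis, bit) pair and measurement in the wrong basis as a coin flip, which is a classical stand-in for the quantum behaviour; the public channel carries bases only, the sifted bits are then usable as a one-time pad, and an intercept-resend eavesdropper on the optical channel (an assumption added here, not something the post discusses) shows up as disagreement between Alice's and Bob's sifted bits. Function names and the 2000-photon sample size are illustrative choices.

```python
"""Toy model of BB84-style sifting: photons as (basis, bit) pairs.

Measuring in the preparation basis recovers the bit exactly; measuring in
the other basis gives a uniformly random outcome and destroys the original
value.  That is the whole reason the sifting step over the public channel
is needed, and why only bases (never bit values) are announced there.
"""
import random

RECTILINEAR, DIAGONAL = 0, 1


def measure(photon, basis, rng):
    """Measure a photon (prep_basis, bit) in `basis`."""
    prep_basis, bit = photon
    return bit if prep_basis == basis else rng.randrange(2)


def bb84(n_photons, seed=0, eavesdrop=False):
    """One sifting round.  Returns (alice_key, bob_key, public_transcript)."""
    rng = random.Random(seed)  # seeded so the run is reproducible

    # Alice's private random choices: a bit value and a basis per photon.
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.randrange(2) for _ in range(n_photons)]
    photons = list(zip(alice_bases, alice_bits))

    if eavesdrop:
        # Hypothetical intercept-resend attacker on the optical channel:
        # Eve measures each photon in a random basis and re-emits a photon
        # prepared in that basis carrying the result she saw.  Whenever her
        # basis differs from Alice's, the bit Bob receives is randomised.
        eve_bases = [rng.randrange(2) for _ in range(n_photons)]
        photons = [(b, measure(p, b, rng)) for p, b in zip(photons, eve_bases)]

    # Bob's private random choice of measurement basis, and his results.
    bob_bases = [rng.randrange(2) for _ in range(n_photons)]
    bob_results = [measure(p, b, rng) for p, b in zip(photons, bob_bases)]

    # Public digital channel: only the bases are disclosed.  An eavesdropper
    # here learns which positions are kept but nothing about their values.
    public_transcript = {"alice_bases": alice_bases, "bob_bases": bob_bases}
    keep = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]
    alice_key = [alice_bits[i] for i in keep]
    bob_key = [bob_results[i] for i in keep]
    return alice_key, bob_key, public_transcript


def error_rate(alice_key, bob_key):
    """Fraction of sifted positions where Alice and Bob disagree.

    In a real protocol they would publicly compare (and then discard) a
    random sample of sifted bits to estimate this; a rate well above the
    channel's noise floor means someone disturbed the optical channel.
    """
    mismatches = sum(a != b for a, b in zip(alice_key, bob_key))
    return mismatches / len(alice_key)


def otp_xor(bits, key):
    """One-time-pad a list of bits with a key of at least the same length."""
    if len(key) < len(bits):
        raise ValueError("key too short for one-time pad")
    return [m ^ k for m, k in zip(bits, key)]


if __name__ == "__main__":
    a, b, transcript = bb84(2000, seed=1)
    print("sifted bits:", len(a), "error rate:", error_rate(a, b))
    a2, b2, _ = bb84(2000, seed=1, eavesdrop=True)
    print("with intercept-resend, error rate:", error_rate(a2, b2))
    message = [1, 0, 1, 1, 0, 0, 1, 0]
    print("OTP round trip:", otp_xor(otp_xor(message, a), a) == message)
```

Without an eavesdropper the sifted keys agree exactly and roughly half the photons survive sifting; with intercept-resend about a quarter of the sifted bits disagree, which is what the sample comparison is there to catch. Note that nothing in this exchange tells Bob that the bases announced on the public channel came from Alice rather than from someone in the middle, which is the authentication gap the message goes on to discuss.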

