[Cryptography] QM giveth, QM taketh away

Jerry Leichter leichter at lrw.com
Wed Feb 17 06:34:32 EST 2021

> And how do the two parties verify that the shared public channel is
> not controlled by an attacker?
What does "control the shared public channel" include?  If you assume an attacker who can undetectably present any data to each participant independently of any other participant, it's not anything of interest is possible.  Even if the participants can reliably authenticate messages - the attacker can always scramble all their messages.  This is just not an interesting scenario.

> Even wikipedia agrees that classic crypto is required:
> The main drawback of Quantum Key Distribution is that it usually relies on having an authenticated classical channel of communications. In modern cryptography, having an authenticated classical channel means that one has either already exchanged a symmetric key of sufficient length or public keys of sufficient security level.
You're misunderstanding the article.

QKD does key distribution.  Period.  In this way, it's just like raw DH.  As all the previous discussion has pointed out, neither provides authentication.  If you want authentication, you need to provide another mechanism - and even in principle, it's not clear what that even means without some pre-shared information.  A simple (if rather limited) authentication mechanism is for Alice and Bob to each share knowledge of a pair of 128-bit random values.  Once QKD provides the random pad, each simply sends the other the encrypted value it has for the other's authentication value.  The digital equivalent of the spy trope in which Alice knocks on Bob's door and announces "the snows are early in London this year" and Bob responds "And Big Ben is covered in blue."  No crypto assumptions needed.
                                                        -- Jerry

More information about the cryptography mailing list