[cryptography] Well, that's depressing. Now what?

Nico Williams nico at cryptonector.com
Sat Jan 28 20:39:25 EST 2012

On Sat, Jan 28, 2012 at 5:45 PM, Noon Silk <noonslists at gmail.com> wrote:
> On Sun, Jan 29, 2012 at 4:22 AM, Nico Williams <nico at cryptonector.com> wrote:
>> I don't see how I could have been much more specific given the two
>> things you quoted from me.
> As I said, you could point to specific products that you have issues
> with, not "QKD" at large (a collection of potential protocols and
> implementations).

Any key exchange solution based on quantum mechanics is pointless
unless: a) it's somehow better than ECDH, b) does not weaken the
security of the whole system, c) it doesn't cost much more than ECDH.

(a) is critical.  And it's not enough to say that QKD is inherently
unbreakable in a way that hasn't been proven about some classical key
exchange protocol, because if all QKD does is exchange keys then you
still have to authenticate the exchanged keys and then use them, all
in classical crypto, so any inherent strength of QKD does not accrue
to the system as a whole.

Even supposing there was a complete all-quantum authentication +
integrity- and confidentiality-protected data transfers solution,
you'd still be limited to hop-by-hop security, and this is quite
limiting.  End-to-end security is preferable whenever one can have it.
Even in multi-party protocols we generally do better than
link-by-link security.

Now suppose that P=NP (and that fast algorithms can be found for every
heretofore-thought-NP problem) and we suddenly really badly want
"quantum crypto", and suppose we did have quantum authenticated link
encryption...  but we'd still need the thing to be practical, which
among other things means small and cheap enough to put on all the
devices where we need security (and that's quite a few devices).
Quantum tech will not be a perfect solution if P=NP, and it will be
impractical and/or uneconomic for a long time.  This makes "just in
case [P=NP]" arguments for QKD rather weak, IMO.

(b) started out as the subject of this thread.

>> Let's turn it around: what QKD products do
>> you think are not snake oil today?  Please be specific (list products
>> currently on sale) and back up the assertion with a rationale,
>> remembering that this is in comparison to classical cryptography
>> technology.  Feel free to also point to literature about QKD
>> technologies perhaps not yet on the market but which might change
>> everything, and again, back up your assertions.
> Nice try, but I'm not the one making general claims about it. My
> original comment to you was, it's not sensible to say "QKD is snake
> oil", without direct reference to something. I didn't say I want to
> argue about which products are or aren't (frankly, I don't know
> anywhere near enough about them or their implementations to comment on
> that).

I leave things here.   I believe reasonable people can educate
themselves about this and decide for themselves.  I do believe there's
not yet any economic point to any QKD technology currently on the
market, and I've explained why.  I've referred you to the archives as
well; I encourage you to go look.
