[cryptography] Well, that's depressing. Now what?

ianG iang at iang.org
Sat Jan 28 21:03:57 EST 2012

On 29/01/12 11:50 AM, Noon Silk wrote:
> On Sun, Jan 29, 2012 at 11:31 AM, ianG <iang at iang.org> wrote:
>> On 29/01/12 10:45 AM, Noon Silk wrote:
>>>   ... it's not sensible to say "QKD is snake
>>> oil", without direct reference to something.
>> Well, if you don't like the conclusion, there are books written on how to
>> attack it :) that doesn't mean much tho.
>> QKD is snake oil because it achieves a benefit over other techniques that is
>> marginal, unreliable, unproven, and costs a hell of a lot of money.
>> The notion that you can spot someone fiddling with your packets is marketing
>> blather, in the scheme of things.  In the real world, this will generally be
>> interpreted as faulty equipment (insert some bayesian statistics here) so
>> you can't rely on it being a feature that delivers value.  If you want more,
>> think about an aggressive attacker ... all he's got to do is put a wiretap
>> on the fibre, futze with the packets enough until you get sick of it, and
>> then you'll change it all because you can't deal with it.
>> And, as the existing product out there provides pretty solid key exchange
>> for zero cost, relatively speaking, what's the point in paying megabucks for
>> it?  QKD has to do something pretty remarkable to make it worth all those
>> dollars, and what it does isn't nearly interesting enough.
>> It's straightforward economics, really.
> With respect, you are (as I've seen happen on this list many many
> times) responding to straw man arguments you're inventing. My comment
> to Nico was:
>> I think it's important to note that it's obviously completely wrong to
>> say "QKD is snake-oil", what you *can* say is that someone *selling*
>> *any* demonstrably-insecure crypto device as a secure one, is snake
>> oil. So, that is to say, you can only claim snake-oil in reference to
>> a vendor and a device, not a field of research.
> Obviously, only a product can cost a business money; research
> performed at universities doesn't (directly) cost money. So that is to
> say, the claim that QKD as a field is snake oil is just nonsense. If
> you want to say "Stop funding QKD research because I personally feel
> that it's useless", then do it; maybe people will be interested
> (probably not, unless you are specific in your problems, with
> reference to exact protocols). If you want to say "QKD is snake oil
> because XYZ product has ABC flaws" then do it; but I can't see how
> general comments about "QKD" are helpful, because they are useless
> without referring to something specific.

It seems to me that you are resting on a sort of philosophical 
assumption that pure research is pure, neither good nor bad.  If that is 
the case, the problem with this assumption is that QKD is not pure, it's 
applied.  We know precisely where we (as society) are going to apply the 
results to, it's in the title:  Key Distribution.

In this context, applied research is simply another product, or more 
properly, it's another component in the product-life-cycle.

Sure, pure research isn't a product in the markets sense because we 
don't know what we get out of it.  So good, bad, snake oil labels don't 
apply.  We could say that astronomy can't be snake oil because we might 
get some new wisdom out of listening to quasars that one day could turn 
into applications.

But QKD is very very applied.

And, your claim that research at Universities doesn't cost money is 
specious and naive.  If you look at the way grants are funded, 
channeled, marketed, politicised and manipulated, you'll find out that 
it's a market / business process, just like anything else.  Grants are 
typically full of snake-oil claims.

> I mean, look at this argument we've gotten ourselves into ... it's
> also completely useless. If you don't want to buy a QKD product, then
> fine; so be it, I'm not trying to convince you otherwise (and I
> certainly don't work for anyone who sells them; I'm just a student).

It's not useless.  9 out of 10 people with a long term background in 
security advise not to invest a dime in QKD.  If they're right, that 
means the money is saved for something worthwhile.

> All I'm saying is QKD is an interesting field of research, and it
> seems a little bizarre to claim "snake oil!" while it's still being
> developed.

Sure.  But not wrong.  Big difference between applied and pure research.
Think of it this way:  a company shouldn't in general do pure
research, because it cannot show the benefit to shareholders, therefore 
it is not meeting its mandate.  It can do applied research, and does, 
because the line is very clear in claims from expenditure to future 

Then, from that point, it is easy to see that applied research is just 
another product-life-cycle issue.  So yes, it can be labelled with 
'snake-oil' or other like opinions, because we know where that product 
is heading.

Of course we could be wrong in the call.  But we're not wrong to make 
the call.


