[14171] in cryptography@c2.net mail archive


Re: quantum hype

daemon@ATHENA.MIT.EDU (John S. Denker)
Sat Sep 13 19:29:14 2003

X-Original-To: cryptography@metzdowd.com
Date: Sat, 13 Sep 2003 19:02:09 -0400
From: "John S. Denker" <jsd@av8n.com>
To: David Wagner <daw@cs.berkeley.edu>,
	crypto list <cryptography@metzdowd.com>
In-Reply-To: <200309132143.h8DLhWA08667@mozart.cs.berkeley.edu>

On 09/13/2003 05:43 PM, David Wagner wrote:
 >
 > I believe the following is an accurate characterization:
 >  Quantum provides confidentiality (protection against eavesdropping),
 >  but only if you've already established authenticity (protection
 >  against man-in-the-middle attacks) some other way.

I wouldn't have put it quite that way.  Authenticity
doesn't need to come before confidentiality.

Let's consider various threats:
  1) passive eavesdropping.
  2) active eavesdropping including tampering.
  3) simple impersonation at the far end.
  4) MITM, which can be considered a form of
     active eavesdropping by means of a double
     impersonation.

Quantum key exchange provides end-to-end protection
against passive eavesdropping.  It plugs into the
block diagram in the same place as Diffie-Hellman
key exchange would plug in.  It's the same only a
little stronger (no assumptions about algorithmic
intractability).

That means you can establish a confidential but
anonymous tunnel, and then send authentication
messages through the tunnel.

As far as I know, there are no quantum algorithms
that prevent impersonation.  Perhaps I'll learn of
some tomorrow, but I would be truly surprised.

Quantum mechanics isn't going to tell you that
John Doe #137 is a good guy while John Doe #138
is a bad guy.

This is quite significant, because key exchange is
only one part of any practical system.  Quantum
mountebanks claim to have solved "the" key
distribution problem, but this is untrue.  They
have dealt with _exchange_ of session keys, but
they have not dealt with the _distribution_ of
authentication keys.

Distributing and securing any kind of keys under
(say) battlefield conditions is a nightmare.
Reducing the amount of keying material helps
only slightly, unless you can reduce it to zero,
which has not been achieved AFAIK.

Then you have to consider the cost of very special
endpoint equipment, the cost of a very special
communication channel, and the cost of using that
channel inefficiently.


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
