[145250] in cryptography@c2.net mail archive
Re: Quantum Key Distribution: the bad idea that won't die...
daemon@ATHENA.MIT.EDU (Steven Bellovin)
Thu Apr 22 10:57:52 2010
From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <87mxwwusj7.fsf@snark.cb.piermont.com>
Date: Thu, 22 Apr 2010 09:09:22 -0400
Cc: cryptography@metzdowd.com, michaelslists@gmail.com
To: "Perry E. Metzger" <perry@piermont.com>
While I'm quite skeptical that QKD will prove of practical use, I do =
think it's worth investigating. The physics are nice, and it provides =
an interesting and different way of thinking about cryptography. I =
think that there's a non-trivial chance that it will some day give us =
some very different abilities, ones we haven't even thought of. My =
analog is all of the strange and wondrous things our cryptographic =
protocols can do -- blind signatures, zero knowledge proofs, secure =
multiparty computation, and more -- things that weren't on the horizon =
just 35 years ago. I'm reminded of a story about a comment Whit Diffie =
once heard from someone in the spook community about public key crypto. =
"We had it first -- but we never knew what we had. You guys have done =
much more with it than we ever did." All they knew to do with public =
key was key distribution or key exchange; they didn't even invent =
digital signatures. They had "non-secret encryption"; we had public key =
cryptography.
Might the same be true for QKD? I have no idea. I do suggest that it's =
worth thinking in those terms, rather than how to use it to replace =
conventional key distribution. Remember that RSA's essential property =
is not that you can use it to set up a session key; rather, it's that =
you can use it to send a session key to someone with whom you don't =
share a secret. =20
Beyond Perry's other points -- and QKD is inherently point-to-point; you =
need n^2 connections, since you can't terminate the link-layer crypto at =
a router without losing your security guarantees -- it's worth reminding =
people that the security guarantees apply to ideal quantum systems. If =
your emitter isn't ideal -- and of course it isn't -- it can (will?) =
emit more photons; I can play my interception games with the ones your =
detector doesn't need.=
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
