Thread: Quantum Cryptography

| Quantum Cryptography | United States | 2007-06-19 23:10:12 |

Hi Folks,

On a legal mailing list I'm on there is a bunch of emails on the
perceived effects of quantum cryptography. Is there any authoritative
literature/links that can help clear the confusion?

Thanks in advance,
Aram Perez

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo metzdowd.com

| Re: Quantum Cryptography | 2007-06-21 12:20:35 |

On Tue, Jun 19, 2007 at 09:10:12PM -0700, Aram Perez wrote:

> On a legal mailing list I'm on there is a bunch of emails on the
> perceived effects of quantum cryptography. Is there any authoritative
> literature/links that can help clear the confusion?

Quantum Cryptography or Quantum Computing (i.e. cryptanalysis)?

- Quantum Cryptography is "fiction" (strictly claims that it solves
  an applied problem are fiction, indisputably interesting Physics).

- Quantum Computing is "science fiction". Some science fiction
  eventually becomes reality.

--
Victor Duchovni
IT Security, Morgan Stanley

| Re: Quantum Cryptography | 2007-06-21 12:59:14 |

> - Quantum Cryptography is "fiction" (strictly claims that it solves
>   an applied problem are fiction, indisputably interesting Physics).

Well that is a broad (and maybe unfair) statement.

Quantum Key Distribution (QKD) solves an applied problem of secure key
distribution. It may not be able to ensure "unconditional" secrecy
during key exchange, but it can detect any eavesdropping. Once
eavesdropping is detected, the key can be discarded.

saqib
http://security-basics.blogspot.com/

| Re: Quantum Cryptography | United States | 2007-06-21 13:10:33 |

Victor Duchovni wrote:

> Quantum Cryptography or Quantum Computing (i.e. cryptanalysis)?
>
> - Quantum Cryptography is "fiction" (strictly claims that it solves
>   an applied problem are fiction, indisputably interesting Physics).

I do not really agree on this statement. There are ongoing projects, that
I know of, that are actually working on maximizing communication throughput
(which is currently not very good) on encrypted channels and minimizing
costs of involved equipment. AFAIK, one great advantage of quantum crypto
is in the area of key-exchange when establishing a secure communication.

I guess quantum crypto is definitely not "fiction" (Anyhow I do not know if
it has already been used somewhere... ).

Later,

--
Best Regards,
Massimiliano Pala

--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]
pala cs.dartmouth.edu
project.manager openca.org
Dartmouth Computer Science Dept    Home Phone: +1 (603) 397-3883
PKI/Trust - Office 063             Work Phone: +1 (603) 646-9179
--o------------------------------------------------------------------------

| Re: Quantum Cryptography | Germany | 2007-06-21 13:48:35 |

On Thu, Jun 21, 2007 at 01:20:35PM -0400, Victor Duchovni wrote:

> Quantum Cryptography or Quantum Computing (i.e. cryptanalysis)?
>
> - Quantum Cryptography is "fiction" (strictly claims that it solves
>   an applied problem are fiction, indisputably interesting Physics).
>
> - Quantum Computing is "science fiction". Some science fiction
>   eventually becomes reality.

A nice blog to follow here is Shtetl-Optimized:

http://www.scottaaronson.com/blog/

--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

| Re: Quantum Cryptography | United States | 2007-06-25 19:23:14 |

Victor Duchovni <Victor.Duchovni MorganStanley.com> writes:

> Secure in what sense? Did I miss reading about the part of QKD that
> addresses MITM (just as plausible IMHO with fixed circuits as passive
> eavesdropping)?

It would be good to read the QKD literature before claiming that QKD is
always unauthenticated.

The generally accepted approach among the physics crowd is to use
authentication with a secret key and a universal family of hash
functions.

> Once QKD is augmented with authentication to address MITM, the "Q"
> seems entirely irrelevant.

It's not if you care about perfect forward secrecy and believe that DH
might be broken, and can't cope with or don't trust a Kerberos-like
scheme. You can authenticate QKD with a symmetric mechanism, and get
PFS against an attacker who records all the traffic and breaks DH later.

See

  http://portal.acm.org/citation.cfm?id=863982&dl=GUIDE&dl=ACM

for a citation and

  http://www.ir.bbn.com/documents/articles/gdt-sigcomm03.pdf

for text, for a discussion of a system that uses regular IKE and AH to
authenticate the "control channel" and uses the resulting bits to key
ESP with AES or a one-time pad to get PFS against a DH-capable attacker.
This all ran on NetBSD over 3 sites in the Boston area for several
years.

There are two very hard questions for QKD systems:

1) Do you believe the physics? (Most people who know physics seem to.)

2) Does the equipment in your lab correspond to the idealized models
   with which the proofs for (1) were done. (Not even close.)

Because of (2) I wouldn't have confidence in any current QKD system.
The one I worked on was for research, to address some of the basic
systems issues, because the physics community concentrates on the
physics parts.

I am most curious as to the legal issue that came up regarding QKD.
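
The authentication approach the message above refers to (a pre-shared secret key plus a universal family of hash functions, with a fresh one-time pad per message) can be sketched as follows. This is an added example, not code from the thread or from the BBN system it cites; the prime field, block size, control-message format and all names are assumptions chosen for illustration.

```python
import hmac
import secrets

P = (1 << 127) - 1   # prime field for the hash (assumed parameter)
BLOCK = 15           # bytes per block, so every block value is < P

def poly_hash(r, msg):
    """Universal hash: evaluate the message polynomial at the secret point r."""
    data = len(msg).to_bytes(8, "big") + msg   # length prefix removes padding ambiguity
    acc = 0
    for i in range(0, len(data), BLOCK):
        acc = (acc + int.from_bytes(data[i:i + BLOCK], "big")) * r % P
    return acc

class AuthKey:
    """Pre-shared secret: a reusable hash key r and a pool of one-time pads."""
    def __init__(self, r, pads):
        self.r, self.pads, self.used = r, list(pads), set()

def make_tag(key, idx, msg):
    """Sender: tag = hash(msg) + pad[idx] mod P; each pad index is spent once."""
    if idx in key.used:
        raise ValueError("pad already spent")
    key.used.add(idx)
    return (poly_hash(key.r, msg) + key.pads[idx]) % P

def verify(key, idx, msg, tag):
    """Receiver: accept only a correct tag under a pad not accepted before."""
    if idx in key.used or not 0 <= idx < len(key.pads) or not 0 <= tag < P:
        return False
    want = (poly_hash(key.r, msg) + key.pads[idx]) % P
    if not hmac.compare_digest(want.to_bytes(16, "big"), tag.to_bytes(16, "big")):
        return False
    key.used.add(idx)   # burn the pad so the same tag cannot be replayed
    return True

def demo():
    r = secrets.randbelow(P)
    pads = [secrets.randbelow(P) for _ in range(4)]  # assumed to be refilled from QKD output
    alice, bob = AuthKey(r, pads), AuthKey(r, pads)
    msg = b"frame=17 bases=+x+xx+x+"                 # constructed control-channel message
    tag = make_tag(alice, 0, msg)
    return (verify(bob, 0, b"frame=17 bases=xx+xx+x+", tag),  # altered in transit
            verify(bob, 0, msg, tag),                         # genuine
            verify(bob, 0, msg, tag))                         # replayed

if __name__ == "__main__":
    print(demo())
```

The security of the tag rests only on the secrecy of r and the pads, not on any computational assumption, which is why the scheme pairs with a key source that keeps producing fresh secret bits.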

| Re: Quantum Cryptography | 2007-06-26 12:10:03 |

On Fri, Jun 22, 2007 at 08:21:25PM -0400, Leichter, Jerry wrote:

> BTW, on the quantum subway tokens business: In more modern terms,
> what this was providing was unlinkable, untraceable e-coins which
> could be spent exactly once, with *no* central database to check
> against and none of this "well, we can't stop you from spending it
> more than once, but if we ever notice, we'll learn all kinds of
> nasty things about you". (The coins were unlinkable and untraceable
> because, in fact, they were *identical*.) Now, of course, they
> were also physical objects, not just collections of bits. The same
> is true of the photons used in quantum key exchange. Otherwise,
> it wouldn't work. We're inherently dealing with a different model
> here. Where it ends up is anyone's guess at this point.

This relates back to the inutility of QKD as follows: when physical
exchanges are required you cannot run such exchanges end-to-end over an
Internet -- the middle boxes (routers, etc...) get in the way of the
physical exchange.

This too is a *fundamental* difference between QKD and classical
cryptography.

That difference makes QKD useless in *today's* Internet.

IF we had a quantum authentication facility then we could build
hop-by-hop authentication to build an Internet out of QKD and QA
(quantum authentication). That's a *big* condition, and the change in
security models is tremendous, and for the worse: since the trust chains
get enormously enlarged.

IMO, QKD's ability to discover passive eavesdroppers is not even
interesting (except from an intellectual p.o.v.) given: its inability to
detect MITMs, its inability to operate end-to-end across middle
boxes, while classical crypto provides protection against eavesdroppers
*and* MITMs both *and* supports end-to-end operation across middle
boxes.

Nico
--

| Re: Quantum Cryptography | 2007-06-26 12:11:40 |

On Mon, Jun 25, 2007 at 08:23:14PM -0400, Greg Troxel wrote:

> 1) Do you believe the physics? (Most people who know physics seem to.)

Yes.

> 2) Does the equipment in your lab correspond to the idealized models
>    with which the proofs for (1) were done. (Not even close.)

Does QKD address a real-world risk at a reasonable cost without unreasonable
application constraints?

If I am very concerned about PFS for secrets that must stay secure for
decades and 521-bit ECDH is broken, yes I lose PFS. So there may be a
market for fixed direct circuits used by a small number of agencies, but
if I were a budget director I would spend the money elsewhere...

> I am most curious as to the legal issue that came up regarding QKD.

Indeed, what was the legal question that got us here?

--
Victor Duchovni
IT Security, Morgan Stanley

| Re: Quantum Cryptography | 2007-06-26 13:18:28 |

On Mon, Jun 25, 2007 at 08:23:14PM -0400, Greg Troxel wrote:

> Victor Duchovni <Victor.Duchovni MorganStanley.com> writes:
> > Secure in what sense? Did I miss reading about the part of QKD that
> > addresses MITM (just as plausible IMHO with fixed circuits as passive
> > eavesdropping)?
>
> It would be good to read the QKD literature before claiming that QKD is
> always unauthenticated.

No one claimed that it isn't -- the claim is that there is no quantum
authentication, so QKD has to be paired with classical crypto in order
to defeat MITMs, which renders it worthless (because if you'll rely on
classical crypto then you might as well only use classical crypto as QKD
doesn't add any security that classical crypto, which you still have to
use, doesn't already).

The real killer for QKD is that it doesn't work end-to-end across middle
boxes like routers. And as if that weren't enough there's the
exorbitant cost of QKD kit.

> The generally accepted approach among the physics crowd is to use
> authentication with a secret key and a universal family of hash
> functions.

Everyone who's commented has agreed that authentication is to be done
classically as there is no quantum authentication yet.

But I can imagine how quantum authentication might be done: generate an
entangled pair at one end of the connection, physically carry half of it
to the other end, and then run a QKD exchange that depends on the two
ends having half of the same entangled particle or photon pair. I'm no
quantum physicist, so I can't tell how workable that would be
physics-wise, but such a scheme would be analogous to pre-sharing
symmetric keys in classical crypto. Of course, you'd have to do this
physical pre-sharing step every time you restart the connection after
having run out of pre-shared entangled pair halves; ouch.

> > Once QKD is augmented with authentication to address MITM, the "Q"
> > seems entirely irrelevant.
>
> It's not if you care about perfect forward secrecy and believe that DH
> might be broken, and can't cope with or don't trust a Kerberos-like
> scheme. You can authenticate QKD with a symmetric mechanism, and get
> PFS against an attacker who records all the traffic and breaks DH later.

The end-to-end across middle boxes issue kills this argument about
protection against speculative brokenness of public key cryptography.
All but the smallest networks depend on middle boxes.

Quantum cryptography will be useful when:

- it can be deployed in an end-to-end fashion across middle boxes

OR

- we adopt hop-by-hop methods of building end-to-end authentication

And, of course, quantum kit has got to be affordable, but let's assume
that economies of scale will be achieved once quantum crypto becomes
useful.

Critical breaks of public key crypto will NOT be sufficient to drive
adoption of quantum crypto: we can still build networks out of symmetric
key crypto (and hash/MAC functions) only if need be (with pre-shared
keying, Kerberos, and generally Needham-Schroeder).

> There are two very hard questions for QKD systems:
>
> 1) Do you believe the physics? (Most people who know physics seem to.)
>
> 2) Does the equipment in your lab correspond to the idealized models
>    with which the proofs for (1) were done. (Not even close.)

But the only real practical issue, for Internet-scale deployment, is the
end-to-end issue. Even for intranet-scale deployments, actually.

> I am most curious as to the legal issue that came up regarding QKD.

Which legal issue?

Nico
--

| Re: Quantum Cryptography | United States | 2007-06-26 16:03:29 |

On Jun 26, 2007, at 10:10 AM, Nicolas Williams wrote:

> This too is a *fundamental* difference between QKD and classical
> cryptography.

What does this "classical" word mean? Is it the Quantum way to say
"real"? I know we're in violent agreement, but why are we letting
them play language games?

> IMO, QKD's ability to discover passive eavesdroppers is not even
> interesting (except from an intellectual p.o.v.) given: its
> inability to detect MITMs, its inability to operate end-to-end
> across middle boxes, while classical crypto provides protection
> against eavesdroppers *and* MITMs both *and* supports end-to-end
> operation across middle boxes.

Moreover, the quantum way of discovering passive eavesdroppers is
really just a really delicious sugar coating on the classical term
"denial of service." I'm not being DoSed, I'm detecting a passive
eavesdropper!

Jon