Quantum Cryptography, It’s Some Kind of MagiQ
December 13th, 2006
On Wall Street he had a successful investment career. As an angel investor he gained experience in evaluating and investing in startups, one of them being Amazon.com. But Bob Gelfond has always been passionate about science and technology. He was also fascinated by the possibilities of quantum computing, so he started to research which companies he could invest in. He soon found out that there wasn't really any startup around that he could invest in. Yet his keen business sense told him that this was a tremendous opportunity, so he gave it a shot and decided to start his own company, MagiQ Technologies, a company focused on quantum information systems. He started by building an expert team around quantum computing; that was back in 1999.
I had a chance to talk to Bob and get his take on what we can expect in the future.
At what point did you realize that there might be enough demand or a big enough market to start a company?
It seemed that a lot of it was already proven in the lab, for example IBM did a lot of research. However, nobody wanted to go forward with anything. The whole thing looked like a good opportunity to transition a product from the lab over to early adopters. At the same time we wanted to be able to capture as much intellectual property as possible. While we are now selling to established customers we continue to work with early adopters, eventually we might move into licensing our technology as well. Right now, cryptography is just the start, in the future we want to be known as the quantum information company that is a leader in quantum cryptography, quantum computing and everything in between.

CEO, Bob Gelfond
Who are your customers and are there any export restrictions?
Our export license enables us to have worldwide deployments, we can sell to almost any country. We sell to government customers and their integrators, but we also do business with service providers.
How difficult is it to get a link secured, assuming the fiber infrastructure is in place, what kind of knowledge and training is required?
Our QPN 7505 turns up much like other network equipment. Typical installation is under fifteen minutes. It’ll integrate right with your existing environment. The system is then self calibrating from start up. Training is not necessary although we provide two and three day customer training courses. No advanced knowledge in physics or optics is required.
The current maximum point-to-point distance is 120 km. What do you think will be the next milestone as far as distance is concerned? What will it take, and how long, to get there?
Right now, cascading is the product strategy we are pursuing. There's no limit to cascading; as long as you can place boxes every 120 km you could go anywhere. It's more of a financial constraint than a technological one.
Other developments also include better photon sources as well as free space deployment.
Are there any efforts around getting satellites involved?
The technology has already been tested on free space transmission. It’s probably 2-3 years away, cost is a big factor since satellites are very expensive.
There have been some efforts around quantum cryptography repeaters, what is your take on that?
We continue to work with scientists around the world on that, it seems that it will happen. It’ll eventually replace the need for cascading which enables much larger deployments.
Being an OS guy I have to ask, what OS is running on the appliance?
Embedded Linux.
What’s the standard price for the appliance and what is included?
For a point-to-point encryption you need a system that consists of 2 appliances - sender and receiver. The cost is around $100k, plus support depending on your needs.

MagiQ QPN 7505
When do you think we’ll see service providers offer quantum cryptography services to their end-customers?
This will happen within one year and we'll see fairly wide adoption within the next three years. We are working with big carriers such as Verizon and AT&T as well as some companies that own fiber networks. The goal is to embed quantum cryptography into the technology infrastructure so it becomes totally transparent to the end-user. For example, if you are already leasing a fiber line, you can then add an extra level of security by activating the quantum service. The whole thing won't be disruptive to your infrastructure and it can sit on top of whatever you are using now. Since it won't interfere with your existing technology you can have a fallback mechanism to switch back to whatever you have today.
Apart from the usual high assurance customers, do you see any other industries that can benefit from (and justify) a quantum cryptography solution?
I think so, anyone who has to store and secure records for a number of years will benefit from it. One strategy eavesdroppers can deploy is to capture everything they can get their hands on. Even if they can’t decrypt it today, they might be able to do that in a few years down the road. So the only way to defend against that is to use quantum cryptography. You have to make sure it’s not just secure today but also going forward. Take healthcare for example, they have an obligation to protect my healthcare data forever. The real threat is that while theoretically current systems might be impossible to crack, the reality is that keys are not flipped frequently enough or might not be stored securely. All that can be used by an attacker to start a brute force attack. So if you have enough repeats it might just take them a couple of days to break them. And many companies do not flip their keys very frequently since it’s a time-consuming task. In contrast if you deploy our system – keys get flipped every few seconds – automatically.
“The Human Element”
Most other cryptography systems require human interaction which makes it cumbersome, in our case you can take out the human element. That in itself will make the system more secure, we think if we can make the system easy to use, easy to install and make it part of the network we’ll see a very quick adoption. We believe that this will be the gold standard, even for companies who don’t want to do it. It’ll become best practices just for liability reasons, because that’s the best way to do it.
What are your plans for the future?
There's a good chance that we'll see widespread adoption, new services being offered and other products coming out of the pipeline. For example we are working with NASA on a High-Efficiency Entangled Photon Source. And a while ago we announced a joint venture with the University of Melbourne to focus on Single Photon Sources (single particles of light). We'll see devices like quantum repeaters and also things that have a broader approach, not just for security. It'll also impact other areas such as biotech or biodesign. All of that makes it even more exciting.
Want to learn more about quantum cryptography? See the Wikipedia article on the subject.
Update: Article on Slashdot http://it.slashdot.org/article.pl?sid=06/12/13/1458238
34 Comments

Let me note that cryptography professionals generally think the whole Quantum Cryptography thing is only a few notches above snake oil.
For practically zero dollars, you can get software that will give you end to end encryption across the public internet that has authentication guarantees of a sort that Quantum Cryptography is incapable of providing. Oh, and the QC device will run much slower than systems based on openly available conventional cryptographic algorithms.
The QC crowd is willing to give us equipment that, for $100,000 plus the cost of an end to end fiber line between my locations (Quantum Crypto fails if there is any equipment in between), will provide security that isn't as good as what I can get for free.
I know of no computer security professional who takes Quantum Cryptography seriously. I would know, too -- I run a mailing list for cryptographers and computer security people. Almost every serious person in the field makes fun of Quantum Cryptography.
For those who think I'm shilling some product, I have no skin in the game -- I'm a lover of neat new gadgets, and I find the physics behind these devices really cool, and the alternatives I advocate are free and do not further my financial interests. I would love for QC to be useful, but it just isn't -- it is a neat solution looking for a problem, and solves no real customer's needs.
I'm happy to provide a detailed explanation of why Quantum Cryptography is essentially useless on request.
Hi, Perry. Please share your thoughts on QC and its value in the real world. Also, please comment on the sort of "...end to end encryption across the public internet that has authentication guarantees of a sort that Quantum Cryptography is incapable of providing."
Thanks!
Eric
I want to comment on the following sentences in the interview: "We'll see devices like quantum repeaters and also things that have a broader approach, not just for security. It'll also impact other areas such as biotech or biodesign." It is obvious that investors like Bob Gelfond are carefully following the "buzz words" and they are following where the governments are putting research efforts and money. In the last 10 years we have seen a boom of research in Biotechnology, so now the Quantum guys are coming and saying: We will offer "Quantum Biotechnology". I am very curious how the biotechnology scientific community will react to the new "quantum biotechnology".
Perry,
Having just read Simon Singh's _The Code Book_ I find QC to be a pretty interesting idea that solves a problem that's been identified, and even mentioned in the above interview: it is impervious to eavesdropping. How can preventing an attacker from storing the encrypted conversation in order to attack it offline at leisure not be an important step forward?
Thanks.
Wes C: actually, QC doesn't fix that on its own. It can only guarantee that there is no eavesdropper if it uses conventional cryptography as a backstop, at which point you might as well use conventional crypto. I will explain this.
So, let's say you have two QC based black boxes at either side of your very expensive leased fiber link. You know that no one can listen in, right? Wrong.
You can't guard a hundred km length of fiber, and indeed the whole reason you are trying to protect the link in the first place is because of that. So, all you need to do in order to eavesdrop is to switch from passive eavesdropping to an active attack. If you just try to passively listen in to the communications, you'll fail -- the QC boxes will detect you. However, you don't need to be passive. If you cut the cable in the middle and put two identical QC based boxes on either side of the cut, and relay the cleartext between your two boxes, you can speak the Quantum Crypto protocol to both ends, which will be blissfully unaware of the fact that you are there eavesdropping in the middle. (This is called a "Man in the Middle" attack.) It is slightly harder to pull this off if the key stream and encrypted data are sent along radically different paths, but not especially harder.
Now, how can you stop this? Not easily. The evil eavesdropper simply repeats everything both sides say. The Quantum Cryptographic protocol itself doesn't really have a way of knowing if you're getting entangled photons from the person you really want to talk to or from some bad guy pretending to be them instead -- there isn't any way to "key" the protocol itself.
You can find a man-in-the-middle eavesdropper physically by using something like an optical time delay reflectometer to detect that there is a break in the fiber, but there are ways to spoof the return signal from the OTDR so that won't work. More effective is to add conventional cryptographic protection to the key stream, but of course, at that point, why are you using QC?
Even worse than mere eavesdropping, of course, is the fact that you can modify the data in transit when you perform a man-in-the-middle active attack.
Now, another fun twist here is the fact that you don't need to intercept the key stream in order to alter the contents of QC protected communications. How can that be? QC is effectively generating an XOR keystream and using it to transmit data. Stream ciphers that do this are subject to the unfortunate property that you can deterministically modify the contents of the encrypted data stream even if you cannot read it -- a rather bad property in a security system. To get around this, you need to use a message authentication code (or MAC) on the data stream -- again, if you're going to do that, and depend on the security of a conventional crypto algorithm, why use QC?
I'll be blunt here. Right now, the NSA has approved the use of AES, which anyone can use for free (the algorithm is public and unpatented), for use in transmission of classified traffic.
I'll repeat that -- the most paranoid part of the US government is willing to trust people's lives to AES. Do you have a good reason not to trust AES?
Bob Gelfond speaks of doing a "brute force attack" on algorithms like AES. He's nuts. A brute force attack means trying every possible key in sequence. AES has 256 bit keys. That means that there are 2 to the 256 power possible keys. For those that don't have a sense of how large that number is, it is:
115792089237316195423570985008687907853269984665640564039457584007913129639936
That's more keys than there are subatomic particles in the visible universe (a number estimated to be less than 10^80).
Let's say you built a machine that could try a key every nanosecond. That's a lot faster than anyone can manage, but let's suppose. How many years would a brute force attack then take? Why, the number is:
3671743063080802746815416825491118336290905145409708398004109 years.
By comparison, the universe has only been around for about 13000000000 years so far.
Yes, there may (in theory) be flaws in AES that will allow you to break AES keys faster than brute force, but Bob Gelfond said you should worry about brute force attacks. Well, you don't have to worry about Bob Gelfond's stupid musings about how his competitors are subject to "brute force attacks" -- AES can't be broken by brute force. Besides, as I noted, you will end up relying on AES to backstop the QC in any real QC deployment anyway, because otherwise you're subject to man-in-the-middle issues.
Gelfond also is rather cavalier with his customers' security in discussing the problem of distance limitations in QC. He blithely says "oh, people who need more than 120km distance for communications can chain the boxes". What that really means is that you've eliminated the end to end security of the system yourself -- you've man-in-the-middle'd your own setup. He speaks of your telecom carrier running your QC boxes for you, but that's sort of like having your telecom carrier sleep with your spouse for you -- if they're running the box and it isn't in your hands you've eliminated the thing you were trying to protect in the first place.
As I've said, there are high quality encryption algorithms, message authentication algorithms, cryptographic protocols, etc., that the people who actually know something about security have built over the years. They're not just good, but they're available for free. The best stuff in the business is non-proprietary. You can download a copy of OpenSSL and use it to your heart's content without paying a penny to anyone ever.
Let's discuss economics for a moment. In the large enterprise, there isn't one link you need secured, you need the links between tens of thousands of machines secured. You can't afford to pay $100,000 plus the cost of a dedicated fiber run for each of the thousands squared combinations of bilateral communications that are possible on that network. Hell, if you're sane, you probably aren't willing to pay it for even one link, not to mention the fact that you need end to end dedicated fiber for each link you set up.
Anyway, as I said, if anyone wants to talk to real security professionals instead of snake oil salesmen, there are plenty of people out there who will happily discuss this. As I also said, it is hard to find a reputable person in cryptographic security who takes the whole quantum cryptography thing seriously.
(By the way, there is stuff we do take seriously in the quantum world -- there are algorithms for so-called quantum computers that would be very useful in cracking codes, such as Shor's algorithm, but no one has yet shown that you can build a quantum computer of a large enough size to implement Shor's algorithm to attack real world problems. This is a sense of "quantum cryptography" that is rather different from the stuff that Bob Gelfond is peddling, so please do not confuse the two.)
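The malleability point raised above (an XOR keystream lets an active attacker change ciphertext deterministically without reading it, and only a MAC stops that), shown as an added example that is not code from the interview, the commenter, or MagiQ. The keystream is a random byte string standing in for whatever key material a QKD link delivers; the amount field offset and the HMAC-SHA256 encrypt-then-MAC choice are this example's assumptions.

```python
"""XOR keystream malleability and why the ciphertext must be authenticated.

Added example. The construction on the wire is a one-time XOR of the
plaintext with fresh keystream; where the keystream came from (QKD or
otherwise) does not change the property demonstrated here.
"""
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_xor(keystream: bytes, plaintext: bytes) -> bytes:
    """One-time XOR with fresh keystream. Confidentiality only: no integrity."""
    if len(keystream) < len(plaintext):
        raise ValueError("keystream too short; never reuse keystream bytes")
    return xor_bytes(keystream, plaintext)


def decrypt_xor(keystream: bytes, ciphertext: bytes) -> bytes:
    return xor_bytes(keystream, ciphertext)


def modify_in_transit(ciphertext: bytes, offset: int, expected: bytes, wanted: bytes) -> bytes:
    """The deterministic modification the comment describes: XOR the difference
    between the plaintext an attacker expects at `offset` and the plaintext they
    want into the ciphertext. No keystream knowledge is needed, which is exactly
    why an unauthenticated XOR stream gives no integrity."""
    patched = bytearray(ciphertext)
    for i, d in enumerate(xor_bytes(expected, wanted)):
        patched[offset + i] ^= d
    return bytes(patched)


def encrypt_authenticated(keystream: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Hardened form: encrypt-then-MAC. The tag covers the ciphertext, so any
    bit flipped in transit is detected before the plaintext is released."""
    ct = encrypt_xor(keystream, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def decrypt_authenticated(keystream: bytes, mac_key: bytes, blob: bytes):
    """Returns the plaintext, or None if the tag does not verify."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # reject silently; never act on unverified data
    return decrypt_xor(keystream, ct)


def demo() -> dict:
    """Constructed message: the attacker is assumed to know the field layout
    (a realistic assumption for any fixed-format protocol), not the keystream."""
    keystream = secrets.token_bytes(64)  # stands in for QKD-delivered key
    mac_key = secrets.token_bytes(32)    # stands in for a short pre-shared MAC key
    message = b"TRANSFER 0000100 USD TO ACCT 42"
    amount_offset = len(b"TRANSFER ")

    # Unauthenticated stream: the receiver decrypts the modified amount as valid.
    ct = encrypt_xor(keystream, message)
    forged_ct = modify_in_transit(ct, amount_offset, b"0000100", b"9999999")

    # Authenticated stream: the same modification is rejected.
    blob = encrypt_authenticated(keystream, mac_key, message)
    forged_blob = modify_in_transit(blob, amount_offset, b"0000100", b"9999999")

    return {
        "unauthenticated_result": decrypt_xor(keystream, forged_ct),
        "authenticated_result": decrypt_authenticated(keystream, mac_key, forged_blob),
    }


if __name__ == "__main__":
    print(demo())
```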
Perry,
I am sorry to say that I am not convinced at all by your arguments. I am a PhD student working in a field contingent to QC. Next to my lab there is a QC lab. I have done advanced quantum physics studies.
I agree with you that QC is, currently, a useless toy. But you cannot perform a man in the middle attack on the fiber. You can perform one on the repeaters, if they are not quantum physics based (what's called quantum repeaters, all the research teams in the field are working on that). You cannot perform a MiM attack on quantum entangled photons. The quantum no-cloning theorem guarantees that by trying to clone the photons in order to read them and re-emit them you will break the quantum statistics and introduce errors that will be found on a statistical analysis of the signal. I am sorry, this is physics, not information theory, and I cannot explain this easily, but this is the reason why QC is so popular. QC's weakness lies in the non quantum world.
You seem to put a lot of faith in Quantum Computing. In the labs many people believe that only our grand-sons will ever get to see this working.
As a security professional you should really try to learn a bit more about quantum cryptography. I agree it is quite useless, but you should at least understand it (and that is not really easy).
My 2 cents.
more info on quantum mechanics, quantum crypto etc at
http://groups.yahoo.com/group/qm2/
Gael;
Of course you can perform the man-in-the-middle on the fiber.
Say Alice and Bob are speaking over a link. Mallory cuts the line and puts in two new boxes from Bob Gelfond's company. Mallory pretends to be Bob to Alice and pretends to be Alice to Bob.
It is true that each half link will end up using a different bit sequence for encryption, but so what? Alice will never know she is talking to Mallory, and Bob will never know he is talking to Mallory. Yes, I do understand the physics -- you don't understand the security side. All Alice knows is she's exchanging entangled photons with someone, but she has no idea WHO she is exchanging entangled photons with. There is no such thing as a photon that Bob could send but Mallory could not send. It is true that Alice can find out that the photons she's exchanging are being observed along the way, but she can't know who was sending them in the first place! There is nothing special about Bob's box that identifies it as Bob's -- anyone can build a similar box and pretend to be Bob.
I don't really care if you are a PhD student in physics. This field is cryptography. I fully believe that you can't listen in on the photon stream without impacting it, but you can get around that simply by breaking the rules of the artificial game.
Quantum Cryptography started as a lame excuse to fund EPR style experiments, and gained a ridiculous life of its own.
I agree that Quantum Computing is unlikely to be seen any time soon -- I only am stating that it is not snake oil in the same way Quantum Cryptography is.
Conventional encryption does provide a high level of authentication and encryption with minimal cost (there is always some cost). However, it does not guarantee that the contents are not stored offline somewhere for later brute force decryption. Quantum encryption provides a guarantee against eavesdropping but does not provide a complete authentication solution. You get all of the strengths and none of the weaknesses by using quantum encryption as a transport for conventional authentication and encryption.
Just repeating here, what the physics grad students don't get and the security people do get is that the proof of security of a quantum cryptographic system proves the wrong thing. This is a common failing of proofs of security, and thus is something crypto people are very wary of.
Yes, you can prove that you can know no one is intercepting your stream of entangled photons, but that is not your only concern -- you need to know who sent the entangled photons in the first place, and there is no way to put some sort of "secret handshake" into an entangled photon.
Variations on this problem appear in real cryptography, by the way. The reason you can't do a Diffie-Hellman key exchange with someone without doing some sort of wrapping authentication protocol a la STS is that you can be certain your key is known only to you and the counterparty in the Diffie-Hellman exchange but you have no way of knowing who that counterparty is without authentication.
You could, of course, make the cryptographic key stream derived from the entangled photons authenticated by transmitting a MAC for the key stream, or you could MAC the ciphertext, but at that point, as I've said, you've lost the supposed advantage of not relying on the conventional cryptosystems we've all been studying for decades.
Dear Perry,
I am quite amused by your overwhelming self-confidence. You write as if you were representative of the entire crypto community. Believe it or not, QC people have heard of classical authentication for many years. I mean information theoretical classical authentication, not mere computational as most MACs are. It is well known (for decades) that authentication of messages is much cheaper than encryption (in order to authenticate N bits of message with a tag of T bits, roughly T bits of secret key are required). What Quantum Cryptography provides is a way to use a small amount of secret bits (for authentication) to produce millions more secret bits, with information theoretical security. Yes, it bootstraps on classical, information theoretical authentication, but it allows one to produce much more key than what it uses...
Do you really think nobody in QC is a serious scientist? How many research papers did you ever publish exactly?? Or do you just specialize in opinionated comments on topics you don't really understand...
Claude Crépeau, a QC researcher
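The information-theoretic authentication described in the comment above (a short secret authenticates a long message, and the key consumed per message is on the order of the tag length), as an added example that is neither the commenter's code nor anything from MagiQ. It uses the standard Wegman-Carter construction: a polynomial universal hash over GF(2^127 - 1) whose key is reused, masked with a fresh one-time pad per tag; the KeyPool class, the chunk size and the 1 MiB constructed message are this example's assumptions.

```python
"""Wegman-Carter style one-time authentication: unconditional security,
and about one tag's worth of fresh secret key per message.

Added example. The key pool stands in for the key buffer a QKD link keeps
growing; the pad drawn from it is used exactly once.
"""
import hmac
import math
import secrets

P = (1 << 127) - 1   # Mersenne prime; all hash arithmetic is in GF(P)
CHUNK = 15           # 120-bit message chunks, always < P
TAG_BYTES = 16       # one field element per tag (127 bits)


def poly_hash(a: int, message: bytes) -> int:
    """Universal hash h_a(m): the message chunks (plus a final length chunk)
    are the coefficients of a polynomial evaluated at the secret point a.
    Two distinct messages of at most n chunks agree on at most n + 1 values
    of a, so a random a collides with probability at most (n + 1) / P."""
    h = 0
    for i in range(0, len(message), CHUNK):
        h = (h * a + int.from_bytes(message[i:i + CHUNK], "big")) % P
    # Appending the length makes message -> coefficient sequence injective.
    return (h * a + len(message)) % P


def authenticate(a: int, pad: bytes, message: bytes) -> bytes:
    """Tag = h_a(message) + pad (mod P). The one-time pad hides h_a(message),
    which is what lets the hash key a be reused for later messages.
    (Reducing a 128-bit pad mod P introduces a negligible bias; fine here.)"""
    r = int.from_bytes(pad, "big") % P
    return ((poly_hash(a, message) + r) % P).to_bytes(TAG_BYTES, "big")


def verify(a: int, pad: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(authenticate(a, pad, message), tag)


def forgery_bound(message_len: int) -> float:
    """Upper bound on a forger's success probability for one message,
    independent of the forger's computing power: (chunks + 1) / P."""
    return (math.ceil(message_len / CHUNK) + 1) / P


class KeyPool:
    """Constructed stand-in for a growing QKD key buffer: bytes are handed
    out once and never reused. Not any vendor's API."""

    def __init__(self, material: bytes):
        self._buf = material
        self.consumed = 0

    def take(self, n: int) -> bytes:
        if self.consumed + n > len(self._buf):
            raise RuntimeError("key pool exhausted; wait for more key")
        out = self._buf[self.consumed:self.consumed + n]
        self.consumed += n
        return out


def demo(message_len: int = 1 << 20) -> dict:
    """Authenticate a constructed 1 MiB message and report the key cost."""
    pool = KeyPool(secrets.token_bytes(4096))
    a = int.from_bytes(pool.take(TAG_BYTES), "big") % P  # hash key: set up once, reused
    message = bytes(i & 0xFF for i in range(message_len))  # constructed input
    pad = pool.take(TAG_BYTES)                           # fresh per message
    tag = authenticate(a, pad, message)
    tampered = bytearray(message)
    tampered[message_len // 2] ^= 0x01                   # single-bit change
    return {
        "pad_bytes_per_message": TAG_BYTES,
        "key_bytes_consumed": pool.consumed,             # 16 for a + 16 for the pad
        "genuine_verifies": verify(a, pad, message, tag),
        "tampered_verifies": verify(a, pad, bytes(tampered), tag),
        "forgery_bound": forgery_bound(message_len),
    }


if __name__ == "__main__":
    print(demo())
```

Each further message costs only another TAG_BYTES of pad from the pool, which is the cheapness relative to one-time-pad encryption that the comment refers to.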
Claude says: "It is well known (for decades) that authentication of messages is much cheaper than encryption"
Fascinating, especially given that, at the moment, the most popular authentication algorithms, such as HMAC, run significantly slower than modern encryption algorithms, like AES. A substantial amount of work has gone in to producing cheaper MAC algorithms to little avail. Perhaps you would care to reveal to us the MAC algorithms you are aware of that run faster than encryption algorithms? I was at an IETF meeting recently where the lack of such algorithms was a topic of substantial discussion, especially given the desirability of them -- doubtless you, an enlightened QC researcher, would be able to dispel our ignorance on this topic.
Your claim that "in order to authenticate N bits of message with a tag of T bits, roughly T bits of secret key are required" is one I'm entirely unfamiliar with, in spite of the fact that I've taught graduate classes on cryptography and manage the largest electronic mailing list in the world for cryptographers, to wit, cryptography@metzdowd.com. I've also failed to find this claim in the CRC "Handbook of Applied Cryptography" written by Menezes, van Oorschot and Vanstone, or any other reference I have at hand, including a number of volumes of proceedings from the Crypto, Eurocrypt and Asiacrypt conferences. This is doubtless pure ignorance on my part -- would you be so kind as to state the paper that you find this fascinating claim in, so that I and other people in the field might become familiar with it? Indeed, I must confess that this "T Bit Tag" concept is one that I'm unfamiliar with -- perhaps you could explain what that means for one as ignorant as myself?
As for whether anyone involved in QC is a "serious scientist", clearly a serious quantum cryptography researcher such as yourself knows far more than I do about the topic of security systems, and would never make up nonsense for purposes of posting it in a blog. How foolish of me to get into an argument with my betters. You have certainly convinced me of the perspicacity and sophistication of the QC community.
//What Quantum Cryptography provides is a way to use a small amount of secret bits (for authentication) to produce million more secret bits, with information theoretical security. Yes, it bootstraps on classical, information theoretical authentication, but it allows to produce much more key than what it uses...
How does this make QC more secure? Isn't AES 256-bit key long enough at least for the next 20+ years?
I have to say that I strongly agree with Perry here. Quantum cryptography solves an already-solved problem, and solves it poorly and at enormous expense. There are far better ways to secure your communications.
Quantum cryptography may sound good in theory, but it's a poor match to the security problems we see in practice. In my experience, practicing cryptographers tend to snicker at the quantum cryptography solutions on the market. Of course there is serious physics and serious science underlying the quantum crypto theory -- but when you look at transitioning the technology into practice, it doesn't make good engineering sense. Right now, it's a poor solution to a problem that can be better and more cheaply solved through other means.
If you were thinking of spending $100,000 on MagiQ's products, you'd do better to walk down to your bank, withdraw 1000 hundred-dollar bills, get out your Bic lighter, light them on fire, and then deploy free end-to-end encryption software in your networks. The end result will probably be more secure, and it won't cost you a cent more than MagiQ is charging. More seriously, you'd be better off spending it on hiring a security expert who knows what he is doing for half a year, and deploying a free encryption solution.
Dylan Clark is confused. Talking about storing the ciphertext for later brute-force search is silly. As Perry Metzger explained, brute-force cryptanalysis of an AES-256 encrypted ciphertext will take longer than the lifetime of the universe. Store it as long as you like -- you're not going to break AES-256 by brute-force decryption.
-- David Wagner, applied cryptographer
Dear Perry,
1. Dr. Crépeau pretty much answers your first point, in that a man-in-the-middle attack is prevented by using a short initial secret for authentication. In this respect, quantum cryptography is more properly called quantum key growing: it generates secret key material once it has started using the initial short shared secret. The classical authentication technique based on this shared secret is unconditional (i.e., not based on computational complexity). The need for initial authentication is universal to all cryptography: you must pre-share some (usually secret, always authentic) information, else you cannot in principle know whom you are communicating with. For example, in the modern cryptography used on the internet, you get copies of the public keys belonging to certificate authorities with a copy of your web browser. If the copy of the browser you install has been tampered with and these keys replaced, you can have your man-in-the-middle exactly as you describe - with public key cryptography.
2. I am very curious myself what exact improvement in security the more frequent update of keys for the AES, or other symmetric cipher, affords. If you know, point me any peer-reviewed paper on this topic, please.
3. If your data stream is low-bandwidth, you can use the one time pad cipher. I think that the commercial systems include this option. It is just that the typical data rates on a VPN link exceed the current quantum key distribution rates by several orders of magnitude, and prospective customers are used to these data rates. But if you look close and select the most sensitive data, you can use one time pad on them. Which, in theory, when coupled with QKD, gives you unconditional security.*
4. Quantum cryptography is not "snake oil", it is a real technology. It is a technology in its adolescence, however, and for now it has certain limitations. Time will show its destiny - to be improved and universally adopted, or dumped into the landfill of rational but unclaimed ideas.
*In theory, because I am doing my PhD trying to crack quantum cryptosystems.
Dear Vadim Makarov,
In your 4th point you are wondering: "Time will show its destiny - to be improved and universally adopted, or dumped into the landfill of rational but unclaimed ideas."
I think that probably it will be "dumped into the landfill of irrational ideas". There are many facts in support of this. I would even dare to claim that in the first place the financial costs of QC products will be the most important factor for dumping the whole QC concept. In the second place are the facts about the security limitations that QC solutions are trying to cover by applying classical cryptography. Of course it will not happen immediately, and businessmen who invested in QC startup companies will try every marketing trick to save something of their doomed investments in Quantum Cryptography.
However, speaking about dozens of bright scientists that are in this moment involved somehow in research of Quantum Cryptography – I think that many of them will soon migrate to other areas such as: Quantum Computing or Nanotechnology.
Very good discussion. This should be archived somewhere. It is always appropriate to be a tad cautious when hearing claims of absolute fact, especially from a person who has a vested interest in that fact. Moreover, believing in a tamper-free secured communication line may give you a false sense of security, and assuming your data is subject to interception anyway seems like a more prudent approach.
Excellent points on both sides everyone. I'd like to add my own cent and a half or so.
The notion of a company trying to make real money by selling QC boxes today or next year is certainly interesting. If they are successful, they will be heralded as purveyors of a disruptive technology that everyone said wouldn't amount to anything. I wish them luck.
Unfortunately, it does sound that the current state of the art is rather lacking. Problem constraints often change drastically between the academic world and real deployments, and it sure sounds like that's the case here. Suppose for a moment, that the MagiQ boxes are super-mega-awesome cool and totally secure the 120km link. Chances are they at least sort of work, so let's just assume that they completely work.
Now, are they useful? Well, probably not to that wide an audience. In this global world, when is 120km enough? And if you're going to bother letting someone else run the relay stations every 120km, why did you bother to begin with? What you've done is not eliminate the possibility of a man in the middle attack, you've just reduced the number of feasible locations. That might be enough for some applications, but are there enough applications for MagiQ to be successful? We'll see.
Considering QC a disruptive technology, it's fine that it has a lot of negatives compared to current systems. The question though, is what does it change - i.e. what's the upside? The ONLY upside seems to be that you know when your data is observed. Fine. But is that really that much of a pain point? It seems that protecting your data regardless of who sees it, and authenticating the source of the data are vastly more important issues. And for both of these, QC does not seem to offer any advantage over traditional systems.
Thus, IMHO, it appears that QC does offer an advantage in one area, and by extrapolating from other disruptive technologies we can know that sometimes that is all it takes. However, when the area in which that advantage is offered is not very useful, then overall it seems like it probably won't actually disrupt the current status quo.
This doesn't mean it's not cool as hell - it's just not actually very useful in a contemporary business setting. In other words, it's like silly putty. Fun to play with, but doesn't make any money for anyone other than the people selling it.
I think the missing link here is that QC uses a form of light that can detect its own changes of the actual media. Traditional copper lines can't do this. Perry sort of does a bit of double talk up above. He states you can do a man in the middle attack and then admits you would need two QC boxes.
How do you pull off such a feat? You would have to cut & re-terminate the fiber, swap in two QC boxes without missing a beat... So, OK, so maybe there is a bit of down time and you have a window of opportunity to swap in the boxes -- you then have different IR tx/rx characteristics that QC would detect -- something the copper world can not detect.
Putting this into perspective: The ethernet port on a computer does not know the difference between a port on a Cisco switch or 3Com Switch. You could build some intelligence into the switch and NIC card to prevent a man in the middle attack but this is hard since we can't detect spins -- copper has eddy currents but they can't be controlled like photons can in a fiber medium.
I think QC has its merits but, in Perry's defense, AES is what we call Good Enough.
Eric wrote:
"I think QC has it's merits but, in Perry's defense, AES is what we call Good Enough."
I will agree to that statement, for most practical purposes. Remember however that nobody uses AES for classified material. Moreover, the Man-in-the-middle attack is nonsense if you understand that classical authentication is an important part of QC (I do not claim here that devices you can buy deal with this issue properly, but QC theoreticians have known this fact for several decades). It does not reduce the merits of QC to use authentication.
The main interest of QC is for long-term important security issues. Fifty years from now, messages encrypted with AES today may very well be easily readable. But one-time-pad encrypted messages, with keys obtained from QC will remain secure.
If someone finds an efficient algorithm to break AES he will get media coverage and his two minutes of fame. If someone breaks QC (and thus proves something is wrong with quantum mechanics) he is up for a Nobel prize...
I think we should examine carefully the statement
> To get around this, you need to use a message authentication code (or MAC) on the data stream -- again, if you're going to do that, and depend on the security of a conventional crypto algorithm, why use QC?
that was made above.
As far as I know, security services have an implicit time to live. Thus cryptographic services providing integrity and authentication in the net need to be strong enough to be unbreakable while in use, typically a rather short time span.
Other services, such as confidentiality or notary-public ones, have typically longer time spans and need to be commensurately stronger.
Therefore, to the best of my understanding, there is nothing inherently wrong with the use of ephemerally strong integrity/authentication services if the service can be relied upon while it is still in use and the outcome is a highly secure shared secret to be used in support of a strong confidentiality service.
I would conclude that the desirability (or lack thereof) of QC and its reliance on classic security services are orthogonal issues and said desirability must be argued on different fronts.
Re: cost. Name me a modern technology that was not expensive when it was taking off. There is nothing intrinsically expensive about quantum cryptography hardware. With mass production and widespread use, the cost (and size) of a quantum cryptography card would be down to your typical computer component. Some compact technology for quantum cryptography (integrated optics, small single photon detectors, processing electronics) has already been developed in research labs.
It's hard to say much more than Perry already has on this subject. Even assuming that QC did more than key generation but actually supported authentication, it would still make no economic sense. That's because the 'ends' that we care about when we talk about end-to-end encryption are not at the link layer, and as for the link layer, there are much cheaper link encryption alternatives with sufficient security.
And no one is going to store all the ciphertext they sniff from some link (if the link has enough bandwidth or there are enough links of interest to the attacker) just so they can decrypt the text later when they've managed to recover the key. Because we also need security above the link layers, the attacker would, upon recovering the key, likely find simply more ciphertext!
In terms of economics it's much, much cheaper to mount attacks elsewhere in the system (e.g., social engineering) than on encrypted links, so if you can put link security beyond the means of any attacker for a small amount of money, then why bother with the much more expensive QC? (Cryptographic protocols built on AES and MACs are beyond any attackers today, even assuming attacks on AES-256 that halve its key length. If AES is ever seriously broken the link layer will be the least of our problems.)
Finally, in fairness to QC proponents, non-QC link encryption isn't free: there's hardware involved, either general purpose CPUs or specialized encryptors, but it's still cheaper than QC.
> Even assuming that QC did more than key generation but actually supported authentication
Explain to me what you mean by "supporting authentication", please.
Claude Crépeau writes, "Remember however that nobody uses AES for classified material." Well, I don't know about that. How certain are you of this statement?
Wikipedia says that the NSA has approved AES-128 for encryption of data classified SECRET, and AES-192 and AES-256 for encryption of material classified TOP SECRET. This is a fairly strong statement of confidence in the security of AES. (I would imagine that the implementation would have to be reviewed and approved by the NSA, that one would have to use key management, and that other conditions might apply.)
What level of classification is MagiQ's product approved for? As far as I know, MagiQ is not even approved for encrypting sensitive-but-unclassified data, let alone data classified SECRET or TOP SECRET.
That's a pretty stark contrast.
-- David Wagner
> > Even assuming that QC did more than key generation but actually supported authentication
> Explain to me what you mean by "supporting authentication", please.
Read the rest of the thread. I meant authentication of the QC end-points. You know, that which prevents the MITM attack described by Perry.
> Read the rest of the thread. I meant authentication of the QC end-points. You know, that which prevents the MITM attack described by Perry.
The quantum key distribution protocol does actually include this authentication. I'd think it has been explained in the thread. Why don't you think so?
Vadim Makarov wrote:
"... Name me a modern technology that was not expensive when it was taking off. There is nothing intrinsically expensive about quantum cryptography hardware. ..."
When I wrote about costs of QC as a major obstacle to QC being accepted as a useful concept, I was thinking about the current status on the market. On one side you have free or almost free security standards and products based on that standard (AES) that is approved by some of the most trusted organizations such as NIST and NSA, and on the other side you have a new and VERY expensive technology that has ambitions to become cheaper through mass production and is not approved by any standardization organization.
Yes, if QC were a technology that is coming to a market where there is no other alternative, then QC would probably follow the cost pattern that you are mentioning. However, in this case the stage is already occupied by a "free" product.
This gives me an interesting possible scenario for increasing the chances of QC ever succeeding: If a part of the enormous intellectual potential of the researchers in QC is devoted to "BREAKING THE AES" and if they eventually succeed in that effort, then maybe QC will attract more attention as a valuable alternative to conventional cryptography.
A couple of points:
1) I'm not sure I'd call myself a cryptography professional, but I have implemented crypto in a commercial setting for security products, and I've administered crypto devices for DoD, and I am on Perry's list. I don't think QC is snake oil, but I do think it will appeal to a small market at this time. I see engineering problems; how does Alice make her polarizing filter positions exactly perpendicular, how does she align hers with Bob's, how do we generate exactly one photon exactly aligned with the filter, how does Alice detect a single photon only when one is sent, etc. Physical objects are not ideal, and any non-idealness is going to leak information about the communication over time.
2) Perry's allegations are that QC doesn't solve the authentication problem, so is worthless. Well, neither does Diffie-Hellman key exchange. So what? It doesn't have to solve all the world's problems at once. Solving one problem better than anything else is enough. The problem it solves is preventing undetected observation, and that's a problem some parties would like to solve. I suspect rather than calling it an encryption algorithm, you could also file it under LPI (low-probability of intercept) communication techniques, like spread-spectrum radio. Currently there are people burying copper lines in tubes in cement and filling the tubes with nitrogen under pressure, so they can detect potential observers. Those kinds of people would value this technology.
3) Perry talks about the data and keystream, and it's worth pointing out that QC removes the need for confidentiality on the keystream, but doesn't remove the need for authenticity. That's exactly what public-key encryption does. If PK didn't solve the confidentiality problem, there'd be very little reason to use it at all. Further, an attack on the keystream can be detected later (assuming that _all_ communication can't be actively modified to hide past misdeeds) and so it prevents undetected interception again. Remember, in many settings, _secret_knowing_ is much more valuable than public disclosure. You can't take measures to reduce the impact of secret knowledge your opponent has, because you don't know about it!
4) Perry says: "To get around this, you need to use a message authentication code (or MAC) on the data stream -- again, if you're going to do that, and depend on the security of a conventional crypto algorithm, why use QC?". Well, I'd like to point out here that it doesn't have to be all-quantum-or-none. More importantly, if you have information-theoretic confidentiality (e.g. OTP), you can use a much more efficient algorithm for integrity/authenticity - like using a few key bits to select a universal hash function with a uniform distribution (e.g. y = ax + b mod n) and then you just protect those hashes with the OTP/QC and you have unconditional security (confidentiality, authentication, integrity). So no, we don't have to rely on conventional cryptography for our authentication, we just have to bootstrap the process with a few secret key bits.
5) Perry also suggests that trusting your telecom carrier with the physical security of the boxes is equivalent to not using QC at all. This is a false dilemma in many cases. I know crypto people don't like trusting anyone, but I assume they also keep their money in a bank, and that they buy their computer parts somewhere, and that they use software other people wrote. They may want to minimize the number of people they trust, and that's one thing that QC can do -- instead of trusting anyone along the signal path, you trust only people with physical access to the repeaters.
6) Gael says, "you cannot perform a MiM attack on quantum entangled photon." I find this a bit odd; last time I checked, QC didn't use entanglement, just polarization.
7) Eric says, "How does this make QC more secure? Isn't AES 256-bit key long enough at least for the next 20+ years?"
And the answer is both simple and profound: we don't know. Anyone who tells you "yes" is a liar, because it's saying that there is no system for inverting AES without the key that works in less than 20+ years. Since the number of possible systems is unbounded and probably uncountable, you can't test all of them. Conventional security relies on our continued ignorance of any such algorithms. Unconditional security, also known as information-theoretic security, does not. Remember 640kB being enough for anyone? Remember that a heavier-than-air flying machine is impossible? Remember that Tesla's alternating current is a perpetual motion machine? The number of absurdly wrong forecasts about the future is long indeed, and a very common feature of them is the implicit assumption that the world will be too similar to the world now.
8) Cryptographers will hold up AES-256 as sufficiently secure when they need a big keyspace, and then they'll ridicule people for using it in other discussions, because its keyspace is so absurdly big. It seems to me you can't have it both ways.
9) Tom says, "In this global world, when is 120km enough?" to which I'd answer, when there's less than 120km between two people that is owned and operated by a third party they don't trust. For example, between two communication towers owned by a telecom company, in a country that is politically hostile to the parties doing the communicating.
Summary: I think that fiber has some nice physical-layer security properties and that QC has some nice link-layer properties and conventional cryptosystems have some nice end-to-end properties, and that they all complement each other. The order of these is important; if you can't break the security of one layer, then the subsequent layers are unbreakable too. If the Allies could not intercept the German messages encrypted with the Enigma, all the brilliant cryptanalysis wouldn't have helped them one whit.
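Point 4) above describes an information-theoretic MAC: a universal hash of the form y = ax + b mod n, with the hash output protected by one-time-pad bits. The block below is an added illustration, not code from the thread or from MagiQ; it generalizes the one-block hash to multi-block messages by polynomial evaluation (the fresh pad plays the role of "b"), shows the fresh key bits consumed per message, and demonstrates why the pad must never be reused. The modulus, block size and sample messages are constructed choices.

```python
"""Wegman-Carter style one-time MAC: universal hash masked with one-time-pad bits.

Added illustration (constructed parameters, not from the thread or MagiQ):
the y = a*x + b mod p hash named in the comment, generalized to multi-block
messages, with a fresh pad as the "b" that hides the hash value.
"""
import secrets

P = (1 << 61) - 1   # prime modulus for the hash field (constructed choice)
BLOCK = 6           # 48-bit message chunks; with the marker byte each block is < P


def _blocks(msg: bytes) -> list[int]:
    """Split msg into chunks, prefixing each with 0x01 so encoding is injective
    (a chunk with leading zero bytes would otherwise collide with a shorter one)."""
    return [int.from_bytes(b"\x01" + msg[i:i + BLOCK], "big")
            for i in range(0, max(len(msg), 1), BLOCK)]


def universal_hash(a: int, msg: bytes) -> int:
    """h_a(m) = sum_i m_i * a^(i+1) mod P, evaluated with Horner's rule.
    For one block this is a*x mod P; for two distinct messages of at most L
    blocks, Pr[h_a(m1) == h_a(m2)] over a random a is at most L/P."""
    h = 0
    for m_i in reversed(_blocks(msg)):
        h = (h + m_i) * a % P
    return h


def make_tag(a: int, pad: int, msg: bytes) -> int:
    """Tag = h_a(m) + pad mod P.  `a` may be reused across messages; `pad` must
    be fresh secret bits for every message (the OTP step from the comment)."""
    return (universal_hash(a, msg) + pad) % P


def verify(a: int, pad: int, msg: bytes, tag: int) -> bool:
    """Receiver recomputes the tag with the same shared a and pad."""
    return make_tag(a, pad, msg) == tag


def key_bits_per_message() -> int:
    """Fresh secret bits consumed per authenticated message: one pad of log2(P) bits."""
    return P.bit_length()


def recover_a_from_pad_reuse(m1: bytes, t1: int, m2: bytes, t2: int) -> int:
    """Caveat: if one pad authenticates two distinct one-block messages,
    t1 - t2 = a*(x1 - x2) mod P and the hash key `a` is exposed.  This is
    why the pad bits (e.g. from QKD) must never be reused."""
    x1, x2 = _blocks(m1)[0], _blocks(m2)[0]
    return (t1 - t2) * pow(x1 - x2, -1, P) % P


if __name__ == "__main__":
    a = secrets.randbelow(P)                 # shared hash key (bootstrap secret)
    pad = secrets.randbelow(P)               # fresh pad bits for this message
    msg = b"constructed sample message"
    tag = make_tag(a, pad, msg)
    print("valid:", verify(a, pad, msg, tag), "tampered:", verify(a, pad, msg + b"!", tag))
    print("fresh key bits per message:", key_bits_per_message())
```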
1) This is what the research community has been occupied with for the last twenty years. It boils down to: you can extract a secret key in the presence of non-idealities in the equipment (all those you named). Look up key extraction, privacy amplification, and security proofs generally if you want the gory details.
2) It's not an encryption algorithm, it's a (random) key growing algorithm. Only that.
6) It can use entangled photons (not that it is for any relevance to the man in the middle attack).
Sorry, this is my last posting in this thread. May I finally suggest those really interested in the state of the art read the review http://arxiv.org/abs/quant-ph/0101098
- as opposed to reading postings by persons who enjoy producing long opinionated comments about things they do not understand.
I am intrigued by a couple comments that were made:
1) Perry seemed to suggest Q. Computation is definitely plausible and more interesting quantum technology.
2) He also says q. crypto is pointless because AES is secure enough.
My question is:
What happens when quantum computers are available (say in 20 years) and someone finds an efficient q. algorithm to crack AES (similar to Shor's)? Isn't the point of Q crypto that we know it is overkill now, but best to be prepared for the future...especially if you believe q. computation is coming soon.
For the readers that were interested by this discussion, I would like to refer to the White Paper recently published by the SECOQC European Project, dealing with QKD and Cryptography.
Here is the link
http://www.secoqc.net/downloads/secoqc_crypto_wp.pdf
And here is the abstract
The SECOQC White Paper on Quantum Key Distribution is the outcome of a thorough consultation and discussion among the participants of the European project SECOQC (www.secoqc.net).
This paper is a review article that attempts to position Quantum Key Distribution (QKD) in terms of cryptographic applications. A detailed comparison of QKD with the solutions currently in use to solve the key distribution problem, based on classical cryptography, is provided. We also detail how the work on QKD networks led within SECOQC will allow the deployment of long-distance secure communication infrastructures based on quantum cryptography.
The purpose of the White Paper is finally to promote closer collaboration between classical and quantum cryptographers. We believe that very fruitful research, involving both communities, could emerge in the future years and try to sketch what may be the next challenges in this direction.
--
Dr. Romain Alléaume
Assistant Professor / Maître de Conférence
ENST Paris & LTCI-UMR CNRS 5141
Network and Computer Science Department / Département Informatique et Réseaux
37/39 rue Dareau, 75014 Paris, France
I think there are one or two things that need to be clarified here.
Firstly, QKD - that is quantum key distribution - is simply that. A method whereby two parties can establish a secret key. The possible information leakage of this key to an eavesdropper can be tightly controlled and a definite bound put on the risk exposure.
It should be compared with other methods for key distribution - not other encryption algorithms. Once you have established the key you can use it in whichever way you see fit.
It makes no sense to compare QKD to AES, unless one is thinking of AES as an encryption tool for securing key distribution. If so, then both QKD and AES require the two parties to possess some initial secret.
There is no way round this - either classically or quantum mechanically. It is a problem you cannot solve with either classical or quantum means. So AES and QKD start from exactly the same place. QKD systems need to possess some means to make an initial authentication to fully secure the channel. But two parties wishing to use AES also need to share some initial secret which may be used for either implicit or explicit authentication.
Public key systems also require this initial authentication. From a certain perspective, PK systems simply transfer the problems of key management into problems of certificate management. Whilst this may be operationally beneficial in some scenarios it is simply an expression of the fact that if two parties wish to communicate in secret then they must already possess some shared secret.
QKD is only one possible component of a much larger security infrastructure. I think it has been dreadfully oversold by some physicists. It allows the risk of key distribution to be more tightly controlled. It is not the be all and end all of security by any means.
Organisations wishing this level of security for this particular component of their security infrastructure may well consider QKD as a possible solution. But, in general, it will come down to whether the risks for existing techniques for key distribution are sufficient to warrant the extra expense involved in reducing those risks using QKD.
Perfect security is a ridiculous goal. Bob Morris expressed it rather well in response to a comment by Whit Diffie at a conference I attended. Diffie was stressing the importance of key length and security, and commenting on the required key lengths to keep security agencies at bay. He was asked by Morris whether he thought it was more difficult for the NSA to steal a 60 bit key or a 90 bit key.
The response underlines that all of the high-tech security in the world will not buy you what you think you may have when humans and human processes are involved somewhere in the chain.
QKD may be a valuable tool for reducing the risk of key distribution for certain high value links. Whether the consequent reduction in risk (if any) is worth it is a commercial/operational decision.
Current commercial QKD systems exploit the quantum property of complementarity. QKD systems using entangled photons exploit quantum correlation properties and are not currently commercially available, to my knowledge.