<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress/2.0.4" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
	<title>Comments on: Quantum Cryptography, It&#8217;s Some Kind of MagiQ</title>
	<link>http://hackreport.net/2006/12/13/quantum-cryptography-its-some-kind-of-magiq/</link>
	<description>Security News</description>
	<pubDate>Wed, 20 Aug 2008 17:21:27 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.0.4</generator>

	<item>
		<title>by: Simon Phoenix</title>
		<link>http://hackreport.net/2006/12/13/quantum-cryptography-its-some-kind-of-magiq/#comment-384</link>
		<pubDate>Wed, 14 Feb 2007 15:32:16 +0000</pubDate>
		<guid>http://hackreport.net/2006/12/13/quantum-cryptography-its-some-kind-of-magiq/#comment-384</guid>
					<description>I think there are one or two things that need to be clarified here.

Firstly, QKD - that is quantum key distribution - is simply that. A method whereby two parties can establish a secret key. The possible information leakage of this key to an eavesdropper can be tightly controlled and a definite bound put on the risk exposure.

It should be compared with other methods for key distribution - not other encryption algorithms. Once you have established the key you can use it in whichever way you see fit.

It makes no sense to compare QKD to AES, unless one is thinking of AES as an encryption tool for securing key distribution. If so, then both QKD and AES require the two parties to possess some initial secret.

There is no way round this - either classically or quantum mechanically. It is a problem you cannot solve with either classical or quantum means. So AES and QKD start from exactly the same place. QKD systems need to possess some means to make an initial authentication to fully secure the channel. But two parties wishing to use AES also need to share some initial secret which may be used for either implicit or explicit authentication.

Public key systems also require this initial authentication. From a certain perspective, PK systems simply transfer the problems of key management into problems of certificate management. Whilst this may be operationally beneficial in some scenarios it is simply an expression of the fact that if two parties wish to communicate in secret then they must already possess some shared secret.

QKD is only one possible component of a much larger security infrastructure. I think it has been dreadfully oversold by some physicists. It allows the risk of key distribution to be more tightly controlled. It is not the be all and end all of security by any means.

Organisations wishing this level of security for this particular component of their security infrastructure may well consider QKD as a possible solution. But, in general, it will come down to whether the risks for existing techniques for key distribution are sufficient to warrant the extra expense involved in reducing those risks using QKD.

Perfect security is a ridiculous goal. Bob Morris expressed it rather well in response to a comment by Whit Diffie at a conference I attended. Diffie was stressing the importance of key length and security, and commenting on the required key lengths to keep security agencies at bay. He was asked by Morris whether he thought it was more difficult for the NSA to steal a 60-bit key or a 90-bit key.

The response underlines that all of the high-tech security in the world will not buy you what you think you may have when humans and human processes are involved somewhere in the chain.

QKD may be a valuable tool for reducing the risk of key distribution for certain high value links. Whether the consequent reduction in risk (if any) is worth it is a commercial/operational decision.

Current commercial QKD systems exploit the quantum property of complementarity. QKD systems using entangled photons exploit quantum correlation properties and are not currently commercially available, to my knowledge.</description>
		<content:encoded><![CDATA[<p>I think there are one or two things that need to be clarified here.</p>
<p>Firstly, QKD - that is quantum key distribution - is simply that. A method whereby two parties can establish a secret key. The possible information leakage of this key to an eavesdropper can be tightly controlled and a definite bound put on the risk exposure.</p>
<p>It should be compared with other methods for key distribution - not other encryption algorithms. Once you have established the key you can use it in whichever way you see fit.</p>
<p>It makes no sense to compare QKD to AES, unless one is thinking of AES as an encryption tool for securing key distribution. If so, then both QKD and AES require the two parties to possess some initial secret.</p>
<p>There is no way round this - either classically or quantum mechanically. It is a problem you cannot solve with either classical or quantum means. So AES and QKD start from exactly the same place. QKD systems need to possess some means to make an initial authentication to fully secure the channel. But two parties wishing to use AES also need to share some initial secret which may be used for either implicit or explicit authentication.</p>
<p>Public key systems also require this initial authentication. From a certain perspective, PK systems simply transfer the problems of key management into problems of certificate management. Whilst this may be operationally beneficial in some scenarios it is simply an expression of the fact that if two parties wish to communicate in secret then they must already possess some shared secret.</p>
<p>QKD is only one possible component of a much larger security infrastructure. I think it has been dreadfully oversold by some physicists. It allows the risk of key distribution to be more tightly controlled. It is not the be all and end all of security by any means.</p>
<p>Organisations wishing this level of security for this particular component of their security infrastructure may well consider QKD as a possible solution. But, in general, it will come down to whether the risks for existing techniques for key distribution are sufficient to warrant the extra expense involved in reducing those risks using QKD.</p>
<p>Perfect security is a ridiculous goal. Bob Morris expressed it rather well in response to a comment by Whit Diffie at a conference I attended. Diffie was stressing the importance of key length and security, and commenting on the required key lengths to keep security agencies at bay. He was asked by Morris whether he thought it was more difficult for the NSA to steal a 60-bit key or a 90-bit key.</p>
<p>The response underlines that all of the high-tech security in the world will not buy you what you think you may have when humans and human processes are involved somewhere in the chain.</p>
<p>QKD may be a valuable tool for reducing the risk of key distribution for certain high value links. Whether the consequent reduction in risk (if any) is worth it is a commercial/operational decision.</p>
<p>Current commercial QKD systems exploit the quantum property of complementarity. QKD systems using entangled photons exploit quantum correlation properties and are not currently commercially available, to my knowledge.
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: R. Alléaume</title>
		<link>http://hackreport.net/2006/12/13/quantum-cryptography-its-some-kind-of-magiq/#comment-207</link>
		<pubDate>Tue, 23 Jan 2007 17:52:42 +0000</pubDate>
		<guid>http://hackreport.net/2006/12/13/quantum-cryptography-its-some-kind-of-magiq/#comment-207</guid>
					<description>For the readers that were interested by this discussion, I would like to refer to the White Paper recently published by the SECOQC European Project, dealing with QKD and Cryptography.

Here is the link
http://www.secoqc.net/downloads/secoqc_crypto_wp.pdf

And here is the abstract

The SECOQC White Paper on Quantum Key Distribution is the outcome of a thorough consultation and discussion among the participants of the European project SECOQC (www.secoqc.net).
This paper is a review article that attempts to position Quantum Key Distribution (QKD) in terms of cryptographic applications. A detailed comparison of QKD with the solutions currently in use to solve the key distribution problem, based on classical cryptography, is provided. We also detail how the work on QKD networks led within SECOQC will allow the deployment of long-distance secure communication infrastructures based on quantum cryptography.
The purpose of the White Paper is finally to promote closer collaboration between classical and quantum cryptographers. We believe that very fruitful research, involving both communities, could emerge in future years, and we try to sketch what may be the next challenges in this direction.


--
Dr. Romain Alléaume
Assistant Professor / Maître de Conférence
ENST Paris &#38; LTCI-UMR CNRS 5141
Network and Computer Science Department / Département Informatique et Réseaux
37/39 rue Dareau, 75014 Paris, France</description>
		<content:encoded><![CDATA[<p>For the readers that were interested by this discussion, I would like to refer to the White Paper recently published by the SECOQC European Project, dealing with QKD and Cryptography.</p>
<p>Here is the link<br />
<a href='http://www.secoqc.net/downloads/secoqc_crypto_wp.pdf' rel='nofollow'>http://www.secoqc.net/downloads/secoqc_crypto_wp.pdf</a></p>
<p>And here is the abstract</p>
<p>The SECOQC White Paper on Quantum Key Distribution is the outcome of a thorough consultation and discussion among the participants of the European project SECOQC (www.secoqc.net).<br />
This paper is a review article that attempts to position Quantum Key Distribution (QKD) in terms of cryptographic applications. A detailed comparison of QKD with the solutions currently in use to solve the key distribution problem, based on classical cryptography, is provided. We also detail how the work on QKD networks led within SECOQC will allow the deployment of long-distance secure communication infrastructures based on quantum cryptography.<br />
The purpose of the White Paper is finally to promote closer collaboration between classical and quantum cryptographers. We believe that very fruitful research, involving both communities, could emerge in future years, and we try to sketch what may be the next challenges in this direction.</p>
<p>--<br />
Dr. Romain Alléaume<br />
Assistant Professor / Maître de Conférence<br />
ENST Paris &amp; LTCI-UMR CNRS 5141<br />
Network and Computer Science Department / Département Informatique et Réseaux<br />
37/39 rue Dareau, 75014 Paris, France
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: T. Smith</title>
		<link>http://hackreport.net/2006/12/13/quantum-cryptography-its-some-kind-of-magiq/#comment-107</link>
		<pubDate>Sat, 23 Dec 2006 18:26:18 +0000</pubDate>
		<guid>http://hackreport.net/2006/12/13/quantum-cryptography-its-some-kind-of-magiq/#comment-107</guid>
					<description>I am intrigued by a couple comments that were made:

1) Perry seemed to suggest Q. Computation is definitely plausible and a more interesting quantum technology.

2) He also says q. crypto is pointless because AES is secure enough.

My question is:
What happens when quantum computers are available (say in 20 years) and someone finds an efficient q. algorithm to crack AES (similar to Shor's)?  Isn't the point of Q crypto that we know it is overkill now, but best to be prepared for the future...especially if you believe q. computation is coming soon.</description>
		<content:encoded><![CDATA[<p>I am intrigued by a couple comments that were made:</p>
<p>1) Perry seemed to suggest Q. Computation is definitely plausible and a more interesting quantum technology.</p>
<p>2) He also says q. crypto is pointless because AES is secure enough.</p>
<p>My question is:<br />
What happens when quantum computers are available (say in 20 years) and someone finds an efficient q. algorithm to crack AES (similar to Shor's)?  Isn't the point of Q crypto that we know it is overkill now, but best to be prepared for the future...especially if you believe q. computation is coming soon.
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: Vadim Makarov</title>
		<link>http://hackreport.net/2006/12/13/quantum-cryptography-its-some-kind-of-magiq/#comment-95</link>
		<pubDate>Wed, 20 Dec 2006 01:12:47 +0000</pubDate>
		<guid>http://hackreport.net/2006/12/13/quantum-cryptography-its-some-kind-of-magiq/#comment-95</guid>
					<description>1) This is what the research community has been occupied with for the last twenty years. It boils down to: you can extract a secret key in the presence of non-idealities in the equipment (all those you named). Look up key extraction, privacy amplification, and security proofs generally if you want the gory details.

2) It's not an encryption algorithm, it's a (random) key growing algorithm. Only that.

6) It can use entangled photons (not that it is for any relevance to the man in the middle attack).

Sorry, this is my last posting in this thread. May I finally suggest those really interested in the state of the art read the review http://arxiv.org/abs/quant-ph/0101098
- as opposed to reading postings by persons who enjoy producing long opinionated comments about things they do not understand.</description>
		<content:encoded><![CDATA[<p>1) This is what the research community has been occupied with for the last twenty years. It boils down to: you can extract a secret key in the presence of non-idealities in the equipment (all those you named). Look up key extraction, privacy amplification, and security proofs generally if you want the gory details.</p>
<p>2) It's not an encryption algorithm, it's a (random) key growing algorithm. Only that.</p>
<p>6) It can use entangled photons (not that it is for any relevance to the man in the middle attack).</p>
<p>Sorry, this is my last posting in this thread. May I finally suggest those really interested in the state of the art read the review <a href='http://arxiv.org/abs/quant-ph/0101098' rel='nofollow'>http://arxiv.org/abs/quant-ph/0101098</a><br />
- as opposed to reading postings by persons who enjoy producing long opinionated comments about things they do not understand.
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: solinym</title>
		<link>http://hackreport.net/2006/12/13/quantum-cryptography-its-some-kind-of-magiq/#comment-94</link>
		<pubDate>Tue, 19 Dec 2006 23:40:53 +0000</pubDate>
		<guid>http://hackreport.net/2006/12/13/quantum-cryptography-its-some-kind-of-magiq/#comment-94</guid>
					<description>A couple of points:

1) I'm not sure I'd call myself a cryptography professional, but I have implemented crypto in a commercial setting for security products, and I've administered crypto devices for DoD, and I am on Perry's list.  I don't think QC is snake oil, but I do think it will appeal to a small market at this time.  I see engineering problems; how does Alice make her polarizing filter positions exactly perpendicular, how does she align hers with Bob's, how do we generate exactly one photon exactly aligned with the filter, how does Alice detect a single photon only when one is sent, etc.  Physical objects are not ideal, and any non-idealness is going to leak information about the communication over time.

2) Perry's allegations are that QC doesn't solve the authentication problem, so is worthless.  Well, neither does Diffie-Hellman key exchange.  So what?  It doesn't have to solve all the world's problems at once.  Solving one problem better than anything else is enough.  The problem it solves is preventing undetected observation, and that's a problem some parties would like to solve.  I suspect rather than calling it an encryption algorithm, you could also file it under LPI (low-probability of intercept) communication techniques, like spread-spectrum radio.  Currently there are people burying copper lines in tubes in cement and filling the tubes with nitrogen under pressure, so they can detect potential observers.  Those kinds of people would value this technology.

3) Perry talks about the data and keystream, and it's worth pointing out that QC removes the need for confidentiality on the keystream, but doesn't remove the need for authenticity.  That's exactly what public-key encryption does.  If PK didn't solve the confidentiality problem, there'd be very little reason to use it at all.  Further, an attack on the keystream can be detected later (assuming that _all_ communication can't be actively modified to hide past misdeeds) and so it prevents undetected interception again.  Remember, in many settings, _secret_knowing_ is much more valuable than public disclosure.  You can't take measures to reduce the impact of secret knowledge your opponent has, because you don't know about it!

4) Perry says: "To get around this, you need to use a message authentication code (or MAC) on the data stream -- again, if you're going to do that, and depend on the security of a conventional crypto algorithm, why use QC?".  Well, I'd like to point out here that it doesn't have to be all-quantum-or-none.  More importantly, if you have information-theoretic confidentiality (e.g. OTP), you can use a much more efficient algorithm for integrity/authenticity - like using a few key bits to select a universal hash function with a uniform distribution (e.g. y = ax + b mod n) and then you just protect those hashes with the OTP/QC and you have unconditional security (confidentiality, authentication, integrity).  So no, we don't have to rely on conventional cryptography for our authentication, we just have to bootstrap the process with a few secret key bits.

5) Perry also suggests that trusting your telecom carrier with the physical security of the boxes is equivalent to not using QC at all.  This is a false dilemma in many cases.  I know crypto people don't like trusting anyone, but I assume they also keep their money in a bank, and that they buy their computer parts somewhere, and that they use software other people wrote.  They may want to minimize the number of people they trust, and that's one thing that QC can do -- instead of trusting anyone along the signal path, you trust only people with physical access to the repeaters.

6) Gael says, "you cannot perform a MiM attack on quantum entangled photon."  I find this a bit odd; last time I checked, QC didn't use entanglement, just polarization.

7) Eric says, "How does this make QC more secure? Isn't AES 256-bit key long enough at least for the next 20+ years?"

And the answer is both simple and profound: we don't know.  Anyone who tells you "yes" is a liar, because it's saying that there is no system for inverting AES without the key that works in less than 20+ years.  Since the number of possible systems is unbounded and probably uncountable, you can't test all of them.  Conventional security relies on our continued ignorance of any such algorithms.  Unconditional security, also known as information-theoretic security, does not.  Remember 640kB being enough for anyone?  Remember that a heavier-than-air flying machine is impossible?  Remember that Tesla's alternating current is a perpetual motion machine?  The number of absurdly wrong forecasts about the future is long indeed, and a very common feature of them is the implicit assumption that the world will be too similar to the world now.

8) Cryptographers will hold up AES-256 as sufficiently secure when they need a big keyspace, and then they'll ridicule people for using it in other discussions, because its keyspace is so absurdly big.  It seems to me you can't have it both ways.

9) Tom says, "In this global world, when is 120km enough?" to which I'd answer, when there's less than 120km between two people that is owned and operated by a third party they don't trust.  For example, between two communication towers owned by a telecom company, in a country that is politically hostile to the parties doing the communicating.

Summary: I think that fiber has some nice physical-layer security properties and that QC has some nice link-layer properties and conventional cryptosystems have some nice end-to-end properties, and that they all complement each other.  The order of these is important; if you can't break the security of one layer, then the subsequent layers are unbreakable too.  If the Allies could not intercept the German messages encrypted with the Enigma, all the brilliant cryptanalysis wouldn't have helped them one whit.</description>
		<content:encoded><![CDATA[<p>A couple of points:</p>
<p>1) I'm not sure I'd call myself a cryptography professional, but I have implemented crypto in a commercial setting for security products, and I've administered crypto devices for DoD, and I am on Perry's list.  I don't think QC is snake oil, but I do think it will appeal to a small market at this time.  I see engineering problems; how does Alice make her polarizing filter positions exactly perpendicular, how does she align hers with Bob's, how do we generate exactly one photon exactly aligned with the filter, how does Alice detect a single photon only when one is sent, etc.  Physical objects are not ideal, and any non-idealness is going to leak information about the communication over time.</p>
<p>2) Perry's allegations are that QC doesn't solve the authentication problem, so is worthless.  Well, neither does Diffie-Hellman key exchange.  So what?  It doesn't have to solve all the world's problems at once.  Solving one problem better than anything else is enough.  The problem it solves is preventing undetected observation, and that's a problem some parties would like to solve.  I suspect rather than calling it an encryption algorithm, you could also file it under LPI (low-probability of intercept) communication techniques, like spread-spectrum radio.  Currently there are people burying copper lines in tubes in cement and filling the tubes with nitrogen under pressure, so they can detect potential observers.  Those kinds of people would value this technology.</p>
<p>3) Perry talks about the data and keystream, and it's worth pointing out that QC removes the need for confidentiality on the keystream, but doesn't remove the need for authenticity.  That's exactly what public-key encryption does.  If PK didn't solve the confidentiality problem, there'd be very little reason to use it at all.  Further, an attack on the keystream can be detected later (assuming that _all_ communication can't be actively modified to hide past misdeeds) and so it prevents undetected interception again.  Remember, in many settings, _secret_knowing_ is much more valuable than public disclosure.  You can't take measures to reduce the impact of secret knowledge your opponent has, because you don't know about it!</p>
<p>4) Perry says: "To get around this, you need to use a message authentication code (or MAC) on the data stream -- again, if you're going to do that, and depend on the security of a conventional crypto algorithm, why use QC?".  Well, I'd like to point out here that it doesn't have to be all-quantum-or-none.  More importantly, if you have information-theoretic confidentiality (e.g. OTP), you can use a much more efficient algorithm for integrity/authenticity - like using a few key bits to select a universal hash function with a uniform distribution (e.g. y = ax + b mod n) and then you just protect those hashes with the OTP/QC and you have unconditional security (confidentiality, authentication, integrity).  So no, we don't have to rely on conventional cryptography for our authentication, we just have to bootstrap the process with a few secret key bits.</p>
<p>5) Perry also suggests that trusting your telecom carrier with the physical security of the boxes is equivalent to not using QC at all.  This is a false dilemma in many cases.  I know crypto people don't like trusting anyone, but I assume they also keep their money in a bank, and that they buy their computer parts somewhere, and that they use software other people wrote.  They may want to minimize the number of people they trust, and that's one thing that QC can do -- instead of trusting anyone along the signal path, you trust only people with physical access to the repeaters.</p>
<p>6) Gael says, "you cannot perform a MiM attack on quantum entangled photon."  I find this a bit odd; last time I checked, QC didn't use entanglement, just polarization.</p>
<p>7) Eric says, "How does this make QC more secure? Isn't AES 256-bit key long enough at least for the next 20+ years?"</p>
<p>And the answer is both simple and profound: we don't know.  Anyone who tells you "yes" is a liar, because it's saying that there is no system for inverting AES without the key that works in less than 20+ years.  Since the number of possible systems is unbounded and probably uncountable, you can't test all of them.  Conventional security relies on our continued ignorance of any such algorithms.  Unconditional security, also known as information-theoretic security, does not.  Remember 640kB being enough for anyone?  Remember that a heavier-than-air flying machine is impossible?  Remember that Tesla's alternating current is a perpetual motion machine?  The number of absurdly wrong forecasts about the future is long indeed, and a very common feature of them is the implicit assumption that the world will be too similar to the world now.</p>
<p>8) Cryptographers will hold up AES-256 as sufficiently secure when they need a big keyspace, and then they'll ridicule people for using it in other discussions, because its keyspace is so absurdly big.  It seems to me you can't have it both ways.</p>
<p>9) Tom says, "In this global world, when is 120km enough?" to which I'd answer, when there's less than 120km between two people that is owned and operated by a third party they don't trust.  For example, between two communication towers owned by a telecom company, in a country that is politically hostile to the parties doing the communicating.</p>
<p>Summary: I think that fiber has some nice physical-layer security properties and that QC has some nice link-layer properties and conventional cryptosystems have some nice end-to-end properties, and that they all complement each other.  The order of these is important; if you can't break the security of one layer, then the subsequent layers are unbreakable too.  If the Allies could not intercept the German messages encrypted with the Enigma, all the brilliant cryptanalysis wouldn't have helped them one whit.
</p>
]]></content:encoded>
				</item>
</channel>
</rss>
