Re: [cryptography] Well, that's depressing. Now what?
On Feb 2, 2012, at 6:25 PM, ianG wrote:

> Hi Bill,

Actually, Marsh wrote those words, but my mail client decided I really needed to take credit for them... on the order of 6 or 8 times.

-wps

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Well, that's depressing. Now what?
On 29/01/12 13:54 PM, Noon Silk wrote:

> On Sun, Jan 29, 2012 at 1:03 PM, ianG i...@iang.org wrote:
>
>> [...] It seems to me that you are resting on a sort of philosophical assumption that pure research is pure, neither good nor bad. If that is the case, the problem with this assumption is that QKD is not pure, it's applied. We know precisely where we (as society) are going to apply the results to, it's in the title: Key Distribution.
>
> I don't know what you mean by applied and pure research here. That is to say, you claim it's applied purely because it's used for some problem you know about?

Yes, applied. The research is applied to a problem that we in society have faced and want solved, for direct economic improvement.

> Or because it's a problem that already has a solution proposed? Because it seems like any research falls under that categorisation ..., I mean there is pure maths and applied maths, pure maths doesn't mean it's not applied to problems.

Maths is value-free, this is research, which costs money. Research is typically paid for by grants. The grant requests will specify in one way or another whether the research is directed to a specific field. That is, applied, or pure. In this case, it's in the title. All grants for this area will raise the impression that this leads to the successful creation of a new and important market in QKD devices. If you're unsure on this point, ask your profs for some grant applications.

Our point here is that such an impression is false. From everything we know, a proper market will not exist. We can predict this from economic, marketing, scientific and end-customer-demand bases. What we can't do is rule out a market based on falsity. That's quite possible. We have many of those in the field. For those, we tend to slap on the term snake-oil.

(One thing should be noted however that snake-oil itself isn't really defined. Often, it is used in reverse. For example, I think there is a major software product that still calls self-signed certificates snake-oil certificates. Which is upside down, the use of the term itself can be snake-oil recursively. So really, it is not good to get too bent up about the term.)

> Note that I didn't say research doesn't cost money; I said it doesn't cost businesses *directly*. That is, if I publish some paper on a protocol, you can't call it snake oil because I'm not selling it to you!

Ha. Snake oil refers to its marketing claims, not to who's buying. You are selling your paper to someone. In this case, QKD is being sold, as a field of endeavour, to: your professor, your academic peers, your grant funders, your university as employer, venture capitalists, politicians, the military, etc etc. In the academic world, the currency of choice is published papers and citations. Which means, a published paper is selling its authors. Who are earning from its success. Grants, promotions, tenure, etc.

> You can, of course, claim it doesn't consider implementation requirements (maybe it doesn't) and you can claim that it doesn't work (maybe it doesn't), but in that case my response to you is cool, thanks, somehow I missed that, let's keep working on it!, not ah, you got me, was hoping you wouldn't see that, which is what you're implying (with the snake oil claim).

Yeah, it's fine. Just take KD out of the title (and the grant applications) and we're all cool :)

> I mean, look at this argument we've gotten ourselves into ... it's also completely useless. If you don't want to buy a QKD product, then fine; so be it, I'm not trying to convince you otherwise (and I certainly don't work for anyone who sells them; I'm just a student).

It's not useless. 9 out of 10 people with a long term background in security advise not to invest a dime in QKD. If they're right, that means the money is saved for something worthwhile.

> You mean QKD *products*.

No, I mean research. Sure, invest in Quantum, it's great, as the comic says, it's what transistors do :) But forget the KD, there are many many reasons why this isn't going to work. It's like alchemy, which is research in how to turn lead into gold. Sure you can do the research, but it seems that historically this didn't work out.

> So be it (as I said), I'm not going to argue about that (like I said, I don't know about them in detail to argue, specifically).

As someone who has studied marketing at an advanced level, I can suggest that applied research is part of the product. Strange as it may seem.

> I've tried really hard to state that I don't see a problem with complaining about specific implementations of a QKD protocol.

Yeah, we get it. But this is a slippery slope. You say you're promoting QKD protocols not products. But the only way to do that is to promise product. In the grant request. Try this experiment. Write two grant requests. One which talks about the quantum properties at a pure level, and one
Re: [cryptography] Well, that's depressing. Now what?
Mmm, mail misfire. Apologies. I'd say I'm better than that, but apparently, I'm not.

-wps

On Jan 31, 2012, at 1:50 PM, Bill Squier wrote:

> On 01/31/2012 05:21 AM, ianG wrote:
>
>> major software product that still calls self-signed certificates snake-oil certificates. Which is upside down, the use of the term itself can be snake-oil recursively.
>
> That would make it 'Ouroboros oil'.
>
>> Yes, easy. QKD requires hardware. A laser+receiver at each end, fiber in the middle. Software techniques don't impose any hardware costs. QKD is only ever point to point. It can never be end to end. We now have a 1.5 decade experiment that tells us that point to point security is pretty much ... cosmetic for serious purposes.
>
> Now, now. Weren't you just sticking up for self-signed certs? Different applications have different needs. For the foreseeable future, QKD requires dedicated hardware at each end of an unboosted fiber circuit. This is OK! Every system has known limitations.
>
>> It's like this: in principle, it is possible to imagine a perfect link between those two boxes. But, those two boxes aren't customer applications. Pretty much all customer applications are more complex than two end-points and a piece of string between.
>
> There are some fixed point-to-point connections of bicycle distance in the world needing security from fiber-splicing attackers who control the physical key distribution and might also (can't say for sure) secretly have better mathematicians than the rest of the world. You know what QKD would have been great for? West Berlin. With the short block lengths in use back then it probably would make sense to re-key every minute.
>
> - Marsh
Re: [cryptography] Well, that's depressing. Now what?
On 01/31/2012 05:21 AM, ianG wrote:

> major software product that still calls self-signed certificates snake-oil certificates. Which is upside down, the use of the term itself can be snake-oil recursively.

That would make it 'Ouroboros oil'.

> Yes, easy. QKD requires hardware. A laser+receiver at each end, fiber in the middle. Software techniques don't impose any hardware costs. QKD is only ever point to point. It can never be end to end. We now have a 1.5 decade experiment that tells us that point to point security is pretty much ... cosmetic for serious purposes.

Now, now. Weren't you just sticking up for self-signed certs? Different applications have different needs. For the foreseeable future, QKD requires dedicated hardware at each end of an unboosted fiber circuit. This is OK! Every system has known limitations.

> It's like this: in principle, it is possible to imagine a perfect link between those two boxes. But, those two boxes aren't customer applications. Pretty much all customer applications are more complex than two end-points and a piece of string between.

There are some fixed point-to-point connections of bicycle distance in the world needing security from fiber-splicing attackers who control the physical key distribution and might also (can't say for sure) secretly have better mathematicians than the rest of the world. You know what QKD would have been great for? West Berlin. With the short block lengths in use back then it probably would make sense to re-key every minute.

- Marsh
Re: [cryptography] Well, that's depressing. Now what?
On Sat, Jan 28, 2012 at 6:55 PM, Nico Williams n...@cryptonector.com wrote:

> [BTW, I held off saying anything until the first post. I'd wanted to see how long we could collectively avoid the same old QKD thread. It took five hours to the first post, fourteen to get to the first significant disagreement.]
>
> On Fri, Jan 27, 2012 at 8:43 PM, Noon Silk noonsli...@gmail.com wrote:
>
>> I think it's important to note that it's obviously completely wrong to say QKD is snake-oil, what you *can* say is that someone *selling* *any* demonstrably-insecure crypto device as a secure one, is snake oil. So, that is to say, you can only claim snake-oil in reference to a vendor and a device, not a field of research.
>
> This has been covered to death by now, both today and in the past (search the archives of this and similar lists). Until we see scalable quantum authenticated quantum secrecy / key distribution, QKD is not suitable for production deployment.

Right, but two things: 1) who disagrees with that? not me, 2) this isn't what my original comment was about.

> [...] , but QKD as a product sure is.

Again, this is a useless statement in its general form; you need to be specific.

> Nico

--
Noon Silk
Fancy a quantum lunch? https://sites.google.com/site/quantumlunch/
Every morning when I wake up, I experience an exquisite joy — the joy of being this signature.
Re: [cryptography] Well, that's depressing. Now what?
On Sun, Jan 29, 2012 at 1:23 AM, Steven Bellovin s...@cs.columbia.edu wrote:

> On Jan 27, 2012, at 8:22 PM, Noon Silk wrote:
>
>> On Sat, Jan 28, 2012 at 6:01 AM, Steven Bellovin s...@cs.columbia.edu wrote:
>>
>>>> Or at least that's what everyone thought. More recently, various groups have begun to focus on a fly in the ointment: the practical implementation of this process. While quantum key distribution offers perfect security in practice, the devices used to send quantum messages are inevitably imperfect.
>>>
>>> This is only surprising if you assume large values of everyone. Anyone in the real world has long since worried about implementations. Remember Bob Morris' Rule 1 of cryptanalysis: check for plaintext. (http://www.ieee-security.org/Cipher/ConfReports/conf-rep-Crypto95.html)
>>
>> So why didn't one of these real world people point this out, to researchers? It's a bit too easy to claim something as obvious when someone just told you.
>
> https://www.cs.columbia.edu/~smb/blog/2007-06/2007-06-29.html is something I wrote 4.5 years ago. You'll note that it mentions the issue of sending more than one photon per bit. Bruce Schneier has often written on it:
>
> http://www.schneier.com/blog/archives/2010/09/successful_atta.html
> http://www.schneier.com/blog/archives/2009/12/quantum_cryptog_1.html
> http://www.wired.com/politics/security/commentary/securitymatters/2008/10/securitymatters_1016
>
> If you go to http://www.mail-archive.com/cryptography@metzdowd.com/msg07680.html you'll see a whole thread that I, among many others, participated in.

Right, but I said *specifically about the mentioned issue, in the original post*. Of course it would be ridiculous and wrong to claim the non-research world hasn't spoken about the issue with QKD in general, and commented on specific proposals. In your original post it looked to me that you claimed the found issue was obvious; not that side channel attacks were obvious (I addressed this in an earlier email).

> --Steve Bellovin, https://www.cs.columbia.edu/~smb

--
Noon Silk
Fancy a quantum lunch? https://sites.google.com/site/quantumlunch/
Every morning when I wake up, I experience an exquisite joy — the joy of being this signature.
Re: [cryptography] Well, that's depressing. Now what?
On Sun, Jan 29, 2012 at 4:22 AM, Nico Williams n...@cryptonector.com wrote:

> On Sat, Jan 28, 2012 at 2:33 AM, Noon Silk noonsli...@gmail.com wrote:
>
>> On Sat, Jan 28, 2012 at 6:55 PM, Nico Williams n...@cryptonector.com wrote:
>>
>>> Until we see scalable quantum authenticated quantum secrecy / key distribution, QKD is not suitable for production deployment.
>>
>> Right, but two things: 1) who disagrees with that? not me, 2) this isn't what my original comment was about.
>>
>>> [...] , but QKD as a product sure is.
>>
>> Again, this is a useless statement in its general form; you need to be specific.
>
> I don't see how I could have been much more specific given the two things you quoted from me.

As I said, you could point to specific products that you have issues with, not QKD at large (a collection of potential protocols and implementations).

> Let's turn it around: what QKD products do you think are not snake oil today? Please be specific (list products currently on sale) and back up the assertion with a rationale, remembering that this is in comparison to classical cryptography technology. Feel free to also point to literature about QKD technologies perhaps not yet on the market but which might change everything, and again, back up your assertions.

Nice try, but I'm not the one making general claims about it. My original comment to you was, it's not sensible to say QKD is snake oil, without direct reference to something. I didn't say I want to argue about which products are or aren't (frankly, I don't know anywhere near enough about them or their implementations to comment on that).

> Nico

--
Noon Silk
Fancy a quantum lunch? https://sites.google.com/site/quantumlunch/
Every morning when I wake up, I experience an exquisite joy — the joy of being this signature.
Re: [cryptography] Well, that's depressing. Now what?
On Sat, Jan 28, 2012 at 5:45 PM, Noon Silk noonsli...@gmail.com wrote:

> On Sun, Jan 29, 2012 at 4:22 AM, Nico Williams n...@cryptonector.com wrote:
>
>> I don't see how I could have been much more specific given the two things you quoted from me.
>
> As I said, you could point to specific products that you have issues with, not QKD at large (a collection of potential protocols and implementations).

Any key exchange solution based on quantum mechanics is pointless unless:

a) it's somehow better than ECDH,
b) does not weaken the security of the whole system,
c) it doesn't cost much more than ECDH.

(a) is critical. And it's not enough to say that QKD is inherently unbreakable in a way that hasn't been proven about some classical key exchange protocol, because if all QKD does is exchange keys then you still have to authenticate the exchanged keys and then use them, all in classical crypto, so any inherent strength of QKD does not accrue to the system as a whole.

Even supposing there was a complete all-quantum authentication + integrity- and confidentiality-protected data transfers solution, you'd still be limited to hop-by-hop security, and this is quite limiting. End-to-end security is preferable whenever one can have it. Even in multi-party protocols we generally do better than link-by-link security.

Now suppose that P=NP (and that fast algorithms can be found for every heretofore-thought-NP problem) and we suddenly really badly want quantum crypto, and suppose we did have quantum authenticated link encryption... but we'd still need the thing to be practical, which among other things means small and cheap enough to put on all the devices where we need security (and that's quite a few devices). Quantum tech will not be a perfect solution if P=NP, and it will be impractical and/or uneconomic for a long time. This makes just in case [P=NP] arguments for QKD rather weak, IMO.

(b) started out as the subject of this thread.

>> Let's turn it around: what QKD products do you think are not snake oil today? Please be specific (list products currently on sale) and back up the assertion with a rationale, remembering that this is in comparison to classical cryptography technology. Feel free to also point to literature about QKD technologies perhaps not yet on the market but which might change everything, and again, back up your assertions.
>
> Nice try, but I'm not the one making general claims about it. My original comment to you was, it's not sensible to say QKD is snake oil, without direct reference to something. I didn't say I want to argue about which products are or aren't (frankly, I don't know anywhere near enough about them or their implementations to comment on that).

I leave things here. I believe reasonable people can educate themselves about this and decide for themselves. I do believe there's not yet any economic point to any QKD technology currently on the market, and I've explained why. I've referred you to the archives as well; I encourage you to go look.

Nico
Re: [cryptography] Well, that's depressing. Now what?
Why is this depressing? Because the snake oil was snakier or oilier?

--Paul Hoffman
Re: [cryptography] Well, that's depressing. Now what?
> Or at least that's what everyone thought. More recently, various groups have begun to focus on a fly in the ointment: the practical implementation of this process. While quantum key distribution offers perfect security in practice, the devices used to send quantum messages are inevitably imperfect.

This is only surprising if you assume large values of everyone. Anyone in the real world has long since worried about implementations. Remember Bob Morris' Rule 1 of cryptanalysis: check for plaintext. (http://www.ieee-security.org/Cipher/ConfReports/conf-rep-Crypto95.html)

--Steve Bellovin, https://www.cs.columbia.edu/~smb
Re: [cryptography] Well, that's depressing. Now what?
On Fri, 27 Jan 2012 13:39:44 -0500, Warren Kumari war...@kumari.net wrote:

> If your security widget vendor is malicious, they may include some sort of storage in devices you purchase, record secret bits and someone might pull them out in the future
>
> Surely I am missing something here? Or is that really the news?

I thought the same thing and skimmed (very incompletely) through the paper. They do talk about how to hide the saved bits in later sessions of particular QKD protocols, so maybe there is something inherent there that would make such an attack, say, especially hard to detect in the QKD setting?

-SMH
Re: [cryptography] Well, that's depressing. Now what?
On Fri, Jan 27, 2012 at 3:49 PM, Sven Moritz Hallberg pe...@khjk.org wrote:

> On Fri, 27 Jan 2012 13:39:44 -0500, Warren Kumari war...@kumari.net wrote:
>
>> Surely I am missing something here? Or is that really the news?
>
> I thought the same thing and skimmed (very incompletely) through the paper. They do talk about how to hide the saved bits in later sessions of particular QKD protocols, so maybe there is something inherent there that would make such an attack, say, especially hard to detect in the QKD setting?

Well, if there were covert, deniable, quantum side-channels in QKD that the vendor could exploit practically undetectably, then yes, QKD would suddenly become not just snake oil but poisonous snake oil. OTOH, if this is just a worry that QKD devices might be compromised (whether purposefully by the vendor or unwittingly), then this is nothing new, and QKD remains snake oil.

Quantum authentication that scales (as opposed to requiring pair-wise physical exchange of entangled particle pairs) would be a neat trick -perhaps applying Needham-Schroeder?- but it'd still be a novelty/curiosity IMO.

The idea that QKD is in use by the military gives me pause, unless it's either completely redundant and classical crypto is still used (wasteful, yes, but that's a lesser concern), or the military using QKD is an enemy of the cause of liberty (in which case never mind and keep at it boys!).

Nico
Re: [cryptography] Well, that's depressing. Now what?
On 28/01/12 12:22 PM, Noon Silk wrote:

> On Sat, Jan 28, 2012 at 6:01 AM, Steven Bellovin s...@cs.columbia.edu wrote:
>
>>> Or at least that's what everyone thought. More recently, various groups have begun to focus on a fly in the ointment: the practical implementation of this process. While quantum key distribution offers perfect security in practice, the devices used to send quantum messages are inevitably imperfect.
>>
>> This is only surprising if you assume large values of everyone. Anyone in the real world has long since worried about implementations. Remember Bob Morris' Rule 1 of cryptanalysis: check for plaintext. (http://www.ieee-security.org/Cipher/ConfReports/conf-rep-Crypto95.html)
>
> So why didn't one of these real world people point this out, to researchers? It's a bit too easy to claim something as obvious when someone just told you.

Real world issues were frequently pointed out, but this isn't a real world project, and real world ears weren't listening. Quantum encryption is an unholy alliance between vulture funders who want some scary wonderful box to sell, physicists who need funding to play with really sexy ideas, and government who get tickled pink at the idea that their scientists are on the cutting edge of society. They just all come together with the same goal, but different interests.

It is a mistake to think this is about encryption. As is pointed out frequently, we can do more or less the same thing with SSL.

It is ... sadly the case that the market for security is not a real market in the sense of good information symmetrically held by all. Instead it is a market in silver bullets (google). This is just another silver bullet.

iang
Re: [cryptography] Well, that's depressing. Now what?
On Jan 27, 2012, at 5:22 PM, Noon Silk wrote:

> So why didn't one of these real world people point this out, to researchers? It's a bit too easy to claim something as obvious when someone just told you.

There are any number of us who have been quantum skeptics for years, and the responses that have come back to us have been essentially that the fact that we were skeptical showed ipso facto that we didn't know what we were talking about. The quantum folks have just insisted that doubting quantum cryptography was like doubting evolution or gravity.

Nonetheless, as prettily fragrant as the schadenfreude is this evening, I'm not sure I buy this paper, either. I'm immediately reminded of Clarke's First Law. (Not the technology and magic one, but one about elderly and distinguished scientists making predictions.)

The quantum crypto people have earned contempt from us math people by high-handedly dismissing any operational concerns, by fake competition -- insisting on the false dilemma that quantum and mathematical techniques are product and technological competitors, and even in the very *word* cryptography. Quantum cryptography is not cryptography. It is an amazing bit of physics. In the last few years, they've backed off to quantum key distribution but quantum *secrecy* is not only more accurate, less snake oil, and far cooler than either of the terms.

Heck, just this week, an article Quantum mechanics enables perfectly secure cloud computing showed up on physorg.com at http://www.physorg.com/news/2012-01-quantum-mechanics-enables-perfectly-cloud.html. It manages to put the same snake oil into the very headline by using the word perfect. It's been a relatively few days since I read something else where they were claiming that devices to do quantum crypto to mobile devices are around the corner, unironically including the trusted third party in the middle that acts as a key router. That one's perfect, too.

I can hardly wait to see the rebuttals to this paper.

Jon
Re: [cryptography] Well, that's depressing. Now what?
On Fri, Jan 27, 2012 at 11:23 PM, Paul Hoffman paul.hoff...@vpnc.org wrote:

> On Jan 27, 2012, at 6:43 PM, Noon Silk wrote:
>
>> [SNIP] what you *can* say is that someone *selling* *any* demonstrably-insecure crypto device as a secure one, is snake oil. So, that is to say, you can only claim snake-oil in reference to a vendor and a device, not a field of research.
>
> Again, we disagree. There are many fields of research that market themselves as useful when compared to other fields, and QKD is one of those. QKD is doing better than some, and worse than others: http://www.xkcd.com/808/.