Re: Quantum Cryptography

2007-07-03 Thread John Denker

On 07/01/2007 05:55 AM, Peter Gutmann wrote:


One threat model (or at least failure mode) that's always concerned me deeply
about QC is that you have absolutely no way of checking whether it's working
as required.  With any other mechanism you can run test vectors through it,
run ongoing/continuous self-checks, and (in the case of some Type I crypto)
run dual units in parallel with one checking the other.  With QC you've just
got to hope that everything's working as intended.  That alone would be enough
to rule out its use as far as I'm concerned, I can't trust something that I
can't verify.


That's partly true, but there's more to the story.

Let's start by looking at the simple case, and then proceed to a more
sophisticated analysis:

By analogy:
 -- baseball pitchers should be evaluated on things like ERA, while
 -- football halfbacks should be evaluated on things like yards per carry,
 ... and not vice versa.

By that I mean:
 -- the integrity of DH depends fundamentally on the algorithm, so you
  should verify the algorithmic theory, and then verify that the box
  implements the algorithm correctly; while
 -- in the simple case, the integrity of quantum cryptography depends
  fundamentally on the physics, so you should verify the physics
  theoretically and then verify that the box implements the physics
  correctly,
 ... and not vice versa.

Don't complain that you cannot verify the physics the same way you
would verify the algorithm;  it's not a relevant complaint.

There are some beautiful operational checks that *can* be made on
a simple quantum crypto system.  For starters, you can insert a
smallish amount of attenuation in the link, as a model of attempted
eavesdropping.  The system should detect this, shut down, and raise
the red flag;  if it doesn't, you know it's broken.

==

A more sophisticated analysis takes into account the fact that in the
real world (as opposed to the ultra-specialized laboratory bench),
there is always some dissipation.  Therefore any attempt to do anything
resembling quantum crypto (or even quantum computing) in the real world
uses some sort of error correction.  (These error correction schemes are
some of the niftiest results in the whole quantum computation literature,
because they involve /analog/ error correction, whereas most previous
modern error-correcting codes had been very, very digital.)  So there is
some interesting genuine originality there, from a theory-of-computation
standpoint.

From a security standpoint though, this raises all sorts of messy issues.
We now have a box that is neither a pitcher nor a fullback, but some
weird chimera.  To validate it you would need to verify the physics *and*
verify the algorithms *and* verify the interaction between the two.

Needless to say, an algorithm intended for crypto requires much stricter
scrutiny than the same algorithm intended for ordinary computation.

In particular, the oft-repeated claim that quantum cryptography detects
eavesdropping may be true on the lab bench, but it does _not_ follow in
any simple way that a usable long-haul system will have the same property.

===

I agree with Steve that there is a difference between bona-fide early-stage
research and snake oil.

I did research in neural networks at a time when 90% of the published
papers in the field were absolute garbage, such as claims of solving
NP-hard problems in P time.
 -- When there are people who respect the difference between garbage and
  non-garbage, and are doing serious research, we should support that.
 -- When people try to publish garbage, and/or package garbage in shiny
  boxes and sell it to the government, we should call it for what it is.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Quantum Cryptography

2007-07-03 Thread Paul Hoffman

At 5:11 PM -0400 7/2/07, John Denker wrote:

By that I mean:
 -- the integrity of DH depends fundamentally on the algorithm, so you
  should verify the algorithmic theory, and then verify that the box
  implements the algorithm correctly; while
 -- in the simple case, the integrity of quantum cryptography depends
  fundamentally on the physics, so you should verify the physics
  theoretically and then verify that the box implements the physics
  correctly,
 ... and not vice versa.


This is a nice, calm analogy, and I think it is useful. But it misses 
the point of the snake oil entirely.


The fact that there is some good quantum crypto theory doesn't mean 
that there is any application in the real world. For the real world, 
you need key distribution. For the cost of a quantum crypto box (even 
after cost reductions after years of successful deployment), you 
could put a hardware crypto accelerator that could do 10,000-bit DH.


Going back to the theory, the only way that quantum crypto will be 
more valuable than DH (much less ECDH!) is if DH is broken *at all 
key lengths*. If it is not, then the balance point for cost will be 
when the end boxes for quantum crypto equals the cost of the end 
boxes for still-useful DH.


Oh, and all the above is ignoring that DH works over multiple hops of 
different media, and quantum crypto doesn't (yet, maybe ever).


--Paul Hoffman, Director
--VPN Consortium



Re: Quantum Cryptography

2007-07-01 Thread Peter Gutmann
Alexander Klimov [EMAIL PROTECTED] writes:

So what kind of threat models does it address, and what does that say about
the kinds of customers who'd want it?

One threat model (or at least failure mode) that's always concerned me deeply
about QC is that you have absolutely no way of checking whether it's working
as required.  With any other mechanism you can run test vectors through it,
run ongoing/continuous self-checks, and (in the case of some Type I crypto)
run dual units in parallel with one checking the other.  With QC you've just
got to hope that everything's working as intended.  That alone would be enough
to rule out its use as far as I'm concerned, I can't trust something that I
can't verify.

Peter.



Re: Quantum Cryptography

2007-06-30 Thread Bill Stewart

At 08:51 AM 6/28/2007, Alexander Klimov wrote:

I suspect there are two reasons for QKD to be still alive.
First of all, the cost difference between quantum and normal
approaches is so enormous that a lot of ignorant decision makers
actually believe that they get something extra for this money.
  If you tell a lie big enough and keep repeating it, people
  will eventually come to believe it.

The second reason is ``rollback'' (is it right term?): you pay

Kickbacks would be the usual American term.

$10 from your company funds to a QKD vendor, and they
covertly give $5 back to you.


Never attribute to malice what can be adequately explained by incompetence.

Quantum Crypto is shiny new technology, complete with dancing pigs.
And once you've invested the research and development costs into building it,
of course you want to sell it to anybody who could use it.

So what kind of threat models does it address, and what does that
say about the kinds of customers who'd want it?
- It doesn't protect against traffic analysis,
because the eavesdropper can follow the fiber routes
and see who you're connected to.
- It potentially provides perfect forward secrecy a long time
into the future against attackers who can eavesdrop on you now
and save all the bits they want.
That's mainly useful for military applications - most commercial
applications don't require secrecy for more than a few years,
and most criminal activities can't use it because of the
traffic analysis threat.   Maybe banks?
- It doesn't protect against Auditors getting your data.
So maybe it's not useful for banks.
That's really too bad, because except for the military,
the main kinds of customers that need to spend lots of money
on extra-shiny security equipment are doing so to distract Auditors,
but it does let you tell the auditors you'd done everything you could.

- The Quantum Key Distribution versions only protect keys, not data,
so it doesn't protect you against cracking symmetric-key algorithms.
It does provide some protection against Zero-Day attacks on
public-key crypto-systems, but wrapping your key exchange
in a layer of symmetric-key crypto can do that also.
And if you're the military, you can revert to the traditional
armed couriers with briefcases handcuffed to their arms method.


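One way to do the symmetric-key wrapping of a key exchange that Bill mentions, as an added example that is not part of the thread: mix a pre-shared key into the key derivation so that the session key depends on both the DH secret and the PSK. An attacker who later breaks DH (or recorded the exchange and breaks it now) gets Z but still not the key; an attacker who stole the PSK still needs Z. The toy group, the names, the transcript layout and the HKDF-style derivation are my choices, not anything the post specifies.

```python
"""Diffie-Hellman wrapped with a pre-shared symmetric key (added example)."""
import hashlib
import hmac
import secrets
from typing import Optional

# Toy group, for illustration only: the point is the key derivation, not the
# group.  A real deployment uses a standard 2048-bit+ MODP group or ECDH.
P = 2**61 - 1
G = 3


def dh_public(priv: int) -> int:
    return pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    """Z = g^(xy) mod p, fixed-width so the KDF input is unambiguous."""
    return pow(peer_pub, priv, P).to_bytes(8, "big")


def derive_session_key(z: bytes, psk: Optional[bytes], transcript: bytes) -> bytes:
    """HKDF-style extract-then-expand with the PSK as the extract salt.

    With psk=None this is an ordinary DH-derived key, recoverable by anyone
    who can compute Z.  With a PSK, an attacker needs Z *and* the PSK: a
    later break of DH (or a recording of the exchange) is not enough."""
    salt = psk if psk is not None else bytes(32)
    prk = hmac.new(salt, z, hashlib.sha256).digest()
    return hmac.new(prk, transcript + b"\x01", hashlib.sha256).digest()


def handshake(psk: Optional[bytes], a_priv: int, b_priv: int):
    """Both sides of the exchange.  Returns (alice_key, bob_key, z, transcript)
    so the attacker scenarios below can be checked against the real key."""
    a_pub, b_pub = dh_public(a_priv), dh_public(b_priv)
    transcript = b"DH-PSK-v1|" + a_pub.to_bytes(8, "big") + b_pub.to_bytes(8, "big")
    alice_key = derive_session_key(dh_shared(a_priv, b_pub), psk, transcript)
    bob_key = derive_session_key(dh_shared(b_priv, a_pub), psk, transcript)
    return alice_key, bob_key, dh_shared(a_priv, b_pub), transcript


def attacker_key(z: Optional[bytes], psk: Optional[bytes],
                 transcript: bytes) -> Optional[bytes]:
    """What an attacker can derive from what she holds: Z if public-key
    crypto is broken, the PSK if it leaked, the session key only with both."""
    if z is None:
        return None            # no Z: nothing to derive, PSK or not
    return derive_session_key(z, psk, transcript)


if __name__ == "__main__":
    psk = secrets.token_bytes(32)          # delivered out of band (courier, etc.)
    a_priv = secrets.randbelow(P - 2) + 1
    b_priv = secrets.randbelow(P - 2) + 1
    ak, bk, z, tr = handshake(psk, a_priv, b_priv)
    print("keys agree:         ", ak == bk)
    print("DH broken, no PSK:  ", attacker_key(z, None, tr) == ak)
    print("PSK leaked, no Z:   ", attacker_key(None, psk, tr) == ak)
    print("DH broken and PSK:  ", attacker_key(z, psk, tr) == ak)
    plain, _, _, _ = handshake(None, a_priv, b_priv)
    print("plain DH, DH broken:", attacker_key(z, None, tr) == plain)
```

The last line of the demo is the baseline: with no PSK, whoever computes Z has the key, which is the zero-day case Bill describes. The PSK has to be distributed by some other channel, which is the same key-distribution problem QKD is sold as solving; the difference is that here it only needs to be done once per pair and topped up occasionally.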


Re: Quantum Cryptography

2007-06-30 Thread Ivan Krstić

On Jun 29, 2007, at 10:44 AM, Steven M. Bellovin wrote:

It's very valid to criticize today's products, and it's almost
obligatory to criticize over-hyped marketing.  As I said, I don't think
today's products are useful anywhere, and the comparisons vendors draw
to conventional cryptography are at best misleading.  But let's not
throw the baby out with the bathwater.


The problem I have with QC is that, as others have amply pointed out,  
there is a lot of bathwater but not much of a baby to speak of. If  
someone created a protocol that does a DH exchange at the beginning  
and then throws away the secret and performs the rest of the  
communication in plaintext, we'd hardly call the resulting system a  
cryptographic protocol. Really, we'd be hesitant to use any form of  
the word cryptography in the description.


QC, however, does something exactly analogous: it performs a  
quantum key exchange and then falls back on classical primitives.  
It's at best confusing, fallacious and disingenuous to refer to such  
setups as quantum cryptography, though I understand classical  
encryption with quantum key exchange has less of a marketable ring  
to it.


So, by all means, let the QKD and related research continue. It's  
interesting, it's cool, it's *important* work. But when the folks  
behind it are talking to those of us who understand and work with  
cryptography every day, they need to do a much better job at not  
letting their own imprecise and almost deceitful terminology paint  
themselves in a corner and trigger our snakeoil detectors. I deeply  
support Jon's proposal of renaming the whole thing quantum secrecy,  
in which case I'd get off my snark horse and show more respect for  
the whole thing.


--
Ivan Krstić [EMAIL PROTECTED] | GPG: 0x147C722D



Re: Quantum Cryptography

2007-06-29 Thread Steven M. Bellovin
I'm unhappy with the tone of the discussion thus far.  It's gone far
beyond critiquing current products and is instead attacking the very
concept.

Today's cryptography is largely based on certain assumptions.  You
can't even call them axioms; they're far too weak.  Let's consider
RSA.  We *know* that no one has proven it equivalent to factoring; even
if that had been done, there is as far as I know no theoretically and
useful computational complexity bound for factoring, especially for the
average case.  Similarly, we have no proofs that discrete log is
inherently hard.  But cryptographic proofs frequently work by showing
that breaking some new construct is equivalent to solving one of these
believed to be hard problems.  We have a theoretically unbreakable
system -- one-time pads -- but as most of us on this list know, they're
rarely usable.

Protocols are even worse.  We can prove certain things about the
message exchanges, and we have tools to help analyze protocols.  But I
have yet to see any such mechanism that can cope with attacks that mix
protocol weaknesses with, say, number theory -- think of
Bleichenbacher's Million Message Attack (which also involved how the
protocol worked over the wire) or Simmons' Common Modulus Attack.

It's not wrong to want something better.  Sure, we think our ciphers
are secure.  The Germans thought that of Enigma and the
Geheimschreiber; the Japanese thought that of Purple.  Is AES secure?
NSA has said so publicly, but there have been technical papers
challenging that.  I've seen no technical commentary on this list on
the Warren D. Smith paper that was cited here about a week ago.

To me, QKD is indeed a very valid area for research.  It's a very
different approach; ultimately, it may prove to be useful, at least in
some circumstances.

Now -- I'm not saying that *anyone* should buy today's products.  As
has been pointed out ad infinitum, they rely on conventional
cryptographic techniques for authentication.  More seriously, they have
been subject to serious friendly attacks.  It's only recently been
mentioned prominently that most devices don't send a single photon
per bit, and the proof of security relies on that.  There is the
limitation, possibly inherent, to a single link.  (I wonder, though,
what can be done in the future with switched optical networks.)

All that said, perhaps QKD will be useful some day.  Unauthenticated?
Diffie-Hellman is unauthenticated.  Expensive?  RSA is computationally
expensive, and in fact wasn't used very much for 10 years after its
invention.  Single link?  We still use -- and need -- link-layer
cryptography today.  Provable security?  Despite their limitations,
one-time pads are and have been used in the real world. Sometimes, the
operational and threat environments are right.  Gilmore has noted that
cryptography is a matter of economics -- and in some situations,
perhaps the economics of QKD are right.

It's very valid to criticize today's products, and it's almost
obligatory to criticize over-hyped marketing.  As I said, I don't think
today's products are useful anywhere, and the comparisons vendors draw
to conventional cryptography are at best misleading.  But let's not
throw the baby out with the bathwater.


--Steve Bellovin, http://www.cs.columbia.edu/~smb



Re: Quantum Cryptography

2007-06-28 Thread Alexander Klimov
I suspect there are two reasons for QKD to be still alive.
First of all, the cost difference between quantum and normal
approaches is so enormous that a lot of ignorant decision makers
actually believe that they get something extra for this money.

  If you tell a lie big enough and keep repeating it, people
  will eventually come to believe it.

The second reason is ``rollback'' (is it right term?): you pay
$10 from your company funds to a QKD vendor, and they
covertly give $5 back to you.

-- 
Regards,
ASK



Re: Quantum Cryptography

2007-06-27 Thread Jon Callas

On Jun 26, 2007, at 10:10 AM, Nicolas Williams wrote:



This too is a *fundamental* difference between QKD and classical
cryptography.


What does this classical word mean? Is it the Quantum way to say  
real? I know we're in violent agreement, but why are we letting  
them play language games?




IMO, QKD's ability to discover passive eavesdroppers is not even
interesting (except from an intellectual p.o.v.) given: its inability to
detect MITMs, its inability to operate end-to-end across middle
boxes, while classical crypto provides protection against eavesdroppers
*and* MITMs both *and* supports end-to-end operation across middle
boxes.


Moreover, the quantum way of discovering passive eavesdroppers is  
really just a really delicious sugar coating on the classical term  
denial of service. I'm not being DoSed, I'm detecting a passive  
eavesdropper!


Jon



Re: Quantum Cryptography

2007-06-27 Thread [EMAIL PROTECTED]

On 6/25/07, Greg Troxel [EMAIL PROTECTED] wrote:


 1) Do you believe the physics?  (Most people who know physics seem to.)


For those who would like to know a little more about the physics, see:

http://www.icfo.es/images/publications/J05-055.pdf, Quantum Cloning,
Valerio Scarani, Sofyan Iblisdir, and Nicolas Gisin. This is a late
2005 review of eavesdropping techniques for QKD. Much of the
terminology of quantum physics is unfamiliar to me but I think the
paper states that Eve could theoretically get 5/6 of the bits through
cloning and to keep this from happening, Alice and Bob have to assume
an eavesdropper if more than 11% of the bits have errors.

also:

http://w3.antd.nist.gov/pubs/Mink-SPIE-One-Time-Pad-6244_22.pdf,
One-Time Pad Encryption of Real-Time Video, Alan Mink, Xiao Tang,
LiJun Ma, Tassos Nakassis, Barry Hershman, Joshua C. Bienfang, David
Su, Ron Boisvert, Charles W. Clark and Carl J. Williams - a more
accessible paper describing a working system where NIST claims bit
error rates in the 3% range while generating key material at greater
than 2Mb/s. It's not clear whether the bit error rate is before or
after an error correction stage but the paper discusses how bit error
rate reduces the overall result after privacy amplification so I
believe they have thought of Eve cloning photons in flight.

-Michael

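Added example, not part of Michael's post or of the papers he cites: a small BB84 simulation that shows where the 11% figure comes from. Eve does intercept-resend on a chosen fraction of the photons, Alice and Bob sift on matching bases and sacrifice a sample of the sifted key to estimate the quantum bit error rate (QBER), and the post-processing yield is computed with the standard asymptotic one-way BB84 rate r = 1 - 2 h(Q), the Shor-Preskill bound, which reaches zero just above Q = 11%. The ideal lossless, noiseless channel, the 25% error-estimation sample, the seed and the names are my assumptions; a real link also has detector noise and loss, so the error budget is shared between Eve and the hardware.

```python
"""BB84 intercept-resend simulation with QBER-based abort (added example)."""
import math
import random
from dataclasses import dataclass


def binary_entropy(q: float) -> float:
    """h(q) in bits, with h(0) = h(1) = 0."""
    if q <= 0.0 or q >= 1.0:
        return 0.0
    return -q * math.log2(q) - (1.0 - q) * math.log2(1.0 - q)


def bb84_key_fraction(qber: float) -> float:
    """Asymptotic secret-key fraction of one-way BB84: r = 1 - 2 h(Q).

    Error correction costs h(Q) bits per sifted bit and privacy amplification
    another h(Q) (Eve's information on the sifted key); r hits zero just
    above Q = 11 %, which is why that is the usual abort threshold."""
    return max(0.0, 1.0 - 2.0 * binary_entropy(qber))


@dataclass
class Run:
    sifted_bits: int     # bits left after sifting and error sampling
    qber: float          # estimated quantum bit error rate
    key_fraction: float  # fraction of those bits that survive post-processing
    aborted: bool        # True if the QBER exceeded the abort threshold


def _measure(bit: int, prep_basis: int, meas_basis: int, rng: random.Random) -> int:
    """Ideal qubit measurement: the same basis returns the prepared bit, a
    conjugate basis returns a uniformly random outcome."""
    return bit if prep_basis == meas_basis else rng.getrandbits(1)


def simulate_bb84(n: int, eve_fraction: float, seed: int = 1,
                  abort_qber: float = 0.11, sample_fraction: float = 0.25) -> Run:
    """Run n qubits through BB84.  Eve intercepts, measures and resends a
    fraction eve_fraction of them (0.0 = no eavesdropper, 1.0 = every
    photon).  Lossless, noiseless channel: every error is Eve's doing."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    alice_bits = [rng.getrandbits(1) for _ in range(n)]
    alice_bases = [rng.getrandbits(1) for _ in range(n)]  # 0 rectilinear, 1 diagonal
    bob_bases = [rng.getrandbits(1) for _ in range(n)]
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if rng.random() < eve_fraction:
            # Intercept-resend: Eve guesses a basis, measures, and re-emits the
            # state she observed.  A wrong guess (half the time) randomises
            # the bit Bob will see even when his basis matches Alice's.
            e_basis = rng.getrandbits(1)
            bit, a_basis = _measure(bit, a_basis, e_basis, rng), e_basis
        bob_bits.append(_measure(bit, a_basis, b_basis, rng))

    # Sifting: bases are announced over the (authenticated) classical channel;
    # only positions where Alice and Bob chose the same basis are kept.
    sifted = [(a, b) for a, b, ab, bb in
              zip(alice_bits, bob_bits, alice_bases, bob_bases) if ab == bb]

    # Error estimation: a random sample is disclosed in the clear and discarded.
    k = max(1, int(len(sifted) * sample_fraction))
    sample = rng.sample(range(len(sifted)), k)
    errors = sum(1 for i in sample if sifted[i][0] != sifted[i][1])
    qber = errors / k
    return Run(len(sifted) - k, qber, bb84_key_fraction(qber), qber > abort_qber)


if __name__ == "__main__":
    for eve in (0.0, 0.25, 1.0):
        r = simulate_bb84(20000, eve)
        print(f"Eve on {eve:.0%} of photons: QBER={r.qber:.3f} "
              f"key fraction={r.key_fraction:.3f} abort={r.aborted}")
```

Running it shows the two sides of the "detects eavesdropping" claim: intercept-resend on every photon gives a QBER near 25% and an abort, but an Eve who touches only a quarter of the photons lands near 6%, under the threshold, and is paid for only with a shorter key after privacy amplification. The NIST 3% figure leaves roughly 61% of the sifted bits as key; the 11% threshold is the point where nothing is left.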


Re: Quantum Cryptography

2007-06-27 Thread Nicolas Williams
On Tue, Jun 26, 2007 at 02:03:29PM -0700, Jon Callas wrote:
 On Jun 26, 2007, at 10:10 AM, Nicolas Williams wrote:
 This too is a *fundamental* difference between QKD and classical
 cryptography.
 
 What does this classical word mean? Is it the Quantum way to say  
 real? I know we're in violent agreement, but why are we letting  
 them play language games?

I don't mind using classical here.  I don't think Newtonian physics
(classical) is bad -- it works great at every day human scales.

 IMO, QKD's ability to discover passive eavesdroppers is not even
 interesting (except from an intellectual p.o.v.) given: its
 inability to detect MITMs, its inability to operate end-to-end across
 middle boxes, while classical crypto provides protection
 against  eavesdroppers *and* MITMs both *and* supports end-to-end
 operation across middle boxes.
 
 Moreover, the quantum way of discovering passive eavesdroppers is  
 really just a really delicious sugar coating on the classical term  
 denial of service. I'm not being DoSed, I'm detecting a passive  
 eavesdropper!

Heh!  Indeed: with classical (or non-quantum, or standard, or...) crypto
eavesdroppers are passive attackers and passive attackers cannot mount
DoS attacks (oh, I suppose that wiretapping can cause some slightly
noticeable interference in some cases, but usually that's no DoS), but
in QKD passive attackers become active attackers.

But it gets worse!  To eavesdrop on a QKD link requires much the same
effort (splice the fiber) as to be an MITM on a QKD link, so why would
any attacker choose to eavesdrop and be detected instead of being an
MITM, go undetected and get the cleartext they're after?  Right, they
wouldn't.  Attackers aren't stupid, and an attacker that can splice your
fibers can probably afford the QKD HW they need to mount an MITM attack.

So, really, you need authentication.  And, really, you need end-to-end,
not hop-by-hop authentication and data confidentiality + integrity
protection.

This reminds me of Feynman's presentation of Quantum Electro Dynamics,
which finished with QED.  Has it now been sufficiently established
that QKD is not useful that whenever it rears its head we can point
folks at archives of these threads and not spill anymore ink?

Nico
-- 



Re: Quantum Cryptography

2007-06-26 Thread Greg Troxel

Victor Duchovni [EMAIL PROTECTED] writes:

 Secure in what sense? Did I miss reading about the part of QKD that
 addresses MITM (just as plausible IMHO with fixed circuits as passive
 eavesdropping)?

It would be good to read the QKD literature before claiming that QKD is
always unauthenticated.

The generally accepted approach among the physics crowd is to use
authentication with secret keys and a universal family of hash
functions.

 Once QKD is augmented with authentication to address MITM, the Q
 seems entirely irrelevant.

It's not if you care about perfect forward secrecy and believe that DH
might be broken, and can't cope with or don't trust a Kerberos-like
scheme.  You can authenticate QKD with a symmetric mechanism, and get
PFS against an attacker who records all the traffic and breaks DH later.

See

  http://portal.acm.org/citation.cfm?id=863982&dl=GUIDE&dl=ACM

for a citation and

  http://www.ir.bbn.com/documents/articles/gdt-sigcomm03.pdf

for text, for a discussion of a system that uses regular IKE and AH to
authenticate the control channel and uses the resulting bits to key
ESP with AES or a one-time pad to get PFS against a DH-capable attacker.
This all ran on NetBSD over 3 sites in the Boston area for several
years.

There are two very hard questions for QKD systems:

 1) Do you believe the physics?  (Most people who know physics seem to.)

 2) Does the equipment in your lab correspond to the idealized models
with which the proofs for (1) were done.  (Not even close.)


Because of (2) I wouldn't have confidence in any current QKD system.
The one I worked on was for research, to address some of the basic
systems issues, because the physics community concentrates on the
physics parts.

I am most curious as to the legal issue that came up regarding QKD.




Re: Quantum Cryptography

2007-06-26 Thread Nicolas Williams
On Fri, Jun 22, 2007 at 08:21:25PM -0400, Leichter, Jerry wrote:
 BTW, on the quantum subway tokens business:  In more modern terms,
 what this was providing was unlinkable, untraceable e-coins which
 could be spent exactly once, with *no* central database to check
 against and none of this well, we can't stop you from spending it
 more than once, but if we ever notice, we'll learn all kinds of
 nasty things about you.  (The coins were unlinkable and untraceable
 because, in fact, they were *identical*.)  Now, of course, they
 were also physical objects, not just collections of bits.  The same
 is true of the photons used in quantum key exchange.  Otherwise,
 it wouldn't work.  We're inherently dealing with a different model
 here.  Where it ends up is anyone's guess at this point.

This relates back to the inutility of QKD as follows: when physical
exchanges are required you cannot run such exchanges end-to-end over an
Internet -- the middle boxes (routers, etc...) get in the way of the
physical exchange.

This too is a *fundamental* difference between QKD and classical
cryptography.

That difference makes QKD useless in *today's* Internet.

IF we had a quantum authentication facility then we could build
hop-by-hop authentication to build an Internet out of QKD and QA
(quantum authentication).  That's a *big* condition, and the change in
security models is tremendous, and for the worse: since the trust chains
get enormously enlarged.

IMO, QKD's ability to discover passive eavesdroppers is not even
interesting (except from an intellectual p.o.v.) given: its inability to
detect MITMs, its inability to operate end-to-end across middle
boxes, while classical crypto provides protection against eavesdroppers
*and* MITMs both *and* supports end-to-end operation across middle
boxes.

Nico
-- 



Re: Quantum Cryptography

2007-06-26 Thread Victor Duchovni
On Mon, Jun 25, 2007 at 08:23:14PM -0400, Greg Troxel wrote:

  1) Do you believe the physics?  (Most people who know physics seem to.)

Yes.

  2) Does the equipment in your lab correspond to the idealized models
 with which the proofs for (1) were done.  (Not even close.)

Does QKD address a real-world risk at a reasonable cost without unreasonable
application constraints?

If I am very concerned about PFS for secrets that must stay secure for
decades and 521-bit ECDH is broken, yes I lose PFS. So there may be a
market for fixed direct circuits used by a small number of agencies, but
if I were a budget director I would spend the money elsewhere...

 I am most curious as to the legal issue that came up regarding QKD.

Indeed, what was the legal question that got us here?

-- 

 /\  ASCII RIBBON                    NOTICE: If received in error,
 \ / CAMPAIGN     Victor Duchovni    please destroy and notify
  X  AGAINST      IT Security,       sender. Sender does not waive
 / \ HTML MAIL    Morgan Stanley     confidentiality or privilege,
                                     and use is prohibited.



Re: Quantum Cryptography

2007-06-26 Thread Nicolas Williams
On Mon, Jun 25, 2007 at 08:23:14PM -0400, Greg Troxel wrote:
 Victor Duchovni [EMAIL PROTECTED] writes:
  Secure in what sense? Did I miss reading about the part of QKD that
  addresses MITM (just as plausible IMHO with fixed circuits as passive
  eavesdropping)?
 
 It would be good to read the QKD literature before claiming that QKD is
 always unauthenticated.

Noone claimed that it isn't -- the claim is that there is no quantum
authentication, so QKD has to be paired with classical crypto in order
to defeat MITMs, which renders it worthless (because if you'll rely on
classical crypto then you might as well only use classical crypto as QKD
doesn't add any security that classical crypto, which you still have to
use, doesn't already).

The real killer for QKD is that it doesn't work end-to-end across middle
boxes like routers.  And as if that weren't enough there's the
exorbitant cost of QKD kit.

 The generally accepted approach among the physics crowd is to use
 authentication with secret keys and a universal family of hash
 functions.

Everyone who's commented has agreed that authentication is to be done
classically as there is no quantum authentication yet.

But I can imagine how quantum authentication might be done: generate an
entangled pair at one end of the connection, physically carry half of it
to the other end, and then run a QKD exchange that depends on the two
ends having half of the same entangled particle or photon pair.  I'm no
quantum physicist, so I can't tell how workable that would be
physics-wise, but such a scheme would be analogous to pre-sharing
symmetric keys in classical crypto.  Of course, you'd have to do this
physical pre-sharing step every time you restart the connection after
having run out of pre-shared entangled pair halves; ouch.

  Once QKD is augmented with authentication to address MITM, the Q
  seems entirely irrelevant.
 
 It's not if you care about perfect forward secrecy and believe that DH
 might be broken, and can't cope with or don't trust a Kerberos-like
 scheme.  You can authenticate QKD with a symmetric mechanism, and get
 PFS against an attacker who records all the traffic and breaks DH later.

The end-to-end across middle boxes issue kills this argument about
protection against speculative brokenness of public key cryptography.

All but the smallest networks depend on middle boxes.

Quantum cryptography will be useful when:

 - it can be deployed in an end-to-end fashion across middle boxes

 OR

 - we adopt hop-by-hop methods of building end-to-end authentication

And, of course, quantum kit has got to be affordable, but let's assume
that economies of scale will be achieved once quantum crypto becomes
useful.

Critical breaks of public key crypto will NOT be sufficient to drive
adoption of quantum crypto: we can still build networks out of symmetric
key crypto (and hash/MAC functions) only if need be (with pre-shared
keying, Kerberos, and generally Needham-Schroeder).

 There are two very hard questions for QKD systems:
 
  1) Do you believe the physics?  (Most people who know physics seem to.)
 
  2) Does the equipment in your lab correspond to the idealized models
 with which the proofs for (1) were done.  (Not even close.)

But the only real practical issue, for Internet-scale deployment, is the
end-to-end issue.  Even for intranet-scale deployments, actually.

 I am most curious as to the legal issue that came up regarding QKD.

Which legal issue?

Nico
-- 



Re: Quantum Cryptography

2007-06-26 Thread John Denker

On 06/25/2007 08:23 PM, Greg Troxel wrote:

  1) Do you believe the physics?  (Most people who know physics seem to.)

Well, I do happen to know a thing or two about physics.  I know
 -- there is quite a lot you can do with quantum physics, and
 -- there is quite a lot you cannot do with quantum physics.

I also know that snake-oil salesmen can lie about the physics
just as easily as they lie about anything else.

Since it's not clear what is meant by THE physics, it would
be more meaningful to ask more-specific questions, namely:
 -- Do I believe in real physics?  Yes.
 -- Do I believe in what Dr. Duck says about physics?  Usually not.

==

One commonly-made claim about quantum cryptography is that
it can detect eavesdropping.  I reckon that's narrowly
true as stated.  The problem is, I don't know why I should
care.  The history of cryptography for most of the last 2000
years has been a cat and mouse game between the code makers
and the code breakers.  The consensus is that right now the
code makers have the upper hand.  As a result, Eve can eavesdrop
all she wants, and it won't do her a bit of good.

To say the same thing:  It appears that in this respect, quantum
cryptography takes a well-solved problem and solves it another
way at higher cost and lower throughput.  The cost/benefit ratio
is exceedingly unfavorable, and seems likely to remain so.

Meanwhile, it takes some less-well-solved problems and makes
them worse.  Consider for example traffic analysis.  Since
quantum encryption requires a dedicated hardware link from end
to end, there is no hope of disguising who is communicating
with whom.

I am reminded of a slide that Whit Diffie used in one of his
talks.  It showed a house that was supposed to be protected
by a picket fence.  The problem was that the so-called fence
consisted of a single picket, 4 inches wide and a mile high,
while the other 99.9% of the perimeter was unprotected.  Yes
sirree, no eavesdropper is going to hop over that picket!

One sometimes hears even stronger claims, but they are even
more easily refuted.  I've reviewed papers that claim quantum
mechanics solves the key distribution problem but in fact
they were using classical techniques to deal with all the
hard parts of the problem.  It reminds me of stone soup: if
the ingredients include broth, meat, vegetables, seasoning,
and a stone, I don't see why the stone should get credit for
the resulting soup.  Likewise, since a quantum key distribution
system is in no way better and in some ways worse than a
classical system, I don't see why quantum cryptography
should get credit for solving the problem.



Re: Quantum Cryptography

2007-06-23 Thread Jon Callas


On Jun 22, 2007, at 10:44 AM, Ali, Saqib wrote:

>> ...whereas the key distribution systems we have aren't affected by
>> eavesdropping unless the attacker has the ability to perform 2^128 or
>> more operations, which he doesn't.
>
> Paul: Here you are assuming that key exchange has already taken place.
> But key exchange is the toughest part. That is where Quantum Key
> Distribution QKD comes in the picture. Once the keys are exchanged
> using QKD, you have to rely on conventional cryptography to do bulk
> encryption using symmetric crypto.
>
> Using Quantum Crypto to do bulk encryption doesn't make any sense. It
> is only useful in key distribution.


Let me create an aphorism to sum up what Paul, Perry, and others have
said in detail before I address your comment:

    If Quantum Cryptography does what it claims, then it is
    strengthening the strongest link in the chain of security.

Now to your comment.

If you do a 3000 bit Diffie-Hellman exchange, you have a key exchange  
with 2^128 security, to the best of our knowledge, assuming this and  
that, blah, blah, blah. If you don't like 3000 bit integers, go to  
elliptic curve.


I have, in some of my talks, renamed Quantum Cryptography to Quantum
Secrecy. If the QC people would stop calling it cryptography, a good
deal of the hostility you find among us crypto people would evaporate.


Let me give an analogy. I will posit Quantum Message Teleportation.  
Using QMT, Alice can write her message on a piece of paper, close her  
eyes, and it will disappear from her hand and appear in Bob's hand.


This is cool. This is useful. It is amazing. It is also not  
cryptography.


It also has all the problems that Perry points out in QC, like a lack  
of authentication and so on. Like QC, adding cryptography to it makes  
it even more useful.


The QC people should change their song to QS, and stop bashing the  
mathematicians with arguments we can show are somewhere between  
incomplete and fallacious. Then they might find us drift over to  
supporting them because while Quantum Secrecy is not practical, it is  
very cool.


Jon



Re: Quantum Cryptography

2007-06-22 Thread Massimiliano Pala

Victor Duchovni wrote:

> Quantum Cryptography or Quantum Computing (i.e. cryptanalysis)?
>
> - Quantum Cryptography is fiction (strictly claims that it solves
>   an applied problem are fiction, indisputably interesting Physics).


I do not really agree with this statement. There are ongoing projects, that
I know of, that are actually working on maximizing communication throughput
(which is currently not very good) on encrypted channels and minimizing
costs of involved equipment. AFAIK, one great advantage of quantum crypto
is in the area of key-exchange when establishing a secure communication.
I guess quantum crypto is definitely not fiction (Anyhow I do not know if
it has already been used somewhere... ).

Later,

--

Best Regards,

Massimiliano Pala

--o
Massimiliano Pala [OpenCA Project Manager]    [EMAIL PROTECTED]
                                              [EMAIL PROTECTED]

Dartmouth Computer Science Dept               Home Phone: +1 (603) 397-3883
PKI/Trust - Office 063                        Work Phone: +1 (603) 646-9179
--o




Re: Quantum Cryptography

2007-06-22 Thread Ali, Saqib

> - Quantum Cryptography is fiction (strictly claims that it solves
>   an applied problem are fiction, indisputably interesting Physics).


Well that is a broad (and maybe unfair) statement.

Quantum Key Distribution (QKD) solves an applied problem of secure key
distribution. It may not be able to ensure unconditional secrecy
during key exchange, but it can detect any eavesdropping. Once
eavesdropping is detected, the key can be discarded.

saqib
http://security-basics.blogspot.com/



Re: Quantum Cryptography

2007-06-22 Thread Eugen Leitl
On Thu, Jun 21, 2007 at 01:20:35PM -0400, Victor Duchovni wrote:

 Quantum Cryptography or Quantum Computing (i.e. cryptanalysis)?
 
 - Quantum Cryptography is fiction (strictly claims that it solves
   an applied problem are fiction, indisputably interesting Physics).
 
 - Quantum Computing is science fiction. Some science fiction
   eventually becomes reality.

A nice blog to follow here is Shtetl-Optimized:
http://www.scottaaronson.com/blog/

-- 
Eugen* Leitl <leitl> http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE



Re: Quantum Cryptography

2007-06-22 Thread Victor Duchovni
On Thu, Jun 21, 2007 at 10:59:14AM -0700, Ali, Saqib wrote:

 - Quantum Cryptography is fiction (strictly claims that it solves
   an applied problem are fiction, indisputably interesting Physics).
 
 Well that is a broad (and maybe unfair) statement.
 
 Quantum Key Distribution (QKD) solves an applied problem of secure key
 distribution. It may not be able to ensure unconditional secrecy
 during key exchange, but it can detect any eavesdropping. Once
 eavesdropping is detected, the key can be discarded.

Secure in what sense? Did I miss reading about the part of QKD that
addresses MITM (just as plausible IMHO with fixed circuits as passive
eavesdropping)?

Once QKD is augmented with authentication to address MITM, the Q
seems entirely irrelevant.

-- 

 /\ ASCII RIBBON  NOTICE: If received in error,
 \ / CAMPAIGN Victor Duchovni  please destroy and notify
  X AGAINST   IT Security, sender. Sender does not waive
 / \ HTML MAILMorgan Stanley   confidentiality or privilege,
   and use is prohibited.



Re: Quantum Cryptography

2007-06-22 Thread Perry E. Metzger

Massimiliano Pala [EMAIL PROTECTED] writes:
 Victor Duchovni wrote:
 Quantum Cryptography or Quantum Computing (i.e. cryptanalysis)?
 - Quantum Cryptography is fiction (strictly claims that it solves
   an applied problem are fiction, indisputably interesting Physics).

 I do not really agree on this statement. There are ongoing projects, that
 I know of, that are actually working on maximizing communication throughput
 (which is currently not very good) on encrypted channels and minimizing
 costs of involved equipment. AFAIK, one great advantage of quantum crypto
 is in the area of key-exchange when establishing a secure communication.
 I guess quantum crypto is definitely not fiction (Anyhow I do not know if
 it has already been used somewhere... ).

Quantum cryptography is useless. Victor is completely correct here.

Quantum crypto provides you with a slow way of getting a one time pad
(of sorts) that you cannot authenticate and thus cannot trust, between
two endpoints only, and it does it at extreme expense.

Why do I say that you cannot authenticate? Because although you can
tell that no one eavesdropped in on the line, you have no way of
knowing that no one cut the fiber in two and put two such boxes in
between. You know that no one eavesdropped, but not who you are
talking to. Various physics types who I explain this to generally do
not understand what I'm talking about at first blush because they only
consider the problem of eavesdropping -- the notion that you also need
to verify who the guy at the other end is never occurs to them because
they aren't security people. The fact that the attacker might not even
bother to eavesdrop and could simply insert himself into the
communication stream never occurs to the proponents.

So, to fix the man-in-the-middle problem, you have to layer an
authentication technology on top. Unfortunately, the ones we have are
all conventional crypto -- perhaps a MAC of some sort. At which point,
you're trusting conventional crypto for your security, so why bother?
Conventional crypto is nearly free.

This brings up another issue.  Quantum crypto is exceptionally
expensive, and is virtually undeployable. To provide security that, in
a practical sense, is no better than what you can get from high key
length conventional ciphers, you spend vast amounts on end system
equipment, rent a dedicated dark fiber link between two locations that
can't be arbitrarily far apart, and in the end, you have two machines
that can talk securely in a world where one needs thousands or
millions of machines to talk securely to any one of the other
machines. The phone network and internet exist for a reason -- people
want communication networks, not a string between two cans between
each other's homes. They need NxN communication, not 1-1
communication. Building the N^2 array of dark fibers and quantum
crypto boxes between lots of machines is, of course, utterly
impractical and always will be. Of course, even if you could, you
would still need out of band key distribution and a MAC to know that
no one had man-in-the-middled your links. Again, why bother?

Now, let's consider the alternative. In a practical sense, no one
rational worries on a day to day basis that their security is going to
be compromised because someone has a magic box that decrypts 256 bit
AES in 12 seconds flat. The crypto we already have is more than good
enough. Quantum Crypto exists on the mistaken premise that people are
worried about their ciphers being broken and that this is the main
issue in security. It is not. Having your ciphers broken is not even
remotely the main issue for most installations.

What people worry about in the real world are design flaws,
programming errors, human interface problems that make things like
phishing possible, and whether or not the $12-an-hour security guard
at your data center will happily take a $5000 bribe to let someone at
your equipment for an hour. Quantum Key Distribution solves none of
those issues at all. The issue it does solve is a non-issue -- we
already have 256 bit keyed AES if you need it.

Quantum Crypto does what it says it does, but it is a commercially
worthless invention, like an 800 pound wristwatch that is 20% more
accurate than normal wristwatches but which is completely wrong one
day in seven, or like a $20,000,000 tube of toothpaste that tastes
slightly better but causes your teeth to explode one time in every
400. Even if the watch is marginally more accurate, no one will wear
it. Even if the toothpaste tastes slightly better, no one will buy
it. Neither invention solves a real problem from the real world.

Quantum Crypto was invented by physicists who understand physics well
but have no understanding of security. It does what it claims to do,
but what it claims to do is of no use to anyone. Quantum Crypto does
nothing at all for the things people actually need solved, and
for what it does do, it costs vastly too much. It is a lead balloon, a
jet 

Re: Quantum Cryptography

2007-06-22 Thread Leichter, Jerry
|  - Quantum Cryptography is fiction (strictly claims that it solves
|an applied problem are fiction, indisputably interesting Physics).
|  
|  Well that is a broad (and maybe unfair) statement.
|  
|  Quantum Key Distribution (QKD) solves an applied problem of secure key
|  distribution. It may not be able to ensure unconditional secrecy
|  during key exchange, but it can detect any eavesdropping. Once
|  eavesdropping is detected, the key can be discarded.
| 
| Secure in what sense? Did I miss reading about the part of QKD that
| addresses MITM (just as plausible IMHO with fixed circuits as passive
| eavesdropping)?
| 
| Once QKD is augmented with authentication to address MITM, the Q
| seems entirely irrelevant.
The unique thing the Q provides is the ability to detect
eavesdropping.  I think a couple of weeks ago I forwarded a pointer to
a paper showing that there were some limits to this ability, but
even so, this is a unique feature that no combination of existing
primitives can provide.  One can argue about what this adds.  The
current approach of the QKD efforts is to assume that physical
constraints are sufficient to block MITM, while quantum constraints
block passive listening (which is assumed not to be preventable
using physical constraints).  It's the combination that gives you
security.

One can argue about the reasonableness of this model - particularly
about the ability of physical limitations to block MITM.  It does
move the center of the problem, however - and into a region (physical
protection) in which there is much more experience and perhaps
some better intuition.  Valid or not, it certainly is easier to
give people the warm fuzzies by talking about physical protection
than by talking about math.

In the other direction, whether the ability to detect eavesdropping lets
you do anything interesting is, I think, an open question.  I wouldn't
dismiss it out of hand.  There's an old paper that posits a related
primitive, Verify Once Memory:  Present it with a set of bits, and it
answers either "Yes, that's the value stored in me" or "No, wrong value."
In either case, *the stored bits are irrevocably scrambled*.  (One
could, in principle, build such a thing with quantum bits, but beyond
the general suggestions in the original paper, no one has worked out how
to do this in detail.)  The paper uses this as a primitive to construct
unforgeable subway tokens:  Even if you buy a whole bunch of valid
tokens, and get hold of a whole bunch of used ones, you have no way
to construct a new one.  (One could probably go further - I don't
recall if the paper does - and have a "do the two of you match"
primitive, which would use quantum bits in both the token and the
token validator.  Then even if you had a token validator, you couldn't
create new tokens.  Obviously, in this case you don't want to scramble
the validator.)
-- Jerry



Re: Quantum Cryptography

2007-06-22 Thread Paul Hoffman

At 10:59 AM -0700 6/21/07, Ali, Saqib wrote:

>> - Quantum Cryptography is fiction (strictly claims that it solves
>>   an applied problem are fiction, indisputably interesting Physics).
>
> Well that is a broad (and maybe unfair) statement.
>
> Quantum Key Distribution (QKD) solves an applied problem of secure key
> distribution. It may not be able to ensure unconditional secrecy
> during key exchange, but it can detect any eavesdropping. Once
> eavesdropping is detected, the key can be discarded.

...whereas the key distribution systems we have aren't affected by
eavesdropping unless the attacker has the ability to perform 2^128 or
more operations, which he doesn't.

Which part of the word "useless" is not apparent here?

--Paul Hoffman, Director
--VPN Consortium



Re: Quantum Cryptography

2007-06-22 Thread Victor Duchovni
On Fri, Jun 22, 2007 at 11:33:38AM -0400, Leichter, Jerry wrote:

 | Secure in what sense? Did I miss reading about the part of QKD that
 | addresses MITM (just as plausible IMHO with fixed circuits as passive
 | eavesdropping)?
 | 
 | Once QKD is augmented with authentication to address MITM, the Q
 | seems entirely irrelevant.

 The unique thing the Q provides is the ability to detect eaves-
 dropping.

If I want to encrypt a fixed circuit, I assume that eavesdropping is
omni-present, and furthermore don't want to be constrained to transmit
only when the eavesdroppers have chosen to take a lunch break.

 One can argue about what this adds.

Warm fuzzies?

 The current approach of the QKD efforts is to assume that physical
 constraints are sufficient to block MITM.

An interesting assumption.

 It does move the center of the problem, however - and into a region
 (physical protection) in which there is much more experience and perhaps
 some better intuition. 

I would conjecture that a lot more people grasp undergraduate mathematics
than undergraduate quantum mechanics...

 Valid or not, it certainly is easier to give people the warm fuzzies by
 talking about physical protection than by talking about math

Warm fuzzies is not in conflict with fiction.

 In the other direction, whether the ability to detect eavesdropping lets
 you do anything interesting is, I think, an open question.  I wouldn't
 dismiss it out of hand.  There's an old paper that posits related
 primitive, Verify Once Memory:  Present it with a set of bits, and it
 answers either Yes, that's the value stored in me or No, wrong value.

Suppose I install a fake subway entrance, and MITM all the interactions
between the victim's card and the real turnstile where I have a card that
proxies the victim's interactions with the fake terminal. Is the system
still secure? Likely not, I would bet. The threat model was card forgery,
not MITM.



Re: Quantum Cryptography

2007-06-22 Thread Perry E. Metzger

Leichter, Jerry [EMAIL PROTECTED] writes:
 |  - Quantum Cryptography is fiction (strictly claims that it solves
 |an applied problem are fiction, indisputably interesting Physics).
 |  
 |  Well that is a broad (and maybe unfair) statement.
 |  
 |  Quantum Key Distribution (QKD) solves an applied problem of secure key
 |  distribution. It may not be able to ensure unconditional secrecy
 |  during key exchange, but it can detect any eavesdropping. Once
 |  eavesdropping is detected, the key can be discarded.
 | 
 | Secure in what sense? Did I miss reading about the part of QKD that
 | addresses MITM (just as plausible IMHO with fixed circuits as passive
 | eavesdropping)?
 | 
 | Once QKD is augmented with authentication to address MITM, the Q
 | seems entirely irrelevant.

 The unique thing the Q provides is the ability to detect eaves-
 dropping.  I think a couple of weeks ago I forwarded a pointer to
 a paper showing that there were some limits to this ability, but
 even so, this is a unique feature that no combination of existing
 primitives can provide.  One can argue about what this adds.

If it cost almost nothing, it would be a neat frill to have. When it
increases the cost of encrypting a link by a factor of four to six
orders of magnitude while still requiring all the old security systems
you had before, it is pretty uninteresting.

 The current approach of the QKD efforts is to assume that physical
 constraints are sufficient to block MITM,
[...]
 One can argue about the reasonableness of this model - particularly
 about the ability of physical limitations to block MITM.  It does
 move the center of the problem, however - and into a region (physical
 protection) in which there is much more experience and perhaps
 some better intuition.

Indeed it does. We have a lot of experience with securing links that
go for hundreds of km, and the experience tells us that we can't do it
in the real world. It would be one thing if experience said that
attackers can be easily found and stopped on long range physical
links, but we know that they can't, so why are we even thinking about
it this way?

Besides, companies like MagiQ don't say "we're giving you
unconditional security against eavesdropping provided your prayers
that no one MITMs you are granted", they claim that they are providing
you with actual unconditional security. They clearly are not.

 In the other direction, whether the ability to detect eavesdropping lets
 you do anything interesting is, I think, an open question.  I wouldn't
 dismiss it out of hand.

As you know, most of us argue you should simply assume you're being
eavesdropped on and design security so that you don't care. It is much
simpler, much less expensive, and much more robust.


-- 
Perry E. Metzger[EMAIL PROTECTED]



Re: Quantum Cryptography

2007-06-22 Thread Ali, Saqib

> ...whereas the key distribution systems we have aren't affected by
> eavesdropping unless the attacker has the ability to perform 2^128 or
> more operations, which he doesn't.


Paul: Here you are assuming that key exchange has already taken place.
But key exchange is the toughest part. That is where Quantum Key
Distribution QKD comes in the picture. Once the keys are exchanged
using QKD, you have to rely on conventional cryptography to do bulk
encryption using symmetric crypto.

Using Quantum Crypto to do bulk encryption doesn't make any sense. It
is only useful in key distribution.

saqib
http://www.linkedin.com/in/encryption



Re: Quantum Cryptography

2007-06-22 Thread Paul Hoffman

At 10:44 AM -0700 6/22/07, Ali, Saqib wrote:

>> ...whereas the key distribution systems we have aren't affected by
>> eavesdropping unless the attacker has the ability to perform 2^128 or
>> more operations, which he doesn't.
>
> Paul: Here you are assuming that key exchange has already taken place.

No, I'm not. I am talking about protocols that do their own key
exchange. IPsec. SSL/TLS. Kerberos. Etc.

> But key exchange is the toughest part.

No, requiring that the two ends have a fixed connection which QKD
works over is far tougher than using a proven protocol that works
over any connection.


--Paul Hoffman, Director
--VPN Consortium



Re: Quantum Cryptography

2007-06-22 Thread Victor Duchovni
On Fri, Jun 22, 2007 at 10:44:41AM -0700, Ali, Saqib wrote:

 Paul: Here you are assuming that key exchange has already taken place.
 But key exchange is the toughest part. That is where Quantum Key
 Distribution QKD comes in the picture. Once the keys are exchanged
 using QKD, you have to rely on conventional cryptography to do bulk
 encryption using symmetric crypto.

QKD fails to come into the picture, because its key exchange is
unauthenticated.

I can do secure unauthenticated key exchange at zero cost using EECDH
with no special quantum hardware. If the link is MITM-proof, I am done.

 Using Quantum Crypto to do bulk encryption doesn't make any sense. It
 is only useful in key distribution.

What bulk-encryption system am I going to use that is usefully stronger
than EECDH over secp384r1 (or tinfoil hat secp521r1)? It is also not
useful for key distribution. It remains (charitably) fiction.

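The point made in Perry Metzger's message above (cut the fibre, insert two boxes, and eavesdropping detection never fires) and in Victor Duchovni's reply here (the key exchange is unauthenticated until a classical MAC is layered on) can be watched happening in a small simulation. The code below is an added illustration, not code from any poster and not the protocol of any QKD product: a noiseless, deliberately simplified prepare-and-measure model in Python, with constructed parameters (the photon count N, the abort threshold QBER_ABORT, the pre-shared key) and with only the basis announcements authenticated by HMAC-SHA256, where a real deployment would authenticate every classical message. It runs four scenarios: an honest run; intercept-resend, which the error-rate check catches; Eve running two perfectly honest sessions back to back, where both segments show zero errors, Alice and Bob end up with different keys, Eve knows both, and nothing is detected; and the same attack against parties holding a pre-shared authentication key, where both segments abort. Relaying Alice's genuine tagged announcement to Bob instead would sift Eve's photons against Alice's bases and collapse into the intercept-resend case.

```python
"""Toy model: eavesdropping detection does not address a man-in-the-middle;
an authenticated classical channel does. Constructed example, not a real QKD stack."""
import hashlib
import hmac
import random

N = 4000            # photons per session (constructed parameter)
QBER_ABORT = 0.11   # abort above this error rate; intercept-resend gives about 25%


def random_bits(rng, n):
    return [rng.randrange(2) for _ in range(n)]


def measure(photons, bases, rng):
    """A photon is (bit, basis). Measuring in the preparation basis returns
    the bit; measuring in the other basis returns a uniformly random bit."""
    return [bit if pb == mb else rng.randrange(2)
            for (bit, pb), mb in zip(photons, bases)]


def tag(psk, bases):
    """Authenticate a classical-channel message (a basis announcement) with
    HMAC-SHA256 under a pre-shared key. Without the key, only a bogus tag."""
    if psk is None:
        return b"\0" * 32
    return hmac.new(psk, bytes(bases), hashlib.sha256).digest()


def verify(psk, bases, t):
    """A party without a pre-shared key does not verify anything at all."""
    if psk is None:
        return True
    expected = hmac.new(psk, bytes(bases), hashlib.sha256).digest()
    return hmac.compare_digest(expected, t)


def session(rng, channel=None, psk_send=None, psk_recv=None):
    """One prepare-and-measure key agreement between a sender and a receiver.
    `channel` models what happens to the photons in flight (None = untouched).
    Returns (status, sender_key, receiver_key); keys are None on abort."""
    s_bits, s_bases = random_bits(rng, N), random_bits(rng, N)
    photons = list(zip(s_bits, s_bases))
    if channel is not None:
        photons = channel(photons, rng)
    r_bases = random_bits(rng, N)
    r_bits = measure(photons, r_bases, rng)
    # Classical channel: each side announces its bases with an authentication tag.
    if not verify(psk_recv, s_bases, tag(psk_send, s_bases)):
        return "abort:auth", None, None
    if not verify(psk_send, r_bases, tag(psk_recv, r_bases)):
        return "abort:auth", None, None
    # Sifting: keep positions where bases agree; sacrifice half to estimate QBER.
    idx = [i for i in range(N) if s_bases[i] == r_bases[i]]
    rng.shuffle(idx)
    test, keep = idx[:len(idx) // 2], idx[len(idx) // 2:]
    qber = sum(s_bits[i] != r_bits[i] for i in test) / len(test)
    if qber > QBER_ABORT:
        return "abort:qber=%.2f" % qber, None, None
    return "ok", [s_bits[i] for i in keep], [r_bits[i] for i in keep]


def intercept_resend(photons, rng):
    """Eavesdropper on the fibre: measure every photon in a random basis and
    re-send what was seen. Half the sifted positions were measured in the wrong
    basis and half of those come out flipped, so the receiver sees ~25% errors."""
    e_bases = random_bits(rng, len(photons))
    return list(zip(measure(photons, e_bases, rng), e_bases))


def mitm(rng, psk_alice=None, psk_bob=None):
    """Eve cuts the fibre and runs two perfectly honest sessions, playing Bob
    toward Alice and Alice toward Bob. Each segment has QBER 0, so eavesdropping
    detection sees nothing; only the classical-channel authentication can."""
    st1, k_alice, k_eve1 = session(rng, psk_send=psk_alice)  # Alice <-> Eve
    st2, k_eve2, k_bob = session(rng, psk_recv=psk_bob)      # Eve <-> Bob
    return st1, st2, k_alice, k_bob, k_eve1, k_eve2


def scenarios(seed=7):
    rng = random.Random(seed)            # seeded so the run is reproducible
    psk = b"constructed pre-shared key"  # the out-of-band secret the thread mentions
    out = {}
    st, ka, kb = session(rng)
    out["honest"] = {"status": st, "keys_match": ka is not None and ka == kb}
    st, ka, kb = session(rng, channel=intercept_resend)
    out["intercept_resend"] = {"status": st, "keys_match": ka is not None and ka == kb}
    st1, st2, ka, kb, ke1, ke2 = mitm(rng)
    out["mitm_no_auth"] = {"status": (st1, st2), "keys_match": ka == kb,
                           "eve_knows_both": ke1 == ka and ke2 == kb}
    st1, st2, ka, kb, ke1, ke2 = mitm(rng, psk, psk)
    out["mitm_with_auth"] = {"status": (st1, st2)}
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

Run it and the third scenario is the one to look at: both segments report "ok" with zero errors, yet Alice's key and Bob's key differ and Eve holds both. The fourth scenario aborts only because Alice and Bob already shared a secret, which is the conventional authentication the thread says the Q layer cannot replace.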


Re: Quantum Cryptography

2007-06-22 Thread Greg Rose

At 10:44  -0700 2007/06/22, Ali, Saqib wrote:

>> ...whereas the key distribution systems we have aren't affected by
>> eavesdropping unless the attacker has the ability to perform 2^128 or
>> more operations, which he doesn't.
>
> Paul: Here you are assuming that key exchange has already taken place.
> But key exchange is the toughest part. That is where Quantum Key
> Distribution QKD comes in the picture. Once the keys are exchanged
> using QKD, you have to rely on conventional cryptography to do bulk
> encryption using symmetric crypto.
>
> Using Quantum Crypto to do bulk encryption doesn't make any sense. It
> is only useful in key distribution.


To be used in key distribution I have to have laid a private optical 
fiber between me and my correspondent. I could have paid a lot less 
for an armored truck to carry the key for me. (I know you can do QKD 
without the fiber these days, but how do you know that you agreed the 
key with the person you think you agreed it with? It's turtles all 
the way down.)


Greg.





Re: Quantum Cryptography

2007-06-22 Thread Perry E. Metzger

Ali, Saqib [EMAIL PROTECTED] writes:
 ...whereas the key distribution systems we have aren't affected by
 eavesdropping unless the attacker has the ability to perform 2^128 or
 more operations, which he doesn't.

 Paul: Here you are assuming that key exchange has already taken place.
 But key exchange is the toughest part.

Key exchange is not the toughest part or even tough at
all. Algorithms like Diffie-Hellman and variants on the theme work
just fine. Authenticated protocols based on these algorithms are well
understood and have been studied for defects for many years.

The STS protocol and variants on it like the ones used in TLS are
fine, and if you feel that they're not secure enough with the number
of bits commonly used, you can crank up the dial for a lot less than
the cost of one of these mind-bogglingly expensive boxes from MagiQ
(not to mention the price of dedicated dark fiber between the
endpoints.)

 That is where Quantum Key Distribution QKD comes in the
 picture. Once the keys are exchanged using QKD, you have to rely on
 conventional cryptography to do bulk encryption using symmetric
 crypto.

I don't believe that any of the commercial units work that way, but if
they do, my opinion of them has dropped even further, and it was
already about as low as I thought was possible. Using QKD only for key
exchange and using a conventional crypto system for the bulk of the
data completely eliminates any conceivable benefits over more
conventional techniques.

Perry



Re: Quantum Cryptography

2007-06-21 Thread Victor Duchovni
On Tue, Jun 19, 2007 at 09:10:12PM -0700, Aram Perez wrote:

 On a legal mailing list I'm on there is a bunch of emails on the  
 perceived effects of quantum cryptography. Is there any authoritative  
 literature/links that can help clear the confusion?

Quantum Cryptography or Quantum Computing (i.e. cryptanalysis)?

- Quantum Cryptography is fiction (strictly claims that it solves
  an applied problem are fiction, indisputably interesting Physics).

- Quantum Computing is science fiction. Some science fiction
  eventually becomes reality.



Re: Quantum cryptography gets practical

2004-10-08 Thread Steve Furlong
On Wed, 2004-10-06 at 06:27, Dave Howe wrote:
 I have yet to see an advantage to QKE that even mildly justifies the
 limitations and cost over anything more than a trivial link (two
 buildings within easy walking distance, sending high volumes of
 extremely sensitive material between them)

But it's cool!

More seriously, it has no advantage now, but maybe something will come
up. The early telephones were about useless, too, remember. In the
meantime, the coolness factor will keep people playing with it and
researching it.





Re: Quantum cryptography gets practical

2004-10-06 Thread Dave Howe
Dave Howe wrote:
> I think this is part of the purpose behind the following paper:
> http://eprint.iacr.org/2004/229.pdf
> which I am currently trying to understand and failing miserably at *sigh*

Nope, finally struggled to the end to find a section pointing out that it
does *not* prevent MITM attacks.
Anyone seen a paper on a scheme that does?



Re: Quantum cryptography finally commercialized?

2003-09-17 Thread David Wagner
R. A. Hettinga wrote:
> http://www.net-security.org/news.php?id=3583
>
> Quantum cryptography finally commercialized?
> Posted by Mirko Zorz - LogError
> Tuesday, 16 September 2003, 1:23 PM CET

For the onlookers, this article is misinformed and should
not be relied upon for evaluating quantum cryptography.

The rest of the article contains statements like the following:

> MagiQ's Navajo creates encryption keys that change up to 1,000 times a
> second to prevent eavesdroppers from deciphering the transmitted data
> packets.  [...]  While AES is very secure, the combination of AES and
> Navajo is theoretically absolutely secure: unbreakable.

The "unbreakable" claim is unfounded.
