Re: Quantum Cryptography
On 07/01/2007 05:55 AM, Peter Gutmann wrote:

> One threat model (or at least failure mode) that's always concerned me deeply about QC is that you have absolutely no way of checking whether it's working as required. With any other mechanism you can run test vectors through it, run ongoing/continuous self-checks, and (in the case of some Type I crypto) run dual units in parallel with one checking the other. With QC you've just got to hope that everything's working as intended. That alone would be enough to rule out its use as far as I'm concerned, I can't trust something that I can't verify.

That's partly true, but there's more to the story. Let's start by looking at the simple case, and then proceed to a more sophisticated analysis:

By analogy:
-- baseball pitchers should be evaluated on things like ERA, while
-- football halfbacks should be evaluated on things like yards per carry,
... and not vice versa.

By that I mean:
-- the integrity of DH depends fundamentally on the algorithm, so you should verify the algorithmic theory, and then verify that the box implements the algorithm correctly; while
-- in the simple case, the integrity of quantum cryptography depends fundamentally on the physics, so you should verify the physics theoretically and then verify that the box implements the physics correctly,
... and not vice versa.

Don't complain that you cannot verify the physics the same way you would verify the algorithm; it's not a relevant complaint.

There are some beautiful operational checks that *can* be made on a simple quantum crypto system. For starters, you can insert a smallish amount of attenuation in the link, as a model of attempted eavesdropping. The system should detect this, shut down, and raise the red flag; if it doesn't, you know it's broken.

==

A more sophisticated analysis takes into account the fact that in the real world (as opposed to the ultra-specialized laboratory bench), there is always some dissipation. Therefore any attempt to do anything resembling quantum crypto (or even quantum computing) in the real world uses some sort of error correction. (These error correction schemes are some of the niftiest results in the whole quantum computation literature, because they involve /analog/ error correction, whereas most previous modern error-correcting codes had been very, very digital.) So there is some interesting genuine originality there, from a theory-of-computation standpoint.

From a security standpoint though, this raises all sorts of messy issues. We now have a box that is neither a pitcher nor a fullback, but some weird chimera. To validate it you would need to verify the physics *and* verify the algorithms *and* verify the interaction between the two. Needless to say, an algorithm intended for crypto requires much stricter scrutiny than the same algorithm intended for ordinary computation.

In particular, the oft-repeated claim that quantum cryptography detects eavesdropping may be true on the lab bench, but it does _not_ follow in any simple way that a usable long-haul system will have the same property.

===

I agree with Steve that there is a difference between bona-fide early-stage research and snake oil. I did research in neural networks at a time when 90% of the published papers in the field were absolute garbage, such as claims of solving NP-hard problems in P time.
-- When there are people who respect the difference between garbage and non-garbage, and are doing serious research, we should support that.
-- When people try to publish garbage, and/or package garbage in shiny boxes and sell it to the government, we should call it for what it is.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Quantum Cryptography
At 5:11 PM -0400 7/2/07, John Denker wrote:

> By that I mean:
> -- the integrity of DH depends fundamentally on the algorithm, so you should verify the algorithmic theory, and then verify that the box implements the algorithm correctly; while
> -- in the simple case, the integrity of quantum cryptography depends fundamentally on the physics, so you should verify the physics theoretically and then verify that the box implements the physics correctly,
> ... and not vice versa.

This is a nice, calm analogy, and I think it is useful. But it misses the point of the snake oil entirely. The fact that there is some good quantum crypto theory doesn't mean that there is any application in the real world.

For the real world, you need key distribution. For the cost of a quantum crypto box (even after cost reductions after years of successful deployment), you could put a hardware crypto accelerator that could do 10,000-bit DH.

Going back to the theory, the only way that quantum crypto will be more valuable than DH (much less ECDH!) is if DH is broken *at all key lengths*. If it is not, then the balance point for cost will be when the end boxes for quantum crypto equals the cost of the end boxes for still-useful DH.

Oh, and all the above is ignoring that DH works over multiple hops of different media, and quantum crypto doesn't (yet, maybe ever).

--Paul Hoffman, Director
--VPN Consortium
Re: Quantum Cryptography
Alexander Klimov [EMAIL PROTECTED] writes:

> So what kind of threat models does it address, and what does that say about the kinds of customers who'd want it?

One threat model (or at least failure mode) that's always concerned me deeply about QC is that you have absolutely no way of checking whether it's working as required. With any other mechanism you can run test vectors through it, run ongoing/continuous self-checks, and (in the case of some Type I crypto) run dual units in parallel with one checking the other. With QC you've just got to hope that everything's working as intended. That alone would be enough to rule out its use as far as I'm concerned, I can't trust something that I can't verify.

Peter.
Re: Quantum Cryptography
At 08:51 AM 6/28/2007, Alexander Klimov wrote:

> I suspect there are two reasons for QKD to be still alive. First of all, the cost difference between quantum and normal approaches is so enormous that a lot of ignorant decision makers actually believe that they get something extra for this money. If you tell a lie big enough and keep repeating it, people will eventually come to believe it. The second reason is ``rollback'' (is it the right term?): you pay

Kickbacks would be the usual American term.

> $10 from your company funds to a QKD vendor, and they covertly give $5 back to you.

Never attribute to malice what can be adequately explained by incompetence. Quantum Crypto is shiny new technology, complete with dancing pigs. And once you've invested the research and development costs into building it, of course you want to sell it to anybody who could use it.

So what kind of threat models does it address, and what does that say about the kinds of customers who'd want it?

- It doesn't protect against traffic analysis, because the eavesdropper can follow the fiber routes and see who you're connected to.
- It potentially provides perfect forward secrecy a long time into the future against attackers who can eavesdrop on you now and save all the bits they want. That's mainly useful for military applications - most commercial applications don't require secrecy for more than a few years, and most criminal activities can't use it because of the traffic analysis threat. Maybe banks?
- It doesn't protect against Auditors getting your data. So maybe it's not useful for banks. That's really too bad, because except for the military, the main kinds of customers that need to spend lots of money on extra-shiny security equipment are doing so to distract Auditors, but it does let you tell the auditors you'd done everything you could.
- The Quantum Key Distribution versions only protect keys, not data, so it doesn't protect you against cracking symmetric-key algorithms. It does provide some protection against Zero-Day attacks on public-key crypto-systems, but wrapping your key exchange in a layer of symmetric-key crypto can do that also. And if you're the military, you can revert to the traditional armed couriers with briefcases handcuffed to their arms method.
Re: Quantum Cryptography
On Jun 29, 2007, at 10:44 AM, Steven M. Bellovin wrote:

> It's very valid to criticize today's products, and it's almost obligatory to criticize over-hyped marketing. As I said, I don't think today's products are useful anywhere, and the comparisons vendors draw to conventional cryptography are at best misleading. But let's not throw the baby out with the bathwater.

The problem I have with QC is that, as others have amply pointed out, there is a lot of bathwater but not much of a baby to speak of.

If someone created a protocol that does a DH exchange at the beginning and then throws away the secret and performs the rest of the communication in plaintext, we'd hardly call the resulting system a cryptographic protocol. Really, we'd be hesitant to use any form of the word cryptography in the description. QC, however, does something exactly analogous: it performs a quantum key exchange and then falls back on classical primitives. It's at best confusing, fallacious and disingenuous to refer to such setups as quantum cryptography, though I understand classical encryption with quantum key exchange has less of a marketable ring to it.

So, by all means, let the QKD and related research continue. It's interesting, it's cool, it's *important* work. But when the folks behind it are talking to those of us who understand and work with cryptography every day, they need to do a much better job at not letting their own imprecise and almost deceitful terminology paint themselves in a corner and trigger our snakeoil detectors.

I deeply support Jon's proposal of renaming the whole thing quantum secrecy, in which case I'd get off my snark horse and show more respect for the whole thing.

--
Ivan Krstić [EMAIL PROTECTED] | GPG: 0x147C722D
Re: Quantum Cryptography
I'm unhappy with the tone of the discussion thus far. It's gone far beyond critiquing current products and is instead attacking the very concept.

Today's cryptography is largely based on certain assumptions. You can't even call them axioms; they're far too weak. Let's consider RSA. We *know* that no one has proven it equivalent to factoring; even if that had been done, there is as far as I know no theoretically and useful computational complexity bound for factoring, especially for the average case. Similarly, we have no proofs that discrete log is inherently hard. But cryptographic proofs frequently work by showing that breaking some new construct is equivalent to solving one of these believed to be hard problems. We have a theoretically unbreakable system -- one-time pads -- but as most of us on this list know, they're rarely usable.

Protocols are even worse. We can prove certain things about the message exchanges, and we have tools to help analyze protocols. But I have yet to see any such mechanism that can cope with attacks that mix protocol weaknesses with, say, number theory -- think of Bleichenbacher's Million Message Attack (which also involved how the protocol worked over the wire) or Simmons' Common Modulus Attack.

It's not wrong to want something better. Sure, we think our ciphers are secure. The Germans thought that of Enigma and the Geheimschreiber; the Japanese thought that of Purple. Is AES secure? NSA has said so publicly, but there have been technical papers challenging that. I've seen no technical commentary on this list on the Warren D. Smith paper that was cited here about a week ago.

To me, QKD is indeed a very valid area for research. It's a very different approach; ultimately, it may prove to be useful, at least in some circumstances.

Now -- I'm not saying that *anyone* should buy today's products. As has been pointed out ad infinitum, they rely on conventional cryptographic techniques for authentication. More seriously, they have been subject to serious friendly attacks. It's only recently been mentioned prominently that most devices don't send a single photon per bit, and the proof of security relies on that. There is the limitation, possibly inherent, to a single link. (I wonder, though, what can be done in the future with switched optical networks.)

All that said, perhaps QKD will be useful some day. Unauthenticated? Diffie-Hellman is unauthenticated. Expensive? RSA is computationally expensive, and in fact wasn't used very much for 10 years after its invention. Single link? We still use -- and need -- link-layer cryptography today. Provable security? Despite their limitations, one-time pads are and have been used in the real world. Sometimes, the operational and threat environments are right. Gilmore has noted that cryptography is a matter of economics -- and in some situations, perhaps the economics of QKD are right.

It's very valid to criticize today's products, and it's almost obligatory to criticize over-hyped marketing. As I said, I don't think today's products are useful anywhere, and the comparisons vendors draw to conventional cryptography are at best misleading. But let's not throw the baby out with the bathwater.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: Quantum Cryptography
I suspect there are two reasons for QKD to be still alive. First of all, the cost difference between quantum and normal approaches is so enormous that a lot of ignorant decision makers actually believe that they get something extra for this money. If you tell a lie big enough and keep repeating it, people will eventually come to believe it.

The second reason is ``rollback'' (is it the right term?): you pay $10 from your company funds to a QKD vendor, and they covertly give $5 back to you.

--
Regards,
ASK
Re: Quantum Cryptography
On Jun 26, 2007, at 10:10 AM, Nicolas Williams wrote:

> This too is a *fundamental* difference between QKD and classical cryptography.

What does this classical word mean? Is it the Quantum way to say real? I know we're in violent agreement, but why are we letting them play language games?

> IMO, QKD's ability to discover passive eavesdroppers is not even interesting (except from an intellectual p.o.v.) given: its inability to detect MITMs, its inability to operate end-to-end across middle boxes, while classical crypto provides protection against eavesdroppers *and* MITMs both *and* supports end-to-end operation across middle boxes.

Moreover, the quantum way of discovering passive eavesdroppers is really just a really delicious sugar coating on the classical term denial of service. I'm not being DoSed, I'm detecting a passive eavesdropper!

Jon
Re: Quantum Cryptography
On 6/25/07, Greg Troxel [EMAIL PROTECTED] wrote:

> 1) Do you believe the physics? (Most people who know physics seem to.)

For those who would like to know a little more about the physics, see: http://www.icfo.es/images/publications/J05-055.pdf, Quantum Cloning, Valerio Scarani, Sofyan Iblisdir, and Nicolas Gisin. This is a late 2005 review of eavesdropping techniques for QKD. Much of the terminology of quantum physics is unfamiliar to me but I think the paper states that Eve could theoretically get 5/6 of the bits through cloning and to keep this from happening, Alice and Bob have to assume an eavesdropper if more than 11% of the bits have errors.

also: http://w3.antd.nist.gov/pubs/Mink-SPIE-One-Time-Pad-6244_22.pdf, One-Time Pad Encryption of Real-Time Video, Alan Mink, Xiao Tang, LiJun Ma, Tassos Nakassis, Barry Hershman, Joshua C. Bienfang, David Su, Ron Boisvert, Charles W. Clark and Carl J. Williams - a more accessible paper describing a working system where NIST claims bit error rates in the 3% range while generating key material at greater than 2Mb/s. It's not clear whether the bit error rate is before or after an error correction stage but the paper discusses how bit error rate reduces the overall result after privacy amplification so I believe they have thought of Eve cloning photons in flight.

-Michael
Re: Quantum Cryptography
On Tue, Jun 26, 2007 at 02:03:29PM -0700, Jon Callas wrote:

> On Jun 26, 2007, at 10:10 AM, Nicolas Williams wrote:
>
> > This too is a *fundamental* difference between QKD and classical cryptography.
>
> What does this classical word mean? Is it the Quantum way to say real? I know we're in violent agreement, but why are we letting them play language games?

I don't mind using classical here. I don't think Newtonian physics (classical) is bad -- it works great at every day human scales.

> > IMO, QKD's ability to discover passive eavesdroppers is not even interesting (except from an intellectual p.o.v.) given: its inability to detect MITMs, its inability to operate end-to-end across middle boxes, while classical crypto provides protection against eavesdroppers *and* MITMs both *and* supports end-to-end operation across middle boxes.
>
> Moreover, the quantum way of discovering passive eavesdroppers is really just a really delicious sugar coating on the classical term denial of service. I'm not being DoSed, I'm detecting a passive eavesdropper!

Heh! Indeed: with classical (or non-quantum, or standard, or...) crypto eavesdroppers are passive attackers and passive attackers cannot mount DoS attacks (oh, I suppose that wiretapping can cause some slightly noticeable interference in some cases, but usually that's no DoS), but in QKD passive attackers become active attackers.

But it gets worse! To eavesdrop on a QKD link requires much the same effort (splice the fiber) as to be an MITM on a QKD link, so why would any attacker choose to eavesdrop and be detected instead of being an MITM, go undetected and get the cleartext they're after? Right, they wouldn't. Attackers aren't stupid, and an attacker that can splice your fibers can probably afford the QKD HW they need to mount an MITM attack.

So, really, you need authentication. And, really, you need end-to-end, not hop-by-hop authentication and data confidentiality + integrity protection.

This reminds me of Feynman's presentation of Quantum Electro Dynamics, which finished with QED.

Has it now been sufficiently established that QKD is not useful that whenever it rears its head we can point folks at archives of these threads and not spill anymore ink?

Nico
--
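The point Nico and Jon make above (a passive tap is detected, an unauthenticated man-in-the-middle is not) and the 11% abort threshold Michael cites in his post above, as a toy BB84 simulation. This is an added example, not code from any poster or product; the 0/1 basis encoding, the three attacker modes and the seeded RNG are my constructions, and QBER is computed over the whole sifted key rather than a sacrificed sample.

```python
"""Toy BB84 simulation. Shows (a) that an intercept-and-resend tap drives
the sifted-key error rate (QBER) to about 25%, well above the 11% abort
threshold quoted in this thread, and (b) that an attacker who terminates
the fibre and runs BB84 separately with each end sees 0% QBER on both
sides when the classical sifting channel is unauthenticated.
Constructed example: bases and bits are 0/1, photons are (bit, basis)."""
import random

ABORT_QBER = 0.11  # abort threshold for BB84 quoted in the thread


def _measure(bit, prep_basis, meas_basis, rng):
    """Measuring in the preparation basis returns the encoded bit; in the
    conjugate basis the outcome is uniformly random and the state is lost."""
    return bit if prep_basis == meas_basis else rng.randrange(2)


def _sift(bases_x, bases_y, values):
    """Keep only positions where the two publicly announced bases agree."""
    return [v for bx, by, v in zip(bases_x, bases_y, values) if bx == by]


def _qber(key_a, key_b):
    """Fraction of sifted positions that disagree (0.0 for an empty key)."""
    if not key_a:
        return 0.0
    return sum(a != b for a, b in zip(key_a, key_b)) / len(key_a)


def _verdict(sifted, qber, eve_key, bob_key):
    return {
        "sifted": sifted,
        "qber": qber,
        "aborted": qber > ABORT_QBER,
        "eve_has_full_key": eve_key == bob_key,
    }


def bb84_run(n_photons, mode="none", seed=1):
    """Simulate one BB84 session in which Alice sends n_photons.

    mode "none":      no attacker on the link
    mode "intercept": Eve measures every photon in a random basis and
                      re-sends her result (the tap QKD is said to detect)
    mode "mitm":      Eve terminates the link and runs BB84 with Alice
                      while impersonating Bob on the classical channel,
                      and with Bob while impersonating Alice; nothing in
                      the protocol ties the two sessions together
    """
    rng = random.Random(seed)
    a_bits = [rng.randrange(2) for _ in range(n_photons)]
    a_bases = [rng.randrange(2) for _ in range(n_photons)]
    b_bases = [rng.randrange(2) for _ in range(n_photons)]

    if mode == "mitm":
        # Session 1 (Alice <-> Eve): Eve measures Alice's photons, then
        # announces her own bases during sifting as if she were Bob.
        e_bases_a = [rng.randrange(2) for _ in range(n_photons)]
        e_got = [_measure(b, pb, mb, rng)
                 for b, pb, mb in zip(a_bits, a_bases, e_bases_a)]
        alice_key = _sift(a_bases, e_bases_a, a_bits)
        eve_key_a = _sift(a_bases, e_bases_a, e_got)
        # Session 2 (Eve <-> Bob): Eve prepares fresh photons of her own.
        e_bits = [rng.randrange(2) for _ in range(n_photons)]
        e_bases_b = [rng.randrange(2) for _ in range(n_photons)]
        b_got = [_measure(b, pb, mb, rng)
                 for b, pb, mb in zip(e_bits, e_bases_b, b_bases)]
        bob_key = _sift(e_bases_b, b_bases, b_got)
        eve_key_b = _sift(e_bases_b, b_bases, e_bits)
        # Each end estimates QBER against "the other party", which is Eve.
        qber = max(_qber(alice_key, eve_key_a), _qber(eve_key_b, bob_key))
        return _verdict(len(bob_key), qber, eve_key_b, bob_key)

    if mode == "intercept":
        # Eve measures in a random basis and forwards a photon prepared in
        # that basis. Half the time her basis is wrong, and then Bob's
        # result is random even when his basis matches Alice's: 25% QBER.
        e_bases = [rng.randrange(2) for _ in range(n_photons)]
        sent_bits = [_measure(b, pb, mb, rng)
                     for b, pb, mb in zip(a_bits, a_bases, e_bases)]
        sent_bases = e_bases
    else:
        sent_bits, sent_bases = a_bits, a_bases

    b_got = [_measure(b, pb, mb, rng)
             for b, pb, mb in zip(sent_bits, sent_bases, b_bases)]
    alice_key = _sift(a_bases, b_bases, a_bits)
    bob_key = _sift(a_bases, b_bases, b_got)
    eve_key = _sift(a_bases, b_bases, sent_bits) if mode == "intercept" else []
    qber = _qber(alice_key, bob_key)
    return _verdict(len(bob_key), qber, eve_key, bob_key)


if __name__ == "__main__":
    for m in ("none", "intercept", "mitm"):
        print(m, bb84_run(4000, m))
```

The "mitm" run reports no errors and a key Eve holds in full, which is the whole reason the classical channel needs authentication.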
Re: Quantum Cryptography
Victor Duchovni [EMAIL PROTECTED] writes:

> Secure in what sense? Did I miss reading about the part of QKD that addresses MITM (just as plausible IMHO with fixed circuits as passive eavesdropping)?

It would be good to read the QKD literature before claiming that QKD is always unauthenticated. The generally accepted approach among the physics crowd is to use authentication with secret keys and a universal family of hash functions.

> Once QKD is augmented with authentication to address MITM, the Q seems entirely irrelevant.

It's not if you care about perfect forward secrecy and believe that DH might be broken, and can't cope with or don't trust a Kerberos-like scheme. You can authenticate QKD with a symmetric mechanism, and get PFS against an attacker who records all the traffic and breaks DH later.

See http://portal.acm.org/citation.cfm?id=863982dl=GUIDEdl=ACM for a citation and http://www.ir.bbn.com/documents/articles/gdt-sigcomm03.pdf for text, for a discussion of a system that uses regular IKE and AH to authenticate the control channel and uses the resulting bits to key ESP with AES or a one-time pad to get PFS against a DH-capable attacker. This all ran on NetBSD over 3 sites in the Boston area for several years.

There are two very hard questions for QKD systems:

1) Do you believe the physics? (Most people who know physics seem to.)

2) Does the equipment in your lab correspond to the idealized models with which the proofs for (1) were done. (Not even close.)

Because of (2) I wouldn't have confidence in any current QKD system. The one I worked on was for research, to address some of the basic systems issues, because the physics community concentrates on the physics parts.

I am most curious as to the legal issue that came up regarding QKD.
Re: Quantum Cryptography
On Fri, Jun 22, 2007 at 08:21:25PM -0400, Leichter, Jerry wrote:

> BTW, on the quantum subway tokens business: In more modern terms, what this was providing was unlinkable, untraceable e-coins which could be spent exactly once, with *no* central database to check against and none of this well, we can't stop you from spending it more than once, but if we ever notice, we'll learn all kinds of nasty things about you. (The coins were unlinkable and untraceable because, in fact, they were *identical*.) Now, of course, they were also physical objects, not just collections of bits. The same is true of the photons used in quantum key exchange. Otherwise, it wouldn't work. We're inherently dealing with a different model here. Where it ends up is anyone's guess at this point.

This relates back to the inutility of QKD as follows: when physical exchanges are required you cannot run such exchanges end-to-end over an Internet -- the middle boxes (routers, etc...) get in the way of the physical exchange.

This too is a *fundamental* difference between QKD and classical cryptography. That difference makes QKD useless in *today's* Internet.

IF we had a quantum authentication facility then we could build hop-by-hop authentication to build an Internet out of QKD and QA (quantum authentication). That's a *big* condition, and the change in security models is tremendous, and for the worse: since the trust chains get enormously enlarged.

IMO, QKD's ability to discover passive eavesdroppers is not even interesting (except from an intellectual p.o.v.) given: its inability to detect MITMs, its inability to operate end-to-end across middle boxes, while classical crypto provides protection against eavesdroppers *and* MITMs both *and* supports end-to-end operation across middle boxes.

Nico
--
Re: Quantum Cryptography
On Mon, Jun 25, 2007 at 08:23:14PM -0400, Greg Troxel wrote:

> 1) Do you believe the physics? (Most people who know physics seem to.)

Yes.

> 2) Does the equipment in your lab correspond to the idealized models with which the proofs for (1) were done. (Not even close.)

Does QKD address a real-world risk at a reasonable cost without unreasonable application constraints? If I am very concerned about PFS for secrets that must stay secure for decades and 521-bit ECDH is broken, yes I lose PFS. So there may be a market for fixed direct circuits used by a small number of agencies, but if I were a budget director I would spend the money elsewhere...

> I am most curious as to the legal issue that came up regarding QKD.

Indeed, what was the legal question that got us here?

--
Victor Duchovni, IT Security, Morgan Stanley (ASCII ribbon campaign against HTML mail)
NOTICE: If received in error, please destroy and notify sender. Sender does not waive confidentiality or privilege, and use is prohibited.
Re: Quantum Cryptography
On Mon, Jun 25, 2007 at 08:23:14PM -0400, Greg Troxel wrote:

> Victor Duchovni [EMAIL PROTECTED] writes:
>
> > Secure in what sense? Did I miss reading about the part of QKD that addresses MITM (just as plausible IMHO with fixed circuits as passive eavesdropping)?
>
> It would be good to read the QKD literature before claiming that QKD is always unauthenticated.

No one claimed that it isn't -- the claim is that there is no quantum authentication, so QKD has to be paired with classical crypto in order to defeat MITMs, which renders it worthless (because if you'll rely on classical crypto then you might as well only use classical crypto as QKD doesn't add any security that classical crypto, which you still have to use, doesn't already).

The real killer for QKD is that it doesn't work end-to-end across middle boxes like routers. And as if that weren't enough there's the exorbitant cost of QKD kit.

> The generally accepted approach among the physics crowd is to use authentication with secret keys and a universal family of hash functions.

Everyone who's commented has agreed that authentication is to be done classically as there is no quantum authentication yet.

But I can imagine how quantum authentication might be done: generate an entangled pair at one end of the connection, physically carry half of it to the other end, and then run a QKD exchange that depends on the two ends having half of the same entangled particle or photon pair. I'm no quantum physicist, so I can't tell how workable that would be physics-wise, but such a scheme would be analogous to pre-sharing symmetric keys in classical crypto. Of course, you'd have to do this physical pre-sharing step every time you restart the connection after having run out of pre-shared entangled pair halves; ouch.

> > Once QKD is augmented with authentication to address MITM, the Q seems entirely irrelevant.
>
> It's not if you care about perfect forward secrecy and believe that DH might be broken, and can't cope with or don't trust a Kerberos-like scheme. You can authenticate QKD with a symmetric mechanism, and get PFS against an attacker who records all the traffic and breaks DH later.

The end-to-end across middle boxes issue kills this argument about protection against speculative brokenness of public key cryptography. All but the smallest networks depend on middle boxes.

Quantum cryptography will be useful when:

- it can be deployed in an end-to-end fashion across middle boxes

OR

- we adopt hop-by-hop methods of building end-to-end authentication

And, of course, quantum kit has got to be affordable, but let's assume that economies of scale will be achieved once quantum crypto becomes useful.

Critical breaks of public key crypto will NOT be sufficient to drive adoption of quantum crypto: we can still build networks out of symmetric key crypto (and hash/MAC functions) only if need be (with pre-shared keying, Kerberos, and generally Needham-Schroeder).

> There are two very hard questions for QKD systems:
>
> 1) Do you believe the physics? (Most people who know physics seem to.)
>
> 2) Does the equipment in your lab correspond to the idealized models with which the proofs for (1) were done. (Not even close.)

But the only real practical issue, for Internet-scale deployment, is the end-to-end issue. Even for intranet-scale deployments, actually.

> I am most curious as to the legal issue that came up regarding QKD.

Which legal issue?

Nico
--
Re: Quantum Cryptography
On 06/25/2007 08:23 PM, Greg Troxel wrote:

> 1) Do you believe the physics? (Most people who know physics seem to.)

Well, I do happen to know a thing or two about physics. I know
-- there is quite a lot you can do with quantum physics, and
-- there is quite a lot you cannot do with quantum physics.

I also know that snake-oil salesmen can lie about the physics just as easily as they lie about anything else.

Since it's not clear what is meant by THE physics, it would be more meaningful to ask more-specific questions, namely:
-- Do I believe in real physics? Yes.
-- Do I believe in what Dr. Duck says about physics? Usually not.

==

One commonly-made claim about quantum cryptography is that it can detect eavesdropping. I reckon that's narrowly true as stated. The problem is, I don't know why I should care.

The history of cryptography for most of the last 2000 years has been a cat and mouse game between the code makers and the code breakers. The consensus is that right now the code makers have the upper hand. As a result, Eve can eavesdrop all she wants, and it won't do her a bit of good.

To say the same thing: It appears that in this respect, quantum cryptography takes a well-solved problem and solves it another way at higher cost and lower throughput. The cost/benefit ratio is exceedingly unfavorable, and seems likely to remain so.

Meanwhile, it takes some less-well-solved problems and makes them worse. Consider for example traffic analysis. Since quantum encryption requires a dedicated hardware link from end to end, there is no hope of disguising who is communicating with whom.

I am reminded of a slide that Whit Diffie used in one of his talks. It showed a house that was supposed to be protected by a picket fence. The problem was that the so-called fence consisted of a single picket, 4 inches wide and a mile high, while the other 99.9% of the perimeter was unprotected. Yes sirree, no eavesdropper is going to hop over that picket!

One sometimes hears even stronger claims, but they are even more easily refuted. I've reviewed papers that claim quantum mechanics solves the key distribution problem but in fact they were using classical techniques to deal with all the hard parts of the problem. It reminds me of stone soup: if the ingredients include broth, meat, vegetables, seasoning, and a stone, I don't see why the stone should get credit for the resulting soup. Likewise, since a quantum key distribution system is in no way better and in some ways worse than a classical system, I don't see why quantum cryptography should get credit for solving the problem.
Re: Quantum Cryptography
On Jun 22, 2007, at 10:44 AM, Ali, Saqib wrote:

> > ...whereas the key distribution systems we have aren't affected by eavesdropping unless the attacker has the ability to perform 2^128 or more operations, which he doesn't.
>
> Paul: Here you are assuming that key exchange has already taken place. But key exchange is the toughest part. That is where Quantum Key Distribution QKD comes in the picture. Once the keys are exchanged using QKD, you have to rely on conventional cryptography to do bulk encryption using symmetric crypto. Using Quantum Crypto to do bulk encryption doesn't make any sense. It is only useful in key distribution.

Let me create an aphorism to sum up what Paul, Perry, and others have said in detail before I address your comment:

If Quantum Cryptography does what it claims, then it is strengthening the strongest link in the chain of security.

Now to your comment. If you do a 3000 bit Diffie-Hellman exchange, you have a key exchange with 2^128 security, to the best of our knowledge, assuming this and that, blah, blah, blah. If you don't like 3000 bit integers, go to elliptic curve.

I have in some of my talks, renamed Quantum Cryptography to Quantum Secrecy. If the QC people would stop calling it cryptography, a good deal of the hostility you find among us crypto people would evaporate.

Let me give an analogy. I will posit Quantum Message Teleportation. Using QMT, Alice can write her message on a piece of paper, close her eyes, and it will disappear from her hand and appear in Bob's hand. This is cool. This is useful. It is amazing. It is also not cryptography. It also has all the problems that Perry points out in QC, like a lack of authentication and so on. Like QC, adding cryptography to it makes it even more useful.

The QC people should change their song to QS, and stop bashing the mathematicians with arguments we can show are somewhere between incomplete and fallacious. Then they might find us drift over to supporting them because while Quantum Secrecy is not practical, it is very cool.

Jon
Re: Quantum Cryptography
Victor Duchovni wrote:

| Quantum Cryptography or Quantum Computing (i.e. cryptanalysis)?
|
| - Quantum Cryptography is fiction (strictly, claims that it solves an applied problem are fiction; indisputably interesting Physics).

I do not really agree with this statement. There are ongoing projects, that I know of, that are actually working on maximizing communication throughput (which is currently not very good) on encrypted channels and minimizing costs of involved equipment. AFAIK, one great advantage of quantum crypto is in the area of key exchange when establishing a secure communication.

I guess quantum crypto is definitely not fiction (anyhow, I do not know if it has already been used somewhere...).

Later,

-- Best Regards, Massimiliano Pala (OpenCA Project Manager, Dartmouth Computer Science Dept)
Re: Quantum Cryptography
| - Quantum Cryptography is fiction (strictly claims that it solves an applied problem are fiction, indisputably interesting Physics).

Well that is a broad (and maybe unfair) statement.

Quantum Key Distribution (QKD) solves an applied problem of secure key distribution. It may not be able to ensure unconditional secrecy during key exchange, but it can detect any eavesdropping. Once eavesdropping is detected, the key can be discarded.

saqib
http://security-basics.blogspot.com/
Re: Quantum Cryptography
On Thu, Jun 21, 2007 at 01:20:35PM -0400, Victor Duchovni wrote:

| Quantum Cryptography or Quantum Computing (i.e. cryptanalysis)?
|
| - Quantum Cryptography is fiction (strictly claims that it solves an applied problem are fiction, indisputably interesting Physics).
|
| - Quantum Computing is science fiction. Some science fiction eventually becomes reality.

A nice blog to follow here is Shtetl-Optimized: http://www.scottaaronson.com/blog/

-- Eugen* Leitl
http://leitl.org
Re: Quantum Cryptography
On Thu, Jun 21, 2007 at 10:59:14AM -0700, Ali, Saqib wrote:

| | - Quantum Cryptography is fiction (strictly claims that it solves an applied problem are fiction, indisputably interesting Physics).
|
| Well that is a broad (and maybe unfair) statement.
|
| Quantum Key Distribution (QKD) solves an applied problem of secure key distribution. It may not be able to ensure unconditional secrecy during key exchange, but it can detect any eavesdropping. Once eavesdropping is detected, the key can be discarded.

Secure in what sense? Did I miss reading about the part of QKD that addresses MITM (just as plausible IMHO with fixed circuits as passive eavesdropping)?

Once QKD is augmented with authentication to address MITM, the Q seems entirely irrelevant.

-- Victor Duchovni, IT Security, Morgan Stanley
Re: Quantum Cryptography
Massimiliano Pala [EMAIL PROTECTED] writes:

| Victor Duchovni wrote:
| | Quantum Cryptography or Quantum Computing (i.e. cryptanalysis)?
| |
| | - Quantum Cryptography is fiction (strictly claims that it solves an applied problem are fiction, indisputably interesting Physics).
|
| I do not really agree with this statement. There are ongoing projects, that I know of, that are actually working on maximizing communication throughput (which is currently not very good) on encrypted channels and minimizing costs of involved equipment. AFAIK, one great advantage of quantum crypto is in the area of key exchange when establishing a secure communication.
|
| I guess quantum crypto is definitely not fiction (anyhow, I do not know if it has already been used somewhere...).

Quantum cryptography is useless. Victor is completely correct here.

Quantum crypto provides you with a slow way of getting a one time pad (of sorts) that you cannot authenticate and thus cannot trust, between two endpoints only, and it does it at extreme expense.

Why do I say that you cannot authenticate? Because although you can tell that no one eavesdropped in on the line, you have no way of knowing that no one cut the fiber in two and put two such boxes in between. You know that no one eavesdropped, but not who you are talking to. Various physics types who I explain this to generally do not understand what I'm talking about at first blush because they only consider the problem of eavesdropping -- the notion that you also need to verify who the guy at the other end is never occurs to them because they aren't security people. The fact that the attacker might not even bother to eavesdrop and could simply insert himself into the communication stream never occurs to the proponents.

So, to fix the man-in-the-middle problem, you have to layer an authentication technology on top. Unfortunately, the ones we have are all conventional crypto -- perhaps a MAC of some sort. At which point, you're trusting conventional crypto for your security, so why bother? Conventional crypto is nearly free.

This brings up another issue. Quantum crypto is exceptionally expensive, and is virtually undeployable. To provide security that, in a practical sense, is no better than what you can get from high key length conventional ciphers, you spend vast amounts on end system equipment, rent a dedicated dark fiber link between two locations that can't be arbitrarily far apart, and in the end, you have two machines that can talk securely in a world where one needs thousands or millions of machines to talk securely to any one of the other machines. The phone network and internet exist for a reason -- people want communication networks, not a string between two cans between each other's homes. They need NxN communication, not 1-1 communication. Building the N^2 array of dark fibers and quantum crypto boxes between lots of machines is, of course, utterly impractical and always will be. Of course, even if you could, you would still need out of band key distribution and a MAC to know that no one had man-in-the-middled your links. Again, why bother?

Now, let's consider the alternative. In a practical sense, no one rational worries on a day to day basis that their security is going to be compromised because someone has a magic box that decrypts 256 bit AES in 12 seconds flat. The crypto we already have is more than good enough. Quantum Crypto exists on the mistaken premise that people are worried about their ciphers being broken and that this is the main issue in security. It is not. Having your ciphers broken is not even remotely the main issue for most installations. What people worry about in the real world are design flaws, programming errors, human interface problems that make things like phishing possible, and whether or not the $12-an-hour security guard at your data center will happily take a $5000 bribe to let someone at your equipment for an hour.

Quantum Key Distribution solves none of those issues at all. The issue it does solve is a non-issue -- we already have 256 bit keyed AES if you need it.

Quantum Crypto does what it says it does, but it is a commercially worthless invention, like an 800 pound wristwatch that is 20% more accurate than normal wristwatches but which is completely wrong one day in seven, or like a $20,000,000 tube of toothpaste that tastes slightly better but causes your teeth to explode one time in every 400. Even if the watch is marginally more accurate, no one will wear it. Even if the toothpaste tastes slightly better, no one will buy it. Neither invention solves a real problem from the real world.

Quantum Crypto was invented by physicists who understand physics well but have no understanding of security. It does what it claims to do, but what it claims to do is of no use to anyone. Quantum Crypto does nothing at all for the things people actually need solved, and for what it does do, it costs vastly too much. It is a lead balloon, a jet
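A toy simulation of the two points made in this thread, added here as an illustration and not code from any poster or product: an intercept-and-resend eavesdropper is caught by the error rate on the sifted BB84 bits, while a relay that runs the protocol separately with each end shows zero errors on both legs, which is why eavesdropping detection is not authentication. The photon model, the 11% abort bound and all function names are my own simplifying assumptions.

```python
"""Toy BB84 model (constructed for illustration): an intercept-and-resend
eavesdropper raises the error rate and is caught; a relay that runs the
protocol separately with each end is not, because nothing here checks
*who* the other end is."""
import random

# Basis 0 = rectilinear, basis 1 = diagonal. A photon is modelled as the
# (bit, basis) it was prepared in: measuring in the preparation basis
# returns the bit, measuring in the other basis returns a coin flip.
# 11% is the commonly quoted bound above which BB84 post-processing
# cannot distil a secret key; it is an assumption of this toy, not a spec.
ABORT_THRESHOLD = 0.11


def measure(photon, basis, rng):
    bit, prep_basis = photon
    return bit if basis == prep_basis else rng.randint(0, 1)


def prepare(n, rng):
    """Sender picks n random bits and n random bases."""
    bits = [rng.randint(0, 1) for _ in range(n)]
    bases = [rng.randint(0, 1) for _ in range(n)]
    return bits, bases, list(zip(bits, bases))


def honest_channel(photons, rng):
    return photons


def intercept_resend(photons, rng):
    """Eve measures every photon in a random basis and re-prepares what
    she saw; half her guesses are wrong, so about 25% of sifted bits flip."""
    out = []
    for p in photons:
        b = rng.randint(0, 1)
        out.append((measure(p, b, rng), b))
    return out


def receive(photons, rng):
    """Receiver picks a random basis per photon and measures."""
    bases = [rng.randint(0, 1) for _ in photons]
    bits = [measure(p, b, rng) for p, b in zip(photons, bases)]
    return bases, bits


def sift_and_check(a_bits, a_bases, b_bits, b_bases):
    """Keep positions where the (publicly compared) bases agree, then
    sacrifice every other kept bit to estimate the error rate (QBER)."""
    kept = [i for i in range(len(a_bits)) if a_bases[i] == b_bases[i]]
    test, keep = kept[0::2], kept[1::2]
    errors = sum(a_bits[i] != b_bits[i] for i in test)
    qber = errors / len(test) if test else 0.0
    return [a_bits[i] for i in keep], [b_bits[i] for i in keep], qber


def eavesdropping_detected(qber):
    return qber > ABORT_THRESHOLD


def bb84(n, channel, rng):
    """One session: returns (sender key, receiver key, estimated QBER)."""
    a_bits, a_bases, photons = prepare(n, rng)
    b_bases, b_bits = receive(channel(photons, rng), rng)
    return sift_and_check(a_bits, a_bases, b_bits, b_bases)


def relay_mitm(n, rng):
    """The 'cut the fibre and put two boxes in between' case: Eve runs a
    full session with each side, and both legs report zero errors."""
    alice_key, eve_key_a, qber_a = bb84(n, honest_channel, rng)
    eve_key_b, bob_key, qber_b = bb84(n, honest_channel, rng)
    return alice_key, bob_key, eve_key_a, eve_key_b, qber_a, qber_b


def run_scenarios(n=4000, seed=2007):
    """Constructed demo: QBER per scenario, plus whether the relay ended up
    sharing Alice's key and Bob's key without either side noticing."""
    rng = random.Random(seed)
    _, _, q_honest = bb84(n, honest_channel, rng)
    _, _, q_eve = bb84(n, intercept_resend, rng)
    a, b, ea, eb, qa, qb = relay_mitm(n, rng)
    return {"honest": q_honest, "intercept": q_eve, "relay": (qa, qb),
            "relay_undetected": a == ea and b == eb and a != b}


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name:17s} {value}")
```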
Re: Quantum Cryptography
| - Quantum Cryptography is fiction (strictly claims that it solves an applied problem are fiction, indisputably interesting Physics).
|
| Well that is a broad (and maybe unfair) statement.
|
| Quantum Key Distribution (QKD) solves an applied problem of secure key distribution. It may not be able to ensure unconditional secrecy during key exchange, but it can detect any eavesdropping. Once eavesdropping is detected, the key can be discarded.
|
| Secure in what sense? Did I miss reading about the part of QKD that addresses MITM (just as plausible IMHO with fixed circuits as passive eavesdropping)?
|
| Once QKD is augmented with authentication to address MITM, the Q seems entirely irrelevant.

The unique thing the Q provides is the ability to detect eavesdropping. I think a couple of weeks ago I forwarded a pointer to a paper showing that there were some limits to this ability, but even so, this is a unique feature that no combination of existing primitives can provide.

One can argue about what this adds. The current approach of the QKD efforts is to assume that physical constraints are sufficient to block MITM, while quantum constraints block passive listening (which is assumed not to be preventable using physical constraints). It's the combination that gives you security. One can argue about the reasonableness of this model - particularly about the ability of physical limitations to block MITM. It does move the center of the problem, however - and into a region (physical protection) in which there is much more experience and perhaps some better intuition. Valid or not, it certainly is easier to give people the warm fuzzies by talking about physical protection than by talking about math.

In the other direction, whether the ability to detect eavesdropping lets you do anything interesting is, I think, an open question. I wouldn't dismiss it out of hand.

There's an old paper that posits a related primitive, Verify Once Memory: Present it with a set of bits, and it answers either "Yes, that's the value stored in me" or "No, wrong value". In either case, *the stored bits are irrevocably scrambled*. (One could, in principle, build such a thing with quantum bits, but beyond the general suggestions in the original paper, no one has worked out how to do this in detail.) The paper uses this as a primitive to construct unforgeable subway tokens: Even if you buy a whole bunch of valid tokens, and get hold of a whole bunch of used ones, you have no way to construct a new one. (One could probably go further - I don't recall if the paper does - and have a "do the two of you match" primitive, which would use quantum bits in both the token and the token validator. Then even if you had a token validator, you couldn't create new tokens. Obviously, in this case you don't want to scramble the validator.)

-- Jerry
Re: Quantum Cryptography
At 10:59 AM -0700 6/21/07, Ali, Saqib wrote:

| | - Quantum Cryptography is fiction (strictly claims that it solves an applied problem are fiction, indisputably interesting Physics).
|
| Well that is a broad (and maybe unfair) statement.
|
| Quantum Key Distribution (QKD) solves an applied problem of secure key distribution. It may not be able to ensure unconditional secrecy during key exchange, but it can detect any eavesdropping. Once eavesdropping is detected, the key can be discarded.

...whereas the key distribution systems we have aren't affected by eavesdropping unless the attacker has the ability to perform 2^128 or more operations, which he doesn't.

Which part of the word "useless" is not apparent here?

--Paul Hoffman, Director
--VPN Consortium
Re: Quantum Cryptography
On Fri, Jun 22, 2007 at 11:33:38AM -0400, Leichter, Jerry wrote:

| | Secure in what sense? Did I miss reading about the part of QKD that addresses MITM (just as plausible IMHO with fixed circuits as passive eavesdropping)?
| |
| | Once QKD is augmented with authentication to address MITM, the Q seems entirely irrelevant.
|
| The unique thing the Q provides is the ability to detect eavesdropping.

If I want to encrypt a fixed circuit, I assume that eavesdropping is omni-present, and furthermore don't want to be constrained to transmit only when the eavesdroppers have chosen to take a lunch break.

| One can argue about what this adds.

Warm fuzzies?

| The current approach of the QKD efforts is to assume that physical constraints are sufficient to block MITM.

An interesting assumption.

| It does move the center of the problem, however - and into a region (physical protection) in which there is much more experience and perhaps some better intuition.

I would conjecture that a lot more people grasp undergraduate mathematics than undergraduate quantum mechanics...

| Valid or not, it certainly is easier to give people the warm fuzzies by talking about physical protection than by talking about math

Warm fuzzies is not in conflict with fiction.

| In the other direction, whether the ability to detect eavesdropping lets you do anything interesting is, I think, an open question. I wouldn't dismiss it out of hand.
|
| There's an old paper that posits a related primitive, Verify Once Memory: Present it with a set of bits, and it answers either "Yes, that's the value stored in me" or "No, wrong value".

Suppose I install a fake subway entrance, and MITM all the interactions between the victim's card and the real turnstile, where I have a card that proxies the victim's interactions with the fake terminal. Is the system still secure? Likely not, I would bet. The threat model was card forgery, not MITM.

-- Victor Duchovni, IT Security, Morgan Stanley
Re: Quantum Cryptography
Leichter, Jerry [EMAIL PROTECTED] writes:

| | - Quantum Cryptography is fiction (strictly claims that it solves an applied problem are fiction, indisputably interesting Physics).
| |
| | Well that is a broad (and maybe unfair) statement.
| |
| | Quantum Key Distribution (QKD) solves an applied problem of secure key distribution. It may not be able to ensure unconditional secrecy during key exchange, but it can detect any eavesdropping. Once eavesdropping is detected, the key can be discarded.
| |
| | Secure in what sense? Did I miss reading about the part of QKD that addresses MITM (just as plausible IMHO with fixed circuits as passive eavesdropping)?
| |
| | Once QKD is augmented with authentication to address MITM, the Q seems entirely irrelevant.
|
| The unique thing the Q provides is the ability to detect eavesdropping. I think a couple of weeks ago I forwarded a pointer to a paper showing that there were some limits to this ability, but even so, this is a unique feature that no combination of existing primitives can provide.
|
| One can argue about what this adds.

If it cost almost nothing, it would be a neat frill to have. When it increases the cost of encrypting a link by a factor of four to six orders of magnitude while still requiring all the old security systems you had before, it is pretty uninteresting.

| The current approach of the QKD efforts is to assume that physical constraints are sufficient to block MITM, [...] One can argue about the reasonableness of this model - particularly about the ability of physical limitations to block MITM. It does move the center of the problem, however - and into a region (physical protection) in which there is much more experience and perhaps some better intuition.

Indeed it does. We have a lot of experience with securing links that go for hundreds of km, and the experience tells us that we can't do it in the real world. It would be one thing if experience said that attackers can be easily found and stopped on long range physical links, but we know that they can't, so why are we even thinking about it this way?

Besides, companies like MagiQ don't say "we're giving you unconditional security against eavesdropping provided your prayers that no one MITMs you are granted", they claim that they are providing you with actual unconditional security. They clearly are not.

| In the other direction, whether the ability to detect eavesdropping lets you do anything interesting is, I think, an open question. I wouldn't dismiss it out of hand.

As you know, most of us argue you should simply assume you're being eavesdropped on and design security so that you don't care. It is much simpler, much less expensive, and much more robust.

-- Perry E. Metzger [EMAIL PROTECTED]
Re: Quantum Cryptography
| ...whereas the key distribution systems we have aren't affected by eavesdropping unless the attacker has the ability to perform 2^128 or more operations, which he doesn't.

Paul: Here you are assuming that key exchange has already taken place. But key exchange is the toughest part. That is where Quantum Key Distribution (QKD) comes in the picture.

Once the keys are exchanged using QKD, you have to rely on conventional cryptography to do bulk encryption using symmetric crypto. Using Quantum Crypto to do bulk encryption doesn't make any sense. It is only useful in key distribution.

saqib
http://www.linkedin.com/in/encryption
Re: Quantum Cryptography
At 10:44 AM -0700 6/22/07, Ali, Saqib wrote:

| | ...whereas the key distribution systems we have aren't affected by eavesdropping unless the attacker has the ability to perform 2^128 or more operations, which he doesn't.
|
| Paul: Here you are assuming that key exchange has already taken place.

No, I'm not. I am talking about protocols that do their own key exchange. IPsec. SSL/TLS. Kerberos. Etc.

| But key exchange is the toughest part.

No, requiring that the two ends have a fixed connection which QKD works over is far tougher than using a proven protocol that works over any connection.

--Paul Hoffman, Director
--VPN Consortium
Re: Quantum Cryptography
On Fri, Jun 22, 2007 at 10:44:41AM -0700, Ali, Saqib wrote:

| Paul: Here you are assuming that key exchange has already taken place. But key exchange is the toughest part. That is where Quantum Key Distribution (QKD) comes in the picture.
|
| Once the keys are exchanged using QKD, you have to rely on conventional cryptography to do bulk encryption using symmetric crypto.

QKD fails to come into the picture, because its key exchange is unauthenticated. I can do secure unauthenticated key exchange at zero cost using EECDH with no special quantum hardware. If the link is MITM-proof, I am done.

| Using Quantum Crypto to do bulk encryption doesn't make any sense. It is only useful in key distribution.

What bulk-encryption system am I going to use that is usefully stronger than EECDH over secp384r1 (or tinfoil hat secp521r1)? It is also not useful for key distribution. It remains (charitably) fiction.

-- Victor Duchovni, IT Security, Morgan Stanley
Re: Quantum Cryptography
At 10:44 -0700 2007/06/22, Ali, Saqib wrote:

| | ...whereas the key distribution systems we have aren't affected by eavesdropping unless the attacker has the ability to perform 2^128 or more operations, which he doesn't.
|
| Paul: Here you are assuming that key exchange has already taken place. But key exchange is the toughest part. That is where Quantum Key Distribution (QKD) comes in the picture.
|
| Once the keys are exchanged using QKD, you have to rely on conventional cryptography to do bulk encryption using symmetric crypto. Using Quantum Crypto to do bulk encryption doesn't make any sense. It is only useful in key distribution.

To be used in key distribution I have to have laid a private optical fiber between me and my correspondent. I could have paid a lot less for an armored truck to carry the key for me. (I know you can do QKD without the fiber these days, but how do you know that you agreed the key with the person you think you agreed it with? It's turtles all the way down.)

Greg.
Re: Quantum Cryptography
Ali, Saqib [EMAIL PROTECTED] writes:

| | ...whereas the key distribution systems we have aren't affected by eavesdropping unless the attacker has the ability to perform 2^128 or more operations, which he doesn't.
|
| Paul: Here you are assuming that key exchange has already taken place. But key exchange is the toughest part.

Key exchange is not the toughest part or even tough at all. Algorithms like Diffie-Hellman and variants on the theme work just fine. Authenticated protocols based on these algorithms are well understood and have been studied for defects for many years. The STS protocol and variants on it like the ones used in TLS are fine, and if you feel that they're not secure enough with the number of bits commonly used, you can crank up the dial for a lot less than the cost of one of these mind-bogglingly expensive boxes from MagiQ (not to mention the price of dedicated dark fiber between the endpoints.)

| That is where Quantum Key Distribution (QKD) comes in the picture. Once the keys are exchanged using QKD, you have to rely on conventional cryptography to do bulk encryption using symmetric crypto.

I don't believe that any of the commercial units work that way, but if they do, my opinion of them has dropped even further, and it was already about as low as I thought was possible. Using QKD only for key exchange and using a conventional crypto system for the bulk of the data completely eliminates any conceivable benefits over more conventional techniques.

Perry
Re: Quantum Cryptography
On Tue, Jun 19, 2007 at 09:10:12PM -0700, Aram Perez wrote:

| On a legal mailing list I'm on there is a bunch of emails on the perceived effects of quantum cryptography. Is there any authoritative literature/links that can help clear the confusion?

Quantum Cryptography or Quantum Computing (i.e. cryptanalysis)?

- Quantum Cryptography is fiction (strictly, claims that it solves an applied problem are fiction; indisputably interesting Physics).

- Quantum Computing is science fiction. Some science fiction eventually becomes reality.

-- Victor Duchovni, IT Security, Morgan Stanley
Re: Quantum cryptography gets practical
On Wed, 2004-10-06 at 06:27, Dave Howe wrote:

| I have yet to see an advantage to QKE that even mildly justifies the limitations and cost over anything more than a trivial link (two buildings within easy walking distance, sending high volumes of extremely sensitive material between them)

But it's cool!

More seriously, it has no advantage now, but maybe something will come up. The early telephones were about useless, too, remember. In the mean time, the coolness factor will keep people playing with it and researching it.
Re: Quantum cryptography gets practical
Dave Howe wrote:

| I think this is part of the purpose behind the following paper: http://eprint.iacr.org/2004/229.pdf which I am currently trying to understand and failing miserably at *sigh*

Nope, finally struggled to the end to find a section pointing out that it does *not* prevent mitm attacks. Anyone seen a paper on a scheme that does?
Re: Quantum cryptography finally commercialized?
R. A. Hettinga wrote:

| http://www.net-security.org/news.php?id=3583
|
| Quantum cryptography finally commercialized?
| Posted by Mirko Zorz - LogError
| Tuesday, 16 September 2003, 1:23 PM CET

For the onlookers, this article is misinformed and should not be relied upon for evaluating quantum cryptography. The rest of the article contains statements like the following:

| MagiQ's Navajo creates encryption keys that change up to 1,000 times a second to prevent eavesdroppers from deciphering the transmitted data packets. [...] While AES is very secure, the combination of AES and Navajo is theoretically absolutely secure: unbreakable.

The "unbreakable" claim is unfounded.