Massimiliano Pala <[EMAIL PROTECTED]> writes:

> Victor Duchovni wrote:
>> Quantum Cryptography or Quantum Computing (i.e. cryptanalysis)?
>> - Quantum Cryptography is "fiction" (strictly, claims that it solves
>> an applied problem are fiction, indisputably interesting Physics).
>
> I do not really agree with this statement. There are ongoing projects, that
> I know of, that are actually working on maximizing communication throughput
> (which is currently not very good) on encrypted channels and minimizing
> costs of involved equipment. AFAIK, one great advantage of quantum crypto
> is in the area of key exchange when establishing a secure communication.
> I guess quantum crypto is definitely not "fiction" (Anyhow, I do not know if
> it has already been used somewhere... ).
"Quantum cryptography" is useless. Victor is completely correct here. Quantum crypto provides you with a slow way of getting a one-time pad (of sorts) that you cannot authenticate and thus cannot trust, between two endpoints only, and it does it at extreme expense.

Why do I say "that you cannot authenticate"? Because although you can tell that no one eavesdropped on the line, you have no way of knowing that no one cut the fiber in two and put two such boxes in between. You know that no one eavesdropped, but not who you are talking to. Various physics types who I explain this to generally do not understand what I'm talking about at first blush, because they only consider the problem of eavesdropping -- the notion that you also need to verify who the guy at the other end is never occurs to them, because they aren't security people. The fact that the attacker might not even bother to eavesdrop and could simply insert himself into the communication stream never occurs to the proponents.

So, to fix the man-in-the-middle problem, you have to layer an authentication technology on top. Unfortunately, the ones we have are all conventional crypto -- perhaps a MAC of some sort. At which point, you're trusting conventional crypto for your security, so why bother? Conventional crypto is nearly free.

This brings up another issue. Quantum crypto is exceptionally expensive, and is virtually undeployable. To provide security that, in a practical sense, is no better than what you can get from high-key-length conventional ciphers, you spend vast amounts on end-system equipment, rent a dedicated dark-fiber link between two locations that can't be arbitrarily far apart, and in the end, you have two machines that can talk securely in a world where one needs thousands or millions of machines to talk securely to any one of the other machines. The phone network and Internet exist for a reason -- people want communication networks, not a string between two cans between each other's homes. They need NxN communication, not 1-1 communication. Building the N^2 array of dark fibers and quantum crypto boxes between lots of machines is, of course, utterly impractical and always will be. Of course, even if you could, you would still need out-of-band key distribution and a MAC to know that no one had man-in-the-middled your links. Again, why bother?

Now, let's consider the alternative. In a practical sense, no one rational worries on a day-to-day basis that their security is going to be compromised because someone has a magic box that decrypts 256-bit AES in 12 seconds flat. The crypto we already have is more than good enough. Quantum Crypto exists on the mistaken premise that people are worried about their ciphers being broken and that this is the main issue in security. It is not. Having your ciphers broken is not even remotely the main issue for most installations. What people worry about in the real world are design flaws, programming errors, human interface problems that make things like phishing possible, and whether or not the $12-an-hour security guard at your data center will happily take a $5000 bribe to let someone at your equipment for an hour. Quantum Key Distribution solves none of those issues at all. The issue it does solve is a non-issue -- we already have 256-bit keyed AES if you need it.

Quantum Crypto does what it says it does, but it is a commercially worthless invention, like an 800-pound wristwatch that is 20% more accurate than normal wristwatches but which is completely wrong one day in seven, or like a $20,000,000 tube of toothpaste that tastes slightly better but causes your teeth to explode one time in every 400. Even if the watch is marginally more accurate, no one will wear it. Even if the toothpaste tastes slightly better, no one will buy it. Neither invention solves a real problem from the real world. Quantum Crypto was invented by physicists who understand physics well but have no understanding of security. It does what it claims to do, but what it claims to do is of no use to anyone. Quantum Crypto does nothing at all for the things people actually need solved, and for what it does do, it costs vastly too much. It is a lead balloon, a jet-powered toast-buttering machine, an electronically controlled salad fork.

What continues to amaze me is that, nonetheless, people continue to spend time and money on this. I can understand finding the technique theoretically interesting, and perhaps even someday someone will think of a way to use the ideas in a system of practical use, but there are companies out there like MagiQ trying to sell the solid-gold-covered + barbed-wire-seat commodes to people.

-- 
Perry E. Metzger [EMAIL PROTECTED]

---------------------------------------------------------------------
The Cryptography Mailing List
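The man-in-the-middle argument in the message above, as an added, constructed illustration that is not part of the original post or of any QKD product. The "quantum" link is modelled as an idealised oracle (a `QkdLink` class, an assumption of this example) that gives both ends of one fibre the same fresh random key and truthfully reports that nobody tapped it. An attacker who cuts the fibre and runs a box toward each victim gets two such links, each genuinely untapped, so the eavesdropping detector stays silent on both. The "MAC of some sort" is taken to be HMAC-SHA256 over a key-confirmation message, keyed with a pre-shared secret that must be distributed conventionally and out of band; with that secret absent (an empty, hence public, MAC key) the substitution goes unnoticed, and with it present Bob's check fails.

```python
"""Toy model: why an unauthenticated QKD link cannot detect a relay attacker.

Constructed example, not a real QKD protocol.  The quantum channel is an
oracle that hands both boxes on one fibre the same random key and reports
that nobody tapped the fibre.  Only a conventional MAC under a pre-shared
secret lets the endpoints notice that they are on two different fibres.
"""
import hashlib
import hmac
import secrets
from typing import Optional

KEY_BYTES = 32


class QkdLink:
    """Idealised point-to-point QKD link between exactly two boxes (assumed model)."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(KEY_BYTES)
        # QKD's actual guarantee: a passive tap on this fibre would be noticed.
        # Nobody taps any fibre in this model, so the detector never fires.
        self.eavesdrop_detected = False

    def key(self) -> bytes:
        return self._key


def confirm_tag(auth_key: bytes, session_key: bytes, label: bytes) -> bytes:
    """Key-confirmation tag: HMAC-SHA256 over a direction label and a digest of
    the link key, keyed with the conventional authentication secret."""
    msg = label + hashlib.sha256(session_key).digest()
    return hmac.new(auth_key, msg, hashlib.sha256).digest()


def run_session(alice_auth: bytes, bob_auth: bytes, attacker: bool,
                attacker_auth: Optional[bytes] = None) -> dict:
    """One key agreement followed by an Alice->Bob key confirmation.

    alice_auth / bob_auth : authentication secret each side holds (b"" = none)
    attacker              : whether Mallory cuts the fibre and runs two boxes
    attacker_auth         : what Mallory knows of that secret (None = nothing)
    """
    if attacker:
        link_a = QkdLink()          # Alice <-> Mallory, one intact fibre
        link_b = QkdLink()          # Mallory <-> Bob, another intact fibre
        k_alice, k_bob = link_a.key(), link_b.key()
        detected = link_a.eavesdrop_detected or link_b.eavesdrop_detected
    else:
        link = QkdLink()            # Alice <-> Bob, single intact fibre
        k_alice = k_bob = link.key()
        detected = link.eavesdrop_detected

    # Alice's confirmation tag travels over the classical channel, which in
    # the attack case passes through Mallory.
    tag = confirm_tag(alice_auth, k_alice, b"A->B")
    if attacker and attacker_auth is not None:
        # The MAC key is known to Mallory (or there is none): she recomputes
        # the tag under Bob's link key.  Without the secret she can only
        # forward Alice's tag unchanged.
        tag = confirm_tag(attacker_auth, k_bob, b"A->B")

    confirmed = hmac.compare_digest(tag, confirm_tag(bob_auth, k_bob, b"A->B"))
    return {
        "eavesdrop_detected": detected,   # what the QKD hardware reports
        "keys_match": k_alice == k_bob,   # ground truth the parties cannot see
        "confirmation_ok": confirmed,     # the only thing Bob can check
    }


def demo() -> dict:
    # Pre-shared secret, distributed out of band by conventional means.
    psk = secrets.token_bytes(KEY_BYTES)
    return {
        "honest": run_session(psk, psk, attacker=False),
        # No authentication layer: empty MAC key, therefore public.
        "mitm_unauthenticated": run_session(b"", b"", attacker=True, attacker_auth=b""),
        # Conventional MAC on top, under a secret Mallory does not hold.
        "mitm_authenticated": run_session(psk, psk, attacker=True, attacker_auth=None),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} {result}")
```

In all three runs the QKD detector reports nothing, which is correct: no fibre was tapped. The unauthenticated relay leaves Alice and Bob with different keys and a passing confirmation, so neither side learns anything is wrong; the only run in which the attack is caught is the one that rests entirely on the HMAC and its conventionally distributed secret.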