silky <michaelsli...@gmail.com> writes:
>>>> Second, you can't use QKD on a computer network. It is strictly point to
>>>> point. Want 200 nodes to talk to each other? Then you need 40,000
>>>> fibers, without repeaters, in between the nodes, each with a $10,000 or
>>>> more piece of equipment at each of the endpoints, for a total cost of
>>>> hundreds of millions of dollars to do a task ethernet would do for a
>>>> couple thousand dollars.
>>>
>>> Sure, now. That's the point of research though; to find more efficient
>>> ways of doing things.
>>
>> I'm afraid that QKD is literally incapable of being done more
>> efficiently than this. The whole point of the protocol is to get
>> guarantees of security from quantum mechanics, and as soon as you have
>> any intermediate nodes they're gone. I know of no one who claims to have
>> any idea about how to extend the protocol beyond that, and I suspect it
>> of being literally impossible (that is, I suspect that a mathematical
>> proof that it is impossible should be doable.)
>
> What do you mean "intermediate nodes"? It's possible to extend the
> length of QKD depending on the underlying QKD protocol used. I.e. in
> the EPR-based QKD, extension is possible.

Length isn't the issue. Networks are the problem. If you want to have
every computer have only one link instead of one for every other
computer it might ever talk to, you need a network. Networks need
routers, that is, intermediate nodes. QKD requires that the actual
endpoints of the communication be the only objects intercepting the
photons in question -- it is inherently useless in an environment with
routers.

Thus, if you want 200 nodes in a network to talk to each other, you
need 200*200 fibers to do it, and 200*200*2 QKD units, each of which is
more expensive than your computer is. In exchange for your vast
expenditure, you will gain no security whatsoever and have to implement
a conventional cryptosystem on top anyway. It seems like a lose.

> [...]
>
>> No one is doing that, though. People are working on things like faster
>> bit rates, as though the basic reasons the whole thing is useless were
>> solved.
>
> I don't think you can legitimately speak for the entire community as
> to what or not they may be doing.

I think I can, actually. I know of very few people in computer security
who take QKD seriously. I feel pretty safe making these sorts of
statements.

> It's interesting to me that some arguably unrelated fields of research
> (i.e. quantum repeaters) may be useful.

Not for this problem.

>> > Importantly, however, is that if a classical system is used to do
>> > authentication, then the resulting QKD stream is *stronger* than the
>> > classically-encrypted scheme.
>>
>> Nope. It isn't. The system is only as strong as the classical system. If
>> the classical system is broken, you lose any assurance that you aren't
>> being man-in-the-middled.
>
> No, it's not only as strong as the classical; it gets stronger if the
> classical component works. Quoting from:
> http://arxiv.org/abs/0902.2839v2 - The Case for Quantum Key
> Distribution
>
> "If authentication is unbroken during the first round of QKD, even if
> it is only computationally secure, then subsequent rounds of QKD will
> be information-theoretically secure."

Read what you just wrote. IF THE AUTHENTICATION IS UNBROKEN. That is,
the system is only secure if the conventional cryptosystem is not
broken -- that is, it is only as secure as the conventional system in
use. Break the conventional system and you've broken the whole thing.

It is, of course, worse than that paper states. If you're only
authenticating, a man in the middle gets the entire bit stream, so you
need both: authentication to know a man in the middle isn't lying to
you, and conventional crypto to know that the man in the middle isn't
violating your privacy.

Color me unimpressed by the usefulness of the system.

Perry
--
Perry E. Metzger                pe...@piermont.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com