Re: quantum crypto rears its head again.

2006-12-14 Thread Jon Callas

On 13 Dec 2006, at 11:57 AM, Perry E. Metzger wrote:



> I saw this link on Slashdot (and it was also on Ekr's blog):
>
> http://hackreport.net/2006/12/13/quantum-cryptography-its-some-kind-of-magiq/
>
> It appears that the quantum crypto meme just won't go away.
>
> Bob Gelfond of MagiQ promises us that for only $100,000, plus monthly
> leasing of a dry fiber optic home run between your end systems, you
> can have security that isn't even as good as what nearly free software
> will give commodity computers over the unsecured public internet.
>
> I wonder if this idea is ever going to die. My guess is it will, but
> not until the people who have thrown away their money investing in
> this technology go bankrupt.



Thanks for writing your note at the bottom. Quantum cryptography is a
fascinating thing, but first of all, it's not cryptography. It should
be called quantum secrecy, or something akin to that. Next, its
proponents have a tendency to effectively say, "Oh, math, that's
something that could go bad. But physics, *that* will always be good!"


Jon

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: Quantum Crypto

2003-12-20 Thread Perry E. Metzger

John Lowry <[EMAIL PROTECTED]> writes:
> Perry is absolutely right.
> There is no point in pursuing this.
> It might even be analogous to what we now know about computers.
> We were warned that there would never be a need for more than
> a half-dozen - after all, they were extremely expensive just to get
> a few more digits in the logarithm table ...  Thank goodness that we stopped
> those wasteful government research efforts and put money into improving
> analog mechanical desktop calculators - which is all anyone ever needed
> anyway.  ;-)

Your amusing banter aside, my point remains. QCrypto doesn't solve any
problems that anyone has in the real world -- everything it can do can
be done far more cheaply and indeed far better by other means -- so it
is a large expense that serves no purpose.

I know of no company using something like AES+HMAC for link security
that has had its cryptographically secured communications successfully
attacked by cryptanalysis* -- and AES is free, and running it is nearly
free. On the other hand, I know of lots of companies that have had
problems because they haven't thought out their remote access systems
well or because they are running software vulnerable to buffer
overflows. The issue is not that we need "unbreakable crypto" -- we
already have it for practical purposes. The issue is that our systems
are not built robustly.

> Please don't dismiss what is really a very new research area with unknown
> potential -

This is not an issue of "unknown potential" -- we know what the
systems being marketed do. They have specifications and user manuals.

I would never suggest that people stop research, of course, but it
seems that QCrypto is not a solution to any real world problem.

Perry

*By this, I don't include things like "the key management algorithm
 only used all ones as the key" -- I mean legitimate attacks against
 AES etc.



Re: Quantum Crypto

2003-12-20 Thread John Lowry
Perry is absolutely right.
There is no point in pursuing this.
It might even be analogous to what we now know about computers.
We were warned that there would never be a need for more than
a half-dozen - after all, they were extremely expensive just to get
a few more digits in the logarithm table ...  Thank goodness that we stopped
those wasteful government research efforts and put money into improving
analog mechanical desktop calculators - which is all anyone ever needed
anyway.  ;-)

Perry,
I seem to remember paying excessive amounts for my first installations
of 1822, X.25, token-ring, ethernet - in fact all new devices.  Even the
ones that weren't needed ... Initial cost is a poor metric and you of all
people should know it.  However, I sincerely applaud your effort to present
a snapshot of the state of the art - and the effort to qualify the QKD folks
who are prematurely entering the market.  Please try to include a view of the
long term potential and imagine how it might be used when you write your
report.  After all, who would have thought that computers _would_ be linked
together to create communication networks ... And that my 75-year old mother
could not only afford one but actually enjoy using it.  (Ok, it's a Macintosh
...)
Please don't dismiss what is really a very new research area with unknown
potential - just leaving the physicist's lab bench for the engineering lab
bench - because a few folks are entering the market too soon and claiming
that they have "product".  There is a baby in that bath water!

Season's Greetings !

John


On 12/16/03 10:14, "Perry E.Metzger" <[EMAIL PROTECTED]> wrote:

> 
> There have been more press releases about quantum crypto products
> lately.
> 
> I will summarize my opinion simply -- even if they can do what is
> advertised, they aren't very useful. They only provide link security,
> and at extremely high cost. You can easily just run AES+HMAC on all
> the bits crossing a line and get what is for all practical purposes
> similar security, at a fraction of the price.
> 
> The problem in security is not that we don't have crypto technologies
> that are good enough -- our algorithms are fine. Our real problem is
> in much more practical things like getting our software to high enough
> assurance levels, architectural flaws in our systems, etc.
> 
> Thus, Quantum Crypto ends up being a very high priced way to solve
> problems that we don't have.
> 
> 
> Perry
> 



Re: Quantum Crypto

2003-12-20 Thread Ed Gerck
"Perry E.Metzger" wrote:

> ...
> The problem in security is not that we don't have crypto technologies
> that are good enough -- our algorithms are fine. Our real problem is
> in much more practical things like getting our software to high enough
> assurance levels, architectural flaws in our systems, etc.
>
> Thus, Quantum Crypto ends up being a very high priced way to solve
> problems that we don't have.

Well, one of our real problems is that in order to protect a system we need
to introduce targets in addition to the system's resources (the original targets)
that can come under attack, which additional targets increase complexity and
overhead and which we cannot protect with 100% efficiency. Thus, paradoxically,
adding controls adds weaknesses.

For example, if we add a password list and an ACL to control access we
are adding targets -- that can be (and are) attacked. Another example is
the software itself, needed to control the access.

Quantum cryptography's promise is to solve this real problem by eliminating
some additional targets when compared to a conventional system.

The same, however, can be done without QC and that is, IMO, one of the
directions we need more work on. How can we reduce the number of additional
targets -- QC or not? This approach can provide provable benefits by directly
reducing the total number of targets. You can't attack a target that does not exist.

Cheers,
Ed Gerck




Re: Quantum crypto, from BBC

2003-06-10 Thread Bill Stewart
At 12:44 PM 06/07/2003 -0400, John S. Denker wrote:
> On 06/07/2003 08:04 AM, Udhay Shankar N wrote:
> > I haven't seen this discussed here yet.

I hadn't seen this particular implementation of it discussed here
before your posting, but as John points out, the topic has been discussed.
It's somewhat cool, but not particularly useful.

> On the scale of physics hype, quantum crypto in
> particular and quantum computation in general are
> nowhere near as bad as cold fusion, but perhaps
> comparable to high-Tc superconductors, which had
> a definite basis in fact, but their practicality
> was wildly overclaimed.

Quantum computers that can actually do factoring of usefully
large numbers would have a major impact on the whole crypto field.
But quantum cryptography for sending messages
is seldom any more useful than sending an occasional courier
with a briefcase handcuffed to his arm,
which probably costs a lot less than stringing fiber.
It's also not very useful for preventing traffic analysis :-)





Re: Quantum crypto, from BBC

2003-06-07 Thread Perry E. Metzger

Udhay Shankar N <[EMAIL PROTECTED]> writes:
> I haven't seen this discussed here yet. Is there something to this?

Quantum Cryptography is a really expensive way to provide link
encryption that is perhaps marginally better in some theoretical sense
to simply using, say, AES link encryption boxes at both ends, but in
day to day practice provides no additional security at all.

It is the sort of thing that fascinates people who are interested in
neat solutions that solve no real problems.

In the real world, the issue is not finding cryptographic mechanisms
that are good enough. We have fine algorithms for securing links
already. It is getting people to use them, and getting programmers not
to misuse them or make other mistakes that render them moot.

Perry



Re: Quantum crypto, from BBC

2003-06-07 Thread Dave Howe
Udhay Shankar N wrote:
> I haven't seen this discussed here yet. Is there something to this?

For limited applications, yes

QC in the form usually found in recent tests is actually quite simple.

The sender generates some good random binary data (from an unknown source,
doesn't really matter) and sends it encoded in the polarization of a photon
(one of four states - so two bits are needed at this point per photon; the
first encodes a choice of axes (horizontal+vertical or the diagonals) and
the second an orientation (so for example a 0 could be represented by
horizontal and 1 by vertical, or if the diagonal filter is in use, 0 by a \
and 1 by a /) )
The recipient filters the photons using a random choice of filter - and
transmits the choice of filter back to the sender. From this, the sender
will know if the recipient received the photon encoded properly or not - a
vertical filter would "see" a photon for a vertically encoded 1, not see one
for a horizontally encoded 0, and have a chance to see either a \ or a / but
if it is a decent filter, would not see them at all; the same idea rotated
45 degrees applies to the diagonal filter.
The sender then tells the recipient which filters he got right. Both now
have a set of bits that they alone know, are completely randomly generated,
and can be used as a key for conventional crypto (or if it is important
enough, OTP)

From this, it should be obvious that you need a fairly clean, predictable
photon path - usually a fiberoptic, so that you can predetermine the
reference axes at both ends of the cable. Even a free-air path is usually
too vulnerable to distortion and/or photon loss, so is unsuitable.  So, for
the limited case where you can create a single, unbroken optic path between
two sites, and maintain it in a state where it can't be broken by a third
party for a literal mitm attack, it is a perfectly feasible scheme for
transmitting keys. Not likely to replace a trusted courier with a dozen
cheap CDRs burnt with keydata in the near future though.


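The key-agreement procedure Dave describes above (random bits encoded in one of two sets of axes, a random filter at the receiver, filter choices announced in public, mismatched positions thrown away), written out as a classical simulation. This is an added example, not code from the original thread or from any product mentioned in it. It goes one step beyond the post by also modelling the third party who breaks the fibre and re-sends photons, so that the disagreement rate the two ends would see in that case is visible; the 50/50 outcome of a mismatched filter and the 11% decision threshold are simplifying assumptions of this simulation, not figures taken from the post.

```python
import random

# Bases: 0 = rectilinear filter (horizontal/vertical), 1 = diagonal filter (\ and /).
RECTILINEAR, DIAGONAL = 0, 1


def measure(bit, prep_basis, meas_basis, rng):
    """Classical stand-in for a polarization measurement: a filter on the
    same axes as the encoding returns the encoded bit; a filter on the
    other axes gives a 50/50 outcome and destroys the original state
    (simplifying assumption of this simulation)."""
    if prep_basis == meas_basis:
        return bit
    return rng.randrange(2)


def run_exchange(n, seed, intercept_resend=False):
    """Simulate sending n photons and sifting the key.

    Returns (sender_key, receiver_key, qber), where qber is the fraction of
    sifted positions on which the two keys disagree. The seed only makes the
    run reproducible; a real sender draws its bits from a hardware RNG.
    """
    rng = random.Random(seed)

    # Sender: a random bit and a random choice of axes for every photon.
    bits = [rng.randrange(2) for _ in range(n)]
    send_bases = [rng.randrange(2) for _ in range(n)]

    # Optional third party who breaks the fibre, measures each photon with
    # a filter of its own choosing, and re-emits a photon encoded in that basis.
    if intercept_resend:
        eve_bases = [rng.randrange(2) for _ in range(n)]
        eve_bits = [measure(b, sb, eb, rng)
                    for b, sb, eb in zip(bits, send_bases, eve_bases)]
        line_bits, line_bases = eve_bits, eve_bases
    else:
        line_bits, line_bases = bits, send_bases

    # Receiver: a random filter per photon, then announces the filter choices
    # (only the choices, never the measured bits) over the public channel.
    recv_bases = [rng.randrange(2) for _ in range(n)]
    results = [measure(b, lb, rb, rng)
               for b, lb, rb in zip(line_bits, line_bases, recv_bases)]

    # Sender replies with the positions where the filter matched the encoding;
    # both sides keep only those ("sifting"). About half of the photons survive.
    keep = [i for i in range(n) if send_bases[i] == recv_bases[i]]
    sender_key = [bits[i] for i in keep]
    receiver_key = [results[i] for i in keep]

    mismatches = sum(a != b for a, b in zip(sender_key, receiver_key))
    qber = mismatches / len(keep) if keep else 0.0
    return sender_key, receiver_key, qber


def eavesdropper_suspected(qber, threshold=0.11):
    """Decision rule on the observed error rate. In practice the two ends
    obtain this rate by publicly comparing a sacrificed sample of sifted
    bits; an intercept-resend attacker leaves about 25% disagreements on an
    otherwise clean line, so a rate above the threshold means the photons
    were disturbed in transit and the key is discarded. 11% is a commonly
    cited BB84 bound, assumed here rather than derived."""
    return qber > threshold


if __name__ == "__main__":
    for tapped in (False, True):
        s, r, q = run_exchange(4000, seed=7, intercept_resend=tapped)
        print(f"tapped={tapped}: sifted {len(s)} bits, QBER {q:.3f}, "
              f"suspect={eavesdropper_suspected(q)}")
```

On the untapped run the two sifted keys agree bit for bit, since the simulated fibre adds no noise; on the tapped run roughly a quarter of the sifted bits differ, which is the signal that lets the two ends refuse the key. This is the part of the scheme that the post's "maintain it in a state where it can't be broken" is doing the work of: a real deployment also has to tell this disturbance apart from ordinary photon loss and detector noise.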


Re: Quantum crypto, from BBC

2003-06-07 Thread John S. Denker
On 06/07/2003 08:04 AM, Udhay Shankar N wrote:
> I haven't seen this discussed here yet.

It's been discussed here some, and discussed elsewhere
plenty.  I get 19,000 hits from
http://www.google.com/search?q=quantum+cryptography+product+OR+products

> Is there something to this?

It depends on your definition of "something".

Quantum cryptography is perfectly real and is
fascinating in an academic sort of way.
The available products are somewhere between "not
very practical" and "ridiculous" if you ask me.
Most companies can't be bothered to do classical
crypto properly.  The idea that they would pay the
incremental cost to step up to quantum crypto seems
far-fetched to me.
On the scale of physics hype, quantum crypto in
particular and quantum computation in general are
nowhere near as bad as cold fusion, but perhaps
comparable to high-Tc superconductors, which had
a definite basis in fact, but their practicality
was wildly overclaimed.
> Dr Shields' team have demonstrated quantum cryptography working over
> distances of 100 km, which should be enough to cover large metropolitan
> areas such as London and Tokyo.

This is not new news.

> The Department of Trade and Industry has pledged cash to help the
> researchers refine their work and bring commercial quantum cryptography
> products to market.

Tee hee.  Very funny.  I don't think "trade and industry"
considerations are the driving force here.  I think the
military and the cryptologic agencies have rather larger
budgets than the Department of Trade and Industry, and
they are really who's paying for the flurry of R&D.
=

If you want to improve the fact-to-hype ratio, go to
  http://xxx.lanl.gov/find/quant-ph
and type "cryptography" in the 'abstract' box.  I get
82 hits in the range 2001-to-date.  And those lead to
yet other references.

