Comments on: Shor Broke Our Toys http://dabacon.org/pontiff/?p=1086 Theoretical Musings Thu, 09 Sep 2010 14:06:56 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: Daniel Gottesman http://dabacon.org/pontiff/?p=1086#comment-46752 Daniel Gottesman Tue, 04 Oct 2005 00:01:43 +0000 http://dabacon.org/pontiff/?p=1086#comment-46752 Well, I always mention it. Basically Dave is right: QKD fixes part of what Shor broke. Or more correctly, classical cryptography was already broken, Shor just happened to be the one that saw the cracks. There are two additional points I think are worth making: First, it is a good idea to make a distinction between what QKD does and what quantum mechanics does. There are other possible quantum cryptography protocols besides QKD, and we don't yet really know to what extent they can substitute for other useful aspects of public key cryptography (like digital signatures). Second, even without additional quantum cryptographic techniques, authentication is a much easier problem than public key encryption. Indeed, there are reasonably good private key authentication schemes which work with small keys and information-theoretic security (see: Wegman-Carter). The certificate authority system is nice because the CA can sign the public key in the distant past and then be uninvolved, but that's not really an essential part of the system. It would work nearly as well if Alice and Bob authenticated messages via the CA in real time. Each would start with a shared secret key with the CA, so, for instance, Alice would authenticate a message to the CA, and then the CA would authenticate it to Bob. There is a slight increase in trust required vs. the usual CA model, but the CA can't learn the message without an active man-in-the-middle attack, which risks discovery and the consequent ruin of the CA's business. Well, I always mention it.

Basically Dave is right: QKD fixes part of what Shor broke. Or more correctly, classical cryptography was already broken, Shor just happened to be the one that saw the cracks. There are two additional points I think are worth making:

First, it is a good idea to make a distinction between what QKD does and what quantum mechanics does. There are other possible quantum cryptography protocols besides QKD, and we don’t yet really know to what extent they can substitute for other useful aspects of public key cryptography (like digital signatures).

Second, even without additional quantum cryptographic techniques, authentication is a much easier problem than public key encryption. Indeed, there are reasonably good private key authentication schemes which work with small keys and information-theoretic security (see: Wegman-Carter). The certificate authority system is nice because the CA can sign the public key in the distant past and then be uninvolved, but that’s not really an essential part of the system. It would work nearly as well if Alice and Bob authenticated messages via the CA in real time. Each would start with a shared secret key with the CA, so, for instance, Alice would authenticate a message to the CA, and then the CA would authenticate it to Bob. There is a slight increase in trust required vs. the usual CA model, but the CA can’t learn the message without an active man-in-the-middle attack, which risks discovery and the consequent ruin of the CA’s business.

Like or Dislike: Thumb up 0 Thumb down 0

]]> By: Dave Bacon http://dabacon.org/pontiff/?p=1086#comment-46750 Dave Bacon Mon, 03 Oct 2005 22:10:50 +0000 http://dabacon.org/pontiff/?p=1086#comment-46750 I certainly agree that the matter of having an authenticated channel along with QKD should be mentioned up front! Certainly if I were talking to a group of experts in security. Maybe the problem is the usual audience those who deal with QKD are used to is rarely this group and so introducing this so early seems confusing. I certainly agree that the matter of having an authenticated channel along with QKD should be mentioned up front! Certainly if I were talking to a group of experts in security. Maybe the problem is the usual audience those who deal with QKD are used to is rarely this group and so introducing this so early seems confusing.

Like or Dislike: Thumb up 0 Thumb down 0

]]> By: Rod http://dabacon.org/pontiff/?p=1086#comment-46749 Rod Mon, 03 Oct 2005 21:40:37 +0000 http://dabacon.org/pontiff/?p=1086#comment-46749 Hmm, I guess I should go back and revise my text a little :-). I certainly didn't mean to imply that physicists don't understand the need for the authentication channel. But I've now been to half a dozen QKD talks by physicists, and the authenticated channel is sometimes given one sentence late in the talk, sometimes not mentioned until Q&A. The people working in QKD, as you say, are all aware of it, they just don't emphasize it much (and consequently, I think many casual listeners are unaware of it). A network security person would probably start a talk on it with, "QKD uses entangled photons and an authenticated channel to..." So it's really a matter of focus. The physicists are interested in the physics, the network people are interested in the network. Hmm, now there's a profound observation... Hmm, I guess I should go back and revise my text a little :-) . I certainly didn’t mean to imply that physicists don’t understand the need for the authentication channel. But I’ve now been to half a dozen QKD talks by physicists, and the authenticated channel is sometimes given one sentence late in the talk, sometimes not mentioned until Q&A. The people working in QKD, as you say, are all aware of it, they just don’t emphasize it much (and consequently, I think many casual listeners are unaware of it). A network security person would probably start a talk on it with, “QKD uses entangled photons and an authenticated channel to…”

So it’s really a matter of focus. The physicists are interested in the physics, the network people are interested in the network. Hmm, now there’s a profound observation…

Like or Dislike: Thumb up 0 Thumb down 0

]]>