Bruce Schneier has a commentary up at Wired about quantum cryptography. There are a lot of good points about the article, but it left me kind of scratching my head. As far as I can tell Bruce Schneier believes that you should not worry about any cryptographic system currently in use ever being broken. I didn’t think cryptographers were allowed to have so little paranoia.

Schneier begins by explaining quantum cryptography and quantum computing. The former is a method for taking a small shared private key (needed for authentication) and boosting it up into a shared secret key of greater length such that if someone is eavesdropping on the line you can detect this eavesdropping due to the properties of quantum theory. The later is a method for building computers which, among its other traits, could be used to break many modern cryptographic systems. (See here for a discussion of quantum cryptography and quantum computing and how the former doesn’t fix all that the later breaks.)

After explaining all this, Schneier says

While I like the science of quantum cryptography — my undergraduate degree was in physics — I don’t see any commercial value in it. I don’t believe it solves any security problem that needs solving. I don’t believe that it’s worth paying for, and I can’t imagine anyone but a few technophiles buying and deploying it. Systems that use it don’t magically become unbreakable, because the quantum part doesn’t address the weak points of the system.

Security is a chain; it’s as strong as the weakest link. Mathematical cryptography, as bad as it sometimes is, is the strongest link in most security chains. Our symmetric and public-key algorithms are pretty good, even though they’re not based on much rigorous mathematical theory. The real problems are elsewhere: computer security, network security, user interface and so on.

Now let me get this straight: I have no doubt that there are many greater worries in security than “mathematical crypography.” But does this *justify* totally ignoring the possibility that a cryptographic system might possibly be breakable? I mean maybe I’m influenced by this in the fact that I’ve been sitting in on a cryptanalysis course and I just met a graduate student who broke a cryptographic pseudorandom number generator, but really what kind of an argument is this? “Um, well, sometimes our cryptographic systems have been broken, but that’s nothing to worry about, because, you know, everything is kosher with the systems we are using.” Should the author of such claims at least make some attempt at figuring out what the probability that the current infrastructure is actually secure, or will remain secure (not everyone needs security that expires at the end of a session)? Certainly when you get to twenty years out, I’m going to put a lot less faith in much of our public key system cryptography because of the fact that quantum computers can break most of these systems.

It is interesting to think about the competitiveness of quantum cryptography with the infrastructure it would replace. But to ignore it straightaway seems to me, well very very anti-security.

Now why can’t I get the Nirvana line “Just because you’re not paranoid, don’t mean they’re not after you” out of my head?

“Schneier” fixed.

Beyond, that, you’ve misread his article. He certainly doesn’t advocate ‘totally ignoring the possibility that a cryptographic system might possibly be breakable’ . In fact, he regularly blogs about mathematical flaws in cryptographic systems.No he only ignores the ones which he wants to.

Robert Thille: I agree you have to prioritize, no question. But if I said: why don’t you just use a Caesar cipher for your encrypted message? Would you take advice from me?

There is no ‘d’ in his last name, Schneier.

Schneier, not Schneider. Probably you use a spell checking product that has Schneider in its dictionary, but not Schneier. Never can trust it.

Beyond, that, you’ve misread his article. He certainly doesn’t advocate ‘totally ignoring the possibility that a cryptographic system might possibly be breakable’ . In fact, he regularly blogs about mathematical flaws in cryptographic systems.

Well, when you can get the user’s password for a candy bar, or just for asking (while pretending to be the helpdesk/IT department), then worrying about the math protecting the secret seems a bit silly.

I think you missed the point. It isn’t that everything is kosher so don’t worry about cryptography. It is that while current cryptography is sometimes bad, everything else is so horribly wrong. So if everything else is a pig, cryptography would be the lipstick. And quantum cryptography would be like $150,000 worth of lipstick.

You’re actually 100% reversing Schneier’s position. Fifteen years ago, he was a huge proponent of the view that crypto was great and would solve all our security problems. Since then, he has become convinced that even absolutely perfect crypto goes only a small way towards solving real-world problems: it is necssary, but there are many other weak points. No matter how good your crypto is, it doesn’t help you unless everything else is just as good. It’s the same way replacing your front door with a bank vault door doesn’t amount to a perfect home security system.

So basically Schneier’s argument is that it doesn’t matter how good quantum crypto is. Quality of crypto simply isn’t the bottleneck in providing real-world security, not by a long shot. He’s right about that: crypto is important, but crypto research is only a small part of the security field.

Quantum crypto is definitely cool, but Schneier is right not to take it seriously at this point in time.

(1) It requires a physical infrastructure. There’s simply no chance we will deploy such an infrastructure on an internet-wide basis any time in the foreseeable future. (I’ll be surprised if it happens in our lifetimes, and shocked if it happens in 25 years.) In the absence of end-to-end quantum crypto, there’s going to have to be some classical crypto used too. If you have to rely on that, then there’s no extra security benefit from the quantum parts.

This doesn’t rule out the possibility of special-purpose uses of quantum crypto on small, high-security networks. We may well see that in coming decades, although I haven’t yet seen any compelling security argument for it. (All implementations so far are publicity stunts. If you don’t have armed guards and serious background investigations for employees, then you don’t yet need to worry about quantum crypto.)

(2) The “provable” security of quantum crypto may not be real in practice, for three reasons. One is that the proofs only work in an idealized mathematical model, and there may be subtle physics effects not captured by undergraduate quantum mechanics. When you believe in the security of quantum crypto, you are counting on the belief that physicists will never discover anything that might break it. That may be true, but it is still an unjustified assumption.

Second, even if no new physics is discovered, the model may still not incorporate all possible attacks. For example, consider side-channel and timing attacks on classical crypto (which defeat some classical provable security models). People may come up with whole classes of attacks that were simply never imagined when the models were formulated.

Finally, the physical implementation may not perfectly match the model. It’s hard to build devices that operate 100% perfectly at the single-particle level, and any deviations from this may introduce weaknesses. The security proof is only as good as the implementation, and building physical devices perfectly is much harder even than writing perfect software.

So basically the current argument for quantum crypto is “if you deploy expensive infrastructure, we can prove that no attacks are possible.” However, the proofs just aren’t convincing enough (for real-world implementations) to make this anywhere near a compelling argument.

Quantum crypto is a wonderful research topic, and it may someday be very important, but that day is far in the future. Anybody who talks about how important it is now is either a very idealistic researcher or a quantum crypto salesperson. (And the existence of quantum crypto companies means little: the world is full of companies selling garbage crypto. Quantum crypto isn’t garbage, but the mere fact that someone wants to sell it doesn’t mean anyone should want to buy it.)

He doesn’t have to say that current algorithms will -never- be broken to make even the strong version of his argument that you presented. All he has to argue is that the probability of breaking current systems using current algorithms is no higher than the probability of breaking systems using quantum channels to send keys.

I would agree personally that that point, given the relative amounts of understanding of the systems and the scrutiny involved. is easy to say.

*Warning: conspiracy theory follows.* Perhaps Schneier is somehow associated with the so-called “Echelon” program…

I don’t think that one would count as “pretty good” in Schneier’s book. I’m with Kevin and Markk on this one.

It is not entirely clear to me how one gets “trust my blind faith in cryptography” from an essay which explicitly describes crypto using such phrases as “not based on much rigorous mathematical theory” and “as bad as it sometimes is”.

Or, shorter Quantum Pontiff: “This Schneier must be a total moron —

he dissedmyfield!”Cubist: if you had ever read anything I’ve actually done research on you would know I’ve never done anything on quantum cryptography.

Anonymous: I agree mostly with (1) but I might argue that the author of an article titled “Quantum Cryptography: As Awesome As It Is Pointless” forgets exactly how large the U.S. military is. What is the point of an article which doesn’t honestly say that there are clients who do require some obscene amounts of security?

As for (2), there are a few points. For your first objection, it really boils down to whether you trust physical security or mathematical security. The former has a host of experimental reasons for why you might believe in the security. The later has the fact that a lot of smart people have tried to crack it. Experimentally verifiable cryptography or mathematical lore, take your choice.

And of course there are all sorts of attacks that need to be taken into consideration. But I would note that the arguments for quantum cryptography are a lot more in line with the information theoretic security arguments of a one-time pad, than the vast majority of other techniques which rely on vast quantities of unproven complexity conjectures.

Anybody who talks about how important it is now is either a very idealistic researcher or a quantum crypto salespersonOr knows how to break our modern mathematical cryptosystems.

Obvious my sarcasm mode has failed. But where exactly do you draw the line? Where smart people have failed, apparently. That’s a lot of faith in computer science!

Alex do you offer a courier service?

Schneier has a point — but it’s badly presented. I have too much respect for Schneier to think that he really believes that current cryptosystems are effectively flawless and unbreakable. History calls shenanigans on that hypothesis.

The good point is that for

mostcommercial purposes, (a) RSA is good enough for the foreseeable future, and (b) the other points of weakness are so weak that trying to improve the cryptosystem is wasted effort. Furthermore, he’s correct that every highly publicized demo to date has been a stunt.This doesn’t justify relegating quantum crypto to the dustbin. There are customers who can and will secure their information chain enough that the cryptosystem is a genuinely relevant weak point. They tend to have unlimited budgets and extraordinary security needs.

Here’s an analogy. Bruce is saying, “Rocket technology is pointless. Nobody needs rockets. Cars and airplanes work just fine.” This is abundantly true… but also false. 99.99% of the world’s population has no need

whatsoeverfor rockets — but try telling Lockheed, Boeing, General Dynamics, or another U.S. defense contractor that there’s no market for rockets.Now, the problem that

doesworry me is that quantum computers (when built) break all known public key systems — which means they break digital signature / authentication protocols. AFAIK, quantum crypto offers no fix for that, whichisa big strike against it.Quantum crypto is useless.

It solves a non-problem – distribution of keys. All practical quantum encryption devices have bandwidth too small to be used to transmit actual data.

And it’s much easier to distribute key using a secure real-world channel. Like a flash card carried personally.

No, I do not run a courier service.

But I do work with crypto – my company produces a government-certified crypto library (I’m in Ukraine, BTW).

Quantum computing is neat, but why would you use it?

Backbone lines now are usually not encrypted _at_ _all_, mainly because encryption of multi-gigabit streams is not easy and cheap. And some kind of networks (like SONET) are not designed for transport-level encryption at all.

And if you’re building a special purpose highly-encrypted network (say, for military purposes) then it won’t be a big problem to securely deliver a key.

And the main problem: quantum encryption won’t help ME if my government forces my provider to install a ‘secret room’.

sez the Quantum Pontiff: “Cubist: if you had ever read anything I’ve actually done research on you would know I’ve never done anything on quantum cryptography.”

No, but you

dowork in quantum computing, a field whose current state is sufficiently rudimentary as to recall a once-famous comment on lasers: “a solution in search of a problem”. And quantum cryptography, to the extent I understand it, seems to be the subfield within quantum computing-in-general which is closest to being ‘ready for prime time’. Thus, it would hardly be implausible to presume that your negative reaction to Schneier’s essay might be due, at least partially, to personal pique — all the more so because your he-thinks-crypto-is-invulnerable schtick simplyis notanything you could reasonably have gotten from Scheier’s essay.Schneier wasn’t talking about the intrinsic worth of quantum crypto; he was, rather, talking about

current commercial valueof the tech. Okay?I should not be surprised by the emotional reactions to and against this story.

Cryptography has exerted a powerful grip on the imagination since well before Julius Caesar, as suggested above. It helped the US beat Japan in World War II. It helps protect us against terrorists and, to a lesser extent, helps protect terrorists against us.

It is at the heart of the Hackers versus Media mutual distruct. It is abused by governments against each other, and against the civil rights of indivduals.

The Math is really cool. At least since the 1950s when Finite Field Theory and Galois Theory became part of the armamentarium of code makers and code breakers. Caltech’s Professor Herbert Ryser, King of Combinatorics, helped push that transition into being.

There is hotblooded debate between SIGINT mathematical Cryptographers and old Human Intelligence Cryptosystems folks.

I have anonymously refereed at least one published paper on mathematical cryptography.

It can involve Semiprimes today, and I have many many contributions to the Online Encyclopedia of Integer Sequences about semiprimes.

And now we are in the era of Quantum Cryptography.

Aren’t we?

Schneier wasn’t talking about the intrinsic worth of quantum crypto; he was, rather, talking about current commercial value of the tech. Okay?Okay. And I’m saying his judgement on the current commercial value is wrong because it disregards the fact that there are customers for which Schneier’s reasoning is flawed.

Anonymous: I agree mostly with (1) but I might argue that the author of an article titled “Quantum Cryptography: As Awesome As It Is Pointless” forgets exactly how large the U.S. military is. What is the point of an article which doesn’t honestly say that there are clients who do require some obscene amounts of security?I don’t actually expect that the military will use much, if any, quantum crypto any time soon. It’s just not flexible enough: it currently requires a wired connection (which rules out planes and ships, units in the field, etc.), and it can’t protect stored data (so it doesn’t help the next time a spy plane is forced down in China). Most applications of classical crypto currently can’t be replaced by quantum crypto, and it’s not clear how much additional security you get by selectively replacing a tiny fraction of them.

I actually think one of the most likely real-world scenarios for quantum crypto is connecting major foreign embassies to their home governments. There were many times during the 20th century when diplomatic communications were intercepted and decrypted, and I’m sure it happens today. Of course, quantum computing would go only a small way towards solving the problem. (Your embassy may be bugged, your employees may be spies, the building next door probably contains every snooping device ever invented, etc.) However, it may be worthwhile for a rich country to deploy quantum crypto to a small number of important embassies, just in case it helps.

Incidentally, there’s another issue that may seriously limit the widespread deployment of quantum crypto. Where will the machines come from? Big countries may build their own, but small countries, corporations, etc. will have to buy them from someone. That introduces the fear that the company supplying the devices may be compromised. (Crypto AG is a famous purported example of this. People thought they could trust it because it was an independent Swiss company with a long history, but allegations have been made that some employees secretly cooperated with the US to rig their devices. Regardless of whether this is true, I’m sure the possibility worries anyone who has to rely on a physical device produced by a third party.) Classical crypto machines have the same issue, but software can be more transparent.

It’s just not flexible enough: it currently requires a wired connection (which rules out planes and ships, units in the field, etc.)More likely the requirement is line of site to a satellite, I’d think. Still a limitation though.

Some people will use one more layer because not doing so could be a reason they’ll lose a war. (Then again using the extra layer could also be the reason they lose the war because that extra layer cost too much.)

For your first objection, it really boils down to whether you trust physical security or mathematical security. The former has a host of experimental reasons for why you might believe in the security. The later has the fact that a lot of smart people have tried to crack it. Experimentally verifiable cryptography or mathematical lore, take your choice.The problem is that neither physical nor mathematical security actually means all that much in the real world. In practice, many supposedly secure systems turn out to be vulnerable to attacks that circumvent the assumed model or take advantage of tiny implementation flaws. (And this is not even counting non-cryptographic security weaknesses, which are a dime a dozen.) No matter how incredibly iron-clad the security proof seems, there’s a substantial chance a real-world implementation will be broken.

This isn’t to say security proofs are useless: they tell us a lot. However, they are mainly of theoretical value, and they only go so far in practical cryptography.

And of course there are all sorts of attacks that need to be taken into consideration. But I would note that the arguments for quantum cryptography are a lot more in line with the information theoretic security arguments of a one-time pad, than the vast majority of other techniques which rely on vast quantities of unproven complexity conjectures.That’s true, and it’s what makes quantum crypto appealing. However, even one-time pads are pretty nasty objects in some ways. They depend on vast quantities of perfect randomness, which is not easily available. The best you can do is probably to use a radioactive source as an entropy generator, but that requires careful thought and processing to turn the output into independent random bits. It’s easy to screw things up and end up with a key that’s not quite as perfect as you had hoped.

Incidentally, one of the highest-profile applications of one-time pads was by Soviet spies in the US. In the 1940’s the USSR slightly messed up the key generation and the US government was able to break a few messages (this was the Venona project).

So even thought everybody knows what not to do when using a one-time pad, and it is guaranteed to be unbreakable if you don’t mess up, it’s not easy to do it perfectly. Overall, key generation is one of the biggest weaknesses in most crypto applications. As a general rule, the more key material you have to generate, the riskier it is.

In any case, I don’t mean any of this as criticism of quantum crypto. It’s a beautiful idea, and it may someday be important in practice. However, in practice the hypothetical weaknesses of standard cryptography are a minor concern for real-world security. They’re an issue, but there are much bigger issues that just can’t be addressed by new cryptosystems.

So?

There would be customers for ANYTHING, including complete 100% snake-oil products.

Hell, I’m tired of telling my customers that it’s not possible to somehow make their software to decrypt files without entering a key.

I honestly do not there quantum encryption could be really useful. Bur of course, some people will use it as one more layer of security “just in case”.

More likely quantum encryption will give a false sense of security (it’s PROVEN that quantum encryption is unbreakable, right?).

Until one day adversary performs a man-in-the-middle attack.

Worrying about the math should be left to the elite few who can actually do stuff with it.Until they come for you or steal your identity this sounds like a fine and dandy plan.

Until one day adversary performs a man-in-the-middle attack.Nice to make your acquaintance Mr. Strawman! Quantum cryptography, of course, should more properly be called “quantum key amplification.”

Remember, Schneier has worked extensively on both the practical and the mathematical side of cryptography. Guess which side he’s seen fail the most?

He’s writing for a general audience. The concern of managers and IT personnel should be the proper implementation of cryptography and the proper oversight of the human factor in the security model. Worrying about the math should be left to the elite few who can actually do stuff with it. Everyone else should assume that the math holds — because it does — and engineer based on it.

> Until one day adversary performs a man-in-the-middle attack.

That’s the idea, doing so is impossible.

Except for the fact that most key distribution schemes rely on assumptions about the difficulty of different computational tasks not on upon how we currently think the laws of physics works.

B-con:

See? You’ve also fallen for it. Quantum encryption is susceptible to _active_ man-in-the-middle attack. It’s not possible to _passively_ eavesdrop it.

“Nice to make your acquaintance Mr. Strawman! Quantum cryptography, of course, should more properly be called “quantum key amplification.””

Where do you see a strawman? I was pointing out that a lot of people can (and will) be lulled by a false sense of security.

Also, if you have a pre-shared classic key then quantum encryption won’t help you if adversary knows it and decides to perform man-in-the-middle attack during quantum key negotiation. In this sense qunatum encryption is not really different from other key distribution schemes.

In practice, a good implementation of symmetric crypto is unbreakable. Schneier estimates that it’ll take about one supernova’s explosion of energy to brute-force a 220-bit key.

So 256 bit keys are safe. You’ll need implausibly good cryptographic attack to lower complexity of its brute-force by about 2^180 times.

But that’s all moot since you’re using quantum encryption only to negotiate a symmetric key.

“You’ll need implausibly good cryptographic attack to lower complexity of its brute-force by about 2^180 times.”

Only a factor of 2^22 to go beyond a naive quantum algorithm.

AFAIR my quantum computing classes, quantum code breaking gives square speedup compared to classical algorithm (i.e. you’ll get 2^128 variants to brute-force instead of 2^256).

But that can be defeated by using 512-bit keys (defeat brute-force by brute-force ðŸ™‚ ). It’s way too much overkill for modern encryption, but is perfectly doable.