First of all, I'm sure you know more about this than me, but allow me to reply ...
On Wed, Apr 21, 2010 at 11:19 PM, Perry E. Metzger <pe...@piermont.com> wrote:
> > Useless now maybe, but it's preparing for a world where RSA is broken
> > (i.e. quantum computers) and it doesn't require quantum computers; so
> > it's quite practical, in that sense.
>
> No, it isn't. QKD is useless three different ways.
>
> First, AES and other such systems are fine, and the way people break
> reasonably designed security systems (i.e. not WEP or what have you) is
> not by attacking the crypto.

I didn't say AES, I said RSA. Specifically I was referring to Shor's factoring algorithm on quantum computers:

http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.47.3862

> Second, you can't use QKD on a computer network. It is strictly point to
> point. Want 200 nodes to talk to each other? Then you need 40,000
> fibers, without repeaters, in between the nodes, each with a $10,000 or
> more piece of equipment at each of the endpoints, for a total cost of
> hundreds of millions of dollars to do a task ethernet would do for a
> couple thousand dollars.

Sure, now. That's the point of research though; to find more efficient ways of doing things. If you stopped working on anything that seemed initially too hard or unpractical I don't think we'd get anywhere.

> Third, QKD provides no real security because there is no actual
> authentication. If someone wants to play man in the middle, nothing
> stops them. If someone wants to cut the fiber and speak QKD to one
> endpoint, telling it false information, nothing stops them. You can
> speak the QKD protocol to both endpoints and no one will be the
> wiser. So, you need some way of providing privacy and
> authentication... perhaps a conventional cryptosystem.

I agree this is an issue, and from my reading it doesn't seem completely resolved, but again I think it's reasonable to continue researching into solutions.

Important, however, is that if a classical system is used to do authentication, then the resulting QKD stream is *stronger* than the classically-encrypted scheme.

> So, what did QKD
> provide you with again?
>
> There is no point to QKD at all.

I disagree.

> Perry
> --
> Perry E. Metzger pe...@piermont.com

--
silky

http://www.programmingbranch.com/
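
Added example, not part of the original message or thread: a toy simulation of the authentication point debated above, contrasting a tap on the quantum channel (which shows up as errors) with a party that terminates both links while the classical channel is unauthenticated (which shows up as nothing). It assumes a BB84-style protocol on an idealised noiseless channel, since the message only says "QKD"; all function names are hypothetical.

```python
import random

def bb84(n, rng, tap=False):
    """One BB84-style run between two directly connected parties.
    Returns (sender_key, receiver_key) after basis sifting.
    tap=True models intercept-resend on the quantum channel only."""
    a_key, b_key = [], []
    for _ in range(n):
        bit, a_basis = rng.getrandbits(1), rng.getrandbits(1)
        state_bit, state_basis = bit, a_basis
        if tap:
            # The tap measures in a random basis and resends what it saw.
            e_basis = rng.getrandbits(1)
            if e_basis != state_basis:
                state_bit = rng.getrandbits(1)  # wrong basis: random outcome
            state_basis = e_basis
        b_basis = rng.getrandbits(1)
        measured = state_bit if b_basis == state_basis else rng.getrandbits(1)
        if b_basis == a_basis:  # sifting: keep only matching-basis rounds
            a_key.append(bit)
            b_key.append(measured)
    return a_key, b_key

def qber(k1, k2):
    """Fraction of sifted bits on which the two parties disagree."""
    return sum(x != y for x, y in zip(k1, k2)) / len(k1)

def intercept_resend_qber(n=4000, seed=1):
    """Error rate the endpoints observe when only the photons are tapped."""
    return qber(*bb84(n, random.Random(seed), tap=True))

def full_mitm(n=4000, seed=2):
    """A middle party runs one honest session with each endpoint.
    Sifting and error estimation travel over an unauthenticated classical
    channel, so each endpoint is really comparing notes with the middle."""
    rng = random.Random(seed)
    alice_key, middle_a = bb84(n, rng)
    middle_b, bob_key = bb84(n, rng)
    return qber(alice_key, middle_a), qber(middle_b, bob_key), alice_key == bob_key

if __name__ == "__main__":
    print("tap only, observed QBER:", intercept_resend_qber())
    print("both links terminated (QBER A, QBER B, same key):", full_mitm())
```

The tap alone produces an error rate near 25%, which the endpoints can detect; terminating both links produces zero errors on each side and two unrelated keys, which is why the classical channel has to be authenticated by some other means.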