more on ARMSTRONG LECTURE on Quantum Crypto and Optical Networks (Forwarded)]

[David Farber <dave () farber net>]

Begin forwarded message:

From: Rod Van Meter <rdv () tera ics keio ac jp>
Date: September 19, 2005 7:25:19 PM EDT
To: Joe Touch <touch () ISI EDU>, dave () farber net
Cc: smb () cs columbia edu, David Wagner <daw () cs berkeley edu>
Subject: Re: [Fwd: Re: [IP] ARMSTRONG LECTURE on Quantum Crypto and  
Optical Networks (Forwarded)]
Reply-To: rdv () tera ics keio ac jp


[Dave, for IP, if you wish...]

I generally agree with Dave Wagner's response, but a few thoughts...

The physicists are indeed working on quantum repeaters, capable of doing
QKD over long distances.  The trouble is, you have to trust every one of
the repeaters.

I wouldn't phrase the "fiber security" issue quite the same way.  As
others have said, what you need is access to an authenticated channel,
then you're set (but that's a non-trivial problem!).  It's important to
note that a) QKD does NOT solve what Shor's factoring algorithm broke,
and b) key exchange/distribution is not the biggest security problem we
have on the net (it might not even make the top ten).

The one possibly interesting use of QKD is for the super-paranoid: those
who believe their traffic is being snooped today, and don't want it
decrypted fifty years from now when theoretical and technological
advances render all classical cryptography breakable (!?!).

But in order for that to work, you have to use the QKD-generated random
bit string as a one-time pad, not just a seed or key for classical
encryption.  That means you need very high QKD bit-generation rates, and
most are still in the kilobits/second.  Some experiments have been done
in the low megabits/sec., but that's pre-filtering, I believe, which
costs you at least one order of magnitude in performance.

If you do it right, then, authentication that is good enough TODAY, plus
QKD to generate a random one-time pad, can make your data secure FOREVER
(modulo breakins/breakdowns at the endpoints).  Even if your
authentication is broken later, since it's not used in the actual data
exchange, the attacker gains no data.  This is covered in Paterson et
al.'s paper.

I arrived at the party a little late to get in on the recent thread at
Dave Bacon's Quantum Pontiff blog, but I did throw in my two cents
anyway:

http://dabacon.org/pontiff/?p=1049#comments

Dave's blog is an excellent source for current news and gossip, and is
read (and commented on) by many of the best names in the biz.

btw, Steve, not sure if you're aware of it or not, but Al Aho's student
Krysta Svore is doing quantum stuff for her thesis.  She just spent a
year in Cambridge working with Ike Chuang, but is back at Columbia, I
understand.  She's pretty sharp.

        --Rod




-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/