Re: [Cfrg] QKD is pointless (was: Re: considering new topics for CFRG)

"Igoe, Kevin M." <> Wed, 08 January 2014 18:06 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 067FC1AE04F for <>; Wed, 8 Jan 2014 10:06:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -7.438
X-Spam-Status: No, score=-7.438 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.538] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id MobB36-VYV84 for <>; Wed, 8 Jan 2014 10:06:50 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 704961ADFCA for <>; Wed, 8 Jan 2014 10:06:50 -0800 (PST)
X-TM-IMSS-Message-ID: <>
Received: from ([]) by ([]) with ESMTP (TREND IMSS SMTP Service 7.1; TLSv1/SSLv3 AES128-SHA (128/128)) id 5bc08a270000efbc ; Wed, 8 Jan 2014 13:06:50 -0500
Received: from ( by ( with Microsoft SMTP Server (TLS) id 14.2.342.3; Wed, 8 Jan 2014 13:06:37 -0500
Received: from ([]) by ([]) with mapi id 14.01.0289.001; Wed, 8 Jan 2014 13:06:37 -0500
From: "Igoe, Kevin M." <>
To: 'David McGrew' <>, Sean Turner <>
Thread-Topic: QKD is pointless (was: Re: considering new topics for CFRG)
Thread-Index: AQHPDGG93i3ZBM+NS0KqToyzCB9/tpp7HkTg
Date: Wed, 08 Jan 2014 18:06:37 +0000
Message-ID: <>
References: <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "" <>
Subject: Re: [Cfrg] QKD is pointless (was: Re: considering new topics for CFRG)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 08 Jan 2014 18:06:56 -0000

We really need to make sure at least some of the mailing list
has some expertise in a given area before we commit ourselves
to working in that area, and anything with "quantum" in the name
requires expertise I expect very few (if any) of the maining list
possess.  I suggest before committing to a topic we poll the
mailing list to see who has both expertise on a given topic and 
an employer who is willing to donate the time and resources 
needed to follow through.

> -----Original Message-----
> From: David McGrew []
> Sent: Wednesday, January 08, 2014 6:07 AM
> To: Sean Turner
> Cc: Igoe, Kevin M.;
> Subject: QKD is pointless (was: Re: considering new topics for CFRG)
> Hi Sean,
> On 01/08/2014 12:26 AM, Sean Turner wrote:
> > My list is kind of short:
> thanks for sharing your top of mind list, it will help us to prioritize
> work.
> >
> > 0) Could the CFRG get behind these recommendations for RSA-OAEP/PSS
> or not:
> >
> >
> >
> > If so, let's do a draft!
> >
> > 1) Assuming RSA goes kaput, it seems like we're moving towards EC (am
> I wrong here) then are these EC-based documents worth saying more about
> (e.g., in the next version of the protocol use this or run away in
> fear):
> >
> >
> >
> >
> > 2) Is QKD something we need to start considering:
> >
> >
> #0 and #1 are well worth discussion.   For now, I will only comment on
> #2.
> Quantum Key Distribution does not provide a solution to any problem
> that we have at hand, and is not worthy of serious consideration for
> extensive use in the Internet.
> The one benefit of QKD is that it does not rely on any computational
> assumptions for security.   However, it relies on physical assumptions
> for its security; that is, it can be attacked at the physical layer.
> This is a terrible tradeoff, since physical attacks are possible at any
> point between the encrypter and decrypter.   In addition, QKD requires
> large amounts of raw entropy, and entropy generation is a harder
> problem
> in the real world than pseudorandomnes.   (In other words: a QKD system
> could use AES-CTR to generate the large amounts of unpredictable
> elements that it needs, but if we trust AES-CTR, why not just use that
> algorithm directly to encrypt traffic?)
> QKD relies on point-to-point secret keys, and it is inherently and very
> severely limited in what data rates and ranges that it can support.
> The claimed speed record the last time that I checked was one megabit
> per second at 20 KM range.   Using that technology, we need 10,000
> repeaters to get global scale communication.   This would require the
> pre-placement to 9,999 shared secrets between pairs of repeaters along
> the communication path, and it would require that infrastructure to be
> trusted.  There are theoretical designs for repeaters that would not
> need to be trusted,
> The idea of "hybrid QKD", in which QKD is used to distribute keys for a
> conventional symmetric cryptosystem like AES, is a seriously bad idea.
> It suffers from the physical layer vulnerabilities of QKD as well as
> whatever vulnerabilities the symmetric cryptosystem has.   It is *more*
> vulnerable than a conventional symmetric system that uses the same
> cipher for both traffic encryption and key distribution.
> QKD relies on the point to point transmission of individual photons,
> and thus is inherently incompatible with wireless technologies such as
> 4G
> and 802.11.   The photons used in WiFi have 100,000 times less energy
> than those used in the fibre optic links of QKD, and WiFi is not
> geometrically point to point.   So even if QKD didn't suffer from the
> problems described above, it would not be able to help the > 6 billion
> cellular wireless subscribers, or the vast number of WiFi users.
> QKD is inherently unsuited for all of the important trends in
> information technology, including the "bring your own device" trend,
> Could, virtualization, and collaboration.
> I gave an invited talk at the 2012 HP Information Security Colloquium
> Royal Holloway with the title "The Vernam cipher is better than quantum
> key distribution", which presented an analysis that backs up the claim
> in the title.   The important observation here is that the classical
> Vernam cipher, in which a long one-time pad is copied onto a portable
> storage medium then used for information-theoretically secure
> communication, is quantifiably better than QKD.   Vernam does not have
> any physical-layer vulnerabilities, it does not have any range
> limitations, and it can be used over wireless.   Its data rate will
> depend on how frequently new pad material can be transported by a
> trusted physical courier, but given the low data rates of QKD, a
> courier
> need not travel that often to match its data rate.   The important
> inference is: if we were actually concerned about the possibility that
> all symmetric ciphers could be vulnerable to cryptanalysis, then we
> would be pursuing Vernam-type information theoretic secure systems, and
> not QKD.   The reality is that there is no such concern, and interest
> in
> QKD is driven by its novelty, and not by any logical consideration of
> what would be useful in information security.
> My talk isn't online (just mentioned but not archived
>   If we need
> to get these points understood more widely, we could publish something
> on it.
> David
> >
> > spt