Re: [Cfrg] QKD is pointless (was: Re: considering new topics for CFRG)
Watson Ladd <watsonbladd@gmail.com> Wed, 08 January 2014 18:18 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B57A91AE073 for <cfrg@ietfa.amsl.com>; Wed, 8 Jan 2014 10:18:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UwimnenTqdQ8 for <cfrg@ietfa.amsl.com>; Wed, 8 Jan 2014 10:18:43 -0800 (PST)
Received: from mail-wi0-x22a.google.com (mail-wi0-x22a.google.com [IPv6:2a00:1450:400c:c05::22a]) by ietfa.amsl.com (Postfix) with ESMTP id A53F41AE04F for <cfrg@irtf.org>; Wed, 8 Jan 2014 10:18:42 -0800 (PST)
Received: by mail-wi0-f170.google.com with SMTP id hq4so5709297wib.1 for <cfrg@irtf.org>; Wed, 08 Jan 2014 10:18:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=LtwP55Ap/9tHbVHkg0IkVPQp+d24JVXBNl7xRBYvx5Q=; b=taaYGVcSbrt9Qy7kgDjSaoh8WLoW7OPFi21We3owCA0McoZj5A3K421PKwvX1/n9oF 4fKh0IGZDyUSLo/V95uUmi1CUqmRSwc5vei7NaPIYY6ZLBXmZRTWFcLGb7iS5Yify96o H/Rf4DBKiUSxw7ZZhgcWaE7CqxClvAO1CgDhQ+dqGvCLtSGj7MMwb9OEY65DEoHtKCxf W9BTe1gxLV7U3LQf8Aq01bq1PYABoXr0y9iBdJKzL7V7pgbG1WLlgFdNVyRqcBiGzVDt BnPHOiYXNIZBZ6M+/ndQW3dCSZTNaA6ljGvkJjZqqKWvS0AhICAH6kkl2KC3uif118Oq yIqg==
MIME-Version: 1.0
X-Received: by 10.180.90.230 with SMTP id bz6mr22852417wib.17.1389205112941; Wed, 08 Jan 2014 10:18:32 -0800 (PST)
Received: by 10.194.242.131 with HTTP; Wed, 8 Jan 2014 10:18:32 -0800 (PST)
In-Reply-To: <3C4AAD4B5304AB44A6BA85173B4675CABA9A1129@MSMR-GH1-UEA03.corp.nsa.gov>
References: <52C755AA.70200@cisco.com> <33E0BF53-A331-4646-B080-FD4F6E13916E@ieca.com> <52CD314B.2000604@cisco.com> <3C4AAD4B5304AB44A6BA85173B4675CABA9A1129@MSMR-GH1-UEA03.corp.nsa.gov>
Date: Wed, 08 Jan 2014 10:18:32 -0800
Message-ID: <CACsn0c=-RN5mieULefK+pwPLJK0Ztv52_anjm3a_4a1sFUHzOg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "Igoe, Kevin M." <kmigoe@nsa.gov>
Content-Type: text/plain; charset="UTF-8"
Cc: Sean Turner <TurnerS@ieca.com>, David McGrew <mcgrew@cisco.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] QKD is pointless (was: Re: considering new topics for CFRG)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jan 2014 18:18:45 -0000
On Wed, Jan 8, 2014 at 10:06 AM, Igoe, Kevin M. <kmigoe@nsa.gov> wrote: > We really need to make sure at least some of the mailing list > has some expertise in a given area before we commit ourselves > to working in that area, and anything with "quantum" in the name > requires expertise I expect very few (if any) of the maining list > possess. I suggest before committing to a topic we poll the > mailing list to see who has both expertise on a given topic and > an employer who is willing to donate the time and resources > needed to follow through. My job is simple: do math. Granted, there is some other math/coding I should be doing at the moment, but I certainly can devote resources to this. What does Post-Quantum Crypto require beyond some coding theory for McEliece-Nedermeyer and some algebraic geometry for Multivariate-Quadratic systems? QKD is a different kettle of fish. > > >> -----Original Message----- >> From: David McGrew [mailto:mcgrew@cisco.com] >> Sent: Wednesday, January 08, 2014 6:07 AM >> To: Sean Turner >> Cc: Igoe, Kevin M.; cfrg@irtf.org >> Subject: QKD is pointless (was: Re: considering new topics for CFRG) >> >> Hi Sean, >> >> On 01/08/2014 12:26 AM, Sean Turner wrote: >> > My list is kind of short: >> >> thanks for sharing your top of mind list, it will help us to prioritize >> work. >> >> > >> > 0) Could the CFRG get behind these recommendations for RSA-OAEP/PSS >> or not: >> > http://www.ietf.org/mail-archive/web/saag/current/msg04481.html >> > http://www.ietf.org/mail-archive/web/saag/current/msg04482.html >> > >> > If so, let's do a draft! >> > >> > 1) Assuming RSA goes kaput, it seems like we're moving towards EC (am >> I wrong here) then are these EC-based documents worth saying more about >> (e.g., in the next version of the protocol use this or run away in >> fear): >> > https://datatracker.ietf.org/doc/rfc6979/ >> > https://datatracker.ietf.org/doc/draft-peck-ecdhpop/ >> > https://datatracker.ietf.org/doc/draft-jivsov-ecc-compact/ >> > >> > 2) Is QKD something we need to start considering: >> > http://tools.ietf.org/id/draft-nagayama-ipsecme-ipsec-with-qkd-00.txt >> > http://tools.ietf.org/id/draft-ghernaouti-sfaxi-ppp-qkd-00.txt >> >> #0 and #1 are well worth discussion. For now, I will only comment on >> #2. >> >> Quantum Key Distribution does not provide a solution to any problem >> that we have at hand, and is not worthy of serious consideration for >> extensive use in the Internet. >> >> The one benefit of QKD is that it does not rely on any computational >> assumptions for security. However, it relies on physical assumptions >> for its security; that is, it can be attacked at the physical layer. >> This is a terrible tradeoff, since physical attacks are possible at any >> point between the encrypter and decrypter. In addition, QKD requires >> large amounts of raw entropy, and entropy generation is a harder >> problem >> in the real world than pseudorandomnes. (In other words: a QKD system >> could use AES-CTR to generate the large amounts of unpredictable >> elements that it needs, but if we trust AES-CTR, why not just use that >> algorithm directly to encrypt traffic?) >> >> QKD relies on point-to-point secret keys, and it is inherently and very >> severely limited in what data rates and ranges that it can support. >> The claimed speed record the last time that I checked was one megabit >> per second at 20 KM range. Using that technology, we need 10,000 >> repeaters to get global scale communication. This would require the >> pre-placement to 9,999 shared secrets between pairs of repeaters along >> the communication path, and it would require that infrastructure to be >> trusted. There are theoretical designs for repeaters that would not >> need to be trusted, >> >> The idea of "hybrid QKD", in which QKD is used to distribute keys for a >> conventional symmetric cryptosystem like AES, is a seriously bad idea. >> It suffers from the physical layer vulnerabilities of QKD as well as >> whatever vulnerabilities the symmetric cryptosystem has. It is *more* >> vulnerable than a conventional symmetric system that uses the same >> cipher for both traffic encryption and key distribution. >> >> QKD relies on the point to point transmission of individual photons, >> and thus is inherently incompatible with wireless technologies such as >> 4G >> and 802.11. The photons used in WiFi have 100,000 times less energy >> than those used in the fibre optic links of QKD, and WiFi is not >> geometrically point to point. So even if QKD didn't suffer from the >> problems described above, it would not be able to help the > 6 billion >> cellular wireless subscribers, or the vast number of WiFi users. >> >> QKD is inherently unsuited for all of the important trends in >> information technology, including the "bring your own device" trend, >> Could, virtualization, and collaboration. >> >> I gave an invited talk at the 2012 HP Information Security Colloquium >> Royal Holloway with the title "The Vernam cipher is better than quantum >> key distribution", which presented an analysis that backs up the claim >> in the title. The important observation here is that the classical >> Vernam cipher, in which a long one-time pad is copied onto a portable >> storage medium then used for information-theoretically secure >> communication, is quantifiably better than QKD. Vernam does not have >> any physical-layer vulnerabilities, it does not have any range >> limitations, and it can be used over wireless. Its data rate will >> depend on how frequently new pad material can be transported by a >> trusted physical courier, but given the low data rates of QKD, a >> courier >> need not travel that often to match its data rate. The important >> inference is: if we were actually concerned about the possibility that >> all symmetric ciphers could be vulnerable to cryptanalysis, then we >> would be pursuing Vernam-type information theoretic secure systems, and >> not QKD. The reality is that there is no such concern, and interest >> in >> QKD is driven by its novelty, and not by any logical consideration of >> what would be useful in information security. >> >> My talk isn't online (just mentioned but not archived >> http://bristolcrypto.blogspot.com/2012_12_01_archive.html) If we need >> to get these points understood more widely, we could publish something >> on it. >> >> David >> >> > >> > spt > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > http://www.irtf.org/mailman/listinfo/cfrg -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
- Re: [Cfrg] considering new topics for CFRG David McGrew
- Re: [Cfrg] considering new topics for CFRG David McGrew
- Re: [Cfrg] considering new topics for CFRG Trevor Perrin
- [Cfrg] considering new topics for CFRG David McGrew
- Re: [Cfrg] considering new topics for CFRG Sean Turner
- Re: [Cfrg] considering new topics for CFRG Henrick Hellström
- Re: [Cfrg] considering new topics for CFRG David Wagner
- Re: [Cfrg] considering new topics for CFRG Henrick Hellström
- Re: [Cfrg] considering new topics for CFRG Henrick Hellström
- Re: [Cfrg] considering new topics for CFRG Paul Lambert
- Re: [Cfrg] considering new topics for CFRG David McGrew
- Re: [Cfrg] considering new topics for CFRG Paul Lambert
- Re: [Cfrg] considering new topics for CFRG Stephen Farrell
- Re: [Cfrg] considering new topics for CFRG William Whyte
- Re: [Cfrg] considering new topics for CFRG Stephen Farrell
- Re: [Cfrg] considering new topics for CFRG Watson Ladd
- Re: [Cfrg] considering new topics for CFRG Paul Lambert
- Re: [Cfrg] considering new topics for CFRG Dan Brown
- Re: [Cfrg] considering new topics for CFRG Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] considering new topics for CFRG Paul Lambert
- Re: [Cfrg] considering new topics for CFRG William Whyte
- Re: [Cfrg] considering new topics for CFRG Max Pritikin (pritikin)
- Re: [Cfrg] considering new topics for CFRG Watson Ladd
- Re: [Cfrg] considering new topics for CFRG Sean Turner
- Re: [Cfrg] considering new topics for CFRG Sean Turner
- Re: [Cfrg] considering new topics for CFRG Adam Back
- [Cfrg] QKD is pointless (was: Re: considering new… David McGrew
- Re: [Cfrg] considering new topics for CFRG Stephen Farrell
- Re: [Cfrg] QKD is pointless (was: Re: considering… Paterson, Kenny
- Re: [Cfrg] QKD is pointless (was: Re: considering… Sean Turner
- Re: [Cfrg] considering new topics for CFRG Sean Turner
- Re: [Cfrg] considering new topics for CFRG Max Pritikin (pritikin)
- Re: [Cfrg] considering new topics for CFRG Dan Brown
- Re: [Cfrg] considering new topics for CFRG Paul Lambert
- Re: [Cfrg] QKD is pointless (was: Re: considering… Igoe, Kevin M.
- Re: [Cfrg] QKD is pointless (was: Re: considering… Igoe, Kevin M.
- Re: [Cfrg] QKD is pointless (was: Re: considering… Watson Ladd
- [Cfrg] DANE in the IETF (was: Re: considering new… Paul Hoffman
- [Cfrg] One Key -> RE: considering new topics for … Paul Lambert
- Re: [Cfrg] QKD is pointless (was: Re: considering… Paul Lambert
- [Cfrg] ReL DANE in the IETF (was: Re: considering… Paul Hoffman
- Re: [Cfrg] QKD is pointless David McGrew
- Re: [Cfrg] QKD is pointless Hilarie Orman
- [Cfrg] likelihood that someone has a quantum comp… David McGrew
- Re: [Cfrg] considering new topics for CFRG dan
- Re: [Cfrg] likelihood that someone has a quantum … David Jacobson
- Re: [Cfrg] likelihood that someone has a quantum … William Whyte
- Re: [Cfrg] likelihood that someone has a quantum … Watson Ladd
- Re: [Cfrg] likelihood that someone has a quantum … Yoav Nir
- Re: [Cfrg] likelihood that someone has a quantum … Stephen Farrell
- Re: [Cfrg] likelihood that someone has a quantum … William Whyte
- Re: [Cfrg] likelihood that someone has a quantum … David McGrew
- Re: [Cfrg] likelihood that someone has a quantum … David McGrew
- Re: [Cfrg] likelihood that someone has a quantum … William Whyte
- Re: [Cfrg] likelihood that someone has a quantum … arne renkema-padmos
- Re: [Cfrg] likelihood that someone has a quantum … Igoe, Kevin M.
- Re: [Cfrg] QKD is pointless David Wagner
- Re: [Cfrg] likelihood that someone has a quantum … William Whyte
- Re: [Cfrg] likelihood that someone has a quantum … William Whyte
- Re: [Cfrg] likelihood that someone has a quantum … William Whyte
- Re: [Cfrg] likelihood that someone has a quantum … David McGrew
- Re: [Cfrg] likelihood that someone has a quantum … arne renkema-padmos
- Re: [Cfrg] considering new topics for CFRG Paul Lambert
- Re: [Cfrg] considering new topics for CFRG Igoe, Kevin M.
- Re: [Cfrg] considering new topics for CFRG Paul Lambert
- Re: [Cfrg] considering new topics for CFRG David McGrew
- [Cfrg] 'key centric' architecture (was: Re: consi… Rene Struik
- Re: [Cfrg] 'key centric' architecture (was: Re: c… Richard Barnes
- Re: [Cfrg] considering new topics for CFRG David McGrew