Re: [Cfrg] QKD is pointless (was: Re: considering new topics for CFRG)

Watson Ladd <> Wed, 08 January 2014 18:18 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id B57A91AE073 for <>; Wed, 8 Jan 2014 10:18:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id UwimnenTqdQ8 for <>; Wed, 8 Jan 2014 10:18:43 -0800 (PST)
Received: from ( [IPv6:2a00:1450:400c:c05::22a]) by (Postfix) with ESMTP id A53F41AE04F for <>; Wed, 8 Jan 2014 10:18:42 -0800 (PST)
Received: by with SMTP id hq4so5709297wib.1 for <>; Wed, 08 Jan 2014 10:18:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=LtwP55Ap/9tHbVHkg0IkVPQp+d24JVXBNl7xRBYvx5Q=; b=taaYGVcSbrt9Qy7kgDjSaoh8WLoW7OPFi21We3owCA0McoZj5A3K421PKwvX1/n9oF 4fKh0IGZDyUSLo/V95uUmi1CUqmRSwc5vei7NaPIYY6ZLBXmZRTWFcLGb7iS5Yify96o H/Rf4DBKiUSxw7ZZhgcWaE7CqxClvAO1CgDhQ+dqGvCLtSGj7MMwb9OEY65DEoHtKCxf W9BTe1gxLV7U3LQf8Aq01bq1PYABoXr0y9iBdJKzL7V7pgbG1WLlgFdNVyRqcBiGzVDt BnPHOiYXNIZBZ6M+/ndQW3dCSZTNaA6ljGvkJjZqqKWvS0AhICAH6kkl2KC3uif118Oq yIqg==
MIME-Version: 1.0
X-Received: by with SMTP id bz6mr22852417wib.17.1389205112941; Wed, 08 Jan 2014 10:18:32 -0800 (PST)
Received: by with HTTP; Wed, 8 Jan 2014 10:18:32 -0800 (PST)
In-Reply-To: <>
References: <> <> <> <>
Date: Wed, 08 Jan 2014 10:18:32 -0800
Message-ID: <>
From: Watson Ladd <>
To: "Igoe, Kevin M." <>
Content-Type: text/plain; charset="UTF-8"
Cc: Sean Turner <>, David McGrew <>, "" <>
Subject: Re: [Cfrg] QKD is pointless (was: Re: considering new topics for CFRG)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 08 Jan 2014 18:18:45 -0000

On Wed, Jan 8, 2014 at 10:06 AM, Igoe, Kevin M. <> wrote:
> We really need to make sure at least some of the mailing list
> has some expertise in a given area before we commit ourselves
> to working in that area, and anything with "quantum" in the name
> requires expertise I expect very few (if any) of the maining list
> possess.  I suggest before committing to a topic we poll the
> mailing list to see who has both expertise on a given topic and
> an employer who is willing to donate the time and resources
> needed to follow through.

My job is simple: do math. Granted, there is some other math/coding I
should be doing at the moment,
but I certainly can devote resources to this.
What does Post-Quantum Crypto require beyond some coding theory for
McEliece-Nedermeyer and some
algebraic geometry for Multivariate-Quadratic systems?

QKD is a different kettle of fish.

>> -----Original Message-----
>> From: David McGrew []
>> Sent: Wednesday, January 08, 2014 6:07 AM
>> To: Sean Turner
>> Cc: Igoe, Kevin M.;
>> Subject: QKD is pointless (was: Re: considering new topics for CFRG)
>> Hi Sean,
>> On 01/08/2014 12:26 AM, Sean Turner wrote:
>> > My list is kind of short:
>> thanks for sharing your top of mind list, it will help us to prioritize
>> work.
>> >
>> > 0) Could the CFRG get behind these recommendations for RSA-OAEP/PSS
>> or not:
>> >
>> >
>> >
>> > If so, let's do a draft!
>> >
>> > 1) Assuming RSA goes kaput, it seems like we're moving towards EC (am
>> I wrong here) then are these EC-based documents worth saying more about
>> (e.g., in the next version of the protocol use this or run away in
>> fear):
>> >
>> >
>> >
>> >
>> > 2) Is QKD something we need to start considering:
>> >
>> >
>> #0 and #1 are well worth discussion.   For now, I will only comment on
>> #2.
>> Quantum Key Distribution does not provide a solution to any problem
>> that we have at hand, and is not worthy of serious consideration for
>> extensive use in the Internet.
>> The one benefit of QKD is that it does not rely on any computational
>> assumptions for security.   However, it relies on physical assumptions
>> for its security; that is, it can be attacked at the physical layer.
>> This is a terrible tradeoff, since physical attacks are possible at any
>> point between the encrypter and decrypter.   In addition, QKD requires
>> large amounts of raw entropy, and entropy generation is a harder
>> problem
>> in the real world than pseudorandomnes.   (In other words: a QKD system
>> could use AES-CTR to generate the large amounts of unpredictable
>> elements that it needs, but if we trust AES-CTR, why not just use that
>> algorithm directly to encrypt traffic?)
>> QKD relies on point-to-point secret keys, and it is inherently and very
>> severely limited in what data rates and ranges that it can support.
>> The claimed speed record the last time that I checked was one megabit
>> per second at 20 KM range.   Using that technology, we need 10,000
>> repeaters to get global scale communication.   This would require the
>> pre-placement to 9,999 shared secrets between pairs of repeaters along
>> the communication path, and it would require that infrastructure to be
>> trusted.  There are theoretical designs for repeaters that would not
>> need to be trusted,
>> The idea of "hybrid QKD", in which QKD is used to distribute keys for a
>> conventional symmetric cryptosystem like AES, is a seriously bad idea.
>> It suffers from the physical layer vulnerabilities of QKD as well as
>> whatever vulnerabilities the symmetric cryptosystem has.   It is *more*
>> vulnerable than a conventional symmetric system that uses the same
>> cipher for both traffic encryption and key distribution.
>> QKD relies on the point to point transmission of individual photons,
>> and thus is inherently incompatible with wireless technologies such as
>> 4G
>> and 802.11.   The photons used in WiFi have 100,000 times less energy
>> than those used in the fibre optic links of QKD, and WiFi is not
>> geometrically point to point.   So even if QKD didn't suffer from the
>> problems described above, it would not be able to help the > 6 billion
>> cellular wireless subscribers, or the vast number of WiFi users.
>> QKD is inherently unsuited for all of the important trends in
>> information technology, including the "bring your own device" trend,
>> Could, virtualization, and collaboration.
>> I gave an invited talk at the 2012 HP Information Security Colloquium
>> Royal Holloway with the title "The Vernam cipher is better than quantum
>> key distribution", which presented an analysis that backs up the claim
>> in the title.   The important observation here is that the classical
>> Vernam cipher, in which a long one-time pad is copied onto a portable
>> storage medium then used for information-theoretically secure
>> communication, is quantifiably better than QKD.   Vernam does not have
>> any physical-layer vulnerabilities, it does not have any range
>> limitations, and it can be used over wireless.   Its data rate will
>> depend on how frequently new pad material can be transported by a
>> trusted physical courier, but given the low data rates of QKD, a
>> courier
>> need not travel that often to match its data rate.   The important
>> inference is: if we were actually concerned about the possibility that
>> all symmetric ciphers could be vulnerable to cryptanalysis, then we
>> would be pursuing Vernam-type information theoretic secure systems, and
>> not QKD.   The reality is that there is no such concern, and interest
>> in
>> QKD is driven by its novelty, and not by any logical consideration of
>> what would be useful in information security.
>> My talk isn't online (just mentioned but not archived
>>   If we need
>> to get these points understood more widely, we could publish something
>> on it.
>> David
>> >
>> > spt
> _______________________________________________
> Cfrg mailing list

"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin