Re: [Cfrg] QKD is pointless

David Wagner <daw@cs.berkeley.edu> Mon, 13 January 2014 23:32 UTC

Return-Path: <daw@cs.berkeley.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 488981AE1D8 for <cfrg@ietfa.amsl.com>; Mon, 13 Jan 2014 15:32:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.935
X-Spam-Level:
X-Spam-Status: No, score=-1.935 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5IQwJz4frUUt for <cfrg@ietfa.amsl.com>; Mon, 13 Jan 2014 15:32:18 -0800 (PST)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) by ietfa.amsl.com (Postfix) with ESMTP id 1C7EA1AE1B4 for <cfrg@irtf.org>; Mon, 13 Jan 2014 15:32:18 -0800 (PST)
Received: from compute2.internal (compute2.nyi.mail.srv.osa [10.202.2.42]) by gateway1.nyi.mail.srv.osa (Postfix) with ESMTP id 875C520FB1 for <cfrg@irtf.org>; Mon, 13 Jan 2014 18:32:06 -0500 (EST)
Received: from web2 ([10.202.2.212]) by compute2.internal (MEProxy); Mon, 13 Jan 2014 18:32:06 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=message-id:from:to:mime-version :content-transfer-encoding:content-type:subject:date:in-reply-to :references; s=smtpout; bh=bYY9WHVK53sHRMKsBVTgThZdOcc=; b=HOJjH 4SuhkpBmSetfnXDFRyxTFxf/XuULUU6u/IacS94ShMPTv7k9oamjG3z1e9w67LyP FJ94ycp93BdOfOotZ1FA3Sj2FP3plByuQ7n1YKgVDC7smbHUwCb/RBiwV6TcYL6d fK73TbJZTACOZBiovPP4t7AnxHtAGLNAGa33dI=
Received: by web2.nyi.mail.srv.osa (Postfix, from userid 99) id 4F758540382; Mon, 13 Jan 2014 18:32:06 -0500 (EST)
Message-Id: <1389655926.23536.70338753.20AC4DE5@webmail.messagingengine.com>
X-Sasl-Enc: IIjiCPPPmFgQm3o3Ds/XvGH5WFJ+xOEt6pLWTtG9iAC+ 1389655926
From: David Wagner <daw@cs.berkeley.edu>
To: cfrg@irtf.org
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain
X-Mailer: MessagingEngine.com Webmail Interface - ajax-064ceef5
Date: Mon, 13 Jan 2014 15:32:06 -0800
In-Reply-To: <52CF3890.4010309@cisco.com>
References: <52C755AA.70200@cisco.com> <33E0BF53-A331-4646-B080-FD4F6E13916E@ieca.com> <52CD314B.2000604@cisco.com> <3C4AAD4B5304AB44A6BA85173B4675CABA9A1129@MSMR-GH1-UEA03.corp.nsa.gov> <52CF3890.4010309@cisco.com>
Subject: Re: [Cfrg] QKD is pointless
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jan 2014 23:32:20 -0000

I agree 100% with David McGrew's message and
recommendations for the group.  I agree with his
assessment of QKD; QKD is pointless.  At present
it doesn't solve any real-world problem we actually
have.  Also, all considered, I agree that it is not a
good use of CFRG's time to develop QKD protocols
or I-D's describing how to do QKD.

Basically, I second everything David McGrew wrote.

-- David

On Thu, Jan 9, 2014, at 04:02 PM, David McGrew wrote:
> Hi Kevin,
> 
> On 01/08/2014 01:06 PM, Igoe, Kevin M. wrote:
> > We really need to make sure at least some of the mailing list
> > has some expertise in a given area before we commit ourselves
> > to working in that area,
> 
> I completely agree, the RG needs to be cautious about making sure that 
> it does not overcommit to work.
> 
> > and anything with "quantum" in the name
> > requires expertise I expect very few (if any) of the maining list
> > possess.  I suggest before committing to a topic we poll the
> > mailing list to see who has both expertise on a given topic and
> > an employer who is willing to donate the time and resources
> > needed to follow through.
> 
> I think I was not clear in what I meant, please see inline below:
> 
> >
> >> -----Original Message-----
> >> From: David McGrew [mailto:mcgrew@cisco.com]
> >> Sent: Wednesday, January 08, 2014 6:07 AM
> >> To: Sean Turner
> >> Cc: Igoe, Kevin M.; cfrg@irtf.org
> >> Subject: QKD is pointless (was: Re: considering new topics for CFRG)
> >>
> >> Hi Sean,
> >>
> >> On 01/08/2014 12:26 AM, Sean Turner wrote:
> >>> My list is kind of short:
> >> thanks for sharing your top of mind list, it will help us to prioritize
> >> work.
> >>
> >>> 0) Could the CFRG get behind these recommendations for RSA-OAEP/PSS
> >> or not:
> >>> http://www.ietf.org/mail-archive/web/saag/current/msg04481.html
> >>> http://www.ietf.org/mail-archive/web/saag/current/msg04482.html
> >>>
> >>> If so, let's do a draft!
> >>>
> >>> 1) Assuming RSA goes kaput, it seems like we're moving towards EC (am
> >> I wrong here) then are these EC-based documents worth saying more about
> >> (e.g., in the next version of the protocol use this or run away in
> >> fear):
> >>> https://datatracker.ietf.org/doc/rfc6979/
> >>> https://datatracker.ietf.org/doc/draft-peck-ecdhpop/
> >>> https://datatracker.ietf.org/doc/draft-jivsov-ecc-compact/
> >>>
> >>> 2) Is QKD something we need to start considering:
> >>> http://tools.ietf.org/id/draft-nagayama-ipsecme-ipsec-with-qkd-00.txt
> >>> http://tools.ietf.org/id/draft-ghernaouti-sfaxi-ppp-qkd-00.txt
> >> #0 and #1 are well worth discussion.   For now, I will only comment on
> >> #2.
> >>
> >> Quantum Key Distribution does not provide a solution to any problem
> >> that we have at hand, and is not worthy of serious consideration for
> >> extensive use in the Internet.
> >>
> >> The one benefit of QKD is that it does not rely on any computational
> >> assumptions for security.   However, it relies on physical assumptions
> >> for its security; that is, it can be attacked at the physical layer.
> >> This is a terrible tradeoff, since physical attacks are possible at any
> >> point between the encrypter and decrypter.   In addition, QKD requires
> >> large amounts of raw entropy, and entropy generation is a harder
> >> problem
> >> in the real world than pseudorandomnes.   (In other words: a QKD system
> >> could use AES-CTR to generate the large amounts of unpredictable
> >> elements that it needs, but if we trust AES-CTR, why not just use that
> >> algorithm directly to encrypt traffic?)
> >>
> >> QKD relies on point-to-point secret keys, and it is inherently and very
> >> severely limited in what data rates and ranges that it can support.
> >> The claimed speed record the last time that I checked was one megabit
> >> per second at 20 KM range.   Using that technology, we need 10,000
> >> repeaters to get global scale communication.   This would require the
> >> pre-placement to 9,999 shared secrets between pairs of repeaters along
> >> the communication path, and it would require that infrastructure to be
> >> trusted.  There are theoretical designs for repeaters that would not
> >> need to be trusted,
> >>
> >> The idea of "hybrid QKD", in which QKD is used to distribute keys for a
> >> conventional symmetric cryptosystem like AES, is a seriously bad idea.
> >> It suffers from the physical layer vulnerabilities of QKD as well as
> >> whatever vulnerabilities the symmetric cryptosystem has.   It is *more*
> >> vulnerable than a conventional symmetric system that uses the same
> >> cipher for both traffic encryption and key distribution.
> >>
> >> QKD relies on the point to point transmission of individual photons,
> >> and thus is inherently incompatible with wireless technologies such as
> >> 4G
> >> and 802.11.   The photons used in WiFi have 100,000 times less energy
> >> than those used in the fibre optic links of QKD, and WiFi is not
> >> geometrically point to point.   So even if QKD didn't suffer from the
> >> problems described above, it would not be able to help the > 6 billion
> >> cellular wireless subscribers, or the vast number of WiFi users.
> >>
> >> QKD is inherently unsuited for all of the important trends in
> >> information technology, including the "bring your own device" trend,
> >> Could, virtualization, and collaboration.
> >>
> >> I gave an invited talk at the 2012 HP Information Security Colloquium
> >> Royal Holloway with the title "The Vernam cipher is better than quantum
> >> key distribution", which presented an analysis that backs up the claim
> >> in the title.   The important observation here is that the classical
> >> Vernam cipher, in which a long one-time pad is copied onto a portable
> >> storage medium then used for information-theoretically secure
> >> communication, is quantifiably better than QKD.   Vernam does not have
> >> any physical-layer vulnerabilities, it does not have any range
> >> limitations, and it can be used over wireless.   Its data rate will
> >> depend on how frequently new pad material can be transported by a
> >> trusted physical courier, but given the low data rates of QKD, a
> >> courier
> >> need not travel that often to match its data rate.   The important
> >> inference is: if we were actually concerned about the possibility that
> >> all symmetric ciphers could be vulnerable to cryptanalysis, then we
> >> would be pursuing Vernam-type information theoretic secure systems, and
> >> not QKD.   The reality is that there is no such concern, and interest
> >> in
> >> QKD is driven by its novelty, and not by any logical consideration of
> >> what would be useful in information security.
> >>
> >> My talk isn't online (just mentioned but not archived
> >> http://bristolcrypto.blogspot.com/2012_12_01_archive.html)   If we need
> >> to get these points understood more widely, we could publish something
> >> on it.
> 
> Instead of the last sentence, what I should have said is: if there is a 
> need to better explain and/or defend the points outlined above, I 
> personally would be willing to spend the time to write them up.
> 
> Speaking as an individual here: I don't think QKD is something worth the 
> RG's time.   Post-quantum crypto, on the other hand, is something I 
> would be very glad to see work on.
> 
> David
> 
> >>
> >> David
> >>
> >>> spt
> > .
> >
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg