Quantum Cryptography Has Everyone Scrambling
62 points
28 days ago
| 6 comments
| spectrum.ieee.org
| HN
tptacek
28 days ago
This is an article about QKD, a physical/hardware encryption technology that, to my understanding, cryptography engineers do not actually take seriously. It's not about post-quantum encryption techniques (PQC) like structured lattices.
fsh
28 days ago
In contrast to what the article claims, it is also not a new idea. The original proposal was made 40 years ago, and it was immediately recognized that the required authenticated classical channel makes it useless in practice. Doesn't stop governments from spending vast amounts of money though.
pclmulqdq
28 days ago
As far as I can tell, QKD is mainly useful to tell people to separate out the traffic that is really worth snooping onto a network that is hard to snoop on. It is much harder for someone to spy on your secrets when they don't pass through traditional network devices.

Of course, it also tells a dedicated adversary with L1 access exactly where to tap your cables.

westurner
28 days ago
At the repeaters?

How do QKD systems key and timecode repeaters?

Isn't it possible to measure a photon state without causing state collapse by measuring adjacent particles affected by the passing photon? Is it possible to have entanglement communications without such measurement capacity?

EliBullockPapa
28 days ago
Right, this is just an academic exercise and has no commercial use as far as I’ve heard
BodyCulture
28 days ago
Thank you very much for saving me time!
andutu
28 days ago
I've skimmed some literature on Quantum Crypto and from my understanding the outstanding issues currently are 1. How to make these work over long distances and 2. How to implement features found in PKI authentication (though QKD schemes are theoretically secure against MITM attacks, there still isn't a quantum cryptography scheme yet to ensure that you are talking to a non-adversary). There have been advances with the 1st problem, but the 2nd is trickier. Tbf, you don't strictly need PKE to have secure communication between 2 parties (look at Section 6 in https://signal.org/docs/specifications/sesame/).

A lot of real world implementations of quantum crypto have been with respect to satellite communications, which makes sense. The satellite is usually built by the same actors who set up the communication links from the ground to the satellite, and quantum particles can be transmitted by laser. But as the article points out, it probably won't see widespread use for a while. There was a paper that came out recently called "How (not) to Build Quantum PKE in Minicrypt" (https://arxiv.org/abs/2405.20295) and from my limited understanding of it, a quantum PKE system will likely have very few components from classical crypto incorporated into it. Not to mention that specially built devices have to be installed at ISPs, data centers, etc. for this to work.

Work in this space is valuable as a hedge against a world where all conventional crypto is broken. It also helps advance work in quantum mechanics more generally and other fields in physics and it's generally very interesting :)

edit: grammar corrections

cycomanic
28 days ago
What is really annoying about the quantum cryptography field is the dishonesty (in my opinion) that goes on with justifying the need. The need for QKD is often justified by quantum computers, Shor's algorithm and how cryptography will not be future proof once quantum computers are around and that people can already store all the data and decrypt it sometime in the future. QKD is then brought in as the solution because channels are "physically secure" and is often mentioned as an alternative to post quantum cryptography.

Apart from the big question marks around quantum computers, the argument is dishonest. Post quantum algorithms are primarily about asymmetric encryption, QKD is not a solution for the same problem at all. QKD is simply a way of ensuring that your optical channel is secure, so you can distribute one-time pads. The encryption is the one-time pad. And nobody is thinking about having QKD links between individual desktop PCs (that seems completely unfeasible atm).

Essentially QKD is the same thing as sending a guard with a suitcase full of harddrives between your end points to distribute your keys (and in fact sending a guard is typically several orders of magnitude faster considering the current distances and data rates).

In addition to the dishonest argument about the need there is the issue when they mention rates and distances. Often when talking about best key distribution rates proponents mention the MB/s that you can achieve with continuous variable QKD, but in the same argument they talk about the ultimate security achievable with discrete variable QKD. But data rates for discrete variable QKD are much lower, while the security of continuous variable QKD relies on statistics and is more susceptible to attacks. So the arguments make QKD look much better than the reality.

cryptonector
28 days ago
QKD continues to be snake oil.
Kwpolska
28 days ago
And IEEE Spectrum continues to post useless content under a reputable(?) name.
holowoodman
28 days ago
Same as "Quantum Computing is snake oil".

There is reputable science to be done, the experiments are worth funding as basic science. The snake oil part is all the talk about applications being just around the corner (or viable at all). Applications are decades away at least, and maybe also just impossible.

That tons of reputable scientists talk about applications anyway is based on the necessity of securing funding. Nobody funds basic science, at least not as well as a next-big-thing application right after the funding period ends...

cryptonector
27 days ago
QKD does not solve a real problem and will never, never be useful. Worse, QKD was obviously useless on day one. Quantum computing might yet turn out to be useful.
holowoodman
27 days ago
That might be obvious to a security/cryptography person, but it is not obvious to a physicist.

The physicist will see "totally confidential channel" as a great useful application. Because he lacks the knowledge that a confidential channel is totally useless without authentication. At best, the authentication will be hand-waved away in the grant application as "out of scope" or "future work".

cryptonector
27 days ago
The snake oil part comes from the business people, not from the physicist. And anyways, it's not that hard for the physicist to learn that there's no future in QKD, and indeed, the physicist wants to know that to avoid wasting their efforts. Being a physicist does not preclude knowledge of classical cryptography -- and vice-versa.

The credentialist approach we take to all specialty knowledge has its limits, and we must acknowledge that. Credentials do not limit one's expertise, nor really do they prove it.

skywhopper
28 days ago
This article, like most things I’ve seen about quantum computing tech from ieee.org is a weird mish-mash of nonsense claims about entirely unrelated future technologies based entirely on assertions from a “quantum computing” consulting firm.

Post-quantum crypto and quantum key distribution have nothing to do with each other, beyond the word “quantum” in their names.

The article asserts post-quantum crypto algorithms might be vulnerable to quantum computing, merely based on the fact that you can’t prove they won’t be. But it doesn’t mention the fact that the actual threat to traditional public-key crypto from quantum computing is still decades away from being practical if it ever becomes so, and we know how that math would work.

But quantum computers do actually exist. Sure, they can only factor numbers smaller than 25 and get exponentially more error-prone with every added qubit. But they exist. As for quantum key distribution, it’s entirely theoretical. It depends on inventing a technology for distributing entangled photons securely ahead of time. If it can be developed at all (and the crypto shill they quote claims “5 to 10 years” which is code for “we have no clue how to build this”), it amounts to a very very expensive one-time pad.

OTPs are already “perfect” crypto, that can’t be broken by any computer... unless you attack the communication outside the bounds of the OTP. Steal the code book, or read the decrypted message, or just beat it out of the agent. QKD is no different, but it’s actually worse. Because the equipment would be unique and hyper-expensive, and because since the plaintext would be in a computer, it can then just as easily be surveilled, copied, or stored after decryption like any other plaintext.

The discussion of the supposed combination of the two technologies is complete and utter nonsense. Sure, you could do that, but there are so many other, better, simpler, cheaper ways to be far more secure. This is all a great way to bilk governments out of their money, very little more.

Incipient
27 days ago
>OTPs are already “perfect” crypto, that can’t be broken by any compute

Isn't that not the case? OTPs are authentication, not encryption? The underlying algorithms are what people are concerned about quantum computing breaking. OTPs still rely on these algorithms?

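The OTP the thread is arguing about is the one-time pad (not a one-time password), and the exchange between fsh, holowoodman, cycomanic and skywhopper comes down to two facts about it: XOR with a random, never-reused pad is unbreakable by any computer, and it is also silently editable by anyone on the wire unless the pad is paired with an authenticator. The example below is added here to make both concrete; it is not code from the article or from any of the commenters. It assumes `os.urandom` stands in for the key material a QKD link would deliver to both endpoints, and it pairs the pad with a Wegman-Carter style polynomial authenticator (a Poly1305-like construction chosen for illustration, keyed from the same one-time random stream); the message and field prime are constructed for the demo.

```python
from __future__ import annotations

import os
import secrets

# Mersenne prime used as the field for the polynomial hash. 14-byte blocks plus
# a 0x01 pad byte are always < 2**120 < P, so distinct blocks map to distinct
# field elements and the usual injectivity argument for the hash holds.
P = 2**127 - 1


def otp_xor(key: bytes, data: bytes) -> bytes:
    """One-time pad. XOR is its own inverse, so this both encrypts and decrypts.
    With a uniformly random key, used once and as long as the message, every
    same-length plaintext is equally consistent with the ciphertext: the
    eavesdropper learns nothing from the ciphertext, whatever computer she has."""
    if len(key) < len(data):
        raise ValueError("pad exhausted: the key must be at least as long as the data")
    return bytes(k ^ d for k, d in zip(key, data))


def onetime_mac(mac_key: bytes, msg: bytes) -> bytes:
    """Wegman-Carter style one-time authenticator: evaluate a polynomial in the
    message blocks at a secret point r in GF(P), then mask the result with a
    secret s. The 32 bytes of (r, s) come from the same pre-shared random
    stream as the pad and, like the pad, are never reused. A forger who does
    not know (r, s) succeeds with probability about (blocks + 1) / P."""
    r = int.from_bytes(mac_key[:16], "big") % P
    s = int.from_bytes(mac_key[16:32], "big") % P
    acc = 0
    for i in range(0, len(msg), 14):
        block = int.from_bytes(msg[i:i + 14] + b"\x01", "big")  # 0x01 marks the block end
        acc = (acc + block) * r % P
    return ((acc + s) % P).to_bytes(16, "big")


def send(pad: bytes, msg: bytes) -> tuple[bytes, bytes]:
    """Sender: the first len(msg) pad bytes encrypt, the next 32 authenticate."""
    ct = otp_xor(pad[:len(msg)], msg)
    tag = onetime_mac(pad[len(msg):len(msg) + 32], ct)
    return ct, tag


def receive(pad: bytes, ct: bytes, tag: bytes) -> bytes | None:
    """Receiver: verify the tag in constant time before decrypting; None means reject."""
    expected = onetime_mac(pad[len(ct):len(ct) + 32], ct)
    if not secrets.compare_digest(expected, tag):
        return None
    return otp_xor(pad[:len(ct)], ct)


def tamper(ct: bytes, sent: bytes, wanted: bytes) -> bytes:
    """Active attacker on the link. Knowing (or guessing) the plaintext layout,
    XOR the ciphertext with sent ^ wanted so the receiver decrypts to `wanted`.
    No key knowledge is needed: the pad hides content, not structure."""
    return bytes(c ^ a ^ b for c, a, b in zip(ct, sent, wanted))


def demo() -> dict:
    """Run the three scenarios the thread argues about and return the outcomes."""
    msg = b"TRANSFER 0100 USD TO ALICE"  # constructed sample message
    # Stands in for the key material a QKD link would deliver to both ends:
    # len(msg) pad bytes plus 32 authenticator bytes, all used exactly once.
    pad = os.urandom(len(msg) + 32)
    ct, tag = send(pad, msg)

    # 1. Perfect secrecy: the same ciphertext is explained just as well by a
    #    different pad and a different message of the same length.
    alt = b"TRANSFER 9900 USD TO ALICE"
    alt_pad = otp_xor(ct, alt)

    # 2. Malleability: without a tag, the receiver accepts the attacker's edit.
    forged = tamper(ct, msg, alt)

    # 3. With the one-time authenticator the same edit is detected and rejected.
    return {
        "honest": receive(pad, ct, tag),
        "perfect_secrecy_alt": otp_xor(alt_pad, ct),
        "unauthenticated_tampered": otp_xor(pad[:len(ct)], forged),
        "authenticated_tampered": receive(pad, forged, tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The point of scenario 3 is the one fsh and holowoodman make: the authenticator needs its own shared secret, and that secret has to be distributed and protected by something other than the confidential channel itself, which is why a QKD link still needs an authenticated classical channel to bootstrap. Note also that the pad bytes are sliced and never reused; reusing any of them, for encryption or for the tag, destroys both guarantees.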
ackbar03
28 days ago
Where exactly are we with quantum computing? Last I remembered there was a lot of hoopla but the thing still wasn't working yet
mcpherrinm
28 days ago
https://sam-jaques.appspot.com/quantum_landscape_2023

This is a reasonable overview.

It works and exists, but is not faster than classical computing. We need many orders of magnitude improvement before we get a cryptographically relevant quantum computer to break RSA etc.

It’s not clear when that will happen. 10 years or 100?

fsh
28 days ago
None of the techniques achieve anywhere near the required performance metrics for useful QC. Improvements also appear to have slowed down across the board despite massive investments. I would not hold my breath for QC to arrive anytime soon (if ever).
meroes
28 days ago
Same place as 200 year old humans and AGI
HeatrayEnjoyer
28 days ago
So, imminent?
Spooky23
28 days ago
Any day now.
ganzuul
28 days ago
Estimates on complexity are shifting by 100x per company that gets funded, so it is still rumors of black swans.
fhub
28 days ago
If there have been big breakthroughs I suspect they are classified.