Quantum computing

Werner Koch wk at gnupg.org
Fri Apr 20 09:56:03 CEST 2007 

On Fri, 20 Apr 2007 09:09, skrewz at skrewz.dk said:

> This is in contrast to quantum cryptography, which, IINM, is provably
> uninterceptable (but, unlike traditional cryptography, has many
> weaknesses beyond the purely theoretical ones).

While you mention this, I can't resist to forward Perry E. Metzger's
comments:

  To: cryptography at metzdowd
  Subject: my periodic rant on quantum crypto
  From: "Perry E. Metzger" 
  Date: Mon, 12 Apr 2004 15:37:33 -0400
  
  /. is running yet another story on quantum cryptography today, with
  the usual breathless hype:
  
  http://science.slashdot.org/article.pl?sid=04/04/12/133623
  
  I'm especially unimpressed with the "Does this spell the
  end of the field of cryptography?" comment.
  
  For those who don't know much about what it is, "Quantum Cryptography"
  is a very expensive way of producing an unauthenticated link
  encryption device. It is useless for any application other than link
  encryption over a short distance and requires a dedicated optical
  fiber to work.
  
  QC has no properties that render it especially better for link
  encryption than, say, a box from one of several vendors running AES on
  the link instead. It is perhaps theoretically safer, but in practice
  no one is going to break AES either -- they're going to bribe the
  minimum wage guard at your colo to have 20 minutes alone with your box
  while they install a tap on the clear side of it (or worse, they'll
  slip in while the guard is asleep at his desk.)
  
  QC still requires link authentication (lest someone else other than
  the people you think you're talking to terminate your fiber
  instead). As a result of this, you can't really get rid of key
  management, so QC isn't going to buy you freedom from that.
  
  QC can only run over a dedicated fiber over a short run, where more
  normal mechanisms can work fine over any sort of medium -- copper, the
  PSTN, the internet, etc, and can operate without distance limitation.
  
  QC is fiendishly costly -- orders of magnitude more expensive than an
  AES based link encryption box.
  
  QC is extremely hard to test to assure there are no hardware or other
  failures -- given the key in use, I can use intercepted traffic to
  assure my AES link encryption box is working correctly, but I have no
  such mechanism for a QC box.
  
  On top of all of this, the real problems in computer security these
  days have nothing to do with stuff like how your link encryption box
  works and everything to do with stuff like buffer overflows, bad
  network architecture, etc.
  
  Given that what we're dealing with is a very limited technology that
  for a very high price will render you security that is at best not
  particularly better than what much more economical solutions will
  yield, why do people keep hyping this?  Indeed, why do people buy these
  boxes, if indeed anyone is buying them?
  
  It is stunning that a lab curiosity continues to be mentioned over
  and over again, not to mention to see venture capitalists dump money
  after it.
  
  BTW, none of this has anything to do with "Quantum Computing", which
  may indeed yield breakthroughs someday in areas such as factoring but
  which is totally unrelated...
  
  Perry




Salam-Shalom,

   Werner

More information about the Gnupg-users mailing list