3

I don't understand the popularity of the idea of QKD (often coupled with OTP). From what I can tell, a quantum-safe key exchange algorithm like McEliece has just as much security while operating over current networks, through repeaters, and not requiring single-photon emitters. Combining this with AES seems convenient and practical.

  1. Why would one ever choose QKD over McEliece?

The only reason I can discern is that there is some possibility that a yet-to-be-discovered algorithm may weaken McEliece or AES.

Patriot
Evariste
  • 1
    "often coupled with OTP"; actually, from my view of the QKD community, QKD is most often coupled with AES (so that you're not limited by the bandwidth limitations of QKD, which has been improving over time, but still has limits). Of course, if you do that, you lose the supposed "security guaranteed by Quantum Physics" claim QKD makes, but still, that's what it appears people do in practice... – poncho Feb 21 '20 at 19:41
  • It boils down to what you mean by "just as much security": practically? There's something to be said about "perfect" even if most people don't need perfect. Remember that most of the current work is research. Production scaling/efficiency is not a criterion for people working with QKD at this time. – dandavis Feb 21 '20 at 20:18
  • I oughtn't to have said "just as much security". That is not quite true. Even though most of the current work is research, though, there are commercially-available QKD systems (I think), but I can't figure out why there is even a market. – Evariste Feb 21 '20 at 20:33
  • There are most certainly QKD systems on the market (and have been for a number of years). – poncho Feb 21 '20 at 20:46
  • Quantum Key Distribution is rightly popular as an experimentation and research field for quantum physicists. It's a time-proven way to get the attention of the press and attract public money. But it's far from universally popular among cryptographers and security professionals. My perception is that most are close to my opinion: there's no need for QKD. Read the position of French security authorities, with links to their US and UK counterparts. – fgrieu Apr 19 '23 at 14:55

2 Answers

1

QKD is "popular" as it doesn't rely on an algorithm that can possibly be broken. McEliece doesn't have a security proof. So although it is thought to be secure after many years of analysis, it may be broken.

McEliece may even be practically broken now without the cryptographic community knowing about it. This is not very likely and it goes for any cryptographic algorithm that is not theoretically secure, but it is not impossible and cannot be disproven.

Of course, using QKD does have very real drawbacks, which are indicated in this Q/A on our site. This is why it is not that popular in the cryptographic community despite it being theoretically secure.

Maarten Bodewes
  • You just know that I can’t let this go. Uncharacteristically, you’ve acknowledged that McEliece may have been clandestinely broken (see NOBUS). Might you then accept the same for AES? And are you not then driven by Hobson’s Choice towards QKDNs & OTPs? – Paul Uszak Dec 16 '23 at 00:18
  • These are not schemes that have been invented by the NSA. Afaik neither scheme has been significantly altered by NIST either. This is something different from e.g. Dual-DRBG. From AES I know that few cryptographers doubt the construction. So no, I don't think it's the same thing. And please remind yourself that for QKDs you're still dependent on suppliers. I think you've pointed out a Swiss company not too long ago. It's not like crypto boxes from Switzerland have always been secure, right? – Maarten Bodewes Dec 17 '23 at 03:50
0

Because it's the Holy Grail of cryptography.

To be specific, it's not unbreakable as the layman's literature suggests. It's that a quantum transmission of key material cannot be intercepted without the sending/receiving parties noticing. It is the Observer Effect in physics and a fundamental part of the Universe. Knowing that you're being spied upon in many ways gives you the advantage.

And if you can securely transmit a lot of key material, you can then use one time pad (OTP) techniques for the encryption. And OTPs are provably secure via information theory. McEliece/AES, being limited-key-length ciphers, are not. Just because the academic community can't break McEliece or AES, doesn't mean that they haven't already been broken by state actors, or will be tomorrow by Alexander Verykleverkov in his university dorm room. Perhaps Shor's 3rd improved algorithm might work against McEliece. The point I'm labouring is that you can prove photon interception/OTP security now, but not McEliece/AES. All we have is an absence of evidence for them.

The only reason I can discern is that there is some possibility that a yet-to-be-discovered algorithm may weaken McEliece or AES.

You've answered your own question :-) Israel can keep defence-related documents sealed for 70 years. The UK had 50. Their transmission may have been intercepted or copied and stored. You cannot guarantee that they won't be teaching McEliece/AES breaking in high schools by 2091.

That's why there is a market for QKDNs. See all the interest in this older answer, and ponder the quotation at its end. It's incredibly alluring, and if you want one, buy one of these:-

[image: Cerberis QKD node]

It's a node for commercial QKDNs. Cerberis from ID Quantique.

Paul Uszak
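The claim in this answer that interception of the quantum channel is noticeable is what the BB84 protocol's error check exploits: an intercept-and-resend eavesdropper who guesses the wrong basis disturbs the qubit, and that shows up as a raised quantum bit error rate (QBER) on the sifted key. The following simulation is an added example written for this page; it is not code from the answer's author or from any QKD vendor. It models the two conjugate bases abstractly (a qubit is just a (bit, basis) pair, and measuring in the wrong basis yields a uniformly random bit), and the 11% abort threshold is the commonly cited bound for BB84 with one-way post-processing, used here as an assumed parameter rather than something derived.

```python
import random

# Abort threshold (fraction of errors in the sifted key) above which the
# parties assume the channel was observed. 11% is the commonly cited BB84
# bound for one-way post-processing; treated here as an assumed parameter.
QBER_ABORT_THRESHOLD = 0.11


def measure(state_bit, state_basis, measure_basis, rng):
    """Toy qubit measurement: the right basis returns the encoded bit,
    the wrong (conjugate) basis returns a uniformly random bit."""
    if measure_basis == state_basis:
        return state_bit
    return rng.randrange(2)


def run_bb84(n_qubits, eavesdrop, seed=0):
    """Simulate one BB84 run and return sifted-key statistics.

    If `eavesdrop` is True, an intercept-and-resend attacker measures every
    qubit in a random basis and re-emits a qubit in that basis.
    """
    rng = random.Random(seed)  # deterministic so results are reproducible
    alice_bits = [rng.randrange(2) for _ in range(n_qubits)]
    alice_bases = [rng.randrange(2) for _ in range(n_qubits)]
    bob_bases = [rng.randrange(2) for _ in range(n_qubits)]
    bob_bits = []

    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        state_bit, state_basis = bit, a_basis  # qubit in transit
        if eavesdrop:
            e_basis = rng.randrange(2)
            # Eve's measurement collapses the state into her basis; if she
            # guessed wrong, the bit she re-sends is random.
            state_bit = measure(state_bit, state_basis, e_basis, rng)
            state_basis = e_basis
        bob_bits.append(measure(state_bit, state_basis, b_basis, rng))

    # Sifting: over the public channel, keep only positions where Alice's
    # and Bob's bases agree. Without interference these bits must match.
    sifted = [(a, b) for a, b, ab, bb in
              zip(alice_bits, bob_bits, alice_bases, bob_bases) if ab == bb]
    errors = sum(1 for a, b in sifted if a != b)
    qber = errors / len(sifted) if sifted else 0.0
    return {"sifted": len(sifted), "errors": errors, "qber": qber}


def eavesdropper_detected(qber, threshold=QBER_ABORT_THRESHOLD):
    """Decision the parties make after comparing a sample of sifted bits."""
    return qber > threshold


if __name__ == "__main__":
    clean = run_bb84(4000, eavesdrop=False)
    tapped = run_bb84(4000, eavesdrop=True, seed=1)
    print("no eavesdropper: QBER = %.3f, abort = %s"
          % (clean["qber"], eavesdropper_detected(clean["qber"])))
    print("intercept-resend: QBER = %.3f, abort = %s"
          % (tapped["qber"], eavesdropper_detected(tapped["qber"])))
```

With no attacker the sifted key has zero errors; with intercept-and-resend the attacker picks the wrong basis half the time and then Bob's bit is random, so roughly a quarter of the sifted bits disagree, far above the abort threshold. The simulation deliberately ignores channel noise and detector imperfections, which is exactly the gap between this idealised argument and the side-channel concerns raised in the comments below.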
  • 4
    Of course, Paul doesn't mention some issues with QKD systems; for one, they are prone to side channel attacks (which would leak the shared bits), for another, in practice they don't generate key bits fast enough for OTP, hence they often use the bits as AES key bits (and hence the entire system is no stronger than AES), for a third, there is a distance limitation (unless you use trusted repeaters, which is often not an option - they're working on untrusted repeaters, but that's years away...) – poncho Feb 02 '21 at 16:00
  • @poncho You raise an important point. What is the necessary bit rate to use a one time pad? This question always arises on this site, and is always immediately dismissed. Even though my linked answer features the Tokyo and NIST video systems, and the smart phone that all run as pure OTPs. And that was based on years old literature. Thus it was fast enough for pure OTP video years ago. – Paul Uszak Feb 02 '21 at 16:37
  • 1
    @poncho I would also suggest that side channel attacks are irrelevant within this context. AES leaks just as much when I have to write down my banking password on a post it note due to daft complexity requirements. This question concerns fundamental differences and what can be mathematically proven, not really the implementation irregularities which can undermine any and all crypto systems. – Paul Uszak Feb 02 '21 at 16:39
  • I do not believe that side channel attacks are irrelevant; we can perform our AES implementation in (say) a Faraday cage; in contrast, the current QKD designs need a sensor that interacts directly with the quantum events (which are tiny) from the other side (or an attacker), and hence side channel attacks on this sensor are far more difficult to shield. Now, there is work on "device independent QKD" which might be inherently stronger, however most (if not all) current QKD devices don't attempt to implement this. – poncho Feb 02 '21 at 19:07
  • 2
    Perhaps Shor's 3rd improved algorithm might work against McEliece – Are you aware that McEliece is not in BQP? Furthermore, the reason AES et al aren't considered information theoretic secure is not because they have a finite key space. After all, Poly1305 is information theoretic secure but is not secure against a computationally-unbound adversary (it has a finite "key size"). – forest Feb 07 '21 at 22:09
  • @poncho what do you mean by repeater when it comes to QKD? Quantum states cannot be copied, so how would it even work? – João Bravo Feb 18 '21 at 16:02
  • 2
    @JoãoBravo: well, the easiest way to have a 'QKD repeater' would be to have the repeater have two QKD endpoints; one connected to Alice and one connected to Bob. Alice and the repeater would establish a shared key, and Bob and the repeater would establish another shared key, and the repeater would (say) publish the xor of the two keys (so Alice and Bob could derive the same key). This is a 'trusted repeater' (because the repeater is also privy to the computed key); there is also the possibility of an untrusted repeater, but that is considerably less trivial – poncho Feb 18 '21 at 16:17
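The trusted-repeater construction just described, as an added example that is not part of the comment above (the function names and the chaining over several repeaters are this example's own generalisation of the two-endpoint case). Each repeater holds the keys of its two QKD links and publishes their XOR; Alice folds every published value into her first-hop key and ends up with the key of the last hop, which is the one Bob already holds. The same code shows why the repeater is "trusted": from its own link key and the later published values, every repeater can reconstruct the end-to-end key.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR; QKD link keys of a relay must be the same length."""
    if len(a) != len(b):
        raise ValueError("link keys must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def repeater_publish(k_in: bytes, k_out: bytes) -> bytes:
    """What a trusted repeater announces over the public channel:
    the XOR of its incoming and outgoing link keys."""
    return xor_bytes(k_in, k_out)


def alice_derive_end_key(k_first_link: bytes, published: list) -> bytes:
    """Alice only holds the first link key; XORing in every published
    value telescopes through the chain and leaves the last link key."""
    k = k_first_link
    for p in published:
        k = xor_bytes(k, p)
    return k


def repeater_derive_end_key(i: int, link_keys: list, published: list) -> bytes:
    """Repeater i sits between link i and link i+1. It knows k[i+1] and
    can fold in the later announcements, so it learns the end-to-end key
    too. This is the trust assumption a trusted-repeater network makes."""
    k = link_keys[i + 1]
    for p in published[i + 1:]:
        k = xor_bytes(k, p)
    return k


def simulate_chain(link_keys: list):
    """Run a relay over len(link_keys) QKD links with len-1 repeaters.
    Returns (published values, Alice's key, Bob's key)."""
    published = [repeater_publish(link_keys[i], link_keys[i + 1])
                 for i in range(len(link_keys) - 1)]
    alice_key = alice_derive_end_key(link_keys[0], published)
    bob_key = link_keys[-1]  # Bob simply uses his own link key
    return published, alice_key, bob_key


if __name__ == "__main__":
    # Constructed sample: three fresh link keys stand in for the output of
    # three QKD links (Alice<->R1, R1<->R2, R2<->Bob).
    links = [os.urandom(32) for _ in range(3)]
    published, alice_key, bob_key = simulate_chain(links)
    print("Alice and Bob agree:", alice_key == bob_key)
    for i in range(len(published)):
        print("repeater %d can compute the key:" % (i + 1),
              repeater_derive_end_key(i, links, published) == bob_key)
```

Note what the public channel reveals: each published value is a fresh, uniformly random link key XORed onto another, so an observer of the announcements alone learns nothing about the end key (the same argument that makes a one-time pad secure). The weakness is not the announcement but the repeater itself, which holds every link key in the clear; operationally that means each relay node needs the same physical and personnel protection as the endpoints.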
  • 1
    @JoãoBravo: if you're asking about an untrusted repeater, well, one way to do this is to have a link between devices where the two endpoints would get mutually entangled qubits (which some QKD devices can do, but most can't). Alice and the repeater are endpoints of such a link, and share an entangled qubit, and Bob and the repeater share an entangled qubit. Then the repeater does 'entanglement swapping', where Alice and Bob's qubit becomes entangled (without the repeater learning anything about what that entangled qubit is); Alice and Bob can use their entangled qubit to communicate. – poncho Feb 18 '21 at 16:25
  • @poncho that was very clear, thank you! – João Bravo Feb 18 '21 at 17:30
  • 1
    I don't see why this answer had a negative vote. – QuestionEverything Dec 20 '22 at 03:17
  • 1
    @QuestionEverything It's a combination of the author's name and the fact that quantum is taboo here (along with one time pads). – Paul Uszak Dec 20 '22 at 12:37
  • @JoãoBravo See section 4.3 of https://ietresearch.onlinelibrary.wiley.com/doi/full/10.1049/qtc2.12044. – Paul Uszak Dec 20 '22 at 12:38
  • @PaulUszak You start off your answer by saying that QKD is the "holy grail", which just isn't true. The fact that it requires significant infrastructure, that it doesn't provide authentication of the links or messages and that it is prone to practical attacks all make it very clear that it is VERY FAR from being a holy grail. This holy grail is just as elusive as the actual one, and it was definitely enough to immediately gain a downvote from me. – Maarten Bodewes Dec 15 '23 at 20:56
  • @QuestionEverything I've written a response for that and another answer for the simple reason that at least it doesn't start off with "QKD is the holy grail". It isn't, and if Paul wants to argue that it is then he'll have to convince us that everybody is seeking after it as that's the point of the holy grail. We aren't and I can prove that, as I'm not. – Maarten Bodewes Dec 15 '23 at 21:17