Schneier Calls Quantum Cryptography Impressive But Pointless

KindMind writes "Bruce Schneier writes in Wired that quantum cryptography, while an awesome technology, is actually pointless (that is, of no commercial value). His point is that the science of cryptography is not the weak point, but the other links in the chain (like people, etc.) are where it breaks down."

sure...

[Lord Ender]

...but as soon as I release my algorithm which factors the products of large prime numbers in log(n) time, they will be begging for quantum crypto.

Re:

[null etc.]

Sure, where n equals infinity.

Re:sure...

[hellop2]

Yeah, but it's a small infinity.

Re:sure...

[Prof.Phreak]

factors the products of large prime numbers in log(n) time

That's easy, just use sqrt(n) computers.

Re:

[BarronVonGoerig]

i think you mean e^n [or 10^n] computers, depending on one's definition of log(n) [it's an engineering thing]

Re:

[TheIzzy]

log in the case of computational complexity is almost always base 2, so that would be 2^n [it's a binary thing]

Re:

[tixxit]

In computational complexity, log can refer to any constant base (greater than 1).

Re:

[A non-mouse Coward]

I agree. If the quantum crypto community wants to use that quantum computing power to factor the large primes in RSA, then the quantum computing community could justify selling us their quantum crypto. Make a need, sell a solution.

In reality, it's always going to be the "endpoints" that are the problem. We still cannot even know with 99.999% certainty that a transaction to a remote application came from a specific user. We use bloated software with tens of millions of lines of code. Even the best err

Re:sure...

[moderatorrater]

Quantum crypto does just that, if I remember correctly. Because of the nature of quantum mechanics, you can't intercept the message without simultaneously changing it. Having changed it, you're unable to hide your eavesdropping. The mathematics and science of cryptography is always the strongest thing about security, it's just those darned humans continually screwing things up.

Re:sure...

[cowscows]

Yeah, but in any commercially useful application of the technology, you're going to have computers at each end dealing with the data once it's decrypted.

That's Schneier's whole point really. The weak link isn't actually sending encrypted data, it's dealing with the data at either end of chain. For the data to be useful, it has to be decrypted at some point in time, and the listener's computer has to know how to do the decryption. An attacker isn't going to attack the encrypted data stream. They're going to attack either the source or the listener, and either get the stored decrypted data, or get the stored encrypted data and the necessary info to decrypt it.

If your total communications network consists only of a encrypted communications line, plus a computer on each end, and both of those computers have no other connection to any other sort of network, and also have foolproof physical security, then maybe the encryption line might become the weakest point. But in the real world, computers are generally interconnected with many others, allowing lots of directions to attack from.

Unless someone comes up with some amazing breakthrough that makes factoring very large numbers trivial, there aren't really any practical cases where the encrypted data stream is the likely target of an attack.

Re:sure...

[h4rm0ny]

Taking care of the human and physical security is my business. It's the encryption technology that I can't control / verify. So give me encryption that I can trust and I'll be able to assess my security based on the things that I can control / verify myself. Schneier has no business telling me "your set up is flawed so there's no point in giving you secure encryption." It's for me to judge and all I want is to ensure that no weak links come in from outside my control, i.e. a flawed algorithm or technology.

Re:

[Vellmont]

So give me encryption that I can trust and I'll be able to assess my security based on the things that I can control / verify myself. Schneier has no business telling me "your set up is flawed so there's no point in giving you secure encryption."

You've missed the point. Scneire's point is that you already DO have "encryption I can trust". His point isn't that "your set up is flawed", his point is that "all setups have weaknesses, and the weakest point is almost never the encryption system." Giving you "m

Re:sure...

[stony3k]

What he's actually telling you is that the existing encryption is good enough. You really need to spend more time fixing the human problems since that's where most of the attacks come from.
He's basically telling that we've reached or are close to the point of diminishing returns, where advances in cryptology (newer algorithms or quantum crypto) can no longer be justified based on the increase in cost for these advances versus the % of attacks on existing crypto.

Re:

[sarkeizen]

It's the encryption technology that I can't control / verify.

First of all lets define what is being discussed: Bruce is talking about Quantum Cryptography that is to say a Quantum Key Distribution System.

Now...let's kick your ignorant ass.

A Quantum Key Distribution system isn't really any more under your control or verifiable by you than one that uses SSL. Both can have flawed implementations both are probably way beyond your skill set to verify.

So give me encryption that I can trust

A quantum key distribut

Re:

[theralfinator]

The point of "encrypting at all" is that it makes the transmission "link" of the "chain" stronger. Not extremely ridiculously amazingly stronger, but strong enough that if you really want to break the chain, you'll try breaking the other links. Let's say we have a chain made of wooden link but one of those links is made of steel. It would be pointless to remove the steel link and replace it with a titanium alloy link in order to "make the chain stronger."

Re:sure...

[Lachryma]

Give me any large prime, and I will factor it for you instantly!

Re:

[jvkjvk]

To do that you'd have to be repeating the number synchronously with me. Ok. I've chosen the prime. Now, go... :)

Who is they?

[Chuck Chunder]

Quantum encryption seems to fill a very particular niche (point to point communications) and doesn't seem to apply well to common encryption use cases (SSL , email encryption etc).

If public key encryption is broken, quantum encryption isn't going to be a good replacement for it for most things.

A billion photons...

[alexborges]

Are now running for their jobs.

Thanks bruce.

Re:A billion photons...

[The Moof]

No need to worry, I'll just observe them and put them out of their misery.

Re:

[Hoi Polloi]

Nah, you'll just make them collapse.

Re:

[account_deleted]

Comment removed based on user account deletion

ummmm

[EncryptedSoldier]

meow

What a pussy.

[Anonymous Coward]

What a pussy.

Re:

[florescent_beige]

Er...

"Bruce Schneier knows the state of Schroedinger's cat?"

Re:ummmm

[grcumb]

Er...

"Bruce Schneier knows the state of Schroedinger's cat?"

Actually, he remains ambivalent until someone asks him.

Hard to argue with the general point.

[fuzzyfuzzyfungus]

It is pretty hard to argue that point as long as the world of security is a mass of users who leave passwords on sticky notes under the keyboard(Ultimate Hiding Spot!), accounts whose passwords can be reset with a mother's maiden name, and banks less interested in customer security than WoW is.

My (admittedly layman's) understanding is that, barring dramatic advances in factorization algorithms, or extraordinary advances in the computers running them, classical asymmetric key cryptography is more than adequate(plus the convenient advantages of working over data links that aren't spiffy optical fiber).

Re:Hard to argue with the general point.

[Rogerborg]

Yes, I was thinking of putting a lock on my front door, but then I thought "Fuggit, I'll just forget to lock it sooner or later, so why waste the money?"

Re:Hard to argue with the general point.

[gnick]

I think your analogy is a little bit off. You've got a front door with a standard lock, a dead-bolt, two chains, and a huge rock sitting behind it for security. Now you're faced with a decision whether or not to upgrade your dead-bolt to a super-duper-heavy-duty-dead-bolt. But, since your wife leaves the garage door wide open 4 days a week and no amount of persuasion will convince her to stop, the decision not to upgrade seems like a no-brainer.

Re:

[darkvizier]

use rock on wife
> wife is dead
Lock door.
> you hear a grue scratching outside

Re:

[mweather]

Locking your door doesn't help unless you have unbreakable windows.

Re:

[HTH NE1]

Locking your door doesn't help unless you have unbreakable windows.

Unbreakable windows don't help unless you have car-resistant walls.

Re:

[colesw]

Car-resistant walls won't help unless you have a plane proof roof.

Re:Hard to argue with the general point.

[CrashPoint]

And what good is that plane-proof roof going to be when the Mole People come tunneling up through your foundation?

Re:

[Rogerborg]

And that is why we need Eddie Van Halen. [Air guitar]

Re:Hard to argue with the general point.

[bornwaysouth]

No problem. I live in a total concrete and steel, all-walls, roof and floor, bunker.
Made by a big International company - bin Laden Group, based in Jidda.
Works perfectly.

To communicate with you, I am thumping on the walls.

If you are listening, could you please cut a hole in the wall.
An upgrade is necessary - I need air.
 

Re:Hard to argue with the general point.

[CroDragn]

The problem is that in the next 10-20 years there will be a extrordinary advance in commercial computers. Quantum computers, which are fantastic at breaking present day encryption, have made some major advances in the lab recently, and it wouldn't surprise me to see them operating at the government/corporate level within 20 years or so. Once these are in place, normal security will be very weak and something such as quantum security schemes will be required for most applications. So yes, quantum security is useless now, but hopefully research into it will provide with a practial model about the same time quantum computers make it necessary.

Re:

[farrellj]

The problem is, no matter how good your security is, be it traditional or quantum, people are *always* the weakest link. It is always much easier to compromise a person than a machine. Talk to any of the great computer crackers and they will tell you that they got into more systems using "social engineering" than through their computer skills.

ttyl
          Farrell

Re:

[Neoprofin]

So why give anyone to tools to secure things if some moron is going to give away their password? Is that really an argument?

Re:

[farrellj]

Unfortunately, that is true. Which is why Bruce is saying that Quantum Crypto is kind of useless. It's neat, but really geeky, but doesn't make it any more secure.

ttyl
          Farrell

Re:

[geckipede]

As quantum encryption key trading is only currently used by large organisations, and seems likely to stay that way for a while, yes, that is the argument. I should perhaps say part of the argument. To state it differently, there is no likely situation at the moment for which the expense of quantum key exchanges couldn't be better used for increasing security elsewhere... because some moron is going to give away their password.

Re:

[Tofystedeth]

Are you sure about all that? The best quantum computers I recall hearing about could play tic-tac-toe maybe. In his article even Schneier says they've factored 15.

Re:

[lgw]

Quantum computers aren't magic. They let you solve one category of previously hard problems. The NSA has been advising against using such problems as the basis for new cyrptosystems for years (stop using products of primes). All common symetric cyphers are safe, and there are good asymetric cyphers to choose from.

Quantum cryptography has little do to with quantum computing, and at this point seems to be an answer looking for a question.

Re:

[mapsjanhere]

I don't know, I remember 20 years ago in grad school (damn I'm getting old) people were doing cutting edge research on non-linear optic materials, sure to be the next thing allowing truly optical computers. Worked nice in the lab, and I still haven't seen an optical transistor in any advanced computer I'd bought since. Quantum computing has to make the step from the lab to the usable machine before I start buying into it's amazing predicted powers.
Plus, their power is only predicted to be amazing against

Re:

[ceoyoyo]

That's a little optimistic. We're not even sure whether quantum computing, as generally evangelized, is even theoretically possible yet. It's one of the experiments that will help us select between several interpretations of quantum mechanics.

Re:Hard to argue with the general point.

[Tanktalus]

Which is worse: a password that you can remember, or changing passwords every 30/60/90 days to a new password such that you can never keep up, and thus need to write it down *somewhere*?

Sometimes, the very processes intended to make us more secure (by forcing a password change regularly) instead make the entire system less secure (because "I forgot my password" too many times and you'll end up out of a job, so better to write it down than to lose your job!).

Sorry, just griping about new policies at $work.

Re:

[fuzzyfuzzyfungus]

This is particularly bad, and rather ironic, in cases where local attacks are by far the most likely and dangerous. For web-facing logins, exposed to the hostile internet; but used by more or less secure endpoints, hideously complex passwords written on sticky notes are actually a decent idea(not as good as keys; but still). For local network only logins in an environment swarming with potentially malicious actors, simplistic passwords that don't get written down are far better(odds that middle school stude

Re:

[Neoprofin]

Agreed.

My old password was alphanumeric, long, and unrelated to my work, personal life, hobbies or anything else that would go in a brute force dictionary.

Now that I have to change my password every month along with a handful of other requirements my passwords are just a vertical row of keys, once with the shift key once without. Anyone who saw me type it once would know it instantly. Good thing we're more secure.

While I appreciate the spirit of the article...

[hajihill]

It has been and still is true that adept social engineering can break any security scheme, due to the vulnerability of the people involved. However, saying that it is pointless is about as valid as saying that the exploration of outer-space is pointless.

I don't think I need to explain that any further to this crowd.

Re:While I appreciate the spirit of the article...

[db32]

It is pointless. He is absolutely right and it isn't even remotely close to the space exploration issue. He didn't say the research was pointless, he said the practical application of the research is pointless. The crypto isn't the weak point, so making that point stronger is pointless.

You just spent a million dollars on your uber leet super crypto secure link to transmit your highly classified secret data to your home office. You also wrote the key down on a stickey note on the front of the device and left it posted on your monitor that faces a window. You might as well have used the cheapest encryption available because it isn't a math attack that is going to break it, its stupid user tricks.

Re:

[kestasjk]

Cathode ray tubes were pretty pointless too, the inventor said so himself..

Re:

[bugnuts]

In a very rare disagreement, I'm certain Bruce is wrong.

Either he is wrong, or he's arbitrarily drawing a cutoff line for strong crypto, where it has already reached the maximum strength it ever needs to be.

The reasoning of why he's wrong (at least from the summary) is thus:
At some point in the past, crypto could be cracked.
At some point in the past, communication could be tapped.

It's well-known that communication is tapped. Even closed systems are tapped, and have been since electronic and radio communica

Re:

[bugnuts]

If this is the holy grail of crypto that it's been described as, then it will never be the weakest link.

Bruce is saying that this technology is not significant in the overall security of things, due to many other weaker links that aren't using quantum key distribution. You can't hold this up as the holy grail, because its importance has already been dismissed in favor of bigger issues. Bruce is saying that these bigger issues occur even with our pre-quantum systems.

I'm saying that due to cost and infrastructure, this quantum system does have a use with those groups that have money and take security very ser

Re:

[ppanon]

Yeah, but do you really need quantum crypto? The strongest encryption method is a one-time pad. You've now got easy access to 8GB USB sticks that can hold one heck of a big one-time pad, or 8 slightly smaller 1 time pads. As an individual, who do you really need to communicate very securely with? Your bank? Maybe a few close friends for e-mail?

Create a new type of smart USB device that, given a passphrase, allows you to load up a one-time pad data stream associated with a keyword (say BoA123456789), Given a

Re:

[phantomcircuit]

The point of QuantumCrypto is to save our collective asses when Quantum computers capable of factoring very large numbers very quickly become a reality.

Until Quantum computers start to appear at your local NSA branch Quantum Crypto is pointless, but we should always be a step ahead shouldn't we?

Re:

[ppanon]

It would seem that USB one-time pads [slashdot.org] would be a lot easier to implement, not to mention portable and scalable in a way that quantum crypto is never likely to be.

Re:

[ppanon]

As far as I know, switching would probably break quantum entanglement. So rather than build some huge infrastructure of point-to-point links, why not use USB one-time pads [slashdot.org]instead? The portability of data storage makes that a possibility now.

Re:

[physicsphairy]

Your point is taken, but sometimes it is still significant to ensure that it is the stupid user trick that breaks your system.

Don't you think the CIA, for example, would like to be extra special certain whether the reason the Russians are breaking all their codes is because they have inserted operatives in high-places, or because they have broken large-prime algorithms?

There is also the problem that, yes, the user is the weakest link, but it is not uniformly so. Tricking one guy will get you one encryp

Re:

[devman]

You're missing the point. There are no keys to write down. If Alice wants to talk to Bob, then Alice will generate a random key and send it to Bob encoded as the quantum state of photons (There are several exchanges that go on here but for the sake of simplicity I'm not listing them). Due to quantum mechanics this exchange cannot be eavesdropped on. Once the key exchange is concluded Alice uses the key to encode her message as a One-time pad, and transmits the message via conventional means. The message can

Re:While I appreciate the spirit of the article...

[db32]

no you missed the point. I am well aware that no real crypto system even in use today uses "written down" keys. But there are emissions at both ends of unencryoted data. One time pad all you want, your encryption means squat if it is still easy for me to get at your data in unencrypted form. It is way easier to trojanize Bobs computer with promises of naked Alice pictures than to pull a man in the middle attack or code breaking. If I can compromise your data with so many other cheap methods why would I ever care how strong your crypto is? I'm not going to invest in expensive, difficult, and time consuming efforts. He'll I could probably buy off both Alice and Bob for less than the price of anything that could break modern crypto in a reasonable time.

Re:

[setagllib]

All quantum crypto does is make it impossible to eavesdrop without being detected. It does not secure the data itself. You still use symmetric ciphers to protect the data, and those are theoretically demolished by quantum computing too.

Basically if we ever get practical quantum computing, ANY "search for solution in large space" problem is deflated, and we may as well give up on crypto entirely.

Re:While I appreciate the spirit of the article...

[tyler.lee]

Social Engineering is definitely the weakest link! I can't remember where I found the article, but it was about a team of guys (tiger team) who STRICTLY used social engineering to obtain confidential information from companies. Including employee records with SSN's, with a 100% success rate. They have never walked out of a building without getting what they came in for...and this is all done from walking around inside the building.

Re:

[Yvanhoe]

Please do. From what I understand, quantum cryptography only prevents eavesdropping by taking a part of the signal. Nothing seems to forbid a man in the middle attack (take all the signal and reproduce it), or eavesdropping at a router location. Am I mis-leaded ?

Re:

[ShadowRangerRIT]

You're a bit off. It's possible if there is no shared initial secret, but each session can establish an initial secret for the next session, so you only need to exchange a single secret up front, and once it is used, your new secrets distribute themselves as part of your communications. Take a look at Quantum crypto attacks [wikipedia.org] for a more in-depth exploration.

Re:

[Yvanhoe]

And, precisely, how is this different from regular, eavesdropable optical communication ? If there is a shared secret at the beginning of any communication, you have a secure channel, even if there is a man in the middle.

Re:

[ShadowRangerRIT]

Because if you learn the shared secret (by brute force cracking), and log the communications, you can eventually crack the whole system, permanently.

With quantum key exchange, the shared secret isn't derivable from the key exchange (you use it to verify after connecting, under 100% unbreakable encryption, since it's effectively a one-time pad).

The difference is in forward protection of your data. With normal key exchange, someone can eventually work out the key through brute force or some other means. One

Re:

[bugnuts]

From what I understand, quantum cryptography only prevents eavesdropping by taking a part of the signal. Nothing seems to forbid a man in the middle attack (take all the signal and reproduce it), or eavesdropping at a router location. Am I mis-leaded ?

You're mis-leaded. Or misled, rather.

This is quantum key distribution, which uses entangled photons to send keys. It is not vulnerable to m-i-m attacks because a m-i-m cannot reproduce an entangled photon. Even observing it breaks it... so you can't even monitor communications.

Re:

[Yvanhoe]

Well... break it, observe it, emit the same. No ?

Re:

[HTH NE1]

It has been and still is true that adept social engineering can break any security scheme, due to the vulnerability of the people involved.

And unfortunately, if you take the people out of the loop, you're letting WOPR become Skynet.

Re:

[HTH NE1]

And unfortunately, if you take the people out of the loop, you're letting WOPR become Skynet.

Then again, "unfortunately" depends on yourwelcome datacompperspective.

I know what to do

[kcbanner]

Someone encrypt his hard drive with quantum encryption...see how pointless it is then!

Re:I know what to do

[KDR_11k]

This is Bruce Schneier we're talking about. Bruce Schneier can decrypt quantum encryption by giving it a stern look.

Learned from Chuck?

[teko_teko]

I didn't know Bruce Schneier is Chuck Noris' student.

Quantum computing breaks normal encryption?

[nategoose]

I think I remember reading that one of the hard to compute problems that quantum computing would make short work of was breaking standard cryptography. If I in fact did read that, and if it was true, then quantum cryptography might still have points.

Solving the wrong problem

[Checkered Daemon]

Encryption is easy. Authentication is hard. Quantum cryptography is a solution of the wrong problem.

So quantum auithentication...

[John Hasler]

...is obviously what we need. Get to work, Bruce.

Hmm. Sounds Familiar

[StickyWidget]

That's what they said about public key cryptography in the beginning too. And it defined an entire industry. ~Sticky

Re:

[Daffy Duck]

Enlighten us... who said public key cryptography was pointless in the beginning?

ObCasinoRoyale [imdb.com]

What Schneier is trying to say:

[paniq]

Quantum cryptography may appear like serious matter on close inspection, but when you look away, it's just a wave.

Re:

[exley]

Are you certain about that?

one less cause of defect

[Catil]

I think that having one less cause of defect during a transmisson by completly ruling out that data could either be unknowingly viewed, intercepted or altered by a middleman is a value not to be underestimated. It is certainly not pointless.
As far as I know, Switzerland already successfully tested it during last year's elections by transfering voting data from a few selected stations to the voting headquarters. Given all the problems with voting machines, that's a quite obvious area of application. However

Re:

[HTH NE1]

As far as I know, Switzerland already successfully tested it during last year's elections by transfering voting data from a few selected stations to the voting headquarters. Given all the problems with voting machines, that's a quite obvious area of application.

You can still transmit falsified data over a secure connection. In fact, it can be falsified at either end without breaking the security of the connection.

(Not that I'm suggesting there was any falsified data in Switzerland's elections.)

Re:

[Catil]

Of course, but not by a completely unrelated middle-man (later to be used as scape-goat if there is proof of manipulation. /tinfoil hat)
If security is otherwise strong and kept up, there would be a rather small list of suspects that had access to the voting machines and the data, all known by name, and at least one of them has to be involved.

Re:

[theLOUDroom]

And the QC transfer hardware is built into the voting machines.... or are there two boxes and a non-QC link?

QC throws a lot of money and time at a part of the system that really doesn't need the help.

Voting machines are a terrible application for cryptography in the first place.
How the hell do I, even with my degree in electrical engineering, montior what the hell is going on inside a voting machine?

Voting should be done with paper. It's simple and also very difficult to rig on a large scale.

E-vot

Who are the users?

[SirGarlon]

I have always thought of quantum cryptography more as something for CIA-to-Pentagon or Swiss-bank-to-Swiss-bank kinds of communication, not something for Aunt Tillie. I think the vulnerability of the system depends on who's using it.

Nope

[Joce640k]

CIA/Banks don't need public key cryptography (which is the only kind quantum computing could break, assuming they ever get it working).

If I was the CIA or a Swiss bank I'd be using 3DES - invented in the 70s and one of the most analyzed algorithms in all of history.

Like he says, the algorithm isn't the problem, it's the people who write choose crappy passwords. This is why the USA eventually dropped restrictions on crypto export - it's much easier to install a key logger or guess a password than to crack ev

Re:

[John Hasler]

If you were the CIA you'd be using AES as that is the US Government standard.

Re:

[Eberlin]

This is clearly not for Aunt Tillie, as you mentioned. Bob and Alice, on the other hand, may want to check their credit reports more frequently.

Not news

[dachshund]

Bruce has said this dozens of times before this, and he's right. Quantum Cryptography (or alternatively, Quantum Key Distribution) has no commercial application today, outside of (maybe) a few paranoid and high-security government applications. But the latter can hardly be much of a commercial application, since the existence of a large government market would send a strong signal that governments aren't confident in existing cryptographic algorithms. That would be a bad signal to send.

Furthermore, QKD networks have issues including side channel attacks, where the machinery for transmitting/receiving photons actually leaks information via EM emissions, measurable power consumption, or even sound. In fact, one of the big issues they've had in research networks is that historically the transmission machinery has been noisy as hell.

Sorry, Bruce, you're just plain simply WRONG...

[somethingwicked]

It is far from pointless.

Poor implementation of cryptography and who you trust with the keys being unreliable do not mean that making it stronger has no practical benefit.

*I* can control who I give the keys to. Just because most people/implementations do not does not mean there isn't a reason for better cryptography.

The problem is that cryptography is used for many things that either are not important enough to the person that has the keys for them to protect. If I have the keys, and the only keys to my s

Nope, he's right...

[Joce640k]

Even 3DES (or variations on it) is strong enough for all practical security problems.

AES was mainly developed because software DES is very inefficient, not because DES was broken*.

It's hard to see a practical benefit to developing new algorithms. Much better to devote the effort to analyzing the existing ones.

[*] Obviously plain 56-bit DES is quite weak these days but 3DES is still secure for the foreseeable future.

Re:

[devman]

It isn't a new algorithm, it's a secure method to share a secret. You use the photon states to establish a shared secret and then used that shared secret as the key for a one-time pad (which is unbreakable). No one can eavesdrop the key exchange because quantum mechanics prevents that, and no one can break the one-time pad used for transmission of the actual payload over conventional lines, because it is mathematically unbreakable.

Stake out

[statemachine]

Bruce,

Whose attack are we defending from here? And who's being attacked? When you say there's no commercial value and only a few technophiles will use it, do you also include well-funded adversaries and governments in the commercial category -- or are they the technophiles?

I'm sure we all can think of many applications where it's a lot easier to attempt interception than go after the endpoints which would be heavily guarded and/or have highly trained personnel who would die rather than divulge information.

O

It's ok to develop stuff for a small user base

[danimrich]

It is rather pointless to argue that there is no use for quantum cryptography because the current methods of distributing keys are strong enough for most users and the weakest link is usually somewhere else. If some companies, agencies, etc. decide to adopt an expensive quantum physics-based key distribution system, they will probably know quite well why they are putting money into it. You surely know that some IBM chap once said "There is a world market for about five computers." Fine. Nowadays, there is a world market for about five billion computers, but that's not the point. The point is that back then some companies were not reluctant to develop computers for that small market, and so are the folks who develop quantum key distribution systems today. Who knows, maybe it'll be commonplace technology in a few decades.

About the quantum network demo

[Vadim Makarov]

Schneier's article appears to be a reaction to the recent quantum network demo set up in the city of Vienna and surroundings. For those who missed it, here is some information.

I have been there, and can give my impresson. I think, this is a big milestone for quantum cryptography. This has been the most massive and convincing demonstration of the technology up to the date, nothing like any before. Yet, it seems to have received relatively little press attention.

The demonstration was a conclusion of an European project [secoqc.net] in which several tens of research groups collaborated. The main thing it produced are network protocols for a quantum cryptography network. Several months ago, the plan for this demo was four quantum cryptographic links. However, it was easy to plug any quantum crypto link into the network, so six research groups and one commercial company ended up bringing their systems to Vienna (the latter, idQuantique [idquantique.com], actually contributed three links to the network).

Out of these nine systems, seven performed flawlessly for several days, one worked for half an hour and then died (the secure key produced in the first half an hour was still used by the network; the failure was blamed on a software problem in that system), and one prototype did not quite survive the flight to Vienna (hard disk was trashed by baggage handlers). Given that most of the systems were research prototypes, the statistics actually looks good to me.

Since the network topology [secoqc.net] allowed for redundant paths between most of the nodes, the actual failure of one link and simulated failure of another did not prevent the network from operating. (The network topology on the picture as not quite complete: at the last moment, eighth link and one more node were added off the topmost node.) During the demo, there were shown securely encrypted video links between the nodes, and telephone calls. The video links were encrypted with AES with session keys provided by the network. The telephone calls were encrypted with one-time-pad provided by the network. Resiliency to failures was demonstrated: one link was broken on purpose (eavesdropping was simulated by inserting a polarizer, I think), and a key store in another was exhausted during one of the one-time-pad encrypted telephone calls. In both cases, the key distribution was automatically re-routed through other paths and nodes.

The network software implemented so far requires all nodes be trusted and secure. However, I know that algorithms are under development that would allow secure key distribution in a bigger network where up to a certain percentage of nodes might have been compromised.

The demo was on the first day of the meeting. The other two days were just a very good research conference, with no press attending. (I apologize if I got some details above not fully correct.)

Regarding Schenier's position, I respect it but it might be too short-sighted and grounded. And pessimistic. Remember the famous sayings how many computers the world has maybe a market for (five), 640 kB should be enough for everybody, and so on. Classical cryptography has a nasty property to be retroactively crackable. One can record the encrypted classical communication now, wait until it is broken, decipher. Puff, your old secret is suddenly public. For some types of secrets, this is just not an option. Also, Schenier conveniently misses the fact that one can use one-time-pad with quantum key, the combination IS unbreakable, and quantum key distribution speeds steadily improve.

A final remark, there appear to be three commercial companies actually selling quantum key distribution equipment:

• id Quantique [idquantique.com] (Switserland)
• MagiQ Technologies [magiqtech.com] (USA)
• SmartQuantu [smartquantum.com]

The point of pointless research

[jandersen]

...is actually pointless (that is, of no commercial value)...

It's an interesting definition of "pointless" he's got there; symptomatic of the ultra-capitalistic mindset that has just been demonstrated to be far from optimal by the current financial crisis. Look at it this way: He is saying that the only thing that matters in the world is whether you can make a profit. This is the ideological basis for such things a the lack of regulations that have brought us the crisis; it is also the reason why making a fast profit has been giving priority over long-term financial stability in so many companies, banks not least.

Apart from that - basic research is not pointless, even if there are no short-term profits to be made. Basic research is necessary because we are not able to tell what we are going to need to know in the future - take the early research into quantum mechanics. It was basic research, utterly pointless according to this definition, but we wouldn't have semiconductors today, and thus no PCs nor the endless numbers of electronic gadgets we have now, were it not for that "pointless" research.

It really is time to stop dreaming about "the market" as something magical that will sort everything out for us without requiring us to think and take responsibility.

Re:Quantum Key Exchange not Quantum Computing

[SpicyLemon]

That's what I was thinking as I read a bunch of these posts. The only thing quantum computing and quantum encryption have in common is the word "quantum."

Quantum computers use the superposition of states to form qubits used to do computations using multiple numbers at the same time.

Quantum encrypting uses polarization of light and different alignments of filters to communicate a shared key used to encrypt data. If someone's listening in, they will disturb the polarization causing red flags to go up during the communication of the key. That tells you it's not safe to transmit the message. Furthermore, even if you did, it would just be garbled anyway.

The downside to quantum encryption is that you have to have an uninterrupted fiber optic line from one point to the other. If, at any point, that line has to go through a switch of some sort, you now have a weak point in the encryption where someone can be listening in without you knowing.

It's probably important, too, to point out that we have both quantum computers and quantum encryption. However, the current quantum computers don't have nearly enough qubits to be a threat to public key encryption and the single fiber optic line constraint of quantum encryption is holding it back.

Until quantum computers have thousands of qubits and are easily obtainable, we don't have much to worry about anyway.

Re:

[mapsjanhere]

Don't you think that the optical fiber you're dragging behind the sub will be a dead giveaway?

Re:

[John Hasler]

But of course that's what they'd want you to think, isn't it?

Re:

[definate]

Shut your mouth!

I think you need to read some facts about Bruce Schneier!

http://geekz.co.uk/schneierfacts/ [geekz.co.uk]