Tuesday, May 27, 2008

A comment on so called "quantum cryptography"

I've been reading a lot about cryptography lately, and naturally came across many "quantum cryptography" related discussions. Both proponents and opponents miss something really obvious: "quantum cryptography" is a kind of *physical security*, not really a kind of cryptography.
Let's simply compare quantum cryptography (QC) hardware, and the maintenance of said hardware, with one time pads (OTP) that you buy from someone. You can see that all the risks of one time pads apply to quantum cryptography. The attacker can copy the pads, you say?* The attacker can modify the quantum hardware on its way to you just as well. The modifications range from smart changes, like removing the filters and other protection so that the attacker can send pulses along the cable and deduce the state from the reflection, to the trivial replacement of the firmware with one that doesn't care about quantum stuff at all and just uses some stream cipher with a key the attacker knows. Bad crypto looks exactly like good crypto.
(*Which requires opening the hard drive in a cleanroom if it's a single-read hard drive.)

In both cases security boils down to physical security and trust in a potentially malicious third party. Physical objects have to be physically produced and delivered (QC hardware, or those hard disks with one time pads), and you need to physically protect them from the attacker (there are really a lot of ways QC hardware could be modified to make it insecure). In both cases you need to trust the manufacturer that it isn't complete snake oil. In both cases you rely on armored truck delivery.
With quantum cryptography there are far more extra risks, though. Man in the middle, for instance. Or flawed implementations. Working with single photons is hard, so naturally you can expect that almost all working solutions use many-photon pulses that can be trivially eavesdropped on. Keep in mind that the crypto hardware manufacturer is not just some neutral third party. It's a company which would at any time choose cheap fake stuff over the real thing if it can get away with it. So far, crypto hardware manufacturers can get away with anything.

The crucial difference: quantum crypto is thousands of times more expensive to deploy and maintain than one time pads.

Quantum cryptography is indeed just fiction for now. It does not solve any existing real problem, and it cannot improve security compared to normal one time pads. It is a really interesting academic topic, but not a solution to any existing problem.

Standard, mathematical cryptography, with (for example) Diffie-Hellman key exchange, public/private keys, and things like that, is far more secure than either QC or OTP. Source code is not a black box with high precision optics (or snake oil) inside; it can be reviewed. You can even do the key exchange entirely "by hand" using email and Mathematica or a similar package, if you don't trust cryptographic libraries. You can use really bigass exponent sizes if you worry about new methods.
(And if one is worried that the general math functions in Mathematica have backdoors, well, better to put on a tinfoil hat, disconnect from the internet, and build a computer starting from sand, with your own software.)
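To make the "key exchange by hand" concrete, here is the Diffie-Hellman exchange written out as an added example; it is not code from the original post. It only needs modular exponentiation, which is what Mathematica or any big-integer package gives you, so everything both sides would send over email is shown explicitly. The group parameters are constructed toy values (the textbook p = 23, g = 5, and a Mersenne prime for the larger run); a real deployment would use a standardized group such as those in RFC 3526 or RFC 7919, and the function names are this example's own.

```python
import secrets

# Constructed toy group: the classic textbook parameters. Far too small for
# real use; they only make the numbers readable.
TOY_P, TOY_G = 23, 5

# Constructed larger group: p = 2^127 - 1 is prime (a Mersenne prime), but it
# is NOT a standardized safe-prime group. Use RFC 3526 / RFC 7919 groups in
# practice; the prime is only here so the exchange runs with realistic-looking
# big integers.
DEMO_P, DEMO_G = (1 << 127) - 1, 3


def dh_public(private_exponent: int, g: int, p: int) -> int:
    """What each party publishes: g^x mod p. This value may be sent in the clear."""
    return pow(g, private_exponent, p)


def validate_public_value(peer_public: int, p: int) -> bool:
    """Reject degenerate public values before using them.

    A peer value of 0, 1 or p-1 forces the shared secret into a tiny set
    regardless of our private exponent, so any sane receiver refuses them.
    """
    return 2 <= peer_public <= p - 2


def dh_shared(peer_public: int, private_exponent: int, p: int) -> int:
    """The shared secret: (g^y)^x mod p, computed with our own private exponent."""
    if not validate_public_value(peer_public, p):
        raise ValueError("peer public value is degenerate (0, 1 or p-1)")
    return pow(peer_public, private_exponent, p)


def run_exchange(a: int, b: int, g: int = TOY_G, p: int = TOY_P):
    """Run a full exchange between two parties with private exponents a and b.

    Returns (A, B, secret_alice, secret_bob): the two public values that would
    travel by email and the secret each side derives. Both secrets are equal
    because (g^b)^a == (g^a)^b mod p.
    """
    A = dh_public(a, g, p)   # Alice emails A to Bob
    B = dh_public(b, g, p)   # Bob emails B to Alice
    secret_alice = dh_shared(B, a, p)
    secret_bob = dh_shared(A, b, p)
    return A, B, secret_alice, secret_bob


def random_exponent(p: int) -> int:
    """A private exponent in [2, p-2] from the OS CSPRNG, not from random.random()."""
    return 2 + secrets.randbelow(p - 3)


if __name__ == "__main__":
    # Textbook run with readable numbers.
    A, B, s_a, s_b = run_exchange(a=6, b=15)
    print(f"toy group: A={A}, B={B}, Alice's secret={s_a}, Bob's secret={s_b}")

    # Same protocol with the 127-bit constructed prime and random exponents.
    a, b = random_exponent(DEMO_P), random_exponent(DEMO_P)
    A, B, s_a, s_b = run_exchange(a, b, DEMO_G, DEMO_P)
    print(f"demo group: secrets match = {s_a == s_b}")
```

The public values A and B can be exchanged over any channel the attacker can read, which is the point the post makes against shipping hardware or pads. Note what this does not give you: the exchange above is unauthenticated, so both parties still have to verify that the public value they received really came from the other side (for example by comparing it over a second channel), otherwise the man-in-the-middle problem raised earlier applies here too.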
