Does Quantum Cryptography Need a Reboot?

"Despite decades of research, there's no viable roadmap for how to scale quantum cryptography to secure real-world data and communications for the masses," according to IEEE Spectrum.

Wave723 shares their report: A handful of companies now operate or pay for access to networks secured using quantum cryptography in the United States, China, Austria, and Japan. According to a recent industry report, six startups plus Toshiba are leading efforts to provide quantum cryptography to governments, large companies (including banks and financial institutions), and small to medium enterprises. But these early customers may never provide enough demand for these services to scale...

From a practical standpoint, then, it doesn't appear that quantum cryptography will be anything more than a physically elaborate and costly -- and, for many applications, largely ignorable -- method of securely delivering cryptographic keys anytime soon. This is in part because traditional cryptography, relying as it does on existing computer networks and hardware, costs very little to implement. Whereas quantum crypto requires an entirely new infrastructure of delicate single-photon detectors and sources, and dedicated fiber optic lines. So its high price tag must be offset by a proven security benefit it could somehow deliver -- a benefit that has remained theoretical at best.
Though it was supposed to replace mathematical cryptography, "Math may get the last laugh," the article explains. "An emerging subfield of mathematics with the somewhat misleading name 'post-quantum cryptography' now appears better situated to deliver robust and broadly scalable cryptosystems that could withstand attacks from quantum computers." They quote the security engineer at a New York cybersecurity firm who says quantum cryptography "seems like a solution to a problem that we don't really have."

The article ends by suggesting that research may ultimately be applicable to quantum computers -- which could then be used to defeat math-based cryptography. But riffing on the article's title, sjames (Slashdot reader #1,099) quips that instead of giving quantum cryptography a reboot, maybe it just needs the boot.

Price too high?

[Lije Baley]

But security folk tell us you can't put a price on security!

Nope.

[Gravis Zero]

Price too high? But security folk tell us you can't put a price on security!

The military understands this to be true which is exactly why they are the ones funding the research and development of these and other technologies.

TinySSH

[emil]

TinySSH recently implemented sntrup4591761x25519-sha512 [tinyssh.org], which has been rolled into OpenSSH v8 as an experimental feature.

This, in addition to DJB's chacha20-poly1305, could well be all we need. I'd be very hesitant to pay for (what would likely be) inferior algorithms.

Re: Thank god AC got banned

[Way Smarter Than You]

That was such a brilliant move. It has obviously increased the quality of posts without reducing the total number of quality posts and got rid of the Nazis paste spam and other trash. That too all of what, 2 days? I give it another 48 hours before APK, the Jew haters, and the rest of the trash create throw away accounts and we're right back where we started yet without the ability to block people because that would be tech from circa 2003.

Re:

[Cipheron]

Nah it is effective. Think about the time required to make an email address, make a slashdot account, then have to verify that on email before you get to do ONE spam post, then your account gets deleted. If they use the account for more than one post, that only makes it that much easier for the mods to delete all their posts.

Meanwhile, i skimmed that post for under 1 second then modded it down since I have mod points. Trolls *lose* the game when they must expend more time and effort to post one piece of spa

Re:

[niftydude]

Nah it is effective. Think about the time required to make an email address, make a slashdot account, then have to verify that on email before you get to do ONE spam post, then your account gets deleted. If they use the account for more than one post, that only makes it that much easier for the mods to delete all their posts.

Please. This is a site for nerds. If you don't know how to automate what you described so that it takes only a few ms of human's time to create accounts, then you probably shouldn't be posting here. It was probably only effective for a couple of days because they were optimizing their scripts.

Re:

[MightyMartian]

But then the mod system will work as it should. Those accounts start with no karma and then get modded into negative karma.

Re:

[arglebargle_xiv]

QC has always been a novelty gimmick whose main use has been to separate suckers with too much money from some of it. QKD is nothing more than ultra-expensive, very-limited-range Diffie-Hellman, circa 1976.

So asking whether QC needs a reboot is like asking whether pet rocks or hula hoops need a reboot. They've pretty much reached all of the market they're ever going to reach, there's nothing to reboot.

Re:

[sexconker]

Correct.

"Quantum" cryptography is basically bullshit. If you have the resources to establish and secure the quantum key portion of your crypto scheme, then you have the resources to do ACTUAL secure key exchange and skip all the bullshit.

Re:

[Luckyo]

Not a single coherent security professional will tell you that. Anyone who puts no price on security is not an expert on security.

This is universal across all security domains, from direct "kinetic" to IT. The natural ceiling to the security cost equals the value of the target being attacked.

Re:Price too high?

[gweihir]

Security is risk management. It is about identifying, quantifying and then managing the risk. Managing a risk usually means reducing it, accepting it (possibly after reduction) or transferring it (e.g. by using insurance, also possibly after reduction, the risk is then accepted by "somebody else"). The criteria for accepting a risk are always a cost-benefit analysis in competent risk management.

The natural ceiling to the security cost equals the value of the target being attacked.

Not really. The natural ceiling is the most damage than can happen, which may not be limited to the target. You very rarely go that high though.

Re:

[Luckyo]

The only disagreement you pulled out there is really contorted. You just redefined size of the "target" to the tune "I'm going to say that they targeted just that small part of the ship illuminated by laser designator, and not the entire ship. And now I'm going to state the obvious, that they were targeting the entire ship, much of which will be the collateral damage to actual impact damage of the laser guided missile".

Re:

[gweihir]

But security folk tell us you can't put a price on security!

No competent security person does that. Some marketing people may though. IT security novices often make the noob mistake of requiring "absolute security", but the very idea does not even make sense.

Author is confusing 3 concepts

[FeelGood314]

Concept one - There is something called quantum key exchange. It's a way that I can send a key to someone secured only using the laws of quantum mechanics. It's is mostly useless today and is really a solution looking for a problem. We can actually exchange keys in better ways already.
Concept 2 - A quantum computer could solve most of the hard problems we use for key exchange and for signatures. Whether one can actually be built is debatable.
Concept 3 - Post quantum cryptography - this is the idea of using different math problems to do key exchange and things like signatures. Math problems that a quantum computer can't solve. We already have methods for doing signatures that are based entirely on hashing functions but ideally we would like to find problems that would allow us to use the same types of protocols we have today.

Re:

[CaptainDork]

I agree.

The key exchange can detect a meddler as well. Screwing with a quantum bit in transit makes it change some of its properties and the receiving end will be at a loss.

Building a QC is all cryogenics and duct tape right now. Extending that work to a practical device is decades away, at least.

SHOULD a QC of many qubits be built, the first thing it would do is kill off current crypto all over the planet. Crypto is the firewall that protects digital assets and a QC would break that with ease.

In theory.

Aga

Re:

[WaffleMonster]

The key exchange can detect a meddler as well.

No it can't.

Screwing with a quantum bit in transit makes it change some of its properties and the receiving end will be at a loss.

If it turns out you are exchanging keys with the wrong party inability for someone else to "meddle" and or "eavesdrop" is moot.

QC is nothing more than a unique way of enhancing existing trust relationships. Without guarding secrets and using classical encryption to authenticate peers QC is no more able to prevent a MITM attack than Anon DH.

Re:

[CaptainDork]

Wrong.

QC depends on "measurement" and the only measurements that matter are the source and destination.

If we intercept a quibit, it is transformed in some way because we are making an "interim" measurement.

That's what makes quantum crypto immune to "wiretapping." There is no such thing as "passive" measuring.

Re:

[CrypticSteel]

Would that not be possible to MITM? Capture the whole key coming one way, generate a new one and send on down the line. Do the same in the other direction. Neither party would know they are communicating via a proxy. This seems so obvious I assume I am wrong, but why?

Re:

[sjames]

There's no confusion. Elements of the industry have been touting concept 1, quantum key exchange for years based primarily on FUD that concept 2, quantum computing might render all other forms of key exchange completely insecure.

However, concept 2 is really much further away than the breathless reports might have us believe IF, indeed, it ever works for more than trivial problems (that can actually be solved faster using conventional computers so far).

Further, even IF concept 2 (quantum computing) can ever

Re:Author is confusing 3 concepts

[swillden]

The confusion is in the claim that the name "post-quantum cryptography" is misleading. The author confused the use of "quantum" in that phrase with the word in "quantum cryptography" when in fact it's from the word in "quantum computing". That confusion does make the name odd and misleading, but if you understand the referent, it makes perfect sense.

Re:

[sjames]

I saw that confusion as well, but it was just a minor confusion over how the nomenclature came about that doesn't affect the reasoning or conclusions in any way.

Re:

[Mononymous]

Time to update your sig. There are no ACs anymore.

Re:

[WaffleMonster]

Concept one - There is something called quantum key exchange. It's a way that I can send a key to someone secured only using the laws of quantum mechanics.

1. You can't send someone a key you can only agree upon one.

2. It is impossible to accomplish any such thing "securely" using "only laws of quantum mechanics". This is because there is no way to identify which "someone" you are agreeing upon a key with. Classical sources of trust, cryptography and communications are REQUIRED to facilitate that process.

Quantum mechanics ...

[CaptainDork]

... is no where near ready for this.

Here's the evidence:

A usable quantum computer (QC) would be able to break current cryptography quite easily and yet fintech, and others, is not changing alogos.

The first money is on breaking crypto. That's not gonna happen for a long time because QC is too difficult.

It's also true that, in theory, QC can create crypto that cannot be broken, but again, it's way too early.

Quantum particles "jiggle," and taming them is like herding cats. Particularly challenging is controlling a bunch of quantum bits (qubits).

Go take a look at the research labs online and see what they are working with. The primitive computers have few qubits and a shit load of cryogenics.

They are huge and klunky and experiments with them are frustrating. Like any startup technology, QC requires a lot of testing, false starts, rethinking, and experimental maturity.

We are not close.

Think of a very, very bad case of blockchain implementation. It's all buzz and no bee.

Re:

[burtosis]

We are not close

Well, like the summary says we just need a roadmap, you know, like a list of places to visit but you want to know the shortest path to achieving all the goals. I'm pretty sure this is exactly the type of problem that's easier to solve with a quantum computer.

That's not correct

[Gaglia]

Sorry, but your claim is quite bold [wikipedia.org].

The first money is on breaking crypto. That's not gonna happen for a long time because QC is too difficult.

This is not correct. The civilian applications of a QC would be far more remunerative (think of drug discovery, logistics optimization, new chemical reactions, real-time financial risk compensation, etc). Furthermore, many of these applications require way less qubits, and way less entanglement, than Shor's algorithm (necessary to break RSA). So, arguably it is not really cryptography that is pushing the investment in quantum computing (although "breaking crypto" is the h

Re:

[gweihir]

There is no actual evidence QCs will ever scale to any useful size. My pocket calculator could factor 64 bit numbers 30 years ago. Wake me up when QCs get there and not by faking it, but by really doing the full core calculations on a QC and also chaining them on that QC. My guess is that we may not even get to this level. Scaling will be killed by noise before that. Factoring 2048 bit RSA keys is so far out of reach, it is utterly ridiculous. And that is after 40 years or so of research into QC hardware.

Fo

Re:

[Gaglia]

There is no actual evidence QCs will ever scale to any useful size.

There is also no evidence of the contrary, this is what research is for.

My pocket calculator could factor 64 bit numbers 30 years ago.

Let me repeat it: factoring integers is not going to be the first nor main use of a quantum computer.

My guess is that we may not even get to this level. Scaling will be killed by noise before that.

Sorry, but may I ask you what your qualifications are, and how did you reach these conclusions? I am in no way omniscent, but I would be happy to learn if there is some useful information that I am missing.

Just as a reference: I have talked to one of IBM's lead researchers in the quantum computing area just three days ago. He would not s

Re:

[CaptainDork]

Sorry, but may I ask you what your qualifications are ...

I know what his qualifications are. He's a fundamentalist like me.

His qualifications are clearly evident in his answer.

This is my wheelhouse and I agree totally with him.

I know your qualifications as well.

I know them just like you can tell the difference between a programmer and a script kiddie.

Google "image quantum computer." The photo alone will give you the heebie jebiees.

Re:

[gweihir]

Sorry, but may I ask you what your qualifications are ...

I know what his qualifications are. He's a fundamentalist like me.

I would not say that. But I have followed this research for 30 years now and I see the progress or rather lack thereof. What happened about 30 years ago was that a PhD researcher in the area explained to me that he did it for the mathematics and that his belief was that this may not scale enough in reality. He also said that this was pretty much the consensus back then behind closed doors when nobody responsible for funding was present. Now, that did intrigue me: Something that has a basic computing element

Re:

[Gaglia]

OK that settles it, I cannot really argue with you guys. Plus, your IDs summed up together are lower than mine, so I guess I should get off your lawn :)

Re:

[gweihir]

Sorry about that. But when you follow certain developments over a long time, eventually a pattern becomes obvious.

Re:

[gweihir]

Sorry, but may I ask you what your qualifications are, and how did you reach these conclusions?

I have followed the research and the hardware evolution for about 30 years. And I do understand scalability. Your IBM guy primarily wants his funding not to dry up, so he will not give you his actual estimates.

Re:

[AmiMoJo]

None of which is relevant to quantum crypto. With quantum crypto all you are doing is distributing the keys via a link that can detect eavesdropping. Rather than, or in addition to, public key crypto you use QC to distribute your key over an expensive low bandwidth link, and then communicate with ordinary symmetric crypto over a cheaper, faster link.

The only real advantage is perfect forward secrecy. With public key crypto it's possible that in the future someone will find a way to recover the private key a

Re:

[gweihir]

The only real advantage is perfect forward secrecy.

Well, true. You get the same with a one-time key-list that was sent by postal mail or handed over personally or not intercepted on the wire as well. And without all the massive disadvantages and costs quantum key exchange (no crypto in there) has. The whole idea is stupid from a practical point of view.

There are also cryptographic protocols that pretty much give you perfect forward security as well, with reasonable assumptions.

Re:

[CaptainDork]

The only real advantage is perfect forward secrecy.

This has nothing to do with your post.

A QC is not going to be able to peer inside an envelope. Some sunflowers are not married.

The point is that QC crypto is immune to middleman peeks because that observation changes the original. For anyone who observes a transit QC crypto, THEY receive the final answer, which will be useless, and the expected recipient will get garbage.

Perfect forward secrecy is precisely the secret sauce of QC crypto.

Re:

[gweihir]

The point is that QC crypto is immune to middleman peeks because that observation changes the original.

In theory, yes. And with that you get forward secrecy a lot easier than with methods that allow recording of the key exchange. In practice, as far as I am aware, all implementations available to researchers have been broken.

The second practical problem is that this communication cannot really be routed or only with serious problems. Since the quantum channel is only used for the key exchange, it may just be cheaper and pretty much as secure to do things another way.

Re:

[gweihir]

Pretty much this. We may well be in "practically impossible" territory here. And when you take into account that QCs are noisy analog computers, this pretty much becomes obvious. Analog measurements are limited to something like 32 bit of resolution. You can get higher with extraordinary effort, but not that much higher. All current QC implementations are well below this level, after half a century of research. How anybody can seriously believe something like 2048 bit RSA is threatened by this is beyond me.

Re:

[CaptainDork]

I agree.

How anybody can seriously believe ...

I run into this all the time.

For those of us who invest the time reading and understanding both the theory and the state of the art, the convo structure is: "The student asks the questions and the teacher answers those questions."

I don't reward random statements not ever presented in class or a book on the subject.

We're not smarter than anyone else, but we are more experienced because we have invested the time (and it's not easy) to understand.

Reboot

[techdolphin]

I don't know if quantum cryptography needs a reboot, but I do know my computer will need one shortly.

RSA and a Quantum computer

[FeelGood314]

A quantum computer can find the period of a function. Consider RSA with n = 15. The numbers co-prime to 15, (1, 2, 4, 7, 8. 11. 13 14), form a multiplicative group modulo 15 (if you multiply any two of them together and take the remainder when dividing by 15 you get another member of the group). Also if I multiply any number in that group by itself a certain number of times I get that number back again. The number of times is the number of elements in the group plus 1. In this case my magic number is 9 because there are 8 elements of the group. So any number raised to the power of 3 and then raised again to the power of 3 would give the original number back again. Here my secret key would be 3 and my public key would be 3 also (OK - it isn't exciting with small numbers). So if you wanted to send me 7, you send 7^3 (mod 15) = 13. I then calculate 13^3 (mod 15) = 7. Now RSA is secure because I can give you really big n = p*q and the number of numbers in our multiplicative group is actually (p-1)*(q-1). Except if you don't know p and q then finding p and q and hence (p-1)*(q-1) is really really hard . A quantum computer though could find (p-1)*(q-1) directly since it is the period of the function f(n) = 2^n.

Re:

[gweihir]

That is the theory. The practice is that scalability is, at best, uncertain. First, even tiny unknown effects would limit these calculations dramatically in the bit-lengths that can be reached. Physical measurements we can do today are limited to something like 32-64 bit of precision (depending on what is measured) and effects that are smaller would not even have been noticed so far. That would really mess with a 2048 bit RSA calculation. And second, from the progression so far, it seems that QC sizes scale

Yep

[dohzer]

Oh yeah, I'm sure the powers that be will allow us to have quantum cryptography. Uh huh.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[swillden]

If you look at the Hype cycle for 'AI' there are now signs that it is finally starting to come down from the "peak of inflated expectations". Which is a good thing. Maybe we will be able to talk about software again without people shouting "use AI" all the time.

Only because people will actually be using it, rather than shouting about using it. There are whole classes of problems for which AI (meaning deep neural networks) is now the go-to solution and no one even tries manually-programmed solutions. That's not going to change, except that the space of problems we apply AI to is going to gradually increase, and more and more of our devices are going to come with purpose-built NN hardware.

QC on the other hand has just started climbing the peak curve. So just like with 'AI', get ready for 'QC' being applied fast and loose for things not even remotely relevant to the subject just to generate PR.

What are you referring to with "QC"? Quantum computing, or quantum cryptogra

Misleading

[Gaglia]

As many similar articles, there is a confusion (both in concepts and terminology) between quantum cryptography, quantum key distribution (QKD) and post-quantum cryptography. It is not the submitter's fault, but I wish this confusion vanished in the popular literature, it is not so difficult to grasp after all, and makes the work of us scientists much more difficult in explaining our results.

Let me recap it for you:

Quantum Computing (QC) is the computing technology being researched right now. A few misconcep

Re:

[gweihir]

They did? Excellent. I have stopped reading the AC stuff quite a while ago anyways.

I'm a Luddite

[vbdasc]

Personally, I want the quantum cryptography (and the entire quantum computing with it) to fail miserably. As a person, decently educated in mathematics and classical physics, I have an explanation for every process that goes in the computer which sits before me right now, and I feel that I can explain all that to a child, layer by layer, down to the guts. But quantum computing remains an abracadabra to me, or if you prefer, black magic, with its superpositions, Heisenberg principles, qubits and whatnot. If

Re:

[gweihir]

Just look at the scaling. 20 years ago or so, they could factorize 12. Now they can "factorize" 16 bit numbers, but only if they do not do the full computation on a QC, just the individual steps. That implies worse than linear scaling over time, may well be something like inverse exponential. And that means, even if the physics really scales (not tested enough yet, and tiny new effects scan sabotage the thing easily), these things will never get to useful sizes.

No Need

[EuropeanConsultant]

AES256_attacked_by_quantum_computer is as strong as AES128_attacked_without_quantum_computer. So ? AES256 is more than good enough for all commercial purposes. Don't use the asymmetric stuff - it will only create new problems for you. Mail the key with a closed envelope or use a courier. Secure enough for 99% of use cases.

Re:

[gweihir]

"Don't use the asymmetric stuff"? Seriously? Do you have any actual clue how encryption works in the real world? Obviously not.

Why is it that on any story about encryption, all those without a real clue feel entitled to push their disconnected views on everybody?

It needs to die

[gweihir]

The whole idea is stupid and completely worthless. For actual data transfer, you go to real encryption anyways and hence you can do the same for key-exchange.

Does quantum crypto need a reboot?

[hey!]

Yes and no.