Saturday, October 20, 2018

Post Quantum-Cryptography is the Off-Ramp on the On-Road to the Quantum Internet

In 1977, Rivest, Shamir, and Adleman proposed the first Public Key Encryption system, which now secures all of our financial data and much of our government data. 

The security rested on one premise, "We don't think computers can quickly factor large numbers." While the jury is still out on whether classical computers can quickly factor large numbers, we now know that quantum computers can quickly factor large numbers. 

I was at a meeting on quantum technologies on July 5th, 2018, in Munich. There, a chief scientist from Intel informed us that their conservative estimate for a universal quantum computer was 10 years. I asked, "Ten years or more?" She replied, "Ten years or less." 

Today the USA is ahead in the development of quantum computers. That lead will not last long. 

In part, due to that evanescent lead, the Chinese have decided to move to a quantum-cryptography-based system, which is immune to attacks by even a quantum computer. And they have invested $30B to develop a quantum computer of their own. 

In the meantime, the US response to this threat is not to invest in a provably secure quantum cryptosystem, but rather to move to a "new" public-key cryptosystem, post quantum-cryptography, which they hope—but cannot prove!—is immune to an attack by even a quantum computer. 

This is the US National Security Agency position on the matter, and their protocols are being tested, quantified, and standardized by the US National Institute of Science and Technology—ready soon to be rolled out.  

This is a fool's errand. 

This US approach to the threat posed by quantum computers is simplistic, nearsighted, and dangerous. 

Quantum key distribution uses an unbreakable one-time pad. This scheme is used by the US diplomatic corps, the CIA, and for the nuclear launch codes. Currently, the launch codes are distributed to the missile silos on 3.5" floppies driven around by a guy in a truck. Surely we can do better than that? 

And why are diplomatic communications, intelligence communications, and the nuclear launch codes secured with one-time pads? It is because the users of these systems do not trust public key encryption, since it is not provably secure. Moving to a different un-provably secure public-key encryption system does not change this reality. 

The move to embrace post quantum-cryptography is a move away from developing a quantum internet, for which no such public key is needed. The quantum internet is automatically secured by quantum cryptography. 

To quote myself, "The future of the quantum Internet is in photons and the short circuiting of the development of optical quantum information processors in the United States means that the future quantum Internet will have 'Made in China' stamped all over it." — Schrödinger's Killer App (2013). 

The future of the quantum internet is certainly not post quantum-cryptography. 

We have a completely unbreakable quantum key distribution protocol — why the hell don't we use it!?

Post quantum-cryptography is a small band-aid on an arterial wound. 


  1. Not true that QKD "uses an unbreakable one-time pad". First off, QKD *creates* rather than *uses* keys, and what it's really doing is creating shared, secret strings of (classical) bits. What you _do_ with those bits is up to you. If you want to use them to key a crypto session, go ahead.
    ...but that might be either a symmetric crypto session, or it might be a session you're protecting via one-time pad. Want to do OTP? You're going to need megabits or gigabits per second of generated keys, preferably between any two points on the globe. Straight QKD is out of the question; repeaters are a decade or two away from even low-bandwidth global networks, let alone those kinds of data rates.
    ...yes, I agree with you that this means we should be funding Quantum Internet research. I don't agree that post-quantum crypto is a priori useless.
    ...oh, and re: floppies, did you see this?
    btw, the IETF is working to standardize an extension to IPsec that will support out-of-band key generation, including via QKD. We proposed something similar several years ago, but hit opposition at the time. That opposition has now faded.
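The distinction the comment above draws, QKD as a generator of shared secret bits versus the one-time pad as a consumer of them at the full data rate, as an added illustration that is not from the post or its commenters: a classical simulation of BB84 sifting, the 25% error signature an intercept-resend eavesdropper leaves, and the key budget a one-time pad burns compared with keying a symmetric session. The function names, the 4000-qubit run and the sample message are constructed for this example.

```python
import random

# Added example (not the post's own code): classical BB84 simulation.
# Basis 0 = rectilinear, basis 1 = diagonal; a measurement in the wrong
# basis yields a uniformly random bit, which is all the model needs.

def bb84_sift(n_qubits, seed=1, eavesdrop=False):
    """Return the sifted key as a list of (alice_bit, bob_bit) pairs."""
    rng = random.Random(seed)
    sifted = []
    for _ in range(n_qubits):
        bit, a_basis, b_basis = rng.getrandbits(1), rng.getrandbits(1), rng.getrandbits(1)
        sent_bit, sent_basis = bit, a_basis
        if eavesdrop:
            # Intercept-resend: Eve measures in a random basis and re-sends what
            # she saw. A wrong basis guess randomises the bit Bob later reads.
            e_basis = rng.getrandbits(1)
            sent_bit = bit if e_basis == a_basis else rng.getrandbits(1)
            sent_basis = e_basis
        bob_bit = sent_bit if b_basis == sent_basis else rng.getrandbits(1)
        if a_basis == b_basis:          # bases are compared over a public channel
            sifted.append((bit, bob_bit))
    return sifted

def qber(sifted):
    """Error rate on the sifted key; in practice estimated from a sacrificed sample."""
    return sum(a != b for a, b in sifted) / len(sifted) if sifted else 0.0

def otp_encrypt(key_bits, message):
    """XOR message with key; returns (ciphertext, unused_key). Spends 8 key bits per byte."""
    need = 8 * len(message)
    if len(key_bits) < need:
        raise ValueError(f"one-time pad needs {need} key bits, only {len(key_bits)} available")
    pad = bytes(int("".join(map(str, key_bits[i:i + 8])), 2) for i in range(0, need, 8))
    return bytes(m ^ p for m, p in zip(message, pad)), key_bits[need:]

def key_budget(n_key_bits, session_key_bits=256):
    """Bytes of OTP traffic versus symmetric session keys the same key material buys."""
    return {"otp_bytes": n_key_bits // 8, "session_keys": n_key_bits // session_key_bits}

if __name__ == "__main__":
    honest = bb84_sift(4000)
    tapped = bb84_sift(4000, eavesdrop=True)
    print(f"sifted {len(honest)} bits, QBER honest={qber(honest):.3f} tapped={qber(tapped):.3f}")
    key = [a for a, _ in honest]                 # Alice's half of the agreed bits
    ct, left = otp_encrypt(key, b"launch codes")  # constructed 12-byte message
    print(key_budget(len(key)), "->", len(left), "key bits left after one message")
```

Running it shows roughly half the qubits surviving sifting, zero errors without Eve and about one in four with her, and a 2000-bit key buying only 250 bytes of one-time-pad traffic but seven 256-bit session keys.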



  3. We don't use it because the manual(s) either don't exist for the intended process or are so badly written as to be not useful to the average individual. A few of us looked at the McEliece system and while it is promising, the lattice size is so large as to be untenable for low bandwidth systems e.g. less than 100Gbps.