by klickverbot 1568 days ago
First author of one of the preprints mentioned in the article here (theory in Paris/Geneva/Zürich/Lausanne, experiment in Oxford) – happy to answer any questions! I obviously speak only for myself, not for any of my colleagues, and as a matter of course, I should also mention that publication in a peer-reviewed journal is still pending for these results.

One point to mention – which I feel quite strongly about, and I think my collaborators do as well – is that sweeping generalisations like "perfect security" are really not the point, and, if anything, have mostly done the field a disservice. Such statements do make for catchy headlines, and while there is a solid technical meaning attached to them (information-theoretic security), to a wider audience they might suggest that QKD replaces the need for careful security engineering, which is definitely not the case: if your processing nodes, say, leak out the generated key material via a classical side channel, no amount of theoretical security guarantees will save you!

Rather, device-independent quantum key distribution allows you to scale back the assumptions on your implementation to a well-motivated, minimal set. To me, this is already intriguing enough without the need for hyperbole!


The first sentence of your paper abstract is:

Cryptographic key exchange protocols traditionally rely on computational conjectures such as the hardness of prime factorisation to provide security against eavesdropping attacks. Remarkably, quantum key distribution protocols like the one proposed by Bennett and Brassard provide information-theoretic security against such attacks, a much stronger form of security unreachable by classical means.

This is not wrong, but in my opinion quite misleading. QKD is no replacement for asymmetric cryptography since it requires exchanging a secret key before the communication can take place. This makes it functionally equivalent to a symmetric stream cipher. So why do you mention prime factorization and cite RSA? The security of QKD should be compared to that of the best symmetric algorithms, not that of asymmetric ones.

I have seen this pattern in many talks and papers from the field. Maybe the issue is that the QKD community seems to have almost no overlap with the IT security community. In my experience, QKD people almost never talk about how you would actually use and/or attack a system in practice.

> QKD is no replacement for asymmetric cryptography since it requires exchanging a secret key before the communication can take place.

Your general point about QKD "promises" vs. practical IT security is well taken, particularly as I am much more of a general quantum physicist and spare-time compiler/infosec geek than a QKD person myself.

However, note that asymmetric cryptography doesn't really solve the authentication problem you mention either. If you don't want to place your trust in some sort of PKI, you are back to Alice and Bob having to meet first to exchange some sort of key material (e.g. their public keys) to later avoid impersonation. Given an authenticated channel, both QKD and classical public-key cryptography can construct a secure channel for messages of arbitrary length, but the latter only for computationally bounded attackers. Of course, this is not to say that a trusted PKI can't be a sensible assumption in practice.

All of this is correct. But I still think it is misleading to create the impression that QKD could be a replacement for RSA, especially since asymmetric cryptography and PKI are cornerstones of the modern internet. Why don't you change the abstract and cite Rijndael or something like that? Your work is a very impressive achievement; I am sure Nature will publish it either way.
QKD advocates have been doing this for ages, it's been pointed out repeatedly that they make dishonest claims and they continue to do so. Here's a paper from 2004(!) pointing this out: https://eprint.iacr.org/2004/156

It's not an accident, it's deliberate deception.

I believe you can achieve secure communication by combining QKD with an asymmetric signature algorithm (hash signatures being a particularly interesting choice), while that's not possible by combining a stream cipher with a signature algorithm.
> Rather, device-independent quantum key distribution allows you to scale back the assumptions on your implementation to a well-motivated, minimal set. To me, this is already intriguing enough without the need for hyperbole!

Would it be accurate to say it is scaled back to the level achieved by classical (non-quantum) cryptography?

> Would it be accurate to say it is scaled back to the level achieved by classical (non-quantum) cryptography?

Not quite. Classical cryptography of course requires the additional assumption that the computational capacity of the attacker is limited (at least if the amount of key material available is less than the length of the messages to be exchanged). QKD does not need any such computational assumptions. Looking at this purely from a theoretical perspective, I hope you'll agree that the ability to create new shared randomness "out of thin air" by drawing on quantum correlations, and to do so in an information-theoretically secure fashion, is a pretty neat trick.

Now, if you asked me how likely it is _in practice_ that $THREE_LETTER_AGENCY has broken your cryptosystem to the point where they can feasibly attack it/have backdoored it, compared to the likelihood that they've bugged your devices in a supply chain attack or found any number of other ways to compromise the practical implementation, I suspect my answer wouldn't be much different to yours. Nevertheless, I still think it is interesting to explore additions to the cryptographer's toolbox that, in a very practical sense, have a rather different profile of assumptions and tradeoffs.

Oh absolutely, the theory behind QKD is fascinating! And I do think that some day there may be actually secure practical implementations, maybe even ones that are practical for more than a few niche applications.

But you mentioned the assumptions on the implementation, not on the underlying mathematics. The thing that concerns me is that QKD introduces additional hardware to operate, and there have been many demonstrations of weaknesses in that hardware that threaten the overall security of the system. With DIQKD you ensure that those issues no longer affect security (again it is absolutely remarkable that this is possible at all), but now you still have to concern yourself with all the implementation vulnerabilities that also plague classical cryptography. In that sense I mean that the implementation assumptions are now the same.

I always read perfect secrecy as a term of art with some technical meaning.

This protocol seems to solve the communication-at-a-distance problem for which asymmetric encryption was developed, but since then a lot of other uses for public key, e.g. signing and multi-party decryption and so on, have come out of public key. Do you think there will be entanglement based replacements for these?

> I always read perfect secrecy as a term of art with some technical meaning.

That's indeed the case, but I fear the subtle technical definition here is usually one of the first things to go in the cycle of press releases and news articles, entirely too quickly giving rise to headlines that speak of "unhackable cryptography" or things like that. I've slightly edited my above post to clarify this, thanks.

> Do you think there will be entanglement based replacements for these [other protocols]?

One thing to note is that QKD is fundamentally a primitive to create shared, private randomness, not a communication channel – of course, the output can be used as the key for one-time pad encryption, but you might as well use it some different way.

For applications beyond that, I am really not an expert, but from what I know, people are looking into a variety of protocols, such as for leader election. There was a review article a few years back by Wehner et al., "Quantum internet: A vision for the road ahead" (https://www.science.org/doi/10.1126/science.aam9288), which highlights some proposals.

As for applications like signing, one aspect to consider is that quantum entanglement will, at least for another decade or two, always be much shorter-lived than classical data at rest. Thus, most practical quantum protocols will boil down to creating and making use of entanglement in a short amount of time, e.g. to initially establish some sort of shared secret, make a coordinated decision, etc.

> a lot of other uses for public key, e.g. signing and multi-party decryption and so on have come out of public key

To the best of my knowledge, multi-party decryption isn't really related to public key cryptography. Sending a message to a single recipient looks like this:

1. You write a message.

2. You encrypt it with a symmetric algorithm.

3. You encrypt the key to the encryption in step (2) with an asymmetric algorithm, using your recipient's public key.

4. You send them the combined message, encrypted ciphertext plus encrypted key-to-the-ciphertext.

5. They use their private key to decrypt the key-to-the-ciphertext.

6. They decrypt the message using the key you just sent them.

It's done that way, as far as I've learned, mostly because symmetric encryption is faster than asymmetric encryption.

But multi-party decryption is exactly the same:

1. You write a message.

2. You encrypt it with a symmetric algorithm.

3. You encrypt the key to the encryption in step (2) using the various public keys associated with each of your intended recipients.

...

So instead of a single-recipient message being a ciphertext accompanied by a header revealing the encryption key to the ciphertext, a ten-recipient message is a ciphertext -- exactly the same ciphertext! -- accompanied by ten headers, each of which is only readable by a particular private key. There's nothing about this method that draws on public key cryptography; if I've exchanged OTP material with each of ten people, I could send a multi-recipient message exactly the same way. (And doing so would be at least as valuable as it is in the public-key case -- doing things that way allows me to send a message of arbitrary length while only consuming a bounded amount of OTP material.)
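The structure described in the comment above (one ciphertext, one small per-recipient header that wraps the session key), and the earlier remark that QKD output is just shared private randomness usable as pad material, as an added example that is not from the thread: the session key is wrapped with pre-shared one-time-pad bytes instead of a public key, so each recipient consumes exactly 32 bytes of pad however long the message is. The SHAKE256 keystream plus HMAC tag is a stdlib-only stand-in for a real AEAD such as AES-GCM, and the pads are constructed randomly in `demo`.

```python
import hashlib
import hmac
import os

KEY_LEN = 32  # bytes of session key wrapped per recipient


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def symmetric_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Stand-in for a real AEAD: SHAKE256 keystream from (key, nonce), HMAC-SHA256 tag.
    nonce = os.urandom(16)
    ct = _xor(plaintext, hashlib.shake_256(key + nonce).digest(len(plaintext)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def symmetric_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")  # wrong key or tampered body
    return _xor(ct, hashlib.shake_256(key + nonce).digest(len(ct)))


def _take_pad(pool: bytearray) -> bytes:
    # Consume KEY_LEN bytes of one-time-pad material and discard them: never reuse a pad.
    if len(pool) < KEY_LEN:
        raise ValueError("pad exhausted")
    pad = bytes(pool[:KEY_LEN])
    del pool[:KEY_LEN]
    return pad


def encrypt_for_many(plaintext: bytes, sender_pools: dict) -> tuple:
    session_key = os.urandom(KEY_LEN)
    body = symmetric_encrypt(session_key, plaintext)  # the one ciphertext everyone receives
    # One header per recipient: the session key XORed with that recipient's pad bytes.
    headers = {name: _xor(session_key, _take_pad(pool)) for name, pool in sender_pools.items()}
    return body, headers


def decrypt_as(name: str, own_pool: bytearray, body: bytes, headers: dict) -> bytes:
    session_key = _xor(headers[name], _take_pad(own_pool))
    return symmetric_decrypt(session_key, body)


def demo(message: bytes, recipients=("alice", "bob", "carol"), pad_len: int = 256) -> dict:
    shared = {n: os.urandom(pad_len) for n in recipients}  # constructed pre-shared pads
    sender = {n: bytearray(p) for n, p in shared.items()}  # sender's copy of each pad
    body, headers = encrypt_for_many(message, sender)
    out = {}
    for n in recipients:
        own = bytearray(shared[n])  # recipient's own copy of the same pad
        out[n] = (decrypt_as(n, own, body, headers), len(own))
    return out
```

Note that the header carries no authentication of its own; a corrupted header yields a wrong session key and the body's tag check then fails, which is the behaviour `symmetric_decrypt` raises on.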

Can you link the preprint by chance? I can never find the actual papers from Quanta...
QKD continues to be cryptography snake oil. Interesting for research, useless for actual real-life use.