> My naive security architect view is, I get the impression the people doing quantum engineering and those working as cryptographers have a very narrow overlap.

You probably aren't wrong, but also note that popular science articles are probably not the best basis for judging this. :) A number of people working on QKD have done serious work on classical cryptosystems as well, although the overlap of that set with people working "in the trenches" of practical IT security is of course yet another topic.

> To do the data exchange, it's not encrypted to a key per se […]

I'm not sure whether this is what you are wondering about, but the actual data exchange is completely separate from the key distribution. Particularly for the entanglement-based protocols like those used in device-independent scenarios, there isn't really any data exchange between the parties during the key distribution stage at all (apart from the classical post-processing steps such as error correction after the fact). Rather, the quantum resource provides random but correlated bit strings at the two nodes. Only after the QKD protocol has finished is there actual data exchange using the secret key material, probably using the key as a one-time pad to keep the information-theoretic security guarantees. Thus, trying to think about these protocols in terms of data transfer doesn't strike me as particularly natural; in fact, if the entangled state shared between Alice and Bob is maximally entangled, the raw bits obtained from the quantum devices are always going to be completely random. The security proofs are indeed based on careful entropy considerations.

You mentioned implementation details of classical cryptosystems. These primitives – S-boxes, etc. – motivate why we should reasonably expect cryptanalysis on such algorithms to be hard in practice, even though we know that they can't be secure considering information theory only. In the QKD case, however, we can make information-theoretic security statements without any reference to computational power. Thus, a security analysis will look at quite a different set of things: on one hand, whether the entropy accounting is correct, and on the other hand, whether the practical implementation actually corresponds to what that accounting assumes.
Popular science articles aren't sufficient to reason about the science - but they are at least as rigorous as the product spec sheets people will make their security decisions on, so I'd propose pop articles are admissible in discussing the security of the scheme. It's not on the consumer to understand, but on the producer to demonstrate.
The issue with QKD right now is that the risk/benefit isn't there from a security product perspective. If I have something that needs quantum security, I necessarily don't trust a bunch of people who say, "trust me, it's science," as I am looking at where the risk goes. If I'm using crypto on classical computers, most of my risk gets diffused through standards bodies (NIST, essentially), and then my vendors, banks, insurers, etc. QKD and PUFs have the same problem, which is snakeoil risk.
The information theoretic security (as a function of entropy) of an algorithm is scientifically interesting, but when it comes to applying it to risk management (e.g. distributing accountability), there is a ceiling on that. Measuring security based on work or operations over a classical compute cost / complexity class, I agree, is an orthogonal concern with QKD, but security as defined by where the risk goes needs a definition it can reason about.
I agree it (the analysis) will look different, and if I were to equip my fellow security analysts with a tool, it would be to not be persuaded that their lack of a quantum physics background disqualifies them from interrogating the real security benefits of QKD proposals.