Jump to content

Talk:Quantum key distribution/Archive 1

Page contents not supported in other languages.
From Wikipedia, the free encyclopedia
Archive 1

Two comments:

1) The Schenier links are not related to quantum cyptography.

2) The method described in them is definitely not absolutely secure.

I agree, I've removed the links as neither looked relevant to quantum cryptography.Centie 13:29, 14 April 2007 (UTC)

Usage: Quantum computing for cryptanalysis -- falls under quantum cryptography?

Does the term "Quantum cryptography" usually include "Quantum computing for cryptanalysis"? Most usages I've seen are restricted to Quantum Key Exchange-type things. Because of this, I'd like to move the "Quantum Computing Cryptanalysis" out of this article and merge it into, for example, Cryptanalysis and Quantum computing. — Matt Crypto 12:36, 12 January 2005 (UTC)

Error in Attack description

The Attack section says that man-in-the-middle is not possible but then describes an eavesdropping attack with retransmission, not a traditional MITM attack (as defined by the MITM article). If Mallory sets up two QC systems, one for Alice and one for Bob, then a MITM is certainly possible as long as Mallory can make Alice and Bob believe that they are communicating with each other. There is also the channel Alice and Bob must use for agreement of the key bits which can be susceptable to MITM attack. And, of course, since QC is really a key exchange system (in practice), all the attacks on the conventional encryption system being used are available. In fact, given the MITM attacks on QC and the fact that a conventional encryption system must be used, I see no real advantages to a system like this, except for make money by selling it.

The reason you're confused is that a large part of this article pretends to describe quantum cryptography, but in reality describes an exotic form of classic cryptography. When real quantum cryptography with entanglement is used MITM attacks become a lot harder (if not impossible).
E.g. if Alice and Bob meet and take some entangled spins home with them then they can ask Malory a question he doesn't know the answer to. Alternatively they could publicly transmit information that only makes sense if you have the spins. In that case Malory doesn't even know the question. Of course Malory could kidnap Bob and use his spins. But I don't think there are cryptographic systems that shield their users from that kind of abuse.
Or perhaps you could send a message using quantum teleportation.
This article needs a major re-write. Unfortunately I don't know if I'm well enough into this subject to do this. Shinobu 08:58, 16 May 2005 (UTC)
Surely QC doesn't really stop man-in-the middle attacks rather than preventing eavesdropping once secure authentication has been achieved? While a MITM attack will allow eavesdropping, there are other ways to achieve it. In RSA you can brute force the RSA key long after the transmission has taken place as an example. MITM attacks the authentication stage of a cryptography scheme, not the transmission. You still need to share entangled quantum states, and this effectively corresponds to exchanging a shared key when using a symmetric cipher. In my opinion the main strength of QC is that it ensures that a successfully authenticated session is unbreakable. No system, quantum mechanical or not, can ever prevent MITM attacks simply because you need to agree to use a secure communication's channel to begin with. If Alice and Bob do not have a secure communications channel they are vulnerable to MITM and thus Alice have no way to tell Bob to start a secure transmission. She might think she has told bob to use QC or RSA or whatever, but the person she spoke to was in reality Claire impersonating him. I am not trying to say QC is useless, it does have certain advantages. In particular, with RSA or AES, and other Mathematical encryption schemes, chances are a third party can store the encrypted message, and wait for improvements in technology or mathematical breakthroughs to make them readable. Many messages that are unreadable today may very well become readable in 2050. QC prevents this since the encrypted message is guaranteed to be destroyed when it is read. It is the Quantum Physics equivalent to the Mission Impossible tapes that ignite 5 seconds after being read, except in QC the destruction of the encrypted message is instantaneous and impossible to circumvent. QC have a few serious disadvantages as well. Denial of service attacks is probably the biggest one. Because the communication collapses on any attempt to read the encrypted message, you don't even have to break the scheme to carry out a DNoS. Simply trying to read the _encrypted_ message destroys the communication channel, so the very same feature that makes eavesdropping difficult also makes DNoS easy. Contrast this with standard radio transmissions where it is virtually impossible to carry out a denial of service attack because of the large number of possible frequencies and high energy output needed to jam a signal. The corollary is of course that radio transmissions are very easy to eavesdrop on. 137.205.236.47 17:43, 1 May 2007 (UTC)
Quantum cryptography needs authentication of messages on the public channel, the same as any form of secure communication, so you know your talking to Bob and not someone else pretending to be Bob. All the QC protocols I've seen include authentication for this very reason, to avoid MITM attacks. This authentication can be done using a small amount of the key previously generated using the channel, for example unconditionally secure Wegman-Carter authentication only requires a length of key scaling logarithmically with the total key length distributed. So the reduction in key rate due to authentication is very small for prevention against MITM.
For the original poster the advantage of QC, as pointed out by others here, is that you can detect how much anyone else could have learned about your key. If it's low, you can reduce their knowledge to an arbitrarily small amount, and if it's too high you can discard that key. Also, although QC does just generate a key for a 'conventional encryption system', the main encryption proposed for QC is the vernam cipher which is provably secure from attack - if you key is secure, so is your message.
Denial of service attacks are easy with any point-to-point communication link, not just quantum ones. In order to intercept and read the photons you need physical access to the fibre, and if you've got that far you may as well just cut it. The same applies for AES over a telephone wire etc. Things like free space QKD to satellites or quantum cryptographic networks might make DoS more difficult, but by no means impossible for a determined attacker. The same applies to anything though really, with enough resources radio can be jammed or internet communication flooded.
The attack section does seem a bit confused though, mentioning MITM attacks as two different things. Reading the Man-in-the-middle attack article it sounds like both attacks could possibly be described as such, even though I think only the second one (Eve pretends to be Alice to Bob etc.) actually is. QC certainly prevents "an attack in which an attacker is able to read, insert and modify at will, messages between two parties without either party knowing that the link between them has been compromised" on the quantum channel. Maybe someone with cryptography knowledge could clarify? The section probably needs rewriting, along with a few others. Centie 17:00, 2 May 2007 (UTC)

Mallory vs. Eve

I'm confused here. In the Attacks section, we suddenly start talking about "Mallory," whereas in the rest of the article, "Eve" is the eavesdropper. Where did "Mallory" come from? Is this because "Mallory" is a name specific to an attacker, where as "Eve" is only an eavesdropper? I probably missed something somewhere. Maybe we should make it more clear to the reader who is trying to do what.--24.50.128.226 03:58, 11 November 2005 (UTC)

See Alice and Bob.
Active attackers (like men in the middle etc.) are often called Malory (think Malicious). Shinobu 19:08, 11 November 2005 (UTC)

NPOV vs. clear-cut Information

the last sentence of the article reads "A year's supply of AES128 keys, changed at that [100/sec] rate, will fit on a high-end iPod or 11 DVD-Rs, and these have the additional advantage that they can be carried anywhere in the world with the parties." this is clear-cut information, as this pretty much shows that Quantum cryptography is not really needed, and most likely a waste of money. But this cited statement could be attacked with WP:NOR and possibly WP:NPOV.

I would even propose to add something similar to the lead paragraph. i know, we should not be tendentious, adhere to NPOV, but if it is that easy to disprove the viability of some solution, shouldn't that be mentioned at the top, so prospective readers might skip the article if they wish to?

i'm currently reading about quantum mechanics, got to this article and read it, all the while being a bit skeptic about the process described. but really, if i knew about the comparison to aes128-keyswitching from the start, i needn't have to worry and think about it at all, could have read more relevant articles. that is no attack, it is a question. thank you for your time.-- ExpImptalkcon 22:39, 19 November 2006 (UTC)

If you worry about WP:NOR, have a look at http://www.lysator.liu.se/~jc/mthesis/2_QKG_versus_courier.html which was published in 2005 and makes a similar point, except that the result is 1000 years instead of one and the proposed alternative does not degrade security with AES so it is more secure than quantum cryptography. Jc00 (talk) 05:15, 31 August 2008 (UTC)

Polarized photon section is incomplete

I've read it a couple of times now, and although it describes what you do, it doesn't describe how it works. IE, so Alice changes the polarization she uses from linear to circular... and? So what? How does Bob use that information? How does it prevent Eve from eavesdropping? Maury 23:28, 1 March 2007 (UTC)

The section has been rewritten now, and hopefully provides more information. Centie 22:52, 29 April 2007 (UTC)

This section describes communication by means of "pulses of polarized light, with one photon per pulse". It then talks about linear and circular polarizations. Talk of linear polarizations of single photons should be removed. Single photons cannot carry linear polarizations. Photons carry right or left circular polarization, corresponding to the 2 possible helicity states for the photon. Read all about it: http://en.wikipedia.org/wiki/Photon under Physical Properties. Mseslacker 15:55, 14 April 2007 (UTC)

A photon's polarization state can be linear (and in any direction) or circular, see Photon polarization. I think the confusion arises due to differences between quantum mechanics and classical polarization, it's been discussed on the Talk:Photon#Two_States_of_Polarization page.
Essentially, you can only distinguish between two polarization states at once, for example right and left circular, or horizontal and vertical (linear). So imagine you measure a photon as right circular . If you measure it's polarization in the circular basis again every subsequent measurement of it will be right circular, never left circular. But if you then measure it in a linear basis (horizontal or vertical, for example) you will get either H or V at random with equal probability. But every time you measure in the linear basis again you will get the same result as the first time; the photon is now either vertical or horizontally polarized.
What happens if you now measure in the circular basis again? It turns out that you will get a right or left result with equal probability, even thought the photon started out as right. If this all sounds strange it is, but it's also very well tested experimentally (see Stern-Gerlach Experiment). The reason for it is basically quantum superposition; the horizontal (or vertical) linear polarization state can be expressed as a combination of right and left circular states, and the right (or left) circular state as a combination of horizontal and vertical states.
This is precisely the reason quantum cryptography works: Alice sends photons either in the circular or linear basis, and if Eve intercepts them and measures them in the wrong basis then the original information (if it was right/left or horiz/vert) is lost, even if Bob subsequently measures the photon in the same basis Alice sent.
To answer the original post: your right, the article doesn't really seem to explain this at all! The BB84 article linked is better but quite complicated, someone should really rewrite the polarized photon section here. Centie 14:07, 15 April 2007 (UTC)

I've categorised the external links section and only one of the existing links is a research group. I suggest we either add more research groups, add a link to a list of research groups (I know quantiki has one for all quantum information groups, but is there a similar one just for quantum cryptography?) or remove the section entirely.Centie 13:29, 14 April 2007 (UTC)

HUP?

I could very well be wrong, but I don’t really see what the Heisenberg uncertainty principle has to do with the photon polarisation method of QC. Does it not rely more on the Observer effect?

The original paper mentions the uncertainty principle several times, but not the observer effect. All the good descriptions (in fact all the google results too) on the web seem to do the same thing. I'm not certain this is right, but can't really find any evidence to suggest it isn't.
I think the security of BB84 can be thought of in terms of the HUP though. Rectilinear and diagonal (and circular) polarisations are all conjugate variables, so obey an uncertainty relation of the form ΔP+ΔPx > C where C is some non-0 number. If we prepare some photons in vertical polarisation states then measure each one in the rectilinear (+) basis we will always get the same result (vertical), so there is no uncertainty in this measurement and ΔP+ = 0. This must mean ΔPx = ∞ to satisfy the uncertainty relation, so if we had instead measured it in the diagonal (X) basis we would have got a totally random value. So the HUP implies measuring in the wrong basis destroys the information.
I think it can be described in terms of the observer effect too (if my understanding of this is the same as yours, the wikipedia page seems a bit hazy). Vertical polarisation can be seen as a superposition of +45 and -45 diagonal polarisation, so observing a vertically polarised photon in the diagonal bases will cause its state to collapse randomly to either of these two. This destroys the superposition and the original information (there's no way to tell it used to be vertical).
My guess is in this case the observer effect and uncertainty relation both result from the same underlying principles, so as the overwhelming majority of sources credit the UP we should keep the article the same. If anyone has any ideas about the OE/UP in quantum cryptography though please share, as I can't find any other discussions about it! Centie 23:04, 25 April 2007 (UTC)

Given that the HUP is used almost interchangeably with the Observer Effect in popular media, and people are constantly pointing out (see the HUP article and it's "Popular Culture" uses) I would tend to think that the description in this article tends to focus more on the observer-effect aspect, and less with the HUP itself. While there is certainly the possibility of the HUP's math being involved (and I'm really not the person to determine that), the usage of the HUP in this article seems almost identical to that of the OE. elecmahmElecmahm (talk) 07:31, 24 November 2007 (UTC)

Limitation: no deniability

I removed this section, since it is not correct. Any attack focused on only a very few bits of the key would be taken care of by the privacy amplification. Even if there is virtually no errors in the channel, some amount of privacy amplification is required. The research article that was referred to for justifying this section, has an incomplete view of what goes on in a QKD protocol. --V79 14:55, 17 May 2007 (UTC)

I've suspected this for a while, but was unable to access the reference article to check it. I think removal is a good decision. Centie 15:35, 18 May 2007 (UTC)

Free space

AFAIK, usage of "free space" is not applicable here. Free space represents absolute vacuum; but, the tests were done with air as medium. Praveen 18:58, 12 June 2007 (UTC)

Your right, free space is theoretically an absolute vacuum, but as noted on the free space page it's usually taken to mean a medium which doesn't substantially affect the phenomena under consideration. E.g. outer space is usually described as "free space" with regards to EM radiation. Whether this use is correct for the QKD experiments is debatable, as ultimately the distance restriction is caused by the photons being attenuated by the air. However the ARDA roadmap and most papers do seem to describe it as "free space quantum cryptography" (arxiv and google both turn up several results for this). Maybe "open-air" or "through-air" would be more correct alternatives, but I'm not sure if deviating from the most common name is a good idea? Centie 17:37, 14 June 2007 (UTC)


Revert on 14-10-2007

I've changed "Using quantum phenomena such as quantum superpositions or quantum entanglement a communication system.." back to "Using quantum states.." for the following reasons: "Quantum Phenomena" doesn't have a wp page or appear to be a particularly widely used term, but seems to refer more to higher level results of quantum mechanics (e.g. spectral lines). In contrast superposition states and entangled states are basic parts of the theory, and it is systems in these type of states which are used in QKD.

I've removed the link to the bell test experiments from "The security of quantum cryptography relies only on the well tested foundations of quantum mechanics", as these experiments only tested the validity of entanglement (as opposed to some sort of hidden variable theory). Quantum cryptography relies on much of the foundations of QM, which have been tested in innumerable experiments, so it seems misleading to only mention one.

Apologies for removing your first two edits to the page, I'm just trying to keep everything as clear as possible, don't be put off editing it more! Centie 17:09, 14 October 2007 (UTC)

Hello Centie! I agreed with Quantum Phenomena statement, when I first seen it. I thought the sentence a little clumsy, stating that Quantum Superposition is a quantum state, when it is a classification of a state. But you made some good points so I attempted to strike a balance between your concerns and my own.
In my opinion, your edit was not minor one. I would suggest you be more critical in assigning such a label.
I made some other changes to those two paragraphs. I would appreciate you could taking a look. Skippydo 21:34, 14 October 2007 (UTC)
After reading the introduction again I've had another try at reworking it. I realise some of the changes are similar to my original edits, but I think it's important to get the key elements of quantum cryptography mentioned there, while keeping it as succinct as possible.
I marked my edit as minor as I was reverting two minor edits by another user. Your probably right though (I haven't actually read the definition of 'minor edit'), I'll use 'minor' only for correcting typos etc. in future. Centie (talk) 19:54, 23 November 2007 (UTC)

Excessively cautious wording

Unless I'm missing something, "a range of the order of ~100 km" is excessively cautious (and probably unnecessarily imprecise. If we are talking orders of magnitude, then the "~" for approximation seems a bit excessively cautious. However, I'm guessing that something more precise could be said (and cited). After all, "the order of ~100 km" means ~10 km to ~1000 km. Again, unless I'm missing something. - Jmabel | Talk 22:03, 22 November 2007 (UTC)

Something more precise is said, and cited, in the Prospects section. That section should probably be renamed, and moved above history, to make it clear it's dealing with current implementations. I've removed that paragraph from the introduction as it didn't add any new information, and just confused what is meant to be a brief overview (the lack of quantum repeaters should probably be mentioned in the Prospects/Implementation section though). Centie (talk) 19:43, 23 November 2007 (UTC)

2007 figure referenced w. a 2002 document?!

There's no link to the document cited as reference #2, so I have to take this at face value and ask: how can a 2002 document be a source for the error threshold given as "20% as of April 2007"? Was there a plan in 2002 to make a later change to the official(?) threshold value? Or perhaps a proposition adopted only 5 years after its formulation? D0nj03 (talk) 16:15, 8 January 2008 (UTC)

The paper cited shows a method that allows secure communication to be carried out whenever the bit error rate is equal or less than 20.0% (for the BB84 protocol). The "as of 2007.." means that when that part of the article was written this was still the highest error rate that it's been shown to be possible to extract a secure key with, i.e. no papers published since then have improved on this. Google turned up a link to the paper if you want to read it btw, [1], the bit about BB84 is in the final bit of the conclusion (the 27% rate refers to a different protocol). Centie (talk) 19:35, 10 January 2008 (UTC)
Well, then. And here I was, just about to correct another such "as of..." that I found in there. :) It seems to me quite strange that someone would record the "state of the art" at the time they're making their edit instead of writing when that particular result was actually obtained. Are we really to believe that any (possibly anonymous) editor is perfectly aware of the "s.o.t.a." (of all the papers published everywhere on the subject) up to the moment of their contribution? How plausible can such a claim ever be?
D0nj03 (talk) 11:39, 14 January 2008 (UTC)
Ideally the page should be up to date all the time, but as this is unlikely to happen it seems like the next best thing is to record when details such as this were correct. Then the page at least stays accurate if new results are discovered, instead of misleading people. Plus, if someone needs up the minute data they can check for results since that date, and hopefully update the page accordingly. After a quick search I found the Wikipedia:As_of page, which suggests this construct is standard practice, and in fact should probably be linked to make it easier to update. I'm not sure if linking it might just create confusion though. Adding the year the result was obtained is possible, although it might make the sentences more clumsy and this information is already in the references section.
All the edits to this article are made by anonymous editors, like all wikipedia articles. You don't have to believe anything in the article, be it the description of BB84 or the current distance achieved. The references are the authoritative sources, and should be used to verify claims, and so really everything should be referenced. But that would get messy, as well as being time consuming. The source for the 20% error rate claim is the review article 3rd down in the external links section ([2]), written in March 2007. It's unlikely anyone is perfectly aware of all the papers published anywhere on the subject, but Lo and Lutkenhaus can probably be believed. A citation to this article could be added just after the "As of March 2007.." bit if you think it's needed? Centie (talk) 15:55, 23 January 2008 (UTC)

No known way vs. impossible

“Mallory cannot use a man-in-the-middle attack, since he would have to measure an entangled photon and disrupt the other photon, then he would have to re-emit both photons. There is currently no known way to do this, according to widely-accepted theory in quantum physics.” Surely this should say that it’s impossible according to accepted quantum physics theory? This is a much stronger claim than merely “no known way”, but it’s the provable impossibility of attacks that makes quantum cryptography interesting in the first place. -213.115.77.102 (talk) 14:25, 24 January 2008 (UTC)

Your right, it should. The whole attacks section is in need of a re-write (it's on the todo list on this page at least!), the information in there is incomplete at best and some of it's just wrong. The part you quoted is highly suspect, for a start it describes an intercept-resend attack; man-in-the-middle needs to be defeated with authentication.. which I think is mentioned later in the section(!). Centie (talk) 12:42, 25 January 2008 (UTC)

interactive BB84 demo

I just made available an interactive BB84 demo which I wrote about 10 years ago but which has moved several times and has been unavailable for the past year. Feel free to link to it if you think it is useful. It's at http://fredhenle.net/bb84/. Fred (talk) 17:19, 6 February 2008 (UTC)

Quantum Non-Locality

The article mentions that the results between Alice and Bob will not be perfectly correlated, but they will be correlated better than if they weren't entangled. This is false; their results must be 100% correlated because, in the case of entangled electron spins, angular momentum has to be conserved. So if Alice measures UP, Bob MUST measure down with 100% probability. The same is true with entangled photons. So this paragraph should be removed from the section. —Preceding unsigned comment added by 68.41.69.22 (talk) 15:21, 13 February 2008 (UTC)

Yes, if the photons are entangled, there would be no way for Bob to detect eavesdropping since the key has already been measured by Alice at the outset. Orangedolphin (talk) 23:06, 10 August 2008 (UTC)
The entire Ekert 91 section is badly in need of a re-write, but maybe the information is so confusing/misleading deletion is the best option? I think what it was trying to get at though is to do with the CHSH version of the Bell inequality, which is used in testing the security of communication using entangled states. This gives the amount of correlation when Alice and Bob measure in different basis, so if Alice measures up what happens if Bob tries to measure ±30°? In this case the results won't be 100% correlated, but will have a probability distribution. The CHSH inequality basically says if you measure in different pairs of basis, then compare the amount of correlation, the result will only be a certain value if the photons pairs were entangled. If they had been intercepted and were not entangled when they were measured, the amount of correlation would be less than this value. Sorry this is all a bit vague, but you can read one of the links to E91 to explain it better if you want. -- Centie (talk) 03:00, 2 March 2008 (UTC)

Quantum Attacks

I deleted a paragraph from the 'Attacks' section, because it doesn't really belong.

While it is true that Mallory may be able to determine the state of Alice's polarizer by reflecting photons off of it, Alice and Bob will surely detect this, abandon transmission and start over again with a different polarizing scheme. Besides, just knowing the position of the polarizer doesn't tell Mallory anything about the key, because the polarizing angle may change between every bit transmission.--MaizeAndBlue86 (talk) 01:13, 29 February 2008 (UTC)

I think it's an interesting attack that's worth mentioning. Once you've noticed that it's possible you may be able to redesign the system to make it impossible, but that's expected—it's why attacks are published in the first place. They can continue to apply for years to old systems and standards that can't easily be updated, and they're an important influence on the design of new systems. -- BenRG (talk) 12:00, 29 February 2008 (UTC)
I think that it should probably stay, as an example of while the protocol may be secure, the implementation can be vulnerable to side channel attacks. I've added another sentence to this effect, as well as a bit more about authentication, see if you think it's ok. -- Centie (talk) 02:37, 2 March 2008 (UTC)

Quantum cryptography MITM attacks

(Copied from User_talk:BenRG)

The article is correct, MITM attacks are impossible, given that both Alice and Bob use a good transmission method. Remember that they are only transmitting the key, and if they detect eavesdropping they will abandon and start over, or use a different quantum channel for transmission. So it is not susceptable to MITM attacks like "any other method".--MaizeAndBlue86 (talk) 01:07, 29 February 2008 (UTC)

I think the problem is that man-in-the-middle attack was misdefining the term, which I've now fixed. Quantum cryptography is vulnerable to MITM attacks as the term is used by cryptographers, and in fact the section already said so before my edit: "Quantum cryptography is still vulnerable to a type of MITM where...", followed by a description of a real MITM attack. -- BenRG (talk) 10:17, 29 February 2008 (UTC)
Aha, glad this finally got sorted out, the different definitions of MITM in the attack section has been discussed before.. see my reply to the "Error in Attack description" section above. I agree that quantum key distribution is susceptible to MITM the same as any classical protocol, when used without authentication. This authentication can be done using a small amount of the key previously generated using the channel, for example unconditionally secure Wegman-Carter authentication only requires an amount of key scaling logarithmically with the total key length distributed. So QKD allows for an exponential expansion of key material, provided you start with a shared secret. There are quite a few proposals (googling qkd authentication brings up some) for ways to generate this shared secret between any two users, most appear to rely on a trusted 3rd party/certificate authority or entanglement. I suspect in practice for the near future this initial key would be built in to the two "boxes" that sit at each end of a QKD link; these need to be transported to there final location securely anyway to avoid tampering with (e.g. random number generator attack), so storing the initial authentication key on them wouldn't introduce any additional security constraints. -- Centie (talk) 01:13, 2 March 2008 (UTC)

Radio vs light?

Currently, the article states, "The sender ... and the receiver .. are connected by a quantum communication channel which allows quantum states to be transmitted. In the case of photons this channel is generally either an optical fibre or simply free space. In addition they communicate via a public classical channel, for example using radio waves or the internet."

But radio waves are, like the light waves transmitted in optic fibres, photonic. Also, the passage above states that free space is a suitable propagation medium for quantum signals; but radio signals can certainly be transmitted through free space. So, my question: in what way is radio transmission "publicly classical" and not "quantum"? zazpot (talk) 10:47, 21 September 2008 (UTC)

The more photons per qubit, the more classical the signal. I changed "radio waves" to "broadcast radio" to try to clarify this. -- BenRG (talk) 12:14, 21 September 2008 (UTC)
Thanks for the clarification. I'm intrigued that a signal can be "more" classical - in other words, that this is a matter of degree. Learn a new thing every day... ;) zazpot (talk) 15:22, 23 September 2008 (UTC)

Quantum Key Distribution

Quantum Key Distribution (QKD) is NOT synonymous with Quantum Cryptography. Using the terms as such is extremely misleading. In the past 7 or so years many Quantum Secure Direct Communication (QSDC) protocols have been proposed which claim to be provably secure. If they are, then QSDC is probably superior to QKD. Some also claim to have solved the authenticated line problem. Google Quantum Secure Direct Communication for some examples. Redsecure (talk) 23:52, 21 March 2009 (UTC)

I've created the page Quantum Secure Direct Communication redirecting to Quantum cryptography. Feel free to add a section in Quantum cryptography or give it it's own article and we can add a note at the top of Quantum cryptography. Skippydo (talk) 03:41, 23 March 2009 (UTC)

FPB attack

(Moved from User talk:BenRG)

I recognized that you roll-backed the contents about FPB attack on Quantum Cryptography. But FPB attack is experimentally prooved on 2006. For more information, please see this(paper about the FPB attack experiment). Or what about to describe like this? "Quantum Cryptography is vulnerable to attacks using QND"
Modamoda (talk) 07:40, 19 July 2009 (UTC)

This attack is just the most general form of eavesdropping on the communication channel. QKD protocols are designed to protect against it. It's an attack on QKD in the same way that chosen-plaintext is an attack on ordinary cryptosystems: it's something the designers know about and protect against so that the attack doesn't work in practice. This experimental test doesn't add much because it just verifies the quantum mechanical prediction, which everybody believed anyway. Quantum mechanics is far too well tested to fail in a simple experiment like this. I have nothing against the paper, but if we added a paragraph about every paper like this to the article it would grow ridiculously long. This attack isn't really using Quantum Nondemolition measurement. Saying that QKD is vulnerable to QND measurement is the same as saying that classical cryptography is vulnerable to someone who guesses the key by sheer luck. It's technically true, but we don't worry about it. -- BenRG (talk) 12:06, 19 July 2009 (UTC)
Thanks for replying. :)
Modamoda (talk) 15:21, 19 July 2009 (UTC)

One Time Pad

I have never suggested anything on Wikipedia before, and I am certainly not an expert on cryptography or quantum cryptography. However, I do not undestand this: "The algorithm most commonly associated with QKD is the one-time pad, as it is provably secure when used with a secret, random key." My understanding of the one-time pad is that it must be (at least) the same length (number of bits) as the plaintext, never re-used, and certainly not computable from any shorter "secret, random key". Unless I am misinformed, the quoted statement is incorrect and should be removed. —Preceding unsigned comment added by 24.78.1.239 (talk) 17:41, 13 September 2009 (UTC)

My knowledge about OTP(One-time pad) is not like that. I think OTPs don't have to have(or generate) same length with the Plaintext.
- Modamoda (talk) 09:52, 14 September 2009 (UTC)

" Perfect data secrecy may not seem possible, particularly if potential attackers are given absurd amounts of time (and can run brute force searches in parallel). But, oddly enough, there is an encryption algorithm that can't be broken if used properly: the one-time pad. What is even stranger is that the algorithm is incredibly simple.

The basic idea behind a one-time pad is that there's as much key material as there is text. The encryption operation can be simple modular addition. In computer-based uses, it is often XOR.

"Here's the simple algorithm for one-time pads: For each plain text message, generate a random secret key. The key should be exactly the same length as the plain text message. The cipher text is created by simply XOR-ing the plain text with the key." (from http://www.ibm.com/developerworks/library/s-pads.html ) —Preceding unsigned comment added by 24.78.1.239 (talk) 22:21, 14 September 2009 (UTC)

Using a one-time pad with QKD is indeed meaningful. And as you point out, a one-time pad isn't computed from a shorter secret key -- basically, you'd use just whatever you got from the QKD. And of course, you'd use each bit of quantum-arranged key exactly once. Asrabkin (talk) 22:03, 8 October 2009 (UTC)


Quantum Cryptography vs QKD

(moved from TODO list)

This page should really be called "Quantum Key Distribution" NOT "quantum cryptography" since the latter refers to a much wider range of tasks (e.g. Quantum bit commitment) —Preceding unsigned comment added by 192.33.98.48 (talk) 26 January 2019 (UTC)

I think this has been mentioned before, and the "quantum key distribution" page does redirect to here. However as there's very few non-qkd quantum cryptography pages (there is no quanutm bit commitment page for example) on wikipedia, a general quantum crytography page would probably just link to this page currently. If anyone can find enough non-qkd pages to make a quantum cryptography article viable, this page could be moved to "quantum key distribution". We'd have to make sure we avoid confusion though, as almost everyone looking up "quantum cryptography" is looking for information on qkd, and probably arn't aware of the technical difference. centie (talk) 13:13, 23 March 2010 (UTC)

NO, i think the name of this page is correct, because mainly quantum cryptography consist in distribution of the key in a secure proofed way, then after key distribution classical cryptographic system (one time pad) are used to exchange messages. I have many references articles about this and i am surprised that any one of them is not in this page. -Undestading Quantum cryptography - idquantique -Talking on quantum cryptography- Samuel J.Lomonaco -Experimental Quatum cryptography- Bennet, Bessete, Brassard (actually i am studing quatum authentication) —Preceding unsigned comment added by Albanx (talkcontribs) 20:19, 31 May 2010 (UTC)

It is certainly not correct that quantum cryptography is the same as QKD. In fact, a lot of today's quantum papers in the crypto community deal with other quantum cryptographical problems. For example, in this year's Crypto and Eurocrypt (arguably the most important cryptography conferences), there are five quantum papers, and only one of them deals with QKD. And if you would prefer the opinion of a recognized authority, I talked to Charles Bennett, and he agreed that the fact that Wikipedia considers quantum crypto as a synonym for QKD is misleading. I agree with Centie's comment that most people are not aware of the difference between QKD and quantum cryptography, but I believe that this is even more of a reason to make the difference clear (Wikipedia should educate, not reinforce preconceptions). But of course, the intro of a quantum crypto article should make it quite clear that QKD is a main application, and prominently link to it (to avoid any confusion). My suggestion is the following structure:

  • Move the current quantum crypto article to a QKD article
  • Write a quantum crypto article with the following content
    • Intro: What is quantum crypto ("any crypto that uses or is secure against quantum") + prominent link to QKD
    • (Very short) sections on different quantum crypto topics:
      • QKD (a short summary with link to the full article)
      • Quantum OT from commitment (following Crepeau, Kilian, FOCS 88)
      • Impossibility of unconditionally secure quantum commitment
      • Bounded quantum storage model
      • Quantum zero-knowledge
      • Post-quantum cryptography
      • Quantum multi-party computation

I would be willing to do all this, assuming there are no good arguments against this. Dominique Unruh (talk) 07:37, 13 July 2010 (UTC)

Serna

I've never heard of Serna or his protocol. The only documentation at all is one three-page brief on the arXiv that has apparently never been refereed or published. With only an IP address (and the same IP address) having put in the edits for Serna, seems likely to be a self-insertion. Should be deleted? Rdv (talk) 13:28, 22 October 2011 (UTC)

The article is unpublished, unreferenced (save 1 survey), and I can find no evidence Serna is a scientist. I'm sure we can find some wiki policies to support removal on that basis.
As for the science, the article is poorly written and lacks prior plausibility, claiming to be immune to man-in-the-middle attacks. I don't think the article is worth reading carefully. Skippydo (talk) 18:23, 22 October 2011 (UTC)
Personally, I agree as to the quality of the paper, but that's not the right basis for editing Wikipedia. It's more the matter of the scientific community's judgment, which seems to be clearly on the side of the paper being below the threshold for attention. Rdv (talk) 22:31, 22 October 2011 (UTC)

Kish cipher

I removed the reference to Kish cypher as a "competing classical technique" because I don't see how it can be said to compete with quantum cryptography, notwithstanding Kish's claims. People are interested in quantum cryptography only because there's a proof from basic physical principles of security against certain attacks. Classical ciphers are orders of magnitude faster, cheaper, and more versatile, but we have no security proof for them (though they seem to be secure). The Kish cipher is comparable to quantum cryptography in speed and versatility, and I can't find any evidence that Kish or anyone else has proved its security. So it seems to combine the disadvantages of classical cryptography with the disadvantages of quantum cryptography, and I don't understand why anyone is interested in it at all. -- BenRG (talk) 11:25, 27 September 2008 (UTC)

While agreeing with the removal of the KLJN ("Kish cypher") because of its irrelevance for quantum physics, one should note that there are general security proofs for it. The most recent and most general one is actually published in a quantum security journal: "On the security of the Kirchhoff-law-Johnson-noise (KLJN) communicator", Quantum Information Processing (2014), see it pre-published on the website of Quantum Information Processing , or DOI 10.1007/s11128-014-0729-7 . The general security proof is based on the continuity of functions in stable classical physical systems, which is the foundation of classical physics. On the other hand, recent cracks and debates of quantum key distribution indicate that the security proof of QKD have been incomplete, thus a general quantum security proof is yet to come. About this and some other issues, see the extensive criticism of quantum informatics founder Charles Bennett's claims about KLN: Critical Analysis of the Bennett–Riedel Attack on Secure Cryptographic Key Distributions via the Kirchhoff-Law–Johnson-Noise Scheme , PLoS ONE 8(12): e81810 . The most recent public debate video on the security of QKD can be seen here, where leading experts of quantum security challenge the security of QKD.

165.91.12.244 (talk) 18:09, 6 February 2014 (UTC)

add Experimental quasi-single-photon citation?

Maybe cite at section Implementations/Experimental? recent (2013) "Experimental quasi-single-photon transmission from satellite to earth", Juan Yin et all.

NOTE: there are significant conclusions, "These results are sufficient to set up an unconditionally secure QKD link between satellite and earth, technically (...) results represent an crucial step towards the final implementation of high-speed QKD between the satellite and the ground stations, which will also serve as a test bed for secure intercontinental quantum communication".

--Krauss (talk) 00:42, 14 December 2014 (UTC)

Hello fellow Wikipedians,

I have just modified 11 external links on Quantum key distribution. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

When you have finished reviewing my changes, please set the checked parameter below to true or failed to let others know (documentation at {{Sourcecheck}}).

This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}} (last update: 5 June 2024).

  • If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
  • If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers.—InternetArchiveBot (Report bug) 16:33, 16 July 2016 (UTC)

Hello fellow Wikipedians,

I have just modified 8 external links on Quantum key distribution. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

When you have finished reviewing my changes, please set the checked parameter below to true or failed to let others know (documentation at {{Sourcecheck}}).

This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}} (last update: 5 June 2024).

  • If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
  • If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers.—InternetArchiveBot (Report bug) 12:46, 21 July 2016 (UTC)