The Long-Term Future of the Cryptography Policy Debate

Stefek Zaba sjmz at hplb.hpl.hp.com
Fri, 06 Mar 1998 19:17:40 +0000


For anyone who wants to follow quantum crypto work in blow-by-blow detail,
I can recommend (shameless plug!) the work of my colleagues in HPLabs Bristol;
try http://www.hpl.hp.com/cgi-bin/AT-Tech_Reportssearch.cgi and ask the
search engine for hits on the single word "quantum". There's a mixture of
abstracts, full reports (some in useful PostScript or PDF, some as scanned
images only), and a chance to order hardcopy. 

There are some interesting results emerging, both negative (e.g. quantum
bit commitment protocols found to be necessarily insecure) and positive 
(quantum key distribution not only theoretically possible but demonstrated
in practice at BT Labs over 10km of optical fibre, if I remember it right).

Quantum computation faces some pretty stiff engineering challenges: the more
simultaneous states you try to superpose (i.e. "solutions" you investigate
at once), the harder it is to keep the whole thing from "losing it" (a deep
technical term :-) In particular searching through 2**256 or so states, as you
might want to do for factoring attacks on 1024-bit RSA, is more than marginally
beyond the state of the theoretical art... for now...

In the policy debate, note that quantum key distribution would again change
the playing field: the whole point of quantum key distribution is that it
gives you a *physically* secure channel, i.e. you can *tell*, reliably, if
someone is snooping the fibre or whatever's carrying the quanta. (This works
because the observer has to make an observation, thus changing the bits
encoded by the quanta.) That makes the distinguishing law enforcement
requirement - that the subject of a wiretap not know that s/he is under
surveillance - impossible to achieve. Now there's a challenge for the
would-be regulators - laws of the land vs. laws of physics...

Stefek
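
The tap-detection property described in the message above, as an added example that is not part of the original post: a classical toy simulation of an intercept-and-resend tap on a BB84-style key exchange. BB84, the function names and the 10% alarm threshold are assumptions of this example; the post names no specific protocol.

```python
import random

def measure(bit, prep_basis, meas_basis, rng):
    # Measuring in the preparation basis reads the encoded bit;
    # measuring in the other basis yields a uniformly random result.
    return bit if prep_basis == meas_basis else rng.randrange(2)

def run_session(n_photons, tapped, seed=1998):
    """Simulate one key exchange; return (sifted_key_length, error_rate)."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    sifted = errors = 0
    for _ in range(n_photons):
        a_bit, a_basis = rng.randrange(2), rng.randrange(2)  # sender's choices
        bit, basis = a_bit, a_basis
        if tapped:
            # The observer must pick a basis and measure, then resend
            # what was seen; the photon is now prepared in that basis.
            tap_basis = rng.randrange(2)
            bit = measure(bit, basis, tap_basis, rng)
            basis = tap_basis
        b_basis = rng.randrange(2)                           # receiver's choice
        b_bit = measure(bit, basis, b_basis, rng)
        if a_basis == b_basis:  # sifting: keep only matching-basis positions
            sifted += 1
            errors += (a_bit != b_bit)
    return sifted, (errors / sifted if sifted else 0.0)

def line_is_tapped(error_rate, threshold=0.10):
    # Assumed alarm threshold for this example; a real link also has to
    # budget for noise in the fibre and detectors.
    return error_rate > threshold

if __name__ == "__main__":
    for tapped in (False, True):
        kept, qber = run_session(20000, tapped)
        print(f"tapped={tapped}: sifted={kept} error_rate={qber:.3f} "
              f"alarm={line_is_tapped(qber)}")
```

On an untapped line the compared bits agree exactly; with the tap in place roughly a quarter of them disagree, which is what the two endpoints see when they compare a sample of the sifted key.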