Score:2

Is a manually provisioned pre-shared key for symmetric encryption quantum-safe? What benefits would a QKD solution have over using a manually configured PSK?


RFC 8784 introduces a straightforward mechanism to use a pre-shared key to make a modified IKEv2 key agreement resistant to a quantum computer running Shor's algorithm, thus providing a "quantum-safe" information channel. One use of this information channel could be to share keys.

QKD authentication requires a PSK in order to be quantum safe. It can then provide a quantum-safe channel to share keys.

Both RFC 8784 and a QKD solution depend on a pre-shared key that has not been compromised. What are the tangible benefits of using a QKD solution versus RFC 8784 if the objective is key sharing over the channel?
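As an added illustration of the RFC 8784 mechanism the question refers to (example code written for this page, not from the question or from any IKEv2 implementation; the PRF choice, key lengths and ID payload bytes are assumptions): the post-quantum preshared key (PPK) is mixed into SK_d, SK_pi and SK_pr with prf+, and a responder holding a different PPK cannot reproduce the initiator's MACed ID, so authentication fails without the PPK ever crossing the wire.

```python
import hmac
import hashlib

# Added example, not code from the question or from any IKEv2 implementation.
# prf is assumed to be PRF_HMAC_SHA2_256; the SK_* values and ID payload bytes
# used below are constructed stand-ins for what IKE_SA_INIT would really derive.

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    # prf+ of RFC 7296 section 2.13: T1 = prf(K, S|0x01), Tn = prf(K, T(n-1)|S|n)
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]

def mix_ppk(ppk: bytes, sk_d: bytes, sk_pi: bytes, sk_pr: bytes):
    # RFC 8784 section 5.1: SK_d' = prf+(PPK, SK_d), SK_pi' = prf+(PPK, SK_pi),
    # SK_pr' = prf+(PPK, SK_pr); each keeps the length of the key it replaces and
    # the PPK itself is never sent, so recovering the DH secret alone does not
    # reveal the mixed keys.
    return (prf_plus(ppk, sk_d, len(sk_d)),
            prf_plus(ppk, sk_pi, len(sk_pi)),
            prf_plus(ppk, sk_pr, len(sk_pr)))

def maced_id_i(sk_pi: bytes, rest_of_init_id_payload: bytes) -> bytes:
    # MACedIDForI = prf(SK_pi, RestOfInitIDPayload) from RFC 7296 section 2.15;
    # under RFC 8784 the initiator substitutes SK_pi' here.
    return prf(sk_pi, rest_of_init_id_payload)

def responder_accepts(ppk_i: bytes, ppk_r: bytes, sk_pi: bytes, id_payload: bytes) -> bool:
    # Both sides share SK_pi from the DH exchange; only the PPK copies may differ.
    # The responder recomputes MACedIDForI with SK_pi' from its own PPK and compares
    # in constant time, so a peer holding a wrong (or no) PPK fails authentication.
    sk_pi_i = prf_plus(ppk_i, sk_pi, len(sk_pi))
    sk_pi_r = prf_plus(ppk_r, sk_pi, len(sk_pi))
    return hmac.compare_digest(maced_id_i(sk_pi_i, id_payload),
                               maced_id_i(sk_pi_r, id_payload))

if __name__ == "__main__":
    ppk = bytes(range(32))                      # constructed PPK
    sk_d, sk_pi, sk_pr = b"D" * 32, b"I" * 64, b"R" * 64
    sk_d2, sk_pi2, sk_pr2 = mix_ppk(ppk, sk_d, sk_pi, sk_pr)
    print(sk_d2.hex(), sk_pi2.hex()[:16], sk_pr2.hex()[:16])
    print(responder_accepts(ppk, ppk, sk_pi, b"\x03\x00\x00\x00alice@example"))
    print(responder_accepts(ppk, bytes(32), sk_pi, b"\x03\x00\x00\x00alice@example"))
```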

kelalaka: This was asked as a canonical question [Why Quantum Key Distribution (QKD) is impractical](https://crypto.stackexchange.com/q/93830/18298) that answers many of the distinctions.

Crypto-Student: The discussion in the canonical question does not address the question asked: Even if all the issues with QKD practicality were addressed, what advantage or attack vectors could QKD protect against as compared to just using a PSK with RFC 8784? Potentially, a stolen PSK would allow an adversary to use man-in-the-middle attacks against either QKD or RFC 8784. Both need a PSK, and both promise quantum-safe transfer. Is RFC 8784 susceptible to more attack vectors that a proponent of QKD could use to indicate that QKD is solving something better than RFC 8784? I could not think of any.

sa flag: A hypothetical secure QKD system would be secure regardless of future developments, including leaking key material. That is, it would provide information-theoretical security. Unlike a cryptographic key exchange scheme. This is typically considered insufficiently important to bother with QKD.

Crypto-Student: A hypothetical secure QKD system would still need to rely on a PSK or seed for authentication at start-up to protect against masquerade attacks. Once one concedes at least one PSK is needed for QKD authentication, and the scheme must rely on a set of protections to keep a single PSK safe, then QKD fails to demonstrate a serious advantage over RFC 8784: Both solutions rely on a PSK; both solutions must protect from both masquerade and eavesdrop attacks. The cost of a masquerade is much higher for QKD, which could be a deterrent to attack, but only because QKD is so expensive compared to simpler solutions.

sa flag: @Crypto-Student Please note the words «future developments». A hypothetical secure QKD only needs computational security *at the time of communication*. A non-QKD scheme needs computational security also in the future. I am not a fan of QKD, but you still need to properly understand its properties.

Crypto-Student: I'm only aware of QKD that always has at least one preshared key or seed to be able to restart the QKD channel and to prevent masquerade attacks. So the PSK for QKD has some non-zero lifetime and needs protection for that lifetime. The PSK for RFC 8784 needs protection forever. If one can protect a PSK for a non-zero lifetime, one could expect one could protect an RFC 8784 key forever.
Score:0

The French cybersecurity organization, ANSSI, seems to have addressed this comparison of a purely symmetric-cryptography-based solution with QKD solutions.

https://www.ssi.gouv.fr/en/publication/should-quantum-key-distribution-be-used-for-secure-communications/

A second, less-known fact is that a purely symmetric-cryptography-based solution compares favorably with practical QKD, that is, QKD paired with symmetric cryptography: it is much easier to deploy than QKD because it only requires standard network infrastructure; and offers comparable security, because it uses the same computational cryptography primitives.

Secure communications based only on symmetric cryptography may be appealing when user sets are fixed or can be managed centrally, and when one sees a value in avoiding the use of asymmetric cryptography altogether, for instance as an extra measure of caution against unknown cryptanalysis algorithms, quantum or otherwise. Publication [4] provides an example of a protocol that could be used in such a case.
