July 26 – 31, 2009, Dagstuhl Seminar 09311
Classical and Quantum Information Assurance Foundations and Practice
From 26 July 2009 to 31 July 2009, the Dagstuhl Seminar 09311 "Classical and Quantum Information Assurance Foundations and Practice" was held in Schloss Dagstuhl – Leibniz Center for Informatics. The workshop was intended to explore the latest developments and discuss the open issues in the theory and practice of classical and quantum information assurance. A further goal of the workshop was to bring together practitioners from both the classical and the quantum information assurance communities. To date, with a few exceptions, these two communities seem to have existed largely separately and in a state of mutual ignorance. It is clear, however, that there is great potential for synergy and cross-fertilization between the two, and this we sought to stimulate and facilitate.
The program included tutorials from both communities aimed at bringing members of the other camp up to speed:
- Intro to modern cryptography (Bart Preneel)
- Intro to provable security (Kenny Paterson)
- Intro to the modelling and formal analysis of cryptographic protocols (Peter Ryan)
- Intro to the theory of quantum cryptography (Charles Bennett)
- Towards quantum key distribution with testable assumptions: a tutorial (Hoi-Kwong Lo)
- Introduction to Universal Composability (Dominique Unruh)
- Practical aspects of QKD (Gregoire Ribordy)
The workshop generated stimulating and at times heated debates on the merits and demerits of quantum cryptography. A participant from the conventional cryptography community claimed that quantum cryptography is essentially useless in practice because of its high cost, low key rate, short distance, limited applications and the need to distribute the initial authentication key material. Moreover, his view was that quantum cryptography is not an effective countermeasure against the threat of quantum computing. He believed that public key cryptographic systems such as NTRU and McEliece could be used, if a quantum computer were ever built in future.
The quantum community countered as follows. First, there is a need for top secret long-term security and quantum cryptography can never reduce security. Second, to break a quantum cryptographic system, one needs to eavesdrop today because there is no classical transcript for a quantum communication. This means an eavesdropper has to invest in quantum technologies in order to eavesdrop. Third, current technological limitations of quantum cryptography such as key rate and distance may be overcome in future. For instance, quantum repeaters could, in principle, extend the distance of quantum cryptography arbitrarily. Fourth, the cost of the quantum cryptographic systems may be absorbed through savings in multiplexing of optical channels in telecom fibers. Fifth, since few quantum people are working on breaking NTRU or McEliece cryptosystems these days, the security of those systems against quantum attacks is largely unknown.
Perhaps a more balanced view to take is that it is important to explore future cryptographic infrastructure. Quantum cryptography, while probably not the only solution, may well play a part in such a future infrastructure.
During the seminar, several participants presented their current research, and ongoing work and open problems were discussed. Abstracts of the presentations given during the seminar as well as abstracts of seminar results and ideas are put together in this paper. Links to extended abstracts or full papers are provided, where available.
- Classical and quantum cryptography and computation