The Shining Cryptographers Net
Here is a rough idea for a quantum-cryptography variant on the DC Net,
the Dining Cryptographers Net invented by David Chaum. It does not
provide as much anonymity as the DC Net, but perhaps will inspire others
to look for a more powerful design.
In a simple version of the DC Net, each pair of cryptographers initially
shares a unique, secret random string (or perhaps they share a seed for
a stream cipher).
A token carrying a bit is passed around the net, and each cryptographer
who has nothing to say XORs the bit with the XOR of the next bit of each
of his random strings. After passing through all the cryptographers,
each random bit has been XORed in twice (once for each of the two
cryptographers who share the string holding that bit) and so the bit
value has not changed in total.
If a cryptographer wants to send a message, when he does his XOR he also
XORs in the next bit of the message. At the end the value of the message
bit will equal the bit which was sent (as long as two people don't try
to talk at once). The source of the message is hidden as each party
sees only random data arriving.
For the quantum version, a photon is passed around the ring instead
of a logical bit. These are thus dubbed the Shining Cryptographers.
The photon starts off with vertical polarization. Each cryptographer
manages a station through which the photon passes, which can be configured
to either rotate the photon polarization 90 degrees, or to leave it alone.
If the cryptographer has nothing to say he leaves the photon alone.
If he wants to say something he uses the next bit of his message to
determine whether to rotate the photon 90 degrees or not.
At the end, the photon polarization is measured by attempting to pass it
through a vertical polarizer. If it passes, the photon has not been
rotated, while if it is absorbed, it was rotated. In this way the
message bit is recovered.
Anonymity derives from the inability of an attacker to measure the photon
without destroying it, unless he can guess its state. The attacker can
confirm a guess at the state, but as soon as he guesses wrong, the photon
will be destroyed. This will allow the attacker's presence to be detected
as soon as he makes a wrong guess. Unfortunately the attacker may be able
to get lucky and acquire considerable information before he is detected.
Here is a way to strengthen the anonymity. Let the photon go around the
ring twice. Each cryptographer randomly chooses whether to rotate the
photon or leave it alone. He does the same transformation both times,
if he has nothing to say. These will then cancel out. However if he
wishes to transmit a 1, he does a different transformation each time,
so there is no canceling. In fact with this system, the cryptographers
are not restricted to 90 degree rotations, but they can choose any pair
of rotations which will add as required.
The attacker now has to guess how much his target is going to rotate
the beam and put probes before and after, and hope he guessed right.
In itself this tells him nothing. He has to further guess whether the
target will rotate by the same or different amount on the second pass,
adjust his probes accordingly, and again hope for a correct guess.
The same principle can be extended by letting the photon go around
the ring multiple times. Players must arrange to rotate the photon by
varying amounts which add to an even multiple of 90 degrees if they are
not sending, or an odd multiple if they are sending a 1. By increasing
the number of times through the loop, the chance of an attacker guessing
right on every transformation can be reduced to a low level.
Hal Finney
