On Fri, Jun 22, 2007 at 08:21:25PM -0400, Leichter, Jerry wrote:
> BTW, on the quantum subway tokens business: In more modern terms,
> what this was providing was unlinkable, untraceable e-coins which
> could be spent exactly once, with *no* central database to check
> against and none of this "well, we can't stop you from spending it
> more than once, but if we ever notice, we'll learn all kinds of
> nasty things about you". (The coins were unlinkable and untraceable
> because, in fact, they were *identical*.) Now, of course, they
> were also physical objects, not just collections of bits. The same
> is true of the photons used in quantum key exchange. Otherwise,
> it wouldn't work. We're inherently dealing with a different model
> here. Where it ends up is anyone's guess at this point.
This relates back to the inutility of QKD as follows: when physical exchanges are required you cannot run such exchanges end-to-end over an Internet -- the middle boxes (routers, etc.) get in the way of the physical exchange. This too is a *fundamental* difference between QKD and classical cryptography. That difference makes QKD useless in *today's* Internet.

IF we had a quantum authentication facility then we could build hop-by-hop authentication to build an Internet out of QKD and QA (quantum authentication). That's a *big* condition, and the change in security models is tremendous, and for the worse, since the trust chains get enormously enlarged.

IMO, QKD's ability to discover passive eavesdroppers is not even interesting (except from an intellectual p.o.v.) given its inability to detect MITMs and its inability to operate end-to-end across middle boxes, while classical crypto provides protection against eavesdroppers *and* MITMs both *and* supports end-to-end operation across middle boxes.

Nico
--

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
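The two claims in Nico's reply (hop-by-hop keying puts every middle box inside the trust chain, and an unauthenticated key agreement cannot detect an active man-in-the-middle the way an authenticated one can) can be made concrete with a small model. The following is an added example written for this thread, not code from either poster: the node names, the SHA-256-keystream "cipher", the 127-bit toy DH group and the pre-shared `auth_key` are all constructed assumptions chosen so the script runs offline with the standard library only.

```python
import hashlib
import hmac
import secrets

# --- toy symmetric primitives (constructed for illustration; not a real cipher) ---
NONCE_LEN = 16

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256-derived keystream (toy stream cipher)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))

def encrypt(key: bytes, data: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, data)

def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])

# --- point 1: hop-by-hop link keys widen the trust chain to every middle box ---
def hop_by_hop(path, link_keys, message):
    """Each adjacent pair shares a link key (what QKD hands two adjacent boxes).
    Every middle box must decrypt and re-encrypt, so it holds the plaintext.
    Returns (plaintext at the last node, set of nodes that held the plaintext)."""
    held_plaintext = {path[0]}
    current = message
    for a, b in zip(path, path[1:]):
        on_wire = encrypt(link_keys[(a, b)], current)
        current = decrypt(link_keys[(a, b)], on_wire)   # b needs plaintext to re-key
        held_plaintext.add(b)
    return current, held_plaintext

def end_to_end(path, e2e_key, message):
    """Endpoints share one key; middle boxes only forward the ciphertext."""
    on_wire = encrypt(e2e_key, message)
    for _middle_box in path[1:-1]:
        pass                               # forwarded unchanged, never decrypted
    return decrypt(e2e_key, on_wire), {path[0], path[-1]}

# --- point 2: detecting a MITM needs authentication, not just key agreement ---
P = 2**127 - 1   # toy Mersenne prime, NOT a secure DH group (assumption)
G = 3

def dh_public(secret: int) -> int:
    return pow(G, secret, P)

def dh_key(their_public: int, secret: int) -> bytes:
    return hashlib.sha256(pow(their_public, secret, P).to_bytes(16, "big")).digest()

def key_exchange(relay_is_active: bool, auth_key=None):
    """Alice and Bob agree a key through a relay (a middle box).
    With auth_key (a pre-shared authentication secret the relay lacks) each
    public value carries an HMAC tag.  Returns (keys_match, mitm_detected)."""
    def tag(public: int) -> bytes:
        if auth_key is None:
            return b""
        return hmac.new(auth_key, public.to_bytes(16, "big"), "sha256").digest()

    a = secrets.randbelow(P - 2) + 2
    b = secrets.randbelow(P - 2) + 2
    alice_pub, bob_pub = dh_public(a), dh_public(b)
    alice_tag, bob_tag = tag(alice_pub), tag(bob_pub)

    if relay_is_active:
        # the relay substitutes its own public value in both directions, but it
        # cannot recompute the tags without auth_key, so they arrive unchanged
        relay_pub = dh_public(secrets.randbelow(P - 2) + 2)
        pub_seen_by_bob, pub_seen_by_alice = relay_pub, relay_pub
    else:
        pub_seen_by_bob, pub_seen_by_alice = alice_pub, bob_pub

    detected = False
    if auth_key is not None:
        bob_ok = hmac.compare_digest(tag(pub_seen_by_bob), alice_tag)
        alice_ok = hmac.compare_digest(tag(pub_seen_by_alice), bob_tag)
        detected = not (bob_ok and alice_ok)

    keys_match = dh_key(pub_seen_by_alice, a) == dh_key(pub_seen_by_bob, b)
    return keys_match, detected

if __name__ == "__main__":
    path = ["Alice", "router1", "router2", "Bob"]
    links = {pair: secrets.token_bytes(32) for pair in zip(path, path[1:])}
    print("hop-by-hop trust set:", hop_by_hop(path, links, b"hello")[1])
    print("end-to-end trust set:", end_to_end(path, secrets.token_bytes(32), b"hello")[1])
    print("passive relay, no auth: ", key_exchange(False, None))
    print("active relay, no auth:  ", key_exchange(True, None))
    print("active relay, with auth:", key_exchange(True, b"pre-shared"))
```

The hop-by-hop run reports every node on the path in the trust set, while the end-to-end run reports only the two endpoints; in the key-agreement runs, the active relay leaves Alice and Bob with different keys and neither notices until the exchange is authenticated, at which point the forwarded tags fail to verify and the tampering is caught.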