At 11:20 PM 1/17/01 -0800, [EMAIL PROTECTED] wrote in part: >>The probability that Eve's measurement will leave the result unchanged is >>3/4, and therefore the probability that she will perturb the result is 1/4. OK so far. Then, for the case of two measurements, >>Eve's chances of perturbing the measurement have increased from >>1/4 to 3/8 by doing two measurements rather than one..... Increasing the >>number of measurements to three reduces the chance of >>success to 9/16, with a 7/16 chance of perturbation. That's not the right way to analyze it. My previous remarks on this subject were partly unclear and partly wrong... and in any case there is a better way to look at it. So let me try again from scratch: There is one distinguished participant; call him Arthur because he sits at the head of the Round Table. In broad outline, the procedure is: a) Arthur emits a photon b) The photon circulates around the ring C times c) Arthur catches the photon and publishes the final result. It simplifies the discussion somewhat if Arthur is not one of the participants; he just reaches in to insert the photon at the beginning, and reaches in to extract it at the end. Note that each of the participants is supposed to just rotate the photon. They just choose the settings on their rotators (Kerr-effect cells or whatever) and wait for the photon to whizz through. They cannot do any additional processing without messing up the algorithm. In particular, any attempt at integrity checking, no matter how well-intentioned, would damage the signal the same way eavesdropping would. We can summarize what we know so far: 1) The algorithm uses physics to more-or-less exclude passive attacks; that is its strength. 2) On the other side of the same coin, this introduces a weakness: it limits the ability to detect active attacks. Therefore, if Eve is smart, she will use an active attack. So let's consider an aggressive, hyper-active attack. Eve need not limit herself to snooping "the signal". What she really wants to know is the "state of mind" of the participants, i.e. the settings of their rotators. If she knows that, she knows everything. She can, as a final step, synthesize a mockup of the final result and feed it to Arthur. Eve can mount a known-plaintext attack against each rotator. That is, she can send in a known photon, or if necessary multiple known photons, and see what comes out. It would not be easy for the participants to detect such an attack directly. They could defend against it to some degree by pre-arranging strict timing requirements on their signals... but they would need to keep these arrangements secret from Eve. At this point AFAICT the whole scheme is in danger of losing its elegance, and perhaps of losing its raison d'etre. Or does somebody have a good defense against this hyper-active attack?

- The Shining Cryptographers Net hal
- Re: The Shining Cryptographers Net John Denker
- Re: The Shining Cryptographers Net Jaap-Henk Hoepman
- Re: The Shining Cryptographers Net hal
- Re: The Shining Cryptographers Net hal
- Re: The Shining Cryptographers Net John Denker
- Re: The Shining Cryptographers Net John Denker
- Re: The Shining Cryptographers Net John Denker

- Re: The Shining Cryptographers Net hal
- Re: The Shining Cryptographers Net Jaap-Henk Hoepman

- Re: The Shining Cryptographers Net hal
- Re: The Shining Cryptographers Net hal
- Re: The Shining Cryptographers Net Bill Stewart

- Re: The Shining Cryptographers Net hal
- Re: The Shining Cryptographers Net Ray Dillinger
- Re: The Shining Cryptographers Net John Denker

- Re: The Shining Cryptographers Net hal
- Re: The Shining Cryptographers Net hal