At 11:20 PM 1/17/01 -0800, [EMAIL PROTECTED] wrote in part:
>>The probability that Eve's measurement will leave the result unchanged is 
>>3/4, and therefore the probability that she will perturb the result is 1/4.

OK so far.  Then, for the case of two measurements,

>>Eve's chances of perturbing the measurement have increased from
>>1/4 to 3/8 by doing two measurements rather than one..... Increasing the 
>>number of measurements to three reduces the chance of
>>success to 9/16, with a 7/16 chance of perturbation.

That's not the right way to analyze it.  My previous remarks on this 
subject were partly unclear and partly wrong... and in any case there is a 
better way to look at it.  So let me try again from scratch:

There is one distinguished participant;  call him Arthur because he sits at 
the head of the Round Table.  In broad outline, the procedure is:
   a) Arthur emits a photon
   b) The photon circulates around the ring C times
   c) Arthur catches the photon and publishes the final result.

It simplifies the discussion somewhat if Arthur is not one of the 
participants;  he just reaches in to insert the photon at the beginning, 
and reaches in to extract it at the end.

Note that each of the participants is supposed to just rotate the 
photon.  They just choose the settings on their rotators (Kerr-effect cells 
or whatever) and wait for the photon to whizz through.  They cannot do any 
additional processing without messing up the algorithm.  In particular, any 
attempt at integrity checking, no matter how well-intentioned, would damage 
the signal the same way eavesdropping would.

We can summarize what we know so far:
   1) The algorithm uses physics to more-or-less exclude passive 
attacks;  that is its strength.
   2) On the other side of the same coin, this introduces a weakness:  it 
limits the ability to detect active attacks.

Therefore, if Eve is smart, she will use an active attack.  So let's 
consider an aggressive, hyper-active attack.

Eve need not limit herself to snooping "the signal".  What she really wants 
to know is the "state of mind" of the participants, i.e. the settings of 
their rotators.  If she knows that, she knows everything.  She can, as a 
final step, synthesize a mockup of the final result and feed it to Arthur.

Eve can mount a known-plaintext attack against each rotator.  That is, she 
can send in a known photon, or if necessary multiple known photons, and see 
what comes out.

It would not be easy for the participants to detect such an attack 
directly.  They could defend against it to some degree by pre-arranging 
strict timing requirements on their signals... but they would need to keep 
these arrangements secret from Eve.  At this point AFAICT the whole scheme 
is in danger of losing its elegance, and perhaps of losing its raison d'etre.

Or does somebody have a good defense against this hyper-active attack?

Reply via email to