# Re: The Shining Cryptographers Net

At 11:20 PM 1/17/01 -0800, [EMAIL PROTECTED] wrote in part:
>>The probability that Eve's measurement will leave the result unchanged is
>>3/4, and therefore the probability that she will perturb the result is 1/4.

OK so far.  Then, for the case of two measurements,

>>Eve's chances of perturbing the measurement have increased from
>>1/4 to 3/8 by doing two measurements rather than one..... Increasing the
>>number of measurements to three reduces the chance of
>>success to 9/16, with a 7/16 chance of perturbation.

That's not the right way to analyze it.  My previous remarks on this
subject were partly unclear and partly wrong... and in any case there is a
better way to look at it.  So let me try again from scratch:

There is one distinguished participant;  call him Arthur because he sits at
the head of the Round Table.  In broad outline, the procedure is:
a) Arthur emits a photon
b) The photon circulates around the ring C times
c) Arthur catches the photon and publishes the final result.

It simplifies the discussion somewhat if Arthur is not one of the
participants;  he just reaches in to insert the photon at the beginning,
and reaches in to extract it at the end.

Note that each of the participants is supposed to just rotate the
photon.  They just choose the settings on their rotators (Kerr-effect cells
or whatever) and wait for the photon to whizz through.  They cannot do any
additional processing without messing up the algorithm.  In particular, any
attempt at integrity checking, no matter how well-intentioned, would damage
the signal the same way eavesdropping would.

We can summarize what we know so far:
1) The algorithm uses physics to more-or-less exclude passive
attacks;  that is its strength.
2) On the other side of the same coin, this introduces a weakness:  it
limits the ability to detect active attacks.

Therefore, if Eve is smart, she will use an active attack.  So let's
consider an aggressive, hyper-active attack.

Eve need not limit herself to snooping "the signal".  What she really wants
to know is the "state of mind" of the participants, i.e. the settings of
their rotators.  If she knows that, she knows everything.  She can, as a
final step, synthesize a mockup of the final result and feed it to Arthur.

Eve can mount a known-plaintext attack against each rotator.  That is, she
can send in a known photon, or if necessary multiple known photons, and see
what comes out.

It would not be easy for the participants to detect such an attack
directly.  They could defend against it to some degree by pre-arranging
strict timing requirements on their signals... but they would need to keep
these arrangements secret from Eve.  At this point AFAICT the whole scheme
is in danger of losing its elegance, and perhaps of losing its raison d'etre.

Or does somebody have a good defense against this hyper-active attack?