martin f krafft wrote:

> This is what I don't buy. If Mallory sees the data, it must be
> detected, because otherwise the approach is flawed.

As I understand it, there are four possible "rotations" for the photon (call them '\', '|', '/' and '-'), so two choices for a filter (straight or slant). A straight filter can reliably tell '|' and '-' apart, but '\' and '/' are going to be unreliable; a slant filter can read '\' or '/' but not '|' or '-'.

If Mallory can guess the correct filter to use, he can reproduce the bit to Bob; if he guesses wrongly, he can still send a random bit to Bob, who will (if he uses the right filter) further randomly interpret that and either get the right or wrong answer (50/50 chance).

Of course, if Mallory *is* Mallory, and not Eve, he is mounting a man-in-the-middle attack, so can conveniently negotiate key A with Alice, key B with Bob, and do the usual :)

Quantum channels are just as sensitive to MitM as any other; without a non-interruptible (if insecure) channel, no key negotiation protocol is ever going to work.
> But in any case does Mallory have the means to completely
> DoS any attempt of communication between the parties,
> simply by reading along, unless there is a dedicated channel
> between Alice and Bob. In which case,
> why is there a need for quantum cryptography in the first place?

QC allows you to negotiate a one-time pad between two nodes joined by an unbroken optical link. It says nothing about the identity of the two nodes, and relies on the optical link being unbroken (a MitM breaks the link, turning it into two independent QC channels that happen to be both to Mallory).

> One chance in 2^C, otherwise it would be deadly, no? But in any
> case, Reasonable keysized DH exchanges give me the same security
> with a lot more flexibility, and a lot less chance for DoS. I still
> don't buy it.

QC really needs an insecure but unbroken link. If that is achievable, then the crypto is OTP and unbreakable (much better than DH). If it is not achievable (and I would doubt that it is), then the key negotiation is broken and the crypto worthless.

>> The foregoing assumed an error-free channel. Things get much
>> worse if the good guys need to do error correction.
> ... which is almost always required.

The incidence should be low - in fact, there are no good reasons to use the QC channel for actual data exchange at all - use normal insecure channels for actual data transfer, protected by the negotiated OTP key. We then have to correct for wrongly read bits from the QC channel, and there you will have difficulty adding EC codes (given any individual bit may be in error), and transmitting hashes of (or worse yet, EC for) the known-received bits insecurely would compromise the OTP key at least a little. I must admit my signal-processing knowledge is weak - maybe another regular could propose a scheme that would work.
To define the problem: GIVEN a transmission line with approximately 50% bit loss, but for which you know which bits were received, and a less than 10% error rate (say) in the received bits, how do you detect and discard/correct the bad bits? I assume there is something in FEC for very unreliable lines like this....

> Sending asymmetrically encrypted data over something like
> the plain old telephone system strikes me as being more secure
> than sending these data over the Internet, and that should hold
> for any encryption used. Unless QC is applicable to the Internet
> (which it won't be, as far as I can tell), I don't see any use
> beyond marketing hype.

Bingo. QC is a hype-only technology - it relies on an unbroken line impervious to MitM, and there ain't no such beast.

> also sprach David Wagner <[EMAIL PROTECTED]>
>> I believe the following is an accurate characterization:
>> Quantum provides confidentiality (protection against eavesdropping),
>> but only if you've already established authenticity (protection
>> against man-in-the-middle attacks) some other way.
>> Tell me if I got anything wrong.
> I don't think this is wrong, but I still don't see how QC guards
> against eavesdropping. No, wrong, I see how a key exchange
> with QC can make it very difficult to eavesdrop the key (more

Without MitM, it is impossible to eavesdrop the photons used for key negotiation. Even assuming you can detect a photon without distorting it in any way (rotation or attenuation), the *only* known way to detect the polarization of a photon is to push it through a filter and see if it comes out the other side. This is the "strong problem" on which QC relies; if that fell, then QC would be worthless.

> also sprach David Wagner <[EMAIL PROTECTED]>
>> One could reasonably ask how often it is in practice that we have
>> a physical channel whose authenticity we trust, but where
>> eavesdropping is a threat. I don't know.

I can't think of a single instance of one suitable to QC.
The usual definition is a broadcast channel - send once, read many - where anyone can read it, but the original sender can discover *fast* any changes, as the sender is also a receiver and can verify the sent data from several places. QC relies on only a single quantum of energy being sent, so obviously two people can't receive the same copy (and therefore the sender can't verify his own transmission).

> How much of a threat really exists in a channel encrypted with
> e.g. Blowfish, 256bit keys, perfect forward secrecy, and a
> session key lifetime of 30 minutes???

Almost none. While OTP has no even theoretical attacks, QC is not OTP (you are negotiating a key, and are therefore transmitting a key protected by a "hard problem" - admittedly one in physics rather than maths), but the drawbacks seem to outweigh the advantages.

> also sprach Arnold G. Reinhold <[EMAIL PROTECTED]> [2003.09.14.0536 +0200]:
>> The 160 GB hard drive has a couple of advantages over quantum key
>> exchange:
> And a disadvantage: disk corruption, which may render your
> channel temporarily inaccessible.

Not a problem - 160 GB hard drives are inexpensive; you don't send one, you send four. If one fails, you transparently switch to the next.

> once someone gets hold of the data on the disk, everyone can read along.

Indeed. OTP *always* breaks down to the key distribution problem - you have to get your key from point A to point B before point B can talk to point A. One guy with a briefcase containing four hot-swap drives is a lot easier to secure than a 200 mile fiber-optic, though.

> It's the same problem of all symmetric algorithms,
> enhanced by the fact that the key data is stored
> on a medium other than a human neural network
> (which to date is only readable by one person)

Nothing stopping you using symmetric crypto to protect the key disk if you want to.

> Has anyone *proven* that there is no way to read
> a quantum bit without altering it?

No. It's the "underlying hard problem" for QC.
If there is a solution to any of the Hard Problems, nobody knows about them.

> also sprach Ian Grigg <[EMAIL PROTECTED]>
>> What you want is to find out where the enemy is
>> listening in, and when. Then, it just becomes
>> another data point in the tracking game.
> I use cryptography; I don't have any enemies
> (at least none that I care about)

Cryptography is 90% paranoia - you *have* enemies, and don't know about them. If you had none at all, you wouldn't bother with crypto (as nobody would ever look at your data even accidentally). It doesn't matter if your enemy is a random ISP tech who likes browsing email spools, or a spook curious as to why you spend so much time sending encrypted messages....

> Using just one link and no redundancy, how can you ever
> check if a stream of random bytes has been correctly received
> on the other side???

That is a FEC problem. As I understand it, a QC key negotiation goes as follows:

- host a generates 2 x 'n' random bits
- host a encodes its 'n' dibits, with one bit determining 90% of rotation and the other 45%, as polarizations of single photons and transmits them to host b
- host b generates 'n' random bits
- host b encodes its 'n' bits as filters (either 0 or 45% rotation) for the 'n' received photons
- host b transmits its 'n' bits plaintext to host a
- host a xors the 45% rotation bits it used with the rotation bits from host b to give it a "bad bit list"
- host a removes bits from the 90% rotation bitset if they are set in the "bad bit list"
- host a transmits the "bad bit list" plaintext to host b
- host b also removes the bad bits

Approximately half the bits in the "bad bit list" would be set, leaving approximately 'n'/2 bits for OTP key material.
(EC is a further problem I have not seen addressed.)

As you can see, eavesdropping the individual photons is a hard problem, and eavesdropping the rotation list from host b and the bad bit list from host a is worthless without the photons (and the rotation list is transmitted *only* after the photons have already been processed by host b).

> Even though eavesdropping changes the data,

Eavesdropping *destroys* the data by removing 50% of the photons almost at random. That is the quantum bit of the process - only a single photon is sent, so it can only be processed (read) by one host; reading the photon destroys its value, and the random element ensures it is incorrectly read 50% of the time.

> But this technology is DoS'able and thus not
> applicable to productive environments. Or is
> there a way I can't easily DoS?

DoS is breaking the transmission link - and a physical attack on the media (or the equipment at either end) would be required.

> This is what initially spawned the thread. So what is QC and
> how is it secure, or even has potential?

I admit to not entirely following the logic behind Quantum Cryptography, but if I am understanding the popularization version - it is using quantum entanglement to run an atomic-level process simultaneously on a large number of random cases (alternate dimensions?) and identify just the case(s) that actually get the "right answer" by forcing the virtual reactions to "interfere" with the reaction in this reality, so that it becomes the answer that works (a bit like how a single photon, fired at a dual slit card in front of a screen, will land in accordance with the interference pattern you would get from photons travelling *both* possible paths through the slit card). Compare with molecular computing, where you run the math as a chemical reaction on a huge number of different molecules (one per possible answer), with the reaction that works altering the molecule representing the answer so that it can be isolated and identified.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
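The sifting procedure the post above lays out (two random bits per photon on host a, a random filter per photon on host b, the exchanged filter list and "bad bit list") and the claim that an eavesdropper who reads the photons corrupts the result can both be checked with a small simulation. The following is an added example, not code from the post or from anyone in the thread. It assumes an idealized lossless, noise-free link, so every mismatch in the sifted key is due to the eavesdropper; it models the eavesdropper as measuring every photon with a random filter and re-sending what she read (the intercept-resend model); and it adds one step the post does not mention but which is standard in BB84: the two hosts reveal a random sample of sifted bits in the clear to estimate the error rate before trusting the rest as key material. All function names are this example's own.

```python
"""BB84-style sifting simulation with an optional intercept-resend eavesdropper.

Added example; not from the original post.  Assumptions: lossless, noise-free
channel (so all errors come from Eve), bases encoded as 0 = straight filter
('|' / '-') and 1 = slanted filter ('\\' / '/'), one photon per bit."""
import random


def measure(photon, basis, rng):
    """Push one photon (bit, basis) through a filter of the given basis.

    Matching basis: the bit is read correctly.  Wrong basis: the outcome is a
    coin flip, and the photon leaves the filter polarized in the new basis.
    Returns the photon as it exists after measurement, i.e. (bit_read, basis)."""
    bit, photon_basis = photon
    if photon_basis == basis:
        return bit, basis
    return rng.randrange(2), basis


def intercept_resend(photons, rng):
    """Eve reads every photon with a randomly chosen filter and re-sends a photon
    carrying whatever she read, polarized in the basis she used."""
    return [measure(p, rng.randrange(2), rng) for p in photons]


def run_bb84(n, rng, eve=False):
    """One key negotiation for n photons.  Returns (alice_key, bob_key) after
    sifting; without an eavesdropper the two lists are identical."""
    # host a: 2n random bits, one value bit and one basis bit per photon
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.randrange(2) for _ in range(n)]
    photons = list(zip(alice_bits, alice_bases))
    if eve:
        photons = intercept_resend(photons, rng)
    # host b: n random filter choices, one measurement per photon
    bob_bases = [rng.randrange(2) for _ in range(n)]
    bob_bits = [measure(p, b, rng)[0] for p, b in zip(photons, bob_bases)]
    # public sifting: b announces its filter bits, a XORs them with its own
    # basis bits to build the "bad bit list", announces it, and both drop
    # every position where the filters disagreed (about half of them)
    bad = [a ^ b for a, b in zip(alice_bases, bob_bases)]
    alice_key = [bit for bit, x in zip(alice_bits, bad) if not x]
    bob_key = [bit for bit, x in zip(bob_bits, bad) if not x]
    return alice_key, bob_key


def estimate_error_rate(alice_key, bob_key, sample, rng):
    """Standard BB84 check (not described in the post): both hosts reveal a
    random sample of sifted bits in the clear, compare them, and discard the
    revealed positions.  Returns (observed error rate, alice_rest, bob_rest).
    Noise-free link + intercept-resend Eve gives about 25% errors here."""
    idx = set(rng.sample(range(len(alice_key)), sample))
    errors = sum(1 for i in idx if alice_key[i] != bob_key[i])
    alice_rest = [b for i, b in enumerate(alice_key) if i not in idx]
    bob_rest = [b for i, b in enumerate(bob_key) if i not in idx]
    return errors / sample, alice_rest, bob_rest


def demo(n=4000, seed=1, eve=False):
    """Run one exchange with a seeded RNG so results are reproducible.
    Returns (sifted key length, sampled error rate, remaining keys agree)."""
    rng = random.Random(seed)
    alice_key, bob_key = run_bb84(n, rng, eve)
    rate, a_rest, b_rest = estimate_error_rate(
        alice_key, bob_key, len(alice_key) // 2, rng)
    return len(alice_key), rate, a_rest == b_rest


if __name__ == "__main__":
    for eve in (False, True):
        length, rate, agree = demo(eve=eve)
        print(f"eve={eve}: sifted {length} of 4000 bits, sampled error rate "
              f"{rate:.3f}, remaining keys agree: {agree}")
```

Running it shows the two points the post makes: sifting keeps roughly n/2 of the bits, and with nobody on the line the sampled error rate is exactly zero, so the remaining bits are usable as pad material. With the intercept-resend eavesdropper the sampled error rate sits near 25%, which is what lets the two hosts notice her; on a real link the same check also absorbs the channel's own bit errors, which is why the error-correction question raised in the post matters in practice.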