On 09/19/2003 12:07 PM, Matt Crawford wrote:
> I'm always stuck on that little step where Alice tells Bob what basis
> she used for each photon sent. Tells him how?

That's a fair question. Here's an outline of the answer.

We choose an eps << 1.

We ask how many people accurately received a
fraction (1-eps) of the bits.
 -- perhaps nobody received that many.  This
    will be detected.  No key exchange will
    take place.  Start over.  Do not pass Go,
    do not collect $200.00.
 -- perhaps one person did.  In this case,
    without loss of generality, we call this
    person Bob.
 -- the laws of quantum mechanics assure us
    that not more than one person will receive
    that many bits.  Quanta cannot be copied.

Alice can then publish in the clear (e.g. on
netnews) what basis she used for transmitting.
This information is of little use to anyone
except Bob (exponentially little, as a function
of eps and other parameters).  Anyone who
tampers with this message can cause a DoS but
not a compromise of the data.

Alice and Bob proceed with the integrity checks
leading to the key exchange as previously described.

After the key exchange has taken place, Alice
and Bob can use the key to set up a tunnel to
keep their discussions private.  Probably one
of the first things they will do is exchange
authentication messages through the newly
created tunnel.  Thereby Alice can decide
whether this Bob is the Bob she wanted to
talk to, as opposed to an impersonator.
Similarly Bob ought to check Alice's creds.

> They need integrity
> protection and endpoint authentication for N bits of basis.

No, the authentication etc. can quite nicely come after the quantum key exchange, as I previously mentioned.

> Is the
> quantum trick ... really as exciting as it's made out to be?

We need a more specific question.

Does quantum key exchange solve all of the world's
problems?  Surely not.

Does quantum key exchange solve *any* of the world's
problems?  More specifically, is there any plausible
scenario where QKE is more cost-effective than
conventional modern crypto, within (say) the next
ten years?  I tend to doubt it, but it's hard to
be sure.  What is the chance of a treeemendous
cryptanalytic breakthrough that will defeat all or
most of the currently-used ciphers?  I'd say the
chance is less than 1%.  But is it less than one
in a million?  Or perhaps more relevantly, what
is the chance that an enemy black-bag artist or a
traitor or a bungler will compromise all my keys
and/or all my plaintext?  The latter is not to
be sneezed at, and puts an upper bound on what
I'm willing to pay for fancy crypto.

To calibrate the sincerity of my estimate:  I
walked away from a potential job managing some
major programs in this area.
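The sifting step the reply outlines (Alice publishing her bases after the fact, Bob keeping only the positions where his basis matched, and tampering showing up as a detectable error rate rather than a leaked key), as an added Python simulation that is not part of the original thread. It assumes an idealised photon model where measuring in the wrong basis yields a uniformly random bit; all function and variable names are made up for this example.

```python
import random

def send_photons(n, rng):
    """Alice picks a random bit and a random basis (0 or 1) per photon."""
    bits = [rng.randrange(2) for _ in range(n)]
    bases = [rng.randrange(2) for _ in range(n)]
    return bits, bases

def measure(bit, prep_basis, meas_basis, rng):
    """Idealised photon measurement: same basis -> exact bit;
    different basis -> uniformly random outcome (the quantum step)."""
    return bit if prep_basis == meas_basis else rng.randrange(2)

def receive(bits, bases, rng, eavesdrop=False):
    """Bob measures each photon in a random basis. With eavesdrop=True an
    intercept-resend attacker measures first in her own random basis and
    re-emits what she saw, which is what disturbs the channel."""
    bob_bases = [rng.randrange(2) for _ in bits]
    bob_bits = []
    for bit, basis, bbasis in zip(bits, bases, bob_bases):
        if eavesdrop:
            eve_basis = rng.randrange(2)
            bit, basis = measure(bit, basis, eve_basis, rng), eve_basis
        bob_bits.append(measure(bit, basis, bbasis, rng))
    return bob_bases, bob_bits

def sift(alice_bits, alice_bases, bob_bases, bob_bits):
    """Alice publishes alice_bases in the clear; both sides keep only the
    positions where Bob happened to measure in the same basis. The
    published bases alone say nothing about the bit values."""
    keep = [i for i, (a, b) in enumerate(zip(alice_bases, bob_bases)) if a == b]
    return [alice_bits[i] for i in keep], [bob_bits[i] for i in keep]

def error_rate(a_key, b_key):
    """Fraction of sifted bits that disagree: the error rate Alice and Bob
    estimate on a sacrificed sample before deciding whether a 'Bob' exists."""
    return sum(x != y for x, y in zip(a_key, b_key)) / len(a_key)

def run(n=4000, seed=1, eavesdrop=False):
    """Returns (sifted key length, error rate) for one constructed run."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    a_bits, a_bases = send_photons(n, rng)
    b_bases, b_bits = receive(a_bits, a_bases, rng, eavesdrop)
    a_key, b_key = sift(a_bits, a_bases, b_bases, b_bits)
    return len(a_key), error_rate(a_key, b_key)

if __name__ == "__main__":
    print("quiet channel   :", run())               # ~n/2 bits, error 0.0
    print("intercept-resend:", run(eavesdrop=True))  # ~n/2 bits, error ~0.25
```

About half the photons survive sifting either way; the difference is that a quiet channel gives an error rate of zero while intercept-resend pushes it to roughly one quarter, which is the signal that no one received (1-eps) of the bits and the exchange must start over.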

---------------------------------------------------------------------
The Cryptography Mailing List