> I'm always stuck on that little step where Alice tells Bob what basis
> she used for each photon sent. Tells him how?
That's a fair question. Here's an outline of the answer.
We choose an eps << 1.
We ask how many people accurately received a fraction (1-eps) of the bits.
 -- perhaps nobody received that many. This will be detected. No key exchange will take place. Start over. Do not pass Go, do not collect $200.00.
 -- perhaps one person did. In this case, without loss of generality, we call this person Bob.
 -- the laws of quantum mechanics assure us that not more than one person will receive that many bits. Quanta cannot be copied.
Alice can then publish in the clear (e.g. on netnews) what basis she used for transmitting. This information is of little use to anyone except Bob (exponentially little, as a function of eps and other parameters). Anyone who tampers with this message can cause a DoS but not a compromise of the data.
Alice and Bob proceed with the integrity checks leading to the key exchange as previously described.
After the key exchange has taken place, Alice and Bob can use the key to set up a tunnel to keep their discussions private. Probably one of the first things they will do is exchange authentication messages through the newly created tunnel. Thereby Alice can decide whether this Bob is the Bob she wanted to talk to, as opposed to an impersonator. Similarly Bob ought to check Alice's creds.
> They need integrity protection and endpoint authentication for N bits of basis.
No, the authentication etc. can quite nicely come after the quantum key exchange, as I previously mentioned.
> Is the quantum trick ... really as exciting as it's made out to be?
We need a more specific question.
Does quantum key exchange solve all of the world's problems? Surely not.
Does quantum key exchange solve *any* of the world's problems? More specifically, is there any plausible scenario where QKE is more cost-effective than conventional modern crypto, within (say) the next ten years? I tend to doubt it, but it's hard to be sure. What is the chance of a treeemendous cryptanalytic breakthrough that will defeat all or most of the currently-used ciphers? I'd say the chance is less than 1%. But is it less than one in a million? Or perhaps more relevantly, what is the chance that an enemy black-bag artist or a traitor or a bungler will compromise all my keys and/or all my plaintext? The latter is not to be sneezed at, and puts an upper bound on what I'm willing to pay for fancy crypto.
To calibrate the sincerity of my estimate: I walked away from a potential job managing some major programs in this area.
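A toy simulation of the basis-announcement step discussed above, added here as an illustration and not part of the original message or of any real QKD system. It models a photon as a (bit, basis) pair, uses the single rule that measuring in the wrong basis returns a random bit, and then walks through Alice publishing her bases in the clear, Bob sifting, and the public error-rate check that decides whether to accept the key or start over. The names, the photon count, the sample fraction and the eps threshold are all assumptions chosen for the demo. It also shows the point made above about the basis announcement: flipping part of it in transit only drives the error rate up and aborts the round, i.e. a denial of service rather than a compromise.

```python
import random

# Added example (not from the original post): a toy BB84 round built around the
# basis-reconciliation step the thread discusses.  Basis 0 = rectilinear,
# basis 1 = diagonal.  Measuring in the wrong basis yields a uniformly random
# bit; that is the only quantum rule this simulation needs.  All names and
# parameters below are assumptions for the demonstration.

def _measure(rng, bit, basis, meas_basis):
    """Measure one photon: right basis returns the bit, wrong basis returns noise."""
    return bit if basis == meas_basis else rng.randrange(2)

def send_and_measure(n, rng, eavesdropper=False):
    """Alice prepares n photons, Bob measures them in random bases.

    With eavesdropper=True a third party measures each photon in a guessed basis
    and re-sends what it saw: quanta cannot be copied, so roughly a quarter of the
    bits Bob later keeps are damaged.  Nothing is published yet."""
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.randrange(2) for _ in range(n)]
    photons = list(zip(alice_bits, alice_bases))
    if eavesdropper:
        resent = []
        for bit, basis in photons:
            guess = rng.randrange(2)
            resent.append((_measure(rng, bit, basis, guess), guess))
        photons = resent
    bob_bases = [rng.randrange(2) for _ in range(n)]
    bob_bits = [_measure(rng, bit, basis, bb) for (bit, basis), bb in zip(photons, bob_bases)]
    return alice_bits, alice_bases, bob_bases, bob_bits

def sift(published_bases, bob_bases):
    """Bob compares Alice's clear-text basis announcement with his own choices.

    He announces (also in the clear) which positions he keeps; both sides drop
    the rest.  The announcement is independent of the bit values, so by itself
    it reveals nothing about the key."""
    return [i for i, (a, b) in enumerate(zip(published_bases, bob_bases)) if a == b]

def estimate_error(rng, a_key, b_key, sample_fraction=0.5):
    """Publicly compare a random sample of sifted bits, then throw the sample away.

    Returns the observed error rate and the remaining, unrevealed key bits."""
    idx = list(range(len(a_key)))
    rng.shuffle(idx)
    sample = set(idx[: int(len(idx) * sample_fraction)])
    errors = sum(1 for i in sample if a_key[i] != b_key[i])
    rate = errors / max(1, len(sample))
    rest_a = [a_key[i] for i in range(len(a_key)) if i not in sample]
    rest_b = [b_key[i] for i in range(len(b_key)) if i not in sample]
    return rate, rest_a, rest_b

def reconcile(n=2000, seed=1, eps=0.05, eavesdropper=False, tamper_fraction=0.0):
    """One full round: send, publish bases, sift, check, then accept or start over.

    tamper_fraction flips that share of Alice's published bases in transit,
    modelling someone meddling with the clear-text announcement."""
    rng = random.Random(seed)
    a_bits, a_bases, b_bases, b_bits = send_and_measure(n, rng, eavesdropper)
    # Alice's announcement as Bob receives it (possibly altered on the way).
    published = [b ^ 1 if rng.random() < tamper_fraction else b for b in a_bases]
    keep = sift(published, b_bases)          # Bob's reply: the positions he keeps
    a_key = [a_bits[i] for i in keep]        # Alice keeps the same positions
    b_key = [b_bits[i] for i in keep]
    rate, a_key, b_key = estimate_error(rng, a_key, b_key)
    accepted = rate <= eps                   # too many errors: no key, start over
    return {
        "accepted": accepted,
        "error_rate": rate,
        "key_length": len(a_key) if accepted else 0,
        "keys_match": a_key == b_key,
    }

if __name__ == "__main__":
    for label, kw in [("quiet channel", {}),
                      ("intercept-resend observer", {"eavesdropper": True}),
                      ("tampered basis announcement", {"tamper_fraction": 0.5})]:
        print(label, reconcile(**kw))
```

On a quiet channel the sampled error rate is zero and about a quarter of the photons survive as key (half sifted, half of those sacrificed to the check). With an intercept-resend observer, or with half of the basis announcement flipped in transit, the observed error rate sits near 25%, far above any sensible eps, and the round is abandoned. The tampered case is the denial of service mentioned above: the meddler learns nothing, Alice and Bob simply get no key this round.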
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]