I'm always stuck on that little step where Alice tells Bob what basis
  she used for each photon sent.  Tells him how?  They need integrity
  protection and endpoint authentication for N bits of basis.  Is the
  quantum trick converting those N bits to N/2 privacy-protected bits
  really as exciting as it's made out to be?

They need integrity and data origin authentication, but not
confidentiality.  This is what is referred to as the "public channel"
in QC papers.  The standard approach (in papers) is to use universal
hashing.  This is just math, with no quantum aspects.  But, it enables
authenticating an arbitrarily long string of bits with a single key,
just like one can MAC a long message with HMAC-SHA1.

The difference is that because of the hash construction there are two
key property changes from an HMAC such as used in IPsec:

  One can prove that the odds of a forgery are vanishingly small (1 in
  $2^{n-1}$ for n bit keys, or something like that), even with an
  adversary with infinite computational power.

  You can only use the key once (or perhaps twice).  Otherwise, an
  adversary can recover it.  This results in needing a constant stream
  of authentication keying material.

Whether these two properties are a good tradeoff from HMAC in practice
for any particular situation and threat model is an interesting

See "Universal Classes of Hash Functions", by Carter and Wegman,
Journal of Computer and System Sciences 18, 143-154 (1979) for the
canonical paper on universal hashing.

        Greg Troxel <[EMAIL PROTECTED]>

The Cryptography Mailing List