I'm always stuck on that little step where Alice tells Bob what basis she used for each photon sent. Tells him how? They need integrity protection and endpoint authentication for N bits of basis. Is the quantum trick converting those N bits to N/2 privacy-protected bits really as exciting as it's made out to be?

They need integrity and data origin authentication, but not confidentiality. This is what is referred to as the "public channel" in QC papers. The standard approach (in papers) is to use universal hashing. This is just math, with no quantum aspects. But, it enables authenticating an arbitrarily long string of bits with a single key, just like one can MAC a long message with HMAC-SHA1. The difference is that because of the hash construction there are two key property changes from an HMAC such as used in IPsec: One can prove that the odds of a forgery are vanishingly small (1 in $2^{n-1}$ for n bit keys, or something like that), even with an adversary with infinite computional power. You can only use the key once (or perhaps twice). Otherwise, an adversary can recover it. This results in needing a constant stream of authentication keying material. Whether these two properties are a good tradeoff from HMAC in practice for any particular situation and threat model is an interesting question. See "Universal Classes of Hash Functions", by Carter and Wegman, Journal of Computer and System Sciences 18, 143-154 (1979) for the canonical paper on universal hashing. -- Greg Troxel <[EMAIL PROTECTED]> --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]