Re: quantum hype

2003-09-21 Thread Arnold G. Reinhold
At 6:38 PM -0400 9/18/03, John S. Denker wrote:
> Yes, Mallory can DoS the setup by reading (and thereby
> trashing) every bit.  But Mallory can DoS the setup by
> chopping out a piece of the cable.  The two are equally
> effective and equally detectable.  Chopping is cheaper and
> Other key-exchange methods such as DH are comparably
> incapable of solving the DoS problem.  So why bring up
> the issue?
It seems to me that because key-exchange methods such as DH only 
depend on exchanging bits (as opposed to specifying a physical 
layer), they can rely on a wide variety of techniques to combat DoS. 
If Bob and Alice can safeguard their local connections to the 
Internet, its multi-routing properties provide significant DoS 
protection. Other options available to them include the switched 
telephone network, wireless, LEO satellites, cybercafes, 
steganography, HF radio, and even postal mail. In addition, DH users 
have no need to call attention to themselves by leasing a fiber-optic 

Arnold Reinhold

The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: quantum hype

2003-09-21 Thread Peter Fairbrother
There are lots of types of QC. I'll just mention two.

In classic QC Alice generates polarised photons at randomly chosen either
+ or x polarisations. Bob measures the received photons using a randomly
chosen polarisation, and tells Alice whether the measurement polarisation he
chose was + or x, on an authenticated but non-secret channel. Alice
replies with a list of correct choices, and the shared secret is calculated
according to whether the + polarisations are horizontal or vertical,
similarly for the slant polarisations.

If the channel is authentic then a MitM is hard - but not impossible. The
no-cloning theorem is all very well, but physics actually allows imperfect
cloning of up to 5/6 of the photons while retaining polarisation, and this
should be allowed for as well as the noise calculations. I don't know of any
existing OTS equipment that does that.

A lasing medium can in theory clone photons with up to 5/6 of them retaining
enough polarisation data to use as above, though in practice the noise is
usually high.

There is also another less noisy cloning technique which has recently been
done in laboratories, though it doubles the photon's wavelength, which would
be noticeable, and I can't see offhand how in practice to halve the wavelength
again without losing polarisation (except perhaps using changing
gravitational fields and the like); but there is no theory that says that
that can't be done.

In another type of QC Alice and Bob agree on the measurement angles (any
angles, not just multiples of 45 deg) they will use, and Alice generates a
pair of entangled photons, sending one to Bob. Both measure the individual
photons at that angle, and the shared secret is generated according to
whether the photons pass the filter.

If the agreed-on measurement angles are kept secret, and noise bounds etc.
are obeyed, then a MitM is hard as before except the theoretical maximum
ratio of clonable photons is lower - but it isn't much use, except as an
OTP key multiplier.

There are a zillion variations on these themes, and other types of QC. For
instance Alice can send Bob data rather than generating a random shared
secret, and without a separate channel, if she generates the quantum string
using a preshared secret. Mallory can get 1/2 of the bits, but AONTs can
defend against that, and if properly implemented no MitM is possible.

And so on.

Peter Fairbrother

Re: quantum hype

2003-09-21 Thread Dave Howe
> no. it's the underlying hard problem for QC. If there is
> a solution to any of the Hard Problems, nobody knows about them.
right, so it's no better than the arguable hard problem of
factoring a 2048 bit number.
Peter Fairbrother may well be in possession of a break for the QC hard
problem - his last post stated there was a way to clone photons with
high accuracy in retention of their polarization (at the cost of an
irrelevant increase in wavelength) so that Mallory could test photons with
BOTH filters, determining the value of the bit (from the correct filter
which would show a strong bias to the correct bit value) and the
orientation (given the incorrect filter would be roughly 50/50)

> wrong. i don't consider those that shouldn't know about
> some things to be my enemies. i know that crypto is
> useful when someone actively seeks information.
Hmm. normally, the agent attempting to intercept your traffic is termed
the attacker; I don't know many attackers that aren't enemies :)

> but if i want my girlfriend not to see those
> mails i send to this other chick (i have no
> girlfriend btw),
I suspect my wife might not like it if I had one :)

> i encrypt them and guard against the risk that i leave
> the window open when she comes home and she
> accidentally hits enter to read that email.
but not against you accidentally leaving the plaintext window open, or
your system having stored a draft of the plaintext someplace.
endpoint security is typically much, much harder than transmission
security (despite key exchange not being an issue) simply because so many
standard machines and software are orientated towards data loss prevention,
not security.

> i guess it's a matter of definition, so let's just leave it there.
indeed. perhaps interceptor rather than enemy would be closer?

> You seem to have a lot more of a grasp than I.
I am (as usual) standing on the shoulders of giants; I am simply repeating
my understanding of what they said trying to dumb it down to my miserable
level :)

> Anyhow, we are deviating here and there from the topic.
> So let me summarise:
>   - QC, if correctly used, can serve as the basis for OTP
correct - it is a key negotiation method, not an actual transmission

>   - The provable security of QC thus actually comes from OTP.
no, the provable security of OTP is a given. the security of QC comes from
not being able to determine the polarization of a photon without pushing
it through a filter and seeing if it fits :)

>   - QC needs an unbroken channel. The channel does not have to be
> private because an observer destroys photons, which can be
destroying photons would mean breaking (diverting the flow of photons
down) the channel, so there is no real distinction.

>   - This observer could DoS the communication, but that's akin to
> cutting the land-line.
indeed. not only akin, but actually a case of :)

>   - Actually, no, because if I don't rely on QC but have other
> means, I can switch to another medium if someone cuts my
in fact, you would be better served using another channel (or channels)
for actual data, and keeping the optical channel for key negotiation only.
a successful MiTM attack relies on controlling *all* the communications
between alice and bob. if there are multiple channels, and even one is
missed, alice and bob can determine there was a middleman involved and the
attack breaks down. Ideal for transmitting the actual data would be (say)
a broadcast medium; alice can check her own transmissions, and bob can read

> Btw: is this list archived?
and in general terms, always assume mailing lists are not only archived,
but read avidly by the enemies I have and you haven't got ;)
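The two posts above describe the same mechanism from two angles: Peter Fairbrother's walk-through of the + / x polarisation exchange with basis comparison over an authenticated public channel, and Dave Howe's point that the security rests on not being able to read a photon's polarisation without pushing it through a filter. The following classical simulation is an added example, not code from either poster or from any QC product; it models only the rule that measuring in the wrong basis yields a random bit and leaves the photon in the measuring basis, using a seeded PRNG for all "quantum" randomness. It runs the sifting step, computes the error rate of the sifted key, and shows the detection step the parties rely on: an intercept-resend observer who guesses a basis for every photon forces roughly a quarter of the sifted bits to disagree, which a public comparison of a sacrificed sample reveals. The 11% abort threshold is the bound usually quoted for BB84 and is a parameter here, not something the thread specifies.

```python
"""Classical simulation of polarisation-basis key exchange (added example).

Alice prepares bits in a random + or x basis, Bob measures in a random basis,
and both keep only positions where the bases agree (the "list of correct
choices" exchanged over the authenticated, non-secret channel). An optional
intercept-resend observer measures each photon in a guessed basis and re-emits
it; the disturbance shows up as errors in the sifted key.
"""
import random

BASES = ("+", "x")


def measure(bit, basis, measure_basis, rng):
    """Outcome of measuring a photon prepared as (bit, basis) in measure_basis.
    Matching basis: the prepared bit. Mismatched basis: a uniformly random bit."""
    return bit if basis == measure_basis else rng.randrange(2)


def bb84(n, rng, eavesdrop=False):
    """Send n photons and return the sifted keys (alice_key, bob_key)."""
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.choice(BASES) for _ in range(n)]
    bob_bases = [rng.choice(BASES) for _ in range(n)]
    bob_bits = []
    for bit, basis, bob_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            # Intercept-resend: the observer guesses a basis, measures, and
            # re-emits a photon in the basis it used, not the one Alice chose.
            guess = rng.choice(BASES)
            bit, basis = measure(bit, basis, guess, rng), guess
        bob_bits.append(measure(bit, basis, bob_basis, rng))
    # Sifting: only the bases are compared in public; bit values stay private.
    keep = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    return [alice_bits[i] for i in keep], [bob_bits[i] for i in keep]


def qber(alice_key, bob_key):
    """Bit error rate of the sifted key: fraction of positions that disagree."""
    return sum(a != b for a, b in zip(alice_key, bob_key)) / len(alice_key)


def check_and_distil(alice_key, bob_key, rng, sample_frac=0.25, threshold=0.11):
    """Publicly compare a random sample of the sifted key and abort if its error
    rate exceeds threshold (assumed parameter; 11% is the figure usually quoted
    for BB84). Sampled positions are discarded from the surviving key.
    Returns (accepted, key)."""
    n = len(alice_key)
    sample = set(rng.sample(range(n), max(1, int(n * sample_frac))))
    errors = sum(alice_key[i] != bob_key[i] for i in sample)
    if errors / len(sample) > threshold:
        return False, []
    return True, [alice_key[i] for i in range(n) if i not in sample]


def demo(n=4000, seed=7, eavesdrop=False):
    """Run one exchange; returns (sifted_len, error_rate, accepted, final_len)."""
    rng = random.Random(seed)
    a, b = bb84(n, rng, eavesdrop)
    accepted, key = check_and_distil(a, b, rng)
    return len(a), qber(a, b), accepted, len(key)


if __name__ == "__main__":
    for eve in (False, True):
        print("observer present" if eve else "no observer", demo(eavesdrop=eve))
```

Without an observer the sifted keys agree exactly and about half the photons survive sifting; with the observer present the error rate sits near 25%, and the sample comparison aborts the exchange. Note what the simulation does not model: detector noise, loss, or the imperfect-cloning attacks Peter mentions, all of which lower the margin between a noisy-but-honest channel and an observed one and are the reason the abort threshold matters in practice.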

Re: quantum hype

2003-09-21 Thread Andreas Gunnarsson
On Sun, Sep 21, 2003 at 01:37:21PM +0100, Peter Fairbrother wrote:
[cloning photons]
> There is also another less noisy cloning technique which has recently been
> done in laboratories, though it doubles the photon's wavelength, which would
> be noticeable,

To get rid of the wavelength change it sounds like you just have to
produce a new photon with half the wavelength, clone it and then clone
one of the clones and measure whether it matches the intercepted one. If
it does, forward its clone, otherwise choose another one.

I am a little skeptical though, does this really work? I would expect that
measuring one clone would affect its twin just as if it was measured

The Code Book - in CD form

2003-09-21 Thread Ian Grigg
Has anyone reviewed Simon Singh's CD version
of The Code Book ?


After 12 months of intense development, the interactive
CD-ROM version of The Code Book is now available. I might
be biased, but I think that it is brilliant. Don't be
confused by the ridiculously low price, because this
CD-ROM contains tons of fascinating and dynamic material,
  1. Encryption tools,
  2. Code breaking tools,
  3. Dozens of video clips,
  4. Coded messages to crack,
  5. Material for teachers, e.g., worksheets,
  6. A realistic, virtual Enigma cipher machine,
  7. A beginner's cryptography tutorial,
  8. A history of codes from 1000BC to 2000AD,
  9. Material for junior codebreakers,
10. Interviews with Whit Diffie and Clifford Cocks, 
11. Sections on public key crypto & RSA,
12. An animated section on quantum cryptography.
The CD-ROM is ideal for teenagers, parents who want to
encourage an interest in science and mathematics in their
children, grown-ups interested in the history of cryptography,
amateur codebreakers and anybody who wants to know about
encryption in the Information Age.
