Re: On hash breaks, was Re: First quantum crypto bank transfer
From: Jerrold Leichter [EMAIL PROTECTED]
Sent: Aug 24, 2004 7:18 AM
To: Joseph Ashwood [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: On hash breaks, was Re: First quantum crypto bank transfer

[[Note: I've tried to sort out who wrote what, but something odd was going on in the quoting of the messages, so I may have it all wrong]]

...

| Actually for years the cryptography community has been saying
| retire MD5, ...because it's been seen as giving too short a hash,
| and because of a minor weakness - widely described as
| certificational - in the compression function that no one ever
| showed lead to an attack. (While the details of the current attack
| aren't yet completely clear, the fact that it worked on so many
| functions strongly indicates that the particular weakness in the MD5
| compression function has nothing to do with it.) The advice may have been prudent, but it doesn't rise to the level of a theory for distinguishing good from bad hash functions.

How about this: When someone finds any collision at all in your hash compression function, even a pseudocollision or a free-start collision, it's time to change hash functions. This is true, even when the alternatives are slower, and the existing attacks don't yet turn into a full attack.

Also, when your collision resistance is known to be vulnerable to brute-force collision attacks, you really need to stop using it. Even when the alternatives are slower, and you think you can maybe get away with using MD5 here if the stars all line up properly.

Now, for fielded hardware and (to some extent) software, you can try to phase out the use of the broken primitive, if the attack isn't yet leading to a practical fast collision-finding algorithm. If MD5 had started being phased out when the pseudocollision attack was found, or even when the Dobbertin attack was found, it seems like we'd be in better shape now.

...
| So basically I encourage my clients to maintain good business | practices which means that they don't need to have belief in the | long term security of AES, or SHA-1, or RSA, or . This is | just good business, and it is a process that evolved to deal with | similar circumstances. Real good business practice has to make judgements about possible risks and trade them off against potential costs. I quite agree that your advice is sound. But that doesn't change the facts: Our theoretical bases for security are much weaker than we sometimes let on. We can still be surprised. True. But was anyone surprised at another attack on MD5, which had already had two high-profile attacks on its compression function? Was anyone surprised at an attack on HAVAL? Suppose a year ago I offered the following bet: At the next Crypto, all but one of the widely-discussed hash functions will be shown to be fundamentally flawed. What odds would you have given me? You would have lost the bet. Where's the fundamental flaw in SHA1, SHA256, SHA512, or RIPE-MD160? Where's the fundamental flaw in Whirlpool? There may *be* such flaws in any or all of these hashes, but they haven't been shown yet. (Phil Hawkes' results on SHA256 look interesting; it will be interesting to see if they lead anywhere, but it sure doesn't look trivial to control those corrective patterns with choices of message block differences.) What odds would you have given me on the following bet: At the next Crypto, an attack against AES that is substantially better than brute force will be published? If the odds were significantly different, how would you have justified the difference? Remember that we had the algebraic attacks, which claimed the ability to break the whole AES, though the attacks apparently don't work as claimed because of a miscounting of variables. (It's certainly possible that someone will find an algebraic attack on AES.) 
Let's update the question to today: Replace widely-discussed hash functions with SHA-1 and the related family. Keep the AES bet intact. But let's go out 5 years. Now what odds do you give me? Why?

I don't know. If you had to build something today to be secure, it wouldn't be crazy to use SHA1, IMO. But you just can't ever rule out cryptanalytic advances of this kind. I think the difference between block ciphers and hash functions is that there's a much better developed theory of block cipher design and analysis in the public world than for hash function design and analysis. This may be changing, though. And new attacks (algebraic attacks, the integral attack that is so effective against reduced-round Rijndael versions) are always coming up, even so. I think seriously trying to beat up on our algorithms, publishing intermediate results, etc., is the best we can do at our current state of knowledge.

-- Jerry

--John Kelsey

- The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: First quantum crypto bank transfer
| ... the comments I've seen on this list and elsewhere have been much
| broader, and amount to QM secure bit distribution is dumb, it solves
| no problem we haven't already solved better with classical
| techniques.
|
| Most of the comments on this list are more nuanced than that.

Perhaps we hear them differently.

| Examples of sensible comments include:
| -- We have seen claims that QM solves the key distribution
| problem. These claims are false.

I'm not sure what the key distribution problem would be or what solving it would mean. As we all know, the real problem with OTP systems is that you have to distribute as much keying material, securely, as you have material to protect. So OTP pretty much comes down to leveraging a single secure channel to produce another. In all practical instances I know of, the two channels are separated in time and space: You leverage the security of your diplomatic pouch today to get secure messages from a spy tomorrow. QM key sharing lets you build an OTP with a shared transmission medium and an arbitrarily small time separation. This is new. It gives you guarantees that the bits sent have not been intercepted. That's new. Certainly, it doesn't solve MITM attacks, as mathematical abstractions. What it does is reduce protection from MITM attacks to protection of physical assets. All crypto ultimately has to rest on that - if you can't protect your keys, nothing works. The nature of the system that must be protected, and the kind of protection, are somewhat different than in traditional systems, but the inherent problem is neither eliminated nor made inherently worse.

| -- _Commercialization_ of QM bit-exchange is dumb, for now
| and for the foreseeable future

Here, I'll pretty much agree with you.

| Also, there is a world of difference between:
|
| 1. Showing something is possible in principle;
| 2. Making it work on the lab bench;
| 3. Making it into something that works in the real world.
|
| For QM key exchange, step 1 goes back maybe 10-15 years, and most
| people thought it was a curiosity - that you could never maintain
| coherence except in free space and over short distances.
|
| That's backwards. Quantum crypto free in space is hard.

The thought experiments on this always involve simple pictures in free space. I agree, actually *doing* anything in free space over macroscopic distances is a non-starter.

| It's
| much easier to use a single-mode fiber, over distances such
| that there is little total attenuation (which can be a quite
| macroscopic distance, since the attenuation is a fraction of
| a db/km if you do it right).
|
| Step 2 is a couple of years back, the first surprise being that you
| could actually make things work through fiber, then through a couple
| of Km of fiber coiled on a bench.
|
| Again, that diametrically misstates the physics. Propagation
| through a couple km of fiber shouldn't have surprised anybody.

I think that's obvious now, but might not have been so obvious 20 years ago. (For that matter, just how long have we had usable multi-km single-mode fibers?)

| BTW, if we look at QM *computation* in comparison, we've barely made
| it through Step 1. There are still plausible arguments that you
| can't maintain coherence long enough to solve any interesting
| problems.
|
| Within a year of the invention of quantum computation,
| people were working on quantum error correction.

Actually, they started off pointing out that error correction couldn't be done in QM systems without unmixing the states, thus losing the essence of the computation. Well, it turned out that things are more subtle than that. Don't take this as a criticism of those who said quantum error correction was impossible! This is all new, complex physics. We're wrong before we're right.

| This
| is interesting work and has had spin-offs in the form
| of changing how people think about error correction even
| in non-quantum systems.
| And it has had spin-offs
| applicable to quantum cryptography, i.e. showing how it
| is possible to survive a modest amount of attenuation.
|
| Some of the papers I've seen solve the problem only in their titles:
| They use a QM system, but they seem to only make classical bits
| available for general use.
|
| Huh? The world abounds in QM systems that produce classical
| results, including e.g. transistors, lasers, practically all of
| chemistry, etc. etc. etc. Quantum computers produce classical
| results because that is what is desired.

You miss my point. Papers have been published - there's not much point dredging them up - whose title and abstract implies that they are providing a way to store and manipulate qubits, but when you look at what they actually end up providing, you can't *use* them as qubits, just classical bits. (What a surprise: There are poor papers
Re: First quantum crypto bank transfer
Jerrold Leichter wrote:

... the comments I've seen on this list and elsewhere have been much broader, and amount to QM secure bit distribution is dumb, it solves no problem we haven't already solved better with classical techniques.

Most of the comments on this list are more nuanced than that. Examples of sensible comments include:
-- We have seen claims that QM solves the key distribution problem. These claims are false.
-- _Commercialization_ of QM bit-exchange is dumb, for now and for the foreseeable future.

I am reminded of a slide Whit Diffie showed (in a different context) of an attempt to build a picket fence consisting of a single narrow pale a mile high ... while the rest of the perimeter remains undefended. That's a dumb allocation of resources. The opposition aren't going to attack the mega-pale; they are going to go around it. QM doesn't solve the whole problem. Sensible research should not be directed toward making the tall pale taller; instead it should be directed toward filling in the gaps in the fence.

Even if some snake-oil salesmen have attached themselves to the field doesn't say research in the field is worthless.

Be that as it may, there are other grounds for judging the commercialization projects to be near-worthless.

Also, there is a world of difference between:
1. Showing something is possible in principle;
2. Making it work on the lab bench;
3. Making it into something that works in the real world.

For QM key exchange, step 1 goes back maybe 10-15 years, and most people thought it was a curiosity - that you could never maintain coherence except in free space and over short distances.

That's backwards. Quantum crypto free in space is hard. It's much easier to use a single-mode fiber, over distances such that there is little total attenuation (which can be a quite macroscopic distance, since the attenuation is a fraction of a db/km if you do it right).
Step 2 is a couple of years back, the first surprise being that you could actually make things work through fiber, then through a couple of Km of fiber coiled on a bench.

Again, that diametrically misstates the physics. Propagation through a couple km of fiber shouldn't have surprised anybody.

BTW, if we look at QM *computation* in comparison, we've barely made it through Step 1. There are still plausible arguments that you can't maintain coherence long enough to solve any interesting problems.

Within a year of the invention of quantum computation, people were working on quantum error correction. This is interesting work and has had spin-offs in the form of changing how people think about error correction even in non-quantum systems. And it has had spin-offs applicable to quantum cryptography, i.e. showing how it is possible to survive a modest amount of attenuation.

Some of the papers I've seen solve the problem only in their titles: They use a QM system, but they seem to only make classical bits available for general use.

Huh? The world abounds in QM systems that produce classical results, including e.g. transistors, lasers, practically all of chemistry, etc. etc. etc. Quantum computers produce classical results because that is what is desired.

The contrast between this work and QM key exchange is striking.

If the intent is to make quantum cryptography sound better than quantum computation, the point is implausible and unproven. If the intent is to make the best results in quantum crypto sound better than the lamest parts of quantum computation, then the comparison is (a) unfair and (b) hardly a ringing endorsement of quantum crypto.

after all, transistors were invented to build phone lines, not computers!

It's not true that transistors were invented solely for application to phone lines. Even if it were true, it would be irrelevant for multiple reasons.
For starters, keep in mind that the big computers built during the 1940s were built using vast amounts of telecom switch gear. Bletchley Park relied on engineers from the Post Office (which was the 'phone company' in those days). And even if the facts had been otherwise, arguments about the near-term applicability of one technology are largely irrelevant to the near-term applicability of another technology.
Re: First quantum crypto bank transfer
At 02:02 AM 8/23/2004, Florian Weimer wrote:

* Bill Stewart: I agree that it doesn't look useful, but lawful intercept is harder, if you're defining that as undetected eavesdropping with possible cooperation of the telco in the middle, because quantum crypto needs end-to-end fiber so there's nothing the telco can help with except installing dark fiber, and the quantum crypto lets you detect eavesdroppers.

But this doesn't scale. You'd need dark fiber to all communication partners.

Yes. That's part of one definition of doesn't look useful.

So if quantum key distribution was mandated for applications involving more than just a handful communication partners, you'd need relays (or rather unlikely advances in optical circuit switching).

It would be possible to use it as link encryption, giving up the benefits of end-to-end in return for better scaling, but you could still make all the relaying happen in the user organization's facilities, rather than in a telco building that's outside the user organization's control. (Just because something isn't very useful doesn't mean you can't at least try to do the job semi-correctly...)

By the way, the complete bashing of the recent QKD experiment is probably not totally deserved. Apparently, the experimenters used a QKD variant that relies on quantum teleportation of photons. This QKD variant is currently *not* available commercially, and the experiment itself could well be an important refinement of Zeilinger's earlier work in this area.

That's at least interesting, though I don't see why you'd take the experiment out of the lab without a really well-defined benefit to the end user (unless you've got a research grant.) I'm surprised to hear that _any_ quantum key distribution variant is available commercially, given the costs of dedicating fiber and the effectiveness of current mathematical crypto or the alternative approach of couriers with briefcases and handcuffs.

Bill Stewart [EMAIL PROTECTED]
Re: On hash breaks, was Re: First quantum crypto bank transfer
| Alternatively, how anyone can have absolute confidence in conventional | crypto | in a week when a surprise attack appears against a widely-fielded | primitive | like MD5 is beyond me. Is our certainty about AES's security really any | better today than was our certainty about RIPEM - or even SHA-0 - was | three | weeks ago? | -- Jerry | | Actually for years the cryptography community has been saying retire MD5, ...because it's been seen as giving too short a hash, and because of a minor weakness - widely described as certificational - in the compression function that no one ever showed lead to an attack. (While the details of the current attack aren't yet completely clear, the fact that it worked on so many functions strongly indicates that the particular weakness in the MD5 compression function has nothing to do with it.) The advice may have been prudent, but it doesn't rise to the level of a theory for distinguishing good from bad hash functions. | SHA-0 has been required to be replaced by SHA-1 for some time, because the NSA said so. It turns out they were ahead of public crypto by a couple of years. I will grant you that this is indirect evidence that NSA has no attacks on AES, since this is now the second time that they've strengthened a proposed primitive against which no publically-known attacks existed. It tells us little about how strong AES actually is - and absolutely nothing about any other system out there, since NSA has no reason to comment on those and every reason not to. | the RIPEM | series is functionally-speaking unused ...but not because anyone thought there was a weakness. MD5 happened to be widely used, SHA-1 had standards pushing it; little room was left for another hash. |and represented the only real | surprise. Except for RIPEM there were known to be reasons for this, MD5 was | known to be flawed, SHA-0 was replaced because it was flawed (although | knowledge of the nature of the flaw was hidden). 
| Even with RIPEM (and SHA-1
| for the same reason) I have plans in place (and have had for some time) the
| move away from 160-bit hashes to larger ones, so the attack on RIPEM had
| little effect on me and my clients, even a full attack on SHA-1 would have
| little effect on the clients that actually listen (they all have backup
| plans that involve the rest of the SHA series and at the very least
| Whirlpool).

Moving to a larger hash function with no underlying theory isn't very far from the million-bit key algorithms you see all over the place. Bigger probably can't be worse, but is it really better?

| So basically I encourage my clients to maintain good business practices
| which means that they don't need to have belief in the long term security of
| AES, or SHA-1, or RSA, or . This is just good business, and it is a
| process that evolved to deal with similar circumstances.

Real good business practice has to make judgements about possible risks and trade them off against potential costs. I quite agree that your advice is sound. But that doesn't change the facts: Our theoretical bases for security are much weaker than we sometimes let on. We can still be surprised.

Suppose a year ago I offered the following bet: At the next Crypto, all but one of the widely-discussed hash functions will be shown to be fundamentally flawed. What odds would you have given me?

What odds would you have given me on the following bet: At the next Crypto, an attack against AES that is substantially better than brute force will be published? If the odds were significantly different, how would you have justified the difference?

Let's update the question to today: Replace widely-discussed hash functions with SHA-1 and the related family. Keep the AES bet intact. But let's go out 5 years. Now what odds do you give me? Why?

-- Jerry
Re: On hash breaks, was Re: First quantum crypto bank transfer
Joe Ashwood writes:

Except for RIPEM there were known to be reasons for this, MD5 was known to be flawed, SHA-0 was replaced because it was flawed (although knowledge of the nature of the flaw was hidden). Even with RIPEM (and SHA-1 for the same reason) I have plans in place (and have had for some time) the move away from 160-bit hashes to larger ones, so the attack on RIPEM had little effect on me and my clients...

A minor terminology correction: the hash is RIPEMD, the more recent (and still unbroken) version being RIPEMD-160. RIPEMD is the RIPE Message Digest, where RIPE is the EU's RACE Integrity Primitives Evaluation project, and I haven't been able to find out what RACE stands for. RIPEM was an old implementation by Mark Riordan of the PEM (Privacy Enhanced Email) standard which preceded S/MIME.

Hal Finney
Re: On hash breaks, was Re: First quantum crypto bank transfer
- Original Message -
From: Jerrold Leichter [EMAIL PROTECTED]
Subject: Re: On hash breaks, was Re: First quantum crypto bank transfer

| (they all have backup
| plans that involve the rest of the SHA series and at the very least
| Whirlpool).

Moving to a larger hash function with no underlying theory isn't very far from the million-bit key algorithms you see all over the place. Bigger probably can't be worse, but is it really better?

The key expansion problem is why the rest of the SHA series is present, and Whirlpool is present because of the fundamental flaw problem. The truth is that having a diversity of options for this is simple enough, it takes only a small amount of additional work to allow a cryptographic function to be easily replaced, and making it replaceable by 1000 is only marginally more difficult than 2, the four I listed are well-built, which is why they are the recommended ones.

Suppose a year ago I offered the following bet: At the next Crypto, all but one of the widely-discussed hash functions will be shown to be fundamentally flawed. What odds would you have given me?

I think it would be important to change the phrasing a bit to make the odds more quantifiable, simply change At the next Crypto to By the end of the next Crypto. With that said considering history, I would've put the odds at ~~5:1 (Current hash functions seem to be broken quite often, and being the house I want the odds in my favor). But you are correct in that this represents a major advance in the state of the art, one that has taken large portions of the security community completely blind, I simply took the opportunity to push the concept of good business planning into this as a way that allows a good escape plan should anything happen.

What odds would you have given me on the following bet: At the next Crypto, an attack against AES that is substantially better than brute force will be published?
If the odds were significantly different, how would you have justified the difference?

Very different odds actually, we as a group have a much better understanding of block ciphers than hash functions, as evidence the just published 4 for the price of 2 break (cryptography list post by Hal Finney Subject: More problems with hash functions 8/20/2004). However AES has one of the smallest security margins available, so let's put it around 10:1, I really don't expect a break, but I would not be excessively shocked to see one made. It is for this very reason that again I recommend to all my clients that they have backup plans here as well, all the AES finalists, and Camellia because of its Nessie selection.

Let's update the question to today: Replace widely-discussed hash functions with SHA-1 and the related family. Keep the AES bet intact. But let's go out 5 years. Now what odds do you give me? Why?

SHA series 1:1
AES 3:1
Whirlpool 3:1 (even though it wasn't asked)
Camellia 3:1
Of SHA and Whirlpool being felled by the same attack in the next 5 years 100:1
AES and Camellia by the same attack within 5 years 30:1

SHA in five years because the SHA methodology is showing some cracks, there are only minor differences between SHA-0 and SHA-1, and the differences between SHA-1 and SHA-256/384/512 are basically just matters of scale, I expect to see a major break against the methodology within 10 years, and with the current renewed interest in hash functions I expect the manpower to be available very soon to find that break.

AES is a very solid algorithm, but its security margin is too close for me, this is always solid evidence that a break may be just around the corner, that the evidence is that various agencies don't have a break is irrelevant, the current evidence is that the general cryptographic community is 10 years behind and gaining quickly.
Whirlpool has the same odds as AES because the underlying cipher is based on the same methodology, by the same people, so if it has a flaw it is likely to be extremely similar.

Camellia simply does not have the examination behind it that the AES finalists do, something that makes me nervous and why it is only a backup algorithm.

SHA and Whirlpool are unlikely to fall at the same time because they have fundamentally different cores, SHA is a hash constructed primitive, Whirlpool a block cipher constructed primitive based on a chaining mode. This makes the odds of a single attack felling both slim at best. This odd is probably slanted too far in my favor.

AES and Camellia by the same attack is more likely because the tools against block ciphers are generally cross borders capable, and the differences between the styles in Camellia and AES are simply not great enough to prevent this. The difference in the styles though represents the additional 3.333:1 odds.

All my odds on this are conservative and based on sloppy meanings (you and I may have very different meanings
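One way to build the replaceability this message argues for, together with the phase-out advice earlier in the thread, as an added example that is not code from any list participant. The `HashPolicy` class, the `name:hexdigest` record format and the status assigned to each algorithm are assumptions made for illustration.

```python
import hashlib
import hmac

# Lifecycle states (hypothetical names, chosen for this example).
ACTIVE, LEGACY, RETIRED = "active", "legacy", "retired"


class HashPolicy:
    """Digest records carry their algorithm name; policy decides what is honoured."""

    def __init__(self, status, preferred):
        self.status = dict(status)
        self.preferred = preferred
        if self.status.get(preferred) != ACTIVE:
            raise ValueError("preferred algorithm must be active")

    def seal(self, data):
        """New records are only ever created with the preferred algorithm."""
        digest = hashlib.new(self.preferred, data).hexdigest()
        return f"{self.preferred}:{digest}"

    def check(self, data, record):
        """Return (ok, upgraded_record). upgraded_record is set when a
        legacy record verified and should be re-stored under the preferred hash."""
        name, _, hexdigest = record.partition(":")
        state = self.status.get(name)
        if state not in (ACTIVE, LEGACY):
            # Retired or unknown names are refused before any hashing, so a
            # forged record cannot downgrade the check to a broken function.
            return False, None
        actual = hashlib.new(name, data).hexdigest()
        if not hmac.compare_digest(actual.encode(), hexdigest.lower().encode()):
            return False, None
        return True, (self.seal(data) if state == LEGACY else None)

    def phase_out(self, name, replacement=None):
        """Move one step along active -> legacy -> retired."""
        if name == self.preferred:
            if self.status.get(replacement) != ACTIVE:
                raise ValueError("name an active replacement first")
            self.preferred = replacement
        self.status[name] = RETIRED if self.status.get(name) == LEGACY else LEGACY


if __name__ == "__main__":
    # Assumed policy: MD5 refused, SHA-1 verify-only, SHA-256 preferred, SHA-512 in reserve.
    policy = HashPolicy(
        {"md5": RETIRED, "sha1": LEGACY, "sha256": ACTIVE, "sha512": ACTIVE},
        preferred="sha256",
    )
    doc = b"constructed sample record"
    old = "sha1:" + hashlib.sha1(doc).hexdigest()
    print(policy.check(doc, old))          # verifies, and returns a sha256 record
    policy.phase_out("sha256", "sha512")   # the backup plan is one call
    print(policy.seal(doc).split(":")[0])  # sha512
```

Accepting a legacy algorithm at all leaves a downgrade window, which is why the policy re-issues the record on first successful verification and the final `phase_out` step closes the window entirely.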
Re: First quantum crypto bank transfer
* Bill Stewart: I agree that it doesn't look useful, but lawful intercept is harder, if you're defining that as undetected eavesdropping with possible cooperation of the telco in the middle, because quantum crypto needs end-to-end fiber so there's nothing the telco can help with except installing dark fiber, and the quantum crypto lets you detect eavesdroppers.

But this doesn't scale. You'd need dark fiber to all communication partners. So if quantum key distribution was mandated for applications involving more than just a handful communication partners, you'd need relays (or rather unlikely advances in optical circuit switching).

By the way, the complete bashing of the recent QKD experiment is probably not totally deserved. Apparently, the experimenters used a QKD variant that relies on quantum teleportation of photons. This QKD variant is currently *not* available commercially, and the experiment itself could well be an important refinement of Zeilinger's earlier work in this area.
Re: First quantum crypto bank transfer
| However, I still don't believe that quantum cryptography can buy you
| anything but research funding (and probably easier lawful intercept
| because end-to-end encryption is so much harder).

Not to attack you personally - I've heard the same comments from many other people - but this is a remarkably parochial attitude. Quantum crypto raises fundamental issues in physics.

But we aren't physicists. Hey! It isn't research any more. There are companies trying to *sell this*.

Please don't blame the physicists for that. It is still research, but someone is selling tincture of quantum physics in their snake-oil bottles. Too bad that may poison the market for a really useful development a few years from now, but it does help shake the money tree for research. And physics can use every dime it can get right now.

Matt Crawford [EMAIL PROTECTED]
Fermilab Computer Security Coordinator http://www.fnal.gov/
Re: First quantum crypto bank transfer
At 01:00 PM 8/21/2004, Florian Weimer wrote:

However, I still don't believe that quantum cryptography can buy you anything but research funding (and probably easier lawful intercept because end-to-end encryption is so much harder).

I agree that it doesn't look useful, but lawful intercept is harder, if you're defining that as undetected eavesdropping with possible cooperation of the telco in the middle, because quantum crypto needs end-to-end fiber so there's nothing the telco can help with except installing dark fiber, and the quantum crypto lets you detect eavesdroppers.

On the other hand, at least in the US and probably in Germany, if the government wants the records of a bank's transactions, all they need is the locally-proper paperwork demanding the data, which is a threat model that quantum crypto doesn't help with, especially since the costs of that attack are much lower than tapping quantum fiber transactions.

An intermediate level of weakness is detection of who the bank is communicating with. In the case of quantum crypto, it's simple - just follow the fiber to the other end. But banks are a semi-special case for this threat also, because you know that a bank's headquarters will talk to other buildings belonging to that bank, so it's no information leak...
Re: First quantum crypto bank transfer
* Jerrold Leichter:

| Not quite correct, the first bank transfer occurred earlier this year,
| in a PR event arranged by the same group:
|
| http://www.quantenkryptographie.at/rathaus_press.html
|
| However, I still don't believe that quantum cryptography can buy you
| anything but research funding (and probably easier lawful intercept
| because end-to-end encryption is so much harder).

Not to attack you personally - I've heard the same comments from many other people - but this is a remarkably parochial attitude.

I'm the last person to argue against basic research, but I'm really against presenting it as if it had direct practical relevance. Basic research should receive government funding, but not based on the false claim that it can secure bank transfers.

Quantum crypto raises fundamental issues in physics. The interaction of information and QM is complex and very poorly understood. No one really knows what's possible. This is neat stuff, and really nice research. New results are appearing at a rapid pace.

I fully agree. Experimental quantum physics *is* important, but much more from a physics point of view than from a cryptography point of view.

Will this end up producing something new and useful? Who can say? Right now, we're seeing the classic uses for a new technique or technology: Solving the old problems in ways that are probably no better than the old solutions.

My trouble with quantum key distribution is that at the current stage, the experiments are stunning, but it's snake oil from a cryptography perspective. Have you actually looked at some of the quantum key distribution papers? The ones I examined even lack such a simple thing as a threat model, and as a result, the authors completely miss man-in-the-middle attacks where the attacker splits the fiber into two pieces, runs two instances of the QKD protocol, and reencrypts the communication after key distribution.
Alternatively, how anyone can have absolute confidence in conventional crypto in a week when a surprise attack appears against a widely-fielded primitive like MD5 is beyond me. Is our certainty about AES's security really any better today than was our certainty about RIPEM - or even SHA-0 - was three weeks ago?

If we postulate that man-in-the-middle attacks are non-existent, conventional cryptography is suddenly much stronger, too. 8-)
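The threat-model gap described in the message above can be seen in a small simulation, added here as an example that is not part of the thread. It assumes an idealised BB84 run (no loss or noise, error rate measured over the whole sifted key), and uses an HMAC under a constructed pre-shared key as a stand-in for whatever authentication a real system applies to the classical channel.

```python
import hashlib
import hmac
import random


def bb84_session(n, rng, tap=False):
    """Simulate one BB84 run over a lossless, noiseless fibre.

    tap=True models a passive intercept-resend eavesdropper on the fibre.
    Returns (sender_key, receiver_key, qber, sender_bases).
    """
    s_bits = [rng.randrange(2) for _ in range(n)]
    s_bases = [rng.randrange(2) for _ in range(n)]
    r_bases = [rng.randrange(2) for _ in range(n)]
    r_bits = []
    for bit, basis, r_basis in zip(s_bits, s_bases, r_bases):
        if tap:
            e_basis = rng.randrange(2)
            if e_basis != basis:
                bit = rng.randrange(2)   # wrong basis: outcome is random
            basis = e_basis              # photon is re-sent in the tapper's basis
        r_bits.append(bit if r_basis == basis else rng.randrange(2))
    # Sifting: keep only positions where the announced bases agree.
    keep = [i for i in range(n) if s_bases[i] == r_bases[i]]
    s_key = [s_bits[i] for i in keep]
    r_key = [r_bits[i] for i in keep]
    qber = sum(a != b for a, b in zip(s_key, r_key)) / len(keep)
    return s_key, r_key, qber, s_bases


def xor(bits, key):
    return [b ^ k for b, k in zip(bits, key)]


def split_fibre_mitm(message, n, rng):
    """Two independent, error-free sessions: Alice-Mallory and Mallory-Bob."""
    a_key, m_key_a, qber_a, a_bases = bb84_session(n, rng)
    m_key_b, b_key, qber_b, m_bases = bb84_session(n, rng)
    at_mallory = xor(xor(message, a_key), m_key_a)      # decrypt Alice's pad
    at_bob = xor(xor(at_mallory, m_key_b), b_key)       # re-encrypt for Bob
    return {"qber": (qber_a, qber_b), "mallory_read": at_mallory,
            "bob_read": at_bob, "alice_bases": a_bases, "mallory_bases": m_bases}


def basis_tag(bases, psk):
    """Authenticate a basis announcement (HMAC is an assumption of this example)."""
    return hmac.new(psk, bytes(bases), hashlib.sha256).digest()


def announcement_ok(bases, tag, psk):
    return hmac.compare_digest(tag, basis_tag(bases, psk))


def demo(seed=2004, n=4000):
    rng = random.Random(seed)
    psk = b"constructed pre-shared key"
    message = [1, 0, 1, 1, 0, 0, 1, 0] * 8              # constructed plaintext
    clean = bb84_session(n, rng)[2]
    tapped = bb84_session(n, rng, tap=True)[2]
    r = split_fibre_mitm(message, n, rng)
    tag = basis_tag(r["alice_bases"], psk)              # what Alice really sent
    return {
        "qber_clean": clean,
        "qber_passive_tap": tapped,                     # about 0.25: detected
        "qber_split_fibre": r["qber"],                  # (0.0, 0.0): not detected
        "mallory_read_plaintext": r["mallory_read"] == message,
        "bob_read_plaintext": r["bob_read"] == message,
        "relayed_tag_accepted": announcement_ok(r["mallory_bases"], tag, psk),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The error-rate check only catches the tap that disturbs photons in transit; the split-fibre case is caught only when Bob verifies the basis announcement under a key the middle party does not hold.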
First quantum crypto bank transfer
--- begin forwarded text

From: Andrew Thomas [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: First quantum crypto bank transfer
Date: Fri, 20 Aug 2004 09:05:58 +0200
Sender: [EMAIL PROTECTED]

Cryptography system goes underground (Aug 19)
http://physicsweb.org/article/news/8/8/13

A group of scientists in Austria and Germany has installed an optical fibre quantum cryptography system under the streets of Vienna and used it to perform the first quantum secure bank wire transfer (A Poppe et al. 2004 Optics Express 12 3865). The quantum cryptography system consisted of a transmitter (Alice) at Vienna's City Hall and a receiver (Bob) at the headquarters of an Austrian bank. The sites were linked by 1.45 kilometres of single-mode optical fibre.

-- Andrew G. Thomas

--- end forwarded text

--
- R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'