Re: quantum hype

2003-10-03 Thread Peter Fairbrother
[EMAIL PROTECTED] wrote:

 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Dave Howe
 
 Peter Fairbrother may well be in possession of a break for the QC hard
 problem - his last post stated there was a way to clone photons with
 high accuracy in retention of their polarization
 [SNIP]
 
 Not a break at all. The physical limit for cloning is 5/6ths of the bits will
 clone true. Alice need only send 6 bits for every one bit desired to assure
 Eve has zero information. For a 256-bit key negotiation, Alice sends 1536 bits
 and hashes it down to 256 bits for the key.

I've just discovered that that won't work. Eve can get sufficient
information to make any classical error correction or entropy distillation
techniques unuseable.

See:  http://www.gap-optique.unige.ch/Publications/Pdf/9611041.pdf


You have to use QPA instead, which has far too many theoretical assumptions
for my trust.

-- 
Peter Fairbrother

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: quantum hype

2003-09-28 Thread Peter Fairbrother
I promised some links about the 5/6 cloning figure. You've had a few
experimental ones, here are some theory ones.


Cloning machines:
http://www.fi.muni.cz/usr/buzek/mypapers/96pra1844.pdf

Theoretically optimal cloning machines:
http://www.gap-optique.unige.ch/Publications/Pdf/PRL02153.pdf

1/6 disturbance is theoretically optimal, both as a QC interception strategy
and it's an optimal cloning machine:
http://www.gap-optique.unige.ch/Publications/Pdf/PRA04238.pdf

A different approach to the 1/6 figure (2/3 cloned correctly, the 1/3
imperfectly cloned still has a 50% chance of being right):
http://arxiv.org/PS_cache/quant-ph/pdf/0012/0012121.pdf


That lot is pretty much indisputed...

...except for the optimal part; and that's a sideways argument anyway -
the math and physics theory are right as far as they go, just that they
didn't consider everything.

It may be possible to clone better than those optimal solutions,
especially in the classic QC case, or get more information like which
photons were cloned correctly, and perhaps to as near perfection as you
like, but that is in dispute. Actually it's a pretty friendly dispute,
people mostly say I don't know*. I'll post some more links on that later.


*unless someone mentions non-linear transformations. Which is a different
dispute really.
-- 
Peter Fairbrother

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: quantum hype

2003-09-24 Thread Greg Troxel
  I'm always stuck on that little step where Alice tells Bob what basis
  she used for each photon sent.  Tells him how?  They need integrity
  protection and endpoint authentication for N bits of basis.  Is the
  quantum trick converting those N bits to N/2 privacy-protected bits
  really as exciting as it's made out to be?

They need integrity and data origin authentication, but not
confidentiality.  This is what is referred to as the public channel
in QC papers.  The standard approach (in papers) is to use universal
hashing.  This is just math, with no quantum aspects.  But, it enables
authenticating an arbitrarily long string of bits with a single key,
just like one can MAC a long message with HMAC-SHA1.

The difference is that because of the hash construction there are two
key property changes from an HMAC such as used in IPsec:

  One can prove that the odds of a forgery are vanishingly small (1 in
  $2^{n-1}$ for n bit keys, or something like that), even with an
  adversary with infinite computional power.

  You can only use the key once (or perhaps twice).  Otherwise, an
  adversary can recover it.  This results in needing a constant stream
  of authentication keying material.

Whether these two properties are a good tradeoff from HMAC in practice
for any particular situation and threat model is an interesting
question.

See Universal Classes of Hash Functions, by Carter and Wegman,
Journal of Computer and System Sciences 18, 143-154 (1979) for the
canonical paper on universal hashing.

-- 
Greg Troxel [EMAIL PROTECTED]

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: quantum hype

2003-09-22 Thread Jaap-Henk Hoepman

I always understood that QKD is based on a hard problem of which the theory of
physics says it is impossible to find a solution (if not, then i'd like to
know). Then if QKD breaks, the current theory of physics was wrong.

On the other hand, if DH or RSA breaks, factoring or the discrete log turn out
to be polynomial. This is earthshattering, but doesn't imply our theory of
computing was wrong.

Whether one is a stronger foundation than the other is really a philosophical
question (and a an interesting one too... ;-)

Jaap-Henk

On Sun, 21 Sep 2003 16:39:17 +0200 martin f krafft [EMAIL PROTECTED] writes:
  Has anyone *proven* that there is no way to read
  a quantum bit without altering it?
 no. its the underlieing hard problem for QC. If there is
 a solution to any of the Hard Problems, nobody knows about them.

 right, so it's no better than the arguable hard problem of factoring
 a 2048 bit number.


-- 
Jaap-Henk Hoepman   |  I've got sunshine in my pockets
Dept. of Computer Science   |  Brought it back to spray the day
University of Nijmegen  |Gry Rocket
(w) www.cs.kun.nl/~jhh  |  (m) [EMAIL PROTECTED]
(t) +31 24 36 52710/531532  |  (f) +31 24 3653137

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


RE: quantum hype

2003-09-22 Thread Michael_Heyman
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Dave Howe
 
 Peter Fairbrother may well be in possession of a break for the QC hard
 problem - his last post stated there was a way to clone photons with
 high accuracy in retention of their polarization
 [SNIP]

Not a break at all. The physical limit for cloning is 5/6ths of the bits will clone 
true. Alice need only send 6 bits for every one bit desired to assure Eve has zero 
information. For a 256-bit key negotiation, Alice sends 1536 bits and hashes it down 
to 256 bits for the key.

-Michael Heyman

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: quantum hype

2003-09-22 Thread Peter Fairbrother
[EMAIL PROTECTED] wrote:

 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Dave Howe
 
 Peter Fairbrother may well be in possession of a break for the QC hard
 problem - his last post stated there was a way to clone photons with
 high accuracy in retention of their polarization
 [SNIP]
 
 Not a break at all. The physical limit for cloning is 5/6ths of the bits will
 clone true. Alice need only send 6 bits for every one bit desired to assure
 Eve has zero information. For a 256-bit key negotiation, Alice sends 1536 bits
 and hashes it down to 256 bits for the key.

Agreed. It's not a break, though it does make it harder. Many people think
the no-cloning theorem says you can't clone photons at all. Most COTS QC
gear only works under that false assumption.

Then there's the noise/error rates - in practice it's very hard to get  60%
single photon detection rates, even under the most favourable conditions,
and low error rates are hard to get too.

I tend to the opinion, without sufficient justification and knowledge to
make it more than an opinion, that most COTS QC products are probably secure
today in practice, but claims for theoretical security are overblown.




There may be yet another problem which I should mention. First, I'd like to
state that I'm not a quantum mechanic, and I find the math and theory quite
hard, so don't rely too much on this.

I'm not certain that the 5/6 figure is a universal physical limit. It may
just be an artifact of the particular unitary transform used in that
specific cloning process.

It _may_ be possible for the cloner to get some information about which
photons were cloned incorrectly. This is tricky, and I don't know if it's
right - it involves non-interactive measurement of virtual states, kind of.

Another possibility is to imperfectly clone the photon more than once.

The no-cloning theorem per se doesn't disallow these, it only disallows
perfect cloning, but other physics might.

QC's unbreakability isn't based on a hard problem, it's based on the
physical impossibility of perfect cloning. But exactly what that
impossibility means in practice, I wouldn't like to say. You can't clone
every photon. Can you only clone 5/6 of photons? Or 99.9...% of them? It
may be the latter.




BTW, you can decrease the wavelength of a photon by bouncing it off moving
mirrors.


-- 
Peter Fairbrother

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: quantum hype

2003-09-22 Thread Matt Crawford
BTW, you can decrease the wavelength of a photon by bouncing it off 
moving
mirrors.
Sure.  To double the energy (halve the wavelength), move the mirror at 
70% of the speed of light.  And since you don't know exactly when the 
photon is coming, keep it moving at that speed ...

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: quantum hype

2003-09-21 Thread Arnold G. Reinhold
At 6:38 PM -0400 9/18/03, John S. Denker wrote:
Yes, Mallory can DoS the setup by reading (and thereby
trashing) every bit.  But Mallory can DoS the setup by
chopping out a piece of the cable.  The two are equally
effective and equally detectable.  Chopping is cheaper and
easier.
Other key-exchange methods such as DH are comparably
incapable of solving the DoS problem.  So why bring up
the issue?
It seems to me that because key-exchange methods such as DH only 
depend on exchanging bits (as opposed to specifying a physical 
layer), they can rely on a wide variety of techniques to combat DoS. 
If Bob and Alice can safeguard their local connections to the 
Internet, its multi-routing properties provide significant DoS 
protection. Other options available to them include the switched 
telephone network, wireless, LEO satellites, cybercafes, 
steganography,  HF radio, and even postal mail. In addition, DH users 
have no need to call attention to themselves by leasing a fiber-optic 
line.

Arnold Reinhold

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: quantum hype

2003-09-21 Thread Peter Fairbrother
There are lots of types of QC. I'll just mention two.

In classic QC Alice generates polarised photons at randomly chosen either
+ or x polarisations. Bob measures the received photons using a randomly
chosen polarisation, and tells Alice whether the measurement polarisation he
chose was + or x, on a authenticated but non-secret channel. Alice
replies with a list of correct choices, and the shared secret is calculated
according as to whether the + polarisations are horizontal or vertical,
similar for the slant polarisations.


If the channel is authentic then a MitM is hard - but not impossible. The
no-cloning theorem is all very well, but physics actually allows imperfect
cloning of up to 5/6 of the photons while retaining polarisation, and this
should be allowed for as well as the noise calculations. I don't know of any
existing OTS equipment that does that.

A lasing medium can in theory clone photons with up to 5/6 of them retaining
enough polarisation data to use as above, though in practice the noise is
usually high.

There is also another less noisy cloning technique which has recently been
done in laboratories, though it doubles the photon's wavelength, which would
be noticeable, and I can't see ofhand how in practice to half the wavelength
again without losing polarisation (except perhaps using changing
gravitational fields and the like); but there is no theory that says that
that can't be done.



In another type of QC Alice and Bob agree on the measurement angles (any
angles, not just multiples of 45 deg) they will use, and Alice generates a
pair of entangled photons, sending one to Bob. Both measure the individual
photons at that angle, and the shared secret is generated according to
whether the photons pass the filter.

If the agreed-on measurement angles are kept secret, and noise bounds etc
are obeyed, then a MitM is hard as before except the theoretical maximum
ratio of clonable photons is lower - but it isn't much use, except as an
otp key multiplier.



There are a zillion variations on these themes, and other types of QC. For
instance Alice can send Bob data rather than generating a random shared
secret, and without a separate channel, if she generates the quantum string
using a preshared secret. Mallory can get 1/2 of the bits, but AONT's can
defend against that, and if properly implemented no MitM is possible.

And so on.

-- 
Peter Fairbrother

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: quantum hype

2003-09-21 Thread Dave Howe
 no. its the underlieing hard problem for QC. If there is
 a solution to any of the Hard Problems, nobody knows about them.
right, so it's no better than the arguable hard problem of
factoring a 2048 bit number.
Peter Fairbrother may well be in possession of a break for the QC hard
problem - his last post stated there was a way to clone photons with
high accuracy in retention of their polarization (at the cost of a
irrelevent increase in wavelength) so that Mallory could test photons with
BOTH filters, determining the value of the bit (from the correct filter
which would show a strong bias to the correct bit value) and the
orientation (given the incorrect filter would be roughly 50/50)

 wrong. i don't consider those that shouldn't know about
 some things to be my enemies. i know that crypto is
 useful when someone actively seeks information.
Hmm. normally, the agent attempting to intercept your traffic is termed
the attacker; I don't know many attackers that aren't enemies :)

 but if i want my girlfriend not to see those
 mails i send to this other chick (i have no
 girlfriend btw),
I suspect my wife might not like it if I had one :)

 i encrypt them and guard against the risk that i leave
 the window open when she comes home and she
 accidentally hits enter to read that email.
but not against you accidentally leaving the plaintext window open, or
your system having stored a draft of the plaintext someplace.
endpoint security is typically much, much harder than transmission
security (despite key exchange not being an issue) simply because so many
standard machines and software is orientated towards data loss prevention,
not security.

 i guess it's a matter of definition, so let's just leave it there.
indeed. perhaps interceptor rather than enemy would be closer?

 You seem to have a lot more of a grasp than I.
I am (as usual) standing on the shoulders of giants; I am simply repeating
my understanding of what they said trying to dumb it down to my miserable
level :)

 Anyhow, we are deviating here and there from the topic.
 So let me summarise:
   - QC, if correctly used, can serve as the basis for OTP
encryption.
correct - it is a key negotiation method, not an actual transmission
method.

  - The provable security of QC thus actually comes from OTP.
no, the provable security of OTP is a given. the security of QC comes from
not being able to determine the polarization of a photon without pushing
it though a filter and seeing if it fits :)

  - QC needs an unbroken channel. The channel does not have to be
private because an observer destroys photons, which can be
detected.
destroying photons would mean breaking (diverting the flow of photons
down) the channel, so there is no real distinction.

  - This observer could DoS the communication, but that's akin to
cutting the land-line.
indeed. not only akin, but actually a case of :)

  - Actually, no, because if I don't rely on QC but have other
means, I can switch to another medium if someone cuts my
landline.
in fact, you would be better served using another channel (or channels)
for actual data, and keeping the optical channel for key negotiation only.
a successful MiTM attack relies on controlling *all* the communications
between alice and bob. if there are multiple channels, and even one is
missed, alice and bob can determine there was a middleman involved and the
attack breaks down. Ideal for transmitting the actual data would be (say)
a broadcast medium; alice can check her own trasmissions, and bob can read

 Btw: is this list archived?
yes
http://www.mail-archive.com/cryptography%40metzdowd.com/index.html
and in general terms, always assume mailing lists are not only archived,
but read avidly by the enemies I have and you haven't got ;)

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: quantum hype

2003-09-21 Thread Andreas Gunnarsson
On Sun, Sep 21, 2003 at 01:37:21PM +0100, Peter Fairbrother wrote:
[cloning photons]
 There is also another less noisy cloning technique which has recently been
 done in laboratories, though it doubles the photon's wavelength, which would
 be noticeable,

To get rid of the wavelength change it sounds like you just have to
produce a new photon with half the wavelength, clone it and then clone
one of the clones and measure whether it matches the intercepted one. If
it does, forward its clone, otherwise choose another one.

I am a little skeptic though, does this really work? I would expect that
measuring one clone would affect its twin just as if it was measured
directly.

   Andreas

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: quantum hype

2003-09-20 Thread R. Hirschfeld
 Date: Fri, 19 Sep 2003 11:57:22 -0400
 From: Ian Grigg [EMAIL PROTECTED]

 If I understand this correctly, this is both
 an eavesdropping scenario and an MITM scenario.
 
 In the above, Eve is acting as Mallory, as she
 is by definition intercepting the bits and re-
 sending them on?

As Dave Howe pointed out, Eve is acting as a repeater and tries not to
alter the bits.  This seems a sensible model of eavesdropping for QKD.
The threat is that Alice and Bob might incorporate bits that were seen
by Eve into their key.  If Bob never receives a bit, it won't be used.

 That is, the Quantum Property is that Eve can
 be detected because she destroys photos in the
 act of listening, and Mallory, who can resend
 the photons, has only a 50% chance of reading
 each bit correctly in advance, so he can be
 detected after the fact as well, as 25% of his
 bits are wrong.

The terminology destroy is used a bit loosely.  I think the
important thing for QKD is that if a photon is measured with the wrong
basis, the information it is carrying about the key is lost.

Ray

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: quantum hype

2003-09-16 Thread John Lowry
QC is currently a one-time pad distribution mechanism - or at lower rates a
key establishment mechanism most suitable for symmetric algorithms.

You are correct that authentication is not inherent.  Then again, this is
also true for classical symmetric and PKI schemes.  To be usable, all
crypto requires some kind of authentication mechanism or scheme.

The QC community is well aware of this problem and is working on it.
Please don't give up yet !  In the mean time, manual establishment of an
authentication secret works as do physical means e.g., optical viewing of a
satellite from a ground station.

Please remember that it's early days yet; the problems are real and hard.
Come join the fun.

And watch out for snake oil from early attempts at commercialization  ;-)

John
PS: a small nit.  The quantum channel is tamper _detectable_.  There is no
claim to being untamperable.  You can always detect tampering (and throw
away those bits) regardless of who you are talking to.  Multiple reads of
a photon (several approaches have been considered) is either equivalent to
tampering or yields no information.  Physics is fun !


On 9/16/03 16:03, Hadmut Danisch [EMAIL PROTECTED] wrote:

 On Sat, Sep 13, 2003 at 09:06:56PM +, David Wagner wrote:
 
 You're absolutely right.  Quantum cryptography *assumes* that you
 have an authentic, untamperable channel between sender and receiver.
 
 So as a result, Quantum cryptography depends on the known
 methods to provide authenticity and integrity. Thus it can not
 be any stronger than the known methods. Since the known methods
 are basically the same a for confidentiality (DLP, Factoring),
 and authentic channels can be turned into confidential channels
 by the same methods (e.g. DH), Quantum cryptography can not be
 stronger than known methods, I guess.
 
 On the other hand, quantum cryptography is based on several
 assumptions. Is there any proof that the polarisation of a
 photon can be read only once and only if you know how to turn
 your detector? 
 
 AFAIK quantum cryptography completey lacks the binding to
 an identity of the receiver. Even if it is true that just a single
 receiver can read the information, it is still unknown, _who_
 it is. All you know is that you send information which can be read
 by a single receiver only. And you hope that this receiver was the
 good guy.
 
 Hadmut
 
 -
 The Cryptography Mailing List
 Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: quantum hype

2003-09-15 Thread Ed Gerck
martin f krafft wrote:

 So MagiQ and others claim that the technology is theoretically
 unbreakable. How so? If I have 20 bytes of data to send, and someone
 reads the photon stream before the recipient, that someone will have
 access to the 20 bytes before the recipient can look at the 20
 bytes, decide they have been tampered with, and alert the sender.

This is not relevant when the technology is correctly used for Q key
transmission because the sender would not be in the dark (sorry for the
double pun) for so long.

 So I use symmetric encryption and quantum cryptography for the key
 exchange... the same situation here. Maybe the recipient will be
 able to tell the sender about the junk it receives, but Mallory
 already has read some of the text being ciphered.

This should not happen in a well-designed system. The sender sends
the random key in the Q channel in such a way that compromises in
key transmission are detected before the key is used.

That said, Q cryptography is something else and should not be confused
with Q key distribution.

Cheers,
Ed Gerck


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: quantum hype

2003-09-14 Thread David Wagner
Arnold G. Reinhold wrote:
I think there is another problem with quantum cryptography. Putting 
aside the question of the physical channel, there is the black box at 
either end that does all this magical quantum stuff. One has to trust 
that black box.

- Its design has to thoroughly audited  and the integrity of each unit verified
- It has to be shipped securely from some factory or depot to each end point
- It has to be continuously protected from tampering.

Yes.  Several years ago, Adi Shamir presented some fascinating
attacks on the implementation of such black boxes at Cryptrec, so
it is not something that should be taken for granted.

It seems to me one could just as well ship a 160 GB hard drive filled 
with random keying material to each endpoint.

Well, I agree.  If we get to use complexity-based crypto that is
not proven secure, like AES, RSA, or the like, then we can do much
better than quantum crypto.  The only real attraction of quantum crypto
that I can see is that its security does not rely on unproven
complexity-theoretic conjectures.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


quantum hype

2003-09-13 Thread martin f krafft
Dear Cryptoexperts,

With

  http://www.magiqtech.com/press/navajounveiled.pdf

and the general hype about quantum cryptography, I am bugged by
a question that I can't really solve. I understand the quantum
theory and how it makes it impossible for two parties to read the
same stream. However, what I don't understand is how that adds to
security.

The main problem I have with understanding the technology is in the
fact that any observation of the quantum stream is immediately
detectable -- but at the recipient's side, and only if checksums are
being employed, which are not disturbed by continual or sporadic
photon flips.

So MagiQ and others claim that the technology is theoretically
unbreakable. How so? If I have 20 bytes of data to send, and someone
reads the photon stream before the recipient, that someone will have
access to the 20 bytes before the recipient can look at the 20
bytes, decide they have been tampered with, and alert the sender.
So I use symmetric encryption and quantum cryptography for the key
exchange... the same situation here. Maybe the recipient will be
able to tell the sender about the junk it receives, but Mallory
already has read some of the text being ciphered.

In addition to that, the MITM attack seems to be pertinent, unless
I use public-key encryption and authentication. But then I am back
to cryptography whose strength is based on intractability and not on
a proof. And now I fail to see why quantum crypto is hyped so much.

Maybe I am completely misguided, but I would really appreciate some
explanation or even pointers. Or someone wants to spend a couple of
minutes to explain the process of theoretically unbreakable quantum
cryptography step-by-step.

Note: I am reading MagiQ's press release with the
subtract-marketing-b/s grain of salt. Of course, their technology is
superior to everything. However, most of my information and the food
for my questions stem from the more scientific side, having read
about it in articles in renowned magazines and mailing list posts.

Thanks,

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^.*|tr * mailto:; [EMAIL PROTECTED]
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
 
joan of arc heard voices too.


pgp0.pgp
Description: PGP signature


Re: quantum hype

2003-09-13 Thread David Wagner
martin f krafft  wrote:
So MagiQ and others claim that the technology is theoretically
unbreakable. How so? If I have 20 bytes of data to send, and someone
reads the photon stream before the recipient, that someone will have
access to the 20 bytes before the recipient can look at the 20
bytes, decide they have been tampered with, and alert the sender.

You're absolutely right.  Quantum cryptography *assumes* that you
have an authentic, untamperable channel between sender and receiver.
The standard quantum key-exchange protocols are only applicable when
there is some other mechanism guaranteeing that the guy at the other end
of the fibre optic cable is the guy you wanted to talk to, and that noone
else can splice into the middle of the cable and mount a MITM attack.

One corollary of this is that, if we want end-to-end security, one can't
stick classical routers or other such equipment in the middle of the
connection between you and I.  If we want to support quantum crypto,
the conventional network architectures just won't work, because any two
endpoints who want to communicate have to have a direct piece of glass.
Quantum crypto might work fine for dedicated point-to-point links,
but it seems to be lousy for large networks.

For these reasons, and other reasons, quantum crypto looks pretty
impractical to me, for most practical purposes.  There is some very
pretty theory behind it, but I predict quantum crypto will never replace
general-purpose network encryption schemes like SSH, SSL, and IPSec.

As you say, there is a lot of hype out there, but as you're discovering,
it has to be read very carefully.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: quantum hype

2003-09-13 Thread martin f krafft
also sprach David Wagner [EMAIL PROTECTED] [2003.09.13.2306 +0200]:
 You're absolutely right.  Quantum cryptography *assumes* that you
 have an authentic, untamperable channel between sender and
 receiver. The standard quantum key-exchange protocols are only
 applicable when there is some other mechanism guaranteeing that
 the guy at the other end of the fibre optic cable is the guy you
 wanted to talk to, and that noone else can splice into the middle
 of the cable and mount a MITM attack.

Uh, so if I have a channel of that sort, why don't I send cleartext?

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^.*|tr * mailto:; [EMAIL PROTECTED]
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
 
the public is wonderfully tolerant.
 it forgives everything except genius.
-- oscar wilde


pgp0.pgp
Description: PGP signature


Re: quantum hype

2003-09-13 Thread David Wagner
 On 09/13/2003 05:06 PM, David Wagner wrote:
   Quantum cryptography *assumes* that you
   have an authentic, untamperable channel between sender and receiver.
 
 Not true.  The signal is continually checked for
 tampering;  no assumption need be made.

Quantum crypto only helps me exchange a key with whoever
is on the other end of the fibre optic link.  How do I know
that the person I exchanged a key with is the person I wanted
to exchange a key with?  I don't ... unless I can make extra
assumptions (such as that I have a guaranteed-authentic channel
to the party I want to communicate with).

If I can't make any physical assumptions about the authenticity
properties of the underlying channel, I can end up with a scenario
like this: I wanted to exchange a key securely with Bob, but instead,
unbeknownest to me, I ended up securely exchanging key with Mallet.

I believe the following is an accurate characterization:
 Quantum provides confidentiality (protection against eavesdropping),
 but only if you've already established authenticity (protection
 against man-in-the-middle attacks) some other way.
Tell me if I got anything wrong.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]