quantum hype

[Dave Howe]

martin f krafft wrote:
>This is what I don't buy. If Mallory sees the data, it must be
>detected, because otherwise the approach is flawed.
  As I understand it, there are four possible "rotations" for the photon
( call them '\' '|' '/' and '-' ) so two choices for a filter (straight or
slant). a straight filter can reliably tell '|' and '-' apart, but '\' and
'/' are going to be unreliable; a slant filter can read '\' or '/' but not
'|' or '-'
if Mallory can guess the correct filter to use, he can reproduce the bit
to bob; if he guesses wrongly, he can still send a random bit to bob, who
will (if he uses the right filter) further randomly interpret that and
either get the right or wrong answer (50/50 chance)
of course if Mallory *is* Mallory, and not Eve, he is mounting a
Man-in-the-middle attack, so can conveniently negotiate key a with alice,
key b with bob, and do the usual :) quantum channels are just as sensitive
to Mitm as any other; without a non-interruptable (if insecure) channel no
key negotiation protocol is ever going to work.

> But in any case does Mallory have the means to completely
> DoS any attempt of communication between the parties,
> simply by reading along, unless there is a dedicated channel
> between Alice and Bob. In which case,
> why is there a need for quantum cryptography in the first place?
  QC allows you to negotiate a one-time-pad between two nodes joined by an
unbroken optical link
it says nothing about the identity of the two nodes, and relies on the
optical link being unbroken (a mitm breaks the link, turning it into two
independent QC channels that happen to be both to Mallory)

> One chance in 2^C, otherwise it would be deadly, no? But in any
> case, Reasonable keysized DH exchanges give me the same security
> with a lot more flexibility, and a lot less chance for DoS. I still
> don't buy it.
  QC really needs an insecure but unbroken link. if that is achievable,
then the crypto is OTP and unbreakable (much better than DH). if it is not
achievable (and I would doubt that it is) then the key negotiation is
broken and the crypto worthless.

>> The foregoing assumed an error-free channel.  Things get much
>> worse if the good guys need to do error correction.
>... which is almost always required.
  The incidence should be low - in fact, there are no good reasons to use
the QC channel for actual data exchange at all - use normal insecure
channels for actual data transfer, protected by the negotiated OTP key. We
then have to correct for wrongly read bits from the QC channel, and there
you will have difficulty adding EC codes (given any individual bit may be
in error) and transmitting hashes of (or worse yet, EC for) the
known-received bits insecurely would compromise the OTP key at least a
little.
I must admit my signal-processing knowledge is weak - maybe another
regular could propose a scheme that would work. to define the problem:

GIVEN a transmission line with approximately 50% bit loss, but for which
you know which bits were received, and a less than 10% error rate (say) in
the received bits, how do you detect and discard/correct the bad bits? I
assume there is something in FEC for very unreliable lines like this....

> Sending asymmetrically encrypted data over something like
> the plain old telephone system strikes me as being more secure
> than sending these data over the Internet, and that should hold
> for any encryption used. Unless QC is applicable to the Internet
> (which it won't be, as far as I can tell), I don't see any use
> beyond marketing hype.
bingo.
QC is a hype-only technology - it relies on a unbroken line impervious to
MitM, and there ain't no such beast.


> also sprach David Wagner <daw at cs.berkeley.edu>
>> I believe the following is an accurate characterization:
>>  Quantum provides confidentiality (protection against eavesdropping),
>>  but only if you've already established authenticity (protection
>>  against man-in-the-middle attacks) some other way.
.> Tell me if I got anything wrong.
>I don't think this is wrong, but I still don't see how QC guards
>against eavesdropping. No, wrong, I see how a key exchange
>with QC can make it very difficult to eavesdrop the key (more
without Mitm, it is impossible to evesdrop the photons used for key
negotiation.
even assuming you can detect a photon without distorting it in any way
(rotation or attenuation) then the *only* known way to detect the
polarization of a photon is to push it though a filter and see if it comes
out the other side. this is the "strong problem" on which QC relies; if
that fell, then QC would be worthless.

also sprach David Wagner <daw at mozart.cs.berkeley.edu>
> One could reasonably ask how often it is in practice that we have
> a physical channel whose authenticity we trust, but where
> eavesdropping is a threat.  I don't know.
I can't think of a single instance of one suitable to QC.
the usual definition is a broadcast channel - send once read many - where
anyone can read it, but the original sender can discover *fast* any
changes as the sender is also a receiver and can verify the sent data from
several places. QC relies on only a single quanta of energy being sent, so
obviously two people can't receive the same copy (and therefore the sender
can't verify his own transmission)

> How much of a threat really exists in a channel encrypted with
> e.g. Blowfish, 256bit keys, perfect forward secrecy, and a
> session key lifetime of 30 minutes???
almost none. while OTP has no even theoretical attacks, QC is not otp (
you are negotiating a key, and are therefore transmitting a key protected
by a "hard problem" - admittedly one in physics rather than maths, but the
drawbacks seem to outweigh the advantages.

also sprach Arnold G. Reinhold <reinhold at world.std.com> [2003.09.14.0536
+0200]:
> The 160 GB hard drive has a couple of advantages over quantum key
> exchange:
> And a disadvantage: disk corruption, which may render your
> channel temporarily inaccessible.
not a problem - 160 gb hard drives are inexpensive, you don't send one,
you send four; if one fails, you transparently switch to the next

> once someone gets hold of the data on the disk, everyone can read along.
Indeed. OTP *always* breaks down to the key distribution problem - you
have to get your key from point a to point b before point b can talk to
point a
one guy with a briefcase containing four hotswap drives is a lot easier to
secure than a 200 mile fiberoptic though.

> It's the same problem of all symmetric algorithms,
> enhanced by the fact that the key data is stored
> on a medium other than a human neural network
> (which to date is only readable by one person)
nothing stopping you using symmetric crypto to protect the keydisk if you
want to.

> Has anyone *proven* that there is no way to read
> a quantum bit without altering it?
no. its the "underlieing hard problem" for QC. If there is a solution to
any of the Hard Problems, nobody knows about them.

>also sprach Ian Grigg <iang at systemics.com>
>> What you want is to find out where the enemy is
>> listening in, and when.  Then, it just becomes
>> another data point in the tracking game.
> I use cryptography; I don't have any enemies
> (at least none that I care about)
cryptography is 90% paranoia - you *have* enemies, and don't know about
them. if you had none at all, you wouldn't bother with crypto (as nobody
would ever look at your data even accidentally). It doesn't matter if your
enemy is a random ISP tech who likes browsing email spools, or a spook
curious as to why you spend so much time sending encyrpted messages....

> Using just one link and no redundancy, how can you ever
> check if a stream of random bytes has been correctly received
> on the other side???
that is a FEC problem.
as I understand it, a QC key negotiation goes as follows:
host a generates 2 x 'n' random bits
host a encodes its 'n' dibits with one bit determining 90% of rotation and
the other 45% as polarizations of single photons and transmits them to
host b
host b generates 'n' random bits
host b encodes its 'n' bits as filters (either 0 or 45% rotation) for the
'n' received photons
host b transmits its 'n' bits plaintext to host a
host a xors the 45% rotation bits it used with the rotation bits from host
b to give it a "bad bit list"
host a removes bits from the 90% rotation bitset if they are set in the
"bad bit list"
host a transmits plaintext to host b the "bad bit list"
host b also removes the bad bits
approximately half the bits in the "bad bit list" would be set, leaving
approximately 'n'/2 bits for otp key material. (EC is a further problem I
have not seen addressed)

as you can see, evesdropping the individual photons is a hard problem, and
evesdropping the rotation list from host b and the bad bit list from host
a is worthless without the photons (and the rotation list is transmitted
*only* after the photons have already been processed by host b)

> Even though eavesdropping changes the data,
evesdropping *destroys* the data by removing 50% of the photons almost at
random. that is the quantum bit of the process - only a single photon is
sent, so it can only be processed (read) by one host; reading the photon
destroys its value, and the random element ensures it is incorrectly read
50% of the time.

> But this technology is DoS'able and thus not
> applicable to productive environments. Or is
> there a way I can't easily DoS?
DoS is breaking the transmission link - and a physical attack on the media
(or the equipment at either end) would be required

> This is what initially spawned the thread. So what is QC and
> how is it secure, or even has potential?
I admit to not entirely following the logic behind Quantum Cryptography
but if I am understanding the popularization version - it is using quantum
entanglement to run a atomic-level process simultaniously on a large
number of random cases (alternate dimensions?) and identify just the
case(s) that actually get the "right answer" by forcing the virtual
reactions to "interfere" with the reaction in this reality so that it
becomes the answer that works (a bit like how a single photon, fired at a
dual slit card in front of a screen, will land in accordance with the
interference pattern you would get from photons travelling *both* possible
paths though the slit card).
Compare with molecular computing, where you run the math as a chemical
reaction on a huge number of different molecules (one per possible answer)
, with the reaction that works altering the molecule representing the
answer so that it can be isolated and identified.


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com