quantum hype
Greg Troxel
gdt at ir.bbn.com
Wed Sep 24 08:54:24 EDT 2003
I'm always stuck on that little step where Alice tells Bob what basis
she used for each photon sent. Tells him how? They need integrity
protection and endpoint authentication for N bits of basis. Is the
quantum trick converting those N bits to N/2 privacy-protected bits
really as exciting as it's made out to be?
They need integrity and data origin authentication, but not
confidentiality. This is what is referred to as the "public channel"
in QC papers. The standard approach (in papers) is to use universal
hashing. This is just math, with no quantum aspects. But, it enables
authenticating an arbitrarily long string of bits with a single key,
just like one can MAC a long message with HMAC-SHA1.
The difference is that because of the hash construction there are two
key property changes from an HMAC such as used in IPsec:
One can prove that the odds of a forgery are vanishingly small (1 in
$2^{n-1}$ for n bit keys, or something like that), even with an
adversary with infinite computional power.
You can only use the key once (or perhaps twice). Otherwise, an
adversary can recover it. This results in needing a constant stream
of authentication keying material.
Whether these two properties are a good tradeoff from HMAC in practice
for any particular situation and threat model is an interesting
question.
See "Universal Classes of Hash Functions", by Carter and Wegman,
Journal of Computer and System Sciences 18, 143-154 (1979) for the
canonical paper on universal hashing.
--
Greg Troxel <gdt at ir.bbn.com>
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list