Quantum crypto broken?

John Lowry jlowry at bbn.com
Mon May 13 15:02:51 EDT 2002

(Greg and I work on the same project ...)
The Oxford announcement doesn't present quite
the risk implied.  Cloning in their case results
in an energy loss of 1/2 which is easily detected
through various means including error rate.
You have to conserve energy ...

For a quick discussion on the no-cloning theory
see http://physics.about.com/library/weekly/aa070101a.htm

A notional QKD system can tolerate about a 15% error rate (14.86%
to be exact) before mutual information becomes an issue.
(For transmissions of >100 qubits)

5/6ths represents an error rate of 16% above that of the
baselined quantum system even if energy weren't conserved.
(Back of the envelope ...) For the system we're building, 
cutting power in half, greater probability of absorption, etc.,
yields another 20% error making _at least_ 36% error on
top of the baselined system.

There is a lot of math and implementation detail which
I won't go into but the physical and mathematical proofs
indicate that this is not a threat.  If perfect cloning were
possible this would be a _very_ different universe.


> -----Original Message-----
> From: owner-cryptography at wasabisystems.com
> [mailto:owner-cryptography at wasabisystems.com]On Behalf Of Greg Troxel
> Sent: Monday, May 13, 2002 8:42 AM
> To: Michael_Heyman at NAI.com
> Cc: cryptography at wasabisystems.com
> Subject: Re: Quantum crypto broken?
>
> Quantum Key Distribution involves a step called "Privacy
> Amplification", which is essentially hashing down the bits that were
> received to a smaller number to account for the possibility that an
> eavesdropper knows some of them.  The essential point is that the two
> parties must estimate the amount of information that could have been
> gained by an eavesdropper; errors are one component of this estimation
> process.  Another component is the probability that the "single
> photon" sent was really more than one photon --- typical "weak
> coherent" links send multiple photons significantly often.
>
> It is important to realize that eavesdropping is a probabilistic
> operation --- when an attacker measures a photon and retransmits
> it, there is some probability (as much as 50% in a noise-free system)
> that no error will be induced.  (Essentially, this happens when the
> attacker's choice of basis matches the sender's choice of basis.)
> Thus, there can be no absolute guarantee of security, only probability
> bounds.  This is really no different from traditional cryptography, as
> an attacker has a 1 in 2^1024 chance of guessing a 1024 bit RSA key
> with a trivial strategy.
>
> Slutsky et al discuss the issue of deciding how many bits to hash down
> in the context of desiring to bound the probability that an attacker
> will have gained some amount of information about the bits that remain
> after privacy amplification.  Slutsky's paper can be found at
>   http://kfir.ucsd.edu/papers/defense.pdf
> See reference 11 for a discussion of privacy amplification.
>
> This paper addresses "individual attacks", in which a probe interacts
> with each photon and then a measurement is made on the probe.
> "Collective" and "joint" attacks in which multiple (sequential)
> photons are measured together are more complicated.
>
>         Greg Troxel <gdt at ir.bbn.com>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to 
> majordomo at wasabisystems.com
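
Added example, not part of the original messages: a noise-free simulation of the measure-and-retransmit case described in the quoted text, showing how the tap appears as errors in the basis-matched bits and how that rate compares with the 14.86% tolerance quoted above. The BB84-style two-basis protocol, the function names, the photon counts and the seed are assumptions made for the illustration.

```python
import random

TOLERABLE_QBER = 0.1486  # tolerance figure quoted in the message above

def measure(bit, prep_basis, meas_basis, rng):
    """A matching basis reads the bit; a mismatched basis gives a coin flip."""
    return bit if prep_basis == meas_basis else rng.randrange(2)

def run_bb84(n_photons, intercept_fraction, seed=0):
    """Noise-free two-basis QKD run with a measure-and-retransmit tap on a
    fraction of the photons. Returns (sifted_bits, error_rate), where the
    error rate is taken over the positions whose bases matched."""
    rng = random.Random(seed)
    sifted = errors = 0
    for _ in range(n_photons):
        bit, a_basis = rng.randrange(2), rng.randrange(2)
        tx_bit, tx_basis = bit, a_basis
        if rng.random() < intercept_fraction:
            e_basis = rng.randrange(2)
            tx_bit = measure(bit, a_basis, e_basis, rng)
            tx_basis = e_basis  # photon is re-sent in the tap's basis
        b_basis = rng.randrange(2)
        b_bit = measure(tx_bit, tx_basis, b_basis, rng)
        if b_basis == a_basis:  # sifting: keep only matching bases
            sifted += 1
            errors += b_bit != bit
    return sifted, errors / sifted

def link_verdict(error_rate, threshold=TOLERABLE_QBER):
    """Decide whether the observed error rate still allows key distillation."""
    if error_rate > threshold:
        return "abort"
    return "continue to privacy amplification"

if __name__ == "__main__":
    for frac in (0.0, 0.25, 0.5, 1.0):  # constructed tap fractions
        sifted, qber = run_bb84(20000, frac, seed=1)
        print(f"tap on {frac:4.0%}: sifted={sifted} "
              f"QBER={qber:.3f} -> {link_verdict(qber)}")
```

With the tap on every photon the sifted error rate comes out near 25%, well past the tolerance. A tap on half of the photons stays under it, which is the partial knowledge that privacy amplification is there to hash away.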
