Quantum Cryptography

Leichter, Jerry leichter_jerrold at emc.com
Fri Jun 22 11:33:38 EDT 2007


| > >    - Quantum Cryptography is "fiction" (strictly claims that it solves
| > >      an applied problem are fiction, indisputably interesting Physics).
| > 
| > Well that is a broad (and maybe unfair) statement.
| > 
| > Quantum Key Distribution (QKD) solves an applied problem of secure key
| > distribution. It may not be able to ensure "unconditional" secrecy
| > during key exchange, but it can detect any eavesdropping. Once
| > eavesdropping is detected, the key can be discarded.
| 
| Secure in what sense? Did I miss reading about the part of QKD that
| addresses MITM (just as plausible IMHO with fixed circuits as passive
| eavesdropping)?
| 
| Once QKD is augmented with authentication to address MITM, the "Q"
| seems entirely irrelevant.
The unique thing the "Q" provides is the ability to detect
eavesdropping.  I think a couple of weeks ago I forwarded a pointer to
a paper showing that there were some limits to this ability, but
even so, this is a unique feature that no combination of existing
primitives can provide.  One can argue about what this adds.  The
current approach of the QKD efforts is to assume that physical
constraints are sufficient to block MITM, while quantum constraints
block passive listening (which is assumed not to be preventable
using physical constraints).  It's the combination that gives you
security.

One can argue about the reasonableness of this model - particularly
about the ability of physical limitations to block MITM.  It does
move the center of the problem, however - and into a region (physical
protection) in which there is much more experience and perhaps
some better intuition.  Valid or not, it certainly is easier to
give people the warm fuzzies by talking about physical protection
than by talking about math....

In the other direction, whether the ability to detect eavesdropping lets
you do anything interesting is, I think, an open question.  I wouldn't
dismiss it out of hand.  There's an old paper that posits a related
primitive, Verify Once Memory:  Present it with a set of bits, and it
answers either Yes, that's the value stored in me or No, wrong value.
In either case, *the stored bits are irrevocably scrambled*.  (One
could, in principle, build such a thing with quantum bits, but beyond
the general suggestions in the original paper, no one has worked out how
to do this in detail.)  The paper uses this as a primitive to construct
"unforgeable" subway tokens:  Even if you buy a whole bunch of valid
tokens, and get hold of a whole bunch of used ones, you have no way
to construct a new one.  (One could probably go further - I don't
recall if the paper does - and have a "do the two of you match"
primitive, which would use quantum bits in both the token and the
token validator.  Then even if you had a token validator, you couldn't
create new tokens.  Obviously, in this case you don't want to scramble
the validator.)
							-- Jerry
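As an added illustration (not part of Jerry's post or of any QKD project's code): a noiseless BB84 simulation showing the eavesdropping detection the "Q" buys, the ~25% error rate an intercept-resend eavesdropper leaves in the sifted key, and why an unauthenticated relay-style MITM across two honest-looking sessions is never seen by that detection. The function names, the ideal-qubit model and the 11% abort threshold are assumptions of this example.

```python
import random

def measure(bit, prep_basis, meas_basis, rng):
    """Ideal single-qubit measurement (bases: 0 = rectilinear, 1 = diagonal).
    A matching basis returns the prepared bit; a mismatched basis returns an
    unbiased random bit and the original value is gone, which is what lets
    the legitimate parties notice an interception."""
    return bit if prep_basis == meas_basis else rng.randrange(2)

def bb84(n, seed, intercept_resend=False):
    """Run a noiseless n-photon BB84 exchange; return (alice_key, bob_key, qber).
    With intercept_resend=True an eavesdropper measures every photon in a random
    basis and re-sends its result, which disturbs about 25% of the sifted bits."""
    rng = random.Random(seed)
    a_bits = [rng.randrange(2) for _ in range(n)]
    a_bases = [rng.randrange(2) for _ in range(n)]
    b_bases = [rng.randrange(2) for _ in range(n)]
    b_bits = []
    for bit, a_basis, b_basis in zip(a_bits, a_bases, b_bases):
        if intercept_resend:
            e_basis = rng.randrange(2)
            bit = measure(bit, a_basis, e_basis, rng)  # Eve's (possibly wrong) result
            a_basis = e_basis                           # re-sent in Eve's basis
        b_bits.append(measure(bit, a_basis, b_basis, rng))
    # Sifting over the public channel: keep positions where both chose the same basis.
    sift = [i for i in range(n) if a_bases[i] == b_bases[i]]
    a_key = [a_bits[i] for i in sift]
    b_key = [b_bits[i] for i in sift]
    errors = sum(x != y for x, y in zip(a_key, b_key))
    return a_key, b_key, (errors / len(sift) if sift else 0.0)

def accept(qber, threshold=0.11):
    """Abort rule: discard the key when the sampled error rate exceeds the
    threshold (11% is used here as a typical BB84 abort bound; an assumption)."""
    return qber <= threshold

def relay_mitm(n, seed):
    """Unauthenticated relay: Mallory runs one honest-looking session with Alice
    (posing as Bob) and another with Bob (posing as Alice).  Both legs show zero
    QBER, so eavesdropping detection alone never fires; only authentication of
    the classical channel rules this case out."""
    a_key, m_key_a, q_alice = bb84(n, seed)
    m_key_b, b_key, q_bob = bb84(n, seed + 1)
    mallory_knows_both = (m_key_a == a_key and m_key_b == b_key)
    return q_alice, q_bob, mallory_knows_both
```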


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
