Jaap-Henk Hoepman, <[EMAIL PROTECTED]>, writes:
> In the `traditional' DC Net, how is absence of a message detected?

A practical implementation of a DC Net would require multiple protocol
layers.  The lowest layer is the "raw" DC net itself, which has the
property that each person sends a bit stream all the time, and the net
produces the XOR of all their bit streams.

To turn this into a practical anonymous transmission net you need a
higher level protocol.  One approach is to have a reservation phase where
someone who wants to transmit outputs a 1 at a random location in a block
of reservation bits which is large enough that collision is unlikely.
Then the various transmitters send their messages in the order that
their 1's appear (they each know which 1 is theirs so they know the order).

Chaum's original paper is available online at
http://www.nyx.net/~awestrop/crypt/diningcr.htm.  The PhD thesis of
Jurjen Bos discusses some of the protocol issues in much more detail.
There were several papers on the topic published at Eurocrypt 89,
including http://www.semper.org/sirene/publ/WaPf1_89DiscoEngl.ps.gz and
http://www.semper.org/sirene/publ/Waid_90fail-stopDC.ps.gz.

> If this is a separately distinguishable outcome of a round, each round may
> return three outcomes: `0', `1' and `none'. To represent these quantum
> mechanically, you need at least a 3-state quantum system (to make the outcomes
> perfectly distinguishable).

Much of the work on higher level protocols would apply to the SC Net as
well as to the DC Net so a two state system should be adequate.  However
if the two state system can be established to be secure, perhaps a three
state system could be developed and could avoid the need for higher level
protocols to some degree.

> In the proposals so far (for using quantum physics to protect the anonymity of
> the sender), the guarantee is not that the sender is always anonymous. It's
> merely that any eavesdropping will be detected. This is a weaker
> guarantee.

Yes, good point, although we can in principle adjust things so that the
eavesdropping will be detected *before* Eve learns anything significant
about the sending party.  In other words, for each photon she disrupts she
learns only a tiny amount of information about where it came from.  She
could be caught before she had learned enough to break the anonymity.

> Moreover, it is not clear how in the current proposal, eavesdropping
> is distinguished from collisions (ie two cryptographers trying to send
> simultaneously).

The higher level protocols are designed to largely prevent collisions.
If those are used, Eve would need to do her measurements during a slot
reserved for one party to transmit.  She would garble the transmitted
data, which would be detectable.  This would not resemble an accidental
collision, but rather intentional disruption by a member of the group.

The higher level protocols do have mechanisms to recover from disruption,
but I don't think those parts would work on the SC Net since they are
cryptographic in nature.  More work would be needed on ways of responding
to evidence of eavesdropping, but at least it can't go on unnoticed.

> Also, using a photon circulation scheme implies that _one_ cryptographer is
> made responsible for firing the photon. This gives him extra power (eg firing
> two photons simultaneously...).

Yes, that could be bad.  I think it would be possible in principle for
the parties to detect the presence of multiple photons without altering
their polarization, but it would present practical difficulties.

> The idea to use quantum physics to get rid of the shared randomness is
> nice. I'm not sure that the approach outlined by Hal can be made to work.

It is still in the early stages of development.  I appreciate the many
helpful comments.

Hal
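
The raw XOR layer and the reservation phase described in the message above, as an added example that is not part of the original message. The pairwise shared pads (as in Chaum's construction), the lowest-slot-first sending order, and the names dc_round, reserve and run_session are assumptions made for illustration.

```python
import secrets

def dc_round(messages, n_bits):
    """Raw DC net round: returns (XOR seen by all, individual broadcasts)."""
    n = len(messages)
    # Assumption: one fresh shared pad per pair of participants (Chaum's scheme).
    pads = {(i, j): secrets.randbits(n_bits)
            for i in range(n) for j in range(i + 1, n)}
    broadcasts = []
    for i, msg in enumerate(messages):
        out = msg
        for pair, pad in pads.items():
            if i in pair:
                out ^= pad          # each pad is applied twice overall, so it cancels
        broadcasts.append(out)
    total = 0
    for b in broadcasts:
        total ^= b
    return total, broadcasts

def popcount(x):
    return bin(x).count("1")

def reserve(slot_choices, block_bits):
    """Reservation phase. slot_choices[i] is a slot index, or None to stay silent.
    Returns (block, turns); turns[i] is i's place in the sending order, or None."""
    block, _ = dc_round([0 if s is None else 1 << s for s in slot_choices], block_bits)
    turns = []
    for s in slot_choices:
        if s is None or not (block >> s) & 1:
            turns.append(None)      # silent, or own 1 cancelled by a collision
        else:
            turns.append(popcount(block & ((1 << s) - 1)))  # 1's before mine
    return block, turns

def run_session(slot_choices, payloads, block_bits=16, msg_bits=32):
    block, turns = reserve(slot_choices, block_bits)
    received = []
    for t in range(popcount(block)):
        msgs = [p if turns[i] == t else 0 for i, p in enumerate(payloads)]
        received.append(dc_round(msgs, msg_bits)[0])
    return block, turns, received

if __name__ == "__main__":
    # Constructed sample: slots are fixed here for reproducibility, not random.
    print(run_session([5, None, 2, None], [0xAAAA, 0, 0xBBBB, 0]))
    # Participants 0 and 1 collide on slot 3: their 1's XOR to 0 and both back off.
    print(run_session([3, 3, 7, None], [0x1111, 0x2222, 0x3333, 0]))
```

A collision between an even number of senders erases the reservation bit, so each of them sees it locally and can retry. An odd collision leaves a 1 in the block and shows up only later, as garbled data in that slot.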
