At 08:35 PM 1/16/01 -0800, [EMAIL PROTECTED] wrote:
>To recap, a group of cryptographers wants to communicate anonymously,
>without the sender of a message being traced.
To recap in more detail, as I understand it:
1) The desired result is a plain broadcast message, open to the world
(including Eve).
2) Another desired property is that nobody can determine who in the
group originated the message.
3a) For the original dining philosophers, there is a first phase where
participants exchange random keys pairwise in private.
3b) The point of _shining_ philosophers is that this phase is absent.
4) Thereafter there is a second phase wherein open messages are passed
among the participants. Eve can tap these messages in any way permitted by
the laws of physics.
If this is not a correct statement of the problem, please clarify.
>In the case of circulation counts greater than 1, each individual rotation
>can be chosen in such a way that it is uniformly distributed between 0
>and 180 degrees.
Fine. We are using the physics of photons to do modular arithmetic, mod
180 degrees.
>Now we asssume that Eve, the eavesdropper, has corrupted some of the
>cryptographers and is able to make them behave improperly. She wants
>to determine who is sending a given message by making extra measurements
>on the photon as it passes through the stations she has corrupted.
IMHO that's an odd threat model. If she has corrupted the actual sender,
the problem is trivial. If she has corrupted all stations except the
actual sender, the problem is trivial. If she has corrupted M out of the N
total stations, she can narrow down the sender to one of the N-M
uncorrupted stations.
Based on Hal's statements below, I assume the threat model also includes
attempts by Eve to tap the phase-2 communications between the
participants. I assume this was just accidentally not mentioned above.
>Note that photon polarization is a two-state system. Once a basis has
>been chosen for measuring the polarization, any such measurement collapses
>the photon into one of the two pure states of that basis. Eve has the
>power to choose the basis she will use for her measurement, but she cannot
>avoid collapsing the photon state.
That is not a fully correct statement of the physics. We agree that there
exist a class of measurement operators ("strong" measurements) which do
behave as described above. However, there also exist "weak" measurements
which couple only weakly to the signal being measured. They return less
information than a strong measurement, and perturb the signal to a lesser
degree.
This is important because any real-world quantum computer would have to
make allowances for imperfections in its own apparatus. A skillful
eavesdropper could conceal her actions by making them look like only a
small increase in the natural noise.
Classical algorithms do not share the same vulnerability, since they can
make sure that each piece of the apparatus is very reliable.
>Eve's effect on the photon does not depend on where
>she makes the measurement, and for simplicity we can consider the case
>where the measures the photon immediately before it is measured by the
>final cryptographer.
This seems to overlook the possibility of multiple weak
measurements. Beware, the laws of physics do not exclude this.
>The first result I have is that ...
The aforementioned quibbles about the physics, and about the threat model,
somewhat undermine the conclusions. It may be possible to re-establish the
main conclusions, but it appears a more detailed argument is necessary.