Archive for February, 2006
I never knew the origin of this phrase.
This is a long post. If you don’t read all of it, please read the last sentence. Kish’s scheme depends on the behavior of individual atoms and electrons. Classical electrodynamics does not deal with point charges or individual particles, and does not predict the Johnson-Nyquist noise. The scheme is not so classical as it might appear.
Regarding Matthew Skala’s comments here and on his web site http://ansuz.sooke.bc.ca/software/security/kish-classical-crypto.php:
See especially the new preprint http://arxiv.org/pdf/physics/0602013. It mentions that another paper is also in preparation which will address practical issues.
Skala is concerned that Eve can record voltage and current as function of time at high bandwidth and at several positions along the wire. This would then help determine which end has the larger resistor, because of propagation delays. Note that Eve does not have to inject any current into the wire.
for a derivation of the Nyquist relation. See also http://en.wikipedia.org/wiki/Fluctuation_dissipation_theorem.
(Laszlo: perhaps you would contribute to that article, which is a little sparse?)
The average squared noise voltage <V^2> across a resistor is directly proprotional to bandwidth delta nu (Hz). Higher bandwidth gives higher <V^2>. But the wire has a limited bandwidth. Also, in the practical case described in the new preprint, there are low-pass filters at each end of the wire limiting the bandwidth of the noise. Thus, Eve can measure the voltage at high bandwidth, but the low-pass filters will smooth out the signal Eve was hoping to observe.
Information leakage due to taps at each end of a wire which has finite resistance is to be avoided by choosing suitable resistor values such that there will not be enough time to determine the position of the larger resistor before the end of the clock period.
Bollinger’s concerns that this classical method lacks something which is present in the quantum approach:
In my opinion, the difference between “classical” and “quantum” physics is much overrated. As Einstein noted, “there is, strictly speaking, today, no such thing as a classical field-theory” (A.E. Philosopher Scientist, P.A. Schilpp, ed., vol 2 p. 675). The work of Maxwell, Boltzmann, Gibbs, and others on electrodynamics and statistical mechanics is quite different from Newtonian mechanics. But regardless of how we define a classical theory, the problem here arises because people suppose they know for sure that there is a “classical domain” and a “quantum domain” and that experiments in the classical domain somehow cannot benefit from quantum effects.
In “quantum cryptography,” the actual physical state of the photon (e.g. its polarization) cannot be known before it is measured, and even then, only the measurement result is known, not the full state. Because a single photon (or a pair of entangled photons) is involved, we are supposed to believe that this is fundamentally different from the situation where one or another macroscopic resistor is switched into a circuit. But, with the resistor, there are also many things which cannot be known even after the measurement. We know nothing about the microscopic environment of each electron in the resistor, and after we measure a noise voltage, we know only the average squared voltage. Just as measuring photon polarization tells us almost nothing about the full state of the photon, measuring the voltage tells us very little about the microscopic state of the resistor.
Look at the Sonoda derivation of the Nyquist relation. A resistor is modeled as containing N electrons distributed along length L. Each electron has thermal kinetic energy in the x direction of 1/2 kT, and there is a local electric field which accelerates it randomly. All we know about these fields is that they average to zero, that they are uncorrelated, and that they must maintain the average kinetic energy 1/2 kT for each electron. From this we derive the Johnson noise.
One may consider a theory classical if it doesn’t involve Planck’s constant, but I suggest that the appearance of Boltzmann’s constant also makes the theory non-classical. Individual particles and point sources are non-classical.
In quantum cryptography, detection of the evesdropper occurs when Alice and Bob learn they had their polarizers set at equal angles but did not observe compatible results. (By the way, in QC, the transmitted key is used only after Alice and Bob determine that it was not overheard, so the fact that evesdropping is not noticed instantly is not a problem). In Kish’s scheme, evesdropping is detected when Alice and Bob find that they are measuring significantly different voltages and currents.
The point is, in both schemes, the evesdropper cannot measure the physical property of interest without disturbing it. There is nothing more magical about polarization of a single photon than there is about the voltage and current arising from a pair of resistors at opposite ends of a wire. To detect the polarization of a passing photon, you have to insert a polarizer into the fiber. To determine the location of the larger resistor, you have to inject current into the wire. The low-pass filters and the finite clock period serve the same purpose as the photon number: there is not enough information available to a passive evesdropper to detect the randomly chosen polarization or resistance setting, but Alice and Bob know their own instrument setting, and hence have enough additional information to establish a shared secret.
Archimerged has been sidetracked the past couple of weeks. He was working on the P-V and T-S diagrams for the Ericsson Cycle. They will be in SVG, scalable vector graphics, and use color to show T-S on the same diagram as P-V.
But for various reasons he got temporarily obsessed with anonymity, and was looking at how various anonymous web access systems work. That won’t help keeping his identity secret, since he already signed up on lots of systems without the benefit of an anonymous proxy, but the question is interesting anyway.
Thinking of running a proxy node himself, he realized that he can’t be sure of keeping a private key private. A video camera hidden in the ceiling over his keyboard could grab his passphrase… Then his node is compromised even though he himself didn’t give anyone his key. So what sort of system would he trust to keep a secret?
- It can’t have any non-volatile storage except ROM.
- It has to have very simple software and not do very much.
- It has to be kept inside a faraday cage and be sealed in such a way that any attempt to open the box shorts out the power and erases all memory. (Many years ago Archimerged ran across a similar idea in Atlas Shrugged, just to give credit where it is due without making any endorsement of Ayn Rand.)
- Two of these systems need to be able to share a secret across an unsecure wire. See http://www.ece.tamu.edu/~noise/research_files/research_secure.htm
- Anyone should be able to examine the system and know that it has not been tampered with or bugged.
This works for secrets that are temporary and replacable, like session keys. But what about the encryption key for his permanent data storage? For this, he wants a system that permits him to enter a key from memory in a way which cannot be snooped out.
He imagines a small tube-shaped monocular with a color display of perhaps 400×400 pixels that can only be seen by the person looking down the tube, and a button that can be pressed when the cursor points at the proper location. An image, say of the Mandelbrot set, is displayed, and a cursor jumps at random around the image. When it lands close to the correct point, the user presses the button and the image zooms in to that point. The process is continued at higher resolution, to select additional bits of key. Once the key is entered, it is transmitted securely to the system which needs it, such as the hard disk encryption device.