Objection 1: Quantum computers are not known to be able to break all classical public-key cryptosystems, such as the McEliece cryptosystem or those based on lattice problems; so we can just upgrade to these quantum-resistant cryptosystems and forget quantum cryptography—that way, we'd retain all the benefits of a public-key infrastructure.
Objection 2: If all of classical public-key cryptography is found to be easily breakable, then we might as well revert to using our best symmetric-key cryptography, including block ciphers like AES, which we all agree is quantum resistant; quantum cryptography would require symmetric shared initial keys anyway in this case, so it wouldn't gain us anything.
Objection 3: We don't need any means of key distribution, let alone a quantum mechanical one—let's just exchange a lifetime's worth of symmetric keying material at the start. If for whatever reason we do need new keys, see Objection 4.
Objection 4: We don't need any means of generating independent secret key over telecommunication links—let's just use a trusted courier each time we need independent secret key.
We address all of these objections.
Not Quantum Cryptography Again. Like in pro-quantum-cryptography articles that have come before this, we assume here that the universe is quantum mechanical, so that, at a minimum, the secret key generated by a secure key-establishment protocol must be secure against an adversary able to perform probabilistic-polynomial-time computations on a quantum computer. As well, as stated by Stebila et al. [4], we “expect the costs and challenges of using [QKE] to decrease to the point where [such] systems can be deployed affordably and their behaviour can be certified.” In fact, most of the advantages of quantum cryptography that we point out here have been noted by Paterson et al. [2] or Stebila et al. [4].
Despite these similarities to previous works, our analysis contains distinct new features: it

- suggests a new way to define the classes of classical and QKE protocols, in order to aid their comparison,
- deals properly with the option of using trusted couriers instead of QKE, by distinguishing between in-band and out-of-band actions,
- uses the weakest possible notion of “security” in a quantum universe (i.e. computational security), and therefore does not focus on information-theoretic security—for its own sake—as an advantage of QKE over computationally-secure classical alternatives,
- provides a finer-grained analysis of the computational assumptions underlying the classical alternatives to QKE,
- highlights a property (we call it “nonattributability”) of QKE that has received little attention in the literature, and
- supports a recommendation that is both theoretically and practically sound, which both sides of the “quantum debate” can agree upon.