We hope the reader finds that this article benefits from a more precise cryptographic analysis, despite the narrower scope that comes with taking an idealized view and thus not discussing the more technological or economic aspects of qke (including side-channel attacks). In other words, this paper studies the value of the qke primitive assuming it is available in practice and is as cost-effective as any type of “in-band” classical key establishment (see Definition 1). 3 We adopt the same foundational approach that Goldreich does in Refs. [7,8]. This basically means that, when reviewing which computational assumptions are known to be necessary or sufficient for certain cryptographic primitives, we ignore those assumptions (and the schemes based on them) that are ad hoc: we deal only in fundamental computational assumptions, in particular, one-way functions and trapdoor predicates.
But the foregoing analysis is not as complete as it could be. In particular, we do not treat the distributed authenticated key establishment problem (i.e., in a network setting and where simultaneous, multiple key establishment sessions among many pairs of users are considered) as rigorously as it deserves (e.g. [9,10]). That is, we implicitly assume that point-to-point 4 unauthenticated key establishment protocols (whether they be key transport protocols or key agreement protocols 5 ) and message-authentication protocols (whether they be digital signature schemes or message authentication codes) may be combined in such a way as to form robust distributed authenticated key establishment protocols, without stating the details of how this combining—especially with regard to authentication—actually works. 6
This deficiency is manifest in the definition of
3 The practical availability of the qke primitive between a typical real-world Alice and Bob is a very non-trivial assumption. For a fairly recent status report on practical qke systems, one can see Ref. [6], where it is evident that key-rate, distance and availability remain serious obstacles for most practical applications today. In the cases where one believes that qke could in principle add value, one will need to do an in-depth analysis of the various costs and practical limitations before deciding whether in some particular practical situation qke will be the preferred alternative. Weighing the costs against the value depends on many parameters which vary widely from place to place and over time, and analyzing this broad spectrum is beyond the scope of this paper.

4 By “point-to-point” protocols or key establishment systems we mean those that presume a unique pair of honest participants in the protocol; in other words, Alice and Bob are fixed.

5 Recall that a key transport protocol is a key establishment protocol where the final secret key is generated by one party and sent to the other party (using some kind of encryption mechanism). By contrast, a key agreement protocol is a key establishment protocol where both parties contribute to the generation of the final secret key. See Ref. [11] for more details.

6 We follow Ref. [11] in our use of the terms “authenticated (key establishment)” and “unauthenticated (key establishment)”. In this convention, the word “(un)authenticated” describes the guaranteed condition of the final shared key resulting from the protocol. We note that this convention is the opposite of that in Ref. [8], where “(un)authenticated” describes the a priori assumption on the (classical) communication channel used in the protocol.