A New Spin on Quantum Cryptography: Avoiding Trapdoors and Embracing Public Keys - Post-Quantum Cryptography

Cryptography Reference

In-Depth Information

Definition 3 (Quantum-resistant key-establishment protocol (with

respect to privacy)). Assuming the above definitions, a point-to-point key-

establishment protocol π is quantum-resistant (with respect to privacy) if, for

any such distinguisher, the quantity

Pr[ B =1

]

−

Pr[ B =1

( π )]

(3)

is negligible for all suciently large n ,where Pr[ B =1

] and Pr[ B =1

( π )]

are the probabilities that B =1 when the distinguisher interacts with

and

( π ) , respectively.

We give this (semi-formal) definition for completeness; we refer the reader to

Refs [14,15,7,16] for how to rigorize such a definition.

As a final specification of our basic setup, it will be helpful to define the

classical communication c in a key establishment protocol. For classical proto-

cols, the classical communication is all the communication between Alice and

Bob. For arbitrary (quantum) protocols, defining the classical communication is

a bit more subtle; we refrain from giving a formal definition here (for the sake

of the reader who may be unfamiliar with quantum measurement). Rather, for

the quantum protocols we care about, it suces to define the classical commu-

nication tautologically as the classical communication specified in the protocol,

since these protocols clearly and naturally distinguish the classical and quantum

information sent between Alice and Bob.

The contenders. Below are listed and defined two main classes of point-to-

point uke protocols as well as the five main classes of point-to-point ake pro-

tocols that are considered in the literature when evaluating the usefulness of

quantum cryptography in comparison to classical techniques for key establish-

ment. These classes, as defined, do not cover all conceivable protocols, but do

cover all the ones that are usually considered (which suces here). In defining

these classes, we restrict to quantum-resistant protocols (because the universe

is quantum). It will help to view the quantities k A , k B , k , s ,and c introduced

above as random variables. For example, in the case of symmetric initial keys,

the quantity k may be viewed as a uniformly distributed random variable in

{

,forsomefixed

> 0 that determines the length of the initial keys.

0 , 1

}

∈ Z

Unauthenticated key establishment protocols:

•

Classical uke ( c-UKE )—This class includes any quantum-resistant and to-

tally classical uke protocol. It includes unauthenticated key transport proto-

cols based on public-key encryption (but not those based on symmetric-key

encryption).

•

Quantum uke ( q-UKE )—This class includes any quantum-resistant uke pro-

tocol such that, whenever Eve has not interfered with the protocol, the secret

key s is independent of the classical communication c , i.e., for all values c

of the classical communication and all values s of the secret key,

Pr[ s = s |

c = c ]=Pr[ s = s ] .

(4)

Post-Quantum Cryptography

Search WWH ::

Custom Search

Home