Cryptography Reference
It includes (some versions of) the well-known qke protocols and can easily
be shown not to include any classical protocols. 7
Remark 4 (Secret key agreement). The cryptographic primitive realized by
protocols in c-UKE is usually referred to as secret key agreement (or sometimes
just secret agreement) in the literature. Note that this primitive is also realized
by protocols in q-UKE.
Authenticated key establishment protocols:
Out-of-band key establishment (OOB)—This class includes any ake protocol
where Alice and Bob are preloaded with the secret key out of band, i.e.,
$$s = k_A = k_B. \tag{5}$$
It includes protocols that employ a trusted courier. The initial keys in such
protocols are typically much larger than in protocols belonging to the classes
below.
Pseudorandom generator expansion (PGE)—This class includes any
quantum-resistant and totally classical ake protocol not in OOB that uses
symmetric initial keys where Alice and Bob establish a secret key that is
efficiently computable from the initial keys, i.e., there exists a
deterministic-polynomial-time classical algorithm $A$ such that
$$s = A(\pi, k). \tag{6}$$
It includes protocols that use a pseudorandom generator to expand the initial
keys into a secret key.
Weak classical ake (wc-AKE)—This class includes any quantum-resistant
and totally classical ake protocol in neither PGE nor OOB that uses
symmetric initial keys. Note such protocols have the property that the secret key
is efficiently computable from the initial keys and the communication, i.e.,
there exists a deterministic-polynomial-time classical algorithm $A$ such that
$$s = A(\pi, k, c). \tag{7}$$
The class includes authenticated key transport protocols based on symmetric-
key encryption.
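The difference between (6) and (7), as an added Python example that is not from the original text: in PGE both parties compute s from k alone, while in symmetric key transport the receiver also needs the communication c. SHAKE-256 as the generator, the XOR-plus-HMAC transport, the use of PI as a stand-in for π (which this section does not define), and all function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

PI = b"example-protocol-v1"  # assumed stand-in for the public protocol description

def prg(seed: bytes, label: bytes, n: int) -> bytes:
    """SHAKE-256 as the pseudorandom generator (assumption); seed is 32 bytes."""
    return hashlib.shake_256(seed + PI + label).digest(n)

def pge_secret(k: bytes, n: int = 64) -> bytes:
    """PGE, eq. (6): s = A(pi, k). No communication enters the computation."""
    return prg(k, b"pge", n)

def transport_send(k: bytes, n: int = 32):
    """Key transport sender: pick a fresh s, send c = (nonce, ciphertext, tag)."""
    s = secrets.token_bytes(n)
    nonce = secrets.token_bytes(16)
    stream = prg(k, b"enc" + nonce, n)
    ct = bytes(a ^ b for a, b in zip(s, stream))
    tag = hmac.new(prg(k, b"mac", 32), nonce + ct, hashlib.sha256).digest()
    return s, (nonce, ct, tag)

def transport_recover(k: bytes, c) -> bytes:
    """wc-AKE, eq. (7): s = A(pi, k, c). Rejects c if the tag does not verify."""
    nonce, ct, tag = c
    expect = hmac.new(prg(k, b"mac", 32), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    stream = prg(k, b"enc" + nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

if __name__ == "__main__":
    k = bytes(range(32))  # constructed 32-byte initial key
    # PGE: Alice and Bob each run the same deterministic expansion of k.
    print("PGE s      :", pge_secret(k).hex()[:32], "...")
    # Key transport: s changes per run, so k alone does not determine it.
    s, c = transport_send(k)
    print("transport s:", transport_recover(k, c).hex())
    print("matches    :", transport_recover(k, c) == s)
```
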
7 We note that not all versions of the well-known qke protocols satisfy this definition.
We sketch a proof of the latter fact that no purely classical protocol can be quantum
resistant and satisfy (4). Let $r_A$ and $r_B$ be binary strings encoding the private
local randomness that Alice and Bob respectively use in the protocol. Consider
the sequence $c_1, c_2, \ldots$ of messages passed between Alice and Bob. Each $c_i$ places
constraints on the values of $r_A$ and $r_B$. Since, at the end of the protocol, the secret key
$s$ is uniquely determined, it must be that $r_A$ and $r_B$ are determined by the classical
communication $c$ up to implying a unique $s$, i.e., $H(s|c) = 0$, where $H$ is the Shannon
entropy. For any two random variables $X$ and $Y$, $H(X|Y) = H(X)$ if and only if $X$
and $Y$ are independent [17]. Therefore, if (4) holds, then $H(s) = H(s|c) = 0$, so that
$s$ is a constant and thus the protocol is not quantum resistant.
 