Cryptography Reference
It includes (some versions of) the well-known qke protocols and can easily be shown not to include any classical protocols.^7
Remark 4 (Secret key agreement). The cryptographic primitive realized by protocols in c-UKE is usually referred to as secret key agreement (or sometimes just secret agreement) in the literature. Note that this primitive is also realized by protocols in q-UKE.
Authenticated key establishment protocols:
• Out-of-band key establishment (OOB)—This class includes any ake protocol where Alice and Bob are preloaded with the secret key out of band, i.e.,

$$s = k_A = k_B. \tag{5}$$

It includes protocols that employ a trusted courier. The initial keys in such protocols are typically much larger than in protocols belonging to the classes below.
• Pseudorandom generator expansion (PGE)—This class includes any quantum-resistant and totally classical ake protocol not in OOB that uses symmetric initial keys where Alice and Bob establish a secret key that is efficiently computable from the initial keys, i.e., there exists a deterministic-polynomial-time classical algorithm $A$ such that

$$s = A(\pi, k). \tag{6}$$

It includes protocols that use a pseudorandom generator to expand the initial keys into a secret key.
• Weak classical ake (wc-AKE)—This class includes any quantum-resistant and totally classical ake protocol in neither PGE nor OOB that uses symmetric initial keys. Note such protocols have the property that the secret key is efficiently computable from the initial keys and the communication, i.e., there exists a deterministic-polynomial-time classical algorithm $A$ such that

$$s = A(\pi, k, c). \tag{7}$$

The class includes authenticated key transport protocols based on symmetric-key encryption.
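
The defining equations (6) and (7), as an added example that is not from the original text: a Python sketch in which SHAKE-256 plays the pseudorandom generator and a SHAKE-256 keystream with HMAC-SHA-256 plays the symmetric-key encryption. Those primitive choices, the label `PI` standing in for π, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PI = b"example-protocol-v1"  # assumed public protocol label standing in for pi

def prg(seed: bytes, label: bytes, n: int) -> bytes:
    """SHAKE-256 used as the pseudorandom generator (assumed choice)."""
    return hashlib.shake_256(len(label).to_bytes(2, "big") + label + seed).digest(n)

def pge_key(pi: bytes, k: bytes, n: int = 32) -> bytes:
    """PGE, eq. (6): s = A(pi, k). No communication enters the computation."""
    return prg(k, pi + b"|session", n)

def transport_send(pi: bytes, k: bytes, s: bytes) -> bytes:
    """wc-AKE sender: encrypt-then-MAC a fresh s under k; returns transcript c."""
    nonce = secrets.token_bytes(16)
    stream = prg(k, pi + b"|enc|" + nonce, len(s))
    body = nonce + bytes(a ^ b for a, b in zip(s, stream))
    tag = hmac.new(prg(k, pi + b"|mac", 32), body, hashlib.sha256).digest()
    return body + tag

def wc_ake_key(pi: bytes, k: bytes, c: bytes) -> bytes:
    """wc-AKE, eq. (7): s = A(pi, k, c). Bob, or anyone holding k and c, runs this."""
    body, tag = c[:-32], c[-32:]
    expect = hmac.new(prg(k, pi + b"|mac", 32), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("transcript failed authentication")
    nonce, ct = body[:16], body[16:]
    stream = prg(k, pi + b"|enc|" + nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

if __name__ == "__main__":
    k = secrets.token_bytes(32)        # constructed initial key, k_A = k_B
    s = secrets.token_bytes(32)        # Alice's fresh session key
    c = transport_send(PI, k, s)       # everything that crosses the channel
    assert wc_ake_key(PI, k, c) == s   # recovery from (pi, k, c) alone
    assert pge_key(PI, k) == pge_key(PI, k)  # PGE: k fixes s completely
    print("recovered s via eq. (7); PGE key is a function of k only, eq. (6)")
```

Because `wc_ake_key` needs only `k` and the recorded `c`, an initial key that leaks later exposes every session key whose transcript was captured, so protection of `k` bounds the secrecy of keys from both classes.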
^7 We note that not all versions of the well-known qke protocols satisfy this definition. We sketch a proof of the latter fact that no purely classical protocol can be quantum resistant and satisfy (4). Let $r_A$ and $r_B$ be binary strings encoding the private local randomness that Alice and Bob respectively use in the protocol. Consider the sequence $c_1, c_2, \ldots$ of messages passed between Alice and Bob. Each $c_i$ places constraints on the values of $r_A$ and $r_B$. Since, at the end of the protocol, the secret key $s$ is uniquely determined, it must be that $r_A$ and $r_B$ are determined by the classical communication $c$ up to implying a unique $s$, i.e., $H(s|c) = 0$, where $H$ is the Shannon entropy. For any two random variables $X$ and $Y$, $H(X|Y) = H(X)$ if and only if $X$ and $Y$ are independent [17]. Therefore, if (4) holds, then $H(s) = H(s|c) = 0$, so that $s$ is a constant and thus the protocol is not quantum resistant.