Cryptography Reference
In-Depth Information
Strong
8
classical
ake
(
sc-AKE
)—This class includes any quantum-resistant
and totally classical
ake
protocol, where Alice and Bob establish an authen-
ticated secret key
s
that is not functionally dependent on the initial keys
k
A
and
k
B
, i.e., there exists a deterministic-polynomial-time classical algorithm
A
such that
•
s
=
A
(
π, r
A
,r
B
)
,
(8)
where
r
A
and
r
B
are (random variables representing) the private local ran-
dom choices of Alice and Bob respectively (made independently of the initial
keys). It includes authenticated key transport protocols based on public-key
encryption (but not those based on symmetric-key encryption); more gener-
ally, it includes the “authenticated version” of any quantum-resistant
uke
protocol, where the initial keys are used (only) to authenticate all the com-
munication of the protocol (see Remark 9).
•
Quantum
ake
(
q-AKE
)—This class includes any quantum-resistant
ake
pro-
tocol such that, whenever Eve has not interfered with the protocol, the secret
key
s
is independent of the initial keys and the classical communication
c
,
i.e., for all values
k
A
and
k
B
of the initial keys and all values
c
of the classical
communication and all values
s
of the secret key,
Pr[
s
=
s
|
k
A
=
k
A
,k
B
=
k
B
,c
=
c
]=Pr[
s
=
s
]
.
(9)
It includes the authenticated versions of the
q-UKE
-protocols and can easily
be shown not to include any classical protocols (similarly to the class
q-UKE
).
Remark 5 (Possible emptiness of classical classes).
Of the classes of
in-band key establishment protocols, only
q-UKE
and
q-AKE
are known to be
nonempty.
Remark 6 (Key pre-distribution v. dynamic key establishment).
The
union of the classes
OOB
and
PGE
contains protocols referred to collectively as
key pre-distribution schemes
[11], which is why we label these two classes differ-
ently. Note that there is no need to authenticate the in-band communication in
these protocols because there is none. Protocols that are not key pre-distribution
schemes are said to accomplish
dynamic key establishment
.
Remark 7 (Definition of
).
The class
sc-AKE
may contain protocols
that use the “quantum public-key cryptosystems” in Ref. [19], since the model
does not stipulate how initial keys are derived (i.e., they could be derived using
a quantum computer).
sc-AKE
8
Our use of the word “strong” differs from that in Ref. [18], where a key establishment
protocol is secure only if it remains secure under the reveal of any subset of the initial
(also called “long-term”) and ephemeral keys that does not contain both the initial
and ephemeral keys of one of the parties. The protocols of the class we define here
need only remain secure under the reveal of the initial keys. Indeed, the “strong” of
Ref. [18] is stronger than ours.
