Cryptography Reference
The physical nature of a QKE system leads to the consideration of new kinds
of attacks and adversaries. Because two different channels are used, Eve
can now operate differently on each of them.[13] Thus an adversary can
be defined by whether it is passive, delayed, or active on the classical and
quantum channels respectively; e.g., (p,p) means “passive on both channels”
and (a,d) means “active on the classical channel and delayed on the quantum
channel”.
With these terms in place, Table 3 shows how q-AKE-protocols have advantages
over the other classical protocols that also assume (at most) one-way functions,
for certain types of adversary; the table indicates whether secure key can
be established when the initial keys have been revealed. For any situation where
an immediate active attack is not deployed for whatever reason (e.g. not
technologically feasible, or not a high priority at the time), a passive adversary who
knows the initial keys loses the ability to compromise the secret key later, should
she subsequently become an active attacker. Note that if “sc-AKE” appeared in the
leftmost column of the table, the corresponding row of “yes”/“no” values would
look the same as the row corresponding to the class q-AKE.
Table 3. Security against reveal of initial keys. The entries (yes/no) of the chart
indicate whether the secret key generated from the key establishment protocol is secure
under the reveal of either Alice's or Bob's initial key for the given adversary (see the
main text for an explanation of the notation used to define the adversaries). The class
sc-AKE does not appear, since we are not assuming trapdoor predicates (and there is
no known sc-AKE-scheme that does not imply trapdoor predicates).
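
| Class  | (p,p) | (d,d) | (a,p) | (a,d) | (a,a) |
|--------|-------|-------|-------|-------|-------|
| OOB    | no    | no    | no    | no    | no    |
| PGE    | no    | no    | no    | no    | no    |
| wc-AKE | no    | no    | no    | no    | no    |
| q-AKE  | yes   | yes   | yes   | yes   | no    |
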
Note that, in order to break a q-AKE-protocol (or, more precisely, break
the cryptosystem that comprises the q-AKE-protocol), Eve, knowing all the
initial keys, can mount an active and sustained “man-in-the-middle” attack;
furthermore, for a q-AKE_sym-system, the active attack must occur during the first
instance of the protocol (as any subsequent instance will use different and
independent initial keys). In large networks, this may pose a considerable challenge
for Eve, depending on when she learns the initial keys and whether the
connections among users are fixed or ad-hoc.
Remark 18 (Perfect forward secrecy). Note that Advantage 1 is different
from perfect forward secrecy, a much weaker notion referring to whether secret

[13] We define “passive” on the quantum channel to mean having no access, since it is
difficult to formulate a definition of “read only” for a quantum channel. Measurement,
which seems necessary for reading, is an active process.