Cryptography Reference
In-Depth Information
keys established in past sessions (with old initial keys no longer stored on
Alice and Bob) are secure once current initial keys are revealed. While
q-AKE-protocols certainly have perfect forward secrecy, Bernstein [5] has noted
that well-implemented PGE-protocols do, too.
Advantage 2: Reduced dependence on out-of-band actions
Because a q-AKE_sym-protocol generates secret key that is independent of the
initial keys and the classical communication, initial keys can be smaller in the
q-AKE_sym-protocol than in an OOB-protocol, i.e., less initial entropy is needed to
prime the system. Also, a q-AKE_sym-system may require fewer subsequent out-of-
band actions for refreshing initial keys, compared to PGE- and wc-AKE-systems
(at the very least because the latter are more vulnerable to initial-key-reveal
attacks—see above).
Advantage 3: Reduced dependence on trusted third parties
In a network, key establishment can be done in a mediated fashion, via a trusted
key distribution centre, whose job is to give session keys to Alice and Bob so that
they may communicate securely. As part of the setup, every user in the network,
including Alice and Bob, shares an initial key (established out of band) with
the key distribution centre; in principle, these initial keys may be asymmetric
or symmetric. An example of such a system is Kerberos, where the initial keys
are symmetric, and, upon request by either Alice or Bob, the key distribution
centre generates a symmetric key and sends it (encrypted using the initial keys)
to Alice and Bob, who then use it to encrypt and decrypt messages between each
other.
Quantum key establishment may also be done in a mediated fashion, so that
the channels connecting Alice to Bob go through a key distribution centre, which
gives Alice and Bob a session key to be used as a symmetric initial key in a
q-AKE_sym-protocol.
If trapdoor predicates are not assumed to exist, then any classical mediated
key establishment system must use symmetric initial keys; this is because the
key distribution centre must send keys to Alice and Bob, and these keys must
be, at least partially, encrypted (assuming the key distribution centre is not to
play an active part in the communication between Alice and Bob). Similarly, the
session keys must be symmetric keys, too.
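An added example, not from the original text: a Python sketch of the classical mediated scheme described above, in which the key distribution centre wraps one session key under each party's symmetric initial key and therefore remains able to read traffic protected by that session key. The `KDC` class, the `seal`/`unseal` helpers (an HMAC-SHA256 encrypt-then-MAC construction standing in for a real cipher), the user names and the sample message are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

def _subkeys(key):
    # Separate encryption and MAC keys derived from one symmetric key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real cipher.
    stream = b""
    for ctr in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(enc, nonce, plaintext)
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return _xor_stream(enc, nonce, ct)

class KDC:
    def __init__(self):
        self.initial_keys = {}  # user -> symmetric initial key, set up out of band
        self.issued = {}        # the KDC generated each session key, so it knows it

    def enroll(self, user):
        self.initial_keys[user] = secrets.token_bytes(32)
        return self.initial_keys[user]

    def session(self, a, b):
        k = secrets.token_bytes(32)
        self.issued[(a, b)] = k
        # The same session key, wrapped once under each party's initial key.
        return seal(self.initial_keys[a], k), seal(self.initial_keys[b], k)

def demo():
    kdc = KDC()
    ka, kb = kdc.enroll("alice"), kdc.enroll("bob")
    for_a, for_b = kdc.session("alice", "bob")
    k_a, k_b = unseal(ka, for_a), unseal(kb, for_b)
    wire = seal(k_a, b"constructed sample message")  # Alice -> Bob
    return k_a == k_b, unseal(k_b, wire), unseal(kdc.issued[("alice", "bob")], wire)
```

`demo()` returns whether Alice and Bob recovered the same session key, what Bob decrypts, and what the KDC decrypts from the same ciphertext.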
Comparing any classical mediated key establishment system to one where
Alice and Bob use their symmetric session keys as initial keys in a
q-AKE_sym-protocol, we see that, in the quantum case, Alice and Bob do not need to trust
the key distribution centre after their key establishment protocol is complete.
By contrast, in the classical case, the key distribution centre must always be
trusted, since it knows the keys that Alice and Bob use to communicate securely.
As well, Alice and Bob may be able to decouple themselves completely from the
 