key distribution centre after their first q-AKE_sym-session. Thus, any compromise of the key distribution centre after the first q-AKE_sym-session does not necessarily affect Alice and Bob.
Advantage 4: Long-term security from short-term security
The secret key generated by any q-AKE-protocol will be information-theoretically secure even if the authentication algorithm is broken in the short term—as long as the break occurs after the key establishment protocol is completed. We may refer to this as “conditional information-theoretic security”. This allows for the use of authentication algorithms that are perhaps less secure in the long term but are easier to manage with regard to initial keys, i.e., public-key algorithms.
Note that any q-AKE_pub-system has the extra advantage over a q-AKE_sym-system that it is less susceptible to running out of authentication key due to noise or eavesdropping, because there is no practical limit on how many classical messages may be authenticated. In other words, using public-key authentication guards against at least one type of denial-of-service attack.
Also, Alice and Bob may not need to rely on the same type of authentication used for the first q-AKE-session for subsequent q-AKE-sessions, i.e., for the first session, Alice and Bob may execute a q-AKE_pub-protocol, but, for all subsequent sessions (in principle, i.e., in the absence of sufficiently heavy adversarial action or noise), they may execute a q-AKE_sym-protocol. Two potential advantages of such a two-phase system are that (1) subsequent key establishment sessions may run faster (since the symmetric-key algorithms may be more efficient than public-key algorithms for the required level of security) and (2) subsequent key establishment sessions may not need to rely on any computational assumptions.
If quantum computers can be assumed not to exist in the short term, i.e., for
the service-lifetime of the public keys, then one can even use public-key signature
schemes whose security relies on the assumption of hardness of factoring and the
discrete logarithm problem for classical computers.
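As an added illustration (not from the paper), the following Python model simulates the two-phase key-management policy just described: the first session is authenticated with a public-key scheme, each successful session reserves part of its output as a one-time symmetric authentication key for the next session, and an aborted session (noise or eavesdropping) consumes that key and forces a fall back to public-key authentication. The quantum step is a stub returning random bytes, the public-key signature is a stub, and HMAC-SHA256 stands in for an information-theoretic MAC; all of these are assumptions of the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional

AUTH_KEY_BYTES = 32  # output bytes reserved to authenticate the *next* session (assumption)

@dataclass
class Party:
    name: str
    auth_key: Optional[bytes] = None          # one-time symmetric auth key; None -> use public-key auth
    session_keys: List[bytes] = field(default_factory=list)

def qke_raw_key(nbytes: int, abort: bool) -> Optional[bytes]:
    """Stub for the quantum key-establishment step (constructed): fresh random
    key material, or None when the session aborts because of noise/eavesdropping."""
    return None if abort else os.urandom(nbytes)

def authenticate_classical_messages(alice: Party, bob: Party, transcript: bytes) -> str:
    """Authenticate the classical transcript and return the mode used.
    'sym': HMAC with the one-time key from the previous session (consumed here, success or not).
    'pub': public-key signature (stubbed); consumes no pre-shared key."""
    if alice.auth_key is not None and bob.auth_key is not None:
        tag = hmac.new(alice.auth_key, transcript, hashlib.sha256).digest()
        ok = hmac.compare_digest(tag, hmac.new(bob.auth_key, transcript, hashlib.sha256).digest())
        alice.auth_key = bob.auth_key = None  # one-time use: never reuse an IT-secure MAC key
        if not ok:
            raise ValueError("authentication failed")
        return "sym"
    return "pub"

def run_session(alice: Party, bob: Party, abort: bool = False, out_bytes: int = 64):
    """One q-AKE session. Returns (auth mode used, whether a session key was produced)."""
    transcript = b"constructed classical transcript for session %d" % len(alice.session_keys)
    mode = authenticate_classical_messages(alice, bob, transcript)
    raw = qke_raw_key(out_bytes, abort)
    if raw is None:
        return mode, False  # any sym key is already spent: the next session must fall back to 'pub'
    next_auth, session_key = raw[:AUTH_KEY_BYTES], raw[AUTH_KEY_BYTES:]
    alice.auth_key = bob.auth_key = next_auth  # reserve key for the next session's authentication
    alice.session_keys.append(session_key)
    bob.session_keys.append(session_key)
    return mode, True

def run_chain(aborts):
    """Run one session per entry in `aborts` (True = that session aborts); return the modes used."""
    alice, bob = Party("Alice"), Party("Bob")
    return [run_session(alice, bob, abort=a)[0] for a in aborts]
```

`run_chain([False, False, True, False, False])` yields `['pub', 'sym', 'sym', 'pub', 'sym']`: the third session spends its symmetric key and aborts, so the fourth must be authenticated with the public-key scheme before the symmetric chain resumes.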
We believe that its ability to derive long-term from short-term security, also known as everlasting security,[14] may be the most attractive aspect of qke systems from a security perspective.
The baby...

The advent of public-key cryptography revolutionized secure telecommunications, by vastly simplifying the problems of key distribution and key management: Alice and Bob no longer needed to pre-share a symmetric key. Instead, Alice could publish her own public key, and that would be sufficient for her to receive encrypted messages from anyone who got a hold of it.
Of course, “publishing” a public key is easier said than done, but public-key
cryptography helps solve this problem, too. A signature scheme can be used
[14] The term “everlasting security” has been used in the context of the bounded storage model (see, e.g., Ref. [28]), where, e.g., it describes the case where encryption is secure even if the adversary, at some later time, learns the pre-shared symmetric key, as long as, at the time of transmission of the ciphertext, the adversary has bounded storage capability (see Ref. [29]). The term seems equally well suited to qke.