in conjunction with a network of trusted third parties to help Bob be certain
that he has Alice's legitimate public key.^15 This is probably the reason Rivest
[31] wrote, "The notion of a digital signature may prove to be one of the most
fundamental and useful inventions of modern cryptography."
...the bathwater. There is a price to pay for the advantages of a public-key
infrastructure. Security necessarily depends on assumptions about the hardness
of certain mathematical problems; proofs that such problems are actually hard
seem to be beyond the reach of theoretical computer scientists.
After Peter Shor discovered an efficient quantum algorithm for factoring and
computing discrete logarithms in 1994, QKE protocols, the earliest of which dates
back to 1984, received renewed interest. Most literature on QKE that appeared
in the 1990s and early 2000s focused on protocols in the class q-AKE_sym. And
rightfully so: it is remarkable that symmetric initial keys can be expanded into
much larger, independent, and information-theoretically secure secret keys in
band by exploiting quantum mechanics. As such, these articles, through their
reference to Shor's discovery, may have been seen as suggesting that all
computational assumptions should be jettisoned at the earliest opportunity, for who
knew what problems might next succumb to the power of a quantum computer?
A new spin on quantum cryptography. It was known (though perhaps not
widely) that insisting on unconditional security was not the only way forward in
order to ensure reasonable security against quantum attacks. It was evident that
public-key signature schemes could be used to authenticate the classical channel
in a QKE protocol, and that such a system would have some attractive features;
this idea first appeared in the literature in Ref. [2]. Indeed, in light of Theorem
14 and Table 2, and assuming Conjecture 17 is true, this idea becomes rather
more striking:
Quantum cryptography is the only known way to achieve (quantum-resistant)
private communication in a public-key infrastructure with the minimal
computational assumptions.
(If in addition Conjecture 16 is true, then the word "known" can be dropped.)
In other words, with some abuse of the metaphor, quantum cryptography
potentially allows us to throw out some of the bathwater, i.e., primitives with
a trapdoor property, while keeping most of the baby, i.e., authenticated
encryption without symmetric initial keys, and no classical scheme is known to
accomplish this. At the very least, quantum cryptography certainly allows us
^15 On the Internet, this works as follows. Bob's web browser comes from the
manufacturer pre-loaded with the public key of a trusted third party Charlie. When
Bob wants to communicate with Alice, she shows Bob a certificate which contains
her purported public key and Charlie's signature of the certificate, which also
contains Alice's name (and other uniquely identifying and publicly-agreed-upon
details about Alice). Bob checks that Alice's public key is valid by verifying
Charlie's signature using the pre-loaded public key. In this context, signature
schemes are said to offer "manageable persistence" (via digital signature) of the
binding of a name and a key [30].
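The certificate check in footnote 15, and the idea from the main text that a quantum-resistant signature scheme can authenticate the classical channel of a QKE protocol, both reduce to the same operation: verify a signature over a body that binds a name to a key, using a key you already trust. The following is an added example, not code from the original text or its authors. It uses a Lamport one-time signature built from SHA-256 as the signature scheme, since a hash-based scheme needs no trapdoor primitive and is the kind of computational assumption the text is talking about keeping; the certificate layout, the names Charlie, Alice, Bob and Mallory, and the `check_certificate` policy are assumptions for illustration.

```python
"""Certifying a public key with a hash-based (Lamport one-time) signature.

Added example, not from the original text. Charlie is the trust anchor whose
public key Bob's browser ships with; Alice is the subject; Mallory tries to
substitute her own key. Certificate layout and names are assumptions.
"""
import hashlib
import hmac
import json
import secrets

DIGEST = hashlib.sha256
N_BITS = 256  # SHA-256 digest length in bits; one secret pair per bit


def keygen():
    """Lamport key pair: sk = 256 pairs of random 32-byte values,
    pk = the SHA-256 image of every one of those values."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N_BITS)]
    pk = [(DIGEST(a).digest(), DIGEST(b).digest()) for a, b in sk]
    return sk, pk


def _bits(message):
    """Digest bits, most significant first, one per Lamport pair."""
    d = DIGEST(message).digest()
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(N_BITS)]


def sign(sk, message):
    """Reveal, for each digest bit, the preimage selected by that bit.
    ONE-TIME: signing two messages with one sk reveals preimages for both
    values of many bits, after which an attacker can forge."""
    return [sk[i][b] for i, b in enumerate(_bits(message))]


def verify(pk, message, signature):
    """Each revealed preimage must hash to the pk entry chosen by the bit."""
    if len(signature) != N_BITS:
        return False
    ok = True
    for i, b in enumerate(_bits(message)):
        ok &= hmac.compare_digest(DIGEST(signature[i]).digest(), pk[i][b])
    return ok


def pk_to_hex(pk):
    return [[a.hex(), b.hex()] for a, b in pk]


def encode_cert(subject, subject_pk, issuer):
    """Canonical bytes that the issuer signs and the verifier re-checks."""
    body = {"subject": subject, "issuer": issuer, "subject_pk": pk_to_hex(subject_pk)}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_certificate(issuer_sk, issuer_name, subject, subject_pk):
    tbs = encode_cert(subject, subject_pk, issuer_name)
    return {"tbs": tbs, "sig": sign(issuer_sk, tbs)}


def check_certificate(trusted_pk, trusted_name, cert, expected_subject):
    """Bob's check: signature valid under the pre-loaded key, and the names
    inside the signed body are the ones he expects. Returns the certified
    public key (hex-encoded) or None."""
    tbs = cert["tbs"]
    if not verify(trusted_pk, tbs, cert["sig"]):
        return None
    body = json.loads(tbs)
    if body["issuer"] != trusted_name or body["subject"] != expected_subject:
        return None
    return body["subject_pk"]


def demo():
    charlie_sk, charlie_pk = keygen()  # trust anchor pre-loaded in Bob's browser
    alice_sk, alice_pk = keygen()
    mallory_sk, mallory_pk = keygen()

    # Genuine certificate: Charlie binds the name "Alice" to Alice's key.
    cert = issue_certificate(charlie_sk, "Charlie", "Alice", alice_pk)
    genuine_ok = check_certificate(charlie_pk, "Charlie", cert, "Alice") == pk_to_hex(alice_pk)

    # Attack 1: Mallory keeps Charlie's signature but swaps in her own key.
    forged = dict(cert)
    forged["tbs"] = encode_cert("Alice", mallory_pk, "Charlie")
    forged_rejected = check_certificate(charlie_pk, "Charlie", forged, "Alice") is None

    # Attack 2: Mallory signs a certificate for "Alice" with her own key,
    # claiming to be Charlie; Bob only trusts the pre-loaded key.
    self_signed = issue_certificate(mallory_sk, "Charlie", "Alice", mallory_pk)
    self_signed_rejected = check_certificate(charlie_pk, "Charlie", self_signed, "Alice") is None

    return genuine_ok, forged_rejected, self_signed_rejected


if __name__ == "__main__":
    print(demo())
```

Once Bob holds Alice's certified key, the same `sign`/`verify` pair can authenticate each classical message of a QKE run, which is exactly the role the text assigns to the signature scheme. The one-time restriction is the practical caveat: a Lamport key can sign only one message, so a deployment would use a many-time hash-based scheme such as XMSS or SPHINCS+, which are built from one-time signatures like this one.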