Cryptography Reference
to sidestep the question of the necessity of trapdoor predicates for secret key
agreement (or trapdoor functions for trapdoor predicates [32]). We view this as
strengthening the case for signed qke.
If public-key encryption exists... If trapdoor predicates do exist and are
secure in the long term, we note that Advantages 1 through 4 can variously be
achieved by sc-AKE-protocols to at least some degree. However, in this case, qke
protocols may have other advantages over classical ones. Because the secret key
s generated in a q-AKE-protocol is independent of the classical communication
c, there is no mathematical way to connect these two quantities or—attribute—
the secret key to Alice's and Bob's publicly readable discussion; we say that the
secret key is nonattributable.¹⁶
There are two ways in which a secret key may be considered attributable: it is
attributable to Alice's and Bob's public discussion (through its dependence on
the classical communication) and it is attributable to Alice and/or Bob (because
they participated in the classical communication). For the former way, we just
use the term attributable to describe the secret key; for the latter way, we say the
secret key is party-attributable. If the classical communication is authenticated
via a signature scheme, then the secret key may be party-attributable in a provable
way, or provably party-attributable. If the secret key is subsequently used in
an encryption scheme to encrypt a plaintext, then we say that the plaintext is
(party- or provably party-) attributable whenever the secret key is.
Because q-AKE-protocols do not produce an attributable secret key, a
q-AKE_pub-protocol may be used in composition with a one-time pad encryption
scheme, and then the secret key (and hence the plaintext) would never be
attributable. No totally classical scheme can achieve the same thing, i.e.,
non-party-attributable, public-key, secure communication.
For symmetric-key ciphers where the bit-length of the secret key is much smaller
than the bit-length of the message (e.g., aes), the cipher itself provides a
subroutine for recognizing the secret key (i.e., if a candidate secret key s decrypts the
ciphertext to something sensible, then with high probability s equals the actual
secret key). If the secret key was produced by a sc-AKE_pub-protocol, then the
secret key (and hence the plaintext) are provably party-attributable given the secret

¹⁶ In Ref. [33], Beaver discusses “deniability” (see Refs. [34,35]) of qke, which is similar
to nonattributability. However, in that paper, it is assumed that Alice and Bob keep
a record of their qubit-measurement outcomes (often called “raw key bits”) made
during the protocol and that, if Alice and Bob are to deny that a particular secret
key was established, this record must be consistent with any measurements made
by an eavesdropper, i.e., someone who is forcing Alice or Bob to reveal the secret
key (or the plaintext encrypted by it). We assume that Alice and Bob do not keep
such records and that it is sufficient that the forcer cannot provide evidence that
attributes a particular secret key to the classical communication; any measurement
on the quantum channel that the forcer made is not publicly verifiable, so we do not
view its outcome as part of the public record. In other words, in our model, Alice and
Bob need not provide evidence to support their (tacit) denial. Incidentally, Beaver
concludes that the standard qke protocols do not provide deniability in his model.
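
The contrast drawn in the main text between a one-time pad and a short-key cipher such as aes can be made concrete with the following added example, which is not part of the original text. The toy SHA-256 counter-mode cipher (a stand-in for aes), the printable-ASCII recognizer, and all names and sample data are assumptions made for illustration.

```python
import hashlib

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(key: bytes, n: int) -> bytes:
    # Toy short-key stream cipher (SHA-256 in counter mode); an assumed
    # stand-in for a real cipher such as AES, not a recommendation.
    blocks = (hashlib.sha256(key + i.to_bytes(8, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def looks_sensible(pt: bytes) -> bool:
    # Hypothetical recognizer: "sensible" means printable ASCII only.
    return all(32 <= b < 127 for b in pt)

def recognized_keys(ct: bytes, candidates) -> list:
    # Short-key case: the ciphertext itself singles out the real key.
    return [k for k in candidates
            if looks_sensible(xor(ct, keystream(k, len(ct))))]

def otp_key_for(ct: bytes, claimed_pt: bytes) -> bytes:
    # One-time-pad case: every same-length plaintext has a matching key.
    if len(ct) != len(claimed_pt):
        raise ValueError("claimed plaintext must match ciphertext length")
    return xor(ct, claimed_pt)

# Constructed sample data (not from the page).
MSG = b"MEET AT THE NORTH GATE AT NOON"
REAL_KEY = bytes(range(16))
WRONG_KEYS = [hashlib.sha256(b"guess%d" % i).digest()[:16] for i in range(500)]
OTP_PAD = hashlib.sha256(b"constructed pad").digest()[:len(MSG)]

def demo():
    ct_short = xor(MSG, keystream(REAL_KEY, len(MSG)))
    hits = recognized_keys(ct_short, WRONG_KEYS + [REAL_KEY])
    ct_otp = xor(MSG, OTP_PAD)
    decoy = b"NOTHING TO REPORT".ljust(len(MSG))
    decoy_key = otp_key_for(ct_otp, decoy)
    return hits, xor(ct_otp, decoy_key)

if __name__ == "__main__":
    hits, decoy_pt = demo()
    print("keys recognized from short-key ciphertext:", len(hits))
    print("OTP ciphertext under alternative key:", decoy_pt)
```

With the short key, only the real key survives the recognizer, so a key that is provably tied to a signed transcript also ties the plaintext to it. With the pad, a key exists for any same-length plaintext, so the ciphertext alone supports no such attribution.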