key; however, if the secret key was produced by a q-AKE_pub-protocol, it is not attributable at all. This is a potential advantage of using qke to generate aes keys.
Closing Remarks. Recall the objections to qke that we listed earlier (see Page 255). We have addressed Objection 4 early on, by highlighting the fundamental distinction between in-band and out-of-band key establishment protocols. We believe there exist (or will exist) applications where in-band generation of entropy is desirable.
Objections 2 and 3 both propose using (potentially very long) symmetric
initial keys in OOB or PGE protocols. We have presented a considerable list of
advantages that qke has over these protocols.
Objection 1 is the strongest one, but it relies on the computational assumption of a trapdoor predicate, which (until any lower bounds are proven) incurs risk when public-key encryption is used for long-term secrets. The field of quantum algorithms is still relatively young, so it is probably unwise to assume any particular candidate trapdoor predicate with a particular set of parameters is secure (the recent discovery of a subexponential-time quantum algorithm for elliptic curve isogenies supports this perspective [36]). However, in addition to these standard counter-arguments for Objection 1, we have shown that qke may offer the benefit of nonattributability in scenarios where no purely classical scheme can. We also note that it is conceivable that, in the future, a q-AKE-system may be more efficient (i.e. have a higher secret key rate) than a sc-AKE-system, as public-key encryption is known to be rather slow. As well, q-AKE-systems may be more cost-effectively resistant to side-channel attacks, which are notoriously difficult to defend against in the classical world.
The debate on the merits of qke may have suffered from a focus on unconditional security, which may have given the impression that it is of no value to practical cryptography. The message from classical cryptographers has been loud and clear: the pre-sharing of symmetric keys is costly and thus to be avoided in the majority of key-establishment applications: e.g., Paterson et al. [2] wrote, “[Quantum key establishment], when unconditionally secure, does not solve the problem of key distribution. Rather, it exacerbates it, by making the pre-establishment of symmetric keys a requirement.” They also wrote, “It is likely that using [qke] with public key authentication [...] has security benefits [...]. However, [qke] loses much of its appeal in [this setting], as the overall system security is no longer guaranteed by the laws of quantum physics alone.” Our article is completely in accordance with the former comment and, with regard to the latter comment, expands on the “benefits” of signed qke in order to bolster its “appeal”. As such, we hope to have firmed up the middle ground between unconditionally-secure qke and computationally-secure classical key establishment in the “quantum debate”.
Acknowledgements. We are indebted to Alfred Menezes for contributing
many ideas to this paper. We thank Douglas Stebila for alerting us to the open
problem of distributed quantum key distribution. We thank Phillip R. Kaye
and Renato Renner for fruitful discussions. L. M. Ioannou was supported by
QuantumWorks, MITACS, and IQC. M. Mosca was supported by NSERC, CFI,
CIFAR, Ontario-MRI, CRC, OCE, QuantumWorks and MITACS.