TY - GEN
T1 - Provably secure key establishment against quantum adversaries
AU - Belovs, Aleksandrs
AU - Brassard, Gilles
AU - Høyer, Peter
AU - Kaplan, Marc
AU - Laplante, Sophie
AU - Salvail, Louis
N1 - Publisher Copyright:
© Aleksandrs Belovs, Gilles Brassard, Peter Høyer, Marc Kaplan, Sophie Laplante, and Louis Salvail; licensed under Creative Commons License CC-BY. 12th Conference on the Theory of Quantum Computation, Communication, and Cryptography (TQC 2017).
PY - 2018/2/1
Y1 - 2018/2/1
N2 - At Crypto 2011, some of us had proposed a family of cryptographic protocols for key establishment capable of protecting quantum and classical legitimate parties unconditionally against a quantum eavesdropper in the query complexity model. Unfortunately, our security proofs were unsatisfactory from a cryptographically meaningful perspective because they were sound only in a worst-case scenario. Here, we extend our results and prove that for any ε > 0, there is a classical protocol that allows the legitimate parties to establish a common key after O(N) expected queries to a random oracle, yet any quantum eavesdropper will have a vanishing probability of learning their key after O(N^(1.5−ε)) queries to the same oracle. The vanishing probability applies to a typical run of the protocol. If we allow the legitimate parties to use a quantum computer as well, their advantage over the quantum eavesdropper becomes arbitrarily close to the quadratic advantage that classical legitimate parties enjoyed over classical eavesdroppers in the seminal 1974 work of Ralph Merkle. Along the way, we develop new tools to give lower bounds on the number of quantum queries required to distinguish two probability distributions. This method in itself could have multiple applications in cryptography. We use it here to study average-case quantum query complexity, for which we develop a new composition theorem of independent interest.
AB - At Crypto 2011, some of us had proposed a family of cryptographic protocols for key establishment capable of protecting quantum and classical legitimate parties unconditionally against a quantum eavesdropper in the query complexity model. Unfortunately, our security proofs were unsatisfactory from a cryptographically meaningful perspective because they were sound only in a worst-case scenario. Here, we extend our results and prove that for any ε > 0, there is a classical protocol that allows the legitimate parties to establish a common key after O(N) expected queries to a random oracle, yet any quantum eavesdropper will have a vanishing probability of learning their key after O(N^(1.5−ε)) queries to the same oracle. The vanishing probability applies to a typical run of the protocol. If we allow the legitimate parties to use a quantum computer as well, their advantage over the quantum eavesdropper becomes arbitrarily close to the quadratic advantage that classical legitimate parties enjoyed over classical eavesdroppers in the seminal 1974 work of Ralph Merkle. Along the way, we develop new tools to give lower bounds on the number of quantum queries required to distinguish two probability distributions. This method in itself could have multiple applications in cryptography. We use it here to study average-case quantum query complexity, for which we develop a new composition theorem of independent interest.
UR - https://www.scopus.com/pages/publications/85045480682
M3 - Conference paper
AN - SCOPUS:85045480682
T3 - Leibniz International Proceedings in Informatics, LIPIcs
SP - 31
EP - 317
BT - 12th Conference on the Theory of Quantum Computation, Communication, and Cryptography, TQC 2017
A2 - Wilde, Mark M.
PB - Schloss Dagstuhl - Leibniz-Zentrum für Informatik GmbH, Dagstuhl Publishing
T2 - 12th Conference on the Theory of Quantum Computation, Communication, and Cryptography, TQC 2017
Y2 - 14 June 2017 through 16 June 2017
ER -