Merkle's Key Agreement Protocol is Optimal: An $O(n^2)$ Attack on any Key Agreement from Random Oracles
Boaz Barak, Mohammad Mahmoody

TL;DR
This paper proves that any key agreement protocol in the random oracle model with at most n queries can be broken with O(n^2) queries, establishing the optimality of Merkle's protocol and resolving a long-standing open question.
Contribution
The paper improves the best known attack from nearly n^6 queries to O(n^2) queries, matching the query complexity of Merkle's protocol and thereby proving that protocol optimal.
Findings
Any protocol with at most n queries can be broken with O(n^2) queries.
Merkle's protocol is optimal up to a constant factor.
The O(n^2) attack bound is tight: Merkle's n-query protocol already forces any attacker to make Ω(n^2) queries.
Abstract
We prove that every key agreement protocol in the random oracle model in which the honest users make at most n queries to the oracle can be broken by an adversary who makes O(n^2) queries to the oracle. This improves on the previous nearly n^6-query attack given by Impagliazzo and Rudich (STOC '89) and resolves an open question posed by them. Our bound is optimal up to a constant factor, since Merkle proposed a key agreement protocol in 1974 that can be easily implemented with n queries to a random oracle and cannot be broken by any adversary who asks o(n^2) queries.
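The protocol the abstract refers to, as an added simulation that is not code from the paper: a lazily sampled random oracle charges every query to its caller, Alice and Bob run Merkle's protocol over a domain of size n^2, and an eavesdropper Eve who sees only the transcript must invert the agreed hash by querying the oracle. The names `RandomOracle`, `merkle_agreement` and `average_costs` are this example's own.

```python
import random
from typing import Dict, Optional, Tuple

class RandomOracle:
    """Random function H: {0..domain-1} -> 64-bit values, sampled lazily.
    Each query is charged to the named caller so query counts can be compared."""
    def __init__(self, domain: int, rng: random.Random) -> None:
        self.domain, self.rng = domain, rng
        self.table: Dict[int, int] = {}
        self.queries: Dict[str, int] = {}

    def query(self, who: str, x: int) -> int:
        assert 0 <= x < self.domain
        self.queries[who] = self.queries.get(who, 0) + 1
        if x not in self.table:                 # first visit: sample a fresh value
            self.table[x] = self.rng.getrandbits(64)
        return self.table[x]

def merkle_agreement(n: int, seed: int = 0) -> Tuple[int, int, Optional[int], RandomOracle]:
    """Merkle's protocol in the random oracle model with domain size n^2.
    Returns (alice_key, bob_key, eve_key, oracle); inspect oracle.queries for costs."""
    rng = random.Random(seed)                   # seeded so runs are reproducible
    oracle = RandomOracle(n * n, rng)
    # Alice: n queries on random points; only the outputs go over the channel.
    alice_points = [rng.randrange(n * n) for _ in range(n)]
    published = {oracle.query("alice", x): x for x in alice_points}
    # Bob: query random points until one hits Alice's set. Each try hits with
    # probability about 1/n, so Bob expects about n queries.
    while True:
        y = rng.randrange(n * n)
        h = oracle.query("bob", y)
        if h in published:
            break
    bob_key, alice_key = y, published[h]        # Bob sends h back; both hold the preimage
    # Eve: knows the published outputs and h, not the key. Searching the domain in
    # random order until H(z) == h costs n^2 / 2 queries on average.
    eve_key = None
    for z in rng.sample(range(n * n), n * n):
        if oracle.query("eve", z) == h:
            eve_key = z
            break
    return alice_key, bob_key, eve_key, oracle

def average_costs(n: int, trials: int, seed: int = 0) -> Tuple[float, float]:
    """Average Bob and Eve query counts over independent seeded runs."""
    bob = eve = 0
    for t in range(trials):
        _, _, _, o = merkle_agreement(n, seed + t)
        bob += o.queries["bob"]
        eve += o.queries["eve"]
    return bob / trials, eve / trials
```

Honest parties spend O(n) queries while the eavesdropper's brute-force inversion averages n^2/2, the gap the paper shows cannot be widened in the random oracle model.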
Taxonomy
Topics: Cryptography and Data Security · Security in Wireless Sensor Networks · Cryptographic Implementations and Security
