On the Security of Password-Authenticated Quantum Key Exchange
Céline Chevalier, Marc Kaplan, Quoc Huy Vu

TL;DR
This paper explores the possibility of unconditionally secure password-authenticated quantum key exchange, providing impossibility results for strong security and a positive construction achieving everlasting security in a realistic model.
Contribution
It presents the first construction of quantum PAKE achieving everlasting security, addressing open questions about its feasibility.
Findings
Impossibility results for very strong security in quantum PAKE
A new quantum PAKE protocol with proven everlasting security
The protocol is secure in the simulation-based model after execution
On the Security of Password-Authenticated Quantum Key Exchange
Céline Chevalier CRED, Université Panthéon-Assas, Paris II, France, [email protected]
Marc Kaplan VeriQloud, France, [email protected]
Quoc Huy Vu DIENS, École normale supérieure, CNRS, INRIA, PSL University, Paris, France, [email protected]
Abstract
Motivated by the Quantum Key Distribution (QKD) protocol, introduced in 1984 in the seminal paper of Bennett and Brassard, we investigate in this paper the achievability of unconditionally secure password-authenticated quantum key exchange (quantum PAKE), where the authentication is implemented by the means of human-memorable passwords. We first show a series of impossibility results forbidding the achievement of very strong security, leaving open the feasibility of achieving a weaker security notion. We then answer this open question positively by presenting a construction for quantum PAKE that provably achieves everlasting security in the simulation-based model. Everlasting security is a security notion introduced by Müller-Quade and Unruh in 2007, which implies unconditional security after the execution of the protocol and only reduces the power of the adversary to be computational during the execution of the protocol, which seems quite a reasonable assumption for nowadays practical use-cases.
Keywords:
Quantum Cryptography Quantum Key Distribution Password-based Key Exchange Everlasting Security.
1 Introduction
In their 1984 seminal paper [BB84], Bennett and Brassard gave the first proof that the laws of quantum mechanics could lead to an achievement of unconditional security for classical cryptographic tasks. Their celebrated Quantum Key Distribution protocol (so-called QKD) allows two parties to agree on a common secret key which is information-theoretic secret, assuming a quantum channel and an authenticated (but not secret) classical channel.
Even though this protocol is a conceptual milestone in the quantum cryptography field, the need for an information-theoretically authenticated classical communication channel leads to a bootstrapping problem. In practice, implementations of unconditionally secure QKD leave no choice but requiring Alice and Bob to use a pre-shared short random secret key (to authenticate the messages with authentication codes constructed from universal hashing) in order to obtain a larger random secret key. Another unavoidable problem is that the authentication keys can be run out, because either the adversary makes the execution fail (denial-of-service attack) or due to technical problems (the parties cannot exclude that an eavesdropper was in fact present). Moreover, when considering large scale quantum networks, in which secure communication should be possible between any pair of nodes, the requirement for pre-shared randomness does not scale well: each node would have to store a number of keys, which is linear in the size of the network, let alone the problem of key management.
On the contrary, in so-called authenticated key exchange, the two parties are able to generate a shared cryptographic secret key, to be later used with symmetric primitives in order to protect communications, while interacting over an insecure network under the control of an adversary. Various authentication means have been introduced for classical networks. The most practical ones are certainly based on either Public Key Infrastructures (PKI) or human-memorable passwords. The latter leads to PAKE, standing for Password-Authenticated Key Exchange. PAKE protocols allow users to securely establish a common cryptographic key over an insecure and unauthenticated channel only using a low-entropy, human-memorable secret key called a password. The advantage of a PAKE, in sharp contrast to all QKD-like schemes, is that no authenticated channel is needed. In the classical setting, PAKE has been extensively studied, resulting in various secure and efficient protocols. However, classical PAKE protocols can only achieve computational security, where the adversary’s power is computationally limited. Thus, it is natural to ask the following question:
Can we achieve a provably stronger security notion for password-based key exchange protocols using quantum communication?
Unfortunately, even if QKD raised a lot of hope on unconditional security using quantum mechanics, a series of no-go theorems showed that the dream of unconditional security brought by quantum communication will never be a reality for many cryptographic tasks. For instance, several attempts have been made to achieve unconditionally secure quantum bit-commitments, until Mayers and Lo and Chau independently showed that statistically hiding and binding quantum commitments are impossible [May97, LC97].
The impossibility of quantum cryptography was further extended to oblivious transfer (OT) by Lo [Lo97], and finally extended to non-trivial two-party computation protocols by Salvail et al. and Buhrman et al. [SSS09, BCS12]. In these papers, the authors show that any non-trivial functionality leaks some information to the adversary, and that the security for one party implies complete insecurity for the other. Intuitively, the insecurity of two-party quantum protocols follows from the fact that the protocol itself allows parties to input a superposed state rather than a classical one, and perform an appropriate measurement on the outcome state. At the end of the protocol, one party can always gain more information on the input of the other than that gained using any honest strategy.
Despite these impossibility results, we answer the above question affirmatively. Noting that these impossibility results are only proven for statistical security, we remark that overcoming the impossibility results on PAKE in a quantum setting requires some restriction on the adversary. One approach is to limit the adversary’s quantum memory as in the bounded quantum-storage model (BQSM) [DFSS05]. Nevertheless, most of the quantum protocols in BQSM would completely (and quite efficiently) break down in the case the assumption fails to hold. Instead, we consider here another plausible approach by assuming restrictions on the adversary’s computational power. Following Müller-Quade and Unruh [MQU07, Unr13], we consider the notion of everlasting security, where the adversary’s power is computationally bounded during the protocol execution and becomes computationally unlimited after the execution. In other words, everlasting security assumes that, at the precise moment of the execution of the protocol, the computational power of an adversary is limited and that certain mathematical problems are hard. This notion is justified by the fact that the computational power required to break a cryptosystem might not exist now, but could exist in the future, and that the protocols should also be protected after its execution. In particular, everlasting security can ensure the security of protocols executed today against future quantum computers, when they become available.
Unfortunately, even in this weaker setting, some impossibility results still hold, so that we first conduct a comprehensive review in different settings: security models for composition (simulation-based or stand-alone for sequential composition, universal composability for universal composition), security definitions (everlasting and statistical), and finally trusted setup assumptions (none, standard ones such as a common reference string and strong ones such as signature cards). We show that some settings do not suffer from the impossibility results and manage to construct, in a simulation-based model, an everlastingly secure quantum PAKE assuming a common reference string as setup assumption. Our work builds upon QKD, where the authentication is solely guaranteed by means of the password.
1.0.1 Related Work.
Security Models.
Definitions for security allowing composition are usually based on the real-world/ideal-world simulation paradigm in so-called simulation-based models. The simplest one (sometimes called stand-alone) requires the composition to be only sequential (it requires that at any point, only one protocol invocation be in progress). Stronger and more complicated models allow for self-concurrent composition, or even arbitrary composition. In the classical setting, the two best known security models allowing for arbitrary composition are the Universal Composability (UC) framework introduced by Canetti [Can01] and Abstract Cryptography introduced by Maurer and Renner [MR11]. A general quantum simulation-based model with a sequential composition theorem has been refined by Fehr and Schaffner in [FS09]. Quantum security models in the UC style have been proposed by Ben-Or et al. in [BHL+05] and refined by Unruh in [Unr10]. In this latter paper, Unruh also gives a theoretical separation result between the quantum and classical setting by showing that, in the quantum world, bit-commitments are complete for statistically secure MPC, while it is not the case in the classical setting.
Everlasting Security.
The concept of everlasting UC-security was first introduced by Müller-Quade and Unruh in [MQU07], in which they construct a (classically) everlasting UC-secure commitment protocol from certain strong assumptions, so-called signature cards. Unruh studies in [Unr13] the everlasting security in the quantum UC model [Unr10] and further extends impossibility results on everlastingly realizing cryptographic tasks from standard trusted set-up assumptions such as CRS or PKI.
QKD.
Despite the apparent simplicity of Bennett and Brassard’s QKD protocol [BB84], the first complete composable security proof of QKD was only given in the mid-2000’s by Renner [Ren05]. This length of time between the protocol and the proof can be explained by the inner difficulty of transposing the concepts of classical cryptography to the quantum world. The universal composability of QKD has been first studied by Ben-Or et al. in [BHL+05]. A thorough state of the art of QKD’s proofs can be found in Tomamichel and Leverrier’s article [TL17]. Mosca, Stebila and Ustaoglu study in [MSU13] the security of QKD in the classical authenticated key exchange framework, and give a proof of the folklore theorem that QKD, when used with computationally secure authentication (e.g., quantum-secure digital signatures), is everlastingly secure (which they call long-term security). In parallel, researchers have studied the closely-related subject of the authentication of quantum channels, the latest works being those of Fehr and Salvail [FS17], and Portmann [Por17]. This is a slightly different approach, which also requires a shared secret key. The advantage is that the key can be recycled: if the message arrived unaltered, it means that the key is still secure. Furthermore, Portmann proved the composability of his result in the Abstract Cryptography model.
PAKE.
The main approach to construct a UC-secure PAKE protocol in the classical setting follows from the KOY-GL paradigm [KOY01, GL03], first formalized by Canetti et al. in [CHK+05] and improved in order to obtain very efficient results (see [KV11, ABB+13, BC16] for instance). It uses two building blocks: a CPA-secure encryption scheme supporting smooth projective hashing (SPHF), and a CCA-secure encryption scheme. Using different tools than SPHF, Jutla and Roy also proposed very efficient UC-secure PAKE schemes [JR15, JR18].
Canetti et al. proposed another approach in [CDVW12] that relies on oblivious transfer as the main cryptographic building block and bypasses the “projective hashing” paradigm. Informally, they first construct a secure protocol for randomized equality computation assuming an authenticated channel and then apply the generic Split Authentication transformation of Barak et al. [BCL+11] to the protocol that realizes the “split” version of that protocol. Split functionalities adapt functionalities which assume authenticated channels to an unauthenticated-channel setting.
Although we are not aware of any quantum PAKE protocol, Damgård et al. proposed in [DFSS07] two password-based identification protocols in the bounded quantum storage model: Q-ID, which is only secure against dishonest Alice or Bob, and Q-ID+, which is also secure against man-in-the-middle attacks. However, only Q-ID is truly password-based; in Q-ID+, Alice and Bob, in addition to the password, also need to share a high-entropy key. On the negative side, no quantum computing power at all is necessary to break the scheme, only sufficient quantum storage, because the dishonest party could store all the communicated qubits as they are, and measure them one by one in either the computational or the Hadamard basis and completely break the scheme. Subsequent works improve Q-ID schemes and prove their security based on various uncertainty relations [BFGGS12], or in a different security model, e.g., the computational security by using the Commit-and-Open technique [DFL+09].
1.0.2 Our Contributions.
Our main contribution consists in constructing a quantum PAKE protocol achieving an everlasting security notion (and thus providing a password-authenticated variant of QKD). Towards this goal, we conduct the following study:
- We first study and understand which security results are impossible and which ones might be achievable for quantum-polynomial-time PAKE protocols within different settings. We partially answer the question by showing that, in the simulation-based model, statistically secure PAKE with explicit authentication is impossible in the plain model. The question remains open for statistical security with trusted setups and everlasting security without trusted setups, and we answer it positively for everlasting security with a trusted setup, by actually constructing an everlastingly secure PAKE in the simulation-based model, given a CRS as a trusted setup. In the universal composability model, we show that statistically or everlastingly secure PAKE with explicit authentication is impossible with standard trusted setups including CRS or PKI.
- Second, as a side contribution, we improve the framework for the simulation-based model proposed by Fehr and Schaffner in [FS09] by employing a single security definition, instead of separate definitions for correctness and security for each party. Thus, it seems easier to deal with: one can analyze protocols and prove their security by formally defining simulation strategies. Our model is simple, expressive and simultaneously enjoys a general sequential composition theorem. These results are given in Section 4. This extends the classical framework to the quantum setting, and we give a definition of everlasting security in that model.
- Finally, using the ideas from the split authentication mechanism proposed in [BCL+11] to get rid of authenticated channels, we propose a quantum PAKE protocol which is indeed everlastingly secure in the security model described above. Our construction is inspired by the Commit-and-Open technique introduced in [DFL+09]. Our work extends and improves on this result by showing that a stronger security notion (namely everlasting security in the simulation-based model) can be achieved. Lying at the core of our proof is a simulation strategy that allows the simulator to change the output of the simulated adversary. In the UC model (as opposed to the simulation-based model), the environment machine, which is an interactive distinguisher, externally interacts with the adversary throughout the execution. One very important artifact of this definition is that the simulator no longer has control over the output of the simulated adversary. In fact, the adversary is completely controlled by the environment. This is because the UC framework models the fact that the real-world adversary may have additional information from the environment, e.g., from other running instances of the protocol, or from other concurrently running protocols as well. On the other hand, in the simulation-based model, the adversary is internally simulated by the simulator. The simulated adversary outputs nothing, and the simulator is in charge of its output: it can apply any arbitrary function to the prescribed input of the adversary. This is safe in the simulation-based model, because the adversary is “detached” from the environment. By exploiting this major difference, we show that our protocol is provably secure in the simulation-based model. These results are given in Section 5.
2 Preliminaries
2.1 Notations
For a set and a -bit string , we write . It is sometimes convenient that all substrings of this form have the same length, irrespective of the actual size of the index set . Therefore, is implicitly padded with sufficiently many zeros. For , denote the closed integer interval , and denote the open real interval .
The logarithms in this paper are with respect to base 2 and denoted by . We write for the binary entropy function . The notation denotes any function such that , and denotes any function such that for some . Let be the Hamming distance, and let denote the relative Hamming distance between two strings, i.e., the Hamming distance normalized by their length.
2.2 Security Models
Throughout this paper, we assume basic familiarity with multiparty computation and associated security models, mainly the real world-ideal world paradigm, either in the simulation-based setting [Can00, FS09] or the universal composability framework [Can01, Unr10]. We refer the interested reader to Appendix 0.A.1 for a brief overview of these models.
2.3 Quantum Computation
In this section, we give a very brief introduction to the quantum notions we use in this paper, we refer to [Ren05, NC11] for further explanations.
2.3.1 Systems and States.
For any positive integer , stands for the complex Hilbert space of dimension . Sometimes, we omit the dimension and simply write . The state of a quantum-mechanical system in is described by a density operator . A density operator is normalized with respect to the trace norm (), Hermitian () and has no negative eigenvalues. denotes the set of all density operators for a system . denotes the identity matrix. When it is normalized with the dimension, denoted by , it represents the fully mixed state.
A generalized measurement on a system is a set of linear operators such that . The probability of observing outcome is .
A quantum state is called pure if it is of the form for a (normalized) vector . For a density matrix of a composite quantum system , we write for the state obtained by tracing out system . We sometimes omit the index of the subspace that is traced out if it is clear from the context.
The pair (also written as ) denotes the computational or -basis, the pair (also written as ) denotes the Hadamard or -basis, where and . We write for the -qubit state where string in encoded in bases .
We often consider cases where a quantum state may depend on some classical random variable . In that case the state is described by the density matrix if and only if . For an observer who has access to the state but not , the reduced state is determined by the density matrix , whereas the joint state, consisting of the classical and the quantum register is described by the density matrix , where we understand to be the computational basis of . Joint states with such classical and quantum parts are called cq-states. We also write for the quantum representation of the classical random variable .
By , we denote the trace distance between two quantum states and . We call two quantum states and trace-indistinguishable, denoted , if there is a negligible function such that for a , .
Definition 1.
Let be a cq-state classical on . The trace-distance from uniform of given is defined by
[TABLE]
2.3.2 (Conditional) Smooth Entropies.
We briefly introduce the notions of min- and max-entropy. For a bipartite cq-state , we define
[TABLE]
where the optimization goes over all generalized measurements on .
Definition 2.
Let be a bipartite density operator. The min-entropy and max-entropy of conditioned on is defined as
[TABLE]
where is any pure state with .
Definition 3.
Let be a bipartite density operator and let . The -smooth min- and max-entropy of conditioned on is defined as
[TABLE]
where the supremum ranges over all density operator which are -close to .
We sometimes omit the subscript if the state is clear from the context.
2.3.3 Privacy Amplification.
Recall that a class of hash functions from to is called two-universal, if for any and for uniformly chosen from , the collision probability is upper bounded by . We recall the quantum-privacy-amplification theorem of [RK05] as formulated in [Ren05, Corollary 5.6.1].
Theorem 2.1.
Let be a cq-state classical on , let be a family of two-universal hash functions from to , and let . Then,
[TABLE]
for defined by .
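As an added worked example (not code from the paper), the following Python implements one concrete two-universal family, the random GF(2)-linear maps h_A(x) = A·x with A a uniformly random m×n binary matrix, checks the collision bound of the definition by exhaustive enumeration for tiny m and n, and, for the special case of trivial side information E, computes the distance from uniform of the hashed key that Theorem 2.1 bounds. The family and the small parameters are assumptions chosen for the demonstration.

```python
from fractions import Fraction
from itertools import product

# Strings are tuples of bits; the family is indexed by the m x n binary matrix A.


def hash_gf2(matrix, x):
    """h_A(x) = A . x over GF(2): apply the m x n matrix to the n-bit input."""
    return tuple(sum(a & b for a, b in zip(row, x)) % 2 for row in matrix)


def all_matrices(m, n):
    """Enumerate every m x n binary matrix (feasible only for tiny m, n)."""
    for bits in product((0, 1), repeat=m * n):
        yield [bits[i * n:(i + 1) * n] for i in range(m)]


def collision_probability(m, n, x, y):
    """Pr_A[h_A(x) = h_A(y)] over uniform A, computed exactly by enumeration."""
    assert x != y and len(x) == n == len(y)
    total = collisions = 0
    for matrix in all_matrices(m, n):
        total += 1
        if hash_gf2(matrix, x) == hash_gf2(matrix, y):
            collisions += 1
    return Fraction(collisions, total)


def is_two_universal(m, n):
    """Check the definition over every pair x != y of n-bit strings:
    the collision probability must be at most 1/|V| = 2^-m."""
    bound = Fraction(1, 2 ** m)
    strings = list(product((0, 1), repeat=n))
    for i, x in enumerate(strings):
        for y in strings[i + 1:]:
            if collision_probability(m, n, x, y) > bound:
                return False
    return True


def privacy_amplification(seed_matrix, raw_key):
    """Privacy amplification step: the seed A is public, the shorter key is
    h_A(raw_key)."""
    return hash_gf2(seed_matrix, raw_key)


def distance_from_uniform(m, n, support):
    """Average over A of the statistical distance between h_A(X), for X uniform
    on `support`, and a uniform m-bit string. Because A is public and uniform,
    this equals the distance of the joint (A, h_A(X)) from (A, U): the classical
    (trivial E) instance of the quantity bounded in Theorem 2.1."""
    uniform = Fraction(1, 2 ** m)
    matrices = list(all_matrices(m, n))
    total = Fraction(0)
    for matrix in matrices:
        counts = {}
        for x in support:
            h = hash_gf2(matrix, x)
            counts[h] = counts.get(h, 0) + 1
        dist = Fraction(0)
        for out in product((0, 1), repeat=m):
            p = Fraction(counts.get(out, 0), len(support))
            dist += abs(p - uniform)
        total += dist / 2
    return total / len(matrices)


if __name__ == "__main__":
    print(collision_probability(2, 3, (1, 0, 1), (0, 1, 1)))  # 1/4 = 2^-m
    print(is_two_universal(2, 3))
    # X uniform on the 8 strings of 4 bits with last bit 0: min-entropy 3.
    support = [bits + (0,) for bits in product((0, 1), repeat=3)]
    print(distance_from_uniform(1, 4, support))  # well below 1/2 * sqrt(2^(1-3))
```

For the linear family the collision probability is exactly 2^-m for every x ≠ y, since A·(x⊕y) for a nonzero vector is uniform on m bits; the leftover-hash bound ½·sqrt(2^(ℓ − H_min)) for the support used in the demonstration is 1/4, and the exact distance comes out as 1/16.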
2.3.4 Private Error Correction.
Finally, we recall the private error correction technique introduced in [DS05] and generalized to the quantum setting in [FS08]. This tool allows one to correct a constant fraction of errors, by using a family of efficiently decodable linear codes, where the syndrome of a string is close to uniform if the string has enough min-entropy and the code is chosen at random from the family. Specifically, they show that for every , there exists a -biased (as defined in [DS05]) family of -codes with .
The following theorem, which is a variant of Theorem 3.2 in [FS08], establishes the closeness of the syndrome of a string to random, given a random index and any -qubit state that may depend on .
Theorem 2.2.
Let the density matrix be a cq-state classical on with . For any constant , let be a -biased family of random variables over having square bias , and let be uniformly and independently distributed over . Then
[TABLE]
Proof.
The original theorem in [FS08] states for . By using Jensen’s inequality on Rényi entropy and means of smoothing, our theorem follows immediately. ∎
2.4 Cryptographic Primitives
We assume basic familiarity with signatures schemes, denoted as , which are strongly existentially unforgeable under a quantum chosen-message attack, and with commitment schemes, more precisely dual-mode commitment schemes, denoted as , where stands for hiding keys and for binding keys. Definitions can be found in Appendix 0.A.2.
3 On the Feasibility of Securely Realizing PAKE
In this section, we show negative results on the achievable security of Password-based Key Exchange protocols when allowed to use quantum communication. We focus on two composability settings: Either a “minimal” simulation-based security following a real world-ideal world paradigm, as defined in [FS09, Can00], or the full universally composable security [Can01, Unr10].
Following the literature, we call plain model the setting in which there are no setup assumptions (such as public-key infrastructure (PKI), common reference string (CRS), random oracles (ROM), etc.). Following for instance [KLR06], in which the authors study the connections between information-theoretic security and security under composition, we consider here the information-theoretic setting, in which the adversary is polynomially unbounded. Informally, the output of a real execution of the protocol with a real adversary must be (perfectly or statistically) the same as the output of an ideal execution with a trusted party and an ideal-world adversary/simulator. On the contrary, in the computational setting, we focus on the notion of everlasting security [MQU07, Unr13], which informally means that the adversary is polynomially bounded during the execution of the protocol, and unbounded afterwards. This models an adversary possibly saving transcripts today, in order to potentially use them at the time a quantum computer is built.
3.1 Implicit or Explicit Authentication
We recall an important property of a PAKE protocol: it guarantees that if the same password was entered, the generated session key is the same for both parties, but they might not know at the end of the protocol whether it is so. This property is known as implicit authentication, as opposed to explicit authentication, in which the parties know whether they share the same session key at the end of the protocol. In both cases, the protocol should guarantee that if the passwords were different, the session keys are independent and random.
The line of work on impossibility results that we continue here focuses on non-trivial protocols[1] with explicit authentication. It is known at least since [BPR00, Section 5] that explicit authentication can be added at no security cost to any protocol with implicit authentication, using a key confirmation technique. The obtained key would be used as the key for a PRF secure for 3 queries, one of the players would send to the other, the other would send to the first one, and both would end up using as the final session key[2]. This implies that the following results also hold for protocols with implicit authentication.

[1] As explained for instance in [CHK+05, Section 7], the results are only interesting for what they call non-trivial protocols, in which two parties agree on a shared secret key at the end of the execution of the protocol (except perhaps with negligible probability), if 1) they use the same password and 2) the adversary passes all messages between the parties without modifying them or inserting any messages of its own. This is required since otherwise the empty protocol in which parties do nothing would securely realize any PAKE functionality.
[2] A trivial construction of such a (perfect) PRF would be to split the key into three parts, use the two first parts as key confirmations and the last one as the real session key.
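The key-confirmation transformation just described, as an added Python example (not code from the paper): the initiator sends the first PRF output under the implicitly authenticated key, the responder verifies it and only then answers with the second, and both use the third as the session key, outputting nothing on a mismatch. `implicit_pake_key` is a constructed stand-in for the output of an implicit-authentication PAKE (it is not a PAKE itself), and HMAC-SHA256 is an assumed instantiation of the PRF.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the output of a PAKE with *implicit* authentication.
# A real implicit-authentication PAKE is an interactive protocol; this helper
# only reproduces the contract the key-confirmation step relies on: equal
# passwords give equal keys, different passwords give independent-looking keys.
# It is NOT a PAKE and offers no security on its own.
def implicit_pake_key(password: bytes, transcript: bytes) -> bytes:
    return hashlib.sha256(b"implicit-pake|" + password + b"|" + transcript).digest()


# Assumed PRF instantiation for the three key-confirmation queries: HMAC-SHA256.
def prf(key: bytes, query: bytes) -> bytes:
    return hmac.new(key, query, hashlib.sha256).digest()


QUERY_INITIATOR = b"confirm-1"  # first PRF query, sent initiator -> responder
QUERY_RESPONDER = b"confirm-2"  # second PRF query, sent responder -> initiator
QUERY_SESSION = b"session-3"    # third PRF query, the final session key


class Party:
    """One side of the key-confirmation step that turns implicit into
    explicit authentication."""

    def __init__(self, password: bytes, initiator: bool):
        self.password = password
        self.initiator = initiator
        self.key = None          # output of the implicit-authentication PAKE
        self.session_key = None  # set only after the peer's tag verifies

    def derive(self, transcript: bytes) -> None:
        self.key = implicit_pake_key(self.password, transcript)

    def confirmation_tag(self) -> bytes:
        return prf(self.key, QUERY_INITIATOR if self.initiator else QUERY_RESPONDER)

    def verify_and_finish(self, peer_tag) -> bool:
        """Check the peer's tag; on success output PRF(K, 3) as the session key,
        otherwise output nothing, which is the explicit-authentication guarantee."""
        expected = prf(self.key, QUERY_RESPONDER if self.initiator else QUERY_INITIATOR)
        # Constant-time comparison: a byte-wise early exit would leak how much
        # of the tag matched.
        if peer_tag is None or not hmac.compare_digest(expected, peer_tag):
            self.session_key = None
            return False
        self.session_key = prf(self.key, QUERY_SESSION)
        return True


def run_explicit_authentication(pw_initiator: bytes, pw_responder: bytes):
    """Run the exchange: initiator sends PRF(K,1); responder verifies it and,
    only then, answers with PRF(K,2); both use PRF(K,3) as the session key.
    Returns (initiator_accepts, responder_accepts, initiator_key, responder_key)."""
    alice = Party(pw_initiator, initiator=True)
    bob = Party(pw_responder, initiator=False)
    # Constructed public transcript standing in for the implicit PAKE's messages.
    transcript = b"constructed-transcript|" + secrets.token_bytes(16)
    alice.derive(transcript)
    bob.derive(transcript)

    tag_from_alice = alice.confirmation_tag()
    bob_ok = bob.verify_and_finish(tag_from_alice)
    # The responder confirms only if the initiator's tag verified; otherwise it
    # aborts and sends nothing, so the initiator fails to accept as well.
    tag_from_bob = bob.confirmation_tag() if bob_ok else None
    alice_ok = alice.verify_and_finish(tag_from_bob)
    return alice_ok, bob_ok, alice.session_key, bob.session_key


if __name__ == "__main__":
    print(run_explicit_authentication(b"correct horse", b"correct horse")[:2])    # (True, True)
    print(run_explicit_authentication(b"correct horse", b"battery staple")[:2])   # (False, False)
```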
3.2 Impossibility in the Simulation-Based Model
Theorem 3.1.
There is no statistically simulation-based secure PAKE protocol with explicit authentication in the plain model.
To the best of our knowledge, no equivalent result is known for everlasting security or when allowing setup assumptions, such as a common reference string.
This theorem is proven in Section 0.B.2.
3.3 Impossibility in the Universal Composability Model
As in the classical case (Canetti et al. prove in [CHK+05] the impossibility of universally composable PAKE in the plain model), the (im)possibility of PAKE depends on the existence of some setup assumption. As shown by Unruh in [Unr13], the classical notion of passive adversaries (which copy all data) does not make sense in the quantum case. He thus considers only unitary protocols, which perform no measurements (any protocol can be transformed into such a protocol using additional quantum memory). Unruh then defines a functionality to be quantum-passively-realizable if there exists a unitary protocol that realizes with respect to passive unlimited adversaries (that follow the protocol exactly and do not even copy information). The following lemma gives examples of quantum-passively-realizable functionalities.
Lemma 1 ([Unr13, Lemma 8]).
The following functionalities are quantum-passively-realizable: (coin-toss), (common reference string), (predistributed EPR pair), (public key infrastructure; assuming that the secret key is uniquely determined by the public key).
We state the following impossibility theorem, proven in Section 0.B.3.
Theorem 3.2.
There is no statistically or everlastingly quantum-UC-secure PAKE protocol with explicit authentication which only uses quantum-passively-realizable functionalities as trusted setup assumptions.
3.4 Avoiding Impossibility Results
In summary, we have shown that, in the simulation-based model, statistically secure PAKE with explicit authentication is impossible in the plain model. The question remains open for statistical security with a trusted setup, or for everlasting security with or without trusted setups. In the following, we partially solve these open questions, by actually constructing an everlastingly secure PAKE in the simulation-based model, given a CRS as a trusted setup.
In the universal composability model, statistically or everlastingly secure PAKE with explicit authentication is impossible with quantum-passively-realizable functionalities as trusted setups. Unruh shows in [Unr13] that it is possible using signature cards as a trusted setup (he even shows that this setup assumption is indeed complete for everlastingly secure two-party computation).
4 Definition of Security
4.1 Description of the Simulation-based Model
Our definition follows the framework based on the real-world/ideal-world simulation paradigm put forward in [FS09] and enjoys sequential composition. The main features of our model are that it is formally sound, simple and expressive, and that it benefits from a simpler security definition tailored to various assumptions on the adversary’s computational power.
Since we are interested in two-party quantum computations, we formalize the real and ideal model executing the task with two parties and a static adversary who can control an arbitrary but fixed corrupted party. We only consider either the setting where one of the parties is corrupted, or the setting where none of the parties is corrupted, in which case the adversary seeing the transcript between the parties should learn nothing.
4.1.1 Execution in the ideal model.
Denote the participating parties by and and let denote the index of the corrupted party, controlled by an adversary . An ideal execution for an ideal functionality proceeds as follows:
- Inputs:
We fix an arbitrary distribution for ’s input, for ’s input. For honest and , we assume the common input state to be classical, i.e. of the form for some probability distribution . The adversary also has an auxiliary classical input denoted by as well as a quantum state which only depends on , such that for any honest player’s input and his classical “side information” : . All parties are initialized with the same value on their security parameter tape (including the trusted party).
- Send inputs to trusted party:
The honest party sends its prescribed input to the trusted party. The corrupted party controlled by may either abort (by replacing the input with a special message), send its prescribed input, or send some other input of the same length to the trusted party by applying some completely positive trace-preserving (CPTP) map. This decision is made by and may depend on its auxiliary input and the input value of . Denote the common input state sent to the trusted party by . Upon receipt of input from the parties, the trusted party measures the inputs in the computational basis.
- Early abort option:
If the trusted party receives an input of the form for some , it sends to the honest party and the ideal execution terminates. Otherwise, the execution proceeds to the next step.
- Trusted party sends output to adversary:
At this point the trusted party computes and let and and sends to party (i.e. it sends the corrupted party its output).
- Adversary instructs trusted party to continue or halt:
sends either continue or to the trusted party. If it sends continue, the trusted party sends to the honest party . Otherwise, if sends , the trusted party sends to party .
- Outputs:
The honest party always outputs the output value it obtained from the trusted party. The corrupted party outputs nothing. The adversary outputs the result of an arbitrary CPTP map applied to the prescribed input of the corrupted party, the auxiliary classical input , and the value obtained from the trusted party.
The , denoted by , is defined as the overall output state (augmented with honest inputs) of the honest party and the adversary from the above ideal execution.
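The steps above, as an added example that is not part of the paper: a classical Go simulation of the ideal-world execution for a PAKE functionality with abort. The functionality itself (the same key if and only if the passwords match, independent random keys otherwise) is an assumption of this example, taken from the property Section 5 states for the protocol's session keys; the names `IdealExecution`, `Guess`, `fPAKE` and the key length are constructed here. It makes concrete what the ideal-world adversary can and cannot do: substitute the corrupted party's input (one password guess per execution), abort before or after seeing its own output, and nothing else.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"fmt"
)

// Added example, not code from the paper: a classical simulation of the
// ideal-world execution of Section 4.1.1 for a PAKE functionality with abort.
// The functionality is an assumption of this example: equal passwords give both
// parties the same uniformly random key, different passwords give independent
// keys. The adversary has exactly the powers listed in the ideal model.

const keyLen = 32

type Party int

const (
	PartyA Party = iota
	PartyB
)

// Adversary is the static ideal-world adversary controlling party Corrupt.
// Input returns the value handed to the trusted party, or ok=false to abort
// early; Continue is asked after the adversary has seen the corrupted output.
type Adversary struct {
	Corrupt  Party
	Input    func(prescribed []byte) (sent []byte, ok bool)
	Continue func(corruptOut []byte) bool
}

// Outcome is the ideal-world output. A nil HonestKey is the abort symbol.
type Outcome struct {
	HonestKey  []byte
	CorruptKey []byte // what the adversary learned; nil on early abort
}

func randomKey() []byte {
	k := make([]byte, keyLen)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// fPAKE is the assumed functionality: the same key iff the passwords match.
func fPAKE(pwA, pwB []byte) (outA, outB []byte) {
	outA = randomKey()
	if bytes.Equal(pwA, pwB) {
		return outA, outA
	}
	return outA, randomKey()
}

// IdealExecution follows the steps of Section 4.1.1 with one corrupted party.
func IdealExecution(pwA, pwB []byte, adv Adversary) Outcome {
	inputs := [2][]byte{pwA, pwB}
	// Send inputs: the adversary chooses the corrupted party's input or aborts.
	sent, ok := adv.Input(inputs[adv.Corrupt])
	if !ok {
		return Outcome{} // early abort: the honest party gets the abort symbol
	}
	inputs[adv.Corrupt] = sent
	// The trusted party computes and first hands the adversary its output.
	outA, outB := fPAKE(inputs[0], inputs[1])
	outs := [2][]byte{outA, outB}
	corruptOut, honestOut := outs[adv.Corrupt], outs[1-adv.Corrupt]
	// Continue or halt: on halt the honest party gets the abort symbol instead.
	if !adv.Continue(corruptOut) {
		return Outcome{CorruptKey: corruptOut}
	}
	return Outcome{HonestKey: honestOut, CorruptKey: corruptOut}
}

// Guess corrupts B, submits guess as B's password and always continues: the
// one online password guess the ideal model allows per execution.
func Guess(guess []byte) Adversary {
	return Adversary{
		Corrupt:  PartyB,
		Input:    func([]byte) ([]byte, bool) { return guess, true },
		Continue: func([]byte) bool { return true },
	}
}

func main() {
	pw := []byte("correct horse")
	wrong := IdealExecution(pw, pw, Guess([]byte("wrong")))
	fmt.Println("wrong guess, adversary's key equals honest key:", bytes.Equal(wrong.HonestKey, wrong.CorruptKey))
	right := IdealExecution(pw, pw, Guess(pw))
	fmt.Println("right guess, keys equal:", bytes.Equal(right.HonestKey, right.CorruptKey))
	halt := Guess(pw)
	halt.Continue = func([]byte) bool { return false }
	fmt.Println("halt after output, honest party aborted:", IdealExecution(pw, pw, halt).HonestKey == nil)
}
```

What a PAKE practitioner should take from it: in the ideal world a wrong guess yields a key independent of the honest party's, and a halt only denies the honest party its key. Whatever a real protocol leaks beyond this must be simulated away in the proof, which is exactly what Definitions 4 and 5 below demand.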
4.1.2 Execution in the real model.
We next consider the real model in which a real two-party quantum protocol is executed with no trusted parties. In this case, the adversary sends all messages in place of the corrupted party, and may follow an arbitrary strategy. In contrast, the honest party follows the instructions of . We consider a simple network setting where the protocol proceeds in rounds, where in each round one party sends a message to the other party.
Let be as above and let be a two-party quantum protocol for computing . When and are both honest, we fix an arbitrary joint probability distribution for the inputs and , resulting in a common output state with a well-defined joint probability distribution , where is the adversary's quantum system. For an honest and a dishonest who takes as input a classical and a quantum state and outputs (the same) and a quantum state , the resulting overall output state (augmented with the honest party's input and ) is .
The , denoted by , is defined as the overall output state of the honest party and the adversary from the real execution of .
Definition 4.
A two-party quantum protocol is said to statistically -securely emulate an ideal classical functionality with abort in the presence of static malicious adversaries if for every (possibly unbounded) adversary for the real model, there exists a (possibly unbounded) adversary (called the simulator) for the ideal model, such that
[TABLE]
where and .
We also give here an adapted definition of everlasting security in the simulation-based paradigm. The executions in the ideal and real models stay the same as for unconditional security, but the real-world adversary and the ideal-world adversary are now required to be computationally bounded (quantum polynomial time). The closeness requirement between the two output states is unchanged and remains statistical, which is what makes the security everlasting: an adversary that is bounded only during the execution gains nothing from unbounded computation afterwards.
Definition 5.
A two-party quantum protocol is said to everlastingly -securely emulate an ideal classical functionality with abort in the presence of static malicious adversaries if for every quantum-polynomial-time adversary for the real model, there exists a quantum-polynomial-time adversary (called the simulator) for the ideal model, such that
[TABLE]
where and .
4.2 Split Authentication: From Passive Security to Active Security
A common approach in designing multi-party quantum cryptographic protocols is to treat the authenticated communication aspect of the problem as extraneous to the actual protocol design. That is, the adversary is assumed to be unable to send classical messages in the name of uncorrupted parties, or modify classical messages that the uncorrupted parties send to each other. This means that authentication must be provided by some mechanism that is external to the protocol itself, such as classical authenticated channels, as in QKD.
By contrast, relying on authenticated channels makes no sense when the goal is to realize authenticated key exchange itself, as in PAKE. But in the absence of such strong authentication mechanisms, honest parties cannot distinguish the case in which they interact with each other from the case in which they interact with the adversary, so the adversary can always partition the players and engage in separate executions of the protocol with each of them, playing the role of the other player.
To overcome this difficulty, our approach is to follow the Split Authentication transformation of [BCL+11]: we consider a completely unauthenticated setting, where all classical messages sent by the parties may be tampered with and modified by the adversary without the uncorrupted parties being able to detect this fact. We then modify the protocol as described in Figure LABEL:fig:compiler: we add an extra first flow in which the players exchange public verification keys for a signature scheme, and check these values by exchanging signatures on these keys. Each classical flow of the subsequent protocol is then signed using the associated private signing key and verified by the other player, who aborts if the signature does not match.
This transformation implies that the only attack that the adversary can carry out is to completely “disconnect” the two uncorrupted parties (during the added first flow), and engage in completely separate executions with each one of the two parties, where in each execution the adversary plays the role of the other party. Intuitively, the transformation guarantees that the adversary is limited to pursuing one of the two following strategies:
1. Passive attacks: the adversary does not tamper with the first flow, so it can only carry out active attacks on the quantum part of the channel; it cannot carry out active attacks on the classical channel without being caught.
2. Independent executions: the adversary intercepts the first flows between the parties and engages in independent, separate executions with each of them. We note that, in our simulation-based model, the adversary can only run one execution at any point. The security is then exactly the same as in the case where one of the parties is corrupted.
Theorem 4.1.
Assume the existence of signature schemes that are existentially unforgeable under an adaptive quantum chosen message attack (see definitions in 0.A.2). Let be a two-party quantum protocol that is everlastingly secure in the authenticated-channel setting. Then the compiled protocol , obtained by applying the transformation given in Figure LABEL:fig:compiler, is everlastingly secure against static, malicious adversaries, according to Definition 5, with no authenticated channels.
The proof closely follows the one given in [BCL+11] and is provided in Appendix 0.C.
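As an added example, not the paper's code, the compiler of Section 4.2 in Go over an unauthenticated classical channel, with the two adversary strategies described above. Ed25519 is only a classical stand-in for the signature scheme that Theorem 4.1 requires to be unforgeable under quantum chosen-message attack (a quantum adversary breaks Ed25519, so a real instantiation needs a post-quantum scheme); the channel model, the party names `A`/`B`, the flow numbering, the placeholder inner messages and the `Passive`, `TamperInner` and `Disconnect` adversaries are all constructed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Added example, not the paper's code: the Section 4.2 compiler. Ed25519 is a
// classical stand-in for the quantum-secure scheme Theorem 4.1 needs; the
// channel model and the adversaries are constructed here.

var ErrAbort = errors.New("signature check failed: abort")

type party struct {
	pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	peerPub ed25519.PublicKey // verification key received in flow 0
}

func newParty() *party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &party{pub: pub, priv: priv}
}

// Adversary sees every classical message (from, to are "A" or "B") and returns
// what is delivered. Signatures cover the flow number, so a message cannot be
// replayed or reordered within the session.
type Adversary func(from, to string, flow uint32, msg, sig []byte) ([]byte, []byte)

func tag(flow uint32, msg []byte) []byte {
	out := make([]byte, 4, 4+len(msg))
	binary.BigEndian.PutUint32(out, flow)
	return append(out, msg...)
}
func sign(priv ed25519.PrivateKey, flow uint32, msg []byte) []byte { return ed25519.Sign(priv, tag(flow, msg)) }
func verify(pub ed25519.PublicKey, flow uint32, msg, sig []byte) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, tag(flow, msg), sig)
}

// Compiled runs the compiler: flow 0 exchanges verification keys, flow 1 has
// each party sign the key it received (checked by that key's owner), then each
// inner flow (fixed strings here, alternating A->B, B->A) is signed and verified.
func Compiled(a, b *party, inner [][]byte, adv Adversary) error {
	b.peerPub, _ = adv("A", "B", 0, a.pub, nil)
	a.peerPub, _ = adv("B", "A", 0, b.pub, nil)
	_, sAB := adv("A", "B", 1, a.peerPub, sign(a.priv, 1, a.peerPub))
	_, sBA := adv("B", "A", 1, b.peerPub, sign(b.priv, 1, b.peerPub))
	if !verify(b.peerPub, 1, b.pub, sAB) || !verify(a.peerPub, 1, a.pub, sBA) {
		return fmt.Errorf("flow 1: %w", ErrAbort)
	}
	ps, names := [2]*party{a, b}, [2]string{"A", "B"}
	for i, m := range inner {
		flow, s, r := uint32(i+2), i%2, 1-i%2
		m2, s2 := adv(names[s], names[r], flow, m, sign(ps[s].priv, flow, m))
		if !verify(ps[r].peerPub, flow, m2, s2) {
			return fmt.Errorf("%s, flow %d: %w", names[r], flow, ErrAbort)
		}
	}
	return nil
}

// Passive delivers everything unchanged: only the quantum channel is left to attack.
func Passive(_, _ string, _ uint32, msg, sig []byte) ([]byte, []byte) { return msg, sig }

// TamperInner flips one bit of the first inner flow without the signing key.
func TamperInner(_, _ string, flow uint32, msg, sig []byte) ([]byte, []byte) {
	if flow == 2 && len(msg) > 0 {
		msg = append([]byte{msg[0] ^ 1}, msg[1:]...)
	}
	return msg, sig
}

// Disconnect substitutes its own key in flow 0 and signs every later flow itself,
// so A and B each complete a separate execution with the adversary as the other
// party. The compiler cannot reject this; only the password in the inner protocol can.
func Disconnect() Adversary {
	e, keys := newParty(), map[string]ed25519.PublicKey{}
	return func(from, to string, flow uint32, msg, sig []byte) ([]byte, []byte) {
		switch flow {
		case 0: // learn the real keys, deliver its own
			keys[from] = msg
			return e.pub, nil
		case 1: // sign the receiver's own key, which it will check under e.pub
			return nil, sign(e.priv, 1, keys[to])
		default: // relay (or rewrite) inner flows under its own key
			return msg, sign(e.priv, flow, msg)
		}
	}
}

func main() {
	inner := [][]byte{[]byte("commitments"), []byte("opened subset"), []byte("syndrome")}
	fmt.Println("passive:", Compiled(newParty(), newParty(), inner, Passive))
	fmt.Println("tampered inner flow:", Compiled(newParty(), newParty(), inner, TamperInner))
	fmt.Println("disconnect, undetected:", Compiled(newParty(), newParty(), inner, Disconnect()))
}
```

The two outcomes to notice are the ones the theorem relies on: any modification of a signed flow, or a signature under a key other than the one received in flow 0, ends in an abort, while the `Disconnect` strategy completes without any check failing. The compiler does not try to detect the latter; it only guarantees that the adversary is reduced to being the peer in two separate executions, which is the corrupted-party case the inner protocol must already withstand.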
5 Our Protocol
5.0.1 High-Level Description.
We use the split authentication mechanism given in Section 4.2, so that we focus on the “inner” protocol construction, which is a quantum PAKE assuming authenticated classical channels (which means that the adversary is assumed to be unable to modify classical messages sent by the uncorrupted parties). Applying the transformation described in LABEL:fig:compiler (using digital signatures) will thus lead to a quantum PAKE where the authentication between two honest parties is solely guaranteed by the password.
The full description of our PAKE protocol is provided in Figure 1 and its schematic diagram is given in Figure 5.0.3. From a high-level point of view, it starts with a preparation phase, in which the client samples random binary strings and , and sends the encoded quantum state of using basis . Next, a parameter estimation phase is carried out by means of a dual-mode commitment scheme, which can be either perfectly hiding or perfectly binding, depending on the chosen commitment key (see details in Section 0.A.2.1). The main difference between the security of a PAKE protocol and QKD is the need to consider the cases where one of the parties is corrupted. Two-party quantum protocols can easily be broken by a purification attack: the dishonest party can purify his actions at the expense of additional quantum memory, delay his measurements until the other party reveals her chosen basis at a later stage, and thereby learn more than he is entitled to. In order to enforce honest behavior, we use the Commit-and-Open compiler formally introduced in [DFL+09], and apply it to both parties. This forces both parties to measure, by asking them to commit to all their basis choices and measurement results, and to open some of them later.
After the estimation phase, both parties exchange a one-time pad of their password encrypted using the chosen random basis. We show that the session keys of both parties at the end are random and independent for any pair of different passwords.
Finally, the post-processing phase consists, as in QKD, of error correction and privacy amplification. A new problem arises, however, in the error correction step: to correct the errors caused by either the adversary or the imperfection of the quantum channel, one party may send a syndrome of the generated secret key to allow the other party to recover the same key from its noisy version. However, the syndrome may give extra information to a dishonest party. To circumvent this problem, we employ the -biased linear binary codes introduced in [DS05], which have the additional property that the syndrome of a string with high min-entropy is close to uniform.
5.0.2 Notations and Building Blocks.
Let denote the security parameter and let and some . Assume that both parties share some password . We denote:
- the encoding function of a binary code of length with codewords and minimal distance . is chosen such that is linear in or larger, and is linear in , i.e. , for some constant .
- a strongly two-universal class of hash functions from to for some parameter .
- the family of syndrome functions corresponding to a -biased family of linear error correcting codes of size , where , for some constant . Let be the corresponding decoding function. A random allows one to efficiently correct a -fraction of errors for some constant .
- a dual-mode proof commitment scheme, and we denote an execution of the commit phase of a message (with some randomness). We assume that the opening phase consists in the sender sending (and some randomness used in the commit phase) and the receiver verifying via a deterministic function .
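As an added example, not the paper's code, the post-processing phase described in Section 5.0.1 in Go, using the interfaces of the syndrome functions and the two-universal hash family listed in Section 5.0.2: the sender publishes the syndromes of its key, the receiver corrects its noisy copy, and both parties compress the result with a Toeplitz hash whose seed is public. Hamming(7,4) stands in for the paper's codes (it has the syndrome-decoding interface but not the small-bias property of [DS05] that keeps the syndrome close to uniform); the Toeplitz family is two-universal. The min-entropy rate and security margin in `FinalLength`, and the names `Syndromes`, `Reconcile`, `ToeplitzHash`, are assumptions of this example. It also exhibits the failure mode the text warns about: more errors than the code corrects are miscorrected silently, which is why the estimation phase has to bound the error rate first.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"fmt"
)

// Added example, not the paper's code: the classical post-processing of
// Section 5 (syndrome reconciliation, then privacy amplification with a
// two-universal Toeplitz hash) on bit strings stored one bit per byte.
// Hamming(7,4) stands in for the paper's code and lacks the small-bias
// syndrome property of [DS05]; the min-entropy rate and margin are assumed.

// syndrome multiplies a 7-bit block by the Hamming(7,4) parity-check matrix,
// whose column j is the 3-bit expansion of j+1, so a nonzero syndrome
// difference names the flipped position directly.
func syndrome(block []uint8) (s [3]uint8) {
	for j, bit := range block {
		for r := 0; r < 3; r++ {
			s[r] ^= uint8((j+1)>>(2-r)) & bit
		}
	}
	return s
}

// Syndromes is what the sender publishes: 3 bits for every 7-bit block.
func Syndromes(key []uint8) [][3]uint8 {
	out := make([][3]uint8, len(key)/7)
	for b := range out {
		out[b] = syndrome(key[7*b : 7*b+7])
	}
	return out
}

// Reconcile corrects the receiver's noisy copy from the sender's syndromes.
// One error per block is corrected; two or more are silently miscorrected,
// which is why the estimation phase must bound the error rate beforehand.
func Reconcile(noisy []uint8, syn [][3]uint8) []uint8 {
	out := append([]uint8{}, noisy...)
	for b, sA := range syn {
		sB := syndrome(out[7*b : 7*b+7])
		pos := 0
		for r := 0; r < 3; r++ {
			pos = pos<<1 | int(sA[r]^sB[r])
		}
		if pos != 0 {
			out[7*b+pos-1] ^= 1
		}
	}
	return out
}

// ToeplitzHash compresses x (n bits) with the Toeplitz matrix T[i][j] =
// seed[i-j+n-1] given by a public seed of n+m-1 bits, yielding m bits.
func ToeplitzHash(x, seed []uint8) []uint8 {
	n, m := len(x), len(seed)-len(x)+1
	if m < 0 {
		panic("seed shorter than n-1 bits")
	}
	y := make([]uint8, m)
	for i := 0; i < m; i++ {
		for j := 0; j < n; j++ {
			y[i] ^= seed[i-j+n-1] & x[j]
		}
	}
	return y
}

// FinalLength is the leftover-hash accounting: certified min-entropy minus
// the published syndrome bits minus a 2*sec margin for the distance to uniform.
func FinalLength(n, syndromeBits int, minEntropyRate float64, sec int) int {
	if m := int(float64(n)*minEntropyRate) - syndromeBits - 2*sec; m > 0 {
		return m
	}
	return 0
}

func randBits(n int) []uint8 {
	b := make([]uint8, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	for i := range b {
		b[i] &= 1
	}
	return b
}

func main() {
	keyA := randBits(70) // 10 blocks
	keyB := append([]uint8{}, keyA...)
	for _, p := range []int{3, 17, 44, 69} { // constructed noise: one error in each of four blocks
		keyB[p] ^= 1
	}
	keyB = Reconcile(keyB, Syndromes(keyA))
	m := FinalLength(70, 30, 0.8, 4) // 56 - 30 - 8 = 18 bits
	seed := randBits(70 + m - 1)      // public shared randomness for the hash
	fmt.Println("reconciled:", bytes.Equal(keyA, keyB), "final bits:", m,
		"keys agree:", bytes.Equal(ToeplitzHash(keyA, seed), ToeplitzHash(keyB, seed)))
}
```

The accounting in `FinalLength` is the conventional one: every syndrome bit is public and is charged against the min-entropy the estimation phase certifies. The paper's choice of small-bias codes is what makes that charge safe against a dishonest party who sees the syndrome; with an arbitrary linear code, as here, one must not assume the syndrome reveals nothing beyond its length.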
5.0.3 Security Result.
- [ABB+13] Michel Abdalla, Fabrice Benhamouda, Olivier Blazy, Céline Chevalier, and David Pointcheval. SPHF-friendly non-interactive commitments. In Kazue Sako and Palash Sarkar, editors, ASIACRYPT 2013, Part I, volume 8269 of LNCS, pages 214–234. Springer, Heidelberg, December 2013.
- [ACCP09] Michel Abdalla, Dario Catalano, Céline Chevalier, and David Pointcheval. Password-authenticated group key agreement with adaptive security and contributiveness. In Bart Preneel, editor, AFRICACRYPT 09, volume 5580 of LNCS, pages 254–271. Springer, Heidelberg, June 2009.
- [BB84] C. H. Bennett and G. Brassard. Quantum cryptography: Public key distribution and coin tossing. In Proceedings of IEEE International Conference on Computers, Systems, and Signal Processing, page 175, 1984.
- [BC16] Olivier Blazy and Céline Chevalier. Structure-preserving smooth projective hashing. In Jung Hee Cheon and Tsuyoshi Takagi, editors, ASIACRYPT 2016, Part II, volume 10032 of LNCS, pages 339–369. Springer, Heidelberg, December 2016.
- [BCL+11] Boaz Barak, Ran Canetti, Yehuda Lindell, Rafael Pass, and Tal Rabin. Secure computation without authentication. Journal of Cryptology, 24(4):720–760, October 2011.
- [BCNP04] Boaz Barak, Ran Canetti, Jesper Buus Nielsen, and Rafael Pass. Universally composable protocols with relaxed set-up assumptions. In 45th FOCS, pages 186–195. IEEE Computer Society Press, October 2004.
- [BCS12] Harry Buhrman, Matthias Christandl, and Christian Schaffner. Complete insecurity of quantum protocols for classical two-party computation. Physical Review Letters, 109(16):160501, 2012.
- [BFGGS12] Niek J. Bouman, Serge Fehr, Carlos González-Guillén, and Christian Schaffner. An all-but-one entropic uncertainty relation, and application to password-based identification. In Conference on Quantum Computation, Communication, and Cryptography, pages 29–44. Springer, 2012.
