On the Everlasting Security of Password-Authenticated Quantum Key Exchange

by   Céline Chevalier, et al.
Cole Normale Suprieure

Quantum Key Distribution, introduced in 1984 in the seminal paper of Bennett and Brassard, allows two parties to share a common secret key in an unconditionally secure way, relying on the laws of quantum physics. This fundamental result has opened the way to the whole field of quantum cryptography, though the unconditional security is often proven impossible to achieve, with no-go results, for instance, for commitments and oblivious transfer, two fundamental cryptographic primitives. However, this celebrated key distribution protocol suffers from a very strong assumption made on the establishment of the classical channels, which are asked to be information-theoretically authenticated (but not secure) beforehand. In practice, to keep the unconditional security, one does not have much of a choice but assuming to have a pre-shared key (used to authenticate the messages with authentication codes constructed from universal hashing) in order to construct a bigger shared secret key. In this paper, we investigate the possibility of implementing this authenticated classical channel by the means of human-memorable passwords. We first show a series of impossibility results forbidding the achievement of very strong security. We thus focus on everlasting security, which is a notion introduced by Müller-Quade and Unruh in 2007. Such a notion achieves unconditional security after the execution of the protocol and only reduces the power of the adversary to be computational during the execution of the protocol, which seems quite a reasonable assumption for nowadays practical use-cases. Finally, we adapt the simulation-based framework to the quantum setting, present a construction of a quantum PAKE scheme based on QKD, and prove its everlasting security in this simulation-based model.



There are no comments yet.


page 1

page 2

page 3

page 4


Franchised Quantum Money

The construction of public key quantum money based on standard cryptogra...

Security in Quantum Cryptography

Quantum cryptography exploits principles of quantum physics for the secu...

Lightweight authentication for quantum key distribution

Quantum key distribution (QKD) enables unconditionally secure communicat...

Backflash Light as a Security Vulnerability in Quantum Key Distribution Systems

Based on the fundamental rules of quantum mechanics, two communicating p...

Forging quantum data: classically defeating an IQP-based quantum test

In 2009, Shepherd and Bremner proposed a "test of quantum capability" ar...

Authentication and Key Management Automation in Decentralized Secure Email and Messaging via Low-Entropy Secrets

We revisit the problem of entity authentication in decentralized end-to-...

Experimental study and pratical realization of a reconciliation method for quantum key distribution system

This paper investigates a reconciliation method in order to establish an...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

In their 1984 seminal paper [BB84], Bennett and Brassard gave the first proof that the laws of quantum mechanics could lead to an achievement of unconditional security for classical cryptographic tasks. Their celebrated quantum key distribution protocol (so-called QKD) allows two users to agree on a secret key which is information-theoretic secret, assuming a quantum channel and an authenticated (but not secret) classical channel.

Even though this protocol is a conceptual milestone in the quantum cryptography field, this need for an authenticated channel makes it suffer from a problem of bootstrapping. In practice, the implementation of this channel while at the same time guaranteeing unconditional security leaves no choice but requiring Alice and Bob to use a pre-shared short random secret key (to authenticate the messages with authentication codes constructed from universal hashing) in order to obtain a larger random secret key using QKD. Otherwise, the security is drastically reduced when implementing the authentication part in an efficient way with no strong assumptions.

Indeed, in so-called authenticated key exchange, the two parties are able to generate a shared high entropy secret key, to be later used with symmetric primitives in order to protect communications, while interacting over an insecure network under the control of an adversary. Various authentication means have been proposed in the literature, the most practical certainly being based on passwords, leading to PAKE, standing for Password-Authenticated Key Exchange. PAKE protocols allow users to securely establish a common cryptographic key over an insecure and unauthenticated channel only using a low-entropy, human-memorable secret key called a password. The advantage of a quantum PAKE, in sharp contrast to all QKD-like schemes, is that no authenticated channel is needed. In QKD, the authentication keys can be run out, because either the adversary makes the execution fail (denial-of-service attack) or due to technical problems (the parties cannot exclude that an eavesdropper was in fact present). In the classical setting, PAKE has been extensively studied, resulting in various secure and efficient protocols. However, classical PAKE protocols can only achieve computational security, where the adversary’s power is computationally limited. Thus, it is natural to ask the following question:

Can we achieve a provably stronger security notion for password-based key exchange protocols using quantum communication?

Unfortunately, a series of no-go theorems showed that the dream of unconditional security brought by quantum communication will never be a reality for some kind of cryptographic tasks. For instance, several attempts have been made to achieve unconditionally secure quantum bit-commitments, until Mayers and Lo et al. independently showed that statistically hiding and binding quantum commitments are impossible without additional assumptions [May97, LC97]. Recall that in a bit-commitment scheme, the committer wants to commit to a bit  to the receiver (as if he was putting it into a sealed envelope) so that he cannot change his mind later on (the binding property) and the receiver cannot see the bit hidden in the committment (the hiding property). The impossibility of quantum cryptography was further extended to oblivious transfer (OT) by Lo [Lo97]. Oblivious transfer, introduced in 1981 by Rabin [Rab81], has proven to be a fundamental primitive in cryptography since the seminal result of Kilian [Kil88], proving it is complete for multi-party computation. In such a scheme, a user asks to access a single piece of data of a database owned by a server in a double-oblivious way (the server does not learn which piece of data the user accessed and no information on the other data is leaked to the user). These impossibilities were finally extended to non-trivial two-party computation protocols by Salvail et al. and Buhrman et al. [SSS09, BCS12]. In these papers, they show that any non-trivial functionality leaks some information to the adversary, and that the security for one party implies complete insecurity for the other. The insecurity of two-party quantum protocols follows from the fact that the protocol itself allows parties to input a superposed state rather than a classical one, and perform an appropriate measurement on the outcome state. At the end of the protocol, one party can always gain more information on the input of the other than that gained using any honest strategy.

Despite these impossibility results, we answer the above question affirmatively. Noting that these impossibility results are only proven for statistical security, we find a little feasible space through three dimensions: the security models (game-based, simulation-based, composable, etc.), the security definitions (computational, everlasting, statistical, etc.) and the trusted setup assumptions (common reference string, signature cards, etc.). Our work builds upon QKD, where the classical authentication is replaced by means of the password.

However, overcoming the impossibility results on PAKE in a quantum setting (see Section 3) requires some restriction on the adversary. One approach is to limit the adversary’s quantum memory as in the bounded quantum-storage model (BQSM) [DFSS05]. Nevertheless, most of the quantum protocols in BQSM would completely (and quite efficiently) break down in the case the assumption fails to hold. Instead, we consider here another plausible approach by assuming restrictions on the adversary’s computational power. Following Müller-Quade and Unruh [MQU07, Unr13], we consider the notion of everlasting security, where the adversary’s power is computationally bounded during the protocol execution and becomes computationally unlimited

after the execution. In other words, everlasting security assumes that, at the precise moment of the execution of the protocol, the computational power of an adversary is limited

and that certain mathematical problems are hard. This model is justified by the fact that the computational power required to break a cryptosystem might not exist now, but could exist in the future, so that the protocols should be protected after its execution. In particular, everlasting security can ensure the security of protocols executed today against future quantum computers, when they become available.

1.0.1 Related Work.

Security Models.

For classical cryptography, the two best known security models allowing for arbitrary composition are the Universal Composability (UC) framework defined by Canetti [Can01] and Abstract Cryptography introduced by Maurer and Renner [MR11]. A general quantum simulation-based model with sequential composition theorem has been refined by Fehr and Schaffner in [FS09]. Quantum security models in the UC style have been proposed by Ben-Or et al. in [BHL05] and refined by Unruh in [Unr10]. In this latter paper, Unruh also gives a theoretical separation result between the quantum and classical setting by showing that, in the quantum world, commitment is complete for statistically secure MPC, while it is not the case in the classical setting.

The concept of everlasting UC-security was first introduced by Müller-Quade and Unruh in [MQU07], in which they construct a (classically) everlasting UC-secure commitment protocol from certain strong assumptions, so-called signature cards. Unruh studied in [Unr13] the everlasting security in the quantum UC model [Unr10] and further extends impossibility results on everlastingly realizing cryptographic tasks from common trusted set-up assumptions such as the common reference string (CRS) model or the public-key infrastructure model.


Despite the apparent simplicity of Bennett and Brassard’s QKD protocol [BB84], the first complete composable security proof of QKD was only given in the mid-2000’s by [Ren05] (a first proof being given a few years before by Mayers in [May01]). This length of time can be explained by the inner difficulty of transposing the concepts of classical cryptography to the quantum world. The universal composability of QKD has been first studied by Ben-Or et al. in [BHL05]. A thorough state of the art of QKD’s proofs can be found in Tomamichel and Leverrier’s article [TL17]. Mosca, Stebila and Ustaoglu study in [MSU13] the security of QKD in the classical authenticated key exchange framework, and give a proof of the folklore theorem that QKD, when used with computationally secure authentication (e.g., quantum-secure digital signatures), is everlastingly secure (which they call long-term security). In parallel, researchers have studied the closely-related subject of the authentication of quantum channels, the latest works being that of Fehr and Salvail [FS17], and Portmann [Por17]. This is a slightly different approach, which also requires a shared secret key. The advantage is that the key can be recycled: If the message arrived unaltered, it means that the key is still secured. Furthermore, Portmann proved the composability of his result in the Abstract Cryptography model.


The main approach to construct a UC-secure PAKE protocol in the classical setting follows from the KOY-GL paradigm [KOY01, GL03], first formalized by Canetti et al. in [CHK05] and improved in order to obtain very efficient results (see [KV11, ABB13, BC16] for instance). It uses two building blocks: a CPA-secure encryption scheme supporting smooth projective hashing (SPHF), and a CCA-secure encryption scheme. Using different tools than SPHF, Jutla and Roy also proposed very efficient UC-secure PAKE schemes [JR15, JR18].

Canetti et al. proposed another approach in [CDVW12] that relies on oblivious transfer as the main cryptographic building block and bypasses the “projective hashing” paradigm. Informally, they first construct a secure protocol for randomized equality computation assuming an authenticated channel and then apply the generic Split Authentication transformation of Barak et al. [BCL11] to the protocol that realizes the “split” version of that protocol. Split functionalities adapt functionalities which assume authenticated channels to an unauthenticated channels setting. We note that by following the second approach, we could construct an everlastingly UC-secure PAKE protocol using signature cards as the trusted setup assumption. We do not follow this idea, but we briefly describe how it works as follows. First, we apply the framework of [CDVW12] using Unruh’s oblivious transfer construction [Unr13] with the signature card assumption. Then, it is not hard to see that by using a quantum-secure signature scheme, the security proof of the Split Authentication transformation carries through the quantum setting.

Although we are not aware of any quantum PAKE protocol, Damgård et al. proposed in [DFSS07] two password-based identification protocols in the bounded quantum storage model: Q-ID, which is only secure against dishonest Alice or Bob, and Q-ID, which is also secure against man-in-the-middle attacks. However, only Q-ID is truly password-based; in Q-ID

, Alice and Bob, in addition to the password, also need to share a high-entropy key. On the negative side, no quantum computing power at all is necessary to break the scheme, only sufficient quantum storage, because the dishonest party could store all the communicated qubits as they are, and measure them one by one in either the computational or the Hadamard basis and completely break the scheme. Subsequent works improve Q-ID schemes and prove their security based on various uncertainty relations

[BFGGS12], or in a different security model, e.g., the computational security by using the Commit-and-Open technique [DFL09].

1.0.2 Our Contributions.

Our main contribution consists in constructing a quantum PAKE protocol achieving a security notion close to everlasting UC-security (and thus providing a password-authenticated variant of QKD). Towards this goal, we give several flavors of results:

  • We first study and understand which security results are impossible and which ones might be achievable for quantum-polynomial-time PAKE protocols within different settings. We partially answer the question for protocols considered in the Universal Composability (UC) framework introduced by [Can01], be they statistically or everlastingly secure. We employ the reduction notion between protocols and show that PAKE is non-trivial by a reduction to oblivious transfer protocols. The impossibilities then follow from general results proven by Unruh for everlastingly secure multi-party computation [Unr13]. These results are given in Section 3.

  • Second, we present a new framework for the simulation-based model that extends the classical framework to the quantum setting, and a definition of everlasting security in that model. Our model is simple, expressive and simultaneously enjoys the general sequential composition theorem. Different from the model proposed by [FS09], ours employs a single security definition, instead of separate definitions for correctness, and security for each party. Thus, it seems easier to deal with: one can analyze protocols and prove their security by formally defining simulation strategies. These results are given in Section 4.

  • Finally, we show that our protocol is indeed everlastingly secure in this model. Our construction is inspired by the Commit-and-Open technique introduced in [DFL09]. Our work extends and improves on this result by showing that a stronger security notion (namely everlasting security in the simulation-based model) can be achieved. Lying at the core of our proof is a simulation strategy that allows the simulator to change the output of the simulated adversary. In the UC model (as opposed to the simulation-based model), the environment machine, which is an interactive distinguisher, externally interacts with the adversary throughout the execution. One very important artifact of this definition is that the simulator no longer has control over the output of the simulated adversary. In fact, the adversary is completely controlled by the environment. This is because the UC framework models the fact that the real-world adversary may have additional information from the environment, e.g., from other running instances of the protocol, or from other concurrently running protocols as well. On the other hand, in the simulation-based model, the adversary is internally simulated by the simulator. The simulated adversary outputs nothing, and the simulator is in charge of its output: it can apply any arbitrary function to the prescribed input of the adversary. This is safe in the simulation-based model, because the adversary is “detached” from the environment. By exploiting this major difference, we show that our protocol is provably secure in the simulation-based model. These results are given in Section 5.

2 Preliminaries

2.1 Notations

For a set and a -bit string , we write . It is sometimes convenient that all substrings of this form have the same length, irrespective of the actual size of the index set . Therefore,

is implicitly padded with sufficiently many zeros. For

, denote the closed integer interval , and denote the open real interval .

The logarithms in this paper are with respect to base 2 and denoted by . We write for the binary entropy function . The notation denotes any function such that , and denotes any function such that for some . Let be the Hamming distance, and let denote the relative Hamming distance between two strings, i.e., the Hamming distance normalized by their length.

2.2 Quantum Computation

In this section, we give a very brief introduction to the quantum notions we use in this paper, we refer to [Ren05, NC11] for further explanations.

2.2.1 Systems and States.

For any positive integer , stands for the complex Hilbert space of dimension . Sometimes, we omit the dimension and simply write . The state of a quantum-mechanical system in is described by a density operator . A density operator is normalized with respect to the trace norm (), Hermitian (

) and has no negative eigenvalues.

denotes the set of all density operators for a system .

denotes the identity matrix. When it is normalized with the dimension, denoted by

, it represents the fully mixed state.

A generalized measurement on a system is a set of linear operators such that

. The probability

of observing outcome is , and the state of the system after the measurement, conditioned on the outcome , is .

A quantum state is called pure if it is of the form

for a (normalized) vector

. For a density matrix of a composite quantum system , we write for the state obtained by tracing out system . We sometimes omit the index of the subspace that is traced out if it is clear from the context.

The pair (also written as ) denotes the computational or -basis, the pair (also written as ) denotes the Hadamard or -basis, where and . We write for the -qubit state where string in encoded in bases .

We often consider cases where a quantum state may depend on some classical random variable

. In that case the state is described by the density matrix if and only if . For an observer who has access to the state but not , the reduced state is determined by the density matrix , whereas the joint state, consisting of the classical and the quantum register is described by the density matrix , where we understand to be the computational basis of . Joint states with such classical and quantum parts are called cq-states. We also write for the quantum representation of the classical random variable . This notation extends naturally to quantum states that depend on several classical random variables (i.e., to ccq-states, cccq-states, etc.). Given a cq-state as above, by saying that there exists a random variable such that satisfies some condition, we mean that can be understood as for some ccq-state and that satisfies the required condition.

By , we denote the trace distance between two quantum states and . We call two quantum states and trace-indistinguishable, denoted , if there is a negligible function such that for a , .

Definition 1.

Let be a cq-state classical on . The trace-distance from uniform of given is defined by

2.2.2 Conditional Independence.

We need to express that a random variable is independent of a quantum state when given a random variable . Independence means that when given , the state gives no additional information on . Another way to understand this is that can be obtained from and by solely processing . Formally, adopting the notion introduced in [DFSS07], this is expressed by requiring that equals , where the latter is defined as

In other words, precisely if for all and . To further illustrate its meaning, notice that if the -register is measured and value is obtained, then the state collapses to , so that indeed no further information on can be obtained from the -register. This notation naturally extends to

2.2.3 (Conditional) Smooth Entropies.

We briefly introduce the notions of min- and max-entropy. For a bipartite cq-state , we define

where the optimization goes over all generalized measurements on .

Definition 2.

Let be a bipartite density operator. The min-entropy and max-entropy of conditioned on is defined as

where is any pure state with .

Definition 3.

Let be a bipartite density operator and let . The -smooth min- and max-entropy of conditioned on is defined as

where the supremum ranges over all density operator which are -close to .

We sometimes omit the subscript if the state is clear from the context.

2.2.4 Privacy Amplification.

Recall that a class of hash functions from to is called two-universal, if for any and for uniformly chosen from , the collision probability is upper bounded by . We recall the quantum-privacy-amplification theorem of [RK05] as formulated in [Ren05, Corollary 5.6.1].

Theorem 2.1.

Let be a cq-state classical on , let be a family of two-universal hash functions from to , and let . Then,

for defined by .

2.2.5 Private Error Correction.

Finally, we recall the private error correction technique introduced in [DS05] and generalized to the quantum setting in [FS08]. This tool allows to correct a constant fraction of errors, by using a family of efficiently decodable linear codes, where the syndrome of a string is close to uniform if the string has enough min-entropy and the code is chosen at random from the family. Specifically, they show that for every , there exists a -biased (as defined in [DS05]) family of -codes with .

The following theorem, which is a variant of Theorem 3.2 in [FS08], establishes the closeness of the syndrome of a string to random, given a random index and any -qubit state that may depend on .

Theorem 2.2.

Let the density matrix be a cq-state classical on with . For any constant , let be a -biased family of random variables over having square bias , and let be uniformly and independently distributed over . Then


The original theorem in [FS08] states for . By using Jensen’s inequality on Rényi entropy and means of smoothing, our theorem follows immediately. ∎

2.3 Security Models

We provide a brief overview of security models for multi-party computation (MPC), in which players interact in order to compute securely a given function of their inputs. Formally, consider players , each owning an input , and a classical -input function . The goal is to compute such that each player learns , and cheating players cannot change the outcome of the computation (other than choosing a different input) and do not learn more about the input (and possibly the output) of honest players than what can be derived from their own input and the output of the function evaluation.

2.3.1 The Simulation-based Paradigm.

The first step towards the solution for this security definition is the simulation paradigm. Instead of introducing different notion for each security property, we consider for each protocol, the “ideal behavior” it should have. Intuitively, we introduce the notion of “ideal world” where there is a trusted party who collects the inputs from all players, computes the output and distributes the output to the players. A real protocol is compared to an ideal protocol, and the real protocol is said to be at least as secure as the ideal protocol if the real protocol and the ideal protocol have an indistinguishable input output behavior. The level of security reached thus also depends on the specification of the ideal protocol. The formal description of the simulation-based model in the quantum setting is given in Section 4.

2.3.2 Universal Composability.

However, as being pointed out in the literature, this ability of simulating does not play well with composition. The simulation-based paradigm only achieves Sequential Composition, i.e., a protocol that is secure under sequential composition maintains its security when run multiple times, as long as the executions are run sequentially (meaning that each execution concludes before the next execution begins). In the case of Concurrent Composition in which many instances of the same protocol with correlated inputs are run concurrently, some problems may occur. For example, the messages from one protocol could be fed into another, or a message from one sub-protocol of a larger application is fed into another sub-protocol and the overall application becomes insecure. In order to solve this inherent problem, the so-called UC (for Universal Composability) framework was introduced. We refer the reader to [Can01] for more details on the classical version and [Unr10] on the quantum version.

Ideal World and Real World.

We define in the ideal world an entity that one can never corrupt, called the ideal functionality and usually denoted as . The players privately send their inputs to this entity, and receive their corresponding output the same way. There is no communication between the different players. is assumed to behave in a perfectly correct way, without revealing information other than required, and without being possibly corrupted by an adversary. Once is defined, the goal of a protocol , executed in a real world in the presence of an adversary, is then to create a situation equivalent to that obtained with .

Protocol, Adversary, and Environment.

Apart from the protocol participants which are specified by the protocol, there are two more machines taking part in the protocol execution. The adversary (or in the ideal model) is the machine coordinating all corrupted participants analogous to the simulation-based model. The environment machine , playing the role of the distinguisher, models “everything that is outside the protocol being executed”. It chooses the inputs, sees the outputs, and may communicate with the adversary at any time. The adversary has access to the communication between players, but not to the inputs and outputs of the honest players (it completely controls the dishonest or corrupted players). On the contrary, the environment has access to the inputs and outputs of all players, but not to their communication, nor to the inputs and outputs of the subroutines they can invoke.

A protocol securely realizes a functionality if for every real-world adversary there exists an ideal-world adversary , called the simulator, such that no environment can distinguish whether it is witnessing the real-world execution with adversary or the ideal-world execution with simulator , with a non-negligible advantage. Depending on the assumed computing power of the adversary and the environment we distinguish between computational security, where they are all considered to be polynomially bounded machines, and statistical security, where they are assumed to be computationally unbounded. Furthermore, in [Unr13], the author introduces the notion of everlasting security, where the adversary is considered to be polynomial-time machines but the environment is assumed to have unbounded computational power.

In addition, the notion of “hybrid models” is also introduced to model the concept of set-up assumptions. A protocol is said to be realized “in the -hybrid model” if can invoke the ideal functionality as a subroutine multiple times. We note that the environment can never interact directly with , and thus, is usually never invoked at all in the ideal world, and the implementation of is simulated solely by the ideal adversary . The model with no trusted set-up is called plain.

Ideal Functionalities.

We denote the common reference string functionality, the oblivious transfer functionality, the bit commitment functionality. The definitions of these functionalities are given in Appendix 0.B.

2.4 Cryptographic Primitives

2.4.1 Dual-mode Commitment.

We give here an informal security definitions for commitment schemes, and refer the reader to [Gol01] for a formal definition. A commitment scheme is defined by 3 algorithms:

  • , where is the security parameter, generates the global parameters param of the scheme (which includes the commitment key), implicitly given as input to the other algorithms;

  • produces a commitment on the input message from a message space , using the random coins from a randomizer space , and also outputs the opening information ;

  • verifies the commitment of the message using the opening information ; it outputs the message , or if the opening check fails.

To be useful in practice, a commitment scheme should satisfy two basic security properties. The first one is hiding, which informally guarantees that no information about is leaked through the commitment . The second one is binding, which guarantees that the committer cannot generate a commitment that can be successfully opened to two different messages. A commitment can be either perfect hiding (in which case it is perfectly secure from the committer’s point of view) or perfect binding (in which case it is perfectly secure from the receiver’s point of view). Interestingly, it is proven that information-theoretically secure commitment protocols (which are both perfect hiding and perfect binding) cannot exist classically, nor even if we allow to use quantum mechanics [LC97, May97].

Our construction uses a non-interactive commitment scheme with some special properties. This scheme, with a quantum-safe construction based on lattice assumptions, is used in the Commit-and-Open technique introduced in [DFL09]. First, we want a commitment scheme that has two different flavors of keys, where the corresponding commitment key is generated by one of two possible key-generation algorithms: or . For a key generated by , the commitment scheme is perfectly hiding, in which case the commitment reveals no information about the message. Alternatively, the commitment key generated by can be perfectly binding, in which case a valid commitment uniquely defines one possible message. Both key generation algorithms are probabilistic polynomial time. They output a commitment key and also some trapdoor information such that we can either open a commitment to any message (if the commitment key is perfectly hiding, i.e., generated by ), or efficiently extract the committed value (if the commitment key is perfectly binding, i.e., generated by ). Furthermore, we require that keys generated by and are computationally indistinguishable, even against quantum adversaries.

The formal definition of dual-mode commitment scheme is given in Appendix 0.A. For simplicity and efficiency, we consider the common reference string model, and we assume the commitment key to be contained in the CRS.

3 On the Feasibility of Securely Realizing PAKE

In this section, we show negative results on the achievable security of Password-based Key Exchange protocols when allowed to use quantum communication. We recall an important property of a PAKE protocol: it guarantees that if the same password was entered, the generated session key is the same for both parties, but they might not know at the end of the protocol whether it is so. This property is known as implicit authentication, as opposed to explicit authentication, in which the parties know whether they share the same session key at the end of the protocol. (In both cases, the protocol should guarantee that if the passwords were different, the session keys are independent and random.) In the former form, at the end of the protocol, the two parties may have a common high-entropy cryptographic key (if the session succeeded) or random and independent keys (if the session failed).

3.1 Simulation-based Secure PAKE

Theorem 3.1.

There is no statistically simulation-based secure PAKE protocol with explicit authentication in the plain model.

To prove this theorem, we employ a general result which proves that for the class of deterministic, two-sided functionalities, the security for one party implies complete insecurity for the other in the simulation-based model.

Lemma 1 ([Bcs12, Theorem 2]).

If a protocol for the evaluation of is -correct and -secure against Bob, then there is a cheating strategy for Alice (where she uses input and Bob has input ) which gives her distributed according to some distribution such that for all : .

Proof (Theorem 3.1).

We first show that secure computation of equality of strings (denoted by EQUALITY function, in which both parties learn the output) is equivalent to a password-based identification (PID) scheme. The reduction from a secure computation of EQUALITY function to a PID scheme works as follows. Let be the secret pass-string of Alice and Bob, respectively. Then, Alice and Bob run the PID protocol on input and , if the authentication succeeds, the output is set to 1, otherwise, the output is set to 0. In the inverse direction, assume we have a secure computation of EQUALITY function, a PID scheme can be easily constructed by running the secure computation of EQUALITY function on two pass-strings. Since an explicitly authenticated PAKE implies PID, it follows that explicitly authenticated PAKE protocols can be reduced to an EQUALITY computation.

The proof is completed by Lemma 1. ∎

3.2 Quantum-UC Secure PAKE

Assuming some trusted setup, the following theorem states the impossibility of everlastingly realizing EQUALITY using only passively-realizable functionalities (which are the ones that can be securely realized with respect to unbounded passive adversaries), including (described in Figure 5).

Theorem 3.2.

There is no statistically or everlastingly quantum-UC secure protocol that realizes EQUALITY which only uses passively-realizable functionalities as trusted setup assumptions.

Corollary 1.

There is no statistically or everlastingly quantum-UC secure PAKE protocol with explicit authentication which only uses passively-realizable functionalities as trusted setup assumptions.

Before proving Theorem 3.2, we recall the impossibility of everlastingly quantum-UC-secure oblivious transfer.

Lemma 2 ([Unr13, Theorem 5]).

There is no statistically or everlastingly quantum-UC secure OT protocol which only uses passively-realizable functionalities as trusted setup assumptions.

We use the notion of reductions between MPC functionalities, that allows us to form “classes” of functionalities with similar cryptographic complexity: a functionality is trivial 111We use trivial and feasible exchangeably hereafter. if it can be realized in the UC framework with no setup assumptions, or complete if it is sufficient for computing arbitrary other functions, under appropriate complexity assumptions. We recall the following results that are proven in [Unr10, FKS13].

Lemma 3 ([Unr10, Fks13]).

The following statements hold:

  1. If a protocol statistically UC realizes a functionality , then statistically quantum-UC realizes the functionality .

  2. Feasibility in the quantum world is equivalent to classical feasibility, in both the computational and statistical setting.

To show a reduction from EQUALITY to OT, we employ these following intermediate results.

Definition 4 (OT-cores).

Let be a deterministic two-party function, , be the input alphabet of two parties, , be the output distribution of two parties, and is the output values of the two parties. A quadruple is an OT-core of , if the following three conditions are met:

  1. We have that .

  2. We have that .

  3. We have that or (or both).

In [KMQ11] the so-called Classification theorem was proven, which shows a necessary and sufficient condition to have a reduction protocol from an ideal functionality to .

Theorem 3.3 (The Classification Theorem [Kmq11]).

There exists an OT protocol that is statistically secure against passive adversaries in the -hybrid model, for some , if and only if has an OT-core.

Proof of Theorem 3.2.

Because the reduction protocol in Theorem 3.3 is statistically secure in the classical setting, the statement can be translated to quantum-UC setting by Lemma 3.

Consider the EQUALITY function , without loss of generality, assume . Let be a random value drawn from the input distribution, then a quadruple is an OT-core of because:

Then Theorem 3.3 tells us that there exists an OT protocol that is statistically secure again quantum-passive adversaries in the EQUALITY-hybrid model.

Assume that there exists a quantum-polynomial-time everlasting quantum-UC EQUALITY protocol which only uses passively-realizable functionalities. Let be the protocol resulting from by replacing invocations of EQUALITY by invocations of the subprotocol . Then is a quantum everlasting OT protocol which only uses quantum-passively realizable functionalities against quantum-passive adversaries. This contradicts Lemma 2.

The proof of statistical security follows easily from the proof of everlasting security. ∎

Avoiding Impossibility Results.

In summary, we have shown that unconditionally or everlastingly secure PAKE with explicit authentication is impossible in the simulation-based model with no trusted setups, and only possible in the UC model given very strong trusted setup assumptions like signature cards 222[Unr13] proves that signature cards assumption is complete for everlasting secure two-party computation.. However, the door for finding secure quantum protocols for PAKE is not closed completely: we avoid these impossibilities by constructing a quantum PAKE protocol with only implicit authentication, in the simulation-based model given the CRS as a trusted setup.

4 Definition of Security

4.1 Description of the Simulation-based Model

Our definition is based on the real-world/ideal-world simulation paradigm which has been used extensively in both the classical setting [Can00] and quantum setting [FS09, DFL09]. In particular, we follow the framework put forward in [FS09]. This framework models classical functionalities which have classical inputs and outputs, and provides a composition theorem. However, the composability of protocols proven to be secure in this model admit only sequential composition: it requires that at any point, only one protocol invocation be in progress. This is weaker than the notion of universal composability, where many instances and subroutines may be executed concurrently. A main feature of our model is that it is formally sound, simple and expressive, benefits from a simpler security definition tailored to various assumptions on the adversary’s computational power. In addition, it still enjoys the sequential composition theorem because of the equivalence with [FS09]’s model.

Since we are interested in two-party quantum computations, we will formalize the real and ideal model executing the task with two parties and a static adversary who can control an arbitrary but fixed corrupted party. We only consider either the setting where one of the parties is corrupted, or the setting where none of the parties is corrupted, in which case the adversary seeing the transcript between the parties should learn nothing.

Execution in the ideal model.

Denote the participating parties by and and let denote the index of the corrupted party, controlled by an adversary . An ideal execution for an ideal functionality proceeds as follows:

  • [align=left]

  • We fix an arbitrary distribution for ’s input, for ’s input. For honest and , we assume the common input state to be classical, i.e. of the form

    for some probability distribution

    . The adversary also has an auxiliary classical input denoted by as well as a quantum state which only depends on , such that for any honest player’s input and his classical “side information” : . All parties are initialized with the same value on their security parameter tape (including the trusted party).

  • The honest party sends its prescribed input to the trusted party. The corrupted party controlled by may either abort (by replacing the input with a special message), send its prescribed input, or send some other input of the same length to the trusted party by applying some completely positive trace-preserving (CPTP) map. This decision is made by and may depend on its auxiliary input and the input value of . Denote the common input state sent to the trusted party by . Upon receipt of input from the parties, the trusted party measures the inputs in the computational basis.

  • If the trusted party receives an input of the form for some , it sends to the honest party and the ideal execution terminates. Otherwise, the execution proceeds to the next step.

  • At this point the trusted party computes and let and and sends to party (i.e. it sends the corrupted party its output).

  • sends either continue or to the trusted party. If it sends continue, the trusted party sends to the honest party . Otherwise, if sends , the trusted party sends to party .

  • The honest party always outputs the output value it obtained from the trusted party. The corrupted party outputs nothing. The adversary outputs any arbitrary CPTP map of the prescribed input of the corrupted party, the auxiliary classical input , and the value obtained from the trusted party.

The , denoted by , is defined as the overall output state (augmented with honest inputs) of the honest party and the adversary from the above ideal execution.

Execution in the real model.

We next consider the real model in which a real two-party quantum protocol is executed with no trusted parties. In this case, the adversary sends all messages in place of the corrupted party, and may follow an arbitrary strategy. In contrast, the honest party follows the instructions of . We consider a simple network setting where the protocol proceeds in rounds, where in each round one party sends a message to the other party.

Let as above and let be a two-party quantum protocol for computing . When and are both honest, we fix an arbitrary joint probability distribution for the inputs and , resulting in a common output state with a well defined joint probability distribution , where is the adversary’s quantum system. For an honest and a dishonest who takes as input a classical and a quantum state and output (the same) and a quantum state , then the resulting overall output state (augmented with the honest party’s input and ) is .

The , denoted by , is defined as the overall output state of the honest party and the adversary from the real execution of .

Definition 5.

A two-party quantum protocol is said to statistically -securely emulate an ideal classical functionality with abort in the presence of static malicious adversaries if for every (possibly unbounded) adversary for the real model, there exists an (possibly unbounded) adversary (called the simulator) for the ideal model, such that

where and .

We also give here an adapted definition of everlasting security in the simulation-based paradigm. The execution in the ideal model and the real model stay the same as unconditional security, but we require that the real-world adversary and ideal-world adversary are computationally bounded.

Definition 6.

A two-party quantum protocol is said to everlastingly -securely emulate an ideal classical functionality with abort in the presence of static malicious adversaries if for every quantum-polynomial-time adversary for the real model, there exists a quantum-polynomial-time adversary (called the simulator) for the ideal model, such that

where and .

4.2 PAKE Ideal Functionality

Our definition of the password-based key-exchange functionality (Fig. 1) is identical to the description in [CHK05]. A natural property of PAKE is that due to the low entropy of passwords, PAKE protocols are subject to dictionary attacks. The adversary can break the security of the scheme by trying all values for the password in the small set of the possible values (i.e., the dictionary). Unfortunately, these attacks can be quite damaging since the attacker has a non-negligible probability of succeeding. To address this problem, one should invalidate or block the use of a password whenever a certain number of failed attempts occurs. However, this is only effective in the case of online dictionary attacks in which the adversary must be present and interact with the system in order to be able to verify whether its guess is correct. Thus, the goal of PAKE protocol is restrict the adversary to online dictionary attacks only. In other words, off-line dictionary attacks, in which the adversary verifies if a password guess is correct without interacting with the system, should not be possible in a PAKE protocol. We refer the reader to [CHK05] for motivating discussion regarding the particular choices made in this formulation of the functionality. In particular, this formulation captures PAKE protocols with implicit authentication.

[colback=white,size=small,sharp corners,colframe=black] The functionality

The functionality is parameterized by a security parameter . It interacts with an adversary and a set of parties via the following queries:

  • [leftmargin=*,label=]

  • Upon receiving a query from party :

    • [label=]

    • Send to . In addition, if this is the first NewSession query, or if this is the second NewSession query and there is a record , then record and mark this record fresh.

  • Upon receiving a query from the adversary :

    • [label=]

    • If there is a record of the form which is fresh, then do: If , mark the record compromised and reply to with “correct guess”. If , mark the record interrupted and reply with “wrong guess”.

  • Upon receiving a query from , where :

    • [label=]

    • If there is a record of the form , and this is the first NewKey for , then:

      • [leftmargin=*,label=]

      • If this record is compromised, or either or is corrupted, then output to player .

      • If this record is fresh, and there is a record with , and a key was already sent to , and was fresh at the time, then output to .

      • In any other case, pick a new random key of length and send to .

    • Either way, mark the record as completed.

Figure 1: The password-based key-exchange functionality .

4.3 Split Authentication: From Passively Unconditional Security to Actively Everlasting Security

A common approach in designing multi-party quantum cryptography protocols is to treat the classical authenticated communication aspect of the problem as extraneous to the actual protocol design. That is, the adversary is assumed to be unable to send classical messages in the name of uncorrupted parties, or modify classical messages that the uncorrupted parties send to each other. This means that authentication must be provided by some mechanism that is external to the protocol itself, whereas our end goal, of course, is to implement PAKE without any classical authenticated channels. Thus, our approach is to follow the Split Authentication transformation of [BCL11]: we consider a completely unauthenticated setting, where all classical messages sent by the parties may be tampered with and modified by the adversary without the uncorrupted parties being able to detect this fact. Nevertheless, all the adversary can do is to partition the network into disjoint sets, where in each set the computation is secure in itself, and also independent of the computation in the other sets. In this model, it is not possible to achieve the same level of security as in the authenticated-channel setting.

We first consider the security of a two-party quantum protocol in the presence of (possibly unbounded) classically specious adversaries (we give the definition below), and our second step is to transform these protocols into ones that do not assume authenticated channels using the Split Authentication transformation, in the presence of quantum-polynomial-time malicious adversaries. “Specious” here means that at every step, no audit can distinguish the behavior of the adversary from the honest one. Intuitively, in the case where both parties are honest, the split authentication mechanism does not change anything on the quantum part of the adversary. However, it changes the adversary in the sense that it cannot carry active attack in the classical channel without being caught. When we consider quantum-polynomial-time adversaries, the classical part of the adversary thus becomes passive, but the quantum part remains malicious. In the case where one of the parties is corrupted, the adversary can always legitimately generate classical messages using its own secret key, and thus, it is identical to the malicious one.

Definition 7 (Classically-Specious adversaries).

An adversary is called -classical-specious, if the following holds:

  • If one of the parties is corrupted, may arbitrarily deviate from the protocol specification, i.e. it is identical to a malicious one.

  • If neither of both parties is corrupted, ’s classical output is (computationally) -close to the classical output of the honest parties.

[colback=white,size=small,sharp corners,colframe=black,before upper=]

Link Initialization

Upon activation, does the followings:

  1. chooses a key pair for the signature scheme.

  2. sends to . (Recall that in an unauthenticated network, sending to only means that the message is given to the adversary.)

  3. waits until it receives a key from (Recall that this key is actually received from the adversary and does not necessarily correspond to the key sent by the other party.) and defines .

  4. computes and sends to .

  5. waits until it receives a message from . Then it checks that and that . If all of these check pass, then outputs .

Core Protocol Execution

  1. initializes a counter to zero.

  2. runs protocol according to the protocol specification, with some slight modifications for classical messages authentication:

    1. When wants to send a classical message to , it signs on together with , the recipient identity, and the counter value. That is, computes , sends to and increments .

    2. Upon receiving a message allegedly from , first verifies that did not appear in a message received from in the past. It then verifies that is a valid signature on using the verification key . If the verification fails, it halts.

Figure 2: Compiled protocol .
Theorem 4.1.

Assume that the signature scheme used in the compiler (Fig. 2) is existentially unforgeable under adaptive chosen message attacks. Let be a two-party quantum protocol, unconditionally (resp. everlastingly) -secure against unbounded (resp. quantum-polynomial-time) -classically-specious adversaries. Then, the compiled protocol , resulting by applying the Split Authentication transformation, is everlastingly -secure against quantum-polynomial-time malicious adversaries, according to Definition 6, in the plain model.

The formal proof of this theorem is provided in Appendix 0.C.

5 Our Protocol

A High-Level Description.

The protocol is started with a preparation phase, where the client samples random binary strings and , and sends the encoded quantum state of using basis

. Next, a parameter estimation phase is done by means of a perfectly hiding commitment scheme. (For our security proof, we need to use a dual-mode commitment scheme instead.) The main difference between our PAKE protocol and QKD is that we also need to consider the cases where one of the parties is corrupted. This is in contrast to QKD, where the security proof is only considered in the presence of a malicious adversary with access to the communication channels, and both parties are always honest. Indeed, two-party quantum protocols can easily be broken by the

adversary purification attack: the dishonest party can purify his actions at the expense of additional quantum memory, and delay the measurements until the other party reveals her chosen basis at a later stage, and learn more information than what he was supposed to. The basic technique we use to enforce the honest behavior is the Commit-and-Open compiler formally introduced in [DFL09], applied to both parties. This forces both parties to measure by asking them to commit to all the basis choices and measurement results, and open some of them later.

After the commit-and-open phase, we embed the (encoded) password to the sifting step, which can be seen as one-time pad encryptions of the password. We show that the session keys of both parties at the end are random and independent for any pair of two different passwords.

Finally, similar to QKD, we do error correcting and privacy amplification. Another problem lies in the error correcting step: to correct the errors caused by either the adversary or the imperfection of the quantum channel, one party may send a syndrome of the generated secret key to allow the other party recover the same key from its noisy version. However, the syndrome may give extra information to a dishonest party. To circumvent this problem, we employ the -biased linear binary codes introduced in [DS05], which has an additional property that the syndrome of a string with high min-entropy is close to uniform.

5.0.1 Notations and Building Blocks.

Let denote the security parameter and let and some . Assume that both parties share some password . Let be the encoding function of a binary code of length with codewords and minimal distance . is chosen such that is linear in or larger, and is linear in , i.e. , for some constant (see [DFSS07]). Let be a strongly two-universal class of hash functions from to for some parameter .

Let be the family of syndrome functions corresponding to a -biased family of linear error correcting codes of size , where , for some constant . A random allows to efficiently correct a -fraction of errors for some constant , and for some random , the syndrome of a string with bits of min-entropy is -close to uniform.

We fix the following notation for dual-mode proof commitment schemes: If is a dual-mode proof commitment scheme, we denote by an execution of the commit phase of a message (with some randomness). We assume that the opening phase consists in the sender sending (and some randomness used in the commit phase) and the receiver verifying the open phase via a deterministic function .

5.0.2 Construction.

The full description of our PAKE protocol is provided in Fig. 3 and its schematic diagram is given in Fig. 4.

[colback=white,size=small,sharp corners,colframe=black,before upper=]

Common reference string: A pair , which are the two perfectly hiding commitment keys for the dual-mode proof commitment scheme .

Protocol Steps:

  1. Upon activation, chooses , , encodes each data bit from according to the corresponding basis bit , let the encoded state be and sends to .

  2. Upon receipt of from , chooses , measures in basis to get a classical string . For each pair of bits of and , it uses to commit , then sends to .

  3. Upon receipt of from , chooses a random subset such that , and sends to .

  4. Upon receipt of from , opens all the commitments restricted to the indices and sends to .

  5. Upon receipt of from , verifies all the commitments restricted to the indices : and . Furthermore, it sets and verifies that . It aborts if the verifications fail.

    For each pair of bits of and restricted to the set , it uses to commit , then sends to , where .

  6. Upon receipt of from , chooses a random subset such that , and send to .

  7. Upon receipt of from , opens all the commitment restricted to the indices and sends to .

  8. Upon receipt of from , verifies all the commitment restricted to the indices : and . It also sets and verifies that . It aborts if the verifications fail.

  9. Both parties set . computes , and computes . sends to .

  10. Upon receipt of from , sends to .

  11. Both parties set . chooses , computes and sends to .

  12. Upon receipt of from , recovers from