On the Everlasting Security of Password-Authenticated Quantum Key Exchange
share
Quantum Key Distribution, introduced in 1984 in the seminal paper of Bennett and Brassard, allows two parties to share a common secret key in an unconditionally secure way, relying on the laws of quantum physics. This fundamental result has opened the way to the whole field of quantum cryptography, though the unconditional security is often proven impossible to achieve, with no-go results, for instance, for commitments and oblivious transfer, two fundamental cryptographic primitives. However, this celebrated key distribution protocol suffers from a very strong assumption made on the establishment of the classical channels, which are asked to be information-theoretically authenticated (but not secure) beforehand. In practice, to keep the unconditional security, one does not have much of a choice but assuming to have a pre-shared key (used to authenticate the messages with authentication codes constructed from universal hashing) in order to construct a bigger shared secret key. In this paper, we investigate the possibility of implementing this authenticated classical channel by the means of human-memorable passwords. We first show a series of impossibility results forbidding the achievement of very strong security. We thus focus on everlasting security, which is a notion introduced by Müller-Quade and Unruh in 2007. Such a notion achieves unconditional security after the execution of the protocol and only reduces the power of the adversary to be computational during the execution of the protocol, which seems quite a reasonable assumption for nowadays practical use-cases. Finally, we adapt the simulation-based framework to the quantum setting, present a construction of a quantum PAKE scheme based on QKD, and prove its everlasting security in this simulation-based model.
READ FULL TEXT