1 Introduction
In their seminal 1984 paper [BB84], Bennett and Brassard gave the first proof that the laws of quantum mechanics can yield unconditional security for classical cryptographic tasks. Their celebrated quantum key distribution protocol (so-called QKD) allows two users to agree on a secret key that is information-theoretically secret, assuming a quantum channel and an authenticated (but not secret) classical channel.
Even though this protocol is a conceptual milestone in the field of quantum cryptography, its need for an authenticated channel makes it suffer from a bootstrapping problem. In practice, implementing this channel while at the same time guaranteeing unconditional security leaves no choice but to require Alice and Bob to use a pre-shared short random secret key (to authenticate the messages with authentication codes constructed from universal hashing) in order to obtain a larger random secret key using QKD. Otherwise, security is drastically reduced when the authentication part is implemented efficiently without strong assumptions.
Indeed, in so-called authenticated key exchange, the two parties are able to generate a shared high-entropy secret key, to be later used with symmetric primitives in order to protect communications, while interacting over an insecure network under the control of an adversary. Various authentication means have been proposed in the literature, the most practical certainly being based on passwords, leading to PAKE, standing for Password-Authenticated Key Exchange. PAKE protocols allow users to securely establish a common cryptographic key over an insecure and unauthenticated channel using only a low-entropy, human-memorable secret called a password. The advantage of a quantum PAKE, in sharp contrast to all QKD-like schemes, is that no authenticated channel is needed. In QKD, the authentication keys can run out, either because the adversary makes the execution fail (denial-of-service attack) or because of technical problems (the parties cannot exclude that an eavesdropper was in fact present). In the classical setting, PAKE has been extensively studied, resulting in various secure and efficient protocols. However, classical PAKE protocols can only achieve computational security, where the adversary’s power is computationally limited. Thus, it is natural to ask the following question:
Can we achieve a provably stronger security notion for passwordbased key exchange protocols using quantum communication?
Unfortunately, a series of no-go theorems showed that the dream of unconditional security brought by quantum communication will never become a reality for some kinds of cryptographic tasks. For instance, several attempts were made to achieve unconditionally secure quantum bit commitments, until Mayers and Lo et al. independently showed that statistically hiding and binding quantum commitments are impossible without additional assumptions [May97, LC97]. Recall that in a bit-commitment scheme, the committer wants to commit to a bit towards the receiver (as if he were putting it into a sealed envelope) so that he cannot change his mind later on (the binding property) and the receiver cannot see the bit hidden in the commitment (the hiding property). This impossibility was further extended to oblivious transfer (OT) by Lo [Lo97]. Oblivious transfer, introduced in 1981 by Rabin [Rab81], has proven to be a fundamental primitive in cryptography since the seminal result of Kilian [Kil88], proving that it is complete for multiparty computation. In such a scheme, a user asks to access a single piece of data in a database owned by a server in a doubly oblivious way (the server does not learn which piece of data the user accessed, and no information on the other data is leaked to the user). These impossibilities were finally extended to non-trivial two-party computation protocols by Salvail et al. and Buhrman et al. [SSS09, BCS12]. In these papers, they show that any non-trivial functionality leaks some information to the adversary, and that security for one party implies complete insecurity for the other. The insecurity of two-party quantum protocols follows from the fact that the protocol itself allows parties to input a superposed state rather than a classical one, and to perform an appropriate measurement on the outcome state. At the end of the protocol, one party can always gain more information on the input of the other than is gained using any honest strategy.
Despite these impossibility results, we answer the above question affirmatively. Noting that these impossibility results are only proven for statistical security, we find a small feasible space along three dimensions: the security models (game-based, simulation-based, composable, etc.), the security definitions (computational, everlasting, statistical, etc.) and the trusted setup assumptions (common reference string, signature cards, etc.). Our work builds upon QKD, where the classical authentication is replaced by means of the password.
However, overcoming the impossibility results on PAKE in a quantum setting (see Section 3) requires some restriction on the adversary. One approach is to limit the adversary’s quantum memory as in the bounded quantum-storage model (BQSM) [DFSS05]. Nevertheless, most of the quantum protocols in the BQSM would completely (and quite efficiently) break down in case the assumption fails to hold. Instead, we consider here another plausible approach by assuming restrictions on the adversary’s computational power. Following Müller-Quade and Unruh [MQU07, Unr13], we consider the notion of everlasting security, where the adversary’s power is computationally bounded during the protocol execution and becomes computationally unlimited after the execution. In other words, everlasting security assumes that, at the precise moment of the execution of the protocol, the computational power of an adversary is limited and that certain mathematical problems are hard. This model is justified by the fact that the computational power required to break a cryptosystem might not exist now, but could exist in the future, so that protocols should remain protected after their execution. In particular, everlasting security can ensure the security of protocols executed today against future quantum computers, when they become available.
1.0.1 Related Work.
Security Models.
For classical cryptography, the two best known security models allowing for arbitrary composition are the Universal Composability (UC) framework defined by Canetti [Can01] and Abstract Cryptography introduced by Maurer and Renner [MR11]. A general quantum simulation-based model with a sequential composition theorem has been refined by Fehr and Schaffner in [FS09]. Quantum security models in the UC style have been proposed by Ben-Or et al. in [BHL05] and refined by Unruh in [Unr10]. In the latter paper, Unruh also gives a theoretical separation result between the quantum and classical settings by showing that, in the quantum world, commitment is complete for statistically secure MPC, while this is not the case in the classical setting.
The concept of everlasting UC-security was first introduced by Müller-Quade and Unruh in [MQU07], in which they construct a (classically) everlasting UC-secure commitment protocol from certain strong assumptions, so-called signature cards. Unruh studied in [Unr13] everlasting security in the quantum UC model [Unr10] and further extended the impossibility results on everlastingly realizing cryptographic tasks from common trusted setup assumptions such as the common reference string (CRS) model or the public-key infrastructure model.
QKD.
Despite the apparent simplicity of Bennett and Brassard’s QKD protocol [BB84], the first complete composable security proof of QKD was only given in the mid-2000s by [Ren05] (a first proof having been given a few years earlier by Mayers in [May01]). This length of time can be explained by the inherent difficulty of transposing the concepts of classical cryptography to the quantum world. The universal composability of QKD was first studied by Ben-Or et al. in [BHL05]. A thorough state of the art of QKD proofs can be found in Tomamichel and Leverrier’s article [TL17]. Mosca, Stebila and Ustaoglu study in [MSU13] the security of QKD in the classical authenticated key exchange framework, and give a proof of the folklore theorem that QKD, when used with computationally secure authentication (e.g., quantum-secure digital signatures), is everlastingly secure (which they call long-term security). In parallel, researchers have studied the closely related subject of the authentication of quantum channels, the latest works being those of Fehr and Salvail [FS17] and Portmann [Por17]. This is a slightly different approach, which also requires a shared secret key. The advantage is that the key can be recycled: if the message arrived unaltered, the key is still secure. Furthermore, Portmann proved the composability of his result in the Abstract Cryptography model.
PAKE.
The main approach to constructing a UC-secure PAKE protocol in the classical setting follows the KOY-GL paradigm [KOY01, GL03], first formalized by Canetti et al. in [CHK05] and improved in order to obtain very efficient results (see [KV11, ABB13, BC16] for instance). It uses two building blocks: a CPA-secure encryption scheme supporting smooth projective hash functions (SPHF), and a CCA-secure encryption scheme. Using different tools than SPHF, Jutla and Roy also proposed very efficient UC-secure PAKE schemes [JR15, JR18].
Canetti et al. proposed another approach in [CDVW12] that relies on oblivious transfer as the main cryptographic building block and bypasses the “projective hashing” paradigm. Informally, they first construct a secure protocol for randomized equality computation assuming an authenticated channel, and then apply the generic Split Authentication transformation of Barak et al. [BCL11] to obtain a protocol that realizes the “split” version of that functionality. Split functionalities adapt functionalities which assume authenticated channels to an unauthenticated-channel setting. We note that by following this second approach, we could construct an everlastingly UC-secure PAKE protocol using signature cards as the trusted setup assumption. We do not follow this idea, but we briefly describe how it would work. First, we apply the framework of [CDVW12] using Unruh’s oblivious transfer construction [Unr13] with the signature card assumption. Then, it is not hard to see that by using a quantum-secure signature scheme, the security proof of the Split Authentication transformation carries over to the quantum setting.
Although we are not aware of any quantum PAKE protocol, Damgård et al. proposed in [DFSS07] two password-based identification protocols in the bounded quantum storage model: QID, which is only secure against dishonest Alice or Bob, and QID, which is also secure against man-in-the-middle attacks. However, only QID is truly password-based; in QID, Alice and Bob, in addition to the password, also need to share a high-entropy key. On the negative side, no quantum computing power at all is necessary to break the scheme, only sufficient quantum storage, because the dishonest party could store all the communicated qubits as they are, and measure them one by one in either the computational or the Hadamard basis and completely break the scheme. Subsequent works improve QID schemes and prove their security based on various uncertainty relations [BFGGS12], or in a different security model, e.g., computational security by using the Commit-and-Open technique [DFL09].
1.0.2 Our Contributions.
Our main contribution consists in constructing a quantum PAKE protocol achieving a security notion close to everlasting UC-security (and thus providing a password-authenticated variant of QKD). Towards this goal, we give several flavors of results:

We first study and understand which security results are impossible and which ones might be achievable for quantum-polynomial-time PAKE protocols within different settings. We partially answer the question for protocols considered in the Universal Composability (UC) framework introduced by [Can01], be they statistically or everlastingly secure. We employ the notion of reduction between protocols and show that PAKE is non-trivial by a reduction to oblivious transfer protocols. The impossibilities then follow from general results proven by Unruh for everlastingly secure multiparty computation [Unr13]. These results are given in Section 3.

Second, we present a new framework for the simulation-based model that extends the classical framework to the quantum setting, and a definition of everlasting security in that model. Our model is simple and expressive, and at the same time enjoys the general sequential composition theorem. Unlike the model proposed by [FS09], ours employs a single security definition, instead of separate definitions for correctness and for the security of each party. Thus, it seems easier to deal with: one can analyze protocols and prove their security by formally defining simulation strategies. These results are given in Section 4.

Finally, we show that our protocol is indeed everlastingly secure in this model. Our construction is inspired by the Commit-and-Open technique introduced in [DFL09]. Our work extends and improves on this result by showing that a stronger security notion (namely everlasting security in the simulation-based model) can be achieved. Lying at the core of our proof is a simulation strategy that allows the simulator to change the output of the simulated adversary. In the UC model (as opposed to the simulation-based model), the environment machine, which is an interactive distinguisher, externally interacts with the adversary throughout the execution. One very important consequence of this definition is that the simulator no longer has control over the output of the simulated adversary. In fact, the adversary is completely controlled by the environment. This is because the UC framework models the fact that the real-world adversary may have additional information from the environment, e.g., from other running instances of the protocol, or from other concurrently running protocols. On the other hand, in the simulation-based model, the adversary is internally simulated by the simulator. The simulated adversary outputs nothing, and the simulator is in charge of its output: it can apply any arbitrary function to the prescribed input of the adversary. This is safe in the simulation-based model, because the adversary is “detached” from the environment. By exploiting this major difference, we show that our protocol is provably secure in the simulation-based model. These results are given in Section 5.
2 Preliminaries
2.1 Notations
For a set and a bit string , we write . It is sometimes convenient that all substrings of this form have the same length, irrespective of the actual size of the index set . Therefore, is implicitly padded with sufficiently many zeros. For , denote the closed integer interval , and denote the open real interval . The logarithms in this paper are with respect to base 2 and denoted by . We write for the binary entropy function . The notation denotes any function such that , and denotes any function such that for some . Let be the Hamming distance, and let denote the relative Hamming distance between two strings, i.e., the Hamming distance normalized by their length.
2.2 Quantum Computation
In this section, we give a very brief introduction to the quantum notions used in this paper, and refer to [Ren05, NC11] for further explanations.
2.2.1 Systems and States.
For any positive integer , stands for the complex Hilbert space of dimension . Sometimes, we omit the dimension and simply write . The state of a quantum-mechanical system in is described by a density operator . A density operator is normalized with respect to the trace norm (), Hermitian () and has no negative eigenvalues. denotes the set of all density operators for a system . denotes the identity matrix. When it is normalized with the dimension, denoted by , it represents the fully mixed state.
A generalized measurement on a system is a set of linear operators such that . The probability of observing outcome is , and the state of the system after the measurement, conditioned on the outcome , is . A quantum state is called pure if it is of the form for a (normalized) vector . For a density matrix of a composite quantum system , we write for the state obtained by tracing out system . We sometimes omit the index of the subspace that is traced out if it is clear from the context.
The pair (also written as ) denotes the computational or basis, and the pair (also written as ) denotes the Hadamard or basis, where and . We write for the qubit state in which the string is encoded in the bases .
We often consider cases where a quantum state may depend on some classical random variable . In that case the state is described by the density matrix if and only if . For an observer who has access to the state but not to , the reduced state is determined by the density matrix , whereas the joint state, consisting of the classical register and the quantum register , is described by the density matrix , where we understand to be the computational basis of . Joint states with such classical and quantum parts are called cq-states. We also write for the quantum representation of the classical random variable . This notation extends naturally to quantum states that depend on several classical random variables (i.e., to ccq-states, cccq-states, etc.). Given a cq-state as above, by saying that there exists a random variable such that satisfies some condition, we mean that can be understood as for some ccq-state and that satisfies the required condition. By , we denote the trace distance between two quantum states and . We call two quantum states and trace-indistinguishable, denoted , if there is a negligible function such that for a , .
Definition 1.
Let be a cq-state classical on . The trace distance from uniform of given is defined by
2.2.2 Conditional Independence.
We need to express that a random variable is independent of a quantum state when given a random variable . Independence means that when given , the state gives no additional information on . Another way to understand this is that can be obtained from and by solely processing . Formally, adopting the notion introduced in [DFSS07], this is expressed by requiring that equals , where the latter is defined as
In other words, precisely if for all and . To further illustrate its meaning, notice that if the register is measured and value is obtained, then the state collapses to , so that indeed no further information on can be obtained from the register. This notation naturally extends to
2.2.3 (Conditional) Smooth Entropies.
We briefly introduce the notions of min- and max-entropy. For a bipartite cq-state , we define
where the optimization goes over all generalized measurements on .
Definition 2.
Let be a bipartite density operator. The min-entropy and max-entropy of conditioned on are defined as
where is any pure state with .
Definition 3.
Let be a bipartite density operator and let . The smooth min- and max-entropy of conditioned on are defined as
where the supremum ranges over all density operators which are close to .
We sometimes omit the subscript if the state is clear from the context.
2.2.4 Privacy Amplification.
Recall that a class of hash functions from to is called two-universal if, for any and for uniformly chosen from , the collision probability is upper bounded by . We recall the quantum privacy amplification theorem of [RK05] as formulated in [Ren05, Corollary 5.6.1].
Theorem 2.1.
Let be a cq-state classical on , let be a family of two-universal hash functions from to , and let . Then,
for defined by .
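As an added worked example (not from the paper), the following Python code makes two-universality and privacy amplification concrete for classical side information: it verifies the collision bound of the linear GF(2) hash family exactly by enumeration, and computes the exact distance from uniform of the hashed key given the adversary's side information and the hash, comparing it with the bound ½·2^(-(H_min(X|E)-m)/2). The toy sizes (a 4-bit string, an adversary who knows a 2-bit prefix) are constructed; Theorem 2.1 covers quantum side information, which this classical computation does not model.

```python
from fractions import Fraction
from itertools import product
import math


def gf2_hash(matrix, x):
    """h_M(x) = M*x over GF(2). `matrix` is a tuple of m row masks, x an n-bit integer."""
    out = 0
    for row in matrix:
        out = (out << 1) | (bin(row & x).count("1") & 1)  # inner product mod 2
    return out


def hash_family(n, m):
    """All m x n binary matrices: a two-universal family from {0,1}^n to {0,1}^m."""
    return list(product(range(1 << n), repeat=m))


def max_collision_probability(n, m):
    """Exact max over x != y of Pr_M[h_M(x) = h_M(y)]; two-universality requires <= 2^-m."""
    family = hash_family(n, m)
    worst = Fraction(0)
    for x in range(1 << n):
        for y in range(x + 1, 1 << n):
            collisions = sum(1 for M in family if gf2_hash(M, x) == gf2_hash(M, y))
            worst = max(worst, Fraction(collisions, len(family)))
    return worst


def prefix_leak(k):
    """Side information E = the first k bits of X (constructed adversary knowledge)."""
    return lambda x, n: x >> (n - k)


def conditional_min_entropy(n, leak):
    """H_min(X|E) for uniform X on n bits and classical E = leak(X):
    H_min(X|E) = -log2 sum_e max_x Pr[X = x, E = e]; here every x has Pr 2^-n."""
    best_guess = {leak(x, n): Fraction(1, 1 << n) for x in range(1 << n)}
    return -math.log2(float(sum(best_guess.values())))


def distance_from_uniform(n, m, leak):
    """Exact d(K | E, H) = 1/2 sum_{k,e,M} |Pr[K=k,E=e,H=M] - 2^-m Pr[E=e,H=M]|,
    where K = h_M(X), X uniform on n bits, M uniform in the family, E = leak(X)."""
    family = hash_family(n, m)
    p_x, p_M, u = Fraction(1, 1 << n), Fraction(1, len(family)), Fraction(1, 1 << m)
    total = Fraction(0)
    for M in family:
        joint = {}  # (e, k) -> Pr[E=e, K=k | H=M]
        marg = {}   # e -> Pr[E=e]
        for x in range(1 << n):
            e, k = leak(x, n), gf2_hash(M, x)
            joint[(e, k)] = joint.get((e, k), Fraction(0)) + p_x
            marg[e] = marg.get(e, Fraction(0)) + p_x
        for e, p_e in marg.items():
            for k in range(1 << m):
                total += p_M * abs(joint.get((e, k), Fraction(0)) - u * p_e) / 2
    return total


def leftover_hash_bound(hmin, m):
    """Privacy-amplification bound for classical E: 1/2 * 2^(-(H_min(X|E) - m) / 2)."""
    return 0.5 * 2 ** (-(hmin - m) / 2)


if __name__ == "__main__":
    n, k = 4, 2  # constructed: 4-bit raw key, adversary knows the 2-bit prefix
    print("max collision probability (n=4, m=2):", max_collision_probability(4, 2))
    hmin = conditional_min_entropy(n, prefix_leak(k))
    for m in (1, 2):
        d = distance_from_uniform(n, m, prefix_leak(k))
        print(f"m={m}: H_min(X|E)={hmin}, d(K|E,H)={d} <= {leftover_hash_bound(hmin, m):.4f}")
```

Extracting one bit from two bits of min-entropy leaves a distance of 1/8 against a bound of about 0.354; extracting two bits leaves 21/64 against the (now nearly vacuous) bound 1/2, which is the trade-off the theorem's term quantifies.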
2.2.5 Private Error Correction.
Finally, we recall the private error correction technique introduced in [DS05] and generalized to the quantum setting in [FS08]. This tool makes it possible to correct a constant fraction of errors by using a family of efficiently decodable linear codes, where the syndrome of a string is close to uniform if the string has enough min-entropy and the code is chosen at random from the family. Specifically, they show that for every , there exists a biased (as defined in [DS05]) family of codes with .
The following theorem, which is a variant of Theorem 3.2 in [FS08], establishes the closeness of the syndrome of a string to random, given a random index and any qubit state that may depend on .
Theorem 2.2.
Let the density matrix be a cq-state classical on with . For any constant , let be a biased family of random variables over having square bias , and let be uniformly and independently distributed over . Then
Proof.
The original theorem in [FS08] states for . By Jensen’s inequality on Rényi entropies and by smoothing, our theorem follows immediately. ∎
2.3 Security Models
We provide a brief overview of security models for multiparty computation (MPC), in which players interact in order to securely compute a given function of their inputs. Formally, consider players , each owning an input , and a classical input function . The goal is to compute such that each player learns , and cheating players cannot change the outcome of the computation (other than by choosing a different input) and do not learn more about the inputs (and possibly the outputs) of honest players than what can be derived from their own input and the output of the function evaluation.
2.3.1 The Simulation-based Paradigm.
The first step towards such a security definition is the simulation paradigm. Instead of introducing a different notion for each security property, we consider, for each protocol, the “ideal behavior” it should have. Intuitively, we introduce the notion of an “ideal world” where there is a trusted party who collects the inputs from all players, computes the output and distributes the output to the players. A real protocol is compared to an ideal protocol, and the real protocol is said to be at least as secure as the ideal protocol if the two have indistinguishable input/output behavior. The level of security reached thus also depends on the specification of the ideal protocol. The formal description of the simulation-based model in the quantum setting is given in Section 4.
2.3.2 Universal Composability.
However, as has been pointed out in the literature, this simulation ability does not play well with composition. The simulation-based paradigm only achieves Sequential Composition, i.e., a protocol that is secure under sequential composition maintains its security when run multiple times, as long as the executions are run sequentially (meaning that each execution concludes before the next begins). In the case of Concurrent Composition, in which many instances of the same protocol with correlated inputs are run concurrently, problems may occur. For example, the messages from one protocol could be fed into another, or a message from one subprotocol of a larger application could be fed into another subprotocol and the overall application becomes insecure. In order to solve this inherent problem, the so-called UC (for Universal Composability) framework was introduced. We refer the reader to [Can01] for more details on the classical version and to [Unr10] on the quantum version.
Ideal World and Real World.
We define in the ideal world an entity that one can never corrupt, called the ideal functionality and usually denoted as . The players privately send their inputs to this entity, and receive their corresponding output the same way. There is no communication between the different players. is assumed to behave in a perfectly correct way, without revealing information other than required, and without being possibly corrupted by an adversary. Once is defined, the goal of a protocol , executed in a real world in the presence of an adversary, is then to create a situation equivalent to that obtained with .
Protocol, Adversary, and Environment.
Apart from the protocol participants, which are specified by the protocol, there are two more machines taking part in the protocol execution. The adversary (or in the ideal model) is the machine coordinating all corrupted participants, analogous to the simulation-based model. The environment machine , playing the role of the distinguisher, models “everything that is outside the protocol being executed”. It chooses the inputs, sees the outputs, and may communicate with the adversary at any time. The adversary has access to the communication between players, but not to the inputs and outputs of the honest players (it completely controls the dishonest or corrupted players). On the contrary, the environment has access to the inputs and outputs of all players, but not to their communication, nor to the inputs and outputs of the subroutines they may invoke.
A protocol securely realizes a functionality if for every real-world adversary there exists an ideal-world adversary , called the simulator, such that no environment can distinguish with non-negligible advantage whether it is witnessing the real-world execution with adversary or the ideal-world execution with simulator . Depending on the assumed computing power of the adversary and the environment, we distinguish between computational security, where they are all considered to be polynomially bounded machines, and statistical security, where they are assumed to be computationally unbounded. Furthermore, in [Unr13], the author introduces the notion of everlasting security, where the adversary is considered to be a polynomial-time machine but the environment is assumed to have unbounded computational power.
In addition, the notion of “hybrid models” is also introduced to model the concept of setup assumptions. A protocol is said to be realized “in the hybrid model” if can invoke the ideal functionality as a subroutine multiple times. We note that the environment can never interact directly with , and thus, is usually never invoked at all in the ideal world, and the implementation of is simulated solely by the ideal adversary . The model with no trusted setup is called plain.
Ideal Functionalities.
We denote the common reference string functionality, the oblivious transfer functionality, the bit commitment functionality. The definitions of these functionalities are given in Appendix 0.B.
2.4 Cryptographic Primitives
2.4.1 Dual-mode Commitment.
We give here informal security definitions for commitment schemes, and refer the reader to [Gol01] for a formal definition. A commitment scheme is defined by three algorithms:

, where is the security parameter, generates the global parameters param of the scheme (which includes the commitment key), implicitly given as input to the other algorithms;

produces a commitment on the input message from a message space , using the random coins from a randomizer space , and also outputs the opening information ;

verifies the commitment of the message using the opening information ; it outputs the message , or if the opening check fails.
To be useful in practice, a commitment scheme should satisfy two basic security properties. The first one is hiding, which informally guarantees that no information about is leaked through the commitment . The second one is binding, which guarantees that the committer cannot generate a commitment that can be successfully opened to two different messages. A commitment can be either perfectly hiding (in which case it is perfectly secure from the committer’s point of view) or perfectly binding (in which case it is perfectly secure from the receiver’s point of view). Interestingly, it is proven that information-theoretically secure commitment protocols (which are both perfectly hiding and perfectly binding) cannot exist classically, nor even when quantum mechanics may be used [LC97, May97].
Our construction uses a non-interactive commitment scheme with some special properties. This scheme, with a quantum-safe construction based on lattice assumptions, is used in the Commit-and-Open technique introduced in [DFL09]. First, we want a commitment scheme with two different flavors of keys, where the commitment key is generated by one of two possible key-generation algorithms: or . For a key generated by , the commitment scheme is perfectly hiding, in which case the commitment reveals no information about the message. Alternatively, a commitment key generated by is perfectly binding, in which case a valid commitment uniquely defines one possible message. Both key-generation algorithms are probabilistic polynomial-time. They output a commitment key together with some trapdoor information that allows us either to open a commitment to any message (if the commitment key is perfectly hiding, i.e., generated by ) or to efficiently extract the committed value (if the commitment key is perfectly binding, i.e., generated by ). Furthermore, we require that keys generated by and be computationally indistinguishable, even against quantum adversaries.
The formal definition of dualmode commitment scheme is given in Appendix 0.A. For simplicity and efficiency, we consider the common reference string model, and we assume the commitment key to be contained in the CRS.
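To make the two key modes and their trapdoors concrete, here is an added toy illustration in Python that is not from the paper and is not the lattice-based scheme of [DFL09]: it uses a DDH-based (Groth-Sahai style) dual-mode commitment in a tiny prime-order subgroup, which is classical and not quantum-safe, chosen only because both modes share one Commit algorithm and differ solely in how the key is generated. The group parameters are constructed and far too small for any real use.

```python
import secrets

# Constructed toy group: p = 2q+1 with p, q prime; G = 4 generates the order-q
# subgroup of quadratic residues mod p. Far too small for real use.
P, Q, G = 1019, 509, 4


def rand_exp():
    """Uniform non-zero exponent in Z_q."""
    return secrets.randbelow(Q - 1) + 1


def commit(key, m, r):
    """Com_key(m; r) = (g^r * u^m, h^r * v^m). The same algorithm serves both key modes."""
    g, h, u, v = key
    return (pow(g, r, P) * pow(u, m, P) % P, pow(h, r, P) * pow(v, m, P) % P)


def open_commitment(key, c, m, r):
    """Accept iff c is a valid commitment to m with opening information r."""
    return commit(key, m, r) == c


def keygen_hiding():
    """Hiding-mode key: (g, h, u, v) with (u, v) = (g^a, h^a), a DDH tuple.
    Then Com(m; r) = (g^(r+am), h^(r+am)) depends only on r + a*m, so it is
    perfectly hiding; the trapdoor a allows equivocation."""
    t, a = rand_exp(), rand_exp()
    h = pow(G, t, P)
    return (G, h, pow(G, a, P), pow(h, a, P)), a


def keygen_binding():
    """Binding-mode key: u = g^a, v = h^b with a != b, a non-DDH tuple.
    The pair (r + a*m, r + b*m) mod q determines m uniquely, so it is perfectly
    binding; the trapdoor (t, a, b) allows extraction. Telling the two key
    distributions apart is exactly the DDH problem in the subgroup."""
    t, a, b = rand_exp(), rand_exp(), rand_exp()
    while b == a:
        b = rand_exp()
    h = pow(G, t, P)
    return (G, h, pow(G, a, P), pow(h, b, P)), (t, a, b)


def equivocate(trapdoor_a, m, r, m_new):
    """Hiding mode: find r' with r' + a*m_new = r + a*m, so c opens to m_new as well."""
    return (r + trapdoor_a * (m - m_new)) % Q


def extract(trapdoor, c):
    """Binding mode: c2 / c1^t = g^(t(b-a)m) = w^m with w of order q, so m is
    unique; the toy group is small enough to recover it by scanning Z_q."""
    t, a, b = trapdoor
    c1, c2 = c
    w = pow(G, (t * (b - a)) % Q, P)
    base = pow(c1, t, P)
    for m in range(Q):
        if base * pow(w, m, P) % P == c2:
            return m
    return None


def find_opening(key, c, m):
    """Brute-force search (toy group only) for an r opening c to m; None if none exists.
    With a binding-mode key this is None for every m except the committed one."""
    for r in range(Q):
        if commit(key, m, r) == c:
            return r
    return None


if __name__ == "__main__":
    key_h, a = keygen_hiding()
    r = rand_exp()
    c = commit(key_h, 5, r)
    r2 = equivocate(a, 5, r, 77)
    print("hiding mode: c opens to 5 and to 77:", open_commitment(key_h, c, 5, r),
          open_commitment(key_h, c, 77, r2))
    key_b, td = keygen_binding()
    c = commit(key_b, 123, r)
    print("binding mode: extracted", extract(td, c), "; opening to 124 exists:",
          find_opening(key_b, c, 124) is not None)
```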
3 On the Feasibility of Securely Realizing PAKE
In this section, we show negative results on the achievable security of Password-based Key Exchange protocols when they are allowed to use quantum communication. We recall an important property of a PAKE protocol: it guarantees that if the same password was entered, the generated session key is the same for both parties, but they might not know at the end of the protocol whether this is so. This property is known as implicit authentication, as opposed to explicit authentication, in which the parties know whether they share the same session key at the end of the protocol. (In both cases, the protocol should guarantee that if the passwords were different, the session keys are independent and random.) In the former case, at the end of the protocol, the two parties may have a common high-entropy cryptographic key (if the session succeeded) or random and independent keys (if the session failed).
3.1 Simulation-based Secure PAKE
Theorem 3.1.
There is no statistically simulation-based secure PAKE protocol with explicit authentication in the plain model.
To prove this theorem, we employ a general result showing that, for the class of deterministic two-sided functionalities, security for one party implies complete insecurity for the other in the simulation-based model.
Lemma 1 ([BCS12, Theorem 2]).
If a protocol for the evaluation of is correct and secure against Bob, then there is a cheating strategy for Alice (where she uses input and Bob has input ) which gives her distributed according to some distribution such that for all : .
Proof (Theorem 3.1).
We first show that secure computation of equality of strings (denoted by the EQUALITY function, in which both parties learn the output) is equivalent to a password-based identification (PID) scheme. The reduction from a secure computation of the EQUALITY function to a PID scheme works as follows. Let and be the secret pass-strings of Alice and Bob, respectively. Then, Alice and Bob run the PID protocol on inputs and ; if the authentication succeeds, the output is set to 1, otherwise the output is set to 0. In the other direction, assuming we have a secure computation of the EQUALITY function, a PID scheme can easily be constructed by running the secure computation of EQUALITY on the two pass-strings. Since an explicitly authenticated PAKE implies PID, it follows that explicitly authenticated PAKE protocols can be reduced to an EQUALITY computation.
The proof is completed by Lemma 1. ∎
3.2 Quantum-UC Secure PAKE
Assuming some trusted setup, the following theorem states the impossibility of everlastingly realizing EQUALITY using only passively-realizable functionalities (those that can be securely realized with respect to unbounded passive adversaries), including (described in Figure 5).
Theorem 3.2.
There is no statistically or everlastingly quantum-UC secure protocol that realizes EQUALITY using only passively-realizable functionalities as trusted setup assumptions.
Corollary 1.
There is no statistically or everlastingly quantum-UC secure PAKE protocol with explicit authentication using only passively-realizable functionalities as trusted setup assumptions.
Before proving Theorem 3.2, we recall the impossibility of everlastingly quantum-UC-secure oblivious transfer.
Lemma 2 ([Unr13, Theorem 5]).
There is no statistically or everlastingly quantum-UC secure OT protocol using only passively-realizable functionalities as trusted setup assumptions.
We use the notion of reductions between MPC functionalities, which allows us to form “classes” of functionalities with similar cryptographic complexity: a functionality is trivial (we use trivial and feasible interchangeably hereafter) if it can be realized in the UC framework with no setup assumptions, or complete if it is sufficient for computing arbitrary other functions, under appropriate complexity assumptions. We recall the following results, proven in [Unr10, FKS13].
Lemma 3 ([Unr10, FKS13]).
The following statements hold:
1. If a protocol statistically UC-realizes a functionality , then statistically quantum-UC-realizes the functionality .
2. Feasibility in the quantum world is equivalent to classical feasibility, in both the computational and the statistical setting.
To show a reduction from EQUALITY to OT, we employ the following intermediate results.
Definition 4 (OT-cores).
Let be a deterministic two-party function, , be the input alphabets of the two parties, , be the output distributions of the two parties, and be the output values of the two parties. A quadruple is an OT-core of if the following three conditions are met:
1. We have that .
2. We have that .
3. We have that or (or both).
In [KMQ11] the so-called Classification Theorem was proven, which gives a necessary and sufficient condition for the existence of a reduction protocol from an ideal functionality to .
Theorem 3.3 (The Classification Theorem [KMQ11]).
There exists an OT protocol that is statistically secure against passive adversaries in the hybrid model, for some , if and only if has an OT-core.
Proof of Theorem 3.2.
Because the reduction protocol of Theorem 3.3 is statistically secure in the classical setting, the statement carries over to the quantum-UC setting by Lemma 3.
Consider the EQUALITY function ; without loss of generality, assume . Let be a random value drawn from the input distribution; then the quadruple is an OT-core of because:
Theorem 3.3 then tells us that there exists an OT protocol that is statistically secure against quantum-passive adversaries in the EQUALITY-hybrid model.
Assume that there exists a quantum-polynomial-time everlasting quantum-UC EQUALITY protocol which only uses passively-realizable functionalities. Let be the protocol resulting from by replacing invocations of EQUALITY by invocations of the subprotocol . Then is a quantum everlasting OT protocol which only uses quantum-passively-realizable functionalities against quantum-passive adversaries. This contradicts Lemma 2.
The proof of statistical security follows easily from the proof of everlasting security. ∎
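As an added example (not code from the paper), the following Python brute-force search checks the three OT-core conditions of Definition 4, as stated in [KMQ11], over every quadruple of a finite deterministic two-party function, and so reproduces the step in the proof of Theorem 3.2 that exhibits an OT-core for EQUALITY. It goes slightly beyond the text by also showing that the search depends on the alphabet size (1-bit EQUALITY has no OT-core) and by contrasting XOR (none) with AND (one). The names f_a, f_b, find_ot_core and the alphabets are my own constructions.

```python
from itertools import product
from typing import Callable, Hashable, Iterable, Optional, Tuple

# f = (f_a, f_b): Alice's and Bob's output on inputs (x, y).
Fn = Callable[[Hashable, Hashable], Hashable]


def is_ot_core(f_a: Fn, f_b: Fn, x, xp, y, yp) -> bool:
    """Definition 4 (conditions as stated in [KMQ11]): Alice holding x cannot
    tell y from y', Bob holding y cannot tell x from x', yet the remaining
    corner of the 2x2 minor still reveals a difference to one of them."""
    alice_blind = f_a(x, y) == f_a(x, yp)                                   # condition 1
    bob_blind = f_b(x, y) == f_b(xp, y)                                     # condition 2
    corner_differs = f_a(xp, y) != f_a(xp, yp) or f_b(x, yp) != f_b(xp, yp) # condition 3
    return alice_blind and bob_blind and corner_differs


def find_ot_core(f_a: Fn, f_b: Fn, xs: Iterable, ys: Iterable) -> Optional[Tuple]:
    """Exhaustive search over X x X x Y x Y; returns the first OT-core or None.
    By the Classification Theorem (Theorem 3.3), a non-None result is exactly
    what makes OT reducible to f against passive adversaries."""
    xs, ys = list(xs), list(ys)
    for x, xp, y, yp in product(xs, xs, ys, ys):
        if is_ot_core(f_a, f_b, x, xp, y, yp):
            return (x, xp, y, yp)
    return None


def equality(n: int):
    """EQUALITY over the constructed alphabet {0, ..., n-1}; both parties learn [x == y]."""
    eq = lambda x, y: int(x == y)
    return eq, eq, range(n), range(n)


def xor_function():
    """Two-sided XOR over bits: trivial (feasible), so no OT-core is expected."""
    fx = lambda x, y: x ^ y
    return fx, fx, (0, 1), (0, 1)


def and_function():
    """Two-sided AND over bits: has an OT-core, matching the known completeness of AND."""
    fa = lambda x, y: x & y
    return fa, fa, (0, 1), (0, 1)


if __name__ == "__main__":
    for name, spec in [("EQUALITY n=2", equality(2)), ("EQUALITY n=3", equality(3)),
                       ("XOR", xor_function()), ("AND", and_function())]:
        print(name, "OT-core:", find_ot_core(*spec))
```

For EQUALITY over three symbols the search returns (0, 1, 2, 1): Alice with 0 sees output 0 on both 2 and 1, Bob with 2 sees 0 on both 0 and 1, yet Alice with 1 distinguishes 2 from 1.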
Avoiding Impossibility Results.
In summary, we have shown that unconditionally or everlastingly secure PAKE with explicit authentication is impossible in the simulation-based model with no trusted setup, and only possible in the UC model given very strong trusted setup assumptions such as signature cards ([Unr13] proves that the signature-card assumption is complete for everlastingly secure two-party computation). However, the door to secure quantum protocols for PAKE is not completely closed: we avoid these impossibilities by constructing a quantum PAKE protocol with only implicit authentication, in the simulation-based model given a CRS as trusted setup.
4 Definition of Security
4.1 Description of the Simulation-based Model
Our definition is based on the real-world/ideal-world simulation paradigm, which has been used extensively in both the classical setting [Can00] and the quantum setting [FS09, DFL09]. In particular, we follow the framework put forward in [FS09]. This framework models classical functionalities, which have classical inputs and outputs, and provides a composition theorem. However, the composability of protocols proven secure in this model admits only sequential composition: it requires that at any point only one protocol invocation be in progress. This is weaker than the notion of universal composability, where many instances and subroutines may be executed concurrently. A main feature of our model is that it is formally sound, simple and expressive, and benefits from a simpler security definition tailored to various assumptions on the adversary’s computational power. In addition, it still enjoys the sequential composition theorem because of its equivalence with the model of [FS09].
Since we are interested in two-party quantum computations, we formalize the real and ideal models executing the task with two parties and a static adversary who controls an arbitrary but fixed corrupted party. We only consider either the setting where one of the parties is corrupted, or the setting where neither party is corrupted, in which case the adversary seeing the transcript between the parties should learn nothing.
Execution in the ideal model.
Denote the participating parties by and and let denote the index of the corrupted party, controlled by an adversary . An ideal execution for an ideal functionality proceeds as follows:

We fix an arbitrary distribution for ’s input, for ’s input. For honest and , we assume the common input state to be classical, i.e. of the form for some probability distribution . The adversary also has an auxiliary classical input denoted by as well as a quantum state which only depends on , such that for any honest player’s input and his classical “side information” : . All parties are initialized with the same value on their security parameter tape (including the trusted party).
The honest party sends its prescribed input to the trusted party. The corrupted party controlled by may either abort (by replacing the input with a special message), send its prescribed input, or send some other input of the same length to the trusted party by applying some completely positive trace-preserving (CPTP) map. This decision is made by and may depend on its auxiliary input and the input value of . Denote the common input state sent to the trusted party by . Upon receipt of the parties’ inputs, the trusted party measures them in the computational basis.

If the trusted party receives an input of the form for some , it sends to the honest party and the ideal execution terminates. Otherwise, the execution proceeds to the next step.

At this point the trusted party computes , lets and , and sends to party (i.e., it sends the corrupted party its output).

sends either continue or to the trusted party. If it sends continue, the trusted party sends to the honest party . Otherwise, if sends , the trusted party sends to party .

The honest party always outputs the value it obtained from the trusted party. The corrupted party outputs nothing. The adversary outputs an arbitrary CPTP map applied to the prescribed input of the corrupted party, the auxiliary classical input , and the value obtained from the trusted party.
The , denoted by , is defined as the overall output state (augmented with honest inputs) of the honest party and the adversary from the above ideal execution.
Execution in the real model.
We next consider the real model, in which a real two-party quantum protocol is executed with no trusted party. In this case, the adversary sends all messages in place of the corrupted party and may follow an arbitrary strategy. In contrast, the honest party follows the instructions of . We consider a simple network setting where the protocol proceeds in rounds, and in each round one party sends a message to the other party.
Let be as above and let be a two-party quantum protocol for computing . When and are both honest, we fix an arbitrary joint probability distribution for the inputs and , resulting in a common output state with a well-defined joint probability distribution , where is the adversary’s quantum system. For an honest and a dishonest who takes as input a classical and a quantum state and outputs (the same) and a quantum state , the resulting overall output state (augmented with the honest party’s input and ) is .
The , denoted by , is defined as the overall output state of the honest party and the adversary from the real execution of .
Definition 5.
A two-party quantum protocol is said to statistically securely emulate an ideal classical functionality with abort in the presence of static malicious adversaries if for every (possibly unbounded) adversary for the real model, there exists a (possibly unbounded) adversary (called the simulator) for the ideal model, such that
where and .
We also give here an adapted definition of everlasting security in the simulation-based paradigm. The executions in the ideal model and the real model stay the same as for unconditional security, but we require that both the real-world adversary and the ideal-world adversary be computationally bounded.
Definition 6.
A two-party quantum protocol is said to everlastingly securely emulate an ideal classical functionality with abort in the presence of static malicious adversaries if for every quantum-polynomial-time adversary for the real model, there exists a quantum-polynomial-time adversary (called the simulator) for the ideal model, such that
where and .
4.2 PAKE Ideal Functionality
Our definition of the password-based key-exchange functionality (Fig. 1) is identical to the description in [CHK05]. A natural property of PAKE is that, due to the low entropy of passwords, PAKE protocols are subject to dictionary attacks: the adversary can break the security of the scheme by trying all values for the password in the small set of possible values (i.e., the dictionary). These attacks can be quite damaging, since the attacker has a non-negligible probability of succeeding. To address this problem, one should invalidate or block the use of a password whenever a certain number of failed attempts has occurred. However, this is only effective against online dictionary attacks, in which the adversary must be present and interact with the system in order to verify whether its guess is correct. Thus, the goal of a PAKE protocol is to restrict the adversary to online dictionary attacks only. In other words, offline dictionary attacks, in which the adversary verifies whether a password guess is correct without interacting with the system, should not be possible in a PAKE protocol. We refer the reader to [CHK05] for a motivating discussion of the particular choices made in this formulation of the functionality. In particular, this formulation captures PAKE protocols with implicit authentication.
4.3 Split Authentication: From Passively Unconditional Security to Actively Everlasting Security
A common approach in designing multi-party quantum cryptography protocols is to treat the classical authenticated communication aspect of the problem as extraneous to the actual protocol design. That is, the adversary is assumed to be unable to send classical messages in the name of uncorrupted parties, or to modify classical messages that the uncorrupted parties send to each other. This means that authentication must be provided by some mechanism external to the protocol itself, whereas our end goal, of course, is to implement PAKE without any classical authenticated channel. Thus, our approach is to follow the Split Authentication transformation of [BCL11]: we consider a completely unauthenticated setting, where all classical messages sent by the parties may be tampered with and modified by the adversary without the uncorrupted parties being able to detect this. Nevertheless, all the adversary can do is partition the network into disjoint sets, where the computation in each set is secure in itself and independent of the computation in the other sets. In this model, it is not possible to achieve the same level of security as in the authenticated-channel setting.
We first consider the security of a two-party quantum protocol in the presence of (possibly unbounded) classically specious adversaries (defined below), and our second step is to transform these protocols, using the Split Authentication transformation, into ones that do not assume authenticated channels, in the presence of quantum-polynomial-time malicious adversaries. “Specious” here means that at every step, no audit can distinguish the behavior of the adversary from the honest one. Intuitively, in the case where both parties are honest, the split authentication mechanism does not change anything on the quantum part of the adversary. However, it changes the adversary in the sense that it cannot carry out active attacks on the classical channel without being caught. When we consider quantum-polynomial-time adversaries, the classical part of the adversary thus becomes passive, but the quantum part remains malicious. In the case where one of the parties is corrupted, the adversary can always legitimately generate classical messages using its own secret key, and thus it is identical to the malicious one.
Definition 7 (Classically-Specious adversaries).
An adversary is called classically-specious if the following holds:
1. If one of the parties is corrupted, may arbitrarily deviate from the protocol specification, i.e. it is identical to a malicious adversary.
2. If neither party is corrupted, ’s classical output is (computationally) close to the classical output of the honest parties.
Theorem 4.1.
Assume that the signature scheme used in the compiler (Fig. 2) is existentially unforgeable under adaptive chosen-message attacks. Let be a two-party quantum protocol, unconditionally (resp. everlastingly) secure against unbounded (resp. quantum-polynomial-time) classically-specious adversaries. Then the compiled protocol , resulting from applying the Split Authentication transformation, is everlastingly secure against quantum-polynomial-time malicious adversaries, according to Definition 6, in the plain model.
The formal proof of this theorem is provided in Appendix 0.C.
5 Our Protocol
A High-Level Description.
The protocol starts with a preparation phase, where the client samples random binary strings and , and sends the quantum state encoding using basis . Next, a parameter estimation phase is done by means of a perfectly hiding commitment scheme. (For our security proof, we need to use a dual-mode commitment scheme instead.) The main difference between our PAKE protocol and QKD is that we also need to consider the cases where one of the parties is corrupted. This is in contrast to QKD, where the security proof only considers a malicious adversary with access to the communication channels, and both parties are always honest. Indeed, two-party quantum protocols can easily be broken by the adversary purification attack: the dishonest party can purify his actions at the expense of additional quantum memory, delay the measurements until the other party reveals her chosen basis at a later stage, and so learn more information than he was supposed to. The basic technique we use to enforce honest behavior is the Commit-and-Open compiler formally introduced in [DFL09], applied to both parties. This forces both parties to measure, by asking them to commit to all the basis choices and measurement results and to open some of them later. After the commit-and-open phase, we embed the (encoded) password into the sifting step, which can be seen as a one-time-pad encryption of the password. We show that the session keys of both parties at the end are random and independent for any pair of different passwords.
Finally, as in QKD, we perform error correction and privacy amplification. A further problem lies in the error correction step: to correct the errors caused by either the adversary or the imperfection of the quantum channel, one party may send a syndrome of the generated secret key to allow the other party to recover the same key from its noisy version. However, the syndrome may give extra information to a dishonest party. To circumvent this problem, we employ the biased linear binary codes introduced in [DS05], which have the additional property that the syndrome of a string with high min-entropy is close to uniform.
5.0.1 Notations and Building Blocks.
Let denote the security parameter and let and some . Assume that both parties share some password . Let be the encoding function of a binary code of length with codewords and minimal distance . is chosen such that is linear in or larger, and is linear in , i.e. , for some constant (see [DFSS07]). Let be a strongly two-universal class of hash functions from to for some parameter .
Let be the family of syndrome functions corresponding to a biased family of linear error-correcting codes of size , where , for some constant . A random allows one to efficiently correct a fraction of errors for some constant , and for a random , the syndrome of a string with bits of min-entropy is close to uniform.
We fix the following notation for dual-mode proof commitment schemes: if is a dual-mode proof commitment scheme, we denote by an execution of the commit phase on a message (with some randomness). We assume that the opening phase consists of the sender sending (and some randomness used in the commit phase) and the receiver verifying the opening via a deterministic function .