Practical Unconditionally Secure Two-channel Message Authentication

We investigate unconditional security for message authentication protocols that are designed using two-channel cryptography. We look at both noninteractive message authentication protocols (NIMAPs) and interactive message authentication protocols (IMAPs). We provide a new proof of nonexistence of nontrivial unconditionally secure NIMAPs. This proof consists of a combinatorial counting argument and is much shorter than the previous proof by Wang et al., which was based on probability distribution arguments. Further, we propose a generalization of an unconditionally secure 3-round IMAP due to Naor, Segev and Smith. With a careful choice of parameters, our scheme improves that of Naor et al. Our scheme is very close to optimal for most parameter situations of practical interest.

Using quantum key distribution for cryptographic purposes: a survey

The appealing feature of quantum key distribution (QKD), from a cryptographic viewpoint, is the ability to prove the information-theoretic security (ITS) of the established keys. As a key establishment primitive, QKD however does not provide a standalone security service in its own: the secret keys established by QKD are in general then used by a subsequent cryptographic applications for which the requirements, the context of use and the security properties can vary. It is therefore important, in the perspective of integrating QKD in security infrastructures, to analyze how QKD can be combined with other cryptographic primitives. The purpose of this survey article, which is mostly centered on European research results, is to contribute to such an analysis. We first review and compare the properties of the existing key establishment techniques, QKD being one of them. We then study more specifically two generic scenarios related to the practical use of QKD in cryptographic infrastructures: 1) using QKD as a key renewal technique for a symmetric cipher over a point-to-point link; 2) using QKD in a network containing many users with the objective of offering any-to-any key establishment service. We discuss the constraints as well as the potential interest of using QKD in these contexts. We finally give an overview of challenges relative to the development of QKD technology that also constitute potential avenues for cryptographic research.Comment: Revised version of the SECOQC White Paper. Published in the special issue on QKD of TCS, Theoretical Computer Science (2014), pp. 62-8

Quantum cryptography: a practical information security perspective

Quantum Key Exchange (QKE, also known as Quantum Key Distribution or QKD) allows communicating parties to securely establish cryptographic keys. It is a well-established fact that all QKE protocols require that the parties have access to an authentic channel. Without this authenticated link, QKE is vulnerable to man-in-the-middle attacks. Overlooking this fact results in exaggerated claims and/or false expectations about the potential impact of QKE. In this paper we present a systematic comparison of QKE with traditional key establishment protocols in realistic secure communication systems.Comment: 5 pages, new title, published version, minor changes onl

A Novel Protocol-Authentication Algorithm Ruling Out a Man-in-the-Middle Attack in Quantum Cryptography

In this work we review the security vulnerability of Quantum Cryptography with respect to "man-in-the-middle attacks" and the standard authentication methods applied to counteract these attacks. We further propose a modified authentication algorithm which features higher efficiency with respect to consumption of mutual secret bits.Comment: 4 pages, submitted to the International Journal of Quantum Information, Proceedings of the meeting "Foundations of Quantum Information", Camerino, April 200

The Case for Quantum Key Distribution

Quantum key distribution (QKD) promises secure key agreement by using quantum mechanical systems. We argue that QKD will be an important part of future cryptographic infrastructures. It can provide long-term confidentiality for encrypted information without reliance on computational assumptions. Although QKD still requires authentication to prevent man-in-the-middle attacks, it can make use of either information-theoretically secure symmetric key authentication or computationally secure public key authentication: even when using public key authentication, we argue that QKD still offers stronger security than classical key agreement.Comment: 12 pages, 1 figure; to appear in proceedings of QuantumComm 2009 Workshop on Quantum and Classical Information Security; version 2 minor content revision

Composability in quantum cryptography

In this article, we review several aspects of composability in the context of quantum cryptography. The first part is devoted to key distribution. We discuss the security criteria that a quantum key distribution protocol must fulfill to allow its safe use within a larger security application (e.g., for secure message transmission). To illustrate the practical use of composability, we show how to generate a continuous key stream by sequentially composing rounds of a quantum key distribution protocol. In a second part, we take a more general point of view, which is necessary for the study of cryptographic situations involving, for example, mutually distrustful parties. We explain the universal composability framework and state the composition theorem which guarantees that secure protocols can securely be composed to larger applicationsComment: 18 pages, 2 figure

Quantum identification system

A secure quantum identification system combining a classical identification procedure and quantum key distribution is proposed. Each identification sequence is always used just once and new sequences are ``refuelled'' from a shared provably secret key transferred through the quantum channel. Two identification protocols are devised. The first protocol can be applied when legitimate users have an unjammable public channel at their disposal. The deception probability is derived for the case of a noisy quantum channel. The second protocol employs unconditionally secure authentication of information sent over the public channel, and thus it can be applied even in the case when an adversary is allowed to modify public communications. An experimental realization of a quantum identification system is described.Comment: RevTeX, 4 postscript figures, 9 pages, submitted to Physical Review