Merkle puzzles in a quantum world

Authors:
Gilles Brassard;Peter Høyer;Kassem Kalach;Marc Kaplan;Sophie Laplante;Louis Salvail
Affiliations:
Département d'informatique et de recherche opérationnelle, Université de Montréal, Montréal (QC), Canada;Department of Computer Science, University of Calgary, Calgary, AB, Canada;Département d'informatique et de recherche opérationnelle, Université de Montréal, Montréal (QC), Canada;Département d'informatique et de recherche opérationnelle, Université de Montréal, Montréal (QC), Canada;LRI, Université Paris-Sud, Orsay, France;Département d'informatique et de recherche opérationnelle, Université de Montréal, Montréal (QC), Canada
Venue:
CRYPTO'11 Proceedings of the 31st annual conference on Advances in cryptology
Year:
2011

Citing 9
Cited 2

Strengths and Weaknesses of Quantum Computing

SIAM Journal on Computing
Secure communications over insecure channels

Communications of the ACM
Quantum lower bounds by polynomials

Journal of the ACM (JACM)
Quantum lower bounds for the collision and the element distinctness problems

Journal of the ACM (JACM)
Negative weights make adversaries stronger

Proceedings of the thirty-ninth annual ACM symposium on Theory of computing
Quantum Walk Algorithm for Element Distinctness

SIAM Journal on Computing
Quantum Merkle Puzzles

ICQNM '08 Proceedings of the Second International Conference on Quantum, Nano and Micro Technologies (ICQNM 2008)
Merkle Puzzles Are Optimal -- An O(n2)-Query Attack on Any Key Exchange from a Random Oracle

CRYPTO '09 Proceedings of the 29th Annual International Cryptology Conference on Advances in Cryptology
Quantum walk based search algorithms

TAMC'08 Proceedings of the 5th international conference on Theory and applications of models of computation

Random oracles in a quantum world

ASIACRYPT'11 Proceedings of the 17th international conference on The Theory and Application of Cryptology and Information Security
Adversary lower bound for the k-sum problem

Proceedings of the 4th conference on Innovations in Theoretical Computer Science

Quantified Score

Hi-index	0.00

Visualization

Abstract

In 1974, Ralph Merkle proposed the first unclassified scheme for secure communications over insecure channels. When legitimate communicating parties are willing to spend an amount of computational effort proportional to some parameter N, an eavesdropper cannot break into their communication without spending a time proportional to N2, which is quadratically more than the legitimate effort. We showed in an earlier paper that Merkle's schemes are completely insecure against a quantum adversary, but that their security can be partially restored if the legitimate parties are also allowed to use quantum computation: the eavesdropper needed to spend a time proportional to N3/2 to break our earlier quantum scheme. Furthermore, all previous classical schemes could be broken completely by the onslaught of a quantum eavesdropper and we conjectured that this is unavoidable. We give two novel key agreement schemes in the spirit of Merkle's. The first one can be broken by a quantum adversary that makes an effort proportional to N5/3 to implement a quantum random walk in a Johnson graph reminiscent of Andris Ambainis' quantum algorithm for the element distinctness problem. This attack is optimal up to logarithmic factors. Our second scheme is purely classical, yet it cannot be broken by a quantum eavesdropper who is only willing to expend effort proportional to that of the legitimate parties.