Deniable Public-Key Authenticated Quantum Key Exchange

Abstract

In this work, we explore the notion of deniability in public-key authenticated quantum key exchange (\(\textsf{QKE}\)), which allows two parties to establish a shared secret key without leaving any evidence that would bind a session to either party. The deniability property is expressed in terms of being able to simulate the transcripts of a protocol. The ability to deny a message or an action has applications ranging from secure messaging to secure e-voting and whistle-blowing. While quite well-established in classical cryptography, it remains largely unexplored in the quantum setting. Here, we first present a natural extension of classical definitions in the simulation paradigm to the setting of quantum computation and formalize the requirements for a deniable \(\textsf{QKE}\) scheme. We then prove that the BB84 variant of \(\textsf{QKE}\), when authenticated using a strong designated verifier signature scheme, satisfies deniability and, finally, propose a concrete instantiation.

Appendices

A Appendix: The [13] Model

In this appendix we elaborate on the [13] model. The classical Turing machine can receive the following activations:

• \({{\,\mathrm{\textsf{SendC}}\,}}(\varPsi , \textsf{msg})\): The Turing machine resumes the session with identifier \(\varPsi \) using \(\textsf{msg} \) as input. \(\varPsi \) may also be a vector of session identifiers, where it is clear from context which one belongs to the receiving party and which to other parties.

• \({{\,\mathrm{\textsf{SendC}}\,}}(\textsf{params}, \textsf{pid})\): When \({{\,\mathrm{\textsf{SendC}}\,}}\) is received without a session identifier it indicates the start of a new protocol execution with public parameters \(\textsf{params}\).

• \(\textsf{Q2C} (\textsf{msg})\): This activation indicates a classical output of the quantum Turing machine and activates the classical Turing machine with the most recent session.

The quantum Turing machine has the following activations:

• \(\textsf{SendQ} (\rho )\): The quantum Turing machine activates with as input the state \(\rho \).

• \(\textsf{C2Q} (\textsf{msg})\): The quantum Turing machine is activated by the classical Turing machine with message \(\textsf{msg} \).

We use \(\varPsi \) to denote ephemeral variables, which are variables that are bound to a session. After each activation, the Turing machines may send activations over their respective public channel and the private channel between them. At the end of a session, the classical Turing machine of both parties outputs four values:

• \(\textsf{sk} \), the shared secret key established during this session, or \(\bot \) if execution failed.

• \(\textsf{pid} \), the identifier of the other party involved in this session.

• A vector \(\boldsymbol{v} = (\boldsymbol{v_0},\dots )\), where each \(\boldsymbol{v_i}\) is a vector of labels of values.

• A vector \(\boldsymbol{u} = (\boldsymbol{u_0},\dots )\), where each \(\boldsymbol{u_i}\) is a vector of labels of values.

A protocol is correct if, when all messages are delivered without changes or reordering, both parties output the same key \(\textsf{sk}\) and the same vector \(\boldsymbol{v}\). Each classical value \(\varPsi _d\) has a label \(\ell (\varPsi _d)\) and an adversary can partner a value by issuing \(\textsf{Partner} (\ell (\varPsi _d))\) to learn the value corresponding to the label. An adversary can also partner a session \(\varPsi \), learning the value \(\textsf{sk} \) if it has been output. Note that if an adversary learns a value without partnering (through public communication, for example), this value remains unpartnered. A session \(\varPsi \) is fresh as long as every \(\boldsymbol{v_i}\) contains at least (the label of) one value that the adversary has not partnered and the adversary has not partnered \(\varPsi \) or any session \(\varPsi '\) with the same \(\boldsymbol{v}\) and \(\textsf{sk} \) and, at the time of output, there is least one value in each \(\boldsymbol{u_i}\) with which the adversary has not partnered. This signifies the main difference between \(\boldsymbol{v}\) and \(\boldsymbol{u}\): values in \(\boldsymbol{u}\) pose no security risk if revealed after the key has been established, but values in \(\boldsymbol{v}\) do.

1.1 A.1 BB84 in This Model

In Algorithms 5 and 6 we present, respectively, the \(\textsf{initiator}\) and \(\textsf{responder}\) roles in the [4] QKD protocol, following the [13] model.

Algorithm 5

\(\varSigma _I\)

Algorithm 6

\(\varSigma _R\)

B Appendix: Lattice Hardness Problems Needed for [14]

In this appendix, we briefly present the following assumptions, which are conjectured to hold in the presence of quantum computers, but refer to [14] for their precise statements. We use the following (simplified) parameters:

• \(|\textsf{msg} |\) is the length of the message being signed,

• \(\kappa \) is the security parameter,

• \(h = O(\log \kappa )\)

• \(m = O(\kappa h)\),

• \(q = \textsf{poly} (\kappa )\) is a sufficiently large number,

• \(l \le (p-1)\kappa \), where p is the smallest prime dividing q, and

• \(s = O(\sqrt{\kappa lh})\cdot \omega (\sqrt{\log \kappa })^2\) a sufficiently large parameter.

Definition 7

([14]). Given a uniformly random matrix \(A \in \mathbb {Z}^{n \times m}_q\) and a syndrome \(\boldsymbol{u} \in \mathbb {Z}^n_q\), the \(\textsf{ISIS} _{q, m, \beta }\) problem is to find a nonzero vector \(\boldsymbol{v} \in \mathbb {Z}^m\) such that \(A\boldsymbol{v} = \boldsymbol{u} \pmod q\) and \(\Vert \boldsymbol{v}\Vert \le \beta \).

The \(\textsf{SIS} _{q,m, \beta }\) problem is the \(\textsf{ISIS} _{q,m, \beta }\) problem for \(\boldsymbol{u} = \boldsymbol{0}\).

Assumption B1

The \(\textsf{SIS} _{q,m, \beta }\) problem is hard for sufficiently large \(q = \sqrt{(|\textsf{msg} | + 4ms^2)\kappa } + \omega (\sqrt{\log \kappa })\) and \(\beta = \sqrt{|\textsf{msg} | + 4ms^2}\). The \(\textsf{SIS} _{q,m, \beta }\) problem and \(\textsf{ISIS} _{q, m, \beta }\) problem are hard for sufficiently large \(q = O(l^{3/2}\kappa ^3\log ^{5/2} \kappa )\cdot \omega (\sqrt{\log \kappa })^6\), \(m = O(\kappa \log q)\), and \(\beta = s\sqrt{2m}O(l\kappa ^{3/2}k^{3/2})\cdot \omega (\sqrt{\log \kappa })^3\).

Furthermore, we have the following assumption on the hardness of distinguishing lattices, where q is prime. Here \(\mathcal {D}_{\varLambda ^\bot _{\boldsymbol{w}}(A),s}\) denotes the distribution of sampling from \(\{\boldsymbol{z} \in \mathbb {Z}^\kappa \mid A\boldsymbol{z} = \boldsymbol{w} (\text {mod } q)\}\) according to a Gaussian distribution.

Assumption B2

(Assumption 2.1 in [14]). Let \(m_1, m_2 = O(\kappa \log q)\), A, R uniform random matrices from \(\mathbb {Z}^{\kappa \times m_1}_q\), \(C_0, \dots , C_l\) uniform random matrices from \(\mathbb {Z}^{\kappa \times m_2}_q\), \(\boldsymbol{w}\) a fixed vector from \(\mathbb {Z}^\kappa _q\), \(\mu \in \{0,1\}^l\) a secret bitstring, and \(C_\mu = C_0 + \sum _{j=1}^l \mu _jC_j\), then it is hard to distinguish between \(\mathcal {D}_{\varLambda ^\bot _{\boldsymbol{w}}(A|C_\mu ),s}\) and \(\mathcal {D}_{\varLambda ^\bot _{\boldsymbol{w}}(R|C_\mu ),s}\) without any information on \(\mu \).