Abstract
In this work, we explore the notion of deniability in public-key authenticated quantum key exchange (\(\textsf{QKE}\)), which allows two parties to establish a shared secret key without leaving any evidence that would bind a session to either party. The deniability property is expressed in terms of being able to simulate the transcripts of a protocol. The ability to deny a message or an action has applications ranging from secure messaging to secure e-voting and whistle-blowing. While quite well-established in classical cryptography, it remains largely unexplored in the quantum setting. Here, we first present a natural extension of classical definitions in the simulation paradigm to the setting of quantum computation and formalize the requirements for a deniable \(\textsf{QKE}\) scheme. We then prove that the BB84 variant of \(\textsf{QKE}\), when authenticated using a strong designated verifier signature scheme, satisfies deniability and, finally, propose a concrete instantiation.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Atashpendar, A.: From information theory puzzles in deletion channels to deniability in quantum cryptography. Ph.D. thesis, University of Luxembourg, Luxembourg (2019). https://arxiv.org/pdf/2003.11663.pdf
Atashpendar, A., Policharla, G.V., Rønne, P.B., Ryan, P.Y.A.: Revisiting deniability in quantum key exchange. In: Gruschka, N. (ed.) NordSec 2018. LNCS, vol. 11252, pp. 104–120. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03638-6_7
Beaver, D.: On deniability in quantum key exchange. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 352–367. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_23
Bennett, C.H., Brassard, G.: Quantum cryptography: public key distribution and coin tossing. In: International Conference on Computers, Systems and Signal Processing (India, December 1984), pp. 175–9 (1984)
Canetti, R., Gennaro, R.: Incoercible multiparty computation. In: Proceedings of 37th Conference on Foundations of Computer Science, pp. 504–513 (1996). https://doi.org/10.1109/SFCS.1996.548509
Canetti, R., Dwork, C., Naor, M., Ostrovsky, R.: Deniable encryption. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 90–104. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052229
Chen, Y.-A., et al.: An integrated space-to-ground quantum communication network over 4,600 kilometres. Nature 589(7841), 214–219 (2021)
Di Raimondo, M., Gennaro, R., Krawczyk, H.: Deniable authentication and key exchange. In: Proceedings of the 13th ACM Conference on Computer and Communications Security. CCS ’06, pp. 400–409. ACM, Alexandria, Virginia, USA (2006). https://doi.org/10.1145/1180405.1180454
Dwork, C., Naor, M., Sahai, A.: Concurrent Zero-knowledge. J. ACM 51(6), 851–898 (2004). https://doi.org/10.1145/1039488.1039489
European Quantum Communication Infrastructure (EuroQCI) | Shaping Europe’s digital future. https://digital-strategy.ec.europa.eu/en/policies/european-quantum-communication-infrastructure-euroqci. Accessed 09 July 2021
Ioannou, L.M., Mosca, M.: A new spin on quantum cryptography: avoiding trapdoors and embracing public keys. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 255–274. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_17
Jakobsson, M., Sako, K., Impagliazzo, R.: Designated verifier proofs and their applications. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 143–154. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_13
Mosca, M., Stebila, D., Ustaoğlu, B.: Quantum key distribution in the classical authenticated key exchange framework. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 136–154. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38616-9_9
Noh, G., Jeong, I.R.: Strong designated verifier signature scheme from lattices in the standard model. Secur. Commun. Netw. 9(18), 6202–6214 (2016)
Saeednia, S., Kremer, S., Markowitch, O.: An efficient strong designated verifier signature scheme. In: Lim, J.-I., Lee, D.-H. (eds.) ICISC 2003. LNCS, vol. 2971, pp. 40–54. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24691-6_4
Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings 35th Annual Symposium on Foundations of Computer Science, pp. 124–134 (1994). https://doi.org/10.1109/SFCS.1994.365700
of Standards, N.I., (NIST), T.: Post-Quantum Cryptography Standardization (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization. Accessed 22 July 2019
Sun, X., Tian, H., Wang, Y.: Toward quantum-resistant strong designated verifier signature from isogenies. In: 2012 Fourth International Conference on Intelligent Networking and Collaborative Systems, pp. 292–296 (2012). https://doi.org/10.1109/iNCoS.2012.70
Watrous, J.: The Theory of Quantum Information. Cambridge University Press, Cambridge (2018)
van Wier, J.: On SDVS sender privacy in the multi-party setting. CoRR abs/2107.06119 (2021). arXiv: 2107.06119. https://arxiv.org/abs/2107.06119
Acknowledgements
This work was supported by the Luxembourg National Research Fund (FNR), under the joint CORE project Q-CoDe (CORE17/IS/11689058/Q-CoDe/Ryan) and the CORE project EquiVox (C19/IS/13643617/EquiVox/Ryan), as well as the LUX4QCI Luxembourg Experimental Network for Quantum Communication Infrastructure project, co-funded by the Digital Europe Programme under the Grant Agreement No. 101091508.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A Appendix: The [13] Model
In this appendix we elaborate on the [13] model. The classical Turing machine can receive the following activations:
-
\({{\,\mathrm{\textsf{SendC}}\,}}(\varPsi , \textsf{msg})\): The Turing machine resumes the session with identifier \(\varPsi \) using \(\textsf{msg} \) as input. \(\varPsi \) may also be a vector of session identifiers, where it is clear from context which one belongs to the receiving party and which to other parties.
-
\({{\,\mathrm{\textsf{SendC}}\,}}(\textsf{params}, \textsf{pid})\): When \({{\,\mathrm{\textsf{SendC}}\,}}\) is received without a session identifier it indicates the start of a new protocol execution with public parameters \(\textsf{params}\).
-
\(\textsf{Q2C} (\textsf{msg})\): This activation indicates a classical output of the quantum Turing machine and activates the classical Turing machine with the most recent session.
The quantum Turing machine has the following activations:
-
\(\textsf{SendQ} (\rho )\): The quantum Turing machine activates with as input the state \(\rho \).
-
\(\textsf{C2Q} (\textsf{msg})\): The quantum Turing machine is activated by the classical Turing machine with message \(\textsf{msg} \).
We use \(\varPsi \) to denote ephemeral variables, which are variables that are bound to a session. After each activation, the Turing machines may send activations over their respective public channel and the private channel between them. At the end of a session, the classical Turing machine of both parties outputs four values:
-
\(\textsf{sk} \), the shared secret key established during this session, or \(\bot \) if execution failed.
-
\(\textsf{pid} \), the identifier of the other party involved in this session.
-
A vector \(\boldsymbol{v} = (\boldsymbol{v_0},\dots )\), where each \(\boldsymbol{v_i}\) is a vector of labels of values.
-
A vector \(\boldsymbol{u} = (\boldsymbol{u_0},\dots )\), where each \(\boldsymbol{u_i}\) is a vector of labels of values.
A protocol is correct if, when all messages are delivered without changes or reordering, both parties output the same key \(\textsf{sk}\) and the same vector \(\boldsymbol{v}\). Each classical value \(\varPsi _d\) has a label \(\ell (\varPsi _d)\) and an adversary can partner a value by issuing \(\textsf{Partner} (\ell (\varPsi _d))\) to learn the value corresponding to the label. An adversary can also partner a session \(\varPsi \), learning the value \(\textsf{sk} \) if it has been output. Note that if an adversary learns a value without partnering (through public communication, for example), this value remains unpartnered. A session \(\varPsi \) is fresh as long as every \(\boldsymbol{v_i}\) contains at least (the label of) one value that the adversary has not partnered and the adversary has not partnered \(\varPsi \) or any session \(\varPsi '\) with the same \(\boldsymbol{v}\) and \(\textsf{sk} \) and, at the time of output, there is least one value in each \(\boldsymbol{u_i}\) with which the adversary has not partnered. This signifies the main difference between \(\boldsymbol{v}\) and \(\boldsymbol{u}\): values in \(\boldsymbol{u}\) pose no security risk if revealed after the key has been established, but values in \(\boldsymbol{v}\) do.
1.1 A.1 BB84 in This Model
In Algorithms 5 and 6 we present, respectively, the \(\textsf{initiator}\) and \(\textsf{responder}\) roles in the [4] QKD protocol, following the [13] model.
B Appendix: Lattice Hardness Problems Needed for [14]
In this appendix, we briefly present the following assumptions, which are conjectured to hold in the presence of quantum computers, but refer to [14] for their precise statements. We use the following (simplified) parameters:
-
\(|\textsf{msg} |\) is the length of the message being signed,
-
\(\kappa \) is the security parameter,
-
\(h = O(\log \kappa )\)
-
\(m = O(\kappa h)\),
-
\(q = \textsf{poly} (\kappa )\) is a sufficiently large number,
-
\(l \le (p-1)\kappa \), where p is the smallest prime dividing q, and
-
\(s = O(\sqrt{\kappa lh})\cdot \omega (\sqrt{\log \kappa })^2\) a sufficiently large parameter.
Definition 7
([14]). Given a uniformly random matrix \(A \in \mathbb {Z}^{n \times m}_q\) and a syndrome \(\boldsymbol{u} \in \mathbb {Z}^n_q\), the \(\textsf{ISIS} _{q, m, \beta }\) problem is to find a nonzero vector \(\boldsymbol{v} \in \mathbb {Z}^m\) such that \(A\boldsymbol{v} = \boldsymbol{u} \pmod q\) and \(\Vert \boldsymbol{v}\Vert \le \beta \).
The \(\textsf{SIS} _{q,m, \beta }\) problem is the \(\textsf{ISIS} _{q,m, \beta }\) problem for \(\boldsymbol{u} = \boldsymbol{0}\).
Assumption B1
The \(\textsf{SIS} _{q,m, \beta }\) problem is hard for sufficiently large \(q = \sqrt{(|\textsf{msg} | + 4ms^2)\kappa } + \omega (\sqrt{\log \kappa })\) and \(\beta = \sqrt{|\textsf{msg} | + 4ms^2}\). The \(\textsf{SIS} _{q,m, \beta }\) problem and \(\textsf{ISIS} _{q, m, \beta }\) problem are hard for sufficiently large \(q = O(l^{3/2}\kappa ^3\log ^{5/2} \kappa )\cdot \omega (\sqrt{\log \kappa })^6\), \(m = O(\kappa \log q)\), and \(\beta = s\sqrt{2m}O(l\kappa ^{3/2}k^{3/2})\cdot \omega (\sqrt{\log \kappa })^3\).
Furthermore, we have the following assumption on the hardness of distinguishing lattices, where q is prime. Here \(\mathcal {D}_{\varLambda ^\bot _{\boldsymbol{w}}(A),s}\) denotes the distribution of sampling from \(\{\boldsymbol{z} \in \mathbb {Z}^\kappa \mid A\boldsymbol{z} = \boldsymbol{w} (\text {mod } q)\}\) according to a Gaussian distribution.
Assumption B2
(Assumption 2.1 in [14]). Let \(m_1, m_2 = O(\kappa \log q)\), A, R uniform random matrices from \(\mathbb {Z}^{\kappa \times m_1}_q\), \(C_0, \dots , C_l\) uniform random matrices from \(\mathbb {Z}^{\kappa \times m_2}_q\), \(\boldsymbol{w}\) a fixed vector from \(\mathbb {Z}^\kappa _q\), \(\mu \in \{0,1\}^l\) a secret bitstring, and \(C_\mu = C_0 + \sum _{j=1}^l \mu _jC_j\), then it is hard to distinguish between \(\mathcal {D}_{\varLambda ^\bot _{\boldsymbol{w}}(A|C_\mu ),s}\) and \(\mathcal {D}_{\varLambda ^\bot _{\boldsymbol{w}}(R|C_\mu ),s}\) without any information on \(\mu \).
Rights and permissions
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
van Wier, J., Atashpendar, A., Roenne, P. (2024). Deniable Public-Key Authenticated Quantum Key Exchange. In: Manulis, M., Maimuţ, D., Teşeleanu, G. (eds) Innovative Security Solutions for Information Technology and Communications. SecITC 2023. Lecture Notes in Computer Science, vol 14534. Springer, Cham. https://doi.org/10.1007/978-3-031-52947-4_8
Download citation
DOI: https://doi.org/10.1007/978-3-031-52947-4_8
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-52946-7
Online ISBN: 978-3-031-52947-4
eBook Packages: Computer ScienceComputer Science (R0)