### Citations

2398 |
Quantum Computation and Quantum Information,
- Nielsen, Chuang
- 2010
(Show Context)
Citation Context ...and Pr[B = 1|R(π)] are the probabilities that B = 1 when the distinguisher interacts with I and R(π), respectively. We give this (semi-formal) definition for completeness; we refer the reader to Refs =-=[15, 16, 7, 17]-=- for how to rigorize such a definition. As a final specification of our basic setup, it will be helpful to define the classical communication c in a key establishment protocol. For classical protocols... |

1374 |
Probabilistic encryption,”
- Goldwasser, Micali
- 1984
(Show Context)
Citation Context .... 11 Theorem 8 ([7]). Pseudorandom generators exist if and only if one-way functions exist. Theorem 9 ([8]). Symmetric-key encryption schemes exist if and only if one-way functions exist. Theorem 10 (=-=[21]-=-). Public-key encryption schemes exist if and only if trapdoor predicates exist. Theorem 11 ([22]). Information-theoretically-secure symmetric-key message authentication codes exist. Theorem 12 ([23, ... |

965 |
Quantum cryptography: Public key distribution and coin tossing.
- BENNETT, BRASSARD
- 1984
(Show Context)
Citation Context ...or a dedicated classical channel between Alice and Bob, since classical information can be sent along the quantum channel. However, the well-known qke protocols (i.e., those based on the ones in Refs =-=[13, 14]-=-) clearly distinguish the classical from the quantum communication; in particular, it suffices that only the classical communication is authenticated in order for the secret key to be authenticated at... |

879 |
Cryptography: theory and practice:
- Stinson
- 2005
(Show Context)
Citation Context ...the classical communication c up to implying a unique s, i.e., H(s|c) = 0, where H is the Shannon entropy. For any two random variables X and Y , H(X|Y ) = H(X) if and only if X and Y are independent =-=[18]-=-. Therefore, if (4) holds, then H(s) = H(s|c) = 0, so that s is a constant and thus the protocol is not quantum resistant. 8 It includes protocols that use a pseudorandom generator to expand the initi... |

821 | Universally composable security: A new paradigm for cryptographic protocols. In
- Canetti
- 2001
(Show Context)
Citation Context ...and Pr[B = 1|R(π)] are the probabilities that B = 1 when the distinguisher interacts with I and R(π), respectively. We give this (semi-formal) definition for completeness; we refer the reader to Refs =-=[15, 16, 7, 17]-=- for how to rigorize such a definition. As a final specification of our basic setup, it will be helpful to define the classical communication c in a key establishment protocol. For classical protocols... |

570 | Entity authentication and key distribution. - Bellare, Rogaway - 1994 |

422 | Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems.
- Goldreich, Micali, et al.
- 1991
(Show Context)
Citation Context ... reduction is also a black-box one, i.e., an algorithm for breaking X can be constructed from a black box for breaking Y . Non-black-box theorems of this sort are also possible (for example, see Ref. =-=[27]-=-), but are rarely required for these kinds of results, and indeed are not required for the theorems we quote. This is lucky, since it guarantees us that the theorems still hold with respect to a quant... |

416 |
New hash functions and their use in authentication and set equality,”
- Wegman, Carter
- 1981
(Show Context)
Citation Context ...em 9 ([8]). Symmetric-key encryption schemes exist if and only if one-way functions exist. Theorem 10 ([21]). Public-key encryption schemes exist if and only if trapdoor predicates exist. Theorem 11 (=-=[22]-=-). Information-theoretically-secure symmetric-key message authentication codes exist. Theorem 12 ([23, 24]). Public-key signature schemes exist if and only if one-way functions exist. Theorem 13 ([25]... |

412 |
Quantum cryptography based on Bell’s theorem.
- EKERT
- 1991
(Show Context)
Citation Context ...or a dedicated classical channel between Alice and Bob, since classical information can be sent along the quantum channel. However, the well-known qke protocols (i.e., those based on the ones in Refs =-=[13, 14]-=-) clearly distinguish the classical from the quantum communication; in particular, it suffices that only the classical communication is authenticated in order for the secret key to be authenticated at... |

350 | Universal one-way hash functions and their cryptographic applications.
- Naor, Yung
- 1989
(Show Context)
Citation Context ...([21]). Public-key encryption schemes exist if and only if trapdoor predicates exist. Theorem 11 ([22]). Information-theoretically-secure symmetric-key message authentication codes exist. Theorem 12 (=-=[23, 24]-=-). Public-key signature schemes exist if and only if one-way functions exist. Theorem 13 ([25]). Information-theoretically-secure q-UKE-protocols exist. Because we are assuming a quantum universe, one... |

327 | Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels. Eurocrypt
- Canetti, Krawczyk
- 2001
(Show Context)
Citation Context ... beyond the scope of this paper. 3 (i.e., in a network setting and where simultaneous, multiple key establishment sessions among many pairs of users are considered) as rigorously as it deserves (e.g. =-=[9, 10]-=-). That is, we implicitly assume that point-to-point4 unauthenticated key establishment protocols (whether they be key transport protocols or key agreement protocols5) and message-authentication proto... |

228 | One-way functions are necessary and sufficient for secure signatures. 22nd
- Rompel
- 1990
(Show Context)
Citation Context ...([21]). Public-key encryption schemes exist if and only if trapdoor predicates exist. Theorem 11 ([22]). Information-theoretically-secure symmetric-key message authentication codes exist. Theorem 12 (=-=[23, 24]-=-). Public-key signature schemes exist if and only if one-way functions exist. Theorem 13 ([25]). Information-theoretically-secure q-UKE-protocols exist. Because we are assuming a quantum universe, one... |

199 | Limits on the provable consequences of one-way permutations
- Impagliazzo, Rudich
- 1989
(Show Context)
Citation Context ...uthenticated key establishment (or uke), because, as well as being useful as a building block for ake systems, it is an often-considered cryptographic primitive in more foundational works, e.g., Ref. =-=[12]-=- (see Remark 2). We now make some precise definitions. A (point-to-point) ake system consists of two probabilistic-polynomialtime (quantum) computers, called “Alice” and “Bob”, that • are preloaded wi... |

173 | Security of quantum key distribution,
- Renner
(Show Context)
Citation Context ...[22]). Information-theoretically-secure symmetric-key message authentication codes exist. Theorem 12 ([23, 24]). Public-key signature schemes exist if and only if one-way functions exist. Theorem 13 (=-=[25]-=-). Information-theoretically-secure q-UKE-protocols exist. Because we are assuming a quantum universe, one-way functions and trapdoor predicates10 in this article (if they exist) are secure against an... |

94 |
Foundations of Cryptography Volume II Basic Aplications.
- Goldreich
- 2004
(Show Context)
Citation Context ...ming it is available in practice and is as costeffective as any type of “in-band” classical key establishment (see Definition 1).3 We adopt the same foundational approach that Goldreich does in Refs. =-=[7, 8]-=-. This basically means that, when reviewing which computational assumptions are known to be necessary or sufficient for certain cryptographic primitives, we ignore those assumptions (and the schemes b... |

71 |
Foundations of cryptography - Volume I (Basic tools
- Goldreich
- 2001
(Show Context)
Citation Context ...ming it is available in practice and is as costeffective as any type of “in-band” classical key establishment (see Definition 1).3 We adopt the same foundational approach that Goldreich does in Refs. =-=[7, 8]-=-. This basically means that, when reviewing which computational assumptions are known to be necessary or sufficient for certain cryptographic primitives, we ignore those assumptions (and the schemes b... |

49 | U.M.: Unconditional security against memory-bounded adversaries.
- Cachin, Maurer
- 1997
(Show Context)
Citation Context ...problems are actually hard seem to be beyond the reach of theoretical computer scientists. 14The term “everlasting security” has been used in the context of the bounded storage model (see, e.g., Ref. =-=[28]-=-), where, e.g., it describes the case where encryption is secure even if the adversary, at some later time, learns the pre-shared symmetric key, as long as, at the time of transmission of the cipherte... |

48 |
Post Quantum Cryptography.
- Bernstein, Buchmann
- 2008
(Show Context)
Citation Context ...e stick to classical one-way functions and trapdoor predicates that are quantum resistant, candidates of which are, e.g., the trapdoor predicates underlying some lattice-based cryptosystems (see Ref. =-=[26]-=- for more examples). 12 Protocol class Computational assumptions OOB none PGE one-way functions wc-AKE one-way functions c-UKE/sc-AKE trapdoor predicates q-UKE/q-AKEsym none q-AKEpub one-way functions... |

41 | On the Impossibility of Basing Trapdoor Functions on Trapdoor Predicates
- Gertner, Malkin, et al.
- 2001
(Show Context)
Citation Context ...s. At the very least, quantum cryptography certainly allows us to sidestep the question of the necessity of trapdoor predicates for secret key agreement (or trapdoor functions for trapdoor predicates =-=[32]-=-). We view this as strengthening the case for signed qke. If public-key encryption exists... If trapdoor predicates do exist and are secure in the long term, we note that Advantages 1 through 4 can va... |

37 | Quantum public-key cryptosystems
- Okamoto, Tanaka, et al.
(Show Context)
Citation Context ...-distribution schemes are said to accomplish dynamic key establishment. Remark 5 (Definition of sc-AKE). The class sc-AKE may contain protocols that use the “quantum public-key cryptosystems” in Ref. =-=[20]-=-, since the model does not stipulate how initial keys are derived (i.e., they could be derived using a quantum computer). Remark 6 (Definition of q-AKE). The class q-AKE may contain protocols obeying ... |

26 |
Hyper-encryption and everlasting security
- Ding, Rabin
- 2002
(Show Context)
Citation Context ...ecure even if the adversary, at some later time, learns the pre-shared symmetric key, as long as, at the time of transmission of the ciphertext, the adversary has bounded storage capability (see Ref. =-=[29]-=-). The term seems equally well suited to qke. 15On the Internet, this works as follows. Bob’s web-browser comes from the manufacturer pre-loaded with the public key of a trusted third party Charlie. W... |

25 |
Moni Naor, and Rafail Ostrovsky. Deniable encryption
- Canetti, Dwork
(Show Context)
Citation Context ...ecret key was produced by a q-AKEpub-protocol, it is not attributable at all. This is a potential advantage of using qke to generate aes keys. 16In Ref. [33], Beaver discusses “deniability” (see Refs =-=[34, 35]-=-) of qke, which is similar to nonattributability. However, in that paper, it is assumed that Alice and Bob keep a record of their qubit-measurement outcomes (often called “raw key bits”) made during t... |

14 |
Cryptography,” in Handbook of Theoretical Computer Science, Volume A, Algorithms and Complexity
- Rivest
- 1990
(Show Context)
Citation Context ...blem, too. A signature scheme can be used in conjunction with a network of trusted third parties to help Bob be certain that he has Alice’s legitimate public key.15 This is probably the reason Rivest =-=[31]-=- wrote, “The notion of a digital signature may prove to be one of the most fundamental and useful inventions of modern cryptography.” ...the bathwater. There is a price to pay for the advantages of a ... |

12 |
SECOQC white paper on quantum key distribution and cryptography
- Alléaume, Bouda, et al.
- 2007
(Show Context)
Citation Context ...antum computers, also known as quantum resistance. Several detailed analyses have appeared that consider the benefits and disadvantages of quantum cryptography in comparison to classical alternatives =-=[2, 3, 4, 5]-=-. The present article contributes to the dialogue in a way that we hope is very palatable to the community of quantum-questioning cryptographers: we give new arguments in support of signed quantum key... |

5 | Composability in quantum cryptography
- Müller-Quade, Renner
- 2009
(Show Context)
Citation Context ...and Pr[B = 1|R(π)] are the probabilities that B = 1 when the distinguisher interacts with I and R(π), respectively. We give this (semi-formal) definition for completeness; we refer the reader to Refs =-=[15, 16, 7, 17]-=- for how to rigorize such a definition. As a final specification of our basic setup, it will be helpful to define the classical communication c in a key establishment protocol. For classical protocols... |

4 |
Privacy in a quantum world
- Bennett, Shor
- 1999
(Show Context)
Citation Context ...rotocols satisfying the definition exist). Quantum cryptography1 has been promoted as a more secure alternative to public-key cryptography based on computational assumptions (see the abstract of Ref. =-=[1]-=- for a typical example). However, an opposing view is sometimes voiced by classical cryptographers and computer security specialists questioning whether quantum cryptography is really a practical way ... |

4 | Quantum cryptography: A practical information security perspective
- Paterson, Piper, et al.
- 2007
(Show Context)
Citation Context ...antum computers, also known as quantum resistance. Several detailed analyses have appeared that consider the benefits and disadvantages of quantum cryptography in comparison to classical alternatives =-=[2, 3, 4, 5]-=-. The present article contributes to the dialogue in a way that we hope is very palatable to the community of quantum-questioning cryptographers: we give new arguments in support of signed quantum key... |

3 | The case for quantum key distribution
- Stebila, Mosca, et al.
(Show Context)
Citation Context ...antum computers, also known as quantum resistance. Several detailed analyses have appeared that consider the benefits and disadvantages of quantum cryptography in comparison to classical alternatives =-=[2, 3, 4, 5]-=-. The present article contributes to the dialogue in a way that we hope is very palatable to the community of quantum-questioning cryptographers: we give new arguments in support of signed quantum key... |

3 |
eds., Focus on Quantum Cryptography: Theory and Practice
- Lütkenhaus, Shields
- 2009
(Show Context)
Citation Context ...e practical availability of the qke primitive between a typical real-world Alice and Bob is a very non-trivial assumption. For a fairly recent status report on practical qke systems, one can see Ref. =-=[6]-=-, where it is evident that key-rate, distance and availability remain serious obstacles for most practical applications today. In the cases that one believes that qke could in principle add value, one... |

2 |
Mityagin A.: Stronger Security of Authenticated Key Exchange
- LaMacchia, Lauter
- 2007
(Show Context)
Citation Context ...tocol, the secret key s is independent of the initial keys and the classical communication c, i.e., for all values k′ A and k′ B of the initial 8Our use of the word “strong” differs from that in Ref. =-=[19]-=-, where a key establishment protocol is secure only if it remains secure under the reveal of any subset of the initial (also called “long-term”) and ephemeral keys that does not contain both the initi... |

2 | On deniability in quantum key exchange
- Beaver
- 2002
(Show Context)
Citation Context ...butable given the secret key; however, if the secret key was produced by a q-AKEpub-protocol, it is not attributable at all. This is a potential advantage of using qke to generate aes keys. 16In Ref. =-=[33]-=-, Beaver discusses “deniability” (see Refs [34, 35]) of qke, which is similar to nonattributability. However, in that paper, it is assumed that Alice and Bob keep a record of their qubit-measurement o... |

1 |
Cost-benefit analysis of quantum cryptography
- Bernstein
- 2009
(Show Context)
Citation Context |

1 |
Miroslaw Kutylowski. Practical deniable encryption
- Kubiak
(Show Context)
Citation Context ...ecret key was produced by a q-AKEpub-protocol, it is not attributable at all. This is a potential advantage of using qke to generate aes keys. 16In Ref. [33], Beaver discusses “deniability” (see Refs =-=[34, 35]-=-) of qke, which is similar to nonattributability. However, in that paper, it is assumed that Alice and Bob keep a record of their qubit-measurement outcomes (often called “raw key bits”) made during t... |