Starting in 1974, Ralph Merkle proposed the first unclassified systems for secure communications over insecure channels. When legitimate communicating parties are willing to spend an amount of computational effort proportional to some parameter $N$, an eavesdropper cannot break into their communication without spending a time in the order of $N^2$, which is quadratically more than the legitimate effort. We investigate quantum analogues to this technique. First, we show that Merkle's systems are completely insecure if the legitimate parties are classical but the eavesdropper uses quantum computation. Then, we describe simple modifications on Merkle's proposals, in which the legitimate parties still use classical communication but benefit from local quantum computation to agree on a common key. We show that the optimal quantum eavesdropping strategy against our protocols requires a time in the order of $N^{3/2}$. We conjecture these Quantum Merkle Puzzles to be optimal in the classical communication model, in which case quantum mechanics does more harm than good for the purpose of secure communications over insecure classical channels. This is in sharp contrast with Quantum Key Distribution, which ensures unconditionally secure communications over quantum channels.
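The classical $N$ versus $N^2$ gap stated above can be observed by counting function evaluations in a toy run. This is an added example, not code from the paper: it assumes a black-box-function formulation of Merkle's scheme (the abstract does not spell out the protocol), with SHA-256 standing in for the black box and the names `f` and `run` chosen here for illustration.

```python
import hashlib
import random

def f(x: int) -> bytes:
    """Public function treated as a black box (SHA-256 is an assumed stand-in)."""
    return hashlib.sha256(b"merkle-demo" + x.to_bytes(8, "big")).digest()

def run(n: int, seed: int = 1) -> dict:
    rng = random.Random(seed)          # seeded so the run is reproducible
    domain = n * n                     # points are drawn from a domain of size N^2
    queries = {"alice": 0, "bob": 0, "eve": 0}

    # Alice: N evaluations of f on distinct random points.
    # Only the images (dict keys) go on the wire; the preimages stay private.
    published = {}
    for x in rng.sample(range(domain), n):
        published[f(x)] = x
        queries["alice"] += 1

    # Bob: evaluates f on random points until he hits a published image.
    # Each try succeeds with probability N / N^2, so about N tries are expected.
    while True:
        x = rng.randrange(domain)
        y = f(x)
        queries["bob"] += 1
        if y in published:
            bob_key, announced = x, y  # Bob sends `announced` back in the clear
            break
    alice_key = published[announced]   # Alice looks up her own preimage

    # Eve: sees all published images and `announced`, but has to invert f
    # on `announced`; classically that is a scan of the N^2-point domain.
    eve_key = None
    for x in range(domain):
        queries["eve"] += 1
        if f(x) == announced:
            eve_key = x
            break
    return {"alice_key": alice_key, "bob_key": bob_key,
            "eve_key": eve_key, "queries": queries}

if __name__ == "__main__":
    for n in (32, 64, 128):
        print(n, run(n)["queries"])    # Eve's count grows with N^2, not N
```

Eve's count in any single run is uniform over the domain, so the quadratic growth shows up as an average over seeds rather than in every individual run.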