Telecom ParisTech

Not considering classified work, the first person to have asked and solved the problem of secure communication over insecure communication channels was Ralph Merkle, in a project for a Computer securitjohn y course at UC Berkeley in 1974. In this work, he gave a protocol that allow two legitimate parties to establish a secret key with an effort of the order of N, but such that an eavesdropper can not discover the secret key with non-vanishing probability if he is not willing to spend an effort of at least the order of N^2.
In this talk, we will consider key exchange protocols in the presence of a quantum eavesdropper. Unfortunately, it is easy to see that in this case, breaking Merkle’s original protocol only requires an effort of the order of N, similar to the one of the legitimate parties. We will show how to restore the security by presenting two sequences of protocols with the following properties:
- In the first sequence, the legitimate parties have access to a quantum computer, and the eavesdropper's effort is arbitrarily close to N^2.
- In the second sequence, the protocols are classical, but the eavesdropper’s effort is arbitrarily close to N^{3/2}.
We will show the key exchange protocols, the quantum attacks with the proof of their optimality. We will focus mostly on the techniques from quantum algorithms and complexity theory used to devise quantum algorithms and to prove lower bounds. The underlying tools are the quantum walk formalism, and the quantum adversary lower bound method, respectively. Finally, we will introduce a new method to prove average-case quantum query complexity lower bounds.