Key Establishment à la Merkle in a Quantum World
Abstract
In 1974, Ralph Merkle proposed the first unclassified protocol for secure communications over insecure channels. When legitimate communicating parties are willing to spend an amount of computational effort proportional to some parameter N, an eavesdropper cannot break into their communication without spending a time proportional to \(N^2\), which is quadratically more than the legitimate effort. In a quantum world, however, Merkle’s protocol is immediately broken by Grover’s algorithm, but it is easily repaired if we are satisfied with a quantum protocol against which a quantum adversary needs to spend a time proportional to \(N^{3/2}\) in order to break it. Can we do better? We give two new key establishment protocols in the spirit of Merkle’s. The first one, which requires the legitimate parties to have access to a quantum computer, resists any quantum adversary who is not willing to make an effort at least proportional to \(N^{5/3}\), except with vanishing probability. Our second protocol is purely classical, yet it requires any quantum adversary to work asymptotically harder than the legitimate parties, again except with vanishing probability. In either case, security is proved for a typical run of the protocols: the probabilities are taken over the random (or quantum) choices made by the legitimate participants in order to establish their key as well as over the random (or quantum) choices made by the adversary who is trying to be privy to it.
Keywords
Merkle puzzles · Key establishment · Post-quantum cryptography · Quantum query complexity
1 Introduction
While Ralph Merkle was delivering the 2005 International Association for Cryptologic Research (IACR) Distinguished Lecture at the Crypto annual conference in Santa Barbara, describing his original unpublished 1974 protocol [35] for public-key establishment (much simpler and more elegant than his subsequently published, yet better known, Merkle Puzzles [36]), one of us (Brassard) immediately realized that this protocol is totally insecure against an eavesdropper equipped with a quantum computer. The obvious question was: Can Merkle’s idea be repaired and made secure again in our quantum world? The defining characteristics of Merkle’s protocol are that (1) the legitimate parties communicate strictly through an authenticated classical channel on which eavesdropping is unrestricted and (2) a protocol is deemed to be secure if the cryptanalytic effort required of the eavesdropper to learn the key established by the legitimate parties grows superlinearly with the legitimate work.
1. Can the quadratic security possible in a classical world be restored in our quantum world?
2. Is any provable security possible at all if the legitimate parties are purely classical, yet the eavesdropper is endowed with a quantum computer?
Our second Crypto 2011 protocol was purely classical, in the sense that the legitimate parties need only classical computation and classical communication to establish a key after O(N) queries to similar random functions. We then gave a quantum cryptanalytic attack that requires \(\Theta \big (N^{13/12}\big )\) queries to the functions. As unlikely as it may sound, this attack is optimal (again up to logarithmic factors) against that protocol, and therefore, it is not possible to break it with a quantum attack that uses an amount of resources linear in the legitimate effort. This was the first protocol ever proved secure (in the random oracle model) in the now thriving field of post-quantum cryptography [14, 37]. However, our proof of security was also given only in the worst case, making it cryptographically unsatisfactory.
We now improve on the Crypto 2011 results in two directions. First, we simplify both protocols. Curiously, the simpler classical protocol is also more secure since \(\Omega \big (N^{7/6}\big )\) quantum queries are required to break it, compared to \(O\big (N^{13/12}\big )\) queries for the earlier protocol. Second, and more importantly, our proofs of security now hold for random instances rather than for the worst-case instance. It follows that the key obtained in a typical run of our protocols is secure, except with vanishing probability.
After a review of Merkle’s original idea [35], its meltdown against a quantum eavesdropper and the obvious partial quantum solution [21] in Sect. 2, we describe our new protocols in Sects. 3 and 4, including quantum attacks against them in Sects. 3.1 and 4.1 and proofs of optimality for those attacks in Sects. 3.2 and 4.2. We then sketch an extension of these protocols to two families of more elaborate quantum and classical protocols in Sect. 5, but we postpone their detailed descriptions and proofs of security to a follow-up paper whose preliminary version is in Ref. [8]. Some practical aspects of our protocols are analysed in Sect. 6. As a technical tool needed in our proofs of lower bounds, we prove a new composition theorem of potential independent interest in Sect. 7. Finally, we conclude in Sect. 8 with a list of open problems, in the hope of improving our protocols in a variety of ways or proving intrinsic limits to such improvements.
2 Merkle’s Original Protocol and How to Break and Partially Repair It with Quantum Computers
The first unclassified document ever written that pioneered public-key establishment and public-key cryptography was a class project proposal written in 1974 by Merkle when he was a student in Lance Hoffman’s CS244 course on Computer Security at the University of California, Berkeley [35]. Hoffman rejected the proposal and Merkle dropped the course but “kept working on the idea” and eventually published it as one of the most seminal cryptographic papers in the second half of the twentieth century [36]. Merkle’s protocol in his published paper was somewhat different from his original 1974 idea, but both share the property that they “force any enemy to expend an amount of work which increases as the square of the work required of the two [legitimate] communicants” [36]. It took 35 years before Boaz Barak and Mohammad Mahmoody-Ghidary proved that this quadratic discrepancy between the legitimate and eavesdropping efforts is the best possible in a classical world [7] for provable security in the random oracle model.
In more modern terms, let f be a one-way permutation. In order to “one-way encrypt” x, as Merkle wrote in 1974, we assume that one can compute f(x) in unit time for any given input x but that the only way to retrieve x given f(x) is to try preimages and compute f on them until one is found that maps to f(x). This is captured by the random oracle model. Accordingly, throughout this paper, with the exception of Sect. 6, efficiency is defined solely in terms of the number of queries to such oracles (there could be more than one). In the quantum case, these queries can be made in a superposition of inputs. We also assume throughout this paper (as did Merkle) that an authenticated channel is available between the legitimate communicants, although this channel offers no protection against eavesdropping.
Method 1: Guessing. Both sites guess at keywords. These guesses are one-way encrypted, and transmitted to the other site. If both sites should chance to guess at the same keyword, this fact will be discovered when the encrypted versions are compared, and this keyword will then be used to establish a communications link.
Discussion: No, I am not joking.
The “keywords” guessed at by “both sites” are random points in the domain of \(f\). They are “one-way encrypted” by applying f to them. If there are \(N^2\) points in the domain of \(f\), it suffices to guess O(N) keywords at each site before it becomes overwhelmingly likely that “both sites should chance to guess at the same keyword”, which becomes their shared key. An eavesdropper who listens to the entire conversation has no other way to obtain this key than to invert f on the revealed common encrypted keyword. In accordance with the oracle model, this can only be done by trying on average half the points in the domain of \(f\) before one is found that is mapped by f to the target value. This will require an expected number of queries to f in \(\Omega (N^2)\), which is quadratic in the legitimate effort.
Shortly thereafter, Whitfield Diffie and Martin Hellman independently reinvented Merkle’s notion of key establishment and discovered a celebrated method to achieve this goal, making the cryptanalytic effort apparently exponentially harder than the legitimate effort [25]. However, no proof is known that the Diffie–Hellman protocol is secure at all (even using elliptic curve cryptography) since it relies on the conjectured difficulty of extracting discrete logarithms, an assumption doomed to fail whenever quantum computers become available [40]. The same can be said of the subsequent (nowadays ubiquitous) RSA public-key cryptosystem [38]. In contrast, Merkle’s approach offers provable quadratic security against any possible classical attack, under the sole assumption that f cannot be inverted by any other means than exhaustive search.
Next, we explain why Merkle’s original proposal becomes completely insecure if the eavesdropper is capable of quantum computation. (Merkle’s subsequently published “puzzles” [36] are equally insecure [21].) We then sketch our 2008 solution for a protocol that is not completely broken [21]. This is achieved by granting similar quantum computation capabilities to one of the legitimate communicating parties.
2.1 Quantum Attack and Partial Remedy
Let us now assume that function f can be computed quantum mechanically on a superposition of inputs. In this case, Merkle’s original protocol is completely compromised by way of Grover’s algorithm [29]. Indeed, this algorithm needs only query the function \(O\big (\sqrt{N^2}\,\big ) = O(N)\) times in order to invert it on any given point of its image, making the cryptanalytic task as easy (up to constant factors) as the legitimate key setup process.^{2}
The eavesdropper, on the other hand, is faced again with the need to invert f on a specific point of its image. Even with a quantum computer, this requires a number of queries to f proportional to the square root of the number of points in its domain [11], which is \(\Omega \big (\sqrt{N^3}\,\big ) = \Omega \big (N^{3/2}\big )\). This is more effort than what is required of the legitimate parties, yet less than quadratically so, as would have been possible in an all-classical world. Even though we have avoided the meltdown of Merkle’s original approach, the introduction of quantum computers available to all sides seems to be to the advantage of the codebreakers. Can we remedy this situation? Furthermore, is any security possible at all against a quantum computer if both legitimate parties are restricted to being purely classical? We address these two questions in the rest of this paper.
3 Improved Quantum Key Establishment Protocol
The adjective negligible describes a function that decreases faster than the inverse of any polynomial. Formally, a function \(\nu : \mathbb {N} \rightarrow \mathbb {R}\) is negligible if for any constant k, there exists \(N_{k}\) such that \(\nu (N) < N^{-k}\) for all \(N\geqslant N_{k}\). A weaker notion is that of vanishing function, which means that for any integer k, there exists \(N_{k}\) such that \(\nu (N) < 1/k\) for all \(N\geqslant N_{k}\), or, said otherwise, \(\nu \) is o(1). In cryptography, we usually strive for bad things to happen with negligible probability, such as the eavesdropper learning the key. Merkle’s original work, however, was conceived in a way that a classical eavesdropper could not recover the secret key, except with vanishing probability, unless she made \(O(N^2)\) queries to the oracle. Yet, a very lucky eavesdropper could recover the key with non-negligible probability (\(1/N^2\)) with a single query to the oracle! Even though Merkle’s protocol can be modified to make the eavesdropper’s success probability negligible, rather than merely vanishing, provided we restrict her to at most \(O(N^2 / \log ^2 N)\) queries [5], we shall be satisfied in this paper if the probability that a suitably bounded adversary can break our protocols is vanishing.
For any positive integer N, let [N] denote the set of integers from 0 to \(N-1\). For simplicity, we shall always take \(N=2^{\ell }\) to be a power of 2 and implicitly equate integer \(i \in [N]\) with the \(\ell \)-bit binary expansion of i seen as a bit string. This makes it possible to consider [N] as a group under the bitwise exclusive-or operation, denoted “ \(\oplus \) ”. In case one or both of i and j are the special symbol “\(\star \)” introduced later, we say that \(i \oplus j\) is undefined, and therefore, it cannot be equal to w, regardless of what w is (not even \(w=\star \)). We describe our novel key establishment protocol assuming the existence of two random oracle functions \(f: [N^3] \rightarrow [N^c]\) and \(t: [N^3] \rightarrow [N^{c'}]\), where c and \(c'\) are constants discussed below. These oracles can be accessed in the usual quantum manner: for any \(x \in [N^3]\) and \(y \in [N^c]\), oracle f sends \(|x,y\rangle \) to \(|x,y \oplus f(x) \rangle \), and it sends superpositions of inputs to the corresponding superpositions of outputs; similarly for function t.
Constant c is chosen large enough so that f is one-to-one (there is no collision in the images of f), except with vanishing probability. An elementary calculation based on Boole’s inequality (aka the union bound) shows that choosing \(c>6\) is sufficient. For simplicity, we shall henceforth disregard events that occur with vanishing probability, in particular the possibility that f not be one-to-one. Constant \(c'\) is chosen large enough to ensure that, except with vanishing probability, the function that maps unordered pairs \(\{a,b\}\) of distinct elements to \(t(a)\oplus t(b)\) is one-to-one. A similar calculation based again on Boole’s inequality, using the fact that \(\oplus \) maps uniformly distributed inputs to uniformly distributed outputs, shows that \(c' > 12\) is sufficient. Again, we shall henceforth assume that this property holds.
Notice that a single binary random oracle (which “implements” a random function from the integers to \(\{0,1\}\)) could be used to define both functions f and t, provided we disregard logarithmic factors in our analyses, since \(O(\log N)\) queries to the binary oracle would suffice to compute f or t on any given input. Indeed, to specify function f using a binary oracle, one needs only \(N^{3} \lg N^{c}\) bits from the binary oracle, where “ \(\lg \) ” denotes the binary logarithm, since each query \(i \in [N^{3}]\) for f requires \(\lg N^{c}\) queries to the binary oracle to construct the integer \(f(i) \in [N^{c}]\). The situation is similar for function t. For this reason, it is understood hereinafter that all our results are implicitly stated “up to logarithmic factors”. Furthermore, multiple function oracles can be encoded using a single binary oracle by prefixing each query with a fixed bit string. For instance, queries starting with “ 0x ” and “ 1x ” can be used to define f(x) and t(x), respectively.
Except in Sect. 6, where we care about computing time, the only resource that we consider in our analyses of efficiency and lower bounds is the number of queries made to these functions or, equivalently up to logarithmic factors, to the underlying binary random oracle.
Protocol 1
1. Alice picks at random N distinct points \(x_0, x_1,\ldots , x_{N-1}\) in the domain of f and transmits their encrypted values \(y_i = f(x_i)\) to Bob. Let \(X=\{x_i \mid 0 \leqslant i < N \}\) be the secret set of Alice and define \(Y= \{y_i \mid 0 \leqslant i < N \}\). Note that Alice knows both X and \(Y\), whereas Bob and the eavesdropper know only Y until they make their own queries to oracle f.
2. Bob finds the preimages x and \(x'\) of two distinct random elements in \(Y\). For this purpose, he applies the BBHT generalization of Grover search twice on function g defined in Eq. (1), as reviewed in Sect. 2.1, using a small variation the second time to make sure that \(x' \ne x\). If \(f(x')\) was transmitted before f(x) at Step 1, Bob swaps x and \(x'\).
3. Bob sends back \(w=t(x) \oplus t(x')\) to Alice.
4. Alice queries oracle t once on each element of X. No further query is required for her to find the two elements \(x_i\) and \(x_j\) in X such that \(0 \leqslant i< j < N\) and \(t(x_i) \oplus t(x_j) = w\).
5. The key shared by Alice and Bob is \((x_i,x_j)\) for Alice and \((x,x')\) for Bob, which is indeed the same under our assumptions on functions f and t.
All counted, Alice makes N classical queries to f in Step 1 and N classical queries to t in Step 4, whereas Bob makes O(N) quantum queries to f in Step 2 and two classical queries to t in Step 3.
3.1 Quantum Attack
All the obvious (and some not so obvious) cryptanalytic attacks against this protocol, such as direct use of Grover’s algorithm (or BBHT), or even more sophisticated attacks based on amplitude amplification [19], require the eavesdropper to query functions f and t a total of \(\Omega (N^2)\) times. However, a more powerful attack based on the paradigm of quantum walks in Markov chains [39] enables the eavesdropper to recover Alice and Bob’s key with an expected \(O\big (N^{5/3}\big )\) queries to f and \(O\big (N^{2/3}\big )\) queries to t. This attack is reminiscent of Ambainis’ quantum algorithm for element distinctness [3], which can find two elements i and j such that \(e(i)=e(j)\) with \(O\big (N^{2/3}\big )\) expected queries to any function e whose domain contains N elements, provided such elements exist.^{4}
Ambainis’ algorithm uses a quantum walk on the Johnson graph J(N, r). This graph is an undirected graph in which each node contains an r-subset of [N], meaning a subset of cardinality r for an appropriate value of r, and there is an edge between two nodes if and only if they differ by exactly one element. Intuitively, we may think of “walking” from one node to an adjacent node by dropping one element and replacing it by another. For the problem of element distinctness, the task is to find a 2-subset \(\{i,j\}\) of [N] such that \(e(i)=e(j)\), provided one exists. The nodes that contain this subset are called marked. However, for a technical reason, our cryptanalytic task requires us to walk on a (modified) Hamming graph instead, in which the nodes contain lists rather than subsets, so that repetitions are allowed and the order in which items are listed matters.
Magniez, Nayak, Roland and Santha have proved a general theorem, showing that quantum search algorithms can be derived from a large class of classical Markov chains [34]. The cost of the resulting quantum algorithm can be written as a function of S, U and C. These are the cost of setting up the quantum register in a state that corresponds to the stationary distribution, updating it unitarily by walking from one node to an adjacent node and checking whether a node is marked in order to flip its phase if it is, respectively.
Theorem 1
Theorem 2
There exists a quantum eavesdropping strategy that obtains the key established in Protocol 1 with \(O\big (N^{5/3}\big )\) expected queries to f and \(O\big (N^{2/3}\big )\) expected queries to t.
Proof
Intuitively, we apply Ambainis’ algorithm for element distinctness with two modifications: (1) instead of looking for \(i \ne j\) such that \(e(i)=e(j)\), we are looking for x and \(x'\) such that \(t(x) \oplus t(x')=w\) and (2) instead of being able to get randomly chosen values in the image of e with a single query to oracle e per value, we need to get random elements of X by applying BBHT on the list \(Y\) and then query t on them, which requires \(O\big (\sqrt{N^3/N}\,\big )=O(N)\) queries to f and one query to t per element. The second modification explains why the number of queries to f, compared to \(O\big (N^{2/3}\big )\) queries to e for element distinctness, is multiplied by O(N). Hence, we need \(O\big (N^{5/3}\big )\) queries to function f. To determine the number of queries required to function t, however, we have to delve deeper into the eavesdropping algorithm.
The composed structure of the problem prevents us from using a quantum walk on the Johnson graph, which was at the core of Ambainis’ algorithm. Instead, we base the eavesdropping algorithm on a quantum walk on the Hamming graph H(X, r), in which X is Alice’s secret set and r is a number to be determined later. The nodes of the Hamming graph are labelled by ordered r-tuples of elements of X. There is an edge between two nodes when they differ on precisely one position. Said otherwise, the Hamming distance between their labels is 1. This graph has been used by Andrew Childs and Robin Kothari to study the quantum query complexity of minor-closed graph properties [24]. These authors have proved that the spectral gap \(\delta \) of this graph is \(\Omega (1/r)\). The quantum search algorithm on the Hamming graph also maintains a data structure at each node consisting of the image of each element of the node label under the random oracle t. In order to implement easily the update step of the quantum walk [34], we need to modify the Hamming graph by adding self-loops on all nodes, which does not change the spectral gap significantly [33]. Therefore, one can think of walking on the graph by replacing a randomly chosen element in the label of the current node by a randomly chosen element of X, thus leading to a self-loop with probability 1 / N.
3.2 Lower Bound
We prove in this section that the preceding quantum attack against our quantum protocol is optimal. This claim is formalized by the following theorem.
Theorem 3
Any quantum eavesdropping strategy that recovers the key established in Protocol 1 requires a total of \(\Omega \big (N^{5/3}\big )\) queries to functions f and t, except with vanishing probability. The vanishing probability is over a typical run of the protocol to establish a key, followed by the execution of an arbitrary quantum cryptanalytic algorithm to discover that key.
Before we undertake the proof of this theorem, it is useful to summarize the task facing the adversary. After receiving a transcript of the protocol, which consists of \(y_0, y_1, \ldots , y_{N-1}\) and w, where each \(y_k=f(x_k)\) for an unknown \(x_k\) and \(w=t(x_i) \oplus t(x_j)\) is a target value for some unknown i and j, she may make queries to functions f and t, after which she must determine \(x_i\) and \(x_j\). Most of her queries to f produce irrelevant random values not appearing in the transcript. Among the relevant queries (hidden in random positions chosen by Alice), she still needs to solve the hard problem of finding two values that sum to w after function t is applied to them. Our proof that this is difficult for the adversary after a typical run of the protocol uses two intermediate problems: H2XOR, which is a “hidden” extension of the 2XOR problem (see Definitions 5 and 4) and a more structured problem called BUC (Bucketed Unique Collision, see Definition 3) for which we prove a worst-case lower bound for quantum query complexity. The “ \(\star \) ” symbol in the intermediate problems stands in for the irrelevant values of the random functions f and t.
1. We define the unique collision problem UC, the search problem pSEARCH and their composition BUC, which is related to the hardness of breaking our protocol;
2. We prove the hardness of BUC in the worst case (Corollary 1 of Theorem 9). For this purpose, we need a new composition theorem for the generalized adversary method, whose precise statement and technical proof are postponed to Sect. 7;
3. We define problems 2XOR and H2XOR, the latter being a hidden version of the former, which are more directly related to the hardness of breaking our protocol;
4. We prove an \(\Omega \left( N^{5/3}\right) \) lower bound on the difficulty of solving \(\textsf {H2XOR }\) on random instances from the hardness of BUC in the worst case (Lemma 2);
5. We reduce H2XOR to the eavesdropping problem against our protocol. More precisely, we show that any attack on our key establishment protocol that would have a non-vanishing probability of success could be turned into an algorithm capable of solving H2XOR on random instances with twice the number of quantum queries (Theorem 3).
Notation 1
For any set X, let \(X^{\star }\) denote \(X \cup \{\star \}\), where “ \(\star \)” is some distinguished symbol that does not belong to X. Any element of X is called a non-\(\star \) element of \(X^{\star }\).
Definition 1
(UC, COLL and ED Problems) Consider arbitrary integers N and \(M \geqslant N\) and a function \(e: [N] \rightarrow [M]\) so that there exist exactly two distinct elements i and j in [N] for which \(e(i) = e(j)\). Such a pair of elements is called a collision. The unique collision problem (UC) consists in finding these elements. Two related problems, called the two-to-one collision problem (COLL) and the element distinctness problem (ED), consist in finding a collision in a two-to-one function and deciding whether or not a given function is one-to-one, respectively.
Lemma 1
The UC problem can be solved with \(O(N^{2/3})\) quantum queries to function e, which is optimal in the worst case.
Proof sketch
Andris Ambainis has given a quantum algorithm [3] capable of solving ED with \(O(N^{2/3})\) quantum queries to function e; the same approach can be used to solve UC with the same efficiency. This algorithm for ED has been proved optimal in the worst case by Scott Aaronson and Yaoyun Shi [1] by reduction from their \(\Omega (N^{1/3})\) lower bound for COLL. A variation on this reduction establishes an \(\Omega (N^{2/3})\) lower bound on UC in the worst case because the restriction of any twotoone function on a random subset of \(\sqrt{N}\) points of its domain has constant probability of having a single collision (see Reduction 1.4 in Ref. [1]). Note that a lower bound on ED does not automatically yield the same lower bound on UC because the hard instances of ED could have been those that have either zero or multiple collisions if all we knew was the lower bound itself. \(\square \)
Note that the lower bound on ED proved in Ref. [1] required \(M \geqslant N^2\). A claim was made by Ambainis that this restriction is not necessary to establish the lower bound [2]. However, the proof given there is incomplete as it would apply only if the lower bound restricted to \(M \geqslant N^2\) had been obtained with the polynomial method, which is not the case since it was obtained by a classical random reduction to COLL. The same applies to our lower bound on UC. Although the proof for the unrestricted case can be fixed [4], we do not need it for our purposes since we shall need to have \(M \geqslant N^2\) for a different reason anyway.
Definition 2
(\(\textsf {pSEARCH }\) Problem) Let M and \(K\) be integers. Consider the set \(P \subset ([M]^{\star })^{K}\) of strings \((a_0, a_1, \ldots , a_{K-1})\) with the promise that exactly one value is non-\(\star \). The problem \(\textsf {pSEARCH }: P \rightarrow [M]\) of size \(K\) consists in finding this non-\(\star \) value by making queries that take i as input and return \(a_i\), \(0 \leqslant i < K\). Unless stated otherwise, we shall use \(K=N^2\).
Grover’s algorithm [29] solves \(\textsf {pSEARCH }\) with \(O\big (\sqrt{K}\,\big ) = O(N)\) queries, and the first-ever lower bound on the power of quantum computing [11] shows that this is optimal in the worst case.
Definition 3
The query complexity of the \(\textsf {BUC }\) problem, as well as the above-mentioned lower bounds on the difficulty of solving the \(\textsf {UC }\) and \(\textsf {pSEARCH }\) problems, are stated and proved according to the usual complexity theoretic worst-case paradigm. This is clearly not what is needed for cryptographic applications. We shall remedy this situation shortly, starting with H2XOR in Lemma 2.
The \(\textsf {BUC }\) search problem is defined as the composition of \(\textsf {UC }\) with \(\textsf {pSEARCH }\). Høyer, Lee and Špalek have proved a composition theorem for the quantum query complexity of such composed functions [31], later improved by Lee, Mittal, Reichardt, Špalek and Szegedy [32]. Unfortunately, those theorems are not applicable in our case because they require the inner function to be Boolean, which \(\textsf {pSEARCH }\) is not.
Therefore, a more general composition theorem (Theorem 9) is needed, whose proof we postpone to Sect. 7 because of its technicality. We derive the statement we need here as Corollary 1 of Theorem 9, used with parameter \(K=N^2\) (the size of the buckets), to obtain a lower bound of \(\Omega (N^{5/3})\) on the worst-case query complexity of \(\textsf {BUC }\).
The security of our key establishment protocol is based directly on neither the \(\textsf {UC }\) problem nor its bucketed version \(\textsf {BUC }\), but rather on the \(\textsf {2XOR }\) problem, or more precisely its “hidden” version \(\textsf {H2XOR }\), both of which we now proceed to define.
Definition 4
(\(\textsf {2XOR }\) Problem) Consider arbitrary integers N and M, a non-zero target \(w \in [M]\) and a one-to-one function \(\xi : [N] \rightarrow [M]\) so that there exist exactly two distinct elements i and j in [N] for which \(\xi (i) \oplus \xi (j) =w\). Such a pair of elements is called a w-collision. The \(\textsf {2XOR }\) problem consists in finding these elements. The couple \((w,\xi )\) is called an NM-instance of this problem. A couple \((w,\xi )\) such that \(\xi \) is not one-to-one or there are either no w-collisions, or more than one, will be called an invalid “instance”.
It is elementary to adapt Ambainis’ algorithm [3] for \(\textsf {ED }\) in order to solve the \(\textsf {2XOR }\) problem with \(O\big (N^{2/3}\big )\) quantum queries to function \(\xi \), a fact that we do not actually need. Furthermore, it follows from Aaronson and Shi’s matching lower bound [1] that \(\textsf {2XOR }\) cannot be solved with fewer than \(\Omega \big (N^{2/3}\big )\) quantum queries in the worst case. Rather than proving this last statement (which we do not need either), we prove below the difficulty of uniformly distributed random instances of a problem more directly relevant to the analysis of our key establishment protocol.
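As an added illustration of Definition 4 (this is example code written for this page, not code from the paper): a classical validity check for an NM-instance \((w,\xi )\) of \(\textsf {2XOR }\), a rejection sampler that produces valid instances, and the classical hash-map solver that needs N queries to \(\xi \), which is the baseline the \(O\big (N^{2/3}\big )\) quantum bound improves on. The function names and the parameters N = 64, M = 4096 and the seed are choices made for this example; \(\xi \) is represented as a list indexed by i.

```python
import random


def is_valid_2xor_instance(w, xi):
    """Definition 4 check: xi[i] = ξ(i) must be one-to-one, w must be non-zero, and exactly
    one unordered pair {i, j} with xi[i] ^ xi[j] == w may exist.
    Returns (True, (i, j)) with i < j for a valid instance, (False, None) otherwise."""
    if w == 0 or len(set(xi)) != len(xi):
        return False, None
    position = {v: i for i, v in enumerate(xi)}      # value -> index, well defined as xi is injective
    pairs = set()
    for i, v in enumerate(xi):
        j = position.get(v ^ w)                      # partner of i, if any
        if j is not None and j != i:
            pairs.add((min(i, j), max(i, j)))
    if len(pairs) != 1:                              # no w-collision, or more than one
        return False, None
    return True, pairs.pop()


def sample_2xor_instance(N, M, rng):
    """Rejection-sample a valid NM-instance: draw ξ uniformly among one-to-one functions,
    let w be the xor of two random images, and keep (w, ξ) only if that is its unique
    w-collision. Assumes M >= N so that a one-to-one ξ exists."""
    while True:
        xi = rng.sample(range(M), N)
        i, j = rng.sample(range(N), 2)
        w = xi[i] ^ xi[j]                             # non-zero because xi[i] != xi[j]
        if is_valid_2xor_instance(w, xi)[0]:
            return w, xi


def solve_2xor_classically(w, oracle, N):
    """Classical solver with N queries to ξ (called through `oracle`): remember every image
    seen and stop as soon as the partner v ^ w of the current image has been seen before."""
    seen = {}
    for i in range(N):
        v = oracle(i)
        j = seen.get(v ^ w)
        if j is not None:
            return (j, i)                             # j < i since j was queried earlier
        seen[v] = i
    return None                                       # only reachable on an invalid instance


def demo(N=64, M=4096, seed=3):
    """Sample a valid instance, solve it classically and cross-check with the validator."""
    rng = random.Random(seed)                         # seeded only for reproducibility
    w, xi = sample_2xor_instance(N, M, rng)
    solution = solve_2xor_classically(w, xi.__getitem__, N)
    valid, pair = is_valid_2xor_instance(w, xi)
    return valid, pair, solution


if __name__ == "__main__":
    print(demo())
```

With N = 64 and M = 4096 the expected number of additional pairs whose images xor to w is about \(\binom{64}{2}/4096 \approx 0.5\), so the sampler accepts a constant fraction of its draws; the validator is the same O(N) scan as the solver, which is why the classical query complexity of \(\textsf {2XOR }\) is linear and the interesting question is the quantum one.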
Definition 5
Intuitively, given any NM-instance \((w,\xi )\) of the \(\textsf {2XOR }\) problem, a corresponding instance of \(\textsf {H2XOR }\) consists in “hiding” the image of \(\xi \) among \(N^3-N\) uninformative \(\star \) symbols in positions specified by the a priori unknown values of \(z_0, z_1,\ldots , z_{N-1}\). The inherent difficulty of solving the \(\textsf {2XOR }\) problem is therefore exacerbated by the difficulty of accessing the instance itself. The purpose of the intriguing first coordinate \([N]^{\star }\) in the image of \(h\) will become clear in the proof of Theorem 3.
We are now ready to prove that the \(\textsf {H2XOR }\) problem is difficult (in terms of query complexity) not only in the worst case but also on uniformly distributed random instances. (Note that the simpler \(\textsf {2XOR }\) problem is also difficult on uniformly distributed random instances, but this is a fact that we do not need and therefore do not prove.)
Lemma 2
Any quantum algorithm that attempts to solve the \(\textsf {H2XOR }\) problem with as few as \(o\big (N^{5/3}\big )\) quantum queries in the worst case, for parameters N and \(M \geqslant N^c\) with \(c>2\), will succeed with vanishing probability on a uniformly distributed random instance.
Proof
Consider an arbitrary quantum algorithm \({\mathcal {A}}\) to solve the H2XOR problem. As usual in quantum query complexity, the algorithm is given in the form of a uniform family of quantum circuits, one for each value of N.^{5} Each circuit alternates between arbitrary oracle-independent unitary transformations and oracle queries. Let \(p>0\) and q(N) be so that this algorithm succeeds with probability at least p on a random instance of H2XOR after at most q(N) quantum queries. Even though \({\mathcal {A}}\) may only be designed to work on valid instances of H2XOR, nothing prevents us from running it on an invalid “instance”, in particular if no w-collisions exist in \(h\). In that case, \({\mathcal {A}}\) will obviously fail, but it will nevertheless do so after at most q(N) queries.
Now, we proceed by a reduction of BUC to H2XOR. More specifically, we show how to transform an arbitrary instance of BUC into a uniformly distributed instance of H2XOR, conditioned on an event whose probability is very close to \(\nicefrac 12\), in such a way that a solution to the H2XOR instance provides a solution to the original BUC instance. It follows that the worst-case quantum query complexity lower bound for BUC proved in Corollary 1 of Theorem 9 translates to essentially the same quantum query complexity lower bound for H2XOR, but on uniformly distributed random instances.
However, it could be that \((w,h)\) is an invalid “instance” of \(\textsf {H2XOR }\). This could happen if SPLIT did not occur, in which case there is most likely no w-collision in \(h\) (and if there is one, it is spurious). Even if SPLIT occurs, which guarantees the existence of at least one w-collision, \((w,h)\) would be an invalid “instance” of \(\textsf {H2XOR }\) if and only if there exist r and s in \([N] \times [N^2]\) such that \(\tau (b(r)) \oplus \tau (b(s)) = w\), for one of two possible reasons: if \({\mathcal {L}} (\pi _1(r)) = {\mathcal {L}} (\pi _1(s))\), this creates a spurious w-collision in \(h\), whereas otherwise the instance of the 2XOR problem hidden in function \(h\) is not one-to-one. The probability of any such occurrence is vanishing because \(M \geqslant N^c\) for \(c>2\) and \(\tau \) randomizes the values in the second coordinate of the range of \(h\). Since it is impossible to determine efficiently whether we have produced a valid instance of H2XOR, it could happen that we call algorithm \({\mathcal {A}}\) on an invalid \((w,h)\). This has no other consequence than to reduce the success probability by a constant factor, as we analyse in the next paragraph.
Define event VALID to mean that \((w,h)\) is a valid instance of the \(\textsf {H2XOR }\) problem. The reader can verify that, conditioned on both SPLIT and VALID, this process generates a uniformly distributed instance of H2XOR. Furthermore, the probability of SPLIT is exactly \(\nicefrac 12\) and the probability that VALID fails is vanishing conditioned on SPLIT. Putting it all together, this algorithm produces a uniformly distributed instance of H2XOR with probability at least \(\nicefrac 12 - o(1)\), which by hypothesis is solved by \({\mathcal {A}}\) with at most q(N) queries to \(h\) and correctness probability at least p. This yields an algorithm for BUC on an arbitrary instance \(b\), using O(q(N)) queries to \(b\), which is correct with non-vanishing probability at least \((\nicefrac 12 - o(1))\,p\). Since solving BUC requires \(\Omega \big (N^{5/3}\big )\) quantum queries in the worst case according to Corollary 1 (with parameter \(K=N^2\)), it follows that algorithm \({\mathcal {A}}\) also requires \(\Omega \big (N^{5/3}\big )\) quantum queries in order to solve \(\textsf {H2XOR }\) with non-vanishing probability on a uniformly distributed random instance. \(\square \)
We are now ready to return to the main theorem of this section, which concerns the cryptanalytic difficulty of breaking our key establishment protocol, and prove its security.
Proof of Theorem 3
Consider any eavesdropping strategy \({{\mathcal {A}}}\) that listens to the communication between Alice and Bob and tries to determine the key by querying functions f and t. In fact, there are no Alice and Bob at all! Instead, there is an instance \((w,h)\) of H2XOR, hiding an instance \((w,\xi )\) of 2XOR according to Eq. (2), which we want to solve by using unsuspecting \({{\mathcal {A}}}\) as a resource.
We start by supplying \({{\mathcal {A}}}\) with a completely fake “conversation” between “Alice” and “Bob”: for sufficiently large c and \(c'\), we randomly choose N points \(y_0\), \(y_1\),..., \(y_{N-1}\) in \([N^c]\) and we pretend that Alice has sent the y’s to Bob, who responded with the w from the instance of H2XOR that we want to solve. We also choose random functions \(\hat{f}: [N^3] \rightarrow [N^c]\) and \(\hat{t}: [N^3] \rightarrow [N^{c'}]\). Note that the selection of \(\hat{f}\) and \(\hat{t}\) may take a lot of time, but this does not count towards the number of queries that will be made to function \(h\), and our lower bound on the search problem concerns only this number of queries. We could be tempted to choose the values of \(\hat{f}\) and \(\hat{t}\) randomly on the fly, whenever they are needed, but this is not an option for a quantum process because the values returned must be consistent whenever the same input is queried in different paths of the superposition.
Each time \({{\mathcal {A}}}\) queries f or t at some input x (possibly in superposition), we make one query to \(h\) at x and answer as follows.
• If \(h(x)=(\star ,\star )\), return \(\hat{f}(x)\) and \(\hat{t}(x)\) to \({{\mathcal {A}}}\) as the values of f(x) and t(x), respectively. In this case, we say that x is irrelevant.
• Otherwise, let i be such that \(h(x)=(i,\xi (i))\) and return \(y_i\) and \(\xi (i)\) to \({{\mathcal {A}}}\) as the values of f(x) and t(x), respectively. Intuitively, such an f(x) corresponds to a relevant query in the simulated protocol.
Suppose \({{\mathcal {A}}}\) happily returns the pair \((x,x')\) such that \(t(x) \oplus t(x')=w\), which is what a successful eavesdropper is supposed to do. We return this pair, which is also a solution to our instance \((w,h)\) of H2XOR, except with the vanishing probability that \(\hat{t}(\tilde{x}) \oplus \hat{t}(\tilde{x}')=w\) for some irrelevant queries \(\tilde{x}\) and \(\tilde{x}'\) that \({{\mathcal {A}}}\) made to t.
To analyse the correctness of this reduction, we need to show that, given a random instance \((w,h)\) of H2XOR, it produces a random instance of the cryptanalytic task that \({{\mathcal {A}}}\) is purported to solve. Notice that the functions f and t, as seen by \({{\mathcal {A}}}\), are identical to the random functions \(\hat{f}\) and \(\hat{t}\), except in N positions, where they are consistent with the \(y_i\) and the corresponding \(\xi (i)\), respectively. The values \(y_i\) are chosen at random; hence, f is random. However, since \((w,h)\) is a valid instance of H2XOR, the random values of \(\xi (i)\) hidden in \(h\) are all distinct; therefore, they are not fully independent. Nevertheless, the statistical distance between the resulting distribution on t and the uniform distribution is vanishing, since under the uniform distribution the probability of a collision among any N fixed positions of t would be vanishing.
Therefore, the environment provided to \({{\mathcal {A}}}\) in this simulation is the same as in the cryptanalytic context, except with vanishing probability. Since we also disregard the vanishing possibility that there might exist a spurious solution \(t(\tilde{x}) \oplus t(\tilde{x}')=w\), which \({{\mathcal {A}}}\) might happen upon, the reduction solves the search problem concerning \(h\) whenever \({{\mathcal {A}}}\) succeeds in finding the key. Notice finally that each (new) query made by \({{\mathcal {A}}}\) to either f or t translates into one query to \(h\).
It follows that any successful cryptanalytic strategy that makes \(o\big (N^{5/3}\big )\) total queries to f and t would solve the search problem with only \(o\big (N^{5/3}\big )\) queries to \(h\), which is impossible, except with vanishing probability, according to Lemma 2. This demonstrates the \(\Omega \big (N^{5/3}\big )\) lower bound on the cryptanalytic difficulty of breaking our key establishment protocol on a typical run, again except with vanishing probability. \(\square \)
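To see the simulation at the heart of this proof concretely, here is a classical dry run of it, added as an illustration and not taken from the paper. It builds a random \(\textsf {H2XOR }\) instance in the encoding read off the two cases above (a one-to-one \(\xi \) hidden at N random positions of \([N^3]\), with the symbol \(\star \) represented by None), answers an eavesdropper’s f and t queries out of \(h\) exactly as described, counts the distinct \(h\) positions read, and checks that the returned pair solves the instance. The eavesdropper plugged in is a deliberately naive brute-force one standing in for an arbitrary \({{\mathcal {A}}}\); N = 4, c = 5, \(c' = 14\) and the seed are arbitrary toy choices, with \(c'\) taken large so that spurious pairs among irrelevant positions are practically ruled out.

```python
"""Classical dry run of the oracle simulation from the proof of Theorem 3.

An eavesdropper E expects a transcript (y_0..y_{N-1}, w) plus oracle access to
f:[N^3]->[N^c] and t:[N^3]->[N^c'].  We never run the protocol: E's queries are
answered out of an H2XOR instance (w, h) and E's answer is mapped back to a
solution of that instance.  Added example; constants and the brute-force
eavesdropper are constructed here for illustration only.
"""
import random

STAR = None  # plays the role of the uninformative symbol ⋆


def make_h2xor_instance(N, M, rng):
    """Random H2XOR instance (w, h): a one-to-one xi:[N]->[M] whose images are
    hidden at N random positions z_0..z_{N-1} of [N^3]; h is (⋆,⋆) elsewhere."""
    xi = rng.sample(range(M), N)                  # distinct values => one-to-one
    i, j = rng.sample(range(N), 2)
    w = xi[i] ^ xi[j]                             # the planted w-collision
    z = rng.sample(range(N ** 3), N)              # hidden positions
    table = [(STAR, STAR)] * (N ** 3)
    for idx, pos in enumerate(z):
        table[pos] = (idx, xi[idx])               # h(z_idx) = (idx, xi(idx))
    return w, table


def reduce_eavesdropper_to_h2xor(N, c, c_prime, w, h_table, eavesdropper, rng):
    """Run `eavesdropper(ys, w, f, t)` inside the simulated environment.

    Returns (pair, valid, h_queries): E's answer, whether it is a genuine
    solution of (w, h), and how many distinct inputs of h were read."""
    ys = [rng.randrange(N ** c) for _ in range(N)]               # fake "Alice -> Bob" message
    f_hat = [rng.randrange(N ** c) for _ in range(N ** 3)]       # fixed up front, so that
    t_hat = [rng.randrange(N ** c_prime) for _ in range(N ** 3)]  # answers stay consistent
    seen = {}                                   # distinct positions of h read so far

    def h(x):                                   # the only oracle the reduction may query
        if x not in seen:
            seen[x] = h_table[x]
        return seen[x]

    def f(x):                                   # simulated f: y_i on relevant x, f_hat elsewhere
        i, _ = h(x)
        return f_hat[x] if i is STAR else ys[i]

    def t(x):                                   # simulated t: xi(i) on relevant x, t_hat elsewhere
        i, v = h(x)
        return t_hat[x] if i is STAR else v

    result = eavesdropper(ys, w, f, t)
    if result is None:
        return None, False, len(seen)
    x, x_prime = result
    (i, v), (j, v_prime) = h(x), h(x_prime)
    valid = i is not STAR and j is not STAR and i != j and (v ^ v_prime) == w
    return (x, x_prime), valid, len(seen)


def brute_force_eavesdropper(ys, w, f, t):
    """Generic, expensive classical attacker: read t on all of [N^3] and look for
    a pair with t(x) xor t(x') = w using a hash table (the idea of Theorem 6)."""
    domain = len(ys) ** 3
    by_value = {}
    for x in range(domain):
        by_value.setdefault(t(x), []).append(x)
    for x in range(domain):
        for x_prime in by_value.get(t(x) ^ w, []):
            if x_prime != x:
                return (min(x, x_prime), max(x, x_prime))
    return None


def demo(N=4, c=5, c_prime=14, seed=1):
    """Build an instance, run the reduction with the brute-force attacker."""
    rng = random.Random(seed)
    w, h_table = make_h2xor_instance(N, N ** c, rng)
    return reduce_eavesdropper_to_h2xor(N, c, c_prime, w, h_table,
                                        brute_force_eavesdropper, rng)
```

The brute-force attacker reads every position of t, so the reduction reads all \(N^3\) positions of \(h\): the query accounting is exactly one \(h\) query per new f or t query, which is the only quantity the lower bound cares about.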
4 Fully Classical Key Establishment Protocol
In this section, we revert to the original setting imagined by Merkle in the sense that Alice and Bob are now purely classical. However, we still allow full quantum power to the eavesdropper. Recall that Merkle’s original protocols [35, 36] are completely broken in this context [21]. Is it possible to restore some security in this highly adversarial (and unfair!) scenario? The following purely classical key establishment protocol, which is inspired by our quantum protocol described in the previous section, provides a positive answer to this conundrum.
This time, random oracle functions f and t are defined on a smaller domain (\(N^2\) instead of \(N^3\)) to compensate for the fact that classical Bob can no longer use the BBHT algorithm [15]. Specifically, \(f:[N^2]\rightarrow [N^c]\) and \(t:[N^2] \rightarrow [N^{c'}]\), with \(c>4\) and \(c'>8\) for reasons similar to those explained at the beginning of Sect. 3.
Protocol 2
 1.
Alice picks at random N distinct points \(x_0, x_1,\ldots , x_{N-1}\) in the domain of f and transmits their encrypted values \(y_i = f(x_i)\) to Bob. Let X and Y denote \( \{x_i \mid 0 \leqslant i < N \}\) and \( \{y_i \mid 0 \leqslant i < N \}\), respectively.
 2.
Bob finds the preimages x and \(x'\) of two distinct random elements in \(Y\). To find each one of them, he chooses random values in \([N^2]\) and applies f to them until one is found whose image is in \(Y\). He is expected to succeed after O(N) queries to f. If \(f(x')\) was transmitted before f(x) at Step 1, Bob swaps x and \(x'\). Until now, this is almost identical to Merkle’s original protocol, except for the fact that Bob needs to find two elements of \(X\) rather than one.
 3.
Bob sends back \(w=t(x) \oplus t(x')\) to Alice.
 4.
Alice queries oracle t once on each element of X. No further query is required for her to find the two elements \(x_i\) and \(x_j\) in X such that \(0 \leqslant i< j < N\) and \(t(x_i) \oplus t(x_j) = w\).
 5.
The key shared by Alice and Bob is \((x_i,x_j)\) for Alice and \((x,x')\) for Bob, which is indeed the same.
All counted, Alice makes N queries to f in Step 1 and N queries to t in Step 4, whereas Bob makes O(N) expected queries to f in Step 2 and two queries to t in Step 3. The total expected number of classical queries to f and t is therefore in O(N) for both legitimate parties.
4.1 Quantum Attack
Theorem 4
There exists a quantum eavesdropping strategy that obtains the key established in Protocol 2 with \(O(N^{7/6})\) expected queries to f and \(O(N^{2/3})\) expected queries to t.
Proof
4.2 Lower Bound
The proof that it is not possible for the eavesdropper to find the key with fewer than a total of \(\Omega \big (N^{7/6}\big )\) queries to f and t, except with vanishing probability, follows the same lines as the lower bound proof in Sect. 3.2. It is therefore possible for purely classical Alice and Bob to agree on a shared key after querying f and t an expected number of times in the order of N, whereas it is not possible, even for a quantum eavesdropper, to be privy to their secret with an effort in the same order, except with vanishing probability.
Theorem 5
Any quantum eavesdropping strategy that recovers the key established in Protocol 2 requires a total of \(\Omega \big (N^{7/6}\big )\) queries to functions f and t, except with vanishing probability. The vanishing probability is over a typical run of the protocol to establish a key, followed by the execution of an arbitrary quantum cryptanalytic algorithm to discover that key.
5 Generalized Protocols
In Sects. 3 and 4, we presented a quantum and a classical protocol for key establishment over a classical channel. In both of them, Bob finds the preimages x and \(x'\) for f of two distinct elements sent by Alice, and he sends her back \(t(x)\oplus t(x')\), which allows Alice to recover both x and \(x'\). A natural generalization of these protocols is for Bob to find k preimages, for some constant \(k \geqslant 2\), and send back to Alice the bitwise exclusive-or of the values of t applied to each one of them. Once Alice has recovered the k preimages found by Bob (we must increase the range of function t appropriately in order to ensure the uniqueness of the solution, except with vanishing probability), both Alice and Bob reorder them to reflect the order in which the images had been transmitted from Alice to Bob at the beginning of the protocol. The resulting k-tuple is the shared secret key. This generalization leads to a sequence of quantum and classical protocols, denoted \(Q_k\) and \(C_k\), respectively, with \(Q_2\) and \(C_2\) being Protocols 1 and 2 from the previous sections. These protocols still require Alice to make exactly N classical queries each to functions f and t, whereas Bob makes O(kN) expected quantum or classical queries to f (depending on whether we are considering \(Q_k\) or \(C_k\)) and exactly k classical queries to t, which are simply O(N) and O(1) queries, respectively, because k is a constant.
Theorems 2 and 4 apply mutatis mutandis to show that quantum cryptanalytic attacks based on quantum walks on modified Hamming graphs succeed after \(O(N^{1+k/(k+1)})\) expected queries to f and \(O(N^{k/(k+1)})\) expected queries to t against Protocol \(Q_k\), and \(O(N^{\nicefrac 12+k/(k+1)})\) expected queries to f and \(O(N^{k/(k+1)})\) expected queries to t against Protocol \(C_k\). For arbitrarily small \(\varepsilon \), these attacks take a total number of queries in \(O(N^{2-\varepsilon })\) and \(O(N^{\nicefrac 32-\varepsilon })\) against the quantum and classical protocols, respectively, provided k is sufficiently large.
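Spelling out the exponents (an added check, not part of the original text): in both cases the queries to f dominate, since \(k/(k+1) < 1 + k/(k+1)\), and
\[
1+\frac{k}{k+1} = 2-\frac{1}{k+1}, \qquad \frac{1}{2}+\frac{k}{k+1} = \frac{3}{2}-\frac{1}{k+1},
\]
so the total cost of the attack is \(O\big (N^{2-1/(k+1)}\big )\) against \(Q_k\) and \(O\big (N^{\nicefrac 32-1/(k+1)}\big )\) against \(C_k\). Given \(\varepsilon > 0\), any constant \(k \geqslant 1/\varepsilon - 1\) makes \(1/(k+1) \leqslant \varepsilon \), which is the “sufficiently large k” of the statement. For \(k=2\) the exponents are \(5/3\) and \(7/6\), as in Theorems 2 and 4; for \(k=3\) they are \(7/4\) and \(5/4\), the former being the adversary’s bound listed for \(Q_3\) in Table 1.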
The proof that these attacks are optimal against our generalized protocols is considerably more elaborate for the case \(k>2\) than when \(k=2\), corresponding to Theorem 3 for \(Q_2\) and Theorem 5 for \(C_2\). The problem k-SUM, which is a natural generalization of 2XOR, was shown to be hard in the worst case by Belovs and Špalek [9]. However, there is no known way to prove a quantum lower bound on the difficulty of the k-SUM problem on uniformly distributed random instances by a reduction from its difficulty in the worst case. Therefore, completely new tools had to be developed (with different coauthors) to prove the security of the generalized protocols, and hence conclude that Merkle’s approach can be made essentially as secure in an all-quantum world as the original was in an all-classical world, since our generalized protocols re-establish an arbitrarily close to quadratic security. This will be the topic of a follow-up paper whose preliminary version is in Ref. [8].
6 Practical Aspects of Our Protocols
In Sects. 3 to 5, we only counted the number of queries as a measure of complexity. In this section, we address the issue of whether the legitimate players have time-efficient strategies, as well as other “practical” considerations. It is important to understand that we do not claim that our protocols are actually practical, but only that some aspects of them can be made more realistic. After all, Merkle’s original protocols [35, 36] have never been deployed in real life, and this is obviously not because they are broken by Grover’s algorithm [21]! Certainly, a very serious obstacle to the deployment of Merkle’s protocols, which we do not address here, is the large amount of communication they may intrinsically require between the legitimate parties [30].
In any real implementation of our protocols, the random oracles would have to be replaced by quantum-resistant one-way functions, whose existence has not been established (and would require at the very least a proof that \(\textsf {NP} \not \subseteq \textsf {BQP}\)). Furthermore, even if we had such functions, the proofs of security for our protocols would not automatically carry through because of composability issues [22]. On the other hand, one might have objected to the notion of making queries in superposition to an oracle, whereas there are no issues about quantum computing a function on a superposition of inputs when it is specified by a quantum circuit. In any case, we shall assume in this section that functions f and t from our protocols can be computed in constant time. If this is not the case, the time required by all parties is the number of queries multiplied by the time it takes to compute these functions. An unfair case, which we do not consider here, may occur if these functions can be computed more efficiently on a quantum computer and only the eavesdropper is endowed with one.
All our protocols share the same three-step structure.
• Alice picks N points at random and sends the set Y of their images under function f to Bob.
• Bob searches for a set of preimages of a given size using either a classical or a quantum strategy, and sends it back to Alice, encoded.
• Alice recovers Bob’s set, which becomes the key under a canonical ordering.
For the second step, we showed that Bob needs only O(N) expected queries per preimage, whether he is participating in the classical or quantum protocol. However, he may require an additional \(\log N\) factor in terms of time because each query (whether or not in superposition) is followed by a binary search to check for membership in \(Y\), as already mentioned in footnote 3 of Sect. 2.1. Thus, even though Bob needs only O(N) queries, this translates into \(O(N \log N)\) time. In the case of classical protocols, Bob can use universal hashing [23] to build a table for Y in O(N) expected time, and then use it in constant expected time per search, so that his total expected time remains in O(N). However, there is no obvious way to extend the use of universal hashing to the quantum protocols because all possible queries would be launched on the hash table in superposition, so that we would need good hashing performance in the worst case rather than in the expected sense. It turns out that a slight variation on our quantum protocols can guarantee a worst-case linear-time effort for Bob, as we now explain after a brief detour concerning a seldom recognized practical issue involving quantum memories.
Our quantum protocols require Bob to use a quantum memory to run the BBHT algorithm in his search for random elements of Alice’s set X. Consider for instance the specific description of Step 2 in Protocol 1. It involves O(N) Grover iterations. Each iteration involves a single call to g, as defined in Eq. (1), which itself involves one query to f (in a superposition of inputs), followed by a test of membership in \(Y\) of the output of f. This test requires the use of a memory of size N to hold \(Y\), which must be accessible in a quantum superposition of its addresses (called a QRAM [27]) because f is queried in a superposition of all possible inputs (with non-uniform amplitudes in general) during each Grover iteration inside the BBHT algorithm. The use of such quantum memories has been a mostly unchallenged standard practice in quantum algorithmics at least since the 1997 paper of Ref. [20], but Daniel Bernstein objected as early as 2009 [13]. In the legitimate protocols presented here (but not in their cryptanalytic attacks), it suffices to have a memory that is loaded once with classical values (the elements of set Y) and never needs to be updated once the quantum part of Bob’s process, BBHT, has been launched: this is in fact a QROM, which could be easier to implement than a QRAM. Nevertheless, Dominique Unruh pointed out that it may be unfair to count such quantum memory accesses at unit or even logarithmic cost in the memory size [41]. Be that as it may, quantum memories would likely be one of the most technologically challenging aspects of deploying our protocols, and therefore it would be preferable if their need could be avoided [6].
We can modify our quantum protocols to remove any need for quantum memories, yet without compromising their security. We only sketch here the modifications that are needed for Protocol 1; the corresponding modifications for the generalized protocols outlined in Sect. 5 are identical, mutatis mutandis. Instead of having two functions \(f: [N^3] \rightarrow [N^c]\) and \(t: [N^3] \rightarrow [N^{c'}]\), we need 2N functions \(f_i: [N^2] \rightarrow [N^c]\) and \(t_i: [N^2] \rightarrow [N^{c'}]\), for \(0 \leqslant i < N\). The first step of the protocol is the same, except that Alice defines each \(y_i\) as \(f_i(x_i)\). In the second step, Bob chooses two indices \(i<j\) at random in [N]. He uses the standard Grover algorithm (there is no need for BBHT anymore) to find preimages \(x=x_i\) and \(x'=x_j\) of \(y_i\) and \(y_j\) under \(f_i\) and \(f_j\), respectively. This requires \(O\big (\sqrt{N^2}\,\big )=O(N)\) Grover iterations, without any need for a quantum memory or for an additional logarithmic factor in the time analysis. The rest of the protocol is unchanged, except of course that Bob computes w as \(t_i(x) \oplus t_j(x')\) and that Alice queries \(t_{\ell }\) on each of her \(x_{\ell }\). Note that this modified protocol is more similar to Merkle’s published “puzzles” [36], whereas the protocols we had described thus far are closer in spirit to Merkle’s original unpublished idea [35].
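As an added check on the iteration count (example code, not from the paper), the following pure-Python state-vector simulation runs plain Grover search for Bob’s step in this memory-free variant: the predicate is \(f_i(x) = y_i\), so the oracle compares one function value with one constant and no table of Y has to be addressed in superposition. Here \(f_i\) is sampled injective on \([N^2]\) so that \(y_i\) has exactly one preimage, and N = 8, c = 5 and the seed are arbitrary toy values; the simulation is exponential in the number of qubits and is only meant for tiny N.

```python
"""State-vector simulation of Bob's Grover search over [N^2] in the memory-free
variant of Protocol 1.  Added example, not code from the paper; only for tiny N."""
import math
import random


def grover_preimage(f_i, y_i, domain_size, iterations):
    """Simulate `iterations` Grover iterations for the predicate f_i(x) == y_i.

    Returns (success_probability, marked), where `marked` lists the x with
    f_i(x) == y_i.  The oracle compares against the single constant y_i, so no
    QRAM/QROM holding Alice's set Y is involved."""
    marked = [x for x in range(domain_size) if f_i(x) == y_i]
    amp = [1.0 / math.sqrt(domain_size)] * domain_size     # uniform superposition
    for _ in range(iterations):
        for x in marked:                                    # oracle: phase flip on solutions
            amp[x] = -amp[x]
        mean = sum(amp) / domain_size                       # diffusion: reflect about the mean
        amp = [2.0 * mean - a for a in amp]
    return sum(amp[x] ** 2 for x in marked), marked


def bob_search(N, c=5, seed=3):
    """Draw an injective f_i:[N^2]->[N^c] and y_i = f_i(x_i), then run the
    canonical floor(pi/4 * sqrt(N^2)) = O(N) Grover iterations."""
    rng = random.Random(seed)
    domain_size = N * N
    values = rng.sample(range(N ** c), domain_size)          # distinct values => injective f_i
    f_i = lambda x: values[x]
    x_i = rng.randrange(domain_size)                         # Alice's secret point
    y_i = f_i(x_i)                                           # what Bob receives
    iterations = math.floor(math.pi / 4 * math.sqrt(domain_size))
    prob, marked = grover_preimage(f_i, y_i, domain_size, iterations)
    return {"x_i": x_i, "marked": marked, "iterations": iterations,
            "success_probability": prob,
            "classical_expected_queries": domain_size / 2}
```

For N = 8 the search runs over 64 candidates, uses 6 Grover iterations (each one query to \(f_i\)) and measures \(x_i\) with probability above 0.99, against an expected 32 classical queries; the closed form \(\sin ^2((2k+1)\theta )\) with \(\sin \theta = 1/N\) gives the same number.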
Let us now turn our attention to the final process by which Alice recovers the key from the information she had kept and the information she has received from Bob. Let us first consider Protocols 1 and 2, although the modified Protocol 1 described above can be handled in exactly the same way. Recall that Alice needs only N queries to function t since it suffices for her to obtain once each value of \(t(x_i)\) and store them in a classical memory for future use. However, it may seem at first that she will need \(\Omega (N^2)\)time to try a significant proportion of all the possible pairs among the N stored values of \(t(x_i)\) before hitting upon two elements that exclusiveor to the value w received from Bob. This would obviously be intolerable. We now show that Alice can find the key time efficiently in these protocols.
Theorem 6
Given w, Alice can use a classical algorithm to find two elements x and \(x'\) in X such that \(t(x) \oplus t(x')=w\) in worstcase \(O(N \log N)\) time or in expected O(N) time.
Proof
By querying t once on each element of X, Alice forms \(Z = \{t(x) \oplus w \mid x \in X\}\) and she sorts it in \(O(N \log N\)) time. Now, it suffices for her to try each value of \(t(x')\), \(x' \in X\), until one is found that belongs to Z. By definition of Z, there will be an \(x \in X\) so that \(t(x') = t(x) \oplus w\), which implies that \(t(x) \oplus t(x')=w\) as required. Each of the (at most) N search operations is carried out in \(O(\log N)\) time by virtue of using binary search, for a total of \(O(N \log N)\) time in the worst case. Alternatively, Alice can use universal hashing [23] to build a table for Z in O(N) expected time, and then search it in expected constant time per element of the form \(t(x')\), \(x' \in X\), for a total of O(N) expected time. \(\square \)
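The following toy implementation of Protocol 2, with Alice’s Step 4 done as in the hash-table variant of this proof, is an added example and not the paper’s code. The random oracles are lazily sampled dictionaries, which for classical (non-superposition) queries is equivalent to fixing random functions in advance; they also count queries so that the accounting of Sect. 4 can be checked. The parameters c = 8 and \(c' = 12\) exceed the paper’s minimum requirements \(c>4\), \(c'>8\) so that a run with N = 16 is collision-free in practice; N, the exponents and the seed are arbitrary toy choices.

```python
"""Toy run of Protocol 2 (classical Alice and Bob) with Alice's last step
implemented as in the proof of Theorem 6 (hash table, expected O(N) time).
Added example, not code from the paper."""
import random


class RandomOracle:
    """Random function [domain] -> [range_size]; the first query at x fixes f(x)."""

    def __init__(self, rng, range_size):
        self.rng, self.range_size = rng, range_size
        self.table = {}          # distinct inputs queried so far
        self.calls = 0           # total number of queries

    def __call__(self, x):
        self.calls += 1
        if x not in self.table:
            self.table[x] = self.rng.randrange(self.range_size)
        return self.table[x]


def alice_step1(f, N, rng):
    """Step 1: N distinct points of [N^2]; Alice sends y_i = f(x_i), in order."""
    xs = rng.sample(range(N * N), N)
    return xs, [f(x) for x in xs]


def bob_steps2_3(f, t, ys, N, rng):
    """Steps 2-3: sample [N^2] until two distinct elements of Y are hit (expected
    O(N) queries to f), order the preimages by transmission order, compute w."""
    index_of = {y: i for i, y in enumerate(ys)}      # membership test for Y
    found = {}                                       # position in Y -> preimage
    while len(found) < 2:
        x = rng.randrange(N * N)
        i = index_of.get(f(x))
        if i is not None:
            found[i] = x
    (_, x), (_, x_prime) = sorted(found.items())     # earlier-transmitted one first
    return t(x) ^ t(x_prime), (x, x_prime)


def alice_step4(t, xs, w):
    """Step 4 via Theorem 6: Z = {t(x) xor w : x in X}; a value t(x') found in Z
    yields the pair.  Returns the unique (x_i, x_j) with i < j, or None when
    there is no pair or more than one (the vanishing-probability failure)."""
    tv = [t(x) for x in xs]                          # exactly N queries to t
    z = {}
    for i, v in enumerate(tv):
        z.setdefault(v ^ w, []).append(i)
    pairs = [(xs[i], xs[j]) for j, v in enumerate(tv) for i in z.get(v, []) if i < j]
    return pairs[0] if len(pairs) == 1 else None


def run_protocol2(N, c=8, c_prime=12, seed=0):
    """Full run; returns Alice's key, Bob's key and the query counts."""
    rng = random.Random(seed)
    f, t = RandomOracle(rng, N ** c), RandomOracle(rng, N ** c_prime)
    xs, ys = alice_step1(f, N, rng)
    w, bob_key = bob_steps2_3(f, t, ys, N, rng)
    alice_key = alice_step4(t, xs, w)
    return alice_key, bob_key, {"f_distinct": len(f.table), "f_calls": f.calls,
                                "t_distinct": len(t.table), "t_calls": t.calls}
```

On a successful run both keys coincide, t is queried at exactly N distinct inputs (Alice’s N, of which Bob’s two are a subset) and N + 2 times in total, and f is queried at N points by Alice plus Bob’s O(N) expected samples; a None from Alice’s step signals the uniqueness failure that the larger range of t is meant to make vanishingly rare.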
If we consider now the generalized protocols of Sect. 5, no classical algorithms are known that could handle Alice’s last step efficiently whenever \(k\,{>}\,2\). However, a quantum Alice can do better, as shown in the following theorem, making \(Q_3\) timeefficient as well.
Theorem 7
Using a quantum strategy, Alice can find the elements x, \(x'\) and \(x''\) in X such that \(t(x) \oplus t(x') \oplus t(x'')=w\) in time \(O(N \log N)\).
Proof
By querying t once on each element of X, Alice forms \(Z = \{t(x) \oplus w \mid x \in X\}\) and she sorts it in \(O(N \log N\)) time. Then, she uses Grover’s search algorithm to find a pair \((x',x'') \in X \times X\) such that \(t(x') \oplus t(x'') \in Z\). It takes \(O\big (\sqrt{N^2}\,\big )=O(N)\) Grover iterations to find this pair and each iteration takes \(O(\log N)\) time by virtue of binary search in Z. Now, Alice can easily find the \(x \in X\) such that \(t(x') \oplus t(x'') = t(x) \oplus w\), which solves the problem since it follows that \(t(x) \oplus t(x') \oplus t(x'')=w\), as desired. \(\square \)
Unfortunately, the quantum algorithm in the proof of Theorem 7 requires the use of a quantum memory to hold Z. We do not know how to solve this problem otherwise. Table 1 summarizes the time separations that we get between the legitimate parties and the eavesdropper, although the adversary’s lower bound for \(Q_3\) requires a proof postponed to our followup paper whose preliminary version is in Ref. [8]. Recall that \(C_2\) and \(Q_2\) are Protocols 2 and 1, respectively. In each case, it is assumed that the adversary is capable of unrestricted quantum computation, including the use of a dynamic quantum memory, and that the legitimate parties agree on a shared key in O(N)—or at worst \(O(N \log N)\)—expected time. Only the last line in the table requires the use of a (static) quantum memory on the part of one of the legitimate parties, provided the improvements suggested in this section are implemented.
Table 1 Lower bounds on the time needed by quantum eavesdropping against various classical and quantum protocols when the legitimate parties establish a key in \(O(N \log N)\) expected time
Alice  Bob  Protocol  Adversary’s lower bound
Classical  Classical  \(C_2\)  \(\Omega (N^{7/6})\)
Classical  Quantum  \(Q_2\)  \(\Omega (N^{5/3})\)
Quantum  Quantum  \(Q_3\)  \(\Omega (N^{7/4})\)
7 A Composition Theorem for Quantum Query Complexity
Definition 6
Theorem 8
([31, 32]) For any function \(\textsf {F }\), \(\textsf {Q }(\textsf {F }) \leqslant \textsf {ADV }^{\pm }(\textsf {F }) \leqslant 2\textsf {Q }(\textsf {F })\), where \(\textsf {Q }(\textsf {F })\) is the worstcase quantum query complexity of \(\textsf {F }\).
Since BUC is defined as the composition of UC and \(\textsf {pSEARCH }\), we would like to apply a composition theorem for the generalized adversary method, which would say that if a function \(\textsf {H }=\textsf {F }\circ {\textsf {G }}^N\), then \(\textsf {ADV }^{\pm }(\textsf {H }) \geqslant \textsf {ADV }^{\pm }(\textsf {F }) \, \textsf {ADV }^{\pm }({\textsf {G }})\). Unfortunately, the composition theorems already known in the literature [31, 32] require the inner function to be Boolean, which is not the case here for \(\textsf {pSEARCH }\). Since counterexamples can be found [32], we cannot hope to prove a fully general composition theorem in which the inner function would be an arbitrary function. Nevertheless, we prove here a composition theorem with \(\textsf {pSEARCH }\) as the inner function.
Theorem 9
The inner function can be slightly more general than \(\textsf {pSEARCH }\). For example, it could be that the element we search for is hidden in several places. The proof also goes through if the instances of \(\textsf {pSEARCH }\) operate over distinct domains \((A_i^{\star })^{K_i}\). We leave for further research the extent to which our theorem can be generalized and proceed to prove it as stated.
Before we present the proof, we derive a corollary that is useful for our purpose, which applies for \(\textsf {BUC }= \textsf {UC }\circ \textsf {pSEARCH }^N\).
Corollary 1
\(\textsf {Q }(\textsf {BUC }) = \Omega (N^{2/3}K^{1/2})\).
Proof of Corollary 1
From Lemma 1 together with Theorem 8, we have \(\textsf {ADV }^{\pm }(\textsf {UC }) = \Omega (N^{2/3})\). Furthermore, \(\textsf {ADV }^{\pm }(\textsf {pSEARCH })> K^{1/2}\) by Eq. (10) below. Theorem 9 implies that \(\textsf {ADV }^{\pm }(\textsf {BUC }) = \Omega (N^{2/3} K^{1/2})\). Finally, by Theorem 8, \(\textsf {Q }(\textsf {BUC }) = \Omega (N^{2/3}K^{1/2})\) as well. \(\square \)
Proof of Theorem 9
 1.
An \(MK\times MK\) optimal adversary matrix \(\Gamma _i\) for \({\textsf {G }}_i\) can be written in block form with \(M\times M\) blocks of size \(K\times K\), indexed by pairs of outputs, in which all off-diagonal blocks are identical. Written in this form, all \(M\) diagonal blocks are necessarily zero since it is an adversary matrix.
 2.
The \(MK\times MK\) matrices \(D_q\), with inputs sorted in the same way, are also composed of identical off-diagonal blocks \(\Delta _q\) and identical on-diagonal blocks \(\Delta _q'\). Notice that this strongly depends on \({\textsf {G }}_i\), since the inputs are sorted by output value.
Let us introduce some notation that we will use throughout the proof. Inputs to \(\textsf {H }\) are written \(x,y\in P^N\). Each \(x\in P^N\) breaks into \(x=(x_1,\ldots , x_N)\). The result of applying the inner functions to \(x=(x_1,\ldots , x_N)\) is written \(\tilde{x}=({\tilde{x}}_1,\ldots , {\tilde{x}}_N)=({\textsf {G }}_1(x_1),\ldots , {\textsf {G }}_N(x_N))\). Each \(x_i\in P\), seen as an element of \((A^{\star })^K\), also breaks down into its components, which we write \(x_i=((x_i)_1,\ldots ,(x_i)_K)\), where each component \((x_i)_j\) is an element of \(A^{\star }\).
Claim 1
For the matrix \(\Gamma _\textsf {H }\) defined as above, \(\Vert \Gamma _\textsf {H }\Vert =\Vert \Gamma _\textsf {F }\Vert \cdot \prod _{i=1}^{N} \Vert S_i\Vert \).
We defer the proof of this claim and first see how it implies Eq. (3). Claim 1 gives us the norm of \(\Gamma _{\textsf {\textsf {H } }}\), and it remains to compute \(\max _\ell \Vert \Gamma _{\textsf {\textsf {H } }} \bullet D_\ell \Vert \) (Definition 6). Let us turn to the matrix \(\Gamma _{\textsf {\textsf {H } }}\bullet D_\ell \) to see that it shares the structure of \(\Gamma _{\textsf {\textsf {H } }}\) so we can also apply Claim 1 to compute its norm. Recall that the domain of \(\textsf {H }\) is \(P^N\), where \(P\subseteq (A^{\star })^K\). An index \(\ell \) into an input x to \(\textsf {H }\) decomposes into \(p\in [N]\), an index within x, and the index \(q\in [K]\) within \(x_p\) seen as a vector in \((A^{\star })^K\).
Claim 2
\(\Vert \Gamma _{\textsf {\textsf {H } }} \bullet D_\ell \Vert ={\Vert \Gamma _\textsf {F }\bullet D_p\Vert } \cdot {\Vert S_p \bullet \Delta _q\Vert }\cdot \prod _{i \ne p}{\Vert S_i \Vert } \).
Proof of Claim 2
Proof of Claim 1
 1.
We define a set of vectors \(\{\delta _{\alpha ,c}\}\) in \({\mathbb {C}}^{( KM)^N}\).
 2.
We prove that they are eigenvectors of \(\Gamma _\textsf {H }\) and give the corresponding eigenvalues.
 3.
We show that we have defined all eigenvectors and eigenvalues of \(\Gamma _\textsf {H }\).
 4.
We upper bound the eigenvalues in absolute value.
 1.
\(A_c^{(0)} = \Gamma _\textsf {F }\),
 2.
\(A_c^{(i)} [{\tilde{x}}, {\tilde{y}}] = A_c^{(i-1)} [{\tilde{x}}, {\tilde{y}}] \cdot \lambda _{i,c_i}^{{\tilde{x}}_i \ne {\tilde{y}}_i}\).
Since \(A_c^{(0)}= \Gamma _\textsf {F }\), the base case is trivial. Assume that for some i, \(\Vert A_c^{(i-1)}\Vert \leqslant \Vert \Gamma _\textsf {F }\Vert \cdot \prod _{j=1}^{i-1} \Vert S_{j} \Vert \). By rearranging the rows and columns of \(A_c^{(i-1)}\) as before, we can consider that it is formed of \(M^2\) blocks with the following structure: the block labelled \((u,v) \in A\times A\) contains the entries \(A_c^{(i-1)}[{\tilde{x}}, {\tilde{y}}]\) such that \({\tilde{x}}_{i}=u\) and \({\tilde{y}}_{i}=v\). Now, to form \(A_c^{(i)}\), the diagonal blocks of \(A_c^{(i-1)}\), labelled (u, u), are multiplied by \(\Vert S_{i} \Vert \) and the others are multiplied by the same factor \(\lambda _{i,c_{i}}\), which is at most \(\Vert S_{i}\Vert \). We claim that under this operation, the norm of the matrix increases at most by a factor \(\Vert S_{i} \Vert \).
 1.
any eigenvalue of B is associated with an eigenvector whose support is in \(E_t\) for some t, and
 2.
for any vector v whose support is in \(E_t\) for some t, \( \Vert B v \Vert \leqslant \Vert \tau _i A_c^{(i1)} v\Vert \).
We now prove the other direction: \(\Vert \Gamma _\textsf {H }\Vert \geqslant \Vert \Gamma _\textsf {F }\Vert \cdot \prod _i \Vert S_{i} \Vert \). Taking \(c=(1,\ldots ,1)\), we have \(\Vert \Gamma _\textsf {H }\Vert \geqslant \Vert A_{c } \Vert \). By definition, \(A_{c}[{\tilde{x}}, {\tilde{y}}] = \Gamma _\textsf {F }[{\tilde{x}}, {\tilde{y}}] \cdot \prod _i \Vert S_i \Vert \), which immediately implies that \(\Vert \Gamma _\textsf {H }\Vert \geqslant \Vert \Gamma _\textsf {F }\Vert \cdot \prod _i \Vert S_i \Vert \). This completes the proof of Claim 1. \(\square \)
8 Conclusion and Open Questions
We live in a quantum world. Is this to the advantage of cryptographers or cryptanalysts [17]? The advantage to cryptographers is well established if they make use of quantum channels, since quantum key distribution offers unconditional security [12], provided it is implemented faithfully [26]. However, the opposite seems to hold whenever cryptographers are limited to communicating over classical channels. Indeed, most of the cryptography currently deployed in attempts to protect information over the Internet fails completely in a quantum world [16]. The thriving field of post-quantum cryptography [14] aims at restoring at least some security for classical cryptography against a quantum adversary, and the race is on to find practical ways to do this [37]. In this paper, we gave a formal proof that this goal is indeed achievable, at least relative to a random oracle. For this, we showed how to restore some of the provable security of Merkle’s seminal key establishment protocol [35, 36] in a quantum world, although we have not been capable of restoring the full quadratic advantage it enjoyed in an all-classical world. Not surprisingly, our protocol is more secure if the cryptographers are also endowed with quantum computing capabilities, but some security remains even if they are not. Along the way, we proved a composition theorem of potential independent interest in Sect. 7. We leave for further research the extent to which Theorem 9 can be generalized beyond the case of pSEARCH as the inner function.
We leave several other questions open for further research. Merkle’s original protocol did not offer negligible probability of success against an adversary who would only be willing to invest an effort proportional to that used to establish the key. Indeed, after the cryptographers have invested an effort in the order of some security parameter N, a lucky eavesdropper could find the “secret” key with the same effort, albeit with probability 1/N (or even faster, with a yet smaller probability). This is why we have deemed a protocol secure throughout this paper provided its probability of being broken by a resource-limited adversary is vanishing rather than negligible, as explained at the outset of Sect. 3. However, Merkle’s original protocol can be modified to make the eavesdropper’s success probability negligible, rather than merely vanishing, provided we restrict her to at most \(O(N^2 / \log ^2 N)\) queries [5]. It would be interesting to see whether a similar approach can make our protocols provably quantum resistant if we required them to ensure secrecy except with negligible probability.
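The "lucky eavesdropper" effect and the linear-versus-quadratic gap described above can be measured on a toy classical instance. The following Python simulation is an added example and is not code from the paper: it implements the textbook form of Merkle’s 1974 idea (Alice publishes N images of a random function with domain size \(N^2\), Bob queries random inputs until an image lands in Alice’s list and announces that image, the eavesdropper inverts the announced image by brute force), not the paper’s Protocols 1 and 2, whose details are not reproduced in this section. The random function f is modelled by a keyed SHA-256 so that the only way to learn f(x) is to query the oracle, and every query is counted per party. Bob’s membership test uses a sorted list and binary search in the spirit of footnote 3. All class, function and parameter names are the example’s own.

```python
"""Toy classical Merkle-style key establishment with per-party query counting.

Constructed example: f is a random function on domain [M] (M = N^2) modelled by
a keyed SHA-256, so nobody can evaluate it except by querying the oracle.
"""
import bisect
import hashlib
import random
from dataclasses import dataclass, field


@dataclass
class RandomOracle:
    secret: bytes                 # fixes one random function for this run
    m_bits: int                   # domain [M], M = 2**m_bits
    r_bits: int                   # range [R], R = 2**r_bits; R >> M keeps f injective w.h.p.
    queries: dict = field(default_factory=dict)   # caller -> number of f-evaluations

    @property
    def M(self) -> int:
        return 1 << self.m_bits

    def f(self, caller: str, x: int) -> int:
        """One oracle query, charged to `caller` (query count is the cost measure)."""
        self.queries[caller] = self.queries.get(caller, 0) + 1
        digest = hashlib.sha256(self.secret + x.to_bytes(8, "big")).digest()
        return int.from_bytes(digest, "big") & ((1 << self.r_bits) - 1)


def alice_publish(oracle, N, rng):
    """Alice evaluates f on N distinct random inputs and publishes the sorted images Y."""
    table = {}
    for x in rng.sample(range(oracle.M), N):
        table[oracle.f("alice", x)] = x
    return table, sorted(table)          # private preimage table, public sorted list Y


def bob_find(oracle, Y, rng):
    """Bob queries f on random inputs until an image lands in Y (bisect: O(log N) per test)."""
    while True:
        x = rng.randrange(oracle.M)
        y = oracle.f("bob", x)
        i = bisect.bisect_left(Y, y)
        if i < len(Y) and Y[i] == y:
            return x, y                  # x becomes Bob's key; only y goes on the channel


def eve_search(oracle, y_star, rng, budget=None):
    """Eve sees Y and y* and must invert f on y*; with no structure to exploit she
    tries inputs in random order, giving up after `budget` queries if one is set."""
    order = list(range(oracle.M))
    rng.shuffle(order)
    for n, x in enumerate(order):
        if budget is not None and n >= budget:
            return None
        if oracle.f("eve", x) == y_star:
            return x
    return None


def run(N, seed, eve_budget=None):
    """One protocol run followed by one eavesdropping attempt; N must be a power of two."""
    assert N & (N - 1) == 0 and N >= 2
    m_bits = 2 * (N.bit_length() - 1)               # M = N^2
    oracle = RandomOracle(seed.to_bytes(8, "big"), m_bits, 4 * m_bits)
    rng = random.Random(seed)
    table, Y = alice_publish(oracle, N, rng)
    x_bob, y_star = bob_find(oracle, Y, rng)
    x_alice = table[y_star]                          # Alice looks up her preimage of y*
    x_eve = eve_search(oracle, y_star, rng, eve_budget)
    return {
        "M": oracle.M,
        "agree": x_alice == x_bob,                   # False only if y* has a second preimage
        "alice": oracle.queries["alice"],
        "bob": oracle.queries["bob"],
        "eve": oracle.queries.get("eve", 0),
        "eve_success": x_eve is not None,
    }


def simulate(N, eve_budget, trials, seed=0):
    """Average Bob's cost and Eve's success rate when Eve is limited to `eve_budget` queries."""
    bob_total, eve_hits = 0, 0
    for t in range(trials):
        r = run(N, seed * trials + t + 1, eve_budget)
        bob_total += r["bob"]
        eve_hits += r["eve_success"]
    return {"bob_mean": bob_total / trials, "eve_rate": eve_hits / trials}


if __name__ == "__main__":
    print(run(64, seed=7))                           # unbounded Eve always wins, at ~M/2 queries
    print(simulate(32, eve_budget=32, trials=200))   # Eve with Bob's budget wins ~1/N of the time
```

Alice always spends exactly N queries and Bob, whose hit probability per query is N/M = 1/N, about N on average. An eavesdropper with an unlimited budget always recovers the key, but at an expected cost of M/2 = \(N^2/2\) queries; an eavesdropper restricted to N queries succeeds with probability exactly N/M = 1/N, which is the vanishing-but-not-negligible success probability discussed above. The `agree` flag exposes the one failure mode of this toy version: if the announced image has a second preimage, Alice and Bob end up with different keys, which is why the range is chosen far larger than the domain.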
Our lower bounds prove that it is not possible for an eavesdropper to learn the key established by the protocol, except with vanishing probability, without querying the oracles significantly more than the legitimate parties. However, some partial information about the key leaks even without querying the oracles at all, and therefore, we do not achieve anything comparable to semantic security [28]. For instance, in Protocol 1, whenever the legitimate parties establish some key \(k=(x,x')\), the eavesdropper learns the value of \(t(x) \oplus t(x')\) since this is the revealed value of w. The question is whether or not the eavesdropper could learn any useful partial information about the key, whatever this could mean. Would there be any advantage in distilling \(x \oplus x'\) as final key in Protocol 1 (or some other function of x and \(x'\)), rather than \((x,x')\)? Alternatively, could the protocol be modified to provably deprive a resource-limited eavesdropper of any partial information?
We gave cryptanalytic attacks against our protocols that match the lower bounds on how difficult they are to attack successfully. However, those attacks proceed by a quantum walk in a modified Hamming graph, which requires the availability of a hypothetical QRAM [6, 13, 27]. In sharp contrast, our legitimate protocols (except those mentioned in Sect. 5) do not require such technological prowess provided they are modified according to Sect. 6. As an open question, can our protocols be attacked as efficiently without any need for QRAMs? Similarly, even if modified according to Sect. 6, protocol Q3 described in Sect. 5 seems to require at least availability of a QROM if it is to be time-efficient according to the proof of Theorem 7. Even though this may be easier to achieve than a QRAM, it would still represent a formidable technological challenge. Can protocol Q3 be implemented efficiently without any need for quantum memories? Even more interestingly, can generalized protocols \(C_k\) for \(k>2\) and \(Q_k\) for \(k>3\) be made time-efficient with or without need for fancy quantum memories?
Our protocols are defined in the random oracle model, which is why we are actually able to give formal proofs of security. As mentioned in Sect. 6, our random oracles would have to be replaced by quantum-resistant one-way functions (assuming they exist) before they can be deployed in real life. Unfortunately, our proofs of security would not carry over automatically even if we had provably quantum-resistant one-way functions, because of composability issues [22]. It would be much more interesting if we could prove the existence of quantum-secure classical key establishment protocols based only on the assumption that quantum-resistant one-way functions exist. This could be attempted either by proving composability properties of our protocols or by designing new protocols altogether.
The most important open question is to determine whether or not it is possible to restore Merkle’s quadratic security in an all-quantum world, or perhaps even blast through that barrier, since the proof of optimality for Merkle’s protocol [7] only applies in the classical setting. Possibly a more practical consideration would be to determine the limit of provable security for a classical protocol based on random oracles against a quantum adversary. Partial answers to the questions raised in this paragraph are provided in our follow-up paper whose preliminary version is in Ref. [8], but those answers are severely limited if we take time efficiency into consideration.
Footnotes
 1.
2. If an unstructured search problem has t solutions among M candidates, Grover’s algorithm [29], or more precisely its so-called BBHT generalization [15], can find one of the solutions after \(O\big (\sqrt{M/t}\,\big )\) expected queries to a function that recognizes solutions among candidates. However, Theorem 4 of Ref. [19] implies that, whenever the number \(t>0\) is known, a solution can be found with certainty after \(O\big (\sqrt{M/t}\,\big )\) queries to that function in the worst case. From now on, when we mention Grover’s algorithm or BBHT, we really mean this improvement according to Ref. [19].
3. If we cared about computational efficiency instead of only query complexity, Bob would sort the elements of Y in increasing order after receiving them from Alice. In this way, he can quickly determine, given any \(y=f(x)\), whether or not \(y \in Y\), which is needed to compute g. More on computational efficiency in Sect. 6.
4. There is no standard definition for the element distinctness problem. Ambainis uses the one above in Ref. [3] and our Definition 1 in Ref. [2], which is also used by others in Ref. [1]. This is of no significant importance because these two problems are easily seen to be computationally equivalent up to logarithmic factors in the query complexity model.
5. For simplicity, we shall assume that the value of M is implicit given the value of N, so that we do not need to have a different circuit for each value of N and M. For instance, we could take \(M=2^{\lceil c \lg N \rceil }\), which would be the smallest power of 2 no smaller than \(N^c\) (note that we never said that c had to be an integer).
Acknowledgements
We are grateful to Troy Lee, Frédéric Magniez, Mohammad Mahmoody-Ghidary, Miklos Santha and Robin Kothari for insightful discussions, to Krzysztof Pietrzak for pointing out the \(O(N \log N)\)-time algorithm that classical Alice can use in Protocols 1 and 2, and to Dominique Unruh for pointing out the “practical” difficulty (and possibly fundamental inefficiency) arising from the need to use quantum memories to implement some of our protocols. We are also indebted to an anonymous referee for pointing out that we don’t necessarily have to be content with a vanishing probability that the eavesdropper learns the secret: protocols that would offer negligible probabilities are conceivable. The same referee also discovered a serious mistake in our original proof concerning the difficulty of solving H2XOR on a uniformly distributed random instance, which has now been fixed and became Lemma 2. G. B. is also grateful to Ralph Merkle for his most inspiring Distinguished Lecture at Crypto ’05, which sparked this entire line of work, and to Harry Buhrman for hosting him at QuSoft during the final moments leading to the publication of this paper.
G. B. is supported in part by Canada’s Natural Sciences and Engineering Research Council (Nserc), the Institut transdisciplinaire d’informatique quantique (Intriq), the Canada Research Chair Program and the Canadian Institute for Advanced Research (Cifar). P. H. is supported in part by Nserc, Cifar and the Canadian Network Centres of Excellence for Mathematics of Information Technology and Complex Systems (Mitacs). S. L. is supported in part by the projects EU FP7 QCS, EU CHIST-ERA DIQIP, EU QuantERA QuantAlgo, and the IRIF ICQ PICS Cooperation Project. L. S. is supported in part by an Nserc discovery grant and by Intriq.
References
1. S. Aaronson, Y. Shi, Quantum lower bounds for the collision and the element distinctness problems. Journal of the ACM 51(4), 595–605 (2004)
2. A. Ambainis, Polynomial degree and lower bounds in quantum complexity: collision and element distinctness with small range. Theory of Computing 1, 37–46 (2005)
3. A. Ambainis, Quantum walk algorithm for element distinctness. SIAM Journal on Computing 37, 210–239 (2007)
4. A. Ambainis, Personal communication (2016)
5. Anonymous Referee, Personal communication through the Editor, 26 October 2015
6. S. Arunachalam, V. Gheorghiu, T. Jochym-O’Connor, M. Mosca, P. V. Srinivasan, On the robustness of bucket brigade quantum RAM. New Journal of Physics 17(12), 123010 (2015)
7. B. Barak, M. Mahmoody-Ghidary, Merkle puzzles are optimal—An \(O(n^2)\)-query attack on any key exchange from a random oracle, in Advances in Cryptology—Proceedings of Crypto 2009 (Santa Barbara, California, 2009), pp. 374–390
8. A. Belovs, G. Brassard, P. Høyer, M. Kaplan, S. Laplante, L. Salvail, Provably secure key establishment against quantum adversaries, in Proceedings of 12th Conference on Theory of Quantum Computation, Communication and Cryptography (TQC) (Paris, 2017), pp. 3:1–3:17. Open access available at http://drops.dagstuhl.de/opus/volltexte/2018/8581/pdf/LIPIcsTQC20173.pdf
9. A. Belovs, R. Špalek, Adversary lower bound for the \(k\)-sum problem, in Proceedings of 4th Annual ACM Conference on Innovations in Theoretical Computer Science (ITCS) (Berkeley, California, 2013), pp. 323–328
10. C. H. Bennett, Logical reversibility of computation. IBM Journal of Research and Development 17(6), 525–532 (1973)
11. C. H. Bennett, E. Bernstein, G. Brassard, U. V. Vazirani, Strengths and weaknesses of quantum computing. SIAM Journal on Computing 26(5), 1510–1523 (1997)
12. C. H. Bennett, G. Brassard, Quantum cryptography: Public key distribution and coin tossing, in Proceedings of International Conference on Computers, Systems and Signal Processing (Bangalore, India, 1984), pp. 175–179. Reprinted in Theoretical Computer Science 560(1), 7–11 (2014)
13. D. J. Bernstein, Cost analysis of hash collisions: Will quantum computers make SHARCS obsolete?, in Proceedings of Workshop on Special-purpose Hardware for Attacking Cryptographic Systems (SHARCS’09) (Lausanne, 2009), pp. 105–116. Proceedings available at http://www.hyperelliptic.org/tanja/SHARCS/record2.pdf
14. D. J. Bernstein, T. Lange, Post-quantum cryptography. Nature 549, 188–194 (2017)
15. M. Boyer, G. Brassard, P. Høyer, A. Tapp, Tight bounds on quantum searching. Fortschritte der Physik 46, 493–505 (1998)
16. G. Brassard, Cryptography in a quantum world, in 42nd International Conference on Current Trends in Theory and Practice of Computer Science (SOFSEM) (Springer, Harrachov, Czech Republic, 2016), pp. 3–16. Preliminary version available at arXiv:1510.04256 [quant-ph]
17. G. Brassard, Was Edgar Allan Poe wrong after all? Communications of the ACM 62(4), 132 (2019)
18. G. Brassard, P. Høyer, K. Kalach, M. Kaplan, S. Laplante, L. Salvail, Merkle puzzles in a quantum world, in Advances in Cryptology—Proceedings of Crypto 2011 (Santa Barbara, California, 2011), pp. 391–410
19. G. Brassard, P. Høyer, M. Mosca, A. Tapp, Quantum amplitude amplification and estimation, in S. J. Lomonaco, Jr. (ed.), Quantum Computation and Quantum Information, AMS Contemporary Mathematics 305, 53–74 (2002)
20. G. Brassard, P. Høyer, A. Tapp, Quantum algorithm for the collision problem (1997). arXiv:quant-ph/9705002
21. G. Brassard, L. Salvail, Quantum Merkle puzzles, in Proceedings of Second International Conference on Quantum, Nano, and Micro Technologies (ICQNM-08) (Sainte-Luce, Martinique, 2008), pp. 76–79
22. R. Canetti, O. Goldreich, S. Halevi, The random oracle methodology, revisited (1998). https://eprint.iacr.org/1998/011
23. L. Carter, M. N. Wegman, Universal classes of hash functions. Journal of Computer and System Sciences 18(2), 143–154 (1979)
24. A. Childs, R. Kothari, Quantum query complexity of minor-closed graph properties, in Proceedings of 28th Symposium on Theoretical Aspects of Computer Science (STACS) (Dortmund, 2011), pp. 661–672
25. W. Diffie, M. E. Hellman, New directions in cryptography. IEEE Transactions on Information Theory 22(6), 644–654 (1976)
26. I. Gerhardt, Q. Liu, A. Lamas-Linares, J. Skaar, C. Kurtsiefer, V. Makarov, Full-field implementation of a perfect eavesdropper on a quantum cryptography system. Nature Communications 2, 349 (2011)
27. V. Giovannetti, S. Lloyd, L. Maccone, Quantum random access memory. Physical Review Letters 100(16), 160501 (2008)
28. S. Goldwasser, S. Micali, Probabilistic encryption & how to play mental poker keeping secret all partial information, in Proceedings of 14th Annual Symposium on Theory of Computing (STOC) (San Francisco, California, 1982), pp. 365–377
29. L. K. Grover, Quantum mechanics helps in searching for a needle in a haystack. Physical Review Letters 79(2), 325–328 (1997)
30. I. Haitner, N. Mazor, R. Oshman, O. Reingold, A. Yehudayoff, On the communication complexity of key-agreement protocols, in Proceedings of 10th Innovations in Theoretical Computer Science Conference (ITCS) (San Diego, California, 2019), paper no. 40. https://doi.org/10.4230/LIPIcs.ITCS.2019.40
31. P. Høyer, T. Lee, R. Špalek, Negative weights make adversaries stronger, in Proceedings of 39th Annual Symposium on Theory of Computing (STOC) (San Diego, California, 2007), pp. 526–535. The complete version can be found at arXiv:quant-ph/0611054
32. T. Lee, R. Mittal, B. W. Reichardt, R. Špalek, M. Szegedy, Quantum query complexity of state conversion, in Proceedings of the IEEE 52nd Annual Symposium on Foundations of Computer Science (FOCS) (Palm Springs, California, 2011), pp. 344–353
33. F. Magniez, Personal communication (2019)
34. F. Magniez, A. Nayak, J. Roland, M. Santha, Search via quantum walk. SIAM Journal on Computing 40(1), 142–164 (2011)
35. R. Merkle, C.S. 244 Project Proposal (1974). Facsimile available at http://www.merkle.com/1974/FirstCS244projectProposal.pdf
36. R. Merkle, Secure communications over insecure channels. Communications of the ACM 21(4), 294–299 (1978)
37. National Institute of Standards and Technology (NIST), Post-quantum cryptography standardization, https://csrc.nist.gov/projects/postquantumcryptography/postquantumcryptographystandardization
38. R. L. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21(2), 120–126 (1978)
39. M. Santha, Quantum walk based search algorithms, in Proceedings of 5th Theory and Applications of Models of Computation (TAMC-08) (Xi’an, 2008), pp. 31–46
40. P. W. Shor, Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Journal on Computing 26, 1484–1509 (1997)
41. D. Unruh, Objection raised during the question period when a preliminary version of this work was presented at the First Annual Conference on Quantum Cryptography (QCrypt), September 2011. Start at the 23rd minute of https://www.video.ethz.ch/conferences/2011/qcrypt/20110912/5b98752b75844ad0b7fc29aaf06371f9.html
Copyright information
Open Access. This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.