Merkle Puzzles in a Quantum World

  • Gilles Brassard
  • Peter Høyer
  • Kassem Kalach
  • Marc Kaplan
  • Sophie Laplante
  • Louis Salvail
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6841)


In 1974, Ralph Merkle proposed the first unclassified scheme for secure communications over insecure channels. When legitimate communicating parties are willing to spend an amount of computational effort proportional to some parameter N, an eavesdropper cannot break into their communication without spending a time proportional to N 2, which is quadratically more than the legitimate effort. We showed in an earlier paper that Merkle’s schemes are completely insecure against a quantum adversary, but that their security can be partially restored if the legitimate parties are also allowed to use quantum computation: the eavesdropper needed to spend a time proportional to N 3/2 to break our earlier quantum scheme. Furthermore, all previous classical schemes could be broken completely by the onslaught of a quantum eavesdropper and we conjectured that this is unavoidable.

We give two novel key agreement schemes in the spirit of Merkle’s. The first one can be broken by a quantum adversary that makes an effort proportional to N 5/3 to implement a quantum random walk in a Johnson graph reminiscent of Andris Ambainis’ quantum algorithm for the element distinctness problem. This attack is optimal up to logarithmic factors. Our second scheme is purely classical, yet it cannot be broken by a quantum eavesdropper who is only willing to expend effort proportional to that of the legitimate parties.


Merkle Puzzles Public Key Distribution Quantum Cryptography 


  1. 1.
    Aaronson, S., Shi, Y.: Quantum lower bounds for the collision and the element distinctness problems. Journal of the ACM 51(4), 595–605 (2004)MathSciNetzbMATHCrossRefGoogle Scholar
  2. 2.
    Ambainis, A.: Quantum walk algorithm for element distinctness. SIAM Journal on Computing 37, 210–239 (2007)MathSciNetzbMATHCrossRefGoogle Scholar
  3. 3.
    Barak, B., Mahmoody-Ghidary, M.: Merkle puzzles are optimal — An O(n 2)–query attack on any key exchange from a random oracle. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 374–390. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  4. 4.
    Beals, R., Buhrman, H., Cleve, R., Mosca, M., de Wolf, R.: Quantum lower bounds by polynomials. Journal of the ACM 48(4), 778–797 (2001)MathSciNetzbMATHCrossRefGoogle Scholar
  5. 5.
    Bennett, C.H., Bernstein, E., Brassard, G., Vazirani, U.V.: Strengths and weaknesses of quantum computing. SIAM Journal on Computing 26(5), 1510–1523 (1997)MathSciNetzbMATHCrossRefGoogle Scholar
  6. 6.
    Boyer, M., Brassard, G., Høyer, P., Tapp, A.: Tight bounds on quantum searching. Fortschritte Der Physik 46, 493–505 (1998)CrossRefGoogle Scholar
  7. 7.
    Brassard, G., Høyer, P., Mosca, M., Tapp, A.: Quantum amplitude amplification and estimation. In: Lomonaco Jr., S.J. (ed.) Quantum Computation and Quantum Information. Contemporary Mathematics, vol. 305, pp. 53–74. AMS, Providence (2002)Google Scholar
  8. 8.
    Brassard, G., Salvail, L.: Quantum Merkle puzzles. In: Proceedings of Second International Conference on Quantum, Nano, and Micro Technologies (ICQNM 2008), Sainte Luce, Martinique, pp. 76–79 (February 2008)Google Scholar
  9. 9.
    Buhrman, H., Dürr, C., Heiligman, M., Høyer, P., Magniez, F., Sántha, M., de Wolf, R.: Quantum algorithms for element distinctness (2000),
  10. 10.
    Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Transactions on Information Theory 22(6), 644–654 (1976)MathSciNetzbMATHCrossRefGoogle Scholar
  11. 11.
    Grover, L.K.: Quantum mechanics helps in searching for a needle in a haystack. Physical Review Letters 79(2), 325–328 (1997)CrossRefGoogle Scholar
  12. 12.
    Heiligman, M.: Finding matches between two databases on a quantum computer (2000),
  13. 13.
    Høyer, P., Lee, T., Špalek, R.: Negative weights make adversaries stronger. In: Proceedings of 39th Annual Symposium on Theory of Computing (STOC), pp. 526–535 (June 2007), The complete version can be found at,
  14. 14.
    Lee, T., Mittal, R., Reichardt, B.W., Špalek, R.: An adversary for algorithms (2010),
  15. 15.
    Merkle, R.: C.S. 244 Project Proposal (1974), Facsimile available at
  16. 16.
    Merkle, R.: Secure communications over insecure channels. Communications of the ACM 21(4), 294–299 (1978)CrossRefGoogle Scholar
  17. 17.
    Sántha, M.: Quantum walk based search algorithms. In: Agrawal, M., Du, D.-Z., Duan, Z., Li, A. (eds.) TAMC 2008. LNCS, vol. 4978, pp. 31–46. Springer, Heidelberg (2008)CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  • Gilles Brassard
    • 1
  • Peter Høyer
    • 2
  • Kassem Kalach
    • 1
  • Marc Kaplan
    • 1
  • Sophie Laplante
    • 3
  • Louis Salvail
    • 1
  1. 1.Département d’informatique et de recherche opérationnelleUniversité de MontréalMontréalCanada
  2. 2.Department of Computer ScienceUniversity of CalgaryCalgaryCanada
  3. 3.LRIUniversité Paris-SudOrsayFrance

Personalised recommendations