Merkle Puzzles in a Quantum World

In 1974, Ralph Merkle proposed the first unclassified scheme for secure communications over insecure channels. When legitimate communicating parties are willing to spend an amount of computational effort proportional to some parameter $N$, an eavesdropper cannot break into their communication without spending a time proportional to $N^2$, which is quadratically more than the legitimate effort. We showed in an earlier paper that Merkle's schemes are completely insecure against a quantum adversary, but that their security can be partially restored if the legitimate parties are also allowed to use quantum computation: the eavesdropper needed to spend a time proportional to $N^{3/2}$ to break our earlier quantum scheme. Furthermore, all previous classical schemes could be broken completely by the onslaught of a quantum eavesdropper and we conjectured that this is unavoidable. We give two novel key establishment schemes in the spirit of Merkle's. The first one can be broken by a quantum adversary that makes an effort proportional to $N^{5/3}$ to implement a quantum random walk in a Johnson graph reminiscent of Andris Ambainis' quantum algorithm for the element distinctness problem. This attack is optimal up to logarithmic factors. Our second scheme is purely classical, yet it cannot be broken by a quantum eavesdropper who is only willing to expend effort proportional to that of the legitimate parties.


Introduction
While Ralph Merkle was delivering the 2005 International Association for Cryptologic Research (IACR) Distinguished Lecture at the Crypto annual conference in Santa Barbara, describing his original unpublished 1974 scheme [16] for public key establishment (much simpler and more elegant than his subsequently published, yet better known, Merkle Puzzles [17]), one of us (Brassard) immediately realized that this scheme was totally insecure against an eavesdropper equipped with a quantum computer. The obvious question was: can Merkle's idea be repaired and made secure again in our quantum world? The defining characteristics of Merkle's protocol are that (1) the legitimate parties communicate strictly through an authenticated classical channel on which eavesdropping is unrestricted and (2) a protocol is deemed to be secure if the cryptanalytic effort required of the eavesdropper to learn the key established by the legitimate parties grows super-linearly with the legitimate work.
We partially repaired Merkle's scheme in Ref. [8] with a scheme in which the eavesdropper needed an amount of work in $\Omega(N^{3/2})$ to obtain the key established by quantum legitimate parties whose amount of work is in $O(N)$. This was not quite as good as the work in $\Omega(N^2)$ required by a classical eavesdropper against Merkle's original scheme, but significantly better than the work in $O(N)$ sufficient for a quantum eavesdropper against the same scheme. Two main questions were left open in Ref. [8]:
1. Can the quadratic security possible in a classical world be restored in our quantum world?
2. Is any security possible at all if the legitimate parties are purely classical, yet the eavesdropper is endowed with a quantum computer?
We give two novel key establishment protocols to address these issues. In the first protocol, the legitimate parties use quantum computers and classical authenticated communication to establish a shared key after $O(N)$ expected queries to two black-box random functions (which can be modelled with a single binary random oracle). We then give a nontrivial quantum cryptanalytic attack that uses a quantum random walk in a Johnson graph, much like Andris Ambainis' algorithm to solve the element distinctness problem [2], which allows a quantum eavesdropper to learn the key after $\Theta(N^{5/3})$ queries to the functions. Finally, we prove that our attack is optimal up to logarithmic factors. Therefore, we have not quite restored the quadratic security possible in a classical world, but we have made significant progress towards it.
Second, we give a purely classical protocol, in which the legitimate parties use classical communication and classical computation to establish a key after $O(N)$ calls to similar black-box random functions. We then attack this protocol with a quantum cryptanalytic algorithm that uses $\Theta(N^{13/12})$ queries to the functions. As unlikely as it may sound, this attack is optimal (up to logarithmic factors) and therefore it is not possible to break this purely classical protocol with a quantum attack that uses an amount of resource linear in the legitimate effort.
After a review (lifted from Ref. [8]) of Merkle's original idea, its meltdown against a quantum eavesdropper and our earlier partial quantum solution (Sect. 2), we describe our new protocols (Sects. 3 and 4), quantum attacks against them (Sects. 3.1 and 4.1) and proofs of optimality for those attacks (Sects. 3.2 and 4.2). In Sect. 5, we mention an improvement on our classical scheme, which forces a successful eavesdropper to use $\Theta(N^{7/6})$ queries, but we leave the detail to a subsequent paper. Section 6 concludes with conjectures about the existence of even better schemes. Some of the technical tools required by our quantum attacks are reviewed in the Appendix and a new lower-bound composition theorem is introduced.

Merkle's Original Scheme and How to Break and Partially Repair It
The first unclassified document ever written that pioneered public key establishment and public key cryptography was a project proposal written in 1974 by Merkle when he was a student in Lance Hoffman's CS244 course on Computer Security at the University of California, Berkeley [16].
Hoffman rejected the proposal and Merkle dropped the course but "kept working on the idea" and eventually published it as one of the most seminal cryptographic papers in the second half of the twentieth century [17]. Merkle's scheme in his published paper was somewhat different from his original 1974 idea, but both share the property that they "force any enemy to expend an amount of work which increases as the square of the work required of the two [legitimate] communicants" [17].
It took 35 years before Boaz Barak and Mohammad Mahmoody-Ghidary proved that this quadratic discrepancy between the legitimate and eavesdropping efforts is the best possible in a classical world [3].
In his IACR Distinguished Lecture, which he delivered at the Crypto '05 Conference in Santa Barbara, Merkle described from memory his first solution to the problem of secure communications over insecure channels. As a wondrous coincidence, he unsuspectingly opened up a box of old folders a mere three weeks after his Lecture and happily recovered his long-lost CS244 Project Proposal, together with comments handwritten by Hoffman [16]! To quote his original typewritten words:
"Guessing. Both sites guess at keywords. These guesses are one-way encrypted, and transmitted to the other site. If both sites should chance to guess at the same keyword, this fact will be discovered when the encrypted versions are compared, and this keyword will then be used to establish a communications link. Discussion: No, I am not joking."
In more modern terms, let $f$ be a one-way permutation. In order to "one-way encrypt" $x$, as Merkle said in 1974, we assume that one can compute $f(x)$ in unit time for any given input $x$ but that the only way to retrieve $x$ given $f(x)$ is to try preimages and compute $f$ on them until one is found that maps to $f(x)$. This is known as the black-box (or oracle) model. Hereinafter, in accordance with this model, efficiency is defined solely in terms of the number of calls to such black-box functions (there could be more than one). In the quantum case, these calls can be made in superposition of inputs. We also assume throughout this paper (as did Merkle) that an authenticated channel is available between the legitimate communicants, although this channel offers no protection against eavesdropping.
The "keywords" guessed at by "both sites" are random points in the domain of $f$. They are "one-way encrypted" by applying $f$ to them. If there are $N^2$ points in the domain of $f$, it suffices to guess $O(N)$ keywords at each site before a variation on the birthday paradox makes it overwhelmingly likely that "both sites should chance to guess at the same keyword", which becomes their shared key. An eavesdropper who listens to the entire conversation has no other way to obtain this key than to invert $f$ on the revealed common encrypted keyword. In accordance with the black-box model, this can only be done by trying on the average half the points in the domain of $f$ before one is found that is mapped by $f$ to the target value. This will require an expected number of calls to $f$ in $\Omega(N^2)$, which is quadratic in the legitimate effort.
Shortly thereafter, Whitfield Diffie and Martin Hellman discovered a celebrated method for public-key establishment that makes the cryptanalytic effort apparently exponentially harder than the legitimate effort [11]. However, no proof is known that the Diffie-Hellman scheme is secure at all since it relies on the conjectured difficulty of extracting discrete logarithms, an assumption doomed to fail whenever quantum computers become available. In contrast, Merkle's approach offers provable quadratic security against any possible classical attack, under the sole assumption that $f$ cannot be inverted by any other means than exhaustive search.
Next, we explain why Merkle's original proposal becomes completely insecure if the eavesdropper is capable of quantum computation (Merkle's published "puzzles" [17] are equally insecure). We then sketch a protocol from Ref. [8] that is not completely broken. This is achieved by granting similar quantum computation capabilities to one of the legitimate communicating parties.

Quantum Attack and Partial Remedy
Let us now assume that function $f$ can be computed quantum mechanically on a superposition of inputs. In this case, Merkle's original scheme is completely compromised by way of Grover's algorithm [12]. Indeed, this algorithm needs only $O(\sqrt{N^2}) = O(N)$ calls on $f$ in order to invert it on any given point of its image, making the cryptanalytic task as easy (up to constant factors) as the legitimate key setup process. To remedy the situation, we allow the communicating parties to use quantum computers as well (actually, one of the parties will remain classical), and we increase the domain of $f$ from $N^2$ to $N^3$ points. Instead of having both sites transmit one-way encrypted guesses to the other site, one site called Alice chooses $N$ distinct random values $x_1, x_2, \dots, x_N$ and transmits them, one-way encrypted by the application of $f$, to the other site called Bob. Let $Y = \{f(x_i) \mid 1 \le i \le N\}$ denote the set of encrypted keywords received by Bob, which becomes known to the eavesdropper. Now, Bob defines Boolean function $g$ on the same domain as $f$ by $g(x) = 1$ if $f(x) \in Y$ and $g(x) = 0$ otherwise.
Out of $N^3$ points in the domain of $f$, there are exactly $t = N$ solutions to the problem of finding an $x$ so that $g(x) = 1$. It suffices for Bob to apply the BBHT generalization [6] of Grover's algorithm [12], which finds such an $x$ after $O(\sqrt{N^3/t}) = O(\sqrt{N^2}) = O(N)$ calls on $g$ (and therefore on $f$). Bob sends back $f(x)$ to Alice, who knows the value of $x$ because she was careful to keep her randomly chosen points. Therefore, $O(N)$ calls on $f$ by Alice and Bob suffice for them to agree on key $x$. The eavesdropper, on the other hand, is faced with the need to invert $f$ on a specific point of its image. Even with a quantum computer, this requires a number of calls on $f$ proportional to the square root of the number of points in its domain [5], which is $\Omega(\sqrt{N^3}) = \Omega(N^{3/2})$. This is more effort than what is required of the legitimate parties, yet less than quadratically so, as would have been possible in a classical world. Even though we have avoided the meltdown of Merkle's original approach, the introduction of quantum computers available to all sides seems to be to the advantage of the codebreakers. Can we remedy this situation? Furthermore, is any security possible at all against a quantum computer if both legitimate parties are restricted to being purely classical? We address these two questions in the rest of this paper.
Footnote: If an unstructured search problem has $t$ solutions among $M$ candidates, Grover's algorithm [12], or more precisely its so-called BBHT generalization [6], can find one of the solutions after $O(\sqrt{M/t})$ expected calls to a function that recognizes solutions among candidates. However, Theorem 4 of Ref. [7] implies that, whenever the number $t > 0$ is known, a solution can be found with certainty after $O(\sqrt{M/t})$ calls to that function in the worst case. From now on, when we mention Grover's algorithm or BBHT, we really mean this improvement according to Ref. [7].

Improved Quantum Key Establishment Scheme
For any positive integer $N$, let $[N]$ denote the set of integers from 1 to $N$. We describe our novel key establishment protocol assuming the existence of two black-box random functions $f : [N^3] \to [N^k]$ and $g : [N^3] \times [N^3] \to [N^{k'}]$ that can be accessed in quantum superposition of inputs. Constants $k$ and $k'$ are chosen large enough so that there is no collision in the images of $f$ and $g$, except with negligible probability. (For simplicity, we shall systematically disregard the possibility that such collisions might exist.) Notice that a single binary random oracle (which "implements" a random function from the integers to $\{0, 1\}$) could be used to define both functions $f$ and $g$ provided we disregard logarithmic factors in our analyses since $O(\log N)$ calls to the random oracle would suffice to compute $f$ or $g$ on any single input. For this reason, it is understood hereinafter that all our results are implicitly stated "up to logarithmic factors". As mentioned in the previous section, the only resource that we consider in our analyses of efficiency and lower bounds is the number of calls made to these functions or, equivalently, to the underlying binary random oracle.

Protocol 1.

1. Alice picks at random $N$ distinct values $\{x_1, x_2, \dots, x_N\} \subseteq [N^3]$ and transmits the encrypted values $y_i = f(x_i)$ to Bob. Let $X$ and $Y$ denote $\{x_i \mid 1 \le i \le N\}$ and $\{y_i \mid 1 \le i \le N\}$, respectively. Note that Alice knows both $X$ and $Y$, whereas Bob and the eavesdropper have immediate knowledge (i.e. without querying the black-box for function $f$) of $Y$ only.

2. Bob finds the pre-images $x$ and $x'$ of two distinct random elements in $Y$. To find each one of them, he uses BBHT [6] to search for an $x$ such that $\varphi(x) = 1$, where $\varphi : [N^3] \to \{0, 1\}$ is defined by $\varphi(x) = 1$ if $f(x) \in Y$ and $\varphi(x) = 0$ otherwise. There are exactly $N$ values of $x$ such that $\varphi(x) = 1$, out of $N^3$ points in the domain of $\varphi$. Therefore, Bob can find one such random $x$ with $O(\sqrt{N^3/N}) = O(N)$ calls to function $f$. He needs to repeat this process twice in order to get both $x$ and $x'$. (A small variation in function $\varphi$ can be used the second time to make sure that $x' \ne x$.)

3. Bob sends back $w = g(x, x')$ to Alice.

4. Because Alice had kept her randomly chosen set $X$, there are only $N^2$ candidate pairs $(x_i, x_j) \in X \times X$ such that $g(x_i, x_j)$ could equal $w$. Using Grover's algorithm, she can find the one pair $(x, x')$ that Bob has in mind with $O(\sqrt{N^2}) = O(N)$ calls to $g$.

5. The key shared by Alice and Bob is the pair $(x, x')$.

All counted, Alice makes $N$ calls to $f$ in step 1 and $O(N)$ calls to $g$ in step 4, whereas Bob makes $O(N)$ calls to $f$ in step 2 and a single call to $g$ in step 3. If the protocol is constructed over a binary random oracle, it will have to be called $O(N \log N)$ times since it takes $O(\log N)$ binary queries to compute either function on any given input.

Quantum Attack
All the obvious (and not so obvious) cryptanalytic attacks against this scheme, such as direct use of Grover's algorithm (or BBHT), or even more sophisticated attacks based on amplitude amplification [7], require the eavesdropper to call functions $f$ and/or $g$ $\Omega(N^2)$ times. Unfortunately, a more powerful attack based on the more recent paradigm of quantum walks in Markov chains [18] allows the eavesdropper to recover Alice and Bob's key $(x, x')$ with an expected $O(N^{5/3})$ calls to $f$ and $O(N)$ calls to $g$. This attack was inspired by Ambainis' quantum algorithm for element distinctness [2], which can find the unique pair $(i, j)$ such that $c(i) = c(j)$ with $O(N^{2/3})$ expected queries to a single-collision function $c$ whose domain contains $N$ elements (whereas all previous approaches based on Grover's algorithm and amplitude amplification [13, 9] had required $\Omega(N^{3/4})$ queries).
Theorem 1. There exists an eavesdropping strategy that outputs the pair $(x, x')$ in Protocol 1 with $O(N^{5/3})$ expected quantum queries to functions $f$ and $g$.

Proof.
In a nutshell, we apply Ambainis' algorithm for element distinctness with two modifications: (1) instead of looking for $i$ and $j$ such that $c(i) = c(j)$, we are looking for $x$ and $x'$ such that $g(x, x') = w$ and (2) instead of being able to get randomly chosen values in the image of $c$ with a single call to oracle $c$ per value, we need to get random elements of $X$ by applying BBHT on the list $Y$, which requires $O(\sqrt{N^3/N}) = O(N)$ calls to oracle $f$ per element. The second modification explains why the number of calls to $f$, compared to $O(N^{2/3})$ calls to $c$ for element distinctness, is multiplied by $O(N)$. Hence, we need $O(N^{5/3})$ calls to function $f$. To determine the number of calls required to function $g$, however, we have to delve deeper into the eavesdropping algorithm.
The eavesdropping algorithm uses a quantum walk on a Johnson graph; see the Appendix for a review of this topic. Each node of the graph contains some number $r$ (to be determined later) of distinct elements of $X$. We are looking for a node that contains the two elements $x$ and $x'$ such that $g(x, x') = w$, where $w$ is the value announced by Bob in step 3 of the protocol. We apply Theorem 5 (Appendix) to analyse the cost of a quantum walk on this graph [2, 18]. The set-up cost $S$ corresponds to finding $r$ random elements of $X$. Since BBHT can be used to find one such element with $O(N)$ calls to $f$, and even to find an element of $X$ guaranteed to be different from those already in the initial node (provided $r \ll N$, which it will be), $S = O(rN)$ calls to $f$. The update cost $U$ corresponds to finding one random element of $X$ not already in the node, which is $U = O(N)$ calls to $f$, again by BBHT. The checking cost $C$ requires us to decide if there is a pair $(x, x')$ of elements in the node such that $g(x, x') = w$, which can be done with $O(\sqrt{r^2}) = O(r)$ calls to $g$ using Grover's algorithm since there are $r^2$ pairs of elements in the node. Putting it all together with Theorem 5, and minimizing the number of calls to $f$, we choose $r$ so that $rN = N^2/\sqrt{r}$, which is $r = N^{2/3}$. It follows that a quantum eavesdropper is able to find the key $(x, x')$ with an expected $O(rN) = O(N^{5/3})$ calls to $f$ and $O(N)$ calls to $g$.
Note that the use of Grover's algorithm in the checking step was not necessary to prove Theorem 1. Should this step be carried out classically, this would result in $C = O(r^2)$ calls to $g$. The net result would be that the key is found after an expected $O(N^{5/3})$ calls to $f$ and also $O(N^{5/3})$ calls to $g$.

Lower Bound
The proof that the quantum attack described above against our protocol is optimal proceeds in three steps.
First, consider a function $c : [N] \to [N]$ so that there exists a single pair $(i, j)$, $1 \le i < j \le N$, for which $c(i) = c(j)$. Ambainis' quantum algorithm for element distinctness [2] can find this pair with $O(N^{2/3})$ queries to function $c$ and Scott Aaronson and Yaoyun Shi proved that this is optimal even for the decision version of this problem [1].

Now, consider a function $h$ whose domain is composed of $N$ "buckets" of size $N^2$, where $h(i, \cdot)$ corresponds to the $i$th bucket, $1 \le i \le N$. In bucket $i$, all values of the function are 0 except for one: there is a single random $v_i \in [N^2]$ such that $h(i, v_i) = c(i)$. It follows from the definitions of $c$ and $h$ that there is a single pair of distinct $a$ and $b$ in the domain of $h$ such that $h(a) = h(b) \ne 0$. How difficult is it to find this pair given a black box for function $h$ but no direct access to $c$?

Lemma 1. Given $h$ structured as above, finding the pair of distinct elements $a$ and $b$ in the domain of $h$ such that $h(a) = h(b) \ne 0$ requires $\Omega(N^{5/3})$ quantum queries to $h$, except with vanishing probability.

Proof. This problem can be modelled as the composition of element distinctness across buckets with finding the single non-zero entry in each bucket. It is therefore a special case of technical Lemma 5, stated in the Appendix, with parameters $\kappa = N$ (the number of buckets) and $\eta = N^2$ (the size of the buckets). It follows that finding the desired pair $(a, b)$ requires $\Omega(N^{5/3})$ quantum queries to $h$, except with vanishing probability.

Consider now a slightly different search problem in which there are no buckets anymore, but there is an added coordinate in the image of the function: $h' : [N^3] \to [N]' \times [N]'$ is defined so that $h'(a) = (0, 0)$ on all but $N$ randomly chosen points in its domain, namely $w_1, w_2, \dots, w_N$. On these $N$ points, $h'(w_i) = (i, c(i))$, where $c$ is the function considered at the beginning of this section. We are required to find the unique pair of distinct $a$ and $b$ in $[N^3]$ such that $\pi_2(h'(a)) = \pi_2(h'(b)) \ne 0$, where "$\pi_2$" denotes the projection on the second coordinate (similarly for "$\pi_1$"). The lower bound on the earlier search problem concerning $h$ implies directly the same lower bound on the new search problem concerning $h'$ since any algorithm capable of solving the new problem can be used at the same cost to solve the earlier problem through randomization. In other words, the more structured version of the problem cannot be harder than the less structured one. The next Lemma formalizes the argument above.

Lemma 2. Given $h'$ structured as above, finding the pair of distinct elements $a$ and $b$ in the domain of $h'$ such that $\pi_2(h'(a)) = \pi_2(h'(b)) \ne 0$ requires $\Omega(N^{5/3})$ quantum queries to $h'$, except with vanishing probability.

Proof. Define an intermediary function $\tilde{h}$ between $h$ and $h'$. It is elementary to reduce the search problem concerning $h$ to the one concerning $\tilde{h}$, as well as the search problem concerning $\tilde{h}$ to the one concerning $h'$. Therefore, the lower bound concerning $h$ given by Lemma 1 applies mutatis mutandis to $h'$.
Finally, we show how to reduce the search problem concerning h ′ to the cryptanalytic difficulty for the eavesdropper to determine the key that Alice and Bob have established by using our protocol.This is the last step in proving the security of our scheme.
Theorem 2. Any eavesdropping strategy that recovers the key $(x, x')$ in Protocol 1 requires a total of $\Omega(N^{5/3})$ quantum queries to functions $f$ and $g$, except with vanishing probability.

Proof. Consider any eavesdropping strategy $A$ that listens to the communication between Alice and Bob and tries to determine the key $(x, x')$ by querying black-box functions $f$ and $g$. In fact, there are no Alice and Bob at all! Instead, there is a function $h' : [N^3] \to [N]' \times [N]'$ as described above, for which we want to solve the search problem by using unsuspecting $A$ as a resource.
We start by supplying $A$ with a completely fake "conversation" between "Alice" and "Bob": for sufficiently large $k$ and $k'$, we choose randomly $N$ points $y_1, y_2, \dots, y_N$ in $[N^k]$ and one point $w \in [N^{k'}]$ and we pretend that Alice has sent the $y$'s to Bob and that Bob has responded with $w$. We also choose random functions $\hat f : [N^3] \to [N^k]$ and $\hat g : [N^3] \times [N^3] \to [N^{k'}]$ as well as a random Boolean $s \in \{\text{true}, \text{false}\}$. Note that the selection of $\hat f$ and $\hat g$ may take a lot of time, but this does not count towards the number of queries that will be made of function $h'$, and our lower bound on the search problem concerns only this number of queries. We could be tempted to choose randomly the values of $\hat f$ and $\hat g$ on the fly, whenever they are needed, but this is not an option for a quantum process because the values returned must be consistent whenever the same input is queried in different paths of the superposition. The Boolean $s$ indicates, when true (resp. false), that the fake "execution" is such that "Bob" has first picked $x$ and then $x'$ such that $x < x'$ (resp. $x > x'$). Both cases happen with probability $1/2$ in any real execution and for any public announcements $Y$ and $w$. The value $s$ will be used in the reduction to distinguish between $g(x, x')$ and $g(x', x)$ so that only $g(x, x')$ will be set to $w$. Now, we wait for $A$'s queries to $f$ and $g$.
• When $A$ asks for $f(i)$ for some $i \in [N^3]$, there are two possibilities.
  - If $h'(i) = (0, 0)$, return $\hat f(i)$ as value for $f(i)$.
  - Otherwise $h'(i) = (\ell, c(\ell))$ for some $\ell \in [N]$; return $y_\ell$ as value for $f(i)$.
• When $A$ asks for $g(i, j)$ for some $i, j \in [N^3]$, there are again two possibilities.
  - If $\pi_2(h'(i)) = \pi_2(h'(j)) \ne 0$ and either $s$ is true and $i < j$ or $s$ is false and $i > j$, return $w$ as value for $g(i, j)$.
  - Otherwise, return $\hat g(i, j)$ as value for $g(i, j)$.
Suppose $A$ happily returns the pair $(i, j)$ for which it was told that $g(i, j) = w$, which is what a successful eavesdropper is supposed to do. This pair is in fact the answer to the search problem concerning $h'$ since $g(i, j) = w$ implies that $\pi_2(h'(i)) = \pi_2(h'(j)) \ne 0$, except with the negligible probability that $\hat g(i', j') = w$ for some query $(i', j')$ that $A$ asks about $g$. Queries asked by $A$ concerning $f$ and $g$ are answered in the same way as they would be if $f$ and $g$ were two random functions consistent with the $Y$ and $w$ announced by Alice and Bob during the execution of a real protocol. To see this, remember that $Y$ (subset of $[N^k]$) and $w$ (element of $[N^{k'}]$) are uniformly picked at random in both the simulated and the real worlds. Moreover, the simulated function $f$ is such that $f(i)$ is random when $h'(i) = (0, 0)$. The remaining $N$ output values are in $Y$, as expected by $A$. On the other hand, the simulated function $g$ is random everywhere except for one single input pair $(i, j)$, $i \ne j$, for which $g(i, j) = w$, as is also expected by $A$. Therefore, $A$ will behave in the environment provided by the simulation exactly as in the real world. Since we disregard the negligible possibility that $g$ might not be one-to-one, the reduction solves the search problem concerning $h'$ whenever $A$ succeeds in finding the key. Notice finally that each (new) question asked by $A$ to either $f$ or $g$ translates to one or two questions actually asked to $h'$. It follows that any successful cryptanalytic strategy that makes $o(N^{5/3})$ total queries to $f$ and $g$ would solve the search problem with only $o(N^{5/3})$ queries to function $h'$, which is impossible, except with vanishing probability. This demonstrates the $\Omega(N^{5/3})$ lower bound on the cryptanalytic difficulty of breaking our key establishment protocol, again except with vanishing probability, which matches the upper bound provided by the explicit attack given in Sect. 3.1.

Fully Classical Key Establishment Scheme
In this section, we revert to the original setting imagined by Merkle in the sense that Alice and Bob are now purely classical. However, we allow full quantum power to the eavesdropper. Recall that Merkle's original schemes [16, 17] are completely broken in this context [8]. Is it possible to restore some security in this highly adversarial (and unfair!) scenario? The following purely classical key establishment protocol, which is inspired by our quantum protocol described in the previous section, provides a positive answer to this conundrum. This time, black-box random functions $f$ and $g$ are defined on a smaller domain to compensate for the fact that classical Alice and Bob can no longer use Grover's algorithm. Specifically, $f : [N^2] \to [N^k]$ and $g : [N^2] \times [N^2] \to [N^{k'}]$, again with sufficiently large $k$ and $k'$ to avoid collisions in these functions, except with negligible probability ($k$ and $k'$ need not be the same here as in the previous section). As before, these two functions could be replaced by a single binary random oracle. For simplicity, we choose $N$ to be a perfect square.

Protocol 2.

1. Alice picks at random $N$ distinct values $\{x_1, x_2, \dots, x_N\} \subseteq [N^2]$ and transmits the encrypted values $y_i = f(x_i)$ to Bob. Let $X$ and $Y$ denote $\{x_i \mid 1 \le i \le N\}$ and $\{y_i \mid 1 \le i \le N\}$, respectively.

2. Bob finds the pre-images $x$ and $x'$ of two distinct random elements in $Y$. To find each one of them, he chooses random values in $[N^2]$ and applies $f$ to them until one is found whose image is in $Y$. By virtue of the birthday paradox, he is expected to succeed after $O(\sqrt{N^2}) = O(N)$ calls to function $f$. Until now this is identical to Merkle's original scheme, except for the fact that Bob needs to find two elements of $X$ rather than one.

3. Bob sends back $w = g(x, x')$ to Alice. In addition, he chooses $\sqrt{N} - 2$ random elements from $Y \setminus \{f(x), f(x')\}$ and he forms a set $Y'$ of cardinality $\sqrt{N}$ by adding $f(x)$ and $f(x')$ to those elements. He sends the elements of $Y'$ to Alice in increasing order of values.

4. Because Alice had kept her randomly chosen set $X$, she knows the preimages of each element of $Y'$; let $X'$ denote this set of $\sqrt{N}$ preimages. By exhaustive search over all pairs of elements of $X'$, Alice finds the one pair $(x, x')$ such that $g(x, x') = w$.

5. The key shared by Alice and Bob is the pair $(x, x')$.

All counted, Alice makes $N$ calls to $f$ in step 1 and at most $N$ calls to $g$ in step 4 because there are $\sqrt{N} \cdot \sqrt{N} = N$ pairs of elements of $X'$ and one of them is the correct one. As for Bob, he makes an expected $O(N)$ calls to $f$ in step 2 and a single call to $g$ in step 3. The total expected number of calls to $f$ and $g$ is therefore in $O(N)$ for both legitimate parties.
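As an added, runnable illustration (not code from the paper) of both Merkle's 1974 guessing scheme from Sect. 2 and Protocol 2 above, the following Python simulation models the black-box functions as lazily sampled random tables that count every query, then plays out the legitimate parties' steps and, for the 1974 scheme, the classical eavesdropper's exhaustive inversion. The quantum eavesdropper of Sect. 4.1 cannot be simulated classically and is not included. The choice of $N^6$ as the range of $f$ and $g$ (so that they are injective except with negligible probability), the $3N$ guesses per site in the 1974 scheme, and all helper names are assumptions of this example.

```python
import random
from math import isqrt


class CountingOracle:
    """Lazily sampled random function whose every call is charged as one query.
    The range (codomain) is taken much larger than the domain so that the
    function is injective except with negligible probability, i.e. it behaves
    like the "one-way encryption" f of the black-box model (an assumption of
    this example, not a construction from the paper)."""

    def __init__(self, rng, codomain):
        self.rng, self.codomain, self.table, self.queries = rng, codomain, {}, 0

    def __call__(self, x):
        self.queries += 1
        if x not in self.table:
            self.table[x] = self.rng.randrange(self.codomain)
        return self.table[x]


def merkle_1974(N, seed=0, guesses_per_site=None):
    """Merkle's 1974 guessing scheme over a domain of N**2 points, followed by
    the classical eavesdropper inverting f by exhaustive search.
    Returns (shared_key or None, legitimate_f_queries, eavesdropper_f_queries)."""
    rng, domain = random.Random(seed), N * N
    m = guesses_per_site or 3 * N      # 3N guesses per site: no collision only with prob. ~e^-9
    f = CountingOracle(rng, N ** 6)
    alice = {f(x): x for x in rng.sample(range(domain), m)}   # Alice sends the f(x)'s
    bob = {f(x): x for x in rng.sample(range(domain), m)}     # so does Bob
    common = sorted(set(alice) & set(bob))                    # compared in the clear
    legit = f.queries
    if not common:
        return None, legit, 0
    y = common[0]                      # the agreed "one-way encrypted" keyword
    # The eavesdropper sees y and, in the black-box model, can only try preimages:
    # on average half the domain, i.e. about N**2 / 2 calls, against 2m = O(N) legitimate calls.
    for x in rng.sample(range(domain), domain):
        if f(x) == y:
            break
    return alice[y], legit, f.queries - legit


def protocol_2(N, seed=0):
    """Protocol 2 with purely classical Alice and Bob; N must be a perfect square.
    Returns (keys_agree, f_queries, g_queries) counted over both legitimate parties
    (the quantum eavesdropper of Sect. 4.1 is not simulated here)."""
    rng, s, domain = random.Random(seed), isqrt(N), N * N
    if s * s != N:
        raise ValueError("N must be a perfect square")
    f, g = CountingOracle(rng, N ** 6), CountingOracle(rng, N ** 6)
    # Step 1: Alice keeps X, transmits Y = f(X); Y is public.
    X = rng.sample(range(domain), N)
    Y = [f(x) for x in X]
    alice_preimage = dict(zip(Y, X))
    # Step 2: Bob finds preimages of two elements of Y exactly as Merkle's Bob would:
    # random points of [N^2] until f lands in Y (one hit per N tries on average).
    Y_set, hits = set(Y), {}
    while len(hits) < 2:
        x = rng.randrange(domain)
        y = f(x)
        if y in Y_set:
            hits[x] = y
    (x, fx), (xp, fxp) = hits.items()
    # Step 3: Bob announces w = g(x, x') and a sorted set Y' of size sqrt(N) that
    # hides f(x) and f(x') among sqrt(N) - 2 decoys drawn from Y.
    w = g((x, xp))
    decoys = rng.sample([y for y in Y if y not in (fx, fxp)], s - 2)
    Y_prime = sorted(decoys + [fx, fxp])
    # Step 4: Alice maps Y' back to X' for free (she kept X) and tries the at most
    # N ordered pairs of X' until g matches w.
    X_prime = [alice_preimage[y] for y in Y_prime]
    alice_key = next((a, b) for a in X_prime for b in X_prime
                     if a != b and g((a, b)) == w)
    # Step 5: the shared key is the pair (x, x').
    return alice_key == (x, xp), f.queries, g.queries


if __name__ == "__main__":
    key, legit, eve = merkle_1974(40, seed=1)
    print("Merkle 1974: key", key, "legitimate f calls", legit, "eavesdropper f calls", eve)
    print("Protocol 2 (N=64): agree, f calls, g calls =", protocol_2(64, seed=1))
```

With $N = 40$ the 1974 scheme costs the two sites $2 \cdot 3N = 240$ calls to $f$ while the eavesdropper's exhaustive inversion averages about $N^2/2 = 800$ calls over many seeds, the quadratic gap of Sect. 2. For Protocol 2 with $N = 64$ the legitimate parties together make about $3N$ calls to $f$ and at most $N + 1$ calls to $g$, matching the count in the paragraph above; what the simulation cannot show is the $\Theta(N^{13/12})$ quantum cost of Sect. 4.1.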

Quantum Attack
Theorem 3. There exists an eavesdropping strategy that outputs the pair $(x, x')$ in Protocol 2 with $O(N^{13/12})$ expected quantum queries to functions $f$ and $g$.

Proof. A quantum eavesdropper can set up a walk in a Johnson graph very similar to the one explained in Sect. 3.1, except that now the nodes in the graph contain some number $r$ (to be determined later) of distinct elements of $X'$ (rather than of $X$). The eavesdropper can find random elements of $X'$ from his knowledge of $Y'$ by running BBHT over the $N^2$ points of the domain, among which the $\sqrt{N}$ elements of $X'$ are the solutions, with an expected $O(\sqrt{N^2/\sqrt{N}}) = O(N^{3/4})$ calls to $f$ per element of $X'$. Therefore, $S = O(rN^{3/4})$ calls to $f$, $U = O(N^{3/4})$ calls to $f$ and $C = O(r)$ calls to $g$. Furthermore, $\delta$ is still $\Theta(1/r)$ but $\varepsilon = \Omega(r^2/N)$.

Putting it all together with Theorem 5, and minimizing the number of calls to $f$, we choose $r$ so that $rN^{3/4} = N^{5/4}/\sqrt{r}$, which is $r = N^{1/3}$. It follows that a quantum eavesdropper is able to find the key $(x, x')$ with an expected $O(rN^{3/4}) = O(N^{13/12})$ calls to $f$ and $O(\sqrt{N})$ calls to $g$.
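A worked derivation of the two walk costs, added here rather than taken from the paper's text. It assumes that Theorem 5 of the Appendix (not reproduced on this page) is the Magniez, Nayak, Roland and Santha bound, under which a quantum walk with set-up cost $S$, update cost $U$, checking cost $C$, spectral gap $\delta$ and fraction $\varepsilon$ of marked nodes costs $O\big(S + \frac{1}{\sqrt{\varepsilon}}\big(\frac{1}{\sqrt{\delta}}U + C\big)\big)$, and that $\varepsilon = \Theta(r^2/N^2)$ for Protocol 1 (the page states only the Protocol 2 value $\varepsilon = \Theta(r^2/N)$; both are the usual values for Johnson-graph nodes of $r$ elements that must contain two fixed elements out of $N$, respectively $\sqrt{N}$).

Protocol 1, with $S = rN$, $U = N$, $C = r$, $\delta = \Theta(1/r)$, $\varepsilon = \Theta(r^2/N^2)$:
$$
\text{calls to } f:\quad rN + \frac{N}{r}\cdot \sqrt{r}\,N \;=\; rN + \frac{N^2}{\sqrt{r}}, \qquad
rN = \frac{N^2}{\sqrt{r}} \iff r^{3/2} = N \iff r = N^{2/3},
$$
$$
\text{giving } O(N^{5/3}) \text{ calls to } f, \quad
\text{calls to } g:\quad \frac{N}{r}\cdot r = O(N) \;\;(\text{Grover check, } C = r), \qquad
\frac{N}{r}\cdot r^2 = rN = O(N^{5/3}) \;\;(\text{classical check, } C = r^2).
$$

Protocol 2, with $S = rN^{3/4}$, $U = N^{3/4}$, $C = r$, $\delta = \Theta(1/r)$, $\varepsilon = \Theta(r^2/N)$:
$$
\text{calls to } f:\quad rN^{3/4} + \frac{\sqrt{N}}{r}\cdot \sqrt{r}\,N^{3/4} \;=\; rN^{3/4} + \frac{N^{5/4}}{\sqrt{r}}, \qquad
rN^{3/4} = \frac{N^{5/4}}{\sqrt{r}} \iff r^{3/2} = N^{1/2} \iff r = N^{1/3},
$$
$$
\text{giving } O(N^{1/3 + 3/4}) = O(N^{13/12}) \text{ calls to } f, \quad
\text{calls to } g:\quad \frac{\sqrt{N}}{r}\cdot r = O(\sqrt{N}).
$$

In both cases the $U/\sqrt{\delta}$ term dominates $C$ inside the bracket, so balancing the set-up term against the update term is what fixes $r$; the checking cost only decides the number of calls to $g$, which is why a classical check changes the $g$ count but not the $f$ count.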

Lower Bound
The proof that it is not possible to find the key $(x, x')$ with fewer than $\Omega(N^{13/12})$ calls to $f$ and $g$, except with vanishing probability, follows the same lines as the lower bound proof in Sect. 3.2. It is therefore possible for purely classical Alice and Bob to agree on a shared key after calling $f$ and $g$ an expected number of times in the order of $N$ whereas it is not possible, even for a quantum eavesdropper, to be privy to their secret with an effort in the same order, except with vanishing probability.
We refer the reader to Sect. 3 for the meaning of notation $[N]$ and to Sect. 3.2 for the definitions of projectors $\pi_1$, $\pi_2$, and the meaning of notation $[N]'$.

Consider a function c : [
] so that there is a single pair (i, j), 1 i < j √ N , for which c(i) = c(j).Aaronson and Shi's lower bound [1] tells us that finding this pair requires Ω(( √ N ) 2/3 ) = Ω(N 1/3 ) calls to function c.Now, consider a function h In bucket i, all values of the function are 0 except for one: there is a single random v i ∈ [N 3/2 ] such that h(i, v i ) = c(i).It follows from the definitions of c and h that there is a single pair of distinct a and b in the domain of h such that h(a) = h(b) = 0. Lemma 3. Given h structured as above, finding the pair of distinct elements a and b in the domain of h such that h(a) = h(b) = 0 requires Ω(N 13/12 ) quantum queries to h, except with vanishing probability.
Proof.The proof is identical to the one for Lemma 1, mutatis mutandis.It is again a special case of Lemma 5, but with parameters κ = √ N (the number of buckets) and η = N 3/2 (the size of the buckets).It follows that finding the desired pair (a, b) requires quantum queries to h, except with vanishing probability.
denote the unstructured version of the same search problem for h, defined the same way as in Sect.3.2, mutatis mutandis.There is a single pair of distinct elements a and b such that π 2 (h ′ (a)) = π 2 (h ′ (b)) = 0.The problem of finding this pair is at least as difficult as finding the collision in h.Lemma 4. Given h ′ structured as above, finding the pair of distinct elements a and b in the domain of h ′ such that π 2 (h ′ (a)) = π 2 (h ′ (b)) = 0 requires Ω(N 13/12 ) quantum queries to h ′ , except with vanishing probability.
It remains to show that the search problem concerning h′ reduces to the cryptanalytic difficulty for the eavesdropper to determine the key established by Alice and Bob.

Theorem 4. Any eavesdropping strategy that recovers the key (x, x′) in Protocol 2 requires a total of Ω(N^{13/12}) quantum queries to functions f and g, except with vanishing probability.
Proof. Consider any eavesdropping strategy A that listens to the communication between Alice and Bob and tries to determine the key (x, x′) by querying the black-box functions f and g. As before, the reduction does not have access to Alice and Bob but instead to a function as described above, given as an oracle, for which we want to solve the search problem by using A as a resource.
We choose random functions f : as well as a random Boolean s ∈ {true, false}, which has the same purpose as in the proof of Theorem 2. Let Im(f) denote the image of function f. We then supply A with a fake "conversation" between "Alice" and "Bob": we choose randomly

Late Breaking News

Very recently, we have developed improved protocols, which will be the topic of a subsequent paper. Here, we simply sketch these protocols and claim their security. We still need two black-box random functions, the first one of which is unchanged: depending on whether the protocol is quantum or classical. As before, k is chosen sufficiently large to make f one-to-one except with negligible probability. The condition on k′ is slightly different: we choose it large enough to ensure that t(a) ⊕ t(b) ⊕ t(c) ⊕ t(d) ≠ 0 whenever {a, b, c, d} contains at least three distinct elements in the domain of t, except with negligible probability, where "⊕" denotes the bitwise exclusive-or.
Steps 1, 2 and 5 of the new quantum protocol are exactly as in Protocol 1. At Step 3, Bob sends back w = t(x) ⊕ t(x′) to Alice. At Step 4, Alice uses her knowledge of X to determine x and x′ from w. The solution is unique, except with negligible probability, provided Bob reorders x and x′ if necessary so that f(x) came before f(x′) in the list Y received from Alice at Step 1. If we care only about the number of queries to the black-box functions, it is obvious that classical Alice can find this pair with exactly N additional queries to function t. Nevertheless, if we also care about computation time, one might think that Alice has to use quantum computation (Grover's algorithm) in order to find this unique pair in linear time among the N^2 pairs of elements of X. However, it is a simple exercise (left to the reader) to compute this pair classically in O(N log N) time by sorting, or even in O(N) expected time by universal hashing [10]. A proof very similar to that of Theorem 2 shows that the best quantum cryptanalytic attack on this scheme requires Θ(N^{5/3}) queries. Hence, this scheme is exactly as secure as Protocol 1, but it has the advantage of requiring only Bob to use quantum-computational capabilities, much as was the case in Ref. [8].
The advantage of this technique is more spectacular when we consider fully classical protocols. Indeed, it suffices to reduce the domain of f and t from [N^3] to [N^2] to make it possible for classical Bob to compute x and x′ efficiently at Step 2 (as in Protocol 2), and now Steps 3 to 5 can be exactly as above since Alice was already classical. The first benefit of this approach is that there is no need for Bob to transmit the subset Y′ as in Protocol 2. The much more important benefit is that it deprives the eavesdropper of useful information. As a consequence, we can prove that the best quantum cryptanalytic attack on this scheme requires Θ(N^{7/6}) queries. This is strictly better than Protocol 2, which was broken with a mere Θ(N^{13/12}) queries.
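Alice's Step 4 computation, common to the quantum sketch and the fully classical one above (they share Steps 3 to 5), as an added example that is not the paper's code: a keyed hash stands in for the random black-box function t, and N, k′, the seed and the key are constructed values.

```python
import hashlib
import random

# Added simulation of Steps 3 and 4 of the protocols sketched above (not the
# paper's code). The random black-box function t is replaced by a keyed hash
# truncated to k' bits; N, k', the seed and the key are constructed values.

def make_oracle(key: bytes, k_prime: int):
    """Stand-in for the random function t with k'-bit outputs."""
    def t(v: int) -> int:
        d = hashlib.blake2b(v.to_bytes(8, "big"), key=key, digest_size=8).digest()
        return int.from_bytes(d, "big") & ((1 << k_prime) - 1)
    return t

def bob_step3(x: int, x_prime: int, t) -> int:
    """Step 3: Bob sends w = t(x) XOR t(x') instead of the pair itself."""
    return t(x) ^ t(x_prime)

def alice_step4(X, w: int, t):
    """Step 4 by hashing: every {x0, x} in X with t(x0) XOR t(x) == w, using
    exactly N queries to t and O(N) expected time. X is kept in the order of
    the f-values Alice sent as Y, so each pair comes out in Bob's order."""
    seen = {}                 # t(x0) -> x0 for the elements already scanned
    matches = []
    for x in X:
        tx = t(x)
        if tx ^ w in seen:    # an earlier x0 satisfies t(x0) XOR t(x) == w
            matches.append((seen[tx ^ w], x))
        seen[tx] = x
    return matches

def simulate(N: int, k_prime: int, seed: int = 0):
    """One run: returns Bob's pair and the list of pairs Alice recovers."""
    rng = random.Random(seed)
    key = rng.getrandbits(128).to_bytes(16, "big")
    t = make_oracle(key, k_prime)
    X = rng.sample(range(N ** 3), N)        # Alice's list; domain [N^3] as in
                                            # the quantum variant ([N^2] classical)
    i, j = sorted(rng.sample(range(N), 2))  # Bob's pair, ordered as in Y
    x, x_prime = X[i], X[j]
    w = bob_step3(x, x_prime, t)
    return (x, x_prime), alice_step4(X, w, t)

def spurious_pairs(N: int, k_prime: int, seed: int = 0) -> int:
    """Number of recovered pairs other than Bob's. In this simulation k' must
    be well above 2*log2(N) bits for Alice's pair to be unique: with k' = 8
    and N = 1000 the roughly N^2/2 candidate pairs almost surely yield extras."""
    bobs_pair, found = simulate(N, k_prime, seed)
    return sum(1 for p in found if p != bobs_pair)
```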

Conclusion, Conjectures and Open Questions
We presented an improved protocol for quantum key establishment over a classical channel and the first purely classical protocols for key establishment that are secure against a quantum adversary. Is it possible that they are optimal, i.e. that Θ(N^{5/3}) quantum queries would be required to break the best quantum protocol and Θ(N^{7/6}) for the best classical protocol? We conjecture that they are not. Indeed, we have discovered two sequences of protocols Q_ℓ and C_ℓ for ℓ ≥ 2 (which we shall describe in a subsequent paper) with the following properties. In protocol Q_ℓ, a classical Alice establishes a key with a quantum Bob after O(N) accesses to a random oracle in such a way that our most efficient quantum eavesdropping strategy requires the eavesdropper to access the same random oracle Θ(N^{1 + ℓ/(ℓ+1)}) expected times. In protocol C_ℓ, purely classical Alice and Bob establish a key after O(N) accesses to a random oracle in such a way that our most efficient quantum eavesdropping strategy requires the eavesdropper to access the same random oracle Θ(N^{1/2 + ℓ/(ℓ+1)}) expected times.
Our attacks proceed by quantum walks in Johnson graphs similar to those exploited in the proofs of Theorems 1 and 3 to obtain optimal attacks against our Protocols 1 and 2. If they are also the best possible against our new protocols, then key establishment protocols à la Merkle can be made nearly as secure in our quantum world as they were in the whimsical classical world known to Merkle in 1974: security arbitrarily close to quadratic can be restored. The obvious open question is to prove the optimality of our attacks. It would also be interesting to find a quantum protocol that exactly achieves quadratic security... or better! Indeed, even though it has been proven in the classical case that quadratic security is the best that can be achieved [3], there is no compelling evidence yet that such a limitation exists in the quantum world.
If our quantum attacks against the classical protocols are optimal, classical Alice and Bob can establish a secret key against a quantum eavesdropper with security (in the limit) as good as was known to be possible for quantum Alice and Bob before this work [8]. The main open question would be to break the Ω(N^{3/2}) barrier, or to prove that this is not possible.
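The exponents above, instantiated as an added consistency check that is not part of the paper: the Lemma 5 parameters used for Lemma 3, and the ℓ = 2 and ℓ → ∞ cases of the conjectured sequences Q_ℓ and C_ℓ.

$$\kappa^{2/3}\,\eta^{1/2} \;=\; (\sqrt N)^{2/3}\,(N^{3/2})^{1/2} \;=\; N^{1/3}\cdot N^{3/4} \;=\; N^{13/12}\qquad(\text{Lemma 3})$$

$$Q_\ell:\quad 1+\frac{\ell}{\ell+1} \;=\; \frac{2\ell+1}{\ell+1}\;\longrightarrow\; \tfrac{5}{3}\ (\ell=2),\qquad 2\ (\ell\to\infty)$$

$$C_\ell:\quad \frac12+\frac{\ell}{\ell+1} \;=\; \frac{3\ell+1}{2(\ell+1)}\;\longrightarrow\; \tfrac{7}{6}\ (\ell=2),\qquad \tfrac32\ (\ell\to\infty)$$

Thus ℓ = 2 recovers the Θ(N^{5/3}) and Θ(N^{7/6}) bounds of the improved protocols, while the limits are quadratic security and the Ω(N^{3/2}) barrier mentioned above.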
Even though our protocols Q_ℓ and C_ℓ require classical Alice to access the random black-box functions only N times, she has to work for a time in Θ(N^{⌈ℓ/2⌉}) to complete her share of the protocol, which is more than linear when ℓ ≥ 3. Could similar protocols exist in which Alice would be efficient even outside the required calls to the black-box function? Finally, our lower bounds prove that it is not possible for the eavesdropper to learn Alice and Bob's key (x, x′), except with vanishing probability, unless she queries the black-box functions significantly more than the legitimate parties. However, we have not addressed the possibility that the eavesdropper might efficiently obtain partial information about the key. We leave this important issue for further research.
for each i and then finding two of those elements, among κ possibilities, that are not distinct. Our main technical lemma, below, gives a lower bound on the number of queries to h that are required.

Lemma 5. Finding a nonzero collision in h, structured as above, requires Ω(κ^{2/3} η^{1/2}) quantum queries to h, except with vanishing probability.
It is more convenient to prove this lower bound for the related decision problem: we are given a function h of the type above, but it is either based on a function c that has a single collision (as above) or on a one-to-one function c (in which case h is collision-free, except for the value 0 in its image). The task is to decide which is the case. Obviously, any algorithm that can solve the search problem with probability of success at least p > 0 can be used to solve the decision problem with error bounded by 1/2 − p/2: run the search algorithm; if a collision is found (and verified), output "collision", otherwise output either "collision" or "no collision" with equal probability after flipping a fair coin. It follows that any lower bound on the bounded-error decision problem applies equally well to the search problem.
We shall change the notation in order to adapt it to the normal usage in the field of quantum query complexity. The function c : [κ] → [κ] is represented by an element of [κ]^κ. This makes it possible to think of the decision version of element distinctness as a Boolean function ED : [κ]^κ → {0, 1}, although it is a partial function since there is a promise on the valid inputs to ED: given κ integers (z_1, ..., z_κ) ∈ [κ]^κ, the promise is that either all the elements are distinct or all the elements are distinct except two, say z_i = z_j. The goal is to decide which of the two cases occurs by making as few queries as possible to the function that returns z_i on input i.
Ambainis' element distinctness quantum algorithm [2] runs in O(κ^{2/3}) queries to the input, and Aaronson and Shi proved that this is optimal [1]. Although the lower bound was proven using the polynomial method [4], a recent theorem of Ref. [15] shows that the generalized adversary bound is tight for total and partial functions. Since our proof of the lower bound is derived using the generalized adversary method [14], we may conclude that there exists an Ω(κ^{2/3}) adversary bound for element distinctness.
We compose the element distinctness problem with κ instances of a promise version of a search problem, which we call pSEARCH.

Definition 1. pSEARCH : P → A with P ⊆ (A′)^η is a promise problem. On input (a_1, ..., a_η), the promise P is that all but one of the values are zero. The goal is to find and output this nonzero value by making queries that take i as input and return a_i.
We now prove that the quantum query complexity of H is in Ω(κ^{2/3} η^{1/2}). The proof uses the generalized adversary method for quantum query complexity, which we briefly describe here. Suppose we want to determine the quantum query complexity of a function F. First, we assign weights to pairs of inputs in order to bring out how hard it is (in terms of number of queries) to distinguish these inputs from one another. The adversary lower bound is the worst ratio of the spectral norm of this weight matrix, which measures the overall progress necessary for the algorithm to be correct, to the spectral norms of associated matrices, which measure the maximum amount of progress that can be achieved by making a single query.
To prove this, we define an adversary matrix Γ_H for H and compute its spectrum. The largest eigenvalues of Γ_H and Γ_H ∘ D_ℓ give our lower bound on ADV^±(H).
The structure of Γ_i allows us to consider it as M × M blocks, each of size η × η, as follows. Rows and columns of Γ_i, indexed by inputs of the form x_i = (a_1, ..., a_η) ∈ P, are sorted according to the value x̃_i = G_i(x_i). The submatrix Γ_i^{(x̃_i, ỹ_i)} is the restriction of Γ_i to the rows and columns such that G_i(x_i) = x̃_i and G_i(y_i) = ỹ_i. Denote by I_M and 1_M the M × M identity matrix and all-one matrix, respectively. When Γ_i = (1_M − I_M) ⊗ S_i, the diagonal blocks are the all-zero matrix and the off-diagonal blocks are equal to the matrix S_i. Each block labelled (x̃_i, ỹ_i) contains inputs x_i, y_i which map to the same output values, that is, G_i(x_i) = x̃_i and G_i(y_i) = ỹ_i.
We define Γ_H on blocks labelled by (x̃, ỹ) ∈ A^κ × A^κ. The submatrix Γ_H^{(x̃, ỹ)} is the restriction of Γ_H to the rows and columns indexed by x = (x_1, ..., x_κ), y = (y_1, ..., y_κ) ∈ P^κ such that (G_1(x_1), ..., G_κ(x_κ)) = x̃ and (G_1(y_1), ..., G_κ(y_κ)) = ỹ: Here, we have used the modified adversary matrices, which add S_i to the diagonal, to prevent zeroing out the block of H when x̃_i equals ỹ_i in one of its components. The fundamental property of Γ_H is that its norm is the product of the norms of the matrices Γ_F and S_i.
Claim 1. For the matrix Γ_H defined as above,

We defer the proof of this claim and first see how it implies Equation 1. Claim 1 gives us the norm of Γ_H, and it remains to compute max_ℓ ‖Γ_H ∘ D_ℓ‖ (Definition 2). Let us turn to the matrix Γ_H ∘ D_ℓ to see that it shares the structure of Γ_H, so we can also apply Claim 1 to compute its norm. Recall that the domain of H is P^κ, where P ⊆ (A′)^η. An index ℓ into an input x to H decomposes into p ∈ [κ], an index within x, and the index q ∈ [η] within x_p seen as a vector in (A′)^η.

Claim 2. Γ
Proof of Claim 2. Restricting to the block labelled by x̃ and ỹ, Ref. [14] shows that Here we use the second property of pSEARCH: for each q, there exist matrices Δ_q and Δ′_q such that, when restricted to blocks, D_q = (1_M − I_M) ⊗ Δ_q + I_M ⊗ Δ′_q. Therefore, Γ_p ∘ D_q has the same block structure as Γ_p and, by Claim 1, we get the expression for Γ_H ∘ D_ℓ given in Claim 2.
Equation 1 follows from Claims 1 and 2.
and therefore ADV^±(H; Γ_H) ADV^±(F) · min As we can see from the following eigenvalue equation, λ_{i,j}^{x̃_i = ỹ_i} is the eigenvalue of Γ_i^{(x̃_i, ỹ_i)} associated with the vector δ_{i,j}:

$$\Gamma_i^{(\tilde x_i,\tilde y_i)}\,\delta_{i,j} \;=\; \begin{cases} \lambda_{i,j}\,\delta_{i,j} & \text{if } \tilde x_i = \tilde y_i,\\ S_i\,\delta_{i,j} & \text{otherwise} \end{cases} \;=\; \lambda^{\tilde x_i=\tilde y_i}_{i,j}\,\delta_{i,j}.$$
Given a vector of indices c = (c_1, ..., c_κ), c_i ∈ [η], we build up our eigenvectors for Γ_H by picking the c_i-th eigenvector for the i-th inner function (see Step 1). For c = (c_1, ..., c_κ), the M^κ × M^κ matrix A_c is defined by the blocks λ_{i,c_i}^{x̃_i = ỹ_i} and we write its spectrum {(α, µ_{α,c})}.
Step 1: We are ready to define the eigenvectors δ_{α,c} of Γ_H. We define the vectors δ_{α,c} on the block δ_{α,c} of coordinates x ∈ P^κ such that (g_1(x_1), ..., g_κ(x_κ)) = x̃: Notice that, because of the structure of the Γ_i, it suffices for our purposes to build up the eigenvectors of Γ_H from the eigenvectors of the underlying S_i, which considerably simplifies the proof.
Step 2: We claim that the δ_{α,c} are eigenvectors of Γ_H with corresponding eigenvalues µ_{α,c}. We want to calculate Γ_H δ_{α,c}. We do this block by block. Fix x̃ ∈ A^κ. Using the eigenvalue equation (5), we get Then Since λ_{i,c_i} is an eigenvalue of S_i, it is the case that τ_i 0, so 1 + |τ_i| = 1 |λ_{i,c_i}| ‖S_i‖. Finally: The induction hypothesis allows us to conclude the proof of Step 4, which completes one direction in the proof of Claim 1.
We now prove the other direction: ‖Γ_H‖ ≥ ‖Γ_F‖ · ∏_i ‖Γ_i‖. Taking c = (1, ..., 1), we have ‖Γ_H‖ ≥ ‖A_c‖. By definition, A_c[x̃, ỹ] = Γ_F[x̃, ỹ] · ∏_i ‖S_i‖, which immediately implies that ‖Γ_H‖ ≥ ‖Γ_F‖ · ∏_i ‖S_i‖. This completes the proof of Claim 1.
To complete the proof of Theorem 6, we choose the matrix S_i = 1_η and take Γ_i = (1_M − I_M) ⊗ 1_η for the adversary matrix of G_i = pSEARCH, for each i. We verify that D_q has the necessary block structure. Indeed, for each output pair a, b of pSEARCH, if a ≠ b then the block is all zero except in the line and column indexed by q, where it is 1, since the q-th line corresponds to the input where a is hidden in position q and the q-th column is the input where b is hidden in position q. Further, if a = b then the block in D_q is 1 in column q and line q except in position (q, q), where it is zero. By direct computation, ‖S_i‖ = η and ‖S_i ∘ Δ_q‖ = √(η − 1). Using Definition 2 and Equation 4 (with G_i = pSEARCH), it follows that ADV^±(pSEARCH) ≥ ADV^±(pSEARCH; Γ_i) = min On the other hand, we know from the universality (up to a factor 2) of the generalized adversary bound [15] and Ref. [6] that where Q denotes the quantum query complexity. Equations 7 and 8 imply that ADV^±(pSEARCH; Γ_i) ≥ (2/π) ADV^±(pSEARCH).
Theorem 6 now follows from Equation 1.
It is interesting to note that the lower bound for ED was obtained by the polynomial method [4]. Even though we do not know how to calculate the optimal adversary matrix for ED, we know that it exists and matches the lower bound, since the generalized adversary bound is tight up to a factor of two [15]. Hence we can safely use our knowledge that this matrix exists even though we do not know it explicitly. To the best of our knowledge, Lemma 5 is the first lower bound whose proof depends crucially on both the polynomial and the generalized adversary techniques.

Figure 1: The matrices Γ_i and D_q are decomposed into blocks Γ_i^{(x̃_i, ỹ_i)} and D_q^{(x̃_i, ỹ_i)}.