Composability in quantum cryptography

If we combine two secure cryptographic systems, is the resulting system still secure? Answering this question is highly nontrivial and has recently sparked a considerable research effort, in particular, in the area of classical cryptography. A central insight was that the answer to the question is yes, but only within a well-specified composability framework and for carefully chosen security definitions.

In this article, we review several aspects of composability in the context of quantum cryptography. The first part is devoted to key distribution. We discuss the security criteria that a quantum key distribution (QKD) protocol must fulfill to allow its safe use within a larger security application (e.g. for secure message transmission); and we demonstrate—by an explicit example—what can go wrong if conventional (non-composable) security definitions are used. Finally, to illustrate the practical use of composability, we show how to generate a continuous key stream by sequentially composing rounds of a QKD protocol.

In the second part, we take a more general point of view, which is necessary for the study of cryptographic situations involving, for example, mutually distrustful parties. We explain the universal composability (UC) framework and state the composition theorem that guarantees that secure protocols can securely be composed to larger applications. We focus on the secure composition of quantum protocols into unconditionally secure classical protocols. However, the resulting security definition is so strict that some tasks become impossible without additional security assumptions. Quantum bit commitment is impossible in the UC framework even with mere computational security. Similar problems arise in the quantum bounded storage model and we observe a trade-off between the UC and the use of the weakest possible security assumptions.