We show that claims of “perfect security” for keys produced by quantum key exchange (QKE) are limited to “privacy” and “integrity.” Unlike a one-time pad, QKE does not necessarily enable Sender and Receiver to pretend later to have established a different key. This result is puzzling in light of Mayers’ “No-Go” theorem showing the impossibility of quantum bit commitment. But even though a simple and intuitive application of Mayers’ protocol transformation appears sufficient to provide deniability (else QBC would be possible), we show several reasons why such conclusions are ill-founded. Mayers’ transformation arguments, while sound for QBC, are insufficient to establish deniability in QKE. Having shed light on several unadvertised pitfalls, we then provide a candidate deniable QKE protocol. This itself indicates further shortfalls in current proof techniques, including reductions that preserve privacy but fail to preserve deniability. In sum, purchasing undeniability with an off-the-shelf QKE protocol is significantly more expensive and dangerous than the mere optic fiber for which “perfect security” is advertised.
CITATION STYLE
Beaver, D. (2002). On deniability in quantum key exchange. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 2332, pp. 352–367). Springer Verlag. https://doi.org/10.1007/3-540-46035-7_23