Abstract

Only a handful candidates for computational assumptions that imply secure key-agreement protocols (KA) are known, and even fewer are believed to be quantum safe. In this work, we present a new hardness assumption – the worst-case hardness of a promise problem related to an interactive version of Kolmogorov Complexity.

Roughly speaking, the promise problem requires telling apart tuples of strings (\pi,x,y) with relatively (w.r.t. K(\pi)) low time-bounded Interactive Kolmogorov Complexity (IK^t), and those with relatively high Kolmogorov complexity, given the promise that K^t(x|y)< s, K^t(y|x)< s and s = log n, and where IK^t(\pi;x;y) is defined as the length of the shortest pair of t-bounded TMs (A,B) such that the interaction of (A,B) lead to the transcript \pi and the respective outputs x,y.

We demonstrate that when t is some polynomial, then not only does this hardness assumption imply the existence of KA, but it is also necessary for the existence of secure KA. As such, it yields the first natural hardness assumption characterizing the existence of key-agreement protocols.

We additionally show that if the threshold s is made just slightly bigger (e.g., s = 55log n), then the (worst-case) hardness of this problem instead characterizes the existence of one-way functions (OWFs). As such, our work also clarifies exactly what it would take to base KA on the existence of OWFs, and demonstrates that this question boils down to demonstrating a worst-case reduction between two closely related promise problems.