
Quantum Contract Signing

Quantum Contract Signing. Paulo Mateus (SQIG/IT – DM/IST/TULisbon), reporting joint work with J. Bouda, N. Paukovic, S. Vaudenay and V.R. Vieira. WECIQ 2010, October 2010.





Presentation Transcript


  1. Quantum Contract Signing. Paulo Mateus (SQIG/IT – DM/IST/TULisbon), reporting joint work with J. Bouda, N. Paukovic, S. Vaudenay and V.R. Vieira. WECIQ 2010, October 2010.

  2. Plan • Why do we need quantum cryptography • Shor's cryptoanalysis; • Quantum privacy attacks; • Classical threats; • Which cryptographic tasks can be improved • Key distribution – BB84, E91; • Contract signing; • …

  3. Why we need quantum cryptography • All NIST security protocols rely on the hardness of two problems: factoring or the discrete logarithm • Their hardness is a recent conjecture (40 years) • Quantum computers can solve these problems in polynomial time. • Can we do the same with classical computers?

  4. RSA Cryptosystem • n = pq with p and q primes • ab = 1 mod φ(n), where φ(n) = (p-1)(q-1) • a: public key • b: private key • e_a(x) = x^a mod n • d_b(y) = y^b mod n • x^(ab) = x mod n • If the factorization of n is known, then one can efficiently obtain b from a with the extended Euclidean algorithm.

  5. Shor's Algorithm • Computes a factor of n in O(n^3) • Requires a quantum computer! • For that we need to understand what a quantum computer is

  6. Quantum cryptoanalysis • Quantum RAM computer • Memory: qubits + classical bits • Control: the usual imperative commands endowed with: • unitary transformations applied to a set of qubits; • computational observation of qubits, storing the result of the observation in classical bits. • A quantum computer is probabilistic!!!

  7. Shor's algorithm • Quantum Fourier transformation • Hilbert space H of dimension n (log(n) qubits, with basis {|0>, |1>, ..., |n-1>}); QFT: H -> H

  8. Shor's algorithm • Finding a non-trivial factor of n reduces to finding the phase θ of an eigenvector of a particular unitary operation U_n, with U_n|n> = e^(iθ)|n> • Finding this phase can be done with the inverse of the quantum Fourier transformation applied to a state reachable from n. • The quantum Fourier transform (and its inverse) can be computed by a quantum computer in polynomial time.

  9. Classical results • The best published asymptotic running time for a classical algorithm is that of the general number field sieve (GNFS), which, for a number with n bits, is O(exp(((64/9) n)^(1/3) (log n)^(2/3))).

  10. General Number Field Sieve • We choose two polynomials f(x) and g(x) of small degrees d and e, with integer coefficients, irreducible over the rationals, which, when interpreted mod n, have a common root m. • We consider the rings Z[r1] and Z[r2], where r1 and r2 are roots of the polynomials f and g, and look for values a and b such that r = b^d·f(a/b) and s = b^e·g(a/b) are smooth. • Using Gaussian elimination, we can get products of certain r and of the corresponding s to be squares at the same time. • Since m is a root of both f and g mod n, there are homomorphisms from the rings Z[r1] and Z[r2] to the ring Z/nZ which map r1 and r2 to m. • These homomorphisms map each "square root" to its integer representative. • Two different square roots mod n allow one to obtain a factor of n.

  11. Another approach • Try to simulate a quantum computer?!? • Consider harmonic functions?!? • Reduce factoring to numerical integration over the complex plane (P. Mateus & V. R. Vieira, Proceedings of the Royal Mathematical Society, 2010)

  12. Another approach • Given a semiprime integer n = pq with p < q, consider the functions h(z) = 1 - cos(πn/z) cos(πz) and g(z) = 1/h(z). Example: n = 15, p = 3, q = 5.

  13. Another approach • The residue of g at p is Res(g, p) = lim_{z->p} d[(z-p)^2 g(z)]/dz = (1/p)·(2n/(π(p^2+q^2)))^2

  14. Another approach • From the residue theorem we get that if a Jordan curve contains the pole p of g, then

  15. Another approach • From the argument principle we get that if a Jordan curve contains a zero of h, then • Moreover, if the curve does not contain any zero of h, then

  16. Another approach • So, if one is able to compute the contour integral over, say, a thin ellipse (containing just the real zero of h), we can bisect the interval [2, n^(1/2)] to find p • By observing that h(x,y) = u(x,y) + i v(x,y) and exploiting the parities of u and v, we are able to show that for an ellipse parametrized by an angle in [0, 2π]

  17. Another approach • Unfortunately, tan^(-1) has several branches, so we need to know in which branch we are. • This can be done by dividing [0, π] into m subintervals and considering a numerical approximation on each subinterval.

  18. Open questions • We need to understand the number of subintervals m and have an error bound so that we know in which branch of tan^(-1) the value lies. • Final complexity?
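A numerical check of slides 12-15, added here and not part of the presentation: it evaluates the slides' function h(z) = 1 - cos(πn/z)cos(πz) on a small circle, recovers Res(g, p) for g = 1/h by a contour integral and compares it with the closed form of slide 13, and counts zeros of h inside a circle via the argument principle, which is the test the bisection of slide 16 relies on. The circle radii, point counts and the instances n = 15 and n = 35 are choices made for this example.

```python
import cmath
import math

def h(z, n):
    """h(z) = 1 - cos(pi*n/z) * cos(pi*z) (slide 12); for n = p*q with p, q odd,
    h has a double zero at z = p, so g = 1/h has a double pole there."""
    return 1 - cmath.cos(math.pi * n / z) * cmath.cos(math.pi * z)

def h_prime(z, n):
    """h'(z), needed for the argument-principle integrand h'/h."""
    return (-(math.pi * n / z ** 2) * cmath.sin(math.pi * n / z) * cmath.cos(math.pi * z)
            + math.pi * cmath.cos(math.pi * n / z) * cmath.sin(math.pi * z))

def circle_integral(f, center, radius, points=256):
    """(1/(2*pi*i)) * contour integral of f around the circle |z - center| = radius.
    Trapezoidal rule on the circle: with dz = i*(z - center)*dtheta the factor i
    cancels, and the rule converges exponentially for integrands analytic near it."""
    total = 0j
    for k in range(points):
        z = center + radius * cmath.exp(2j * math.pi * k / points)
        total += f(z) * (z - center)
    return total / points

def residue_numeric(n, p, radius=0.05):
    """Res(g, p) obtained from the contour integral of g = 1/h (slide 14)."""
    return circle_integral(lambda z: 1 / h(z, n), p, radius).real

def residue_formula(n, p, q):
    """Closed form of slide 13: Res(g, p) = (1/p) * (2n / (pi*(p^2 + q^2)))^2."""
    return (1 / p) * (2 * n / (math.pi * (p ** 2 + q ** 2))) ** 2

def zeros_inside(n, center, radius):
    """Argument principle (slide 15): zeros of h inside the circle, with multiplicity.
    A divisor of n gives 2 (double zero); a circle around a non-divisor gives 0."""
    return round(circle_integral(lambda z: h_prime(z, n) / h(z, n), center, radius).real)

if __name__ == "__main__":
    n, p, q = 15, 3, 5                # the slides' example semiprime
    print(residue_numeric(n, p), residue_formula(n, p, q))
    print([zeros_inside(n, c, 0.1) for c in (3, 3.5, 5)])
```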

  19. Privacy attacks - ZKP: objectives and security properties. [Figure: Alice and Bob] Alice has to identify herself in order to buy tea from Bob, but...

  20. Zero-knowledge proof systems: objectives and security properties • Soundness • Completeness [Figure: Alice and Bob]

  21. Zero-knowledge proof systems: objectives and security properties • Zero-knowledge [Figure: Alice, Bob and Eve; caption "I'm Alice"]

  22. Zero-knowledge proof systems: objectives and security properties • Soundness • Completeness • Zero knowledge • Impossibility of transferring proofs [Figure: Bob and Eve; caption "Alice bought me tea"]

  23. Zero-Knowledge Proof System (Goldreich, Micali and Wigderson 84). Alice holds an isomorphism from G1 to G0 (so G0 ≅ G1); Bob is the verifier.

  24-27. Zero-Knowledge Proof System (Goldreich, Micali and Wigderson 84). Alice holds an isomorphism from G1 to G0 (G0 ≅ G1). 1. Alice generates an isomorphism from G0 to G2 and sends G2 to Bob. 2. Bob chooses r in {0,1} and sends r to Alice. 3. Alice sends Bob the isomorphism from G_r to G2. 4. Bob verifies that the isomorphism he got goes from G_r to G2.
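The four steps of the Goldreich-Micali-Wigderson protocol above in runnable form. This is an added example, not code from the presentation: graphs are edge sets over vertices 0..n-1, the secret isomorphism σ: G1 -> G0 is a fixed permutation, and the 5-cycle instance, the names prover_step1/prover_step3/verifier_step4 and the seeded random generator are all choices made here.

```python
import random

# A graph is a frozenset of undirected edges (each edge a frozenset of two vertices);
# a permutation is a tuple with perm[v] = image of vertex v.
def apply_perm(graph, perm):
    """Relabel every edge {u, v} as {perm[u], perm[v]}."""
    return frozenset(frozenset(perm[v] for v in edge) for edge in graph)

def compose(outer, inner):
    """(outer o inner)(v) = outer[inner[v]]."""
    return tuple(outer[inner[v]] for v in range(len(inner)))

def random_perm(n, rng):
    perm = list(range(n))
    rng.shuffle(perm)
    return tuple(perm)

def prover_step1(g0, n, rng):
    """Step 1: Alice draws a fresh isomorphism pi: G0 -> G2 and sends G2."""
    pi = random_perm(n, rng)
    return pi, apply_perm(g0, pi)

def prover_step3(pi, sigma, r):
    """Step 3: Alice answers r with a map from G_r to G2: pi for r = 0,
    pi o sigma for r = 1, where sigma: G1 -> G0 is her secret."""
    return pi if r == 0 else compose(pi, sigma)

def verifier_step4(g0, g1, g2, r, iso):
    """Step 4: Bob checks that the received map sends G_r onto G2."""
    return apply_perm(g0 if r == 0 else g1, iso) == g2

def run_protocol(g0, g1, sigma, n, rounds, rng):
    """Independent rounds; a prover without sigma passes each with probability 1/2."""
    for _ in range(rounds):
        pi, g2 = prover_step1(g0, n, rng)
        r = rng.randrange(2)                    # step 2: Bob's random challenge bit
        if not verifier_step4(g0, g1, g2, r, prover_step3(pi, sigma, r)):
            return False
    return True

# Constructed instance: G1 is a 5-cycle, SIGMA a fixed relabelling, G0 = SIGMA(G1).
N_VERTICES = 5
G1 = frozenset(frozenset({i, (i + 1) % N_VERTICES}) for i in range(N_VERTICES))
SIGMA = (2, 0, 4, 1, 3)
G0 = apply_perm(G1, SIGMA)

def demo(rounds=30, seed=7):
    return run_protocol(G0, G1, SIGMA, N_VERTICES, rounds, random.Random(seed))

if __name__ == "__main__":
    print("Bob accepts Alice's proof:", demo())
```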

  28-29. Quantum attack (simplified). Eve: a) Prepares EPR pairs {|00>+|11>_x}_{x in S}, with S = {0,1}^k, in a tamper-proof (sealed) device and sends half of each pair to Bob (Bob checks some with Eve, to see if they are OK). A function h maps a graph to an index in S.

  30-34. Quantum attack (simplified). Alice holds an isomorphism from G1 to G0 (G0 ≅ G1); Bob holds his halves {|0>+|1>_x}_{x in S} of the EPR pairs. 1. Alice generates an isomorphism from G0 to G2 and sends G2 to Bob. 2. r is the result of measuring qubit h(G2). 3. Alice sends Bob the isomorphism from G_r to G2. 4. Bob verifies that the isomorphism he got goes from G_r to G2, and sends all he got to Eve.

  35. Quantum attack (simplified). Eve: b) Verifies that the qubits other than h(G2) are still in the EPR state, and confirms the result of the remaining ones. (h: graphs -> S)

  36. Classical attack • The attack can be made with current classical tamper-proof devices • Attacks all privacy methods with the exception of blind signatures • The power of seals – P. Mateus & S. Vaudenay, CHES 2009

  37. Why do we need quantum cryptography • Classical asymmetric cryptography may collapse very soon (RSA, digital signatures) • E-commerce, e-banking, e-government • Remote login (social networks, e-mail access) • Quantum computers • Disproving badly stated maths conjectures • Using badly stated assumptions (tamper-proof hardware)

  38. Protocol Ekert 91 • Requirements: • Random bit generation • EPR pair generation

  39. Protocol Ekert 91 [Figure: Alice and Bob]

  40. Alice |1>A |2>A |3>A |4>A |5>A |6>A ... Bob |1>B |2>B |3>B |4>B |5>B |6>B ... Protocol Ekert 91 Share n EPR pairs at state

  41. Alice 0 |1>A 1 |2>A 0 |3>A 1 |4>A 0 |5>A 1 |6>A ... Bob 0 |1>B 0 |2>B 1 |3>B 1 |4>B 0 |5>B 1 |6>B ... Protocol Ekert 91 Randomly generate a bit

  42. Alice 0 |1>A 1 |2>A 0 |3>A 1 |4>A 0 |5>A 1 |6>A ... Bob 0 |1>B 0 |2>B 1 |3>B 1 |4>B 0 |5>B 1 |6>B ... Protocol Ekert 91 Randomly generate a bit

  43. Alice 0 |1>A 1 |2>A 0 |3>A 1 |4>A 0 |5>A 1 |6>A ... Bob 0 |1>B 0 |2>B 1 |3>B 1 |4>B 0 |5>B 1 |6>B ... Protocol Ekert 91 0 – measure with the computational observable {|0>,|1>} 1 – measure with the diagonal observable {|+>,|->}

  44. Alice 1 0 |1>A + 1 |2>A 0 0 |3>A - 1 |4>A 1 0 |5>A + 1 |6>A ... Bob 1 0 |1>B 0 0 |2>B + 1 |3>B - 1 |4>B 1 0 |5>B + 1 |6>B ... Protocol Ekert 91 0 – measure with the computational observable {|0>,|1>} 1 – measure with the diagonal observable {|+>,|->}

  45. Alice 1 0 |1>A + 1 |2>A 0 0 |3>A - 1 |4>A 1 0 |5>A + 1 |6>A ... Bob 1 0 |1>B 0 0 |2>B + 1 |3>B - 1 |4>B 1 0 |5>B + 1 |6>B ... Protocol Ekert 91 Ignore observations for which the random bit does not coincide

  46. Bob 1 0 |1>B 0 0 |2>B + 1 |3>B - 1 |4>B 1 0 |5>B + 1 |6>B ... Alice 1 0 |1>A + 1 |2>A 0 0 |3>A - 1 |4>A 1 0 |5>A + 1 |6>A ... Protocol Ekert 91 Confirm that Eve did not interfere and check the quality of the EPR pairs

  47. Bob 1 0 |1>B 0 0 |2>B + 1 |3>B - 1 |4>B 1 0 |5>B + 1 |6>B ... Alice 1 0 |1>A + 1 |2>A 0 0 |3>A - 1 |4>A 1 0 |5>A + 1 |6>A ... Protocol Ekert 91 The shared key is constructed from the remaining observations

  48. Bob 1 0 |1>B 0 0 |2>B + 1 |3>B - 1 |4>B 1 0 |5>B + 1 |6>B ... Alice 1 0 |1>A + 1 |2>A 0 0 |3>A - 1 |4>A 1 0 |5>A + 1 |6>A ... Protocol Ekert 91 Theorem (Mayers 01,Shor e Preskill 01): The Ekert 91 protocol has perfect security.

  49. Perfect security: proof (sketch) • All that Eve can do to the pairs is described by a POVM; • A POVM P induces a random variable V_P; • Let X be the random variable describing the key generated and n the size of the key; • There exists c such that for all POVMs P, n - H(X|V_P) ∈ O(2^(-cn)); • Analytical properties of POVMs lead to the above result.

  50. Problems • Man-in-the-middle attack; • Requires an authenticated channel for Alice and Bob to communicate classically; • Using classical authentication still ensures the future security of the transmitted data
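A simulation of the Ekert 91 steps above (random bases, sifting, public comparison of a sample, key from the rest), added here and not part of the presentation. Assumptions made for the example: outcomes are encoded as bits (|0>,|+> -> 0 and |1>,|-> -> 1), half of the sifted positions are sacrificed for the interference check, and the disturbance that the check of slide 46 must catch is modelled as an intercept-resend measurement on Bob's qubits in a random basis, which is why a tampered run shows an error rate near 1/4.

```python
import random

OUTCOME_BIT = {"0": 0, "1": 1, "+": 0, "-": 1}   # bit encoding of the four outcomes (assumption)

def sift(alice_bases, bob_bases):
    """Indices of pairs where both parties chose the same observable (slide 45)."""
    return [i for i, (a, b) in enumerate(zip(alice_bases, bob_bases)) if a == b]

def measure_pairs(n, rng, intercept=False):
    """Outcomes of measuring n pairs in the EPR state |00>+|11>: equal bases give
    equal results, different bases give independent coin flips. intercept=True
    models a disturbance on Bob's qubits (measured in a random basis and resent)."""
    a_bases = [rng.randrange(2) for _ in range(n)]
    b_bases = [rng.randrange(2) for _ in range(n)]
    a_bits, b_bits = [], []
    for a, b in zip(a_bases, b_bases):
        x = rng.randrange(2)                       # Alice's outcome
        src_basis, src_bit = a, x                  # what Bob's qubit is now correlated with
        if intercept:
            e = rng.randrange(2)                   # basis of the disturbing measurement
            src_basis, src_bit = e, (x if e == a else rng.randrange(2))
        y = src_bit if b == src_basis else rng.randrange(2)
        a_bits.append(x)
        b_bits.append(y)
    return a_bases, b_bases, a_bits, b_bits

def check_and_extract(a_bases, b_bases, a_bits, b_bits, rng):
    """Slides 46-47: compare half of the sifted outcomes in public to estimate the
    disturbance rate and build the key from the rest. Returns (rate, alice_key, bob_key)."""
    kept = sift(a_bases, b_bases)
    rng.shuffle(kept)
    half = len(kept) // 2
    test, key_idx = kept[:half], kept[half:]
    errors = sum(a_bits[i] != b_bits[i] for i in test)
    rate = errors / len(test) if test else 0.0
    return rate, [a_bits[i] for i in key_idx], [b_bits[i] for i in key_idx]

def run(n, seed, intercept=False):
    rng = random.Random(seed)
    return check_and_extract(*measure_pairs(n, rng, intercept), rng)

def page_example():
    """The six-pair table of the slides: sift it and encode the surviving outcomes."""
    a_bases, b_bases = [0, 1, 0, 1, 0, 1], [0, 0, 1, 1, 0, 1]
    a_out, b_out = ["1", "+", "0", "-", "1", "+"], ["1", "0", "+", "-", "1", "+"]
    kept = sift(a_bases, b_bases)
    return [OUTCOME_BIT[a_out[i]] for i in kept], [OUTCOME_BIT[b_out[i]] for i in kept]

if __name__ == "__main__":
    print(page_example(), run(4000, 1)[0], run(4000, 1, intercept=True)[0])
```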
