cost analysis of hash collisions will quantum computers
play

Cost analysis of hash collisions: will quantum computers make - PDF document

Oct 05, 2023 •128 likes •452 views

Cost analysis of hash collisions: will quantum computers make SHARCS obsolete? D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 Quantum vs. SHARCS Exactly how expensive is it to break RSA-1024, ECC-160, etc.? Many papers

  1. Cost analysis of hash collisions: will quantum computers make SHARCS obsolete? D. J. Bernstein University of Illinois at Chicago NSF ITR–0716498

  2. Quantum vs. SHARCS Exactly how expensive is it to break RSA-1024, ECC-160, etc.? Many papers on the topic. Widespread interest today.

  3. Quantum vs. SHARCS Exactly how expensive is it to break RSA-1024, ECC-160, etc.? Many papers on the topic. Widespread interest today. But quantum computing says: “All your circuit designs will soon be obsolete! Our quantum computers will break RSA and ECC in polynomial time.”

  4. Exactly how expensive is it to invert a hash function, find a cipher key, etc.? b “operations” for b -bit key; 2 how expensive is an “operation”? Many papers on the topic. Widespread interest today.

  5. Exactly how expensive is it to invert a hash function, find a cipher key, etc.? b “operations” for b -bit key; 2 how expensive is an “operation”? Many papers on the topic. Widespread interest today. But quantum computing says: “All your circuit designs will soon be obsolete! Our quantum computers b -bit key will find a b= 2 .” in time only 2

  6. Exactly how expensive is it to find collisions in a hash function? b= 2 “operations” for b -bit hash; 2 how expensive is an “operation”? Many papers on the topic. Widespread interest today.

  7. Exactly how expensive is it to find collisions in a hash function? b= 2 “operations” for b -bit hash; 2 how expensive is an “operation”? Many papers on the topic. Widespread interest today. But quantum computing says: “All your circuit designs will soon be obsolete! Our quantum computers b -bit collision will find a b= 3 .” in time only 2

  8. Main point of my paper: All known quantum algorithms are fundamentally slower than traditional collision circuits, despite optimistic assumptions re quantum-computer speed.

  9. Main point of my paper: All known quantum algorithms are fundamentally slower than traditional collision circuits, despite optimistic assumptions re quantum-computer speed. Extra point of this talk: Optimization experience for ASICs/FPGAs/other meshes will be even more valuable in a quantum-computing world. “Quantum SHARCS”?

  10. Two quantum algorithms 1994 Shor: Fast quantum period-finding. Gives polynomial-time quantum solution to DLP. 1996 Grover, 1997 Grover: Fast quantum search. Practically all quantum algorithms are Shor/Grover applications. See 2003 Shor, “Why haven’t more quantum algorithms been found?”; 2004 Shor.

  11. Grover explicitly constructs F ) a quantum circuit Gr( F , to find a root of assuming root is unique. p N steps.” “Only b if N = 2 F maps b -bit input to 1-bit output. � 1 = 2. Success probability Can use fewer steps but probability degrades quadratically.

  12. F : any computable function. F by a Can specify classical combinatorial circuit: a directed acyclic graph of NAND computations b input bits from to 1 output bit.

  13. F : any computable function. F by a Can specify classical combinatorial circuit: a directed acyclic graph of NAND computations b input bits from to 1 output bit. Without serious overhead (and maybe reducing power!) can replace NAND gates by reversible “Toffoli gates” r ; s; t 7! r ; s; t � r s . x; t 7! x; F ( x ) � t . Obtain

  14. The basic quantum conversion: replace each Toffoli gate by a quantum Toffoli gate. Resulting quantum circuit x; t 7! x; F ( x ) � t computes x is a quantum where b -bit inputs. superposition of

  15. The basic quantum conversion: replace each Toffoli gate by a quantum Toffoli gate. Resulting quantum circuit x; t 7! x; F ( x ) � t computes x is a quantum where b -bit inputs. superposition of Grover builds a superposition x ; of all possible strings applies this circuit; applies an easy quantum flip x ; to build a new result b= 2 ) times. repeats Θ(2

  16. F has more roots? What if 1996 Boyer–Brassard–Høyer– p Tapp, generalizing Grover: O ( N =t )” “time in t roots. if there are

  17. F has more roots? What if 1996 Boyer–Brassard–Høyer– p Tapp, generalizing Grover: O ( N =t )” “time in t roots. if there are Don’t need generalization. Can simply apply Grover x 7! F ( R ( x )) where to x has � b � lg t bits, R is random affine map.

  18. F has more roots? What if 1996 Boyer–Brassard–Høyer– p Tapp, generalizing Grover: O ( N =t )” “time in t roots. if there are Don’t need generalization. Can simply apply Grover x 7! F ( R ( x )) where to x has � b � lg t bits, R is random affine map. t ? Simply guess. Unknown : : : but BBHT is more streamlined.

  19. Grover space and time F Don’t have to unroll into a combinatorial circuit. A Take any circuit of area (using reversible gates!) x; t at the top, that reads x; F ( x ) � t at the top, ends with x is a b -bit string. where Convert gates to quantum gates. Obtain quantum circuit x; t at the top, that reads x; F ( x ) � t at the top, ends with x is a quantum where b -bit strings. superposition of

  20. Don’t unroll Grover iterations. Need some extra space for quantum flip etc., but total Grover circuit size A . will be essentially

  21. Don’t unroll Grover iterations. Need some extra space for quantum flip etc., but total Grover circuit size A . will be essentially “Aren’t quantum gates much larger than classical gates?” — Yes. Constants matter! But this talk makes best-case assumption that the overhead A . doesn’t grow with

  22. p O ( N )” “Time in F time. fails to account for Assume that original circuit F in time T . computes Each Grover iteration T . p takes time essentially T N . Total time essentially

  23. p O ( N )” “Time in F time. fails to account for Assume that original circuit F in time T . computes Each Grover iteration T . p takes time essentially T N . Total time essentially “Aren’t quantum gates much slower than classical gates?” — Yes, but again assume A; T )-dependent penalty. no (

  24. “Can quantum gates operate with just as much parallelism as original gates?” — Best-case assumption: Yes. x 7! A [ x ] Example: RAM lookup is actually computing A [0]( x = 0) + A [1]( x = 1) + � � � ; n terms if A has size n . The basic quantum conversion n ) quantum gates produces Ω( : : : which, presumably, can all operate in parallel. p Realistic mesh/speed of light ) wire delay ) time Ω( n ).

  25. Guessing a collision Consider a hash function b +1 b H : F ! F 2 . 2 b +1 b +1 F : F � F ! F 2 Define F ( 2 x; y ) = 2 as follows: x y and H ( x ) = H ( y ); 0 if 6 = x = y or H ( x ) H ( y ). 1 if 6 = H is, A collision in F . by definition, a root of Easiest way to find collision: F . search randomly for root of

  26. A Assume circuit of area H in time T . computes � A Then circuit of area F in time � T . computes A ?” — Roughly.) (“You mean 2 b +1 for � 1 = 2 Collision chance 0 ). x; x a uniform random pair ( b +1 pairs Trying 2 b � 2 T takes time � A . on circuit of area b= 2 � 2 T Grover takes time � A . on quantum circuit of area

  27. Table lookups Generate many random inputs b= 3 . x 1 ; x 2 ; : : : ; x M = 2 M ; e.g. M pairs Compute and sort H ( x 1 ) ; x 1 ), ( H ( x 2 ) ; x 2 ), : : : , ( H ( x ; x M ) M ) in lex order. ( y . Generate a random input H ( y ) in sorted list. Check for y ’s Keep trying more until collision is found.

  28. b � M = 2 Collision chance y . for each Naive free-communication model: � 1. Table lookup takes time b � ( M + 2 = M )( T + 1) Total time � A + M . on circuit of area � 2 2 b= 3 T e.g. time b= 3 . � A + 2 on circuit of area p Realistic model: � M . Table lookup takes time p Total time b � ( M + 2 = M )( T + M ) � A + M . on circuit of area

  29. F ( y ) as 0 iff Define there is a collision among x 1 ; y ) ; ( x 2 ; y ) ; : : : ; ( x ; y ). M ( F . We’re guessing root of 1998 Brassard–Høyer–Tapp: Instead use quantum search; b= 3 if b= 3 . M = 2 “time” 2 b= 2 ! Wow, faster than 2 Many people say this is scary. ECRYPT Hash Function Website: “For collision resistance at least 384 bits are needed.”

  30. Let’s look at the actual costs of 1998 Brassard–Høyer–Tapp. p Naive free-communication model: b � ( M + = M )( T +1) Total time 2 on quantum circuit � A + M . of area (Realistic model: Slower. See paper for details.) b= 3 : M = 2 e.g. b= 3 � 2 T , time b= 3 . � A + 2 area

  31. 2003 Grover–Rudolph, “How significant are the known collision and element distinctness quantum algorithms?”: With such a huge machine, b= 3 can simply run 2 parallel quantum searches 0 ). x; x for collisions ( High probability of success b= 3 . within “time” 2

  32. But these algorithms are giant steps backwards! Standard collision circuits, 1994 van Oorschot–Wiener: b= 4 � 2 T , time b= 4 � 2 A . area This is much faster than 1998 Brassard–Høyer–Tapp, on a much smaller circuit. My paper presents newer, faster quantum collision algorithms, but I conjecture optimality for the standard circuits.

Recommend

Quantum computing for simulating high energy collisions Sarah Alam Malik Imperial College London

Quantum computing for simulating high energy collisions Sarah Alam Malik Imperial College London

Quantum computing for simulating high energy collisions Sarah Alam Malik Imperial College London Outline Intro to quantum computers Review of quantum computers in HEP Quantum algorithm for helicity amplitudes Quantum algorithm for

796 views • 46 slides
Summary: * Why quantum for computers? * Logic gates and algorithms * Manipulating quantum

Summary: * Why quantum for computers? * Logic gates and algorithms * Manipulating quantum

Elements of quantum information processing and quantum computers (with trapped ion examples) D. J. Wineland, Dept. of Physics, U Oregon, Eugene, OR; & Research Associate, NIST, Boulder, CO Summary: * Why quantum for computers? *

742 views • 42 slides
Hash Pile Ups: Using Collisions to Identify Unknown Hash Functions R. Joshua Tobin and David

Hash Pile Ups: Using Collisions to Identify Unknown Hash Functions R. Joshua Tobin and David

Hash Pile Ups: Using Collisions to Identify Unknown Hash Functions R. Joshua Tobin and David Malone 11 October 2012 Hash Functions We are talking about hash functions for consistent assignment. For example, Hash tables, Network

448 views • 18 slides
Introduction to Quantum Collision Theory Pierre Capel 16 July 2015 1 / 30 Quantum Collisions

Introduction to Quantum Collision Theory Pierre Capel 16 July 2015 1 / 30 Quantum Collisions

Introduction to Quantum Collision Theory Pierre Capel 16 July 2015 1 / 30 Quantum Collisions Quantum Collisions Quantum collisions used to study the interaction between particles/nuclei/atoms. . . analyse the structure of

651 views • 30 slides
COMPUTERS TAKING A QUANTUM LEAP Quantum computers will harness the power of atoms and molecules

COMPUTERS TAKING A QUANTUM LEAP Quantum computers will harness the power of atoms and molecules

COMPUTING COMPUTERS TAKING A QUANTUM LEAP Quantum computers will harness the power of atoms and molecules to perform calculations billions of times faster than todays silicon-based computers. They will also enable new revolutionary

299 views • 6 slides
KILL MD5 DEMYSTIFYING HASH COLLISIONS Ange AlBertini With the help of Marc Stevens TL;DR This

KILL MD5 DEMYSTIFYING HASH COLLISIONS Ange AlBertini With the help of Marc Stevens TL;DR This

Pass the salt 2019 Pass the salt 2019 KILL MD5 DEMYSTIFYING HASH COLLISIONS Ange AlBertini With the help of Marc Stevens TL;DR This talk is about: Understanding the impact of current hash collisions attacks. Side efgect: show that MD5 is

1.06k views • 77 slides
Time-Memory Tradeoffs for Short Hash Collisions Akshima University of Chicago Joint work with

Time-Memory Tradeoffs for Short Hash Collisions Akshima University of Chicago Joint work with

Time-Memory Tradeoffs for Short Hash Collisions Akshima University of Chicago Joint work with David Cash, Andrew Drucker, Hoeteck Wee 1 This Talk Inspects time-space tradeo ff s for finding short collisions in Merkle-Damgrd hash

890 views • 55 slides
MACAW IEEE 802.11 Standard 29 Reducing Cost of Collisions q Collisions are expensive

MACAW IEEE 802.11 Standard 29 Reducing Cost of Collisions q Collisions are expensive

12/9/15 MACAW IEEE 802.11 Standard 29 Reducing Cost of Collisions q Collisions are expensive How to reduce their cost? q Reserve the wireless channel before transmitting data Send short control packets for

237 views • 7 slides
Qu Quantum co computers, ho how do do the hey work and nd wha hat can n the hey do do?

Qu Quantum co computers, ho how do do the hey work and nd wha hat can n the hey do do?

Qu Quantum co computers, ho how do do the hey work and nd wha hat can n the hey do do? Outline Quantum technology Quantum computing What is the advantage? The qubits Operating the quantum computer Quantum computing initiatives

475 views • 31 slides
Quantum Mechanics; a Blessing and a Curse By Elias Marcopoulos Quantum Computers Quantum

Quantum Mechanics; a Blessing and a Curse By Elias Marcopoulos Quantum Computers Quantum

Quantum Mechanics; a Blessing and a Curse By Elias Marcopoulos Quantum Computers Quantum Computers are just like regular computers, they crunch numbers Quantum Computers Quantum Computers are just like regular computers, they crunch

926 views • 74 slides
Cryptography for the quantum internet Elements of a quantum TLS Christian Majenz

Cryptography for the quantum internet Elements of a quantum TLS Christian Majenz

Cryptography for the quantum internet Elements of a quantum TLS Christian Majenz Colloquium Informatics Institute, University of Amsterdam Quantum computers Quantum computers Accelerating effort to build a quantum computer Quantum

1.74k views • 115 slides
CS261 Data Structures Hash Tables Buckets/Chaining Hash Tables:

CS261 Data Structures Hash Tables Buckets/Chaining Hash Tables:

CS261 Data Structures Hash Tables Buckets/Chaining Hash Tables: Resolving Collisions There are two general approaches to resolving collisions: 1. Open address

293 views • 12 slides
14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple

14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple

14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple Uniform Hashing, Popular Hash Functions, Table-Doubling, Open Addressing: Probing, Uniform Hashing, Universal Hashing, Perfect Hashing [Ottman/Widmayer,

1.25k views • 98 slides
14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple

14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple

14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple Uniform Hashing, Popular Hash Functions, Table-Doubling, Open Addressing: Probing, Uniform Hashing, Universal Hashing, Perfect Hashing [Ottman/Widmayer,

1.5k views • 58 slides
CS 225 Data Structures Mar March h 15 15 Hash T Table C e Collisions Wade Fa Wa

CS 225 Data Structures Mar March h 15 15 Hash T Table C e Collisions Wade Fa Wa

CS 225 Data Structures Mar March h 15 15 Hash T Table C e Collisions Wade Fa Wa Fagen-Ul Ulmsch schnei eider er, , Cra Craig Zi Zilles (Example of open hashing) Collision Handling: Sep eparate e Chaining S = { 16, 8, 4, 13,

854 views • 10 slides
An Introduction to Quantum Computers and Quantum Cryptography Computer Network Security

An Introduction to Quantum Computers and Quantum Cryptography Computer Network Security

An Introduction to Quantum Computers and Quantum Cryptography Computer Network Security Prepared by: Nima Bayan, P.Eng. Fall 2003 Contents ! Introduction " Cryptography and Relativity " Quantum Algorithms " Quantum Computers !

227 views • 11 slides
Cost-benefit analysis of quantum cryptography D. J. Bernstein University of Illinois at Chicago

Cost-benefit analysis of quantum cryptography D. J. Bernstein University of Illinois at Chicago

Cost-benefit analysis of quantum cryptography D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 2004 PatersonPiperSchack: Why quantum cryptography? 2007 All eaume et al.: SECOQC white paper on quantum key

561 views • 37 slides
Quantum cryptanalysis: How to break some classical cryptosystems with quantum computers? Miklos

Quantum cryptanalysis: How to break some classical cryptosystems with quantum computers? Miklos

Quantum cryptanalysis: How to break some classical cryptosystems with quantum computers? Miklos Santha CNRS, IRIF, Universit Paris Diderot, France and Centre for Quantum Technologies, NUS, Singapore 1/36 Plan of the talk 1 Crash course on

543 views • 36 slides
Quantum Information Theory Renato Renner ETH Zurich Do quantum computers exist?

Quantum Information Theory Renato Renner ETH Zurich Do quantum computers exist?

Quantum Information Theory Renato Renner ETH Zurich Do quantum computers exist? Geordie Rose and his D-Wave quantum computer Commercial devices Quantum cryptography device by id

1.29k views • 112 slides
Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers can break public-key cryptography that is based on assuming hardness of factoring, discrete logs, and a few other problems I Post-quantum

2.98k views • 37 slides
What do quantum computers do? Daniel J. Bernstein Quantum algorithm means an algorithm

What do quantum computers do? Daniel J. Bernstein Quantum algorithm means an algorithm

1 What do quantum computers do? Daniel J. Bernstein Quantum algorithm means an algorithm that a quantum computer can run. i.e. a sequence of instructions, where each instruction is in a quantum computers supported instruction set.

1.5k views • 132 slides
Limited-Birthday Distinguishers for Hash Functions Collisions Beyond the Birthday Bound can be

Limited-Birthday Distinguishers for Hash Functions Collisions Beyond the Birthday Bound can be

Limited-Birthday Distinguishers for Hash Functions Collisions Beyond the Birthday Bound can be Meaningful Mitsugu Iwamoto 1 , Thomas Peyrin 2 and Yu Sasaki 3 1: The University of Electro-Communications, Japan 2:Nanyang Technological University,

877 views • 20 slides
Post-Quantum Cryptography Dr. Ruben Niederhagen, February 8, 2016 Introduction Quantum Computers

Post-Quantum Cryptography Dr. Ruben Niederhagen, February 8, 2016 Introduction Quantum Computers

Post-Quantum Cryptography Dr. Ruben Niederhagen, February 8, 2016 Introduction Quantum Computers Using quantum states for computation: Introduced in 1985 by David Deutsch [3]. Operate on qubits using gates that perform reversible

1.69k views • 157 slides
What do quantum computers do? Daniel J. Bernstein University of Illinois at Chicago Quantum

What do quantum computers do? Daniel J. Bernstein University of Illinois at Chicago Quantum

1 What do quantum computers do? Daniel J. Bernstein University of Illinois at Chicago Quantum algorithm means an algorithm that a quantum computer can run. i.e. a sequence of instructions, where each instruction is in a quantum

892 views • 76 slides

More recommend