Quantum computers and factoring Learning with errors Cryptography from LWE From linear algebra to post-quantum cryptography Dr. Ir. Fr´ e Vercauteren frederik.vercauteren@gmail.com Open Security Research (China) ESAT/COSIC - KU Leuven (Belgium) Dr. Ir. Fr´ e Vercauteren From linear algebra to post-quantum cryptography
Quantum computers and factoring Learning with errors Cryptography from LWE Quantum computers and factoring Learning with errors Cryptography from LWE Dr. Ir. Fr´ e Vercauteren From linear algebra to post-quantum cryptography
Quantum computers and factoring Learning with errors Cryptography from LWE Post-quantum public key cryptography ◮ Currently only two types PK are popular ◮ Factoring based: given n = p · q , find p and q ◮ Discrete logarithm based: given g and h = g a mod p , find a Dr. Ir. Fr´ e Vercauteren From linear algebra to post-quantum cryptography
Quantum computers and factoring Learning with errors Cryptography from LWE Post-quantum public key cryptography ◮ Currently only two types PK are popular ◮ Factoring based: RSA ◮ Discrete logarithm based: DSA, ECDSA Dr. Ir. Fr´ e Vercauteren From linear algebra to post-quantum cryptography
Quantum computers and factoring Learning with errors Cryptography from LWE Post-quantum public key cryptography ◮ Currently only two types PK are popular ◮ Factoring based: RSA ◮ Discrete logarithm based: DSA, ECDSA ◮ Shor (1994) : quantum algorithm for factoring and dlog in time ˜ O (( log N ) 2 ) Dr. Ir. Fr´ e Vercauteren From linear algebra to post-quantum cryptography
Quantum computers and factoring Learning with errors Cryptography from LWE Post-quantum public key cryptography ◮ Currently only two types PK are popular ◮ Factoring based: RSA ◮ Discrete logarithm based: DSA, ECDSA ◮ Shor (1994) : quantum algorithm for factoring and dlog in time ˜ O (( log N ) 2 ) ◮ Need for new constructions for the post-quantum era ◮ Lattice based ◮ Multivariate polynomial based ◮ Code based ◮ Hash based ◮ Supersingular isogenies Dr. Ir. Fr´ e Vercauteren From linear algebra to post-quantum cryptography
Quantum computers and factoring Learning with errors Cryptography from LWE Quantum computers ◮ Classical computer: bits, either 0 or 1 ◮ Quantum computer: quantum bit (qubit) ◮ Qubit: superposition of two basic states | 0 � and | 1 � | α 0 | 2 + | α 1 | 2 = 1 | φ � = α 0 | 0 � + α 1 | 1 � , α 0 , α 1 ∈ C , Dr. Ir. Fr´ e Vercauteren From linear algebra to post-quantum cryptography
Quantum computers and factoring Learning with errors Cryptography from LWE Quantum computers ◮ Classical computer: bits, either 0 or 1 ◮ Quantum computer: quantum bit (qubit) ◮ Qubit: superposition of two basic states | 0 � and | 1 � | α 0 | 2 + | α 1 | 2 = 1 | φ � = α 0 | 0 � + α 1 | 1 � , α 0 , α 1 ∈ C , ◮ α i is called amplitude of | i � in | φ � ◮ Impossible to “see” the superposition itself ◮ Measurement: quantum state collapses into basic state | i � with probability | α i | 2 Dr. Ir. Fr´ e Vercauteren From linear algebra to post-quantum cryptography
Quantum computers and factoring Learning with errors Cryptography from LWE Quantum computers ◮ Quantum register: n qubits can be in superposition of N = 2 n basic states | 00 . . . 0 � , | 00 . . . 1 � , . . . , | 11 . . . 1 � i = 0 | α i | 2 = 1 ◮ Quantum state: | φ � = � N − 1 i = 0 α i | i � with � N − 1 Dr. Ir. Fr´ e Vercauteren From linear algebra to post-quantum cryptography
Quantum computers and factoring Learning with errors Cryptography from LWE Quantum computation ◮ Quantum mechanics only allows linear operations applied to quantum state ◮ A state | φ � = � N − 1 i = 0 α i | i � with “coordinates” ( α 0 , . . . , α N − 1 ) get mapped to α 0 β 0 α 1 β 1 U = . . . . . . α N − 1 β N − 1 Dr. Ir. Fr´ e Vercauteren From linear algebra to post-quantum cryptography
Quantum computers and factoring Learning with errors Cryptography from LWE Quantum computation ◮ Quantum mechanics only allows linear operations applied to quantum state ◮ A state | φ � = � N − 1 i = 0 α i | i � with “coordinates” ( α 0 , . . . , α N − 1 ) get mapped to α 0 β 0 α 1 β 1 U = . . . . . . α N − 1 β N − 1 ◮ Since RHS has norm 1 as well, U has to be unitary ◮ Note general U has exponential size . . . Dr. Ir. Fr´ e Vercauteren From linear algebra to post-quantum cryptography
Quantum computers and factoring Learning with errors Cryptography from LWE Quantum computation ◮ Quantum gate: unitary matrix on small number of qubits ◮ Main example: 1-qubit Hadamard transform H given by � 1 1 � � α 0 √ √ � 2 2 ( α 0 , α 1 ) �→ 1 − 1 α 1 √ √ 2 2 1 1 ◮ Maps basic state | 0 � into superposition 2 | 0 � + 2 | 1 � √ √ Dr. Ir. Fr´ e Vercauteren From linear algebra to post-quantum cryptography
Quantum computers and factoring Learning with errors Cryptography from LWE Quantum computation ◮ Quantum gate: unitary matrix on small number of qubits ◮ Main example: 1-qubit Hadamard transform H given by � 1 1 � � α 0 √ √ � 2 2 ( α 0 , α 1 ) �→ 1 − 1 α 1 √ √ 2 2 1 1 ◮ Maps basic state | 0 � into superposition 2 | 0 � + 2 | 1 � √ √ ◮ Hadamard on each qubit of n -bit register gives ( N = 2 n ) 1 1 1 √ | 0 � + √ | 1 � + . . . + √ | N − 1 � N N N ◮ Matrix U is n -fold tensor product of 2 × 2 above Dr. Ir. Fr´ e Vercauteren From linear algebra to post-quantum cryptography
Quantum computers and factoring Learning with errors Cryptography from LWE Quantum parallelism ◮ Given function f : { 0 , 1 } n → { 0 , 1 } m , make quantum circuit U that maps | x �| 0 � into | x �| f ( x ) � ◮ Apply U to a superposition gives 1 1 � = � √ √ U | x �| 0 � | x �| f ( x ) � 2 n 2 n x ∈{ 0 , 1 } n x ∈{ 0 , 1 } n Dr. Ir. Fr´ e Vercauteren From linear algebra to post-quantum cryptography
Quantum computers and factoring Learning with errors Cryptography from LWE Quantum parallelism ◮ Given function f : { 0 , 1 } n → { 0 , 1 } m , make quantum circuit U that maps | x �| 0 � into | x �| f ( x ) � ◮ Apply U to a superposition gives 1 1 � = � √ √ U | x �| 0 � | x �| f ( x ) � 2 n 2 n x ∈{ 0 , 1 } n x ∈{ 0 , 1 } n ◮ This by itself is totally useless since observing the above state gives a random | x �| f ( x ) � Dr. Ir. Fr´ e Vercauteren From linear algebra to post-quantum cryptography
Quantum computers and factoring Learning with errors Cryptography from LWE (Quantum) Fourier Transform ◮ Set N = 2 n , and set ω N = exp ( 2 π i / N ) a primitive N -th root of unity ◮ QFT: maps standard basis | x � into state N − 1 1 � ω xy √ N | y � N y = 0 ◮ 2 n -QFT can be computed by composition of n ( n − 1 ) / 2 quantum gates Dr. Ir. Fr´ e Vercauteren From linear algebra to post-quantum cryptography
Quantum computers and factoring Learning with errors Cryptography from LWE Factoring via period finding ◮ Given an N one wants to factor, fix m coprime to N ◮ Define f : N → Z / N Z : k �→ m k mod N , ◮ f ( x ) = f ( x + r ) with period r order of m modulo N Dr. Ir. Fr´ e Vercauteren From linear algebra to post-quantum cryptography
Quantum computers and factoring Learning with errors Cryptography from LWE Factoring via period finding ◮ Given an N one wants to factor, fix m coprime to N ◮ Define f : N → Z / N Z : k �→ m k mod N , ◮ f ( x ) = f ( x + r ) with period r order of m modulo N ◮ Assume r is even then m r − 1 ≡ ( m r / 2 + 1 )( m r / 2 − 1 ) = kN ◮ Compute gcd ( m r / 2 − 1 , N ) as factor of N ◮ Probability > 1 / 4 the above is non-trivial Dr. Ir. Fr´ e Vercauteren From linear algebra to post-quantum cryptography
Quantum computers and factoring Learning with errors Cryptography from LWE Shor’s algorithm = period finding ◮ 1 : two quantum registers: ◮ n -qubit register with N 2 < 2 n ≤ 2 N 2 ◮ ⌈ log 2 N ⌉ qubit register Dr. Ir. Fr´ e Vercauteren From linear algebra to post-quantum cryptography
Quantum computers and factoring Learning with errors Cryptography from LWE Shor’s algorithm = period finding ◮ 1 : two quantum registers: ◮ n -qubit register with N 2 < 2 n ≤ 2 N 2 ◮ ⌈ log 2 N ⌉ qubit register ◮ 2 : use Hadamard n times to create superposition 1 � √ | x �| 0 � 2 n x ∈{ 0 , 1 } n Dr. Ir. Fr´ e Vercauteren From linear algebra to post-quantum cryptography
Quantum computers and factoring Learning with errors Cryptography from LWE Shor’s algorithm = period finding ◮ 1 : two quantum registers: ◮ n -qubit register with N 2 < 2 n ≤ 2 N 2 ◮ ⌈ log 2 N ⌉ qubit register ◮ 2 : use Hadamard n times to create superposition 1 � √ | x �| 0 � 2 n x ∈{ 0 , 1 } n ◮ 3 : Apply function f ( x ) = m x mod N to the above state 1 | x �| m x mod N � � √ 2 n x ∈{ 0 , 1 } n Dr. Ir. Fr´ e Vercauteren From linear algebra to post-quantum cryptography
Recommend
More recommend
