Quantum cryptanalysis: How to break some classical cryptosystems with quantum computers? Miklos Santha, CNRS, IRIF, Université Paris Diderot, France, and Centre for Quantum Technologies, NUS, Singapore
Plan of the talk: 1. Crash course on quantum computing; 2. Simon's problem; 3. Factorisation; 4. The Hidden Subgroup Problem (HSP); 5. Quantum safe cryptography
The qubit
Classical bit: $b \in \{0,1\}$.
Probabilistic bit: a probability distribution $d \in \mathbb{R}^{\{0,1\}}$ such that $\|d\|_1 = 1$, i.e. $d = (p, 1-p)$ with $p \in [0,1]$.
Quantum bit: a superposition $|\psi\rangle \in \mathbb{C}^{\{0,1\}}$ such that $\||\psi\rangle\|_2 = 1$, i.e. $|\psi\rangle = \alpha|0\rangle + \beta|1\rangle$ with $|\alpha|^2 + |\beta|^2 = 1$.
As column vectors: $|0\rangle = \begin{pmatrix} 1 \\ 0 \end{pmatrix}$, $|1\rangle = \begin{pmatrix} 0 \\ 1 \end{pmatrix}$, $|\psi\rangle = \begin{pmatrix} \alpha \\ \beta \end{pmatrix}$.
Qubit evolution
Unitary transformation: $|\psi\rangle \mapsto G|\psi\rangle$, with $G \in \mathbb{C}^{2 \times 2}$ such that $G^\dagger G = \mathrm{Id}$. Circuit: $|\psi\rangle \to G \to |\psi'\rangle = G|\psi\rangle$.
Unitary $\Rightarrow$ reversible: $|\psi\rangle \to G \to G^\dagger \to |\psi\rangle$.
Measure: reads and modifies the state. Measuring $\alpha|0\rangle + \beta|1\rangle$ yields $|0\rangle$ with probability $|\alpha|^2$ and $|1\rangle$ with probability $|\beta|^2$. $\Rightarrow$ Superposition $\to$ probability distribution.
Examples
Superposition: $|\psi\rangle = \frac{1}{\sqrt 2}|0\rangle + \frac{1}{\sqrt 2}|1\rangle$; measuring it yields $|0\rangle$ with probability $1/2$ and $|1\rangle$ with probability $1/2$.
Unitary transformations ($|\psi\rangle \to G \to |\psi'\rangle = G|\psi\rangle$):
• NOT, $|0\rangle \leftrightarrow |1\rangle$: $G = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}$.
• Hadamard: $H = \frac{1}{\sqrt 2}\begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}$.
Quantum coin flip
Probabilistic flip PF: from input bit $0$ or $1$, output $0$ with probability $1/2$ and $1$ with probability $1/2$. Remark: $PF \circ PF = PF$.
Quantum flip: $|b\rangle \to H \to \frac{1}{\sqrt 2}\big(|0\rangle + (-1)^b |1\rangle\big)$; measuring yields $|0\rangle$ with probability $1/2$ and $|1\rangle$ with probability $1/2$.
Conclusion: $PF = \text{Measure} \circ H$. Question: $H \circ H = {}?$
Quantum interference
Apply $H$ twice to $|0\rangle$; each arrow of the path tree carries amplitude $+\frac{1}{\sqrt 2}$ or $-\frac{1}{\sqrt 2}$. The first $H$ gives $|0\rangle$ and $|1\rangle$ with amplitude $\frac{1}{\sqrt 2}$ each. The second $H$ sends $|0\rangle$ to $|0\rangle, |1\rangle$ with amplitudes $\frac{1}{2}, \frac{1}{2}$ and $|1\rangle$ to $|0\rangle, |1\rangle$ with amplitudes $\frac{1}{2}, -\frac{1}{2}$. The two paths to $|0\rangle$ add up to $1$; the two paths to $|1\rangle$ cancel.
$H \circ H |b\rangle = |b\rangle \Rightarrow H \circ H = \mathrm{Id}$.
Conclusion: measures change the computation.
The n-qubit
Definition: an $n$-qubit is the tensor product of $n$ qubits: $|\psi\rangle \in \mathbb{C}^{\{0,1\}^n}$ such that $\||\psi\rangle\|_2 = 1$, i.e. $|\psi\rangle = \sum_{x \in \{0,1\}^n} \alpha_x |x\rangle$ with $\sum_x |\alpha_x|^2 = 1$.
Unitary transformation: $|\psi\rangle \mapsto G|\psi\rangle$, with $G \in U(2^n)$; circuit $|\psi\rangle \to G \to |\psi'\rangle = G|\psi\rangle$.
Measure: $\sum_x \alpha_x |x\rangle \to |x\rangle$ with probability $|\alpha_x|^2$.
Partial measure: measuring the second bit of $\alpha|00\rangle + \beta|01\rangle + \gamma|10\rangle + \delta|11\rangle$ gives "second bit $= 0$" with probability $|\alpha|^2 + |\gamma|^2$, leaving the state $\frac{\alpha|00\rangle + \gamma|10\rangle}{\sqrt{|\alpha|^2 + |\gamma|^2}}$.
Circuits
Quantum circuit: a circuit on 4 qubits built from $H$, XOR and $R_{\pi/4}$ gates computes some $G \in U(16)$.
Theorem [DiV95, BMPRV99]: every transformation on $n$ qubits decomposes into transformations on 1 qubit and 2 qubits. $\Rightarrow$ These form a universal family.
Simon's problem
Computing a function by oracle
Let $f : \{0,1\}^n \to \{0,1\}^m$ be a function.
Classical computing: $C_f : \{0,1\}^n \to \{0,1\}^m$, $x \mapsto f(x)$.
Reversible computing: $R_f : \{0,1\}^{n+m} \to \{0,1\}^{n+m}$, $(x, y) \mapsto (x, y \oplus f(x))$.
Quantum computing: $U_f : \mathbb{C}^{\{0,1\}^{n+m}} \to \mathbb{C}^{\{0,1\}^{n+m}}$, $|x\rangle|y\rangle \mapsto |x\rangle|y \oplus f(x)\rangle$; in particular $|x\rangle|0\rangle \mapsto |x\rangle|f(x)\rangle$.
Simon's problem (Simon)
Input (given by an oracle): a function $f : \{0,1\}^n \to \{0,1\}^n$.
Promise: $\exists s \neq 0^n$ such that $f(x) = f(y) \iff (x = y \text{ or } x = y \oplus s)$.
Output: $s$.
Remark: $f$ is a periodic function and we are looking for its period.
Complexity: number of evaluations of $f$ and the computation time. Deterministic: $2^{n-1} + 1$ evaluations. Probabilistic: $\Omega(2^{n/2})$ evaluations.
Theorem [Simon'94]: the problem Simon can be solved by a quantum algorithm with $O(n)$ evaluations and in time $O(n^3)$.
Hadamard (Fourier) Transform on n-qubit
Recall: $H = \frac{1}{\sqrt 2}\begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}$.
Definition: $H_n |x\rangle = \frac{1}{2^{n/2}} \sum_y (-1)^{x \cdot y} |y\rangle$, where $x \cdot y = \sum_i x_i y_i \bmod 2$.
Example: $\langle 101011 | H_6 | 110111 \rangle = -1/8$.
Quantum circuit for $H_n$: one $H$ gate on each of the $n$ qubits, i.e. $H_n = H \otimes \cdots \otimes H$.
Simon's algorithm
Circuit: first register $|0^n\rangle \to H_n \to U_f \to H_n \to$ Measure; second register $|0^n\rangle \to U_f \to$ Measure.
Analysis:
• Initialisation: $|0^n\rangle|0^n\rangle$.
• $H_n$ on the 1st register: $\frac{1}{2^{n/2}} \sum_{x \in \{0,1\}^n} |x\rangle |0^n\rangle$.
• Evaluation of $f$: $\frac{1}{2^{n/2}} \sum_x |x\rangle |f(x)\rangle$.
• Measure of the 2nd register: $\frac{1}{\sqrt 2}\big(|a\rangle + |a \oplus s\rangle\big)|f(a)\rangle$.
• $H_n$ on the 1st register: $\frac{1}{\sqrt 2 \cdot 2^{n/2}} \sum_y \big((-1)^{a \cdot y} + (-1)^{(a \oplus s) \cdot y}\big)|y\rangle = \frac{1}{\sqrt 2 \cdot 2^{n/2}} \sum_y (-1)^{a \cdot y}\big(1 + (-1)^{s \cdot y}\big)|y\rangle$.
• Measure of the 1st register: a uniform $y$ such that $s \cdot y = 0$.
Conclusion: in $O(n)$ iterations we obtain a system of linear equations of rank $n-1$ $\Rightarrow$ the 2 solutions are $\{0^n, s\}$.
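As an added example (not code from the talk), the run above simulated classically in Python for small n: the measured y is drawn from the amplitude formula derived on this slide, and Gaussian elimination over GF(2) recovers s once the sampled equations reach rank n-1. The oracle, its hidden period and the seeds are constructed here; bit strings are held as integers.

```python
import random

def make_simon_oracle(n, s, rng):
    """Constructed oracle on n-bit inputs: f(x) = f(y) iff y in {x, x ^ s}."""
    labels, table = list(range(2 ** n)), {}
    rng.shuffle(labels)
    for x in range(2 ** n):
        if x not in table:
            table[x] = table[x ^ s] = labels.pop()  # one label per pair {x, x ^ s}
    return lambda x: table[x]

def simon_sample(n, f, rng):
    """One run of the circuit: measuring the 2nd register leaves (|a> + |a^s>)/sqrt2,
    and H_n puts amplitude ~ (-1)^(a.y) * (1 + (-1)^(s.y)) on |y>."""
    a = rng.randrange(2 ** n)                            # outcome f(a) on the 2nd register
    coset = [x for x in range(2 ** n) if f(x) == f(a)]   # {a, a ^ s}
    dot = lambda x, y: bin(x & y).count("1") & 1         # x.y = sum_i x_i y_i mod 2
    amps = [sum((-1) ** dot(x, y) for x in coset) for y in range(2 ** n)]
    return rng.choices(range(2 ** n), weights=[amp * amp for amp in amps])[0]  # Born rule

def solve_gf2(n, rows):
    """RREF over GF(2) on n-bit int rows: the unique nonzero s with row.s = 0 for
    every row once the rank reaches n-1, else None."""
    pivots = {}                                          # pivot bit -> reduced row
    for row in rows:
        for bit, prow in pivots.items():
            if row >> bit & 1:
                row ^= prow
        if row:                                          # else: dependent equation, nothing new
            bit = row.bit_length() - 1
            for b in pivots:
                if pivots[b] >> bit & 1:
                    pivots[b] ^= row
            pivots[bit] = row
    if len(pivots) != n - 1:
        return None
    free = next(b for b in range(n) if b not in pivots)
    s = 1 << free                                        # free variable := 1, then
    for bit, prow in pivots.items():                     # each pivot variable follows
        s |= ((prow >> free) & 1) << bit
    return s

def recover_period(n, s_hidden, seed=0):
    """Repeat the quantum sampling until the system determines s; returns (s, runs)."""
    rng = random.Random(seed)
    f, rows = make_simon_oracle(n, s_hidden, rng), []
    while True:
        rows.append(simon_sample(n, f, rng))
        s = solve_gf2(n, rows)
        if s is not None:
            return s, len(rows)
```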
Factorisation
Classical reductions
Factorisation. Input: a composite number $N$. Output: a non-trivial divisor of $N$.
Square Root. Input: $N$. Output: $y$ such that $y^2 = 1 \bmod N$ and $y \neq \pm 1 \bmod N$.
Fact 1: Factorisation $\le$ Square Root. Proof: $N \mid (y+1)(y-1)$ $\Rightarrow$ $\gcd(N, y \pm 1)$ is a non-trivial divisor of $N$.
Order. Input: $N$, $a \in \mathbb{Z}_N^*$. Output: the period $r$ of the function $x \mapsto a^x \bmod N$.
Fact 2: Square Root $\le_R$ Order. Proof: let $x \in \mathbb{Z}_N^*$ be random, with $x^r = 1 \bmod N$. Then $\Pr[r \text{ is even and } x^{r/2} \neq \pm 1 \bmod N] \ge 1/2$.
Example: $N = 24$, $x = 5$, $r = 2$. Then $\gcd(5 \pm 1, 24)$ divides $24$.
Computing the order (with help)
The function $x \mapsto a^x \bmod N$ is periodic over $\mathbb{Z}$. To compute the period, we will approximate the infinite group $\mathbb{Z}$ by a "big" cyclic group $\mathbb{Z}_q$ (taking $q \approx N^2$). I will suppose that $r = \mathrm{order}(a) \bmod N$ divides $q$. Without this (unrealistic) hypothesis a classical correction (via continued fractions) is necessary.
Order (with help). Input: $N$, $a \in \mathbb{Z}_N^*$, $q$ such that $r = \mathrm{order}(a) \bmod N$ divides $q$. Output: $r$.
Consequence: the function $f : \mathbb{Z}_q \to \mathbb{Z}_N$, $x \mapsto a^x \bmod N$, is periodic.
Quantum Fourier Transform mod q
Let $\omega_q$ be a $q$-th primitive root of unity.
Definition: the Quantum Fourier Transform mod $q$ is the function $QFT_q : \mathbb{C}^q \to \mathbb{C}^q$, $|x\rangle \mapsto \frac{1}{\sqrt q} \sum_{y \in \mathbb{Z}_q} \omega_q^{xy} |y\rangle$.
Example: $\langle 1 | QFT_4 | 3 \rangle = -i/2$.
Theorem: $QFT_q$ can be computed approximately by a quantum algorithm in time $O((\log q)^2)$.
Shor's algorithm for Order (with help)
Circuit: first register $|0\rangle_q \to QFT_q \to U_{a^x} \to QFT_q \to$ Measure; second register $|0\rangle_N \to U_{a^x} \to$ Measure.
Analysis:
• Initialisation: $|0\rangle_q |0\rangle_N$.
• $QFT_q$ on the 1st register: $\frac{1}{\sqrt q} \sum_{x=0}^{q-1} |x\rangle_q |0\rangle_N$.
• Evaluation of $a^x$: $\frac{1}{\sqrt q} \sum_{x=0}^{q-1} |x\rangle_q |a^x\rangle_N$.
• Measure of the 2nd register: $\sqrt{\frac{r}{q}} \sum_{j=0}^{q/r - 1} |jr + k\rangle_q |a^k\rangle_N$.
• $QFT_q$ on the 1st register: $\sqrt{\frac{r}{q}} \cdot \frac{1}{\sqrt q} \sum_{c=0}^{q-1} \sum_{j=0}^{q/r - 1} \omega_q^{(jr+k)c} |c\rangle_q = \frac{\sqrt r}{q} \sum_{c=0}^{q-1} \omega_q^{kc} \sum_{j=0}^{q/r - 1} \big(\omega_q^{rc}\big)^j |c\rangle_q = \sum_{c=0}^{q-1} \alpha_c |c\rangle_q$.
Shor's algorithm for Order (with help)
Evaluation of the amplitudes $\alpha_c = \frac{\sqrt r}{q} \omega_q^{kc} \sum_{j=0}^{q/r - 1} \big(\omega_q^{rc}\big)^j$: $\alpha_c = 0$ if $\frac{q}{r}$ doesn't divide $c$, and $\alpha_c = \frac{1}{\sqrt r} \omega_q^{kc}$ if $\frac{q}{r} \mid c$.
Evaluation of the probabilities: one measures $t\frac{q}{r}$, for $t = 0, \dots, r-1$, with probability $\big|\frac{1}{\sqrt r} \omega_q^{kc}\big|^2 = \frac{1}{r}$.
Computing $r$: if $\gcd(t, r) = 1$, then $\gcd\big(t\frac{q}{r}, q\big) = \gcd\big(t\frac{q}{r}, r\frac{q}{r}\big) = \gcd(t, r)\frac{q}{r} = \frac{q}{r}$.
Chance of measuring $t\frac{q}{r}$ with $\gcd(t, r) = 1$: $\Pr[\gcd(t, r) = 1] = \frac{\varphi(r)}{r} = \Omega\big(\frac{1}{\log\log r}\big) = \Omega\big(\frac{1}{\log\log N}\big)$.
Conclusion: one repeats this quantum process $O(\log\log N)$ times to succeed with constant probability close to 1.
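Added example (not code from the talk): the classical side of the Order / Square Root / Factorisation chain in Python. The quantum order-finding step is replaced by a brute-force order computation, and the 1st-register measurement is simulated from the amplitude analysis above (c = t·q/r with t uniform), which is valid only under the "with help" hypothesis r | q; the values N = 21 and q = 36 are constructed so that the hypothesis holds for every a in Z_21^*.

```python
from math import gcd
from random import Random

def order_mod(a, N):
    """Classical brute-force stand-in for the quantum Order step: period r of x -> a^x mod N."""
    r, v = 1, a % N
    while v != 1:
        v, r = v * a % N, r + 1
    return r

def simulate_order_measurement(r, q, rng):
    """1st-register outcome after the second QFT_q: alpha_c is nonzero only when q/r | c,
    and each c = t*q/r (t = 0..r-1) has probability 1/r. Needs the 'with help' hypothesis r | q."""
    assert q % r == 0
    return rng.randrange(r) * (q // r)

def order_from_measurement(c, q):
    """gcd(t*q/r, q) = gcd(t, r) * q/r, so q / gcd(c, q) equals r exactly when gcd(t, r) = 1."""
    return q // gcd(c, q)

def factor_from_order(N, a, r):
    """Fact 2 then Fact 1: with r even and y = a^(r/2) != +-1 mod N, N | (y-1)(y+1),
    so gcd(N, y-1) is a non-trivial divisor. Returns None when a is an unlucky choice."""
    if r % 2:
        return None
    y = pow(a, r // 2, N)
    if y in (1, N - 1):
        return None
    return gcd(y - 1, N)

def shor_with_help(N, q, seed=0):
    """Repeat with random a until a non-trivial divisor of N is found (constructed demo)."""
    rng = Random(seed)
    while True:
        a = rng.randrange(2, N)
        if gcd(a, N) != 1:
            return gcd(a, N)                       # a itself already shares a factor with N
        r = order_mod(a, N)
        c = simulate_order_measurement(r, q, rng)
        r_guess = order_from_measurement(c, q)
        if pow(a, r_guess, N) != 1:                # gcd(t, r) > 1: only a proper divisor of r
            continue
        d = factor_from_order(N, a, r_guess)
        if d is not None:
            return d
```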
Hidden Subgroup Problem (HSP)
Hidden Subgroup Problem (HSP)
$HSP(G; \mathcal{H})$, where $G$ is a finite group and $\mathcal{H}$ a family of subgroups of $G$.
Input (possibly by oracle): a function $f : G \to S$.
Promise: $f$ hides a subgroup $H \in \mathcal{H}$: $f(x) = E(xH)$, where $E$ is injective on the left cosets of $H$. (Picture: $G$ is partitioned into the cosets $a_1 H, \dots, a_t H$, each mapped by $f$ to a distinct element of $S$.)
Output: generators for $H$.
Complexity: number of oracle requests and time.
Quantum solutions for HSP
The success of HSP. Theorem [Shor'94]: HSP is solvable in abelian groups in quantum polynomial time in $\log(|G|)$.
Corollary: Factorisation (HSP in $\mathbb{Z}_q$) and the discrete logarithm (HSP in $\mathbb{Z}_{p-1} \times \mathbb{Z}_{p-1}$) are computable in quantum polynomial time.
Extension to $\mathbb{R}$ and $\mathbb{R}^m$. Extension to certain non-abelian groups. Extension to hidden algebraic sets of higher degree.
Characters of an abelian group
Let $G$ be an abelian group.
Definition: a character $\chi : G \to \mathbb{C}^*$ is a group homomorphism. Remark: $\chi(x)$ is a $|G|$-th root of unity. $\hat G = \{\text{characters of } G\}$.
Theorem: $G$ and $\hat G$ are isomorphic: $\hat G = \{\chi_y : y \in G\}$.
Examples: $G = \mathbb{Z}_q$: $\chi_y(x) = \omega_q^{x \cdot y}$. $G = G_1 \times G_2$: $\chi_y(x) = \chi_{y_1}(x_1)\,\chi_{y_2}(x_2)$.
Definition: let $H \le G$. Its orthogonal subgroup is $H^\perp = \{y \in G : \forall h \in H,\ \chi_y(h) = 1\}$.
Theorem: let $H \le G$. There exists a deterministic algorithm that computes $H$ from $H^\perp$ in time $O(\log^3 |G|)$.
Quantum Fourier Transform in an abelian group
Let $G$ be an abelian group. We consider $\mathbb{C}^G$, the Hilbert space generated by $G$.
Bases:
• Dirac: $\{|x\rangle : x \in G\}$.
• Characters: $\{|\chi_y\rangle : y \in G\}$, where $|\chi_y\rangle = \sum_x \chi_y(x)|x\rangle$.
Definition: $QFT_G : |y\rangle \mapsto \frac{1}{\sqrt{|G|}} |\chi_y\rangle$.
Principal property: let $H \le G$, $x \in G$. Then $QFT_G |x + H\rangle = |H^\perp(x)\rangle$, where $|x + H\rangle = \frac{1}{\sqrt{|H|}} \sum_{h \in H} |x + h\rangle$ and $|H^\perp(x)\rangle = \frac{1}{\sqrt{|H^\perp|}} \sum_{y \in H^\perp} \chi_y(x) |y\rangle$.
Theorem: the approximate $QFT_G$ can be computed in quantum polynomial time.
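Added example (not code from the talk) checking the principal property numerically for G = Z_q, where chi_y(x) = omega_q^{xy}: it computes H^perp from its definition, builds |x+H> and |H^perp(x)> as amplitude vectors, and verifies QFT_G|x+H> = |H^perp(x)> entrywise; the same matrix also reproduces the earlier entry <1|QFT_4|3> = -i/2. The values q = 12 and H = {0, 4, 8} used in the checks are constructed.

```python
import cmath

def qft_zq(q):
    """QFT_q as a q x q matrix indexed [y][x]: entry omega_q^{xy} / sqrt(q)."""
    w = cmath.exp(2j * cmath.pi / q)               # primitive q-th root of unity
    return [[w ** (x * y) / q ** 0.5 for x in range(q)] for y in range(q)]

def orthogonal_subgroup(q, H):
    """H^perp = {y : chi_y(h) = 1 for all h in H}; in Z_q, omega^{hy} = 1 iff h*y = 0 mod q."""
    return [y for y in range(q) if all(h * y % q == 0 for h in H)]

def coset_state(q, x, H):
    """|x + H> = |H|^(-1/2) * sum_{h in H} |x + h>, as a length-q amplitude vector."""
    v = [0j] * q
    for h in H:
        v[(x + h) % q] += 1 / len(H) ** 0.5
    return v

def hperp_state(q, x, H):
    """|H^perp(x)> = |H^perp|^(-1/2) * sum_{y in H^perp} chi_y(x) |y>."""
    Hp, w = orthogonal_subgroup(q, H), cmath.exp(2j * cmath.pi / q)
    v = [0j] * q
    for y in Hp:
        v[y] = w ** (x * y) / len(Hp) ** 0.5
    return v

def apply(M, v):
    """Matrix-vector product on plain Python lists."""
    return [sum(M[y][x] * v[x] for x in range(len(v))) for y in range(len(v))]

def coset_property_holds(q, x, H, tol=1e-9):
    """True iff QFT_G |x + H> and |H^perp(x)> agree entrywise (up to floating-point error)."""
    lhs, rhs = apply(qft_zq(q), coset_state(q, x, H)), hperp_state(q, x, H)
    return max(abs(a - b) for a, b in zip(lhs, rhs)) < tol
```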