An Efficient Quantum Collision Search Algorithm and Implications on - PowerPoint PPT Presentation

Sections: Cryptographic context / Quantum collision search: a brief state of the art / Our collision algorithm

1. An Efficient Quantum Collision Search Algorithm and Implications on Symmetric Cryptography
   André Chailloux, María Naya-Plasencia, André Schrottenloher
   Inria Paris, France
   December 5, 2017
   A. Chailloux, M. Naya-Plasencia, A. Schrottenloher (Inria) Quantum Coll. Search and Implications 1/27

2. Outline
   1 Cryptographic context
   2 Quantum collision search: a brief state of the art
   3 Our collision algorithm

3. Cryptographic context (section title)

4. Cryptographic context
   - Symmetric cryptography: ideal security is defined by generic attacks.
   - Cryptanalysis searches for faults in the primitives.
   - Cryptanalysis increases confidence.

5. Post-quantum cryptography
   Suppose an adversary has access to a universal, scalable quantum computer: RSA (factorization) and ECC (discrete logarithms) could be broken in polynomial time (Shor).
   This is why the community is actively working on efficient post-quantum primitives (codes, lattices, isogenies...) that will be standardized.
   In symmetric cryptography: Grover's generic attacks...
   - What about quantum cryptanalysis?
   - What about other generic attacks?

6. Quantum collision search: a brief state of the art (section title)

7. Studied problem(s)
   If we consider generic attacks, keeping in mind a black-box random function $H : \{0,1\}^n \to \{0,1\}^n$:
   - Collision search: find $x, y$ such that $H(x) = H(y)$; classical time $O(2^{n/2})$ with $\mathrm{poly}(n)$ memory, using Pollard's rho method.
   - Multi-target preimage search: given $\{h_1, \dots, h_{2^t-1}\}$ (the targets), find $m$ such that $H(m) \in \{h_1, \dots, h_{2^t-1}\}$; classical time $O(2^{n-t})$ using $O(2^t)$ memory, by exhaustive search.
   The precise complexity for solving these problems defines ideal security bounds, e.g. for hash functions.

8. Collisions: state of the art
   Classical:
     Method         | Time      | Queries   | Memory            | Processors | Note
     Pollard's rho  | $2^{n/2}$ | $2^{n/2}$ | $\mathrm{poly}(n)$ | 1          | Opt. in time / queries
   Quantum:
     Method                                | Time      | Queries   | Qubits            | Processors | Note
     Grover (Grover, 1996)                 | $2^{n/2}$ | $2^{n/2}$ | $\mathrm{poly}(n)$ | 1          |
     BHT (Brassard, Høyer, and Tapp, 1998) | ?         | $2^{n/3}$ | ?                 | 1          | Opt. in queries
     Ambainis (Ambainis, 2007)             | $2^{n/3}$ | $2^{n/3}$ | $2^{n/3}$         | 1          | Opt. in time / queries

9. In short
   The quantum query lower bound for collisions has been reached.
   All the available quantum algorithms have a common point: if we want to outperform the classical $2^{n/2}$, we need more than $\mathrm{poly}(n)$ qubits.
   Challenge (Grover and Rudolph, 2004): find an algorithm for collision and/or element distinctness which gives a searching speedup greater than merely a square-root factor over the number of available processing qubits.

10. Our model
   - We restrict the qubits available to $\mathrm{poly}(n)$: this is a "reasonable" computer.
   - Quantum resources needed are those of Grover's algorithm.
   - We focus on the theoretical algorithm (in the circuit model) and not on implementation details.

11. Result
   Classical:
     Method                | Time      | Queries   | Memory            | Processors
     Pollard's rho method  | $2^{n/2}$ | $2^{n/2}$ | $\mathrm{poly}(n)$ | 1
   Quantum:
     Method      | Time       | Queries    | Qubits            | Classical memory
     Grover      | $2^{n/2}$  | $2^{n/2}$  | $\mathrm{poly}(n)$ | 0
     BHT         | $2^{2n/3}$ | $2^{n/3}$  | $\mathrm{poly}(n)$ | $2^{n/3}$
     Ambainis    | $2^{n/3}$  | $2^{n/3}$  | $2^{n/3}$         | 0
     Our result  | $2^{2n/5}$ | $2^{2n/5}$ | $\mathrm{poly}(n)$ | $2^{n/5}$

12. Our collision algorithm (section title)

13. Grover search
   Given oracle access to the (efficiently computable) function $f : \{0,1\}^n \to \{0,1\}$, the oracle $O_f$ acts on superpositions of quantum states:
   $O_f(|x\rangle|0\rangle) = |x\rangle|f(x)\rangle$ and $O_f\left(\sum_i \alpha_i |x_i\rangle|0\rangle\right) = \sum_i \alpha_i |x_i\rangle|f(x_i)\rangle$.
   We look for $x$ such that $f(x) = 1$.
   - One solution among $2^n$: quantum time $O(2^{n/2})$.
   - With $2^t$ solutions among $2^n$: quantum time $O(2^{(n-t)/2})$.

14. BHT algorithm (Brassard, Høyer, Tapp, 1998)
   Using Grover, we can find a collision of $H$ in $O(2^{n/3})$ quantum queries, in two steps:
   - Perform $\ell = 2^{n/3}$ arbitrary classical queries to $H$: $H(x_1), \dots, H(x_\ell)$.
   - Grover: search $x \in \{0,1\}^n$ such that $f(x) = 1$. The oracle $f$: $f(x) = 1 \iff x \notin \{x_1, \dots, x_\ell\}$ and $H(x) \in \{H(x_1), \dots, H(x_\ell)\}$.
   Queries: $\underbrace{2^{n/3}}_{\text{Initial list}} + \underbrace{2^{n/3}}_{2^{n/3}\text{ solutions among }2^n}$

15. The oracle
   $f(x) = 1 \iff x \notin \{x_1, \dots, x_\ell\}$ and $H(x) \in \{H(x_1), \dots, H(x_\ell)\}$.
   - Needs a superposition query to $H$ (which is implemented).
   - Needs to answer a query of the form $y \in \{H(x_1), \dots, H(x_\ell)\}$, in superposition.
   This is easy if $2^{n/3}$ quantum memory is available. Without any quantum data structure, how do we do it?

16. BHT cost
   Queries: $2^{n/3} + 2^{n/3}(1 + 0)$
   Time: $2^{n/3} + 2^{n/3}(1 + (?))$
   Superposition membership query: testing if $H(x) \in \{H(x_1), \dots, H(x_\ell)\}$ is done sequentially in time $O(2^{n/3})$.

17. Improving
   The cost is unbalanced:
   $\underbrace{2^{n/3}}_{\text{Initial list}} + \underbrace{2^{n/3}}_{2^{n/3}\text{ solutions among }2^n}\left(\underbrace{1}_{\text{Querying }H} + \underbrace{2^{n/3}}_{\text{Membership}}\right)$
   Because we are computing:
   - $2^{n/3}$ iterations;
   - a query to $O_H$ with each iteration;
   - $2^{n/3}$ operations with each iteration.
   Ideas:
   - Use distinguished points;
   - Take a smaller list: membership testing will be faster (but there will be more iterations);
   - Balance the cost.

18. Step 1: distinguished points
   Definition (Distinguished points): all the $x$ whose image starts with $u$ zeroes.
   We generate a list of distinguished points. We are now searching only among the distinguished points ($2^{n-u}$ of them) for the same number of solutions ($2^{n/3}$).
   Total cost:
   $\underbrace{\underbrace{2^{n/3}}_{\text{List size}} \times \underbrace{2^{u/2}}_{\text{Grover search of a DP}}}_{\text{First step: constructing the list (building all the DPs)}} + \underbrace{\underbrace{2^{n/3 - u/2}}_{\text{Fewer iterations}} \times \left(\underbrace{2^{u/2}}_{\text{Grover search of a DP}} + \underbrace{2^{n/3}}_{\text{Membership}}\right)}_{\text{Second step: searching a collision}}$
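As an added example (not code from the slides or from the authors), the classical analogue of the two-step structure of slides 14 to 18, run on a toy 24-bit truncation of SHA-256: build a list of distinguished points, then search only among DPs for an input outside the list whose image is already listed; cost_exponents computes the slide-18 cost exponents, and u = 0 recovers the unbalanced BHT cost of slide 17. The parameters n = 24 and u = 4 are constructed choices, and the dict lookup stands in for the sequential membership test whose cost the deck discusses.

```python
import hashlib
from fractions import Fraction
from itertools import count

# Constructed toy parameters: n = 24-bit outputs, u = 4 leading zero bits for a DP.
N_BITS, U_ZEROS = 24, 4

def H(x: int, n: int = N_BITS) -> int:
    """Black-box random function H: {0,1}^n -> {0,1}^n, here truncated SHA-256."""
    digest = hashlib.sha256(x.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - n)

def is_dp(y: int, n: int = N_BITS, u: int = U_ZEROS) -> bool:
    """Distinguished point: the image starts with u zero bits."""
    return (y >> (n - u)) == 0

def build_dp_list(size: int, n: int = N_BITS, u: int = U_ZEROS) -> dict:
    """Step 1 of the deck: a list of `size` distinguished points, image -> preimage.
    Classically each DP costs about 2^u evaluations of H (Grover: 2^(u/2))."""
    table = {}
    for x in count():
        y = H(x, n)
        if is_dp(y, n, u):
            table[y] = x
            if len(table) == size:
                return table

def find_collision(table: dict, n: int = N_BITS, u: int = U_ZEROS):
    """Step 2: search only among DPs (2^(n-u) candidates) for an x outside the
    list whose image is already in it. The dict lookup stands in for the
    membership test that costs O(list size) without quantum memory."""
    listed = set(table.values())
    for x in count(max(listed) + 1):       # skip the inputs used to build the list
        y = H(x, n)
        if is_dp(y, n, u) and y in table:
            return table[y], x              # H(table[y]) == H(x), table[y] != x

def cost_exponents(n: int, u: int):
    """log2 of the two step costs of slide 18, as exact fractions:
    step 1 = 2^(n/3) * 2^(u/2); step 2 = 2^(n/3 - u/2) * (2^(u/2) + 2^(n/3)).
    u = 0 gives the unbalanced BHT cost 2^(n/3) + 2^(2n/3) of slide 17."""
    n, u = Fraction(n), Fraction(u)
    step1 = n / 3 + u / 2
    step2 = n / 3 - u / 2 + max(u / 2, n / 3)
    return step1, step2

if __name__ == "__main__":
    dps = build_dp_list(2 ** (N_BITS // 3))
    x1, x2 = find_collision(dps)
    print(f"collision: H({x1}) == H({x2}) == {H(x1):#08x}")
    print("cost exponents (n=24, u=4):", cost_exponents(24, 4))
```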
