cost analysis of hash collisions will quantum computers
play

Cost analysis of hash collisions: will quantum computers make - PDF document

Oct 05, 2023 •128 likes •452 views

Cost analysis of hash collisions: will quantum computers make SHARCS obsolete? D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 Quantum vs. SHARCS Exactly how expensive is it to break RSA-1024, ECC-160, etc.? Many papers

  1. Cost analysis of hash collisions: will quantum computers make SHARCS obsolete? D. J. Bernstein University of Illinois at Chicago NSF ITR–0716498

  2. Quantum vs. SHARCS Exactly how expensive is it to break RSA-1024, ECC-160, etc.? Many papers on the topic. Widespread interest today.

  3. Quantum vs. SHARCS Exactly how expensive is it to break RSA-1024, ECC-160, etc.? Many papers on the topic. Widespread interest today. But quantum computing says: “All your circuit designs will soon be obsolete! Our quantum computers will break RSA and ECC in polynomial time.”

  4. Exactly how expensive is it to invert a hash function, find a cipher key, etc.? b “operations” for b -bit key; 2 how expensive is an “operation”? Many papers on the topic. Widespread interest today.

  5. Exactly how expensive is it to invert a hash function, find a cipher key, etc.? b “operations” for b -bit key; 2 how expensive is an “operation”? Many papers on the topic. Widespread interest today. But quantum computing says: “All your circuit designs will soon be obsolete! Our quantum computers b -bit key will find a b= 2 .” in time only 2

  6. Exactly how expensive is it to find collisions in a hash function? b= 2 “operations” for b -bit hash; 2 how expensive is an “operation”? Many papers on the topic. Widespread interest today.

  7. Exactly how expensive is it to find collisions in a hash function? b= 2 “operations” for b -bit hash; 2 how expensive is an “operation”? Many papers on the topic. Widespread interest today. But quantum computing says: “All your circuit designs will soon be obsolete! Our quantum computers b -bit collision will find a b= 3 .” in time only 2

  8. Main point of my paper: All known quantum algorithms are fundamentally slower than traditional collision circuits, despite optimistic assumptions re quantum-computer speed.

  9. Main point of my paper: All known quantum algorithms are fundamentally slower than traditional collision circuits, despite optimistic assumptions re quantum-computer speed. Extra point of this talk: Optimization experience for ASICs/FPGAs/other meshes will be even more valuable in a quantum-computing world. “Quantum SHARCS”?

  10. Two quantum algorithms 1994 Shor: Fast quantum period-finding. Gives polynomial-time quantum solution to DLP. 1996 Grover, 1997 Grover: Fast quantum search. Practically all quantum algorithms are Shor/Grover applications. See 2003 Shor, “Why haven’t more quantum algorithms been found?”; 2004 Shor.

  11. Grover explicitly constructs F ) a quantum circuit Gr( F , to find a root of assuming root is unique. p N steps.” “Only b if N = 2 F maps b -bit input to 1-bit output. � 1 = 2. Success probability Can use fewer steps but probability degrades quadratically.

  12. F : any computable function. F by a Can specify classical combinatorial circuit: a directed acyclic graph of NAND computations b input bits from to 1 output bit.

  13. F : any computable function. F by a Can specify classical combinatorial circuit: a directed acyclic graph of NAND computations b input bits from to 1 output bit. Without serious overhead (and maybe reducing power!) can replace NAND gates by reversible “Toffoli gates” r ; s; t 7! r ; s; t � r s . x; t 7! x; F ( x ) � t . Obtain

  14. The basic quantum conversion: replace each Toffoli gate by a quantum Toffoli gate. Resulting quantum circuit x; t 7! x; F ( x ) � t computes x is a quantum where b -bit inputs. superposition of

  15. The basic quantum conversion: replace each Toffoli gate by a quantum Toffoli gate. Resulting quantum circuit x; t 7! x; F ( x ) � t computes x is a quantum where b -bit inputs. superposition of Grover builds a superposition x ; of all possible strings applies this circuit; applies an easy quantum flip x ; to build a new result b= 2 ) times. repeats Θ(2

  16. F has more roots? What if 1996 Boyer–Brassard–Høyer– p Tapp, generalizing Grover: O ( N =t )” “time in t roots. if there are

  17. F has more roots? What if 1996 Boyer–Brassard–Høyer– p Tapp, generalizing Grover: O ( N =t )” “time in t roots. if there are Don’t need generalization. Can simply apply Grover x 7! F ( R ( x )) where to x has � b � lg t bits, R is random affine map.

  18. F has more roots? What if 1996 Boyer–Brassard–Høyer– p Tapp, generalizing Grover: O ( N =t )” “time in t roots. if there are Don’t need generalization. Can simply apply Grover x 7! F ( R ( x )) where to x has � b � lg t bits, R is random affine map. t ? Simply guess. Unknown : : : but BBHT is more streamlined.

  19. Grover space and time F Don’t have to unroll into a combinatorial circuit. A Take any circuit of area (using reversible gates!) x; t at the top, that reads x; F ( x ) � t at the top, ends with x is a b -bit string. where Convert gates to quantum gates. Obtain quantum circuit x; t at the top, that reads x; F ( x ) � t at the top, ends with x is a quantum where b -bit strings. superposition of

  20. Don’t unroll Grover iterations. Need some extra space for quantum flip etc., but total Grover circuit size A . will be essentially

  21. Don’t unroll Grover iterations. Need some extra space for quantum flip etc., but total Grover circuit size A . will be essentially “Aren’t quantum gates much larger than classical gates?” — Yes. Constants matter! But this talk makes best-case assumption that the overhead A . doesn’t grow with

  22. p O ( N )” “Time in F time. fails to account for Assume that original circuit F in time T . computes Each Grover iteration T . p takes time essentially T N . Total time essentially

  23. p O ( N )” “Time in F time. fails to account for Assume that original circuit F in time T . computes Each Grover iteration T . p takes time essentially T N . Total time essentially “Aren’t quantum gates much slower than classical gates?” — Yes, but again assume A; T )-dependent penalty. no (

  24. “Can quantum gates operate with just as much parallelism as original gates?” — Best-case assumption: Yes. x 7! A [ x ] Example: RAM lookup is actually computing A [0]( x = 0) + A [1]( x = 1) + � � � ; n terms if A has size n . The basic quantum conversion n ) quantum gates produces Ω( : : : which, presumably, can all operate in parallel. p Realistic mesh/speed of light ) wire delay ) time Ω( n ).

  25. Guessing a collision Consider a hash function b +1 b H : F ! F 2 . 2 b +1 b +1 F : F � F ! F 2 Define F ( 2 x; y ) = 2 as follows: x y and H ( x ) = H ( y ); 0 if 6 = x = y or H ( x ) H ( y ). 1 if 6 = H is, A collision in F . by definition, a root of Easiest way to find collision: F . search randomly for root of

  26. A Assume circuit of area H in time T . computes � A Then circuit of area F in time � T . computes A ?” — Roughly.) (“You mean 2 b +1 for � 1 = 2 Collision chance 0 ). x; x a uniform random pair ( b +1 pairs Trying 2 b � 2 T takes time � A . on circuit of area b= 2 � 2 T Grover takes time � A . on quantum circuit of area

  27. Table lookups Generate many random inputs b= 3 . x 1 ; x 2 ; : : : ; x M = 2 M ; e.g. M pairs Compute and sort H ( x 1 ) ; x 1 ), ( H ( x 2 ) ; x 2 ), : : : , ( H ( x ; x M ) M ) in lex order. ( y . Generate a random input H ( y ) in sorted list. Check for y ’s Keep trying more until collision is found.

  28. b � M = 2 Collision chance y . for each Naive free-communication model: � 1. Table lookup takes time b � ( M + 2 = M )( T + 1) Total time � A + M . on circuit of area � 2 2 b= 3 T e.g. time b= 3 . � A + 2 on circuit of area p Realistic model: � M . Table lookup takes time p Total time b � ( M + 2 = M )( T + M ) � A + M . on circuit of area

  29. F ( y ) as 0 iff Define there is a collision among x 1 ; y ) ; ( x 2 ; y ) ; : : : ; ( x ; y ). M ( F . We’re guessing root of 1998 Brassard–Høyer–Tapp: Instead use quantum search; b= 3 if b= 3 . M = 2 “time” 2 b= 2 ! Wow, faster than 2 Many people say this is scary. ECRYPT Hash Function Website: “For collision resistance at least 384 bits are needed.”

  30. Let’s look at the actual costs of 1998 Brassard–Høyer–Tapp. p Naive free-communication model: b � ( M + = M )( T +1) Total time 2 on quantum circuit � A + M . of area (Realistic model: Slower. See paper for details.) b= 3 : M = 2 e.g. b= 3 � 2 T , time b= 3 . � A + 2 area

  31. 2003 Grover–Rudolph, “How significant are the known collision and element distinctness quantum algorithms?”: With such a huge machine, b= 3 can simply run 2 parallel quantum searches 0 ). x; x for collisions ( High probability of success b= 3 . within “time” 2

  32. But these algorithms are giant steps backwards! Standard collision circuits, 1994 van Oorschot–Wiener: b= 4 � 2 T , time b= 4 � 2 A . area This is much faster than 1998 Brassard–Høyer–Tapp, on a much smaller circuit. My paper presents newer, faster quantum collision algorithms, but I conjecture optimality for the standard circuits.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Quantum computing for simulating high energy collisions Sarah Alam Malik Imperial College London

Quantum computing for simulating high energy collisions Sarah Alam Malik Imperial College London

Quantum computing for simulating high energy collisions Sarah Alam Malik Imperial College London Outline Intro to quantum computers Review of quantum computers in HEP Quantum algorithm for helicity amplitudes Quantum algorithm for

796 views • 46 slides
Summary: * Why quantum for computers? * Logic gates and algorithms * Manipulating quantum

Summary: * Why quantum for computers? * Logic gates and algorithms * Manipulating quantum

Elements of quantum information processing and quantum computers (with trapped ion examples) D. J. Wineland, Dept. of Physics, U Oregon, Eugene, OR; & Research Associate, NIST, Boulder, CO Summary: * Why quantum for computers? *

742 views • 42 slides
Hash Pile Ups: Using Collisions to Identify Unknown Hash Functions R. Joshua Tobin and David

Hash Pile Ups: Using Collisions to Identify Unknown Hash Functions R. Joshua Tobin and David

Hash Pile Ups: Using Collisions to Identify Unknown Hash Functions R. Joshua Tobin and David Malone 11 October 2012 Hash Functions We are talking about hash functions for consistent assignment. For example, Hash tables, Network

448 views • 18 slides
Introduction to Quantum Collision Theory Pierre Capel 16 July 2015 1 / 30 Quantum Collisions

Introduction to Quantum Collision Theory Pierre Capel 16 July 2015 1 / 30 Quantum Collisions

Introduction to Quantum Collision Theory Pierre Capel 16 July 2015 1 / 30 Quantum Collisions Quantum Collisions Quantum collisions used to study the interaction between particles/nuclei/atoms. . . analyse the structure of

651 views • 30 slides
COMPUTERS TAKING A QUANTUM LEAP Quantum computers will harness the power of atoms and molecules

COMPUTERS TAKING A QUANTUM LEAP Quantum computers will harness the power of atoms and molecules

COMPUTING COMPUTERS TAKING A QUANTUM LEAP Quantum computers will harness the power of atoms and molecules to perform calculations billions of times faster than todays silicon-based computers. They will also enable new revolutionary

299 views • 6 slides
KILL MD5 DEMYSTIFYING HASH COLLISIONS Ange AlBertini With the help of Marc Stevens TL;DR This

KILL MD5 DEMYSTIFYING HASH COLLISIONS Ange AlBertini With the help of Marc Stevens TL;DR This

Pass the salt 2019 Pass the salt 2019 KILL MD5 DEMYSTIFYING HASH COLLISIONS Ange AlBertini With the help of Marc Stevens TL;DR This talk is about: Understanding the impact of current hash collisions attacks. Side efgect: show that MD5 is

1.06k views • 77 slides
Time-Memory Tradeoffs for Short Hash Collisions Akshima University of Chicago Joint work with

Time-Memory Tradeoffs for Short Hash Collisions Akshima University of Chicago Joint work with

Time-Memory Tradeoffs for Short Hash Collisions Akshima University of Chicago Joint work with David Cash, Andrew Drucker, Hoeteck Wee 1 This Talk Inspects time-space tradeo ff s for finding short collisions in Merkle-Damgrd hash

890 views • 55 slides
MACAW IEEE 802.11 Standard 29 Reducing Cost of Collisions q Collisions are expensive

MACAW IEEE 802.11 Standard 29 Reducing Cost of Collisions q Collisions are expensive

12/9/15 MACAW IEEE 802.11 Standard 29 Reducing Cost of Collisions q Collisions are expensive How to reduce their cost? q Reserve the wireless channel before transmitting data Send short control packets for

237 views • 7 slides
Qu Quantum co computers, ho how do do the hey work and nd wha hat can n the hey do do?

Qu Quantum co computers, ho how do do the hey work and nd wha hat can n the hey do do?

Qu Quantum co computers, ho how do do the hey work and nd wha hat can n the hey do do? Outline Quantum technology Quantum computing What is the advantage? The qubits Operating the quantum computer Quantum computing initiatives

475 views • 31 slides
Quantum Mechanics; a Blessing and a Curse By Elias Marcopoulos Quantum Computers Quantum

Quantum Mechanics; a Blessing and a Curse By Elias Marcopoulos Quantum Computers Quantum

Quantum Mechanics; a Blessing and a Curse By Elias Marcopoulos Quantum Computers Quantum Computers are just like regular computers, they crunch numbers Quantum Computers Quantum Computers are just like regular computers, they crunch

926 views • 74 slides
Cryptography for the quantum internet Elements of a quantum TLS Christian Majenz

Cryptography for the quantum internet Elements of a quantum TLS Christian Majenz

Cryptography for the quantum internet Elements of a quantum TLS Christian Majenz Colloquium Informatics Institute, University of Amsterdam Quantum computers Quantum computers Accelerating effort to build a quantum computer Quantum

1.74k views • 115 slides
CS261 Data Structures Hash Tables Buckets/Chaining Hash Tables:

CS261 Data Structures Hash Tables Buckets/Chaining Hash Tables:

CS261 Data Structures Hash Tables Buckets/Chaining Hash Tables: Resolving Collisions There are two general approaches to resolving collisions: 1. Open address

293 views • 12 slides
14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple

14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple

14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple Uniform Hashing, Popular Hash Functions, Table-Doubling, Open Addressing: Probing, Uniform Hashing, Universal Hashing, Perfect Hashing [Ottman/Widmayer,

1.25k views • 98 slides
14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple

14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple

14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple Uniform Hashing, Popular Hash Functions, Table-Doubling, Open Addressing: Probing, Uniform Hashing, Universal Hashing, Perfect Hashing [Ottman/Widmayer,

1.5k views • 58 slides
CS 225 Data Structures Mar March h 15 15 Hash T Table C e Collisions Wade Fa Wa

CS 225 Data Structures Mar March h 15 15 Hash T Table C e Collisions Wade Fa Wa

CS 225 Data Structures Mar March h 15 15 Hash T Table C e Collisions Wade Fa Wa Fagen-Ul Ulmsch schnei eider er, , Cra Craig Zi Zilles (Example of open hashing) Collision Handling: Sep eparate e Chaining S = { 16, 8, 4, 13,

854 views • 10 slides
An Introduction to Quantum Computers and Quantum Cryptography Computer Network Security

An Introduction to Quantum Computers and Quantum Cryptography Computer Network Security

An Introduction to Quantum Computers and Quantum Cryptography Computer Network Security Prepared by: Nima Bayan, P.Eng. Fall 2003 Contents ! Introduction " Cryptography and Relativity " Quantum Algorithms " Quantum Computers !

227 views • 11 slides
Decision Trees Lecture 22 To left or to right 1 Decision Trees 2 Decision Trees A different

Decision Trees Lecture 22 To left or to right 1 Decision Trees 2 Decision Trees A different

Decision Trees Lecture 22 To left or to right 1 Decision Trees 2 Decision Trees A different complexity measure 2 Decision Trees A different complexity measure Number of bits of input read 2 Decision Trees A different complexity measure

1.62k views • 107 slides
Combinatorial Circuits and Indiscernibility Thomas Colcombet, Amaldev Manuel LIAFA, Universit

Combinatorial Circuits and Indiscernibility Thomas Colcombet, Amaldev Manuel LIAFA, Universit

Combinatorial Circuits and Indiscernibility Thomas Colcombet, Amaldev Manuel LIAFA, Universit e Paris-Diderot Thomas Colcombet, Amaldev Manuel Combinatorial Circuits and Indiscernibility Motivation To prove hierarchy theorems for

558 views • 20 slides
Lecture 4: Sequential Circuits Term Test Date Term Test July 3 17:00-19:00 SW309

Lecture 4: Sequential Circuits Term Test Date Term Test July 3 17:00-19:00 SW309

Lecture 4: Sequential Circuits Term Test Date Term Test July 3 17:00-19:00 SW309 Assembly Test In class End of July Details TBA B58 asks the big questions How does Tickle Me Elmo work? Something else to consider

374 views • 26 slides
Gates and Logic: From Transistors to Logic Gates and Logic Circuits Prof. Hakim Weatherspoon CS

Gates and Logic: From Transistors to Logic Gates and Logic Circuits Prof. Hakim Weatherspoon CS

Gates and Logic: From Transistors to Logic Gates and Logic Circuits Prof. Hakim Weatherspoon CS 3410 Computer Science Cornell University [Weatherspoon, Bala, Bracy, and Sirer] Goals for Today From Switches to Logic Gates to Logic

1.04k views • 77 slides
Depth Lower Bound against Circuits with Sparse Orientation Sajin Koroth 1 Jayalal Sarma 1 1

Depth Lower Bound against Circuits with Sparse Orientation Sajin Koroth 1 Jayalal Sarma 1 1

Depth Lower Bound against Circuits with Sparse Orientation Sajin Koroth 1 Jayalal Sarma 1 1 Algorithms and Complexity Theory Lab Department of Computer Science IIT Madras Chennai Theory Day, 2013 1 / 17 Circuit Model A circuit family C

880 views • 75 slides
Logic Circuits and Signals Hardware/Software Connection Corrado Santoro ARSLAB - Autonomous and

Logic Circuits and Signals Hardware/Software Connection Corrado Santoro ARSLAB - Autonomous and

Logic Circuits and Signals Hardware/Software Connection Corrado Santoro ARSLAB - Autonomous and Robotic Systems Laboratory Dipartimento di Matematica e Informatica - Universit` a di Catania, Italy santoro@dmi.unict.it L.S.M. Course Corrado

451 views • 19 slides
Switching networks Switches and bulbs are 2-state components of electrical circuits.

Switching networks Switches and bulbs are 2-state components of electrical circuits.

519 views • 7 slides
Advanced Grid Modeling, Simulation, and Computation Building Research Collaborations: Electricity

Advanced Grid Modeling, Simulation, and Computation Building Research Collaborations: Electricity

Advanced Grid Modeling, Simulation, and Computation Building Research Collaborations: Electricity Systems Sven Leyffer , Cosmin Petra, and Steve Wright Argonne National Laboratory August 28-29, 2013 Overview of Challenges in Grid Modeling

396 views • 15 slides

More recommend