Long term Sec rit Long-term Security through g Quantum - - PowerPoint PPT Presentation

Long term Sec rit Long-term Security

through g

Quantum Cryptography

D i i U h Dominique Unruh University of Tartu

Dominique Unruh Dominique Unruh

EWSCS 2011 March 2, 2011

Recall Recall

L t it P t l i if

• Long‐term security: Protocol is secure if

– Adversary computationally limited during protocol – Adversary unlimited after protocol

• Examples:
• Examples:

– One‐time pad, one‐time MAC – Authentication – Unconditionally hiding commitments y g

Dominique Unruh Long‐term security through quantum 2

Examples: ? Examples: ...?

I th ?

• Is there more?
• Many things still impossible

y g p

• Public‐key encryption:

– Unlimited adversary can compute secret key y p y – No long‐term secure public‐key encryption

Dominique Unruh Long‐term security through quantum 3

Oblivious Transfer Oblivious Transfer

OT

m0, m1 c{0,1} m

OT

mc

Bob Alice

• Requirements:
• Requirements:

– Alice should not learn c – Bob should learn only mc, not m1-c

Dominique Unruh Long‐term security through quantum 4

Oblivious Transfer (II) Oblivious Transfer (II)

Wh t i OT d f ?

• What is OT good for?
• Allows to build “secure function evaluation”

protocols

Perform an arbitrary computation on secret data – Perform an arbitrary computation on secret data – Revealing only the intended result – Later more…

• Also a good test case:

Also a good test case:

– If OT impossible, general SFE impossible

Dominique Unruh Long‐term security through quantum 5

Oblivious Transfer (III) Oblivious Transfer (III)

• Is there a long term secure OT protocol?
• Is there a long‐term secure OT protocol?
• No. Proof idea:
• 1. Assume long‐term secure OT
• 2. Alice & Bob run honestly
• 2. Alice & Bob run honestly

m0, m1 c{0,1}

Transcript trans

• 3. trans must not contain both m0, m1 (info‐theo)

0, 1

{ , }

Bob Alice

• 3. trans must not contain both m0, m1 (info theo)
• 4. Hence only mc is contained

5 H li it d Ali fi d t

Dominique Unruh

• 5. Hence unlimited Alice can find out c

Long‐term security through quantum 6

Long‐term Secure Protocols Long‐term Secure Protocols

• No long‐term secure OT
• No long‐term secure SFE

– Except perhaps for special cases

• Not much better of than with

unconditional security? unconditional security?

Dominique Unruh Long‐term security through quantum 7

Quantum to the Rescue! Quantum to the Rescue!

I ibilit lt

• Impossibility results
• nly hold with respect

to classical physics

• Protocols using
• Protocols using

quantum mechanics ld t d it could get around it...

• Enters:

Quantum Cryptography

Dominique Unruh Long‐term security through quantum 8

Quantum Mechanics Quantum Mechanics

Dominique Unruh Dominique Unruh Long‐term security through quantum 9

Double Slit Experiment Double Slit Experiment

Li ht f ll th h t

• Light falls through two

slits (S2)

• Light‐dark pattern
• ccurs
• Reason: Light is a wave

→ Interference

Dominique Unruh Long‐term security through quantum 10

Double Slit Experiment Double Slit Experiment

S d i l h t t ti

• Send a single photon at a time
• Photon either goes through left or right

path

• After a while, interference pattern
• ccurs
• Each photon “interferes with itself”

Each photon interferes with itself → Physicists puzzled S l ti Q t h i

• Solution: Quantum mechanics:

– Photon takes both ways in superposition

Dominique Unruh Long‐term security through quantum 11

Superposition Superposition

If t it ti ibl t “d t

• If two situations are possible, nature “does not

always decide”

– Both situations happen “in superposition” – (Doesn’t need to make sense now)

• Only when we look, “nature decides”
• Schrödinger’s cat

Dominique Unruh Long‐term security through quantum 12

Quantum Mechanics Quantum Mechanics

S iti S l thi h “ t

• Superposition: Several things happen “at
• nce”
• Our intuition is classical, we cannot

understand this understand this

• Mathematical notions allow to handle QM,

even if we do not understand it

Dominique Unruh Long‐term security through quantum 13

Quantum Computing Quantum Computing

Dominique Unruh Dominique Unruh Long‐term security through quantum 14

Church‐Turing Thesis Church‐Turing Thesis

T i D fi iti f T i hi

• Turing: Definition of Turing‐machines
• Church‐Turing thesis:

g Any physically computable function Any physically computable function can be computed by a Turing machine → Turing‐Machine characterises physical t bilit computability Usually: Efficient = polynomial‐time

Dominique Unruh Long‐term security through quantum

y p y

15

Randomized algorithms Randomized algorithms

1970 S l St i lit t t

• 1970s: Solovay‐Strassen primality test
• No deterministic test known (at that time)

( )

• Polynomial identity:

No deterministic test today No deterministic test today Any efficiently physically computable Any efficiently physically computable function can be computed by an ffi i t T i hi efficient Turing machine

Dominique Unruh Long‐term security through quantum 16

Enters: The Quantum Computer Enters: The Quantum Computer

St Ch h T i t d d

• Strong Church‐Turing extended once

– Perhaps has to be extended again

• Feynman 1982:

Simulating quantum systems difficult for TMs – Simulating quantum systems difficult for TMs – Quantum system can simulate quantum system

• Probabilistic Church‐Turing thesis wrong?

– Unknown so far But seems so Unknown so far… But seems so…

Dominique Unruh Long‐term security through quantum 17

Quantum Algorithms Quantum Algorithms

• Deutsch Jozsa 1992
• Deutsch‐Jozsa 1992:

– Testing whether function is balanced or constant – No practical relevance – Shows: Quantum Computers more powerful than classical

• Shor 1994:

– Factorization of integers

• Grover 1996:
• Grover 1996:

– Quadratic speed‐up of brute‐force search

Dominique Unruh Long‐term security through quantum 18

Today Today

N t t

• No quantum computers

(except for toy models)

• Cannot execute quantum algorithms
• Future will tell
• Future will tell

Dominique Unruh Long‐term security through quantum 19

Quantum Cryptography Quantum Cryptography

Dominique Unruh Dominique Unruh Long‐term security through quantum 20

Quantum Key Exchange Quantum Key Exchange

B t B d 1984

• Bennet, Brassard 1984:

– Key exchange using quantum communication

• Idea:

Measurement destroys state – Measurement destroys state → Adversary cannot eavesdrop unnoced

Dominique Unruh Long‐term security through quantum 21

Quantum Key Exchange Quantum Key Exchange

Alice Bob Polarisation: Measures Sends basis

  

  

Shared key bits

Dominique Unruh Long‐term security through quantum 22

Quantum Key Exchange – Attack Quantum Key Exchange – Attack

Alice Bob Polarisation: Ch d b t

Caution: This is only the intuition. S it l i h i l d

Changed by measurement

Security analysis much more involved.

(Took 12 additional years ) Adversary measures → Bit destroyed (Took 12 additional years…) y → Alice+Bob: different keys → Aack detected

Dominique Unruh Long‐term security through quantum

→

23

Quantum Key Exchange Quantum Key Exchange

Id d 1984

• Idea proposed 1984
• First security proof: Mayers 1996

y p y

• Possible with today’s technology

Si l h – Single photon sources – Polarisation filters

• No complexity assumptions

Impossible classically – Impossible classically

• Details later in lecture

Dominique Unruh Long‐term security through quantum 24

Quantum Cryptography Quantum Cryptography

• Any cryptography using quantum
• Any cryptography using quantum

– Key exchange – Bit commitment – Oblivious transfer – Zero knowledge – Signatures g

• Often: Quantum Crypto = Key Exchange

Physicists Wikipedia – Physicists, Wikipedia – Other applications often ignored

Dominique Unruh Long‐term security through quantum 25