Long term Sec rit Long-term Security through g Quantum - PowerPoint PPT Presentation

Long term Sec rit Long-term Security through g Quantum Cryptography D Dominique Unruh i i U h University of Tartu EWSCS 2011 March 2, 2011 Dominique Unruh Dominique Unruh

Recall Recall • Long ‐ term security: Protocol is secure if L t it P t l i if – Adversary computationally limited during protocol – Adversary unlimited after protocol • Examples: • Examples: – One ‐ time pad, one ‐ time MAC – Authentication – Unconditionally hiding commitments y g Dominique Unruh Long ‐ term security through quantum 2

Examples: Examples: ...? ? • Is there more? I th ? • Many things still impossible y g p • Public ‐ key encryption: – Unlimited adversary can compute secret key y p y – No long ‐ term secure public ‐ key encryption Dominique Unruh Long ‐ term security through quantum 3

Oblivious Transfer Oblivious Transfer c  {0,1} m 0 , m 1 OT OT m m c Alice Bob • Requirements: • Requirements: – Alice should not learn c – Bob should learn only m c , not m 1- c Dominique Unruh Long ‐ term security through quantum 4

Oblivious Transfer (II) Oblivious Transfer (II) • What is OT good for? Wh t i OT d f ? • Allows to build “secure function evaluation” protocols – Perform an arbitrary computation on secret data Perform an arbitrary computation on secret data – Revealing only the intended result – Later more… • Also a good test case: Also a good test case: – If OT impossible, general SFE impossible Dominique Unruh Long ‐ term security through quantum 5

Oblivious Transfer (III) Oblivious Transfer (III) • Is there a long term secure OT protocol? • Is there a long ‐ term secure OT protocol? • No. Proof idea: 1. Assume long ‐ term secure OT 2. Alice & Bob run honestly 2. Alice & Bob run honestly c  {0,1} Transcript trans m 0 , m 1 0 , { , } 1 Alice Bob 3. trans must not contain both m 0 , m 1 (info ‐ theo) 3. trans must not contain both m 0 , m 1 (info theo) 4. Hence only m c is contained 5 5. Hence unlimited Alice can find out c H li it d Ali fi d t Dominique Unruh Long ‐ term security through quantum 6

Long ‐ term Secure Protocols Long ‐ term Secure Protocols • No long ‐ term secure OT • No long ‐ term secure SFE – Except perhaps for special cases • Not much better of than with unconditional security? unconditional security? Dominique Unruh Long ‐ term security through quantum 7

Quantum to the Rescue! Quantum to the Rescue! • Impossibility results I ibilit lt only hold with respect to classical physics • Protocols using • Protocols using quantum mechanics could get around it... ld t d it • Enters: Quantum Cryptography Dominique Unruh Long ‐ term security through quantum 8

Quantum Mechanics Quantum Mechanics Dominique Unruh Long ‐ term security through quantum Dominique Unruh 9

Double Slit Experiment Double Slit Experiment • Light falls through two Li ht f ll th h t slits (S2) • Light ‐ dark pattern occurs • Reason: Light is a wave → Interference Dominique Unruh Long ‐ term security through quantum 10

Double Slit Experiment Double Slit Experiment • Send a single photon at a time S d i l h t t ti • Photon either goes through left or right path • After a while, interference pattern occurs • Each photon “interferes with itself” Each photon interferes with itself → Physicists puzzled • Solution: Quantum mechanics: S l ti Q t h i – Photon takes both ways in superposition Dominique Unruh Long ‐ term security through quantum 11

Superposition Superposition • If two situations are possible, nature “does not If t it ti ibl t “d t always decide” – Both situations happen “in superposition” – (Doesn’t need to make sense now) • Only when we look, “nature decides” • Schrödinger’s cat Dominique Unruh Long ‐ term security through quantum 12

Quantum Mechanics Quantum Mechanics • Superposition: Several things happen “at S iti S l thi h “ t once” • Our intuition is classical, we cannot understand this understand this • Mathematical notions allow to handle QM, even if we do not understand it Dominique Unruh Long ‐ term security through quantum 13

Quantum Computing Quantum Computing Dominique Unruh Long ‐ term security through quantum Dominique Unruh 14

Church ‐ Turing Thesis Church ‐ Turing Thesis • Turing: Definition of Turing ‐ machines T i D fi iti f T i hi • Church ‐ Turing thesis: g Any physically computable function Any physically computable function can be computed by a Turing machine → Turing ‐ Machine characterises physical computability t bilit Usually: Efficient = polynomial ‐ time y p y Dominique Unruh Long ‐ term security through quantum 15

Randomized algorithms Randomized algorithms • 1970s: Solovay ‐ Strassen primality test 1970 S l St i lit t t • No deterministic test known (at that time) ( ) • Polynomial identity: No deterministic test today No deterministic test today Any efficiently physically computable Any efficiently physically computable function can be computed by an efficient Turing machine ffi i t T i hi Dominique Unruh Long ‐ term security through quantum 16

Enters: The Quantum Computer Enters: The Quantum Computer • Strong Church ‐ Turing extended once St Ch h T i t d d – Perhaps has to be extended again • Feynman 1982: – Simulating quantum systems difficult for TMs Simulating quantum systems difficult for TMs – Quantum system can simulate quantum system • Probabilistic Church ‐ Turing thesis wrong? – Unknown so far Unknown so far… But seems so… But seems so Dominique Unruh Long ‐ term security through quantum 17

Quantum Algorithms Quantum Algorithms • Deutsch Jozsa 1992 • Deutsch ‐ Jozsa 1992: – Testing whether function is balanced or constant – No practical relevance – Shows: Quantum Computers more powerful than classical • Shor 1994: – Factorization of integers • Grover 1996: • Grover 1996: – Quadratic speed ‐ up of brute ‐ force search Dominique Unruh Long ‐ term security through quantum 18

Today Today • No quantum computers N t t (except for toy models) • Cannot execute quantum algorithms • Future will tell • Future will tell Dominique Unruh Long ‐ term security through quantum 19

Quantum Cryptography Quantum Cryptography Dominique Unruh Long ‐ term security through quantum Dominique Unruh 20

Quantum Key Exchange Quantum Key Exchange • Bennet, Brassard 1984: B t B d 1984 – Key exchange using quantum communication • Idea: – Measurement destroys state Measurement destroys state → Adversary cannot eavesdrop unno � ced Dominique Unruh Long ‐ term security through quantum 21

Quantum Key Exchange Quantum Key Exchange Alice Bob Polarisation: Measures Sends basis       Shared key bits Dominique Unruh Long ‐ term security through quantum 22

Quantum Key Exchange – Attack Quantum Key Exchange – Attack Alice Bob Polarisation: Caution: This is only the intuition. Security analysis much more involved. S it l i h i l d Changed by measurement Ch d b t (Took 12 additional years…) (Took 12 additional years ) Adversary measures → Bit destroyed y → Alice+Bob: di ff erent keys → A � ack detected → Dominique Unruh Long ‐ term security through quantum 23

Quantum Key Exchange Quantum Key Exchange • Idea proposed 1984 Id d 1984 • First security proof: Mayers 1996 y p y • Possible with today’s technology – Single photon sources Si l h – Polarisation filters • No complexity assumptions – Impossible classically Impossible classically • Details later in lecture Dominique Unruh Long ‐ term security through quantum 24

Quantum Cryptography Quantum Cryptography • Any cryptography using quantum • Any cryptography using quantum – Key exchange – Bit commitment – Oblivious transfer – Zero knowledge – Signatures g • Often: Quantum Crypto = Key Exchange – Physicists, Wikipedia Physicists Wikipedia – Other applications often ignored Dominique Unruh Long ‐ term security through quantum 25