The Quantum World Tania Martin Smals Research June 2017 www.smalsresearch.be Hypothetical scenario How is your company responding to the announcement of the new commercially available quantum computer that can “break” RSA and ECC? What the hell??? I don’t have any plan for that !!! I have no comment on that… 2 Hypothetical scenario What the hell!!! I hope for you (my dear Research team) that you have anticipated this HUGE problem that can threaten much of our business (eID, communication protocols, etc.)!!! Euh, sorry but no, we decided that it was not urgent… 3 Hypothetical scenario What the hell!!! I hope for you (my dear Research team) that you have anticipated this HUGE problem that can threatens many of our business (eID, communication protocols, etc.)!!! Euh, sorry but no, we decided that it was not urgent… 4 It’s too important to be set aside!!! House Homeland Security Committee Chairman Michael McCall is calling on Congress to increase spending on quantum computing research to ensure that the U.S. is the first nation to employ quantum computing as a tool to decrypt data. — September 2016 http://www.bankinfosecurity.com/rep-mccaul-us-must-gain-decryption-edge-a-9422 5 It’s too important to be set aside!!! 6 A certain future 1994 2018 2030 2050 QC = Quantum Computer 7 A certain future 1994 2018 2030 2050 QC = Quantum Computer 8 Quantum computer technology [Know the enemy] Quantum cryptography [Enhance cryptography] Quantum attacks [Break actual cryptography] Post quantum cryptography AGENDA [Counter quantum attacks] Quantum computer technology I can safely say that no one understands quantum mechanics Richard Feynman (1918-1988) Father of the new way to conceive quantum mechanics 11 What is a quantum computer? A digital computer uses transistors to perform computation of data A quantum computer uses quantum properties of the matter to perform computation of data 12 Examples of used *matter* • not excited An atom can be • excited • both • horizontal The polarization of • vertical a photon can be • both Formally, any matter used in quantum mechanics can be in a superposition of 2 states 13 Understand the superposition http://www.QuantumMadeSimple.com 14 Recap 1 bit 0 1 or 1 qubit 훼|0 + 훽|1 |0 and |1 are pronunced "ket 0" and "ket 1" 15 What does mean? 1 Reference to Schrödinger’s cat 16 What does mean? 1 Reference to Schrödinger’s cat 2 3 2 states: Equal probability • Cat alive that cat is alive or • Cat dead dead: 훼 = 훽 = 1 2 17 Quantum theory Not supposed Not fully Fully to represent represent represent reality reality reality Position Modified Influence of Quantum Multiple Positivism as added quantum laws consciousness decoherence universes variable R. Omnès S. Hawking L. de Broglie R. Penrose E. Wigner M. Gell-Mann H. Everett N. Bohr D. Bohm J. Hartle J. Von G. Ghirardi Neumann H.-D. Zeh A. Rimini J. Bell F. London W. Zurek W. E. Weber E. Bauer 18 vs. 1 bit 1 qubit 0 1 훼|0 + 훽|1 or Either 0 or 1 Both 0 and 1 푁 bits 푁 qubits 훼 |00 … 0 + 훼 |00 … 1 + … + 훼 푁 |11 … 1 0 1 0 0 1 0 1 1 2 2 ……… …………… 1 out of 2푁 possible states All out of 2푁 possible states - 19 Consequences of - Mathematical operation on 푁 - Parallel computation on ퟐ푵 data Computation power of a x2 each time a - is added 20 -- in real life 1994 2007 2017 2023 2030 2050 QC = Quantum Computer 21 Quantum cryptography Goal Exploit the mechanical properties to perform crypto tasks Quantum Random Quantum Key Number Generator Distribution Quantum Commitment Secure Multi-Party Oblivious Transfer Computation 23 Quantum Random Number Generator Generate better high-quality random numbers Based on: • Radioactive decay • Noise • Quantum optics 24 Quantum Random Number Generator Single-photon splitting 0 1 1 0 1 … "1" Detector 1 Detector Detector LASER Photon 0 Semi-transparent mirror "0" The beam splitter The photon’s choice Example based on deviates the photon at beam splitting is quantum optics to a 0/1 detector totally random 25 Quantum Key Distribution Transfer securely From , produce a from Alice to Bob random shared secret key - throught the channel throught the classical channel qkdsimulator.com 26 Quantum Key Distribution Polarization of a photon LASER LASER LASER LASER 27 Quantum Key Distribution Polarization of a photon Unpolarized photon Polarization filter Beam splitter 0 1 0 1 4 polarized photons 100% 50% 0% 50% Not readable during transfer otherwise qubits are disturb 28 Quantum Key Distribution The BB84 protocol 29 Quantum Key Distribution The BB84 protocol 1 0 1 1 0 0 1 1 0 0 1 1 1 0 30 Quantum Key Distribution The BB84 protocol 1 0 1 1 0 0 1 1 0 0 1 1 1 0 1 0 0 1 0 0 1 1 0 0 0 1 1 0 50% 50% 50% 50% 50% 31 Quantum Key Distribution The BB84 protocol 1 0 1 1 0 0 1 1 0 0 1 1 1 0 1 0 0 1 0 0 1 1 0 0 0 1 1 0 √ √ √ √ √ √ √ √ √ 1 - - 1 0 0 - 1 0 0 - 1 - 0 Shared key 32 Quantum Key Distribution Eavesdropping the BB84 protocol 4 3 1 2 1 3 Lecture of the qubit state Qubit modification in the channel 2 4 splitter disturbance Detection (error rate) & abortion 33 Quantum Key Distribution In practice Currently The highest bit rate for QKD with optical fiber is held by Toshiba with 1 Mbit/s over 50 km [up to our knowledge] Limitation on the distance of key exchange 34 Quantum attacks Goal Exploit the mechanical properties to crack/solve hard problems Shor’s algorithm Grover’s algorithm HHL’s algorithm Quantum simulator Etc… 36 Shor’s algorithm Created by Solve Peter Shor (1994) prime factorization in polynomial time 1092 2 546 Prime factors: 2, 2, 3, 7, 13 2 273 1092 = 22 ∗ 3 ∗ 7 ∗ 13 3 91 7 13 This is a very simple example 37 Shor’s algorithm Breaking public-key cryptography E.g. an RSA number: 푁 = 푝 ∗ 푞 , where 푝, 푞 are prime numbers Easy to compute 푁 from (푝, 푞) RSA-1024 = 135066410865995223349603216278805969 938881475605667027524485143851526510 604859533833940287150571909441798207 282164471551373680419703964191743046 496589274256239341020864383202110372 Hard to recover (푝, 푞) from 푁 958725762358509643110564073501508187 510676594629205563685529475213500852 879416377328533906109750544334999811 with standard methods 150056977236890927563 38 Shor’s algorithm Breaking public-key cryptography E.g. an RSA number: 푁 = 푝 ∗ 푞 , where 푝, 푞 are prime numbers Easy to compute 푁 from (푝, 푞) RSA-1024 = 135066410865995223349603216278805969 938881475605667027524485143851526510 604859533833940287150571909441798207 282164471551373680419703964191743046 496589274256239341020864383202110372 Easy to recover (푝, 푞) from 푁 958725762358509643110564073501508187 510676594629205563685529475213500852 879416377328533906109750544334999811 with Shor’s algorithm 150056977236890927563 39 Grover’s algorithm Created by Solve Lov Grover (1996) invertion of function in sub-linear time Function 푓 Input 푥 Output 푦 = 푓(푥) 40 Grover’s algorithm Searching an unstructured DB / an unsorted list E.g. searching a phonebook where: • 푥 is a name • 푦 = 푓(푥) is a phone number 푦 (푓, 푥) Easy to find from Phonebook of 10,000 entries Hard to find 푥 from (푓, 푦) with standard methods Need 5,000 guesses 41 Grover’s algorithm Searching an unstructured DB / an unsorted list E.g. searching a phonebook where: • 푥 is a name • 푦 = 푓(푥) is a phone number 푦 (푓, 푥) Easy to find from Phonebook of 10,000 entries Easy to find 푥 from (푓, 푦) with Grover’s algorithm Need 100 guesses 42 Grover’s algorithm Searching an unstructured DB / an unsorted list E.g. searching a phonebook where: • 푥 is a name • 푦 = 푓(푥) is a phone number 푦 (푓, 푥) Easy to find from Phonebook of 25 million entries Easy to find 푥 from (푓, 푦) with Grover’s algorithm Need 5,000 guesses 43 Grover’s algorithm Breaking symmetric-key cryptography Brute-forcing a 128-bit key Brute-forcing ퟔퟒ in ≈ ퟐ iterations a 256-bit key in ≈ ퟐퟏퟐퟖ iterations Simple solution Use loooooooooooonger keys! 44 Post-quantum cryptography Goal Cryptographic schemes/algorithms resistant to attacks Hash-based crypto Code-based crypto Lattice-based crypto Multivariate crypto Etc… 46 Hash-based crypto Created by Alternative to Ralph Merkle (1970) signature schemes like RSA/DSA/ECDSA 1 Hash 2 function ℎ 3 4 1 2 3 4 Create private key - Distribute Sign data with Verify signature with and public key - 47 Hash-based crypto The Lamport signature scheme and must be used only once 0 1 0 1 0 1 0 1 random random random random random random random random ℎ ℎ ℎ ℎ ℎ ℎ ℎ ℎ hash hash hash hash hash hash hash hash 1 Create private key - and public key - 48 Hash-based crypto The Lamport signature scheme 0 1 0 1 0 1 0 1 random random random random random random random random ℎ ℎ ℎ ℎ ℎ ℎ ℎ ℎ hash hash hash hash hash hash hash hash 1 2 Create private key - Distribute and public key - 49 Hash-based crypto The Lamport signature scheme = 1 1 0 1 = random random random random 0 1 0 1 0 1 0 1 random random random random random random random random ℎ ℎ ℎ ℎ ℎ ℎ ℎ ℎ hash hash hash hash hash hash hash hash 1 2 3 Create private key - Distribute Sign data with and public key - 50 Hash-based crypto The Lamport signature scheme = 1 1 0 1 = random random random random 0 1 0 1 0 1 0 1 random random random random ℎ ℎ ℎ ℎ =? =? =? =? hash hash hash hash hash hash hash hash 1 2 3 4 Create private key - Distribute Sign data with Verify signature with and public key - 51 Hash-based crypto The Lamport signature scheme To be quantum-resistant The lengths of random , hash and random - must be > x2 larger than the security parameter EX A 128-bit security requires lengths > 256 bits 52 Hash-based crypto The Merkle signature scheme h[3,0] A B : B = ℎ(A) h[2,0] h[2,1] h[1,0] h[1,1] h[1,2] h[1,3] h[0,0] h[0,1] h[0,2] h[0,3] h[0,4] h[0,5] h[0,6]