Presentation is loading. Please wait.

Presentation is loading. Please wait.

Quantum Cryptography Christian Schaffner Institute for Logic, Language and Computation (ILLC) University of Amsterdam Centrum Wiskunde & Informatica Amsterdam.

Published byErick Ralf French Modified over 8 years ago

Similar presentations

Presentation on theme: "Quantum Cryptography Christian Schaffner Institute for Logic, Language and Computation (ILLC) University of Amsterdam Centrum Wiskunde & Informatica Amsterdam."— Presentation transcript:

1 Quantum Cryptography Christian Schaffner Institute for Logic, Language and Computation (ILLC) University of Amsterdam Centrum Wiskunde & Informatica Amsterdam University College Monday, 24 February 2014

2 2 1969: Man on the Moon NASA The Great Moon-Landing Hoax? How can you prove that you are at a specific location? http://www.unmuseum.org/moonhoax.htm

3 3 What will you learn from this Talk? Classical Cryptography Introduction to Quantum Mechanics Quantum Key Distribution Position-Based Cryptography

4 4 Classical Cryptography 3000 years of fascinating history Until 1970: private communication was the only goal Scytale Enigma

5 5 Modern Cryptography is everywhere! is concerned with all settings where people do not trust each other

6 6 Secure Encryption k = ? Alice Bob Goal: Eve does not learn the message Setting: Alice and Bob share a secret key k Eve k = 0101 1011 m = 0000 1111 m = “I love you”

7 eXclusive OR (XOR) Function xyx © y 000 101 011 110 Some properties: 8 x : x © 0 = x 8 x : x © x = 0 7 ) 8 x,y : x © y © y = x

8 One-Time Pad Encryption Alice Bob Goal: Eve does not learn the message Setting: Alice and Bob share a key k Recipe: Is it secure? Eve xyx © y 000 011 101 110 k = 0101 1011 m = 0000 1111 c = m © k = 0101 0100 c © k= 0000 1111 c © k= m © k © k = m © 0 = m c = 0101 0100 k = 0101 1011 m = 0000 1111 c = m © k = 0101 0100 m = c © k = 0000 1111 k = 0101 1011 k = ? 8

9 Perfect Security Alice Bob Given that c = 0101 0100, is it possible that m = 0000 0000 ? Yes, if k = 0101 0100. is it possible that m = 1111 1111 ? Yes, if k = 1010 1011. it is possible that m = 0101 0101 ? Yes, if k = 0000 0001 In fact, every m is possible. Hence, the one-time pad is perfectly secure! Eve xyx © y 000 011 101 110 m = ? k = ? c = m © k = 0101 0100 m = c © k = ? k = ? 9

10 Problems With One-Time Pad Alice Bob The key has to be as long as the message. The key can only be used once. In practice, other encryption schemes (such as AES) are used which allow to encrypt long messages with short keys.AES One-time pad does not provide authentication: Eve can easily flip bits in the messageauthentication Eve m = 0000 1111 k = 0101 1011 c = m © k = 0101 0100 m = c © k = 0000 1111 k = ? 10

11 Symmetric-Key Cryptography Alice Encryption insures secrecy: Eve does not learn the message, e.g. one-time padone-time pad Authentication insures integrity: Eve cannot alter the message General problem: players have to exchange a key to start with Eve Bob 11

12 Public-Key Cryptography Alice Solves the key-exchange problem. Everyone can encrypt using the public key.public key Only the holder of the secret key can decrypt. Digital signatures: Only secret-key holder can sign, but everyone can verify signatures using the public-key. Digital signatures Eve public key secret key 12 Bob Charlie

13 History of Public-Key Crypto Early 1970s: invented in the „classified world“ at the British Government Communications Head Quarters (GCHQ) by Ellis, Cocks, Williamsoninvented Government Communications Head Quarters Mid/late 1970s: invented in the „academic world“ by Merkle, Hellman, Diffie, and Rivest, Shamir, Adleman 13

14 Politics of Cyberwar Edward Snowden, former CIA and NSA employee, now whistleblower and on (temporary) asylum in Russia Edward Snowdenwhistleblower leaked many thousand top secret documents to various media, documenting a mass surveillance programs by secret services from all over the world mass surveillance programs 14

15 Politics of Cyberwar 15

16 Politics of Cyberwar Methods: Break cryptography Influence industrial standardsstandards Pressure manufacturers to make insecure devices Infiltrate hardware and software (communication infrastructure, computers, smartphones etc.) Why mass surveillance? Other than to combat terrorism, these surveillance programs have been employed to assess the foreign policy and economic stability of other countries, and to gather "commercial secrets“. 16

17 Why worry? „I have nothing to hide“ is a very naive reaction. Think about what your smartphone knows about you. Think about what your smartphone does not know about you. 17

18 Why worry? „I have nothing to hide“ is a very naive reaction. Everyone‘s personal privacy is at stake! George Orwell‘s surveillance state from his book 1984 is coming true... George Orwell1984 "They (the NSA) can use the system to go back in time and scrutinize every decision you've ever made, every friend you've ever discussed something with, and attack you on that basis to sort of derive suspicion from an innocent life and paint anyone in the context of a wrongdoer." – Edward Snowden 18

19 Cryptography and Logic Cryptographic protocols for advanced tasks are built from basic building blocks Problem: security proofs become very hard to verify Solution: Logic provides formal methods to specify tools and taskformal methods Use automatic proof checkers to verify security Signature Key establishment Hash function Encryption Crypto-Toolbox electronic voting system 19

20 20 What will you Learn from this Talk? Classical Cryptography Introduction to Quantum Mechanics Quantum Key Distribution Position-Based Cryptography

21 21 Quantum Bit: Polarization of a Photon qu b i t asun i t vec t or i n C 2

22 22 Qubit: Rectilinear/Computational Basis

23 23 Detecting a Qubit Bob No photons: 0 Alice

24 24 Measuring a Qubit Bob No photons: 0 Photons: 1 with prob. 1 yields 1 Measurement: 0/1 Alice

25 25 Diagonal/Hadamard Basis with prob. ½ yields 0 with prob. ½ yields 1 Measurement: 0/1 =

26 26 Measuring Collapses the State with prob. ½ yields 0 with prob. ½ yields 1 Measurement: 0/1 =

27 27 Measuring Collapses the State = =

28 28 Quantum Mechanics with prob. 1 yields 1 Measurements: + basis £ basis with prob. ½ yields 0 with prob. ½ yields 1 0/1

29 Wonderland of Quantum Mechanics

30 30 [Shor ’94] Efficient quantum algorithm for factoring which breaks public-key cryptography (RSA) [Grover ’96] Fast quantum search algorithm Possible to build in theory, no fundamental theoretical obstacles have been found yet. Canadian company “D-Wave” claims to have build one. Did they? Quantum Computer

31 31 No-Cloning Theorem Quantum operations: U Proof: copying is a non-linear operation

32 Quantum Key Distribution (QKD) Alice Bob Eve Offers an quantum solution to the key-exchange problem Puts the players into the starting position to use symmetric-key cryptography (encryption, authentication etc.). [Bennett Brassard 84] 32 k = 0101 1011 k = ?

33 Quantum Key Distribution (QKD) [Bennett Brassard 84] 33 0 1 1 1 0 0 0 1 1 0 k = 110

34 Quantum Key Distribution (QKD) [Bennett Brassard 84] 34 0 1 1 1 0 0 0 1 1 0 k = 10 Quantum states are unknown to Eve, she cannot copy them. Honest players can test whether Eve interfered. k = ?

35 Quantum Key Distribution (QKD) Alice Bob Eve technically feasible: no quantum computer required, only quantum communication [Bennett Brassard 84] 35

36 36 What will you Learn from this Talk? Classical Cryptography Introduction to Quantum Mechanics Quantum Key Distribution Position-Based Cryptography

37 37 Position-Based Cryptography Typically, cryptographic players use credentials such as secret information (e.g. password or secret key) authenticated information biometric features Can the geographical location of a player be used as cryptographic credential ?

38 38 Position-Based Cryptography Possible Applications: Launching-missile command comes from within the military headquarters Talking to the correct country Pizza-delivery problem / avoid fake calls to emergency services … Can the geographical location of a player be used as sole cryptographic credential ?

39 39 Basic task: Position Verification Prover wants to convince verifiers that she is at a particular position no coalition of (fake) provers, i.e. not at the claimed position, can convince verifiers assumptions: communication at speed of light instantaneous computation verifiers can coordinate Verifier1 Verifier2 Prover

40 40 Position Verification: First Try Verifier1 Verifier2 Prover time distance bounding [Brands Chaum ‘93]

41 41 Position Verification: Second Try Verifier1 Verifier2 Prover position verification is classically impossible !

42 42 The Attack copying classical information this is impossible quantumly

43 43 Position Verification: Quantum Try [Kent Munro Spiller 03/10] Can we brake the scheme now?

44 44 Attacking Game Impossible to cheat due to non- cloning theorem Or not? ? ?

45 45 Teleportation Attack It is possible to cheat with entanglement !!entanglement Quantum teleportation allows to break the protocol perfectly. Quantum teleportation [Bell]

46 46 No-Go Theorem Any position-verification protocol can be broken using a very large number of entangled qubits. Question: Are so many quantum resources really necessary? Does there exist a protocol such that: honest prover and verifiers are efficient, but any attack requires lots of entanglement [Buhrman, Chandran, Fehr, Gelles, Goyal, Ostrovsky, Schaffner 2010]

47 47 What Have You Learned from this Talk? Classical Cryptography Long historyhistory One-time pad Public-key cryptography Links to Logic and PoliticsLogic Politics Alice Bob Eve m = 0000 1111 k = 0101 1011 c = m © k = 0101 0100 k = ?

48 48 What Have You Learned from this Talk? Quantum Mechanics Qubits Quantum Computer No-cloning Entanglement Quantum Teleportation

49 49 What Have You Learned from this Talk? Position-Based Cryptography Quantum Key Distribution (QKD)QKD

50 Thank you for your attention! Questions

51 51 Are There Secure Schemes? Different quantum schemes proposed by Chandran, Fehr, Gelles, Goyal, Ostrovsky [2010] Malaney [2010] Kent, Munro, Spiller [2010] Lau, Lo [2010] Unfortunately they can all be broken! General no-go theorem [Buhrman, Chandran, Fehr, Gelles, Goyal, Ostrovsky, Schaffner 2010]

52 52 Quantum Operations are linear isometries can be described by a unitary matrix: examples: identity bitflip (Pauli X): mirroring at axis X X X X

53 53 Quantum Operations are linear isometries can be described by a unitary matrix: examples: identity bitflip (Pauli X): mirroring at axis phase-flip (Pauli Z): mirroring at axis both (Pauli XZ) Z

54 54 U Most General Single-Round Scheme Let us study the attacking game

55 55 U Distributed Q Computation in 1 Round using some form of back-and-forth teleportation, players succeed with probability arbitrarily close to 1 requires an exponential amount of EPR pairs

Download ppt "Quantum Cryptography Christian Schaffner Institute for Logic, Language and Computation (ILLC) University of Amsterdam Centrum Wiskunde & Informatica Amsterdam."

Similar presentations

Quantum Computing MAS 725 Hartmut Klauck NTU 5.3.2012.

Quantum Computing MAS 725 Hartmut Klauck NTU
Christian Schaffner CWI Amsterdam, Netherlands Position-Based Quantum Cryptography: Impossibility and Constructions Seminar Eindhoven, Netherlands Wednesday,

Christian Schaffner CWI Amsterdam, Netherlands Position-Based Quantum Cryptography: Impossibility and Constructions Seminar Eindhoven, Netherlands Wednesday,
Position-Based Quantum Cryptography Christian Schaffner ILLC, University of Amsterdam Centrum Wiskunde & Informatica Logic Tea, ILLC Tuesday, 14/02/2012.

Position-Based Quantum Cryptography Christian Schaffner ILLC, University of Amsterdam Centrum Wiskunde & Informatica Logic Tea, ILLC Tuesday, 14/02/2012.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.

15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
Public-key Cryptography Montclair State University CMPT 109 J.W. Benham Spring, 1998.

Public-key Cryptography Montclair State University CMPT 109 J.W. Benham Spring, 1998.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
Quantum Cryptography Qingqing Yuan. Outline No-Cloning Theorem BB84 Cryptography Protocol Quantum Digital Signature.

Quantum Cryptography Qingqing Yuan. Outline No-Cloning Theorem BB84 Cryptography Protocol Quantum Digital Signature.
Public Key Crytography1 From: Introduction to Algorithms Cormen, Leiserson and Rivest.

Public Key Crytography1 From: Introduction to Algorithms Cormen, Leiserson and Rivest.
1 CPSC156: The Internet Co-Evolution of Technology and Society Lectures 19,20, and 21: April 5, 10, and 12, 2007 Cryptographic Primitives.

1 CPSC156: The Internet Co-Evolution of Technology and Society Lectures 19,20, and 21: April 5, 10, and 12, 2007 Cryptographic Primitives.
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
1 Pertemuan 08 Public Key Cryptography Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 08 Public Key Cryptography Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Paraty, Quantum Information School, August 2007 Antonio Acín ICFO-Institut de Ciències Fotòniques (Barcelona) www.icfo.es Quantum Cryptography.

Paraty, Quantum Information School, August 2007 Antonio Acín ICFO-Institut de Ciències Fotòniques (Barcelona) Quantum Cryptography.
Quantum computing Alex Karassev. Quantum Computer Quantum computer uses properties of elementary particle that are predicted by quantum mechanics Usual.

Quantum computing Alex Karassev. Quantum Computer Quantum computer uses properties of elementary particle that are predicted by quantum mechanics Usual.
Quantum Public Key Cryptography with Information- Theoretic Security Daniel Gottesman Perimeter Institute.

Quantum Public Key Cryptography with Information- Theoretic Security Daniel Gottesman Perimeter Institute.
A Cryptography Tutorial Jim Xu College of Computing Georgia Tech

A Cryptography Tutorial Jim Xu College of Computing Georgia Tech

Similar presentations

Ads by Google