Presentation is loading. Please wait.

Presentation is loading. Please wait.

Quantum Cryptography Christian Schaffner ILLC, University of Amsterdam Centrum Wiskunde & Informatica Logic, Language and Computation Monday, 21 September.

Published byElvin Logan Modified over 8 years ago

Similar presentations

Presentation on theme: "Quantum Cryptography Christian Schaffner ILLC, University of Amsterdam Centrum Wiskunde & Informatica Logic, Language and Computation Monday, 21 September."— Presentation transcript:

1 Quantum Cryptography Christian Schaffner ILLC, University of Amsterdam Centrum Wiskunde & Informatica Logic, Language and Computation Monday, 21 September 2015

2 2 1969: Man on the Moon NASA The Great Moon-Landing Hoax? How can you prove that you are at a specific location? http://www.unmuseum.org/moonhoax.htm

3 3 What will you Learn from this Talk? Classical Cryptography Quantum Computation & Teleportation Position-Based Cryptography Garden-Hose Model

4 4 Classical Cryptography 3000 years of fascinating history until 1970: private communication was the only goal

5 5 Modern Cryptography is everywhere! is concerned with all settings where people do not trust each other

6 6 Secure Encryption k = ? Alice Bob Goal: Eve does not learn the message Setting: Alice and Bob share a secret key k Eve k = 0101 1011 m = 0000 1111 m = “I love you”

7 eXclusive OR (XOR) Function xyx © y 000 101 011 110 Some properties: 8 x : x © 0 = x 8 x : x © x = 0 7 ) 8 x,y : x © y © y = x

8 One-Time Pad Encryption Alice Bob Goal: Eve does not learn the message Setting: Alice and Bob share a key k Recipe: Is it secure? Eve xyx © y 000 011 101 110 k = 0101 1011 m = 0000 1111 c = m © k = 0101 0100 c © k= 0000 1111 c © k= m © k © k = m © 0 = m c = 0101 0100 k = 0101 1011 m = 0000 1111 c = m © k = 0101 0100 m = c © k = 0000 1111 k = 0101 1011 k = ? 8

9 Perfect Security Alice Bob Given that c = 0101 0100, is it possible that m = 0000 0000 ? Yes, if k = 0101 0100. is it possible that m = 1111 1111 ? Yes, if k = 1010 1011. it is possible that m = 0101 0101 ? Yes, if k = 0000 0001 In fact, every m is possible. Hence, the one-time pad is perfectly secure! Eve xyx © y 000 011 101 110 m = ? k = ? c = m © k = 0101 0100 m = c © k = ? k = ? 9

10 Problems With One-Time Pad Alice Bob The key has to be as long as the message (Shannon’s theorem) The key can only be used once. Eve m = 0000 1111 k = 0101 1011 c = m © k = 0101 0100 m = c © k = 0000 1111 k = ? 10

11 11 Information Theory 6 ECTS MoL course, given in 2 nd block: Nov/Dec 2015 mandatory for Logic & Computation track first lecture: Tuesday, 28 October 2015, 9:00, G3.13 http://homepages.cwi.nl/~schaffne/courses/inftheory/2015/

12 Problems With One-Time Pad Alice Bob The key has to be as long as the message (Shannon’s theorem) The key can only be used once. In practice, other encryption schemes (such as AES) are used which allow to encrypt long messages with short keys.AES One-time pad does not provide authentication: Eve can easily flip bits in the messageauthentication Eve m = 0000 1111 k = 0101 1011 c = m © k = 0101 0100 m = c © k = 0000 1111 k = ? 12

13 Symmetric-Key Cryptography Alice Encryption insures secrecy: Eve does not learn the message, e.g. one-time padone-time pad Authentication insures integrity: Eve cannot alter the message General problem: players have to exchange a key to start with Eve Bob 13

14 14 Introduction to Modern Cryptography 6 ECTS MoL course, usually given in Feb/March 2016: probably not http://homepages.cwi.nl/~schaffne/courses/crypto/2015/

15 15 What to Learn from this Talk? Classical Cryptography Quantum Computing & Teleportation Position-Based Cryptography Garden-Hose Model

16 16 Quantum Bit: Polarization of a Photon qu b i t asun i t vec t or i n C 2

17 17 Qubit: Rectilinear/Computational Basis

18 18 Detecting a Qubit Bob no photons: 0 Alice

19 19 Measuring a Qubit Bob no photons: 0 photons: 1 with prob. 1 yields 1 measurement: 0/1 Alice

20 20 Diagonal/Hadamard Basis with prob. ½ yields 0 with prob. ½ yields 1 Measurement: 0/1 =

21 21 Illustration of a Superposition with prob. ½ yields 0 with prob. ½ yields 1 Measurement: 0/1 =

22 22 Illustration of a Superposition = =

23 23 Quantum Mechanics with prob. 1 yields 1 Measurements: + basis £ basis with prob. ½ yields 0 with prob. ½ yields 1 0/1

24 Wonderland of Quantum Mechanics

25 25 Quantum is Real! 25 generation of random numbers (diagram from idQuantique white paper) no quantum computation, only quantum communication required 50%

26 26 Possible to build in theory, no fundamental theoretical obstacles have been found yet. Canadian company “D-Wave” claims to have build a quantum computer with 1024 qubits. Did they? 2014: Martinis group “acquired” by Googleacquired 2014/15: 135+50 Mio € investment in QuTech centre in Delft 2015: QuSoft center in Amsterdam Can We Build Quantum Computers? Martinis group (UCSB) 9 qubits

27 27 No-Cloning Theorem quantum operations: U Proof: copying is a non-linear operation

28 Quantum Key Distribution (QKD) Alice Bob Eve security against unrestricted eavesdroppers: quantum states are unknown to Eve, she cannot copy them honest players can check whether Eve interfered technically feasible: no quantum computation required, only quantum communication [Bennett Brassard 84]

29 29 EPR Pairs prob. ½ : 0prob. ½ : 1 prob. 1 : 0 [Einstein Podolsky Rosen 1935] “spukhafte Fernwirkung” (spooky action at a distance) EPR pairs do not allow to communicate (no contradiction to relativity theory) can provide a shared random bit EPR magic!

30 30 Quantum Teleportation [Bennett Brassard Crépeau Jozsa Peres Wootters 1993] does not contradict relativity theory teleported state can only be recovered once the classical information ¾ arrives [Bell]

31 31 What to Learn from this Talk? Classical Cryptography Quantum Computing & Teleportation Position-Based Cryptography Garden-Hose Model

32 32 How to Convince Someone of Your Presence at a Location The Great Moon Landing Hoax http://www.unmuseum.org/moonhoax.htm

33 33 Position-Based Cryptography Possible Applications: Launching-missile command comes from within the military headquarters Talking to the correct country Pizza-delivery problem / avoid fake calls to emergency services … Can the geographical location of a player be used as sole cryptographic credential ?

34 34 Position-Based Cryptography http://nos.nl/op3/artikel/692138-gamer-krijgt- swatteam-in-zn-nek-swatting.html https://youtu.be/TiW-BVPCbZk?t=117

35 35 Basic task: Position Verification Prover wants to convince verifiers that she is at a particular position no coalition of (fake) provers, i.e. not at the claimed position, can convince verifiers assumptions: communication at speed of light instantaneous computation verifiers can coordinate Verifier1 Verifier2 Prover

36 36 Position Verification: First Try Verifier1 Verifier2 Prover time distance bounding [Brands Chaum ‘93]

37 37 Position Verification: Second Try Verifier1 Verifier2 Prover position verification is classically impossible ! [Chandran Goyal Moriarty Ostrovsky: CRYPTO ’09]

38 38 Equivalent Attacking Game independent messages m x and m y copying classical information this is impossible quantumly

39 39 Position Verification: Quantum Try [Kent Munro Spiller 03/10] Let us study the attacking game

40 40 Attacking Game impossible but possible with entanglement!! ? ?

41 41 Entanglement attack done if b=1 [Bell]

42 42 Entanglement attack the correct person can reconstruct the qubit in time! the scheme is completely broken [Bell]

43 43 more complicated schemes? Different schemes proposed by Chandran, Fehr, Gelles, Goyal, Ostrovsky [2010] Malaney [2010] Kent, Munro, Spiller [2010] Lau, Lo [2010] Unfortunately they can all be broken! general no-go theorem [Buhrman, Chandran, Fehr, Gelles, Goyal, Ostrovsky, S 2014]

44 44 U Most General Single-Round Scheme Let us study the attacking game

45 45 U Distributed Q Computation in 1 Round using some form of back-and-forth teleportation, players succeed with probability arbitrarily close to 1 requires an exponential amount of EPR pairs

46 46 No-Go Theorem Any position-verification protocol can be broken using an exponential number of EPR-pairs Question: is this optimal? Does there exist a protocol such that: any attack requires many EPR-pairs honest prover and verifiers efficient

47 47 Single-Qubit Protocol: SQP f [Kent Munro Spiller 03/10] if f(x,y)=0 if f(x,y)=1 efficiently computable

48 48 Attacking Game for SQP f Define E(SQP f ) := minimum number of EPR pairs required for attacking SQP f if f(x,y)=0if f(x,y)=1 xy

49 49 What to Learn from this Talk? Classical Cryptography Quantum Computing & Teleportation Position-Based Cryptography Garden-Hose Model http://arxiv.org/abs/1109.2563 Buhrman, Fehr, S, Speelman

50 share s waterpipes 50 The Garden-Hose Model

51 based on their inputs, players connect pipes with pieces of hose Alice also connects a water tap 51 if water exits @ Alice if water exits @ Bob

52 Garden-Hose complexity of f: GH(f) := minimum number of pipes needed to compute f 52 if water exits @ Alice if water exits @ Bob The Garden-Hose Model

53 Demonstration: Inequality on Two Bits 53

54 GH( Inequality ) · demonstration: 3n challenge: 2n + 1 (first student to email me solution wins) world record: ~1.359n [Chiu Szegedy et al 13] GH( Inequality ) ¸ n [Pietrzak ‘11] n-Bit Inequality Puzzle 54

55 Relationship between E(SQP f ) and GH(f)

56 GH(f) ¸ E(SQP f ) Garden-HoseAttacking Game teleport

57 GH(f) ¸ E(SQP f ) Garden-HoseAttacking Game teleport y, Bob’s telep. keys x, Alice’s telep. keys using x & y, can follow the water/qubit correct water/qubit using all measurement outcomes

58 58 last slide: GH(f) ¸ E(SQP f ) The two models are not equivalent: exists f such that GH(f) = n, but E(SQP f ) · log(n) Quantum garden-hose model: give Alice & Bob also entanglement research question: are the models now equivalent? GH(f) = E(SQP f ) ?

59 59 Garden-Hose Complexity Theory every f has GH(f) · 2 n+1 if f in logspace, then GH(f) · polynomial efficient f & no efficient attack ) P  L exist f with GH(f) exponential (counting argument) for g 2 {equality, IP, majority}: GH(g) ¸ n / log(n) techniques from communication complexity Many open problems!

60 60 What Have You Learned from this Talk? Classical Cryptography Quantum Computing & Teleportation

61 61 What Have You Learned from this Talk? No-Go Theorem Impossible unconditionally, but attack requires unrealistic amounts of resources Garden-Hose Model model of communication complexity Position-Based Cryptography

62 62 Take on the crypto challenge! GH( Inequality ) = 2n + 1 pipes the first person to tell me (cschaffner@uva.nl) the protocol wins:cschaffner@uva.nl course “Information Theory” see you in the next block on 28 October 2015!

63 00… 0 2 n+1 pipes 11… 1 x 1 x 2 …x n connects iff f(00…0,y)=0 connects iff f(11…1,y)=0 connects iff f(x,y)=0 f(x,y)=1 Any f has GH(f) · 2 n+1 x 1 x 2 …x n y 1 y 2 …y n f(x,y)=0f(x,y)=1

64 00… 0 n 11… 1 n x 1 x 2 …x n connects iff f(00…0,y)=0 connects iff f(11…1,y)=0 connects iff f(x,y)=0 Any f has GH(f) · 2 n+1 x 1 x 2 …x n y 1 y 2 …y n 2 n+1 pipes f(x,y)=0 f(x,y)=1

65 65 Open Problems Is Quantum-GH(f) equivalent to E(SQP f )? Find good lower bounds on E(SQP f ) Does P  L/poly imply f in P with GH(f) > poly ? Are there other position-verification schemes? Parallel repetition, link with Semi-Definite Programming (SDP) and non-locality. Implementation: handle noise & limited precision Can we achieve other position-based primitives?

66 66 Quantum Operations are linear isometries can be described by a unitary matrix: examples: identity bitflip (Pauli X): mirroring at axis X X X X

67 67 Quantum Operations are linear isometries can be described by a unitary matrix: examples: identity bitflip (Pauli X): mirroring at axis phase-flip (Pauli Z): mirroring at axis both (Pauli XZ) Z

68 Quantum Key Distribution (QKD) Alice Bob Eve inf-theoretic security against unrestricted eavesdroppers: quantum states are unknown to Eve, she cannot copy them honest players can check whether Eve interfered technically feasible: no quantum computation required, only quantum communication [Bennett Brassard 84]

69 69 Efficient quantum algorithm for factoring [Shor’94] breaks public-key cryptography (RSA) Fast quantum search algorithm [Grover’96] quadratic speedup, widely applicable Quantum communication complexity exponential savings in communication Quantum Cryptography [Bennett-Brassard’84,Ekert’91] Quantum key distribution Early results of QIP

Download ppt "Quantum Cryptography Christian Schaffner ILLC, University of Amsterdam Centrum Wiskunde & Informatica Logic, Language and Computation Monday, 21 September."

Similar presentations

Quantum Computing MAS 725 Hartmut Klauck NTU 5.3.2012.

Quantum Computing MAS 725 Hartmut Klauck NTU
P LAYING ( QUANTUM ) GAMES WITH OPERATOR SPACES David Pérez-García Universidad Complutense de Madrid Bilbao 8-Oct-2011.

P LAYING ( QUANTUM ) GAMES WITH OPERATOR SPACES David Pérez-García Universidad Complutense de Madrid Bilbao 8-Oct-2011.
Christian Schaffner CWI Amsterdam, Netherlands Position-Based Quantum Cryptography: Impossibility and Constructions Seminar Eindhoven, Netherlands Wednesday,

Christian Schaffner CWI Amsterdam, Netherlands Position-Based Quantum Cryptography: Impossibility and Constructions Seminar Eindhoven, Netherlands Wednesday,
Position-Based Quantum Cryptography Christian Schaffner ILLC, University of Amsterdam Centrum Wiskunde & Informatica Logic Tea, ILLC Tuesday, 14/02/2012.

Position-Based Quantum Cryptography Christian Schaffner ILLC, University of Amsterdam Centrum Wiskunde & Informatica Logic Tea, ILLC Tuesday, 14/02/2012.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Short course on quantum computing Andris Ambainis University of Latvia.

Short course on quantum computing Andris Ambainis University of Latvia.
Quantum Computing MAS 725 Hartmut Klauck NTU 12.3.2012.

Quantum Computing MAS 725 Hartmut Klauck NTU
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
Quantum Cryptography Qingqing Yuan. Outline No-Cloning Theorem BB84 Cryptography Protocol Quantum Digital Signature.

Quantum Cryptography Qingqing Yuan. Outline No-Cloning Theorem BB84 Cryptography Protocol Quantum Digital Signature.
Superdense coding. How much classical information in n qubits? Observe that 2 n  1 complex numbers apparently needed to describe an arbitrary n -qubit.

Superdense coding. How much classical information in n qubits? Observe that 2 n  1 complex numbers apparently needed to describe an arbitrary n -qubit.
A Brief Introduction to Quantum Computation 1 Melanie Mitchell Portland State University 1 This talk is based on the following paper: E. Rieffel & W. Polak,

A Brief Introduction to Quantum Computation 1 Melanie Mitchell Portland State University 1 This talk is based on the following paper: E. Rieffel & W. Polak,
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 12: Idiot’s Guide.

Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 12: Idiot’s Guide.
BB84 Quantum Key Distribution 1.Alice chooses (4+  )n random bitstrings a and b, 2.Alice encodes each bit a i as {|0>,|1>} if b i =0 and as {|+>,|->}

BB84 Quantum Key Distribution 1.Alice chooses (4+  )n random bitstrings a and b, 2.Alice encodes each bit a i as {|0>,|1>} if b i =0 and as {|+>,|->}
Quantum Cryptography Prafulla Basavaraja CS 265 – Spring 2005.

Quantum Cryptography Prafulla Basavaraja CS 265 – Spring 2005.
Lo-Chau Quantum Key Distribution 1.Alice creates 2n EPR pairs in state each in state |  00 >, and picks a random 2n bitstring b, 2.Alice randomly selects.

Lo-Chau Quantum Key Distribution 1.Alice creates 2n EPR pairs in state each in state |  00 >, and picks a random 2n bitstring b, 2.Alice randomly selects.
EECS 598 Fall ’01 Quantum Cryptography Presentation By George Mathew.

EECS 598 Fall ’01 Quantum Cryptography Presentation By George Mathew.
Paraty, Quantum Information School, August 2007 Antonio Acín ICFO-Institut de Ciències Fotòniques (Barcelona) www.icfo.es Quantum Cryptography.

Paraty, Quantum Information School, August 2007 Antonio Acín ICFO-Institut de Ciències Fotòniques (Barcelona) Quantum Cryptography.
Quantum Communication, Quantum Entanglement and All That Jazz Mark M. Wilde Communication Sciences Institute, Ming Hsieh Department of Electrical Engineering,

Quantum Communication, Quantum Entanglement and All That Jazz Mark M. Wilde Communication Sciences Institute, Ming Hsieh Department of Electrical Engineering,
Quantum computing Alex Karassev. Quantum Computer Quantum computer uses properties of elementary particle that are predicted by quantum mechanics Usual.

Quantum computing Alex Karassev. Quantum Computer Quantum computer uses properties of elementary particle that are predicted by quantum mechanics Usual.

Similar presentations

Ads by Google