Quantum Technologies for Cryptography

Similar documents
Quantum Bilinear Optimisation

Introduction to Quantum Key Distribution

Cyber Security in the Quantum Era

Quantum to Classical Randomness Extractors

Perfectly secure cipher system.

Hacking Quantum Cryptography. Marina von Steinkirch ~ Yelp Security

Quantum Information Transfer and Processing Miloslav Dušek

Cryptography in a quantum world

Entropy Accumulation in Device-independent Protocols

An Introduction. Dr Nick Papanikolaou. Seminar on The Future of Cryptography The British Computer Society 17 September 2009

Quantum Information Theory and Cryptography

Challenges in Quantum Information Science. Umesh V. Vazirani U. C. Berkeley

Introduction to Quantum Computing

Cryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1

Device-Independent Quantum Information Processing (DIQIP)

Quantum Computing. Richard Jozsa Centre for Quantum Information and Foundations DAMTP University of Cambridge

Security Implications of Quantum Technologies

Device-Independent Quantum Information Processing

Quantum walks public key cryptographic system (Extended Abstract)

Quantum Cryptography and Security of Information Systems

Quantum Key Distribution. The Starting Point

A Genetic Algorithm to Analyze the Security of Quantum Cryptographic Protocols

Transmitting and Hiding Quantum Information

Information-theoretic treatment of tripartite systems and quantum channels. Patrick Coles Carnegie Mellon University Pittsburgh, PA USA

+ = OTP + QKD = QC. ψ = a. OTP One-Time Pad QKD Quantum Key Distribution QC Quantum Cryptography. θ = 135 o state 1

Ping Pong Protocol & Auto-compensation

An Introduction to Quantum Information and Applications

Quantum Cryptography. Areas for Discussion. Quantum Cryptography. Photons. Photons. Photons. MSc Distributed Systems and Security

Lecture: Quantum Information

Security of Quantum Key Distribution with Imperfect Devices

10 - February, 2010 Jordan Myronuk

Quantum Error Correcting Codes and Quantum Cryptography. Peter Shor M.I.T. Cambridge, MA 02139

Tutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction

Fundamental rate-loss tradeoff for optical quantum key distribution

9. Distance measures. 9.1 Classical information measures. Head Tail. How similar/close are two probability distributions? Trace distance.

Cryptographical Security in the Quantum Random Oracle Model

QUANTUM COMPUTING & CRYPTO: HYPE VS. REALITY ABHISHEK PARAKH UNIVERSITY OF NEBRASKA AT OMAHA

Quantum Cryptography

Notes for Lecture 17

Unconditionally secure deviceindependent

Quantum Cryptography

quantum mechanics is a hugely successful theory... QSIT08.V01 Page 1

Entropic Formulation of Heisenberg s Measurement-Disturbance Relation

1.0 Introduction to Quantum Systems for Information Technology 1.1 Motivation

A Matlab Realization of Shor s Quantum Factoring Algorithm

Logic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation

Other Topics in Quantum Information

9 Knapsack Cryptography

Unconditional Security of the Bennett 1992 quantum key-distribution protocol over a lossy and noisy channel

Asymptotic Analysis of a Three State Quantum Cryptographic Protocol

Quantum Setting with Applications

Device-independent Quantum Key Distribution and Randomness Generation. Stefano Pironio Université Libre de Bruxelles

Quantum key distribution for the lazy and careless

Practical quantum-key. key- distribution post-processing

Chapter 13: Photons for quantum information. Quantum only tasks. Teleportation. Superdense coding. Quantum key distribution

5th March Unconditional Security of Quantum Key Distribution With Practical Devices. Hermen Jan Hupkes

arxiv:quant-ph/ v1 6 Dec 2005

Secrecy and the Quantum

Quantum Cryptography

The Relativistic Quantum World

Realization of B92 QKD protocol using id3100 Clavis 2 system

Key distillation from quantum channels using two-way communication protocols

Quantum Cryptography. Marshall Roth March 9, 2007

Entanglement. arnoldzwicky.org. Presented by: Joseph Chapman. Created by: Gina Lorenz with adapted PHYS403 content from Paul Kwiat, Brad Christensen

What are we talking about when we talk about post-quantum cryptography?

Converse bounds for private communication over quantum channels

On the Legacy of Quantum Computation and Communication to Cryptography

The Elliptic Curve in https

Fang Song. Joint work with Sean Hallgren and Adam Smith. Computer Science and Engineering Penn State University

Public Key Cryptography

Lecture 2: Quantum bit commitment and authentication

1 1D Schrödinger equation: Particle in an infinite box

Teleportation of Quantum States (1993; Bennett, Brassard, Crepeau, Jozsa, Peres, Wootters)

Concentration of Measure Effects in Quantum Information. Patrick Hayden (McGill University)

PERFECTLY secure key agreement has been studied recently

Quantum Information Processing

Classical and Quantum Channel Simulations

Advanced Cryptography Quantum Algorithms Christophe Petit

arxiv:quant-ph/ v1 13 Jan 2003

Research, Development and Simulation of Quantum Cryptographic Protocols

Bit-Commitment and Coin Flipping in a Device-Independent Setting

Quantum Entanglement, Quantum Cryptography, Beyond Quantum Mechanics, and Why Quantum Mechanics Brad Christensen Advisor: Paul G.

Quantum Cryptography : On the Security of the BB84 Key-Exchange Protocol

An Introduction to Quantum Information. By Aditya Jain. Under the Guidance of Dr. Guruprasad Kar PAMU, ISI Kolkata

Technical Report Communicating Secret Information Without Secret Messages

Detection of Eavesdropping in Quantum Key Distribution using Bell s Theorem and Error Rate Calculations

Seminar Report On QUANTUM CRYPTOGRAPHY. Submitted by SANTHIMOL A. K. In the partial fulfillment of requirements in degree of

A probabilistic quantum key transfer protocol

Secret-Key Agreement over Unauthenticated Public Channels Part I: Definitions and a Completeness Result

Verification of quantum computation

Quantum Computation 650 Spring 2009 Lectures The World of Quantum Information. Quantum Information: fundamental principles

Introduction to Quantum Information, Quantum Computation, and Its Application to Cryptography. D. J. Guan

The quantum threat to cryptography

8 Elliptic Curve Cryptography

Errors, Eavesdroppers, and Enormous Matrices

Practical Quantum Coin Flipping

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Quantum Computers Is the Future Here?

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Quantum Wireless Sensor Networks

Transcription:

University of Sydney 11 July 2018 Quantum Technologies for Cryptography Mario Berta (Department of Computing) marioberta.info

Quantum Information Science Understanding quantum systems (e.g., single atoms or electrons) is hard Understanding physics with computers 81 trying to find a computer simulation of physics seems to me to be an excellent program to follow out (...) nature is not classical, dammit, and if you want to make a simulation of nature, you would better make it quantum mechanical, and by golly it is a wonderful problem, because it does not look so easy Richard Feynman The Nobel Foundation Information processing based on quantum physics: Quantum Information Science

Quantum Technologies are growing fast Main motivation is that we believe quantum technologies will enable us to do things that we do not know how to do using only (future) classical technology Academic interest: EU quantum manifesto flagship-scale initiative in quantum technologies + UK national network of quantum technology hubs (UKNQT) +... Central intelligence agencies NSA + GCHQ: we must act now against the quantum computing threat in cryptography Big IT players investing in quantum technologies: Alibaba, Google, IBM, Intel, Microsoft, Nokia Bell Labs, NTT Laboratories, etc. Explosion of quantum start-ups

Quantum Technologies: Hardware Build well-controlled quantum systems: approaches range from cavity quantum electrodynamics, optical lattices, ion traps, superconductors, quantum dots, linear optics, nuclear magnetic resonance, etc. Imperial Centre for Quantum Engineering, Science and Technology (QuEST) Hardware based (direct) applications Quantum sensing, quantum clocks, quantum annealing, analogue quantum simulations, etc.

Overview of Quantum Technologies 1 Quantum simulation: evolution of quantum systems (digital) for computational quantum chemistry 2 Quantum computation: up to super-polynomial speed-ups over best-known classical algorithms, e.g., Shor s algorithm for prime factorization 94 Quantum algorithm for prime factorization breaks RSA public key cryptosystem that is, virtually any encryption scheme in use today! 3 Quantum cryptography: quantum-safe cryptography + quantum-based cryptography 4 Quantum communication: quantum repeaters, quantum internet

This Talk: Quantum Cryptography Quantum-safe (post-quantum) cryptography: very active academic interest (e.g., at CRYPTO) ongoing NIST Post-Quantum Cryptography Standardization computational attacks / quantum memory attacks Quantum-based cryptography: quantum key distribution secure multi-party computation delegated computation quantum money randomness generation, etc.

Cryptography from Uncertainty vs. Entanglement Heisenberg s uncertainty principle for position X and momentum P Strong quantum correlations entanglement Basic idea: these two principles fight each other, quantitatively understanding this interplay is the key to quantum cryptography but also quantum adversaries.

Overview 1 Quantum Uncertainty Principle vs. Entanglement 2 Quantum Key Distribution (QKD) 3 Two-Party Cryptography 4 The Power of Quantum Adversaries 5 Conclusion & Outlook

Qubits Classical information unit: bits take values 0 or 1 with certain probabilities Quantum information unit: qubits take values ψ on the Bloch sphere S 2 R 3

Uncertainty Principle Quantum mechanics: impossible to measure in what exact state ψ the qubit is, we can only measure along axis, e.g., along X or Z. Measurement collapses the state ψ to probability distributions {p x } and {q z }, respectively. Heisenberg s uncertainty principle Information-theoretic uncertainty relation [Maassen-Uffink PRL 88] H(X ) + H(Z) 1 uncertainty uncertainty about X about Z with H(X ) = x p x log p x Shannon entropy

Entanglement Quantum correlations between qubits can become much stronger than classical correlations entanglement Implications for the concept of uncertainty [Einstein et al. 35]: measurement results on A available when having access to B (quantum adversary!).

Uncertainty vs. Bipartite Entanglement Presence of entanglement (quantum adversary B) changes uncertainty relation H(X ) + H(Z) 1 H(X B) + H(Z B) = 0 1 uncertainty about uncertainty about X given B Z given B with H(X B) = H(XB) H(B) the conditional von Neumann entropy Quantitative trade-off entanglement uncertainty Bipartite uncertainty relation [Berta et al. Nat. Phys. 10] H(X B) uncertainty about X given B + H(Z B) 1 + uncertainty about Z given B H(A B) entanglement between A and B (fully quantum conditional entropy H(A B) = 1 for maximally entangled state) What happens if we add a second observer E?

Uncertainty vs. Tripartite Entanglement Entanglement is monogamous it cannot be shared freely Eve Alice Bob Tripartite uncertainty relation [Berta et al. Nat. Phys. 10] H(Z E) + H(X B) 1 Eve s uncertainty Bob s uncertainty about Alice s Z about Alice s X Interplay between uncertainty and entanglement naturally leads to cryptography

Quantum Key Distribution: Setup Fully insecure public quantum channel together with authenticated classical channel (or short key to start with [Stinson 91]) and local randomness allow for information-theoretically secure key distribution [Wiesner 70], [Bennett & Brassard 84], [Mayers 06] Public channel authen-cated classical channel Eavesdropper can block the conversation, but once distributed key allows for secure communication (message size = key size) [Vernam 26], [Shannon 49] Classically insecure, but: monogamy of entanglement and uncertainty principle

Quantum Key Distribution: Protocol & Security Toy protocol [Ekert 91], [Bennett et al. 92] 1 Preparation share two-qubit state, using the public channel 2 Measurement along X or Z axis, coordinate using authenticated channel 3 Repeat steps 1 and 2 many times 4 Parameter estimation including privacy amplification and error correction Security proof idea [very many references by now] H(Z E) Eve s uncertainty about key Z 1 H(X B) 1 H(X X ) with Alice & Bob [Berta et al. Nat. Phys. 10], [Tomamichel & Renner PRL 11], [Tomamichel et al. Nat. Comm. 12], [Furrer et al. (Berta) PRL 12]

Two-Party Cryptography: Task Two mutually distrustful parties (quantum adversaries) want to achieve a task, example: secure function evaluation (others are secure identification, bit commitment, oblivious transfer, coin tossing, etc.) x y f x f(x,y) y f f(x,y) Quantum advantage but no information-theoretic security possible [Lo 97] Assumptions?

Two-Party Cryptography: Model & Security Security analysis: need bound for entanglement H(A B) in H(X B) + H(Z B) 1 + H(A B). Bounded (noisy) storage model: adversary computationally all powerful, actions are instantaneous, unlimited classical storage, but limited (noisy) quantum memory [Damgard et al. 05] Adversary s informa2on Quantum informa2on Classical Unlimited Measurement informa2on classical storage Arbitrary encoding Noisy quantum storage F t Quantum: no quantum memory needed for implementation vs. n O(log 2 n) qubits to break scheme [Berta et al. CRYPTO 12], [Dupuis et al. CRYPTO 15]

The Power of Quantum Adversaries I Various cryptographic sub-routines like privacy amplification [Bennett & Brassard 88] for post-processing. Main challenge Do these protocols work when taking quantum adversaries into account? It depends: Yes [Renner 05] + No [Gavinsky et al. 07] Routines as bilinear optimization problems [Berta et al. SIAM J Optim. 16] p(a, g, k) = maximize (z α,y β ) A α,β z αy β α,β subject to g(z 1,..., z N ) 0 k(y 1,..., y M ) 0, with sets of affine constraints { g(z 1,..., z N )} and {k(y 1,..., y M ) }. Performance p (A, g, k) in the quantum case generally worse! Theory of pseudo-randomness [Vadhan 07]: often NP-hard to compute p(a, g, k), linear or semidefinite programming approximations [Lasserre 01], [Parrilo 03]

The Power of Quantum Adversaries II p(a, g, k) = maximize (z α,y β ) A α,β z αy β α,β subject to g(z 1,..., z N ) 0 k(y 1,..., y M ) 0. The performance p (A, g, k) against quantum adversaries is measured by the corresponding quantum bilinear optimization [Berta et al. SIAM J Optim. 16] p (A, g, k) = maximize (H, ψ,e α,d β ) A α,β ψ E αd β ψ α,β subject to E αd β D β E α = 0 g(e 1,..., E N ) 0 k(d 1,..., D M ) 0, where g(e 1,..., E N ) 0 and k(d 1,..., D M ) 0 positive semidefinite. Optimization unbounded (computable?), operator spaces (non-commutative Banach spaces) [Berta et al. IEEE Trans. Inf. Theory 16]

The Power of Quantum Adversaries III Can we find outer approximations p(a, g, k) p (A, g, k)? Asymptotically convergent hierarchy of efficiently computable Semidefinite programming bounds [Berta et al. SIAM J Optim. 16] p(a, g, k) p (A, g, k) = SDP (A, g, k) SDP 1 (A, g, k) Semidefinite program (SDP): optimization of a linear objective function over the intersection of the cone of positive semidefinite matrices with an affine space Proof: Tomita-Takesaki modular theory of von Neumann algebras. Can certify security against quantum adversaries if for example p(a, g, k) p (A, g, k) SDP 1 (A, g, k)? C p(a, g, k) Flexible proof tool for upper bounding the power of quantum adversaries for a variety of important cryptographic protocols (analytical and numerical).

Conclusion & Outlook Quantum technologies for cryptography, challenges from quantum adversaries: 1 Relation between uncertainty and entanglement for simple and tight security proofs. 2 Efficiently computable semidefinite programming upper bounds on the power of quantum adversaries. Security of mathematical model vs. security of experimental implementation goal is to close this gap Security in laboratory vs. secure for everyday use (how much time/money needed to hack?) quantum technologies are adding non-trivially to this equation Thanks.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback