Attacking the ECDLP with Quantum Computing

Similar documents
Shor s Prime Factorization Algorithm

Introduction to Quantum Computing

Quantum Information Processing and Diagrams of States

Logic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation

Richard Cleve David R. Cheriton School of Computer Science Institute for Quantum Computing University of Waterloo

Quantum Computing. Marija Kranjčević, Filip Kiršek, Petar Kunštek

The Bloch Sphere. Ian Glendinning. February 16, QIA Meeting, TechGate 1 Ian Glendinning / February 16, 2005

Quantum Computing. Thorsten Altenkirch

Shor s Algorithm. Elisa Bäumer, Jan-Grimo Sobez, Stefan Tessarini May 15, 2015

Semiconductors: Applications in spintronics and quantum computation. Tatiana G. Rappoport Advanced Summer School Cinvestav 2005

Cryptography in the Quantum Era. Tomas Rosa and Jiri Pavlu Cryptology and Biometrics Competence Centre, Raiffeisen BANK International

Simulation of quantum computers with probabilistic models

An Introduction to Quantum Computation and Quantum Information

Elliptic Curve Cryptography

Weak Curves In Elliptic Curve Cryptography

1500 AMD Opteron processor (2.2 GHz with 2 GB RAM)

Simon s algorithm (1994)

Introduction to Quantum Computing

Selecting Elliptic Curves for Cryptography Real World Issues

Quantum Resource Estimates for Computing Elliptic Curve Discrete Logarithms

Quantum Computing. Quantum Computing. Sushain Cherivirala. Bits and Qubits

Introduction to Quantum Computing

Advanced Cryptography Quantum Algorithms Christophe Petit

Introduction to Quantum Computing

Risk management and the quantum threat

Tutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction

Quantum gate. Contents. Commonly used gates

Reversible and Quantum computing. Fisica dell Energia - a.a. 2015/2016

b) (5 points) Give a simple quantum circuit that transforms the state

The quantum threat to cryptography

Short Course in Quantum Information Lecture 5

Quantum Wireless Sensor Networks

Concepts and Algorithms of Scientific and Visual Computing Advanced Computation Models. CS448J, Autumn 2015, Stanford University Dominik L.

Factoring on a Quantum Computer

Challenges in Quantum Information Science. Umesh V. Vazirani U. C. Berkeley

Discrete Logarithm Problem

Lecture 3: Constructing a Quantum Model

Introduction to Quantum Information Processing QIC 710 / CS 768 / PH 767 / CO 681 / AM 871

Quantum Computing Lecture 6. Quantum Search

Introduction to Quantum Information Processing QIC 710 / CS 768 / PH 767 / CO 681 / AM 871

Security Implications of Quantum Technologies

MAA509: Quantum Computing and Information Introduction

1 Readings. 2 Unitary Operators. C/CS/Phys C191 Unitaries and Quantum Gates 9/22/09 Fall 2009 Lecture 8

Daniel J. Bernstein University of Illinois at Chicago. means an algorithm that a quantum computer can run.

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

QUANTUM COMPUTING. Part II. Jean V. Bellissard. Georgia Institute of Technology & Institut Universitaire de France

C/CS/Phy191 Problem Set 6 Solutions 3/23/05

Quantum Computing Lecture 1. Bits and Qubits

Quantum Technology: Challenges and Opportunities for Cyber Security. Yaoyun Shi University of Michigan

Quantum Computing 101. ( Everything you wanted to know about quantum computers but were afraid to ask. )

Hilbert Space, Entanglement, Quantum Gates, Bell States, Superdense Coding.

Introduction to Quantum Information Processing QIC 710 / CS 768 / PH 767 / CO 681 / AM 871

Quantum Error Correcting Codes and Quantum Cryptography. Peter Shor M.I.T. Cambridge, MA 02139

Quantum computing! quantum gates! Fisica dell Energia!

Introduction to Quantum Computation

Quantum Computation 650 Spring 2009 Lectures The World of Quantum Information. Quantum Information: fundamental principles

On error distributions in ring-based LWE

CS/Ph120 Homework 1 Solutions

Quantum Differential and Linear Cryptanalysis

Lecture 1: Introduction to Quantum Computing

Modifying Shor s algorithm to compute short discrete logarithms

The Deutsch-Josza Algorithm in NMR

An Introduction to Quantum Information and Applications

Chapter 2. Basic Principles of Quantum mechanics

Shor s Algorithm. Polynomial-time Prime Factorization with Quantum Computing. Sourabh Kulkarni October 13th, 2017

Ph 219b/CS 219b. Exercises Due: Wednesday 20 November 2013

Introduction to Quantum Algorithms Part I: Quantum Gates and Simon s Algorithm

Quantum Entanglement and Error Correction

CS257 Discrete Quantum Computation

Discrete Logarithm Computation in Hyperelliptic Function Fields

Polynomial Interpolation in the Elliptic Curve Cryptosystem

Quantum Technologies for Cryptography

Some Introductory Notes on Quantum Computing

IBM quantum experience: Experimental implementations, scope, and limitations

Introduction to Quantum Information Processing

Faster Point Multiplication on Elliptic Curves with Efficient Endomorphisms

The odd couple: MQV and HMQV

Introduction to Quantum Computing

Logical error rate in the Pauli twirling approximation

C/CS/Phys 191 Quantum Gates and Universality 9/22/05 Fall 2005 Lecture 8. a b b d. w. Therefore, U preserves norms and angles (up to sign).

OPEN SOURCE IS NOT ENOUGH

Quantum Computation. Alessandra Di Pierro Computational models (Circuits, QTM) Algorithms (QFT, Quantum search)

. Here we are using the standard inner-product over C k to define orthogonality. Recall that the inner-product of two vectors φ = i α i.

Quantum sampling of mixed states

QUANTUM COMPUTING & CRYPTO: HYPE VS. REALITY ABHISHEK PARAKH UNIVERSITY OF NEBRASKA AT OMAHA

Quantum Permanent Compromise Attack to Blum-Micali Pseudorandom Generator

Optimal Realizations of Controlled Unitary Gates

On the complexity of computing discrete logarithms in the field F

Classical Verification of Quantum Computations

4th year Project demo presentation

A parallel quantum computer simulator

Quantum Computers. Peter Shor MIT

Ph 219b/CS 219b. Exercises Due: Wednesday 4 December 2013

ABHELSINKI UNIVERSITY OF TECHNOLOGY

Elliptic Curve DRNGs. Çetin Kaya Koç Winter / 19

A gentle introduction to elliptic curve cryptography

Verification of quantum computation

Cryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1

Introduction to Quantum Computing

Transcription:

Attacking the ECDLP with Quantum Computing Sam Green and Can Kizilkale sam.green@cs.ucsb.edu, cankizilkale@cs.ucsb.edu December 7, 015 CS 90g Fall Term 015 Attacking the ECDLP with Quantum Computing 1 / 7

Table of contents 1 Motivation for this talk August 015 NSA announcement Quantum computing in Fall 015 news Review of ECDLP 3 Classical ECDLP attacks 4 Intro to quantum computing What is a qubit? Bloch sphere Multiple bits Entanglement Quantum gates Example: Deutsch s algorithm 5 Quantum ECDLP attacks Applying quantum to ECDLP Shor s algorithm Shor s algorithm Algorithm comparisons CS 90g Fall Term 015 Attacking the ECDLP with Quantum Computing / 7

Motivation for this talk August 015 NSA announcement August 015 NSA announcement Currently, Suite B cryptographic algorithms are specified by the National Institute of Standards and Technology (NIST) and are used by NSA s Information Assurance Directorate in solutions approved for protecting classified and unclassified National Security Systems (NSS). Below, we announce preliminary plans for transitioning to quantum resistant algorithms. [0] CS 90g Fall Term 015 Attacking the ECDLP with Quantum Computing 3 / 7

Motivation for this talk Quantum computing in Fall 015 news Quantum computing in Fall 015 news Hype: A watershed announcement from Google regarding quantum computers is expected to be made on 8 December, according to a board member of the quantum computing firm D-Wave. [1] Intel to Invest $50 Million in Quantum Computers [] LANL Orders 1000+ Qubit D-Wave X [adiabatic] Quantum Computer [3]...nearly 0 qubits have been juxtaposed in a single quantum register. However, scaling this or any other type of qubit to much larger numbers while still contained in a single register will become increasingly difficult, as the connections will become too numerous to be reliable. [4] CS 90g Fall Term 015 Attacking the ECDLP with Quantum Computing 4 / 7

Review of ECDLP Review of ECDLP Let E be an elliptic curve over F p given by the Weierstrass equation E : y x 3 + ax + b (mod p). And let points S and T be in E(F p ). The ECDLP is to find k (assuming it exists) such that k log T S (mod p) or S [k]t (mod p). CS 90g Fall Term 015 Attacking the ECDLP with Quantum Computing 5 / 7

Classical ECDLP attacks Classical ECDLP attacks Exhaustive Search O(n) Pollard ρ O( p), where p is the largest prime divisor of n Pohlig-Hellman O( p), where p is the largest prime divisor of n Index-calculus (only sub-exponential attack) L p [ 1 3, 1.93] Reference: [7] CS 90g Fall Term 015 Attacking the ECDLP with Quantum Computing 6 / 7

What is a qubit? Intro to quantum computing What is a qubit? A classical bit only takes 1 or 0. Qubit: dimensional complex vector, so each qubit C. There are base vectors 0, 1 which are orthogonal to each other: 0 = (0, 1) T, 1 = (1, 0) T. Each qubit is represented as a superposition of these. That is where φ = α 0 + β 1, α + β = 1. CS 90g Fall Term 015 Attacking the ECDLP with Quantum Computing 7 / 7

Intro to quantum computing Visualizing superposition What is a qubit? 1 0 0101 5 4 + 5 qubits can be in a superposition of all the clasically allowed states image credit: Wikipedia CS 90g Fall Term 015 Attacking the ECDLP with Quantum Computing 8 / 7

Bloch sphere Intro to quantum computing Bloch sphere To represent a qubit in 3D space, we use a Bloch sphere ψ = cos( θ ) 0 + sin( θ )eiφ 1 image credit: Wikipedia CS 90g Fall Term 015 Attacking the ECDLP with Quantum Computing 9 / 7

Measurement Intro to quantum computing Bloch sphere What are we measuring? For a standard qubit: α 0 + β 1 = α, β. The phase-shift information (e iφ ) is lost. By changing the basis with a unitary transformation, we capture phase shift information: + = 0 + 1, = 0 1. 0 + eiθ 1 1 eiθ + + 1 + eiθ CS 90g Fall Term 015 Attacking the ECDLP with Quantum Computing 10 / 7

Intro to quantum computing Multiple bits in one register Multiple bits Every sequence of bits will be mapped into an orthogonal state in a register. For example, when we have two qubits, the state of the register will be a superposition of 00, 01, 10, and 11. Register = α 1 00 + α 01 + α 3 10 + α 4 11 CS 90g Fall Term 015 Attacking the ECDLP with Quantum Computing 11 / 7

Entanglement Intro to quantum computing Entanglement Can the state of the register be written as the multiplication of multiple qubits? Yes, this is quantum entaglement. No entanglement example: (a 1 0 + b 1 1 )(a 0 + b 1 ) = a 1 a 00 + a 1 b 01 + b 1 a 10 + b 1 b 11. We measure the first bit. If it is 0 or 1 then the second bit is always a 0 + b 1. Entanglement example: 1 00 + 3 10 + 3 11. We measure the first bit. If it is 0 then the second bit is always 0. If is 1 is 1 the second bit is 0 + 1 1. CS 90g Fall Term 015 Attacking the ECDLP with Quantum Computing 1 / 7

Quantum gates Intro to quantum computing Quantum gates NOT-gate = Pauli-X = ( 0 1 1 0 Corresponse to the rotation of a point on the Bloch sphere by π radians around the x-axis. Also Pauli-Y = ( 0 i i 0 ) ) ( 1 0, and Pauli-Z = 0 1 ). CS 90g Fall Term 015 Attacking the ECDLP with Quantum Computing 13 / 7

Hadamard gate Intro to quantum computing Quantum gates H = 1 ( 1 1 1 1 Deals with a singular bit. Allows transformation of both 0 and 1 into states with equal probabilities. ) CS 90g Fall Term 015 Attacking the ECDLP with Quantum Computing 14 / 7

Phase-shift gate Intro to quantum computing Quantum gates Θ = ( 1 0 0 e iθ ) Maps 0 to 0 Maps 1 to e iθ 1 CS 90g Fall Term 015 Attacking the ECDLP with Quantum Computing 15 / 7

Intro to quantum computing Example: Deutsch s algorithm Example: Deutsch s algorithm Solves contrived problem: Given f : {0, 1} {0, 1}, determine if f (0) = f (1). Need one more concept: U f ( x y ) = x y f (x) U f is a device whose inputs and outputs can be known, but there is no information about its internal structure. image credit: [5] CS 90g Fall Term 015 Attacking the ECDLP with Quantum Computing 16 / 7

Deutsch s algorithm Intro to quantum computing Example: Deutsch s algorithm 1. Take two qubits, in states 0 and 1. Then φ 0 = 0, 1.. Apply Hadamard gate to both qubits to put them in a superposition of states. The state is now φ = 0 + 1 0 1 = 0, 0 0, 1 + 1, 0 1, 1. CS 90g Fall Term 015 Attacking the ECDLP with Quantum Computing 17 / 7

Deutsch s algorithm Intro to quantum computing Example: Deutsch s algorithm 3. Apply U f to get 0, 0 0, 1 + 1, 0 1, 1 φ = U f ( ) 0, 0 f (0) 0, 1 f (0) + 1, 0 f (1) 1, 1 f (1) = 0, f (0) 0, f (0) + 1, f (1) 1, f (1) = = [ ( 1)f (0) 0 + ( 1) f (1) 1 0 1 ][ ] = { (±) 0 + 1 0 1 (±) 0 1 0 1 if f is constant, if f is balanced. CS 90g Fall Term 015 Attacking the ECDLP with Quantum Computing 18 / 7

Deutsch s algorithm Intro to quantum computing Example: Deutsch s algorithm 4. Apply Hadamard gate φ 3 = { (±) 0 0 1 (±) 1 0 1 if f is constant, if f is balanced. 5. Measure the state of the first qubit. Measured result gives the solution of the initial problem. CS 90g Fall Term 015 Attacking the ECDLP with Quantum Computing 19 / 7

Quantum ECDLP attacks Applying quantum to ECDLP Applying quantum to ECDLP image credit: [6] CS 90g Fall Term 015 Attacking the ECDLP with Quantum Computing 0 / 7

Quantum ECDLP attacks Shor s algorithm introduction Shor s algorithm Gven a natural number N, find its nontrivial factors. The best classical factoring algorithm requires O(e 1,9(log N) 1 3 (log log N) 3 ). And Shor s factoring algorithm [8] is only O(log N 3 ). CS 90g Fall Term 015 Attacking the ECDLP with Quantum Computing 1 / 7

Quantum ECDLP attacks Shor s algorithm circuit Shor s algorithm image credit: [5] CS 90g Fall Term 015 Attacking the ECDLP with Quantum Computing / 7

Shor s algorithm [5] Quantum ECDLP attacks Shor s algorithm CS 90g Fall Term 015 Attacking the ECDLP with Quantum Computing 3 / 7

Quantum ECDLP attacks Algorithm comparisons Quantum algorithm comparisons [6] Eicher-Opoku O(nlogn + n p) Proos-Zalka O( n) Kaye-Zalka O( n) CS 90g Fall Term 015 Attacking the ECDLP with Quantum Computing 4 / 7

Quantum ECDLP attacks Algorithm comparisons [6] Algorithm comparisons CS 90g Fall Term 015 Attacking the ECDLP with Quantum Computing 5 / 7

Questions? Conclusion CS 90g Fall Term 015 Attacking the ECDLP with Quantum Computing 6 / 7

References Conclusion [0] https://www.nsa.gov/ia/programs/suiteb_cryptography/ [1] http://www.ibtimes.co.uk/google-plans-watershed-quantum-computing-announcement-december-158915 [] http://www.wsj.com/articles/intel-to-invest-50-million-in-quantum-computers-1441307006 [3] http://www.hpcwire.com/off-the-wire/lanl-orders-1000-qubit-d-wave-x-quantum-computer/ [4] http://jqi.umd.edu/news/how-do-you-build-large-scale-quantum-computer [5] M. Kranjcevic, F. Kirsek, and P. Kunstek. Quantum Computing. White paper. [6] S. Yan. Quantum Attacks on Public-Key Crypto Systems. Springer, 013. [7] D. Hankerson, A. Menezes, S. Vanstone. Guide to Elliptic Curve Cryptography. Springer, 003. [8] Peter Williston Shor (1959.-), American mathematician. CS 90g Fall Term 015 Attacking the ECDLP with Quantum Computing 7 / 7

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback