Seminars “Quantum Complexity Theory” and “Quantum … · 2018-10-15 · Seminars “Quantum...

Post on 21-Apr-2020


0 2018-10-15 ITI Crypto – Quantum Seminars

DEPARTMENT OF INFORMATICS, INSTITUTE OF THEORETICAL INFORMATICS

Seminars “Quantum Complexity Theory” and “Quantum Cryptography”

Initial Meeting

KIT – The Research University in the Helmholtz Association www.kit.edu

Formalities

Report: ≈ 10 pages (including references)
– should be in English
– review of one other report

Presentation: 25 minutes presentation, ≈ 10 minutes questions
– English slides
– talk can be either in German or in English

LaTeX templates for report and slides can be found on our website.
Submission of reports/slides via e-mail to the resp. supervisor.

Basics of Quantum Computation
Supervisor: Sven Maier

Quantum computers work with qubits $|\varphi\rangle = \alpha|0\rangle + \beta|1\rangle$, which are superpositions over (classical) states.

Intuition: Qubits as complex probability distribution: $|\alpha|^2 + |\beta|^2 \overset{!}{=} 1$.

A state can be manipulated by multiplication with unitary matrices.

Seminar topic: Introduce quantum computers, present the Bra-Ket notation, introduce and motivate density matrices, introduce general quantum gates and present Born’s rule for measurement of quantum states.

Non-Cloning Theorem and Teleportation
Supervisor: Alexander Koch

Qubit: quantum state, superposition of $|0\rangle$ and $|1\rangle$.

Main difference to classical bit: impossible to clone.

Sending classical bits (roughly): read bit, send copy through wire.
⇒ Not possible for qubits.

Teleportation: given a pre-shared EPR-pair, how to send a quantum state to another person (using only a classical channel).

Optional: Superdense Coding: How can we prepare a quantum state to encode classical information efficiently?

The Quantum Turing Machine
Supervisor: Akin Ünal

Classical computation: The Turing Machine can be used to analyze whether a given problem can be solved efficiently by a computer.

Quantum computation: “Quantum Turing Machine” (or “Universal Quantum Computer”) by Deutsch [Deu85].

Close resemblance to the classical Turing Machine, but with changes to suit the quantum setting.

Bernstein and Vazirani [BV93] provide further important properties and constructions.

Topic: Present the Quantum Turing Machine as a mathematical model, compare it to a classical Turing Machine and show how a quantum algorithm works on such a machine.

The Bounded-Error Quantum Polynomial Time Class BQP
Supervisor: Tobias Müller

Bounded-Error Quantum Polynomial Time Class (BQP) is the class of problems to which quantum Turing machines have efficient solutions.

Source: Lecture notes “Randomisierte Algorithmen”, Thomas Worsch

The goal is to introduce the BQP class and to show its relation to classical complexity classes (BPP, P, NP, PSPACE...)

Error Correction for Quantum States
Supervisor: Sven Maier

Main problem for quantum computers: Quantum Noise.
– Physical errors in measuring the quantum state.

Considered one of the major problems in deploying quantum computers for a long time.

Solution: Error correcting codes.

Problem: Non-cloning ⇒ Most classical schemes unusable on qubits.

Seminar topic: Present a solution for quantum error correction.

Simon’s Algorithm
Supervisor: Bogdan Ursu

Consider any function $f : \{0,1\}^n \to \{0,1\}^n$ that satisfies the following property:

There exists $s \in \{0,1\}^n$ such that for all $x, y \in \{0,1\}^n$:

$f(x) = f(y)$ if and only if $x = y$ or $x \oplus y = s$

Problem: find $s$
– if $s = 0 \ldots 0$, then $f$ is one-to-one
– else $f$ is two-to-one

Function modelled as oracle

Classically, $\Omega(\sqrt{2^n})$ queries are needed.
Quantumly, only $O(n)$ queries are sufficient.
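
Why O(n) quantum queries suffice, as an added example that is not part of the original slides: each run of Simon's circuit yields one random linear equation y·s = 0 over GF(2), and about n of them determine s. The quantum query is simulated classically here, s ≠ 0 is assumed, and all function names are chosen for this sketch.

```python
import random

def dot(a, b):
    """Inner product mod 2 of two n-bit vectors stored as ints."""
    return bin(a & b).count("1") & 1

def sample_y(s, n, rng):
    """Classical stand-in for one quantum query: each run of Simon's
    circuit returns a uniformly random y with y·s = 0 (mod 2)."""
    while True:
        y = rng.getrandbits(n)
        if dot(y, s) == 0:
            return y

def add_to_basis(basis, y):
    """Keep `basis` (pivot bit -> row) in echelon form over GF(2).
    Returns True if y was linearly independent of the rows so far."""
    while y:
        pivot = y.bit_length() - 1
        if pivot not in basis:
            basis[pivot] = y
            return True
        y ^= basis[pivot]
    return False

def recover_s(hidden_s, n, rng):
    """Collect equations y·s = 0 until rank n-1, then solve for s != 0."""
    basis, queries = {}, 0
    while len(basis) < n - 1:
        add_to_basis(basis, sample_y(hidden_s, n, rng))
        queries += 1
    free = next(i for i in range(n) if i not in basis)  # the one non-pivot bit
    s = 1 << free
    for pivot in sorted(basis):          # back-substitute, lowest pivot first
        if dot(basis[pivot], s):         # parity of the bits fixed so far
            s |= 1 << pivot
    return s, queries

if __name__ == "__main__":
    rng = random.Random(2018)            # constructed demo input
    print(recover_s(0b1011001110, 10, rng))
```
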

Shor’s algorithm
Supervisor: Michael Klooß

Problem: $f(x)$ has a period $r$, e.g. $f : \mathbb{Z} \to \mathbb{Z}_N$, $f(x) = x \bmod N$.
Solution: Shor’s algorithm.

Pre- and postprocessing: Classical.
Quantum: Period-finding subroutine.

Example: $\operatorname{ord}(x) = r$ for $x \in \mathbb{Z}_N^\times$ is the period of $x^k$. Computing $r$ efficiently ⇒ factoring efficiently.

Linear Systems of Equations
Supervisor: Akin Ünal

Let $A \in \mathbb{R}^{N \times N}$ be sparse with condition number $\kappa$ and $b \in \mathbb{R}^N$ be given. The algorithm of Harrow, Hassidim, and Lloyd [HHL09] (implemented by Barz et al. [Bar+14] and Pan et al. [Pan+14]) can find $x$ such that

$$Ax = b$$

in time $O(\log(N)\kappa^2)$ (where $\kappa$ is the condition number).

Major speedup over classical algorithms ($O(N\sqrt{\kappa})$).

Topic: Present the algorithm, show how it solves linear systems of equations and analyse the resource requirement.

Overview Quantum Complexity Theory

| Topic | Description | Supervisor |
|---|---|---|
| 1) Basics of Quantum Computation | Introduction to notational + mathematical background | Sven Maier |
| 2) Non-Cloning Theorem and Teleportation | Phenomena relevant for Quantum Computers | Alexander Koch |
| 3) The Quantum Turing Machine | Quantum-version of the Turing Machine | Akin Ünal |
| 4) Bounded-Error Quantum Polynomial Class | Complexity class for quantum algorithms | Tobias Müller |
| 5) Error Correction for Quantum States | A non-trivial key necessity for quantum computers | Sven Maier |
| 6) Simon’s Quantum Algorithm | Efficiently solving the Hidden Offset Problem | Bogdan Ursu |
| 7) Shor’s Algorithm | A poly-time solver for DLOG and factoring problems | Michael Klooß |
| 8) Linear Systems of Equations | Efficiently solving linear systems of equations | Akin Ünal |

Schedule

15th Oct  Initial Meeting + Distribution of Topics
12th Nov  Presentation Topics 1 and 2
26th Nov  Presentation Topics 3 and 4
10th Dec  Presentation Topics 5 and 6
14th Jan  Presentation Topics 7 and 8
15th Feb  Deadline for reports + Assignment of Reviews
1st Mar   Deadline for reviews
29th Mar  Rebuttal / deadline for final report

All deadlines are 23:59 (UTC+2).

Supervisors

| Name | Mail | Room |
|---|---|---|
| Michael Klooß | Michael.Klooss@kit.edu | 250 |
| Alexander Koch | alexander.koch@kit.edu | 274 |
| Sven Maier | sven.maier2@kit.edu | 272 |
| Tobias Müller | tobias.mueller@fzi.de | FZI, 1.1.27 |
| Bogdan Ursu | bogdan.ursu@kit.edu | 246 |
| Akin Ünal | akin.uenal@kit.edu | 255 |

Quantum Key Distribution
Supervisor: Roland Gröll

Problem: We want to establish a shared key with unconditional security.
Solution: We use the fact that measuring quantum states collapses them to detect eavesdroppers. This ensures that Alice and Bob have shared randomness that an eavesdropper doesn’t know.
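
How measurement collapse exposes an eavesdropper, as an added example that is not part of the original slides: a classical simulation of the BB84 exchange [BB84] in which Alice and Bob compare the error rate on their sifted key. The textbook intercept-resend model of the eavesdropper, the detection threshold and all names are assumptions of this sketch.

```python
import random

def measure(bit, prep_basis, meas_basis, rng):
    """Measuring a BB84 state: in the preparation basis the encoded bit
    comes back, in the other basis the outcome is uniformly random."""
    return bit if prep_basis == meas_basis else rng.randrange(2)

def bb84_qber(n, eavesdrop, seed=0):
    """Error rate on the sifted key after sending n qubits."""
    rng = random.Random(seed)
    errors = sifted = 0
    for _ in range(n):
        a_bit, a_basis = rng.randrange(2), rng.randrange(2)
        bit, basis = a_bit, a_basis              # state on the channel
        if eavesdrop:
            e_basis = rng.randrange(2)           # Eve has to guess a basis
            bit = measure(bit, basis, e_basis, rng)
            basis = e_basis                      # collapsed state is re-sent
        b_basis = rng.randrange(2)
        b_bit = measure(bit, basis, b_basis, rng)
        if a_basis == b_basis:                   # sifting: keep matching bases
            sifted += 1
            errors += a_bit != b_bit
    return errors / sifted

def eavesdropper_detected(qber, threshold=0.05):
    """Abort rule; the threshold is an assumed value for this sketch."""
    return qber > threshold

if __name__ == "__main__":
    for eve in (False, True):
        q = bb84_qber(20000, eve)
        print(f"eavesdropper={eve}: QBER={q:.3f}, abort={eavesdropper_detected(q)}")
```

Without interception the sifted keys agree exactly; with interception roughly a quarter of the sifted bits differ, which is what the comparison step detects.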

Device Independence
Supervisor: Alexander Koch

Classical computation: corrupted device can break security of a protocol.

Quantum computation: self-testing abilities allow secure protocol executions even on corrupted devices.

Device Independence: Security of a protocol does not depend on the device the protocol is executed on.

Topic:
– Formally introduce device independence.
– Show example protocols that achieve device independence.

Impossibility Proofs for Unconditionally Secure Bit Commitments and Quantum-OTs
Supervisor: Sven Maier

Classic computers: unconditionally hiding and binding bit commitments impossible.

Quantum computers: proof for classical computer doesn’t apply.

Even further: unconditionally secure quantum bit commitments enable unconditionally secure quantum MPC.

Unfortunately: Unconditionally secure quantum bit commitments are also impossible.

Seminar topic: Present impossibility proof for unconditionally secure quantum bit commitments and relevant background (Uhlmann’s Theorem, pure and mixed states) and motivate the proof for quantum OTs.

Quantum Commitments from Physical Assumptions
Supervisor: Lukas Beeck

Problem: Unconditionally secure quantum bit commitments are desirable, yet impossible in the standard model.

Remedy: Use additional tools, e.g. stateless hardware tokens.
⇒ Quantum One-Time Programs.

Topic:
– Introduce quantum stateless hardware tokens.
– Introduce quantum one-time programs.
– Show how stateless hardware tokens are used to securely construct any one-time program.

Quantum Rewinding
Supervisor: Lukas Beeck

Classical computation: (Non-UC) simulation-based proofs use rewinding.
⇒ Simulate until one part of a secret has been learned.
⇒ Reset to a previous state.

Quantum computation:
✓ Every transformation is unitary ⇒ efficiently invertible.
× Measurement destroys quantum state.
⇒ Rewinding to a previous state is possible.
⇒ But we don’t gain information from it.
$\overset{?}{\Rightarrow}$ Pointless.

Quantum Rewinding: (Meaningful) rewinding on quantum states.

Topic: Formally introduce problems with rewinding in a quantum world and proposed solutions.

Quantum Universal Composability
Supervisor: Jeremias Mechler

The Universal Composability Framework
– Extension of the Real/Ideal paradigm
– Security under concurrent composition with arbitrary protocols
– Model of computation: Interactive Turing Machines (ITMs)

Quantum UC (Unruh [Unr10]):
– Extend model of computation: Quantum computations, send quantum states
– Feasibility: Statistically secure OT from commitments

This is an advanced topic. Previous knowledge of the UC framework is highly recommended!

Unruh Transformation
Supervisor: Jessica Koch

Classical Computation: Transformation of Fiat and Shamir [FS86]: arbitrary (interactive) sigma-protocol for Zero-Knowledge (ZK) → non-interactive Zero-Knowledge (NIZK) protocol
Quantum World: Transformation of Unruh [Unr15]
Both in the Random Oracle Model (ROM)
Goal:
– introduce problems of Fiat-Shamir in the quantum world
– possible solution by Unruh [Unr17]
– compare solution to the Unruh-transformation

Grover’s Quantum Search Algorithm
Supervisor: Michael Klooß

Problem:
– Quantum oracle access to (blackbox) function $f : X \to \{0,1\}$
– Unique $x \in X$ s.th. $f(x) = 1$.
– Goal: Find $x$.

Example: $f(x)$ permutation-cipher. Find key $x$ such that $f(x) := \mathrm{Enc}(x, m) = c$ for fixed $m, c$.
Solution: Grover’s algorithm
– $O(\sqrt{|X|})$ invocations
– Non-negligible success
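
The O(√|X|) invocation count, checked numerically in an added example that is not part of the original slides: an exact state-vector simulation of Grover's iteration over a 10-bit key space. The toy cipher `enc`, the message, the key and all names are constructed for this sketch and stand in for the permutation cipher mentioned above.

```python
import math

def grover_success(N, f, iterations):
    """Probability of measuring a marked x after `iterations` Grover steps,
    from an exact state-vector simulation over X = {0, ..., N-1}."""
    marked = [x for x in range(N) if f(x)]   # classical stand-in for the oracle
    amp = [1 / math.sqrt(N)] * N             # uniform superposition
    for _ in range(iterations):
        for x in marked:                     # oracle: flip sign where f(x) = 1
            amp[x] = -amp[x]
        mean = sum(amp) / N                  # diffusion: reflect about the mean
        amp = [2 * mean - a for a in amp]
    return sum(amp[x] ** 2 for x in marked)

def optimal_iterations(N):
    """About (pi/4) * sqrt(N) oracle invocations for one marked element."""
    return math.floor(math.pi / 4 * math.sqrt(N))

# Constructed toy cipher with a 10-bit key (hypothetical, not a real cipher).
N = 1 << 10

def enc(key, m):
    return (5 * m + key) % N                 # injective in the key for fixed m

M, SECRET_KEY = 123, 777                     # constructed sample values
C = enc(SECRET_KEY, M)

def f(x):
    """f(x) = 1 exactly for the unique key x with Enc(x, m) = c."""
    return enc(x, M) == C

if __name__ == "__main__":
    for k in (0, 5, 12, optimal_iterations(N), 50):
        print(f"{k:2d} invocations: success = {grover_success(N, f, k):.4f}")
```

Running past the optimal count rotates the state away from the marked key again, so the success probability falls back towards zero at about twice that count.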

Improving Brute-Force Attacks on AES with Grover’s Algorithm
Supervisor: Wasilij Beskorovajnov

The "classical" security of symmetric and public-key cryptography is measured by the metric of "N bits of security", i.e. RSA-3072 has approx. 128 bits of security.

Grover’s Algorithm from [Gro96] defines a new way of searching over unstructured datasets, e.g., key-space.
– With quadratic speedup, i.e., searching for a key in the space $\{0,1\}^n$ now requires $\sqrt{2^n} = 2^{n/2}$ steps
– However, in order to perform the algorithm it is necessary to implement AES as a quantum-circuit. The AES quantum-circuit needs to be as efficient as possible in order to achieve the full speedup.

Goal: sketch the AES quantum-circuit and show how it is incorporated into Grover’s Search according to Grassl et al. [Gra+16]. Additionally, one may try to analyze the required costs.

Overview Quantum Cryptography

| Topic | Description | Supervisor |
|---|---|---|
| 1) Quantum Key Distribution | The Algorithm of Bennett and Brassard [BB84] | Roland Gröll |
| 2) Device Independence | Executing Quantum Algorithms on untrusted devices | Alexander Koch |
| 3) Unconditionally Secure Quantum Bit Commitments | Present impossibility proof for unconditionally secure quantum bit commitments | Sven Maier |
| 4) Commitments from Physical Assumptions | Perform commitments using stateful quantum hardware | Lukas Beeck |
| 5) Quantum Rewinding | Rewinding while still learning something | Lukas Beeck |
| 6) Quantum Universal Composability | UC-Framework for quantum computers | Jeremias Mechler |
| 7) Unruh Transformation | Fiat-Shamir-type transformation in the quantum world | Jessica Koch |
| 8) Grover’s algorithm | Quantum Search for unstructured data | Michael Klooß |
| 9) Brute-Force on AES with Grover | Using Grover’s algorithm to improve Brute-Force attacks on AES | Wasilij Beskorovajnov |

Schedule

15th Oct  Initial Meeting + Distribution of Topics
19th Nov  Presentation Topics 1 and 2
3rd Dec   Presentation Topics 3 and 4
17th Dec  Presentation Topics 5 and 6
21st Jan  Presentation Topics 7 and 8
28th Jan  Presentation Topic 9
15th Feb  Deadline for reports + Assignments of reviews
1st Mar   Deadline for reviews
29th Mar  Deadline for final report

All deadlines are 23:59 (UTC+2).

Supervisors

| Name | Mail | Room |
|---|---|---|
| Lukas Beeck | lukas.beeck@kit.edu | 259 |
| Wasilij Beskorovajnov | beskorovajnov@fzi.de | FZI, 1.1.23 |
| Roland Gröll | groell@fzi.de | FZI, 1.1.27 |
| Michael Klooß | michael.klooss@kit.edu | 250 |
| Alexander Koch | alexander.koch@kit.edu | 274 |
| Jessica Koch | jessica.koch@kit.edu | 277 |
| Sven Maier | sven.maier2@kit.edu | 272 |
| Jeremias Mechler | jeremias.mechler@kit.edu | 276 |

References

[BB84] C. H. Bennett and G. Brassard. “Quantum cryptography: Public key distribution and coin tossing”. In: Proceedings of IEEE International Conference on Computers, Systems, and Signal Processing. Bangalore, 1984, p. 175.

[BV93] E. Bernstein and U. V. Vazirani. “Quantum complexity theory”. In: Proceedings of the Twenty-Fifth Annual ACM Symposium on Theory of Computing, May 16-18, 1993, San Diego, CA, USA. Ed. by S. R. Kosaraju, D. S. Johnson, and A. Aggarwal. ACM, 1993, pp. 11–20. DOI: 10.1145/167088.167097. URL: http://doi.acm.org/10.1145/167088.167097.

[FS86] A. Fiat and A. Shamir. “How to Prove Yourself: Practical Solutions to Identification and Signature Problems”. In: Advances in Cryptology - CRYPTO ’86, Santa Barbara, California, USA, 1986, Proceedings. Ed. by A. M. Odlyzko. Vol. 263. Lecture Notes in Computer Science. Springer, 1986, pp. 186–194. DOI: 10.1007/3-540-47721-7_12. URL: https://doi.org/10.1007/3-540-47721-7_12.

[Gra+16] M. Grassl, B. Langenberg, M. Roetteler, and R. Steinwandt. “Applying Grover’s Algorithm to AES: Quantum Resource Estimates”. In: Post-Quantum Cryptography - 7th International Workshop, PQCrypto 2016, Fukuoka, Japan, February 24-26, 2016, Proceedings. Ed. by T. Takagi. Vol. 9606. Lecture Notes in Computer Science. Springer, 2016, pp. 29–43. DOI: 10.1007/978-3-319-29360-8_3. URL: https://doi.org/10.1007/978-3-319-29360-8_3.

[Gro96] L. K. Grover. “A Fast Quantum Mechanical Algorithm for Database Search”. In: Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, Philadelphia, Pennsylvania, USA, May 22-24, 1996. Ed. by G. L. Miller. ACM, 1996, pp. 212–219. DOI: 10.1145/237814.237866. URL: http://doi.acm.org/10.1145/237814.237866.

[HHL09] A. W. Harrow, A. Hassidim, and S. Lloyd. “Quantum Algorithm for Linear Systems of Equations”. In: Physical Review Letters 103.15, 150502 (Oct. 2009), p. 150502. DOI: 10.1103/PhysRevLett.103.150502. arXiv: 0811.3171 [quant-ph].

[Unr10] D. Unruh. “Universally Composable Quantum Multi-party Computation”. In: Advances in Cryptology - EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Monaco / French Riviera, May 30 - June 3, 2010. Proceedings. Ed. by H. Gilbert. Vol. 6110. Lecture Notes in Computer Science. Springer, 2010, pp. 486–505. DOI: 10.1007/978-3-642-13190-5_25. URL: https://doi.org/10.1007/978-3-642-13190-5_25.

[Unr15] D. Unruh. “Non-Interactive Zero-Knowledge Proofs in the Quantum Random Oracle Model”. In: Advances in Cryptology - EUROCRYPT 2015 - 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, April 26-30, 2015, Proceedings, Part II. Ed. by E. Oswald and M. Fischlin. Vol. 9057. Lecture Notes in Computer Science. Springer, 2015, pp. 755–784. DOI: 10.1007/978-3-662-46803-6_25. URL: https://doi.org/10.1007/978-3-662-46803-6_25.

[Unr17] D. Unruh. “Post-quantum Security of Fiat-Shamir”. In: Advances in Cryptology - ASIACRYPT 2017 - 23rd International Conference on the Theory and Applications of Cryptology and Information Security, Hong Kong, China, December 3-7, 2017, Proceedings, Part I. Ed. by T. Takagi and T. Peyrin. Vol. 10624. Lecture Notes in Computer Science. Springer, 2017, pp. 65–95. DOI: 10.1007/978-3-319-70694-8_3. URL: https://doi.org/10.1007/978-3-319-70694-8_3.

[Bar+14] S. Barz, I. Kassal, M. Ringbauer, Y. O. Lipp, B. Dakic, A. Aspuru-Guzik, and P. Walther. “A two-qubit photonic quantum processor and its application to solving systems of linear equations”. In: Scientific Reports 4, 6115 (Aug. 2014), p. 6115. DOI: 10.1038/srep06115. arXiv: 1302.1210 [quant-ph].

[Deu85] D. Deutsch. “Quantum theory, the Church-Turing principle and the universal quantum computer”. In: Proceedings of the Royal Society of London Series A 400 (July 1985), pp. 97–117. DOI: 10.1098/rspa.1985.0070.

[Pan+14] J. Pan, Y. Cao, X. Yao, Z. Li, C. Ju, H. Chen, X. Peng, S. Kais, and J. Du. “Experimental realization of quantum algorithm for solving linear systems of equations”. In: Physical Review A 89.2, 022313 (Feb. 2014), p. 022313. DOI: 10.1103/PhysRevA.89.022313. arXiv: 1302.1946 [quant-ph].