Shor’s algorithm and secret sharing

Libor Nentvich: QC 23 April 2007

Easy and hard problems
RSA protocol
Attacking RSA
Models of computation
Shor’s factoring algorithm
Sharing secret

Goals:
1. To explain why factoring is important.
2. To describe the oldest and most successful public key cryptography.
3. To show that knowing the period is equivalent to breaking RSA.
4. To explain how to compute quantum mechanically.
5. To explain Shor’s algorithm.

Easy and hard problems

EASY                  HARD
multiply              factoring (Q)
determinant           permanent
Gauss elimination     knapsack
sorting               discrete logarithm (Q)
primality testing     traveling salesman problem
LL(1) parsing         belonging to LL
encryption            decryption (Q)

Example — easy

p = 738873402423833494183027176953
q = 3787776806865662882378273
p·q = 2798687536910915970127263606347911460948554197853542169

Example — hard

p·q = 3809798755658743385477098607864681010895851155818383984810724595108122710478296711610558197642043079

p = ?
q = ?

Why does one need hard problems?
- Secure communication over networks, bank transactions
- Distribution of keys
  - By classical trusted channels
  - By quantum mechanical trusted channels
  - By public key algorithms

Possible solutions (public key)

One needs easily computable but hard-to-invert functions
1. Modular arithmetic
2. Elliptic curves
3. Knapsack
4. · · ·

RSA — an idea

Easy to find large primes

Easy to multiply, to make powers

Hard to factorise

Factoring is the only known door

RSA protocol
1. 1969 - James Ellis at GCHQ had an idea of public key cryptography
2. 1973 - Clifford Cocks at GCHQ discovered RSA
3. 1975 - Whitfield Diffie and Martin Hellman did the same as Ellis
4. 1977 - Ronald Rivest, Adi Shamir and Leonard Adleman

Bibliography (Number theory, RSA, Cryptography)
1. S. Singh, Kniha kódů a šifer, Argo+Dokořán, Praha, 2003
2. W. Stein, Elementary number theory, 2004 (on-line)
3. A. Menezes, P. van Oorschot, S. Vanstone, Handbook of applied cryptography, CRC Press, 1997 (on-line)

Creating the keys
Alice wants to receive some secret messages by RSA.
1. She chooses two large primes p, q and computes $n = p \cdot q$.
2. She computes $\varphi(n) = (p - 1) \cdot (q - 1)$ and chooses a number d that is invertible in $\mathbb{Z}_{\varphi(n)}$. Her secret key will be (n, d).
3. She computes the inverse $e = d^{-1}$ in $\mathbb{Z}_{\varphi(n)}$. The pair (n, e) will be the public key.

Bob sends a message to Alice
1. Bob computes $z = w^e$ in $\mathbb{Z}_n$ using Alice’s public key (n, e).
2. Bob sends z to Alice by public channel.
3. Alice receives z and computes $w = z^d$ in $\mathbb{Z}_n$.

Example
1. Bob wants to send the message “PUBLIC KEY CRYPTOGRAPHY” to Alice using her public key (2537, 13).
2. Bob first translates the letters into their numerical equivalents and then groups these numbers into blocks of four:
   1520 0111 0802 1004 2402 1724 1519 1406 1700 1507 2423
3. Bob encrypts each plaintext block into a ciphertext block, using the formula $z = w^{13} \bmod 2537$. Encrypting all the plaintext blocks, he obtains the ciphertext message
   0095 1648 1410 1299 0811 2333 2132 0370 1185 1957 1084
4. To decrypt the message, Alice uses her private key (2537, 937) and proceeds like Bob.
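The key creation and the exchange above, carried through in Python as an added example (not code from the original slides). The factorization 2537 = 43 · 59 and the padding letter X are assumptions: the slides give neither, but they reproduce the slide's key (2537, 13) and its last plaintext block 2423.

```python
from math import gcd

P, Q = 43, 59      # assumption: 2537 = 43 * 59, the primes behind the slide's modulus
D = 937            # Alice's private exponent from the slide

def make_keys(p, q, d):
    """Key creation as on the slide: pick d invertible mod phi(n), publish e = d^-1."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(d, phi) != 1:
        raise ValueError("d must be invertible in Z_phi(n)")
    e = pow(d, -1, phi)                    # modular inverse (Python 3.8+)
    return (n, e), (n, d)

def to_blocks(text, pad="X"):
    """A=00 ... Z=25, two letters per four-digit block; the pad letter is an assumption."""
    letters = [c for c in text.upper() if c.isalpha()]
    if len(letters) % 2:
        letters.append(pad)
    nums = [ord(c) - ord("A") for c in letters]
    return [100 * a + b for a, b in zip(nums[0::2], nums[1::2])]

def from_blocks(blocks):
    """Inverse of to_blocks: every block holds two letters."""
    return "".join(chr(b // 100 + 65) + chr(b % 100 + 65) for b in blocks)

def crypt(blocks, key):
    """z = w^e in Z_n for encryption, w = z^d in Z_n for decryption."""
    n, exponent = key
    return [pow(w, exponent, n) for w in blocks]

def demo():
    public, private = make_keys(P, Q, D)
    plain = to_blocks("PUBLIC KEY CRYPTOGRAPHY")
    cipher = crypt(plain, public)
    return public, plain, cipher, from_blocks(crypt(cipher, private))

if __name__ == "__main__":
    public, plain, cipher, recovered = demo()
    print("public key:", public)
    print("plaintext :", " ".join(f"{b:04d}" for b in plain))
    print("ciphertext:", " ".join(f"{b:04d}" for b in cipher))
    print("decrypted :", recovered)
```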

Example
1. Eve receives the following message
   1402590192 4491156271 5456170360 6218336917
   7495217553 3838307479 8636900168 3433148116
   7995123149 9324473812
   knowing the public key is
   (3809798755 6587433854 7709860786 4681010895
   8511558183 8398481072 4595108122 7104782967
   1161055819 7642043079, 55589).
2. She also knows the ASCII code was used.
3. Decrypt the message!

Attacking RSA
1. Brute force attack
2. Factoring n knowing $\varphi(n)$
3. Factoring n if p and q are close
4. Factoring n knowing d (key ingredient in Shor’s algorithm)
5. Other techniques?

Open problem: Is breaking RSA equivalent to factoring n?
Question: Can the proof of Generalized Riemann Hypothesis threaten the security of RSA?

Algorithm in (4) and example

1. We know that $a^{ed} \equiv a \pmod n$ for each a. Then $m = ed - 1$ satisfies $a^m \equiv 1 \pmod n$ for all a coprime to n.
2. If m is even and $a^{m/2} \equiv 1 \pmod n$ for several randomly chosen a, set $m \leftarrow m/2$ and go to step 1. Otherwise let a be such that $a^{m/2} \not\equiv 1 \pmod n$.
3. Compute $g \leftarrow \gcd(a^{m/2} - 1, n)$.
4. If g > 1 we are done, otherwise go to step 2 and choose a different a.

Algorithm in (4) and example
1. Somehow we discover that the RSA cryptosystem with encryption key

   (32295194023343, 29468811804857)

   has the following decryption key

   (32295194023343, 11127763319273).

   We use the previous algorithm to factor 32295194023343. Let

   m = ed − 1 = 327921963064646896263108960.

2. For each a ≤ 20 we find that $a^{m/2} \equiv 1 \pmod n$. So we replace $m \leftarrow m/2 = 163960981532323448131554480$.

Algorithm in (4) and example, continued

1. Again we find that $a^{m/2} \equiv 1 \pmod n$. So we replace m by 81980490766161724065777240. Yet again, for each a ≤ 20, $a^{m/2} \equiv 1 \pmod n$, so we replace m by 40990245383080862032888620. This is enough, since $2^{m/2} = 4015382800099 \bmod n$.
2. Then $g = \gcd(2^{m/2} - 1, n) = 737531$, and we have found a factor of n.
3. Then dividing n by g we find that

   n = 737531 · 43788253.
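The four steps of the algorithm run on the key pair of this example, as an added Python sketch (not code from the original slides). The function name and the fixed base list 2..20 are choices made here; the slide draws a at random.

```python
from math import gcd

# Key pair from the slides' worked example.
N = 32295194023343
E = 29468811804857
D = 11127763319273

def factor_with_d(n, e, d, bases=range(2, 21)):
    """Factor n from a matching RSA key pair, following steps 1-4 of the slide.

    Returns (p, q, m), where m is the exponent at which the split was found
    (None if a trial base already shared a factor with n).
    """
    for a in bases:
        g = gcd(a, n)
        if 1 < g < n:
            return min(g, n // g), max(g, n // g), None
    m = e * d - 1                         # step 1: a^m = 1 (mod n) for all a coprime to n
    while m % 2 == 0:
        roots = [pow(a, m // 2, n) for a in bases]
        if all(y == 1 for y in roots):    # step 2: every base still gives 1, halve m
            m //= 2
            continue
        for y in roots:                   # each y is a square root of 1 modulo n
            g = gcd(y - 1, n)             # step 3
            if 1 < g < n:                 # step 4: y is neither +1 nor -1, so g splits n
                return min(g, n // g), max(g, n // g), m
        raise ValueError("only the roots +1 and -1 were seen; try other bases")
    raise ValueError("m became odd; is (e, d) a valid key pair for n?")

if __name__ == "__main__":
    p, q, m = factor_with_d(N, E, D)
    print(f"n = {p} * {q}, split found at m = {m}")
```

The same function also splits the toy modulus of the earlier example when called as `factor_with_d(2537, 13, 937)`.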

How to break RSA?
The crucial point of the previous algorithm was not the knowledge of the decryption key, but the fact that we knew a multiple of the period of the function

$f(x) = a^x \bmod n$.

Breaking RSA — algorithm
1. Choose a at random.
2. Compute the period r of the function $f(x) = a^x \bmod n$.
3. If r is even compute $t = a^{r/2} \bmod n$, otherwise go to 1.
4. If $t + 1 \equiv a^{r/2} + 1 \not\equiv 0 \pmod n$, then $\gcd(t - 1, n) > 1$ and $\gcd(t + 1, n) > 1$, otherwise go to step 1.

There is at least 50% probability that a randomly chosen a satisfies all conditions in the above algorithm.
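The reduction from factoring to period finding, as an added Python example (not code from the original slides) run on the toy modulus 2537 of the earlier RSA example. The period is found by brute force in place of the quantum step, and a runs through 2, 3, ... instead of being random so that the run is reproducible; both are choices made here.

```python
from math import gcd

def period(a, n):
    """Smallest r > 0 with a^r = 1 (mod n); brute force stands in for the quantum step."""
    r, y = 1, a % n
    while y != 1:
        y = (y * a) % n
        r += 1
    return r

def factor_by_period(n):
    """Steps 1-4 of the slide for n = p*q, trying a = 2, 3, ... in order.

    Returns (p, q, log); log records (a, r, outcome) for every a tried.
    """
    log = []
    for a in range(2, n):
        g = gcd(a, n)
        if g > 1:                          # a itself shares a factor with n
            return min(g, n // g), max(g, n // g), log + [(a, None, "gcd(a, n) > 1")]
        r = period(a, n)                   # step 2
        if r % 2:                          # step 3: odd period, back to step 1
            log.append((a, r, "odd period"))
            continue
        t = pow(a, r // 2, n)
        if (t + 1) % n == 0:               # step 4: t = -1 (mod n), back to step 1
            log.append((a, r, "t = -1"))
            continue
        p, q = sorted((gcd(t - 1, n), gcd(t + 1, n)))
        return p, q, log + [(a, r, "ok")]
    raise ValueError("no suitable a found")

def private_exponent(e, p, q):
    """Once n is factored, d follows from e = d^-1 in Z_phi(n)."""
    return pow(e, -1, (p - 1) * (q - 1))

if __name__ == "__main__":
    p, q, log = factor_by_period(2537)     # modulus of the slides' key (2537, 13)
    for a, r, outcome in log:
        print(f"a = {a}: period {r}, {outcome}")
    print(f"2537 = {p} * {q}, d = {private_exponent(13, p, q)}")
```

The first base, a = 2, has an even period but gives t ≡ −1, so the run also shows the retry in step 4.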

Models of computation

The following are equivalent:
1. Turing machine
2. Flowcharts
3. Recursive function
4. Lambda calculus
5. Classical circuit model
6. Quantum circuit model

Turing machine

[Figure: Turing machine tape · · · 0 1 1 0 1 1 1 0 0 0 1 1 0 0 · · ·]

Flowchart

[Figure: flowchart with the assignment x := x − 1, the test x = 0 with branches YES and NO, and the assignments y := 3 and x := x^2]

Recursive function

f(n) = 0
g(n) = n + 1
h(n, m, p) = n + m · n

f(0) = 8
f(n + 1) = n + 5 ∗ f(n)

Lambda calculus

λx .yxλx .y(λx .y)(λxy .yx)y

Classical circuit

[Figure: classical circuit with an AND gate and an XOR gate, inputs x and y, outputs c and x ⊕ y]

Quantum circuit

[Figure: quantum gate symbols for Identity, NOT (X), Hadamard (H), Controlled NOT and Toffoli]

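Semantics of quantum circuit
We describe the action of the circuits on the base vectors. We extend the action on all vectors by linearity.

Identity
$|0\rangle \mapsto |0\rangle$, $|1\rangle \mapsto |1\rangle$

X (NOT)
$|0\rangle \mapsto |1\rangle$, $|1\rangle \mapsto |0\rangle$

H (Hadamard)
$|0\rangle \mapsto \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$, $|1\rangle \mapsto \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$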

Semantics of quantum circuit, continued

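cNOT (Controlled NOT)
$|00\rangle \mapsto |00\rangle$, $|01\rangle \mapsto |01\rangle$
$|10\rangle \mapsto |11\rangle$, $|11\rangle \mapsto |10\rangle$

Toffoli
$|000\rangle \mapsto |000\rangle$, $|001\rangle \mapsto |001\rangle$
$|010\rangle \mapsto |010\rangle$, $|011\rangle \mapsto |011\rangle$
$|100\rangle \mapsto |100\rangle$, $|101\rangle \mapsto |101\rangle$
$|110\rangle \mapsto |111\rangle$, $|111\rangle \mapsto |110\rangle$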

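Quantum logical circuit

Quantum NOT
[Figure: gate X taking $|x\rangle$ to $|\mathrm{NOT}\ x\rangle$]

Quantum AND
[Figure: three-qubit circuit with inputs $|x\rangle$, $|y\rangle$, $|0\rangle$ and outputs $|x\rangle$, $|y\rangle$, $|x\ \mathrm{AND}\ y\rangle$]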

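Quantum logical circuit, continued

Quantum XOR
[Figure: three-qubit circuit with inputs $|x\rangle$, $|1\rangle$, $|y\rangle$ and outputs $|x\rangle$, $|1\rangle$, $|x\ \mathrm{XOR}\ y\rangle$]

Quantum COPY
[Figure: three-qubit circuit with inputs $|x\rangle$, $|1\rangle$, $|0\rangle$ and outputs $|x\rangle$, $|1\rangle$, $|x\rangle$]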

Classical and quantum half adder

Classical half adder
[Figure: classical circuit with an AND gate and an XOR gate, inputs x and y, outputs c and x ⊕ y]

Shor’s Algorithm

Shor’s Algorithm
In the previous section we showed that the knowledge of the period of the function $f(x) = a^x \bmod n$ is sufficient to factor n with high probability.

The main task of Shor’s algorithm is to find such a period.

Shor’s Algorithm — false approach
We begin by using our quantum computer to construct the state

$$\sum_{x=0}^{2^t-1} |x\rangle |f(x)\rangle.$$

Then we measure the output register. If the measurement yields the value $f_0$, then the rule of measurement tells us that the state of the input register will be

$$|\psi\rangle = \sum_{j=0}^{m-1} |k + jr\rangle.$$

Here k is the smallest value of x at which $f(x) = f_0$ and m is the smallest integer for which $mr + k \ge 2^t$.

Shor’s Algorithm — false approach, continued
If we could produce a small number of identical copies of the state $|\psi\rangle$ we would be done. But this is impossible by the no-cloning theorem. And if we ran the whole algorithm again, we would end up with a state $|\psi\rangle$ for another random value k.

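[Figure: quantum circuit with input qubits $|0\rangle$ passed through Hadamard gates H, a second register $|0\rangle^{\otimes s}$, and the gate $U_f$]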

Quantum Fourier transformation
The heart of Shor’s algorithm is the superfast quantum Fourier transform procedure. The quantum Fourier transform on the basis is given by

$$U_{FT}|x\rangle = \sum_{y=0}^{2^n-1} e^{2\pi i x y/2^n} |y\rangle.$$

Applying this transform on the state $|\psi\rangle$ above yields

$$U_{FT}\sum_{j=0}^{m-1} |k + jr\rangle = \sum_{y=0}^{2^n-1} e^{2\pi i k y/2^n} \sum_{j=0}^{m-1} e^{2\pi i j r y/2^n} |y\rangle.$$

If we now make a measurement, the probability that we obtain valuable information about r is at least 40%.

Shor’s Algorithm
1. Classical part.
2. Quantum mechanical part.

Classical part
1. If N is divisible by 2 then return 2.
2. For a ≥ 1 and b ≥ 2 if $N = a^b$ then return a. This can be done classically.

Quantum mechanical part
1. Choose 1 < x < N. If gcd(N, x) > 1 then return f = gcd(N, x).
2. Select t resp. s such that $N^2 < 2^t$ resp. $N \le 2^s$.
   $|\psi_1\rangle$ Initialize register 1, which is t qubits in size, to $|0\rangle^{\otimes t}$ and register 2, which is s qubits in size, to $|0\rangle^{\otimes s}$.
   $|\psi_2\rangle$ Create a superposition on register 1: $\sum_{a=0}^{2^t-1} |a\rangle |0\rangle^{\otimes s}$.
   $|\psi_3\rangle$ Compute $f(a) = x^a \bmod N$ using a quantum circuit, to get a superposition $\sum_{a=0}^{2^t-1} |a\rangle |x^a \bmod N\rangle$.
   $|\psi_4\rangle$ Measure the second register. Now the first register contains the periodic superposition $\sum_{j=0}^{2^t/r-1} |jr + k\rangle$ for some k.
   $|\psi_5\rangle$ Apply QFT on the first register and measure it.
3. Find the period r of $f(a) = x^a \bmod N$. If r is even, compute $a = \gcd(x^{r/2} + 1, N)$. If a > 1 then return a. Otherwise go to step 1.
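A classical simulation of steps $|\psi_4\rangle$, $|\psi_5\rangle$ and 3, added here as an example (not code from the original slides): it computes the exact outcome distribution of the final measurement and then reads the period off a measured value. The choice N = 21, x = 2, the function names, and the use of `Fraction.limit_denominator` for the "find the period" step are assumptions of this sketch.

```python
import cmath
from fractions import Fraction
from math import gcd

def qft_distribution(x, N, t, k=0):
    """P(y) of measuring y in register 1 after the QFT (state |psi_5>).

    Register 2 is assumed to have collapsed to x^k mod N, so register 1 holds the
    equal superposition of all a < 2^t with x^a = x^k (mod N), i.e. |psi_4>.
    """
    size = 2 ** t
    f0 = pow(x, k, N)
    support = [a for a in range(size) if pow(x, a, N) == f0]
    norm = len(support) * size
    return [abs(sum(cmath.exp(2j * cmath.pi * a * y / size) for a in support)) ** 2 / norm
            for y in range(size)]

def period_from_measurement(y, x, N, t):
    """Step 3: y / 2^t lies close to some j / r; take the best fraction with denominator < N."""
    r = Fraction(y, 2 ** t).limit_denominator(N - 1).denominator
    return r if pow(x, r, N) == 1 else None      # None: this run gave no usable r

def simulate(N, x):
    """Return (t, r, probability that one run yields r, factor of N)."""
    t = (N * N).bit_length()                     # smallest t with N^2 < 2^t
    probs = qft_distribution(x, N, t)
    hits = {}                                    # recovered r -> total probability
    for y, p in enumerate(probs):
        r = period_from_measurement(y, x, N, t)
        if r is not None:
            hits[r] = hits.get(r, 0.0) + p
    r = max(hits, key=hits.get)
    factor = gcd(pow(x, r // 2) + 1, N) if r % 2 == 0 else None
    return t, r, hits[r], factor

if __name__ == "__main__":
    t, r, p_ok, factor = simulate(21, 2)
    print(f"t = {t}, period r = {r}, P(one run yields r) = {p_ok:.3f}, factor = {factor}")
```

Outcomes near $2^t j / r$ with j sharing a factor with r (here y = 171, close to 1/3) give only a divisor of r, which is why the quantum part has to be repeated.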

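[Figure: quantum circuit for Shor’s algorithm with input qubits $|0\rangle$, register $|0\rangle^{\otimes s}$, Hadamard gates H, the gate $U_f$ and the QFT; arrows mark the states $|\psi_1\rangle$, $|\psi_2\rangle$, $|\psi_3\rangle$, $|\psi_4\rangle$, $|\psi_5\rangle$]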

Protocol BB84
1. Alice chooses $(4 + \delta)n$ random data bits.
2. Alice chooses a random $(4 + \delta)n$-bit string $\langle b\rangle$ (control bits). She encodes each data bit as $\{|0\rangle, |1\rangle\}$ if the corresponding control bit of $\langle b\rangle$ is 0, otherwise she encodes it as $\{|+\rangle, |-\rangle\}$.
3. Alice sends the resulting state to Bob.
4. Bob receives the $(4 + \delta)n$ qubits, announces this fact, and measures each qubit in the $\{|0\rangle, |1\rangle\}$ or $\{|+\rangle, |-\rangle\}$ basis at random.
5. Alice announces $\langle b\rangle$.

Protocol BB84 — continued
6. Alice and Bob discard any bits where Bob measured a different basis than Alice had prepared. There are at least 2n bits left (if not, abort the protocol). They keep 2n bits.
7. Alice selects a subset of n bits that will serve as a check on Eve’s interference, and tells Bob which bits she selected.
8. Alice and Bob announce and compare the value of the n check bits. If more than an acceptable number disagree, they abort the protocol.
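Steps 1 to 8 as a classical simulation, added here as an example (not code from the original slides), showing what the check bits in step 8 detect. The model of a qubit as a (bit, basis) pair, the intercept-resend behaviour of Eve, δ = 1, the 10% threshold and the seed are all assumptions of this sketch.

```python
import random

def bb84(n, delta=1, eve=False, max_error_rate=0.1, seed=2007):
    """Simulate BB84 steps 1-8; returns (status, error_rate, alice_bits, bob_bits).

    Basis 0 is {|0>, |1>}, basis 1 is {|+>, |->}. If eve is True, Eve measures every
    qubit in a random basis and resends the state she observed.
    """
    rng = random.Random(seed)
    total = (4 + delta) * n

    def measure(qubit, basis):
        bit, prepared = qubit
        return bit if basis == prepared else rng.getrandbits(1)   # wrong basis: coin flip

    data = [rng.getrandbits(1) for _ in range(total)]             # step 1: data bits
    b = [rng.getrandbits(1) for _ in range(total)]                # step 2: control bits
    channel = list(zip(data, b))                                  # step 3: send to Bob
    if eve:
        eve_bases = [rng.getrandbits(1) for _ in range(total)]
        channel = [(measure(q, eb), eb) for q, eb in zip(channel, eve_bases)]
    bob_bases = [rng.getrandbits(1) for _ in range(total)]        # step 4
    bob = [measure(q, bb) for q, bb in zip(channel, bob_bases)]

    keep = [i for i in range(total) if b[i] == bob_bases[i]]      # steps 5-6
    if len(keep) < 2 * n:
        return "abort: fewer than 2n bits", None, [], []
    keep = keep[:2 * n]
    check = set(rng.sample(keep, n))                              # step 7
    rate = sum(data[i] != bob[i] for i in check) / n              # step 8
    if rate > max_error_rate:
        return "abort: too many errors", rate, [], []
    rest = [i for i in keep if i not in check]
    return "ok", rate, [data[i] for i in rest], [bob[i] for i in rest]

if __name__ == "__main__":
    for eve in (False, True):
        status, rate, alice, bob = bb84(500, eve=eve)
        print(f"eve={eve}: {status}, check-bit error rate {rate}")
```

Without Eve the check bits agree exactly; with her, about a quarter of them disagree, because she picks the wrong basis half the time and Bob's result is then random.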
