Shor's algorithm and secret sharing - cvut.cz
Easy and hard problems | RSA protocol | Attacking RSA | Models of computation | Shor’s factoring algorithm | Sharing secret
Shor’s algorithm and secret sharing
Libor Nentvich: QC 23 April 2007: Shor’s algorithm and secret sharing 1/41
Goals:
1. To explain why factoring is important.
2. To describe the oldest and most successful public key cryptography.
3. Knowing the period is equivalent to breaking RSA.
4. To explain how to compute quantum mechanically.
5. To explain Shor’s algorithm.
Easy and hard problems
EASY                  HARD
multiply              factoring (Q)
determinant           permanent
Gauss elimination     knapsack
sorting               discrete logarithm (Q)
primality testing     traveling salesman problem
LL(1) parsing         belonging to LL
encryption            decryption (Q)
Example — easy
p = 738873402423833494183027176953
q = 3787776806865662882378273
p·q = 2798687536910915970127263606347911460948554197853542169
Example — hard
p·q = 3809798755658743385477098607864681010895851155818383984810724595108122710478296711610558197642043079
p = ?
q = ?
Why does one need hard problems?
- Secure communication over networks, bank transactions
- Distribution of keys
  - By classical trusted channels
  - By quantum mechanical trusted channels
  - By public key algorithms
Possible solutions (public key)
One needs easily computable but hard-to-invert functions
1. Modular arithmetic
2. Elliptic curves
3. Knapsack
4. ...
RSA — an idea
Easy to find large primes
Easy to multiply, to make powers
Hard to factorise
Factoring is the only known door
RSA protocol
1. 1969 - James Ellis at GCHQ had an idea of public key cryptography
2. 1973 - Clifford Cocks at GCHQ discovered RSA
3. 1975 - Whitfield Diffie and Martin Hellman did the same as Ellis
4. 1977 - Ronald Rivest, Adi Shamir and Leonard Adleman
Bibliography (Number theory, RSA, Cryptography)
1. S. Singh, Kniha kódů a šifer, Argo+Dokořán, Praha, 2003
2. W. Stein, Elementary number theory, 2004 (on-line)
3. A. Menezes, P. van Oorschot, S. Vanstone, Handbook of applied cryptography, CRC Press, 1997 (on-line)
Creation of the keys
Alice wants to receive some secret messages by RSA.
1. She chooses two large primes p, q and computes $n = p \cdot q$.
2. She computes $\varphi(n) = (p - 1) \cdot (q - 1)$ and chooses a number d that is invertible in $\mathbb{Z}_{\varphi(n)}$. Her secret key will be (n, d).
3. She computes the inverse $e = d^{-1}$ in $\mathbb{Z}_{\varphi(n)}$. The pair (n, e) will be the public key.
Bob sends a message to Alice
1. Bob computes $z = w^e$ in $\mathbb{Z}_n$ using Alice’s public key (n, e).
2. Bob sends z to Alice by public channel.
3. Alice receives z and computes $w = z^d$ in $\mathbb{Z}_n$.
Example
1. Bob wants to send the message “PUBLIC KEY CRYPTOGRAPHY” to Alice using her public key (2537, 13).
2. Bob first translates the letters into their numerical equivalents and then groups these numbers into blocks of four.
   1520 0111 0802 1004 2402 1724 1519 1406 1700 1507 2423
3. Bob encrypts each plaintext block into a ciphertext block, using the formula $z = w^{13} \bmod 2537$. Encrypting all the plaintext blocks, he obtains the ciphertext message
   0095 1648 1410 1299 0811 2333 2132 0370 1185 1957 1084
4. To decrypt the message, Alice chooses her private key (2537, 937) and behaves like Bob.
Example
1. Eve receives the following message
   1402590192 4491156271 5456170360 6218336917
   7495217553 3838307479 8636900168 3433148116
   7995123149 9324473812
   knowing the public key is
   (3809798755 6587433854 7709860786 4681010895
   8511558183 8398481072 4595108122 7104782967
   1161055819 7642043079, 55589).
2. She also knows the ASCII code was used.
3. Decrypt the message!
Attacking RSA
1. Brute force attack
2. Factoring n knowing ϕ(n)
3. Factoring n if p and q are close
4. Factoring n knowing d (key ingredient in Shor’s algorithm)
5. Other techniques?
Open problem: Is breaking RSA equivalent to factoring n?
Question: Can the proof of the Generalized Riemann Hypothesis threaten the security of RSA?
Algorithm in (4) and example
1. We know that $a^{ed} \equiv a \pmod n$ for each a. Then $m = ed - 1$ satisfies $a^m \equiv 1 \pmod n$ for all a coprime to n.
2. If m is even and $a^{m/2} \equiv 1 \pmod n$ for several randomly chosen a, set $m \leftarrow m/2$ and go to step 1. Otherwise let a be such that $a^{m/2} \not\equiv 1 \pmod n$.
3. Compute $g \leftarrow \gcd(a^{m/2} - 1, n)$.
4. If g > 1 we are done, otherwise go to step 2 and choose a different a.
Algorithm in (4) and example
1. Somehow we discover that the RSA cryptosystem with encryption key
   (32295194023343, 29468811804857)
   has the following decryption key
   (32295194023343, 11127763319273).
   We use the previous algorithm to factor 32295194023343. Let
   m = ed − 1 = 327921963064646896263108960.
2. For each a ≤ 20 we find that $a^{m/2} \equiv 1 \pmod n$. So we replace $m \leftarrow m/2 = 163960981532323448131554480$.
Algorithm in (4) and example, continued
1. Again we find that $a^{m/2} \equiv 1 \pmod n$. So we replace m by 81980490766161724065777240. Yet again, for each a ≤ 20, $a^{m/2} \equiv 1 \pmod n$, so we replace m by 40990245383080862032888620. This is enough, since $2^{m/2} = 4015382800099 \bmod n$.
2. Then $g = \gcd(2^{m/2} - 1, n) = 737531$, and we have found a factor of n.
3. Then dividing n by g we find that n = 737531 · 43788253.
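
The halving algorithm above, run on the worked example's key pair, as an added example that is not part of the original slides. The function name and the fixed bases 2..20 (the slide picks a at random) are choices made here.

```python
# Added example, not from the slides: factor n from a known key pair (e, d)
# with the halving algorithm above, using the fixed bases a = 2..20.
from math import gcd

def factor_with_private_exponent(n, e, d, bases=range(2, 21)):
    """Return (p, q) with p*q == n, or None if the chosen bases do not suffice."""
    m = e * d - 1                       # a^m = 1 (mod n) for all a coprime to n
    while m % 2 == 0:
        half = m // 2
        all_one = True
        for a in bases:
            g = gcd(a, n)
            if 1 < g < n:               # the base itself shares a factor with n
                return tuple(sorted((g, n // g)))
            t = pow(a, half, n)
            if t == 1:
                continue
            all_one = False
            g = gcd(t - 1, n)           # t^2 = 1 (mod n) and t != 1
            if g > 1:                   # t is not -1: nontrivial square root of 1
                return tuple(sorted((g, n // g)))
        if not all_one:
            return None                 # only t = -1 was seen; more bases are needed
        m = half                        # every base gave 1: m/2 still works as exponent
    return None

if __name__ == "__main__":
    # Key pair from the worked example above.
    print(factor_with_private_exponent(32295194023343, 29468811804857, 11127763319273))
    # Toy key from the earlier encryption example; needs a second base.
    print(factor_with_private_exponent(2537, 13, 937))
```

A leaked d therefore exposes p and q, so the modulus itself has to be retired; issuing a new pair (e, d) for the same n does not help.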
How to break RSA?
The crucial point of the previous algorithm was not the knowledge of the decryption key, but the fact that we knew a multiple of the period of the function
$f(x) = a^x \bmod n$.
Breaking RSA — algorithm
1. Choose a at random.
2. Compute the period r of the function $f(x) = a^x \bmod n$.
3. If r is even compute $t = a^{r/2} \bmod n$, otherwise go to 1.
4. If $t + 1 \equiv a^{r/2} + 1 \not\equiv 0 \pmod n$, then $\gcd(t - 1, n) > 1$ and $\gcd(t + 1, n) > 1$, otherwise go to step 1.
There is at least 50% probability that a randomly chosen a satisfies all conditions in the above algorithm.
Models of computation
The following are equivalent:
1. Turing machine
2. Flowcharts
3. Recursive function
4. Lambda calculus
5. Classical circuit model
6. Quantum circuit model
Turing machine
[Figure: Turing machine tape · · · 0 1 1 0 1 1 1 0 0 0 1 1 0 0 · · ·]
Flowchart
[Figure: flowchart with the statements x := x − 1, y := 3, x := x^2 and the test x = 0 with YES and NO branches]
Recursive function
f(n) = 0
g(n) = n + 1
h(n, m, p) = n + m · n
f(0) = 8
f(n + 1) = n + 5 ∗ f(n)
Lambda calculus
λx.yx
λx.y
(λx.y)(λxy.yx)y
Classical circuit
[Figure: classical circuit with inputs x and y, an AND gate with output c and an XOR gate with output x ⊕ y]
Quantum circuit
[Figure: gate symbols for Identity, NOT (X), Hadamard (H), Controlled NOT and Toffoli]
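Semantics of quantum circuit
We describe the action of the circuits on the base vectors. We extend the action to all vectors by linearity.
Identity: $|0\rangle \mapsto |0\rangle$, $|1\rangle \mapsto |1\rangle$
X (NOT): $|0\rangle \mapsto |1\rangle$, $|1\rangle \mapsto |0\rangle$
H (Hadamard): $|0\rangle \mapsto \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$, $|1\rangle \mapsto \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$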
Semantics of quantum circuit, continued
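cNOT (Controlled NOT)
$|00\rangle \mapsto |00\rangle$, $|01\rangle \mapsto |01\rangle$
$|10\rangle \mapsto |11\rangle$, $|11\rangle \mapsto |10\rangle$
Toffoli
$|000\rangle \mapsto |000\rangle$, $|001\rangle \mapsto |001\rangle$
$|010\rangle \mapsto |010\rangle$, $|011\rangle \mapsto |011\rangle$
$|100\rangle \mapsto |100\rangle$, $|101\rangle \mapsto |101\rangle$
$|110\rangle \mapsto |111\rangle$, $|111\rangle \mapsto |110\rangle$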
Quantum logical circuit
Quantum NOT
[Figure: X gate taking |x⟩ to |NOT x⟩]
Quantum AND
[Figure: Toffoli gate with inputs |x⟩, |y⟩, |0⟩ and outputs |x⟩, |y⟩, |x AND y⟩]
Quantum logical circuit, continued
Quantum XOR
[Figure: Toffoli gate with inputs |x⟩, |1⟩, |y⟩ and outputs |x⟩, |1⟩, |x XOR y⟩]
Quantum COPY
[Figure: Toffoli gate with inputs |x⟩, |1⟩, |0⟩ and outputs |x⟩, |1⟩, |x⟩]
Classical and quantum half adder
Classical half adder
[Figure: inputs x and y, an AND gate with output c and an XOR gate with output x ⊕ y]
Shor’s Algorithm
Shor’s Algorithm
In the previous section we showed that knowledge of the period of the function $f(x) = a^x \bmod n$ is sufficient to factor n with high probability.
The main task of Shor’s algorithm is to find such a period.
Shor’s Algorithm — false approach
We begin by using our quantum computer to construct the state
$\sum_{x=0}^{2^t-1} |x\rangle|f(x)\rangle$.
Then we measure the output register. If the measurement yields the value $f_0$, then the rule of measurement tells us that the state of the input register will be
$|\psi\rangle = \sum_{j=0}^{m-1} |k + jr\rangle$.
Here k is the smallest value of x at which $f(x) = f_0$ and m is the smallest integer for which $mr + k \ge 2^t$.
Shor’s Algorithm — false approach, continued
If we could produce a small number of identical copies of the state $|\psi\rangle$ we would be done. But this is impossible by the no-cloning theorem. And if we ran the whole algorithm again, we would end up with a state $|\psi\rangle$ for another random value k.
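[Figure: quantum circuit with first-register inputs |0⟩, ..., |0⟩ each followed by H, second-register input |0⟩^{⊗s}, the gate U_f and a measurement]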
Quantum Fourier transformation
The heart of Shor’s algorithm is the superfast quantum Fourier transform procedure. The quantum Fourier transform on the basis is given by
$U_{FT}|x\rangle = \sum_{y=0}^{2^n-1} e^{2\pi i xy/2^n}|y\rangle$.
Applying this transform to the state $|\psi\rangle$ above yields
$U_{FT}\sum_{j=0}^{m-1}|k + jr\rangle = \sum_{y=0}^{2^n-1} e^{2\pi i ky/2^n} \sum_{j=0}^{m-1} e^{2\pi i jry/2^n}|y\rangle$.
If we now make a measurement, the probability that we obtain valuable information about r is at least 40%.
Shor’s Algorithm
1. Classical part.
2. Quantum mechanical part.
Classical part
1. If N is divisible by 2 then return 2.
2. For a ≥ 1 and b ≥ 2 if $N = a^b$ then return a. This can be done classically.
Quantum mechanical part
1. Choose 1 < x < N. If gcd(N, x) > 1 then return f = gcd(N, x).
2. Select t resp. s such that $N^2 < 2^t$ resp. $N \le 2^s$.
   $|\psi_1\rangle$ Initialize register 1, which is t qubits in size, to $|0\rangle^{\otimes t}$ and register 2, which is s qubits in size, to $|0\rangle^{\otimes s}$.
   $|\psi_2\rangle$ Create a superposition on register 1: $\sum_{a=0}^{2^t-1} |a\rangle|0\rangle^{\otimes s}$.
   $|\psi_3\rangle$ Compute $f(a) = x^a \bmod N$ using a quantum circuit, to get a superposition $\sum_{a=0}^{2^t-1} |a\rangle|x^a \bmod N\rangle$.
   $|\psi_4\rangle$ Measure the second register. Now the first register contains the periodic superposition $\sum_{j=0}^{2^t/r-1} |jr + k\rangle$ for some k.
   $|\psi_5\rangle$ Apply QFT on the first register and measure it.
3. Find the period r of $f(a) = x^a \bmod N$. If r is even, compute $a = \gcd(x^{r/2} + 1, N)$. If a > 1 then return a. Otherwise go to step 1.
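
Added example, not code from the slides: a classical simulation of the quantum mechanical part for a tiny modulus, covering the periodic state after the measurement, the outcome distribution after the QFT, and the gcd step from the "Breaking RSA" algorithm earlier. N = 21, x = 2 and all function names are assumptions chosen here; reading r from the measured value by continued fractions is the standard technique and is not spelled out on the slides.

```python
# Added example, not from the slides: classical simulation of the quantum
# part for a tiny modulus. N = 21 and x = 2 are constructed sample values.
import cmath
from fractions import Fraction
from math import gcd

def measurement_distribution(N, x, t, k=0):
    """P(y) for |psi5>: register 2 measured as x^k mod N, then QFT on register 1."""
    Q = 2 ** t
    f0 = pow(x, k, N)
    support = [a for a in range(Q) if pow(x, a, N) == f0]   # k, k+r, k+2r, ...
    probs = []
    for y in range(Q):
        amp = sum(cmath.exp(2j * cmath.pi * a * y / Q) for a in support)
        probs.append(abs(amp) ** 2 / (len(support) * Q))
    return probs

def period_from_measurement(y, N, x, t):
    """Continued fractions: y/2^t ~ c/r with r < N; accept only if x^r = 1 mod N."""
    r = Fraction(y, 2 ** t).limit_denominator(N - 1).denominator
    return r if pow(x, r, N) == 1 else None

def factor_from_period(N, x, r):
    """For even r try gcd(x^(r/2) + 1, N) and gcd(x^(r/2) - 1, N)."""
    if r % 2:
        return None
    h = pow(x, r // 2, N)
    for g in (gcd(h + 1, N), gcd(h - 1, N)):
        if 1 < g < N:
            return tuple(sorted((g, N // g)))
    return None

def simulate(N=21, x=2):
    t = (N * N).bit_length()                 # smallest t with N^2 < 2^t
    Q = 2 ** t
    probs = measurement_distribution(N, x, t)
    found = {y: period_from_measurement(y, N, x, t) for y in range(Q)}
    # Most likely outcome that passes the x^r = 1 check (may be a multiple of r in general).
    r = next(found[y] for y in sorted(range(Q), key=lambda y: -probs[y]) if found[y])
    p_exact = sum(probs[y] for y in range(Q) if found[y] == r)
    # Outcomes within 1/2 of a multiple of Q/r, the peaks of the distribution.
    p_peak = sum(p for y, p in enumerate(probs)
                 if abs(y * r / Q - round(y * r / Q)) * Q / r <= 0.5)
    return r, factor_from_period(N, x, r), p_exact, p_peak

if __name__ == "__main__":
    print(simulate())
```

For these values simulate() finds r = 6 and the factors 3 and 7; p_peak is the probability of measuring a value next to a multiple of 2^t/r, for comparison with the 40% figure quoted for the QFT step.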
[Figure: quantum circuit with inputs |0⟩, ..., |0⟩ and |0⟩^{⊗s}, Hadamard gates H, the gate U_f, the QFT and measurements; arrows mark the states |ψ1⟩, |ψ2⟩, |ψ3⟩, |ψ4⟩, |ψ5⟩]
Protocol BB84
1. Alice chooses (4 + δ)n random data bits.
2. Alice chooses a random (4 + δ)n-bit string ⟨b⟩ (control bits). She encodes each data bit as {|0⟩, |1⟩} if the corresponding control bit of ⟨b⟩ is 0, otherwise she encodes it as {|+⟩, |−⟩}.
3. Alice sends the resulting state to Bob.
4. Bob receives the (4 + δ)n qubits, announces this fact, and measures each qubit in the {|0⟩, |1⟩} or {|+⟩, |−⟩} basis at random.
5. Alice announces ⟨b⟩.
Protocol BB84 — continued
6. Alice and Bob discard any bits where Bob measured in a different basis than Alice had prepared. There are at least 2n bits left (if not, abort the protocol). They keep 2n bits.
7. Alice selects a subset of n bits that will serve as a check on Eve’s interference, and tells Bob which bits she selected.
8. Alice and Bob announce and compare the value of the n check bits. If more than an acceptable number disagree, they abort the protocol.
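
Steps 1 to 8 simulated with ideal qubits, as an added example that is not part of the original slides; it shows how the check bits expose an eavesdropper. The measure-and-resend model of Eve, δ = 1, the 11% abort threshold, the seed and all names are assumptions made here.

```python
# Added example, not from the slides: BB84 steps 1-8 with ideal qubits.
# The intercept-resend Eve, delta = 1 and the 11% abort threshold are
# assumptions for illustration.
import random

def measure(bit, prep_basis, meas_basis, rng):
    """Same basis returns the encoded bit; the other basis gives a random bit."""
    return bit if prep_basis == meas_basis else rng.randrange(2)

def bb84(n, eve=False, delta=1.0, max_error=0.11, seed=2007):
    rng = random.Random(seed)
    size = int((4 + delta) * n)
    data = [rng.randrange(2) for _ in range(size)]        # step 1: data bits
    b = [rng.randrange(2) for _ in range(size)]           # step 2: 0 -> {0,1}, 1 -> {+,-}
    sent = list(zip(data, b))                             # step 3: qubits on the channel
    if eve:                                               # Eve measures and resends
        sent = []
        for bit, basis in zip(data, b):
            eve_basis = rng.randrange(2)
            sent.append((measure(bit, basis, eve_basis, rng), eve_basis))
    bob_basis = [rng.randrange(2) for _ in range(size)]   # step 4: Bob's random bases
    bob = [measure(bit, basis, bb, rng) for (bit, basis), bb in zip(sent, bob_basis)]
    keep = [i for i in range(size) if b[i] == bob_basis[i]]   # steps 5-6: sifting
    if len(keep) < 2 * n:
        return {"aborted": True, "reason": "fewer than 2n bits left"}
    keep = keep[:2 * n]
    check = set(rng.sample(keep, n))                      # step 7: check positions
    errors = sum(data[i] != bob[i] for i in check)        # step 8: compare check bits
    rate = errors / n
    key = [data[i] for i in keep if i not in check]
    return {"aborted": rate > max_error, "error_rate": rate, "key_bits": len(key)}

if __name__ == "__main__":
    print(bb84(500))
    print(bb84(500, eve=True))
```

Without Eve the check bits agree exactly; with Eve measuring every qubit about a quarter of them disagree, which is what step 8 detects.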