Slide 1

David Evans http://www.cs.virginia.edu/~evans CS588: Security and Privacy University of Virginia Computer Science Lecture 16: Blocking and Catching Photons Slide 2 7 Nov 2001University of Virginia CS 5882 Menu Trick-or-Treat Answers Visual Cryptography Quantum Cryptography Quantum Computing Slide 3 7 Nov 2001University of Virginia CS 5883 What is a Protocol? What is an Algorithm? Slide 4 7 Nov 2001University of Virginia CS 5884 Algorithm David Harel: The ingredients are the inputs to the process, the cake is its output, and the recipe is the algorithm. Garrett (MBC): A computational or decision-making procedure that can be completely automated. Slide 5 7 Nov 2001University of Virginia CS 5885 Algorithm The American Heritage Dictionary of the English Language: A step-by-step problem-solving procedure, especially an established, recursive computational procedure for solving a problem in a finite number of steps. Slide 6 7 Nov 2001University of Virginia CS 5886 What is a Protocol? An algorithm involving 2 or more parties. Schneier: A series of steps, involving two or more parties, designed to accomplish a task. Garrett (MBC): Slide 7 7 Nov 2001University of Virginia CS 5887 Jargon File 4.2.0 protocol n. As used by hackers, this never refers to niceties about the proper form for addressing letters to the Papal Nuncio or the order in which one should use the forks in a Russian-style place setting; hackers don't care about such things. It is used instead to describe any set of rules that allow different machines or pieces of software to coordinate with each other without ambiguity. So, for example, it does include niceties about the proper form for addressing packets on a network or the order in which one should use the forks in the Dining Philosophers Problem. It implies that there is some common message format and an accepted set of primitives or commands that all parties involved understand, and that transactions among them follow predictable logical sequences. Slide 8 7 Nov 2001University of Virginia CS 5888 What is a Cryptographic Protocol? A protocol involving one or more secrets. Slide 9 7 Nov 2001University of Virginia CS 5889 Algorithm, Protocol, Cryptographic Protocol? TCP Dating Dining at McDonalds Dining at Hamiltons Japanese Tea Ceremony Trick-or-Treating Slide 10 7 Nov 2001University of Virginia CS 58810 What is Computer Science? The Chinese tea ceremony, unlike the Japanese tea ceremony, emphasizes the tea, rather than the ceremony. http://desires.com/1.4/Food/Docs/tea.html Slide 11 7 Nov 2001University of Virginia CS 58811 Let AB and CD be the two given numbers not relatively prime. It is required to find the greatest common measure of AB and CD. If now CD measures AB, since it also measures itself, then CD is a common measure of CD and AB. And it is manifest that it is also the greatest, for no greater number than CD measures CD. But, if CD does not measure AB, then, when the less of the numbers AB and CD being continually subtracted from the greater, some number is left which measures the one before it. Slide 12 7 Nov 2001University of Virginia CS 58812 For a unit is not left, otherwise AB and CD would be relatively prime, which is contrary to the hypothesis. Therefore some number is left which measures the one before it. Now let CD, measuring BE, leave EA less than itself, let EA, measuring DF, leave FC less than itself, and let CF measure AE. Since then, CF measures AE, and AE measures DF, therefore CF also measures DF. But it measures itself, therefore it also measures the whole CD. But CD measures BE, therefore CF also measures BE. And it also measures EA, therefore it measures the whole BA. But it also measures CD, therefore CF measures AB and CD. Therefore CF is a common measure of AB and CD. I say next that it is also the greatest. If CF is not the greatest common measure of AB and CD, then some number G, which is greater than CF, measures the numbers AB and CD. Now, since G measures CD, and CD measures BE, therefore G also measures BE. But it also measures the whole BA, therefore it measures the remainder AE. But AE measures DF, therefore G also measures DF. And it measures the whole DC, therefore it also measures the remainder CF, that is, the greater measures the less, which is impossible. Therefore no number which is greater than CF measures the numbers AB and CD. Therefore CF is the greatest common measure of AB and CD. Euclids Elements, Book VII, Proposition 2 (300BC) Slide 13 7 Nov 2001University of Virginia CS 58813 By the word operation, we mean any process which alters the mutual relation of two or more things, be this relation of what kind it may. This is the most general definition, and would include all subjects in the universe. Again, it might act upon other things besides number, were objects found whose mutual fundamental relations could be expressed by those of the abstract science of operations, and which should be also susceptible of adaptations to the action of the operating notation and mechanism of the engine... Supposing, for instance, that the fundamental relations of pitched sounds in the science of harmony and of musical composition were susceptible of such expression and adaptations, the engine might compose elaborate and scientific pieces of music of any degree of complexity or extent. Ada, Countess of Lovelace, around 1830 Slide 14 7 Nov 2001University of Virginia CS 58814 What is the difference between Euclid and Ada? It depends on what your definition of is is. Bill Gates (speaking at Microsofts anti-trust trial) Slide 15 7 Nov 2001University of Virginia CS 58815 Geometry vs. Computer Science Geometry (mathematics) is about declarative knowledge: what is If now CD measures AB, since it also measures itself, then CD is a common measure of CD and AB Computer Science is about imperative knowledge: how to Computer Science has nothing to do with beige (or translucent blue) boxes called computers and is not a science. Slide 16 7 Nov 2001University of Virginia CS 58816 Computer Science How to knowledge: Ways of describing imperative processes (computations) Ways of reasoning about (predicting) what imperative processes will do CS 588 is: ~ 50% Mathematics ~ 25% Computer Science ~ 25%Coloring, History, Physics, Linguistics, Politics, Banking, Psychology, etc. Slide 17 7 Nov 2001University of Virginia CS 58817 CS 200 > 75% Computer Science Tell smart 1 st and 2 nd year College students to take it Slide 18 7 Nov 2001University of Virginia CS 58818 Visual Cryptography Slide 19 7 Nov 2001University of Virginia CS 58819 Visual Cryptography Can we quickly do a lot of XORs without a computer? Yes: 0: 1: Key Ciphertext.5 probability Slide 20 7 Nov 2001University of Virginia CS 58820 Key + Ciphertext Key Ciphertext ++ ++ = 0 = 1 Slide 21 7 Nov 2001University of Virginia CS 58821 Perfect Cipher? Key Ciphertext.5 probability Plaintext 0 1 Slide 22 7 Nov 2001University of Virginia CS 58822 Perfect Cipher Key Ciphertext.5 probability Plaintext 0 1 P (C = | M = 0) =.5 P (C = | M = 1) =.5 P (C = | M = 0) =.5 P (C = | M = 1) =.5 Yes! = = Slide 23 7 Nov 2001University of Virginia CS 58823 Quantum Cryptography Slide 24 7 Nov 2001University of Virginia CS 58824 Quantum Physics for Dummies Light behaves like both a wave and a particle at the same time A single photon is in many states at once Cant observe its state without forcing it into one state Schrdingers Cat Put a live cat in a box with cyanide vial that opens depending on quantum state Cat is both dead and alive at the same time until you open the box Slide 25 7 Nov 2001University of Virginia CS 58825 Heisenbergs Uncertainty Principle We cannot know, as a matter of principle, the present in all its details. Werner Heisenberg, 1920s If you cant know all the details about something you cant copy it. Bits are easy to copy; photons are impossible to copy. Slide 26 7 Nov 2001University of Virginia CS 58826 Quantum Cash Stephen Wiesner, late 60s: I didnt get any support from my thesis advisor he showed no interest in it at all. I showed it to several other people, and they all pulled a strange face, and went straight back to what they were already doing. (Quoted in Singh, The Code Book) Slide 27 7 Nov 2001University of Virginia CS 58827 Photons have spin: V H +45 -45 Photon Polarity Vertical filter: 100% of V photons 50% of +45 photons (become V photons) 50% of -45 photons (become V photons) 0% of H photons Horizontal filter: 100% of H photons 50% of +45 photons (become H photons) 50% of -45 photons (become H photons) 0% of V photons Slide 28 7 Nov 2001University of Virginia CS 58828 Photon Stream Vertical filter: 100% of V photons 50% of +45 photons (become V photons) 50% of -45 photons (become V photons) 0% of H photons Cant tell difference between V and +45 and 45 photons Slide 29 7 Nov 2001University of Virginia CS 58829 Quantum Cash First Photon Bank $10000 In Light We Trust Unique ID 258309274917392 Spinning Photons Richard Feynman, Safecracker, Father of Quantum Computing Slide 30 7 Nov 2001University of Virginia CS 58830 Bank Verifies Bill Unique ID 258309274917392 Spinning Photons First Photon Bank IDAmountPhotons 258309274917392 $10000V-45H+45+45V Bank aligns filters according to expected values. If photons on bill all pass through filters, the bill is valid. Slide 31 7 Nov 2001University of Virginia CS 58831 Counterfeiting Quantum Cash To copy a bill, need to know the photons. Counterfeiter can guess, but loses information. Physics says there is no way to measure the spins without knowing them! Slide 32 7 Nov 2001University of Virginia CS 58832 Perfect Security? Bill photons: V (), +45 (), -45 (), H () Guess V-filter: passes 100% of V photons, of +45 and of -45 p (M = V | passes V filter) =.25 / (.25 + (.5 *.25) + (.5 *.25)) =.25/.5 =.5 If photon passes, counterfeiter can guess it is a V photon, right of the time. If photon doesnt pass, guess its a H photon, right of the time. p (M = +45 | passes V filter) =.25 Actually a bit more complicated can guess some photons wrong, and 50% chance bank wont notice. Slide 33 7 Nov 2001University of Virginia CS 58833 Guessing One +45 Photon Passes through V-filter (.5) Counterfeiter guesses V-photon Passes through Banks +45 filter (.5) .25 chance of getting it right Doesnt passes through V-filter (.5) Counterfeiter guesses H-photon Passes through Banks +45 filter (.5) .25 chance of getting it right Probability of not getting caught =.5 Forge bill with 6 photons = 1/2 6 ; use more photons for more valuable bills. Slide 34 7 Nov 2001University of Virginia CS 58834 Quantum Key Distribution Slide 35 7 Nov 2001University of Virginia CS 58835 Quantum Key Distribution Charles Bennett (1980s) Use quantum physics to transmit a key with perfect secrecy Alice sends a stream of random photons Bob selects random filters to try and guess photons After, they communicate over insecure channel to figure out which bits were transmitted correctly Slide 36 7 Nov 2001University of Virginia CS 58836 Quantum Key Distribution 1.Alice generates a random sequence. Transmits: 0: or (Randomly pick H or 45) 1: or (Randomly pick V or +45) 2.Bob randomly guesses filter: Rectilinear detector: recognizes H and V photons with 100% accuracy, randomly misrecognizes diagonal photons. Diagonal detector: recognizes -45 and +45 photons with 100% accuracy, randomly misrecognizes H and V photons. Slide 37 7 Nov 2001University of Virginia CS 58837 Detecting Photons Bob picks the right detector: 100% chance of correctly recognizing bit Bob picks the wrong detector: 50% chance of guessing bit Bob cant tell the difference But, Alice can (since she picked the photon encoding) Slide 38 7 Nov 2001University of Virginia CS 58838 Finding Correct Guesses 3.Alice calls Bob over an insecure line, and tell him rectangular/diagonal for each bit. Bob tells Alice if he guessed right. They use the bits he guessed right on as the key. 4.Alice and Bob do some error checking (e.g., use a checksum) to make sure they have the same key. Slide 39 7 Nov 2001University of Virginia CS 58839 What about Eve? Eve can intercept the photon stream, and guess filters. If she guesses right, she can resend the same photon. If she guesses wrong, 50% chance she will send the wrong photon. 50% chance Bob will guess the right filter on this photon, so 25% chance of error Slide 40 7 Nov 2001University of Virginia CS 58840 Eve is Caught When Alice and Bob agree on which bits to use, Eve will have the wrong ones since she guesses different polarities. Eve cannot eavesdrop without Alice and Bob noticing an unusually high error rate! Slide 41 7 Nov 2001University of Virginia CS 58841 Practical Quantum Cryptography This may seem wacky and crazy, but it is real! Los Alamos Lab Bobs photon detector Alices photon transmitter 48 km fiber-optic wire loop Richard Hughes, et. al. What about quantum cash? Slide 42 7 Nov 2001University of Virginia CS 58842 Slide 43 7 Nov 2001University of Virginia CS 58843 Though Air Can transmit and recognize spinning photons through normal atmosphere! Los Alamos group has demonstrated quantum key distribution over 0.5km in daylight Depends on sending laser pulse before photon to obtain nano-second timing Perhaps possible to send keys to satellites this way Slide 44 7 Nov 2001University of Virginia CS 58844 Whats in the Sneakers Black Box? A Quantum Computer Slide 45 7 Nov 2001University of Virginia CS 58845 Quantum Computing Feynman, 1982 David Deustch, 1985 design for general purpose quantum computer Quantum particles are in all possible states Can try lots of possible computations at once with the same particles In theory, can test all possible factorizations/keys/paths/etc. and get the right one! In practice, major advances required before we can build it (unless the NSA knows something we dont) Slide 46 7 Nov 2001University of Virginia CS 58846 Summary/Charge We can really use quantum physics to distribute keys with perfect secrecy! People with a lot of resources may (someday?) be able to use a quantum computer to factor quickly Next week: Monday: Malicious Code, Beer Bottle Deciphering Wednesday: Dan Ortiz, Law School Read the Napster Case