Quantum Contract Signing
Paulo Mateus, SQIG/IT – DM/IST/TULisbon
reporting joint work with J. Bouda, N. Paunkovic, S. Vaudenay and V. R. Vieira
WECIQ 2010 - October 2010
Plan
Why do we need quantum cryptography: Shor's cryptanalysis; quantum privacy attacks; classical threats.
Which cryptographic tasks can be improved: key distribution (BB84, E91); contract signing; …
Why we need quantum cryptography
All NIST public-key (asymmetric) security protocols rely on the hardness of one of two problems: factoring or the discrete logarithm.
Their hardness is a recent conjecture (about 40 years old).
Quantum computers can solve these problems in polynomial time.
Can we do the same with classical computers?
RSA Cryptosystem
n = pq with p and q primes
a·b ≡ 1 mod φ(n), where φ(n) = (p−1)(q−1)
a: public key; b: private key
e_a(x) = x^a mod n
d_b(y) = y^b mod n, so that x^{ab} ≡ x mod n
If the factorization of n is known then one can efficiently obtain b from a with the extended Euclidean algorithm.
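The slide's last point, as an added example (not the speaker's code): textbook RSA with the slide's notation (a public, b private), and the recovery of b from the public key once one factor of n is known. The primes 61 and 53 and exponent 17 are toy values chosen for this example; real keys are padded and thousands of bits long.

```python
# Added example, not the speaker's code: textbook RSA exactly as on the slide
# (a public exponent, b private), and the slide's last point made concrete:
# whoever knows the factorization of n recovers b from a with the extended
# Euclidean algorithm. Numbers are toy-sized and unpadded on purpose.


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(a, m):
    """Inverse of a modulo m, the step that turns a into b given phi(n)."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no inverse: gcd(a, m) != 1")
    return x % m


def keygen(p, q, a):
    """n = p*q, phi(n) = (p-1)(q-1), a*b = 1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (a, n), (modinv(a, phi), n)      # (public key, private key)


def encrypt(pub, x):
    a, n = pub
    return pow(x, a, n)                     # e_a(x) = x^a mod n


def decrypt(priv, y):
    b, n = priv
    return pow(y, b, n)                     # d_b(y) = y^b mod n


def private_from_factor(n, a, p):
    """The attack on the slide: given the public key (a, n) and one factor p,
    phi(n) is known and b is one modular inverse away."""
    q, rem = divmod(n, p)
    if rem:
        raise ValueError("p does not divide n")
    return modinv(a, (p - 1) * (q - 1))


if __name__ == "__main__":
    pub, priv = keygen(61, 53, 17)          # toy parameters (constructed)
    y = encrypt(pub, 65)
    print(pub, priv, y, decrypt(priv, y))
    print(private_from_factor(pub[1], pub[0], 61))   # recovers b = 2753
```

Everything Shor's algorithm does is deliver the factor p; the rest of the key recovery is this classical arithmetic.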
Shor’s Algorithm
Computes a factor of n in O((log n)^3) operations, i.e. cubic in the number of bits of n. Requires a quantum computer! For that we need to understand what a quantum computer is.
Quantum cryptoanalysis
Quantum RAM computer
Memory: qubits + classical bits.
Control: the usual imperative commands, endowed with: unitary transformations applied to a set of qubits; computational observation of qubits, storing the result of the observation in classical bits.
A quantum computer is probabilistic!!!
Shor’s algorithm
Quantum Fourier transformation
Hilbert space H of dimension n (log(n) qubits, with basis {|0>, |1>, ..., |n−1>})
QFT: H -> H
Shor’s algorithm
Finding a non-trivial factor of n reduces to finding the phase of an eigenvector of a particular unitary operation: U_n|ψ> = e^{iθ}|ψ>.
Finding this phase can be done with the inverse of the quantum Fourier transform applied to a state reachable from |ψ>.
The quantum Fourier transform (and its inverse) can be computed by a quantum computer in polynomial time.
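The classical reduction around that quantum step, as an added example (not the speaker's code): for the unitary U_a|x> = |a·x mod n> the phases are multiples of 1/r, where r is the order of a mod n, and phase estimation with the inverse QFT returns r. Here the order is found by brute force instead, so the reduction itself (even order, non-trivial square root of 1, gcd) can be run and inspected; the retry loop and the seed are choices of this example.

```python
import random
from math import gcd

# Added example, not the speaker's code. Shor's algorithm spends its quantum
# effort on one subroutine: the order r of a mod n (phase estimation of the
# unitary U_a|x> = |a x mod n> with the inverse QFT). Below that subroutine is
# replaced by brute force; everything else is Shor's classical post-processing.


def order_mod(a, n):
    """Smallest r > 0 with a^r = 1 (mod n): the value the QFT step delivers.
    Brute force here (exponential in the size of n); requires gcd(a, n) = 1."""
    r, x = 1, a % n
    while x != 1:
        x = x * a % n
        r += 1
    return r


def factor_from_order(n, a):
    """Shor's reduction for one base a. Returns a non-trivial factor of n, or
    None when this a is unlucky (odd order, or a^(r/2) = -1 mod n)."""
    g = gcd(a, n)
    if g != 1:
        return g                         # a already shares a factor with n
    r = order_mod(a, n)
    if r % 2:
        return None
    y = pow(a, r // 2, n)                # y^2 = 1 mod n
    if y == n - 1:
        return None                      # trivial square root of 1: no information
    # y is a non-trivial square root of 1, so (y-1)(y+1) = 0 mod n splits n
    f = gcd(y - 1, n)
    return f if 1 < f < n else gcd(y + 1, n)


def shor(n, seed=1):
    """Retry random bases until one yields a factor. For odd n with at least two
    distinct prime factors each try succeeds with probability at least 1/2;
    for a prime n this loop does not terminate."""
    rng = random.Random(seed)
    while True:
        f = factor_from_order(n, rng.randrange(2, n - 1))
        if f:
            return f


if __name__ == "__main__":
    print(order_mod(7, 15), factor_from_order(15, 7))   # r = 4, 7^2 = 4, gcd(3, 15) = 3
    print(shor(3233))                                   # 53 or 61
```

The final gcd step is the same "two different square roots of 1 mod n" idea that the number field sieve arrives at by sieving; Shor gets the square root from the period instead.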
Classical results
The best published asymptotic running time for a classical algorithm is that of the general number field sieve (GNFS), which, for a number with n bits, is
O(exp(((64/9) n)^{1/3} (log n)^{2/3}))
General Number Field Sieve: we choose two polynomials f(x) and g(x) of small degrees d and e, with integer coefficients, irreducible over the rationals, which, when interpreted mod n, have a common root m.
We consider the rings Z[r1] and Z[r2], where r1 and r2 are roots of the polynomials f and g, and look for values a and b such that r = b^d·f(a/b) and s = b^e·g(a/b) are smooth.
Using Gaussian elimination (over GF(2), on the exponent parities) we can get products of certain r and of the corresponding s to be squares at the same time.
Since m is a root of both f and g mod n, there are homomorphisms from the rings Z[r1] and Z[r2] to the ring Z/nZ which map r1 and r2 to m.
These homomorphisms map each "square root" to its integer representative.
Two different square roots of the same value mod n yield a factor of n.
Another approach
Try to simulate a quantum computer?!? Consider harmonic functions?!?
Reduce factoring to numerical integration over the complex plane
(P. Mateus & V. R. Vieira, Proceedings of the Royal Mathematical Society, 2010)
Another approach
Given a semiprime integer n = pq with p < q, consider the functions
h(z) = 1 − cos(πn/z)·cos(πz), g(z) = 1/h(z)
[plot of h for n = 15, p = 3, q = 5]
Another approach
The residue of g at p (a double pole, since h has a double zero there) is
Res(g, p) = lim_{z→p} d/dz [(z − p)² g(z)] = (1/(π² p)) · (2n/(p² + q²))²
Another approach
From the residue theorem we get that if γ is a Jordan curve that contains the pole p of g, then
Another approach
From the argument principle we get that if γ is a Jordan curve that contains a zero of h, then
Moreover, if γ does not contain any zero of h, then
Another approach
So, if one is able to compute the contour integral over, say, a thin ellipse (containing just the real zero of h), we can bisect the interval [2, n^{1/2}] to find p.
By observing that h(x, y) = u(x, y) + i·v(x, y) and exploiting the parities of u and v we are able to show that, for an ellipse parametrized by θ in [0, 2π],
Another approach
Unfortunately, tan^{-1} has several branches, so we need to know which branch we are in.
This can be done by dividing [0, π] into m subintervals and using a numerical approximation on each subinterval.
Open questions
We need to understand the number of subintervals m and to have an error bound, so that we know in which branch of tan^{-1} the value lies.
Final complexity?
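A numerical run of the idea for n = 15, as an added example (not the authors' code): the argument principle counts the zeros of h inside a thin ellipse on the real axis (2 at p, since the zero is double, 0 elsewhere), which is enough to bisect [2, √n] down to p; the residue of g = 1/h at p is also integrated numerically and compared against the closed form above. The ellipse thickness, quadrature size and stopping width are assumptions of this example, and the brute-force bisection is meant to show the mechanism, not the open complexity question.

```python
import cmath
import math

# Added example, not the authors' code: the contour-integral reduction on the
# slides run numerically for n = 15 (p = 3, q = 5). h(z) = 1 - cos(pi n/z) cos(pi z)
# vanishes to second order at z = p, so the argument principle reports 2 zeros in
# a thin ellipse around p and 0 in one that misses it; bisecting [2, sqrt(n)] on
# that test locates p. Ellipse thickness, quadrature size and stopping width are
# choices of this example.

PI = math.pi


def h(z, n):
    return 1 - cmath.cos(PI * n / z) * cmath.cos(PI * z)


def dh(z, n):
    """h'(z), using d/dz cos(pi n/z) = (pi n/z^2) sin(pi n/z)."""
    return (-(PI * n / z ** 2) * cmath.sin(PI * n / z) * cmath.cos(PI * z)
            + PI * cmath.cos(PI * n / z) * cmath.sin(PI * z))


def contour_integral(f, center, a, b, m=4000):
    """(1/(2 pi i)) * integral of f over the ellipse center + a cos t + i b sin t.
    The trapezoidal rule is spectrally accurate for periodic analytic integrands,
    so m points give the winding number / residue to machine precision."""
    total = 0j
    for k in range(m):
        t = 2 * PI * k / m
        z = center + a * math.cos(t) + 1j * b * math.sin(t)
        dz = -a * math.sin(t) + 1j * b * math.cos(t)
        total += f(z) * dz
    return total / (1j * m)            # (2 pi / m) * sum / (2 pi i)


def zeros_inside(n, lo, hi, thickness=0.05):
    """Argument principle: zeros of h (with multiplicity) inside the thin ellipse
    whose major axis is the real interval [lo, hi] (must stay away from z = 0)."""
    c, a = (lo + hi) / 2, (hi - lo) / 2
    w = contour_integral(lambda z: dh(z, n) / h(z, n), c, a, thickness)
    return round(w.real)


def residue_numeric(n, p, radius=0.2):
    """Residue of g = 1/h at the double pole p, by integrating g on a small circle."""
    return contour_integral(lambda z: 1 / h(z, n), p, radius, radius).real


def residue_formula(n, p, q):
    """Closed form from the slide: (1/(pi^2 p)) * (2n/(p^2 + q^2))^2."""
    return (2 * n / (p ** 2 + q ** 2)) ** 2 / (PI ** 2 * p)


def factor_by_bisection(n, width=0.25):
    """Halve [2, sqrt(n)], keeping the half whose thin ellipse encloses a zero of h."""
    lo, hi = 2.0, math.sqrt(n)
    while hi - lo > width:
        mid = (lo + hi) / 2
        if zeros_inside(n, lo, mid) > 0:
            hi = mid
        else:
            lo = mid
    cand = round((lo + hi) / 2)
    return cand if n % cand == 0 else None


if __name__ == "__main__":
    print(zeros_inside(15, 2.5, 3.5), zeros_inside(15, 2.0, 2.9))   # 2, 0
    print(residue_numeric(15, 3), residue_formula(15, 3, 5))
    print(factor_by_bisection(15))                                    # 3
```

The thin ellipse matters: h also has complex zeros near its real local minima, and the ellipse has to be flat enough to leave them outside while still enclosing the double zero at p.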
Privacy attacks – ZKP
Objectives and security properties of a zero-knowledge proof system
1. Soundness
2. Completeness
3. Zero-knowledge
4. Impossibility of transferring proofs
Scenario: Alice proves to Bob that she is Alice ("I'm Alice"); Bob should not be able to pass the proof on to Eve.
Zero-Knowledge Proof System (Goldreich, Micali and Wigderson 84)
Public input: isomorphic graphs G0 and G1. Alice's secret: an isomorphism G1 -> G0.
1. Alice generates a random isomorphism G0 -> G2 and sends G2 to Bob.
2. Bob chooses r in {0,1} and sends r to Alice.
3. Alice sends Bob an isomorphism from Gr to G2.
4. Bob verifies that the isomorphism he received goes from Gr to G2.
Quantum attack (simplified)
Before the proof, Eve and Bob set up:
a) Eve prepares EPR pairs {|00>+|11>}_x, x in S = {0,1}^k, in a tamper-proof device and sends half of each pair to Bob (Bob checks some of them with Eve to see that they are OK).
A public function h: graphs -> S = {0,1}^k selects one pair per graph.
The proof then runs as before, with two changes:
2. Bob's challenge r is the result of measuring his qubit of pair h(G2).
4. Bob verifies that the isomorphism he got goes from Gr to G2, and sends everything he got to Eve.
b) Eve checks that the pairs not selected by h(G2) are still in the EPR state (Bob did not measure more than he claims) and confirms the measured results against her own halves.
Bob could not have chosen r himself, so the transcript convinces Eve: the proof has been transferred.
Classical attack
The attack can be carried out with current classical tamper-proof devices.
It attacks all privacy methods with the exception of blind signatures.
The power of seals – P. Mateus & S. Vaudenay CHES 2009
Why do we need quantum cryptography
Classical asymmetric cryptography may collapse very soon (RSA, digital signatures), and with it e-commerce, e-banking, e-government and remote login (social networks, e-mail access).
Threats: quantum computers, which disprove badly stated mathematical conjectures; and badly stated assumptions (tamper-proof hardware).
Protocol Ekert 91
Requirements: random bit generation; EPR pair generation.
Protocol Ekert 91
Alice and Bob share n EPR pairs; Alice holds the halves |1>_A, |2>_A, |3>_A, ... and Bob the halves |1>_B, |2>_B, |3>_B, ...
1. For each pair, Alice and Bob each randomly generate a bit.
2. Each measures his or her half according to that bit: 0 – measure with the computational observable {|0>,|1>}; 1 – measure with the diagonal observable {|+>,|->}.
3. Ignore the observations for which the random bits do not coincide.
4. Confirm that Eve did not interfere and check the quality of the EPR pairs.
5. The shared key is constructed from the remaining observations.
Example from the slides (result, random bit, qubit):
pair   Alice            Bob              kept?
1      1  0  |1>_A      1  0  |1>_B      yes
2      +  1  |2>_A      0  0  |2>_B      no (bits differ)
3      0  0  |3>_A      +  1  |3>_B      no (bits differ)
4      -  1  |4>_A      -  1  |4>_B      yes
5      1  0  |5>_A      1  0  |5>_B      yes
6      +  1  |6>_A      +  1  |6>_B      yes
...
Theorem (Mayers 01, Shor and Preskill 01): The Ekert 91 protocol has perfect security.
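The two-basis protocol above, as an added example (not the speaker's code): a classical emulation in which a pair gives equal outcomes when both halves are measured in the same basis and independent outcomes otherwise, with sifting, an intercept-resend Eve on Bob's half, and the check of step 4 done by sacrificing a sample of the sifted bits. The outcome rules are what a Bell pair gives in the computational and diagonal bases; the sample fraction and the 5% abort threshold are assumptions of this example.

```python
import random

# Added example, not the speaker's code: a classical emulation of the
# two-basis EPR protocol drawn on the slides, with an intercept-resend Eve.
# Outcome rules: equal results when both halves are measured in the same
# basis, independent results otherwise. Sample size and threshold are
# assumptions of this example.

COMP, DIAG = 0, 1   # 0: computational basis {|0>,|1>}; 1: diagonal basis {|+>,|->}


def exchange(n, rng, eve=False):
    """Share n pairs, each side measures in a random basis, then sift.
    Returns the sifted (alice_bits, bob_bits)."""
    a_basis = [rng.randrange(2) for _ in range(n)]
    b_basis = [rng.randrange(2) for _ in range(n)]
    a_out, b_out = [], []
    for i in range(n):
        a = rng.randrange(2)                       # Alice's outcome is uniform
        st_basis, st_val = a_basis[i], a          # Bob's half collapsed to |a> in her basis
        if eve:                                   # intercept-resend on Bob's half
            e_basis = rng.randrange(2)
            e_val = st_val if e_basis == st_basis else rng.randrange(2)
            st_basis, st_val = e_basis, e_val     # Eve forwards the state she measured
        b = st_val if b_basis[i] == st_basis else rng.randrange(2)
        a_out.append(a)
        b_out.append(b)
    keep = [i for i in range(n) if a_basis[i] == b_basis[i]]   # step 3: sifting
    return [a_out[i] for i in keep], [b_out[i] for i in keep]


def qber(alice_bits, bob_bits):
    """Error rate of the sifted string (0 without Eve, about 1/4 with intercept-resend)."""
    return sum(x != y for x, y in zip(alice_bits, bob_bits)) / len(alice_bits)


def check_and_extract(alice_bits, bob_bits, rng, sample=0.25, threshold=0.05):
    """Step 4: publicly compare a random sample of the sifted bits, then discard
    them. Abort with None if the observed error rate exceeds the threshold,
    otherwise return the remaining bits as the raw key (step 5)."""
    idx = list(range(len(alice_bits)))
    rng.shuffle(idx)
    k = int(len(idx) * sample)
    errors = sum(alice_bits[i] != bob_bits[i] for i in idx[:k])
    if k and errors / k > threshold:
        return None
    return [alice_bits[i] for i in idx[k:]]


def session(n, seed, eve=False):
    """One full run; returns (sifted length, error rate, key or None)."""
    rng = random.Random(seed)
    a, b = exchange(n, rng, eve)
    return len(a), qber(a, b), check_and_extract(a, b, rng)


if __name__ == "__main__":
    print(session(4000, 3))             # no errors, about 2000 sifted bits, key
    print(session(4000, 3, eve=True))   # error rate near 0.25, aborted (None)
```

Intercept-resend hits the sifted bits with error rate 1/4: half the time Eve picks the wrong basis, and then Bob's result is uncorrelated with Alice's. That is what the sacrificed sample detects; the rest of the sifted string becomes the key only when the sample is clean.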
Perfect security
Proof (sketch):
All that Eve can do to the pairs is described by a POVM.
A POVM P induces a random variable V_P.
Let X be the random variable describing the generated key and n the size of the key.
There exists c > 0 such that, for all POVM P, n − H(X|V_P) ∈ O(2^{−cn}).
Analytical properties of POVMs lead to the above result.
Problems
Man-in-the-middle attack: the protocol requires an authenticated channel for Alice and Bob to communicate classically.
Classical authentication suffices: it only has to hold during the run, so data encrypted with the distributed key stays secure in the future even if the authentication scheme is later broken.
Classical contract signing
Context: Alice and Bob share a message m; Alice and Bob are signing agents through a PKI; Alice and Bob do not trust each other.
Objective: Alice and Bob want to exchange each other's signature of m.
Fairness condition: either both Alice and Bob receive each other's signature or neither does.
Classical contract signing
Theorem: In asynchronous networks there is no diligent fair contract signing protocol without communicating with a common trusted party.
Proof: reduction to the impossibility of Byzantine agreement.
There are probabilistic fair contract signing protocols…
Quantum contract signing
Context: Alice and Bob share a message m; Alice and Bob are signing agents through a PKI; Alice and Bob do not trust each other; Alice and Bob can share entangled memory, perform quantum computation and exchange quantum information.
Objective: Alice and Bob want to exchange, in a fair way, each other's signature of m.
Quantum contract signing
Theorem: In asynchronous quantum networks there is no diligent fair contract signing protocol without communicating with a common trusted party.
Proof: reduction to the impossibility of quantum Byzantine agreement.
There are improvements over probabilistic fair contract signing protocols…
Can decoherence be good?
Decoherence can be used as a global clock: it implements global synchronization.
Ideal decoherence for contract signing: start with a pure state, end with a mixed state.
Werner state
Consider the following Werner state
ρ(λ) = λ |Φ><Φ| + (1 − λ) I/4
(a mixture of a maximally entangled pair |Φ> and the fully mixed state), which evolves according to the following catastrophic decoherence:
λ(t) = 1 if t < t_c
λ(t) = 0 otherwise
Quantum contract signing
Protocol setup: Alice shares with a trusted agent (the Judge) n pairs of qubits in the Werner state; Bob does the same. It is assumed that Alice and Bob may change their minds about the contract up to time t_c.
Protocol run: if Alice receives the message signed by Bob before time t_c, she measures her half of the qubits in the computational basis, otherwise she measures in the diagonal basis. Bob does the same. No communication with the Judge!!!!
Quantum contract signing
Commitment verification: if somebody, say Alice, wants to enforce the contract, she must show the outputs of her computational-basis measurements to the Judge, who checks locally whether they match the measurements of his own halves.
If all the measurements coincide, the Judge accepts that Alice was committed to the contract before time t_c.
Then the Judge asks Bob whether he was not committed to the contract; to show that, Bob has to present his measurement outcomes in the diagonal basis. If all of them match, the contract is void; otherwise it is valid.
Contract signing protocol
Theorem: If Alice and Bob committed to the contract before time t_c, then the contract is void with exponentially small probability (in n). Moreover, if either Alice or Bob was not committed to the contract, then the contract is valid with exponentially small probability.
Corollary: the protocol is fair.
Quantum contract signing
Problem: how does Alice know whether Bob was committed or not?
Solution: the Judge shares 2n Werner states with each agent and gives n of the qubits shared with Alice to Bob, and vice versa.
Protocol modifications: after measuring, each agent has to publish the outputs of the measurements and the basis in which they were measured.
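The basic protocol (setup, run, commitment verification), as an added example (not the speaker's code): a classical emulation in which a pair shared with the Judge behaves like the Werner state under catastrophic decoherence. Measured before t_c, the agent's half and the Judge's half agree in whichever basis the agent used; measured at or after t_c (λ = 0), the two halves are independent random bits. T_C, the pair count and the strategy of an agent who has to present outcomes in a basis she did not use (she can only guess) are assumptions of this example; the 2n-pair modification above is not modelled.

```python
import random

# Added example, not the speaker's code: classical emulation of the
# contract-signing protocol on the slides. A pair behaves like the Werner state
# with lambda(t) = 1 for t < t_c and 0 afterwards. T_C, the number of pairs and
# the cheater's guessing strategy are assumptions of this example.

T_C = 100                                   # decoherence time t_c (constructed)
COMP, DIAG = "computational", "diagonal"


class SharedPair:
    """One qubit pair shared between an agent and the Judge."""

    def __init__(self, rng):
        self.rng = rng
        self.agent_basis = None             # basis of the agent's measurement, if before t_c
        self.agent_value = None

    def measure_agent(self, basis, t):
        v = self.rng.randrange(2)
        if t < T_C:                         # still entangled: the outcome fixes the pair
            self.agent_basis, self.agent_value = basis, v
        return v

    def measure_judge(self, basis):
        """The Judge measures his half later: it equals the agent's outcome only if
        she measured in this basis while the pair was entangled."""
        if basis == self.agent_basis:
            return self.agent_value
        return self.rng.randrange(2)


class Agent:
    def __init__(self, n_pairs, rng):
        self.rng = rng
        self.pairs = [SharedPair(rng) for _ in range(n_pairs)]
        self.basis, self.outcomes = None, None

    def decide(self, got_signature_before_tc, at=T_C - 1):
        """Protocol run, no communication with the Judge: computational basis if
        the counter-signature arrived before t_c, diagonal basis otherwise."""
        self.basis = COMP if got_signature_before_tc else DIAG
        self.outcomes = [p.measure_agent(self.basis, at) for p in self.pairs]

    def show(self, basis):
        """Outcomes shown to the Judge. An honest agent shows what she measured; an
        agent asked for the basis she did not use can only guess."""
        if basis == self.basis:
            return self.outcomes
        return [self.rng.randrange(2) for _ in self.pairs]


def judge(enforcer, other):
    """Commitment verification from the slides. 'rejected': the enforcer cannot
    show commitment; 'void': the other party proves non-commitment; else 'valid'."""
    comp = [p.measure_judge(COMP) for p in enforcer.pairs]
    if comp != enforcer.show(COMP):
        return "rejected"
    diag = [p.measure_judge(DIAG) for p in other.pairs]
    return "void" if diag == other.show(DIAG) else "valid"


def scenario(alice_got_sig, bob_got_sig, seed=0, n_pairs=64, alice_measures_at=T_C - 1):
    """Alice tries to enforce the contract against Bob."""
    rng = random.Random(seed)
    alice, bob = Agent(n_pairs, rng), Agent(n_pairs, rng)
    alice.decide(alice_got_sig, at=alice_measures_at)
    bob.decide(bob_got_sig)
    return judge(alice, bob)


if __name__ == "__main__":
    print(scenario(True, True))                           # valid
    print(scenario(True, False))                          # void
    print(scenario(False, True))                          # rejected
    print(scenario(True, True, alice_measures_at=T_C + 1))  # rejected: measured too late
```

The last scenario is the "decoherence as a global clock" point: an agent who waits past t_c measures a fully mixed state, so her outcomes are uncorrelated with the Judge's and she can neither enforce nor void. A committed Bob who later claims non-commitment is in the same position, since he never measured in the diagonal basis while the pairs were entangled; with 64 pairs his guess matches the Judge with probability 2^-64.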
Implementing Werner states
Approximation with realistic noise models; quantum sealed devices; impossibility of storing a stable entangled quantum system.
Quantum contract signing
With decoherence we can make fair contract signing protocols!!!
Clear implementation with quantum sealed devices, or by taking into account that quantum states decay...
Published in IJQC; PRL version without tamper-proof devices, with an idea from N. Paunkovic.
Conclusions
Classical crypto is based on bad conjectures.
According to the laws of physics these conjectures do not hold for quantum computers.
Even for classical computers nobody knows whether they hold.
Quantum cryptographic protocols are implementable with optical fiber technology!
Which security tasks can be improved?