Intro to Quantum Cryptography Algorithms Andrew Hamel EECS 598 Quantum Computing FALL 2001

References Ekert, A. “From quantum code-making to quantum code-breaking”, 1997 Brassard, et al. “A Quantum Bit Commitment Scheme Provably Unbreakable by both Parties”, 1993

Outline Classical Cryptography overview Problems with classical cryptography Quantum Algorithms Quantum Bit Commitment Quantum Key Distribution Introduction Conclusions

Classical Cryptography Simple Methods Transposition Arrange the “plaintext” in a special permutation Substitution Replace letters of the “plaintext” with other letters or symbols in a certain way Caesar’s Cipher COLD -> FROG

Classical Cryptography Problem with simple methods Security depends on the secrecy of the entire encrypting/decrypting process Need a way to ensure secrecy even if the encryption process is compromised

Classical Cryptography Key-based Cryptography Private Key Secret key locks and unlocks data Encrypt – E Pri (P) = C Decrypt – D Pri (C) = P Public Key Separate keys to lock and unlock data Encrypt – E Pub (P) = C Decrypt – D Pri (C) = P

Classical Cryptography Problem with private-key encryption Depends entirely on the secrecy of the key Requires two parties who initially share no secret information to exchange a secret key An eavesdropper can passively snoop secret key as it’s being exchanged

Classical Cryptography Problems with Public-key encryption No key distribution problem However, security relies on unproven mathematical assumptions such as the difficulty of factoring large integers Shor has already shown that the assumption wont hold up against quantum computation

What can be done? Private key is vulnerable to classical attacks, Public key is vulnerable to quantum attacks Solution: Augment private key encryption with quantum key distribution

A Slightly Different Problem Before worrying about eavesdroppers, let’s consider at simple bit-commitment scenario: Alice and Bob (who are mutually untrustworthy) wish to play a multiplayer game over a network Each player takes one action per round In order to prevent a player from waiting for the other’s move before deciding, each player commits themselves to an action by first transmitting an encrypted move (hash) Upon receiving the actual move, each player can encrypt it and compare to the previously received hash

Quantum Bit Commitment Why is bit commitment useful? Allows Alice to commit to a certain action without revealing that action to Bob Alice gives Bob a “hint” about what her action will be Later, if Alice wishes to reveal that action to Bob, the hint allows Bob to be certain that Alice has not changed the action

Quantum Bit Commitment Obvious problem with classical bit commitment Problem similar to the public-key encryption problem Hard for Alice to give Bob evidence that will both lock in her action AND prevent Bob for interpreting her action from the hint If we give Bob unlimited computational power (or a quantum computer) he could decrypt the hash and gain an advantage over Alice

Quantum Bit Commitment Solution: We need a hash that is not based on a shared algorithm that Bob could reverse Add a quantum channel in parallel to the classical communication channel Utilize quantum channel for transmission of “hint” to Bob

Quantum Bit Commitment Alice wants to commit a bit v to Bob Alice calls a function commit(v) that uses the quantum channel to transmit a “hint” to Bob Later, Alice calls unveil(v) to reveal v Bob can use his hint to ensure that Alice has not changed v

Quantum Bit Commitment Notation Rectilinear Base {|0>,|1>} = ‘+’ Diagonal Base { (|0>+|1>)/sqrt(2), (|0>-|1>)/sqrt(2) } = ‘X’ Vectors |0> = ‘|’ |1> = ‘-’ (|0>+|1>) = ‘/’ (|0>- |1>) = ‘\’

Quantum Bit Commitment Algorithm commit(v) Bob supplies Alice with a matrix G that generates code words that differ by at least 10εn bits Alice chooses a random n-bit string(r) Alice uses matrix G to generate a codeword(c) such that rc = v Alice announces r to Bob Alice chooses another n-bit random string(b) Alice sends c to Bob on the quantum channel encoded according to: b i =0 -> +0 = |1 = - b i =1 -> x0 = /1 = \

Quantum Bit Commitment Algorithm commit(v) Bob chooses his own random string of bases (b’) Bob uses b’ to measure the incoming values which gives Bob string c’ Bob now has a “quantum hint” of what Alice’s codeword is However, Bob cannot get any information out of the codeword since he doesn’t know what transmission bases Alice used Statistically Bob will only guess 50% of the bases correctly – 50% of the codeword bits are effectively random

Quantum Bit Commitment Algorithm unveil(v) Alice sends c,b,v to Bob Bob calculates a compare-summation on code words c and c’ for all bits in which Bob correctly guessed the transmission basis.  = (b i = b’ i )  (c i xor c’ i ) / (n/2)

Quantum Bit Commitment Algorithm unveil(v) If rc = v (Alice’s original setup) And c is a valid codeword of matrix G And  < 1.4ε Bob accepts v Otherwise Bob rejects v

Quantum Bit Commitment Example: Alice obtains a c = Generates random base: B = {++X+XX+X} Encodes c in base B: { - | \ - / \ - / } Transmits quantum string to Bob

Quantum Bit Commitment Example cont… Bob receives encoded string Chooses own random base and measures the quantum transmission B’ = {X+++X+XX} Obtains result c’ = { * 0 * 1 0 * * 0 } * = random result

Example cont… Alice sends b, c to Bob Bob compares b to b’ b= {++X+XX+X} b’= {X+++X+XX} Bob compares c and c’ for bits corresponding to matches in b an b’ c = { } c’= {*0*10**0} Quantum Bit Commitment

Can Either Player Cheat? Alice In order to fool Bob, would have to alter her codeword so that rc new = ~v However, she also has to ensure that c new is a valid codeword of generating matrix G This means Alice will have to flip at least 10εn bits to reach a new, valid codeword Also, to avoid detection, all Alice’s bit flips would have to be done on bits in which Bob chose a different measurement base than Alice did

Can Either Player Cheat? Alice’s Chances: The Probability that a given base differs: Prob (b != b’) = 0.5 Prob (success) = (0.5) 10εn So for: N = 1000, ε = 1% P(success) = 7.9 *

Can Either Player Cheat? Favorable conditions for Alice If there is no noise on the channel when Alice transmits Bob can attribute some of the differences to noise Alice could afford to incorrectly flip X bits where x must be: 0.7εn > X = 7 bits in our previous example Improves her chances to 1 * Does not help when n is large enough Flipping bases in conjunction with bits can also help

Can Either Player Cheat? Bob Until Alice reveals b, Bob knows nothing about c since c’ is nothing but random data until the bases are known. The information hidden in c’ “comes into being” only when Alice reveals her quantum transmission bases. Since no information exists prior to Alice’s transmission, it’s impossible for Bob to draw information out of c’

Can Either Player Cheat? Bob does an exhaustive key search Restricting Alice’s codeword choices could help Bob Bob finds all possible code words from matrix G that differ by 0.25n bit flips from the measured codeword However code words themselves only differ by 10εn which would produce an large enough set to negate Bob’s efforts

Can Either Player Cheat? Bob uses a non-standard base: Uses base halfway between diagonal and rectilinear Still only gives Bob 75% bit accuracy Also negates Bob’s ability to check Alice’s moves

Conclusions With a significantly large n and a reasonable ε, a cheat-proof Bit commitment algorithm can be implemented Using a Quantum channel allows a sender to “create” information after it has been transmitted Bob’s random data contains no information until Alice announces her transmission bases Will be a useful property for Quantum Key Distribution The “bothersome” properties of quantum mechanics ensure that the algorithm works If measurement did not destroy quantum information, Bob could continue to measure the bits received until he was probabilistically certain of the correct value Likewise if Bob could clone quantum states