Quantum Cryptography Christian Schaffner Institute for Logic, Language and Computation (ILLC) University of Amsterdam Centrum Wiskunde & Informatica Amsterdam University College Monday, 24 February 2014
2 1969: Man on the Moon NASA The Great Moon-Landing Hoax? How can you prove that you are at a specific location?
3 What will you learn from this Talk? Classical Cryptography Introduction to Quantum Mechanics Quantum Key Distribution Position-Based Cryptography
4 Classical Cryptography 3000 years of fascinating history Until 1970: private communication was the only goal Scytale Enigma
5 Modern Cryptography is everywhere! is concerned with all settings where people do not trust each other
6 Secure Encryption k = ? Alice Bob Goal: Eve does not learn the message Setting: Alice and Bob share a secret key k Eve k = m = m = “I love you”
eXclusive OR (XOR) Function xyx © y Some properties: 8 x : x © 0 = x 8 x : x © x = 0 7 ) 8 x,y : x © y © y = x
One-Time Pad Encryption Alice Bob Goal: Eve does not learn the message Setting: Alice and Bob share a key k Recipe: Is it secure? Eve xyx © y k = m = c = m © k = c © k= c © k= m © k © k = m © 0 = m c = k = m = c = m © k = m = c © k = k = k = ? 8
Perfect Security Alice Bob Given that c = , is it possible that m = ? Yes, if k = is it possible that m = ? Yes, if k = it is possible that m = ? Yes, if k = In fact, every m is possible. Hence, the one-time pad is perfectly secure! Eve xyx © y m = ? k = ? c = m © k = m = c © k = ? k = ? 9
Problems With One-Time Pad Alice Bob The key has to be as long as the message. The key can only be used once. In practice, other encryption schemes (such as AES) are used which allow to encrypt long messages with short keys.AES One-time pad does not provide authentication: Eve can easily flip bits in the messageauthentication Eve m = k = c = m © k = m = c © k = k = ? 10
Symmetric-Key Cryptography Alice Encryption insures secrecy: Eve does not learn the message, e.g. one-time padone-time pad Authentication insures integrity: Eve cannot alter the message General problem: players have to exchange a key to start with Eve Bob 11
Public-Key Cryptography Alice Solves the key-exchange problem. Everyone can encrypt using the public key.public key Only the holder of the secret key can decrypt. Digital signatures: Only secret-key holder can sign, but everyone can verify signatures using the public-key. Digital signatures Eve public key secret key 12 Bob Charlie
History of Public-Key Crypto Early 1970s: invented in the „classified world“ at the British Government Communications Head Quarters (GCHQ) by Ellis, Cocks, Williamsoninvented Government Communications Head Quarters Mid/late 1970s: invented in the „academic world“ by Merkle, Hellman, Diffie, and Rivest, Shamir, Adleman 13
Politics of Cyberwar Edward Snowden, former CIA and NSA employee, now whistleblower and on (temporary) asylum in Russia Edward Snowdenwhistleblower leaked many thousand top secret documents to various media, documenting a mass surveillance programs by secret services from all over the world mass surveillance programs 14
Politics of Cyberwar 15
Politics of Cyberwar Methods: Break cryptography Influence industrial standardsstandards Pressure manufacturers to make insecure devices Infiltrate hardware and software (communication infrastructure, computers, smartphones etc.) Why mass surveillance? Other than to combat terrorism, these surveillance programs have been employed to assess the foreign policy and economic stability of other countries, and to gather "commercial secrets“. 16
Why worry? „I have nothing to hide“ is a very naive reaction. Think about what your smartphone knows about you. Think about what your smartphone does not know about you. 17
Why worry? „I have nothing to hide“ is a very naive reaction. Everyone‘s personal privacy is at stake! George Orwell‘s surveillance state from his book 1984 is coming true... George Orwell1984 "They (the NSA) can use the system to go back in time and scrutinize every decision you've ever made, every friend you've ever discussed something with, and attack you on that basis to sort of derive suspicion from an innocent life and paint anyone in the context of a wrongdoer." – Edward Snowden 18
Cryptography and Logic Cryptographic protocols for advanced tasks are built from basic building blocks Problem: security proofs become very hard to verify Solution: Logic provides formal methods to specify tools and taskformal methods Use automatic proof checkers to verify security Signature Key establishment Hash function Encryption Crypto-Toolbox electronic voting system 19
20 What will you Learn from this Talk? Classical Cryptography Introduction to Quantum Mechanics Quantum Key Distribution Position-Based Cryptography
21 Quantum Bit: Polarization of a Photon qu b i t asun i t vec t or i n C 2
22 Qubit: Rectilinear/Computational Basis
23 Detecting a Qubit Bob No photons: 0 Alice
24 Measuring a Qubit Bob No photons: 0 Photons: 1 with prob. 1 yields 1 Measurement: 0/1 Alice
25 Diagonal/Hadamard Basis with prob. ½ yields 0 with prob. ½ yields 1 Measurement: 0/1 =
26 Measuring Collapses the State with prob. ½ yields 0 with prob. ½ yields 1 Measurement: 0/1 =
27 Measuring Collapses the State = =
28 Quantum Mechanics with prob. 1 yields 1 Measurements: + basis £ basis with prob. ½ yields 0 with prob. ½ yields 1 0/1
Wonderland of Quantum Mechanics
30 [Shor ’94] Efficient quantum algorithm for factoring which breaks public-key cryptography (RSA) [Grover ’96] Fast quantum search algorithm Possible to build in theory, no fundamental theoretical obstacles have been found yet. Canadian company “D-Wave” claims to have build one. Did they? Quantum Computer
31 No-Cloning Theorem Quantum operations: U Proof: copying is a non-linear operation
Quantum Key Distribution (QKD) Alice Bob Eve Offers an quantum solution to the key-exchange problem Puts the players into the starting position to use symmetric-key cryptography (encryption, authentication etc.). [Bennett Brassard 84] 32 k = k = ?
Quantum Key Distribution (QKD) [Bennett Brassard 84] k = 110
Quantum Key Distribution (QKD) [Bennett Brassard 84] k = 10 Quantum states are unknown to Eve, she cannot copy them. Honest players can test whether Eve interfered. k = ?
Quantum Key Distribution (QKD) Alice Bob Eve technically feasible: no quantum computer required, only quantum communication [Bennett Brassard 84] 35
36 What will you Learn from this Talk? Classical Cryptography Introduction to Quantum Mechanics Quantum Key Distribution Position-Based Cryptography
37 Position-Based Cryptography Typically, cryptographic players use credentials such as secret information (e.g. password or secret key) authenticated information biometric features Can the geographical location of a player be used as cryptographic credential ?
38 Position-Based Cryptography Possible Applications: Launching-missile command comes from within the military headquarters Talking to the correct country Pizza-delivery problem / avoid fake calls to emergency services … Can the geographical location of a player be used as sole cryptographic credential ?
39 Basic task: Position Verification Prover wants to convince verifiers that she is at a particular position no coalition of (fake) provers, i.e. not at the claimed position, can convince verifiers assumptions: communication at speed of light instantaneous computation verifiers can coordinate Verifier1 Verifier2 Prover
40 Position Verification: First Try Verifier1 Verifier2 Prover time distance bounding [Brands Chaum ‘93]
41 Position Verification: Second Try Verifier1 Verifier2 Prover position verification is classically impossible !
42 The Attack copying classical information this is impossible quantumly
43 Position Verification: Quantum Try [Kent Munro Spiller 03/10] Can we brake the scheme now?
44 Attacking Game Impossible to cheat due to non- cloning theorem Or not? ? ?
45 Teleportation Attack It is possible to cheat with entanglement !!entanglement Quantum teleportation allows to break the protocol perfectly. Quantum teleportation [Bell]
46 No-Go Theorem Any position-verification protocol can be broken using a very large number of entangled qubits. Question: Are so many quantum resources really necessary? Does there exist a protocol such that: honest prover and verifiers are efficient, but any attack requires lots of entanglement [Buhrman, Chandran, Fehr, Gelles, Goyal, Ostrovsky, Schaffner 2010]
47 What Have You Learned from this Talk? Classical Cryptography Long historyhistory One-time pad Public-key cryptography Links to Logic and PoliticsLogic Politics Alice Bob Eve m = k = c = m © k = k = ?
48 What Have You Learned from this Talk? Quantum Mechanics Qubits Quantum Computer No-cloning Entanglement Quantum Teleportation
49 What Have You Learned from this Talk? Position-Based Cryptography Quantum Key Distribution (QKD)QKD
Thank you for your attention! Questions
51 Are There Secure Schemes? Different quantum schemes proposed by Chandran, Fehr, Gelles, Goyal, Ostrovsky [2010] Malaney [2010] Kent, Munro, Spiller [2010] Lau, Lo [2010] Unfortunately they can all be broken! General no-go theorem [Buhrman, Chandran, Fehr, Gelles, Goyal, Ostrovsky, Schaffner 2010]
52 Quantum Operations are linear isometries can be described by a unitary matrix: examples: identity bitflip (Pauli X): mirroring at axis X X X X
53 Quantum Operations are linear isometries can be described by a unitary matrix: examples: identity bitflip (Pauli X): mirroring at axis phase-flip (Pauli Z): mirroring at axis both (Pauli XZ) Z
54 U Most General Single-Round Scheme Let us study the attacking game
55 U Distributed Q Computation in 1 Round using some form of back-and-forth teleportation, players succeed with probability arbitrarily close to 1 requires an exponential amount of EPR pairs