
COS 433: Cryptography

COS 433: Cryptography . Princeton University Spring 2010 Boaz Barak. Disclaimer. Lecture 12: Idiot’s Guide to Quantum Computing & Crypto.


Presentation Transcript


  1. COS 433: Cryptography Princeton University Spring 2010 Boaz Barak Disclaimer Lecture 12: Idiot’s Guide to Quantum Computing & Crypto

  2. "Do not take the lecture too seriously . . . just relax and enjoy it. I am going to tell you what nature behaves like. If you will simply admit that maybe she does behave like this, you will find her a delightful, entrancing thing. Do not keep saying to yourself 'But how can it be like that?' because you will get . . . into a blind alley from which nobody has yet escaped. Nobody knows how it can be like that." Richard Feynman on Quantum Mechanics.
     Strange aspects of quantum mechanics:
     • Superposition – object doesn’t have definite properties (location, speed) but has probabilities over them.
     • Interference – probabilities can be negative.
     • Entanglement – properties of many particles can be correlated.
     • Measurement – object’s properties collapse to definite value when measured, collapsing also properties of other entangled objects.

  3. Double-Slit Experiment
     How does an electron passing through the top slit know to avoid the mid point if the bottom slit is open?
     We can never catch an electron “red-handed” behaving bizarrely: if we place a detector, the pattern turns out to be as expected.

  4. Mathematical Formalism
     Consider object/system that can be in one of two states:
     • State $|1\rangle$ – electron hit mid point.
     • State $|0\rangle$ – electron did not hit mid point.
     Deterministic view: System is either in state $|0\rangle$ or state $|1\rangle$.
     Probabilistic view: System is in state $|0\rangle$ w.prob $p$ and state $|1\rangle$ w.prob $q$, with $p+q=1$.
     Quantum view: System is in state $p|0\rangle+q|1\rangle$ with $|p|+|q|=1$ ($p,q$ can be negative!).
     In fact, to make the math work nicely, assume:
     • $p,q$ can be arbitrary complex numbers.
     • $|p|^2+|q|^2=1$ (prob of system measuring to $|0\rangle$ is $|p|^2$).

  5. Mathematical Formalism
     Consider object/system that can be in one of two states:
     • State $|1\rangle$ – electron hit mid point.
     • State $|0\rangle$ – electron did not hit mid point.
     Quantum view: System is in state $p|0\rangle+q|1\rangle$ with $|p|^2+|q|^2=1$ ($p,q$ complex).
     Suppose system consists of two bits $b_1, b_2$ – has four possible states: $|00\rangle, |01\rangle, |10\rangle, |11\rangle$.
     Quantum view: System is in state $p_1|00\rangle+p_2|01\rangle+p_3|10\rangle+p_4|11\rangle$ where $|p_1|^2+|p_2|^2+|p_3|^2+|p_4|^2=1$.
     When measured, system will collapse to the $i$th state w.prob $|p_i|^2$.
     Note: Need $2^n$ numbers to keep track of state $\sum_{x\in\{0,1\}^n} p_x|x\rangle$ of $n$-bit system.

  6. World View
     Suppose system consists of two bits $b_1, b_2$ – has four possible states: $|00\rangle, |01\rangle, |10\rangle, |11\rangle$.
     Quantum view: System is in state $p_1|00\rangle+p_2|01\rangle+p_3|10\rangle+p_4|11\rangle$ where $|p_1|^2+|p_2|^2+|p_3|^2+|p_4|^2=1$.
     When measured, system will collapse to the $i$th state w.prob $|p_i|^2$.
     Note: Need $2^n$ numbers to keep track of state $\sum_{x\in\{0,1\}^n} p_x|x\rangle$ of $n$-bit system.
     Democritos → Newton → Einstein: Underlying everything are small particles interacting locally using simple well-defined rules (“billiard balls”).
     Quantum Mechanics: Nature has a secret HUGE piece of paper containing $> 2^{10000000000000000}$ complex numbers, keeping track of a superposition of all particles in the world, but allows us only to make some specific measurements of these numbers. Measuring changes the state of the world.

  7. Bell’s Inequalities [EPR,B,CHSH]
     [Figure: Alice, Bob, Charlie; labels $a$, $b$, $x$, $y$]
     Alice and Bob win if $a \oplus b = x \wedge y$ (i.e., if $a=b$ unless $x=y=1$).
     Can win w.p. ¾ by always sending $a=b=0$.
     Thm: Cannot do better without coordination: if $a$ is a function of $x$, private and shared randomness, and $b$ is a function of $y$, private and shared randomness, then Alice and Bob win with prob $\le$ ¾.

  8. Bell’s Inequalities [EPR,B,CHSH]
     [Figure: Alice, Bob, Charlie; labels $a$, $b$, $x$, $y$; 19K miles (0.1 light seconds)]
     Alice and Bob win if $a \oplus b = x \wedge y$ (i.e., if $a=b$ unless $x=y=1$).
     Thm: If $a$ is a function of $x$, private and shared randomness, and $b$ is a function of $y$, private and shared randomness, then Alice and Bob win with prob $\le$ ¾.
     Meaning: In Democritos/Newton/Einstein world – Alice and Bob can’t win game with prob $\ge$ ¾.
     Proof: By averaging argument, a deterministic strategy maximizes success. $\Rightarrow$ Can assume $a=a(x)$, $b=b(y)$: check 16 possible cases.
     Bell: According to Quantum Mechanics – they can win with prob $\ge 0.8$!

  9. Unitary Operations
     Consider system of one bit $b$. Classically, there are not many operations we can perform on it – keep it the same or invert it.
     In QM, system’s state is described as $p|0\rangle+q|1\rangle$, i.e., a vector $(p,q)\in\mathbb{C}^2$.
     According to QM, we can perform any operation $A$ on system that is:
     • Linear: $A(p+p',q+q') = A(p,q) + A(p',q')$
     • Norm-preserving: If $\|(p,q)\| = p^2+q^2 = 1$ then $\|A(p,q)\|=1$
     • (hence) Orthogonal: $A(1,0)=A|0\rangle$ is perpendicular to $A(0,1)=A|1\rangle$, where $(p,q)\perp(p',q')$ if $pp'+qq'=0$
     Example: $R_\theta = \begin{pmatrix}\cos(\theta) & -\sin(\theta)\\ \sin(\theta) & \cos(\theta)\end{pmatrix}$, so $R_\theta|0\rangle = \cos(\theta)|0\rangle + \sin(\theta)|1\rangle$ and $R_\theta|1\rangle = -\sin(\theta)|0\rangle + \cos(\theta)|1\rangle$.

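  10. Bell’s Inequalities [EPR,B,CHSH]
      [Figure: Alice, Bob, Charlie; labels $a$, $b$, $x$, $y$; axes $|0\rangle$, $|1\rangle$ for $a$ and $b$; 19K miles (0.1 light seconds)]
      Alice and Bob win if $a \oplus b = x \wedge y$ (i.e., if $a=b$ unless $x=y=1$).
      Bell: According to Quantum Mechanics – they can win with prob $\ge 0.8$!
      1) Initialize system $a,b$ to state $2^{-1/2}|00\rangle+2^{-1/2}|11\rangle$
      2) If $x=1$ Alice applies $R_{22.5}$ to $a$
      3) If $y=1$ Bob applies $R_{-22.5}$ to $b$
      4) Bob & Alice measure and send $a,b$ respectively.
      Resulting angle between $a$ and $b$ in each case:
      • $x=0,y=0$: angle $ab=0$ $\Rightarrow$ $\Pr[a=b]=1$
      • $x=1,y=0$: angle $ab=22.5$ $\Rightarrow$ $\Pr[a=b]=\cos(22.5)^2 \sim 0.85$
      • $x=0,y=1$: angle $ab=-22.5$ $\Rightarrow$ $\Pr[a=b]=\cos(-22.5)^2 \sim 0.85$
      • $x=1,y=1$: angle $ab=45$ $\Rightarrow$ $\Pr[a=b]=\cos(45)^2 =$ ½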

  11. World View
      Democritos → Newton → Einstein: Underlying everything are small particles interacting locally using simple well-defined rules (“billiard balls”).
      Quantum Mechanics: Nature has a secret HUGE piece of paper containing $> 2^{10000000000000000}$ complex numbers, keeping track of a superposition of all particles in the world, but allows us only to make some specific measurements of these numbers. Measuring changes the state of the world.
      “Corollary”: We do not know how to simulate a quantum system of $n$ particles for $t$ time units in time poly$(n,t)$.
      Rephrase: There are some computations performed by quantum systems of $n$ particles and $t$ time units that we don’t know how to perform on a classical computer in time poly$(n,t)$.
      Maybe can use quantum system to solve hard computational problems??

  12. Quantum Computation – State of the Art
      • There is a mathematical model for computing devices exploiting quantum mechanics – “quantum computers”.
      • Many technical difficulties (and maybe fundamental difficulties?) in building such machines.
      • (Unsurprisingly) there is no proof that quantum computers are more powerful than classical computers/Boolean circuits/Turing machines.
      • There are polynomial algorithms for quantum computers solving problems unknown to be solvable classically in poly-time:
        • Simulation of quantum system
        • Factoring integers and discrete logs.
      • There are hard problems with no quantum poly-time algorithms:
        • SAT, 3COL and all the NP-complete problems.
        • Inverting many candidate one-way functions and permutations, private key encryption and signature schemes.
        • Problems on lattices (can be used for public-key encryption).

  13. Quantum Computation And Cryptography
      • If quantum computers can be built, then many popular encryption and signature schemes can be broken (RSA, Diffie-Hellman).
      • However, there are still other candidates for encryption schemes not known to be broken. This is especially true for private key cryptography and signature schemes.
      • Many (but not all) of the proofs of security in crypto carry over from the classical model to the quantum model, as long as the underlying hard problem is assumed hard for quantum computers.
      • Exciting possibilities of using quantum mechanics to obtain unconditionally secure cryptography: Quantum Key Distribution (QKD). Does not require full fledged quantum computers – prototype systems already being built.

  14. Some Quotes
      • "The major problem [with Quantum Computing] is the requirement that basic quantum equations hold to multi-hundredth if not millionth decimal positions... Are quantum amplitudes still complex numbers to such accuracies or do they become quaternions, colored graphs, or sick-humored gremlins?" Leonid Levin
      • "The only difference between a probabilistic classical world and the equations of the quantum world is that somehow or other it appears as if the probabilities would have to go negative.." Richard Feynman
      (See Aaronson STOC’04 for scientific response)

  15. Factoring, Dlog using Quantum (Shor’s Algorithm)
      • Popular description: Quantum computer with $n$ qubits can search over $\exp(n)$ possibilities to find the factor.
      • False:
        • Probabilistic computer with $n$ bits also has $\exp(n)$ state space – doesn’t help to factor.
        • If this was true, why can’t quantum computers break AES?
      • Bird’s eye view of Shor’s algorithm:
        • Reduction to order finding: given $X, N$, find smallest $A$ s.t. $X^A = 1 \pmod N$.
        • Idea: with prob $\ge$ ¼ random $X$ has (1) even order $A$ (2) $X^{A/2} \ne \pm 1 \pmod N$.
        • Then $\gcd(X^{A/2}-1, N) \notin \{1,N\}$.
        • Quantum alg for: given $F: \mathbb{Z}^*_N \to \mathbb{Z}^*_N$ s.t. $F(X+A)=F(X)$ for all $X$, find $A$.

  16. Quantum alg for: given $F: \mathbb{Z}^*_N \to \mathbb{Z}^*_N$ s.t. $F(X+A)=F(X)$ for all $X$, find $A$. • Fourier Transform:

  17. Quantum alg for: given $F: \mathbb{Z}^*_N \to \mathbb{Z}^*_N$ s.t. $F(X+A)=F(X)$ for all $X$, find $A$. • Fourier Transform:

  18. Quantum Key Distribution
      Consider system of two bits $b_1, b_2$ initialized to $2^{-1/2}|00\rangle + 2^{-1/2}|11\rangle$. Give $b_1$ to Alice and $b_2$ to Bob.
      According to QM, until Alice measures $b_1$ it is completely random, but once she measures it the system collapses to either $|00\rangle$ or $|11\rangle$. Thus Bob will measure the same value as Alice.
      First idea for key exchange using QM:
      [Diagram: Alice, Eve, Bob; $b_1b_2 = |00\rangle+|11\rangle$; transfer qubit $b_2$; measure $b_1$; measure $b_2$]

  19. First idea for key exchange using QM:
      [Diagram: Alice, Eve, Bob; $b_1b_2 = |00\rangle+|11\rangle$; transfer qubit $b_2$; measure $b_1$; measure $b_2$]
      Problem: What if Eve measures $b_2$ on the way and learns it? We can’t stop Eve from doing so, but we need a way for Bob to find out.
      Problem can be solved but we need:
      • Assume Bob and Alice can exchange authenticated but not secret classical messages.

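  20. Key exchange using QM:
      [Diagram: Alice, Eve, Bob; $b_1b_2 = |00\rangle+|11\rangle$]
      • Alice: with prob ½, apply $H$ to $b_1$. Transfer qubit $b_2$.
      • Bob: “I received the bit”.
      • Alice: if applied $H$, send “YES”.
      • Bob: if “YES”, apply $H$ to $b_2$. Measure $b_2$. W.p. ½ send $b_2$.
      • Alice: measure $b_1$. If $b_1 \ne b_2$ abort protocol.
      $H$: $H|0\rangle = 2^{-1/2}|0\rangle + 2^{-1/2}|1\rangle \sim |0\rangle + |1\rangle = (1,1)$; $H|1\rangle = 2^{-1/2}|0\rangle - 2^{-1/2}|1\rangle \sim |0\rangle - |1\rangle = (1,-1)$
      Lemma 1: If Eve did not measure $b_2$ then $b_1=b_2$ with prob 1.
      Proof: If they did not apply $H$ then clearly $b_1=b_2$. If both Alice and Bob apply $H$ we get that $b_1b_2$ is transformed to
      $HH(|00\rangle+|11\rangle) = (|0\rangle+|1\rangle)(|0\rangle+|1\rangle)+(|0\rangle-|1\rangle)(|0\rangle-|1\rangle) = |00\rangle+|10\rangle+|01\rangle+|11\rangle+|00\rangle-|10\rangle-|01\rangle+|11\rangle = |00\rangle+|11\rangle$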

  21. Key exchange using QM (protocol and definition of $H$ as on slide 20).
      Lemma 2: If Eve did measure $b_2$ then $b_1 \ne b_2$ with prob $\ge 1/4$.
      Proof: As example, assume that Eve measured $b_2$ and collapsed $b_1b_2$ to $|11\rangle$. If both Alice and Bob apply $H$ we get that $b_1b_2$ is transformed to
      $HH|11\rangle = (|0\rangle-|1\rangle)(|0\rangle-|1\rangle) = |00\rangle-|10\rangle-|01\rangle+|11\rangle$
      W.p. ½ this system collapses to either $|10\rangle$ or $|01\rangle$ and hence $b_1 \ne b_2$.

  22. Key exchange using QM (protocol as on slide 20).
      Lemma 1: If Eve did not measure $b_2$ then $b_1=b_2$ with prob 1.
      Lemma 2: If Eve did measure $b_2$ then $b_1 \ne b_2$ with prob $\ge 1/4$.
      Idea: Continue this for $2n$ steps, and discard all bits that were made public. If did not abort, Alice and Bob can be almost certain Eve did not measure and has no information about undiscarded bits.
      Proof generalizes to case that Eve applies arbitrary unitary transformation.

  23. Quantum Computation And Cryptography
      • If quantum computers can be built, then many popular encryption and signature schemes can be broken (RSA, Diffie-Hellman).
      • However, there are still other candidates for encryption schemes not known to be broken. This is especially true for private key cryptography and signature schemes.
      • Many (but not all) of the proofs of security in crypto carry over from the classical model to the quantum model, as long as the underlying hard problem is assumed hard for quantum computers.
      • Exciting possibilities of using quantum mechanics to obtain perfectly unconditionally secure cryptography: Quantum Key Distribution (QKD). Does not require full fledged quantum computers – prototype systems already being built.
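
The classical half of the reduction on slide 15, as an added example that is not part of the lecture: brute-force order finding stands in for the quantum step, and the function names and the small sample moduli are assumptions chosen for illustration.

```python
from math import gcd

def order(x, n):
    """Smallest A >= 1 with x**A = 1 (mod n); x must be coprime to n.
    Brute force here stands in for the quantum order-finding step."""
    a, y = 1, x % n
    while y != 1:
        y, a = (y * x) % n, a + 1
    return a

def factor_from(x, n):
    """Nontrivial factor of n obtained from x, or None if x is unlucky."""
    if gcd(x, n) != 1:
        return gcd(x, n)            # x already shares a factor with n
    a = order(x, n)
    if a % 2:                       # condition (1) fails: odd order
        return None
    h = pow(x, a // 2, n)           # h != 1 because a is the smallest exponent
    if h == n - 1:                  # condition (2) fails: X^(A/2) = -1 (mod N)
        return None
    return gcd(h - 1, n)            # neither 1 nor n

def good_fraction(n):
    """Fraction of X in Z*_N that satisfy both conditions of slide 15."""
    units = [x for x in range(1, n) if gcd(x, n) == 1]
    return sum(factor_from(x, n) is not None for x in units) / len(units)

if __name__ == "__main__":
    print(order(7, 15), factor_from(7, 15))                # 4 3
    print([good_fraction(n) for n in (15, 21, 35)])
```

The only step that is expensive classically is `order`; everything after it is a modular exponentiation and a gcd.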
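
An added example, not part of the lecture, that checks the numbers on slides 8 and 10 and Lemmas 1 and 2 of slides 20 and 21 with a small two-bit state simulator. The helper names are assumptions, and amplitudes are kept real because the slides' gates $R_\theta$ and $H$ are real.

```python
import math
from itertools import product

I2 = [[1, 0], [0, 1]]
H = [[2**-0.5, 2**-0.5], [2**-0.5, -2**-0.5]]
EPR = [2**-0.5, 0, 0, 2**-0.5]          # amplitudes of |00>, |01>, |10>, |11>

def rot(deg):
    """R_theta from slide 9 (angle in degrees)."""
    c, s = math.cos(math.radians(deg)), math.sin(math.radians(deg))
    return [[c, -s], [s, c]]

def apply(ga, gb, state):
    """Apply gate ga to the first bit and gb to the second bit."""
    out = [0.0] * 4
    for a, b, a2, b2 in product((0, 1), repeat=4):
        out[2*a2 + b2] += ga[a2][a] * gb[b2][b] * state[2*a + b]
    return out

def pr_equal(state):
    """Probability that measuring both bits gives equal values."""
    return state[0]**2 + state[3]**2

def chsh_classical_best():
    """Slide 8: try all 16 deterministic strategies a=a(x), b=b(y)."""
    best = 0.0
    for a0, a1, b0, b1 in product((0, 1), repeat=4):
        wins = sum(((a0, a1)[x] ^ (b0, b1)[y]) == (x & y)
                   for x, y in product((0, 1), repeat=2))
        best = max(best, wins / 4)
    return best

def chsh_quantum():
    """Slide 10: shared EPR pair; Alice applies R_22.5 if x=1, Bob R_-22.5 if y=1."""
    total = 0.0
    for x, y in product((0, 1), repeat=2):
        eq = pr_equal(apply(rot(22.5) if x else I2, rot(-22.5) if y else I2, EPR))
        total += (1 - eq) if (x and y) else eq
    return total / 4

def qkd_mismatch(eve_measures):
    """Slides 20-21: Pr[b1 != b2] in one round; H is applied by both or by neither."""
    # Eve measuring b2 collapses the pair to |00> or |11>, each w.p. 1/2.
    starts = [(0.5, [1, 0, 0, 0]), (0.5, [0, 0, 0, 1])] if eve_measures else [(1.0, EPR)]
    return sum(w * 0.5 * (1 - pr_equal(apply(g, g, s)))
               for w, s in starts for g in (I2, H))
```

`chsh_classical_best()` gives the ¾ bound, `chsh_quantum()` gives about 0.80, and `qkd_mismatch` gives 0 without Eve and ¼ when she measures every transferred qubit.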
