Post Quantum Cryptography

Position-Based Quantum Cryptography, Device-Independent Quantum Cryptography, Post-Quantum Cryptography

Martins Jr. Divine Okoi

Apr 16, 2017

Content
Background
Position-Based Quantum Cryptography
Device-Independent Quantum Cryptography
Post-Quantum Cryptography
Sources

Background

Quantum cryptography is the science of exploiting quantum-mechanical properties to perform cryptographic tasks. The best known example of quantum cryptography is quantum key distribution, which offers an information-theoretically secure solution to the key exchange problem. Quantum cryptography makes use of the quantum-mechanical behaviour of nature for the design and analysis of cryptographic schemes. Its aim is to design cryptographic schemes whose security is guaranteed solely by the laws of nature. This is in sharp contrast to most standard cryptographic schemes, which can in principle be broken, i.e., when given sufficient computing power. From a theoretical point of view, quantum cryptography offers a beautiful interplay between the mathematics of adversarial behaviour and quantum information theory.

Position-Based Quantum Cryptography (What is it?)
The goal of position-based cryptography is to use the geographical location of a player as its (only) credential. For example, one wants to send a message to a player at a specified position with the guarantee that it can only be read if the receiving party is located at that particular position. In the basic task of position verification, a player Alice wants to convince the (honest) verifiers that she is located at a particular point. A more advanced task is secure position-based authentication, where it is guaranteed that a received message originated from a particular position and was not modified.


Position-Based Quantum Cryptography
Position-based cryptography has a number of interesting applications. For example, it enables secure communication over an insecure channel without having any pre-shared key, with the guarantee that only a party at a specific location can learn the content of the conversation; think of a military commander who wants to communicate with a base which is surrounded by enemy territory, or a country that wants to send instructions to an embassy in a foreign country. Another application is authenticity verification, where position-based cryptography enables users to verify that a received message originates from a particular geographical position and was not modified during the transmission. Another is access control to resources.

Position-Based Quantum Cryptography
In 2009, it was proven by collaborators from the University of California in Los Angeles (UCLA) that position-based cryptography is impossible in the classical (non-quantum) world in the setting where colluding opponents control the whole space which is not occupied by honest players. In their latest research article, they investigated whether the impossibility of position-based cryptography can be overcome if the players are allowed to use quantum communication. The outcome of their theoretical investigation demonstrates that the possibility of doing secure position-based cryptography depends on the opponents' capability of sharing entangled quantum states. On the one hand, they showed that if the opponents cannot share any entangled quantum state, then secure position-based cryptography is possible. They presented a scheme which allows a player, Alice, to convince the other participants in the protocol that she is at a particular geographical position. In contrast, colluding opponents who are not at this position and do not share any entangled quantum state will be detected lying if they claim to be there. They claim their scheme is very simple and can be implemented with today's QKD hardware.

Position-Based Quantum Cryptography
On the other hand, they also showed that if the opponents are able to share a huge entangled quantum state, then any positioning scheme can be broken and no position-based cryptography is possible at all. In fact, their result shows how colluding opponents can use their entangled state to instantaneously and non-locally perform the honest player's operations, and are therefore able to make it appear as if they were at the claimed position. Their results raise various interesting research questions. For example, it is a formidable technical challenge to store and handle large quantum states. Hence, is secure position-based cryptography possible in the realistic setting where opponents can only handle a limited amount of entangled quantum states? Their investigation has already sparked several follow-up works, and first results indicate that there are schemes which remain secure in this bounded-entanglement setting.

Position-Based Quantum Cryptography
Basic Task: One Dimension

Position-Based Quantum Cryptography
Classical Scheme: Impossible

Position-Based Quantum Cryptography
Quantum-Based Position Verification

Position-Based Quantum Cryptography (History)
2003/2006 [Kent, Munro, Spiller, HP Labs]: Quantum Tagging
March 2010 [Malaney, arXiv, Australian physicist]: Quantum scheme for position verification, rigorous proof, but implicitly assuming no pre-shared entanglement
2010 [Kent, Munro, Spiller, arXiv]: Insecurity of the proposed scheme; new (secure) schemes?
Sep. 2010 [bulo, arXiv]: Extension of Kent et al.'s attack, proposal of a new (secure?) scheme
Sep. 2010 [arXiv]: Impossibility of position-based quantum cryptography

Position-Based Quantum Cryptography (Summary)
Plain model: classically and quantumly impossible to use the prover's location as the only credential
Basic scheme for secure positioning if adversaries have no pre-shared entanglement
Can be generalized to more dimensions

Position-Based Quantum Cryptography (Further Study)
Quantum Teleportation
Instantaneous Non-Local Quantum Computation
Impossibility of any Position-Based Quantum Cryptography

Quantum Teleportation Attack
Works against multi-round schemes, unless entanglement isn't shared

Device-Independent Quantum Cryptography
A quantum cryptographic protocol is device-independent if its security does not rely on trusting that the quantum devices used are truthful. Thus the security analysis of such a protocol needs to consider scenarios of imperfect or even malicious devices. Several important problems have been shown to admit unconditionally secure and device-independent protocols.

Device-Independent Quantum Cryptography
Quantum key distribution (QKD) is a provably secure way for two distant parties to establish a common secret key, which then can be used in a classical cryptographic scheme. Using quantum entanglement, one can reduce the necessary assumptions that the parties have to make about their devices, giving rise to device-independent QKD (DIQKD). However, in all existing protocols to date the parties need to have an initial (at least partially) random seed as a resource. Using recent advances in the fields of randomness amplification and randomness expansion, it was demonstrated that it is sufficient for the message the parties want to communicate to be (partially) unknown to the adversaries, an assumption without which any type of cryptography would be pointless to begin with. One party can use her secret message to locally generate a secret sequence of bits, which can then be openly used by herself and the other party in a DIQKD protocol. Hence, work has been done which reduces the requirements needed to perform secure DIQKD and establish safe communication.

Post-Quantum Cryptography
Post-quantum cryptography refers to cryptographic algorithms (usually public-key algorithms) that are thought to be secure against an attack by a quantum computer. This is not true of the most popular public-key algorithms, which can be efficiently broken by a sufficiently large quantum computer. The problem with the currently popular algorithms is that their security relies on one of three hard mathematical problems: the integer factorization problem, the discrete logarithm problem or the elliptic curve discrete logarithm problem. All of these problems can be easily solved on a sufficiently large quantum computer running Shor's algorithm. Even though current, publicly known, experimental quantum computers are too small to attack any real cryptographic algorithm, many cryptographers are designing new algorithms to prepare for a time when quantum computing becomes a threat. This work has gained greater attention from academics and industry through the PQCrypto conference series since 2006 and more recently by several European Telecommunications Standards Institute (ETSI) Workshops on Quantum Safe Cryptography.

Post-Quantum Cryptography
In contrast to the threat quantum computing poses to current public-key algorithms, most current symmetric cryptographic algorithms (symmetric ciphers: algorithms for cryptography that use the same cryptographic keys for both encryption of plaintext and decryption of ciphertext. The keys may be identical or there may be a simple transformation to go between the two keys. The keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link) and hash functions (any function that can be used to map data of arbitrary size to data of fixed size. The values returned by a hash function are called hash values, hash codes, hash sums, or simply hashes. One use is a data structure called a hash table, widely used in computer software for rapid data lookup) are considered to be relatively secure from attacks by quantum computers. While the quantum Grover's algorithm (a quantum algorithm that finds with high probability the unique input to a black box function that produces a particular output value, using just O(√N) evaluations of the function, where N is the size of the function's domain) does speed up attacks against symmetric ciphers, doubling the key size can effectively block these attacks.

Post-Quantum Cryptography
Imagine that it's fifteen years from now and someone announces the successful construction of a large quantum computer. The New York Times runs a front-page article reporting that all of the public-key algorithms used to protect the Internet have been broken. Users panic. What exactly will happen to cryptography? Perhaps, after seeing quantum computers destroy RSA and DSA and ECDSA, Internet users will leap to the conclusion that cryptography is dead; that there is no hope of scrambling information to make it incomprehensible to, and unforgeable by, attackers; that securely storing and communicating information means using expensive physical shields to prevent attackers from seeing the information; for example, hiding USB sticks inside a locked briefcase chained to a trusted courier's wrist. A closer look reveals, however, that there is no justification for the leap from "quantum computers destroy RSA and DSA and ECDSA" to "quantum computers destroy cryptography." There are many important classes of cryptographic systems beyond RSA and DSA and ECDSA:

Post-Quantum Cryptography (Algorithms Used and Their Security Downsides)
Algorithms used:
Hash-Based
Code-Based
Multivariate
Lattice-Based
Supersingular Elliptic Curve Isogeny
Symmetric Key Quantum Resistance

Post-Quantum Cryptography (A hash-based public-key signature system)
This signature system requires a standard cryptographic hash function H that produces 2b bits of output. For b = 128 one could choose H as the SHA-256 hash function. Over the last few years many concerns have been raised regarding the security of popular hash functions, and over the next few years NIST will run a competition for a SHA-256 replacement, but all known attacks against SHA-256 are extremely expensive. The signer's public key in this system has 8b^2 bits: e.g., 16 kilobytes for b = 128. The key consists of 4b strings y1[0], y1[1], y2[0], y2[1], ..., y2b[0], y2b[1], each string having 2b bits. A signature of a message m has 2b(2b + 1) bits: e.g., 8 kilobytes for b = 128. The signature consists of 2b-bit strings r, x1, ..., x2b such that the bits (h1, ..., h2b) of H(r, m) satisfy y1[h1] = H(x1), y2[h2] = H(x2), and so on through y2b[h2b] = H(x2b). How does the signer find x with H(x) = y? By generating a secret x first and then computing y = H(x). Specifically, the signer's secret key has 8b^2 bits, namely 4b independent uniform random strings x1[0], x1[1], x2[0], x2[1], ..., x2b[0], x2b[1], each string having 2b bits. The signer computes the public key y1[0], y1[1], y2[0], y2[1], ..., y2b[0], y2b[1] as H(x1[0]), H(x1[1]), H(x2[0]), H(x2[1]), ..., H(x2b[0]), H(x2b[1]).

Post-Quantum Cryptography (A hash-based public-key signature system)
To sign a message m, the signer generates a uniform random string r, computes the bits (h1, ..., h2b) of H(r, m), and reveals (r, x1[h1], ..., x2b[h2b]) as a signature of m. The signer then discards the remaining x values and refuses to sign any more messages. What I've described so far is the Lamport-Diffie one-time signature system. What do we do if the signer wants to sign more than one message? An easy answer is chaining. The signer includes, in the signed message, a newly generated public key that will be used to sign the next message. The verifier checks the first signed message, including the new public key, and can then check the signature of the next message; the signature of the nth message includes all n-1 previous signed messages. More advanced systems, such as Merkle's hash-tree signature system, scale logarithmically with the number of messages signed. To me hash-based cryptography is a convincing argument for the existence of secure post-quantum public-key signature systems. Grover's algorithm is the fastest quantum algorithm to invert generic functions, and is widely believed to be the fastest quantum algorithm to invert the vast majority of specific efficiently computable functions (although obviously there are also many exceptions, i.e., functions that are easier to invert).
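The Lamport-Diffie one-time signature from the two slides above, as an added example that is not the presenter's code: b = 128 with SHA-256 as H, so the key is 4b strings of 2b bits and a signature is (r, x1[h1], ..., x2b[h2b]). The function names and the sample message are this example's own; the size check compares against the 8b^2-bit key and 2b(2b+1)-bit signature figures on the slide.

```python
"""Lamport-Diffie one-time signatures with the slides' parameters (b = 128,
H = SHA-256). Added example, not the presenter's code."""
import hashlib
import secrets

B = 128                 # security parameter b from the slides
HASH_BITS = 2 * B       # H produces 2b bits; SHA-256 for b = 128
HASH_BYTES = HASH_BITS // 8


def H(*parts: bytes) -> bytes:
    """The hash H; H(r, m) is the hash of r followed by m."""
    return hashlib.sha256(b"".join(parts)).digest()


def keygen():
    """Secret key: 4b uniform random 2b-bit strings x_i[0], x_i[1], i = 1..2b.
    Public key: y_i[j] = H(x_i[j]) for each of them."""
    sk = [[secrets.token_bytes(HASH_BYTES), secrets.token_bytes(HASH_BYTES)]
          for _ in range(HASH_BITS)]
    pk = [[H(x0), H(x1)] for x0, x1 in sk]
    return sk, pk


def message_bits(r: bytes, m: bytes):
    """The bits (h_1, ..., h_2b) of H(r, m), most significant bit first."""
    digest = H(r, m)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(HASH_BITS)]


class OneTimeSigner:
    """Holds one secret key; after signing once it discards the remaining
    x values and refuses to sign again, as the slides require."""

    def __init__(self, sk):
        self._sk = sk

    def sign(self, m: bytes):
        if self._sk is None:
            raise RuntimeError("one-time key already used; refusing to sign")
        r = secrets.token_bytes(HASH_BYTES)
        revealed = [self._sk[i][h] for i, h in enumerate(message_bits(r, m))]
        self._sk = None                      # discard the unused x values
        return r, revealed                   # (r, x_1[h_1], ..., x_2b[h_2b])


def verify(pk, m: bytes, sig) -> bool:
    """Check y_i[h_i] == H(x_i) for every i, with (h_i) the bits of H(r, m)."""
    r, xs = sig
    if len(r) != HASH_BYTES or len(xs) != HASH_BITS:
        return False
    return all(pk[i][h] == H(xs[i]) for i, h in enumerate(message_bits(r, m)))


def sizes_in_bits(pk, sig):
    """Public-key and signature sizes, to compare with 8b^2 and 2b(2b + 1)."""
    pk_bits = sum(len(y) * 8 for pair in pk for y in pair)
    r, xs = sig
    return pk_bits, len(r) * 8 + sum(len(x) * 8 for x in xs)


if __name__ == "__main__":
    sk, pk = keygen()
    signer = OneTimeSigner(sk)
    msg = b"constructed sample message"       # constructed input
    sig = signer.sign(msg)
    print("valid:", verify(pk, msg, sig))                    # True
    print("tampered:", verify(pk, msg + b"!", sig))          # False
    print("bits (pk, sig):", sizes_in_bits(pk, sig))         # (131072, 65792)
```

Revealing the x values for a second message would disclose both x_i[0] and x_i[1] at every position where the two hash bit-strings differ, which is why the signer object destroys its key after one use.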

Post-Quantum Cryptography (A hash-based public-key signature system)
Hash-based cryptography can convert any hard-to-invert function into a secure public-key signature system. See the "Hash-based digital signature schemes" chapter of this book for a much more detailed discussion of hash-based cryptography. Note that most hash-based systems impose an extra requirement of collision resistance upon the hash function, allowing simpler signatures without randomization.

Post-Quantum Cryptography (A code-based public-key encryption system)
Assume that b is a power of 2. Write n = 4b lg b, d = lg n, and t = 0.5n/d. For example, if b = 128, then n = 3584, d = 12, and t = 149. The receiver's public key in this system is a dt × n matrix K with coefficients in F_2. Messages suitable for encryption are n-bit strings of weight t, i.e., n-bit strings having exactly t bits set to 1. To encrypt a message m, the sender simply multiplies K by m, producing a dt-bit ciphertext Km. The basic problem for the attacker is to syndrome-decode K, i.e., to undo the multiplication by K, knowing that the input had weight t. It is easy, by linear algebra, to work backwards from Km to some n-bit vector v such that Kv = Km; however, there are a huge number of choices for v, and finding a weight-t choice seems to be extremely difficult. The best known attacks on this problem take time exponential in b for most matrices K. How, then, can the receiver solve the same problem? The answer is that the receiver generates the public key K with a secret structure, specifically a hidden Goppa code structure, that allows the receiver to decode in a reasonable amount of time. It is conceivable that the attacker can detect the hidden Goppa code structure in the public key, but no such attack is known.

Post-Quantum Cryptography (A code-based public-key encryption system)
Specifically, the receiver starts with distinct elements α1, α2, ..., αn of the field F_{2^d} and a secret monic degree-t irreducible polynomial g in F_{2^d}[x]. The main work for the receiver is to syndrome-decode the dt × n matrix H built from these elements, where each element of F_{2^d} is viewed as a column of d elements of F_2 in a standard basis of F_{2^d}. This matrix H is a parity-check matrix for an irreducible binary Goppa code, and can be syndrome-decoded by Patterson's algorithm or by faster algorithms. The receiver's public key K is a scrambled version of H. Specifically, the receiver's secret key also includes an invertible dt × dt matrix S and an n × n permutation matrix P. The public key K is the product SHP. Given a ciphertext Km = SHPm, the receiver multiplies by S^-1 to obtain HPm, decodes H to obtain Pm, and multiplies by P^-1 to obtain m. What I've described here is a variant, due to Niederreiter (1986), of McEliece's original code-based public-key encryption system. Both systems are extremely efficient at key generation, encryption, and decryption, but, as I mentioned earlier, have been held back by their long public keys. See the "Code-based cryptography" and "Lattice-based cryptography" chapters of this book for much more information about code-based cryptography and (similar but more complicated) lattice-based cryptography, including several systems that use shorter public keys.

Post-Quantum Cryptography (Challenges)
Some cryptographic systems, such as RSA with a four-thousand-bit key, are believed to resist attacks by large classical computers but do not resist attacks by large quantum computers. Some alternatives, such as McEliece encryption with a four-million-bit key, are believed to resist attacks by large classical computers and attacks by large quantum computers. So why do we need to worry now about the threat of quantum computers? Why not continue to focus on RSA and ECDSA? If someone announces the successful construction of a large quantum computer fifteen years from now, why not simply switch to McEliece etc. fifteen years from now? This section gives three answers: three important reasons that parts of the cryptographic community are already starting to focus attention on post-quantum cryptography:

Post-Quantum Cryptography (Challenges)
We need time to improve the efficiency of post-quantum cryptography.
We need time to build confidence in post-quantum cryptography.
We need time to improve the usability of post-quantum cryptography.
In short, we are not yet prepared for the world to switch to post-quantum cryptography. Maybe this preparation is unnecessary. Maybe we won't actually need post-quantum cryptography. Maybe nobody will ever announce the successful construction of a large quantum computer. However, if we don't do anything, and if it suddenly turns out years from now that users do need post-quantum cryptography, years of critical research time will have been lost.

Post-Quantum Cryptography (Challenges: Efficiency)
Elliptic-curve signature systems with O(b)-bit signatures and O(b)-bit keys appear to provide b bits of security against classical computers. State-of-the-art signing algorithms and verification algorithms take time b^(2+o(1)). Can post-quantum public-key signature systems achieve similar levels of performance? My two examples of signature systems certainly don't qualify: one example has signatures of length b^(2+o(1)), and the other example has keys of length b^(3+o(1)). There are many other proposals for post-quantum signature systems, but I have never seen a proposal combining O(b)-bit signatures, O(b)-bit keys, polynomial-time signing, and polynomial-time verification. Inefficient cryptography is an option for some users but is not an option for a busy Internet server handling tens of thousands of clients each second. If you make a secure web connection today to https://www.google.com, Google redirects your browser to http://www.google.com, deliberately turning off cryptographic protection. Google does have some cryptographically protected web pages but apparently cannot afford to protect its most heavily used web pages. If Google already has trouble with the slowness of today's cryptographic software, surely it will not have less trouble with the slowness of post-quantum cryptographic software. Constraints on space and time have always posed critical research challenges to cryptographers and will continue to pose critical research challenges to post-quantum cryptographers. On the bright side, research in cryptography has produced many impressive speedups, and one can reasonably hope that increased research efforts in post-quantum cryptography will continue to produce impressive speedups.

Post-Quantum Cryptography (Challenges: Confidence)
Merkle's hash-tree public-key signature system and McEliece's hidden-Goppa-code public-key encryption system were both proposed thirty years ago and remain essentially unscathed despite extensive cryptanalytic efforts. Many other candidates for hash-based cryptography and code-based cryptography are much newer; multivariate-quadratic cryptography and lattice-based cryptography provide an even wider variety of new candidates for post-quantum cryptography. Some specific proposals have been broken. Perhaps a new system will be broken as soon as a cryptanalyst takes the time to look at the system. One could insist on using classic systems that have survived many years of review. But often the user cannot afford the classic systems and is forced to consider newer, smaller, faster systems that take advantage of more recent research into cryptographic efficiency. To build confidence in these systems the community needs to make sure that cryptanalysts have taken time to search for attacks on the systems. Those cryptanalysts, in turn, need to gain familiarity with post-quantum cryptography and experience with post-quantum cryptanalysis.

Post-Quantum Cryptography (Challenges: Usability)
The RSA public-key cryptosystem started as nothing more than a trapdoor one-way function, "cube modulo n." (Tangential historical note: the original paper by Rivest, Shamir, and Adleman actually used large random exponents. Rabin pointed out that small exponents such as 3 are hundreds of times faster.) Unfortunately, one cannot simply use a trapdoor one-way function as if it were a secure encryption function. Modern RSA encryption does not simply cube a message modulo n; it has to first randomize and pad the message. Furthermore, to handle long messages, it encrypts a short random string instead of the message, and uses that random string as a key for a symmetric cipher to encrypt and authenticate the original message. This infrastructure around RSA took many years to develop, with many disasters along the way, such as the PKCS#1 v1.5 padding standard broken by Bleichenbacher in 1998.

Post-Quantum Cryptography (Challenges: Usability)
Furthermore, even if a secure encryption function has been defined and standardized, it needs software implementations, and perhaps also hardware implementations, suitable for integration into a wide variety of applications. Implementors need to be careful not only to achieve correctness and speed but also to avoid timing leaks and other side-channel leaks. A few years ago several implementations of RSA and AES were broken by cache-timing attacks; Intel has, as a partial solution, added AES instructions to its future CPUs. Post-quantum cryptography, like the rest of cryptography, needs complete hybrid systems and detailed standards and high-speed leak-resistant implementations.

Sources
Alves, Carolina Moura and Kent, Adrian. "Quantum Cryptography." National University of Singapore. http://www.quantumlah.org/?q=tutorial/quantumcrypto
Azzole, Pete. "Ultra: The Silver Bullet." Cryptolog. November 1996. http://www.cl.cam.ac.uk/research/security/Historical/azzole1.html
Brumfiel, Geoffrey. "Quantum Cryptography is Hacked." Nature. April 27, 2007. http://www.nature.com/news/2007/070423/full/news070423-10.html
Aguilar, Edgar A., Ramanathan, Ravishankar, Kofler, Johannes, and Pawłowski, Marcin. "Completely Device Independent Quantum Key Distribution." arXiv:1507.05752v1 [quant-ph], 21 Jul 2015.
Messmer, Ellen. "Quantum Cryptography to Secure Ballots in Swiss Election." Network World. October 11, 2007. http://www.networkworld.com/news/2007/101007-quantum-cryptography-secure-ballots.html?t51hb
Stix, Gary. "Best-Kept Secrets: Quantum cryptography has marched from theory to laboratory to real products." Scientific American. January 2005. http://www.sciam.com/article.cfm?chanID=sa006&colID=1&articleID=000479CD-F58C-11BE-AD0683414B7F0000
Vittorio, Salvatore. "Quantum Cryptography: Privacy through Uncertainty." CSA. October 2002. http://www.csa.com/discoveryguides/crypt/overview.php
"Quantum Cryptography Tutorial." Dartmouth College. http://www.cs.dartmouth.edu/~jford/crypto.html