ITI Crypto – Quantum Seminars, 2018-10-15
DEPARTMENT OF INFORMATICS, INSTITUTE OF THEORETICAL INFORMATICS
Seminars “Quantum Complexity Theory” and “Quantum Cryptography”
Initial Meeting
KIT – The Research University in the Helmholtz Association, www.kit.edu
Formalities
Report: ≈ 10 pages (including references)
– should be in English
– review of one other report
Presentation: 25 minutes presentation, ≈ 10 minutes questions
– English slides
– talk can be either in German or in English
LaTeX templates for report and slides can be found on our website.
Submission of reports/slides via e-mail to the respective supervisor.
Basics of Quantum Computation
Supervisor: Sven Maier
Quantum computers work with qubits |φ〉 = α|0〉 + β|1〉, which are superpositions over (classical) states.
Intuition: qubits as a complex probability distribution, with the normalization constraint |α|² + |β|² = 1.
A state can be manipulated by multiplication with unitary matrices.
Seminar topic: Introduce quantum computers, present the Bra-Ket notation, introduce and motivate density matrices, introduce general quantum gates and present Born’s rule for the measurement of quantum states.
Non-Cloning Theorem and Teleportation
Supervisor: Alexander Koch
Qubit: quantum state, superposition of |0〉 and |1〉.
Main difference to classical bit: impossible to clone.
Sending classical bits (roughly): read the bit, send a copy through the wire. ⇒ Not possible for qubits.
Teleportation: given a pre-shared EPR pair, how to send a quantum state to another person (using only a classical channel).
Optional: Superdense Coding: How can we prepare a quantum state to encode classical information efficiently?
The Quantum Turing Machine
Supervisor: Akin Ünal
Classical computation: With the Turing Machine one can analyze whether a given problem can be solved efficiently by a computer.
The Quantum Turing Machine closely resembles the classical Turing Machine, but with changes to suit the quantum setting.
Bernstein and Vazirani [BV93] provide further important properties and constructions.
Topic: Present the Quantum Turing Machine as a mathematical model, compare it to a classical Turing Machine and show how a quantum algorithm works on such a machine.
The Bounded-Error Quantum Polynomial Time Class BQP
Supervisor: Tobias Müller
The Bounded-Error Quantum Polynomial Time class (BQP) is the class of problems for which quantum Turing machines have efficient solutions.
Source: lecture notes “Randomisierte Algorithmen”, Thomas Worsch
The goal is to introduce the class BQP and to show its relation to classical complexity classes (BPP, P, NP, PSPACE, ...).
Error Correction for Quantum States
Supervisor: Sven Maier
Main problem for quantum computers: quantum noise.
– Physical errors in measuring the quantum state.
Considered one of the major problems in deploying quantum computers for a long time.
Solution: Error correcting codes.
Problem: Non-cloning ⇒ Most classical schemes are unusable on qubits.
Seminar topic: Present a solution for quantum error correction.
Simon’s Algorithm
Supervisor: Bogdan Ursu
Consider any function f : {0,1}^n → {0,1}^n that satisfies the following property:
There exists s ∈ {0,1}^n such that for all x, y ∈ {0,1}^n:
f(x) = f(y) if and only if x = y or x ⊕ y = s
Problem: find s.
– If s = 0…0, then f is one-to-one.
– Else f is two-to-one.
Function modelled as an oracle.
Classically, Ω(√(2^n)) queries are needed. Quantumly, only O(n) queries are sufficient.
Shor’s Algorithm
Supervisor: Michael Klooß
Problem: f(x) has a period r, e.g. f : Z → Z_N, f(x) = x mod N.
Solution: Shor’s algorithm.
Pre- and postprocessing: classical. Quantum: period-finding subroutine.
Example: ord(x) = r for x ∈ Z_N^× is the period of k ↦ x^k. Computing r efficiently ⇒ factoring efficiently.
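As an added example (not from the slides), the classical pre- and post-processing around the order-finding step: `find_order` is a brute-force stand-in for the quantum period-finding subroutine, and the rest shows how knowing r = ord(x) yields a factor of N.

```python
from math import gcd
import random

def find_order(x, N):
    """Classical stand-in for Shor's quantum period-finding subroutine: the
    smallest r > 0 with x^r = 1 (mod N), i.e. the period of k -> x^k mod N.
    Brute force is exponential in log N; the quantum subroutine is polynomial,
    which is the whole point of the reduction."""
    r, power = 1, x % N
    while power != 1:
        power = (power * x) % N
        r += 1
    return r

def factor_from_order(N, x, r):
    """Classical post-processing. If r is even and x^(r/2) != -1 (mod N), then
    N divides (x^(r/2) - 1)(x^(r/2) + 1) without dividing either factor, so
    gcd(x^(r/2) +/- 1, N) is a non-trivial factor. Otherwise return None."""
    if r % 2:
        return None
    half = pow(x, r // 2, N)
    if half == N - 1:
        return None
    for cand in (gcd(half - 1, N), gcd(half + 1, N)):
        if 1 < cand < N:
            return cand
    return None

def shor_factor(N, seed=1, max_tries=100):
    """Classical pre-processing around the order-finding step. Assumes N is an
    odd composite that is not a prime power (those cases are handled by cheap
    classical checks before Shor's algorithm is invoked)."""
    rng = random.Random(seed)
    for _ in range(max_tries):
        x = rng.randrange(2, N)
        g = gcd(x, N)
        if g > 1:                     # lucky: x already shares a factor with N
            return g
        r = find_order(x, N)          # the quantum step in the real algorithm
        f = factor_from_order(N, x, r)
        if f is not None:
            return f
    return None
```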
Linear Systems of Equations
Supervisor: Akin Ünal
Let A ∈ R^(N×N) be sparse with condition number κ and b ∈ R^N be given. The algorithm of Harrow, Hassidim, and Lloyd [HHL09] (implemented by Barz et al. [Bar+14] and Pan et al. [Pan+14]) can find x such that
Ax = b
in time O(log(N) κ²) (where κ is the condition number).
Major speedup over classical algorithms (O(N√κ)).
Topic: Present the algorithm, show how it solves linear systems of equations and analyse the resource requirements.
Overview Quantum Complexity Theory
1) Basics of Quantum Computation: Introduction to notational + mathematical background (Sven Maier)
2) Non-Cloning Theorem and Teleportation: Phenomena relevant for quantum computers (Alexander Koch)
3) The Quantum Turing Machine: Quantum version of the Turing Machine (Akin Ünal)
4) Bounded-Error Quantum Polynomial Class: Complexity class for quantum algorithms (Tobias Müller)
5) Error Correction for Quantum States: A non-trivial key necessity for quantum computers (Sven Maier)
6) Simon’s Quantum Algorithm: Efficiently solving the Hidden Offset Problem (Bogdan Ursu)
7) Shor’s Algorithm: A poly-time solver for DLOG and factoring problems (Michael Klooß)
8) Linear Systems of Equations: Efficiently solving linear systems of equations (Akin Ünal)
Schedule
15th Oct: Initial Meeting + Distribution of Topics
12th Nov: Presentation Topics 1 and 2
26th Nov: Presentation Topics 3 and 4
10th Dec: Presentation Topics 5 and 6
14th Jan: Presentation Topics 7 and 8
15th Feb: Deadline for reports + Assignment of Reviews
1st Mar: Deadline for reviews
Quantum Key Distribution
Supervisor: Roland Gröll
Problem: We want to establish a shared key with unconditional security.
Solution: We use the fact that measuring quantum states collapses them to detect eavesdroppers. This ensures that Alice and Bob have shared randomness that an eavesdropper doesn’t know.
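Added example, not part of the slides: a simulation of BB84 on an ideal channel showing exactly this detection mechanism. An intercept-resend eavesdropper must measure each qubit and therefore disturbs about a quarter of the sifted bits, which Alice and Bob see as an error rate when they compare part of the key; the 11% abort threshold is an assumed example value.

```python
import random

def bb84(n, eavesdrop, seed=1):
    """Simulate BB84 over n qubits on an ideal (noiseless) channel.
    Bases: 0 = rectilinear {|0>,|1>}, 1 = diagonal {|+>,|->}.
    Returns (Alice's sifted key, Bob's sifted key, observed error rate)."""
    rng = random.Random(seed)                         # seeded so the run is reproducible
    a_bits = [rng.randrange(2) for _ in range(n)]
    a_bases = [rng.randrange(2) for _ in range(n)]
    b_bases = [rng.randrange(2) for _ in range(n)]

    def measure(bit, prep_basis, meas_basis):
        # Same basis: the encoded bit is read out. Conjugate basis: the state
        # collapses to a uniformly random outcome and the original is lost.
        return bit if prep_basis == meas_basis else rng.randrange(2)

    b_bits = []
    for bit, basis, bob_basis in zip(a_bits, a_bases, b_bases):
        if eavesdrop:
            # Intercept-resend: Eve measures in a random basis and forwards a
            # fresh qubit prepared in that basis with the outcome she observed.
            eve_basis = rng.randrange(2)
            bit, basis = measure(bit, basis, eve_basis), eve_basis
        b_bits.append(measure(bit, basis, bob_basis))

    # Sifting over the public channel: keep positions where the bases agree.
    keep = [i for i in range(n) if a_bases[i] == b_bases[i]]
    key_a = [a_bits[i] for i in keep]
    key_b = [b_bits[i] for i in keep]
    errors = sum(x != y for x, y in zip(key_a, key_b))
    return key_a, key_b, errors / len(key_a)

def eavesdropper_detected(n, eavesdrop, threshold=0.11, seed=1):
    """Compare (here: all of) the sifted key publicly and abort if the error
    rate exceeds the threshold. Intercept-resend disturbs ~25% of the sifted
    bits; an undisturbed ideal channel gives 0%. The 11% threshold is an
    assumed example value, not a parameter from the slides."""
    return bb84(n, eavesdrop, seed)[2] > threshold
```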
Device Independence
Supervisor: Alexander Koch
Classical computation: a corrupted device can break the security of a protocol.
Quantum computation: self-testing abilities allow secure protocol executions even on corrupted devices.
Device Independence: The security of a protocol does not depend on the device the protocol is executed on.
Topic:
– Formally introduce device independence.
– Show example protocols that achieve device independence.
Impossibility Proofs for Unconditionally Secure Bit Commitments and Quantum OTs
Supervisor: Sven Maier
Classical computers: unconditionally hiding and binding bit commitments are impossible.
Quantum computers: the proof for classical computers doesn’t apply.
Even further: unconditionally secure quantum bit commitments enable unconditionally secure quantum MPC.
Unfortunately: Unconditionally secure quantum bit commitments are also impossible.
Seminar topic: Present the impossibility proof for unconditionally secure quantum bit commitments and the relevant background (Uhlmann’s Theorem, pure and mixed states) and motivate the proof for quantum OTs.
Quantum Commitments from Physical Assumptions
Supervisor: Lukas Beeck
Problem: Unconditionally secure quantum bit commitments are desirable, yet impossible in the standard model.
Remedy: Use additional tools, e.g. stateless hardware tokens. ⇒ Quantum One-Time Programs.
Topic:
– Introduce quantum stateless hardware tokens.
– Introduce quantum one-time programs.
– Show how stateless hardware tokens are used to securely construct any one-time program.
Quantum Rewinding
Supervisor: Lukas Beeck
Classical computation: (Non-UC) simulation-based proofs use rewinding.
⇒ Simulate until one part of a secret has been learned.
⇒ Reset to a previous state.
Quantum computation:
✓ Every transformation is unitary ⇒ efficiently invertible.
✗ Measurement destroys the quantum state.
⇒ Rewinding to a previous state is possible.
⇒ But we don’t gain information from it.
⇒ Pointless?
Quantum Rewinding: (Meaningful) rewinding on quantum states.
Topic: Formally introduce the problems with rewinding in a quantum world and proposed solutions.
Quantum Universal Composability
Supervisor: Jeremias Mechler
The Universal Composability Framework:
– Extension of the Real/Ideal paradigm
– Security under concurrent composition with arbitrary protocols
– Model of computation: Interactive Turing Machines (ITMs)
Quantum UC (Unruh [Unr10]):
– Extend the model of computation: quantum computations, send quantum states
– Feasibility: Statistically secure OT from commitments
This is an advanced topic. Previous knowledge of the UC framework is highly recommended!
Unruh Transformation
Supervisor: Jessica Koch
Classical computation: Transformation of Fiat and Shamir [FS86]: arbitrary (interactive) sigma-protocol for Zero-Knowledge (ZK) → non-interactive Zero-Knowledge (NIZK) protocol
Quantum world: Transformation of Unruh [Unr15]
Both in the Random Oracle Model (ROM)
Goal:
– introduce problems of Fiat-Shamir in the quantum world
– possible solution by Unruh [Unr17]
– compare the solution to the Unruh transformation
Grover’s Quantum Search Algorithm
Supervisor: Michael Klooß
Problem: Quantum oracle access to a (black-box) function f : X → {0,1} with a unique x ∈ X s.t. f(x) = 1. Goal: Find x.
Example: f(x) permutation cipher. Find the key x such that f(x) := Enc(x, m) = c for fixed m, c.
Solution: Grover’s algorithm
– O(√|X|) invocations
– Non-negligible success probability
Improving Brute-Force Attacks on AES with Grover’s Algorithm
Supervisor: Wasilij Beskorovajnov
The "classical" security of symmetric and public-key cryptography ismeasured by the metric of "N bits of Security", i.e. RSA-3072 hasappx. 128-bits of securityGrover’s Algorithm from [Gro96] defines a new way of searching overunstructured datasets, e.g., key-space.
With quadratic speedup, i.e., searching for a key in the space 0,1n
requires now√
2n = 2n2 steps
However, in order to perform the algorithm it is necessary toimplement AES as a quantum-circuit. The AES quantum-circuit needsto be as efficient as possible in order to achieve the full speedup.
Goal: sketch the AES quantum-circuit and show how it is incorporatedinto the Grover’s Search according to Grassl et al. [Gra+16]. Additionaly,one may try to analyze the required costs.
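The following is an added example (not from the slides, and not the AES circuit of Grassl et al.) covering the Grover slide above and the 2^(n/2) count on this one: an exact simulation of Grover's search where the black box is a constructed 4-bit toy "permutation cipher" `toy_enc`, and the oracle marks the unique key x with Enc(x, m) = c. The simulation returns the number of oracle invocations, which is ⌊(π/4)·√|X|⌋, i.e. on the order of 2^(n/2) rather than 2^n.

```python
from math import pi, sqrt, floor

# Constructed 4-bit "permutation cipher" used as the black box: key XOR followed
# by the PRESENT S-box. For fixed m, key -> Enc(key, m) is a bijection, so exactly
# one key maps m to a given c (the unique-solution case on the slide).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def toy_enc(key, m):
    return SBOX[(m ^ key) & 0xF]

def grover_search(n, f):
    """Exact simulation of Grover's algorithm on the amplitude vector over
    X = {0,1}^n for a predicate f with a unique solution.
    Returns (most likely x, its probability, number of oracle invocations)."""
    N = 2 ** n
    amp = [1 / sqrt(N)] * N                         # uniform superposition H^n|0>
    iters = floor(pi / 4 * sqrt(N))                 # optimal count: O(sqrt(|X|)) = O(2^(n/2))
    for _ in range(iters):
        amp = [-a if f(x) else a for x, a in enumerate(amp)]  # oracle: phase flip where f(x)=1
        mean = sum(amp) / N
        amp = [2 * mean - a for a in amp]           # diffusion: inversion about the mean
    probs = [a * a for a in amp]
    best = max(range(N), key=probs.__getitem__)
    return best, probs[best], iters

def recover_key(n, m, c):
    """The slide's key search: find x with Enc(x, m) = c for fixed (m, c)."""
    return grover_search(n, lambda k: toy_enc(k, m) == c)
```

For n = 4 the search needs 3 oracle calls and succeeds with probability ≈ 0.96; the 2^(n/2) scaling is what makes the cost of the AES circuit the dominating factor in the resource estimates.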
Overview Quantum Cryptography
1) Quantum Key Distribution: The Algorithm of Bennett and Brassard [BB84] (Roland Gröll)
2) Device Independence: Executing quantum algorithms on untrusted devices (Alexander Koch)
3) Unconditionally Secure Quantum Bit Commitments: Present the impossibility proof for unconditionally secure quantum bit commitments (Sven Maier)
4) Commitments from Physical Assumptions: Perform commitments using stateful quantum hardware (Lukas Beeck)
5) Quantum Rewinding: Rewinding while still learning something (Lukas Beeck)
6) Quantum Universal Composability: UC framework for quantum computers (Jeremias Mechler)
7) Unruh Transformation: Fiat-Shamir-type transformation in the quantum world (Jessica Koch)
8) Grover’s Algorithm: Quantum search for unstructured data (Michael Klooß)
9) Brute-Force on AES with Grover: Using Grover’s algorithm to improve brute-force attacks on AES (Wasilij Beskorovajnov)
Schedule
15th Oct: Initial Meeting + Distribution of Topics
19th Nov: Presentation Topics 1 and 2
3rd Dec: Presentation Topics 3 and 4
17th Dec: Presentation Topics 5 and 6
21st Jan: Presentation Topics 7 and 8
28th Jan: Presentation Topic 9
15th Feb: Deadline for reports + Assignment of reviews
1st Mar: Deadline for reviews
29th Mar: Deadline for final report
C. H. Bennett and G. Brassard. “Quantum cryptography: Public key distribution and coin tossing”. In: Proceedings of IEEE International Conference on Computers, Systems, and Signal Processing. Bangalore, 1984, p. 175.
E. Bernstein and U. V. Vazirani. “Quantum complexity theory”. In: Proceedings of the Twenty-Fifth Annual ACM Symposium on Theory of Computing, May 16-18, 1993, San Diego, CA, USA. Ed. by S. R. Kosaraju, D. S. Johnson, and A. Aggarwal. ACM, 1993, pp. 11–20. DOI: 10.1145/167088.167097. URL: http://doi.acm.org/10.1145/167088.167097.
A. Fiat and A. Shamir. “How to Prove Yourself: Practical Solutions to Identification and Signature Problems”. In: Advances in Cryptology - CRYPTO ’86, Santa Barbara, California, USA, 1986, Proceedings. Ed. by A. M. Odlyzko. Vol. 263. Lecture Notes in Computer Science. Springer, 1986, pp. 186–194. DOI: 10.1007/3-540-47721-7_12. URL: https://doi.org/10.1007/3-540-47721-7_12.
M. Grassl, B. Langenberg, M. Roetteler, and R. Steinwandt. “Applying Grover’s Algorithm to AES: Quantum Resource Estimates”. In: Post-Quantum Cryptography - 7th International Workshop, PQCrypto 2016, Fukuoka, Japan, February 24-26, 2016, Proceedings. Ed. by T. Takagi. Vol. 9606. Lecture Notes in Computer Science. Springer, 2016, pp. 29–43. DOI: 10.1007/978-3-319-29360-8_3. URL: https://doi.org/10.1007/978-3-319-29360-8_3.
L. K. Grover. “A Fast Quantum Mechanical Algorithm for Database Search”. In: Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, Philadelphia, Pennsylvania, USA, May 22-24, 1996. Ed. by G. L. Miller. ACM, 1996, pp. 212–219. DOI: 10.1145/237814.237866. URL: http://doi.acm.org/10.1145/237814.237866.
A. W. Harrow, A. Hassidim, and S. Lloyd. “Quantum Algorithm for Linear Systems of Equations”. In: Physical Review Letters 103.15, 150502 (Oct. 2009). DOI: 10.1103/PhysRevLett.103.150502. arXiv: 0811.3171 [quant-ph].
D. Unruh. “Universally Composable Quantum Multi-party Computation”. In: Advances in Cryptology - EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Monaco / French Riviera, May 30 - June 3, 2010. Proceedings. Ed. by H. Gilbert. Vol. 6110. Lecture Notes in Computer Science. Springer, 2010, pp. 486–505. DOI: 10.1007/978-3-642-13190-5_25. URL: https://doi.org/10.1007/978-3-642-13190-5_25.
D. Unruh. “Non-Interactive Zero-Knowledge Proofs in the Quantum Random Oracle Model”. In: Advances in Cryptology - EUROCRYPT 2015 - 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, April 26-30, 2015, Proceedings, Part II. Ed. by E. Oswald and M. Fischlin. Vol. 9057. Lecture Notes in Computer Science. Springer, 2015, pp. 755–784. DOI: 10.1007/978-3-662-46803-6_25. URL: https://doi.org/10.1007/978-3-662-46803-6_25.
D. Unruh. “Post-quantum Security of Fiat-Shamir”. In: Advances in Cryptology - ASIACRYPT 2017 - 23rd International Conference on the Theory and Applications of Cryptology and Information Security, Hong Kong, China, December 3-7, 2017, Proceedings, Part I. Ed. by T. Takagi and T. Peyrin. Vol. 10624. Lecture Notes in Computer Science. Springer, 2017, pp. 65–95. DOI: 10.1007/978-3-319-70694-8_3. URL: https://doi.org/10.1007/978-3-319-70694-8_3.
S. Barz, I. Kassal, M. Ringbauer, Y. O. Lipp, B. Dakic, A. Aspuru-Guzik, and P. Walther. “A two-qubit photonic quantum processor and its application to solving systems of linear equations”. In: Scientific Reports 4, 6115 (Aug. 2014). DOI: 10.1038/srep06115. arXiv: 1302.1210 [quant-ph].
D. Deutsch. “Quantum theory, the Church-Turing principle and the universal quantum computer”. In: Proceedings of the Royal Society of London Series A 400 (July 1985), pp. 97–117. DOI: 10.1098/rspa.1985.0070.
J. Pan, Y. Cao, X. Yao, Z. Li, C. Ju, H. Chen, X. Peng, S. Kais, and J. Du. “Experimental realization of quantum algorithm for solving linear systems of equations”. In: Physical Review A 89.2, 022313 (Feb. 2014). DOI: 10.1103/PhysRevA.89.022313. arXiv: 1302.1946 [quant-ph].