COS 433: Cryptography

1
COS 433 Cryptography
Lecture 12 Idiots Guide to Quantum Computing
Crypto

• Princeton University Fall 2005
• Boaz Barak

2
"Do not take the lecture too seriously . . . just
relax and enjoy it. I am going to tell you what
nature behaves like. If you will simply admit
that maybe she does behave like this, you will
find her a delightful, entrancing thing. Do not
keep saying to yourself "But how can it be like
that?" because you will get . . . into a blind
alley from which nobody has yet escaped. Nobody
knows how it can be like that."
Richard Feynmann on Quantum Mechanics.
Strange aspects of quantum mechanics

• Superposition object doesnt have definite
  properties (location, speed) but has
  probabilities over them.

• Interference probabilities can be negative.

• Entanglement properties of many particles can
  be correlated.

• Measurement objects properties collapse to
  definite value when measured, collapsing also
  properties of other entangled objects.

3
Double-Slit Experiment
How does electron passing thru top slit know to
avoid mid point if bottom slit is open?
We can never catch an electron red-handed
behaving bizarrely
If we place detector then pattern turns to be as
expected.
4
Mathematical Formalism
Consider object/system that can be in one of two
states.
State 1gt - electron hit mid point
b
State 0gt - electron did not hit mid point.
Deterministic view
System is either in state 0gt or state 1gt
Probabilistic view
System is in state 0gt w.prob p and state 1gt
w.prob q with pq1
Quantum view
System is in state p0gtq1gt with pq1
(p,q can be negative!)
5
Mathematical Formalism
Consider object/system that can be in one of two
states.
State 1gt - electron hit mid point
State 0gt - electron did not hit mid point.
Quantum view
System is in state p0gtq1gt with p2q21
(p,q complex)
Suppose system consists of two bits has four
possible states 00gt , 01gt , 10gt , 11gt
Quantum view
System is in state p100gtp201gtp310gtp411gt
where p12p22p32p421
When measured, system will collapse to ith state
w.prob pi2.
Note Need 2n numbers to keep track of state of
n-bit system.
6
World View
Democritos ? Newton ? Einstein
Underlying everything are small particles
interacting locally using simple well-defined
rules (billiard balls).
Quantum Mechanics
Nature has a secret HUGE piece of paper
containing gt210000000000000000 complex numbers,
keeping track of a superposition of all particles
in the world, but allows us only to make some
specific measurements of these numbers.
Corollary We do not know how to simulate
quantum system of n particles for t time units in
time poly(n.t).
Rephrase There are some computations performed
by quantum systems of n particles and t time
units that we dont know to perform in a
classical computer in time poly(n,t)
Maybe can use quantum system to solve hard
computational problems??
7
Quantum Computation State of the Art

• There is a mathematical model for computing
  devices exploiting quantum mechanics quantum
  computers.

• Many technical difficulties (and maybe
  fundamental difficulties?) in building such
  machines.

• (Unsurprisingly) there is no proof that quantum
  computers are more powerful than classical
  computers/Boolean circuits/Turing machines.

• There are polynomial algorithms for quantum
  computers solving problems unknown to be
  solvable classically in poly-time
• Simulation of quantum system
• Factoring integers and discrete logs.

• There are hard problems with no quantum poly-time
  algorithms
• SAT, 3COL and all the NP-complete problems.
• Inverting many candidate one-way functions and
  permutations, private key encryption and
  signature schemes.
• Problems on lattices (can be used for public-key
  encryption).

8
Quantum Computation And Cryptography

• If quantum computers can be built, then many
  popular encryption and signature schemes can be
  broken (RSA,Diffie-Hellman)

• However, there are still other candidates for
  encryption schemes not known to be broken. This
  is especially true for private key cryptography
  and signature schemes.

• Many (but not all) of the proofs of security in
  crypto carry over from the classical model to the
  quantum model, as long as the underlying hard
  problem is assumed hard for quantum computers.

• Exciting possibilities of using quantum mechanics
  to obtain perfectly unconditionally secure
  cryptography. Does not require full fledged
  quantum computers prototype systems already
  being built.

Quantum Key Distribution (QKD)
9
Quantum Key Distribution
00gt11gt
Consider system of two bits initialized to 1/p2
00gt 1/p2 11gt
Give b1 to Alice and b2 to Bob.
According to QM until Alice measures b1, it is
completely random, but once she measures it
system collapses to either 00gt or 11gt
Thus Bob will measure the same value as Alice.
First idea for key exchange using QM
Alice
Eve
Bob
b1b2 00gt11gt
Measure b1
Measure b2
10
First idea for key exchange using QM
Alice
Eve
Bob
b1b2 00gt11gt
Measure b1
Measure b2
Problem What if Eve measures b2 on the way and
learns it?
We cant stop Eve from doing so, but we need a
way for Bob to find out.
Problem can be solved but we need

• Learn more about operations allowed in QM.

• Assume Bob and Alice can exchange authenticated
  but not secret classical messages.

11
Unitary Operations
Consider system of one bit.
Classically, there are not many operations we can
perform on it keep it the same or invert it.
In QM, systems state is described as p0gtq1gt -
i.e., vector (p,q)2C2
According to QM, we can perform any operation A
on system that is

• Linear A(pp,qq) A(p,q) A(p,q)

• Norm-preserving If (p,q)pp2q2 1 then
  A(p,q)1

• Orthogonal A(1,0)A0gt is perpendicular to
  A(0,1)A1gt

(p,q) ? (p,q) if ppqq0
Example
H0gt 1/p2 0gt 1/p2 1gt 0gt 1gt
(1,1) H1gt 1/p2 0gt - 1/p2 1gt 0gt - 1gt
(1,-1)
H
12
Key exchange using QM
Alice
Eve
Bob
b1b2 00gt11gt
With prob ½, apply H to b1
If YES apply H to b2
Measure b2
Measure b1.If b1? b2 abort protocol.
Lemma 1 If Eve did not measure b2 then b1b2
with prob 1.
Proof If they did not apply H then clearly b1b2
If both Alice and Bob apply H we get that b1b2 is
transformed to
HH00gt11gt (0gt1gt)(0gt1gt)(0gt-1gt)(0gt-1gt)
00gt10gt01gt11gt00gt-10gt-01gt11gt00gt
11gt
H0gt 1/p2 0gt 1/p2 1gt 0gt 1gt
(1,1) H1gt 1/p2 0gt - 1/p2 1gt 0gt - 1gt
(1,-1)
H
13
Key exchange using QM
Alice
Eve
Bob
b1b2 00gt11gt
With prob ½, apply H to b1
If YES apply H to b2
Measure b2
Measure b1.If b1? b2 abort protocol.
Lemma 2 If Eve did measure b2 then b1? b2 with
prob 1/4.
Proof As example, assume that Eve measured b2
and collapsed b1b2 to 11gt
If both Alice and Bob apply H we get that b1b2 is
transformed to
HH11gt (0gt-1gt)(0gt-1gt) 00gt-10gt-01gt11gt
w.p. ½ this system collapses to either 10gt or
01gt and hence b1?b2
H0gt 1/p2 0gt 1/p2 1gt 0gt 1gt
(1,1) H1gt 1/p2 0gt - 1/p2 1gt 0gt - 1gt
(1,-1)
H
14
Key exchange using QM
Alice
Eve
Bob
b1b2 00gt11gt
With prob ½, apply H to b1
If YES apply H to b2
Measure b2
Measure b1.If b1? b2 abort protocol.
Lemma 1 If Eve did not measure b2 then b1b2
with prob 1.
Lemma 2 If Eve did measure b2 then b1? b2 with
prob 1/4.
Idea Continue this for 2n steps, and discard all
bits that were made public. If did not abort,
Alice and Bob can be almost certain Eve did not
measure and has no information about undiscarded
bits.
Proof generalized to case that Eve applies
arbitrary unitary transformation.