Title: COS 433: Cryptography
1COS 433 Cryptography
Lecture 12 Idiots Guide to Quantum Computing
Crypto
- Princeton University Fall 2005
- Boaz Barak
2"Do not take the lecture too seriously . . . just
relax and enjoy it. I am going to tell you what
nature behaves like. If you will simply admit
that maybe she does behave like this, you will
find her a delightful, entrancing thing. Do not
keep saying to yourself "But how can it be like
that?" because you will get . . . into a blind
alley from which nobody has yet escaped. Nobody
knows how it can be like that."
Richard Feynmann on Quantum Mechanics.
Strange aspects of quantum mechanics
- Superposition object doesnt have definite
properties (location, speed) but has
probabilities over them.
- Interference probabilities can be negative.
- Entanglement properties of many particles can
be correlated.
- Measurement objects properties collapse to
definite value when measured, collapsing also
properties of other entangled objects.
3Double-Slit Experiment
How does electron passing thru top slit know to
avoid mid point if bottom slit is open?
We can never catch an electron red-handed
behaving bizarrely
If we place detector then pattern turns to be as
expected.
4Mathematical Formalism
Consider object/system that can be in one of two
states.
State 1gt - electron hit mid point
b
State 0gt - electron did not hit mid point.
Deterministic view
System is either in state 0gt or state 1gt
Probabilistic view
System is in state 0gt w.prob p and state 1gt
w.prob q with pq1
Quantum view
System is in state p0gtq1gt with pq1
(p,q can be negative!)
5Mathematical Formalism
Consider object/system that can be in one of two
states.
State 1gt - electron hit mid point
State 0gt - electron did not hit mid point.
Quantum view
System is in state p0gtq1gt with p2q21
(p,q complex)
Suppose system consists of two bits has four
possible states 00gt , 01gt , 10gt , 11gt
Quantum view
System is in state p100gtp201gtp310gtp411gt
where p12p22p32p421
When measured, system will collapse to ith state
w.prob pi2.
Note Need 2n numbers to keep track of state of
n-bit system.
6World View
Democritos ? Newton ? Einstein
Underlying everything are small particles
interacting locally using simple well-defined
rules (billiard balls).
Quantum Mechanics
Nature has a secret HUGE piece of paper
containing gt210000000000000000 complex numbers,
keeping track of a superposition of all particles
in the world, but allows us only to make some
specific measurements of these numbers.
Corollary We do not know how to simulate
quantum system of n particles for t time units in
time poly(n.t).
Rephrase There are some computations performed
by quantum systems of n particles and t time
units that we dont know to perform in a
classical computer in time poly(n,t)
Maybe can use quantum system to solve hard
computational problems??
7Quantum Computation State of the Art
- There is a mathematical model for computing
devices exploiting quantum mechanics quantum
computers.
- Many technical difficulties (and maybe
fundamental difficulties?) in building such
machines.
- (Unsurprisingly) there is no proof that quantum
computers are more powerful than classical
computers/Boolean circuits/Turing machines.
- There are polynomial algorithms for quantum
computers solving problems unknown to be
solvable classically in poly-time - Simulation of quantum system
- Factoring integers and discrete logs.
- There are hard problems with no quantum poly-time
algorithms - SAT, 3COL and all the NP-complete problems.
- Inverting many candidate one-way functions and
permutations, private key encryption and
signature schemes. - Problems on lattices (can be used for public-key
encryption).
8Quantum Computation And Cryptography
- If quantum computers can be built, then many
popular encryption and signature schemes can be
broken (RSA,Diffie-Hellman)
- However, there are still other candidates for
encryption schemes not known to be broken. This
is especially true for private key cryptography
and signature schemes.
- Many (but not all) of the proofs of security in
crypto carry over from the classical model to the
quantum model, as long as the underlying hard
problem is assumed hard for quantum computers.
- Exciting possibilities of using quantum mechanics
to obtain perfectly unconditionally secure
cryptography. Does not require full fledged
quantum computers prototype systems already
being built.
Quantum Key Distribution (QKD)
9Quantum Key Distribution
00gt11gt
Consider system of two bits initialized to 1/p2
00gt 1/p2 11gt
Give b1 to Alice and b2 to Bob.
According to QM until Alice measures b1, it is
completely random, but once she measures it
system collapses to either 00gt or 11gt
Thus Bob will measure the same value as Alice.
First idea for key exchange using QM
Alice
Eve
Bob
b1b2 00gt11gt
Measure b1
Measure b2
10First idea for key exchange using QM
Alice
Eve
Bob
b1b2 00gt11gt
Measure b1
Measure b2
Problem What if Eve measures b2 on the way and
learns it?
We cant stop Eve from doing so, but we need a
way for Bob to find out.
Problem can be solved but we need
- Learn more about operations allowed in QM.
- Assume Bob and Alice can exchange authenticated
but not secret classical messages.
11Unitary Operations
Consider system of one bit.
Classically, there are not many operations we can
perform on it keep it the same or invert it.
In QM, systems state is described as p0gtq1gt -
i.e., vector (p,q)2C2
According to QM, we can perform any operation A
on system that is
- Linear A(pp,qq) A(p,q) A(p,q)
- Norm-preserving If (p,q)pp2q2 1 then
A(p,q)1
- Orthogonal A(1,0)A0gt is perpendicular to
A(0,1)A1gt
(p,q) ? (p,q) if ppqq0
Example
H0gt 1/p2 0gt 1/p2 1gt 0gt 1gt
(1,1) H1gt 1/p2 0gt - 1/p2 1gt 0gt - 1gt
(1,-1)
H
12Key exchange using QM
Alice
Eve
Bob
b1b2 00gt11gt
With prob ½, apply H to b1
If YES apply H to b2
Measure b2
Measure b1.If b1? b2 abort protocol.
Lemma 1 If Eve did not measure b2 then b1b2
with prob 1.
Proof If they did not apply H then clearly b1b2
If both Alice and Bob apply H we get that b1b2 is
transformed to
HH00gt11gt (0gt1gt)(0gt1gt)(0gt-1gt)(0gt-1gt)
00gt10gt01gt11gt00gt-10gt-01gt11gt00gt
11gt
H0gt 1/p2 0gt 1/p2 1gt 0gt 1gt
(1,1) H1gt 1/p2 0gt - 1/p2 1gt 0gt - 1gt
(1,-1)
H
13Key exchange using QM
Alice
Eve
Bob
b1b2 00gt11gt
With prob ½, apply H to b1
If YES apply H to b2
Measure b2
Measure b1.If b1? b2 abort protocol.
Lemma 2 If Eve did measure b2 then b1? b2 with
prob 1/4.
Proof As example, assume that Eve measured b2
and collapsed b1b2 to 11gt
If both Alice and Bob apply H we get that b1b2 is
transformed to
HH11gt (0gt-1gt)(0gt-1gt) 00gt-10gt-01gt11gt
w.p. ½ this system collapses to either 10gt or
01gt and hence b1?b2
H0gt 1/p2 0gt 1/p2 1gt 0gt 1gt
(1,1) H1gt 1/p2 0gt - 1/p2 1gt 0gt - 1gt
(1,-1)
H
14Key exchange using QM
Alice
Eve
Bob
b1b2 00gt11gt
With prob ½, apply H to b1
If YES apply H to b2
Measure b2
Measure b1.If b1? b2 abort protocol.
Lemma 1 If Eve did not measure b2 then b1b2
with prob 1.
Lemma 2 If Eve did measure b2 then b1? b2 with
prob 1/4.
Idea Continue this for 2n steps, and discard all
bits that were made public. If did not abort,
Alice and Bob can be almost certain Eve did not
measure and has no information about undiscarded
bits.
Proof generalized to case that Eve applies
arbitrary unitary transformation.