
Information Security: Methods and Practices in Classical and Quantum Regimes

Cryptography

• What's that mean?
  ▫ Kryptos: hidden, secret
  ▫ Gráphō: to write
• What does it do?
  ▫ Encryption: plaintext → ciphertext
  ▫ Decryption: ciphertext → plaintext
• Why would you want that?
  ▫ Confidentiality
  ▫ Integrity, authentication, signing, interactive proofs, secure multi-party computation

Cryptology, Cryptanalysis, Cryptolinguistics

• Frequency analysis
• Brute force
• Differential
• Integral
• Impossible differential
• Boomerang
• Mod n
• Related key
• Slide
• Timing
• XSL
• Linear
• Multiple linear
• Davies' attack
• Improved Davies' attack

Demands for resilient crypto
• Auguste Kerckhoffs's principle
  ▫ Cipher practically indecipherable
  ▫ Cipher and keys not required to be secret
  ▫ Key communicable and retainable
  ▫ Applicable to telegraphic communication
  ▫ Portable and human effort efficient
  ▫ Easy to use
• Bruce Schneier
  ▫ "Secrecy … is a prime cause of brittleness… Conversely, openness provides ductility."
• Eric Raymond
  ▫ "Any security software design that doesn't assume the enemy possesses the source code is already untrustworthy; therefore, never trust closed source."
• Shannon's maxim
  ▫ "The enemy knows the system."

Classical Regime: Written language text

Transposition

• Exchange the position of two symbols in the text
• Like an anagram
• Scytale
E.g.
  text:   Hello world!
  cipher: eHll oowlr!d

Substitution

• Systematically exchange a symbol in the text with another symbol
• Caesar cipher, EXCESS-3
E.g.
  text:   Aabcd
  cipher: Ddefg

Poly-Alphabetic Substitution

• Repeated and dynamic substitution(s)
• Wehrmacht Enigma
• Series of rotors

One Time Pad

• Perfect secrecy
  ▫ Coined by Shannon
  ▫ H(M) = H(M|C)
• Requirements
  ▫ Perfect randomness
  ▫ Secure key generation and exchange
  ▫ Careful adherence to process

Classical Regime: Binary bit sequence

Secret Key Crypto


Symmetric Key Crypto
• The same (or similar) key
  ▫ For both encryption and decryption
• Data Encryption Standard
  ▫ 56 bit key
  ▫ Feistel network
  ▫ Broken in 1999 in 22 hours 15 minutes by Deep Crack
• Triple-DES
  ▫ 56 bit keys (3 unique)
  ▫ en-de-en-crypt
• Advanced Encryption Standard (Rijndael)
  ▫ 128-192-256 bit keys
  ▫ Substitution permutation network

Feistel Network
• Expansion
• Key mixing
• Substitution
• Permutation

Substitution Permutation Network
• Substitution
  ▫ 1/n input change → 1/2 output change
  ▫ confusion
• Permutation
  ▫ mix up inputs
  ▫ diffusion
• Round keys

Public Key Crypto
• Asymmetric keys
  ▫ public and private
• No pre-shared secret key
• Multiple use
• TLS, SSL, PGP, GPG, digital signatures

RSA
• Ron Rivest, Adi Shamir, Leonard Adleman; 1978
• Key generation
  ▫ Pick two distinct, large prime numbers: p, q
  ▫ Compute their product: n = pq
  ▫ Compute its totient: phi = (p-1)(q-1)
  ▫ Pick a public key exponent: 1 < e < phi, e and phi coprime
  ▫ Compute the private key exponent d: de ≡ 1 (mod phi)
• Encryption
  ▫ Forward padding
  ▫ Cipher = text ^ e (mod n), computed by exponentiation by squaring
• Decryption
  ▫ Text = cipher ^ d (mod n) = text ^ de (mod n) = text ^ (1+k*phi) (mod n) = text (mod n), since text ^ phi ≡ 1 (mod n) for text coprime to n (Euler's theorem)
  ▫ Reverse padding
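The key generation, encryption and decryption steps above, as an added example that is not part of the original slides: textbook RSA on constructed toy primes (61, 53), with exponentiation by squaring written out instead of Python's pow(). Padding, which the slides mention, is omitted, so this is the raw mathematics only.

```python
# Added example (not from the original slides): textbook RSA on toy primes,
# with exponentiation by squaring written out rather than using pow().
from math import gcd

def modpow(base, exp, mod):
    """Exponentiation by squaring: O(log exp) multiplications mod `mod`."""
    result = 1
    base %= mod
    while exp > 0:
        if exp & 1:                       # low bit set: fold in the current square
            result = (result * base) % mod
        base = (base * base) % mod
        exp >>= 1
    return result

def modinv(a, m):
    """Extended Euclid: return d with a*d ≡ 1 (mod m); raises if gcd(a, m) != 1."""
    old_r, r, old_s, s = a, m, 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("no inverse: exponent not coprime to phi")
    return old_s % m

def keygen(p, q, e=17):
    """Toy RSA key generation as on the slide (p and q are assumed prime here)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not (1 < e < phi and gcd(e, phi) == 1):
        raise ValueError("e must satisfy 1 < e < phi and gcd(e, phi) == 1")
    d = modinv(e, phi)
    return (n, e), (n, d)

def encrypt(pub, m):          # raw RSA: the slide's "forward padding" is omitted
    n, e = pub
    return modpow(m, e, n)

def decrypt(priv, c):
    n, d = priv
    return modpow(c, d, n)

if __name__ == "__main__":
    pub, priv = keygen(61, 53)    # constructed toy primes: n = 3233, phi = 3120
    c = encrypt(pub, 65)
    print(pub, priv, c, decrypt(priv, c))
```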

Hybrid Crypto
• Diffie-Hellman key exchange
• Alice and Bob agree on a finite cyclic group G (multiplicative group of integers mod p)
  ▫ Prime modulus p
  ▫ Base g, primitive root mod p
• Alice picks a random natural number a and sends g^a mod p to Bob.
• Bob picks a random natural number b and sends g^b mod p to Alice.
• Alice computes (g^b mod p)^a mod p
• Bob computes (g^a mod p)^b mod p
• Both know g^ab mod p = g^ba mod p
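The exchange above, as an added example that is not part of the original slides: finite-field Diffie-Hellman over the constructed toy prime p = 23 with base g = 5, including the check that g really is a primitive root mod p (the condition the slide states for the base).

```python
# Added example (not from the original slides): finite-field Diffie-Hellman over
# a toy prime, including the check that the base g is a primitive root mod p.
import secrets

def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for toy sizes)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors

def is_primitive_root(g, p):
    """g generates all of (Z/pZ)* iff g^((p-1)/q) != 1 (mod p) for every prime q dividing p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))

def dh_exchange(p, g, a=None, b=None):
    """One exchange. a and b default to fresh random exponents in [1, p-2];
    fixed values may be passed to reproduce a worked case."""
    if not is_primitive_root(g, p):
        raise ValueError("g is not a primitive root mod p")
    a = a if a is not None else secrets.randbelow(p - 2) + 1
    b = b if b is not None else secrets.randbelow(p - 2) + 1
    A = pow(g, a, p)          # Alice -> Bob, sent in the clear
    B = pow(g, b, p)          # Bob -> Alice, sent in the clear
    k_alice = pow(B, a, p)    # (g^b mod p)^a mod p
    k_bob = pow(A, b, p)      # (g^a mod p)^b mod p
    assert k_alice == k_bob   # both equal g^(ab) mod p
    return A, B, k_alice

if __name__ == "__main__":
    # Constructed toy parameters: p = 23 is prime and 5 is a primitive root mod 23.
    print(dh_exchange(23, 5, a=6, b=15))
```

Nothing in this exchange authenticates A or B, which is the gap the Man in the Middle slide later in the deck points at.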

Quantum Regime: Breaking classical crypto

Peter Shor's Factorization Algorithm
• Polynomial time in log N: O((log N)^3)
• Polynomial gates in log N: O((log N)^2)
• Complexity class: Bounded-Error Quantum Polynomial (BQP)
• Transform from factoring to periodicity
  ▫ Pick 1 < a < N and find its period r (1 < r < N): a^r ≡ 1 (mod N)
  ▫ a^r − 1 = (a^(r/2) + 1)(a^(r/2) − 1) ≡ 0 (mod N)
  ▫ N = pq divides (a^(r/2) + 1)(a^(r/2) − 1), so gcd(a^(r/2) ± 1, N) yields p and q
• Quantum Fourier Transform
  ▫ Map x-space to ω-space
  ▫ Measure with 1/r^2 probability

Factor 15
• In 2001 IBM demonstrated Shor's Algorithm and factored 15 into 3 and 5
• NMR implementation with 7 qubits
• Pentafluorobutadienyl cyclopentadienyldicarbonyl-iron complex (C11H5F5O2Fe)
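The reduction from factoring to period finding, run on N = 15 as an added example (not from the slides, and not IBM's experiment): the period r is found here by brute force, standing in for the quantum Fourier transform step, and everything after that is the classical post-processing the slide describes.

```python
# Added example (not from the original slides): the classical part of Shor's
# algorithm. Period finding is done by brute force here in place of the QFT.
from math import gcd

def find_period(a, N):
    """Smallest r >= 1 with a^r ≡ 1 (mod N), assuming gcd(a, N) == 1.
    Brute force is exponential in log N; this is exactly the step the
    quantum order-finding routine makes polynomial."""
    x, r = a % N, 1
    while x != 1:
        x = (x * a) % N
        r += 1
    return r

def shor_classical(N, a):
    """Try base a. Returns a sorted non-trivial factor pair of N, or None if a is unlucky."""
    g = gcd(a, N)
    if g != 1:
        return tuple(sorted((g, N // g)))   # a already shares a factor with N
    r = find_period(a, N)
    if r % 2:
        return None                         # odd period: a^(r/2) is not an integer power
    y = pow(a, r // 2, N)
    if y == N - 1:
        return None                         # a^(r/2) ≡ -1: both gcds are trivial
    return tuple(sorted((gcd(y - 1, N), gcd(y + 1, N))))

def factor(N):
    """Sweep bases until one works. For N = 15 every coprime a except 14 succeeds."""
    for a in range(2, N):
        res = shor_classical(N, a)
        if res:
            return res
    return None

if __name__ == "__main__":
    print(find_period(7, 15), shor_classical(15, 7), factor(15))
```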

DWave
• Superconducting processors
• Adiabatic quantum algorithms
• Solving Quadratic Unconstrained Binary Optimization problems (QUBO is in NP)

Quantum Regime: Future proof cryptography

Quantum Key Distribution
• Quantum communication channel
  ▫ Single photon, entangled photon pair
• Preparation
  ▫ Alice prepares a state and sends it to Bob, who measures it
• Entanglement
  ▫ Alice and Bob each receive half of the pair and measure it

Non-Orthogonal Bases
• Complementary bases
  ▫ Basis A: { |0>, |1> }
  ▫ Basis B: { |+>, |-> }
• Indistinguishable transmission states
  ▫ |+> = 0.5 |0> + 0.5 |1>
  ▫ |-> = 0.5 |0> - 0.5 |1>
• Random choice of encoding and decoding bases
  ▫ Succeeds with p ≈ 0.5

True Random Number Generation
• Quantum mechanics at sub-atomic scale
  ▫ Shot noise
  ▫ Nuclear decay
  ▫ Optics
• Thermal noise
  ▫ Resistor heat
  ▫ Avalanche/Zener diode breakdown noise
  ▫ Atmospheric noise

EPR

•Einstein, Podolsky, Rosen (1935)

•Entangled qubits

•Violation of Bell Inequality

BB84
• Charles H. Bennett, Gilles Brassard (1984)
• Single photon source, polarization
• One way: Alice prepares and sends to Bob
  ▫ Psi encoded as random bits a in random bases b
• Bob measures
  ▫ Decoded in random bases b'
  ▫ 50% of bases match, giving successfully measured bits a' = a
• Measurement bases are shared publicly
  ▫ Throw away a, a' for b != b'

E91
• Artur Ekert (1991)
• Entangled photon source
  ▫ Perfect correlation: 100% a = a' if b = b'
  ▫ Non-locality: > 50% a <--> a'
  ▫ Eve's measurement reduces the correlation

B92
• Charles H. Bennett (1992)
• Dim signal pulse, bright reference pulse
  ▫ Maintains phase with a single qubit transmitted
• Bases: rectilinear, circular
  ▫ P0 = 1 - |u1><u1|: P0 |u1> = 0; applied to |u0> it gives outcome 1 with probability p = 1 - |<u0|u1>|^2 > 0
  ▫ P1 = 1 - |u0><u0|: P1 |u0> = 0; applied to |u1> it gives outcome 1 with probability p = 1 - |<u0|u1>|^2 > 0
• Throw away measurements != 1 (inconclusive outcomes)
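The two projectors above worked out numerically, as an added example that is not from the slides. It assumes the two non-orthogonal states |u0> = |0> and |u1> = |+> = (|0> + |1>)/√2 (normalised amplitudes), and shows why a click on P0 or P1 identifies the sent bit with certainty while the other outcomes are discarded.

```python
# Added example (not from the original slides): B92's unambiguous state
# discrimination for two real, non-orthogonal qubit states.
# Assumed states: |u0> = |0> and |u1> = |+> = (|0> + |1>)/sqrt(2).
import math

def inner(u, v):
    return sum(a * b for a, b in zip(u, v))

def complement_projector(u):
    """P = 1 - |u><u| as a 2x2 matrix; u is a normalised real 2-vector."""
    return [[(1.0 if i == j else 0.0) - u[i] * u[j] for j in range(2)] for i in range(2)]

def apply(P, v):
    return [sum(P[i][j] * v[j] for j in range(2)) for i in range(2)]

def click_probability(P, v):
    """Probability that projector P gives outcome 1 on state v: <v|P|v>."""
    return inner(v, apply(P, v))

def b92_outcomes(u0, u1):
    """{(projector, sent state): click probability} for both B92 projectors."""
    P0, P1 = complement_projector(u1), complement_projector(u0)
    return {
        ("P0", "u0"): click_probability(P0, u0),   # conclusive: 1 - |<u0|u1>|^2
        ("P0", "u1"): click_probability(P0, u1),   # exactly 0: never misidentifies u1 as u0
        ("P1", "u0"): click_probability(P1, u0),   # exactly 0
        ("P1", "u1"): click_probability(P1, u1),   # conclusive: 1 - |<u0|u1>|^2
    }

if __name__ == "__main__":
    u0 = [1.0, 0.0]
    u1 = [1 / math.sqrt(2), 1 / math.sqrt(2)]
    print(b92_outcomes(u0, u1))
```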

SARG04

• Scarani et al. (2004)

•Attenuated laser pulses

Information Reconciliation
• 1992: Bennett, Bessette, Brassard, Salvail, Smolin
• Cascade protocol, repetitious
• Compare block parity bits
  ▫ Odd count of 1s: parity bit = 1, so an even count of 1s is transmitted
  ▫ Even count of 1s: parity bit = 0, so an even count of 1s is transmitted
• Two-out-of-five code
  ▫ Every transmission has two 1s and three 0s
• Hamming codes
  ▫ Additional bits used to identify and correct errors
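The block-parity comparison at the heart of Cascade, as an added example that is not from the slides or the 1992 paper: Alice and Bob compare block parities over the public channel and bisect any block whose parities differ until the wrong bit is found. The sifted keys are constructed, and every parity bit revealed is counted, since it is information the next slide's privacy amplification must discount.

```python
# Added example (not from the original slides): the core step of the Cascade
# protocol, on constructed sifted keys that differ in two positions.

def parity(bits):
    return sum(bits) & 1

def bisect_fix(alice, bob, lo, hi, leaked):
    """Locate and flip one error in bob[lo:hi], given the block parities differ.
    Every parity Alice reveals is appended to `leaked`: it is public information."""
    while hi - lo > 1:
        mid = (lo + hi) // 2
        pa = parity(alice[lo:mid])
        leaked.append(pa)
        if pa != parity(bob[lo:mid]):
            hi = mid          # the error is in the left half
        else:
            lo = mid          # left halves agree, so it is in the right half
    bob[lo] ^= 1
    return lo

def cascade_pass(alice, bob, block):
    """One pass with a fixed block size; corrects bob in place.
    Returns (positions corrected, parity bits leaked). A block holding an even
    number of errors has matching parity and is missed in this pass, which is
    why real Cascade shuffles the key and repeats with larger blocks."""
    leaked, fixed = [], []
    for lo in range(0, len(alice), block):
        hi = min(lo + block, len(alice))
        pa = parity(alice[lo:hi])
        leaked.append(pa)
        if pa != parity(bob[lo:hi]):
            fixed.append(bisect_fix(alice, bob, lo, hi, leaked))
    return fixed, leaked

if __name__ == "__main__":
    alice = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 0, 1, 1]
    bob = list(alice)
    bob[5] ^= 1           # two constructed channel errors, one per 8-bit block
    bob[12] ^= 1
    print(cascade_pass(alice, bob, 8), bob == alice)   # corrects positions 5 and 12
```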

Privacy Amplification

• Shortened key length
• Universal hash function
  ▫ Range r
  ▫ Collision probability p < 1/r
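An added example (not from the slides) of the collision bound above, using the Carter and Wegman family h_{a,b}(x) = ((a·x + b) mod P) mod r as the concrete universal hash (an assumption; the slides do not name a family). It checks the bound exhaustively on toy parameters and then compresses a constructed reconciled key.

```python
# Added example (not from the original slides): privacy amplification with the
# Carter-Wegman universal family h_{a,b}(x) = ((a*x + b) mod P) mod r, and an
# exhaustive check that no pair of distinct inputs collides under more than
# a 1/r fraction of the family.
from itertools import combinations

def cw_hash(a, b, x, P, r):
    return ((a * x + b) % P) % r

def family(P, r):
    """All members h_{a,b}: a in 1..P-1, b in 0..P-1 (P prime)."""
    return [(a, b) for a in range(1, P) for b in range(P)]

def max_collision_probability(P, r):
    """Worst case over distinct inputs x != y in Z_P of Pr_{a,b}[h(x) == h(y)]."""
    fam = family(P, r)
    worst = 0.0
    for x, y in combinations(range(P), 2):
        hits = sum(cw_hash(a, b, x, P, r) == cw_hash(a, b, y, P, r) for a, b in fam)
        worst = max(worst, hits / len(fam))
    return worst

def amplify(key_bits, a, b, P, r_bits):
    """Compress a reconciled key (list of bits) to r_bits bits with h_{a,b}.
    a and b are chosen at random and announced publicly; P must exceed 2**len(key_bits)."""
    x = int("".join(map(str, key_bits)), 2)
    h = cw_hash(a, b, x, P, 1 << r_bits)
    return [(h >> i) & 1 for i in reversed(range(r_bits))]

if __name__ == "__main__":
    print(max_collision_probability(17, 4))               # at most 1/4
    print(amplify([1, 0, 1, 1, 0, 0, 1, 0], 5, 3, 257, 4))   # constructed 8-bit key -> 4 bits
```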

Quantum Regime: Attacks

Intercept and Resend
• Eve measures the qubit in basis b''
  ▫ 50% probability of correct measurement
• Eve resends a'' to Bob
  ▫ 25% probability of an incorrect bit at Bob
• Probability of detection
  ▫ P = 1 − (0.75)^n
  ▫ 99% in n = 16 bits
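A classical simulation of BB84 sifting with and without an intercept-and-resend Eve, serving both the BB84 slide and this one; it is an added example, not from the slides. Bases are encoded as 0 (rectilinear) and 1 (diagonal), the channel is assumed noiseless, and the seeded generator is only for reproducibility.

```python
# Added example (not from the original slides): BB84 sifting with and without
# an intercept-and-resend Eve, plus the slide's detection probability 1 - 0.75^n.
import random

def measure(bit, prep_basis, meas_basis, rng):
    """Same basis: the bit is recovered. Different basis: the outcome is a coin flip."""
    return bit if prep_basis == meas_basis else rng.randrange(2)

def bb84_round(n, eve, rng):
    """Return (sifted_alice, sifted_bob): bits kept where Alice's and Bob's bases agree."""
    a = [rng.randrange(2) for _ in range(n)]        # Alice's random bits
    b = [rng.randrange(2) for _ in range(n)]        # Alice's random bases
    b_bob = [rng.randrange(2) for _ in range(n)]    # Bob's random bases b'
    sent_bits, sent_bases = a, b
    if eve:   # Eve measures in her own basis b'' and resends what she saw in that basis
        b_eve = [rng.randrange(2) for _ in range(n)]
        sent_bits = [measure(a[i], b[i], b_eve[i], rng) for i in range(n)]
        sent_bases = b_eve
    a_bob = [measure(sent_bits[i], sent_bases[i], b_bob[i], rng) for i in range(n)]
    keep = [i for i in range(n) if b[i] == b_bob[i]]  # bases are announced publicly
    return [a[i] for i in keep], [a_bob[i] for i in keep]

def qber(n, eve, seed=1):
    """Fraction of sifted bits where Bob disagrees with Alice."""
    rng = random.Random(seed)   # seeded for reproducibility; real QKD needs true randomness
    sa, sb = bb84_round(n, eve, rng)
    return sum(x != y for x, y in zip(sa, sb)) / len(sa)

def detection_probability(n):
    """Probability that comparing n sifted bits exposes Eve: 1 - 0.75^n."""
    return 1 - 0.75 ** n

if __name__ == "__main__":
    print(qber(20000, eve=False), qber(20000, eve=True))   # ~0.0 and ~0.25
    print(detection_probability(16))                       # ~0.99
```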

Security Proofs
• BB84 is proven unconditionally secure against an adversary with unlimited resources, provided that:
  ▫ Eve cannot access Alice and Bob's encoding and decoding devices
  ▫ The random number generators used by Alice and Bob are trusted and truly random
  ▫ The classical communication channel is authenticated using an unconditionally secure authentication scheme

Man in the Middle

• Senders and recipients are indistinguishable on public channels
• Eve could pose as Bob
  ▫ Receiving some large portion of messages
  ▫ Responding promptly, at least before Bob
• Wegman-Carter authentication
  ▫ Alice and Bob share a secret key

Photon Number Splitting

• No true single photon sources
• Attenuated laser pulses
  ▫ Some small mean number of photons per pulse, e.g. 0.1
• If > 1 photon is present, splitting can occur without detection during reconciliation
• A secure key is still possible, but requires additional privacy amplification

Hacking
• Gain access to security equipment
  ▫ Foil random number generation
  ▫ Plant Trojan horse
• Faked state attack
  ▫ Eve: actively quenched detector module
• Phase remapping attack
  ▫ Move from { |0>, |1>, |+>, |-> } to { |0>, |δ/2>, |δ>, |3δ/2> }
• Time-shift attack
  ▫ Demonstrated to have ~4% mutual information gathered from the idQuantique ID-500 QKD

Denial of Service

• Stop Alice and Bob from communicating
  ▫ Via classical channel(s)
  ▫ Via quantum channel(s)
• Physically block transmissions
• Introduce large volume of errors

Quantum Regime: Commercially available devices

MagiQ – QPN 8505
• "Any sufficiently advanced technology is indistinguishable from magic." – Arthur C. Clarke
• Transmits qubit polarization over optical fiber
• 256 bit AES; 1,000 keys per second
• 140 km range, more with repeaters

idQuantique – Cerberis, Centauris
• Transmits qubit phase over optical fiber
• High speed layer 2 encryption
• 256 bit AES; 12 key-devices per minute, 100 km range

SmartQuantum – KeyGen, Defender
• Generate and distribute secret keys over quantum channel
• Use classical encryption and communication

Quintessence Labs

• G2 QKD
• Continuous variable brightness laser beams
  ▫ Cheaper than SPS
• Dense wavelength division multiplexing
  ▫ Erbium doped fiber amplifiers ~1550 nm

BBN Technologies

• DARPA QNet
  ▫ Fully operational October 23, 2003
  ▫ Harvard University
  ▫ Boston University
  ▫ BBN Technologies
• QKD
  ▫ Weak coherence
  ▫ 5 MHz pulse rate
  ▫ 0.1 mean photons/pulse

John Krah, University of Washington, Physics Department