
Page 1: Quantum Contract Signing

Quantum Contract Signing

Paulo Mateus, SQIG/IT – DM/IST/TULisbon

reporting joint work with J. Bouda, N. Paukovic, S. Vaudenay and V.R. Vieira

WECIQ 2010 - October 2010

Page 2: Quantum Contract Signing

Plan

Why do we need quantum cryptography: Shor’s cryptanalysis; quantum privacy attacks; classical threats.

Which cryptographic tasks can be improved: key distribution – BB84, E91; contract signing; …

Page 3: Quantum Contract Signing

Why we need quantum cryptography

All NIST security protocols rely on the hardness of two problems: factoring or discrete logarithm.

Their hardness is a recent conjecture (40 years)

Quantum computers can solve these problems in polynomial time.

Can we do the same with classical computers?

Page 4: Quantum Contract Signing

RSA Cryptosystem

n = pq with p and q primes; a·b = 1 mod φ(n), where φ(n) = (p−1)(q−1); a is the public key, b the private key.

e_a(x) = x^a mod n

d_b(y) = y^b mod n, so that x^{ab} = x mod n.

If the factorization of n is known, then one can efficiently obtain b from a with the extended Euclidean algorithm.

Page 5: Quantum Contract Signing

Shor’s Algorithm

Computes a factor of n in O(n^3). Requires a quantum computer! For that we need to understand what a quantum computer is.

Page 6: Quantum Contract Signing

Quantum cryptoanalysis

Quantum RAM computer. Memory: qubits + classical bits. Control: the usual imperative commands, endowed with unitary transformations applied to a set of qubits, and computational observation of qubits, storing the result of the observation in classical bits.

A quantum computer is probabilistic!!!

Page 7: Quantum Contract Signing

Shor’s algorithm

Quantum Fourier transformation: Hilbert space H of dimension n (log(n) qubits, with basis {|0>, |1>, ..., |n−1>})

QFT: H -> H

Page 8: Quantum Contract Signing

Shor’s algorithm

Finding a non-trivial factor of n reduces to finding the phase of an eigenvector of a particular unitary operation U_n:

U_n |v> = e^{iθ} |v>

Finding this phase can be done with the inverse of the quantum Fourier transformation over a state reachable from n.

The quantum Fourier transform (and its inverse) can be computed by a quantum computer in polynomial time.

Page 9: Quantum Contract Signing

Classical results

The best published asymptotic running time for a classical algorithm is for the general number field sieve (GNFS) algorithm, which, for a number with n bits, is:

O(exp(((64/9) n)^{1/3} (log n)^{2/3}))

Page 10: Quantum Contract Signing

General Number Field Sieve: we choose two polynomials f(x) and g(x) of small degrees d and e, with integer coefficients, irreducible over the rationals, and which, when interpreted mod n, have a common root m.

We consider the rings Z[r1] and Z[r2], where r1 and r2 are roots of the polynomials f and g, and look for values a and b such that r = b^d·f(a/b) and s = b^e·g(a/b) are smooth.

Using Gaussian elimination, we can get products of certain r and of the corresponding s to be squares at the same time.

Since m is a root of both f and g mod n, there are homomorphisms from the rings Z[r1] and Z[r2] to the ring Z/nZ which map r1 and r2 to m.

These homomorphisms will map each "square root" into its integer representative.

Two different square roots mod n allow one to obtain a factor of n.

Page 11: Quantum Contract Signing

Another approach

Try to simulate a quantum computer?!? Consider harmonic functions?!?

Reduce factoring to numerical integration over the complex plane

(P. Mateus & V. R. Vieira, Proceedings of the Royal Mathematical Society, 2010)

Page 12: Quantum Contract Signing

Another approach

Given a semiprime integer n = pq with p < q, consider the functions

h(z) = 1 − cos(πn/z) cos(πz),   g(z) = 1/h(z)

Plot on the slide: n = 15, p = 3, q = 5

Page 13: Quantum Contract Signing

Another approach

The residue of g at p is

Res(g, p) = lim_{z→p} d/dz [(z − p)² g(z)] = (1/(π² p)) · (2n/(p² + q²))²

Page 14: Quantum Contract Signing

Another approach

From the residue theorem we get that if γ is a Jordan curve that contains the pole p of g, then the contour integral of g along γ is determined by Res(g, p).

Page 15: Quantum Contract Signing

Another approach

From the argument principle we get that if γ is a Jordan curve that contains a zero of h, then the contour integral along γ given by the argument principle counts that zero.

Moreover, if γ does not contain any zero of h, then that integral vanishes.

Page 16: Quantum Contract Signing

Another approach

So, if one is able to compute the contour integral of, say, a thin ellipse (containing just the real zero of h), we can bisect the interval [2, n^{1/2}] to find p.

By observing that h(x, y) = u(x, y) + i v(x, y) and exploring the parities of u and v, we are able to obtain an explicit expression for the contour integral along an ellipse parametrized by an angle in [0, 2π].

Page 17: Quantum Contract Signing

Another approach

Unfortunately, tan⁻¹ has several branches, so we need to know in which branch we are.

This can be done by dividing the parameter interval into m subintervals and considering a numerical approximation on each subinterval.
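The bisection of the last three slides carried out numerically in Python, as an added example that is not the authors' implementation: zeros of h inside a thin rectangle (a Jordan curve, standing in for the slide's thin ellipse) are counted with the argument principle by accumulating the phase of h along small contour steps, which is exactly where the branch of tan⁻¹ has to be tracked. The strip half-height and the test values of n are choices made here, not bounds from the talk.

```python
import cmath
import math

def h(z, n):
    """h(z) = 1 - cos(pi*n/z) * cos(pi*z). For an odd semiprime n = p*q the only
    real zero of h in [2, sqrt(n)] is z = p, and it is a double zero."""
    return 1 - cmath.cos(math.pi * n / z) * cmath.cos(math.pi * z)

def zeros_in_rectangle(n, lo, hi, half_height=1e-4):
    """Argument principle: the winding number of h along the boundary of the
    rectangle [lo, hi] x [-half_height, half_height] counts the zeros inside
    (with multiplicity). Steps no longer than half_height keep every phase
    increment below pi, so the principal branch of atan2 can be accumulated
    step by step instead of guessing the branch of tan^-1."""
    corners = [complex(lo, -half_height), complex(hi, -half_height),
               complex(hi, half_height), complex(lo, half_height)]
    total, prev = 0.0, h(corners[0], n)
    for start, end in zip(corners, corners[1:] + corners[:1]):
        steps = max(1, math.ceil(abs(end - start) / half_height))
        for j in range(1, steps + 1):
            val = h(start + (end - start) * j / steps, n)
            total += cmath.phase(val / prev)        # increment in (-pi, pi]
            prev = val
    return round(total / (2 * math.pi))

def factor_by_bisection(n):
    """Bisect [2, sqrt(n)], keeping the half whose strip contains a zero of h,
    until the interval holds one integer. Assumes an odd semiprime n. The strip
    must be thin enough to exclude the non-real zeros of h, which approach the
    real axis as n grows; half_height = 1e-4 is adequate for the small n used
    below (a choice made for this toy version, not a bound from the authors)."""
    lo, hi = 2.0, math.sqrt(n)
    if zeros_in_rectangle(n, lo, hi) == 0:
        raise ValueError("no divisor of n in [2, sqrt(n)]")
    while hi - lo >= 1.0:
        mid = (lo + hi) / 2
        if zeros_in_rectangle(n, lo, mid) > 0:
            hi = mid
        else:
            lo = mid
    p = math.ceil(lo)
    if n % p:
        raise ArithmeticError("contour count inconsistent with n")
    return p, n // p

if __name__ == "__main__":
    for n in (15, 35, 77):
        print(n, factor_by_bisection(n))   # (3, 5), (5, 7), (7, 11)
```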

Page 18: Quantum Contract Signing

Open questions

We need to understand the number of subintervals m and have an error bound so that we know in which branch of tan⁻¹ the value lies.

Final complexity?

Page 19: Quantum Contract Signing

Privacy attacks – ZKP

Objectives and security properties

Pages 20–22: Quantum Contract Signing

Objectives and security properties of zero-knowledge proof systems (built up over these slides, with Alice proving to Bob and Eve as the third party):

1. Soundness

2. Completeness

3. Zero-knowledge

4. Impossibility of transferring proofs

Page 23: Quantum Contract Signing

Zero-Knowledge Proof System (Goldreich, Micali and Wigderson 84)

Bob; common input G0 ≅ G1, with an isomorphism G1 -> G0 known to Alice

Page 24: Quantum Contract Signing

Zero-Knowledge Proof System (Goldreich, Micali and Wigderson 84)

Bob, Alice

1. Alice generates an isomorphism G0 -> G2 and sends G2 to Bob.

G0 ≅ G1 (isomorphism G1 -> G0)

Page 25: Quantum Contract Signing

Zero-Knowledge Proof System (Goldreich, Micali and Wigderson 84)

Bob

2. Chooses r in {0,1} and sends r to Alice.
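The graph-isomorphism rounds of the last three slides in Python, as an added example rather than code from the talk: the response step (revealing a permutation that maps G_r to G2) and the simulator that fakes transcripts without the secret isomorphism are taken from the standard protocol, not from the slides; graphs are frozensets of edge tuples, and G1, SIGMA and G_OTHER are constructed here.

```python
import random

def apply_iso(graph, perm):
    """Relabel a graph (frozenset of edges (u, v), u < v) by a permutation."""
    return frozenset(tuple(sorted((perm[u], perm[v]))) for u, v in graph)

def random_perm(k, rng):
    return rng.sample(range(k), k)      # uniformly random permutation of 0..k-1

def compose(outer, inner):
    return [outer[x] for x in inner]    # (outer o inner)(x) = outer[inner[x]]

def prover_commit(G0, k, rng):
    """Step 1: Alice picks a random isomorphism pi and sends G2 = pi(G0)."""
    pi = random_perm(k, rng)
    return pi, apply_iso(G0, pi)

def prover_respond(pi, sigma, r):
    """Step 3 (standard protocol): reveal the isomorphism from G_r to G2, i.e.
    pi for r = 0 and pi o sigma for r = 1, sigma being Alice's secret G1 -> G0."""
    return pi if r == 0 else compose(pi, sigma)

def verifier_check(G0, G1, G2, r, tau):
    """Step 4: Bob checks that tau maps G_r to G2."""
    return apply_iso(G0 if r == 0 else G1, tau) == G2

def run_protocol(G0, G1, sigma, k, rounds, seed):
    """Completeness and soundness: an honest Alice passes every round; a prover
    without an isomorphism fails each round w.p. 1/2, since r is chosen after G2."""
    rng = random.Random(seed)
    for _ in range(rounds):
        pi, G2 = prover_commit(G0, k, rng)
        r = rng.randrange(2)
        if not verifier_check(G0, G1, G2, r, prover_respond(pi, sigma, r)):
            return False
    return True

def simulated_round(G0, G1, k, seed):
    """Zero-knowledge / non-transferability: without sigma, choose r first, draw
    tau at random and set G2 = tau(G_r); the triple verifies and is distributed
    exactly like a real round, so a transcript convinces no third party."""
    rng = random.Random(seed)
    r, tau = rng.randrange(2), random_perm(k, rng)
    return apply_iso(G0 if r == 0 else G1, tau), r, tau

# Constructed instance: G1 is a 5-cycle, G0 = SIGMA(G1); G_OTHER is a path (not isomorphic)
K, SIGMA = 5, [2, 0, 4, 1, 3]
G1 = frozenset({(0, 1), (1, 2), (2, 3), (3, 4), (0, 4)})
G0 = apply_iso(G1, SIGMA)
G_OTHER = frozenset({(0, 1), (1, 2), (2, 3), (3, 4)})
```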

Page 28: Quantum Contract Signing

Quantum attack (simplified)

Bob Eve

a) Prepares EPR pairs {|00>+|11>}_x, x in S, in a sealed machine and sends half of each pair to Paula.

h: graphs -> S = {0,1}^k

Page 29: Quantum Contract Signing

Quantum attack (simplified)

Bob Eve

a) Prepares EPR pairs {|00>+|11>}_x, x in S, in a tamper-proof device and sends half of each pair to Bob (Bob checks some with Eve, to see if they are OK).

h: graphs -> S = {0,1}^k

Page 30: Quantum Contract Signing

Bob

2. Chooses r in {0,1} and sends r to Vítor.

4. P verifies that the isomorphism received goes from G_r to G2.

Quantum attack (simplified)

G0 ≅ G1 (isomorphism G1 -> G0); {|0>+|1>}_x, x in S


Page 32: Quantum Contract Signing

Bob

2. r is the result of measuring qubit h(G2).

4. P verifies that the isomorphism received goes from G_r to G2.

Quantum attack (simplified)


Page 34: Quantum Contract Signing

Bob

2. r is the result of measuring qubit h(G2).

4. Bob verifies whether the isomorphism he got goes from G_r to G2, and sends all he got to Eve.

Quantum attack (simplified)

Page 35: Quantum Contract Signing

Quantum attack (simplified)

Bob Eve

b) Verifies whether the qubits from h(G2) are still in the EPR state, and confirms the result of the remaining ones.

Page 36: Quantum Contract Signing

Classical attack

The attack can be made with current classical tamper-proof devices.

Attacks all privacy methods with the exception of blind signatures.

The power of seals – P. Mateus & S. Vaudenay, CHES 2009

Page 37: Quantum Contract Signing

Why do we need quantum cryptography

Classical asymmetric cryptography may collapse very soon (RSA, digital signatures): e-commerce, e-banking, e-government, remote login (social networks, e-mail access).

Quantum computers; disproving badly stated maths conjectures; using badly stated assumptions (tamper-proof hardware).

Page 38: Quantum Contract Signing

Protocol Ekert 91

Requirements: random bit generation; EPR pair generation.

Page 39: Quantum Contract Signing

Protocol Ekert 91

Alice Bob

Page 40: Quantum Contract Signing

Protocol Ekert 91

Alice holds |1>A, |2>A, |3>A, |4>A, |5>A, |6>A, ...

Bob holds |1>B, |2>B, |3>B, |4>B, |5>B, |6>B, ...

Share n EPR pairs at state

Pages 41–48: Quantum Contract Signing

Protocol Ekert 91 (the slides build up the following table one step at a time)

Randomly generate a bit for each pair: 0 – measure with the computational observable {|0>,|1>}; 1 – measure with the diagonal observable {|+>,|->}

Pair    Alice bit   Alice outcome   Bob bit   Bob outcome
|1>     0           1               0         1
|2>     1           +               0         0
|3>     0           0               1         +
|4>     1           -               1         -
|5>     0           1               0         1
|6>     1           +               1         +
...

Ignore observations for which the random bits do not coincide (pairs 2 and 3 above)

Confirm that Eve did not interfere and check the quality of the EPR pairs

The shared key is constructed from the remaining observations

Theorem (Mayers 01, Shor and Preskill 01): The Ekert 91 protocol has perfect security.
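A constructed Python model of the sifting and checking steps just tabulated, added here and not the authors' code: in this toy model same-basis measurements of an undisturbed pair always agree, the `noise` parameter stands in for interference or poor pairs, and the six pairs from the slides are embedded as `SLIDE`.

```python
import random

BIT_OF = {"0": 0, "1": 1, "+": 0, "-": 1}   # outcome symbol -> key bit

def outcome(basis_bit, value):
    """Label an outcome as the slides do: {0,1} for the computational basis
    (basis bit 0), {+,-} for the diagonal basis (basis bit 1)."""
    return ("0", "1")[value] if basis_bit == 0 else ("+", "-")[value]

def measure_pairs(n, rng, noise=0.0):
    """Constructed toy model of n shared EPR pairs: each party draws a random
    basis bit; equal bases give identical outcomes, unequal bases independent
    ones. With probability `noise` a pair was disturbed in transit, so Bob's
    outcome is independent of Alice's even when the bases agree."""
    a_bits, b_bits, a_out, b_out = [], [], [], []
    for _ in range(n):
        ab, bb = rng.randrange(2), rng.randrange(2)
        a = rng.randrange(2)
        b = a if ab == bb and rng.random() >= noise else rng.randrange(2)
        a_bits.append(ab); b_bits.append(bb)
        a_out.append(outcome(ab, a)); b_out.append(outcome(bb, b))
    return a_bits, b_bits, a_out, b_out

def sift(a_bits, b_bits, a_out, b_out):
    """Keep only the positions whose random basis bits coincide."""
    return [(i, a_out[i], b_out[i]) for i in range(len(a_bits)) if a_bits[i] == b_bits[i]]

def check_and_extract(sifted, sample_every=2, max_error=0.1):
    """Publicly compare every `sample_every`-th sifted outcome to estimate the
    error rate (interference by Eve or poor pairs); abort above `max_error`,
    otherwise build the key from the outcomes that were not revealed."""
    sample = sifted[::sample_every]
    errors = sum(1 for _, a, b in sample if a != b)
    if sample and errors / len(sample) > max_error:
        return None
    return [BIT_OF[a] for j, (_, a, _) in enumerate(sifted) if j % sample_every]

def run_e91(n, seed, noise=0.0):
    """Full run on n pairs with a seeded RNG; returns the key, or None on abort."""
    rng = random.Random(seed)
    return check_and_extract(sift(*measure_pairs(n, rng, noise)))

# The six pairs tabulated on the slides: basis bits and outcomes of Alice and Bob
SLIDE = ([0, 1, 0, 1, 0, 1], [0, 0, 1, 1, 0, 1],
         ["1", "+", "0", "-", "1", "+"], ["1", "0", "+", "-", "1", "+"])
```

On `SLIDE`, sifting keeps pairs 1, 4, 5 and 6; revealing pairs 1 and 5 shows no errors, and the key [1, 0] comes from the outcomes "-" and "+" of pairs 4 and 6.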

Page 49: Quantum Contract Signing

Perfect security

Proof (sketch): All that Eve can do to the pairs is described by a POVM; a POVM P induces a random variable V_P; let X be the random variable describing the generated key and n the size of the key; there exists c such that for all POVM P,

n − H(X | V_P) ∈ O(2^{−cn});

analytical properties of POVMs lead to the above result.

Page 50: Quantum Contract Signing

Problems

Man-in-the-middle attack; requires an authenticated channel for Alice and Bob to communicate classically; using classical authentication ensures future security of the transmitted data.

Page 51: Quantum Contract Signing

Classical contract signing

Context: Alice and Bob share a message m; Alice and Bob are signing agents through a PKI; Alice and Bob do not trust each other.

Objective: Alice and Bob want to exchange each other's signature of m.

Fairness condition: either both Alice and Bob receive each other's signature, or neither does.

Page 52: Quantum Contract Signing

Classical contract signing

Theorem: In asynchronous networks there is no diligent fair contract signing protocol without communicating with a common trusted party.

Proof: reduction to the impossibility of Byzantine agreement.

There are probabilistic fair contract signing protocols…

Page 53: Quantum Contract Signing

Quantum contract signing

Context: Alice and Bob share a message m; Alice and Bob are signing agents through a PKI; Alice and Bob do not trust each other; Alice and Bob can share entangled memory, perform quantum computation and exchange quantum information.

Objective: Alice and Bob want to exchange, in a fair way, each other's signature of m.

Page 54: Quantum Contract Signing

Quantum contract signing

Theorem: In asynchronous quantum networks there is no diligent fair contract signing protocol without communicating with a common trusted party.

Proof: reduction to the impossibility of quantum Byzantine agreement.

There are improvements over probabilistic fair contract signing protocols…

Page 55: Quantum Contract Signing

Can decoherence be good?

Decoherence can be used as a global clock and implements global synchronization.

Ideal decoherence for contract signing: start with a pure state, end with a mixed state.

Page 56: Quantum Contract Signing

Werner state

Consider the following Werner state

ρ(θ) = θ |ψ><ψ| + (1 − θ) f,   with |ψ> the pure (entangled) component and f the mixed component,

that evolves according to the following catastrophic decoherence:

θ(t) = 1 if t < t_c

θ(t) = 0 otherwise

Page 57: Quantum Contract Signing

Quantum contract signing

Protocol setup: Alice shares with a trusted agent (the Judge) n pairs of qubits in the Werner state; similarly for Bob. It is assumed that Alice and Bob may change their minds about the contract up to time t_c.

Protocol run: if Alice receives the message signed by Bob before time t_c, she measures her half of the qubits in the computational basis; otherwise she measures in the diagonal basis. Similarly for Bob. No communication with the Judge!!!!

Page 58: Quantum Contract Signing

Quantum contract signing

Commitment verification: if somebody, say Alice, wants to enforce the contract, she must show the outputs of the computational measurements to the Judge, who checks locally whether the measurements match.

If all the measurements coincide, the Judge accepts that Alice was committed to the contract before time t_c.

Then the Judge asks Bob whether he was not committed to the contract; for that, Bob needs to show his measurements in the diagonal basis. If all those measurements match, the contract is void; otherwise it is valid.

Page 59: Quantum Contract Signing

Contract signing protocol

Theorem: If Alice and Bob committed to the contract before time t_c, then the contract is void with exponentially small probability (in n). Moreover, if either Alice or Bob was not committed to the contract, then the contract is valid with exponentially small probability.

Corollary: The protocol is fair.
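A constructed Python model of the setup, run and verification of the last three slides, added here and not taken from the paper: each Judge–agent pair is reduced to its measurement statistics under the catastrophic decoherence of the Werner state, so a party who measures after t_c, or who claims a basis she did not measure in, passes the Judge's check only with probability 2^−n. Time units, n = 40 and the RNG seed are choices made for the example.

```python
import random
COMP, DIAG = "computational", "diagonal"

class JudgePair:
    """One Werner-state pair shared by the Judge and an agent (toy model built
    here). Before t_c it is maximally entangled: the first measurement, in either
    basis, fixes both halves in that basis. At t_c the catastrophic decoherence
    turns an unmeasured pair into the fully mixed state (uniform, uncorrelated)."""
    def __init__(self, rng):
        self.rng, self.state = rng, "entangled"
    def decohere(self):
        if self.state == "entangled":
            self.state = "mixed"
    def measure(self, basis):
        if self.state == "entangled":
            value = self.rng.randrange(2)
            self.state = ("collapsed", basis, value)
            return value
        if self.state == "mixed":
            return self.rng.randrange(2)
        _, fixed_basis, value = self.state
        return value if basis == fixed_basis else self.rng.randrange(2)

def agent_measures(pairs, received_signature, t, t_c):
    """Protocol run: at time t the agent measures all her halves, in the
    computational basis if the other's signed message arrived, else diagonal."""
    if t >= t_c:
        for pair in pairs:
            pair.decohere()
    basis = COMP if received_signature else DIAG
    return [pair.measure(basis) for pair in pairs]

def judge_accepts(pairs, basis, claimed):
    """The Judge measures his halves in the claimed basis and accepts only if
    all n outcomes coincide; a false claim survives each position w.p. 1/2."""
    return all(pair.measure(basis) == c for pair, c in zip(pairs, claimed))

def enforce(alice_pairs, alice_claim, bob_pairs, bob_claim):
    """Commitment verification: Alice proves commitment with computational
    outcomes, then Bob may show diagonal outcomes to prove he was not committed."""
    if not judge_accepts(alice_pairs, COMP, alice_claim):
        return False
    return not judge_accepts(bob_pairs, DIAG, bob_claim)

def run(alice_got_sig, t_alice, bob_got_sig, t_bob, n=40, t_c=10, seed=3):
    """One execution with n pairs per agent; returns True iff the contract is valid."""
    rng = random.Random(seed)
    alice, bob = [JudgePair(rng) for _ in range(n)], [JudgePair(rng) for _ in range(n)]
    a_claim = agent_measures(alice, alice_got_sig, t_alice, t_c)
    b_claim = agent_measures(bob, bob_got_sig, t_bob, t_c)
    return enforce(alice, a_claim, bob, b_claim)
```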

Page 60: Quantum Contract Signing

Quantum contract signing

Problem: how does Alice know whether Bob was committed or not?

Solution: the Judge shares 2n Werner states with each agent and gives n of the qubits shared with Alice to Bob, and vice versa.

Protocol modifications: after measuring, each agent has to publish the outputs of the measurements and the basis in which each was measured.

Page 61: Quantum Contract Signing

Implementing Werner states

Approximation with realistic noise models; quantum sealed devices; impossibility of storing a stable entangled quantum system.

Page 62: Quantum Contract Signing

Quantum contract signing

With decoherence we can make fair contract signing protocols!!!

Clear implementation with quantum sealed devices, or by taking into account that quantum states decay...

Published in IJQC; PRL version without tamper-proof devices, with an idea from N. Paunkovic.

Page 63: Quantum Contract Signing

Conclusions

Classical crypto is based on bad conjectures. According to the laws of physics these conjectures do not hold for quantum computers.

Even for classical computers nobody knows. Quantum cryptographic protocols are implementable with optical fiber technology! Which security tasks can be improved?