Shor's algorithm and secret sharing
Libor Nentvich: QC, 23 April 2007

Goals:
1. To explain why factoring is important.
2. To describe the oldest and most successful public key cryptography.
3. Knowing the period is equivalent to breaking RSA.
4. To explain how to compute quantum mechanically.
5. To explain Shor's algorithm.

Easy and hard problems

EASY                 HARD
multiply             factoring (Q)
determinant          permanent
Gauss elimination    knapsack
sorting              discrete logarithm (Q)
primality testing    traveling salesman problem
LL(1) parsing        belonging to LL
encryption           decryption (Q)

Example (easy)
$p = 738873402423833494183027176953$
$q = 3787776806865662882378273$
$p \cdot q = 2798687536910915970127263606347911460948554197853542169$

Example (hard)
$p \cdot q = 3809798755658743385477098607864681010895851155818383984810724595108122710478296711610558197642043079$
$p = ?$  $q = ?$

Why does one need hard problems?
- Secure communication over networks, bank transactions
- Distribution of keys
  - By classical trusted channels
  - By quantum mechanical trusted channels
  - By public key algorithms

Possible solutions (public key)
One needs easily computable but hard-to-invert functions:
1. Modular arithmetic
2. Elliptic curves
3. Knapsack
4.

RSA: an idea
- Easy to find large primes
- Easy to multiply, to make powers
- Hard to factorise
- Factoring is the only known door

1. 1969 - James Ellis at GCHQ had an idea of public key cryptography
2. 1973 - Clifford Cocks at GCHQ discovered RSA
3. 1975 - Whitfield Diffie and Martin Hellman did the same as Ellis
4. 1977 - Ronald Rivest, Adi Shamir and Leonard Adleman

Bibliography (Number theory, RSA, Cryptography)
1. S. Singh, Kniha kódů a šifer, Argo+Dokořán, Praha, 2003
2. W. Stein, Elementary number theory, 2004 (on-line)
3. A. Menezes, P. van Oorschot, S. Vanstone, Handbook of applied cryptography, CRC Press, 1997 (on-line)

Creating the keys
Alice wants to receive some secret messages by RSA.
1. She chooses two large primes $p$, $q$ and computes $n = p \cdot q$.
2. She computes $\varphi(n) = (p - 1)(q - 1)$ and chooses a number $d$ that is invertible in $\mathbb{Z}_{\varphi(n)}$. Her secret key will be the pair $(n, d)$.
3. She computes the inverse $e = d^{-1}$ in $\mathbb{Z}_{\varphi(n)}$. The pair $(n, e)$ will be the public key.

Bob sends a message to Alice
1. Bob computes $z = w^e$ in $\mathbb{Z}_n$ using Alice's public key $(n, e)$.
2. Bob sends $z$ to Alice by a public channel.
3. Alice receives $z$ and computes $w = z^d$ in $\mathbb{Z}_n$.

Example
1. Bob wants to send the message PUBLIC KEY CRYPTOGRAPHY to Alice using her public key (2537, 13).
2. Bob first translates the letters into their numerical equivalents and then groups these numbers into blocks of four:
   1520 0111 0802 1004 2402 1724 1519 1406 1700 1507 2423
3. Bob encrypts each plaintext block into a ciphertext block, using the formula $z = w^{13} \bmod 2537$. Encrypting all the plaintext blocks, he obtains the ciphertext message
   0095 1648 1410 1299 0811 2333 2132 0370 1185 1957 1084
4. To decrypt the message, Alice uses her private key (2537, 937) and proceeds like Bob.

Example
1. Eve receives the following message
   1402590192 4491156271 5456170360 6218336917 7495217553 3838307479 8636900168 3433148116 7995123149 9324473812
   knowing the public key is
   (3809798755 6587433854 7709860786 4681010895 8511558183 8398481072 4595108122 7104782967 1161055819 7642043079, 55589).
2. She also knows the ASCII code was used.
3. Decrypt the message!

1. Brute force attack
2. Factoring $n$ knowing $\varphi(n)$
3. Factoring $n$ if $p$ and $q$ are close
4. Factoring $n$ knowing $d$ (key ingredient in Shor's algorithm)
5. Other techniques?

Open problem: Is breaking RSA equivalent to factoring $n$?
Question: Can a proof of the Generalized Riemann Hypothesis threaten the security of RSA?

Algorithm in (4) and example
1. We know that $a^{ed} \equiv a \pmod n$ for each $a$. Then $m = ed - 1$ satisfies $a^m \equiv 1 \pmod n$ for all $a$ coprime to $n$.
2. If $m$ is even and $a^{m/2} \equiv 1 \pmod n$ for several randomly chosen $a$, set $m \leftarrow m/2$ and go to step 1. Otherwise let $a$ be such that $a^{m/2} \not\equiv 1 \pmod n$.
3. Compute $g \leftarrow \gcd(a^{m/2} - 1, n)$.
4. If $g > 1$ we are done, otherwise go to step 2 and choose a different $a$.

Algorithm in (4) and example
1. Somehow we discover that the RSA cryptosystem with encryption key (32295194023343, 29468811804857) has the decryption key (32295194023343, 11127763319273). We use the previous algorithm to factor 32295194023343. Let $m = ed - 1 = 327921963064646896263108960$.
2. For each $a \le 20$ we find that $a^{m/2} \equiv 1 \pmod n$. So we replace $m \leftarrow m/2 = 163960981532323448131554480$.

Algorithm in (4) and example, continued
1. Again we find that $a^{m/2} \equiv 1 \pmod n$. So we replace $m$ by 81980490766161724065777240. Yet again, for each $a \le 20$, $a^{m/2} \equiv 1 \pmod n$, so we replace $m$ by 40990245383080862032888620. This is enough, since $2^{m/2} = 4015382800099 \bmod n$.
2. Then $g = \gcd(2^{m/2} - 1, n) = 737531$, and we have found a factor of $n$.
3. Then dividing $n$ by $g$ we find that $n = 737531 \cdot 43788253$.

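
The halving procedure above, run on the slide's key pair, as an added Python example that is not part of the original slides. The function name and the use of the fixed bases 2..20 in place of randomly chosen $a$ are assumptions of this example.

```python
from math import gcd

def factor_from_private_key(n, e, d, bases=range(2, 21)):
    """Factor n from a full RSA key pair (n, e), (n, d) by halving m = e*d - 1."""
    m = e * d - 1                        # step 1: a**m = 1 (mod n) for a coprime to n
    while m % 2 == 0:
        half = m // 2
        all_one = True
        for a in bases:
            if gcd(a, n) > 1:            # a itself already shares a factor with n
                g = gcd(a, n)
                return tuple(sorted((g, n // g)))
            t = pow(a, half, n)
            if t == 1:                   # step 2: this a says "keep halving"
                continue
            all_one = False
            g = gcd(t - 1, n)            # step 3
            if g > 1:                    # step 4: non-trivial factor found
                return tuple(sorted((g, n // g)))
            # here t = -1 (mod n): step 4 says try a different a
        if not all_one:
            break                        # bases exhausted without success
        m = half                         # step 2: every base gave 1, halve m
    raise ValueError("no factor found with these bases")

if __name__ == "__main__":
    # Key pair from the slide example.
    print(factor_from_private_key(32295194023343, 29468811804857, 11127763319273))
    # The small key from the encryption example; a = 2 fails here and a = 3 succeeds.
    print(factor_from_private_key(2537, 13, 937))
```
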
How to break RSA?
The crucial point of the previous algorithm was not the knowledge of the decryption key, but the fact that we knew a multiple of the period of the function $f(x) = a^x \bmod n$.

Breaking RSA algorithm
1. Choose $a$ at random.
2. Compute the period $r$ of the function $f(x) = a^x \bmod n$.
3. If $r$ is even compute $t = a^{r/2} \bmod n$, otherwise go to step 1.
4. If $t + 1 \equiv a^{r/2} + 1 \not\equiv 0 \pmod n$, then $\gcd(t - 1, n) > 1$ and $\gcd(t + 1, n) > 1$, otherwise go to step 1.

There is at least a 50% probability that a randomly chosen $a$ satisfies all conditions in the above algorithm.

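
The four steps above applied to the public key (2537, 13) from the encryption example, as an added Python example that is not part of the original slides. The period is found by brute force, which stands in for the quantum step and is only feasible for a toy modulus; the function names and trying $a = 2, 3, \dots$ in order instead of at random are assumptions of this example.

```python
from math import gcd

def period(a, n):
    """Smallest r > 0 with a**r = 1 (mod n), by brute force (needs gcd(a, n) = 1)."""
    r, y = 1, a % n
    while y != 1:
        y = y * a % n
        r += 1
    return r

def factor_via_period(n):
    """Steps 1-4 of the slide; returns the two factors in ascending order."""
    for a in range(2, n):                # step 1 (deterministic instead of random)
        g = gcd(a, n)
        if g > 1:                        # a already shares a factor with n
            return tuple(sorted((g, n // g)))
        r = period(a, n)                 # step 2
        if r % 2:                        # step 3: need an even period
            continue
        t = pow(a, r // 2, n)
        if (t + 1) % n == 0:             # step 4: t = -1 (mod n) tells us nothing
            continue
        g = gcd(t - 1, n)
        return tuple(sorted((g, n // g)))
    raise ValueError("no factor found")

def recover_private_exponent(n, e):
    """Rebuild d = e^-1 in Z_phi(n) once n is factored (key creation, step 3)."""
    p, q = factor_via_period(n)
    return pow(e, -1, (p - 1) * (q - 1))

N, E = 2537, 13                          # public key from the slide example
D = recover_private_exponent(N, E)

if __name__ == "__main__":
    print(factor_via_period(N), D)       # factors and the private exponent
    print(pow(1520, E, N))               # Bob's first block "1520" encrypted
    print(pow(95, D, N))                 # ciphertext block "0095" decrypted
```
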
The following are equivalent:
1. Turing machine
2. Flowcharts
3. Recursive function
4. Lambda calculus
5. Classical circuit model
6. Quantum circuit model

Turing machine
[Figure: tape with cells 0 1 1 0 1 1 1 0 0 0 1 1 0 0]

Flowchart
[Figure: flowchart with the decision x = 0 (YES / NO branches) and assignment boxes for x and y]

Recursive function
f(n) = 0
g(n) = n + 1
h(n, m, p) = n + m n
f(0) = 8
f(n + 1) = n + 5 f(n)

Lambda calculus
λx.yx
λx.y(λx.y)
(λxy.yx)y

Classical circuit
[Figure: circuit with inputs x and y, an AND gate and an XOR gate; output labels c, x, y]

Quantum circuit
[Figure: gate symbols for Identity, NOT (X), Hadamard (H), Controlled NOT and Toffoli]

Semantics of quantum circuit
We describe the action of the circuits on the base vectors. We extend the action to all vectors by linearity.

Identity: $|0\rangle \mapsto |0\rangle$, $|1\rangle \mapsto |1\rangle$
X (NOT): $|0\rangle \mapsto |1\rangle$, $|1\rangle \mapsto |0\rangle$
H (Hadamard): $|0\rangle \mapsto \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$, $|1\rangle \mapsto \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$

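Semantics of quantum circuit, continued

cnot (Controlled NOT):
$|00\rangle \mapsto |00\rangle$
$|01\rangle \mapsto |01\rangle$
$|10\rangle \mapsto |11\rangle$
$|11\rangle \mapsto |10\rangle$

Toffoli:
$|000\rangle \mapsto |000\rangle$
$|001\rangle \mapsto |001\rangle$
$|010\rangle \mapsto |010\rangle$
$|011\rangle \mapsto |011\rangle$
$|100\rangle \mapsto |100\rangle$
$|101\rangle \mapsto |101\rangle$
$|110\rangle \mapsto |111\rangle$
$|111\rangle \mapsto |110\rangle$
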
Quantum logical circuit
Quantum NOT: input x, gate X, output NOT x.
Quantum AND: inputs x, y, 0; outputs x, y, x AND y.
[Figure: circuit diagrams of both gates]

Quantum logical circuit, continued
Quantum XOR: inputs x, 1, y; outputs x, 1, x XOR y.
Quantum COPY: inputs x, 1, 0; outputs x, 1, x.
[Figure: circuit diagrams of both gates]

Classical and quantum half adder
Classical half adder
[Figure: circuit with inputs x and y, an AND gate and an XOR gate; output labels c, x, y]

Shor's Algorithm

Shor's Algorithm
In the previous section we showed that the knowledge of the period of the function $f(x) = a^x \bmod n$ is sufficient to factor $n$ with high probability. The main task of Shor's algorithm is to find such a period.

Shor's Algorithm: false approach
We begin by using our quantum computer to construct the state
$$\sum_{x=0}^{2^t-1} |x\rangle |f(x)\rangle.$$
Then we measure the output register. If the measurement yields the value $f_0$, then the rule of measurement tells us that the state of the input register will be
$$|\psi\rangle = \sum_{j=0}^{m-1} |k + jr\rangle.$$
Here $k$ is the smallest value of $x$ at which $f(x) = f_0$ and $m$ is the smallest integer for which $mr + k \ge 2^t$.

Shor's Algorithm: false approach, continued
If we could produce a small number of identical copies of the state $|\psi\rangle$ we would be done. But this is impossible by the no-cloning theorem. And if we ran the whole algorithm again, we would end up with a state $|\psi\rangle$ for another random value $k$.

[Circuit diagram: Hadamard gates H on the first-register qubits, each initialised to 0, followed by $U_f$ acting on both registers; the second register is initialised to $0^s$]

Quantum Fourier transformation
The heart of Shor's algorithm is the superfast quantum Fourier transform procedure. The quantum Fourier transform on the basis is given by
$$U_{FT} |x\rangle = \sum_{y=0}^{2^n-1} e^{2\pi i xy/2^n} |y\rangle.$$
Applying this transform on the state $|\psi\rangle$ above yields
$$U_{FT} \sum_{j=0}^{m-1} |k + jr\rangle = \sum_{y=0}^{2^n-1} e^{2\pi i ky/2^n} \sum_{j=0}^{m-1} e^{2\pi i jry/2^n} |y\rangle.$$
If we now make a measurement, the probability that we obtain valuable information about $r$ is at least 40%.

Shor's Algorithm
1. Classical part.
2. Quantum mechanical part.

Classical part
1. If $N$ is divisible by 2 then return 2.
2. For $a \ge 1$ and $b \ge 2$, if $N = a^b$ then return $a$.

This can be done classically.

Quantum mechanical part
1. Choose $1 < x < N$. If $\gcd(N, x) > 1$ then return $f = \gcd(N, x)$.
2. Select $t$ resp. $s$ such that $N^2 < 2^t$ resp. $N \le 2^s$.
   - $|\psi_1\rangle$: Initialize register 1, which is $t$ qubits in size, to $|0^t\rangle$ and register 2, which is $s$ qubits in size, to $|0^s\rangle$.
   - $|\psi_2\rangle$: Create a superposition on register 1: $\sum_{a=0}^{2^t-1} |a\rangle |0^s\rangle$.
   - $|\psi_3\rangle$: Compute $f(a) = x^a \bmod N$ using a quantum circuit, to get the superposition $\sum_{a=0}^{2^t-1} |a\rangle |x^a \bmod N\rangle$.
   - $|\psi_4\rangle$: Measure the second register. Now the first register contains the periodic superposition $\sum_{j=0}^{2^t/r-1} |jr + k\rangle$ for some $k$.
   - $|\psi_5\rangle$: Apply the QFT on the first register and measure it.
3. Find the period $r$ of $f(a) = x^a \bmod N$. If $r$ is even, compute $a = \gcd(x^{r/2} + 1, N)$. If $a > 1$ then return $a$. Otherwise go to step 1.

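[Circuit diagram: Hadamard gates H on the $t$ qubits of register 1, $U_f$ acting on both registers (register 2 initialised to $0^s$), then the QFT and measurement on register 1; the stages $\psi_1$ to $\psi_5$ are marked along the circuit]
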
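
The stages $\psi_4$ and $\psi_5$ and the final step 3 can be followed numerically for small $N$. This is an added Python example, not part of the original slides: it computes the measurement distribution after the QFT classically and recovers $r$ from likely outcomes $y$ using $y/2^t \approx j/r$ and a continued-fraction approximation. The function names, the probability threshold and the use of `Fraction.limit_denominator` for the classical post-processing are assumptions of this example.

```python
import cmath
from fractions import Fraction
from math import gcd

def register_after_measurement(x, N, t, k):
    """psi_4: all a < 2^t with x^a mod N equal to the measured value x^k mod N."""
    seen = pow(x, k, N)
    return [a for a in range(2 ** t) if pow(x, a, N) == seen]

def qft_distribution(support, t):
    """psi_5: outcome probabilities after the QFT of a uniform state on support."""
    Q, m = 2 ** t, len(support)
    return [abs(sum(cmath.exp(2j * cmath.pi * a * y / Q) for a in support)) ** 2
            / (Q * m) for y in range(Q)]

def period_candidates(x, N, t, k=1, threshold=0.01):
    """Turn every likely outcome y into a period via y / 2^t ~ j / r."""
    probs = qft_distribution(register_after_measurement(x, N, t, k), t)
    found = set()
    for y, p in enumerate(probs):
        if y == 0 or p < threshold:
            continue
        r = Fraction(y, 2 ** t).limit_denominator(N).denominator
        if pow(x, r, N) == 1:            # keep only genuine periods
            found.add(r)
    return found

def factor_with_period(x, N, t):
    """Step 3 of the slide: a = gcd(x^(r/2) + 1, N) for an even period r."""
    for r in sorted(period_candidates(x, N, t)):
        if r % 2 == 0:
            a = gcd(pow(x, r // 2, N) + 1, N)
            if 1 < a < N:
                return a
    return None

if __name__ == "__main__":
    # N = 15, t = 8 (N^2 < 2^t): r = 4 divides 2^t, so the peaks are exact.
    print(period_candidates(7, 15, 8), factor_with_period(7, 15, 8))
    # N = 21, t = 9: r = 6 does not divide 2^t, the peaks are only near j * 2^t / r.
    print(period_candidates(2, 21, 9), factor_with_period(2, 21, 9))
```
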
Protocol BB84
1. Alice chooses $(4 + \delta)n$ random data bits.
2. Alice chooses a random $(4 + \delta)n$-bit string $b$ (control bits). She encodes each data bit as $\{|0\rangle, |1\rangle\}$ if the corresponding control bit of $b$ is 0, otherwise she encodes it as $\{|+\rangle, |-\rangle\}$.
3. Alice sends the resulting state to Bob.
4. Bob receives the $(4 + \delta)n$ qubits, announces this fact, and measures each qubit in the $\{|0\rangle, |1\rangle\}$ or $\{|+\rangle, |-\rangle\}$ basis at random.
5. Alice announces $b$.

Protocol BB84, continued
6. Alice and Bob discard any bits where Bob measured in a different basis than Alice had prepared. There are at least $2n$ bits left (if not, abort the protocol). They keep $2n$ bits.
7. Alice selects a subset of $n$ bits that will serve as a check on Eve's interference, and tells Bob which bits she selected.
8. Alice and Bob announce and compare the values of the $n$ check bits. If more than an acceptable number disagree, they abort the protocol.

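
Steps 1 to 8 as an added Python simulation that is not part of the original slides; it shows how the check bits of step 8 expose interference on the channel. Assumptions: a qubit is modelled as a (bit, basis) pair, measuring in the other basis returns a random bit, interference is modelled as measuring every qubit in a random basis and passing on the result, and the function names, seed and error threshold are chosen for this example.

```python
import random

def measure(qubit, basis, rng):
    """Measure a (bit, basis) qubit; a mismatched basis yields a random bit."""
    bit, prepared = qubit
    if basis != prepared:
        bit = rng.getrandbits(1)
    return bit, basis                    # state after the measurement

def bb84(n, delta=1.0, eve=False, max_errors=0, seed=0):
    """Run steps 1-8; returns (aborted, number of disagreeing check bits)."""
    rng = random.Random(seed)
    total = int((4 + delta) * n)
    data = [rng.getrandbits(1) for _ in range(total)]          # step 1
    b = [rng.getrandbits(1) for _ in range(total)]             # step 2: control bits
    channel = list(zip(data, b))                               # step 3
    if eve:                                                    # interference in transit
        channel = [measure(q, rng.getrandbits(1), rng) for q in channel]
    bob_bases = [rng.getrandbits(1) for _ in range(total)]     # step 4
    bob = [measure(q, basis, rng)[0] for q, basis in zip(channel, bob_bases)]
    keep = [i for i in range(total) if b[i] == bob_bases[i]]   # steps 5-6
    if len(keep) < 2 * n:
        return True, None                                      # too few bits: abort
    keep = keep[:2 * n]
    check = rng.sample(keep, n)                                # step 7
    errors = sum(data[i] != bob[i] for i in check)             # step 8
    return errors > max_errors, errors

if __name__ == "__main__":
    print(bb84(200, seed=1))             # undisturbed channel: no check bit disagrees
    print(bb84(200, eve=True, seed=1))   # disturbed channel: about a quarter disagree
```
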