
Quantum Knowledge Proofs and Post Quantum Cryptography - A Primer


Lecture presented at the Quantum Computing Workshop organised by the Government of West Bengal Department of Information Technology in October 2018. This presentation explores the differences between Quantum Cryptography and Post Quantum Cryptography, outlines the fundamentals of Zero Knowledge Proof Protocols, and shows how Quantum Information can redefine the landscape of Proof Systems in general and Zero Knowledge Proofs in particular.

Published in: Science

  1. Quantum Knowledge Proofs: a journey through quantum information systems and zero knowledge proofs
  2. Currents of quantum cryptography
     • Classical post quantum cryptography
     • Quantum cryptography
     • Quantum key distribution
     • Quantum random number generators
     • Quantum channels
     • Quantum blind computation
  3. Problem statement: the most popular public key algorithms can be efficiently broken by sufficiently strong hypothetical quantum computers.
  4. Reasons: most of them relied on three hard mathematical problems.
  5. They are:
     • Integer factorisation problem
     • Discrete logarithm problem
     • Elliptic curve discrete logarithm problem
  6. Impact: NIST has recently summarised the impact of quantum computing on common cryptographic algorithms.
  7. Broken and impacted algorithms
     • AES-256 (encryption): large key sizes needed
     • SHA-256, SHA-3: large output needed
     • RSA: no longer secure
     • ECDSA, ECDH: no longer secure
     • DSA: no longer secure
  8. Broken and impacted algorithms: The emergence of quantum computers would break all asymmetric public-key cryptography and signature algorithms used today, the type of cryptography that protects communications over the internet. The size of symmetric keys is also halved, meaning the strength of 256-bit keys would be equivalent to 128-bit keys. This is the type of cryptography used for Full Disk Encryption, when data is encrypted with a passphrase. All current generation symmetric cryptographic authenticated modes such as CBC-MAC, PMAC, GMAC, GCM, and OCB are completely broken.
  9. “There is a 1 in 7 chance that some fundamental public-key crypto will be broken by quantum by 2026, and a 1 in 2 chance of the same by 2031.” – Dr. Michele Mosca, U. of Waterloo
  10. At this juncture, post quantum cryptography becomes a significant security priority!
  11. Defining post quantum cryptography
     • Crypto systems which run on classical computers, and are considered to be resistant to quantum attacks
     • Also known as “quantum-safe” or “quantum-resistant”
     • PQC needs time to be ready
       – Efficiency
       – Confidence (cryptanalysis)
       – Standardisation
       – Usability and interoperability
  12. NIST competition: 82 submissions (23 signature, 59 encryption schemes)
  13. Emerging techniques
     • Lattices with LWE: signature and encryption
     • Error correcting codes: encryption
     • Hash functions: signature
     • Multivariate polynomials: signature
     • Supersingular elliptic curves
  14. Lattice cryptography (NTRU, BLISS): related to the closest vector problem in a lattice.
  15. Lattice cryptography (Ring-LWE signature): the shortest vector problem in a lattice as a lower bound on the security.
  16. Multivariate cryptography (Rainbow): The Rainbow Multivariate Equation Signature Scheme is a member of a class of multivariate quadratic equation crypto systems called “Unbalanced Oil and Vinegar Cryptosystems”.
  17. Hash cryptography (Merkle signature schemes): In 2005, Luis Garcia proved that there was a security reduction of Merkle Hash Tree signatures to the security of the underlying hash function. Garcia showed in his paper that if computationally one-way hash functions exist then the Merkle Hash Tree signature is provably secure.
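As an added illustration of slide 17 (not code from the presentation), a toy Merkle signature scheme: Lamport one-time keys at the leaves, SHA-256 as the one-way hash, and the tree root as the long-term public key. The 8-bit digests, 4-leaf tree and `H`/`mss_*` names are constructed for the example, so that every check visibly reduces to hash evaluations.

```python
# Added example: toy Merkle signature scheme (Lamport OTS + SHA-256 tree); not code from the slides.
import hashlib
import os

H = lambda b: hashlib.sha256(b).digest()   # the one-way hash the scheme reduces to
DIGEST_BITS = 8                            # toy: sign 8-bit digests so keys stay small

def lamport_keygen():
    """One-time key: two secret preimages per digest bit; public key = their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(DIGEST_BITS)]
    return sk, [(H(a), H(b)) for a, b in sk]

def lamport_sign(sk, digest):
    return [sk[i][(digest >> i) & 1] for i in range(DIGEST_BITS)]

def lamport_verify(pk, digest, sig):
    return all(H(sig[i]) == pk[i][(digest >> i) & 1] for i in range(DIGEST_BITS))

def leaf(pk):
    return H(b"".join(a + b for a, b in pk))

def tree_levels(leaves):
    """All levels of the Merkle tree, leaves first, root last (leaf count must be 2^h)."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([H(lvl[i] + lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels

def mss_keygen(n_leaves=4):
    keys = [lamport_keygen() for _ in range(n_leaves)]
    levels = tree_levels([leaf(pk) for _, pk in keys])
    return keys, levels, levels[-1][0]        # root hash is the long-term public key

def mss_sign(keys, levels, idx, msg):
    """Stateful: leaf idx must be used for exactly one message, or the OTS leaks."""
    sk, pk = keys[idx]
    path = [levels[d][(idx >> d) ^ 1] for d in range(len(levels) - 1)]  # siblings, bottom-up
    return idx, lamport_sign(sk, H(msg)[0]), pk, path

def mss_verify(root, msg, signature):
    idx, ots_sig, pk, path = signature
    if not lamport_verify(pk, H(msg)[0], ots_sig):
        return False
    node = leaf(pk)                            # recompute the root from the auth path
    for d, sibling in enumerate(path):
        node = H(node + sibling) if (idx >> d) & 1 == 0 else H(sibling + node)
    return node == root
```

The verifier never sees a secret key; it only checks hash preimages and recomputes the root, which is the reduction the slide refers to.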
  18. Code based cryptography (RLCE): Long-studied crypto systems with moderately high confidence for some code families. Challenges in communication sizes. In 2016, Wang proposed a random linear code encryption scheme, RLCE [32], which is based on McEliece schemes. The RLCE scheme can be constructed using any linear code such as a Reed-Solomon code by inserting random columns in the underlying linear code generator matrix.
  19. Supersingular elliptic curve isogeny cryptography: Security is related to the problem of constructing an isogeny between two supersingular curves with the same number of points. Slower computation. Slower communication.
  20. European Commission recommendations (reference: Whonix)
  21. Symmetric encryption
     • Symmetric systems are usually not affected by Shor’s algorithm, but they are affected by Grover’s algorithm
     • Under Grover’s attack, the best security a key of length n can offer is 2^(n/2)
     • Hence, AES-128 offers only 2^64 post quantum security
     • Recommended
       – AES-256
       – Salsa20
       – Serpent-256
  22. Symmetric authentication: Some message-authentication codes provide “information-theoretic security”, guaranteeing that they are as secure as the underlying cipher (within a negligible mathematically guaranteed forgery probability), even against an adversary with unlimited computing power. These authentication mechanisms are not affected by quantum computing.
     • Poly1305
     • GCM using a 96 bit nonce and a 128 bit authenticator
  23. Public key encryption: For public-key encryption the currently used algorithms based on RSA and ECC are easily broken by quantum computers. Code-based cryptography has been studied since 1978 and has withstood attacks very well, including attacks using quantum computers.
     • McEliece with binary Goppa codes using length n = 6960, dimension k = 5413 and adding t = 119 errors
     • The Stehlé–Steinfeld version of the NTRU lattice-based crypto system
  24. Public key signatures: Similar to encryption, currently used signatures are based on problems that become easy to solve with a quantum computer. Signatures use cryptographic hash functions in order to hash the message and then sign the hash. The following signature schemes can achieve 2^128 post quantum security:
     • XMSS, which is stateful
     • SPHINCS, which is stateless
     • HFEv multivariate quadratic signature
  25. Post quantum cryptography toolkits: free software implementations
  26. Libraries and tools
     • CodeCrypt
     • Cyph
     • OneTime
     • TinySSH
  27. Implementation initiatives: PQCrypto VPN project
  28. Picnic: a signature scheme using symmetric key primitives and non-interactive zero knowledge proofs. Microsoft Research is implementing Picnic in a PKI using hardware security modules.
  29. Open Quantum Safe project: The Open Quantum Safe[53][54] (OQS) project was started in late 2016 and has the goal of developing and prototyping quantum-resistant cryptography. It aims to integrate current post-quantum schemes in one library: liboqs.[55] liboqs is an open source C library for quantum-resistant cryptographic algorithms. liboqs initially focuses on key exchange algorithms. liboqs provides a common API suitable for post-quantum key exchange algorithms, and will collect together various implementations. liboqs will also include a test harness and benchmarking routines to compare performance of post-quantum implementations. Furthermore, OQS also provides integration of liboqs into OpenSSL.
  30. Zero knowledge proofs: an introduction
  31. History
     • Goldwasser, Micali, and Rackoff, 1985. Zero knowledge was first demonstrated in the model of interactive proofs, in which a resource-unbounded prover interacts with a probabilistic polynomial-time verifier to the end of convincing it of the validity of a statement.
     • Interactive proof systems
       – Challenge-response authentication
       – Prover and verifier
       – Verifier accepts or rejects the prover
  32. Rationale: An interactive proof system has the property of being zero-knowledge if arbitrary verifiers that interact with the honest prover of the system learn nothing from the interaction beyond the validity of the statement being proved.
  33. ZKP problems: Several interesting computational problems that are not known to be polynomial-time computable admit zero-knowledge interactive proof systems in the classical setting. Examples include the Graph Isomorphism and Quadratic Residuosity problems, various lattice problems, and the Statistical Difference and Entropy Difference problems, which concern outputs of Boolean circuits with random inputs.
  34. Relevance
     • Zero knowledge transfer between the prover and the verifier
     • The verifier accepts or rejects the proof after multiple challenges and responses
     • Probabilistic proof protocol
     • Overcomes problems with password based authentication
  35. Types
     • ZK proof of a statement – convincing the verifier that a statement is true without yielding any other information; example of a statement: a propositional formula is satisfiable
     • ZK proof of knowledge – convincing the verifier that one knows a secret, e.g., one knows the discrete logarithm log_g(y)
  36. Properties
     • Completeness – given an honest prover and an honest verifier, the protocol succeeds with overwhelming probability
     • Soundness – no one who doesn’t know the secret can convince the verifier with non-negligible probability
     • Zero knowledge – the proof does not leak any additional information
       – Impossibility of transferring proofs
  37. Formalising the property
     • A protocol is ZK if a simulator exists
       – Taking what the verifier knows before the proof, it can generate a communication transcript that is indistinguishable from one generated during a ZK proof
     • Intuition: one observes the communication transcript. If what one sees can be generated oneself, one has not learned any new knowledge in the process.
     • Three kinds of indistinguishability
       – Perfect (information theoretic)
       – Statistical
       – Computational
  38. Next steps: quantum zero knowledge
  39. From classical ZKP to quantum ZKP: In the classical setting, zero knowledge proofs use a rewinding technique to construct an extractor which extracts the witness w from the prover. In the quantum setting, classical rewinding is impossible: measuring a quantum state in superposition fixes the state. In order to overcome this issue, clever quantum rewinding techniques have been introduced.
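As an added example tying together slides 35 to 39 (not code from the presentation): the Schnorr Σ-protocol for proving knowledge of a discrete logarithm w = log_g(y), with an honest-verifier simulator that produces indistinguishable transcripts without w, and the classical rewinding extractor that recovers w from two transcripts sharing a commitment. The prime-order group (p = 2039, q = 1019, g = 4) and all function names are constructed for this example.

```python
# Added example: Schnorr Σ-protocol with HVZK simulator and rewinding extractor; toy group,
# not code from the slides.
import random

P, Q = 2039, 1019   # constructed: 2039 = 2*1019 + 1, both prime (safe prime)
G = 4               # 4 = 2^2 is a quadratic residue, so it generates the order-Q subgroup

def prove_commit(w):
    """Prover round 1: pick random r, send commitment t = g^r. Keeps r secret."""
    r = random.randrange(Q)
    return r, pow(G, r, P)

def prove_respond(w, r, c):
    """Prover round 3: answer challenge c with s = r + c*w mod q."""
    return (r + c * w) % Q

def verify(y, t, c, s):
    """Verifier accepts iff g^s == t * y^c (mod p)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def run_protocol(w, y):
    """Honest prover and honest verifier: completeness, transcript (t, c, s) always accepts."""
    r, t = prove_commit(w)
    c = random.randrange(Q)            # verifier's random challenge
    s = prove_respond(w, r, c)
    return (t, c, s), verify(y, t, c, s)

def simulate(y):
    """Simulator without w: choose c and s first, then solve t = g^s * y^-c. The output
    is distributed exactly like a real transcript, which is what makes the protocol HVZK."""
    c, s = random.randrange(Q), random.randrange(Q)
    t = (pow(G, s, P) * pow(y, Q - c, P)) % P    # y^(Q-c) == y^-c since y has order Q
    return t, c, s

def extract(t, c1, s1, c2, s2):
    """Rewinding extractor: two accepting transcripts sharing t with c1 != c2 give
    w = (s1 - s2) / (c1 - c2) mod q. Rewinding the prover to reuse t is the classical
    step that measurement rules out in the quantum setting (slide 39)."""
    assert c1 != c2
    return ((s1 - s2) * pow((c1 - c2) % Q, -1, Q)) % Q
```

Soundness here is "special soundness": anyone who can answer two different challenges on the same commitment must know w, which is exactly what `extract` computes.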
  40. Honest verifier zero knowledge: A Σ-protocol (P, V) is honest-verifier zero-knowledge if there is a quantum-polynomial-time algorithm S_Σ (the simulator) such that the transcript of the interaction ⟨P(x, w), V(x)⟩ is quantum-computationally indistinguishable from the output of S_Σ(x). Namely, we require that there exists a quantum-polynomial-time S_Σ such that for any quantum-polynomial-time D_Σ and any polynomial l, there is a negligible μ such that for all (x, w) ∈ R with |x|, |w| ≤ l(η), and for all states |Ψ⟩:
  41. Quantum computational zero knowledge: An interactive proof system (P, V) for relation R is quantum computational zero-knowledge iff for every quantum-polynomial-time verifier V* there is a quantum-polynomial-time simulator S such that for any quantum-polynomial-time distinguisher D and polynomial l there is a negligible μ such that for any (x, w) ∈ R with |x|, |w| ≤ l(η),
  42. Quantum zero knowledge so far: Watrous introduced honest-verifier zero knowledge for quantum interactive proofs (interactive proofs in which the prover and verifier are quantum machines), and studied the resulting complexity class QSZK_HV. Kobayashi studied a non-interactive variant of this notion. Damgård, Fehr, and Salvail achieve zero knowledge for NP against malicious quantum verifiers, but only via arguments (i.e., computationally sound proofs) in the common reference string model. Subsequently, Watrous constructed quantum interactive proofs that remain zero knowledge against malicious quantum verifiers.
  43. Research areas: Zero knowledge for quantum interactive proofs has since then remained an active area of research, and several aspects and variants of it were studied in recent works, including
     • the power of public-coin interaction
     • quantum proofs of knowledge
     • zero knowledge in the quantum random oracle model
     • zero knowledge proof systems for QMA
     • oracle separations for quantum statistical zero knowledge
     • multi-prover based interactive proofs
  44. “If Quantum Mechanics hasn’t profoundly shocked you, you haven’t understood it yet” – Niels Bohr