Lecture presented at the Quantum Computing Workshop organised by the Government of West Bengal, Department of Information Technology, in October 2018. This presentation explores the differences between Quantum Cryptography and Post Quantum Cryptography, outlines the fundamentals of Zero Knowledge Proof protocols, and discusses how Quantum Information can redefine the landscape of proof systems in general and Zero Knowledge Proofs in particular.
Quantum Knowledge Proofs and Post Quantum Cryptography - A Primer
1. QUANTUM KNOWLEDGE PROOFS
A JOURNEY THROUGH QUANTUM INFORMATION SYSTEMS AND ZERO KNOWLEDGE PROOFS
2. CURRENTS OF QUANTUM CRYPTOGRAPHY
• Classical Post Quantum Cryptography
• Quantum Cryptography
• Quantum Key Distribution
• Quantum Random Number Generators
• Quantum Channels
• Quantum Blind Computation
3. PROBLEM STATEMENT …
Most popular public key algorithms can be efficiently broken by sufficiently strong hypothetical quantum computers.
4. REASONS …
Most of them rely on three hard mathematical problems:
5. THEY ARE
• Integer Factorisation Problem
• Discrete Logarithm Problem
• Elliptic Curve Discrete Logarithm Problem
6. IMPACT …
NIST has recently summarised the impact of quantum computing on common cryptographic algorithms.
7. BROKEN AND IMPACTED ALGORITHMS
• AES-256 (encryption): larger key sizes needed
• SHA-256, SHA-3: larger output needed
• RSA: no longer secure
• ECDSA, ECDH: no longer secure
• DSA: no longer secure
8. BROKEN AND IMPACTED ALGORITHMS
The emergence of quantum computers would break all asymmetric public-key cryptography and signature algorithms used today, the type of cryptography that protects communications over the internet.
The effective strength of symmetric keys is also halved, meaning that a 256-bit key would be only as strong as a 128-bit key is today. This is the type of cryptography used for full disk encryption, where data is encrypted with a passphrase.
All current-generation symmetric cryptographic authenticated modes such as CBC-MAC, PMAC, GMAC, GCM, and OCB are completely broken.
9. – DR. MICHELE MOSCA, U. OF WATERLOO
“There is a 1 in 7 chance that some fundamental public-key crypto will be broken by quantum by 2026, and a 1 in 2 chance of the same by 2031.”
11. AT THIS JUNCTURE …
Post quantum cryptography becomes a significant security priority!
12. DEFINING POST QUANTUM CRYPTOGRAPHY
• Crypto systems which run on classical computers, and are considered to be resistant to quantum attacks
• Also known as “quantum-safe” or “quantum-resistant”
• PQC needs time to be ready
– Efficiency
– Confidence – cryptanalysis
– Standardisation
– Usability and interoperability
13. NIST COMPETITION
82 submissions: 23 signature and 59 encryption schemes.
14. EMERGING TECHNIQUES
• Lattices with LWE
– Signature and encryption
• Error correcting codes
– Encryption
• Hash functions
– Signature
• Multivariate polynomials
– Signature
• Supersingular elliptic curve isogenies
16. LATTICE CRYPTOGRAPHY - NTRU, BLISS
Related to the closest vector problem in a lattice.
17. LATTICE CRYPTOGRAPHY - RING LWE SIGNATURE
The shortest vector problem in a lattice serves as a lower bound on the security.
18. MULTIVARIATE CRYPTOGRAPHY - RAINBOW
The Rainbow multivariate equation signature scheme is a member of a class of multivariate quadratic equation cryptosystems called “Unbalanced Oil and Vinegar” cryptosystems.
19. HASH CRYPTOGRAPHY - MERKLE SIGNATURE SCHEMES
In 2005, Luis Garcia proved that there is a security reduction from Merkle hash tree signatures to the security of the underlying hash function. Garcia showed in his paper that if computationally one-way hash functions exist, then the Merkle hash tree signature is provably secure.
20. CODE BASED CRYPTOGRAPHY - RLCE
Long-studied cryptosystems with moderately high confidence for some code families; the main challenge is communication size. In 2016, Wang proposed a random linear code encryption scheme, RLCE [32], which is based on McEliece schemes. The RLCE scheme can be constructed from any linear code, such as a Reed-Solomon code, by inserting random columns into the underlying linear code generator matrix.
21. SUPERSINGULAR ELLIPTIC CURVE ISOGENY CRYPTOGRAPHY
Security is related to the problem of constructing an isogeny between two supersingular curves with the same number of points. Slower computation and slower communication.
22. EUROPEAN COMMISSION RECOMMENDATIONS
Reference: Whonix
23. SYMMETRIC ENCRYPTION
• Symmetric systems are usually not affected by Shor’s algorithm, but they are affected by Grover’s algorithm
• Under Grover’s attack, the best security a key of length n can offer is 2^(n/2)
• Hence, AES-128 offers only 2^64 post quantum security
• Recommended
– AES-256
– Salsa20
– Serpent-256
24. SYMMETRIC AUTHENTICATION
Some message-authentication codes provide “information-theoretic security”, guaranteeing that they are as secure as the underlying cipher (within a negligible, mathematically guaranteed forgery probability), even against an adversary with unlimited computing power. These authentication mechanisms are not affected by quantum computing.
• Poly1305
• GCM using a 96-bit nonce and a 128-bit authenticator
25. PUBLIC KEY ENCRYPTION
For public-key encryption, the currently used algorithms based on RSA and ECC are easily broken by quantum computers. Code-based cryptography has been studied since 1978 and has withstood attacks very well, including attacks using quantum computers.
• McEliece with binary Goppa codes using length n = 6960, dimension k = 5413 and adding t = 119 errors
• The Stehlé–Steinfeld version of the NTRU lattice-based cryptosystem
26. PUBLIC KEY SIGNATURES
Similar to encryption, currently used signatures are based on problems that become easy to solve with a quantum computer. Signatures use cryptographic hash functions in order to hash the message and then sign the hash. The following schemes can achieve 2^128 post quantum security:
• XMSS, a hash-based scheme which is stateful
• SPHINCS, a hash-based scheme which is stateless
• HFEv multivariate quadratic signature
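To show what a Merkle hash tree signature (slide 19) looks like and why a scheme such as XMSS has to be stateful (slide 26), here is an added Python example written for this page; it is not code from the original deck or from any XMSS or SPHINCS implementation. It builds a toy Lamport one-time signature scheme under a four-leaf Merkle tree, with SHA-256 standing in for the underlying hash function; all keys are generated fresh at run time, and the leaf counter is the state that must never be reused.

```python
import hashlib
import secrets

N = 256  # SHA-256 digest bits; one Lamport secret pair per bit

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def lamport_keygen():  # one-time key: 256 random pairs; pk = their hashes
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg):  # digest of msg as 256 bits, most significant first
    d = int.from_bytes(H(msg), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]

def pk_leaf(pk):  # hash of one OTS public key is a leaf of the Merkle tree
    return H(*[a + b for a, b in pk])

class MerkleSigner:
    """2**height one-time keys under one root; next_leaf is the state that must
    never repeat (a reused leaf leaks enough of sk to forge; cf. stateful XMSS)."""
    def __init__(self, height):
        self.keys = [lamport_keygen() for _ in range(2 ** height)]
        self.layers = [[pk_leaf(pk) for _, pk in self.keys]]
        while len(self.layers[-1]) > 1:  # build the tree bottom-up
            p = self.layers[-1]
            self.layers.append([H(p[i], p[i + 1]) for i in range(0, len(p), 2)])
        self.root = self.layers[-1][0]  # the long-term public key
        self.next_leaf = 0

    def sign(self, msg):
        idx = self.next_leaf
        if idx >= len(self.keys):
            raise RuntimeError("all one-time keys used")
        self.next_leaf += 1
        sk, pk = self.keys[idx]
        ots = [sk[i][b] for i, b in enumerate(bits(msg))]  # Lamport: reveal one secret per bit
        auth = [lay[(idx >> lvl) ^ 1] for lvl, lay in enumerate(self.layers[:-1])]
        return idx, pk, ots, auth

def merkle_verify(root, msg, signature):
    idx, pk, ots, auth = signature  # 1) check the one-time signature
    if any(H(s) != pk[i][b] for i, (s, b) in enumerate(zip(ots, bits(msg)))):
        return False
    node = pk_leaf(pk)  # 2) recompute the root from the leaf and its auth path
    for lvl, sib in enumerate(auth):
        node = H(sib, node) if (idx >> lvl) & 1 else H(node, sib)
    return node == root
```

The verifier needs only the 32-byte root, while each signature carries the one-time public key and its authentication path; a fifth call to sign() on a height-2 tree raises, which is the exhaustion that a stateful scheme must track across restarts and backups.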
27. FREE SOFTWARE IMPLEMENTATIONS
POST QUANTUM CRYPTOGRAPHY TOOLKITS
28. LIBRARIES AND TOOLS
• CodeCrypt
• Cyph
• OneTime
• TinySSH
29. PQCRYPTO VPN PROJECT
IMPLEMENTATION INITIATIVES
30. PICNIC
A signature scheme using symmetric key primitives and non-interactive zero knowledge proofs. Microsoft Research is implementing Picnic in a PKI using hardware security modules.
31. OPEN QUANTUM SAFE PROJECT
The Open Quantum Safe[53][54] (OQS) project was started in late 2016 and has the goal of developing and prototyping quantum-resistant cryptography. It aims to integrate current post-quantum schemes in one library: liboqs.[55]
liboqs is an open source C library for quantum-resistant cryptographic algorithms. liboqs initially focuses on key exchange algorithms. liboqs provides a common API suitable for post-quantum key exchange algorithms, and will collect together various implementations. liboqs will also include a test harness and benchmarking routines to compare the performance of post-quantum implementations. Furthermore, OQS also provides integration of liboqs into OpenSSL.
33. ZERO KNOWLEDGE PROOFS
AN INTRODUCTION
34. HISTORY
• Goldwasser, Micali, and Rackoff, 1985. Zero knowledge was first demonstrated in the model of interactive proofs, in which a resource-unbounded prover interacts with a probabilistic polynomial-time verifier with the aim of convincing it of the validity of a statement.
• Interactive Proof Systems
– Challenge-Response Authentication
– Prover and Verifier
– Verifier Accepts or Rejects the Prover
36. RATIONALE
An interactive proof system has the property of being zero-knowledge if arbitrary verifiers that interact with the honest prover of the system learn nothing from the interaction beyond the validity of the statement being proved.
37. ZKP PROBLEMS
Several interesting computational problems that are not known to be polynomial-time computable admit zero-knowledge interactive proof systems in the classical setting. Examples include the Graph Isomorphism and Quadratic Residuosity problems, various lattice problems, and the Statistical Difference and Entropy Difference problems, which concern outputs of Boolean circuits with random inputs.
38. RELEVANCE
• Zero knowledge transfer between the Prover and the Verifier
• The verifier accepts or rejects the proof after multiple challenges and responses
• Probabilistic proof protocol
• Overcomes problems with password based authentication
39. TYPES
• ZK proof of a statement
– convincing the verifier that a statement is true without yielding any other information
– example of a statement: a propositional formula is satisfiable
• ZK proof of knowledge
– convincing the verifier that one knows a secret, e.g., one knows the discrete logarithm log_g(y)
40. PROPERTIES
• Completeness
– Given an honest prover and an honest verifier, the protocol succeeds with overwhelming probability
• Soundness
– No one who doesn’t know the secret can convince the verifier with non-negligible probability
• Zero knowledge
– The proof does not leak any additional information
– Impossibility of transferring proofs
41. FORMALISING THE PROPERTY
• A protocol is ZK if a simulator exists
– Taking only what the verifier knows before the proof, it can generate a communication transcript that is indistinguishable from one generated during a ZK proof
• Intuition: one observes the communication transcript. If what one sees could have been generated by oneself, one has not learned anything new in the process.
• Three kinds of indistinguishability
– Perfect (information theoretic)
– Statistical
– Computational
42. QUANTUM ZERO KNOWLEDGE
NEXT STEPS
43. FROM CLASSICAL ZKP TO QUANTUM ZKP
In the classical setting, zero knowledge proofs use the rewinding technique to construct an extractor which extracts the witness w from the prover.
In the quantum setting, classical rewinding is impossible: measuring a quantum state in superposition collapses it, so the prover cannot be reset to its earlier state and run again. In order to overcome this issue, clever quantum rewinding techniques have been introduced.
44. HONEST VERIFIER ZERO KNOWLEDGE
A Σ-protocol (P, V) is honest-verifier zero-knowledge if there is a quantum-polynomial-time algorithm S_Σ (the simulator) such that the transcript of the interaction ⟨P(x, w), V(x)⟩ is quantum-computationally indistinguishable from the output of S_Σ(x).
Namely, we require that there exists a quantum-polynomial-time S_Σ such that for any quantum-polynomial-time D_Σ and any polynomial l, there is a negligible μ such that for all (x, w) ∈ R with |x|, |w| ≤ l(η), and for all states |Ψ⟩:
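To make these definitions concrete, here is an added Python example, not code from the original deck: the discrete-logarithm proof of knowledge named on slide 39 as a Schnorr Σ-protocol, with the honest-verifier simulator of slides 41 and 44 and the classical rewinding extractor of slide 43. The group parameters p = 2039, q = 1019, g = 4 are constructed toy values, far too small for real use, and all function names are the example's own.

```python
import secrets

# Constructed toy group (NOT a secure size): p = 2q + 1 with p, q prime;
# g = 4 generates the subgroup of prime order q in Z_p^*.
P, Q, G = 2039, 1019, 4

def keygen():
    """Prover's secret x (the witness) and public y = g^x mod p (the statement)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def prover_commit():
    """Round 1: prover picks fresh randomness r and sends t = g^r mod p."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)

def prover_respond(x, r, c):
    """Round 3: s = r + c*x mod q; the one-time r masks x, so s alone reveals nothing."""
    return (r + c * x) % Q

def verify(y, t, c, s):
    """Verifier accepts iff g^s == t * y^c mod p (completeness holds by construction)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def run_protocol(x, y):
    """Honest prover <-> honest verifier; returns the transcript (t, c, s)."""
    r, t = prover_commit()
    c = secrets.randbelow(Q)  # round 2: verifier's random challenge
    s = prover_respond(x, r, c)
    return t, c, s

def simulate(y):
    """HVZK simulator: sees only y, yet outputs an accepting transcript whose
    distribution equals a real one (pick c and s first, then solve for t)."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, (-c) % Q, P)) % P  # t = g^s * y^-c
    return t, c, s

def extract(c1, s1, c2, s2):
    """Rewinding extractor (special soundness): two accepting transcripts (t, c1, s1)
    and (t, c2, s2) sharing the same t with c1 != c2 give x = (s1 - s2)/(c1 - c2) mod q."""
    if c1 == c2:
        raise ValueError("challenges must differ")
    return ((s1 - s2) * pow((c1 - c2) % Q, -1, Q)) % Q
```

Run simulate(y) and run_protocol(x, y) side by side: both transcripts verify, and nothing in the simulated one required x, which is exactly what "learning nothing beyond validity" means; extract() is the step that quantum rewinding has to replace, since it relies on re-running the prover from the same commitment t.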
45. QUANTUM COMPUTATIONAL ZERO KNOWLEDGE
An interactive proof system (P, V) for relation R is quantum computational zero-knowledge iff for every quantum-polynomial-time verifier V* there is a quantum-polynomial-time simulator S such that for any quantum-polynomial-time distinguisher D and polynomial l there is a negligible μ such that for any (x, w) ∈ R with |x|, |w| ≤ l(η),
46. QUANTUM ZERO KNOWLEDGE SO FAR
Watrous introduced honest-verifier zero knowledge for quantum interactive proofs (interactive proofs in which the prover and verifier are quantum machines), and studied the resulting complexity class QSZK_HV.
Kobayashi studied a non-interactive variant of this notion. Damgård, Fehr, and Salvail achieve zero knowledge for NP against malicious quantum verifiers, but only via arguments (i.e., computationally sound proofs) in the common reference string model.
Subsequently, Watrous constructed quantum interactive proofs that remain zero knowledge against malicious quantum verifiers.
47. RESEARCH AREAS
Zero knowledge for quantum interactive proofs has since then remained an active area of research, and several aspects and variants of it were studied in recent works, including:
• the power of public-coin interaction
• quantum proofs of knowledge
• zero knowledge in the quantum random oracle model
• zero knowledge proof systems for QMA
• oracle separations for quantum statistical zero knowledge
• multi-prover based interactive proofs
48. – NIELS BOHR
“If Quantum Mechanics hasn’t profoundly shocked you, you haven’t understood it yet.”