Shor’s algorithm and secret sharing
Goals:
1. To explain why factoring is important.
2. To describe the oldest and most successful public key cryptography.
3. To show that knowing the period is equivalent to breaking RSA.
4. To explain how to compute quantum mechanically.
5. To explain Shor's algorithm.
Easy and hard problems
EASY                      HARD
multiply                  factoring (Q)
determinant               permanent
Gauss elimination         knapsack
sorting                   discrete logarithm (Q)
primality testing         traveling salesman problem
LL(1) parsing             belonging to LL
encryption                decryption (Q)
Example — easy
p = 738873402423833494183027176953
q = 3787776806865662882378273
p·q = 2798687536910915970127263606347911460948554197853542169
Example — hard
p·q = 3809798755658743385477098607864681010895851155818383984810724595108122710478296711610558197642043079
p = ?
q = ?
Why does one need hard problems?
- Secure communication over networks, bank transactions
- Distribution of keys:
  - by classical trusted channels
  - by quantum mechanical trusted channels
  - by public key algorithms
Possible solutions (public key)
One needs easily computable but hard-to-invert functions:
1. Modular arithmetic
2. Elliptic curves
3. Knapsack
4. · · ·
RSA — an idea
- Easy to find large primes
- Easy to multiply and to compute powers
- Hard to factorise
- Factoring is the only known door
RSA protocol
1. 1969 - James Ellis at GCHQ had the idea of public key cryptography
2. 1973 - Clifford Cocks at GCHQ discovered RSA
3. 1975 - Whitfield Diffie and Martin Hellman did the same as Ellis
4. 1977 - Ronald Rivest, Adi Shamir and Leonard Adleman
Bibliography (Number theory, RSA, Cryptography)
1. S. Singh, Kniha kódů a šifer, Argo+Dokořán, Praha, 2003
2. W. Stein, Elementary number theory, 2004 (on-line)
3. A. Menezes, P. van Oorschot, S. Vanstone, Handbook of applied cryptography, CRC Press, 1997 (on-line)
Creating the keys
Alice wants to receive secret messages by RSA.
1. She chooses two large primes p, q and computes n = p · q.
2. She computes ϕ(n) = (p − 1) · (q − 1) and chooses a number d that is invertible in Z_{ϕ(n)}. Her secret key will be the pair (n, d).
3. She computes the inverse e = d^{−1} in Z_{ϕ(n)}. The pair (n, e) will be the public key.
Bob sends a message to Alice
1. Bob computes z = w^e in Z_n using Alice's public key (n, e).
2. Bob sends z to Alice over a public channel.
3. Alice receives z and computes w = z^d in Z_n.
Example
1. Bob wants to send the message "PUBLIC KEY CRYPTOGRAPHY" to Alice using her public key (2537, 13).
2. Bob first translates the letters into their numerical equivalents and then groups these numbers into blocks of four digits:
1520 0111 0802 1004 2402 1724 1519 1406 1700 1507 2423
3. Bob encrypts each plaintext block into a ciphertext block using the formula z = w^13 mod 2537. Encrypting all the plaintext blocks, he obtains the ciphertext message
0095 1648 1410 1299 0811 2333 2132 0370 1185 1957 1084
4. To decrypt the message, Alice takes her private key (2537, 937) and proceeds like Bob.
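The key creation and the block encryption above, run end to end on the slide's own values, as an added example that is not part of the slides. It assumes the letter code A = 00, ..., Z = 25 (which the block values show), a trailing pad letter X = 23, and the constructed factorisation 2537 = 43 · 59 so that d = 937 can be derived.

```python
from math import gcd

# Constructed values: 43 * 59 = 2537 is the modulus of the slide's public key (2537, 13).
P, Q, E = 43, 59, 13
PLAINTEXT = "PUBLIC KEY CRYPTOGRAPHY"

def make_keys(p, q, e):
    """Steps 1-3 of 'Creating the keys': n = p*q, phi(n) = (p-1)(q-1), d = e^-1 mod phi(n).
    The slide picks d first and derives e; here e is given and d derived, same key pair."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible in Z_phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)        # public key, private key

def text_to_blocks(text):
    """Letters A..Z -> 00..25, then 4-digit blocks; pad a trailing half block with X = 23."""
    digits = "".join(f"{ord(c) - ord('A'):02d}" for c in text.upper() if c.isalpha())
    if len(digits) % 4:
        digits += "23"
    return [int(digits[i:i + 4]) for i in range(0, len(digits), 4)]

def blocks_to_text(blocks):
    digits = "".join(f"{b:04d}" for b in blocks)
    return "".join(chr(ord('A') + int(digits[i:i + 2])) for i in range(0, len(digits), 2))

def rsa_apply(blocks, key):
    """z = w^e mod n (encrypt with the public key) or w = z^d mod n (decrypt with the
    private key); every block must be smaller than n or decryption is ambiguous."""
    n, exp = key
    if any(b >= n for b in blocks):
        raise ValueError("block value not below n")
    return [pow(b, exp, n) for b in blocks]

def demo():
    public, private = make_keys(P, Q, E)
    blocks = text_to_blocks(PLAINTEXT)
    cipher = rsa_apply(blocks, public)
    recovered = blocks_to_text(rsa_apply(cipher, private))
    return private, blocks, cipher, recovered

if __name__ == "__main__":
    print(demo())
```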
Example
1. Eve receives the following message
1402590192 4491156271 5456170360 6218336917 7495217553 3838307479 8636900168 3433148116 7995123149 9324473812
knowing the public key is
(3809798755 6587433854 7709860786 4681010895 8511558183 8398481072 4595108122 7104782967 1161055819 7642043079, 55589).
2. She also knows that the ASCII code was used.
3. Decrypt the message!
Attacking RSA
1. Brute force attack
2. Factoring n knowing ϕ(n)
3. Factoring n if p and q are close
4. Factoring n knowing d (key ingredient in Shor's algorithm)
5. Other techniques?
Open problem: Is breaking RSA equivalent to factoring n?
Question: Could a proof of the Generalized Riemann Hypothesis threaten the security of RSA?
Algorithm in (4) and example
1. We know that a^{ed} ≡ a mod n for each a. Then m = ed − 1 satisfies a^m ≡ 1 mod n for all a coprime to n.
2. If m is even and a^{m/2} ≡ 1 mod n for several randomly chosen a, set m ← m/2 and go to step 1. Otherwise let a be such that a^{m/2} ≢ 1 mod n.
3. Compute g ← gcd(a^{m/2} − 1, n).
4. If g > 1 we are done; otherwise go to step 2 and choose a different a.
Algorithm in (4) and example
1. Somehow we discover that the RSA cryptosystem with encryption key (32295194023343, 29468811804857) has the decryption key (32295194023343, 11127763319273). We use the previous algorithm to factor 32295194023343. Let m = ed − 1 = 327921963064646896263108960.
2. For each a ≤ 20 we find that a^{m/2} ≡ 1 mod n. So we replace m ← m/2 = 163960981532323448131554480.
Algorithm in (4) and example, continued
1. Again we find that a^{m/2} ≡ 1 mod n, so we replace m by 81980490766161724065777240. Yet again, for each a ≤ 20, a^{m/2} ≡ 1 mod n, so we replace m by 40990245383080862032888620. This is enough, since 2^{m/2} ≡ 4015382800099 mod n.
2. Then g = gcd(2^{m/2} − 1, n) = 737531, and we have found a factor of n.
3. Dividing n by g we find that n = 737531 · 43788253.
How to break RSA?
The crucial point of the previous algorithm was not the knowledge of the decryption key itself, but the fact that we knew a multiple of the period of the function f(x) = a^x mod n.
Breaking RSA — algorithm
1. Choose a at random.
2. Compute the period r of the function f(x) = a^x mod n.
3. If r is even compute t = a^{r/2} mod n, otherwise go to step 1.
4. If t + 1 ≡ a^{r/2} + 1 ≢ 0 mod n, then gcd(t − 1, n) > 1 and gcd(t + 1, n) > 1; otherwise go to step 1.
There is at least a 50% probability that a randomly chosen a satisfies all conditions in the above algorithm.
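Both procedures, the factorisation from a known decryption key (the worked example with n = 32295194023343) and the period-based "Breaking RSA" algorithm, as one added example that is not part of the slides. The period is found here by brute force, which only works for toy n; the seed and the small moduli are constructed for reproducibility.

```python
from math import gcd
import random

def split_with_multiple(n, m, a):
    """'Algorithm in (4)': given a^m == 1 (mod n), halve the exponent while a^(m/2) == 1; the
    first non-trivial square root of 1 splits n via gcd(a^(m/2) - 1, n). None: try another a."""
    if pow(a, m, n) != 1:
        raise ValueError("m is not a multiple of the order of a modulo n")
    while m % 2 == 0:
        x = pow(a, m // 2, n)
        if x != 1:
            g = gcd(x - 1, n)
            return g if 1 < g < n else None   # x == -1 (mod n) gives g == 1
        m //= 2
    return None                               # odd order for this a

def factor_knowing_d(n, e, d, tries=50):
    """m = e*d - 1 is a multiple of the period of a^x mod n for every a coprime to n."""
    m = e * d - 1
    for a in range(2, 2 + tries):
        if gcd(a, n) > 1:
            return gcd(a, n)
        g = split_with_multiple(n, m, a)
        if g:
            return g
    return None

def period(a, n):
    """Brute-force period r of f(x) = a^x mod n; Shor's quantum part replaces this step."""
    x, r = a % n, 1
    while x != 1:
        x, r = (x * a) % n, r + 1
    return r

def factor_knowing_period(n, seed=1):
    """'Breaking RSA -- algorithm': random a, period r, t = a^(r/2); if t != -1 (mod n)
    then gcd(t - 1, n) is a non-trivial factor. Assumes n odd and composite."""
    rng = random.Random(seed)                 # constructed seed
    while True:
        a = rng.randrange(2, n)
        if gcd(a, n) > 1:
            return gcd(a, n)
        r = period(a, n)
        if r % 2:
            continue                          # odd period: choose a again
        t = pow(a, r // 2, n)
        if (t + 1) % n != 0:
            return gcd(t - 1, n)
```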
Models of computation
The following are equivalent:
1. Turing machine
2. Flowcharts
3. Recursive functions
4. Lambda calculus
5. Classical circuit model
6. Quantum circuit model
Turing machine
[Figure: Turing machine tape · · · 0 1 1 0 1 1 1 0 0 0 1 1 0 0 · · ·]
Flowchart
[Figure: flowchart with the assignments x := x − 1, y := 3, x := x^2 and the test x = 0 with YES/NO branches]
Recursive function
f(n) = 0
g(n) = n + 1
h(n, m, p) = n + m · n
f(0) = 8
f(n + 1) = n + 5 · f(n)
Lambda calculus
λx.yx
λx.y(λx.y)
(λxy.yx)y
Classical circuit
[Figure: circuit with inputs x, y; an AND gate with output c and an XOR gate with output x ⊕ y]
Quantum circuit
[Figure: gate symbols: Identity (plain wire), NOT (X), Hadamard (H), Controlled NOT (control • and target ⊕), Toffoli (two controls • • and target ⊕)]
Semantics of quantum circuit
We describe the action of the circuits on the basis vectors and extend the action to all vectors by linearity.
Identity: |0⟩ ↦ |0⟩, |1⟩ ↦ |1⟩
X (NOT): |0⟩ ↦ |1⟩, |1⟩ ↦ |0⟩
H (Hadamard): |0⟩ ↦ (1/√2)(|0⟩ + |1⟩), |1⟩ ↦ (1/√2)(|0⟩ − |1⟩)
Semantics of quantum circuit, continued
cNOT (Controlled NOT): |00⟩ ↦ |00⟩, |01⟩ ↦ |01⟩, |10⟩ ↦ |11⟩, |11⟩ ↦ |10⟩
Toffoli: |000⟩ ↦ |000⟩, |001⟩ ↦ |001⟩, |010⟩ ↦ |010⟩, |011⟩ ↦ |011⟩, |100⟩ ↦ |100⟩, |101⟩ ↦ |101⟩, |110⟩ ↦ |111⟩, |111⟩ ↦ |110⟩
Quantum logical circuit
Quantum NOT: the gate X maps |x⟩ to |NOT x⟩.
Quantum AND: a Toffoli gate with inputs |x⟩, |y⟩, |0⟩ gives outputs |x⟩, |y⟩, |x AND y⟩.
Quantum logical circuit, continued
Quantum XOR: a Toffoli gate with inputs |x⟩, |1⟩, |y⟩ gives outputs |x⟩, |1⟩, |x XOR y⟩.
Quantum COPY: a Toffoli gate with inputs |x⟩, |1⟩, |0⟩ gives outputs |x⟩, |1⟩, |x⟩.
Classical and quantum half adder
[Figure: classical half adder with inputs x, y; an AND gate with output c and an XOR gate with output x ⊕ y]
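A minimal simulator for the semantics above, added here and not part of the slides: each gate is defined only on basis vectors, exactly as in the tables, and extended to arbitrary vectors by linearity; it then checks the Toffoli wirings for AND, XOR and COPY. The quantum half adder wiring (Toffoli then CNOT) is an assumed standard construction, since the slide's drawing did not survive extraction.

```python
from math import sqrt

def basis(bits):
    """The basis vector |bits>, stored as {bitstring: amplitude}."""
    return {bits: 1.0}

def apply(state, gate, wires):
    """Apply a gate defined only on basis vectors (a function bitstring -> {bitstring: amp})
    to the chosen wires of every term of `state`: this is the extension by linearity."""
    out = {}
    for b, amp in state.items():
        sub = "".join(b[w] for w in wires)
        for sub_out, g_amp in gate(sub).items():
            new = list(b)
            for w, c in zip(wires, sub_out):
                new[w] = c
            key = "".join(new)
            out[key] = out.get(key, 0.0) + amp * g_amp
    return {k: v for k, v in out.items() if abs(v) > 1e-12}

# Gate semantics on basis vectors, exactly as in the tables on the slides
def X(b):
    return {"1" if b == "0" else "0": 1.0}
def H(b):
    return {"0": 1 / sqrt(2), "1": (1 if b == "0" else -1) / sqrt(2)}
def CNOT(b):                       # wires: control, target
    return {b[0] + str(int(b[1]) ^ int(b[0])): 1.0}
def TOFFOLI(b):                    # wires: control, control, target
    return {b[:2] + str(int(b[2]) ^ (int(b[0]) & int(b[1]))): 1.0}

# The Toffoli wirings from the slides: the third wire receives the logical result
def quantum_and(x, y):     # |x>|y>|0> -> |x>|y>|x AND y>
    return apply(basis(f"{x}{y}0"), TOFFOLI, (0, 1, 2))

def quantum_xor(x, y):     # |x>|1>|y> -> |x>|1>|x XOR y>
    return apply(basis(f"{x}1{y}"), TOFFOLI, (0, 1, 2))

def quantum_copy(x):       # |x>|1>|0> -> |x>|1>|x>
    return apply(basis(f"{x}10"), TOFFOLI, (0, 1, 2))

def half_adder(x, y):
    """Assumed quantum half adder: Toffoli writes the carry x AND y on wire 2, then CNOT
    writes the sum x XOR y on wire 1, so |x>|y>|0> -> |x>|x XOR y>|x AND y>."""
    return apply(apply(basis(f"{x}{y}0"), TOFFOLI, (0, 1, 2)), CNOT, (0, 1))

def bell_pair():           # linearity at work: H on |0>, then CNOT, gives (|00> + |11>)/sqrt(2)
    return apply(apply(basis("00"), H, (0,)), CNOT, (0, 1))
```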
Shor's Algorithm
In the previous section we showed that knowledge of the period of the function f(x) = a^x mod n is sufficient to factor n with high probability. The main task of Shor's algorithm is to find such a period.
Shor's Algorithm — false approach
We begin by using our quantum computer to construct the state
Σ_{x=0}^{2^t − 1} |x⟩|f(x)⟩.
Then we measure the output register. If the measurement yields the value f_0, then the rule of measurement tells us that the state of the input register will be
|ψ⟩ = Σ_{j=0}^{m−1} |k + jr⟩.
Here k is the smallest value of x at which f(x) = f_0, and m is the smallest integer for which mr + k ≥ 2^t.
Shor's Algorithm — false approach, continued
If we could produce a small number of identical copies of the state |ψ⟩ we would be done. But this is impossible by the no-cloning theorem. And if we ran the whole algorithm again, we would end up with a state |ψ⟩ for another random value k.
[Figure: circuit with t input qubits |0⟩, each followed by a Hadamard gate H, a second register |0⟩^{⊗s}, and the oracle U_f acting on both registers]
Quantum Fourier transformation
The heart of Shor's algorithm is the superfast quantum Fourier transform procedure. The quantum Fourier transform on the basis is given by
U_FT |x⟩ = Σ_{y=0}^{2^n − 1} e^{2πixy/2^n} |y⟩
(normalisation constants are omitted here and below). Applying this transform to the state |ψ⟩ above yields
U_FT Σ_{j=0}^{m−1} |k + jr⟩ = Σ_{y=0}^{2^n − 1} e^{2πiky/2^n} ( Σ_{j=0}^{m−1} e^{2πijry/2^n} ) |y⟩.
If we now make a measurement, the probability that we obtain valuable information about r is at least 40%.
Shor's Algorithm
1. Classical part.
2. Quantum mechanical part.
Classical part
1. If N is divisible by 2 then return 2.
2. For a ≥ 1 and b ≥ 2, if N = a^b then return a. This can be done classically.
Quantum mechanical part
1. Choose 1 < x < N. If gcd(N, x) > 1 then return f = gcd(N, x).
2. Select t resp. s such that N^2 < 2^t resp. N ≤ 2^s.
   |ψ_1⟩ Initialize register 1, which is t qubits in size, to |0⟩^{⊗t} and register 2, which is s qubits in size, to |0⟩^{⊗s}.
   |ψ_2⟩ Create a superposition on register 1: Σ_{a=0}^{2^t − 1} |a⟩|0⟩^{⊗s}.
   |ψ_3⟩ Compute f(a) = x^a mod N using a quantum circuit, to get the superposition Σ_{a=0}^{2^t − 1} |a⟩|x^a mod N⟩.
   |ψ_4⟩ Measure the second register. Now the first register contains the periodic superposition Σ_{j=0}^{2^t/r − 1} |jr + k⟩ for some k.
   |ψ_5⟩ Apply the QFT to the first register and measure it.
3. Find the period r of f(a) = x^a mod N. If r is even, compute a = gcd(x^{r/2} + 1, N). If a > 1 then return a. Otherwise go to step 1.
[Figure: the Shor circuit: register 1 of t qubits |0⟩, each with a Hadamard gate H, register 2 |0⟩^{⊗s}, the oracle U_f, then the QFT on register 1 followed by measurement; the marks ↑ |ψ_1⟩, ↑ |ψ_2⟩, ↑ |ψ_3⟩, ↑ |ψ_4⟩, ↑ |ψ_5⟩ indicate the state after each stage]
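A classical simulation of the quantum part, stages |ψ_4⟩ and |ψ_5⟩, as an added example that is not part of the slides: for the constructed instance N = 15, x = 7 (period r = 4) and t = 8 it builds the periodic superposition left in register 1 after measuring register 2, applies the QFT by linearity, and shows that the measurement probability is concentrated on multiples of 2^t / r. The continued-fraction step that reads r off a sample is the standard classical post-processing, assumed here since the slides only say "find the period r".

```python
import cmath
from fractions import Fraction

def register1_after_measurement(N, x, t, k=0):
    """|psi_4>: after register 2 is measured as x^k mod N, register 1 is the uniform
    superposition of all a < 2^t with x^a == x^k (mod N), i.e. the a = k + j*r."""
    T = 1 << t
    target = pow(x, k, N)
    support = [a for a in range(T) if pow(x, a, N) == target]
    amp = 1 / len(support) ** 0.5
    state = [0j] * T
    for a in support:
        state[a] = amp
    return state

def qft(state):
    """U_FT |a> = 2^(-t/2) sum_y exp(2 pi i a y / 2^t) |y>, extended by linearity
    (normalisation included so the result is again a unit vector)."""
    T = len(state)
    nonzero = [(a, amp) for a, amp in enumerate(state) if amp]
    return [sum(amp * cmath.exp(2j * cmath.pi * a * y / T) for a, amp in nonzero) / T ** 0.5
            for y in range(T)]

def probabilities(state):
    return [abs(amp) ** 2 for amp in state]

def period_from_sample(y, t, N):
    """Assumed classical post-processing: y/2^t is close to j/r, so the continued fraction
    with denominator below N recovers r (or a divisor of r, e.g. when j = r/2)."""
    return Fraction(y, 1 << t).limit_denominator(N - 1).denominator

def shor_quantum_part(N, x, t):
    """Measurement distribution on register 1 after the QFT, and its peaks (probability
    above 1%), which sit at multiples of 2^t / r."""
    probs = probabilities(qft(register1_after_measurement(N, x, t)))
    peaks = [y for y, p in enumerate(probs) if p > 0.01]
    return probs, peaks

if __name__ == "__main__":
    # constructed instance: N = 15, x = 7 has period 4; t = 8 satisfies N^2 = 225 < 256
    probs, peaks = shor_quantum_part(15, 7, 8)
    print(peaks, [period_from_sample(y, 8, 15) for y in peaks])
```

With r dividing 2^t the peaks are exact; for a period that does not divide 2^t the weight spreads over neighbouring y, which is why the slides only promise at least a 40% chance of a useful sample.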
Protocol BB84
1. Alice chooses (4 + δ)n random data bits.
2. Alice chooses a random (4 + δ)n-bit string ⟨b⟩ (control bits). She encodes each data bit as {|0⟩, |1⟩} if the corresponding control bit of ⟨b⟩ is 0, otherwise she encodes it as {|+⟩, |−⟩}.
3. Alice sends the resulting state to Bob.
4. Bob receives the (4 + δ)n qubits, announces this fact, and measures each qubit in the {|0⟩, |1⟩} or {|+⟩, |−⟩} basis at random.
5. Alice announces ⟨b⟩.
Protocol BB84 — continued
6. Alice and Bob discard any bits where Bob measured in a different basis than Alice had prepared. There are at least 2n bits left (if not, abort the protocol). They keep 2n bits.
7. Alice selects a subset of n bits that will serve as a check on Eve's interference, and tells Bob which bits she selected.
8
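Steps 1 to 7 of the protocol as a classical simulation, an added example that is not part of the slides. A qubit is modelled as a (bit, basis) pair and the only quantum fact used is that measuring in the wrong basis yields a uniformly random bit; an optional intercept-resend eavesdropper (an assumed attacker model) shows why the n check bits of step 7 reveal interference. The random seed is constructed for reproducibility.

```python
import random

def measure(qubit, basis, rng):
    """Measuring (bit, prep_basis) in the same basis returns the bit, otherwise a random bit."""
    bit, prep_basis = qubit
    return bit if basis == prep_basis else rng.randrange(2)

def bb84(n, delta=1, eve=False, seed=0):
    rng = random.Random(seed)
    total = (4 + delta) * n
    data = [rng.randrange(2) for _ in range(total)]           # step 1: data bits
    b = [rng.randrange(2) for _ in range(total)]              # step 2: 0 -> {|0>,|1>}, 1 -> {|+>,|->}
    qubits = list(zip(data, b))                               # step 3: the state sent to Bob
    if eve:                                                   # assumed intercept-resend eavesdropper
        eve_bases = [rng.randrange(2) for _ in range(total)]
        qubits = [(measure(q, eb, rng), eb) for q, eb in zip(qubits, eve_bases)]
    bob_bases = [rng.randrange(2) for _ in range(total)]      # step 4: random basis per qubit
    bob_bits = [measure(q, bb, rng) for q, bb in zip(qubits, bob_bases)]
    keep = [i for i in range(total) if bob_bases[i] == b[i]]  # steps 5-6: b announced, sift
    if len(keep) < 2 * n:
        return None                                           # abort: fewer than 2n bits left
    keep = keep[:2 * n]
    check = set(rng.sample(keep, n))                          # step 7: Alice's n check bits
    mismatches = sum(data[i] != bob_bits[i] for i in check)  # Eve causes ~25% errors here
    key_alice = [data[i] for i in keep if i not in check]
    key_bob = [bob_bits[i] for i in keep if i not in check]
    return {"mismatches": mismatches, "key_alice": key_alice, "key_bob": key_bob}

if __name__ == "__main__":
    print(bb84(64)["mismatches"], bb84(64, eve=True)["mismatches"])
```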