A brief presentation on Position-Based, Device-Independent and Post-Quantum Cryptography: detailing Position-Based QC, defining Device-Independent QC and discussing Post-Quantum Cryptography.
2. Content
• Background
• Position-Based Quantum Cryptography
• Device-Independent Quantum Cryptography
• Post-Quantum Cryptography
• Sources
3. Background
Quantum cryptography is the science of exploiting quantum-mechanical properties to perform
cryptographic tasks. The best known example is quantum key distribution (QKD), which offers an
information-theoretically secure solution to the key exchange problem.
Quantum cryptography makes use of the quantum-mechanical behaviour of nature for the design and
analysis of cryptographic schemes. Its aim is to design schemes whose security is guaranteed solely
by the laws of nature. This is in sharp contrast to most standard cryptographic schemes, which can
in principle be broken given sufficient computing power. From a theoretical point of view, quantum
cryptography offers a beautiful interplay between the mathematics of adversarial behaviour and
quantum information theory.
4. Position - Based Quantum Cryptography
(What is it?)
The goal of position-based cryptography is to use the geographical location of a player as its (only)
credential. For example, one wants to send a message to a player at a specified position with the
guarantee that it can only be read if the receiving party is located at that particular position. In the
basic task of position-verification, a player Alice wants to convince the (honest) verifiers that she is
located at a particular point. A more advanced task is secure position-based authentication where it is
guaranteed that a received message originated from a particular position and was not modified.
6. Position - Based Quantum Cryptography
Position-based cryptography has a number of interesting
applications. For example, it enables secure communication
over an insecure channel without having any pre-shared
key, with the guarantee that only a party at a specific
location can learn the content of the conversation; think of
a military commander who wants to communicate with a
base which is surrounded by enemy territory, or a country
that wants to send instructions to an embassy in a foreign
country. Another application is authenticity verification,
where position-based cryptography enables users to verify
that a received message originates from a particular
geographical position and was not modified during the
transmission. Another is access control to resources, granted only to a party at an approved
location.
7. Position - Based Quantum Cryptography
In 2009, researchers at the University of California, Los Angeles (UCLA) proved that position-based
cryptography is impossible in the classical (non-quantum) world in the setting where colluding
adversaries control all of the space not occupied by honest players. In their latest research article,
they investigated whether this impossibility can be overcome by allowing the players to use quantum
communication.
The outcome of their theoretical investigation is that the possibility of secure position-based
cryptography depends on the adversaries' ability to share entangled quantum states. On the one hand,
they showed that if the adversaries cannot share any entangled quantum state, then secure position-
based cryptography is possible. They presented a scheme which allows a player, Alice, to convince the
other participants in the protocol that she is at a particular geographical position, whereas colluding
adversaries who are not at this position and share no entangled quantum state will be caught lying if
they claim to be there. They claim their scheme is very simple and can be implemented with today's
QKD hardware.
8. Position - Based Quantum Cryptography
On the other hand, they also showed that if the opponents are able to share a huge entangled
quantum state, then any positioning scheme can be broken and no position-based cryptography is
possible at all. In fact, their result shows how colluding opponents can use their entangled state to
instantaneously and non-locally perform the honest player's operations and are therefore able to make
it appear as if they were at the claimed position.
Their results raise various interesting research questions. For example, it is a formidable technical
challenge to store and handle large quantum states. Hence, is secure position-based cryptography
possible in the realistic setting where opponents can only handle a limited amount of entangled
quantum states? Their investigation has already sparked several follow-up works and first results
indicate that there are schemes which remain secure in this bounded-entanglement setting.
9. Position - Based Quantum Cryptography
• Basic Task
• One Dimension
10. Position - Based Quantum Cryptography
Classical Scheme:
Impossible
11. Position - Based Quantum Cryptography
Quantum Based
Position Verification
12. Position - Based Quantum Cryptography
(History)
• 2003/2006 [Kent, Munro, Spiller, HP Labs]: Quantum Tagging
• March 2010 [Malaney, arXiv, Australian physicist]: quantum scheme for position verification,
rigorous proof, but implicitly assuming no pre-shared entanglement
• 2010 [Kent, Munro, Spiller, arXiv]: insecurity of the proposed scheme, new (secure?) schemes
• Sep. 2010 [Lau, Lo, arXiv]: extension of Kent et al.'s attack, proposal of a new (secure?) scheme
• Sep. 2010 [Buhrman, Chandran, Fehr, Gehring, Goyal, Ostrovsky, Schaffner, arXiv]: impossibility of
position-based quantum cryptography
13. Position - Based Quantum Cryptography
(Summary)
• Plain model: classically and quantum-mechanically impossible to use the prover's location as the
only credential
• Basic scheme for secure positioning if adversaries have no pre-shared entanglement
• Can be generalized to more dimensions
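A classical simulation of the basic one-dimensional scheme of Buhrman et al. that the slides summarize, added here as an example; it is not code from the original presentation. Assumptions: V0 sits at position 0 and V1 at position 1 with unit signal speed; V0 sends a BB84-style qubit |x> in a random basis θ and V1 sends θ in the clear, both timed to reach the claimed position p simultaneously; the honest prover measures and broadcasts x; colluders A and B sit on either side of p and share no entanglement. The "qubit" is a classical stand-in (a bit plus its preparation basis, with a wrong-basis measurement yielding a random bit), so the code models the no-cloning restriction and the timing argument, not the entanglement-based teleportation attack.

```python
import secrets


def measure(qubit, basis):
    """Toy BB84 qubit: (bit, preparation basis). Measuring in the preparation basis returns
    the bit; measuring in the other basis returns a uniformly random bit (the bit is lost)."""
    bit, prep_basis = qubit
    return bit if basis == prep_basis else secrets.randbelow(2)


def honest_prover(qubit, basis):
    """Prover at the claimed position: the qubit from V0 and the basis from V1 arrive together,
    so it measures in the right basis and broadcasts the same answer to V0 and V1."""
    x = measure(qubit, basis)
    return x, x


def colluders_without_entanglement(qubit, basis):
    """Attacker A holds the qubit but not the basis, and cannot wait for B to relay the basis
    without V1 missing its deadline (see relay_timing). Without entanglement the best A can do
    is guess a basis, measure, and forward the outcome to B, who answers V1 with it."""
    guess = secrets.randbelow(2)
    x = measure(qubit, guess)
    return x, x


def run_rounds(prover, rounds):
    """V0 prepares |x>_theta and V1 announces theta, `rounds` times. Returns how many rounds
    had a wrong answer at either verifier (the honest prover never fails; the colluders fail
    with probability 1/4 per round, so they are caught with probability 1 - (3/4)^rounds)."""
    failures = 0
    for _ in range(rounds):
        x, theta = secrets.randbelow(2), secrets.randbelow(2)
        a0, a1 = prover((x, theta), theta)
        if a0 != x or a1 != x:
            failures += 1
    return failures


def relay_timing(p, a, b):
    """Timing argument with unit signal speed: V0 at 0, V1 at 1, claimed position 0 < p < 1,
    colluders at a <= p <= b. Both messages are sent so they would reach p at time 0, so V0
    expects its answer at time p and V1 at time 1 - p. Returns (V0 deadline met, V1 deadline
    met) for the strategy 'A waits for B to relay theta, measures, answers V0, and sends the
    outcome to B for V1'. It meets V0's deadline exactly but V1's only when a == p, i.e. when
    A actually stands at the claimed position."""
    theta_at_b = -(1 - p) + (1 - b)   # V1 sends at time -(1-p); theta travels 1-b to B
    theta_at_a = theta_at_b + (b - a)  # B relays theta to A
    v0_answer = theta_at_a + a         # A measures and answers V0
    x_at_b = theta_at_a + (b - a)      # A sends the outcome to B
    v1_answer = x_at_b + (1 - b)       # B answers V1
    eps = 1e-12
    return v0_answer <= p + eps, v1_answer <= (1 - p) + eps


if __name__ == "__main__":
    print("honest failures / 256:", run_rounds(honest_prover, 256))
    print("colluder failures / 4000:", run_rounds(colluders_without_entanglement, 4000))
    print("relay strategy, p=0.5 a=0.25 b=0.75:", relay_timing(0.5, 0.25, 0.75))
```

The verifiers only need the classical answers and the arrival times; the simulation shows why a multi-round run with a few dozen rounds exposes colluders who lack entanglement, which is the regime in which the slides' basic scheme is secure.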
14. Position - Based Quantum Cryptography
(Further Study)
• Quantum teleportation
• Instantaneous non-local quantum computation
• Impossibility of any position-based quantum cryptography
• Quantum teleportation attack
• Works against any multi-round scheme
• Requires the adversaries to share entanglement (fails if they share none)
15. Device - Independent Quantum Cryptography
A quantum cryptographic protocol is device-independent if its security does not rely on trusting that
the quantum devices used are truthful. Thus the security analysis of such a protocol needs to consider
scenarios of imperfect or even malicious devices. Several important problems have been shown to
admit unconditionally secure, device-independent protocols.
16. Device - Independent Quantum Cryptography
Quantum key distribution (QKD) is a provably secure way for two distant parties to establish a common
secret key, which can then be used in a classical cryptographic scheme. Using quantum entanglement,
one can reduce the assumptions that the parties have to make about their devices, giving rise to
device-independent QKD (DIQKD). However, in all existing protocols to date the parties need an
initial (at least partially) random seed as a resource.
Using recent advances in the fields of randomness amplification and randomness expansion, it was
demonstrated that it is sufficient for the message the parties want to communicate to be (partially)
unknown to the adversaries, an assumption without which any type of cryptography would be
pointless to begin with. One party can use her secret message to locally generate a secret sequence of
bits, which can then be openly used by herself and the other party in a DIQKD protocol. Hence, this
work reduces the requirements needed to perform secure DIQKD and establish secure communication.
17. Post - Quantum Cryptography
Post-quantum cryptography refers to cryptographic algorithms (usually public-key algorithms) that are
thought to be secure against an attack by a quantum computer.
This is not true of the most popular public-key algorithms which can be efficiently broken by a sufficiently
large quantum computer. The problem with the currently popular algorithms is that their security relies
on one of three hard mathematical problems: the integer factorization problem, the discrete logarithm
problem or the elliptic curve discrete logarithm problem.
All of these problems can be easily solved on a sufficiently large quantum computer running Shor's
algorithm. Even though current, publicly known, experimental quantum computers are too small to
attack any real cryptographic algorithm, many cryptographers are designing new algorithms to prepare
for a time when quantum computing becomes a threat. This work has gained greater attention from
academics and industry through the PQCrypto conference series since 2006 and more recently by several
European Telecommunications Standards Institute (ETSI) Workshops on Quantum Safe Cryptography.
18. Post - Quantum Cryptography
In contrast to the threat quantum computing poses to current public-key algorithms, most current
symmetric cryptographic algorithms and hash functions are considered relatively secure against
attacks by quantum computers. (Symmetric ciphers are algorithms that use the same cryptographic
key for both encryption of plaintext and decryption of ciphertext; the two keys may be identical or
related by a simple transformation. In practice the key is a shared secret between two or more
parties that is used to maintain a private information link. A hash function is any function that
maps data of arbitrary size to data of fixed size; the values it returns are called hash values, hash
codes, hash sums, or simply hashes, and one use is the hash table, a data structure widely used in
software for rapid data lookup.)
19. Post - Quantum Cryptography
While Grover's algorithm (a quantum algorithm that finds, with high probability, the unique input to
a black-box function that produces a particular output value, using only O(√N) evaluations of the
function, where N is the size of the function's domain) does speed up attacks against symmetric
ciphers, doubling the key size effectively blocks these attacks: Grover reduces exhaustive search
over a k-bit key from about 2^k to about 2^(k/2) evaluations, so AES-128 offers roughly 64 bits and
AES-256 roughly 128 bits of security against a quantum adversary.
20. Post - Quantum Cryptography
Imagine that it's fifteen years from now and someone announces the successful construction of a large
quantum computer. The New York Times runs a front-page article reporting that all of the public-key
algorithms used to protect the Internet have been broken. Users panic. What exactly will happen to
cryptography? Perhaps, after seeing quantum computers destroy RSA and DSA and ECDSA, Internet
users will leap to the conclusion that cryptography is dead; that there is no hope of scrambling
information to make it incomprehensible to, and unforgeable by, attackers; that securely storing and
communicating information means using expensive physical shields to prevent attackers from seeing
the information, for example hiding USB sticks inside a locked briefcase chained to a trusted courier's
wrist. A closer look reveals, however, that there is no justification for the leap from "quantum
computers destroy RSA and DSA and ECDSA" to "quantum computers destroy cryptography." There
are many important classes of cryptographic systems beyond RSA and DSA and ECDSA:
21. Post - Quantum Cryptography
(Algorithms Used and Their Security Downsides)
Algorithms Used
• Hash-Based
• Code-Based
• Multivariate
• Lattice-Based
• Supersingular Elliptic Curve Isogeny
• Symmetric-Key Quantum Resistance
22. Post - Quantum Cryptography
(A hash-based public-key signature system)
This signature system requires a standard cryptographic hash function H that produces 2b bits of output.
For b = 128 one could choose H as the SHA-256 hash function. Over the last few years many concerns
have been raised regarding the security of popular hash functions, and NIST has since run a competition
for a SHA-256 replacement (concluded in 2012 with the selection of Keccak as SHA-3), but all known
attacks against SHA-256 are extremely expensive. The signer's public key in this system has 8b² bits:
e.g., 16 kilobytes for b = 128. The key consists of 4b strings y1[0], y1[1], y2[0], y2[1], ..., y2b[0], y2b[1],
each string having 2b bits. A signature of a message m has 2b(2b + 1) bits: e.g., 8 kilobytes for b = 128.
The signature consists of 2b-bit strings r, x1, ..., x2b such that the bits (h1, ..., h2b) of H(r, m) satisfy
y1[h1] = H(x1), y2[h2] = H(x2), and so on through y2b[h2b] = H(x2b).
How does the signer find x with H(x) = y? By generating a secret x first and then computing y = H(x).
Specifically, the signer's secret key has 8b² bits, namely 4b independent uniform random strings
x1[0], x1[1], x2[0], x2[1], ..., x2b[0], x2b[1], each string having 2b bits. The signer computes the public key
y1[0], y1[1], y2[0], y2[1], ..., y2b[0], y2b[1] as H(x1[0]), H(x1[1]), H(x2[0]), H(x2[1]), ..., H(x2b[0]), H(x2b[1]).
23. Post - Quantum Cryptography
(A hash-based public-key signature system)
To sign a message m, the signer generates a uniform random string r, computes the bits (h1, ..., h2b) of
H(r, m), and reveals (r, x1[h1], ..., x2b[h2b]) as a signature of m. The signer then discards the remaining x
values and refuses to sign any more messages. What I've described so far is the "Lamport–Diffie one-time
signature system." What do we do if the signer wants to sign more than one message? An easy answer is
"chaining." The signer includes, in the signed message, a newly generated public key that will be used to
sign the next message. The verifier checks the first signed message, including the new public key, and can
then check the signature of the next message; the signature of the nth message includes all n−1 previous
signed messages. More advanced systems, such as Merkle's hash-tree signature system, scale
logarithmically with the number of messages signed. To me hash-based cryptography is a convincing
argument for the existence of secure post-quantum public-key signature systems. Grover's algorithm is the
fastest quantum algorithm to invert generic functions, and is widely believed to be the fastest quantum
algorithm to invert the vast majority of specific efficiently computable functions (although obviously there
are also many exceptions, i.e., functions that are easier to invert).
24. Post - Quantum Cryptography
(A hash-based public-key signature system)
Hash-based cryptography can convert any hard-to-invert function into a secure public-key signature
system. See the "Hash-based digital signature schemes" chapter of Post-Quantum Cryptography
(Bernstein, Buchmann and Dahmen, eds., Springer, 2009), from which this material is quoted, for a
much more detailed discussion of hash-based cryptography. Note that most hash-based systems impose
an extra requirement of collision resistance upon the hash function, allowing simpler signatures without
randomization.
25. Post - Quantum Cryptography
(A code-based public-key encryption system)
Assume that b is a power of 2. Write n = 4b lg b; d = ⌈lg n⌉; and t = ⌊0.5n/d⌋. For example, if b = 128,
then n = 3584; d = 12; and t = 149. The receiver's public key in this system is a dt × n matrix K with
coefficients in F2. Messages suitable for encryption are n-bit strings of "weight t," i.e., n-bit strings
having exactly t bits set to 1. To encrypt a message m, the sender simply multiplies K by m, producing
a dt-bit ciphertext Km. The basic problem for the attacker is to "syndrome-decode K," i.e., to undo the
multiplication by K, knowing that the input had weight t. It is easy, by linear algebra, to work
backwards from Km to some n-bit vector v such that Kv = Km; however, there are a huge number of
choices for v, and finding a weight-t choice seems to be extremely difficult. The best known attacks on
this problem take time exponential in b for most matrices K. How, then, can the receiver solve the same
problem? The answer is that the receiver generates the public key K with a secret structure, specifically
a "hidden Goppa code" structure, that allows the receiver to decode in a reasonable amount of time. It
is conceivable that the attacker can detect the "hidden Goppa code" structure in the public key, but no
such attack is known.
26. Post - Quantum Cryptography
(A code-based public-key encryption system)
Specifically, the receiver starts with distinct elements α1, α2, ..., αn of the field F_(2^d) and a secret monic
degree-t irreducible polynomial g ∈ F_(2^d)[x]. The main work for the receiver is to syndrome-decode the
dt × n matrix H determined by these αj and g, where each element of F_(2^d) is viewed as a column of d
elements of F2 in a standard basis of F_(2^d). This matrix H is a "parity-check matrix for an irreducible
binary Goppa code," and can be syndrome-decoded by "Patterson's algorithm" or by faster algorithms.
The receiver's public key K is a scrambled version of H. Specifically, the receiver's secret key also includes
an invertible dt × dt matrix S and an n × n permutation matrix P. The public key K is the product SHP.
Given a ciphertext Km = SHPm, the receiver multiplies by S^(−1) to obtain HPm, decodes H to obtain Pm,
and multiplies by P^(−1) to obtain m. What I've described here is a variant, due to Niederreiter (1986), of
McEliece's original code-based public-key encryption system. Both systems are extremely efficient at key
generation, encryption, and decryption, but, as I mentioned earlier, have been held back by their long
public keys. See the "Code-based cryptography" and "Lattice-based cryptography" chapters of Post-
Quantum Cryptography (Bernstein, Buchmann and Dahmen, eds., Springer, 2009) for much more
information about code-based cryptography and (similar but more complicated) lattice-based
cryptography, including several systems that use shorter public keys.
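A toy instance of the Niederreiter scheme described on the last two slides, added here as an example; it is not code from the original presentation or from the book it quotes. The hidden Goppa code and Patterson's algorithm are swapped for a binary Hamming code with parity-check matrix H (t = 1, n = 2^r − 1), whose syndrome decoding is a column lookup, so the instance is cryptographically worthless but shows exactly the S·H·P scrambling of the public key, encryption of a weight-t message as the syndrome Km, and the S^(−1), decode, P^(−1) sequence on decryption. Everything is pure-Python linear algebra over F2 with no dependencies.

```python
import secrets


def matmul(A, B):
    """Product of 0/1 matrices (lists of rows) over F2."""
    Bt = list(zip(*B))
    return [[sum(x & y for x, y in zip(row, col)) & 1 for col in Bt] for row in A]


def matvec(A, v):
    """Matrix-vector product over F2."""
    return [sum(x & y for x, y in zip(row, v)) & 1 for row in A]


def inverse_gf2(M):
    """Gauss-Jordan elimination over F2; returns M^-1, or None if M is singular."""
    n = len(M)
    A = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        pivot = next((r for r in range(c, n) if A[r][c]), None)
        if pivot is None:
            return None
        A[c], A[pivot] = A[pivot], A[c]
        for r in range(n):
            if r != c and A[r][c]:
                A[r] = [x ^ y for x, y in zip(A[r], A[c])]
    return [row[n:] for row in A]


def random_invertible(n):
    """Secret scrambler S: a uniformly random invertible n x n matrix over F2, with inverse."""
    while True:
        S = [[secrets.randbelow(2) for _ in range(n)] for _ in range(n)]
        Sinv = inverse_gf2(S)
        if Sinv is not None:
            return S, Sinv


def random_permutation_matrix(n):
    """Secret permutation matrix P and its inverse (the transpose)."""
    perm = list(range(n))
    for i in range(n - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    P = [[int(perm[i] == j) for j in range(n)] for i in range(n)]
    return P, [list(col) for col in zip(*P)]


def hamming_parity_check(r):
    """Stand-in for the hidden Goppa code: the r x n parity-check matrix of the binary Hamming
    code, n = 2^r - 1. Column j is the binary expansion of j + 1, so the syndrome of the
    weight-1 vector e_j is column j itself and decoding (t = 1) is a lookup."""
    n = 2 ** r - 1
    return [[((j + 1) >> (r - 1 - i)) & 1 for j in range(n)] for i in range(r)]


def hamming_syndrome_decode(H, syndrome):
    """Recover the weight-1 vector v with H v = syndrome (raises ValueError if none exists)."""
    cols = [list(col) for col in zip(*H)]
    v = [0] * len(cols)
    v[cols.index(syndrome)] = 1
    return v


def keygen(r):
    """Public key K = S H P (dt x n in the text; r x n here); secret key (S^-1, H, P^-1)."""
    H = hamming_parity_check(r)
    S, Sinv = random_invertible(r)
    P, Pinv = random_permutation_matrix(len(H[0]))
    return matmul(matmul(S, H), P), (Sinv, H, Pinv)


def encrypt(K, m):
    """Ciphertext is the syndrome K m of a weight-t plaintext m (t = 1 in this toy)."""
    if sum(m) != 1:
        raise ValueError("plaintext must have weight t = 1")
    return matvec(K, m)


def decrypt(sk, c):
    """S^-1 c = H P m; decode H to get P m; apply P^-1 to get m."""
    Sinv, H, Pinv = sk
    return matvec(Pinv, hamming_syndrome_decode(H, matvec(Sinv, c)))


def generic_attack(K, c):
    """The attacker's problem: a weight-t v with K v = c, without S, H, P. Enumerating weight-1
    vectors is instant here; with the text's n = 3584, t = 149 the candidate space is C(n, t)
    and the best known attacks remain exponential in b."""
    n = len(K[0])
    for j in range(n):
        v = [int(i == j) for i in range(n)]
        if matvec(K, v) == c:
            return v
    return None


if __name__ == "__main__":
    K, sk = keygen(4)                       # n = 15, public key 4 x 15 over F2
    m = [int(i == 9) for i in range(15)]    # constructed weight-1 plaintext
    c = encrypt(K, m)
    print("ciphertext:", c, "decrypts correctly:", decrypt(sk, c) == m)
```

The toy makes the real scheme's parameter pressure visible: the public key is a dense dt × n matrix, which with n = 3584, d = 12 and t = 149 is already several megabits, while the attacker's brute force grows as C(n, t); that is the trade-off the "long public keys" remark above refers to.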
27. Post - Quantum Cryptography
(Challenges)
Some cryptographic systems, such as RSA with a four-thousand-bit key, are believed to resist attacks
by large classical computers but do not resist attacks by large quantum computers. Some alternatives,
such as McEliece encryption with a four-million-bit key, are believed to resist attacks by large classical
computers and attacks by large quantum computers. So why do we need to worry now about the
threat of quantum computers? Why not continue to focus on RSA and ECDSA? If someone announces
the successful construction of a large quantum computer fifteen years from now, why not simply switch
to McEliece etc. fifteen years from now? This section gives three answers, three important reasons that
parts of the cryptographic community are already starting to focus attention on post-quantum
cryptography:
28. Post - Quantum Cryptography
(Challenges)
• We need time to improve the efficiency of post-quantum cryptography.
• We need time to build confidence in post-quantum cryptography.
• We need time to improve the usability of post-quantum cryptography. In short, we are not yet
prepared for the world to switch to post-quantum cryptography.
Maybe this preparation is unnecessary. Maybe we won't actually need post-quantum cryptography.
Maybe nobody will ever announce the successful construction of a large quantum computer. However,
if we don't do anything, and if it suddenly turns out years from now that users do need post-quantum
cryptography, years of critical research time will have been lost.
29. Post - Quantum Cryptography
(Challenges: Efficiency)
Elliptic-curve signature systems with O(b)-bit signatures and O(b)-bit keys appear to provide b bits of
security against classical computers. State-of-the-art signing algorithms and verification algorithms
take time b^(2+o(1)). Can post-quantum public-key signature systems achieve similar levels of
performance? My two examples of signature systems certainly don't qualify: one example has
signatures of length b^(2+o(1)), and the other example has keys of length b^(3+o(1)). There are many
other proposals for post-quantum signature systems, but I have never seen a proposal combining
O(b)-bit signatures, O(b)-bit keys, polynomial-time signing, and polynomial-time verification. Inefficient
cryptography is an option for some users but is not an option for a busy Internet server handling tens
of thousands of clients each second. If you make a secure web connection today to
https://www.google.com, Google redirects your browser to http://www.google.com, deliberately
turning off cryptographic protection. Google does have some cryptographically protected web pages
but apparently cannot afford to protect its most heavily used web pages. If Google already has trouble
with the slowness of today's cryptographic
30. Post - Quantum Cryptography
(Challenges: Efficiency)
software, surely it will not have less trouble with the slowness of post-quantum cryptographic software.
Constraints on space and time have always posed critical research challenges to cryptographers and
will continue to pose critical research challenges to post-quantum cryptographers. On the bright side,
research in cryptography has produced many impressive speedups, and one can reasonably hope that
increased research efforts in post-quantum cryptography will continue to produce impressive
speedups.
31. Post - Quantum Cryptography
(Challenges: Confidence)
Merkle's hash-tree public-key signature system and McEliece's hidden-Goppa-code public-key
encryption system were both proposed thirty years ago and remain essentially unscathed despite
extensive cryptanalytic efforts. Many other candidates for hash-based cryptography and code-based
cryptography are much newer; multivariate-quadratic cryptography and lattice-based cryptography
provide an even wider variety of new candidates for post-quantum cryptography. Some specific
proposals have been broken. Perhaps a new system will be broken as soon as a cryptanalyst takes the
time to look at the system. One could insist on using classic systems that have survived many years of
review. But often the user cannot afford the classic systems and is forced to consider newer, smaller,
faster systems that take advantage of more recent research into cryptographic efficiency. To build
confidence in these systems the community needs to make sure that cryptanalysts have taken time to
search for attacks on the systems. Those cryptanalysts, in turn, need to gain familiarity with post-
quantum cryptography and experience with post-quantum cryptanalysis.
32. Post - Quantum Cryptography
(Challenges: Usability)
The RSA public-key cryptosystem started as nothing more than a trapdoor one-way function, "cube
modulo n." (Tangential historical note: the original paper by Rivest, Shamir, and Adleman actually used
large random exponents. Rabin pointed out that small exponents such as 3 are hundreds of times
faster.) Unfortunately, one cannot simply use a trapdoor one-way function as if it were a secure
encryption function. Modern RSA encryption does not simply cube a message modulo n; it has to first
randomize and pad the message. Furthermore, to handle long messages, it encrypts a short random
string instead of the message, and uses that random string as a key for a symmetric cipher to encrypt
and authenticate the original message. This infrastructure around RSA took many years to develop,
with many disasters along the way, such as the "PKCS#1 v1.5" padding standard broken by
Bleichenbacher in 1998.
33. Post - Quantum Cryptography
(Challenges: Usability)
Furthermore, even if a secure encryption function has been defined and standardized, it needs software
implementations (and perhaps also hardware implementations) suitable for integration into a wide
variety of applications. Implementors need to be careful not only to achieve correctness and speed but
also to avoid timing leaks and other side-channel leaks. A few years ago several implementations of
RSA and AES were broken by cache-timing attacks; Intel has, as a partial solution, added AES
instructions (AES-NI) to its CPUs. Post-quantum cryptography, like the rest of cryptography, needs
complete hybrid systems and detailed standards and high-speed leak-resistant implementations.
34. Sources
• Alves, Carolina Moura and Adrian Kent. "Quantum Cryptography." National University of Singapore.
http://www.quantumlah.org/?q=tutorial/quantumcrypto
• Azzole, Pete. "Ultra: The Silver Bullet." Cryptolog. November 1996.
http://www.cl.cam.ac.uk/research/security/Historical/azzole1.html
• Brumfiel, Geoffrey. "Quantum Cryptography is Hacked." Nature. April 27, 2007.
http://www.nature.com/news/2007/070423/full/news070423-10.html
35. Sources
• Aguilar, Edgar A., Ravishankar Ramanathan, Johannes Kofler, and Marcin Pawłowski. "Completely Device
Independent Quantum Key Distribution." arXiv:1507.05752v1 [quant-ph], 21 Jul 2015.
• Messmer, Ellen. "Quantum Cryptography to Secure Ballots in Swiss Election." Network World. October 11,
2007. http://www.networkworld.com/news/2007/101007-quantum-cryptography-secure-ballots.html?t51hb
• Stix, Gary. "Best-Kept Secrets: Quantum cryptography has marched from theory to laboratory to real
products." Scientific American. January 2005.
http://www.sciam.com/article.cfm?chanID=sa006&colID=1&articleID=000479CD-F58C-11BE-AD0683414B7F0000
• Vittorio, Salvatore. "Quantum Cryptography: Privacy through Uncertainty." CSA. October 2002.
http://www.csa.com/discoveryguides/crypt/overview.php
• "Quantum Cryptography Tutorial." Dartmouth College. http://www.cs.dartmouth.edu/~jford/crypto.html