13 research outputs found

    Quantum Complexity for Discrete Logarithms and Related Problems

    Get PDF
    This paper studies the quantum computational complexity of the discrete logarithm and related group-theoretic problems in the context of ``generic algorithms\u27\u27---that is, algorithms that do not exploit any properties of the group encoding. We establish a generic model of quantum computation for group-theoretic problems, which we call the quantum generic group model, as a quantum analog of its classical counterpart. Shor\u27s algorithm for the discrete logarithm problem and related algorithms can be described in this model. We show the quantum complexity lower bounds and (almost) matching algorithms of the discrete logarithm and related problems in this model. More precisely, we prove the following results for a cyclic group G\mathcal G of prime order. (1) Any generic quantum discrete logarithm algorithm must make Ω(logG)\Omega(\log |\mathcal G|) depth of group operation queries. This shows that Shor\u27s algorithm that makes O(logG)O(\log |\mathcal G|) group operations is asymptotically optimal among the generic quantum algorithms, even considering parallel algorithms. (2) We observe that some (known) variations of Shor\u27s algorithm can take advantage of classical computations to reduce the number and depth of quantum group operations. We introduce a model for generic hybrid quantum-classical algorithm that captures these variants, and show that these algorithms are almost optimal in this model. Any generic hybrid quantum-classical algorithm for the discrete logarithm problem with a total number of (classical or quantum) group operations QQ must make Ω(logG/logQ)\Omega(\log |\mathcal G|/\log Q) quantum group operations of depth Ω(loglogGloglogQ)\Omega(\log\log |\mathcal G| - \log\log Q). In particular, if Q=polylogGQ={\rm poly}\log |\mathcal G|, classical group operations can only save the number of quantum queries by a factor of O(loglogG)O(\log\log |\mathcal G|) and the quantum depth remains as Ω(loglogG)\Omega(\log\log |\mathcal G|). (3) When the quantum memory can only store tt group elements and use quantum random access memory (qRAM) of rr group elements, any generic hybrid quantum-classical algorithm must make either Ω(G)\Omega(\sqrt{|\mathcal G|}) group operation queries in total or Ω(logG/log(tr))\Omega(\log |\mathcal G|/\log (tr)) quantum group operation queries. In particular, classical queries cannot reduce the number of quantum queries beyond Ω(logG/log(tr))\Omega(\log |\mathcal G|/\log (tr)). As a side contribution, we show a multiple discrete logarithm problem admits a better algorithm than solving each instance one by one, refuting a strong form of the quantum annoying property suggested in the context of password-authenticated key exchange protocol

    Quantum attacks on Bitcoin, and how to protect against them

    Get PDF
    The key cryptographic protocols used to secure the internet and financial transactions of today are all susceptible to attack by the development of a sufficiently large quantum computer. One particular area at risk are cryptocurrencies, a market currently worth over 150 billion USD. We investigate the risk of Bitcoin, and other cryptocurrencies, to attacks by quantum computers. We find that the proof-of-work used by Bitcoin is relatively resistant to substantial speedup by quantum computers in the next 10 years, mainly because specialized ASIC miners are extremely fast compared to the estimated clock speed of near-term quantum computers. On the other hand, the elliptic curve signature scheme used by Bitcoin is much more at risk, and could be completely broken by a quantum computer as early as 2027, by the most optimistic estimates. We analyze an alternative proof-of-work called Momentum, based on finding collisions in a hash function, that is even more resistant to speedup by a quantum computer. We also review the available post-quantum signature schemes to see which one would best meet the security and efficiency requirements of blockchain applications.Comment: 21 pages, 6 figures. For a rough update on the progress of Quantum devices and prognostications on time from now to break Digital signatures, see https://www.quantumcryptopocalypse.com/quantum-moores-law

    Quantum Complexity for Discrete Logarithms and Related Problems

    Full text link
    This paper studies the quantum computational complexity of the discrete logarithm (DL) and related group-theoretic problems in the context of generic algorithms -- that is, algorithms that do not exploit any properties of the group encoding. We establish a generic model of quantum computation for group-theoretic problems, which we call the quantum generic group model. Shor's algorithm for the DL problem and related algorithms can be described in this model. We show the quantum complexity lower bounds and almost matching algorithms of the DL and related problems in this model. More precisely, we prove the following results for a cyclic group GG of prime order. - Any generic quantum DL algorithm must make Ω(logG)\Omega(\log |G|) depth of group operations. This shows that Shor's algorithm is asymptotically optimal among the generic quantum algorithms, even considering parallel algorithms. - We observe that variations of Shor's algorithm can take advantage of classical computations to reduce the number of quantum group operations. We introduce a model for generic hybrid quantum-classical algorithms and show that these algorithms are almost optimal in this model. Any generic hybrid algorithm for the DL problem with a total number of group operations QQ must make Ω(logG/logQ)\Omega(\log |G|/\log Q) quantum group operations of depth Ω(loglogGloglogQ)\Omega(\log\log |G| - \log\log Q). - When the quantum memory can only store tt group elements and use quantum random access memory of rr group elements, any generic hybrid algorithm must make either Ω(G)\Omega(\sqrt{|G|}) group operations in total or Ω(logG/log(tr))\Omega(\log |G|/\log (tr)) quantum group operations. As a side contribution, we show a multiple DL problem admits a better algorithm than solving each instance one by one, refuting a strong form of the quantum annoying property suggested in the context of password-authenticated key exchange protocol

    Quantum Algorithms for Attacking Hardness Assumptions in Classical and Post‐Quantum Cryptography

    Get PDF
    In this survey, the authors review the main quantum algorithms for solving the computational problems that serve as hardness assumptions for cryptosystem. To this end, the authors consider both the currently most widely used classically secure cryptosystems, and the most promising candidates for post-quantum secure cryptosystems. The authors provide details on the cost of the quantum algorithms presented in this survey. The authors furthermore discuss ongoing research directions that can impact quantum cryptanalysis in the future

    Key Agreement Against Quantum Adversaries

    Full text link
    Key agreement is a cryptographic scenario between two legitimate parties, who need to establish a common secret key over a public authenticated channel, and an eavesdropper who intercepts all their messages in order to learn the secret. We consider query complexity in which we count only the number of evaluations (queries) of a given black-box function, and classical communication channels. Ralph Merkle provided the first unclassified scheme for secure communications over insecure channels. When legitimate parties are willing to ask O(N) queries for some parameter N, any classical eavesdropper needs Omega(N^2) queries before being able to learn their secret, which is is optimal. However, a quantum eavesdropper can break this scheme in O(N) queries. Furthermore, it was conjectured that any scheme, in which legitimate parties are classical, could be broken in O(N) quantum queries. In this thesis, we introduce protocols à la Merkle that fall into two categories. When legitimate parties are restricted to use classical computers, we offer the first secure classical scheme. It requires Omega(N^{13/12}) queries of a quantum eavesdropper to learn the secret. We give another protocol having security of Omega(N^{7/6}) queries. Furthermore, for any k>= 2, we introduce a classical protocol in which legitimate parties establish a secret in O(N) queries while the optimal quantum eavesdropping strategy requires Theta(N^{1/2+k/{k+1}}) queries, approaching Theta(N^{3/2}) when k increases. When legitimate parties are provided with quantum computers, we present two quantum protocols improving on the best known scheme before this work. Furthermore, for any k>= 2, we give a quantum protocol in which legitimate parties establish a secret in O(N) queries while the optimal quantum eavesdropping strategy requires Theta(N^{1+{k}/{k+1}})} queries, approaching Theta(N^{2}) when k increases.Un protocole d'échange de clés est un scénario cryptographique entre deux partis légitimes ayant besoin de se mettre d'accord sur une clé commune secrète via un canal public authentifié où tous les messages sont interceptés par un espion voulant connaître leur secret. Nous considérons un canal classique et mesurons la complexité de calcul en termes du nombre d'évaluations (requêtes) d'une fonction donnée par une boîte noire. Ralph Merkle fut le premier à proposer un schéma non classifié permettant de réaliser des échanges securisés avec des canaux non securisés. Lorsque les partis légitimes sont capables de faire O(N) requêtes pour un certain paramètre N, tout espion classique doit faire Omega(N^2) requêtes avant de pouvoir apprendre leur secret, ce qui est optimal. Cependant, un espion quantique peut briser ce schéma avec O(N) requêtes. D'ailleurs, il a été conjecturé que tout protocole, dont les partis légitimes sont classiques, pourrait être brisé avec O(N) requêtes quantiques. Dans cette thèse, nous introduisons deux catégories des protocoles à la Merkle. Lorsque les partis légitimes sont restreints à l'utilisation des ordinateurs classiques, nous offrons le premier schéma classique sûr. Il oblige tout adversaire quantique à faire Omega(N^{13/12}) requêtes avant d'apprendre le secret. Nous offrons aussi un protocole ayant une sécurité de Omega(N^{7/6}) requêtes. En outre, pour tout k >= 2, nous donnons un protocole classique pour lequel les partis légitimes établissent un secret avec O(N) requêtes alors que la stratégie optimale d'espionnage quantique nécessite Theta(N^{1/2 + k/{k +1}}) requêtes, se rapprochant de Theta(N^{3/2}) lorsque k croît. Lors les partis légitimes sont équipés d'ordinateurs quantiques, nous présentons deux protocoles supérieurs au meilleur schéma connu avant ce travail. En outre, pour tout k >= 2, nous offrons un protocole quantique pour lequel les partis légitimes établissent un secret avec O(N) requêtes alors que l'espionnage quantique optimale nécessite Theta(N^{1+{k}/{k+1}}) requêtes, se rapprochant de Theta(N^{2}) lorsque k croît

    Symmetric-key Authenticated Key Exchange (SAKE) with Perfect Forward Secrecy

    Get PDF
    Key exchange protocols in the asymmetric-key setting are known to provide stronger security properties than protocols in symmetric-key cryptography. In particular, they can provide perfect forward secrecy, as illustrated by key exchange protocols based on the Diffie-Hellman scheme. However public-key algorithms are too heavy for low-resource devices, which can then not benefit from forward secrecy. In this paper, we describe a scheme that solves this issue. Using a nifty resynchronisation technique, we propose an authenticated key exchange protocol in the symmetric-key setting that guarantees perfect forward secrecy. We prove that the protocol is sound, and provide a formal security proof

    That’s not my signature! Fail-stop signatures for a post-quantum world

    Get PDF
    The Snowden\u27s revelations kick-started a community-wide effort to develop cryptographic tools against mass surveillance. In this work, we propose to add another primitive to that toolbox: Fail-Stop Signatures (FSS) [EC\u2789]. FSS are digital signatures enhanced with a forgery-detection mechanism that can protect a PPT signer from more powerful attackers. Despite the fascinating concept, research in this area stalled after the \u2790s. However, the ongoing transition to post-quantum cryptography, with its hiccups due to the novelty of underlying assumptions, has become the perfect use case for FSS. This paper aims to reboot research on FSS with practical use in mind: Our framework for FSS includes ``fine-grained\u27\u27 security definitions (that assume a powerful, but bounded adversary e.g: can break 128128-bit of security, but not 256256-bit). As an application, we show new FSS constructions for the post-quantum setting. We show that FSS are equivalent to standard, provably secure digital signatures that do not require rewinding or programming random oracles, and that this implies lattice-based FSS. Our main construction is an FSS version of SPHINCS, which required building FSS versions of all its building blocks: WOTS, XMSS, and FORS. In the process, we identify and provide generic solutions for two fundamental issues arising when deriving a large number of private keys from a single seed, and when building FSS for Hash-and-Sign-based signatures

    The art and architecture of mathematics education: a study in metaphors

    Get PDF
    This chapter presents the summary of a talk given at the Eighth European Summer University, held in Oslo in 2018. It attempts to show how art, literature, and history, can paint images of mathematics that are not only useful but relevant to learners as they can support their personal development as well as their appreciation of mathematics as a discipline. To achieve this goal, several metaphors about and of mathematics are explored
    corecore