Factoring Safe Semiprimes with a Single Quantum Query

Shor's factoring algorithm (SFA), by its ability to efficiently factor large numbers, has the potential to undermine contemporary encryption. At its heart is a process called order finding, which quantum mechanics lets us perform efficiently. SFA thus consists of a \emph{quantum order finding algorithm} (QOFA), bookended by classical routines which, given the order, return the factors. But, with probability up to $1/2$, these classical routines fail, and QOFA must be rerun. We modify these routines using elementary results in number theory, improving the likelihood that they return the factors. The resulting quantum factoring algorithm is better than SFA at factoring safe semiprimes, an important class of numbers used in cryptography. With just one call to QOFA, our algorithm almost always factors safe semiprimes. As well as a speed-up, improving efficiency gives our algorithm other, practical advantages: unlike SFA, it does not need a randomly picked input, making it simpler to construct in the lab; and in the (unlikely) case of failure, the same circuit can be rerun, without modification. We consider generalizing this result to other cases, although we do not find a simple extension, and conclude that SFA is still the best algorithm for general numbers (non safe semiprimes, in other words). Even so, we present some simple number theoretic tricks for improving SFA in this case.Comment: v2 : Typo correction and rewriting for improved clarity v3 : Slight expansion, for improved clarit

Large-Scale Simulation of Shor's Quantum Factoring Algorithm

Shor's factoring algorithm is one of the most anticipated applications of quantum computing. However, the limited capabilities of today's quantum computers only permit a study of Shor's algorithm for very small numbers. Here we show how large GPU-based supercomputers can be used to assess the performance of Shor's algorithm for numbers that are out of reach for current and near-term quantum hardware. First, we study Shor's original factoring algorithm. While theoretical bounds suggest success probabilities of only 3-4 %, we find average success probabilities above 50 %, due to a high frequency of "lucky" cases, defined as successful factorizations despite unmet sufficient conditions. Second, we investigate a powerful post-processing procedure, by which the success probability can be brought arbitrarily close to one, with only a single run of Shor's quantum algorithm. Finally, we study the effectiveness of this post-processing procedure in the presence of typical errors in quantum processing hardware. We find that the quantum factoring algorithm exhibits a particular form of universality and resilience against the different types of errors. The largest semiprime that we have factored by executing Shor's algorithm on a GPU-based supercomputer, without exploiting prior knowledge of the solution, is 549755813701 = 712321 * 771781. We put forward the challenge of factoring, without oversimplification, a non-trivial semiprime larger than this number on any quantum computing device.Comment: differs from the published version in formatting and style; open source code available at https://jugit.fz-juelich.de/qip/shorgp

Security, Scalability and Privacy in Applied Cryptography

In the modern digital world, cryptography finds its place in countless applications. However, as we increasingly use technology to perform potentially sensitive tasks, our actions and private data attract, more than ever, the interest of ill-intentioned actors. Due to the possible privacy implications of cryptographic flaws, new primitives’ designs need to undergo rigorous security analysis and extensive cryptanalysis to foster confidence in their adoption. At the same time, implementations of cryptographic protocols should scale on a global level and be efficiently deployable on users’ most common devices to widen the range of their applications. This dissertation will address the security, scalability and privacy of cryptosystems by presenting new designs and cryptanalytic results regarding blockchain cryptographic primitives and public-key schemes based on elliptic curves. In Part I, I will present the works I have done in regards to accumulator schemes. More precisely, in Chapter 2, I cryptanalyze Au et al. Dynamic Universal Accumulator, by showing some attacks which can completely take over the authority who manages the accumulator. In Chapter 3, I propose a design for an efficient and secure accumulator-based authentication mechanism, which is scalable, privacy-friendly, lightweight on the users’ side, and suitable to be implemented on the blockchain. In Part II, I will report some cryptanalytical results on primitives employed or considered for adoption in top blockchain-based cryptocurrencies. In particular, in Chapter 4, I describe how the zero-knowledge proof system and the commitment scheme adopted by the privacy-friendly cryptocurrency Zcash, contain multiple subliminal channels which can be exploited to embed several bytes of tagging information in users’ private transactions. In Chapter 5, instead, I report the cryptanalysis of the Legendre PRF, employed in a new consensus mechanism considered for adoption by the blockchain-based platform Ethereum, and attacks for further generalizations of this pseudo-random function, such as the Higher-Degree Legendre PRF, the Jacobi Symbol PRF, and the Power-Residue PRF. Lastly, in Part III, I present my line of research on public-key primitives based on elliptic curves. In Chapter 6, I will describe a backdooring procedure for primes so that whenever they appear as divisors of a large integer, the latter can be efficiently factored. This technique, based on elliptic curves Complex Multiplication theory, enables to eventually generate non-vulnerable certifiable semiprimes with unknown factorization in a multi-party computation setting, with no need to run a statistical semiprimality test common to other protocols. In Chapter 7, instead, I will report some attack optimizations and specific implementation design choices that allow breaking a reduced-parameters instance, proposed by Microsoft, of SIKE, a post-quantum key-encapsulation mechanism based on isogenies between supersingular elliptic curves

Quantum Computational Supremacy: Security and Vulnerability in a New Paradigm

Despite three decades of research, the field of quantum computation has yet to build a quantum computer that can perform a task beyond the capability of any classical computer – an event known as computational supremacy. Yet this multi-billion dollar research industry persists in its efforts to construct such a machine. Based on the counter-intuitive principles of quantum physics, these devices are fundamentally different from the computers we know. It is theorised that large-scale quantum computers will have the ability to perform some remarkably powerful computations, even if the extent of their capabilities remains disputed. One application, however, the factoring of large numbers into their constituent primes, has already been demonstrated using Shor’s quantum algorithm. This capability has far reaching implications for cybersecurity as it poses an unprecedented threat to the public key encryption that forms an important component of the security of all digital communications. This paper outlines the nature of the threat that quantum computation is believed to pose to digital communications and investigates how this emerging technology, coupled with the threat of Adversarial Artificial Intelligence, may result in large technology companies gaining unacceptable political leverage; and it proposes measures that might be implemented to mitigate this eventuality

Proof of Latency Using a Verifiable Delay Function

In this thesis I present an interactive public-coin protocol called Proof of Latency (PoL) that aims to improve connections in peer-to-peer networks by measuring latencies with logical clocks built from verifiable delay functions (VDF). PoL is a tuple of three algorithms, Setup(e, λ), VCOpen(c, e), and Measure(g, T, l_p, l_v). Setup creates a vector commitment (VC), from which a vector commitment opening corresponding to a collaborator's public key is taken in VCOpen, which then gets used to create a common reference string used in Measure. If no collusion gets detected by neither party, a signed proof is ready for advertising. PoL is agnostic in terms of the individual implementations of the VC or VDF used. This said, I present a proof of concept in the form of a state machine implemented in Rust that uses RSA-2048, Catalano-Fiore vector commitments and Wesolowski's VDF to demonstrate PoL. As VDFs themselves have been shown to be useful in timestamping, they seem to work as a measurement of time in this context as well, albeit requiring a public performance metric for each peer to compare to during the measurement. I have imagined many use cases for PoL, like proving a geographical location, working as a benchmark query, or using the proofs to calculate VDFs with the latencies between peers themselves. As it stands, PoL works as a distance bounding protocol between two participants, considering their computing performance is relatively similar. More work is needed to verify the soundness of PoL as a publicly verifiable proof that a third party can believe in.Tässä tutkielmassa esitän interaktiivisen protokollan nimeltä Proof of latency (PoL), joka pyrkii parantamaan yhteyksiä vertaisverkoissa mittaamalla viivettä todennettavasta viivefunktiosta rakennetulla loogisella kellolla. Proof of latency koostuu kolmesta algoritmista, Setup(e, λ), VCOpen(c, e) ja Measure(g, T, l_p, l_v). Setup luo vektorisitoumuksen, josta luodaan avaus algoritmissa VCOpen avaamalla vektorisitoumus indeksistä, joka kuvautuu toisen mittaavan osapuolen julkiseen avaimeen. Tätä avausta käytetään luomaan yleinen viitemerkkijono, jota käytetään algoritmissa Measure alkupisteenä molempien osapuolien todennettavissa viivefunktioissa mittaamaan viivettä. Jos kumpikin osapuoli ei huomaa virheitä mittauksessa, on heidän allekirjoittama todistus valmis mainostettavaksi vertaisverkossa. PoL ei ota kantaa sen käyttämien kryptografisten funktioiden implementaatioon. Tästä huolimatta olen ohjelmoinut protokollasta prototyypin Rust-ohjelmointikielellä käyttäen RSA-2048:tta, Catalano-Fiore--vektorisitoumuksia ja Wesolowskin todennettavaa viivefunktiota protokollan esittelyyn. Todistettavat viivefunktiot ovat osoittaneet hyödyllisiksi aikaleimauksessa, mikä näyttäisi osoittavan niiden soveltumisen myös ajan mittaamiseen tässä konteksissa, huolimatta siitä että jokaisen osapuolen tulee ilmoittaa julkisesti teholukema, joka kuvaa niiden tehokkuutta viivefunktioiden laskemisessa. Toinen osapuoli käyttää tätä lukemaa arvioimaan valehteliko toinen viivemittauksessa. Olen kuvitellut monta käyttökohdetta PoL:lle, kuten maantieteellisen sijainnin todistaminen, suorituskykytestaus, tai itse viivetodistuksien käyttäminen uusien viivetodistusten laskemisessa vertaisverkon osallistujien välillä. Tällä hetkellä PoL toimii etäisyydenmittausprotokollana kahden osallistujan välillä, jos niiden suorituskyvyt ovat tarpeeksi lähellä toisiaan. Protokolla tarvitsee lisätutkimusta sen suhteen, voiko se toimia uskottavana todistuksena kolmansille osapuolille kahden vertaisverkon osallistujan välisestä viiveestä

Cybersecurity and Quantum Computing: friends or foes?

L'abstract è presente nell'allegato / the abstract is in the attachmen