Estimating the cost of generic quantum pre-image attacks on SHA-2 and SHA-3

We investigate the cost of Grover's quantum search algorithm when used in the context of pre-image attacks on the SHA-2 and SHA-3 families of hash functions. Our cost model assumes that the attack is run on a surface code based fault-tolerant quantum computer. Our estimates rely on a time-area metric that costs the number of logical qubits times the depth of the circuit in units of surface code cycles. As a surface code cycle involves a significant classical processing stage, our cost estimates allow for crude, but direct, comparisons of classical and quantum algorithms. We exhibit a circuit for a pre-image attack on SHA-256 that is approximately $2^{153.8}$ surface code cycles deep and requires approximately $2^{12.6}$ logical qubits. This yields an overall cost of $2^{166.4}$ logical-qubit-cycles. Likewise we exhibit a SHA3-256 circuit that is approximately $2^{146.5}$ surface code cycles deep and requires approximately $2^{20}$ logical qubits for a total cost of, again, $2^{166.5}$ logical-qubit-cycles. Both attacks require on the order of $2^{128}$ queries in a quantum black-box model, hence our results suggest that executing these attacks may be as much as $275$ billion times more expensive than one would expect from the simple query analysis.Comment: Same as the published version to appear in the Selected Areas of Cryptography (SAC) 2016. Comments are welcome

Entanglement cost and quantum channel simulation

This paper proposes a revised definition for the entanglement cost of a quantum channel $\mathcal{N}$. In particular, it is defined here to be the smallest rate at which entanglement is required, in addition to free classical communication, in order to simulate $n$ calls to $\mathcal{N}$, such that the most general discriminator cannot distinguish the $n$ calls to $\mathcal{N}$ from the simulation. The most general discriminator is one who tests the channels in a sequential manner, one after the other, and this discriminator is known as a quantum tester [Chiribella et al., Phys. Rev. Lett., 101, 060401 (2008)] or one who is implementing a quantum co-strategy [Gutoski et al., Symp. Th. Comp., 565 (2007)]. As such, the proposed revised definition of entanglement cost of a quantum channel leads to a rate that cannot be smaller than the previous notion of a channel's entanglement cost [Berta et al., IEEE Trans. Inf. Theory, 59, 6779 (2013)], in which the discriminator is limited to distinguishing parallel uses of the channel from the simulation. Under this revised notion, I prove that the entanglement cost of certain teleportation-simulable channels is equal to the entanglement cost of their underlying resource states. Then I find single-letter formulas for the entanglement cost of some fundamental channel models, including dephasing, erasure, three-dimensional Werner--Holevo channels, epolarizing channels (complements of depolarizing channels), as well as single-mode pure-loss and pure-amplifier bosonic Gaussian channels. These examples demonstrate that the resource theory of entanglement for quantum channels is not reversible. Finally, I discuss how to generalize the basic notions to arbitrary resource theories.Comment: 28 pages, 7 figure

Preliminary Design of Reactive Distillation Columns

A procedure that combines feasibility analysis, synthesis and design of reactive distillation columns is introduced. The main interest of this methodology lies on a progressive introduction of the process complexity. From minimal information concerning the physicochemical properties of the system, three steps lead to the design of the unit and the specification of its operating conditions. Most of the methodology exploits and enriches approaches found in the literature. Each step is described and our contribution is underlined. Its application is currently limited to equilibrium reactive systems where degree of freedom is equal to 2 or less than 2. This methodology which provides a reliable initialization point for the optimization of the process has been applied with success to different synthesis. The production of methyl-tert-butyl-ether (MTBE) and methyl acetate are presented as examples

Near-term quantum-repeater experiments with nitrogen-vacancy centers: Overcoming the limitations of direct transmission

Quantum channels enable the implementation of communication tasks inaccessible to their classical counterparts. The most famous example is the distribution of secret key. However, in the absence of quantum repeaters, the rate at which these tasks can be performed is dictated by the losses in the quantum channel. In practice, channel losses have limited the reach of quantum protocols to short distances. Quantum repeaters have the potential to significantly increase the rates and reach beyond the limits of direct transmission. However, no experimental implementation has overcome the direct transmission threshold. Here, we propose three quantum repeater schemes and assess their ability to generate secret key when implemented on a setup using nitrogen-vacancy (NV) centers in diamond with near-term experimental parameters. We find that one of these schemes - the so-called single-photon scheme, requiring no quantum storage - has the ability to surpass the capacity - the highest secret-key rate achievable with direct transmission - by a factor of 7 for a distance of approximately 9.2 km with near-term parameters, establishing it as a prime candidate for the first experimental realization of a quantum repeater.Comment: 19+17 pages, 17 figures. v2: added "Discussion and future outlook" section and expanded introduction, published versio

Unconstrained distillation capacities of a pure-loss bosonic broadcast channel

Bosonic channels are important in practice as they form a simple model for free-space or fiber-optic communication. Here we consider a single-sender two-receiver pure-loss bosonic broadcast channel and determine the unconstrained capacity region for the distillation of bipartite entanglement and secret key between the sender and each receiver, whenever they are allowed arbitrary public classical communication. We show how the state merging protocol leads to achievable rates in this setting, giving an inner bound on the capacity region. We also evaluate an outer bound on the region by using the relative entropy of entanglement and a `reduction by teleportation' technique. The outer bounds match the inner bounds in the infinite-energy limit, thereby establishing the unconstrained capacity region for such channels. Our result could provide a useful benchmark for implementing a broadcasting of entanglement and secret key through such channels. An important open question relevant to practice is to determine the capacity region in both this setting and the single-sender single-receiver case when there is an energy constraint on the transmitter.Comment: v2: 6 pages, 3 figures, introduction revised, appendix added where the result is extended to the 1-to-m pure-loss bosonic broadcast channel. v3: minor revision, typo error correcte

Separation of Reliability and Secrecy in Rate-Limited Secret-Key Generation

For a discrete or a continuous source model, we study the problem of secret-key generation with one round of rate-limited public communication between two legitimate users. Although we do not provide new bounds on the wiretap secret-key (WSK) capacity for the discrete source model, we use an alternative achievability scheme that may be useful for practical applications. As a side result, we conveniently extend known bounds to the case of a continuous source model. Specifically, we consider a sequential key-generation strategy, that implements a rate-limited reconciliation step to handle reliability, followed by a privacy amplification step performed with extractors to handle secrecy. We prove that such a sequential strategy achieves the best known bounds for the rate-limited WSK capacity (under the assumption of degraded sources in the case of two-way communication). However, we show that, unlike the case of rate-unlimited public communication, achieving the reconciliation capacity in a sequential strategy does not necessarily lead to achieving the best known bounds for the WSK capacity. Consequently, reliability and secrecy can be treated successively but not independently, thereby exhibiting a limitation of sequential strategies for rate-limited public communication. Nevertheless, we provide scenarios for which reliability and secrecy can be treated successively and independently, such as the two-way rate-limited SK capacity, the one-way rate-limited WSK capacity for degraded binary symmetric sources, and the one-way rate-limited WSK capacity for Gaussian degraded sources.Comment: 18 pages, two-column, 9 figures, accepted to IEEE Transactions on Information Theory; corrected typos; updated references; minor change in titl