Transcript Tallinn University of Technology Quantum computer impact on

Tallinn University of Technology
Quantum computer impact on public
key cryptography
Roman Stepanenko
Agenda
Introduction
 Explanation of RSA
 Principles of quantum computers
 Shor’s factorization algorithm

Introduction
Most cryptography systems rely on the
difficulty of factoring large numbers.
 No known efficient algorithm for number
factorization on classical computer.
Available algorithms take exponential time
in respect to input size. Factorization of
hundreds digits long numbers is
practically impossible.

Introduction

But what if there is a fast way to factor
large numbers…?
Explanation of RSA
To explain why big number factorization is
so important to cryptography we need to
analyze how RSA works.
 After a brief explanation a short example
will follow which I took from the all
knowing Wikipedia.
 It will be shown why RSA is vulnerable

Explanation of RSA
RSA algorithm consists of three steps: key
generation, encryption and decryption.
RSA uses a public and a private key.
 Let’s look at how this is done.

Steps of RSA
randomly generate two distinct prime
numbers p and q of similar length
 compute n = pq which will be used as
modulus for both private and public keys
 totient* function φ(n) = (p – 1)(q – 1)
needs to be computed

*Euler's totient of a positive integer n is
defined to be the number of positive
integers less than or equal to n that are
coprime to n.
Steps of RSA



choose an integer e so that φ(n) and e are
coprime and 1 < e < φ(n), number e is the
public key exponent
to get the private key exponent d it is
necessary to calculate the multiplicative
inverse of e mod φ(n):
d = e-1 mod φ(n)
public key consists of the modulus n and the
encryption exponent e, private key consists
of the decryption exponent d
Steps of RSA
message needs to be converted to an
integer m (padding scheme is used)
 ciphertext c = me (mod n) is computed
 m = cd(mod n) to decrypt
 from m we recover the original message

Example of RSA encryption
taken from http://en.wikipedia.org/wiki/RSA#A_working_example
1.
2.
3.
Choose two distinct prime numbers,
such as p = 61 and q = 53.
Compute n = pq giving n = 61 · 53 =
3233.
Compute the totient of the product as
ϕ(n) = (p − 1)(q − 1) giving ϕ(3233) =
(61 − 1)(53 − 1) = 3120.
Example of RSA encryption
taken from http://en.wikipedia.org/wiki/RSA#A_working_example
4.
5.
Choose any number 1 < e < 3120 that is
coprime to 3120. Choosing a prime
number for e leaves us only to check
that e is not a divisor of 3120. Let e =
17.
Compute d, the modular multiplicative
inverse of e (mod φ(n)) yielding d =
2753 (solved for example using the
extended Euclidean algorithm*).
*http://www.ahuwanya.net/blog/post/The-ExtendedEuclidean-Algorithm.aspx
Example of RSA encryption
taken from http://en.wikipedia.org/wiki/RSA#A_working_example

The public key is (n = 3233, e = 17). For a
padded plaintext message m, the
encryption function is m17 (mod 3233).

The private key is (n = 3233, d = 2753).
For an encrypted ciphertext c, the
decryption function is c2753 (mod 3233).
Example of RSA encryption
taken from http://en.wikipedia.org/wiki/RSA#A_working_example

For instance, in order to encrypt m = 65,
we calculate
c = 6517 (mod 3233) = 2790.

To decrypt c = 2790, we calculate
m = 27902753 (mod 3233) = 65.
Both of these calculations can be
computed efficiently using the squareand-multiply algorithm for modular
exponentiation.
Factorization attack

If it was possible to efficiently factor the
integer n, which is stored in the public key,
it would be possible to find the totient
φ(n) = (p – 1)(q – 1). Knowing that and
the public exponent e, it is possible to
compute the private exponent using the
equality d = e-1 mod φ(n).
Brief introduction into Quantum
Computing
Base of the classical memory register is
the bit.
 Base of the quantum memory register is
the qbit.
 Ideas how to implement a qbit: using a
quantum particle’s spin value, using
hydrogen atom’s electron state and so on.

Brief introduction into Quantum
Computing
Bit can be either in 0 or 1 state
 Qbit exists in a superposition of 0 and 1
base states, it can be represented as a
linear combination:

where α and β are probability
amplitudes and are complex numbers.
Brief introduction into Quantum
Computing

What do the α and β coefficients actually
mean?
◦ If measured a qbit will be either 0 with
probability |α|2 or 1 with probability |β|2.
◦ |α|2 + |β|2 = 1
◦ A qbit while left alone exists in a combination
of 0 and 1 states, however when measured it
becomes strictly 0 or 1 with certain
probability.
Brief introduction into Quantum
Computing







We are not limited to one qbit systems.
A quantum system composed of m qbits requires 2m complex
numbers to describe.
A classical register with n bits requires only n integers to describe.
Theoretically a quantum register can store exponentially greater
amount of information than a classical register with the same
amount of bits.
A quantum register exists in the superposition of base states. From
this quality something called quantum parallelism arises.
Each component of the superposition may be considered as an
argument to a function, so a function performed on the
superposition of states is in turn performed on each component of
the superposition.
The larger the number of possible states is, however, the smaller
the probability that you will measure any particular state becomes.
Shor’s algorithm

In 1994 Peter Shor who was working as a
scientist in Bell Labs devised a polynomial
time quantum algorithm for big integer
factorization. This became a great driving
force for quantum computer research.
Shor’s algorithm
F(a) = xa mod n is a periodical function
with some period r.
 It is clear that x0 mod n = 1, therefore
xr mod n = 1, x2r mod n = 1 and so on.

Shor’s algorithm
xr mod n = 1,
xr ≡ 1 mod n,
(xr/2)2 ≡ 1 mod n,
(xr/2)2 – 1 ≡ 0 mod n,
and if r is an even number
(xr/2 – 1) (xr/2 + 1) ≡ 0 mod n.
From the last identity it can be seen that (xr/2 – 1) (xr/2 + 1)
is an integer multiple of n. If |xr/2| ≠ 1, then at least one of
(xr/2 – 1), (xr/2 + 1) will have a non-trivial factor in common
with n. Then by computing the gcd(xr/2 – 1, n) and gcd(xr/2 + 1,
n), we will obtain a factor of n. We can use the Euclidean
algorithm for that.
Shor’s algorithm
Shor‘s algorithm is designed to find r.
1. A quantum memory register with two
parts has to be created.
2. A number q is chosen so that
n2 ≤ q <2n2 and q is the power of two.
3. The first part of the memory register is
loaded with a superposition of the
integers which are to be a‘s in the
xa mod n function. The a‘s are chosen to
be integers 0 through q – 1.

Shor’s algorithm
4.
5.
The algorithm calculates xa mod n with
the superposition of the states a placed
in the first part of the memory register,
and places the result in the second part
of the register.
If measured the state of the second part
of the register will collapse into some
value k.
Shor’s algorithm
6.
7.
The first part of the quantum register
will collapse into a superposition of the
base states consistent with the value
observed in the second part. It will
contain values c, c + r, c + 2r... and so on,
where c is the lowest value that would
produce xc mod n = k.
In the next step a discrete quantum
Fourier transform is performed on the
contents of the first part of the register.
Shor’s algorithm
8.
It peaks the probability amplitudes of
the first part of the register at integer
multiples of the quantity q/r.
Shor’s algorithm
Measuring the first part of the register
will yield an integer multiple of the
inverse of the period with high
probability.
10. Analysis of this number is done on a
classical computer to get the period r.
9.
Conclusion

Based on the ideas stated before it can be
said that the invention of a quantum
computer will put public key
cryptography systems that rely on
difficulty to factor large numbers (RSA,
DSA, ECDSA) in danger.
Conclusion

There are many important classes of cryptographic
systems beyond RSA and DSA and ECDSA:
◦
◦
◦
◦
◦

Hash-based cryptography
Code-based cryptography
Lattice-based cryptography
Multivariate-quadratic-equations cryptography
Secret-key cryptography
All of these systems are believed to resist classical
computers and quantum computers.