Information Security: Methods and Practices in Classical and Quantum Regimes
Cryptography
• What does the word mean?
  ▫ Kryptos: hidden, secret
  ▫ Gráphō: to write
• What does it do?
  ▫ Encryption: plaintext → ciphertext
  ▫ Decryption: ciphertext → plaintext
• Why would you want that?
  ▫ Confidentiality
  ▫ Integrity, authentication, signing, interactive proofs, secure multi-party computation
Cryptology, Cryptanalysis, Cryptolinguistics
• Frequency analysis
• Brute force
• Differential
• Integral
• Impossible differential
• Boomerang
• Mod n
• Related key
• Slide
• Timing
• XSL
• Linear
• Multiple linear
• Davies’ attack
• Improved Davies’ attack
Demands for resilient crypto
• Auguste Kerckhoffs’s principles (1883)
  ▫ The system should be practically, if not mathematically, indecipherable
  ▫ The system itself need not be secret and may fall into enemy hands without inconvenience; only the key is secret
  ▫ Key communicable and retainable without written notes, and changeable at will
  ▫ Applicable to telegraphic communication
  ▫ Portable, operable by a single person
  ▫ Easy to use
• Bruce Schneier
  ▫ “Secrecy … is a prime cause of brittleness… Conversely, openness provides ductility.”
• Eric Raymond
  ▫ “Any security software design that doesn't assume the enemy possesses the source code is already untrustworthy; therefore, never trust closed source.”
• Shannon’s maxim
  ▫ “The enemy knows the system.”
Classical Regime: Written language text
Transposition
• Rearrange the positions of the symbols in the text; the symbols themselves are unchanged
• Like an anagram
• Scytale (strip wound around a rod of fixed diameter)
• E.g. swapping adjacent pairs of symbols
  text:   Hello world!
  cipher: eHll oowlr!d
Substitution
• Systematically exchange each symbol in the text for another symbol; positions are unchanged
• Caesar cipher, EXCESS-3
• E.g. shift every letter by 3
  text:   Aabcd
  cipher: Ddefg
Poly-Alphabetic Substitution
• The substitution alphabet changes from symbol to symbol (repeated, dynamic substitutions)
• Wehrmacht Enigma
  ▫ Series of rotors that step after each keypress
One Time Pad
• Perfect secrecy
  ▫ Coined by Shannon
  ▫ H(M) = H(M|C): the ciphertext gives no information about the message
• Requirements
  ▫ Perfect randomness of the key
  ▫ Key at least as long as the message, used exactly once
  ▫ Secure key generation and exchange
  ▫ Careful adherence to process
Classical Regime: Binary bit sequence
Secret Key Crypto
• The one-time pad carries over to bit sequences (Vernam cipher)
  ▫ ciphertext = plaintext XOR key stream; XOR with the same key stream again to decrypt
  ▫ Same perfect secrecy condition: H(M) = H(M|C)
• Same requirements
  ▫ Perfect randomness
  ▫ Key as long as the message, never reused
  ▫ Secure key generation and exchange
  ▫ Careful adherence to process
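The one-time pad on bit sequences, and the consequence of breaking the "used exactly once" requirement from the two slides above, as an added example that is not part of the original slides. The OS CSPRNG stands in for the perfectly random key source the slides require, and the two messages are constructed.

```python
# Added example (not from the slides): a one-time pad over byte strings, the
# bit-sequence (Vernam) form of the cipher, and what the two-time pad leaks.
import secrets


def generate_pad(length: int) -> bytes:
    """Key material must be uniformly random and never reused; the OS CSPRNG
    is the stand-in here for the 'perfect randomness' requirement."""
    return secrets.token_bytes(length)


def otp_encrypt(pad: bytes, message: bytes) -> bytes:
    """ciphertext = message XOR pad, one pad byte per message byte."""
    if len(pad) < len(message):
        raise ValueError("pad must be at least as long as the message")
    return bytes(m ^ k for m, k in zip(message, pad))


# XOR is an involution, so decryption is the same operation.
otp_decrypt = otp_encrypt


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If one pad encrypts two messages, XORing the ciphertexts cancels it:
    (m1 XOR k) XOR (m2 XOR k) = m1 XOR m2. No key is needed for this."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def crib_drag(m1_xor_m2: bytes, crib: bytes, offset: int) -> bytes:
    """Given m1 XOR m2 and a guessed fragment of one message at `offset`,
    recover the other message's bytes at the same position."""
    window = m1_xor_m2[offset:offset + len(crib)]
    return bytes(x ^ c for x, c in zip(window, crib))


if __name__ == "__main__":
    pad = generate_pad(32)
    m1, m2 = b"attack at dawn", b"retreat at dusk"   # constructed messages
    c1, c2 = otp_encrypt(pad, m1), otp_encrypt(pad, m2)  # pad reused: the mistake
    leak = two_time_pad_leak(c1, c2)
    print(crib_drag(leak, b"attack", 0))  # recovers the start of m2
```

Perfect secrecy holds for one message per pad byte; with the pad reused, the attacker never touches the key and still reads plaintext from plaintext, which is why the "careful adherence to process" requirement is not optional.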
Symmetric Key Crypto
• The same (or trivially related) key for both encryption and decryption
• Data Encryption Standard (DES)
  ▫ 56-bit key
  ▫ Feistel network, 16 rounds
  ▫ Broken in 1999: brute-force key search in 22 hours 15 minutes by EFF’s Deep Crack together with distributed.net
• Triple-DES
  ▫ Three independent 56-bit keys
  ▫ Encrypt-decrypt-encrypt (EDE)
• Advanced Encryption Standard (Rijndael)
  ▫ 128, 192 or 256-bit keys
  ▫ Substitution-permutation network
Feistel Network
• Block split into two halves; each round replaces one half with the other half XOR F(half, round key)
• DES round function F: expansion, key mixing, substitution (S-boxes), permutation
• F need not be invertible; decryption runs the same rounds with the round keys in reverse order

Substitution Permutation Network
• Substitution (S-boxes)
  ▫ Nonlinear: changing one input bit should change about half of the output bits after a few rounds (avalanche)
  ▫ Confusion: obscures the relationship between key and ciphertext
• Permutation (P-layer)
  ▫ Mixes up inputs across the whole block
  ▫ Diffusion: spreads the influence of each plaintext bit
• Round keys mixed in every round
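A toy Feistel network that makes the two points above concrete: the round function does not have to be invertible for the cipher to be, and the avalanche property only appears after several rounds. This is an added example, not code from the slides; a truncated SHA-256 stands in for real S-boxes and the key schedule is invented for the demonstration.

```python
# Added example (not from the slides): a 32-bit Feistel network whose round
# function F does key mixing and a nonlinear substitution, plus an avalanche
# measurement of the confusion/diffusion property.
import hashlib

HALF_BITS = 16
HALF_MASK = (1 << HALF_BITS) - 1
BLOCK_BITS = 2 * HALF_BITS


def round_function(half: int, subkey: int) -> int:
    """F(R, k): key mixing (XOR), then a nonlinear substitution (here a
    truncated hash standing in for S-boxes). F is not invertible, and the
    Feistel structure does not need it to be."""
    mixed = (half ^ subkey).to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(mixed).digest()[:2], "big")


def key_schedule(key: bytes, rounds: int) -> list:
    """Derive one 16-bit round key per round from the cipher key (toy schedule)."""
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:2], "big")
            for i in range(rounds)]


def feistel_encrypt(block: int, subkeys: list) -> int:
    """Split into halves; each round: L' = R, R' = L XOR F(R, k_i).
    The halves are swapped back at the end so decryption is the same network."""
    left, right = block >> HALF_BITS, block & HALF_MASK
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return (right << HALF_BITS) | left


def feistel_decrypt(block: int, subkeys: list) -> int:
    """Same network, round keys in reverse order."""
    return feistel_encrypt(block, list(reversed(subkeys)))


def avalanche(block: int, subkeys: list) -> float:
    """Flip each input bit in turn and return the average fraction of output
    bits that change; about 0.5 means good diffusion."""
    base = feistel_encrypt(block, subkeys)
    changed = 0
    for bit in range(BLOCK_BITS):
        other = feistel_encrypt(block ^ (1 << bit), subkeys)
        changed += bin(base ^ other).count("1")
    return changed / (BLOCK_BITS * BLOCK_BITS)


if __name__ == "__main__":
    sk = key_schedule(b"sixteen byte key", 16)
    ct = feistel_encrypt(0xDEADBEEF, sk)
    print(hex(ct), hex(feistel_decrypt(ct, sk)))
    print("avalanche after 1 round: ", avalanche(0x01234567, sk[:1]))
    print("avalanche after 16 rounds:", avalanche(0x01234567, sk))
```

After one round a flipped bit in the left half changes exactly one output bit, because that half passes through untouched; only after F has been applied to both halves a few times does the fraction settle near one half.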
Public Key Crypto
• Asymmetric keys
  ▫ A public key and a private key per party
• No shared secret key needed beforehand; only the private key is kept secret
• One public key can be reused by many correspondents
• Used in TLS/SSL, PGP/GPG, digital signatures
RSA
• Ron Rivest, Adi Shamir, Leonard Adleman; 1978
• Key generation
  ▫ Pick two distinct, large prime numbers: p, q
  ▫ Compute their product: n = pq
  ▫ Compute its totient: phi = (p-1)(q-1)
  ▫ Pick a public exponent e: 1 < e < phi, e and phi coprime
  ▫ Compute the private exponent d: de ≡ 1 (mod phi)
• Encryption
  ▫ Apply padding to the message first (forward padding)
  ▫ cipher = text^e (mod n), computed by exponentiation by squaring
• Decryption
  ▫ text = cipher^d (mod n) = text^(de) (mod n) = text^(1 + k·phi) (mod n) = text (mod n), by Euler’s theorem (gcd(text, n) = 1; the identity extends to all text via the CRT)
  ▫ Remove the padding (reverse padding)
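The key generation, exponentiation by squaring and encrypt/decrypt steps above, carried through in code, together with a demonstration of why the padding step is not cosmetic. This is an added example, not code from the slides; the Miller-Rabin test and the 1024-bit default size are assumptions for the demonstration (real keys are 2048 bits or more).

```python
# Added example (not from the slides): textbook RSA key generation,
# exponentiation by squaring, encryption and decryption, and why unpadded
# ("textbook") RSA is malleable.
import math
import secrets

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd prime with the top bit set, so p*q has about 2*bits bits."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def modexp(base: int, exp: int, mod: int) -> int:
    """Exponentiation by squaring: O(log exp) multiplications."""
    result, base = 1, base % mod
    while exp > 0:
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
    return result


def rsa_keygen(bits: int = 1024, e: int = 65537):
    """Returns ((n, e), (n, d)) with phi = (p-1)(q-1) and d = e^-1 mod phi."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p == q:
            continue
        phi = (p - 1) * (q - 1)
        if math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_encrypt(public_key, m: int) -> int:
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return modexp(m, e, n)


def rsa_decrypt(private_key, c: int) -> int:
    n, d = private_key
    return modexp(c, d, n)


def forge_product(public_key, c1: int, c2: int) -> int:
    """Textbook RSA is multiplicatively homomorphic: E(m1)*E(m2) = E(m1*m2 mod n).
    Anyone can build a valid ciphertext of m1*m2 without the private key;
    randomized padding (e.g. OAEP) is what destroys this structure."""
    n, _ = public_key
    return c1 * c2 % n


if __name__ == "__main__":
    pub, priv = rsa_keygen(1024)
    print(rsa_decrypt(priv, rsa_encrypt(pub, 42)))
```

Note that `modexp` here is the straightforward right-to-left binary method; it leaks the exponent through timing, which is one of the side channels listed in the cryptanalysis slide, and production implementations use constant-time ladders instead.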
Hybrid Crypto
• Diffie-Hellman key exchange establishes a shared secret, which then keys a symmetric cipher for the bulk data
• Alice and Bob agree on a finite cyclic group G (the multiplicative group of integers mod p)
  ▫ Modulus p, a prime number
  ▫ Base g, a primitive root mod p
• Alice picks a random natural number a and sends g^a mod p to Bob.
• Bob picks a random natural number b and sends g^b mod p to Alice.
• Alice computes (g^b mod p)^a mod p
• Bob computes (g^a mod p)^b mod p
• Both know g^(ab) mod p = g^(ba) mod p; an eavesdropper sees only g, p, g^a and g^b
• Caveat: the exchange alone does not authenticate the parties, so the public values must be authenticated (e.g. signed) or a man in the middle can substitute her own
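The exchange above, with the primitive-root check, the hybrid step of turning the shared secret into a symmetric key, and the man-in-the-middle failure of the unauthenticated version. This is an added example, not code from the slides. It assumes the Mersenne prime 2^61 - 1 as modulus, chosen because the factorization of p - 1 is known (which the primitive-root test needs); real deployments use standardized groups of at least 2048 bits.

```python
# Added example (not from the slides): Diffie-Hellman over Z_p^* with a
# primitive-root check, symmetric key derivation, and a man in the middle.
import hashlib
import secrets

P = (1 << 61) - 1                       # Mersenne prime, assumed for the demo
# Prime factors of p - 1 = 2 * (2^60 - 1) = 2 * 3^2 * 5^2 * 7 * 11 * 13 * 31 * 41 * 61 * 151 * 331 * 1321
P_MINUS_1_FACTORS = [2, 3, 5, 7, 11, 13, 31, 41, 61, 151, 331, 1321]


def is_primitive_root(g: int, p: int = P, factors=P_MINUS_1_FACTORS) -> bool:
    """g generates all of Z_p^* iff g^((p-1)/f) != 1 for every prime f | p-1."""
    return all(pow(g, (p - 1) // f, p) != 1 for f in factors)


def find_primitive_root(p: int = P, factors=P_MINUS_1_FACTORS) -> int:
    return next(g for g in range(2, p) if is_primitive_root(g, p, factors))


def dh_keypair(g: int, p: int = P):
    """Private exponent a in [1, p-2], public value g^a mod p."""
    a = secrets.randbelow(p - 2) + 1
    return a, pow(g, a, p)


def dh_shared_secret(private: int, peer_public: int, p: int = P) -> int:
    """(g^b)^a mod p. Reject degenerate peer values (0, 1, p-1) that would
    force the secret into a tiny subgroup regardless of the private exponent."""
    if not 1 < peer_public < p - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, p)


def derive_key(shared: int, nbytes: int = 16) -> bytes:
    """Hybrid step: hash the shared group element into a symmetric (e.g. AES) key."""
    return hashlib.sha256(shared.to_bytes(8, "big")).digest()[:nbytes]


def honest_exchange(g: int = None):
    """Alice and Bob talk directly; returns both parties' shared secrets."""
    g = g or find_primitive_root()
    a, A = dh_keypair(g)
    b, B = dh_keypair(g)
    return dh_shared_secret(a, B), dh_shared_secret(b, A)


def mitm_exchange(g: int = None):
    """Eve replaces both public values with her own E = g^e. Nothing in the
    unauthenticated protocol lets Alice or Bob notice.
    Returns (alice_secret, bob_secret, eve_with_alice, eve_with_bob)."""
    g = g or find_primitive_root()
    a, A = dh_keypair(g)
    b, B = dh_keypair(g)
    e, E = dh_keypair(g)
    return (dh_shared_secret(a, E), dh_shared_secret(b, E),
            dh_shared_secret(e, A), dh_shared_secret(e, B))


if __name__ == "__main__":
    g = find_primitive_root()
    print("generator:", g)
    ka, kb = honest_exchange(g)
    print("honest: keys match:", derive_key(ka) == derive_key(kb))
    ka, kb, ea, eb = mitm_exchange(g)
    print("MITM: Alice==Eve", ka == ea, "Bob==Eve", kb == eb, "Alice==Bob", ka == kb)
```

In the MITM run Alice and Bob each end up sharing a key with Eve rather than with each other, which is exactly the gap the "authenticated classical channel" assumption in the QKD security proofs later in the deck is closing.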
Quantum Regime: Breaking classical crypto
Peter Shor’s Factorization Algorithm
• Polynomial in log N: about O((log N)^3) gate operations with schoolbook arithmetic, O((log N)^2) up to log-log factors with fast multiplication
• Complexity class Bounded-Error Quantum Polynomial (BQP)
• Transform factoring into period finding
  ▫ Pick a random 1 < a < N coprime to N; find its order r, the smallest r with a^r ≡ 1 (mod N)
  ▫ If r is even: a^r - 1 = (a^(r/2) + 1)(a^(r/2) - 1) ≡ 0 (mod N)
  ▫ Then gcd(a^(r/2) + 1, N) and gcd(a^(r/2) - 1, N) give the factors p, q, unless a^(r/2) ≡ -1 (mod N); in that case retry with another a
• Quantum Fourier Transform finds r
  ▫ Map x-space to ω-space (frequency space)
  ▫ Measurement returns a value close to a multiple of Q/r with high probability; continued fractions recover r
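The classical reduction above, run end to end on small numbers, as an added example that is not part of the original slides. Everything in it is classical; the one step Shor's algorithm accelerates, finding the order r, is done here by brute force, which takes up to N multiplications and is therefore exponential in the size of N.

```python
# Added example (not from the slides): the classical half of Shor's algorithm,
# with brute-force order finding in place of the quantum Fourier transform.
import math
import random


def find_order(a: int, N: int) -> int:
    """Smallest r > 0 with a^r = 1 (mod N). Brute force: this is the step
    the QFT replaces with quantum period finding. Requires gcd(a, N) = 1."""
    r, x = 1, a % N
    while x != 1:
        x = x * a % N
        r += 1
    return r


def factor_from_order(a: int, r: int, N: int):
    """a^r - 1 = (a^(r/2) + 1)(a^(r/2) - 1) = 0 (mod N), so gcd of either
    bracket with N is a nontrivial divisor unless the case is degenerate."""
    if r % 2 == 1:
        return None                      # odd order: pick another a
    y = pow(a, r // 2, N)
    if y == N - 1:
        return None                      # a^(r/2) = -1 (mod N): trivial split
    f = math.gcd(y - 1, N)
    return (f, N // f)


def shor_classical(N: int, a: int = None):
    """One attempt at factoring N; returns (p, q) or None if `a` was unlucky."""
    if a is None:
        a = random.randrange(2, N)
    g = math.gcd(a, N)
    if g > 1:
        return (g, N // g)               # lucky: a already shares a factor
    return factor_from_order(a, find_order(a, N), N)


def factor(N: int, max_tries: int = 100):
    """Repeat with fresh random bases until a split appears; for N = pq
    at least half of the bases succeed."""
    for _ in range(max_tries):
        result = shor_classical(N)
        if result:
            return tuple(sorted(result))
    return None


if __name__ == "__main__":
    print(find_order(7, 15))      # 4: 7, 4, 13, 1
    print(shor_classical(15, 7))  # (3, 5): 7^2 = 4, gcd(3, 15), gcd(5, 15)
    print(factor(15), factor(21), factor(91))
```

For N = 15 every base coprime to 15 except a = 14 yields the factors, which is why the 2001 NMR experiment on the next slide could use a = 7 (order 4) and a = 11 (order 2).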
Factor 15
• In 2001 IBM demonstrated Shor’s algorithm and factored 15 into 3 and 5
• NMR implementation with 7 qubits
• Molecule: pentafluorobutadienyl cyclopentadienyldicarbonyl-iron complex (C11H5F5O2Fe)
D-Wave
• Superconducting processors
• Adiabatic quantum algorithms (quantum annealing)
• Solving Quadratic Unconstrained Binary Optimization (QUBO) problems, which are NP-hard
Quantum Regime: Future proof cryptography
Quantum Key Distribution
• Quantum communication channel
  ▫ Single photons, or entangled photon pairs
• Prepare-and-measure
  ▫ Alice prepares a state and sends it to Bob, who measures it
• Entanglement-based
  ▫ Alice and Bob each receive half of an entangled pair and measure it
Non-Orthogonal Bases
• Complementary bases
  ▫ Basis A: { |0>, |1> }
  ▫ Basis B: { |+>, |-> }
• Transmission states from different bases cannot be distinguished by a single measurement
  ▫ $|+\rangle = (|0\rangle + |1\rangle)/\sqrt{2}$
  ▫ $|-\rangle = (|0\rangle - |1\rangle)/\sqrt{2}$
  ▫ Measuring a basis-B state in basis A gives |0> or |1> with probability 1/2 each, and the state collapses to the outcome
• Random choice of encoding and decoding bases
  ▫ Bases match with probability p = 0.5
True Random Number Generation
• Quantum mechanics at or below the atomic scale
  ▫ Shot noise
  ▫ Nuclear decay
  ▫ Optics (e.g. which output of a beam splitter a photon takes)
• Thermal and other physical noise (classical sources)
  ▫ Resistor heat (Johnson noise)
  ▫ Avalanche/Zener diode breakdown noise
  ▫ Atmospheric noise
EPR
• Einstein, Podolsky, Rosen (1935)
• Entangled qubits
• Violation of Bell’s inequality rules out local hidden variables
BB84
• Charles H. Bennett, Gilles Brassard (1984)
• Single photon source, polarization encoding
• One way: Alice prepares and sends to Bob
  ▫ States encode random bits a in random bases b
• Bob measures
  ▫ Decodes in his own random bases b’
  ▫ Where b = b’ (half the time) the result is certain: a’ = a
• Measurement bases are then compared publicly (sifting)
  ▫ Throw away a, a’ wherever b != b’
E91
• Artur Ekert (1991)
• Entangled photon source
  ▫ Perfect correlation: 100% a = a’ when b = b’
  ▫ Non-locality: the correlations for the remaining basis choices violate Bell’s inequality, beyond what any local (classical) model allows
  ▫ Eve’s measurement breaks the entanglement and reduces the correlation, so the Bell test detects her
B92
• Charles H. Bennett (1992)
• Dim signal pulse plus a bright reference pulse
  ▫ Maintains phase with a single qubit transmitted
• Two non-orthogonal states $|u_0\rangle$, $|u_1\rangle$ (e.g. one from the rectilinear and one from the circular basis), one per bit value
• Bob measures with the projectors onto the complement of the other state
  ▫ $P_0 = 1 - |u_1\rangle\langle u_1|$: $\langle u_1|P_0|u_1\rangle = 0$, $\langle u_0|P_0|u_0\rangle = 1 - |\langle u_0|u_1\rangle|^2 > 0$
  ▫ $P_1 = 1 - |u_0\rangle\langle u_0|$: $\langle u_0|P_1|u_0\rangle = 0$, $\langle u_1|P_1|u_1\rangle = 1 - |\langle u_0|u_1\rangle|^2 > 0$
• A click on $P_0$ can only come from $|u_0\rangle$ and a click on $P_1$ only from $|u_1\rangle$; inconclusive (no-click) measurements are thrown away
SARG04
• Scarani, Acín, Ribordy, Gisin (2004)
• Same four states as BB84, but a different sifting rule
• Designed for attenuated laser pulses: more robust than BB84 against photon number splitting
Information Reconciliation
• 1992 Bennett, Bessette, Brassard, Salvail, Smolin; Cascade protocol (Brassard, Salvail, 1993), iterative
• Compare block parity bits over the public channel
  ▫ Parity bit = 1 if the block has an odd number of 1s, 0 if even; the block plus its parity bit always has an even count of 1s
  ▫ A parity mismatch reveals an odd number of errors in the block; binary search on sub-block parities locates one
  ▫ Every parity disclosed leaks one bit to Eve
• Two-out-of-five code
  ▫ Every transmitted symbol has two 1s and three 0s, so any single flipped bit is detectable
• Hamming codes
  ▫ Additional bits used to identify and correct errors
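One Cascade-style reconciliation pass, as an added example that is not part of the original slides. It compares block parities, locates a single error per mismatching block by binary search, counts how many parity bits were disclosed (the leakage that privacy amplification must later remove), and shows the limitation that motivates further passes over shuffled positions. The key strings are constructed.

```python
# Added example (not from the slides): Cascade-style parity reconciliation.
import random


def parity(bits) -> int:
    """Even-parity convention: 0 if the number of 1s is even, else 1."""
    return sum(bits) & 1


def locate_error(alice_block, bob_block):
    """Given a block whose parities differ (odd number of errors), halve it
    until a single position remains. Returns (index, parities_disclosed)."""
    lo, hi, disclosed = 0, len(alice_block), 0
    while hi - lo > 1:
        mid = (lo + hi) // 2
        disclosed += 1
        if parity(alice_block[lo:mid]) != parity(bob_block[lo:mid]):
            hi = mid
        else:
            lo = mid
    return lo, disclosed


def cascade_pass(alice, bob, block_size):
    """Compare parities block by block and fix one error in each mismatching
    block. Returns (corrected_bob, parities_disclosed). A block holding an
    even number of errors passes the parity check and keeps them; that is
    why later passes work on shuffled positions."""
    bob = list(bob)
    disclosed = 0
    for start in range(0, len(alice), block_size):
        end = min(start + block_size, len(alice))
        disclosed += 1
        if parity(alice[start:end]) != parity(bob[start:end]):
            idx, extra = locate_error(alice[start:end], bob[start:end])
            bob[start + idx] ^= 1
            disclosed += extra
    return bob, disclosed


def cascade(alice, bob, block_size, passes=4, seed=0):
    """Several passes; each pass after the first works on a random permutation
    of the positions so errors that shared a block get separated. The
    permutation seed is public (both sides must agree on it)."""
    rng = random.Random(seed)
    bob = list(bob)
    total = 0
    order = list(range(len(alice)))
    for p in range(passes):
        if p:
            rng.shuffle(order)
        a_perm = [alice[i] for i in order]
        b_perm = [bob[i] for i in order]
        b_fixed, disclosed = cascade_pass(a_perm, b_perm, block_size)
        for pos, val in zip(order, b_fixed):
            bob[pos] = val
        total += disclosed
    return bob, total


def hamming(x, y) -> int:
    return sum(a != b for a, b in zip(x, y))


if __name__ == "__main__":
    alice = [int(b) for b in format(0x9E3779B97F4A7C15, "064b")]  # constructed key
    bob = list(alice)
    bob[5] ^= 1
    bob[40] ^= 1                       # two errors in different blocks
    fixed, leaked = cascade_pass(alice, bob, 8)
    print("errors left:", hamming(fixed, alice), "parities disclosed:", leaked)
```

The disclosed count is what makes the later privacy amplification step necessary: each parity sent in the clear is a linear function of the key that Eve also learns.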
Privacy Amplification
• Shortens the key to remove the information Eve may have gathered
• Universal hash function family
  ▫ Range of size r
  ▫ Collision probability p ≤ 1/r for any two distinct inputs
Quantum Regime: Attacks
Intercept and Resend
• Eve measures each qubit in a random basis b’’
  ▫ 50% probability that she chose the preparation basis and reads a correctly
• Eve sends her result a’’ on to Bob, prepared in b’’
  ▫ Over the sifted bits, Bob’s value is wrong with probability 25% (Eve picked the wrong basis, then Bob’s outcome is random)
• Probability of detection when Alice and Bob compare n sifted bits
  ▫ P = 1 - (0.75)^n
  ▫ ≈ 99% for n = 16 bits
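A classical simulation of the BB84 session described earlier (prepare, measure, sift) and of the intercept-and-resend attack just described, as an added example that is not part of the original slides. A qubit is modelled as (bit, basis): measuring in the preparation basis returns the bit, measuring in the other basis returns a uniformly random bit and collapses the state, which is all the non-orthogonality property needs here. The randomness comes from the OS CSPRNG; no photons are involved.

```python
# Added example (not from the slides): BB84 prepare/measure/sift and the
# intercept-and-resend attack, simulated classically.
import secrets

RECTILINEAR, DIAGONAL = 0, 1       # basis A {|0>,|1>} and basis B {|+>,|->}


def random_bits(n: int) -> list:
    return [secrets.randbits(1) for _ in range(n)]


def prepare(bit: int, basis: int) -> tuple:
    """Encode a classical bit as a polarization state in the chosen basis."""
    return (bit, basis)


def measure(qubit: tuple, basis: int) -> int:
    """Same basis: deterministic. Other basis: 50/50 outcome, |<+|0>|^2 = 1/2."""
    bit, prep_basis = qubit
    return bit if basis == prep_basis else secrets.randbits(1)


def intercept_resend(qubits: list) -> list:
    """Eve measures each qubit in a random basis b'' and resends her result
    a'' prepared in that same basis; she cannot copy the original state."""
    resent = []
    for q in qubits:
        eve_basis = secrets.randbits(1)
        resent.append(prepare(measure(q, eve_basis), eve_basis))
    return resent


def bb84(n: int, eavesdrop: bool = False):
    """Run one BB84 session. Returns the sifted strings (alice_key, bob_key)."""
    a, b = random_bits(n), random_bits(n)              # Alice's bits and bases
    qubits = [prepare(bit, basis) for bit, basis in zip(a, b)]
    if eavesdrop:
        qubits = intercept_resend(qubits)
    b_prime = random_bits(n)                           # Bob's bases
    a_prime = [measure(q, basis) for q, basis in zip(qubits, b_prime)]
    # Sifting: bases are announced on the public channel; keep only matches.
    keep = [i for i in range(n) if b[i] == b_prime[i]]
    return [a[i] for i in keep], [a_prime[i] for i in keep]


def qber(alice_key: list, bob_key: list) -> float:
    """Quantum bit error rate over the sifted key (in practice estimated on
    a disclosed sample, which is then discarded)."""
    errors = sum(x != y for x, y in zip(alice_key, bob_key))
    return errors / len(alice_key)


def detection_probability(n_sampled: int) -> float:
    """Each sampled sifted bit is wrong with probability 1/4 under
    intercept-and-resend, so P(detect) = 1 - (3/4)^n."""
    return 1 - 0.75 ** n_sampled


if __name__ == "__main__":
    ka, kb = bb84(4000)
    print("no Eve: sifted", len(ka), "QBER", qber(ka, kb))
    ka, kb = bb84(4000, eavesdrop=True)
    print("Eve:    sifted", len(ka), "QBER", round(qber(ka, kb), 3))
    print("P(detect) with 16 sampled bits:", round(detection_probability(16), 4))
```

Without Eve the sifted strings agree exactly; with her in the line about a quarter of the sifted bits disagree, which is far above any tolerated channel error rate and is what the comparison of a sample of sifted bits is there to catch.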
Security Proofs
• BB84 is proven unconditionally secure against an adversary with unlimited resources, provided that:
  ▫ Eve cannot access Alice’s and Bob’s encoding and decoding devices
  ▫ The random number generators used by Alice and Bob are trusted and truly random
  ▫ The classical communication channel is authenticated using an unconditionally secure authentication scheme
Man in the Middle
• Senders and recipients are indistinguishable on public channels
• Eve could pose as Bob
  ▫ Receiving some large portion of messages
  ▫ Responding promptly, at least before Bob
• Defence: Wegman-Carter authentication of the classical channel
  ▫ Alice and Bob share a short secret key in advance; QKD then expands it
Photon Number Splitting
• No true single photon sources in practice; attenuated laser pulses are used instead
  ▫ Small mean number of photons per pulse, e.g. 0.1; some pulses still carry more than one
• If > 1 photon is present, Eve can split off one photon and pass the rest to Bob; this introduces no errors, so reconciliation does not reveal it
• A secure key is still possible, but requires additional privacy amplification
Hacking
• Gain access to the security equipment
  ▫ Foil random number generation
  ▫ Plant a Trojan horse
• Faked state attack
  ▫ Eve exploits Bob’s actively quenched detector modules to control which detector fires
• Phase remapping attack
  ▫ Move the states from { |0>, |1>, |+>, |-> } to { |0>, |δ/2>, |δ>, |3δ/2> }
• Time-shift attack
  ▫ Demonstrated to gather ~4% mutual information from the idQuantique ID-500 QKD system
Denial of Service
• Stop Alice and Bob from communicating
  ▫ Via the classical channel(s)
  ▫ Via the quantum channel(s)
• Physically block transmissions
• Introduce a large volume of errors, so that the key is aborted
Quantum Regime: Commercially available devices
MagiQ – QPN 8505
• “Any sufficiently advanced technology is indistinguishable from magic.” – Arthur C. Clarke
• Transmits qubit polarization over optical fiber
• 256-bit AES; 1,000 keys per second
• 140 km range, more with repeaters
idQuantique – Cerberis, Centauris
• Transmits qubit phase over optical fiber
• High speed layer 2 encryption
• 256-bit AES; 12 keys per minute; 100 km range
SmartQuantum – KeyGen, Defender
• Generate and distribute secret keys over the quantum channel
• Use classical encryption and communication for the data
Quintessence Labs
• G2 QKD
• Continuous-variable QKD using bright laser beams
  ▫ Cheaper than single photon sources (SPS)
• Dense wavelength division multiplexing
  ▫ Erbium doped fiber amplifiers, ~1550 nm
BBN Technologies
• DARPA QNet
  ▫ Fully operational October 23, 2003
  ▫ Harvard University, Boston University, BBN Technologies
• QKD
  ▫ Weak coherent pulses
  ▫ 5 MHz pulse rate
  ▫ 0.1 mean photons per pulse
John Krah, University of Washington, Physics Department