Attacking the ECDLP with Quantum Computing
Sam Green and Can Kizilkale
December 7, 2015
CS 290g Fall Term 2015
Table of contents
1. Motivation for this talk
   August 2015 NSA announcement
   Quantum computing in Fall 2015 news
2. Review of ECDLP
3. Classical ECDLP attacks
4. Intro to quantum computing
   What is a qubit?
   Bloch sphere
   Multiple bits
   Entanglement
   Quantum gates
   Example: Deutsch's algorithm
5. Quantum ECDLP attacks
   Applying quantum to ECDLP
   Shor's algorithm
   Algorithm comparisons
Motivation for this talk
August 2015 NSA announcement
"Currently, Suite B cryptographic algorithms are specified by the National Institute of Standards and Technology (NIST) and are used by NSA's Information Assurance Directorate in solutions approved for protecting classified and unclassified National Security Systems (NSS). Below, we announce preliminary plans for transitioning to quantum resistant algorithms." [0]
Quantum computing in Fall 2015 news
Hype:
"A 'watershed announcement' from Google regarding quantum computers is expected to be made on 8 December, according to a board member of the quantum computing firm D-Wave." [1]
"Intel to Invest $50 Million in Quantum Computers" [2]
"LANL Orders 1000+ Qubit D-Wave 2X [adiabatic] Quantum Computer" [3]

"...nearly 20 qubits have been juxtaposed in a single quantum register. However, scaling this or any other type of qubit to much larger numbers while still contained in a single register will become increasingly difficult, as the connections will become too numerous to be reliable." [4]
Review of ECDLP
Let $E$ be an elliptic curve over $\mathbb{F}_p$ given by the Weierstrass equation
$$E : y^2 \equiv x^3 + ax + b \pmod{p}.$$
And let points $S$ and $T$ be in $E(\mathbb{F}_p)$. The ECDLP is to find $k$ (assuming it exists) such that
$$k \equiv \log_T S \pmod{p} \quad \text{or} \quad S \equiv [k]T \pmod{p}.$$
Classical ECDLP attacks
Exhaustive search: $O(n)$
Pollard $\rho$: $O(\sqrt{p})$, where $p$ is the largest prime divisor of $n$
Pohlig-Hellman: $O(\sqrt{p})$, where $p$ is the largest prime divisor of $n$
Index-calculus (only sub-exponential attack): $L_p[\frac{1}{3}, 1.923]$
Reference: [7]
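An added example (not from the slides) that carries the definition $S = [k]T$ and two of the attacks listed above, exhaustive search and Pollard $\rho$, through on a toy curve. The curve $y^2 = x^3 + 2x + 2$ over $\mathbb{F}_{17}$, the base point $T = (5, 1)$ of order 19, and all function names are assumptions chosen for illustration.

```python
# Constructed toy parameters (not from the slides): y^2 = x^3 + 2x + 2 over F_17,
# base point T of prime order N = 19. None stands for the point at infinity.
P, A, N, T = 17, 2, 19, (5, 1)

def add(p1, p2):
    """Group law on E(F_P): handles infinity, inverse points and doubling."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1 + A, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add: returns [k]pt."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def exhaustive(S):  # O(n) attack: test k = 0, 1, 2, ... until [k]T == S
    return next((k for k in range(N) if mul(k, T) == S), None)

def step(X, a, b, S):
    """One walk step that preserves the invariant X = [a]T + [b]S."""
    cls = 0 if X is None else X[0] % 3
    if cls == 0:
        return add(X, T), (a + 1) % N, b
    if cls == 1:
        return add(X, X), 2 * a % N, 2 * b % N
    return add(X, S), a, (b + 1) % N

def pollard_rho(S):
    """Floyd cycle detection on the walk, ~sqrt(N) steps; None if every start fails."""
    for a0 in range(1, N):                  # restart if the collision is useless
        slow = fast = (mul(a0, T), a0, 0)
        while True:
            slow = step(*slow, S)
            fast = step(*step(*fast, S), S)
            if slow[0] == fast[0]:
                break
        db = (fast[2] - slow[2]) % N
        if db:                              # a1 + k*b1 = a2 + k*b2 (mod N)
            return (slow[1] - fast[1]) * pow(db, -1, N) % N
```

At this size both searches finish instantly; what differs is the step count, which grows like $n$ for the first and like $\sqrt{n}$ for the second, and that growth is what fixes the group sizes used in practice.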
Intro to quantum computing
What is a qubit?
A classical bit only takes the value 1 or 0.
Qubit: a 2-dimensional complex vector, so each qubit $\in \mathbb{C}^2$.
There are 2 basis vectors $|0\rangle$, $|1\rangle$ which are orthogonal to each other: $|0\rangle = (0, 1)^T$, $|1\rangle = (1, 0)^T$.
Each qubit is represented as a superposition of these. That is, $|\phi\rangle = \alpha|0\rangle + \beta|1\rangle$, where $|\alpha|^2 + |\beta|^2 = 1$.
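Visualizing superposition
[Figure: pictured register states labelled $|1\rangle$, $|0\rangle$, $|0101\rangle \Leftrightarrow |5\rangle$, and $|4\rangle + |5\rangle$. Image credit: Wikipedia]
Qubits can be in a superposition of all the classically allowed states.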
Bloch sphere
To represent a qubit in 3D space, we use a Bloch sphere:
$$|\psi\rangle = \cos\left(\frac{\theta}{2}\right)|0\rangle + \sin\left(\frac{\theta}{2}\right)e^{i\phi}|1\rangle$$
[Figure: Bloch sphere. Image credit: Wikipedia]
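Measurement
What are we measuring? For a standard qubit $\alpha|0\rangle + \beta|1\rangle$, measurement gives $|\alpha|^2$, $|\beta|^2$. The phase-shift information ($e^{i\phi}$) is lost.
By changing the basis with a unitary transformation, we capture phase-shift information:
$$|+\rangle = \frac{|0\rangle}{\sqrt{2}} + \frac{|1\rangle}{\sqrt{2}}, \qquad |-\rangle = \frac{|0\rangle}{\sqrt{2}} - \frac{|1\rangle}{\sqrt{2}}.$$
$$\frac{|0\rangle}{\sqrt{2}} + \frac{e^{i\theta}|1\rangle}{\sqrt{2}} \to \frac{1 + e^{i\theta}}{\sqrt{2}}|+\rangle + \frac{1 - e^{i\theta}}{\sqrt{2}}|-\rangle$$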
Multiple bits
Multiple bits in one register
Every sequence of bits will be mapped into an orthogonal state in a register. For example, when we have two qubits, the state of the register will be a superposition of $|00\rangle$, $|01\rangle$, $|10\rangle$, and $|11\rangle$.
$$\text{Register} = \alpha_1|00\rangle + \alpha_2|01\rangle + \alpha_3|10\rangle + \alpha_4|11\rangle$$
Entanglement
Can the state of the register be written as the multiplication of multiple qubits? Yes, this is quantum entanglement.
No entanglement example:
$$(a_1|0\rangle + b_1|1\rangle)(a_2|0\rangle + b_2|1\rangle) = a_1a_2|00\rangle + a_1b_2|01\rangle + b_1a_2|10\rangle + b_1b_2|11\rangle.$$
We measure the first bit. If it is $|0\rangle$ or $|1\rangle$ then the second bit is always $a_2|0\rangle + b_2|1\rangle$.
Entanglement example:
$$\frac{1}{2}|00\rangle + \frac{\sqrt{3}}{2\sqrt{2}}|10\rangle + \frac{\sqrt{3}}{2\sqrt{2}}|11\rangle.$$
We measure the first bit. If it is $|0\rangle$ then the second bit is always $|0\rangle$. If it is $|1\rangle$ the second bit is $\frac{1}{\sqrt{2}}|0\rangle + \frac{1}{\sqrt{2}}|1\rangle$.
Quantum gates
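$$\text{NOT-gate} = \text{Pauli-X} = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}$$
Corresponds to the rotation of a point on the Bloch sphere by $\pi$ radians around the x-axis.
Also
$$\text{Pauli-Y} = \begin{pmatrix} 0 & -i \\ i & 0 \end{pmatrix}, \quad \text{and} \quad \text{Pauli-Z} = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}.$$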
Hadamard gate
$$H = \frac{1}{\sqrt{2}}\begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}$$
Acts on a single qubit. Allows transformation of both $|0\rangle$ and $|1\rangle$ into states with equal probabilities.
Phase-shift gate
$$\Theta = \begin{pmatrix} 1 & 0 \\ 0 & e^{i\theta} \end{pmatrix}$$
Maps $|0\rangle$ to $|0\rangle$
Maps $|1\rangle$ to $e^{i\theta}|1\rangle$
Example: Deutsch’s algorithm
Solves contrived problem: Given $f : \{0, 1\} \to \{0, 1\}$, determine if $f(0) = f(1)$.
Need one more concept:
$$U_f(|x\rangle|y\rangle) = |x\rangle|y \oplus f(x)\rangle$$
$U_f$ is a device whose inputs and outputs can be known, but there is no information about its internal structure.
[Figure: image credit: [5]]
Deutsch’s algorithm
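1. Take two qubits, in states $|0\rangle$ and $|1\rangle$. Then $|\phi_0\rangle = |0, 1\rangle$.
2. Apply Hadamard gate to both qubits to put them in a superposition of states. The state is now
$$|\phi_2\rangle = \frac{|0\rangle + |1\rangle}{\sqrt{2}} \cdot \frac{|0\rangle - |1\rangle}{\sqrt{2}} = \frac{|0,0\rangle - |0,1\rangle + |1,0\rangle - |1,1\rangle}{2}.$$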
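3. Apply $U_f$ to get
$$\begin{aligned}
|\phi_2\rangle &= U_f\left(\frac{|0,0\rangle - |0,1\rangle + |1,0\rangle - |1,1\rangle}{2}\right) \\
&= \frac{|0, 0 \oplus f(0)\rangle - |0, 1 \oplus f(0)\rangle + |1, 0 \oplus f(1)\rangle - |1, 1 \oplus f(1)\rangle}{2} \\
&= \frac{|0, f(0)\rangle - |0, \overline{f(0)}\rangle + |1, f(1)\rangle - |1, \overline{f(1)}\rangle}{2} \\
&= \left[\frac{(-1)^{f(0)}|0\rangle + (-1)^{f(1)}|1\rangle}{\sqrt{2}}\right]\left[\frac{|0\rangle - |1\rangle}{\sqrt{2}}\right] \\
&= \begin{cases}
(\pm)\,\dfrac{|0\rangle + |1\rangle}{\sqrt{2}} \cdot \dfrac{|0\rangle - |1\rangle}{\sqrt{2}} & \text{if } f \text{ is constant,} \\[2ex]
(\pm)\,\dfrac{|0\rangle - |1\rangle}{\sqrt{2}} \cdot \dfrac{|0\rangle - |1\rangle}{\sqrt{2}} & \text{if } f \text{ is balanced.}
\end{cases}
\end{aligned}$$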
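4. Apply Hadamard gate
$$|\phi_3\rangle = \begin{cases}
(\pm)\,|0\rangle\,\dfrac{|0\rangle - |1\rangle}{\sqrt{2}} & \text{if } f \text{ is constant,} \\[2ex]
(\pm)\,|1\rangle\,\dfrac{|0\rangle - |1\rangle}{\sqrt{2}} & \text{if } f \text{ is balanced.}
\end{cases}$$
5. Measure the state of the first qubit. The measured result gives the solution of the initial problem.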
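The five steps above, simulated on a 4-amplitude state vector as an added example (not from the slides). The amplitude ordering (index $2x + y$ holds the amplitude of $|x, y\rangle$, so $|0\rangle$ is the first component of a single-qubit vector) and the helper names are assumptions of this example.

```python
from math import sqrt

S2 = 1 / sqrt(2)
H = [[S2, S2], [S2, -S2]]       # Hadamard gate
I2 = [[1, 0], [0, 1]]           # identity on one qubit

def kron(a, b):
    """Tensor product of two 2x2 gates: a 4x4 gate acting on |x, y>."""
    return [[a[i][k] * b[j][l] for k in range(2) for l in range(2)]
            for i in range(2) for j in range(2)]

def apply(gate, state):
    """Matrix-vector product: the state after the gate."""
    return [sum(g * s for g, s in zip(row, state)) for row in gate]

def oracle(f):
    """U_f |x>|y> = |x>|y XOR f(x)>, written as a 4x4 permutation matrix."""
    u = [[0] * 4 for _ in range(4)]
    for x in range(2):
        for y in range(2):
            u[2 * x + (y ^ f(x))][2 * x + y] = 1
    return u

def deutsch(f):
    """Run steps 1-5 with a single oracle call.

    Returns (first-qubit outcome, probability of that outcome).
    """
    state = [0, 1, 0, 0]                  # step 1: |0, 1>
    state = apply(kron(H, H), state)      # step 2: Hadamard on both qubits
    state = apply(oracle(f), state)       # step 3: U_f
    state = apply(kron(H, I2), state)     # step 4: Hadamard on the first qubit
    # Step 5: amplitudes are real here, so |amp|^2 is amp ** 2.
    p_one = state[2] ** 2 + state[3] ** 2
    return (1, p_one) if p_one > 0.5 else (0, 1 - p_one)

def classify(f):
    """Outcome 0 means f(0) = f(1) (constant); outcome 1 means balanced."""
    return "balanced" if deutsch(f)[0] == 1 else "constant"
```

The outcome is deterministic for all four possible functions, which is the point of the algorithm: one oracle call where a classical procedure needs two evaluations of $f$.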
Quantum ECDLP attacks
Applying quantum to ECDLP
[Figure: image credit: [6]]
Shor’s algorithm
Shor’s algorithm introduction
Given a natural number $N$, find its nontrivial factors. The best classical factoring algorithm requires
$$O\left(e^{1.9 (\log N)^{1/3} (\log \log N)^{2/3}}\right).$$
And Shor's factoring algorithm [8] is only $O(\log N^3)$.
Shor’s algorithm circuit
image credit: [5]
Shor’s algorithm [5]
Algorithm comparisons
Quantum algorithm comparisons [6]
Eicher-Opoku: $O(n \log n + n\sqrt{p})$
Proos-Zalka: $O(\sqrt{n})$
Kaye-Zalka: $O(\sqrt{n})$
Algorithm comparisons [6]
Conclusion
Questions?
References
[0] https://www.nsa.gov/ia/programs/suiteb_cryptography/
[1] http://www.ibtimes.co.uk/google-plans-watershed-quantum-computing-announcement-december-1528915
[2] http://www.wsj.com/articles/intel-to-invest-50-million-in-quantum-computers-1441307006
[3] http://www.hpcwire.com/off-the-wire/lanl-orders-1000-qubit-d-wave-2x-quantum-computer/
[4] http://jqi.umd.edu/news/how-do-you-build-large-scale-quantum-computer
[5] M. Kranjcevic, F. Kirsek, and P. Kunstek. Quantum Computing. White paper.
[6] S. Yan. Quantum Attacks on Public-Key Crypto Systems. Springer, 2013.
[7] D. Hankerson, A. Menezes, S. Vanstone. Guide to Elliptic Curve Cryptography. Springer, 2003.
[8] Peter Williston Shor (1959.-), American mathematician.