Grover Search and Its Cryptographic Applications
Henry Corrigan-Gibbs
Qualifying Exam Talk, 21 November 2016
Quantum Computing and Crypto
Large-scale quantum computers could exist in our lifetimes. Quantum computers can break today’s crypto primitives!

                      Examples          Outcome
  Public-key          RSA, DH, ECDH     Broken (Shor)
  Modes of operation  GCM, CBC-MAC      Broken* (Simon)
  Block ciphers       AES, DES          Attacks improve (Grover)
  Hash functions      SHA2              Attacks improve* (Grover)
  Password hashing    PBKDF2, scrypt    Broken* (Grover)

[Slide callouts: “This talk”; “You heard it here first!”]
⇒ To design good post-quantum cryptosystems, we need to understand post-quantum cryptanalysis.
2/40
Overview
◮ Motivation
◮ Background
  – Analogy: Probabilistic Computation
  – Quantum Computation
  – Useful Tools
◮ Grover’s Algorithm
◮ Applications
◮ Conclusion
Warm up: Probabilistic Computation
(Following the treatment of Arora and Barak.)
By analogy to probabilistic computation. . . An example computation.
- 1. Initialize a two-bit register with input.
- 2. Swap the two bits with probability 1/2.
- 3. Output the register state.
[Circuit: wires x1, x0 → RSwap → Measure]

  Input → Output
  00    → 00
  01    → 01 or 10
  10    → 10 or 01
  11    → 11
4/40
Warm up: State of Probabilistic Machine
◮ We can describe the distribution over register states (00, 01, 10, 11) with a vector in R^4.
◮ Reading the contents of the register gives a sample from this distribution.

  R^4 ∋ (α00, α01, α10, α11)^T, where α00 = Prob. of “00”, α01 = Prob. of “01”, α10 = Prob. of “10”, α11 = Prob. of “11”.

Every possible state is a linear combination of basis states:
  |00⟩ = (1, 0, 0, 0)^T,  |01⟩ = (0, 1, 0, 0)^T,  |10⟩ = (0, 0, 1, 0)^T,  |11⟩ = (0, 0, 0, 1)^T.
N.B. |0⟩|1⟩ = |01⟩.
[Slide callout: Dirac’s very useful “ket” notation]
5/40
Warm up: Probabilistic Operations
We can use a stochastic matrix to describe the action of the swap gate on the register state (rows and columns ordered 00, 01, 10, 11):

  S = [ 1    0    0    0 ]
      [ 0   1/2  1/2   0 ]
      [ 0   1/2  1/2   0 ]
      [ 0    0    0    1 ]

  S|00⟩ → |00⟩                 S|01⟩ → ½(|01⟩ + |10⟩)
  S|10⟩ → ½(|01⟩ + |10⟩)       S|11⟩ → |11⟩
⇒ Computation is just a matrix-vector product.
6/40
Probabilistic Computation
Register state: a vector in R^(2^n).
Probabilistic Computation
- 1. Initialize the register to |x⟩, on input x ∈ {0, 1}^n.
- 2. Run the computation by computing a matrix-vector product F_T · · · F_3 F_2 F_1 |x⟩ (i.e., apply the circuit to the register).
- 3. Measure the register.
If the output of the computation is Σ_y α_y |y⟩, we will measure y with probability α_y.
We require that the F_i’s:
◮ come from a fixed set of universal gates (AND, OR, etc.),
◮ preserve the L1 norm (i.e., are stochastic matrices). [Probabilities sum to one.]
7/40
Quantum Computation
Register state: a vector in C^(2^n). (A “superposition”)
Quantum Computation
- 1. Initialize the register to |x⟩, on input x ∈ {0, 1}^n.
- 2. Run the computation by computing a matrix-vector product F_T · · · F_3 F_2 F_1 |x⟩ (i.e., apply the circuit to the register).
- 3. Measure the register.
If the output of the computation is Σ_y α_y |y⟩, we will measure y with probability |α_y|^2, where α_y is an “amplitude.”
We require that the F_i’s:
◮ come from a fixed set of universal gates (H, T, etc.),
◮ preserve the L2 norm (i.e., are unitary matrices). [Probabilities sum to one.]
8/40
Example: Quantum Circuit
[Figure: a four-qubit circuit on wires x3, x2, x1, x0; gates F1, F2, F3 are applied in sequence, then the register is measured.]
9/40
Observations about QC
- 1. Gates must represent unitary transformations (UU† = I), so all computation must be reversible.
- 2. Amplitudes can be negative, unlike probabilities.
  – This is the source of QC’s apparent power.
10/40
Useful Tool: Hadamard Gate
Definition. The Hadamard gate H is the quantum analogue of a classical bit-flip:
  H = (1/√2) [ 1   1 ]
             [ 1  −1 ]
  H|0⟩ → (|0⟩ + |1⟩)/√2
The operator H^⊗n applies H to each of n qubits.
11/40
Useful Tool: Quantum Queries
Fact (Lecerf 1963, Bennett 1973). If f : {0, 1}^n → {0, 1} is computable with a T(n)-size classical circuit, then there is a size-O(T(n)) quantum circuit that maps |x⟩|y⟩ → |x⟩|y ⊕ f(x)⟩, possibly using O(T(n)) extra “work” bits.
Can make quantum queries to a classical function!
There is also a quantum circuit Q_f of similar size that takes |x⟩ → (−1)^f(x) |x⟩. This essentially changes the sign of “good” xs in a superposition.
12/40
Overview
◮ Motivation
◮ Background
◮ Grover’s Algorithm
  – Unstructured Search
  – The Algorithm
  – Lower Bound
◮ Applications
◮ Conclusion
Definition (Unstructured Search Problem). Given oracle access to a function f : [N] → {0, 1}, find a value x ∈ [N] such that f(x) = 1.
Many cool applications discussed in a moment.
A few interesting variants:
◮ Unique solution,
◮ Exactly s solutions,
◮ Unknown # of solutions.
Fact. A classical algorithm for unstructured search that succeeds with constant probability must make Ω(N) queries.
14/40
Theorem (Grover 1996). There is a quantum algorithm for unstructured search that makes O(√N) quantum queries and succeeds with probability at least 2/3.
15/40
Grover’s Algorithm
Let f : {0, 1}^n → {0, 1} and let N = 2^n.
◮ Oracle: operator Q_f that maps |x⟩ → (−1)^f(x) |x⟩.
◮ We can define an operator Q_0 that inverts the sign of |0^n⟩.
◮ H^⊗n is the quantum n-bit flip operator.
The Algorithm.
- 1. Initialize an n-bit register to the state H^⊗n |0^n⟩.
- 2. Apply the following operator O(√N) times: G = −H^⊗n Q_0 H^⊗n Q_f.
- 3. Measure the state of the register and output it.
16/40
Analysis of Grover’s Algorithm
(Following expositions of Watrous and Jozsa)
Define: A = {x | f(x) = 1} (“awesome strings”) with a = |A|, and B = {x | f(x) = 0} (“bad strings”), with b = |B|.
Define: |A⟩ = (1/√a) Σ_{x∈A} |x⟩, and |B⟩ = (1/√b) Σ_{x∈B} |x⟩. [Orthogonal unit vectors]
After initialization, the register is in the uniform superposition over strings:
  H^⊗n |0^n⟩ = |h⟩ = (1/√N) Σ_x |x⟩ = √(a/N) |A⟩ + √(b/N) |B⟩
                                      (Awesome)     (Bad)
17/40
Analysis of Grover’s Algorithm
G = −H^⊗n Q_0 H^⊗n Q_f
[Figure: the plane spanned by |B⟩ (horizontal) and |A⟩ (vertical), with the initial state |h⟩; successive frames show the action of G on the register state.]
Claim: H^⊗n Q_0 H^⊗n reflects over the plane orthogonal to |h⟩.
18/40
Analysis of Grover’s Algorithm
G = −H^⊗n Q_0 H^⊗n Q_f
[Figure: the |B⟩/|A⟩ plane. The initial state |h⟩ makes angle θ with |B⟩; each application of G rotates the register state by a further 2θ towards |A⟩.] And so on. . .
Where θ = sin^−1(√(a/N)) ≈ √(a/N).
19/40
Analysis of Grover’s Algorithm
After t Grover iterations, the angle between the register state and |B⟩ is ≈ 2θt. We want the bad state |B⟩ and the register state to be orthogonal: 2θt = π/2.

  Num. Solutions   Iterations
  1                (π/4) · √N
  a                (π/4) · √(N/a)
  Unknown          t ←R {1, . . . , √N}

One query per iteration ⇒ O(√N) queries.
20/40
Lower Bound
Definition (Decision Grover Problem). Given oracle access to f : [N] → {0, 1}, decide whether there exists an x such that f(x) = 1 with probability better than 2/3.
Theorem (Bennett, Bernstein, Brassard, Vazirani 1997). For every quantum algorithm that makes o(√N) queries to f, there exists an f for which the algorithm fails to solve the Decision Grover Problem.
21/40
Thm. For every quantum algorithm that makes o(√N) queries to f, there exists an f for which the algorithm fails to solve the DGP.
Proof Idea. Fix a T-query quantum algorithm:
  Q_f U_T Q_f · · · Q_f U_3 Q_f U_2 Q_f U_1 |0^n⟩
If f is zero everywhere, Q_f = I. Interpolate between the non-zero case and the all-zero case. . .
  |φ_x*⟩ = Q_f U_T Q_f · · · Q_f U_3 Q_f U_2 Q_f U_1 |0^n⟩
           Q_f U_T Q_f · · · Q_f U_3 Q_f U_2 U_1 |0^n⟩
           Q_f U_T Q_f · · · Q_f U_3 U_2 U_1 |0^n⟩
           Q_f U_T Q_f · · · U_3 U_2 U_1 |0^n⟩
           . . .
  |φ⟩    = U_T · · · U_3 U_2 U_1 |0^n⟩
22/40
Proof Idea (cont’d).
  Σ_x α_{x,t} |x⟩ = state before t-th query;  x* = the “target” value.
◮ With each query, the Euclidean distance between the two states can grow by at most 2|α_{x*,t}|.
◮ To distinguish, the distance after T queries needs to be at least a constant ε, so: ε ≤ 2 Σ_{t=1}^{T} |α_{x*,t}|.
◮ To complete the proof, sum over all N possible x*s:
  εN ≤ 2 Σ_{t=1}^{T} Σ_{x*=1}^{N} |α_{x*,t}| ≤ 2 Σ_{t=1}^{T} √N · √(Σ_{x*=1}^{N} |α_{x*,t}|^2) ≤ 2T√N
  ⇒ (ε/2) √N ≤ T.
23/40
Overview
◮ Motivation
◮ Background
◮ Grover’s Algorithm
◮ Applications
  – Breaking Block Ciphers
  – Collision Finding
  – Password Cracking
◮ Conclusion
Breaking Block Ciphers
For this talk, a block cipher is an efficient deterministic function: E : K × {0, 1}^n → {0, 1}^n.
A necessary (not sufficient) security property is that, for k ←R K, an adversary given E(k, “0”), E(k, “1”), E(k, “2”) cannot recover k faster than a brute-force search of the key-space.
Viewing E(·, ·) as an oracle, an adversary making q queries should succeed with probability at most ≈ q/|K|.
25/40
Breaking Block Ciphers
Grover search recovers the key in time O(√|K|).
Attack Using Grover
- 1. Attacker receives challenge c = (c0, c1, c2).
- 2. Define a function f_c : K → {0, 1} as:
     f_c(k) def= [ (E(k, “0”), E(k, “1”), E(k, “2”)) = (c0, c1, c2) ]   (1 if the equality holds, 0 otherwise).
- 3. Run Grover’s algorithm on f_c.
- 4. In O(√|K|) iterations, Grover returns k w.h.p.
Attacking AES-128
  Special-purpose classical attack: 2^126.1 (Bogdanov et al. 2011)
  Generic quantum attack: 2^64. !!!
26/40
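Added example, not part of the slides: a pure-Python state-vector simulation of the algorithm from the “Grover’s Algorithm” and “Analysis” slides (oracle Q_f, the diffusion step −H^⊗n Q_0 H^⊗n, the iteration count from the “Num. Solutions” table), then run against the key-recovery oracle f_c of the “Attack Using Grover” slide. The toy cipher, its S-box seed, the 8-bit key size and every function name are assumptions of this example; the cipher is a deliberately insecure one-round construction chosen only so that the 2^8 keys fit in a simulated state vector and exactly one key matches the challenge.

```python
"""Added example (not from the talk): classical state-vector simulation of
Grover's algorithm in the slides' notation, then applied to the key-recovery
oracle f_c from the "Attack Using Grover" slide.  Assumptions of this example:
the toy cipher, its S-box seed, the 8-bit key size and all function names are
constructed here.  Simulating the state vector costs O(N) per step, so this
gives no speedup; it only checks the analysis on small instances."""
import math
import random
from typing import Callable, List, Tuple

Oracle = Callable[[int], int]  # f : [N] -> {0, 1}


def grover_iterations(n_bits: int, num_solutions: int) -> int:
    """Iteration count from the slides' table: floor(pi/4 * sqrt(N/a))."""
    big_n = 2 ** n_bits
    return int(math.floor(math.pi / 4 * math.sqrt(big_n / num_solutions)))


def predicted_success(n_bits: int, num_solutions: int, t: int) -> float:
    """Rotation analysis: theta = asin(sqrt(a/N)); |h> starts at angle theta
    from |B> and each G rotates it by 2*theta, so after t iterations the angle
    is (2t+1)*theta and Pr[measure an awesome x] = sin^2((2t+1)*theta).
    (The slide's "~ 2*theta*t" is this angle with the extra theta dropped.)"""
    theta = math.asin(math.sqrt(num_solutions / 2 ** n_bits))
    return math.sin((2 * t + 1) * theta) ** 2


def grover(n_bits: int, f: Oracle, t: int) -> List[float]:
    """Run t iterations of G = -H Q_0 H Q_f on H^(x)n |0^n> and return the
    measurement distribution |alpha_x|^2 over x in [N].  Amplitudes stay real
    because every operator used is a real orthogonal matrix."""
    big_n = 2 ** n_bits
    # Step 1: uniform superposition |h> = (1/sqrt N) sum_x |x>.
    amp = [1.0 / math.sqrt(big_n)] * big_n
    for _ in range(t):
        # Oracle Q_f: |x> -> (-1)^f(x) |x>, i.e. negate the awesome strings.
        amp = [-a if f(x) else a for x, a in enumerate(amp)]
        # Diffusion -H Q_0 H = 2|h><h| - I: reflect every amplitude about
        # the mean amplitude (the slide's reflection about |h>).
        mean = sum(amp) / big_n
        amp = [2.0 * mean - a for a in amp]
    # Step 3: Born rule, Pr[x] = |alpha_x|^2.
    return [a * a for a in amp]


def success_probability(probs: List[float], f: Oracle) -> float:
    """Total probability mass on strings with f(x) = 1."""
    return sum(p for x, p in enumerate(probs) if f(x))


# --- Application: key recovery against a toy block cipher --------------------
KEY_BITS = 8                          # |K| = 2^8 keys, small enough to simulate
_SBOX = list(range(256))
random.Random(2016).shuffle(_SBOX)    # fixed, constructed 8-bit permutation


def toy_encrypt(k: int, m: int) -> int:
    """Toy one-round 'cipher' E : K x {0,1}^8 -> {0,1}^8, constructed for this
    example and without any security.  For fixed m it is a bijection in k, so
    exactly one key is consistent with a challenge (a = 1, first table row)."""
    return _SBOX[(m + k) & 0xFF]


def key_recovery_oracle(challenge: Tuple[int, int, int]) -> Oracle:
    """f_c(k) = 1 iff (E(k,"0"), E(k,"1"), E(k,"2")) == (c0, c1, c2)."""
    def f_c(k: int) -> int:
        return int(tuple(toy_encrypt(k, m) for m in (0, 1, 2)) == challenge)
    return f_c


def recover_key(challenge: Tuple[int, int, int]) -> Tuple[int, float, int]:
    """Grover search over K; returns (most likely key, its probability, t).
    Uses floor(pi/4 * sqrt(|K|)) = 12 iterations, against the ~|K|/2 = 128
    trial encryptions a classical brute-force search needs on average."""
    f_c = key_recovery_oracle(challenge)
    t = grover_iterations(KEY_BITS, 1)
    probs = grover(KEY_BITS, f_c, t)
    best = max(range(2 ** KEY_BITS), key=probs.__getitem__)
    return best, probs[best], t


if __name__ == "__main__":
    # Unique-solution search over N = 16: t = 3, Pr[target] ~ 0.961.
    t = grover_iterations(4, 1)
    probs = grover(4, lambda x: int(x == 11), t)
    print(f"N=16: t={t}, Pr[11]={probs[11]:.4f}, "
          f"predicted={predicted_success(4, 1, t):.4f}")
    # Key recovery: the attacker sees the challenge, never the key.
    secret = 0xA7
    challenge = tuple(toy_encrypt(secret, m) for m in (0, 1, 2))
    key, p, t = recover_key(challenge)
    print(f"recovered 0x{key:02x} (secret 0x{secret:02x}), "
          f"Pr={p:.5f} after {t} iterations")
```

Because the simulation applies the exact operators, the measured success probability coincides with sin²((2t+1)θ) from the rotation picture, which is why the slides can read the iteration count straight off the angle θ.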
Hash Collisions
Let H be a random function.
Problem: Given oracle access to H : [2N] → [N], find distinct elements x and x′ such that H(x) = H(x′).
To succeed with constant probability (by the Birthday Bound), a classical algorithm requires Θ(√N) queries.
[Compute H(0), H(1), H(2), . . . until you find a collision.]
Theorem (Brassard, Høyer, Tapp 1997). There is a quantum collision-finding algorithm that makes O(N^1/3) quantum queries and succeeds with constant probability.
27/40
Quantum Collision Finding
Algorithm Idea
◮ Build a big table of random values and their hashes.
◮ Use Grover search to quickly find a value that collides with one in the table.

  r0   H(r0)
  r1   H(r1)
  r2   H(r2)
  r3   H(r3)
  . . .        (O(N^1/3) rows)
28/40
Quantum Collision Finding
Algorithm
- 1. Sample O(N^1/3) random integers r_i ∈ [2N], compute h_i ← H(r_i), and store each (r_i, h_i) in a table T.
- 2. Define a function f_T : [2N] → {0, 1}:
     f_T(x) def= { h* ← H(x); look for a pair (r_i, h_i) ∈ T with h_i = h*; if such a pair exists and r_i ≠ x, return 1 (else 0). }
- 3. Use Grover search to find a “good” x.
- 4. Use the table to find the colliding r, and output (x, r).
Analysis
◮ Step 1 makes O(N^1/3) queries to H.
◮ Step 3 is a Grover search over a space of size 2N, with ≈ N^1/3 possible solutions.
  ⇒ O(√(N / N^1/3)) = O(N^1/3) queries.
29/40
Collision Finding in Practice
Is the collision-finding algorithm practical?
◮ The query complexity is O(N^{1/3}).
◮ What is the size of the quantum circuit?
[Circuit: H^{⊗n}, then Grover iterations G, G, G, . . ., then Measure]
Each Grover iteration encodes a table of size Θ(N^{1/3}), so the G circuit has Θ(N^{1/3}) gates. (!)
30/40
Collision Finding in Practice
◮ Mounting the attack requires a QC with Θ(N^{1/3}) qubits! (In contrast, the cipher attack requires a QC with a few thousand qubits.)
◮ If you have Θ(N^{1/3}) qubits, you might as well use parallel Grover search:
[Circuit: many independent copies of H^{⊗n}, G, G, G, . . ., Measure, run side by side]
31/40
Collision Finding in Practice
Parallel Grover (Grover and Rudolph 2003)
1. Pick an x0 ←R [2N].
2. Define fx0 : [2N] → {0, 1} as: fx0(x) := [H(x) = H(x0) and x ≠ x0].
3. Divide the search space into N^{1/3} pieces.
4. Run Grover on each piece in parallel.
Analysis. Each machine searches over a space of size O(2N / N^{1/3}) = O(N^{2/3}). We expect one of the pieces to contain a colliding input. Running time is O(√(N^{2/3})) = O(N^{1/3}).
If you have a size-Θ(N^{1/3}) classical computer, finding collisions with the parallel rho method only takes time O(N^{1/6})! (Van Oorschot and Wiener 1999) (Bernstein 2009)
32/40
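The classical baseline the slide compares against is the parallel collision search of van Oorschot and Wiener (distinguished-point "parallel rho"). The following is an added example written for this page, not code from the talk or from the cited papers. Everything concrete in it is an assumption for the demo: the random-looking H is truncated SHA-256 over a range of N = 2^20, there are p = 16 workers stepping in lockstep, and a point is "distinguished" when its low 4 bits are zero. It reports the parallel time (rounds, i.e. steps per worker) separately from the total work (queries), since the O(√N / p) claim on the slide is about the former.

```python
# Added example (not from the talk): van Oorschot-Wiener parallel collision
# search with distinguished points, run against a constructed toy hash.
import hashlib
import random

N_BITS = 20                     # toy range size N = 2^20 (assumption for the demo)
N = 1 << N_BITS


def toy_hash(x):
    """Constructed stand-in for a random function H : [N] -> [N]
    (truncated SHA-256); nothing about it is specific to the talk."""
    digest = hashlib.sha256(b"toy-H:" + x.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big") & (N - 1)


def is_distinguished(x, dp_bits):
    """A point is 'distinguished' if its low dp_bits bits are all zero."""
    return (x & ((1 << dp_bits) - 1)) == 0


def locate_collision(H, trail_a, trail_b):
    """Two trails (start, length) ended at the same distinguished point, so
    they merged somewhere. Re-walk them in step to find the colliding pair."""
    (a, la), (b, lb) = trail_a, trail_b
    if la < lb:                                   # make trail a the longer one
        (a, la), (b, lb) = (b, lb), (a, la)
    for _ in range(la - lb):                      # align the remaining lengths
        a = H(a)
    if a == b:                                    # one start lay on the other trail
        return None
    while True:                                   # within lb steps they must meet
        ha, hb = H(a), H(b)
        if ha == hb:
            return (a, b)
        a, b = ha, hb


def parallel_rho(H, n_bits, workers, dp_bits, rng):
    """Simulate `workers` machines walking x <- H(x) in lockstep. Each reports
    its trail when it hits a distinguished point, then restarts from a fresh
    random start. Returns ((x, x'), rounds, queries): rounds is the parallel
    time (steps per worker), queries is the total work."""
    space = 1 << n_bits
    max_len = 20 << dp_bits                       # abandon trails stuck in a DP-free cycle
    table = {}                                    # distinguished point -> (start, length)
    starts = [rng.randrange(space) for _ in range(workers)]
    states = list(starts)
    lengths = [0] * workers
    rounds = queries = 0
    while True:
        rounds += 1
        for w in range(workers):
            states[w] = H(states[w])
            lengths[w] += 1
            queries += 1
            x = states[w]
            restart = False
            if is_distinguished(x, dp_bits):
                trail = (starts[w], lengths[w])
                if x in table and table[x][0] != starts[w]:
                    found = locate_collision(H, table[x], trail)
                    if found is not None:
                        return found, rounds, queries
                table.setdefault(x, trail)        # keep the first trail per DP
                restart = True
            elif lengths[w] > max_len:
                restart = True
            if restart:
                starts[w] = rng.randrange(space)
                states[w] = starts[w]
                lengths[w] = 0


def demo(workers=16, dp_bits=4, seed=2016):
    """Run the search on the toy hash and return the result for inspection."""
    (x, y), rounds, queries = parallel_rho(toy_hash, N_BITS, workers, dp_bits,
                                           random.Random(seed))
    return {"x": x, "y": y, "rounds": rounds, "queries": queries,
            "sqrt_N": int(N ** 0.5)}


if __name__ == "__main__":
    print(demo())
```

The table only ever stores distinguished points, so memory is a 2^{-dp_bits} fraction of the work done, and the only delay in noticing a merge is the length of one trail; that is the trade-off that makes the method parallelise with near-zero communication, which a single-machine rho walk does not.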
Password Cracking
Modern OSes store passwords as H(salt, password), where:
– H is a “moderately hard” function, and
– salt is a random string.
  User    Password
  alice   cardinal650
  bob     Stanford!
  carol   CSRulez
  . . .
  User    Salt     HashedPass
  alice   0x0738   0x89d7f1a
  bob     0xaab3   0x1704193
  carol   0x9c3e   0x726ebd9
  . . .
If someone steals your password file, they have to do some work (“password cracking”) to recover the stored passwords.
33/40
Password Cracking
Problem: Given oracle access to H : [N] → [N], a dictionary of candidate passwords D = {password, 12345, qwerty, ...} ⊆ [N], and a target τ, find an x ∈ D such that H(x) = τ. (Inverting a function with hints.)
Classical attack: Θ(|D|) queries to H (to succeed w.p. 1/2)
Grover search: O(√|D|) attack.∗ (New?)
Quantum computers essentially break all password hashing functions.
34/40
Quantum Password Cracking
1. Define a function fD : {1, 2, . . . , |D|} → {0, 1} as:
   fD(i) :=  di ← “ith entry in dictionary D”
             return [τ = H(di)]   (1 if equal, 0 otherwise)
2. Run Grover search to find a “good” i.
Search will use O(√|D|) queries to H and D.
◮ CH = Cost of H query.
◮ CD = Cost of D query. (Could be ≈ |D| log N: a circuit that selects the ith of |D| entries of log N bits each.)
Attack cost = (# iterations) · (Cost per iteration) ≈ √|D| · (CH + CD) ≈ |D|^{3/2} log N + √|D| · CH
This often beats the classical |D| · CH attack!
35/40
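To make the two Grover-based attacks concrete, here is an added example written for this page (not code from the talk) that simulates Grover search exactly as a state vector and uses it for both the BHT collision finder of slide 29 and the dictionary attack of slide 35. Everything concrete in it is an assumption for the demo: the random-looking H : [2N] → [N] built from truncated SHA-256 with N = 256, a table of 7 ≈ N^{1/3} entries, alice's salt 0x0738 from slide 33 reused as the salt of a plain SHA-256 password hash, and a constructed 1024-entry dictionary. The simulation brute-forces the marked set only to drive the simulator; on a quantum computer that is the work the oracle does in superposition.

```python
# Added example (not from the talk): an exact state-vector simulation of
# Grover search, used to replay the BHT collision finder (slide 29) and the
# dictionary attack (slide 35) on toy instances.
import hashlib
import math
import random


def grover_probabilities(size, marked, iterations):
    """Simulate Grover search over `size` items whose marked set is `marked`.
    Returns the measurement distribution after `iterations` Grover iterates.
    (Classical simulation: its cost is linear in `size`, unlike the real thing.)"""
    amp = [1.0 / math.sqrt(size)] * size          # |h>: the uniform superposition
    for _ in range(iterations):
        # Oracle: flip the sign of every marked amplitude.
        amp = [-a if i in marked else a for i, a in enumerate(amp)]
        # Diffusion 2|h><h| - I: reflect every amplitude about the mean.
        mean = sum(amp) / size
        amp = [2.0 * mean - a for a in amp]
    return [a * a for a in amp]


def grover_search(size, marked):
    """Run k = floor((pi/4) sqrt(size/|marked|)) iterations and return
    (most likely outcome, k, probability mass on marked items).
    The simulation counts |marked| directly; an attacker who does not know it
    would use the Boyer-Brassard-Hoyer-Tapp schedule of guesses instead."""
    k = int(math.pi / 4 * math.sqrt(size / len(marked)))
    probs = grover_probabilities(size, marked, k)
    best = max(range(size), key=probs.__getitem__)
    return best, k, sum(probs[i] for i in marked)


# --- (a) BHT collision finding, slide 29, on a constructed H : [2N] -> [N] ---
N = 256                                           # toy range size (assumption)


def toy_H(x):
    """Constructed random-looking function H : [2N] -> [N] (truncated SHA-256)."""
    d = hashlib.sha256(b"toy-H:" + x.to_bytes(2, "big")).digest()
    return int.from_bytes(d[:2], "big") % N


def bht_collision(H, two_N, table_size, rng):
    """Steps 1-4 of slide 29. Returns (x, r, grover_iterations, success_prob)."""
    while True:
        T = {}                                    # Step 1: h_i -> r_i
        for r in rng.sample(range(two_N), table_size):
            if H(r) in T:                         # the table itself already collides
                return T[H(r)], r, 0, 1.0
            T[H(r)] = r
        # Step 2: f_T(x) = 1 iff H(x) = h_i for some table entry with r_i != x.
        # Brute-forced here only to feed the simulator; the quantum oracle
        # evaluates f_T in superposition instead.
        marked = {x for x in range(two_N) if H(x) in T and T[H(x)] != x}
        if marked:
            break                                 # otherwise resample the table
    x, k, p = grover_search(two_N, marked)        # Step 3
    return x, T[H(x)], k, p                       # Step 4: table lookup


def demo_bht(seed=2016):
    """Table of 7 entries, i.e. about N^(1/3) for N = 256."""
    return bht_collision(toy_H, 2 * N, 7, random.Random(seed))


# --- (b) dictionary attack, slide 35, on a salted password hash ---
SALT = bytes.fromhex("0738")                      # alice's salt from slide 33


def pw_hash(password):
    """Stand-in for H(salt, password); plain salted SHA-256 here."""
    return hashlib.sha256(SALT + password.encode()).hexdigest()


DICTIONARY = ["password", "12345", "qwerty", "cardinal650"] + [
    "pw%04d" % i for i in range(1020)]            # constructed, |D| = 1024


def grover_dictionary_attack(H, dictionary, target):
    """f_D(i) = [H(d_i) = target]; Grover over the index i in {0, ..., |D|-1}.
    Returns (password, iterations, success_prob) or None if no entry matches."""
    marked = {i for i, d in enumerate(dictionary) if H(d) == target}
    if not marked:
        return None
    i, k, p = grover_search(len(dictionary), marked)
    return dictionary[i], k, p


def demo_dictionary(target_password="cardinal650"):
    return grover_dictionary_attack(pw_hash, DICTIONARY, pw_hash(target_password))


if __name__ == "__main__":
    x, r, k, p = demo_bht()
    print("collision:", x, r, toy_H(x) == toy_H(r), "after", k, "iterations, p = %.3f" % p)
    print("dictionary:", demo_dictionary())
```

With |D| = 1024 and a single matching entry, the schedule is ⌊(π/4)√1024⌋ = 25 iterations and the measurement returns the right index with probability sin²(51·θ) ≈ 0.9995, where sin θ = 1/32. The same formula with M marked items in a space of size S, success sin²((2k+1)θ) with sin²θ = M/S, is why the BHT step needs only a handful of iterations: its 7-entry table marks a few dozen of the 512 inputs at most.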
Quantum Password Cracking
If we can represent the dictionary D with a small circuit, then the quantum attack is devastating: |D| · CH decreases to ≈ √|D| · CH.
Using amplitude amplification (Brassard, Høyer, Mosca, Tapp 2002), we can generalize the attack from password dictionaries to password distributions.
36/40
The End of Password Hashing?
Say that an attacker’s budget allows for 2^24 hash computations. . .
  Type               Len       Classical   Quantum
  Lower-case alpha   6 char    2^28        2^14
                     8 char    2^37        2^19
                     10 char   2^47        2^24
  Alphanumeric       6 char    2^36        2^18
                     8 char    2^47        2^23
                     10 char   2^60        2^30
  Printable ASCII    6 char    2^39        2^20
                     8 char    2^52        2^26
                     10 char   2^66        2^33
(Classical ≈ |D| = alphabet size^length; Quantum ≈ √|D|.)
37/40
Overview
Motivation Background Grover’s Algorithm Applications Conclusion
Conclusions
Quantum computers can solve black-box search problems faster than classical computers can.
Future Directions
1. Find quantum collision-finding algorithms that beat the classical ones, in terms of qubit complexity. (Grover and Rudolph 2003)
   ◮ . . . or prove that none exist.
2. Cryptanalyze proposed post-quantum cryptosystems. Switching from RSA → LWE doesn’t necessarily protect you.
3. Prove time-space lower bounds for quantum algorithms in the random-oracle model.
Thank you!
39/40
References
Background
◮ Sanjeev Arora and Boaz Barak. Computational Complexity: A Modern Approach.
◮ Michael Nielsen and Isaac Chuang. Quantum Computation and Quantum Information.
◮ John Watrous. Lecture notes: Introduction to Quantum Computing. https://cs.uwaterloo.ca/~watrous/LectureNotes.html
Grover’s Algorithm
◮ Lov Grover. “A Fast Quantum Mechanical Algorithm for Database Search” (1996). https://arxiv.org/abs/quant-ph/9605043
◮ Michel Boyer, Gilles Brassard, Peter Høyer, and Alain Tapp. “Tight Bounds on Quantum Searching” (1996). https://arxiv.org/abs/quant-ph/9605034
◮ Richard Jozsa. “Searching in Grover’s Algorithm” (1999). https://arxiv.org/pdf/quant-ph/9901021 (Gives the nice geometric interpretation of Grover search.)
◮ Gilles Brassard, Peter Høyer, Michele Mosca, and Alain Tapp. “Quantum Amplitude Amplification and Estimation” (2000). https://arxiv.org/abs/quant-ph/0005055
References
Lower Bound
◮ Charles H. Bennett, Ethan Bernstein, Gilles Brassard, and Umesh Vazirani. “Strengths and Weaknesses of Quantum Computing” (1997). https://arxiv.org/abs/quant-ph/9701001
◮ Ronald de Wolf. Lecture notes: “Quantum Lower Bounds” (2005). http://www.iro.umontreal.ca/~tappa/Summer%20School/montreal05.pdf
◮ Scott Aaronson. Lecture notes: “6.845: Quantum Complexity Theory” (2009). https://ocw.mit.edu/courses/electrical-engineering-and-computer-science/6-845-quantum-complexity-theory-fall-2010/lecture-notes/
Collision Finding
◮ Gilles Brassard, Peter Høyer, and Alain Tapp. “Quantum Algorithm for the Collision Problem” (1997). https://arxiv.org/abs/quant-ph/9705002
◮ Paul van Oorschot and Michael J. Wiener. “Parallel Collision Search with Cryptanalytic Applications” (1999). http://people.scs.carleton.ca/~paulv/papers/JoC97.pdf
◮ Lov Grover and Terry Rudolph. “How Significant are the Known Collision and Element Distinctness Quantum Algorithms?” (2003). http://arxiv.org/pdf/quant-ph/0306017
◮ Daniel J. Bernstein. “Cost Analysis of Hash Collisions: Will Quantum Computers Make SHARCs Obsolete?” (2009). http://cr.yp.to/hash/collisioncost-20090823.pdf
2/4
References
AES Cryptanalysis
◮ Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger. “Biclique Cryptanalysis of the Full AES” (2011). http://research.microsoft.com/en-us/projects/cryptanalysis/aesbc.pdf
3/4
Analysis of Grover’s Algorithm
Claim. The operator R = H^{⊗n} Q0 H^{⊗n} reflects over the hyperplane orthogonal to |h⟩, where |h⟩ = H^{⊗n}|0^n⟩ is the uniform superposition.
The Q0 operator flips the sign of |0^n⟩ in a superposition: Q0 = I − 2|0^n⟩⟨0^n| (an outer product).
Then, since H^{⊗n} is its own inverse,
  R = H^{⊗n} Q0 H^{⊗n} = H^{⊗n} H^{⊗n} − 2 (H^{⊗n}|0^n⟩)(⟨0^n| H^{⊗n}) = I − 2|h⟩⟨h|,
so R takes |h⟩ → −|h⟩ and |h⊥⟩ → |h⊥⟩ for every |h⊥⟩ orthogonal to |h⟩.
So, for any vector |v⟩ = α|h⟩ + β|h⊥⟩, R maps α|h⟩ + β|h⊥⟩ → −α|h⟩ + β|h⊥⟩.
4/4