Download Breaking RSA with Quantum Computing

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
Document related concepts

Factorization of polynomials over finite fields wikipedia , lookup

Quantum computing wikipedia , lookup

Transcript 
University of Ljubljana
Faculty of Mathematics and Physics
Breaking RSA with Quantum Computing
Blaž Bačnik
Under mentorship of dr. Marko Žnidarič
Ljubljana, 26 May 2008
Abstract
We take a look at RSA encryption algorithm and what makes it secure. Some
consideration is given to its current use, showing that it plays an important
role in ensuring privacy on the Internet. A way of factoring large numbers
with Shor’s factorization algorithm is given, as well as a shortcut to directly
breaking RSA. Next, we present basics of some of the implementations, their
drawbacks and make an estimation of how long will our RSA keys remain
safe.
Contents
1 Introduction to Quantum Computing
3
2 RSA Encryption
2.1 Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.2 Mathematical Background . . . . . . . . . . . . . . . . . . . .
2.3 Security considerations . . . . . . . . . . . . . . . . . . . . . .
4
4
5
6
3 Shor’s factorization
3.1 Reduction to order-finding . . . . . . . . . . . . . . . . . . . .
3.2 Factorization . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.3 Breaking RSA . . . . . . . . . . . . . . . . . . . . . . . . . . .
7
7
8
9
4 Implementations
10
4.1 Quantum error-correction . . . . . . . . . . . . . . . . . . . . 11
5 A look to the future
13
2
1
Introduction to Quantum Computing
Since the very beginnings of quantum computing in 1980s its fathers, the
likes of Richard Feynman and David Deutsch, envisioned the massive computing power of quantum systems. Their power lies in the way data is
represented because that allows algorithms to manipulate data in parallel.
Such algorithms, called quantum algorithms, do not operate on classical bits
representing data where every bit can only take either of the two states, but
rather operate on quantum bits, or qubits. Qubits have quantum-mechanical
properties, most importantly they can be in superposition. In terms of wavefunction, qubits can be expressed as
|Ψi = α|0i + β|1i.
It would seem that as long as we can produce qubits in a superposition
of states and we can perform certain operations on them, we should gain
unmatched parallelism. But the problem arises when we want to measure
the results of our computations. Due to fundamental behaviour of quantum
mechanics, measurement causes a collapse of qubit’s wavefunction to one of
the base states. For that reason we only get result for one of all the possible
outcomes of our algorithm and so we have to repeat the whole procedure if
we would like to get any of the other possible outcomes. It is actually even
worse since we only measure a particular outcome with a certain probability.
It might take a lot more measurements, and consequently executions of
algorithm, than there are possible outcomes to obtain all the results.
So far we haven’t actually gained anything. But what if we were able to
devise an algorithm whose results would all share same specific property?
Then perhaps we would be able to learn something with just a couple of
measurements. Indeed, such algorithms exist. Unfortunately, they aren’t
general instructions to exploit quantum mechanics for arbitrary parallelizable algorithms, due to reasons stated above, but are solutions to specific
problems, results of which already possess some nice properties. Today we
know of Deutsch-Jozsa, Grover’s and Shor’s algorithms. While the former
served as a base to the other two, it doesn’t have any practical use. On
the other hand, the latter two do. Especially Shor’s algorithm, which could
have severe implications in cryptography.
3
2
RSA Encryption
RSA is the most widely used coding mechanism for public-key cryptography
today. Public-key cryptography is a method of encryption where a person
obtains a unique pair of keys. Keys from the pair are related and one, called
a public key, they publish for everyone to see. This key is then used to
encrypt a message sent to the owner of the key pair. At the same time the
other key from the pair, called a private key, must be kept secret as it is
used for decrypting messages encrypted with a corresponding public key.
2.1
Usage
Public-key encryption schemes are very popular as they are quite practical.
They do not require both parties to agree upon a passphrase before-hand
as is the case with the well-known method we call a symmetric-key cryptography. In symmetric-key cryptography the same key is used for both
encryption as well as decryption. For public-key encryption schemes this
means that there is no need to communicate a passphrase which generally
requires a different communication channel. Reason for it being that this
channel must be trusted and secure.
In public-key cryptography all the communication can go through public,
untrusted medium, ie. the Internet. One must only authenticate a public
key, which is to ensure that the used key actually belongs to the person they
want to communicate with. This might still require some form of interaction
between the parties, either direct or indirect, but it is a one-time process.
This is a major benefit. The key exchange or authentication can also be
done via third party that both users trust. This is sometimes referred to as
a chain of trust.
RSA encryption in particular is used in Public-Key Infrastructure, or
PKI for short. PKI serves as a base for securing different electronic transactions, most notably in e-commerce and electronic banking. Lately, governments have started using this technology as well. Of particular interest
to readers could be Slovenian “eUprava” as they might be familiar with the
service. It utilizes PKI and, consequently, RSA encryption.
4
2.2
Mathematical Background
RSA coding algorithm by itself is based on finite groups of integer numbers.
Group operation is multiplication modulo N and N is a fixed integer number,
usually a product of two prime numbers p and q. RSA public key consists
of a pair (e, N ), where e is public key exponent. Likewise, a pair (d, N )
represents private key, with d being private key exponent respectively. d
and e are chosen in a way that
ed ≡ 1
mod (p − 1)(q − 1)
is true. Encryption is then performed in two steps;
• message M is mapped to an integer m < N (this is just a trivial
technicality)
• m is then ciphered to c according to the following equation
c ≡ me
mod N.
(2.1)
Similarly, for decryption
• integer m is deciphered from c by relation
m ≡ cd = (me )d = med
mod N
• and then m is reverse-mapped back to original message M .
5
(2.2)
2.3
Security considerations
Strength of a cipher is a measure of how secure it is or, in other words, how
hard it is to obtain the original message without prior knowledge of the key
needed for decryption. RSA relies on the fact that evaluating equation (2.2)
for every possible private key d is computationally expensive, even with efficient algorithms such as square-and-multiply 1 . Another assumption that
RSA depends on is that no efficient method for factoring large numbers exists. This is important since such a method would greatly simplify equation
(2.2) by factoring N . For this reason alone N has to be big and a product
of two prime numbers if security is desired.
The size of N is usually expressed in bits. Since log2 N is not always an
integer, we define its size in bits n as ceil;
n = dlog2 N e.
Typically used N are roughly 300 decimal digits long and corresponding
RSA keys consist of 1024 or more bits. The largest number factored as of
this writing was RSA-200 which is 663 bits or 200 decimal digits long. While
the difference between 663- and 1024-bit key does not seem that big, one
must account for the fact that factoring this 663-bit number already took
the equivalent of a 75 years work for a single 2.2 GHz personal computer.
The best known conventional algorithm — number field sieve — does not
scale too well with n either. It runs in
64 1/3 1/3
n (log n)2/3
)
(
9
(2.3)
O e
steps, or non-polynomial time. In comparison, if n is 256 bits or less, N can
be factored in a couple of hours on that same personal computer.
Adi Shamir, that is “S” in RSA (named after its inventors), has in collaboration with his colegue devised a device named TWIRL which could hypothetically factor 1024-bit numbers in a time scale of a year2 . Even though
at the moment TWIRL is still nothing more than a concept of a highly optimised classical device for factoring numbers, the currently recommended
key length is 2048 bits. 4096-bit key implementations are already available
as well and these are practically considered unbreakable with conventional
computers in the forseeable future.
1
Square-and-multiply is basically an optimized way of evaluating equations (2.1) and
(2.2).
2
At the cost of “a few dozen million US dollars”.[1]
6
3
Shor’s factorization
In 1994 an algorithm for factoring numbers was presented by Peter Shor of
AT&T Research. It requires only
O n2 log n log log n
(3.1)
steps for factoring n-bit numbers which is an enormous reduction from exponential time of classical algorithms — (2.3). Basically, Shor managed to
translate number factoring into order-finding that can be done efficiently
with quantum computers.
3.1
Reduction to order-finding
Mathematical foundation for Shor’s work lies in the same finite group theory
that is also the basis of RSA. As said, group operation is multiplication
modulo N and group elements are integer numbers. Now suppose that x is
coprime to N , meaning that x and N share no common factors. In other
words, their greatest common divisor, GCD(x, N ), equals 1. Then we can
define order of x modulo N as the lowest positive integer r such that
xr ≡ 1
mod N
(3.2)
holds true. This is always possible, since number theory guaranties that
function
f (a) = xa mod N
is periodic if x is coprime to N . If then f is a periodic function, it has some
period r. Therefore it follows that
x0 ≡ x0+r
r
1≡x
mod N
mod N
and order r exists, since it is a period of f .
Suppose further that r is even. From equation (3.2) it then follows
xr ≡ 1 mod N
r 2
x 2 ≡ 1 mod N
r 2
x 2 − 1 ≡ 0 mod N
r
r
x 2 + 1 x 2 − 1 ≡ 0 mod N,
meaning that N divides (xr/2 + 1)(xr/2 − 1). As long as 1 < xr/2 < N − 1
holds true, then 0 < xr/2 ± 1 < N and, obviously, N cannot divide any
of them. Since N does divide their product, at least one of them has to
7
share a non-trivial factor with N . Therefore either GCD(xr/2 + 1, N ) or
GCD(xr/2 − 1, N ) yields a factor of N .
Previously a lot of assumptions were made. First, x has to be chosen to
be coprime with N . This can be easily accomplished by choosing a random
number from (1, N ) and computing GCD(x, N). If GCD(x, N) = 1, x is
coprime to N , otherwise a factor of N has just been found. Second, r has to
be even and 1 < xr/2 < N − 1. According to [2], if x is chosen uniformly at
random, it has rather high probability of satisfying these conditions. Actual
probability is
1
P ≥ 1 − k−1
2
where k is a number of prime factors of N . Considering worst-case scenario
of N being a product of two primes, probability of choosing an appropriate
x at random is still good — greater than or equal to 0.5. While this makes
algorithm probabilistic, it does not pose a serious problem. Use of GCD is
acceptable as well, since it can be implemented efficiently, ie. with Euclidean
algorithm.
3.2
Factorization
The actual algorithm can then be constructed as follows;
1. Find x coprime to N
2. Using Quantum Period Finding obtain order r
3. If r does not satisfy conditions from 3.1, retry by returning to step 1
4. Return factor of N from GCD(xr/2 ± 1, N )
It should be noted that all the steps can be performed on a classical computer
as they are classical by their nature. The only exception is step 2.
This factorization relies on Quantum Period Finding (QPF) to do all
the heavy lifting. QPF works by first calculating 2j powers of x modulo
n−1
N ; x, x2 , x4 , x8 , . . . , x2
mod N . This computation is performed by a
square-and-multiply algorithm, also known as modular exponentiation or
exponentiation by squaring. Next, a register, denoted by z, is prepared in a
superposition of states and the following operation is performed
xz
mod N = (xz0 2
0
mod N )(xz1 2
1
mod N ) . . . (xzn−1 2
n−1
mod N ).
Since, naively speaking, every qubit of z represents both 0 and 1 at the
same time, the product xz contains the combination of chosen x to every
exponent up to 2n − 1.
As there is no way for us to just read the contents from a quantum register due to collapse of wavefunction after measurement, we perform quantum
Fourier transform on register z to obtain the period r.
8
To illustrate Shor’s algorithm, we will factor number 21. First we choose
x = 2, since 2 is a prime number and so it is coprime to 21. Second, we find
period r of
f (a) = 2a mod 21.
Because we do not have a quantum computer at hand (yet), we make a table
of f (a) by conventional means.
a
f (x)
0
1
1
2
2
4
3
8
4
16
5
11
6
1
It is obvious that period r is 6 and is even. It also satisfies relation 1 < 23
mod 21 < 20 and GCD(8 + 1, 21) = 3 actually yields a factor of 21. In this
particular case GCD(8 − 1, 21) = 7 does as well.
3.3
Breaking RSA
Even though RSA encryption can be broken by factoring N , there exists a
shortcut. In section 2.2 we said that we encrypt a message by relation
c ≡ me
mod N.
For decrypting this message knowledge of order r of c modulo N is sufficient.
To show this, suppose we know d˜ such that
ed˜ ≡ 1
mod r.
(3.3)
Thus we can write
ed˜ = 1 + qr
for some integer q and
˜
˜
˜
cd ≡ (me )d ≡ med ≡ m1+qr
mod N.
As m has to be coprime to N for RSA to function, exponentiation of m
has to be a periodic function. Exponentiation of c is a periodic function as
well and m is part of the set of values that c takes during exponentiation
because cd ≡ m mod N . This, in turn, means that period of m must be
equal to period of c.
Strictly speaking, numbers coprime with N form subgroups under group
modulo N and order r denotes number of their elements. Since subgroup
generated by c contains m = cd and subgroup generated by m contains
c = me , they must be identical, which is the reason their orders are the
same.
If order of m is r, then mr ≡ 1 mod N and
m1+qr ≡ m(mr )q ≡ m(1)q ≡ m mod N.
Now we see that we can obtain d˜ from equation (3.3) with extended
˜ N)
Euclidean algorithm if we know the period r of encrypted message c. (d,
is then private key pair used for decryption.
9
4
Implementations
Figure 1: Molecule used for computation in IBM-sponsored 7-qubit quantum
computer being the first to perform Shor’s factorization[3]
Even though we have seen a couple of actual working implementations of
quantum computers, they are generally still more of a proof-of-concept experiments than they are actually useful. The only type of quantum computer
constructed that managed to perform Shor’s algorithm was NMR-based. It
used spins from a single molecule for its quantum register (Figure 1) that
was manipulated with radiofrequency pulses and the answer was read from
a nuclear magnetic resonance spectrum. Thus, it should not be surprising
that it was very limited and NMR is generally not considered a scalable
architecture.
Figure 2: Superconducting niobium-based quantum computer from D-Wave
Systems, Inc. with 16 qubits that cannot perform Shor’s factorization[4]
In November 2007 Canadian firm D-Wave Systems, Inc. presented a
28-qubit successor to their 16-qubit adiabatic quantum computer (Figure
10
2). With this technique supposedly metals like aluminium and niobium are
cooled to superconducting state, so electrons in the metals form Cooper
pairs. Qubits are manipulated by slowly varying magnetic field. Nevertheless, this implementation cannot perform Shor’s factorization, which caused
a lot of controversy. Moreover, the fact that the development team seems
reluctant to provide any insight into workings of their computer, led many
scientist to doubt wether D-Wave actually have a working quantum computer. Besides, recent research shows that quantum adiabatic computation
might have other limitations, such as being too time consuming.
Trapped ion quantum computers, being currently the most prominent
architecture, work on charged atomic particles that are confined with electromagnetic field and manipulated by laser pulses. Even though every basic
operation was experimentally tested and a fair amount of research papers
were published, describing scalable trapped ion architectures based on currently available technology, we are still waiting for an operating implementation.
A couple of other types of quantum computers are known, some of which
are quite interesting, e.g. topological ones. Here, anyon braids form qubits
and are considered very stable, since a small perturbation cannot easily
change topological properties of the braids. This kind of computer is only
theoretical for the moment, although gallium arsenide near absolute zero in
strong magnetic field could create braids as indicated by recent research in
this field.
Obviously, current state of quantum computers does not provide many
qubits and for this reason optimization of Shor’s algorithm was developed.
Instead of previous storage requirements of about 5n (n being number of
qubits), algorithm with only 2n + 4 required qubits was presented[5]. Of
course this improvement in storage space resulted in increased execution
time. This modification,
called Linear Nearest Neighbour Qubit Array, now
requires O n3 steps, which is still comparable to original algorithm, but
we have gotten interaction restrictions to nearest neighbour for free.
4.1
Quantum error-correction
Noise presents a problem in every computer system to date and quantum
computers are no different. Rules of the game on the other hand are. Standard way of dealing with errors in classical systems is to make copies of
data to provide redundancy. But quantum world is governed by no-cloning
theorem and collapse of wavefunction upon measurement, so, at the first
glance, it would seem that classical methods would not work.
Thanks again to Peter Shor, we know of a simple quantum code which
can protect against noise. The basic idea is to encode a single qubit on multiple qubits since probability of more qubits simultaneously getting corrupted
lowers. We start as we would with classical computers — by encoding the
11
bit we wish to protect, in this case on 2 additional qubits.
α|0i + β|1i → α|000i + β|111i
We can then check for a bit flip error with projection operators (bit flip
error here signifies that one of the bits changed)
P0 = |000ih000| + |111ih111|; no error
P1 = |100ih100| + |011ih011|; bit flip on qubit 1
P2 = |010ih010| + |101ih101|; bit flip on qubit 2
P3 = |001ih001| + |110ih110|; bit flip on qubit 3
and we see that measurement does not cause any change to the state (it
is the same before and after measurement). So we have found out wether
an error occured without disturbing measured state and can then recover
original state. This works as long as at most one qubit gets corrupted.
We can apply the same procedure for phase flip protection. Phase flip
error is when
α|0i + β|1i → α|0i − β|1i
happens. If we work in qubit basis
1
|+i = √ (|0i + |1i)
2
1
|−i = √ (|0i − |1i),
2
phase flip acts like bit flip on |+i and |−i. So, we can combine both protections into Shor code by first doing phase flip code |0i → | + ++i, |1i →
| − −−i and then bit flip code on each qubit |+i or |−i. We get
1
|0i → √ (|000i + |111i)(|000i + |111i)(|000i + |111i)
2 2
1
|1i → √ (|000i − |111i)(|000i − |111i)(|000i − |111i)
2 2
which protects against bit and phase flip. That comes at a cost of 9 qubits
for encoding only one. Though, it is most surprising how quantum errorcorrection of a discrete set of errors corrects continuous errors. It should be
noted, however, that there exist other error-correction codes, some of which
require only 5 qubits. This is theoretical lower bound as well.[6]
Besides noise, errors get introduced into quantum computation systems
by decoherence. It is result of system’s interaction with environment. Since
qubits here are coupled to a common quantum reservoir and therefore errors
are not independant, error-correction codes do not help, for they assume
errors are either independent or mildly dependant in that the probability
of errors that affect k qubits drops off exponentially in k.[7] This kind of
correlated errors might be what will ultimately keep us from constructing a
scalable quantum computer.
12
5
A look to the future
Taking into account requirements for quantum error-correction, which seem
to be architecture independant, it looks like practically-usable quantum computers will have to handle at least 2048 · 5 = 10240 qubits in order to have
a shot at breaking today’s 2048-bit RSA keys.
Figure 3: Comparison of Moore’s law with experimental data[8]
Moore’s law (Figure 3) relatively accurately describes a trend of computer hardware nowadays — doubling of the number of transistors that can
be inexpensively placed on an integrated circuit every two years actually
means exponential growth. It describes a mature industry based on a scalable platform. Even if Moore’s law held for quantum computers as well, we
couldn’t really expect to see them in widespread use anytime soon.
But reality looks even worse. We are still about three or four orders
of magnitude away from 10000-qubit machines and the one architecture
that actually works (NMR) doesn’t really scale, while the other supposedly
functioning (adiabatic) has problems running quantum algorithms, Shor’s
in particular.
Unless there is some breakthrough in the field, it should be obvious that
expecting commercially available quantum computers in the next couple of
years would be illusory. This is not only true for general-purpose machines,
where perhaps a better estimate would be decades, but it holds for specialpurpose devices as well.
This should be reason enough not to worry about security of our Internet
communications in the near future, at least as far breaking RSA encryption
with quantum computing is concerned.
13
References
[1] http://people.csail.mit.edu/tromer/twirl/, accessed 10 May 2008
[2] A. Ekert and R. Jozsa: Quantum computation and Shor’s factoring
algorithm, Reviews of Modern Physics 68, 733-753 (1996)
[3] http://domino.research.ibm.com/comm/pr.nsf/pages/news.20011219 quantum.html,
accessed 10 May 2008
[4] http://www.sciam.com/article.cfm?id=first-commercial-quantumcomputer, accessed 10 May 2008
[5] Austin G. Fowler, Simon J. Devitt, Lloyd C. L. Hollenberg: Implementation of Shor’s Algorithm on a Linear Nearest Neighbour Qubit Array,
Quant. Info. Comput. 4, 237-251 (2004)
[6] Michael A. Nielsen, Isaac L. Chuang: Quantum Computation and
Quantum Information, Cambridge University Press, 2000
[7] Robert Alicki, Michal Horodecki, Pawel Horodecki, Ryszard Horodecki:
Dynamical description of quantum computing: generic nonlocality of
quantum noise, Phys. Rev. A 65, 062101 (2002)
[8] http://en.wikipedia.org/wiki/Moore’s law, accessed 20 May 2008
[9] http://people.ccmr.cornell.edu/∼mermin/qcomp/chap3.pdf, accessed 9
May 2008
14
Related documents
Lecture 22: Simon`s Problem and towards Shor 1 Overview 2
Lecture 22: Simon`s Problem and towards Shor 1 Overview 2
Quantum mechanical model
Quantum mechanical model
David Williams (University of Cambridge)
David Williams (University of Cambridge)
COMP 9 / EN47 - Exploring Computer Science
COMP 9 / EN47 - Exploring Computer Science
HWU4-21 QUESTION: The principal quantum number, n, describes
HWU4-21 QUESTION: The principal quantum number, n, describes
9-30 powerpoint
9-30 powerpoint
Project suggestion as part of the course 203-1-3431 November 7 , 2011
Project suggestion as part of the course 203-1-3431 November 7 , 2011
Quantum Computing And the Future of Copyright
Quantum Computing And the Future of Copyright
An Introduction to Quantum Computing
An Introduction to Quantum Computing
Prof. Bertrand Reulet, Université de Sherbrooke, Canada Talk: 23. May 2014
Prof. Bertrand Reulet, Université de Sherbrooke, Canada Talk: 23. May 2014
File - sitdownandlogon
File - sitdownandlogon
Probing contextuality with superconducting quantum circuits Talk 27. Oct. 2015 ABSTRACT:
Probing contextuality with superconducting quantum circuits Talk 27. Oct. 2015 ABSTRACT:
Some Families of Probability Distributions Within Quantum Theory
Some Families of Probability Distributions Within Quantum Theory
Non-equilibrium physics of quantum materials Department of Physics and Physical Oceanography Colloquium
Non-equilibrium physics of quantum materials Department of Physics and Physical Oceanography Colloquium
Bonus Slides: About Computer Science
Bonus Slides: About Computer Science