w4 Secure Communications Post Quantum Cryptography
Lecture 4
Secure Communications
Post-quantum Cryptography
Elias Athanasopoulos
[email protected]
Hard problems
• We have shown that hard problems can be used
to construct cryptosystems for asymmetric
cryptography
– Discrete logarithm problem
– Factoring large integers to their primes
• These problems are computationally hard
– No analytic algorithm that solves them in polynomial
time is known, so far
– Current solutions are not significantly better than
brute force
Classic computers
• Classic computers process information in bits, that can
take the value of 1 or 0
– We can build gates that process individual bits, and then
larger circuits that do more complex arithmetic, such as
adding and multiplying integers
– We can then build complex algorithms that essentially can
do arbitrary computation
• A classic computer may solve a problem in polynomial
time, assuming we have developed an algorithm for
that
– If we do not have such an algorithm then the problem is
considered computationally hard (many different classes
of hardness exist)
Quantum computers
• Quantum computers process information in qubits
– Compared to a bit, that can be either 1 or 0, a qubit may
be in any combination of possible states
• In quantum mechanics a property (e.g., a particle’s
property) can take several values at the same time, but
only one survives when the property is measured
– Qubits exhibit this, broadly called superposition, and allow
faster computation
– For instance, a quantum computation may explore several
values in parallel, and output the result of the
computation
• Quantum computers run quantum algorithms
Size of a quantum computer
• A quantum computer’s power is measured in
qubits
– The more qubits the computer has, the larger
computational state it can process
• Current prototypes are in the scale of a few
qubits (~64 qubits)
• State-of-the-art estimations assume that, for
breaking a 2,048-bit RSA private key, you need a
quantum computer of around 20 million qubits
– https://arxiv.org/abs/1905.09749
Shor’s algorithm
• In 1995, Peter Shor proposed a quantum algorithm
that can solve the factoring problem (and the discrete
logarithm problem) in polynomial time
– The original paper, https://arxiv.org/pdf/quant-ph/9508027.pdf
– A nice video,
https://www.youtube.com/watch?v=6qD9XElTpCE
• Shor’s algorithm can be executed only by a quantum
computer
• The basic idea is to transform the factoring problem, or
the discrete logarithm problem, to another problem of
finding the period of a function
The period-finding problem
• Given integers N and a, find the smallest
positive integer r such that a^r - 1 is a multiple
of N
– Or, a^r ≡ 1 (mod N)
– r is called the period of a modulo N
• Example, for N=15 and a=7, the period is 4,
since 7^4 ≡ 1 (mod 15)
Period-finding in Shor’s
algorithm
• We assume that a quantum computer can find the
period r very quickly, given N and a
– Shor’s algorithm deals mostly with this part
– No equivalent algorithm is known, so far, for a classic
computer
– N is the number we want to factor
• Assuming r is computed, then Shor’s algorithm
computes gcd(N, a^{r/2} - 1) and gcd(N, a^{r/2} + 1) for
different values of a, in the range of 1 to N-1
• ‘a’ needs to be co-prime with N, and r needs to be even
• gcd() can be computed with the Euclidean Algorithm
Example, N = 15
https://quantum-computing.ibm.com/composer/docs/iqx/guide/shors-algorithm
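The classical part of Shor’s algorithm for the N = 15 example, as an added illustration that is not part of the original slides: the period is found by a brute-force loop (standing in for the quantum subroutine, which is the only step a quantum computer speeds up), and the two gcd computations then recover the factors. Bases that fail (odd period, or a^{r/2} ≡ -1 mod N) are handled as well.

```python
from math import gcd


def find_period(a, N):
    """Smallest r >= 1 with a^r ≡ 1 (mod N), found classically.
    This loop is exponential in the bit length of N; it is the step
    Shor's quantum period-finding subroutine replaces."""
    if gcd(a, N) != 1:
        raise ValueError("a must be co-prime with N")
    r, x = 1, a % N
    while x != 1:
        x = (x * a) % N
        r += 1
    return r


def shor_factor(N, a):
    """Classical post-processing for one base a.
    Returns a factor pair (p, q) of N, or None when this a fails:
    odd period, or a^(r/2) ≡ -1 (mod N), which makes both gcds trivial."""
    g = gcd(a, N)
    if g != 1:
        return (g, N // g)          # a already shares a factor with N
    r = find_period(a, N)
    if r % 2:
        return None                 # odd period: a^(r/2) is not an integer power
    y = pow(a, r // 2, N)           # a^(r/2) mod N
    if y == N - 1:
        return None                 # a^(r/2) ≡ -1 (mod N): gcds are 1 and N
    p = gcd(N, y - 1)
    q = gcd(N, y + 1)
    if 1 < p < N:
        return (p, N // p)
    if 1 < q < N:
        return (q, N // q)
    return None


def factor_by_trying_bases(N):
    """Walk a over 2..N-2 until some base yields a factor pair;
    returns (a, (p, q)) or None."""
    for a in range(2, N - 1):
        res = shor_factor(N, a)
        if res:
            return (a, res)
    return None


if __name__ == "__main__":
    print("period of 7 mod 15:", find_period(7, 15))   # 4, as on the slide
    print("factors of 15 via a=7:", shor_factor(15, 7))
    print("first working base for 15:", factor_by_trying_bases(15))
```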
Implications
• Shor’s algorithm can efficiently break both the
factoring and the discrete-logarithm problem
– RSA, DHKA, Elliptic Curves, and El Gamal are all unsafe
– Increasing key sizes will not make any difference
• To be efficient, the algorithm still needs a
powerful quantum computer (~millions of
qubits), compared to what we have today
• However, it is unclear when such quantum
computers can appear
– Maybe much earlier than it was originally expected
Post-quantum cryptography
• Finding (new) hard problems that can be used for
building asymmetric cryptosystems that cannot
be solved by a quantum computer in polynomial
time is a research area called post-quantum
cryptography
• The first set of four PQ algorithms that are
recommended by NIST was announced on July 5th,
2022
• Winners were selected after a 6-year evaluation
period
NIST recommendations
• Key exchange
– CRYSTALS-Kyber
• Digital Signatures
– CRYSTALS-Dilithium, FALCON and SPHINCS+
• More information
– https://www.nist.gov/news-events/news/2022/07/nist-announces-first-four-quantum-resistant-cryptographic-algorithms
What about symmetric
cryptography?
• Quantum computers can run smart algorithms
that solve hard problems for conventional
computers in polynomial time
• Symmetric cryptography is not based on hard
problems
– There are many attacks in cryptanalysis for symmetric
ciphers, based on their mechanics, that do not require
quantum computation
• One common property that is shared by all
symmetric ciphers is the key space
Key space in symmetric ciphers
• The most common symmetric algorithm is AES,
which supports three key sizes
– 128, 192, and 256 bits (military-grade security)
• A key space of 128 bits offers strong security in
practice; however, for top-grade documents it
is advised to use keys of 256 bits
Grover’s algorithm
• A quantum search algorithm that can find an
element with a specific value in a domain of N
elements, with a complexity of O(√N)
• Grover’s search algorithm can be used to brute
force a key space
– Assuming you have a symmetric key of n bits, the key
space has 2^n elements, so Grover can find the key using
about √(2^n) = 2^(n/2) encryptions
– Therefore, an AES key of 128 bits is as strong as a
64-bit key, if Grover’s algorithm can be executed
– This is why an AES key of 256 bits is recommended for
top-grade security
Shor’s vs Grover’s algorithm
• Both are quantum algorithms that can affect
cryptography
• Shor’s algorithm is a showstopper
– You cannot make RSA or DHKA better to defend against
Shor’s algorithm
• Grover’s algorithm could, in principle, degrade
symmetric encryption
– Increasing the key size is feasible