Квантовая криптография, хеширование, цифровая...
TRANSCRIPT
Квантовая криптография,хеширование, цифровая подпись
Computer Science Club
декабрь 2015
1 / 76
D. Brassard, C. Bennet 1984 Quantum Key Distribution BB84P. Shor 1994. Quantum algorithms:
integer factorization,discrete logarithm.
“Post-quantum cryptography” http://pqcrypto.org/The book: Daniel J. Bernstein, Johannes Buchmann, Erik Dahmen(editors). Post-quantum cryptography. Springer, 2009.
...Hash-based signature schemes such as L. Lamport signatures andR. Merkle signature schemes.
Hashing itself is an important basic concept for the organizationtransformation and reliable transmission of information.
In 1995 A. Wigderson characterizes universal hashing as being atool which “should belong to the fundamental bag of tricks of everycomputer scientist”.
2 / 76
Quantum Algorithms, Quantum Cryptography
Quantum Algorithms ZOO: http://math.nist.gov/quantum/zoo/Conference Quantum Information Processing (QIP)
QIP2014 Barcelona http://benasque.org/2014QIP/QIP2015 Sidney http://www.quantum-lab.org/qip2015/QIP2016 Calgary ...
Quantum Cryptography ⇡ QKD:http://en.wikipedia.org/wiki/Quantum-cryptography
Conference on quantum cryptographyQCrypt 2014 Paris http://2014.qcrypt.net/QCrypt 2015 Tokyo http://2015.qcrypt.netQCrypt 2016 Washington
3 / 76
QCrypt 2014. 4th international conference on quantumcryptography
4 / 76
Современные тенденции в криптографии 2015
5 / 76
Современные тенденции в криптографии 2016
http://www.ctcrypt.ru/index
6 / 76
Современные тенденции в криптографии 2016
Тематика симпозиума включает следующие вопросы (но неограничивается ими):
исследование криптографических алгоритмов, в том числеанализ криптографических алгоритмов, являющихсямеждународными стандартами;эффективная реализация методов анализа криптографическихалгоритмов;оценка криптографической стойкости российскихкриптографических алгоритмов;эффективная реализация российских криптографическихалгоритмов.
7 / 76
Современные тенденции в криптографии 2016
Специальная тема симпозиума: "Будущее асимметричнойкриптографии".Перспективы развития квантовых компьютеров, а также последниерезультаты по решению задачи дискретного логарифмированияпотенциально являются серьезными угрозами для многих широкоиспользуемых механизмов асимметричной криптографии. Cледуетли ожидать серьезных прорывов в решении задачи дискретногологарифмирования и как будет развиваться пост-квантоваяасимметричная криптография –вопросы для обсуждения наCTCrypt’2016.Приглашенный докладчик: Игорь Семаев, Университет Бергена,Норвегия
В рамках симпозиума пройдет дискуссионная панель "Деньоткрытых дверей ТК 26 тема – гражданская криптография.
8 / 76
Генерация ключа
9 / 76
Ralph Merkle, Martin Hellman and Whit Diffiedeveloped the first public key cryptography exchange in1975.
10 / 76
Diffie-Hellman Problem (Discrete Logarithm Problem)
For a prime q a multiplicative group F⇥q = h{1, . . . , q � 1},⇥i of
the field Fq is cyclic, i.e. there exists a primitive element(generator) g such that
F⇥q = {g0, g1, g2, . . . }.
Given a primitive element g of a finite field Fq, the discretelogarithm of a nonzero element u 2 Fq is that integer k ,1 k q � 1, for which u = gk .Discrete logarithm problem: Given F⇥
q , g and h 2 {1, . . . q � 1}determine an integer a such that ga = h.Computational Diffie-Hellman problem: given h = ga and d = gb
find c = gab.Finding discrete logarithm is conditionally one-way function.
11 / 76
V. Shoup Theorem
A black-box group G is a finite group whose elements are encodedby (0,1)- strings (“codewords”) of uniform length n. (|G| 2
n).n is the encoding length of the black-box group.Group operations on the codewords are performed by a “black box”at unit cost.
The operations are:1. multiplication, 2. inversion, and 3. identity testing (decision whetheror not a given string encodes the identity).A black-box group is given by a list of generators.
Theorem (Shoup 1997)
In a “black box group” of prime order ` it takes at leastp` operations
to solve the discrete logarithm problem
12 / 76
Diffie-Hellman Protocol for Key Generation 1976
Choose a large prime q and a primitive element (generator) g 2 F⇥q
Stage I.Alice randomly selects a 2 {1, . . . , q � 1}, computes KA = ga,sends KA to BobBob randomly selects b 2 {1, . . . , q � 1}, computes KB = gb,sends KB to Bob
Stage II.
Alice computes K = K aB = gba on her side,
Bob computes K = K bA = gab on his side
Passive Melory: Security based on Diffie-Hellman problem: given ga
and gb compute gab.Active Melory: . . .
13 / 76
Diffie-Hellman Protocol Example.
q=23, F⇥23
Найти генератор g (все генераторы)Alice: a=6,Bob: b=5.Сгенерировать общий ключ.
14 / 76
1. Quantum Postulates. Qubit.
Qubit is a unit vector in the two-dimensional Hilbert complexspace H2.
| i = a0
|0i+ a1
|1i, ||| i||2 = |a0
|2 + |a1
|2 = 1
Case of real amplitudes.
| (w)i = cos ✓|0i+ sin ✓|1i
|ψ⟩
|0⟩
|1⟩
θ
15 / 76
1. Quantum Postulates. Qubit Transformation.
Quantum transformation U of qubits is a unitary transformation
U : H2 ! H2, | 0i = U| i.
Example
|0i = (1, 0)T , |+i = 1p2
|0i+ 1p2
|1i
|1i = (0, 1)T , |�i = 1p2
|0i � 1p2
|1i.
|+i = H|0i |�i = H|1i
Computational basis (C-basis): {|e0
i, |e1
i} = {|0i, |1i},Hadamar (Diagonal) basis (H-basis): {|e
0
i, |e1
i} = {|+i, |�i}
16 / 76
1. Quantum Postulates. Qubit Extracting an Information
Extracting information from | i| i = a
0
|e0
i+ a1
|e1
iMeasuring | i in respect to basis {|e
0
i, |e1
i}.
Pr [extract 0 from | i] = (he0
| i)2 = |a0
|2.
Pr [extract 1 from | i] = (he1
| i)2 = |a1
|2.
17 / 76
1. Quantum Postulates. Qubit Extracting an Information
Example
| i = 1p2
|0i+ 1p2
|1i
Measuring | i in respect to C-basis {|0i, |1i}.
Pr [extract 0 from | i] = Pr [extract 1 from | i] = 1/2
Measuring | i in respect to H-basis {|+i, |�i}.
Pr [extract 0 from | i] = (h+ | i)2 = 1.
Pr [extract 1 from | i] = (h� | i)2 = 0.
18 / 76
Quantum key Distribution. Protocol BB844
1 One cannot measure the polarization of a photon in the H-basisand simultaneously in the C-basis.- Нельзя одновременно измерить поляризацию фотона в двухразличных базисах.
2 One cannot duplicate an unknown quantum state (No cloningtheorem).- Невозможно копировать неизвестное квантовое состояние.
3 Every measurement perturbs the system.- Каждое измерение изменяет (возмущает) квантовую систему.
19 / 76
Protocol BB84 “на пальцах”
20 / 76
Protocol BB84
In the BB84 scheme, Alice begins with two strings of bits, a and b, eachn bits long. She then encodes these two strings as a string of n qubits,
| i =nO
i=1
| ai bi i.
ai and bi are the i th bits of a and b, respectively. Together, aibi give usan index into the following four qubit states:
| 00
i = |0i, | 10
i = |1i
| 01
i = |+i = 1p2
|0i+ 1p2
|1i, | 11
i = |�i = 1p2
|0i � 1p2
|1i.
The bit bi is responsible for basis (C-basis or the H-basis) in which ai isencoded in. The qubits are now in states which are not mutuallyorthogonal, and thus it is impossible to distinguish all of them withcertainty without knowing b. 21 / 76
Protocol EPR
EPR pair
| i = 1p2
|00i+ 1p2
|11i
| i 6= |�1
i ⌦ |�2
i
In the EPR protocol scheme, Alice wishes to send a private key toBob. She begins with n string of EPR pairs, ...The protocol proceeds then similar to the BB84...
22 / 76
Контроль целостности информации,аутентификация, цифровая подпись
на основе хеширования
23 / 76
One-way function
Let f : ⌃⇤ ! ⌃⇤ be a function. Consider the following experimentdefined for any inverting probabilistic polynomial-time algorithm A andany value n 2 N:
The inverting experiment lnvertA,f : N ! {0, 1}1 Choose input x 2 ⌃n. Compute y = f (x).2 probabilistic polynomial-time algorithm A is given 1
n and y asinput, and outputs x 0.
3 The output of the experiment is defined to be 1 if f (x 0) = y , and 0otherwise.
24 / 76
One-way function
DefintionA function f : ⌃⇤ ! ⌃⇤ is one-way if the following two conditions hold:
1 (Easy to compute:) There exists a polynomial-time algorithm Mfcomputing f ; that is, Mf (x) = f (x) for all x .
2 (Hard to invert:) For every probabilistic polynomial-time algorithmA, for any polynomial p(n) 2 POLY it is hold
Pr [lnvertA,f (n) = 1] 1/p(n).
25 / 76
TheoremIf One-way function exist then NP 6= P.
1.Suppose f : {0, 1}⇤ ! {0, 1}⇤ is a strong one-way function, Define
Lf = {(x , y , 1k ) : there exists u 2 {0, 1}k such that f (xu) = y},
2. Lf 2 NP since given (x , y , 1k ) 2 Lf a certificate is any u 2 {0, 1}k
such that f (xu) = y .3. Lf 2 NP\P:Suppose that P = NP. Then inverting polynomial algorithm A :Input: (f (x), 1k )z := ;; i := 1;while i k doif (z0, f (x), 1k�i) 2 Lf then z := z0 else z := z1;i := i + 1;if f (z) = f (x) output zend-while
26 / 76
Lamport digital scheme
27 / 76
Discrete Logarithm (recall)
For a prime q a multiplicative group F⇥q = h{1, . . . , q � 1},⇥i of
the field Fq is cyclic, i.e. there exists a primitive element(generator) g such that
F⇥q = {g0, g1, g2, . . . }.
Given a primitive element g of a finite field Fq, the discretelogarithm of a nonzero element u 2 Fq is that integer k ,1 k q � 1, for which u = gk .Discrete logarithm problem: Given F⇥
q , g and h 2 {1, . . . q � 1}determine an integer a such that ga = h.
28 / 76
ElGamal signature scheme. Схема цифровой подписиЭль-Гамаля.
q � (large enough) prime number. g � generator of F⇥q .
k � private key. a = gk � public key.r � random key. c = gk � second public key.m � message.Signature equation for the message and keys and its solution:
gm = gkc+rx ) x =m � kc
r.
Thengm =
⇣gk
⌘c · (gr )x = ac · cx
Protocol.1 Alice sends a everybody. Akice sends Bob m, c, x .2 Bob reads m and check whether gm = ac · cx?
29 / 76
Cryptographic hash-function
h : ⌃⇤ ! ⌃⇤, h : ⌃k ! ⌃m, k > m
1 Pre-image resistance: Given h(x), it should be difficult to find x ,that is, these hash functions are one-way functions.Хеш-функция h должна быть однонаправленной (точнее“условно однонаправленной” на сегодняшний день).
2 Second pre-image resistance: Given w , it should be difficult to findan v , such that h(w) = h(v).для заданного сообщения w должно быть “вычислительносложно” подобрать другое сообщение v , для которогоh(w) = h(v).
3 Collision resistance: It should be difficult to find any distinct pairw , v , such that h(w) = h(v).должно быть “вычислительно сложно” подобрать парусообщений (w , v) такую, что h(w) = h(v).
30 / 76
Date integrity. Целостность информации.
Криптографическая проверка целостности передаваемойинформации от Алисы (A) к Бобу (B) заключается в вычисленииАлисой хеша h(w) для передаваемого сообщения w и передачипары (w , h(w)) Бобу. Боб, получив пару (w 0, h(w)) на своей стороневычисляет значение h(w 0) и сравнивает значения h(w) и h(w 0).
31 / 76
Authetification. Аутентификация � проверкаподлинности пользователя.
Схема аутентификации вызов-ответ CHAP (Challenge HandshakeAuthentication Protocol).Протокол MS-CHAP (Microsoft Challenge Handshake AuthenticationProtocol)
1 пользователь посылает серверу запрос на доступ (login)2 сервер отправляет клиенту случайную последовательность v3 на основе этой случайной последовательности v и пароля w
пользователя клиент вычисляет значение h(vw) хеш-функциина vw
4 клиент пересылает хеш h(vw) серверу5 сервер сверяет присланный хеш h(vw) со своим вычисленным
h(vw)6 в случайные промежутки времени сервер отправляет новую
последовательность v 0 и повторяет шаги с 2 по 5.32 / 76
Quantum hashing. Basic idea
The basic idea of our work is
to hash (to encode) words (classical information) into quantum state.
Such encoding:Must be One-way function.Quantumly one-way (physically one-way).Must be collision (almost) free.Quantumly resistant (physically resistant) – encoding must bedesigned to have maximum output difference between adjacentinputs.
33 / 76
1. Quantum Postulates for Quantum Cryptography
Mathematically. Qubit
| i = a0
|0i+ a1
|1i, ||| i||2 = |a0
|2 + |a1
|2 = 1
is a unit vector in the two-dimensional Hilbert complex space H2.(H2)⌦s = H2 ⌦ · · ·⌦H2 – (2s)-dimensional Hilbert space of squbits
| i =2
s�1Xi=0
ai |ii,2
s�1Xi=0
|ai |2 = 1.
Quantum (classical-quantum) function maps words to quantum states
: ⌃k ! (H2)⌦s, : w 7! | (w)i ( : |0i,w 7! | (w)i).
34 / 76
Quantum Transformation, Extracting Information
Quantum Transformation
: H2
s ⇥ ⌃k ! H2
s : |0i,w 7! | (w)i
determined by an 2
s ⇥ 2
s unitary matrix U(w).
| (w)i = U(w)|0i.
Extracting information from | i
| i =2
s�1Xi=0
ai |ii,2
sXi=1
|ai |2 = 1.
Measuring | i in respect to orthonormal basis {|0i, . . . , |2s � 1i}.
Pr [extract |0i from | i] = (h0 | (w)i)2 = |a0
|2.
35 / 76
Quantum Branching Program � computational model forquantum functions
xj1 • ⌫��⇣⌘✓◆ · · ·
xj2 • ⌫��⇣⌘✓◆ · · ·...
xjl · · · • ⌫��⇣⌘✓◆|�1i
U1(1) U1(0) U2(1) U2(0)
· · ·
Ul(1) Ul(0)
NM���|�2i · · · NM���| 0i
8>>>>>><>>>>>>: ...|�qi · · · NM���
36 / 76
One-way ✏-Resistant Function
DefinitionLet X be random variable distributed over X {Pr [X = w ] : w 2 X}.Let : X ! (H2)⌦s be a quantum function.Let Y is any random variable over X obtained by some mechanismM making some measurement to quantum state | (X )i (of theencoding of X ) and decoding the result of measurement to X.Let ✏ > 0. We call a quantum function a one-way ✏-resistantfunction if for any mechanism M, the probability Pr [Y = X ] thatM successfully decodes Y is bounded by ✏
Pr [Y = X ] ✏.
37 / 76
Quantum One-Way property. Holevo-Nayak theorem
A. Holevo. (Проблемы передачи информации 1973)We can not extract from s-qubit quantum state | i more than s bits ofinformation.
Theorem (Holevo-Nayak)Let w is a k bit binary word.Let w be encoded into s qubit quantum state | (w)i.Let then the state | (w)i is decoded via some mechanism back toa k bit word v .
Then our probability of correct decoding is given by
Pr [v = w ] 2
s
2
k .
38 / 76
Collision �-Resistant Function
DefinitionLet � > 0. We call a quantum function
: ⌃k ! (H2)⌦s
a collision �-resistant function if for any pair w ,w 0 of different elements,��h (w) | (w 0)i�� �.
39 / 76
REVERSE-test
given w and | (v)i = U(v)|0i, applies U�1(w) to the state | (v)iand measures the resulting state in respect the state |0i.The test outputs v = w iff the measurement outcome is |0i.
PrREVERSE(v = w) = (h0 | U�1(v)| (w)ii)2 (1)
If w = v , then U�1(v)| (w)i would always give |0i, andREVERSE-test would give the correct answer.
PrREVERSE(v = v) = 1.
If v 6= w
PrREVERSE(w = v) can be (unfortunately) close to 1
40 / 76
Property
Let hash function : w 7! | (w)i satisfy the following condition. Forany two different elements v ,w 2 X it is true that
|h (v) | (w)i| �.
ThenPrreverse[v = w ] �2.
Proof. Using the property that unitary transformation keeps scalarproduct we have that
Prreverse[v = w ] = |h0 | U�1(v) (w)i|2= |hU�1(v) (v) | U�1(v) (w)i|2= |h (v) | (w)i|2 �2.
41 / 76
Quantum Hash Function
Definition (✏, �)-Resistant (|⌃k |, s) Quantum Hash-functionWe call a function
: ⌃k ! (H2)⌦s
an (✏, �)-Resistant (|⌃k |, s) Quantum Hash-function if: is easily computed, that is, for a particular w 2 ⌃k a state| (w)i can be determined using a polynomial-time algorithm is a one-way ✏-resistant function is a collision �-Resistant (|⌃k |, s) function:for different words w ,w 0 2 ⌃k��h (w) | (w 0)i�� �.
42 / 76
Example 1.
Word (binary) w = w0
. . .wk�1
.Number w =
Pk�1
i=0
wi2i .
Example
We encode a word w 2 {0, 1}k into one qubit:
: {0, 1}k ! H2
| (w)i = cos
✓2⇡w2
k
◆|0i+ sin
✓2⇡w2
k
◆|1i,
43 / 76
| (w)i – one qubit
| (w)i = cos ✓|0i+ sin ✓|1i = cos
✓2⇡w2
k
◆|0i+ sin
✓2⇡w2
k
◆|1i,
|ψ⟩
|0⟩
|1⟩
θ
44 / 76
Example 2.
Example
We consider a number v 2 {0, . . . , 2k � 1} to be also a binary wordv 2 {0, 1}k . Let v = �
1
. . .�k . We encode v by k qubits:
: v 7! |vi = |�1
i · · · |�k i
45 / 76
Lower bound for s for �-Resistant (|⌃k |, s) quantumfunction
Theorem (Lower Bound)
If : ⌃k ! (H2)⌦s is �-Resistant (|⌃k |, s) quantum function then
s � log k � log log
⇣1 +
p2/(1 � �)
⌘� 1.
||| i|| =p
h | i||| i � | 0i||2 = ||| i||2 + ||| 0i||2 � 2h | 0i = 2 � 2h | 0i.
PropertyIf is �-Resistant, then for w ,w 0
⇢(| (w)i, | (w 0)i) = |||wi � |w 0i|| �p
2(1 � �) = �.
46 / 76
Balanced Quantum Hash Functions
The above properties provide a basis for building a “balanced”one-way ✏-resistance and collision �-resistance properties.That is, roughly speaking, if we need to hash elements w from adomain ⌃k with |⌃k | = K and if one can build for a � > 0 acollision �-resistant (K ; s) hash function with
s ⇡ log k log |⌃|� c(�)
qubits then the function f will be a one-way ✏-resistant with✏ ⇡ (log K/K ).
47 / 76
Quantum fingerprinting function (2001)H. Buhrman, R. Cleve, J. Watrous, and R. de Wolf
Let E : {0, 1}k ! {0, 1}n be an (n, k , d) error correcting code withHamming distance d .Family E = {E
1
, . . .En}, here Ei(w) – i-th bit of code word.Quantum fingerprinting function E : {0, 1}k ! (H2)⌦s,
| E(w)i = 1pn
nXi=1
|ii|Ei(w)i
48 / 76
Quantum fingerprinting = binary quantum hash function
Property
For s = log n + 1, � � (1 � d/n) function FE is an�
2n2
k , ��-Resistant
(2k , s) quantum hash function.
w ,w 0 h (w) | (w 0)i =?
49 / 76
Examples
Repeation codes
Hadamard Matrix H1
= [1].
H2
=
1 1
1 �1
�, H
4
=
H
2
H2
H2
�H2
�H
2
l = H2
⌦ H2
l�1
Hadamard code H.1 7! 0; �1 7! 1.
50 / 76
“Non binary” quantum hash function (2008)
F. Ablayev, A. VasilievFq – finite field, q – prime power. H = {h
1
, . . . hT} where
hj : Fq ! Fq hj(w) = bjw (mod q).
For s = log T + 1 Quantum function H : Fq ! (H2)⌦s,
| H(w)i = 1pT
TXj=1
|ji✓
cos
2⇡hj(w)
q|0i+ sin
2⇡hj(w)
q|1i
◆.
Property (Ablayev, Vasiliev 2013)
For � > 0, for T = d(2/�2) ln(2q)e, for s = log T + 1 there exists afamily
H�,q = {h1
, . . . , hT}such that H�,q is an �-R (q, s) quantum hash function.
51 / 76
Quantum function generated by a family of functions.Example
Binary word w = w0
. . .wk�1
, number w =Pk�1
i=0
wi2i , bj 2 Fq.
Family H = {h1
, . . . , hT}hj(w) = bjw (mod q).
Quantum function hj : {0, 1}k ! H2 generated by h 2 H
| hj (w)i = cos
2⇡hj(w)
q|0i+ sin
2⇡hj(w)
q|1i
Quantum function H : {0, 1}k ! (H2)⌦(log T+1) generated by H
| H(w)i = 1pT
TXj=1
|ji| hj (w)i =
1pT
TXj=1
|ji✓
cos
2⇡hj(w)
q|0i+ sin
2⇡hj(w)
q|1i
◆.
52 / 76
Quantum hash generator
Let G = {g1
, . . . , gD} be a family of functions gj : ⌃k ! Fq. Let ` � 1
be an integer and gj , j 2 {1, . . . ,D}, be a quantum functions
gj : ⌃k ! (H2)`,
determined by gj 2 G. Let d = log D. We define a quantum function
G : ⌃k ! (H2)⌦(d+`)
by the rule
G(w) =1pD
DXj=1
|ji|{z}d
| gj (w)i| {z }`
.
We call G a �-R (|⌃k |, d + `) quantum hash generator, if G is an �-R(|⌃k |, d + `) quantum hash function.
53 / 76
Examples of quantum hash generator
Binary
For binary (n, k , d) error correcting code E : {0, 1}k ! {0, 1}n withHamming distance d the following is true.For � = 1 � d/n The family
E = {E1
, . . .En}
is �-R (2k , log n + 1) quantum hash generator
Non binary
For � > 0, for q prime power, for T = d(2/�2) ln(2q)e there exists a set
H�,q = {h1
, . . . , hT}
which is an �-R (q, log T + 1) quantum hash generator.
54 / 76
✏-Universal Hash Family (Carter, Wegman 1979).
q � prime, Fq � field, K = |Fkq| = qk .
✏-Universal (n, qk , q) hash family
A hash function is a map f : Fkq ! Fq.
A hash family F = {f1
, . . . , fn} is called ✏-Universal, if the f 2 F ischosen uniformly at random, then the probability Pr [f (w) = f (w 0)]that any two distinct words w ,w 0 2 ⌃k collide under f is at most ✏
Pr [f (w) = f (w 0)] ✏.
The parameter ✏ is often referred to as the collision probability ofthe hash family F .The case of ✏ = 1/n is known as universal hashing.
55 / 76
✏-Universal Hash Family
q � prime, Fq � field, K = |Fkq|.
A hash function is a map f : Fkq ! Fq.
✏-Universal hash familyA hash family F = {f
1
, . . . , fn} is called ✏-Universal, if for any twodistinct words w ,w 0:
|{f 2 F : f (w) = f (w 0)}| ✏n.
F – ✏-U (n;K , q)
56 / 76
Quantum hashing via classical hashing constructions
Let F = {f1
, . . . , fN} be an ✏-U (N; |⌃k |, q) hash family
fi : ⌃k ! Fq.
Let H = {h1
, . . . , hT}hj : Fq ! Fq.
be an �-R (q, log T + `) quantum hash generator.Define composition G = F � H of families F and H
G = {gij(w) = hj(fi(w)) : i 2 {1, . . . ,N}, j 2 {1, . . . ,T}},
TheoremArXiv http://arxiv.org/abs/1404.1503G = F � H is an �-R (|⌃k |, s) quantum hash generator, where
� ✏+ � and s = log N + log T + `.
57 / 76
Quantum hashing based on Freivalds’ fingerprinting 1979
For w 2 {0, 1}k (also w 2 F2
k ), for the i-th prime pi a function
fi : {0, 1}k ! Fpi fi(w) = w (mod pi).
is a fingerprint of w .
Freivalds 1979
Pick c > 1, pick M = ck ln k .⇡(M) – the number of primes less than or equal to M.⇡(M) ⇠ M/ ln M as M ! 1.The set
FM = {f1
, . . . , f⇡(M)}of fingerprints is a (1/c)-U (⇡(M); 2k ,M) hash family.
58 / 76
Quantum hashing based on Freivalds’ fingerprinting
Theorem1 Let c > 1, let M = ck ln k . Let FM = {f
1
, . . . , f⇡(M)}be a (1/c)-U (⇡(M); 2k ,M) hash family.
2 Let q 2 {M, . . . , 2M} be a prime, let � > 0. Let H�,q = {h1
, . . . , hT}be an �-R (q, log T + 1) quantum hash generator.
Then family G = FM � H�,q is a �-R (2k ; s) quantum hash generator,where
� 1
c+ � s log ck + log log k + log log q + 2 log 1/� + 3.
Lower bond
s � log k + log log q � log log
⇣1 +
p2/(1 � �)
⌘� 1.
59 / 76
Quantum hashing from universal linear hash family
1979-1980Let k > 0 – integer, q – prime power, X = (Fq)k\{(0, . . . , 0)}.For every vector a 2 (Fq)k define hash function fa : X ! Fq by the rule
fa(w) =kX
i=1
aiwi .
ThenFlin = {fa : a 2 (Fq)
k}is an (1/q)-U (qk ; (qk � 1); q) hash family (universal hash family).
60 / 76
Quantum hashing from universal linear hash family
TheoremFor arbitrary � 2 (0, 1) composition G = Flin � H�,q is a �-R (qk ; s)quantum hash generator with � (1/q) + � and
s k log q + log log q + 2 log 1/� + 3.
Lower bound
s � log k + log log q � log log
⇣1 +
p2/(1 � �)
⌘� 1.
This lower bound shows that the quantum hash function G is notasymptotically optimal in the sense of number of qubits used for theconstruction.
61 / 76
✏-Universal Hash Family
q � prime, Fq � field, K = |Fkq|.
A hash function is a map f : Fkq ! Fq.
✏-Universal hash familyA hash family F = {f
1
, . . . , fn} is called ✏-Universal, if for any twodistinct words w ,w 0:
|{f 2 F : f (w) = f (w 0)}| ✏n.
F – ✏-U (n;K , q)
62 / 76
Error Correcting Codes
q � prime, Fq � field.
[n, k , d ]q linear code[n, k , d ]q linear error correcting code with Hamming distance at least d .
C : Fkq ! Fn
q, C = {C(w1
),C(w2
), . . . ,C(w|qk |}
63 / 76
✏-Universal Hash Family and Error Correcting Codes
Theorem (Bierbrauer, Johansson, Kabatianskii 1994)1 If there exists an [n, k , d ]q code, then there exists an ✏-Universal
(n, qk , q) hash family with
✏ ✓
1 � dn
◆.
Conversely.2 If there exists an ✏-Universal (n, qk , q) hash family, then there
exists an [n, k , d ]q code with
d = n(1 � ✏).
64 / 76
✏-Universal Hash Family and Error Correcting Codes
q � prime, Fq � field.
✏-Universal Hash Family
f : Fkq ! F
F = {f1
, . . . , fn}F � ✏-Universal (n; k , q), if for any two distinct words w ,w 0 2 Fk
q:
|{f 2 F : f (w) = f (w 0)}| ✏N.
d � n � �n.
Theorem
65 / 76
Quantum hash functions based on error correcting codes
Theorem
Let C – be a linear [n, k , d ]q ECC
C : Fkq ! Fn
q.
Then for arbitrary � 2 (0, 1) there exists �-R (qk ; s) quantum hashgenerator G, where
� = (1 � d/n) + �,
s log n + log log q + 2 log 1/� + 4.
Proof idea. Having [n, k , d ]q ECC C one can construct (1 � d/n)-U(n; qk ; q) hash family FC . J. Bierbrauer, T. Johansson, G. Kabatianskii,B. Smeets 1994
66 / 76
Quantum hash functions based on [n, k , d ]q RS-code
q – prime power, k n q. A common special case is n = q � 1. Eachword w 2 (Fq)k , w = w
0
w1
. . .wk�1
associated with the polynomial
Pw (x) =k�1Xi=0
wixi .
CRS : (Fq)k ! (Fq)
n w 7! CRS(w) = (Pw (1) . . .Pw (n))
(k � 1)/q-U (q;Fkq; q) hash family FRS = {fa : a 2 A} For a 2 Fq\0
define fa
fa : (Fq)k ! Fq fa(w
0
. . .wk�1
) =k�1Xi=0
wiai .
67 / 76
Quantum hash functions based on Reed-Solomon codes
Theorem.Let q be a prime power and let 1 k q. Then for arbitrary ✓ 2 (0, 1)there is a �-R (qk , s) quantum hash generator GRS such that� k�1
q + ✓ and s log (k log q) + 2 log 1/✓ + 4.
If we select n 2 [ck , c0k ] for constants c < c0, then � 1/c + � for� 2 (0, 1) and
s log (q log q) + 2 log 1/�+ 4.
Lower bound
s � log (q log q)� log log
⇣1 +
p2/(1 ��)
⌘� log c0/2
Thus, Reed Solomon codes provides good enough parameters forresistance value � and for a number s of qubits we need to constructquantum hash function RS.
68 / 76
Explicit constructions of GRS and GRS .
Let H�,q = {h1
, . . . , hT}, where hj : Fq ! Fq and T = d(2/�2) ln 2qe.composition
GRS = FRS � H�,q = {gj i = hj(fai ) : j 2 [T ], i 2 [n]}
For s = log n + log T + 1 defines function GRS for a word w 2 (Fq)k bythe rule.
GRS (w) =1pn
nXi=1
|ii ⌦0@ 1p
T
TXj=1
|ji| gji (w)i1A .
=1pnT
n,TXi=1,j=1
|ii|ji|{z}log n+log T
⌦⇣
cos
2⇡hj(fai (w))
q|0i+ sin
2⇡hj(fai (w))
q|1i
⌘| {z }
| gji (w)i – one qubit
.
69 / 76
Application for Digital Signature. Lamport scheme(Quantum variant)
1 Alice private keys:a word w = �
1
. . .�k for the bit 0
a word v = �01
. . .�0k for the bit 1.
2 Alice prepares two pairs – public key (quantum state) and aclassical bit:
(| (w)i, 0) and (| (v)i, 1)by preparing states : |0i,w 7! | (w)i and : |0i, v 7! | (v)i
3 Alice sends pairs (| (w)i, 0) and (| (1)i, 1) to Bob.Bob keeps these pairs.
4 Sign procedure:Alice decided to sign the bit 1. ThenAlice sends (classical) pair (v , 1) to Bob.
5 Verifying Signature: Bob using v Reverse | (v)i to | i.Bob verify whether | i = |0i.
70 / 76
Double key Signature. (Quantum variant)
: Zn ! (H2)⌦s – public Quantum Hash Function (QHF)1 Alice private key:
an element a 2 Zn2 Alice public key (quantum state) | (a)i3 Alice sends | (a)i to Bob.4 Alice Sign procedure:
message m 2 Zn,Signature equation x + m = a.second private key x , second Public key | (x)i.Pair (message,signature) is (m, | (x)i).
5 BobVerifying Signature: using m computes state | (x + m)iverify whether | (a)i = | (x + m)i.
The probability Pr [y = a] to find y = a from | (a)i (y = x from| (x)i)
Pr [y = a] = log |Zn|/|Zn|.71 / 76
How to compute | (w)i – one qubit quantum function
| (w)i = cos ✓|0i+ sin ✓|1i = cos
✓2⇡w2
k
◆|0i+ sin
✓2⇡w2
k
◆|1i,
|ψ⟩
|0⟩
|1⟩
θ
72 / 76
Computational model
x1 • ···
x2 • ···...
xn ··· •|0i
R R
···R NM���
73 / 76
Computational model – Quantum Branching Program –quantum case of Algebraic Branching Program
xj1 • ⌫��⇣⌘✓◆ · · ·
xj2 • ⌫��⇣⌘✓◆ · · ·...
xjl · · · • ⌫��⇣⌘✓◆|�1i
U1(1) U1(0) U2(1) U2(0)
· · ·
Ul(1) Ul(0)
NM���|�2i · · · NM���| 0i
8>>>>>><>>>>>>: ...|�qi · · · NM���
74 / 76