Song Y. Yan
Quantum Attacks on Public-Key Cryptosystems
Song Y. Yan
Department of Mathematics
Harvard University
Cambridge, MA
USA
ISBN 978-1-4419-7721-2    ISBN 978-1-4419-7722-9 (eBook)
DOI 10.1007/978-1-4419-7722-9
Springer New York Heidelberg Dordrecht London
Library of Congress Control Number: 2013935220
© Springer Science+Business Media, LLC 2013
Contents
1. Classic and Quantum Computation  1
  1.1 Classical Computability Theory  1
  1.2 Classical Complexity Theory  7
  1.3 Quantum Information and Computation  15
  1.4 Quantum Computability and Complexity  21
  1.5 Conclusions, Notes, and Further Reading  26
  References  28
2. Quantum Attacks on IFP-Based Cryptosystems  31
  2.1 IFP and Classical Solutions to IFP  31
  2.2 IFP-Based Cryptography  52
  2.3 Quantum Attacks on IFP and IFP-Based Cryptography  72
  2.4 Conclusions, Notes, and Further Reading  86
  References  86
3. Quantum Attacks on DLP-Based Cryptosystems  93
  3.1 DLP and Classic Solutions to DLP  93
  3.2 DLP-Based Cryptography  109
  3.3 Quantum Attack on DLP and DLP-Based Cryptography  122
  3.4 Conclusions, Notes, and Further Reading  131
  References  132
4. Quantum Attacks on ECDLP-Based Cryptosystems  137
  4.1 ECDLP and Classical Solutions  137
  4.2 ECDLP-Based Cryptography  151
  4.3 Quantum Attack on ECDLP-Based Cryptography  173
  4.4 Conclusions, Notes, and Further Reading  184
  References  185
5. Quantum Resistant Cryptosystems  189
  5.1 Quantum-Computing Attack Resistant  189
  5.2 Coding-Based Cryptosystems  190
  5.3 Lattice-Based Cryptosystems  192
  5.4 Quantum Cryptosystems  194
  5.5 DNA Biological Cryptography  196
  5.6 Conclusions, Notes, and Further Reading  199
  References  200
Index  205
Preface
If we knew what it was we were doing, it would not be called research,
would it?
Albert Einstein (1879–1955)
The 1921 Nobel Laureate in Physics
In research, if you know what you are doing, then you shouldn’t be
doing it.
Richard Hamming (1915–1998)
The 1968 Turing Award Recipient
It is well known that the security of the most widely used public-key cryptosystems such as RSA (Rivest-Shamir-Adleman), DSA (digital signature algorithm), and ECC (elliptic curve cryptography) relies on the intractability of one of the following three number-theoretic problems, namely, the integer factorization problem (IFP), the discrete logarithm problem (DLP), and the elliptic curve discrete logarithm problem (ECDLP). Since no polynomial-time algorithms have been found so far for solving these three hard problems, the cryptosystems based on them are secure. There are, however, quantum algorithms, due to Shor and others, which can solve these three intractable problems in polynomial time, provided that a practical quantum computer can be constructed.
The monograph provides a quantum approach to solving all three of these intractable number-theoretic problems and to attacking the cryptosystems based on them. The organization of the book is as follows. Chapter 1 provides an introduction to the basic concepts and ideas of quantum computation. Chapter 2 discusses Shor's quantum factoring algorithm and its application to the cryptanalysis of IFP-based, particularly RSA, cryptosystems. Chapter 3 discusses Shor's quantum discrete logarithm algorithm and its application to the cryptanalysis of DLP-based cryptosystems. Chapter 4 is devoted to the study of the extension of Shor's quantum algorithms for solving the ECDLP and the attacks on ECDLP-based cryptosystems. Finally, in Chapter 5, some quantum resistant public-key cryptosystems are studied, which can be used in the post-quantum age.
The monograph is a revised and extended version of the author's earlier book Cryptanalytic Attacks on RSA, with an emphasis on quantum attacks for public-key cryptography. It is self-contained and can be used as a basic reference for computer scientists, mathematicians, electrical engineers, and physicists interested in quantum computation and quantum cryptography. It can also be used as a final year undergraduate or a first-year graduate text in the field.
Acknowledgments
The author would like to thank the three anonymous referees for their very helpful suggestions and comments. Special thanks must be given to Prof Michael Sipser and Prof Ronald Rivest at MIT, Prof Benedict Gross at Harvard, Susan Lagerstrom-Fife, Courtney Clark and Jennifer Maurer at Springer New York, for their encouragement, support, and help. The research was supported in part by the Royal Academy of Engineering, London, the Royal Society, London, Harvard University, Massachusetts Institute of Technology, and Wuhan University.
Finally, the author would specifically like to thank Prof Yanxiang He, Dean of Computer School of Wuhan University, for his encouragement, support, and collaboration.
Cambridge, MA S.Y. Yan
1. Classic and Quantum Computation
Anyone who is not shocked by quantum theory has not understood it.
Niels Bohr (1885–1962)
The 1922 Nobel Laureate in Physics
In this chapter, we shall first give an account of the basic concepts and results in classical computability and complexity and then the quantum computability and complexity, which will be used throughout the book.
1.1 Classical Computability Theory
Computability studies what a computer can do and what a computer cannot do. As a Turing machine can do everything that a real computer can do, our study of computability will be within the theoretical framework of Turing machines.
Turing Machines
The idea and the theory of Turing machines were first proposed and studied by the great English logician and mathematician Alan Turing (1912–1954) in his seminal paper [43] published in 1936 (see Fig. 1.1). First of all, we shall present a formal definition of the Turing machine.

Figure 1.1. Alan Turing and the first page of his 1936 paper

Definition 1.1. A standard multitape Turing machine, $M$ (see Fig. 1.2), is an algebraic system defined by
$$M = (Q, \Sigma, \Gamma, \delta, q_0, \sqcup, F) \qquad (1.1)$$
where
1. $Q$ is a finite set of internal states.
2. $\Sigma$ is a finite set of symbols called the input alphabet. We assume that $\Sigma \subseteq \Gamma \setminus \{\sqcup\}$.
3. $\Gamma$ is a finite set of symbols called the tape alphabet.
4. $\delta$ is the transition function, which is defined by
   (a) If $M$ is a deterministic Turing machine (DTM), then
   $$\delta : Q \times \Gamma^k \to Q \times \Gamma^k \times \{L, R\}^k \qquad (1.2)$$
   (b) If $M$ is a nondeterministic Turing machine (NDTM), then
   $$\delta : Q \times \Gamma^k \to 2^{\,Q \times \Gamma^k \times \{L, R\}^k} \qquad (1.3)$$
   where $L$ and $R$ specify the movement of the read–write head left or right. When $k = 1$, it is just a standard one-tape Turing machine.
5. $\sqcup \in \Gamma$ is a special symbol called the blank.
6. $q_0 \in Q$ is the initial state.
7. $F \subseteq Q$ is the set of final states.
Figure 1.2. $k$-tape ($k \ge 1$) Turing machine: a finite state control unit with read–write heads on Tape 1, Tape 2, ..., Tape $k$
Turing machines, although simple and abstract, provide us with a most
suitable model of computation for modern digital and even quantum
computers.
Example 1.1. Given two positive integers $x$ and $y$, design a Turing machine that computes $x + y$. First, we have to choose some convention for representing positive integers. For simplicity, we will use unary notation in which any positive integer $x$ is represented by $w(x) \in \{1\}^+$, such that $|w(x)| = x$. Thus in this notation, 4 will be represented by 1111. We must also decide how $x$ and $y$ are placed on the tape initially and how their sum is to appear at the end of the computation. It is assumed that $w(x)$ and $w(y)$ are on the tape in unary notation, separated by a single 0, with the read–write head on the leftmost symbol of $w(x)$. After the computation, $w(x+y)$ will be on the tape followed by a single 0, and the read–write head will be positioned at the left end of the result. We therefore want to design a Turing machine for performing the computation
$$q_0\, w(x)\, 0\, w(y) \vdash^{*} q_f\, w(x+y)\, 0,$$
where $q_f \in F$ is a final state and $\vdash^{*}$ indicates an unspecified number of steps as follows:
$$q_0\, w(x)\, 0\, w(y) \vdash \cdots \vdash q_f\, w(x+y)\, 0.$$
Constructing a program for this is relatively simple. All we need to do is to move the separating 0 to the right end of $w(y)$, so that the addition amounts to nothing more than the concatenation of the two strings. To achieve this, we construct
$$M = (Q, \Sigma, \Gamma, \delta, q_0, \sqcup, F),$$
with
$$Q = \{q_0, q_1, q_2, q_3, q_4\}, \qquad F = \{q_4\},$$
and
$$\begin{aligned}
\delta(q_0, 1) &= (q_0, 1, R), \\
\delta(q_0, 0) &= (q_1, 1, R), \\
\delta(q_1, 1) &= (q_1, 1, R), \\
\delta(q_1, \sqcup) &= (q_2, \sqcup, L), \\
\delta(q_2, 1) &= (q_3, 0, L), \\
\delta(q_3, 1) &= (q_3, 1, L).
\end{aligned}$$
Note that in moving the 0 right we temporarily create an extra 1, a fact that is remembered by putting the machine into state $q_1$. The transition $\delta(q_2, 1) = (q_3, 0, L)$ is needed to remove this at the end of the computation.
This can be seen from the sequence of instantaneous descriptions for adding 111 to 11:
$$\begin{aligned}
q_0\, 111011 &\vdash 1 q_0\, 11011 \\
&\vdash 11 q_0\, 1011 \\
&\vdash 111 q_0\, 011 \\
&\vdash 1111 q_1\, 11 \\
&\vdash 11111 q_1\, 1 \\
&\vdash 111111 q_1 \\
&\vdash 11111 q_2\, 1 \\
&\vdash 1111 q_3\, 10 \\
&\;\;\vdots \\
&\vdash q_3\, \sqcup 111110 \\
&\vdash q_4\, 111110,
\end{aligned}$$
or briefly as follows:
$$q_0\, 111011 \vdash^{*} q_4\, 111110.$$