Transcript Lecture 22: Photons

Phun with Photons
28 April 2005
CS588 Spring 2005
David Evans
http://www.cs.virginia.edu/evans
Menu
• Visual Cryptography
• Quantum Cryptography
• Quantum Computing (very briefly)
• Cryptographic Hashing Attacks
– Boyd and Isabelle
CS588 Lecture 22
2
Visual Cryptography
• Can we quickly do a lot of XORs without
a computer?
• Yes:
Key Ciphertext
Key Ciphertext
0:
1:
.5 probability
CS588 Lecture 22
.5 probability
3
Key + Ciphertext
Key Ciphertext
Key Ciphertext
+
+
+
+
=0
=1
CS588 Lecture 22
4
Perfect Cipher?
Plaintext
0
Key Ciphertext
Key Ciphertext
1
.5 probability
CS588 Lecture 22
.5 probability
5
Perfect Cipher
Plaintext
0
Key Ciphertext
Key Ciphertext
1
.5 probability
.5 probability
P (C =
P (C =
| M = 0) = .5
=
| M = 1) = .5
P (C =
P (C =
| M = 0) = .5
=
| M = 1) = .5
CS588 Lecture 22
6
Yes!
Authentication for remote voting
Nathanael Paul, David Evans, Avi Rubin and Dan Wallach. Workshop
on Human-Computer Interaction and Security Systems. 6 April 2003
http://www.cs.virginia.edu/evans/pubs/remote-voting.html
• Remote voting offers convenience
– 69% votes cast by mail in 2001 in state of
Washington
• Electronic voting is cheaper and faster
– More secure?
– New problems: virus, worm, spoofing, denial of
service
• Mutual authentication
– Voter authenticated to server
– Server authenticated to voter
CS588 Lecture 22
7
Doing Encryption without Computers
• Can’t trust voters to have trustworthy
computers
– Viruses can tamper with their software
• Need to do authentication in a way that
doesn’t depend on correctness of user’s
software
• Lorenz cipher: use XOR to encrypt
– Is there a way to do lots of XOR’s without a
computer?
CS588 Lecture 22
8
Remote Voting System
STEP 1
Each voter is
sent a key, ki
keys
Ek (k1)
S
Ek(k2)
…
ki =
…
Ek(kn)
STEP 2
Key: AQEGSDFASDF
ki
STEP 3 – if ki valid…
STEP 4
ki =
“AQEGSDFASDF”
S
CS588 Lecture 22
client machine
9
client machine
Authentication
by
Transparency
CS588 Lecture 22
10
Quantum Cryptography
CS588 Lecture 22
11
Quantum Physics
for Dummies
• Light behaves like both a wave and a
particle at the same time
• A single photon is in many states at
once
• Can’t observe its state without
forcing it into one state
• Schrödinger’s Cat
– Put a live cat in a box with cyanide vial
that opens depending on quantum state
– Cat is both dead and alive at the same
time until you open the box
CS588 Lecture 22
12
Heisenberg’s Uncertainty
Principle
“We cannot know, as a matter of
principle, the present in all its details.”
Werner Heisenberg, 1920s
If you can’t know all the details about
something you can’t copy it.
Bits are easy to copy; photons are
impossible to copy.
CS588 Lecture 22
13
Quantum Cash
Stephen Wiesner, late 60s:
“I didn’t get any support from my thesis
advisor – he showed no interest in it at
all. I showed it to several other people,
and they all pulled a strange face, and
went straight back to what they were
already doing.”
(Quoted in Singh, The Code Book)
CS588 Lecture 22
14
Photon Polarity
Photons have “spin”:
V
H
+45º -45º
Vertical filter:
100% of V photons
50% of +45º photons (become V photons)
50% of -45º photons (become V photons)
0% of H photons
Horizontal filter:
100% of H photons
50% of +45º photons (become H photons)
50% of -45º photons (become H photons)
0% of V photons
CS588 Lecture 22
15
Photon Stream
Can’t tell difference
between V and +45º
and –45º photons
Vertical filter:
100% of V photons
50% of +45º photons (become V photons)
50% of -45º photons (become V photons)
0% of H photons
CS588 Lecture 22
16
Quantum Cash
$10000 Uncertainty Principal Bank
$10000
Spinning Photons
Unique ID
258309274917392
Richard Feynman
Safecracker, Father of Quantum Computing
$10000
CS588 Lecture 22
In Dice We Trust
17
$10000
Bank Verifies Bill
Unique ID
258309274917392
Spinning Photons
Uncertainty Principal
ID
…
Amount Photons
…
…
258309274917392
…
$10000
…
V-45H+45+45V
…
Bank aligns filters according to expected values. If photons on
bill all pass through filters, the bill is valid.
CS588 Lecture 22
18
Counterfeiting Quantum Cash
• To copy a bill, need to know the
photons.
• Counterfeiter can guess, but loses
information. Physics says there is no
way to measure the spins without
knowing them!
CS588 Lecture 22
19
Perfect Security?
• Bill photons: V (¼), +45 (¼), -45 (¼), H (¼)
• Guess V-filter: passes 100% of V photons, ½ of
+45 and ½ of -45
– p (M = V | passes V filter) =
.25 / (.25 + (.5 * .25) + (.5 * .25)) = .25/.5 = .5
If photon passes, counterfeiter can guess it is a V
photon, right ½ of the time. If photon doesn’t pass,
guess it’s a H photon, right ½ of the time.
– p (M = +45 | passes V filter) = .25
• Actually a bit more complicated – can guess
some photons wrong, and 50% chance bank
won’t notice.
CS588 Lecture 22
20
Guessing One +45º Photon
• Passes through V-filter (.5)
– Counterfeiter guesses V-photon
– Passes through Banks +45 filter (.5)
– .25 chance of getting it right
• Doesn’t passes through V-filter (.5)
– Counterfeiter guesses H-photon
– Passes through Banks +45 filter (.5)
– .25 chance of getting it right
• Probability of not getting caught = .5
• Forge bill with 6 photons = 1/26; use more
photons for more valuable bills.
CS588 Lecture 22
21
Quantum Key Distribution
CS588 Lecture 22
22
Quantum Key Distribution
• Charles Bennett (1980s)
• Use quantum physics to transmit a key with
perfect secrecy
• Alice sends a stream of random photons
• Bob selects random filters to try and guess
photons
• After, they communicate over insecure
channel to figure out which bits were
transmitted correctly
CS588 Lecture 22
23
Quantum Key Distribution
1. Alice generates a random sequence.
Transmits:
0:
or
(Randomly pick H or –45)
1:
or
(Randomly pick V or +45)
2. Bob randomly guesses filter:
Rectilinear detector: recognizes H and V
photons with 100% accuracy, randomly
misrecognizes diagonal photons.
Diagonal detector: recognizes -45 and +45
photons with 100% accuracy, randomly
misrecognizes H and V photons.
CS588 Lecture 22
24
Detecting Photons
• Bob picks the right detector:
– 100% chance of correctly recognizing bit
• Bob picks the wrong detector:
– 50% chance of “guessing” bit
• Bob can’t tell the difference
• But, Alice can (since she picked the
photon encoding)
CS588 Lecture 22
25
Finding Correct Guesses
3. Alice calls Bob over an insecure line,
and tell him rectangular/diagonal for
each bit. Bob tells Alice if he guessed
right. They use the bits he guessed
right on as the key.
4. Alice and Bob do some error checking
(e.g., use a checksum) to make sure
they have the same key.
CS588 Lecture 22
26
What about Eve?
• Eve can intercept the photon stream,
and guess filters.
• If she guesses right, she can resend
the same photon.
• If she guesses wrong, 50% chance
she will send the wrong photon.
• 50% chance Bob will guess the right
filter on this photon, so 25% chance
of error
CS588 Lecture 22
27
Eve is Caught
• When Alice and Bob agree on
which bits to use, Eve will have the
wrong ones since she guesses
different polarities.
• Eve cannot eavesdrop without Alice
and Bob noticing an unusually high
error rate!
CS588 Lecture 22
28
Is this practical?
CS588 Lecture 22
29
http://www.idquantique.com/
(Geneva, Switzerland)
CS588 Lecture 22
30
Movie Teaser
What’s in the “Sneakers”
Black Box?
A Quantum Computer
CS588 Lecture 22
32
Quantum Computing
• Feynman, 1982
• Quantum particles are in all possible states
• Can try lots of possible computations at once with
the same particles
• In theory, can test all possible
factorizations/keys/paths/etc. and get the right
one!
• In practice, major advances required before we
can build it (unless the NSA knows something we
don’t…): 7-qubit computer
– Adding another qubit is more than twice as hard
CS588 Lecture 22
33
Cryptographic Hashing Attacks
CS588 Lecture 22
34
Charge
• Tuesday:
– Project presentations
• Order will be determined pseudorandomly
– Reports due
• Sneakers: send me email before
Monday if you are coming
CS588 Lecture 22
35