Embed Size (px)
DESCRIPTION
3 CS588 Lecture 22 Visual Cryptography Can we quickly do a lot of XORs without a computer? Yes: 0: 1: Key Ciphertext.5 probability
Citation preview
28 April 200528 April 2005CS588 Spring 2005CS588 Spring 2005
David EvansDavid Evanshttp://www.cs.virginia.edu/evanshttp://www.cs.virginia.edu/evans
Phun with Phun with PhotonsPhotons
2CS588 Lecture 22
Menu• Visual Cryptography• Quantum Cryptography• Quantum Computing (very briefly)
• Cryptographic Hashing Attacks– Boyd and Isabelle
3CS588 Lecture 22
Visual Cryptography• Can we quickly do a lot of XORs
without a computer?• Yes:
0:
1:
Key Ciphertext Key Ciphertext
.5 probability .5 probability
4CS588 Lecture 22
Key + Ciphertext Key Ciphertext Key Ciphertext
+ +
+ +
= 0
= 1
5CS588 Lecture 22
Perfect Cipher? Key Ciphertext Key Ciphertext
.5 probability .5 probability
Plaintext0
1
6CS588 Lecture 22
Perfect Cipher Key Ciphertext Key Ciphertext
.5 probability .5 probability
Plaintext0
1
P (C = | M = 0) = .5 P (C = | M = 1) = .5
P (C = | M = 0) = .5 P (C = | M = 1) = .5
Yes!=
=
7CS588 Lecture 22
Authentication for remote voting
• Remote voting offers convenience – 69% votes cast by mail in 2001 in state of
Washington• Electronic voting is cheaper and faster
– More secure?– New problems: virus, worm, spoofing, denial
of service• Mutual authentication
– Voter authenticated to server– Server authenticated to voter
Nathanael Paul, David Evans, Avi Rubin and Dan Wallach. Workshop on Human-Computer Interaction and Security Systems. 6 April 2003 http://www.cs.virginia.edu/evans/pubs/remote-voting.html
8CS588 Lecture 22
Doing Encryption without Computers
• Can’t trust voters to have trustworthy computers– Viruses can tamper with their software
• Need to do authentication in a way that doesn’t depend on correctness of user’s software
• Lorenz cipher: use XOR to encrypt– Is there a way to do lots of XOR’s without
a computer?
9CS588 Lecture 22
Remote Voting SystemEk (k1)
Ek(kn)
Ek(k2)
… …
STEP 1 keys
ki
S
ki = “AQEGSDFASDF”
S
STEP 2STEP 3 – if ki valid… STEP 4
Key: AQEGSDFASDF
ki =
client machine client machine
Each voter is sent a key, ki
10CS588 Lecture 22
Authentication by
Transparency
11CS588 Lecture 22
Quantum Cryptography
12CS588 Lecture 22
Quantum Physics for Dummies
• Light behaves like both a wave and a particle at the same time
• A single photon is in many states at once
• Can’t observe its state without forcing it into one state
• Schrödinger’s Cat– Put a live cat in a box with cyanide vial
that opens depending on quantum state– Cat is both dead and alive at the same
time until you open the box
13CS588 Lecture 22
Heisenberg’s Uncertainty Principle
“We cannot know, as a matter of principle, the present in all its details.”Werner Heisenberg, 1920s
If you can’t know all the details about something you can’t copy it.
Bits are easy to copy; photons are impossible to copy.
14CS588 Lecture 22
Quantum CashStephen Wiesner, late 60s:
“I didn’t get any support from my thesis advisor – he showed no interest in it at all. I showed it to several other people, and they all pulled a strange face, and went straight back to what they were already doing.”
(Quoted in Singh, The Code Book)
15CS588 Lecture 22
Photons have “spin”:
V H +45º -45º
Photon Polarity
Vertical filter:100% of V photons 50% of +45º photons (become V photons) 50% of -45º photons (become V photons) 0% of H photonsHorizontal filter:100% of H photons 50% of +45º photons (become H photons) 50% of -45º photons (become H photons) 0% of V photons
16CS588 Lecture 22
Photon Stream
Vertical filter:100% of V photons 50% of +45º photons (become V photons) 50% of -45º photons (become V photons) 0% of H photons
Can’t tell differencebetween V and +45ºand –45º photons
17CS588 Lecture 22
Quantum CashUncertainty Principal BankUncertainty Principal Bank
$10000$10000
$10000$10000
$10000$10000
$10000$10000
In Dice We TrustIn Dice We Trust
Unique ID258309274917392
Spinning Photons
Richard FeynmanRichard FeynmanSafecracker, Father of Quantum ComputingSafecracker, Father of Quantum Computing
18CS588 Lecture 22
Bank Verifies BillUnique ID
258309274917392
Spinning Photons
Uncertainty PrincipalID Amou
ntPhotons
… … …258309274917392 $10000 V-
45H+45+45V… … …
Bank aligns filters according to expected values. If photons onbill all pass through filters, the bill is valid.
19CS588 Lecture 22
Counterfeiting Quantum Cash
• To copy a bill, need to know the photons.
• Counterfeiter can guess, but loses information. Physics says there is no way to measure the spins without knowing them!
20CS588 Lecture 22
Perfect Security?• Bill photons: V (¼), +45 (¼), -45 (¼), H (¼)• Guess V-filter: passes 100% of V photons, ½
of +45 and ½ of -45– p (M = V | passes V filter) =
.25 / (.25 + (.5 * .25) + (.5 * .25)) = .25/.5 = .5If photon passes, counterfeiter can guess it is a V photon, right ½ of the time. If photon doesn’t pass, guess it’s a H photon, right ½ of the time.
– p (M = +45 | passes V filter) = .25• Actually a bit more complicated – can guess
some photons wrong, and 50% chance bank won’t notice.
21CS588 Lecture 22
Guessing One +45º Photon• Passes through V-filter (.5)
– Counterfeiter guesses V-photon– Passes through Banks +45 filter (.5)– .25 chance of getting it right
• Doesn’t passes through V-filter (.5)– Counterfeiter guesses H-photon– Passes through Banks +45 filter (.5)– .25 chance of getting it right
• Probability of not getting caught = .5• Forge bill with 6 photons = 1/26; use
more photons for more valuable bills.
22CS588 Lecture 22
Quantum Key Distribution
23CS588 Lecture 22
Quantum Key Distribution• Charles Bennett (1980s)• Use quantum physics to transmit a key
with perfect secrecy• Alice sends a stream of random photons• Bob selects random filters to try and
guess photons• After, they communicate over insecure
channel to figure out which bits were transmitted correctly
24CS588 Lecture 22
Quantum Key Distribution1. Alice generates a random sequence.
Transmits:0: or (Randomly pick H or –45)
1: or (Randomly pick V or +45)
2. Bob randomly guesses filter:Rectilinear detector: recognizes H and V photons with 100% accuracy, randomly misrecognizes diagonal photons.
Diagonal detector: recognizes -45 and +45 photons with 100% accuracy, randomly misrecognizes H and V photons.
25CS588 Lecture 22
Detecting Photons• Bob picks the right detector:
– 100% chance of correctly recognizing bit
• Bob picks the wrong detector:– 50% chance of “guessing” bit
• Bob can’t tell the difference• But, Alice can (since she picked the
photon encoding)
26CS588 Lecture 22
Finding Correct Guesses3. Alice calls Bob over an insecure line,
and tell him rectangular/diagonal for each bit. Bob tells Alice if he guessed right. They use the bits he guessed right on as the key.
4. Alice and Bob do some error checking (e.g., use a checksum) to make sure they have the same key.
27CS588 Lecture 22
What about Eve?• Eve can intercept the photon
stream, and guess filters.• If she guesses right, she can
resend the same photon.• If she guesses wrong, 50% chance
she will send the wrong photon.• 50% chance Bob will guess the
right filter on this photon, so 25% chance of error
28CS588 Lecture 22
Eve is Caught• When Alice and Bob agree on
which bits to use, Eve will have the wrong ones since she guesses different polarities.
• Eve cannot eavesdrop without Alice and Bob noticing an unusually high error rate!
29CS588 Lecture 22
Is this practical?
30CS588 Lecture 22
http://www.idquantique.com/(Geneva, Switzerland)
Movie Teaser
32CS588 Lecture 22
What’s in the “Sneakers” Black
Box?A Quantum Computer
33CS588 Lecture 22
Quantum Computing• Feynman, 1982• Quantum particles are in all possible states• Can try lots of possible computations at
once with the same particles• In theory, can test all possible
factorizations/keys/paths/etc. and get the right one!
• In practice, major advances required before we can build it (unless the NSA knows something we don’t…): 7-qubit computer– Adding another qubit is more than twice as hard
34CS588 Lecture 22
Cryptographic Hashing Attacks
35CS588 Lecture 22
Charge• Tuesday:
– Project presentations• Order will be determined
pseudorandomly– Reports due
• Sneakers: send me email before Monday if you are coming
