-
Quantum Attacks without Superposition Queries: the Offline Simon's Algorithm
Authors:
Xavier Bonnetain,
Akinori Hosoyamada,
María Naya-Plasencia,
Yu Sasaki,
André Schrottenloher
Abstract:
In symmetric cryptanalysis, the model of superposition queries has led to surprising results, with many constructions being broken in polynomial time thanks to Simon's period-finding algorithm. But the practical implications of these attacks remain blurry. In contrast, the results obtained so far for a quantum adversary making classical queries only are less impressive. In this paper, we introduce a new quantum algorithm which uses Simon's subroutines in a novel way. We manage to leverage the algebraic structure of cryptosystems in the context of a quantum attacker limited to classical queries and offline quantum computations. We obtain improved quantum-time/classical-data tradeoffs with respect to the current literature, while using only as much hardware requirements (quantum and classical) as a standard exhaustive search with Grover's algorithm. In particular, we are able to break the Even-Mansour construction in quantum time $\tilde{O}(2^{n/3})$, with $O(2^{n/3})$ classical queries and $O(n^2)$ qubits only. In addition, we improve some previous superposition attacks by reducing the data complexity from exponential to polynomial, with the same time complexity. Our approach can be seen in two complementary ways: reusing superposition queries during the iteration of a search using Grover's algorithm, or alternatively, removing the memory requirement in some quantum attacks based on a collision search, thanks to their algebraic structure. We provide a list of cryptographic applications, including the Even-Mansour construction, the FX construction, some Sponge authenticated modes of encryption, and many more.
Submitted 27 February, 2020;
originally announced February 2020.
-
Boosting the secret key rate in a shared quantum and classical fibre communication system
Authors:
Davide Bacco,
Beatrice Da Lio,
Daniele Cozzolino,
Francesco Da Ros,
Xueshi Guo,
Yunhong Ding,
Yusuke Sasaki,
Kazuhiko Aikawa,
Shigehito Miki,
Hirotaka Terai,
Taro Yamashita,
Jonas S. Neergaard-Nielsen,
Michael Galili,
Karsten Rottwitt,
Ulrik L. Andersen,
Toshio Morioka,
Leif K. Oxenløwe
Abstract:
During the last 20 years, the advance of communication technologies has generated multiple exciting applications. However, classical cryptography, commonly adopted to secure current communication systems, can be jeopardized by the advent of quantum computers. Quantum key distribution (QKD) is a promising technology aiming to solve such a security problem. Unfortunately, current implementations of QKD systems show relatively low key rates, demand low channel noise and use ad hoc devices. In this work, we picture how to overcome the rate limitation by using a 37-core fibre to generate 2.86 Mbit/s per core that can be space multiplexed into the highest secret key rate of 105.7 Mbit/s to date. We also demonstrate, with off-the-shelf equipment, the robustness of the system by co-propagating a classical signal at 370 Gbit/s, paving the way for a shared quantum and classical communication network.
Submitted 13 November, 2019;
originally announced November 2019.
-
Quantum Algorithm for the Multicollision Problem
Authors:
Akinori Hosoyamada,
Yu Sasaki,
Seiichiro Tani,
Keita Xagawa
Abstract:
The current paper presents a new quantum algorithm for finding multicollisions, often denoted by $\ell$-collisions, where an $\ell$-collision for a function is a set of $\ell$ distinct inputs that are mapped by the function to the same value. The tight bound of quantum query complexity for finding a $2$-collision of a random function has been revealed to be $Θ(N^{1/3})$, where $N$ is the size of the range of the function, but neither the lower nor upper bounds are known for general $\ell$-collisions. The paper first integrates the results from existing research to derive several new observations, e.g., $\ell$-collisions can be generated only with $O(N^{1/2})$ quantum queries for any integer constant $\ell$. It then provides a quantum algorithm that finds an $\ell$-collision for a random function with the average quantum query complexity of $O(N^{(2^{\ell-1}-1) / (2^{\ell}-1)})$, which matches the tight bound of $Θ(N^{1/3})$ for $\ell=2$ and improves upon the known bounds, including the above simple bound of $O(N^{1/2})$. More generally, the algorithm achieves the average quantum query complexity of $O\big(c_N \cdot N^{({2^{\ell-1}-1})/({ 2^{\ell}-1})}\big)$ and runs over $\tilde{O}\big(c_N \cdot N^{({2^{\ell-1}-1})/({ 2^{\ell}-1})}\big)$ qubits in $\tilde{O}\big(c_N \cdot N^{({2^{\ell-1}-1})/({ 2^{\ell}-1})}\big)$ expected time for a random function $F\colon X\to Y$ such that $|X| \geq \ell \cdot |Y| / c_N$ for any $1\le c_N \in o(N^{{1}/({2^\ell - 1})})$. With the same complexities, it is actually able to find a multiclaw for random functions, which is harder to find than a multicollision.
Submitted 7 November, 2019;
originally announced November 2019.
-
Improved Quantum Multicollision-Finding Algorithm
Authors:
Akinori Hosoyamada,
Yu Sasaki,
Seiichiro Tani,
Keita Xagawa
Abstract:
The current paper improves the number of queries of the previous quantum multi-collision finding algorithms presented by Hosoyamada et al. at Asiacrypt 2017. Let an $l$-collision be a tuple of $l$ distinct inputs that result in the same output of a target function. In cryptology, it is important to study how many queries are required to find $l$-collisions for random functions of which domains are larger than ranges. The previous algorithm finds an $l$-collision for a random function by recursively calling the algorithm for finding $(l-1)$-collisions, and it achieves the average quantum query complexity of $O(N^{(3^{l-1}-1) / (2 \cdot 3^{l-1})})$, where $N$ is the range size of target functions. The new algorithm removes the redundancy of the previous recursive algorithm so that different recursive calls can share a part of computations. The new algorithm finds an $l$-collision for random functions with the average quantum query complexity of $O(N^{(2^{l-1}-1) / (2^{l}-1)})$, which improves the previous bound for all $l\ge 3$ (the new and previous algorithms achieve the optimal bound for $l=2$). More generally, the new algorithm achieves the average quantum query complexity of $O\left(c^{3/2}_N N^{\frac{2^{l-1}-1}{ 2^{l}-1}}\right)$ for a random function $f\colon X\to Y$ such that $|X| \geq l \cdot |Y| / c_N$ for any $1\le c_N \in o(N^{\frac{1}{2^l - 1}})$. With the same query complexity, it also finds a multiclaw for random functions, which is harder to find than a multicollision.
Submitted 28 January, 2019; v1 submitted 20 November, 2018;
originally announced November 2018.
-
Dual-frequency injection-locked continuous-wave near-infrared laser
Authors:
Trivikramarao Gavara,
Takeru Ohashi,
Yusuke Sasaki,
Takuya Kawashima,
Hiroaki Hamano,
Ryo Yoshizaki,
Yuki Fujimura,
Kazumichi Yoshii,
Chiaki Ohae,
Masayuki Katsuragawa
Abstract:
We report a dual-frequency injection-locked continuous-wave near-infrared laser. The entire system consists of a Ti:sapphire ring laser as a power oscillator, two independent diode-lasers employed as seed lasers, and a master cavity providing a frequency reference. Stable dual-frequency injection-locked oscillation is achieved with a maximum output power of 2.8 W. As fundamental performance features of this laser system, we show its single longitudinal/transverse mode characteristics and practical power stability. Furthermore, as advanced features, we demonstrate arbitrary selectivity of the two frequencies and flexible control of their relative powers by simply manipulating the seed lasers.
Submitted 7 April, 2016;
originally announced April 2016.
-
Quantum algorithms for problems in number theory, algebraic geometry, and group theory
Authors:
Wim van Dam,
Yoshitaka Sasaki
Abstract:
Quantum computers can execute algorithms that sometimes dramatically outperform classical computation. Undoubtedly the best-known example of this is Shor's discovery of an efficient quantum algorithm for factoring integers, whereas the same problem appears to be intractable on classical computers. Understanding what other computational problems can be solved significantly faster using quantum algorithms is one of the major challenges in the theory of quantum computation, and such algorithms motivate the formidable task of building a large-scale quantum computer. This article will review the current state of quantum algorithms, focusing on algorithms for problems with an algebraic flavor that achieve an apparent superpolynomial speedup over classical computation.
Submitted 26 June, 2012;
originally announced June 2012.
-
Measurement of Positronium hyperfine splitting with quantum oscillation
Authors:
Y. Sasaki,
A. Miyazaki,
A. Ishida,
T. Namba,
S. Asai,
T. Kobayashi,
H. Saito,
K. Tanaka,
A. Yamamoto
Abstract:
Interference between different energy eigenstates in a quantum system results in an oscillation with a frequency which is proportional to the difference in energy between the states. Such an oscillation is observable in polarized positronium when it is placed in a magnetic field. In order to measure the hyperfine splitting of positronium, we perform the precise measurement of this oscillation using a high quality superconducting magnet and fast photon-detectors. A result of $203.324 \pm 0.039\,\mathrm{(stat.)} \pm 0.015\,\mathrm{(sys.)}$ GHz is obtained which is consistent with both theoretical calculations and previous precise measurements.
Submitted 25 November, 2010; v1 submitted 24 February, 2010;
originally announced February 2010.
-
On zeros of exponential polynomials and quantum algorithms
Authors:
Yoshitaka Sasaki
Abstract:
We calculate the zeros of an exponential polynomial of some variables by a classical algorithm and quantum algorithms which are based on the method of van Dam and Shparlinski, who treated the case of two variables, and compare with the complexity of those cases. Further we consider the ratio (classical/quantum) of the complexity. Then we can observe the ratio is virtually 2 when the number of the variables is sufficiently large.
Submitted 12 August, 2009;
originally announced August 2009.
-
On exponential polynomials and quantum computing
Authors:
Yasuo Ohno,
Yoshitaka Sasaki,
Chika Yamazaki
Abstract:
We calculate the zeros of an exponential polynomial of three variables by a classical algorithm and quantum algorithms which are based on the method of van Dam and Shparlinski, who treated the case of two variables, and compare with the time complexity of those cases. Further we compare the case of van Dam and Shparlinski with our case by considering the ratio (classical/quantum) of the time complexity. Then we can observe the ratio decreases.
Submitted 7 August, 2009;
originally announced August 2009.
-
A quantum protocol to win the graph colouring game on all Hadamard graphs
Authors:
David Avis,
Jun Hasegawa,
Yosuke Kikuchi,
Yuuya Sasaki
Abstract:
This paper deals with graph colouring games, an example of pseudo-telepathy, in which two provers can convince a verifier that a graph $G$ is $c$-colourable where $c$ is less than the chromatic number of the graph. They win the game if they convince the verifier. It is known that the players cannot win if they share only classical information, but they can win in some cases by sharing entanglement. The smallest known graph where the players win in the quantum setting, but not in the classical setting, was found by Galliard, Tapp and Wolf and has 32,768 vertices. It is a connected component of the Hadamard graph $G_N$ with $N=c=16$. Their protocol applies only to Hadamard graphs where $N$ is a power of 2. We propose a protocol that applies to all Hadamard graphs. Combined with a result of Frankl, this shows that the players can win on any induced subgraph of $G_{12}$ having 1609 vertices, with $c=12$. Combined with a result of Frankl and Rodl, our result shows that all sufficiently large Hadamard graphs yield pseudo-telepathy games.
Submitted 21 September, 2005; v1 submitted 7 September, 2005;
originally announced September 2005.
-
Two-Party Bell Inequalities Derived from Combinatorics via Triangular Elimination
Authors:
David Avis,
Hiroshi Imai,
Tsuyoshi Ito,
Yuuya Sasaki
Abstract:
We establish a relation between the two-party Bell inequalities for two-valued measurements and a high-dimensional convex polytope called the cut polytope in polyhedral combinatorics. Using this relation, we propose a method, triangular elimination, to derive tight Bell inequalities from facets of the cut polytope. This method gives two hundred million inequivalent tight Bell inequalities from currently known results on the cut polytope. In addition, this method gives general formulas which represent families of infinitely many Bell inequalities. These results can be used to examine general properties of Bell inequalities.
Submitted 3 September, 2005; v1 submitted 9 May, 2005;
originally announced May 2005.
-
Deriving Tight Bell Inequalities for 2 Parties with Many 2-valued Observables from Facets of Cut Polytopes
Authors:
David Avis,
Hiroshi Imai,
Tsuyoshi Ito,
Yuuya Sasaki
Abstract:
Relatively few families of Bell inequalities have previously been identified. Some examples are the trivial, CHSH, I_{mm22}, and CGLMP inequalities. This paper presents a large number of new families of tight Bell inequalities for the case of many observables. For example, 44,368,793 inequivalent tight Bell inequalities other than CHSH are obtained for the case of 2 parties each with 10 2-valued observables. This is accomplished by first establishing a relationship between the Bell inequalities and the facets of the cut polytope, a well studied object in polyhedral combinatorics. We then prove a theorem allowing us to derive new facets of cut polytopes from facets of smaller polytopes by a process derived from Fourier-Motzkin elimination, which we call triangular elimination. These new facets in turn give new tight Bell inequalities. We give additional results for projections, liftings, and the complexity of membership testing for the associated Bell polytope.
Submitted 18 April, 2004; v1 submitted 2 April, 2004;
originally announced April 2004.