Quantum Cryptography
Originally published at https://www.amarchenkova.com on July 5, 2020.
With interest growing in developing universal quantum computers, examining post quantum algorithms and quantum cryptography that can replace modern cryptosystems is of vital importance to the security of our data in a world where a large scale, fault tolerant quantum computer exists.
Shor’s algorithm is the killer algorithm for cryptography. But having a quantum computer large enough to run this algorithm is still many years away. While some scientists argue that a quantum computer that can run Shor’s algorithm will never be possible to build, since it requires millions of qubits, others believe it’s inevitable and that we need to start preparing for this future.
There are two approaches. One is post-quantum cryptography, which is a new set of standards for classical cryptographic algorithms, and the other is quantum cryptography, which uses the properties of quantum mechanics to secure data. Both may have a place in the future of secure communication, but they work fundamentally differently.
Post-Quantum Cryptography
Post-quantum cryptography is classical cryptography that stands up to the attacks of a large quantum computer. It does not use any quantum properties. It doesn’t need any specialized hardware. It’s based on hard mathematical problems, just like the cryptography we have today. However, post-quantum cryptography avoids using integer factorization and discrete log problems to encrypt data. We already know that these problems are vulnerable to algorithms run on a quantum computer.
None of these post-quantum cryptography algorithms need any quantum hardware to encrypt data. They base the encryption on new mathematical problems that are not vulnerable to known quantum computing attacks. And of course, we have to make sure that while an algorithm stands up to (known) quantum computing attacks, it also holds against supercomputers.
The government and NIST have been worried about this possibility for a while. Even as early as 2013 there were talks about moving away from the Suite B cryptography ciphers to something that can be quantum secure. In late 2016, NIST ran a competition for Post-Quantum Cryptography Standardization to find suitable quantum-resistant public-key encryption algorithms.
What properties does the winning algorithm have to have?
- It must stand up to quantum computing attacks, as well as classical attacks.
- It must be fast. We don’t want to slow down communication. This encryption also needs to run on the web, smartphones, sensors, and a lot of other devices that have more limited compute power. A very slow algorithm will hamper communication.
Further details about the 26 candidate algorithms are published in the NIST Internal Report (NISTIR) 8240, Status Report on the First Round of the NIST Post-Quantum Cryptography Standardization Process.
The 26 algorithms took very different approaches, but mostly fell into three families: lattice-based, error-correcting-code-based, and multivariate-based cryptosystems. Lattice-based systems have a large body of work behind them, going back to 1996, and are considered one of the strongest candidates for post-quantum cryptographic standards.
Lattice-Based Cryptography
How does a lattice-based cryptographic system work? A lattice is a grid of points. You are familiar with a two-dimensional grid with coordinates (x, y) or a three-dimensional grid with coordinates (x, y, z), but a grid can extend to many more dimensions. Several problems on such grids become hard to solve as the number of dimensions increases: the closest vector problem, the bounded distance problem, and the covering radius problem. Lattice-based cryptosystems use hundreds or thousands of dimensions, and the goal is to find two lattice points that are close together. There are no known efficient algorithms, classical or quantum, that can solve these in less than exponential time.
In 2020 and 2021, NIST will continue to review and test these post-quantum encryption standards, with the aim to have drafts of the recommended standards ready sometime between 2022–2024.
After that begins the process of upgrading computing systems worldwide to use these algorithms. In a world where a large quantum computer exists, we’d need to upgrade almost everything being sent online, and that’s a LOT of change. This is expensive and will take a lot of time. Previously, it has taken 20 years to move encryption algorithms from mathematical problems to full implementation. This includes building the software, implementing the hardware layer if needed, and knowing precisely how hard it would be to break. And now we have to include research on the risk analysis of quantum computers that haven’t been built yet. Waiting to find a quantum-safe cryptosystem until the point when a quantum computer does approach the magnitude needed to break modern encryption would be entirely too late.
Quantum Cryptography
Quantum cryptography actually uses quantum mechanical principles as the basis of the security. Because these cryptography systems utilize the laws of physics instead of mathematical proofs, they are theoretically “unbreakable”. Of course, that doesn’t apply to side channel attacks.
Quantum key distribution uses these quantum mechanical properties to create a shared key and distribute it, while being certain* that a third party hasn’t eavesdropped. For quantum states, we have several properties of nature that give quantum information an extra level of security. Quantum states collapse when they are measured. If an attacker tried to read out information in an entanglement-based protocol, the quantum states would no longer be in a superposition. Additionally, the no-cloning theorem of quantum mechanics states that it’s impossible to copy a quantum state. So, an attacker couldn’t copy the quantum information being transmitted and do operations on their copy. If someone tries to eavesdrop, Alice and Bob will know.
Quantum cryptography is based on the laws of physics, and not our knowledge and understanding of mathematics and hard problems. This means that it will remain secure no matter how much more powerful both classic computers and quantum computers become.
Long distance quantum communication utilizes quantum properties. BB84 and E91 (entanglement-based) are the most famous communication protocols for quantum key exchange. These protocols generate a shared secure key.
BB84 Quantum Key Exchange Protocol
How would you do the BB84 protocol with a quantum system?
1. Alice prepares the bit string she wants to send and randomly selects a polarization basis for each bit. She can select the horizontal/vertical polarization basis, where horizontal polarization is the 0 state and vertical polarization is the 1 state. Or she can select the diagonal polarization basis, where a downward-angled polarization is the 1 state and an upward-angled polarization is the 0 state.
2. Alice prepares a sequence of photons, sending the polarization
For example, Alice selects a bit string 01 and chooses a horizontal/vertical polarization. Then, the first photon she sends will be horizontally polarized, and the second will be vertically polarized.
[Figure: BB84 basis and polarization chart. Source: Wikipedia]
3. Bob chooses whether to measure each photon in the diagonal basis or the horizontal/vertical basis. Because he chooses at random, he loses information whenever he picks the wrong basis. If he measures a diagonally polarized photon with a horizontal/vertical detector, he gets a random answer and destroys the original polarization. If he chooses the correct basis, the readout result is certain to be the correct one. Bob detects and records the results for the entire bit string.
(Practically, this can be imagined by a polarizing filter, like in fancy sunglasses. It works by only letting through photons of the correct polarization. The lack of a photon means the polarizing filter blocked it from transmitting.)
4. Alice and Bob publicly compare their encoding bases. Using the chart above, Alice announces that for photon 1 she used the horizontal/vertical basis. If Bob used the diagonal basis to read it out, the result he got was random, so they discard that bit of the sequence. They keep only the bits where the basis the photon was prepared in and the measurement basis match. The shared key is the remaining sequence.
Eve can come in and listen in on the photons, if she wants to. Like Bob, she has to choose a random measurement basis. However, as soon as she interferes with the photons, Eve introduces errors into the measurements. Alice and Bob can check for errors by choosing a subset of the key and comparing it publicly. If there are more errors than expected (more than the expected losses in the channel or measurement), they discard the key.
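The four steps above and the eavesdropping check, as an added simulation that is not code from the original post: each photon is modelled as a (basis, bit) pair, the two bases and the bit encodings follow the protocol description, and the random seed, key length and the 20% sample fraction used for the error check are my assumptions.

```python
import random

# Bases: "R" = rectilinear (horizontal/vertical), "D" = diagonal. A photon is a
# (basis, bit) pair; measuring in the matching basis returns the encoded bit, while
# measuring in the other basis returns a random bit and collapses the photon to it.
BASES = "RD"

def prepare(bits, bases):
    """Steps 1-2: Alice encodes each bit as a photon polarised in her chosen basis."""
    return [(basis, bit) for bit, basis in zip(bits, bases)]

def measure(photon, basis, rng):
    """Step 3: a wrong-basis measurement gives a random result and destroys the original."""
    photon_basis, photon_bit = photon
    if basis == photon_basis:
        return photon_bit, photon
    result = rng.randrange(2)
    return result, (basis, result)

def intercept_resend(photons, rng):
    """Eve measures every photon in a random basis and forwards what she saw."""
    return [measure(p, rng.choice(BASES), rng)[1] for p in photons]

def bb84(n, eavesdrop, seed=1, sample_frac=0.2):
    """Run one BB84 exchange; returns (estimated error rate, Alice's key, Bob's key)."""
    rng = random.Random(seed)  # seeded (assumption) so the run is reproducible
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.choice(BASES) for _ in range(n)]
    photons = prepare(alice_bits, alice_bases)
    if eavesdrop:
        photons = intercept_resend(photons, rng)
    bob_bases = [rng.choice(BASES) for _ in range(n)]
    bob_bits = [measure(p, b, rng)[0] for p, b in zip(photons, bob_bases)]
    # Step 4: bases are compared publicly; only positions where they agree are kept.
    keep = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    a_key = [alice_bits[i] for i in keep]
    b_key = [bob_bits[i] for i in keep]
    # Error check: a random subset of the sifted key is compared publicly and then
    # discarded; an intercept-resend attack shows up as roughly 25% mismatches.
    sample = set(rng.sample(range(len(keep)), int(len(keep) * sample_frac)))
    errors = sum(a_key[i] != b_key[i] for i in sample)
    qber = errors / len(sample)
    final_a = [a_key[i] for i in range(len(keep)) if i not in sample]
    final_b = [b_key[i] for i in range(len(keep)) if i not in sample]
    return qber, final_a, final_b

if __name__ == "__main__":
    for eve in (False, True):
        qber, ka, kb = bb84(4000, eavesdrop=eve)
        print(f"eavesdropper={eve}: QBER={qber:.3f}, keys match={ka == kb}, {len(ka)} bits")
```

Without Eve the sifted keys agree exactly; with an intercept-resend attacker the publicly compared sample shows about one mismatch in four, which is the signal Alice and Bob use to discard the key.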
Why don’t we always use Quantum Cryptography?
So why don’t we just use quantum cryptography if it’s so secure? Quantum cryptography requires specialized equipment. For example, you need these photon detectors, beamsplitters, and other equipment to make it work. So we can’t put all of this into a small device like your phone.
Also, just because the encryption itself is fundamentally secure by the laws of physics, that doesn’t mean no attacks can ever occur. Even without quantum computers, intrusions do occur against currently secure classical cryptographic algorithms. It’s not because some computer can break the encryption. Side channel attacks can occur. These happen because of weaknesses in the implementation of the cryptosystem instead of a weakness in the algorithm itself. Even though you can be sure that no one has directly intercepted the photons in the process of creating the key in a quantum key distribution protocol, side channel attacks exist in quantum cryptography as well.
The hardware requirements make it very difficult to use quantum cryptography everywhere. So, we will still need a post-quantum cryptographic protocol to secure the majority of devices. Post-quantum cryptography and quantum cryptography are fundamentally different, but both have their place in strengthening security in a potential future where we have large quantum computers.
Translated from: https://medium.com/swlh/quantum-cryptography-vs-post-quantum-cryptography-c769429cb06f