diff --git a/chapter-qkd/Makefile b/chapter-qkd/Makefile index 0dee4e2..921a3ff 100644 --- a/chapter-qkd/Makefile +++ b/chapter-qkd/Makefile @@ -17,6 +17,7 @@ all: chapter.pdf .PHONY: preview preview: + biber chapter || true pdflatex -shell-escape '\def\thesispreviewmode{}\input{chapter.tex}' version.tex: chapter.tex diff --git a/chapter-qkd/chapter.tex b/chapter-qkd/chapter.tex index b3e291b..ece4c19 100644 --- a/chapter-qkd/chapter.tex +++ b/chapter-qkd/chapter.tex @@ -239,8 +239,12 @@ applied to solve many cryptographic problems fast enough for it to become a prob that means in practice. In this section, we will attempt convey a more concrete intuition of the magnitude of the threat that both Shor's and Grover's algorithm and variants pose to modern cryptography. -Shor's algorithm allows for the factorization of large numbers in polynomial time on a quantum computer, a problem whose -hardness (or the hardness of variants of which) is the foundation for the majority of today's asymmetric cryptography. +\textcite{shorAlgorithmsQuantumComputation1994, shorPolynomialTimeAlgorithmsPrime1997} introduced several algorithms to +solve problems in polynomial time on a quantum computer that are still believed to be hard on classical computers today. +In the original conference paper and journal article, Shor introduces several algorithms based on a similar fundamental +approach. Depending on context, \emph{Shor's algorithm} usually refers to one of two of these algorithms that solve +integer factorization as used in RSA, and the discrete logarithm problem as used in the Diffie-Hellman key exchange, +respectively. While Shor's algorithm attacks the foundations of most modern asymmetric cryptography, Grover's algorithm can be applied to hash functionss and symmetric cryptography. Fundamentally, Grover's algorithm is a search algorithm that allows a 
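Review bot: `biber chapter || true` in the preview target discards biber's exit status, so a broken bibliography (an undefined citation key, a datamodel error, a malformed entry) is masked and the preview renders unresolved citations without any signal in the build log. If the intent is only to tolerate a missing .bcf on a first run, keep the target tolerant but make the failure visible, e.g. `biber chapter || echo 'biber failed; citations will be unresolved' >&2`. The rest of the preview recipe is context here and the surrounding targets are outside this hunk.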
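Review bot: In the first added sentence the relative clause "that are still believed to be hard on classical computers today" attaches grammatically to "quantum computer" rather than to "problems"; reorder to `introduced several quantum algorithms that solve, in polynomial time, problems still believed to be hard for classical computers.` The next sentence then repeats "several algorithms" ("Shor introduces several algorithms based on a similar fundamental approach") within two lines of the first, and one of the two can be dropped. The paragraph continues on context lines that run past the end of this hunk.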
@@ -269,7 +273,7 @@ implications of which kinds of hard problems are solvable in practice, based on \emph{average} problem out of a class like $NP$ is solvable does not mean that most, or even many \emph{practical} problems are solvable. \textcite{impagliazzoPersonalViewAveragecase1995} was published after Shor's algorithm was discovered, and before Grover's algorithm was published. Impagliazzo foresaw that fast quantum algorithms could threaten -public-key security, and their analysis remains relevant facing the outlook of quantum computing today. +public key security, and their analysis remains relevant facing the outlook of quantum computing today. Impagliazzo proposes a set of five scenarios that provide increasingly extensive computational hardness properies, dubbed \emph{Algorithmica}, \emph{Heuristica}, \emph{Pessiland}, \emph{Minicrypt}, and \emph{Cryptomania}. In 
@@ -279,10 +283,10 @@ there is no way to efficiently sample solved instances of hard problems. The next scenario, Minicrypt is frequently cited in cryptographic works. In it, one-way functions exist, but there is no public key cryptography. Minicrypt aligns well with a world in which fast quantum algorithms exist that solve the -computational problems underlying public-key cryptosystems. Impagliazzo's last scenario is Cryptomania, which extends -Minicrypt with public-key cryptography and aligns with the world view that is commonly assumed in cryptography today. +computational problems underlying public key cryptosystems. Impagliazzo's last scenario is Cryptomania, which extends +Minicrypt with public key cryptography and aligns with the world view that is commonly assumed in cryptography today. -In Mincrypt, we assume that all computational problems that are amenable to public key cryptography fall. However, it is +In Minicrypt, we assume that all computational problems that are amenable to public key cryptography fall. However, it is not specified \emph{how} specifically this fall will happen---whether it will be classically, or by quantum algorithms---leading to two sub-variants of the Minicrypt scenario. The pessimistic sub-variant is one where classical algorithms solving all those problems are discovered. This scenario leads to identical conclusions to those Impagliazzo 
@@ -290,17 +294,25 @@ drew. However, if we base our Minicrypt assumption instead on the availability o problems, and thus on quantum computers being both powerful enough and generally available, we end up with an interesting spin on the original Minicrypt scenario that recently has garnered some academic attention, receiving the name Mini\textbf{Q}Crypt\cite{griloObliviousTransferMiniQCrypt2021, barootiPublicKeyEncryptionQuantum2023}. In -MiniQCrypt, on one hand, conventional public key cryptography falls before quantum computers, but the key observation is -that on the other hand, we can then use those quantum computers to do \emph{quantum} cryptography, re-gaining some of -what we have lost. The (im)possibility results for MiniQCrypt are nuanced, and provide something between the intact -conventional public-key cryptography in Cryptomania, and the total absence of it in classical Minicrypt. +MiniQCrypt, on one hand, conventional public key cryptography is broken by quantum computers running Shor's algorithm, +but the key observation is that on the other hand, we can then use those quantum computers to do \emph{quantum} +cryptography, re-gaining some of what we have lost. The (im)possibility results for MiniQCrypt are nuanced, and provide +something between the intact conventional public key cryptography in Cryptomania, and the total absence of it in +classical Minicrypt. In the discourse on quantum computing and its application to cryptography, it is important to be mindful of which security notion the authors of some source, or the implementors of some device base their work on. Especially in -academic work, Pessiland assumptions are often implicitly made. In this model, we can use neither public-key nor -symmetric cryptography. In this framework, secret key rate becomes paramount because it is assumed that QKD keys will be -used with an information-theoretically secure encryption scheme, requiring a never-ending secret key stream. 
Key -expansion functions are based on one-way-functions, which are unavailable here. +academic work, Pessiland assumptions are often implicitly made\cite{ + diamantiPracticalChallengesQuantum2016, + kwekChipbasedQuantumKey2021, + mehicQuantumKeyDistribution2021, + loSecureQuantumKey2014, +}. Here, the speedup provided by Grover's algorithm is considered to make symmetric primitives like hash functions or +symmetric ciphers unusable, leaving only information-theoretically secure cryptographic schemes such as +one time pads available. In this framework, secret key rate becomes paramount because it is assumed that QKD keys will +be used with an information-theoretically secure encryption scheme, requiring an infinite, high-bitrate secret key +stream. +\todo{introduce notions of asymmetric/symmetric ciphers, OTPs before} While in academic sources Pessiland assumptions are common, commercial systems usually are based on Minicrypt assumptions. That is, commercial systems propose QKD as an alternative to classical asymmetric cryptography for 
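Review bot: The added sentence "the speedup provided by Grover's algorithm is considered to make symmetric primitives like hash functions or symmetric ciphers unusable" reads as a general statement, although Grover's speedup is quadratic and the usual response is to double the symmetric key length rather than to abandon symmetric primitives. Since the paragraph is explaining the Pessiland assumption implicit in the cited sources, attribute the view to them, e.g. `In these sources, the speedup provided by Grover's algorithm is taken to make symmetric primitives ... unusable`, so it is not read as the author's own assessment. The preceding sentence that conventional public key cryptography "is broken by quantum computers running Shor's algorithm" is consistent with the new @@ -239 text and needs no change.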
@@ -323,12 +335,13 @@ single, short key\footnote{ \label{qc-practical-implications} Given that as of yet, noone has claimed to have a quantum computer powerful enough to pose a threat to current -cryptographic protocols, one may ask the fair question why the possible future development of such a machine would be -consequential for today's cryptographic practice. The answer to this question lies in \emph{Store-Now-Decrypt-Later} -attacks. In such attacks, the attacker records all data transmitted between a cryptographic protocol's parties. The -security of any key exchange protocol rests on a computational hardness assumption about some particular problem. When -this assumption falls, for example because of a powerful quantum computer becoming available, the attacker can then -retroactively break the security of those stored protocol instances and decrypt all traffic. +cryptographic protocols\cite{roettelerQuantumResourceEstimates2017}, one may ask the fair question why the possible +future development of such a machine would be consequential for today's cryptographic practice. The answer to this +question lies in \emph{Store-Now-Decrypt-Later} attacks. In such attacks, the attacker records all data transmitted +between a cryptographic protocol's parties. The security of any key exchange protocol rests on a computational hardness +assumption about some particular problem. When this assumption falls, for example because of a powerful quantum computer +becoming available, the attacker can then retroactively break the security of those stored protocol instances and +decrypt all traffic. Modern cryptographic protocols such as TLS or the Signal messenger's key ratchet are designed with facilities to provide some degree of protection against key compromise called \emph{(Perfect) Forward Secrecy}. Forward Secrecy means that a 
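Review bot: The new `\cite{roettelerQuantumResourceEstimates2017}` is attached to the claim that nobody has claimed a sufficiently powerful quantum computer, but that paper (per its abstract added later in this diff) gives qubit and gate counts for Shor's algorithm on elliptic curves; it supports how large such a machine would have to be, not the absence of such a claim. Move the reference to where that is the point, e.g. `...powerful enough to pose a threat to current cryptographic protocols (for concrete resource estimates see \textcite{roettelerQuantumResourceEstimates2017})`. The unchanged context line above still reads `noone`, which should be `no one`.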
@@ -340,7 +353,7 @@ linear increase of both protocol and attack complexity, which turns out to no ad Store-Now-Decrypt-Later attacks are considered a serious threat today based on the stark discrepancy between the capacity of today's inexpensive storage media, and the comparatively tiny bandwidth of cryptographic protocols in -applications such as \emph{End-To-End-Encrypted} text messaging. A single hard drive can conceivably store years of a +applications such as End-To-End Encrypted (E2EE) text messaging. A single hard drive can conceivably store years of a person's encrypted digital communications. There has been ongoing work on quantum secure cryptographic algorithms, and standardization of several such algorithms @@ -348,7 +361,7 @@ is progressing. However, in the time frame of cryptosystems, these algorithms ar discovery of a catastrophic key recovery attack against the Supersingular Isogeny Diffie-Hellman protocol (SIDH)\cite{castryckEfficientKeyRecovery2023} illustrates the risk in the use of immature cryptographic primitives. Thus, recommendations on the concrete steps that should be taken today to mitigate Store-Now-Decrypt-Later attacks vary. For -instance, Google's under its threat model as laid out in \textcite{schmiegGoogleThreatModel2024} recommends a list of +instance, under its threat model as laid out in \textcite{schmiegGoogleThreatModel2024}, Google recommends a list of quantum secure counterparts to classically secure cryptographic algorithms, but recognizes the relative immaturity of these quantum secure algorithms and consequently recommends \emph{Hybrid Deployment}, where a young, quantum secure algorithm is paired with a mature classically secure algorithm such that \emph{both} algorithms would have to be broken 
@@ -360,11 +373,11 @@ key storage, network communication and computation costs. \todo{research some more policies.} \section{The Physics of Quantum Computing} -\todo{missing} +\todoplaceholder{missing} \section{Quantum Key Distribution} -As we discussed in Section \ref{qc_comp_assum}, quantum computers promise novel attacks on many contemporary +As we discussed in Section \ref{qc_comp_assum}, Quantum Computers promise novel attacks on many contemporary cryptographic systems. At the same time, quantum technology also promises new cryptographic primitives that support security guarantees beyond what can be realized with the best classical computers. The core of this nascent field of Quantum Cryptography is a set of methods that are collectively called Quantum Key Distribution. 
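Review bot: The rewritten line capitalises `Quantum Computers`, while every other occurrence in this diff uses lower case ("quantum computers" in the MiniQCrypt paragraph, "a powerful quantum computer" in the Store-Now-Decrypt-Later paragraph, "general quantum computers" in the technical section); only the named notions such as Quantum Key Distribution are capitalised. Revert to `As we discussed in Section \ref{qc_comp_assum}, quantum computers promise novel attacks on many contemporary` to keep the convention. The new `\todoplaceholder` macro is presumably defined in the preamble, which is outside this diff.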
@@ -378,10 +391,10 @@ Informally speaking, a Quantum Key Distribution system is a system that distribu generated secret key, and the probability that an attacker was able to extract some portion of the key during the protocol's execution can be bounded to some negligible $\epsilon$ by each of the parties. -Quantum Key Distribution provides a similar service as cryptographic key exchange protocols such as the classic +Quantum Key Distribution provides a similar service to cryptographic key exchange protocols such as the classic Diffie-Hellman key exchange provide. The core difference between QKD and cryptographic key exchange protocols is that QKD provides information-theoretic security based on the No-Cloning Theorem, where cryptographic protocols provide only -computational security based on the computational hardness assumption underlying some public-key cryptosystem. +computational security based on the computational hardness assumption underlying some public key cryptosystem. QKD is attractive in that it gives practically useful security guarantees without relying on any computational hardness assumptions. This way, QKD would remain secure even in a scenario where a hybrid deployment of a classically secure but 
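Review bot: Replacing "a similar service as ... provide" with "a similar service to ..." leaves the verb `provide.` on the following, unchanged context line dangling, so the sentence now reads "provides a similar service to cryptographic key exchange protocols such as the classic Diffie-Hellman key exchange provide." Either delete `provide` on that context line or keep the original `as ... provide` construction.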
@@ -395,21 +408,21 @@ with classical computers, and includes novel quantum algorithms. While QKD protocols provide information-theoretic security, part of these protocols is always an authenticated channel that is used by the protocol's parties to exchange information necessary to align both parties' quantum measurements so -that they can reconstruct the same secret key bit stream. In the security model of QKD, this authenticated channel does -some heavy lifting. While the QKD protocol provides key exchange--an asymmetric primitive--based on this authenticated -channel--which in its most simple implementation requires only symmetric primitives, an implementation of QKD using -symmetric primitives such as HMAC or CMAC for the authenticated channel would not achieve information-theoretic -security. To acheive information-theoretic security, the authenticated channel itself must use an -information-theoretically secure authentication method. The issue with that is that information-theoretically secure -authentication methods are (provably)\todo{citation on ``provably''} rather inefficient in their key use. While -symmetric MACs can use a single, short key for a very long time, information-theoretically secure MACs need a continuous -stream of fresh key bits. +that they can reconstruct the same secret key bit stream\cite{loSecureQuantumKey2014}. In the security model of QKD, +this authenticated channel does some heavy lifting. While the QKD protocol provides key exchange--an asymmetric +primitive--based on this authenticated channel--which in its most simple implementation requires only symmetric +primitives, an implementation of QKD using symmetric primitives such as HMAC or CMAC for the authenticated channel would +not achieve information-theoretic security. To achieve information-theoretic security, the authenticated channel itself +must use an information-theoretically secure authentication method. 
The issue with that is that +information-theoretically secure authentication methods are (provably)\todo{citation on ``provably''} rather inefficient +in their key use. While symmetric MACs can use a single, short key for a very long time, information-theoretically +secure MACs need a continuous stream of fresh key bits. In QKD, the authenticated channel can be bootstrapped by taking these MAC key bits from the QKD channel itself. The disadvantage of doing that is that it consumes a fraction of the system's precious secure key rate. As a consequence, at this point there is ongoing research\todo{citations on ongoing research} on both systems based on symmetric MACs and systems using information-theoretically secure MACs, with commercial systems often choosing the -latter\cite{bibakQuantumKeyDistribution2021} owing to the low secure key rates that are the state of the art. +latter\cite{bibakQuantumKeyDistribution2021} owing to the low secret key rates that are the state of the art. \todo{Finish this section} \subsection{The Technical Implementation of QKD} 
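Review bot: The rewrapped lines use `--` as a parenthetical dash (`key exchange--an asymmetric primitive--based on this authenticated channel--which`), which LaTeX sets as an en dash, whereas the chapter elsewhere uses `---` for this role ("by quantum algorithms---leading to two sub-variants"); with four dashes in one sentence the nesting is also hard to follow, so use `---` or split the sentence. The same sentence says the MAC-based channel "requires only symmetric primitives" without noting that this presumes an initial pre-shared authentication key between the parties, which is the same bootstrapping cost the next paragraph raises for information-theoretic MACs; a half sentence such as `given a short pre-shared key` would make the comparison explicit. The two `\todo` markers asking for citations are unchanged by this hunk.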
@@ -418,60 +431,66 @@ On the technical level, QKD must be distinguished from general Quantum Computing No-Cloning Theorem and sometimes quantum entanglement in their operation, the scope of their quantum operations is very limited. QKD systems always operate on photons, while general quantum computers use a variety of physical implementations for their qubits that include photons and squeezed light, but extend over atom nuclei, trapped ions, -various aspects of currents in superconducters into phonons\cite{berriosHighFidelityQuantum2012}. +various aspects of currents in superconducters as well as phonons\cite{berriosHighFidelityQuantum2012}. +\todoplaceholder{Something is missing here.} \subsection{Practical Challenges} \todo{I don't like this paragraph.} The central challenge in general quantum computers is extending the lifetime of the quantum state encoding a qubit. -Quantum states are extremely sensitive to disturbances, and despite the best efforts to shield their quantum states -against external influence, their lifetime is still inconveniently short compared to the timescales required for quantum -computation, resulting in significant amounts of noise in the output of quantum algorithms run on contemporary quantum -computers. Quantum Key Distribution systems use photons and only perform a handful of operations on each photonic state -between generation and measurement, with the vast majority of the state's lifetime spent in transit between the two -endpoints of the QKD protocol. +Quantum states are extremely sensitive to disturbances, and despite the best efforts to shield them against external +influence, their lifetime is still inconveniently short compared to the timescales required for quantum computation, +resulting in significant amounts of noise in the output of quantum algorithms run on contemporary quantum +computers\cite{yetisInvestigationNoiseEffects2021}. 
Quantum Key Distribution systems use photons and only perform a +handful of operations on each photonic state between generation and measurement, with the vast majority of the state's +lifetime spent in transit between the two endpoints of the QKD protocol. While QKD systems are easy to build and operationally robust compared to general quantum computers, at their core they still exchange information through quantum states that physically need to transit the distance from one endpoint to the -other. For classical computer networks, bridging distances of several hundred kilometers is no big challenge. Using -appropriate high-power transceivers, a single optical link can already bridge upwards of 100km. \todo{Citation on +other. For classical computer networks, bridging distances of hundreds or thousands of kilometers is no big challenge. +Using appropriate high-power transceivers, a single optical link can already bridge upwards of 100km. \todo{Citation on distance} Longer ranges can easily be achieved by either logically chaining multiple links, or by using optical amplifiers. In contrast, the quantum states at the core of QKD systems must necessarily be ``weak''. A single quantum state on the wire on average must consist of approximately a single photon. If the system's quantum states consisted of more than one photon carrying the same information, this would enable a \emph{Photon Number Splitting Attack}, in which an attacker -extracts one of the state's photons for later analysis, and forwards the remaining photons to the receiver. The attacker -can then later measure the captured photon to extract the same information that the receiver measured. +extracts one of the state's photons for later analysis, and forwards the remaining photons to the +receiver\cite{loSecureQuantumKey2014}. The attacker can then later measure the captured photons to extract the same +information that the receiver measured. 
In practical QKD setups, attenuated pulsed lasers are often used, as there are +no practical single-photon sources. The laser and its attenuator are tuned such that the average photon count of a pulse +is in the order of $0.1$ \cite{loSecureQuantumKey2014}. For such setups, mitigations exist that prevent photon number +splitting attacks\cite{wangBeatingPhotonNumberSplittingAttack2005}. However, while these mitigations patch this security +weakness for weak, attenuated pulsed lasers, they still do not allow for higher transmit power. The practical implication of this is that the optical brightness of a QKD system is directly proportional to the rate at which the system can prepare, and later measure the individual quantum states. With today's electronics, rates up to -a few \unit{\GHz} are feasible. Alas, this brightness limit interacts poorly with the reality of optical communication, -especially through fibers. Even modern, high-quality fiber-optic cables have attenuation in the order of -\qty{0.5}{\dB\per\km}, -which corresponds to roughly half of the signal being lost every \qty{5}{\km}. In classical optical networks, this can -be compensated by increasing transmit power--i.e. packing more photons into each bit--or by optically amplifying the -signal partway through the fiber. In QKD systems however, the signal cannot be amplified, and the system's bit rate -exponentially decreases with distance due to absorption. Some QKD systems can reach ranges of several hundred kilometer, -but the useable data rate (here called \emph{key rate}) of these systems usually is in the kilobits per second or worse. +a few \unit{\GHz} are feasible\cite{grunenfelderFastSinglephotonDetectors2023}. Alas, the brightness limit interacts +poorly with the reality of optical communication, especially through fibers. 
Even modern, high-quality fiber-optic +cables have attenuation in the order of \qty{0.5}{\dB\per\km}, which corresponds to roughly half of the signal being +lost every \qty{5}{\km}. In classical optical networks, this can be compensated by increasing transmit power--i.e. +packing more photons into each bit--or by optically amplifying the signal partway through the fiber. In QKD systems +however, the signal cannot be amplified, and the system's bit rate exponentially decreases with distance due to +absorption. Some QKD systems can reach ranges of several hundred kilometers, but the useable data rate (here called +\emph{secret key rate}) of these systems usually is in the kilobits per second or worse. QKD signals cannot be amplified because their security rests on the fact that each transmitted quantum state on average -only contains on the order of one photon each. Security rests on the No-Cloning Theorem, which implies that not just +only contains on the order of one photon each. Security rests on the Nomegabits Theorem, which implies that not just attackers, but even the system's operators are unable to duplicate the quantum state in flight without destroying it. -When transmitted over a fiber, there are multiple effects that degrade the quantum-optical signal of a QKD system. We -can coarsely classify these degrading effects into two categories: \emph{Decoherence}, and \emph{Absorption}. -Decoherence effects result in the quantum state being changed in transit, which depending on the QKD implementation may -mean destroying information contained within the state such as by disturbing the pulse's polarization, or destruction of -entanglement between the in-flight state and another local state. In an optical channel affected by such decoherence -effects, a quantum state enters the channel, and subsequently exits it at the other end changed. In contrast, absorption -means the quantum state is not ever leaving the channel. 
+When transmitted over a fiber, there are multiple effects that degrade the quantum-optical signal of a QKD system, which +are collectively referred to as \emph{loss}. We can coarsely classify these degrading effects into two categories: +\emph{Decoherence}, and \emph{Absorption}. Decoherence effects result in the quantum state being changed in transit, +which depending on the QKD implementation may mean destroying information contained within the state such as by +disturbing the pulse's polarization, or destruction of entanglement between the in-flight state and another local state. +In an optical channel affected by such decoherence effects, a quantum state enters the channel, and subsequently exits +it at the other end changed. In contrast, absorption means the quantum state is not ever leaving the channel. In practice, absorption limits the length of an individual fiber run, as it becomes problematic at short distances. Decoherence is less relevant for the distance limitation, and mostly limits which fiber-optic technologies can be utilized in the first place. Due to decoherence, QKD systems usually use Single-Mode (SM) fiber over Multi-Mode (MM) -fiber, and makes it more difficult to utilize Wavelength Division Multiplexing (xWDM) to send multiple either quantum or -classical optical signals through a single fiber. -\todo{go more into the details on xWDM, elaborate on decoherence mechanisms, especially crosstalk in the context of +fiber, and decoherence makes it more difficult to utilize Wavelength Division Multiplexing (xWDM) to send multiple +either quantum or classical optical signals through a single fiber. \todo{go more into the details on xWDM, elaborate on +decoherence mechanisms, especially crosstalk in the context of xWDM.} \todo{CV-QKD} diff --git a/chapter-qkd/figures/ihsm-secondary-mesh b/chapter-qkd/figures/ihsm-secondary-mesh index 3a7edbd..6011599 160000 --- a/chapter-qkd/figures/ihsm-secondary-mesh +++ b/chapter-qkd/figures/ihsm-secondary-mesh 
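Review bot: The rewrapped line `Security rests on the Nomegabits Theorem` is an editing accident; the hunk's first context line and the QKD section earlier in this diff both read "No-Cloning Theorem", so restore `only contains on the order of one photon each. Security rests on the No-Cloning Theorem, which implies that not just`. The new line `various aspects of currents in superconducters as well as phonons` carries the misspelling over from the removed line; it should be `superconductors`. On the changed line about ranges, `useable` is the less common spelling of `usable`.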
@@ -1 +1 @@
-Subproject commit 3a7edbd1127cacc8f4c90376595b894105f3d479
+Subproject commit 601159904f4269366e29d85c2e90cbf000157f4f
diff --git a/main.bib b/main.bib
index a8628fe..bdaa177 100644
--- a/main.bib
+++ b/main.bib
@@ -920,6 +920,24 @@
 file = {/home/jaseg/Zotero/storage/S8S9P8L5/Deshotels - Inaudible Sound as a Covert Channel in Mobile Devi.pdf}
 }
 
+@article{diamantiPracticalChallengesQuantum2016,
+ title = {Practical Challenges in Quantum Key Distribution},
+ author = {Diamanti, Eleni and Lo, Hoi-Kwong and Qi, Bing and Yuan, Zhiliang},
+ date = {2016-11-08},
+ journaltitle = {npj Quantum Information},
+ shortjournal = {npj Quantum Inf},
+ volume = {2},
+ number = {1},
+ pages = {16025},
+ issn = {2056-6387},
+ doi = {10.1038/npjqi.2016.25},
+ url = {https://www.nature.com/articles/npjqi201625},
+ urldate = {2024-09-02},
+ abstract = {Abstract Quantum key distribution (QKD) promises unconditional security in data communication and is currently being deployed in commercial applications. Nonetheless, before QKD can be widely adopted, it faces a number of important challenges such as secret key rate, distance, size, cost and practical security. Here, we survey those key challenges and the approaches that are currently being taken to address them.},
+ langid = {english},
+ file = {/home/jaseg/Zotero/storage/MQBTKDF8/Diamanti et al. - 2016 - Practical challenges in quantum key distribution.pdf}
+}
+
 @inproceedings{disserBreakingSizeBarrier2023,
+ title = {Breaking the~{{Size Barrier}}: {{Universal Circuits Meet Lookup Tables}}},
+ shorttitle = {Breaking the~{{Size Barrier}}},
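Review bot: Every new entry carries a `file = {/home/jaseg/Zotero/storage/...}` field, which commits an absolute path and a local username into the shared .bib; the field is only meaningful on the exporting machine and has no effect on the typeset bibliography. Strip `file` on export or drop the lines, here and in the `grunenfelderFastSinglephotonDetectors2023`, `kwekChipbasedQuantumKey2021` and `roettelerQuantumResourceEstimates2017` hunks below. The `abstract` of this entry and of the Grünenfelder entry also begins with the literal word `Abstract ` scraped from the publisher page; remove it, e.g. `abstract = {Quantum key distribution (QKD) promises unconditional security ...}`.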
@@ -1302,6 +1320,24 @@
 file = {/home/jaseg/Zotero/storage/PSGQDYRQ/Grisafi et al. - PISTIS Trusted Computing Architecture for Low-end.pdf}
 }
 
+@article{grunenfelderFastSinglephotonDetectors2023,
+ title = {Fast Single-Photon Detectors and Real-Time Key Distillation Enable High Secret-Key-Rate Quantum Key Distribution Systems},
+ author = {Grünenfelder, Fadri and Boaron, Alberto and Resta, Giovanni V. and Perrenoud, Matthieu and Rusca, Davide and Barreiro, Claudio and Houlmann, Raphaël and Sax, Rebecka and Stasi, Lorenzo and El-Khoury, Sylvain and Hänggi, Esther and Bosshard, Nico and Bussières, Félix and Zbinden, Hugo},
+ date = {2023-05},
+ journaltitle = {Nature Photonics},
+ shortjournal = {Nat. Photon.},
+ volume = {17},
+ number = {5},
+ pages = {422--426},
+ issn = {1749-4885, 1749-4893},
+ doi = {10.1038/s41566-023-01168-2},
+ url = {https://www.nature.com/articles/s41566-023-01168-2},
+ urldate = {2024-09-02},
+ abstract = {Abstract Quantum key distribution has emerged as the most viable scheme to guarantee information security in the presence of large-scale quantum computers and, thanks to the continuous progress made in the past 20 years, it is now commercially available. However, the secret key rates remain limited to just over 10\,Mbps due to several bottlenecks on the receiver side. Here we present a custom multipixel superconducting nanowire single-photon detector that is designed to guarantee high count rates and precise timing discrimination. Leveraging the performance of the detector and coupling it to fast acquisition and real-time key distillation electronics, we remove two major roadblocks and achieve a considerable increase of the secret key rates with respect to the state of the art. 
 In combination with a simple 2.5-GHz clocked time-bin quantum key distribution system, we can generate secret keys at a rate of 64\,Mbps over a distance of 10.0\,km and at a rate of 3.0\,Mbps over a distance of 102.4\,km with real-time key distillation.},
+ langid = {english},
+ file = {/home/jaseg/Zotero/storage/PFQ9ZFFV/Grünenfelder et al. - 2023 - Fast single-photon detectors and real-time key dis.pdf}
+}
+
 @article{guazziNoncontactMeasurementOxygen2015,
+ title = {Non-Contact Measurement of Oxygen Saturation with an {{RGB}} Camera},
+ author = {Guazzi, Alessandro R. and Villarroel, Mauricio and Jorge, João and Daly, Jonathan and Frise, Matthew C. and Robbins, Peter A. and Tarassenko, Lionel},
@@ -1898,6 +1934,24 @@
 file = {/home/jaseg/Sync/Research/Zotero/2012_Kryjak et al_FPGA implementation of camera tamper detection in real-time.pdf}
 }
 
+@article{kwekChipbasedQuantumKey2021,
+ title = {Chip-Based Quantum Key Distribution},
+ author = {Kwek, Leong-Chuan and Cao, Lin and Luo, Wei and Wang, Yunxiang and Sun, Shihai and Wang, Xiangbin and Liu, Ai Qun},
+ date = {2021-06-14},
+ journaltitle = {AAPPS Bulletin},
+ shortjournal = {AAPPS Bull.},
+ volume = {31},
+ number = {1},
+ pages = {15},
+ issn = {2309-4710},
+ doi = {10.1007/s43673-021-00017-0},
+ url = {https://link.springer.com/10.1007/s43673-021-00017-0},
+ urldate = {2024-09-02},
+ abstract = {Quantum key distribution is a matured quantum science and technology. Over the last 20 years, there has been substantial research and development in this area. Recently, silicon technology has offered tremendous promise in the field for improved miniaturization of quantum key distribution through integrated photonic chips. We expect further progress in this area both in terms of protocols, photon sources, and photon detectors. This review captures some of the recent advances in this area.},
+ langid = {english},
+ file = {/home/jaseg/Zotero/storage/L6XGR229/Kwek et al. - 2021 - Chip-based quantum key distribution.pdf}
+}
+
 @inproceedings{lamonacaBloodOxygenSaturation2015,
+ title = {Blood Oxygen Saturation Measurement by Smartphone Camera},
+ booktitle = {2015 {{IEEE International Symposium}} on {{Medical Measurements}} and {{Applications}} ({{MeMeA}}) {{Proceedings}}},
@@ -2895,6 +2949,25 @@
 file = {/home/jaseg/Zotero/storage/QQZ7V3G4/Rezmerita et al. - 2017 - A self and mutual inductance calculation resonator.pdf}
 }
+@incollection{roettelerQuantumResourceEstimates2017,
+ title = {Quantum {{Resource Estimates}} for {{Computing Elliptic Curve Discrete Logarithms}}},
+ booktitle = {Advances in {{Cryptology}} – {{ASIACRYPT}} 2017},
+ author = {Roetteler, Martin and Naehrig, Michael and Svore, Krysta M. and Lauter, Kristin},
+ editor = {Takagi, Tsuyoshi and Peyrin, Thomas},
+ date = {2017},
+ volume = {10625},
+ pages = {241--270},
+ publisher = {Springer International Publishing},
+ location = {Cham},
+ doi = {10.1007/978-3-319-70697-9_9},
+ url = {https://link.springer.com/10.1007/978-3-319-70697-9_9},
+ urldate = {2024-09-02},
+ abstract = {We give precise quantum resource estimates for Shor’s algorithm to compute discrete logarithms on elliptic curves over prime fields. The estimates are derived from a simulation of a Toffoli gate network for controlled elliptic curve point addition, implemented within the framework of the quantum computing software tool suite LIQU i| . We determine circuit implementations for reversible modular arithmetic, including modular addition, multiplication and inversion, as well as reversible elliptic curve point addition. We conclude that elliptic curve discrete logarithms on an elliptic curve defined over an n-bit prime field can be computed on a quantum computer with at most 9n + 2 log2(n) + 10 qubits using a quantum circuit of at most 448n3 log2(n) + 4090n3 Toffoli gates. We are able to classically simulate the Toffoli networks corresponding to the controlled elliptic curve point addition as the core piece of Shor’s algorithm for the NIST standard curves P-192, P-224, P-256, P-384 and P-521. Our approach allows gate-level comparisons to recent resource estimates for Shor’s factoring algorithm.
The results also support estimates given earlier by Proos and Zalka and indicate that, for current parameters at comparable classical security levels, the number of qubits required to tackle elliptic curves is less than for attacking RSA, suggesting that indeed ECC is an easier target than RSA.},
+ isbn = {978-3-319-70696-2 978-3-319-70697-9},
+ langid = {english},
+ file = {/home/jaseg/Zotero/storage/B8JEIE23/Roetteler et al. - 2017 - Quantum Resource Estimates for Computing Elliptic .pdf}
+}
+
 @inproceedings{roySelftimedSensorsDetecting2022,
 title = {Self-Timed {{Sensors}} for {{Detecting Static Optical Side Channel Attacks}}},
 booktitle = {2022 23rd {{International Symposium}} on {{Quality Electronic Design}} ({{ISQED}})},
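Review bot: `isbn = {978-3-319-70696-2 978-3-319-70697-9}` in roettelerQuantumResourceEstimates2017 packs the print and online ISBN into one field; the datamodel expects a single ISBN, so Biber is likely to warn that the value is not valid and a style that prints it will emit the pair verbatim — keep one, e.g. `isbn = {978-3-319-70697-9}`, which matches the `doi` prefix. The same applies to `issn = {0031-9007, 1079-7114}` in the wangBeatingPhotonNumberSplittingAttack2005 hunk below. `volume = {10625}` is the LNCS volume number but no `series` field names the series, so it will print as a volume of the proceedings; add `series = {Lecture Notes in Computer Science}`. The abstract also carries the pasted residue `LIQU i| ` where the source has the LIQUi|⟩ tool name; since standard styles do not print `abstract`, it is simplest to fix or drop it.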
@@ -3110,6 +3183,40 @@
 file = {/home/jaseg/Zotero/storage/9JF534CK/Shen et al. - 2020 - Thermal Modeling and Design Optimization of PCB Vi.pdf}
 }
+@inproceedings{shorAlgorithmsQuantumComputation1994,
+ title = {Algorithms for Quantum Computation: Discrete Logarithms and Factoring},
+ shorttitle = {Algorithms for Quantum Computation},
+ booktitle = {Proceedings 35th {{Annual Symposium}} on {{Foundations}} of {{Computer Science}}},
+ author = {Shor, P.W.},
+ date = {1994-11},
+ pages = {124--134},
+ doi = {10.1109/SFCS.1994.365700},
+ url = {https://ieeexplore.ieee.org/document/365700},
+ urldate = {2024-09-02},
+ abstract = {A computer is generally considered to be a universal computational device; i.e., it is believed able to simulate any physical computational device with a cost in computation time of at most a polynomial factor: It is not clear whether this is still true when quantum mechanics is taken into consideration. Several researchers, starting with David Deutsch, have developed models for quantum mechanical computers and have investigated their computational properties. This paper gives Las Vegas algorithms for finding discrete logarithms and factoring integers on a quantum computer that take a number of steps which is polynomial in the input size, e.g., the number of digits of the integer to be factored. These two problems are generally considered hard on a classical computer and have been used as the basis of several proposed cryptosystems.
We thus give the first examples of quantum cryptanalysis.{$<>$}},
+ eventtitle = {Proceedings 35th {{Annual Symposium}} on {{Foundations}} of {{Computer Science}}},
+ keywords = {Circuit simulation,Computational modeling,Computer simulation,Costs,Cryptography,Mechanical factors,Physics computing,Polynomials,Quantum computing,Quantum mechanics},
+ file = {/home/jaseg/Zotero/storage/XIZ8N8T8/365700.html}
+}
+
+@article{shorPolynomialTimeAlgorithmsPrime1997,
+ title = {Polynomial-{{Time Algorithms}} for {{Prime Factorization}} and {{Discrete Logarithms}} on a {{Quantum Computer}}},
+ author = {Shor, Peter W.},
+ date = {1997-10},
+ journaltitle = {SIAM Journal on Computing},
+ shortjournal = {SIAM J. Comput.},
+ volume = {26},
+ number = {5},
+ pages = {1484--1509},
+ publisher = {{Society for Industrial and Applied Mathematics}},
+ issn = {0097-5397},
+ doi = {10.1137/S0097539795293172},
+ url = {https://epubs.siam.org/doi/10.1137/S0097539795293172},
+ urldate = {2024-09-02},
+ abstract = {A digital computer is generally believed to be an efficient universal computing device; that is, it is believed able to simulate any physical computing device with an increase in computation time by at most a polynomial factor. This may not be true when quantum mechanics is taken into consideration. This paper considers factoring integers and finding discrete logarithms, two problems which are generally thought to be hard on a classical computer and which have been used as the basis of several proposed cryptosystems. Efficient randomized algorithms are given for these two problems on a hypothetical quantum computer. These algorithms take a number of steps polynomial in the input size, e.g., the number of digits of the integer to be factored.
MSC codes 81P10 11Y05 68Q10 03D10 Keywords algorithmic number theory prime factorization discrete logarithms Church's thesis quantum computers foundations of quantum mechanics spin systems Fourier transforms},
+ file = {/home/jaseg/Sync/Research/Zotero/1997_Shor_Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a.pdf}
+}
+
 @online{siffermanUnlockingPerformanceProximity2023,
 title = {Unlocking the {{Performance}} of {{Proximity Sensors}} by {{Utilizing Transient Histograms}}},
 author = {Sifferman, Carter and Wang, Yeping and Gupta, Mohit and Gleicher, Michael},
@@ -3350,6 +3457,23 @@
 file = {/home/jaseg/Zotero/storage/2HCQ4S6I/Vu et al. - 2020 - Design and Performance of Relay-Assisted Satellite.pdf}
 }
+@article{wangBeatingPhotonNumberSplittingAttack2005,
+ title = {Beating the {{Photon-Number-Splitting Attack}} in {{Practical Quantum Cryptography}}},
+ author = {Wang, Xiang-Bin},
+ date = {2005-06-16},
+ journaltitle = {Physical Review Letters},
+ shortjournal = {Phys. Rev. Lett.},
+ volume = {94},
+ number = {23},
+ pages = {230503},
+ issn = {0031-9007, 1079-7114},
+ doi = {10.1103/PhysRevLett.94.230503},
+ url = {https://link.aps.org/doi/10.1103/PhysRevLett.94.230503},
+ urldate = {2024-09-02},
+ langid = {english},
+ file = {/home/jaseg/Zotero/storage/4WQLMTSB/Wang - 2005 - Beating the Photon-Number-Splitting Attack in Prac.pdf}
+}
+
 @inproceedings{wangBernoulliHoneywords2024,
 title = {Bernoulli {{Honeywords}}},
 booktitle = {Proceedings 2024 {{Network}} and {{Distributed System Security Symposium}}},
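Review bot: `author = {Shor, P.W.}` in shorAlgorithmsQuantumComputation1994 stores glued initials while the 1997 entry in the same hunk has `author = {Shor, Peter W.}`; Biber treats these as different name strings, so sorting, name-disambiguation and "same author" collapsing in the bibliography can diverge between the two entries. Write `author = {Shor, Peter W.}` in both. The 1994 abstract ends in the scraped artefact `{$<>$}` and the 1997 abstract has the publisher page's MSC-code and keyword block appended after the text; trim both if the field is kept.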
@@ -3619,6 +3743,21 @@
 file = {/home/jaseg/Zotero/storage/9BBJ86AQ/Yang et al. - 2018 - Quantum key distribution network Optimal secret-k.pdf}
 }
+@inproceedings{yetisInvestigationNoiseEffects2021,
+ title = {Investigation of {{Noise Effects}} for {{Different Quantum Computing Architectures}} in {{IBM-Q}} at {{NISQ Level}}},
+ booktitle = {2021 25th {{International Conference}} on {{Information Technology}} ({{IT}})},
+ author = {Yetis, Hasan and Karakoes, Mehmet},
+ date = {2021-02},
+ pages = {1--4},
+ doi = {10.1109/IT51528.2021.9390130},
+ url = {https://ieeexplore.ieee.org/document/9390130},
+ urldate = {2024-09-02},
+ abstract = {Today, all the implemented quantum computers are in Noisy Intermediate-Scale Quantum (NISQ) level. In such quantum computers, when circuit length and size increase, the results become less reliable because of the increasing effect of noise. The noise is an important factor that should be handled in NISQ level quantum computers. In this study, we investigate the noise factor on 5 qubit IBM-Q computers for basic circuits. For this purpose, existing 5 qubit IBM-Q computers with different architectures are examined. Then quantum circuit equivalents corresponding to basic logic gates such as XOR, AND, and OR are presented. Quantum circuits created for XOR, AND, and OR are run 10 times on different quantum computers of 5 qubits named Santiago, Athens, Valencia, Vigo, Ourance, and IBMQX2. Statistical information such as std., mean is obtained from the results. The consistency of the results obtained and their difference from the optimum result are discussed. As a result of the study, there is no contradiction in the results obtained with quantum volume.
Studies show that even small growths in XOR, AND, and OR circuits can lead to a big deflection in results.},
+ eventtitle = {2021 25th {{International Conference}} on {{Information Technology}} ({{IT}})},
+ keywords = {Computer architecture,Computers,Integrated circuit reliability,Logic gates,Quantum circuit,Qubit,Standards},
+ file = {/home/jaseg/Zotero/storage/CJXHEBEI/9390130.html}
+}
+
 @article{yuSecretKeyProvisioningCollaborative2022,
 title = {Secret-{{Key Provisioning With Collaborative Routing}} in {{Partially-Trusted-Relay-based Quantum-Key-Distribution-Secured Optical Networks}}},
 author = {Yu, Xiaosong and Liu, Yuhang and Zou, Xingyu and Cao, Yuan and Zhao, Yongli and Nag, Avishek and Zhang, Jie},
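Review bot: `author = {Yetis, Hasan and Karakoes, Mehmet}` in yetisInvestigationNoiseEffects2021 looks like an ASCII transliteration (`oe` standing in for an umlaut) taken from the IEEE Xplore listing; the file is UTF-8 and already holds native spellings such as `João` and `Grünenfelder`, so check the paper's own author line and enter that form, otherwise the transliterated surname sorts and labels differently from the same author's other works. `file = {/home/jaseg/Zotero/storage/CJXHEBEI/9390130.html}` points at a saved landing page rather than the paper, and `keywords` holds the Xplore index terms that standard styles do not print; both are export noise and can be dropped.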