Post Quantum Cryptography from Mutant Prime Knots
arXiv preprint [math-ph], October
Annalisa Marzuoli (1) and
Giandomenico Palumbo (2)
Dipartimento di Fisica Nucleare e Teorica, Università degli Studi di Pavia and Istituto Nazionale di Fisica Nucleare, Sezione di Pavia, via A. Bassi 6, 27100 Pavia (Italy)
(1) E-mail: [email protected]
(2) E-mail: [email protected]
Abstract
By resorting to basic features of topological knot theory we propose a (classical) cryptographic protocol based on the ‘difficulty’ of decomposing complex knots generated as connected sums of prime knots and their mutants. The scheme combines an asymmetric public key protocol with symmetric private ones and is intrinsically secure against quantum eavesdropper attacks.
PACS 2008: 89.70.-a (Information and communication theory); 02.10.Kn (Knot theory); 03.67.Dd (Quantum cryptography and communication security)
MSC 2010: 68Qxx (Theory of computing); 57M27 (Invariants of knots and 3-manifolds); 68Q17 (Computational difficulty of problems)
Introduction
Knots and links (collections of knotted circles), besides being fascinating mathematical objects, are encoded in the modeling of a number of physical, chemical and biological systems. In particular, it was in the late 1980s that knot theory was recognized to have a deep, unexpected interaction with quantum field theory [1]. In earlier periods of the history of science, geometry and physics interacted very strongly at the ‘classical’ level (as in Einstein’s General Relativity theory), but the main feature of this new, ‘quantum’ connection is the fact that geometry is involved in a global and not purely local way, i.e. only ‘topological’ features matter. Over the years mathematicians have proposed a number of ‘knot invariants’ aimed at classifying systematically all possible knots. Most of these invariants are polynomial expressions (in one or two variables) with coefficients in the relative integers. It was Vaughan Jones in [2] who discovered the most famous polynomial invariant, the Jones invariant, and solved Tait’s conjectures for alternating knots. In the seminal paper by Edward Witten [1], the Jones polynomial was actually recognized to be associated with the vacuum expectation value of a ‘Wilson loop operator’ in a quantum Chern–Simons theory (see the reviews [3], [4] for comprehensive accounts of these topics).

Seemingly far from the above remarks, the search for new algorithmic problems and techniques which should improve ‘quantum’ with respect to classical computation has become more and more challenging in the last decade. Most quantum algorithms are based on the standard quantum circuit model [5], and are designed to solve problems which are essentially number theoretic, such as Shor’s algorithm [6] (see [7] for a general review on the basics of quantum algorithms). However, other types of problems, typically classified in the field of enumerative combinatorics and ubiquitous in many areas of mathematics and physics, share the feature of being ‘intractable’ in the framework of classical information theory. In particular, the evaluation of the Jones polynomial has been shown to be #P–hard, namely computationally intractable in a very strong sense [8]. In this perspective, efficient quantum algorithms for computing approximately knot invariants (of the Jones type or extensions of it) have been successfully addressed in the last few years [9], [10, 11, 12], [13], and indeed such a problem has been recognized to be ‘universal’ in the quantum complexity class BQP (Bounded error Quantum Polynomial), namely the hardest problem that a quantum computer can efficiently handle [14].

Notwithstanding the improvements outlined above both in field–theoretic settings and in quantum complexity theory, the basic unsolved problem in topological knot theory still remains the ‘recognition problem’: given two knots, how can we check whether they are ‘equivalent’ (in the sense to be formalized in the next section)? Invariants of (oriented) knots might be useful to this task, but there exist particular classes of knots –the ‘mutants’ of a given knot– that cannot be distinguished in principle, since by definition all of them possess the same Jones–type invariants, a result derived by resorting to standard tools in combinatorial topology (see e.g. [15]) but recognizable also in the field–theoretic framework as a property of expectation values of Wilson loop operators [16].

As is well known, group–based cryptography has become in the last few years a very fruitful branch of cryptanalysis [17], [18]. In particular, the key–agreement protocol proposed in [19] can be implemented using the braid group B_n (a non–Abelian group on (n−1) generators that can be associated with geometric configurations of n interlaced strands whose endpoints are fixed on two parallel straight lines in the plane). Knots and braids are indeed closely interconnected, since we can get a (multi–component) knot by ‘closing’ up an open braid, and a number of interesting algorithmic problems related to this group can be addressed [20]. Roughly speaking, a braid–group–based cryptographic protocol relies on the existence of an ‘easy’ problem (recognize whether two braids W and W′, expressed algebraically in terms of generators of the braid group, are the same element) and an ‘intractable’ one (recognize whether two words W_1 and W_2 are conjugate to each other, namely whether there exists a W′ for which W_1 = W′ W_2 (W′)^{−1}). As reviewed in [17], the basic ingredients for implementing a secure cryptosystem are the computational time required to execute the protocol, the number of bits that are to be exchanged between Alice and Bob, the number of passes (exchanges of information), the sizes of keys and the sizes of system parameters. However, modern security is often much more demanding, so that at present braid–group–based protocols [19, 21] do not seem safe from eavesdropper attacks.

The theoretically secure protocol we propose in this paper is framed within topological knot theory, and the basic ingredients are ‘prime’ knots depicted in a standardized manner in Knot Tables currently available on the web. The scheme relies on the ‘easy’ problem of associating with prime knots in Knot Tables their Dowker–Thistlethwaite codes, numerical sequences which are different for inequivalent knots. Then we resort to the ‘difficulty’ of factorizing, so to speak, complex knots generated by composing prime knots and their mutants. The scheme resorts to purely classical cryptographic tools, combining an asymmetric public key protocol with symmetric private ones.

The adjective ‘post quantum’ in the title comes about a posteriori, in light of the fact that most currently popular public–key cryptosystems rely on the integer factorization problem or the discrete logarithm problem (arising e.g. in the framework of cyclic group–based protocols), both of which would be easily solvable on large enough quantum computers using Shor’s algorithm. Our protocol is not based on the two quoted problems, nor does it seem reducible to them, and thus the standard meaning of post–quantum –secure against ‘quantum’ attacks– can be taken for granted until someone is able to prove the converse. In a somewhat extended sense, and according to the remarks made above on quantum algorithms for computing knot invariants, an attack based on (quantum) calculations of such polynomials would fail in view of the presence of mutants, not detectable even by a quantum computer.

In section 2 we review in brief some basic notions in topological knot theory, while in section 3 the cryptographic protocol is presented. A few more comments and conclusions are collected in section 4.

A knot K is defined as a continuous embedding of the circle S^1 (the 1–dimensional sphere) into the Euclidean 3–space R^3 or, equivalently, into the 3–sphere S^3 := R^3 ∪ {∞}. A link L is the embedding of the disjoint union of M circles, ∪_{m=1}^{M} (S^1)_m, into R^3 or S^3, namely a finite collection of knots.
Since each circle can be naturally endowed with an orientation, we can introduce naturally oriented knots (links). Referring for simplicity to the unoriented case, two knots K and K′ are said to be equivalent, K ∼ K′, if and only if they are (ambient) isotopic. An isotopy can be thought of as a continuous deformation of the shape of, say, K ⊂ R^3 which makes K identical to K′ without cutting and gluing back the ‘closed string’ K.

The planar diagram, or simply the diagram, of a knot K is the projection of K on a plane R^2 ⊂ R^3, in such a way that no point belongs to the projection of three segments, namely the singular points in the diagram are only transverse double points. Such a projection, together with ‘over’ and ‘under’ information at the crossing points –depicted in figures by breaks in the under–passing segments– is denoted by D(K). In what follows we shall identify the symbol K with D(K), although we can obviously associate with the same knot an infinity of planar diagrams.

The number of crossings of a knot (diagram) is clearly a good indicator of the ‘complexity’ of the knot, and indeed Tait in the late 1800s initiated a program aimed at classifying systematically knots in terms of the number of crossings. In Knot Tables (see [22] and the Knot Atlas on Wikipedia) there appear diagrams of unoriented ‘prime’ knots listed by increasing crossing numbers as C_N, where C is the number of crossings and N = 1, 2, ... enumerates in a conventional way the (standard projections of) knots with the same C. The (unique) ‘unknot’ or trivial knot K_○ has standard projection given by the circle, i.e. C_N(K_○) = 0 with N = 1. A prime knot is defined as a non–trivial knot which cannot be decomposed into two (or more) non–trivial knots. Decomposition is in turn the inverse of the topological operation of composition of knot diagrams. More precisely, given two knot diagrams K_1 and K_2, it is possible to draw a new knot by removing a small segment from each knot and then joining the four endpoints by two new arcs. The resulting diagram is the connected sum of K_1, K_2, denoted by K_1 # K_2. As shown below, starting for instance from the diagrams of the trefoil knot K (configuration 3_1 in Knot Tables) and its mirror image K̄, their connected sum turns out to be the so–called ‘square’ knot, the six–crossings configuration listed as 6.

[Figure: the trefoil K, its mirror image K̄ and their connected sum K # K̄.]

The connected sum of knot diagrams (well defined for oriented knots) is commutative and associative and has an identity element given by the trivial knot K_○, namely K_○ # K = K for each K. Remarkably, to each diagram representing a composite knot it is possible to associate a decomposition into prime knots which is unique [23] –up to ordering of summands. The (minimal) crossing number used for building up Knot Tables is the first example of a numerical knot ‘invariant’, since it depends only on the ambient isotopy class of the knot. Switching to knot (link) diagrams, it can be proved that a knot invariant is a quantity (a number or a polynomial, see below) which does not change under the application to the diagrams of finite sequences of the so–called Reidemeister moves (we leave aside this issue and refer to the classic books [24, 15, 25, 26] also as general references on knot invariants). It is not difficult to recognize that polynomial invariants can take the same value on inequivalent knots, and it is the biggest open problem in knot theory to establish a ‘complete’ set of invariants able to distinguish (and thus classify) all equivalence classes of knots. The most famous polynomial invariants of knots, such as the Alexander polynomial, the Jones polynomial [2] and its extensions [27] (in one formal variable) as well as the HOMFLY [28] and Kauffman [25] polynomials (in two variables), are able to distinguish particular sub–classes or types of knots. Actually, even resorting to all of them, there exists quite a large number of examples (with relatively small crossing numbers) in which indistinguishable diagrams still remain. In particular, neither the Jones, Kauffman and HOMFLY polynomials, nor more general invariants such as the Reshetikhin–Turaev ones, are sufficient to distinguish any knot K from its mutations K′ [15, 16].

To explain what a ‘mutant’ knot is we first introduce a ‘tangle’ notation for dealing with knot diagrams. A tangle is defined as a region of the planar diagram of an oriented or unoriented knot bounded by a circle (not belonging to the diagram) such that the knot strands cross the circle exactly four times. Thus any knot can always be presented by resorting to (at least) two tangles, say S and R, joined by 2+2 strands (this shorthand graphical notation for a single knot should not be confused with the operation of connected sum on knot diagrams).

[Figure: a knot presented as two tangles S and R joined by four strands.]

Starting from a tangle presentation of an oriented knot K, a mutant K′ arises by removing, e.g., the tangle labeled by R (two strands ingoing and two outgoing) and replacing it with a tangle R′ obtained by rotating R (and reversing the orientation of some strands if necessary). Admissible rotations are depicted below: the inner content of the tangle undergoes π–rotations with respect to three mutually orthogonal axes, which can be thought of as pointing from the central configuration toward the other three embedded in a reference 3–space. Note that only two of these rotations are independent, but of course the process of mutation can be carried out at will on different subsets of the same knot diagram including at least one crossing.

[Figure: the tangle R and its three π–rotations.]

In view of applications in cryptography we conclude this section by introducing the Dowker–Thistlethwaite (DT) notation (or code) for oriented knots. This allows us to associate with each planar diagram its (minimal) DT sequence (actually a string of relative integers) from which it is possible to reconstruct (almost) uniquely the knot. Consider as an example an oriented alternating knot with n crossings (namely a diagram with an alternating sequence of over and under–crossings) and start labeling an arbitrary crossing with 1. Once an orientation is fixed, go down the strand to the next crossing and denote it by 2. Continue around the knot until each crossing has been numbered twice. Then each crossing is decorated with a pair of even/odd positive numbers, running from 1 to 2n, as shown below for the knot 5.

[Figure: DT labelling of the crossings of the knot 5.]

± signs) grows linearly with the crossing number.

Let us recall some basic facts about the RSA cryptosystem, the most famous protocol of all times, invented by Rivest, Shamir and Adleman [29] and based on the concept of an ‘asymmetric’ public key.
Imagine that A (Alice) must send a secret message to B (Bob). It would take the following steps:
1. B generates a public key χ by resorting to a certain set of ‘generators’.
2. B sends the public key to A. Anyone can see it.
3. A uses the key to encrypt the message M.
4. A sends the encrypted message M_χ to B, but no one else can decrypt it.
5. B receives the message M_χ and, knowing the generators, is able to decrypt it.
Actually most RSA–type protocols are based on the computational complexity of factorization into prime numbers, because the generators are two large prime numbers (p and q) and the public key is their product (N = pq). Once N is given, decrypting the message requires knowledge of its prime factors, and this is of course a computationally hard problem. Note however that public key algorithms are very costly in terms of computational resources. The time it takes for the message to be encoded and decoded is relatively high, and this is actually the main drawback of (any) asymmetric decoding. This problem can be overcome or even solved by using a symmetric key together with the asymmetric one, as we are going to illustrate in the following statements defining our knot–based cryptosystem.

A must send a secret message to B and they share the same finite list of prime knots K’s. The message M will be built by resorting to a finite sequence of (not necessarily prime) knots L_1, ..., L_N as described below.

Step I) Through a standard RSA protocol, B sends to A an ordered sublist of N prime knots (taken from currently available Knot Tables) K_1, ..., K_N, together with mutation instructions to be applied to each K_i (no mutation on some of them is also allowed). Then a second list K′_1, ..., K′_N is generated by picking definite mutations of the original sequence.

Step II) A takes K′_1, ..., K′_N and performs a series of ordered connected sums L_1 # K′_1, L_2 # K′_2, ..., L_N # K′_N with the knots L_1, ..., L_N associated with the message to be sent. These composite knots are now translated (efficiently) into Dowker–Thistlethwaite sequences and sent to B. Obviously at this stage everyone has access to these strings of relative integers.

Step III) B receives the (string of) composite knots. Since he knows the DT sub–codes for the prime knots of the shared list, he can decompose the composite knots, thus obtaining the DT code for every L_i. Then the planar diagrams of L_1, ..., L_N can be uniquely recovered.

Basically we are using in the protocol both a public key (step I) and a private key (step II). In fact the message is encrypted (by A) and decrypted (by B) using the same key, the sequence of prime knots that they share (secretly) thanks to step I.

There are a number of advantages in basing a cryptosystem on complex geometric structures such as knots, where the selected prime knots could be looked at as providing an encryption alphabet. Note first that the coding procedure that provides the Dowker–Thistlethwaite string (e.g. written in the standard binary notation) is efficiently implementable, since it grows linearly with the crossing number. As noted above, decomposing a composite knot into its prime components is at least as difficult as finding the prime factors of a large number, while of course the composition (corresponding to multiplying integers) is an easy task. In order to attack such a protocol, one might resort to two strategies.

• The first approach is based on the use of topological invariants, which provide, at least in the case of low crossing numbers, quite a lot of information. Looking at Knot Tables we note that, up to seven crossings, all knots are alternating, so that, in particular, the crossing number of a knot built as a connected sum of alternating knots is the sum of the individual crossing numbers (but this is not true for non–alternating knots). On the other hand, the most powerful knot polynomials (quoted in section 2) are multiplicative with respect to connected sums. So, for instance, we can evaluate [25] the Jones invariant J_K(t) of a given composite knot K, getting a (Laurent) polynomial in the formal variable t, but it is still a hard task to extract the polynomials associated with the prime factors of K. As a matter of fact, such a strategy based on knot invariants is effectively unfeasible, because topological invariants of polynomial type are not able to distinguish a (generic) knot from one of its mutations.

• Another way is to try to decompose the knot diagram containing the message by resorting to iterated combinatorial operations aimed at recognizing in the encrypted message L_1 # K′_1, L_2 # K′_2, ..., L_N # K′_N at least some of the prime knots in the public list. But there exists no known algorithm to address the decomposition problem of a generic knot into its prime components. Finally, as pointed out in section 2, it is certainly true that the recognition problem can be associated with combinatorially recursive procedures, but Haken [30] was able to prove only the existence of an algorithm running in exponential time. On the other hand, the unknotting problem [31] –a particular case of the recognition problem stated in terms of the comparison of a given knot K with the unknot K_○– is shown to belong to the complexity class NP [32, 33].

The new knot–based cryptographic protocol proposed in this paper relies on quite simple mathematical notions and needs of course to be further specified and checked against different types of attacks. Note however that techniques developed within the framework of braid group–based cryptography (see [17], section 4) do not seem to be implementable in such a purely topological setting.
It is worth recalling that the set of (prime) knots equipped with connected sum K –namely the minimum number n such that there exists a braid W ∈ B_n whose closure reproduces K– is again a hard problem, cf. section 4 of [20]. Then the knot–based protocol is not effectively reducible to the group–based approach to classical cryptography.
In conclusion, it seems quite promising that, besides brute force attacks, which would consume exponential resources as the topological complexity of the knots grows, more sophisticated attacks based on (exact or approximate, classical or quantum) calculations of polynomial invariants of knots are intrinsically unreliable.
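The DT coding described in section 2 and steps II and III of the protocol in section 3, as an added worked example in Python; this is not code from the paper or its authors. It assumes a diagram is given as the walk along the knot (the ordered list of crossings met, each marked over or under), the usual sign convention that a crossing's even label is negated when that passage goes over, that step I's RSA-protected exchange has already happened, and that the key knots K′_i are supplied already mutated (the mutation operation itself is not implemented). The sample knots (trefoil and figure-eight walks) are constructed for the example.

```python
"""Dowker-Thistlethwaite codes, connected sums and the knot-based
encrypt/decrypt steps, as an added worked example (not the paper's code).

A diagram is represented by a walk along the knot: the ordered list of
(crossing_id, over) passages, one per visit, so n crossings give 2n entries.
Sign convention assumed (the usual one): a crossing's even label is negated
when the strand carrying that label passes over at the crossing.
"""
from typing import List, Tuple

Passage = Tuple[str, bool]   # (crossing id, True when this passage goes over)
Walk = List[Passage]


def dt_code(walk: Walk) -> List[int]:
    """DT sequence of a diagram: for the odd labels 1, 3, ..., 2n-1 in turn,
    the (signed) even label sitting on the same crossing."""
    if len(walk) % 2:
        raise ValueError("a closed walk meets every crossing twice: even length required")
    seen = {}                                   # crossing -> {"odd": (label, over), "even": (...)}
    for label, (cid, over) in enumerate(walk, start=1):
        parity = "odd" if label % 2 else "even"
        slot = seen.setdefault(cid, {})
        if parity in slot:
            raise ValueError(f"crossing {cid} carries two {parity} labels: not a knot diagram")
        slot[parity] = (label, over)
    for cid, slot in seen.items():              # one odd and one even label, once over and once under
        if len(slot) != 2 or slot["odd"][1] == slot["even"][1]:
            raise ValueError(f"crossing {cid} must be passed once over and once under")
    code = []
    for odd in range(1, len(walk), 2):
        even, over = seen[walk[odd - 1][0]]["even"]
        code.append(-even if over else even)
    return code


def crossing_number(walk: Walk) -> int:
    return len(walk) // 2


def mirror(walk: Walk) -> Walk:
    """Mirror image: every over-crossing becomes an under-crossing and vice versa."""
    return [(cid, not over) for cid, over in walk]


def connected_sum(k1: Walk, k2: Walk) -> Walk:
    """K1 # K2: cut one arc of each diagram and splice the two walks end to end.
    This is the easy direction of the protocol; ids are prefixed to stay distinct."""
    return [(f"a.{c}", o) for c, o in k1] + [(f"b.{c}", o) for c, o in k2]


def is_alternating(walk: Walk) -> bool:
    """True when over- and under-passages alternate all the way round the knot."""
    n = len(walk)
    return all(walk[i][1] != walk[(i + 1) % n][1] for i in range(n))


def encrypt(message: List[Walk], key: List[Walk]) -> List[List[int]]:
    """Step II: A forms L_i # K'_i for every message knot and publishes the DT codes."""
    if len(message) != len(key):
        raise ValueError("one key knot per message knot")
    return [dt_code(connected_sum(L, K)) for L, K in zip(message, key)]


def decrypt(codes: List[List[int]], key: List[Walk]) -> List[List[int]]:
    """Step III: B, who knows the DT sub-codes of the key knots, strips them off.
    With the splice used above, the key's labels are those of K'_i shifted by 2 n_L."""
    out = []
    for code, K in zip(codes, key):
        key_code = dt_code(K)
        n_l = len(code) - len(key_code)         # crossings of the hidden message knot
        shifted = [e + 2 * n_l if e > 0 else e - 2 * n_l for e in key_code]
        if n_l < 0 or code[n_l:] != shifted:
            raise ValueError("composite code does not end with the expected key knot")
        out.append(code[:n_l])                   # DT code of L_i: its labels are unchanged
    return out


# Constructed samples: trefoil 3_1 on crossings a, b, c and figure-eight 4_1 on a, b, c, d.
TREFOIL: Walk = [("a", True), ("b", False), ("c", True), ("a", False), ("b", True), ("c", False)]
FIGURE_EIGHT: Walk = [("a", True), ("b", False), ("c", True), ("a", False),
                      ("d", True), ("c", False), ("b", True), ("d", False)]


def demo() -> bool:
    """Run steps II and III with two message knots and a two-knot key
    (step I, the RSA-protected key exchange, is assumed already done)."""
    message = [TREFOIL, FIGURE_EIGHT]
    key = [mirror(TREFOIL), FIGURE_EIGHT]       # K'_i, assumed already mutated/mirrored
    wire = encrypt(message, key)                # public strings of relative integers
    return decrypt(wire, key) == [dt_code(L) for L in message]


if __name__ == "__main__":
    print("3_1             ->", dt_code(TREFOIL))
    print("3_1 # mirror    ->", dt_code(connected_sum(TREFOIL, mirror(TREFOIL))))
    print("round trip ok   ->", demo())
```

The walk of a composite is just the two walks spliced, so the DT string of L_i # K′_i has exactly one entry per crossing and is computed in linear time, which is the efficiency claim made above; the square knot of section 2 comes out as the trefoil code followed by the negated, shifted mirror-trefoil code. Note that this toy always splices at a fixed position with the message knot first, which is what lets B strip the key by a direct comparison; the paper leaves the composition and mutation choices unspecified, and its hardness argument rests on an attacker not knowing the prime sub-knots and on the absence of a general decomposition algorithm, not on the layout of this particular splice.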
Acknowledgments
A special debt of gratitude goes to Chiara Macchiavello and Claudio Dappiaggi for useful conversations.
References
[1] Witten E 1989 Commun. Math. Phys.
[2] Bull. Amer. Math. Soc.
[3] Encycl. Math. Phys. (Amsterdam: Elsevier) eprint arXiv: hep-th/0504100
[4] Boi L 2009 Int. J. Geom. Meth. in Mod. Phys.
[5] Quantum Computation and Quantum Information (Cambridge University Press)
[6] Shor P 1994 Algorithms for Quantum Computation: Discrete Logarithms and Factoring, in Proc. 35th Ann. Symp. Found. Comp. Sci.
[7–11] Complexity; Math. Proc. Camb. Phil. Soc.; Op. Sys. Inf. Dyn.; Quant. Inf. Comp.
[12] Garnerone S, Marzuoli A and Rasetti M 2007 J. Phys. A: Math. Theor.
[13] Quant. Inf. Comp.
[14] Combinat. Prob. Comp.
[15] An Introduction to Knot Theory (Springer–Verlag, New York)
[16] Ramadevi P, Govindarajan T R and Kaul R K 1995 Mod. Phys. Lett. A10
[17] eprint arXiv:0906.5545v2
[18] González Vasco M I, Magliveras S and Steinwandt R 2010 Group–theoretic cryptography (Chapman & Hall / CRC Press)
[19] Anshel I, Anshel M and Goldfeld D 1999 Math. Res. Lett.
[20] Braids: a survey, in Handbook of Knot Theory, Menasco W and Thistlethwaite M eds (Amsterdam: Elsevier) eprint arXiv: math.GT/0409205
[21] Dehornoy P 2004 Contemp. Math.
[22] Math. Intelligencer
[23] S.-B. Heidel. Akad. Wiss. Math.-Nat. Kl.
[24] Knots and Links (Publish or Perish, Berkeley, CA)
[25] Kauffman L 2001 Knots and Physics (World Scientific, Singapore)
[26] Adams C 2004 The Knot Book: An Elementary Introduction to the Mathematical Theory of Knots (Amer. Math. Soc., Providence, RI)
[27] Reshetikhin N and Turaev V G 1991 Invent. Math.
[28] Bull. Amer. Math. Soc.
[29] Commun. ACM
[30] Haken W 1961 Acta Math.
[31] Geom. Topol.
[32] J. of the ACM
[33] Cha. Sol. Fra. 569