Good morning and welcome to the session on quantum cryptography. We will have three papers in this session. The first paper is on Merkle puzzles in a quantum world. The co-authors are Gilles Brassard, Peter Høyer, Kassem Kalach, Marc Kaplan, Sophie Laplante and Louis Salvail, and Kassem will give the talk.

Good morning everyone. Merkle puzzles in a quantum world. This is joint work with Gilles Brassard, Peter Høyer, Marc Kaplan, Sophie Laplante and Louis Salvail.

Consider the key distribution problem, in which we have two distant parties, Alice and Bob, having no secret information in common, who need to share a secret S over a communication channel. The channel is authenticated, but there is no protection against eavesdropping. In fact, we assume that an eavesdropper has full knowledge of any communication between Alice and Bob and is eager to learn the secret S. The challenge is to make the eavesdropping effort grow as much as possible relative to the legitimate effort. Efforts are measured in terms of query complexity, because all parties have private access to a random oracle.

The first solution to this problem was proposed by Ralph Merkle in 1974, as a project proposal in a course on computer security at UC Berkeley. The idea was rejected by the professor, but Merkle continued working on it and submitted the paper to Communications of the ACM. Initially the paper was rejected, because it was beyond the cryptographic thinking of that time. However, it was eventually published in 1978. For more details, visit Merkle's website.

Merkle's scheme is based on the birthday paradox, and it is provably secure in the random oracle model, in contrast with schemes based on the assumed difficulty of some mathematical problems. In this model, a protocol is considered to be secure if the cryptanalytic effort grows super-linearly with the legitimate effort.

Now we present Merkle's scheme. In Merkle's scheme, Alice and Bob have access to a black-box function F of domain size n². In the first step, Alice selects n random points in the domain of F, evaluates F on them and transmits their images to Bob. Let X be the set of randomly selected points and Y be the set of corresponding images. In the second step, Bob finds one element of X, or if you like, Bob inverts an arbitrary image. To do so, he follows the following optimal strategy: he selects a random point s in the domain of F, evaluates F(s) and verifies if F(s) belongs to the set Y. He repeats this process again and again until he gets yes, meaning until he succeeds in inverting some image F(x_i), and the secret will be x_i. The question now is: what is the complexity of Bob's effort to accomplish this step? Since the domain of F is n² and the number of possible images is n, this can be done in the order of n queries, based on the birthday paradox. Having got s, Bob sends F(s) to Alice. Now Alice, given F(s), uses the table to find the matching image in the second column of the table, and thus can find x_i. At this level, Alice and Bob share a secret s in the order of n queries. The question now is: what is the eavesdropping effort?
This is the view of the adversary: access to a black box of domain size n² and full knowledge of the conversation between Alice and Bob. While Bob has the freedom to invert any of the n images, the adversary is faced with inverting F(s). Since F is given as a black box, the remaining list is useless for the adversary, and the only way to invert F(s) is to try random points in the domain of F one by one. So on average the adversary has to try half the points in the domain. Therefore the adversary needs Ω(n²) queries to find s.

The natural question is: can we do better than this quadratic security? No, due to Barak and Mahmoody, who proved that every key exchange protocol in the random oracle model can be broken in the order of n² queries. Therefore Merkle's scheme is optimal, since we have this upper bound and a matching lower bound, and the problem is settled.

But what about the quantum world? First of all, being in a quantum world, we assume that the adversary is always quantum. However, Alice and Bob, the legitimate parties, are allowed to be quantum. I mean, they are allowed to use quantum computers. However, the channel is always classical and always authenticated. It is important to keep in mind that we don't transmit quantum information.

We need to introduce two fundamental quantum search tools: Grover's algorithm and its generalization BBHT, for Boyer, Brassard, Høyer and Tapp. In fact, they are essential to understand most of this talk. Consider the following search problem: given a black-box function of domain size n and t distinct images of this function, the problem is to invert one of them. BBHT solves this problem after about √(n/t) queries. However, if we are faced with inverting a specific image, meaning that t = 1, Grover's algorithm finds the solution after about √n queries, and this is optimal.

Now back to the security of Merkle's scheme, but in a quantum world. We saw that Merkle's scheme provides quadratic security against a classical adversary, but now the domain of F is n² and the adversary is faced with inverting F(s): a quantum adversary can find s after about √(n²) = n queries. Thus Merkle's scheme is completely broken, because the eavesdropping effort equals the legitimate effort up to a constant factor.

Now we arrive at our two motivating questions. The first one is: can the quadratic security of Merkle's scheme, possible in the classical world, be restored in a quantum world if the legitimate users make use of quantum powers? The second question, which is more challenging: can every key exchange protocol in the random oracle model
be broken in the order of n quantum queries when the legitimate parties are restricted to the classical world? In fact, we made two main contributions: we answered the second question and made progress on the first one.

The first progress on the first one is due to Brassard and Salvail, who introduced quantum Merkle puzzles. In quantum Merkle puzzles, they allow Alice and Bob to use quantum computers, precisely Bob, and they increase the domain of the black box from n² to n³. The remainder of the protocol is very similar to Merkle's scheme. In the first step, Alice selects n random points and transmits their images to Bob. Bob finds one element of X, or if you like, inverts an arbitrary image, and of course the secret will be s. But now a classical Bob cannot do that job, because the domain is n³. However, using BBHT this can be done after about √(n³/n) queries, where n³ is the size of the domain and n is the number of possible images. So this can be done in the order of n quantum queries. The remaining steps are exactly the same: Bob will send F(s), and Alice, given F(s), can use the table and find F(x_i), that is, x_i. At the end of the protocol, Alice makes exactly n queries to the oracle F, Bob makes in the order of n quantum queries, and they have a shared key s.

Now what is the security of quantum Merkle puzzles? It is very similar to the previous analysis. The adversary is faced with inverting F(s), but now the domain is n³. Even a quantum adversary can find s in the order of √(n³), which equals Θ(n^{3/2}), and this is optimal. They left open the question of whether we can do better, and this is our first contribution. We answer positively.

Yes, we devise a quantum protocol and prove its security is Θ(n^{5/3}). In our protocol we introduce another black-box function T of domain size n³. The first step remains the same. However, in the second step, Bob finds two elements of X instead of one as before, and to find each of them we use BBHT. In this case the secret will be (s, s′) instead of s as before. Now Bob, having got s and s′, sends w = T(s) bitwise-XOR T(s′). On Alice's side, Alice queries the oracle T on the set X, and now, given w, she can use the table and bitwise XOR to find the secret (s, s′). Finally, Alice and Bob share the secret (s, s′). It is clear that Alice makes exactly n queries to the oracle F and exactly n queries to the oracle T, classical queries, and Bob makes in the order of n quantum queries. If we are also concerned about time, it seems at first that Alice will need to try about n² pairs to find (s, s′). Fortunately, we can do that in linear time.

Now for the security of our first contribution.
The proof consists of two parts: first, to devise a quantum attack which can be accomplished in the order of n^{5/3}, and second, to prove a matching lower bound of Ω(n^{5/3}). I give a brief idea about these two steps. The quantum attack is based on a quantum walk on the Johnson graph. It is an adaptation of Ambainis's algorithm for the element distinctness problem, which is optimal due to Aaronson and Shi. The element distinctness problem is to decide if a function C, given as a black box, is one-to-one. For a domain of size n, this problem can be solved in Θ(n^{2/3}). The question is why we have the order of n times n^{2/3} in our case. Because in our case the domain of C is X, the size of X is n, X is embedded into a domain of size n³, and to query C requires Θ(n) queries using BBHT.

For the lower bound proof, it is a three-step process. We define a search problem related to element distinctness, we prove Ω(n^{5/3}) as a lower bound for this search problem, and finally we reduce the search problem to the eavesdropping strategy against our protocol. The main observation is that the defined search problem is the composition of a variant of element distinctness on n elements with searching each element in a set of size n². One would like to apply the composition theorem for quantum query complexity due to Høyer, Lee and Špalek, and to Lee, Mittal, Reichardt and Špalek. Unfortunately, the theorem is not applicable in our case, because it requires the inner function to be Boolean. Therefore, we proved a new composition theorem using similar techniques. In particular, the quantum eavesdropping strategy is in Ω(n^{2/3}) × n, where Ω(n^{2/3}) is the complexity of element distinctness on n elements and n is the complexity of search in a set of size n².

Our second contribution answers the following question: can every key exchange protocol in the random oracle model be broken in the order of n quantum queries when the legitimate parties are restricted to the classical world? The answer is no, because we devise a classical protocol and prove its security is Θ(n^{7/6}). In fact, it is very similar to the first one. Now Bob is back to the classical world, and the domain of the black-box functions is reduced from n³ to n². The first step is the same. Bob finds elements of X; the secret is (s, s′), but now we can't use BBHT. But since the domain is n², Bob as before uses random points in the domain of F, and this can be done in the order of n. Bob sends T(s) ⊕ T(s′). This is the same as the previous protocol. A quantum adversary finds the secret in Θ(n^{7/6}), and this proof is the same as for the first protocol, using the same attack and lower bound techniques.

In summary, while Merkle's scheme provides quadratic security in the classical world, it is completely broken in the quantum world. However, we devise a classical protocol providing security Θ(n^{7/6}). When Alice and Bob are allowed to use quantum computers, we made an improvement over the scheme of Brassard and Salvail from Θ(n^{3/2}) to Θ(n^{5/3}). In fact, the protocols I presented in this talk are different from the two protocols in the proceedings: the classical protocol improves over Θ(n^{13/12}), which is the first classical protocol secure against a quantum adversary; however, the quantum protocol is similar, but provides the same security. In addition, we proved a new composition theorem for quantum query complexity.

The first open question is: are our two protocols optimal? We conjecture they are not, because we discovered a sequence of quantum protocols in which our most efficient quantum attack tends to Θ(n²), and a sequence of classical protocols in which our most efficient attack tends to Θ(n^{3/2}). Our current open question is: are these attacks optimal? Other open questions are: is there a quantum protocol that exactly achieves quadratic security? Is there a quantum protocol that achieves better than quadratic security? What is the optimal classical protocol? Thanks for your attention. Questions?

So let's thank the speaker again.
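The two classical protocols described in the talk (Merkle's original scheme, where Bob inverts one published image by random sampling, and the classical two-element variant, where Bob sends T(s) ⊕ T(s′) and Alice recovers the pair with a hash table in linear time rather than by testing n² pairs), as an added simulation that is not part of the talk or of the paper. It counts random-oracle queries per party so the n versus n² gap is visible. The oracle ranges (64-bit outputs, chosen so that F and T are injective on a domain of size n² with overwhelming probability), the party names and all function names are assumptions of this example, and the eavesdropper shown is a naive classical one that scans the domain, not the quantum attacks of the talk.

```python
"""Added simulation of Merkle puzzles and of the classical (s, s') XOR variant
from the talk.  Every random-oracle query is counted per party.  Assumption of
this example: F and T output 64-bit values, so they are injective on a domain
of size n^2 with overwhelming probability and each published image has a
unique preimage."""
import random


class RandomOracle:
    """Lazily sampled random function on [0, domain) with per-party query counts."""

    def __init__(self, domain, rng, range_bits=64):
        self.domain = domain
        self.rng = rng
        self.range_bits = range_bits
        self.table = {}      # x -> F(x), sampled on first query
        self.queries = {}    # party name -> number of queries made

    def __call__(self, party, x):
        if not 0 <= x < self.domain:
            raise ValueError("query outside the oracle's domain")
        self.queries[party] = self.queries.get(party, 0) + 1
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(self.range_bits)
        return self.table[x]


def alice_puzzles(F, n, rng):
    """Step 1: Alice picks n distinct random points X and publishes Y = F(X).
    She keeps the table as image -> preimage for the lookup in step 3."""
    X = rng.sample(range(F.domain), n)
    Y = {F("alice", x): x for x in X}
    return X, Y


def bob_invert(F, images, rng, exclude=()):
    """Step 2: Bob samples random points until F(s) lands in the published
    image set (about domain/|images| = n queries when domain = n^2).
    Returns s together with F(s)."""
    while True:
        s = rng.randrange(F.domain)
        if s in exclude:
            continue
        y = F("bob", s)
        if y in images:
            return s, y


def merkle_puzzles(n, seed=0):
    """Merkle's scheme on a domain of size n^2.  Returns the keys computed by
    Alice, Bob and a naive classical eavesdropper, plus the query counts."""
    rng = random.Random(seed)
    F = RandomOracle(n * n, rng)
    X, Y = alice_puzzles(F, n, rng)
    s, f_s = bob_invert(F, Y, rng)          # Bob sends f_s over the authenticated channel
    alice_key = Y[f_s]                      # Alice looks f_s up in her table
    # Eve knows Y and f_s but not X: her only option is to try points one by one.
    eve_key = next(x for x in range(F.domain) if F("eve", x) == f_s)
    return {"alice": alice_key, "bob": s, "eve": eve_key, "queries": F.queries}


def find_pair(T, party, points, w):
    """Recover the unordered pair {s, s'} with T(s) xor T(s') == w using one
    pass and a hash table: at most len(points) queries to T instead of
    testing all ~n^2 pairs."""
    seen = {}                               # T(x) -> x for the points queried so far
    for x in points:
        t = T(party, x)
        partner = seen.get(t ^ w)
        if partner is not None:
            return (min(x, partner), max(x, partner))
        seen[t] = x
    return None


def xor_protocol(n, seed=0):
    """Classical two-element variant on a domain of size n^2: Bob inverts two
    distinct images and sends w = T(s) xor T(s'); the secret is the pair."""
    rng = random.Random(seed)
    F = RandomOracle(n * n, rng)
    T = RandomOracle(n * n, rng)
    X, Y = alice_puzzles(F, n, rng)
    s, _ = bob_invert(F, Y, rng)
    s2, _ = bob_invert(F, Y, rng, exclude={s})
    w = T("bob", s) ^ T("bob", s2)
    alice_key = find_pair(T, "alice", X, w)
    # Eve must first recover X by inverting every published image over the
    # whole domain (n^2 queries to F), then she can run Alice's pair search.
    eve_X = [x for x in range(F.domain) if F("eve", x) in Y]
    eve_key = find_pair(T, "eve", eve_X, w)
    return {"alice": alice_key, "bob": (min(s, s2), max(s, s2)), "eve": eve_key,
            "queries_F": F.queries, "queries_T": T.queries}


if __name__ == "__main__":
    for name, run in (("Merkle puzzles", merkle_puzzles), ("XOR variant", xor_protocol)):
        r = run(n=40, seed=1)
        print(name, "keys agree:", r["alice"] == r["bob"] == r["eve"])
        print("  queries:", {k: v for k, v in r.items() if k.startswith("queries")})
```

Running it with n = 40 (domain 1600) shows Alice making exactly n queries to F, Bob a few tens, and the scanning eavesdropper on the order of n². Raising n makes the separation more pronounced; the XOR variant's `find_pair` is the linear-time pair search the talk mentions in place of the naive n² pair enumeration.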