Yeah, I'm going to talk about quantum non-malleability and authentication. This is joint work with Gorjan Alagic, and I want to start with a classical motivation to get an intuition for what these security notions are meant to do. So we have this guy up here, and he wants to buy a new notebook. What does he do? He sends a message to his bank to transfer some money to the notebook store. But if this message is intercepted and some malicious adversary changes the contents of the message, then of course he will be very unhappy, because he loses all this money. So what kind of cryptography could prevent this? One answer is non-malleable encryption. Here I want to give you a specific intuition about non-malleable encryption that we will use later to define the quantum notion. So now this guy encrypts the message instead of sending it in the clear, and non-malleability will ensure that if this malicious adversary changes the message, any such change will result, at best, in a random change of the message. And of course the bank will basically be confused and not transfer anything.

With this in mind I want to start presenting our results, and I want to start out by giving a summary of our results so that you know what to expect. We give a new definition of information-theoretic non-malleability for quantum symmetric-key encryption, and this definition fixes a vulnerability that was allowed by the previous definition. Also, it implies secrecy, just like quantum authentication implies secrecy. It can also be used as a primitive: any scheme that is non-malleable according to this definition can be used as a primitive for building authentication schemes. And finally, it has two equivalent characterizations, one of them based on entropies and one of them a simulation-based characterization, and these make it easy to see that this definition both generalizes a classical definition and improves the pre-existing quantum definition. In addition we have another result on authentication: we showed that the recent definition for authentication with key recycling, which will be one of the topics of the next talk, can be fulfilled with unitary 2-designs.

Okay, let's start with non-malleability. Classically, non-malleability was first defined in the context of public-key cryptography, and it was defined in terms of simulation-based security using relations on the plaintext. So basically it was defined in a way such that for any adversary that tries to produce a related plaintext by modifying the ciphertext, there exists a simulator that doesn't even use the ciphertext. Later it was realized that one can characterize non-malleability as a certain kind of chosen-ciphertext security, and this intuition was used by Hanaoka et al. to come up with an information-theoretic definition of non-malleability in the symmetric-key setting. This works as follows: if we have two plaintext-ciphertext pairs (X, C) and (X̃, C̃), where the two ciphertexts are different, then basically even knowing one plaintext-ciphertext pair doesn't tell me anything about the plaintext corresponding to a given different ciphertext. Later there was also another definition given for information-theoretic non-malleability that is more in the spirit of simulation-based security.

Okay, so to illustrate the challenges in making a quantum security definition of this kind, I want to describe to you what problems can arise. This is the setup for classical non-malleability: we have some plaintext X here that's encrypted into a ciphertext C, then the adversary applies some attack that possibly modifies the ciphertext, and then it is decrypted. So how do we check whether such a scheme is secure? We
make copies of the plaintext and the two ciphertexts here, and now we can, for example, evaluate a relation on the two plaintexts, or we can calculate the conditional mutual information that is used in the definition of Hanaoka et al. But none of this is possible in the quantum case, because of the no-cloning theorem, which tells us that if X is a quantum message then we cannot make a copy of it, and if C is a quantum ciphertext then we cannot make a copy of it. So one has to come up with different ideas for how to fix this.

Okay, so let's see what a quantum symmetric-key encryption scheme is. A quantum symmetric-key encryption scheme is given by a family of encryption and decryption maps indexed by a classical key. We assume the classical key to be chosen uniformly at random from some set. The encryption map goes from a plaintext space A to a ciphertext space C, and this is just a quantum channel, which is basically the quantum version of a stochastic map. Also, we allow the decryption map to reject; that's why the decryption map goes to the slightly enlarged plaintext space that includes this reject symbol. Correctness says, of course, that if we compose these two maps we get the identity map. And for the rest of the talk we make this definition: quantum mechanics is linear, so these encryption and decryption maps are linear maps, and we just take the expectation over all the keys of the encryption map, and this is again a valid quantum channel. We make a similar definition for the decryption map.

Okay, now let's go back to the setup.
So this is the setup that I showed you for classical non-malleability. We have Alice, who wants to send a message, and Bob, who is the receiver of the message, and in the middle sits Mallory, the active adversary, who wants to implement a certain change on the plaintext. Now in the quantum case we have to add a reference register here, basically because of the no-cloning theorem: we have to replace this whole copying procedure by something, and we replace it by adding a register here which basically contains all the information that the message contains information about. Then also we will make a definition in the spirit of semantic security, so we allow Mallory to possess some initial side information about the message, and this is the register B here. Okay, so now, to formalize non-malleability, we define the effective map. The effective map is just the composition of encryption, the attack map, and the decryption, so basically the whole protocol here, and then we take the expectation over the key. So this is basically the map that Mallory expects to apply to the plaintext space and her side-information register.

Okay, so now I think we're ready to have a look at the new definition. The idea is to define non-malleability such that Mallory cannot increase her correlations with the honest parties. Remember that in the beginning I gave you this intuition that non-malleability means that any change on the ciphertext space will at best implement a random change on the plaintext, so such an interference cannot be used to build up correlations between Mallory and the honest parties. But there's of course one thing that Mallory can always do, and that's that she can either let the message through or she can destroy it, basically. She can also do this probabilistically: for example, she can flip a coin, record the outcome, and then, depending on the outcome, either discard the plaintext or let it through. This gives her an opportunity to slightly increase her correlations with the honest parties. So our goal is to define non-malleability such that only this unavoidable attack is possible, basically, and that's what we did. So let's have a look at this definition. Down here we have the setup again.
So now I drew this dashed line. We start out with some quantum state ρ on these three registers and we have some final quantum state σ. What we would like to say is that the quantum mutual information between Mallory's side information here and the honest parties does not increase under the protocol. But we already saw that this is impossible, so we have to add a small term to this, which is basically a binary entropy term, and it accounts for this unavoidable attack here. So this is the binary entropy of some probability. The probability is given down here, but the actual definition is not so important; let me just say what it means. Intuitively, it's the probability that this attack map Λ acts as the identity on the ciphertext space here when the input on the side information is ρ. Okay, so this is nice, and it's an entropic characterization, and if you sit down with a piece of paper you can quickly write down a particular choice of side-information register, reference register and attack map so as to recover the definition of Hanaoka et al. in the classical case. But we can also give a characterization that gives a more practical security guarantee, an equivalent characterization of our definition, and it looks as follows. We can prove that a scheme is quantum non-malleable if and only if the effective map resulting from such a scheme for an attack map Λ has this form here. So this is a combination of the identity and a replacement map, and this replacement map just discards the plaintext and replaces it by the decryption of a random ciphertext with a random key. These are of course paired up with some maps on the side information that Mallory can always implement.

Okay, so this is a good point to compare this definition with the previously existing definition, which was given by Ambainis, Bouda and Winter in 2009. Let's first look at the setup. They include a reference register here; this is basically what one definitely needs to do in the quantum case. But they don't allow initial side information for the adversary, and, what is maybe even more important, there is another difference: their definition is also in the simulation paradigm, so they just say that the effective map will always look like this. It's a bit similar to our definition, but instead of having this very particular replacement map, where the input is replaced by a random ciphertext decrypted with a random key, all replacement maps that are decryptions with a random key are allowed. So basically the adversary can pick a ciphertext and then have it decrypted with a random key. This doesn't look so bad, but actually there is a separation between these two definitions. We have a scheme, the separation scheme, that is secure according to ABW non-malleability and insecure according to our definition, and it allows the adversary to basically choose the output of the decryption function. So basically the adversary can send any message to Bob. This doesn't seem so bad if you think of the public-key setting, because there this is always possible, but in the private-key setting
this is somehow unnecessary, so one can give a definition that prevents it, and that's what we did.

Okay, so let me give some more properties of the definition. In the case where the encryption map for any given key k is unitary, we can prove that our definition of non-malleability is equivalent to the fact that the set of encryption unitaries is a unitary 2-design. And this is also what has already been shown by Ambainis et al.: that this is equivalent to their definition as well. So in the case of unitary encryption maps, the two definitions of quantum non-malleability are equivalent. However, there are interesting settings where non-unitary encryption schemes are important, for example authentication: if one wants an authenticating scheme, then this can never be unitary; it needs to have a ciphertext space that is larger than the plaintext space. Okay, so one more property that I already mentioned is that this definition of quantum non-malleability implies information-theoretic indistinguishability. This is somehow contrary to the classical setting, where non-malleability and indistinguishability are completely independent properties, but it's analogous to the setting of quantum authentication, where this has already been shown a long time ago. Also, what I want to talk about in the last part of the talk is the fact that one can build authentication schemes from any scheme that is non-malleable according to the new definition.

Okay, this is just a visual summary of what I told you so far, basically, and let us move on to authentication now. Just a reminder of what authentication means: if this guy, the notebook-ordering guy, encrypts his messages with an authenticating scheme, then any change by the adversary will be detected. So basically, if the adversary changes the message, then the decryption function will output a reject message or an error message. In the quantum setting, authentication was first studied in 2002 by Barnum et al. The most used definition was given by Dupuis, Nielsen and Salvail, but last year a new definition was given by Garg, Yuen and Zhandry, which will be featured in the next talk, and this definition is stronger: it provides security guarantees with high probability over the key and allows for key recycling. This definition looks like this, and it looks a bit frightening, so I will not explain it in detail now. Basically the spirit of it is that it ensures that the expected distance between the simulator and the actual protocol is small.
So it gives a guarantee that the security property holds with high probability over the key. Okay, so in the original paper this definition was shown to be achievable using unitary 8-designs, and what we did is we took the scheme and replaced the 8-design by a 2-design, and using a different analysis we could show that it is also secure for the case of 2-designs. This fact was independently proven by Portmann, and the advantage is of course that 2-designs require much shorter keys, and there are very nice constructions, like for example the Clifford group, or there are also constructions derived from the Clifford group.

Okay, it seems like I have time to quickly give you an idea of the proof of this fact. The first observation is that, basically as in the classical case, randomized strategies don't help, so one can restrict to pure quantum states as initial states and isometries as attack maps. So if we have an attack isometry, this is just a matrix, basically, with respect to these bases, and then we define a simulator here by just taking the trace over the C space: we have a tensor product space, but we only take the trace over the first factor. This simulator is the same simulator that was used in the original paper, and it was first introduced by Broadbent and Wainewright, also in 2016. So basically what we want to do is bound the difference between what actually happens and the simulator, and this is in the 2-norm here. The strategy now is, because this comes from a 2-design here, we can replace this expression by an integration over the Haar measure and use Schur's lemma for the representation of the unitary group given by the double tensor product to bound this difference here.

Okay, so the last part is about how to build authentication from a non-malleable scheme.
So basically now, instead of just sending the plain message, this guy here thinks he's smart and says: okay, I will tell the bank in advance that I will attach a string of zeros at the end of my message, and now I encrypt this with the non-malleable scheme. Now if an adversary changes this, we know that this will result at best in a random change of the message, so a random change will with high probability change this last line here from being the all-zero string to something else. So the only thing the decryption function has to do is check: is this the all-zero string? And if not, it will just reject. So this is how, basically, this notion of non-malleability can be used to produce an authenticating scheme. The last result that I want to present is that exactly this works in the quantum case. So basically, if we define a new scheme by taking a smaller message space and embedding it in the bigger message space, so basically taking a message, appending a constant tag to it and encrypting it with a non-malleable scheme, and then the decryption function is defined exactly as shown in the last picture, just decrypt with the normal scheme and then check whether the tag is intact, then this provides quantum authentication according to the definition by Dupuis, Nielsen and Salvail.

Okay, so this was the last slide, basically. Here is a quick summary of our results about authentication: we showed that this standard notion of authentication can be obtained from a quantum non-malleable scheme, and the stronger notion can be obtained with 2-designs. So I want to finish with a few open questions.
Of course now the question is: what about computational security, and chosen-plaintext and chosen-ciphertext security, and so on? There is some ongoing work on this with Gorjan Alagic, my co-author on this paper, and Tommaso Gagliardoni. Also, the question is: can we give some security guarantee with high probability for non-malleability? Because right now we always talk about the average over the key, so it would be better if we could give a guarantee with high probability. And then also some minor points: I would like to beautify the dependency on the attack map, because this quantity p is kind of counterintuitive, so it would be good if we could remove it. Okay, so with this, this is the end of my talk. Thank you for listening.
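Editor's added example (not code from the talk or from the Alagic and Majenz paper): a single-qubit numerical check of the statement in the talk that, for a unitary symmetric-key scheme, non-malleability is the same as the encryption unitaries forming a unitary 2-design, and that the effective map then has the "identity mixed with replacement by the decryption of a random ciphertext" form. The keys index either the single-qubit Clifford group (a unitary 2-design) or the Pauli group, i.e. the quantum one-time pad, which is only a 1-design. For a unitary attack V on a d-dimensional ciphertext, the standard 2-design twirl formula gives the identity weight p = (|tr V|^2 - 1)/(d^2 - 1); that formula, the helper names, the group generation and the sample states and attacks are all this example's own assumptions, not notation from the talk. It uses only the Python standard library (2x2 complex matrices as nested lists).

```python
# Added example, not from the talk or the Alagic-Majenz paper.
# Checks, on one qubit, that the effective map E_k[U_k^dag . V . U_k] of a unitary
# scheme is "identity mixed with replacement" exactly when the key set is a
# unitary 2-design (Clifford group), and that the quantum one-time pad (Pauli
# group, only a 1-design) lets Mallory's ciphertext unitary act on the plaintext.
import math
from itertools import product

I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Z = [[1, 0], [0, -1]]
H = [[2 ** -0.5, 2 ** -0.5], [2 ** -0.5, -(2 ** -0.5)]]
S = [[1, 0], [0, 1j]]

# Constructed sample plaintext states and attack unitaries (not from the talk).
RHO_ZERO = [[1, 0], [0, 0]]
RHO_PLUS = [[0.5, 0.5], [0.5, 0.5]]
RHO_MIXED = [[0.7, 0.2 + 0.1j], [0.2 - 0.1j, 0.3]]
ROT = [[math.cos(0.7), -math.sin(0.7)], [math.sin(0.7), math.cos(0.7)]]


def mul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2)] for i in range(2)]


def dag(a):
    return [[complex(a[j][i]).conjugate() for j in range(2)] for i in range(2)]


def trace(a):
    return a[0][0] + a[1][1]


def lin(c1, a, c2, b):
    """c1*a + c2*b for 2x2 matrices."""
    return [[c1 * a[i][j] + c2 * b[i][j] for j in range(2)] for i in range(2)]


def dist(a, b):
    return max(abs(a[i][j] - b[i][j]) for i in range(2) for j in range(2))


def conj(u, rho):
    """u rho u^dagger."""
    return mul(mul(u, rho), dag(u))


def canonical(u):
    """Hashable key for u modulo global phase (a global phase never changes a channel)."""
    pivot = next(u[i][j] for i, j in product(range(2), range(2)) if abs(u[i][j]) > 1e-9)
    phase = abs(pivot) / pivot
    return tuple(complex(round((phase * u[i][j]).real, 6), round((phase * u[i][j]).imag, 6))
                 for i, j in product(range(2), range(2)))


def generate_group(generators):
    """Close the generators under multiplication, modulo global phase."""
    seen = {canonical(I2): I2}
    frontier = [I2]
    while frontier:
        u = frontier.pop()
        for g in generators:
            w = mul(g, u)
            key = canonical(w)
            if key not in seen:
                seen[key] = w
                frontier.append(w)
    return list(seen.values())


CLIFFORD = generate_group([H, S])  # unitary 2-design: 24 elements modulo phase
PAULI = generate_group([X, Z])     # quantum one-time pad, a 1-design: 4 elements


def effective_map(keys, attack, rho):
    """Encrypt under a uniformly random key, let Mallory apply `attack` to the
    ciphertext, decrypt, and average over the key: E_k[U_k^dag attack U_k](rho)."""
    acc = [[0, 0], [0, 0]]
    for u in keys:
        acc = lin(1, acc, 1, conj(dag(u), conj(attack, conj(u, rho))))
    return lin(1 / len(keys), acc, 0, I2)


def replacement_state(keys):
    """Decryption of a fixed ciphertext under a random key.  For any 1-design
    this is the maximally mixed state I/2, whatever ciphertext is chosen."""
    ciphertext = [[1, 0], [0, 0]]
    acc = [[0, 0], [0, 0]]
    for u in keys:
        acc = lin(1, acc, 1, conj(dag(u), ciphertext))
    return lin(1 / len(keys), acc, 0, I2)


def two_design_form(keys, attack, rho):
    """p * rho + (1 - p) * replacement with p = (|tr V|^2 - 1)/(d^2 - 1), d = 2:
    the identity/replacement mixture a 2-design twirl of a unitary channel yields.
    p may be negative (e.g. -1/3 for V = X); the whole map is still a channel."""
    p = (abs(trace(attack)) ** 2 - 1) / 3
    return lin(p, rho, 1 - p, replacement_state(keys))


def has_two_design_form(keys, attack, rho, tol=1e-9):
    """Does Mallory's effective map equal the identity/replacement mixture?"""
    return dist(effective_map(keys, attack, rho), two_design_form(keys, attack, rho)) < tol


def attack_reaches_plaintext(keys, attack, rho, tol=1e-9):
    """Malleability witness: does the ciphertext unitary act as itself on the plaintext?"""
    return dist(effective_map(keys, attack, rho), conj(attack, rho)) < tol


if __name__ == "__main__":
    for name, keys in (("Clifford (2-design)", CLIFFORD), ("Pauli (1-design)", PAULI)):
        print(name, len(keys), "keys;",
              "X on ciphertext acts as X on plaintext:", attack_reaches_plaintext(keys, X, RHO_ZERO),
              "; identity+replacement form:", has_two_design_form(keys, ROT, RHO_MIXED))
```

With the Clifford keys every unitary attack, including a generic rotation, collapses to a mixture of the identity and the replacement state, which is the unitary-scheme instance of the characterization described in the talk. With the Pauli keys the bit flip X on the ciphertext is exactly a bit flip on the plaintext, which is the kind of deterministic, non-random change a non-malleable scheme must rule out.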