Thank you. Thanks for the introduction. Thank you for showing up this morning. So in this talk I'm going to talk about encryption and authentication with information-theoretic security. The typical examples are the one-time pad for encryption and universal hashing for authentication. Now, the obvious, well-known downside of these kinds of schemes is that the key cannot be reused. Right, in a one-time pad you can only use your key once; well, that's why it's called the one-time pad. And in general you can only use the key a bounded number of times for these kinds of information-theoretically secure schemes. The reason is quite obvious, at least intuitively: an attacker, Eve, can learn information on the key just by observing the ciphertext or the authentication tag. So if you reuse the key, just by observing the communication the attacker, Eve, will learn more and more information on the key and will eventually know the key. And what's even worse than that, such a passive eavesdropping attack remains undetected, right? There's no way to detect whether eavesdropping took place or not. So this means even if I'm not under attack, and so my key would still be perfectly fine to use for a next round, I cannot use it, because I don't know. So I have to assume the worst, I have to throw it away and take a new key.

So that's where now the idea of quantum kicks in, or the idea of using a scheme with a quantum ciphertext or quantum authentication tag instead, because there we can make use of the fundamental property of quantum mechanics that any eavesdropping will disturb the state. Right, so this gives hope for a scheme that encodes the ciphertext or the tag into a quantum state, and then we can check upon arrival if the state is still in good form, and if it is, then conclude that no eavesdropping took place, and therefore it's safe to reuse the key, right?
I mean, if we had such a scheme this would allow us unbounded safe reuse of the key as long as we're not under attack. Now, as soon as we are under attack, then Eve may have learned information on the key, and then, well, there's nothing that we can do; then some key refreshing has to take place. But the goal is to be able to reuse the key as long as we're not under attack. So that's the general idea.

Now this idea is not new, it's quite old. It actually goes back to an old paper by Bennett, Brassard and Breidbart from 1982. So note that's even before quantum key distribution was proposed. In their paper they proposed a simple scheme for this kind of encryption with key recycling and gave very hand-wavy arguments for its security. Now, they submitted the paper, but it got rejected, and then they had the idea of doing quantum key distribution instead, and the original idea of encryption with key recycling was abandoned, until in 2005 Damgård, Pedersen and Salvail picked up this idea again and proposed a new scheme for this kind of encryption with key recycling, but now together with a rigorous security proof. However, their scheme was more complicated than the original scheme; in particular the quantum encoding was more sophisticated than in the original scheme, to the point that in order to actually perform this quantum encoding you need quantum computing capabilities, meaning for honest users to execute the scheme,
well, they need to have a quantum computer.

So our result is a new scheme, a new simple scheme, very much in the spirit of the original scheme by Bennett et al. In particular, it's based on what we nowadays call BB84 qubits, or simple quantum states that we can deal with with current technology; in particular no quantum computing is involved. And of course our scheme comes along with a rigorous security proof as well.

I also want to briefly mention a related line of research on encryption and authentication of quantum messages, where the data that you want to protect is a quantum state. So Christopher is going to talk about this kind of work in the next presentation. Here I just want to mention that some of these schemes also offer some key recycling features, but in all of these schemes we also have that the honest users need quantum computing capabilities to run the schemes, even if you restrict the messages to be classical in these schemes.

Okay, so before I go into more details about our result, I want to say a few words about the distinction between encryption with key recycling and quantum key distribution, because, well, we are also going to need quantum communication, so we're in a setting where we can also run quantum key distribution. One may wonder why we even care about reusing keys: well, if we cannot reuse the key, we could just run quantum key distribution instead to produce a fresh key. Right, now, I mean, that's true. So from a high level these two things achieve pretty much the same thing, but there are some subtle technical differences.
So for instance, one advantage of encryption with key recycling is that it's essentially non-interactive; the only interaction necessary is a one-bit feedback where the receiver tells the sender whether the key is still safe or not, whether it can be reused in the next round of interaction, and that feedback can be provided offline, whereas in quantum key distribution that's inherently interactive during the execution of the scheme. But then on the other hand, because you have this interaction in quantum key distribution, there you can adaptively adjust to the noise that you have in the quantum communication, which is something you inherently cannot do in a non-interactive encryption scheme. But well, independent of these technical differences, my main motivation was intellectual interest, because encryption with key recycling was one of the very first suggestions of using quantum mechanics in the context of crypto, and more than 30 years later there was still no really satisfactory solution.

Okay, so in our basic scheme we're just going to focus on authentication, right, protecting the message from being modified, so we don't care yet about Eve learning what the message is. Building encryption on top is then not so hard anymore,
and I'll say a few words about that later on.

So as you'll see, our scheme is extremely simple. The shared key consists of two parts, which we call theta and K. Now to authenticate the message M, Alice does the following. She chooses a uniformly random bit string X and encodes it into qubits using theta, the first part of the key, as basis. So this is just a standard BB84 encoding of classical bits into qubits, which you see in essentially every talk on quantum crypto. Then she sends these qubits to Bob along with an authentication tag T on the message concatenated with this additional randomness X. So MAC here is just a standard classical one-time secure information-theoretic MAC, using K, the second part of their shared key, as the key of this MAC. But for concreteness, and also because I'm actually going to use certain special properties, let's think of that particular instantiation of such a MAC where the key consists of a random matrix A and a random vector b, and the tag is computed by means of this linear function; it's sort of a canonical choice of such a MAC.

Okay, Bob, well, Bob does pretty much the obvious thing now.
He also knows theta, he knows the basis that was used to encode the bits of X into qubits, so by performing the correct measurement he's able to recover X. And of course once he has X, and the message is sent along here as well, then he can check the correctness of the tag. That's what he does: he accepts if the check works out and rejects if it doesn't work out. Well, that's the scheme, extremely simple.

So informally, these are the security claims that I make about the scheme. First of all, the scheme offers authentication security, meaning that Bob is going to detect any modification to the message. And well, that's pretty obvious; that's just the job of this MAC here. This MAC ensures that any modification, in particular to the message, is going to be detected, at least as long as this key is good, and it's certainly good at the beginning of time, so to speak. Now the second, more interesting claim is that if Bob accepts, then the key can be safely reused for authenticating a second message, a third message, and so on and so forth. So even though typically this kind of MAC we can only use once with a given key, the statement is that if Bob accepts, then they can actually reuse the same key in the next round for computing this authentication tag. Third point: if Bob rejects, well, then some eavesdropping may have taken place, Eve may have learned some information on the key, then some key refreshing has to take place, and the claim is that it's good enough to refresh theta, but K can still be reused.

Okay, the intuition behind these key reusing properties is the following. Now it's easy to see that if Eve gets to see more and more authentication tags for known messages under a fixed key, then she accumulates more and more linear information on the key and will eventually be able to solve for it. Right.
I mean, that's just the typical argument why you usually cannot reuse the key for such a MAC. But now here the difference is that the authenticated message is partly unknown, because we have this additional randomness X in the message, and intuitively, because Eve does not know theta, X is hidden, at least to some extent, behind these qubits for Eve. So intuitively we expect that there's some uncertainty in the message X, and therefore there is hope that the authentication tag does actually not leak information on the key, in particular if we assume that this computation here has some extractor-like properties. And this is actually a function that you would expect to have some extractor-like properties, or actually know that it has some extractor-like properties, and I mean that's what we're proving in the end, that this is the case.

Okay, I think it's going to be insightful, before I go into more formal statements, to consider a particular "attack", and I have "attack" in quotation marks because it's not an attack that breaks the scheme; well, our scheme is proven secure. It's just something that you can do, and I think it's insightful to see what happens under this kind of attack. So here again I have the scheme as I had it on the previous slide, except that I'm spelling out here the individual qubits that Alice sends to Bob. Now the attack is as follows: Eve simply measures the first qubit in the computational basis, kind of pretending theta one was one, and then she leans back. Okay, so let's see, what's the effect of that?
Well, if the first qubit had been prepared in the computational basis, so theta one was zero, then by measuring it in the computational basis Eve is not disturbing the qubit, meaning that Bob will receive the correct state, so everything is going to look okay to him and he's going to accept. However, if the first qubit had been prepared in the Hadamard basis by Alice, so theta one was actually one, then by measuring it in the computational basis Eve is going to disturb this qubit, to the point that Bob will recover an incorrect X1 with probability one half, and in this case he's going to reject, because X is authenticated along with the message. So now this means, from Eve's perspective, if Bob rejects she knows theta one must have been one, right? So she's learned one bit of information on the key. Now the bad news for her is that because Bob has rejected, well, by definition, or by the way the scheme works, they now have to refresh, or they refresh, theta. So the one bit of information she just got on theta becomes useless to her, because Bob rejected, so they throw away theta and replace it by a fresh choice anyway. However, if Bob accepts, then well, theta one can still be both zero or one, but it's somewhat biased; it's more likely to be zero, which can quite easily be seen. So also here Eve has learned some information on the key, it's, sort of, a constant fraction of a bit of information if you wish, but now this key is going to be reused. Now intuitively this should not worry us, or this does not have to worry us, because if Eve tries to gain more and more information on theta by repeating the attack, pretty soon she's going to be detected; pretty soon Bob is going to reject, because every time she launches the attack Bob is going to reject with probability one quarter, and as soon as he rejects, well, they're throwing away theta and replace it by a fresh choice, so all the information that Eve gained on theta becomes useless to her. Okay, so why did I discuss this attack?
I think this attack shows nicely what we can, or rather what we cannot, expect to be able to prove formally. So it shows that it's not possible to prove a statement of the form "if Bob accepts, then the key remains close to uniformly random", because we've just seen an attack that contradicts this, that shows that this is not possible. And the insight here is that it may not be necessary for the key to be uniformly random to do its job in this authentication scheme, that it might be good enough to have high enough uncertainty. Indeed, that's what we show. I think it's this insight that explains, at least to some extent, why in previous approaches people failed, because in previous approaches people tried to prove exactly the statement that if Bob accepts, then the key stays close to uniformly random. But if you have a scheme that works qubit-wise, then this kind of attack always works and contradicts this statement.

Okay, so the formal statement that we prove, slightly informally stated here, is: if before the execution we have the following security property on the key, first, the guessing probability on theta from Eve's perspective should be small, and K, the second part of the key, should be close to uniformly random; if this holds before the execution of the scheme, then it's also going to hold after the execution of the scheme, where I take it as understood here that after the execution of the scheme I'm going to look at theta prime, which is the possibly refreshed version of theta, so it's equal to theta if Bob accepted, and it's freshly chosen otherwise. So we have this invariant that is kept alive over all executions; in particular it ensures that K, the key for the MAC, stays close to uniformly random and does its job as a key for the MAC. So this means, for instance, if we start off with a uniformly random key, then we can keep on reusing it as long as Bob accepts, and we can still keep on reusing it if Bob rejects,
if the theta part is refreshed.

Okay, I'm going to walk you through the easy part of the proof. For that, let's first note that Eve's view after the execution of the scheme consists of her old view before the execution of the scheme, the authentication tag that she observed, whatever quantum information she keeps on the original qubits that Alice sent, and Bob's decision to accept or reject. So then we can spell out the guessing probability after the execution of the scheme like this, and then we can decompose this into the case where Bob rejects and the case where Bob accepts. Then we observe that if Bob rejects then theta prime is freshly chosen, and if he accepts then theta prime equals theta. But well, for a freshly chosen theta prime the guessing probability is just one over the number of possible choices for theta. And here we're using the property of the guessing probability that if you condition on an event, the guessing probability cannot increase by more than one over the probability of this event, which is then cancelled out with this probability here. So we end up with this term here, and then we note that by assumption the authentication key is close to uniformly random, so A and b are close to uniformly random, which means that T here, the tag, is close to uniformly random, independent of theta, so that doesn't contribute to the guessing probability here. And Q, the information that Eve has kept on the original qubits, well, doesn't provide her more information than the original qubits, and here we can observe that X is uniformly random and therefore these qubits are independent of theta. At first glance they look dependent on theta, because we have theta in the exponent, but because X is uniformly random it's a little bit like a one-time pad that removes all dependency of these qubits on theta. And so this also doesn't contribute, and we end up with the guessing probability before the execution of the scheme. And so if that was
small, then the guessing probability after the execution is small as well.

Okay, so that was the easy part. The other part, proving that the other part of the key stays close to uniformly random, is way more involved, and we're building up on techniques from a previous paper.

Okay, so extending this basic scheme to an encryption scheme with key recycling is quite easy: we just use a randomness extractor with a seed that is part of the shared key to extract the randomness from X, and use that randomness to one-time pad encrypt the message. You can also enhance the scheme to take care of noise in the quantum communication. Doing the error correction in the straightforward way brings us into trouble, but there are nice "error correction without leaking partial information" techniques by Dodis and Smith that come to the rescue. I want to say just very quickly what the trouble with error correction is. The obvious solution for doing error correction is just to send the syndrome of X along, so that if Bob recovers a noisy version of X he can recover the right X with the help of this syndrome. But the problem is, if you then go through this analysis that I just did a couple of slides ago, then we get this expression where we now additionally condition on the syndrome here, and now the argument that because X is uniformly random this does not depend on theta does not hold anymore, because given the syndrome X obviously is not uniformly random anymore. Now if one meditates over this expression and understands what it captures, it's quite clear that it should still be small, but we have no clue how to prove it.

Okay, so in conclusion, what we did is we considered one of the very first ideas for quantum crypto, one of the very first ideas of using techniques from quantum mechanics to circumvent a classical impossibility result in crypto, an idea that was suggested more than 30 years ago, even before quantum key distribution was invented, and we
give the first provably secure solution that doesn't require any quantum computing capabilities. An intriguing open problem is to do this error correction in a better way: if you could do it in the straightforward, obvious way, this would give us not only a nicer, more natural scheme, but it would also allow us to tolerate more noise, because these techniques by Dodis and Smith only work for a relatively small amount of noise. And another interesting question or direction would be, from a practical perspective, to minimize the amount of quantum communication necessary, to make the scheme really competitive with quantum key distribution. And that concludes my talk. Thank you for your attention.

Any quick question?

Do you have an intuition why these attacks on quantum money, like Wiesner quantum money, don't work here? Because it's the same kind of states that they had there.

I don't know what these attacks are that you're talking about. Maybe we can talk afterwards. Yes. Mm-hmm. Sure.
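As an added illustration, not code from the talk or from its authors, here is a classical toy simulation of the BB84-based authentication scheme described in the talk (key theta and K = (A, b), random string X encoded in bases theta, linear tag on M || X) together with the "measure the first qubit in the computational basis" attack. The qubit model (a pair (basis, bit), where measuring in the wrong basis returns a fair coin and collapses the state), the sizes ELL, N and M_TAG, and all function names are my own assumptions. It reproduces the two facts the talk states about that attack: Bob rejects with probability 1/4, so repeating it is detected quickly, and conditioned on Bob accepting, theta_1 is biased towards 0 (it comes out as exactly 2/3 in this model), which is why no proof can claim the reused key stays uniformly random.

```python
"""Toy simulation of the BB84-based authentication scheme with key recycling
and of the "measure the first qubit" attack from the talk. Added example, not
the speakers' code. A qubit is a pair (basis, bit): measuring in the
preparation basis returns the bit and leaves the qubit alone; measuring in
the other basis returns a uniformly random bit and collapses the qubit into
the measurement basis. Sizes below are assumptions for the toy only."""
from fractions import Fraction
import itertools
import random

ELL = 4    # message length in bits (assumed)
N = 6      # number of qubits = length of the random string X (assumed)
M_TAG = 8  # tag length in bits (assumed); MAC forgery probability is 2**-M_TAG


def keygen(rng):
    """Shared key: theta (BB84 bases) and K = (A, b) for the linear MAC."""
    theta = [rng.randrange(2) for _ in range(N)]
    A = [[rng.randrange(2) for _ in range(ELL + N)] for _ in range(M_TAG)]
    b = [rng.randrange(2) for _ in range(M_TAG)]
    return theta, (A, b)


def mac(k, bits):
    """Canonical one-time MAC from the talk: t = A*bits + b over GF(2)."""
    A, b = k
    return [(sum(a & m for a, m in zip(row, bits)) + bi) % 2 for row, bi in zip(A, b)]


def authenticate(theta, k, message, rng):
    """Alice: pick random X, BB84-encode it in bases theta, tag (message || X)."""
    x = [rng.randrange(2) for _ in range(N)]
    qubits = [(th, xi) for th, xi in zip(theta, x)]
    return qubits, mac(k, message + x)


def measure(qubit, basis, rng):
    """Return (outcome, post-measurement qubit) for a measurement in `basis`."""
    prep_basis, bit = qubit
    if prep_basis == basis:
        return bit, qubit
    out = rng.randrange(2)        # wrong basis: outcome is a fair coin
    return out, (basis, out)      # and the state collapses into that basis


def verify(theta, k, message, qubits, tag, rng):
    """Bob: measure in bases theta to recover X, then check the tag."""
    x = [measure(q, th, rng)[0] for q, th in zip(qubits, theta)]
    return mac(k, message + x) == tag


def eve_measure_first_qubit(qubits, rng):
    """The 'attack' from the talk: measure qubit 1 in the computational basis."""
    _, collapsed = measure(qubits[0], 0, rng)
    return [collapsed] + list(qubits[1:])


def run_round(rng, attack):
    """One authentication round; returns (theta, whether Bob accepted)."""
    theta, k = keygen(rng)
    message = [rng.randrange(2) for _ in range(ELL)]
    qubits, tag = authenticate(theta, k, message, rng)
    if attack:
        qubits = eve_measure_first_qubit(qubits, rng)
    return theta, verify(theta, k, message, qubits, tag, rng)


def simulate(trials, attack, seed=1):
    """Monte Carlo estimate of P[Bob rejects] and P[theta_1 = 0 | Bob accepts]."""
    rng = random.Random(seed)
    rejects = accepts = accepts_theta1_zero = 0
    for _ in range(trials):
        theta, accepted = run_round(rng, attack)
        if accepted:
            accepts += 1
            accepts_theta1_zero += (theta[0] == 0)
        else:
            rejects += 1
    return rejects / trials, accepts_theta1_zero / accepts


def exact_attack_statistics():
    """Exact values under the attack, ignoring the 2**-M_TAG forgery term:
    enumerate theta_1 and X_1 (uniform) and, when theta_1 = 1, the fair coin
    deciding whether Bob's Hadamard-basis measurement still recovers X_1."""
    p_reject = p_accept = p_accept_theta1_zero = Fraction(0)
    for theta1, _x1 in itertools.product((0, 1), repeat=2):
        if theta1 == 0:
            outcomes = [(Fraction(1, 4), True)]                          # undisturbed
        else:
            outcomes = [(Fraction(1, 8), True), (Fraction(1, 8), False)]  # coin flip
        for p, bob_accepts in outcomes:
            if bob_accepts:
                p_accept += p
                if theta1 == 0:
                    p_accept_theta1_zero += p
            else:
                p_reject += p
    return p_reject, p_accept_theta1_zero / p_accept   # (1/4, 2/3)


def tamper_check(seed=0):
    """Authentication security sanity check: a flipped tag bit is rejected."""
    rng = random.Random(seed)
    theta, k = keygen(rng)
    message = [rng.randrange(2) for _ in range(ELL)]
    qubits, tag = authenticate(theta, k, message, rng)
    bad_tag = [tag[0] ^ 1] + tag[1:]
    return (verify(theta, k, message, qubits, tag, rng),
            verify(theta, k, message, qubits, bad_tag, rng))
```

Calling `simulate(20000, attack=True)` gives a reject rate near 0.25 and a conditional bias near 0.67, matching `exact_attack_statistics()`; without the attack the reject rate is 0 and theta_1 shows no bias. The simulation is classical only because the talk's attack and Bob's measurement are both single-qubit and in one of the two BB84 bases, so per-qubit outcomes can be modelled by coin flips; it says nothing about coherent attacks across qubits, which is where the actual proof does the work.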