Next paper of the session is on classical crypto protocols in a quantum world. The authors are Sean Hallgren, Adam Smith and Fang Song. Fang will be giving the talk.

Okay, thank you. So good morning everyone. My name is Fang Song and I'm going to talk about some joint work done with Sean Hallgren and Adam Smith. Sorry, but here we go.

Okay, we start off by asking a very basic question: are classical cryptographic protocols secure against quantum attackers? And the answer is not necessarily. Most notably, several computational assumptions are broken by efficient quantum algorithms, for example the well-known Shor's algorithm for factoring and discrete log, and also Hallgren's algorithm for the principal ideal problem. Some may argue that in order to implement these quantum algorithms we need fully mature quantum computers, which are way beyond the current technology. So why should we care? Well, it turns out, as shown by Crépeau, Salvail, Simard and Tapp, that even very primitive quantum technology, like preparing and storing entanglement, will make some classical two-prover commitment scheme no longer binding, which is otherwise information-theoretically secure against any classical adversary. Okay, one may still say, all right, these are just rare instances. Why not just use those unbroken protocols instead?

Well, here's the general issue. Namely, we know very little about how to reason about quantum adversaries, and many classical proof techniques may no longer apply in a quantum setting. A primary example is rewinding, which I'll explain in more detail later. Okay, the consequence is that for many classical protocols, although they are not yet broken by quantum attackers, we also don't have proofs to show that they're indeed secure against quantum adversaries.

Well, the situation is not that bad though. Several specific tasks can actually be achieved by classical protocols with proven security against quantum adversaries. In a breakthrough work by Watrous, he showed zero-knowledge proofs for NP languages against any quantum verifiers, and later Hallgren, Kolla, Sen and Zhang extended Watrous's result, showing a larger class of languages also have zero-knowledge proofs against quantum verifiers. And then Damgård and Lunemann proved a classical coin-flipping protocol is also quantum secure, and in recent work by Unruh, he showed proof-of-knowledge protocols.

So next we may ask what else can be done, and more ambitiously we want to ask: using classical protocols, is every task achievable against classical attackers also achievable against quantum attackers? This could possibly be done either by proving the security of existing protocols or by designing new protocols to realize these tasks against quantum attackers. So in this work we show that a broad class of tasks is actually feasible. That is, there exist classical secure function evaluation protocols against quantum attacks, and this parallels the classical feasibility result due to Yao and to Goldreich, Micali and Wigderson in the 80s.

Let me quickly remind you what secure function evaluation is. So here we have two parties, Alice and Bob, with secret inputs x and y respectively, and they want to evaluate a function f, but without revealing their secret inputs to the other party. So our result says that you can securely evaluate any function f that is efficiently computable, even if Alice or Bob is a quantum adversary.

More specifically, there are two steps towards our main result. First, we show that a family of classical arguments goes through against quantum adversaries, and applying it to existing work we have that a fully simulatable zero-knowledge proof of knowledge is sufficient to construct quantum-secure SFE protocols. I'll explain what fully simulatable means in a few slides, but for those who are familiar with the terminology in secure function evaluation, it is actually equivalent to the formulation of a zero-knowledge ideal functionality. Okay, but unfortunately we don't know if the existing zero-knowledge proof-of-knowledge protocols are fully simulatable as well. So in the second step we construct a new zero-knowledge proof-of-knowledge protocol which we show is fully simulatable against quantum adversaries, and this completes the picture of our main result. Of course, security is only meaningful if you have a rigorous definition of security, so we've also put much effort into the issue of defining security models, but I'm not going to say more about that in this talk.

Okay, let me start from the first bullet and show you how to build SFE protocols from a fully simulatable zero-knowledge proof of knowledge. All right, so the key idea is to identify a family of hybrid arguments that can actually be adapted to work against quantum adversaries as well. To recall, a hybrid argument tries to argue that two distributions are close by making a sequence of small changes that transforms one distribution into the other one. Now, what if these changes are as simple as, say, switching the plaintext of an encryption? Then in order to make the whole argument work for quantum adversaries as well, all we need is a quantum-secure encryption scheme, right? So we propose a general framework, which we call simple hybrid argument, to formalize this type of hybrid argument, and it is similar to code-based games in spirit. Anyway, the details are not important. What's useful is that in a classical work by Canetti, Lindell, Ostrovsky and Sahai, their security analysis actually falls into our simple hybrid argument framework, so their result translates to the quantum setting immediately, showing that, oh sorry, we can construct quantum-secure SFE protocols from a fully simulatable zero-knowledge proof of knowledge, assuming there exist quantum-secure dense encryption and pseudorandom generators. I'll tell you what this means shortly, but notice that both assumptions are implied by, say, the learning with errors assumption.

Okay, now we are only left to show a fully simulatable zero-knowledge proof of knowledge. Let me first explain what fully simulatable means. Okay, consider a prover Alice who wants to convince the verifier about a true statement, say a graph G is 3-colorable, in zero knowledge. The prover has a witness, but she doesn't want the verifier to learn this witness. So formally we consider an arbitrary verifier, which could be a quantum machine with an arbitrary quantum auxiliary state, and the output of the protocol, which we call the view of the verifier, contains both the transcript and also the verifier's final state. We require that there is a simulator who doesn't know the witness but is still able to produce a fake view which is indistinguishable from the real one. Okay, so this is the zero-knowledge part. For proof of knowledge, in addition to simulating a real-looking view, we also require that if the simulated transcript is accepting, then the simulator must also output a valid witness w'. Okay, so this simulation-plus-extraction condition is what we mean by fully simulatable.

Okay, so to explain why extra effort is needed to construct a fully simulatable zero-knowledge proof of knowledge, I'd like to discuss a little bit why zero knowledge is complicated against quantum adversaries. Now classically, we know the main technique to construct a simulator is rewinding, where basically a simulator tries to answer questions from the verifier just as the prover does. But without the witness, the simulator may not be able to answer all of them. So usually what a simulator does is that it picks a random branch from all the possible interactions and checks if it could proceed successfully along that branch. Okay, if not, it just goes back and tries again from the same input. So classically this is very easy to do, because we can just copy the classical verifier and keep trying until success. However, quantumly there's a problem, because this natural approach requires making copies of an arbitrary quantum state, which is prohibited by the quantum no-cloning theorem. And worse still, even just checking whether the random guess will succeed or fail may destroy the state. Okay, and despite the difficulty, Watrous showed that it is possible to construct a simulator for quantum verifiers, and the key observation he made was that if the probability of success or failure of the random guess is independent of the verifier's state, then the state is almost not disturbed on a failed attempt and can essentially be recovered efficiently for another attempt. So this allows generating a real-looking view eventually. Okay, but this technique doesn't seem sufficient for proof of knowledge, because we also need to extract a witness, and extraction typically requires combining multiple answers from the prover. However, Watrous's simulator is in some sense oblivious, because it doesn't remember any information about the current branch once it goes back. Okay, now I want to mention that if extraction is the only goal, then it is also possible, as shown by Unruh. But it is unclear how to do both simulation and extraction at the same time.

All right, now let me give our construction of a fully simulatable zero-knowledge proof of knowledge. The essence is that we make sure a single answer from the prover will be sufficient to recover a witness. So it starts with a coin-flipping preamble, and we interpret the outcome of the coin flipping as an encryption key. Then in the second phase, the prover encrypts the witness and proves in zero knowledge that the ciphertext indeed encodes a witness. Okay, now there are two properties of the coin-flipping subprotocol. First, an honest prover can always make sure the outcome is uniformly random. On the other hand, a proof-of-knowledge simulator can actually control the outcome, and this is the crucial property that allows a proof-of-knowledge simulator to do simulation and extraction simultaneously. Okay, now there are also two properties of the encryption scheme we use. One, it is dense, meaning a valid public key is indistinguishable from a uniformly random string. And second, it is lossy, meaning if the key is uniformly random, then the encryptions of any two messages will have the same distribution, and this lossy encryption essentially allows a zero-knowledge simulator to give a proof to the verifier without knowing a witness. Okay, now with these properties it's not difficult to figure out why this construction works, so I'm including the slides of the proof just for completeness.

Okay, now to put things together. Recall that we've shown how to construct quantum-secure SFE protocols from a fully simulatable zero-knowledge proof of knowledge, and we constructed such a zero-knowledge proof-of-knowledge protocol. Then combining these two, we have quantum-secure SFE protocols in the plain model, meaning we don't need any extra trusted setup. Okay, now we can also show an interesting equivalence between coin flipping and zero-knowledge proof of knowledge, and this suggests that we can also build SFE protocols from a fully simulatable coin-flipping protocol, and that's basically what's been done in independent work by Lunemann and Nielsen, where they got a very similar feasibility result. But there's something more in our work which I don't have time to discuss, but you can find it in the paper.

Okay, now at this moment hopefully I have sort of delivered the message that some key pieces of classical crypto still hold even in the presence of quantum attackers, but many of the rest remain unclear. Now to wrap up, let me mention a couple of open questions. The first: can we extend our result to other settings, say multi-party, and achieving concurrent security? And second, what's the optimal round complexity of these protocols? Say, can we construct constant-round zero-knowledge and coin-flipping protocols secure against quantum adversaries? And another interesting question to consider is: is there any natural two-party classical protocol that is broken by quantum attackers, but not because of computational assumptions? Okay, I'll just stop here and I'm happy to take any questions. Thank you for your attention.

So I have a couple of questions. Concurrent zero knowledge which is secure against quantum adversaries?

That I don't know. There are no protocols now proven to be secure against quantum attackers achieving concurrent zero knowledge.

And let's say you start with a UC-secure protocol. That's right. I mean, the assumptions are already secure against quantum adversaries.

Now the assumptions, I mean, in the classical work there are assumptions like a secure encryption scheme and a pseudorandom generator, so we have to make stronger assumptions, say that those encryption schemes and also pseudorandom generators are also secure against quantum attackers. So given those assumptions, all the security analysis goes through against quantum attackers.

So any classical UC-secure protocol is also quantum secure?

No, not really, not really.

Okay, because you don't need to rewind. So what are the problems in such cases?

So, yeah, that's a very good question. It's just that probably most of those are still secure against quantum attackers, but the problem is we don't know. We just have to be careful in every step of the proof. Right, so here we have shown a small class of classical arguments still holding in the quantum case, although we believe that maybe a larger class also holds, but for now it's just unclear.

Just to maybe answer partly your last question here: there are natural two-party classical protocols for oblivious transfer based on the random oracle model. Oh, you know, right now, come on. Yeah, so it is secure in the sense of it being super-linearly secure: you need to work more to cheat than to be honest. So there are classical protocols for OT. They're very natural. They're secure in that definition against the classical adversary, provably so, and they're broken by quantum adversaries. So the same protocol is classically secure and broken by quantum. That doesn't mean that that protocol cannot be tweaked to become secure against quantum, but there is a protocol which is natural, secure classically and not against quantum.

Okay, nice. In the information-theoretic, information-theoretic sense. We'd run a more cool. Thank you. Let's thank the speaker again.
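As an added illustration, not taken from the talk or the paper, here is a toy Python sketch of an encryption scheme with the two properties the speaker lists for the encryption used in the proof of knowledge: dense keys (a uniformly random tuple of group elements is itself a key) and lossy keys (under such a key, every ciphertext is consistent with every message). The talk does not give the paper's instantiation and points at LWE-type assumptions; what follows is instead a DDH-style scheme, chosen because the lossy case can be shown exactly with a 2x2 linear system. The group is deliberately tiny and constructed for the demo, so that it runs instantly and so that the trapdoor of a uniformly random key can even be brute-forced; the function names and parameters are my own, not the paper's. The point to take from it is the `equivocate` step: under a lossy key the same ciphertext opens as an encryption of either bit, which is exactly the capability a zero-knowledge simulator uses when it "encrypts the witness" without knowing one.

```python
"""
Toy dense + lossy public-key encryption (DDH-style), added as an illustration.
Not the scheme from the paper; constructed parameters, no real security.
"""
import random

# Constructed toy parameters: safe prime p = 2q + 1.  Real use needs ~256-bit q;
# with q this small every discrete log is brute-forceable, which the demo exploits.
P = 2039
Q = 1019
G = 4                      # 2^2, a generator of the order-q subgroup of squares mod p


def rand_exp():
    return random.randrange(1, Q)


def mul(x, y):
    return (x * y) % P


def inv(x):
    return pow(x, P - 2, P)


def dlog(y, base=G):
    """Brute-force discrete log in the order-q subgroup (toy sizes only)."""
    acc = 1
    for k in range(Q):
        if acc == y:
            return k
        acc = mul(acc, base)
    raise ValueError("element not in the subgroup")


def keygen(lossy):
    """pk = (h, u, v) with h = g^a, u = g^r, v = h^r2.  Injective iff r2 == r."""
    a, r = rand_exp(), rand_exp()
    r2 = r
    while lossy and r2 == r:
        r2 = rand_exp()
    h = pow(G, a, P)
    pk = (h, pow(G, r, P), pow(h, r2, P))
    return pk, (a, r, r2)


def random_key():
    """Density: a uniformly random triple of subgroup elements is a key,
    and it is a lossy one except with probability 1/(q-1)."""
    return tuple(pow(G, rand_exp(), P) for _ in range(3))


def encrypt(pk, m, s=None, t=None):
    """Encrypt a bit m (encoded as g^m) with randomness (s, t):
    c1 = g^s h^t,  c2 = u^s v^t g^m."""
    h, u, v = pk
    s = rand_exp() if s is None else s
    t = rand_exp() if t is None else t
    c1 = mul(pow(G, s, P), pow(h, t, P))
    c2 = mul(mul(pow(u, s, P), pow(v, t, P)), pow(G, m, P))
    return (c1, c2), (s, t)


def decrypt(r, c):
    """Injective key: v = h^r, so u^s v^t = c1^r and g^m = c2 / c1^r."""
    c1, c2 = c
    gm = mul(c2, inv(pow(c1, r, P)))
    return 0 if gm == 1 else 1 if gm == G else None   # None: not a valid bit encryption


def equivocate(trapdoor, m0, rand0, m1):
    """Lossy key: given randomness (s, t) that encrypts m0 to c, return (s', t')
    that encrypts m1 to the *same* c.  In exponents this is the linear system
      s' + a t'      = s + a t
      r s' + a r2 t' = r s + a r2 t + (m0 - m1)      (mod q)
    which is solvable exactly because a(r2 - r) != 0 for a lossy key."""
    a, r, r2 = trapdoor
    if r == r2:
        raise ValueError("injective key: the ciphertext is binding")
    s, t = rand0
    t1 = (t + (m0 - m1) * pow(a * (r2 - r) % Q, Q - 2, Q)) % Q
    s1 = (s + a * (t - t1)) % Q
    return s1, t1


def demo():
    # 1. Injective key: encryption decrypts correctly.
    pk, (_, r, _) = keygen(lossy=False)
    c, _ = encrypt(pk, 1)
    ok_decrypt = decrypt(r, c) == 1

    # 2. Lossy key: one ciphertext, two valid openings.
    pk, td = keygen(lossy=True)
    c0, rand0 = encrypt(pk, 0)
    c1, _ = encrypt(pk, 1, *equivocate(td, 0, rand0, 1))
    ok_equivocate = c0 == c1

    # 3. Density: a random key is (almost always) lossy; in this toy group its
    #    trapdoor is recoverable by brute force, so equivocation works there too.
    pk = random_key()
    h, u, v = pk
    td = (dlog(h), dlog(u), dlog(v, base=h))
    while td[1] == td[2]:                      # the 1/(q-1) injective case: resample
        pk = random_key()
        h, u, v = pk
        td = (dlog(h), dlog(u), dlog(v, base=h))
    c0, rand0 = encrypt(pk, 0)
    ok_random = encrypt(pk, 1, *equivocate(td, 0, rand0, 1))[0] == c0

    return {"decrypt": ok_decrypt, "equivocate": ok_equivocate, "random_key_lossy": ok_random}


if __name__ == "__main__":
    print(demo())
```

In a real-size group the simulator cannot brute-force the trapdoor of a random key; that is the role of the coin-flipping preamble in the talk, which lets the simulator steer the outcome to a key whose trapdoor it generated itself, while an honest prover still gets a uniformly random (hence lossy and hiding) key.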