Okay, so I'll be speaking about our paper "Measure-Rewind-Measure: Tighter Quantum Random Oracle Model Proofs for One-Way to Hiding and CCA Security". The authors are Veronika Kuchta, Amin Sakzad, Damien Stehlé, Ron Steinfeld and Shi-Feng Sun. We are all from the Faculty of IT, Monash University, Australia, except for Damien Stehlé, who is from ENS Lyon in France. So I'll be talking about the Fujisaki-Okamoto transform and its security in the quantum random oracle model. The core technique behind such proofs is the one-way to hiding lemma, and I'll talk about prior work that used a query-based secret extraction technique, which suffers from a square-root advantage loss limitation, and I'll explain the quantum origins behind it. Then I'll introduce our new technique, called measure-rewind-measure or MRM, for the one-way to hiding lemma, which is based on a measurement-based secret extraction technique, and I'll summarize our new one-way to hiding lemma that avoids the square-root loss in the tightness of the reduction. Then I'll apply our tighter one-way to hiding lemma to the Fujisaki-Okamoto QROM proof without square-root loss, and I'll conclude with some open problems. So the Fujisaki-Okamoto or FO transform is very commonly used in practice for transforming public-key encryption schemes that are secure against chosen-plaintext or CPA attacks into more secure schemes that are secure against chosen-ciphertext attacks or CCA, and this transformation is very commonly used in, for example, the NIST post-quantum cryptography competition for strengthening the security of public-key encryption schemes. Now we will focus on the FO-not-perp (FO^⊥̸) scheme, which uses two hash functions H and H' that are modeled as random oracles. The function H' is used to make the scheme deterministic: the original scheme is randomized, but the new scheme has its randomness derived from the message by hashing with the function H' in order to make it deterministic.
So this is the T transform part of the FO transform, and there is another transform called U which derives an encapsulated key K as the hash of the message and the ciphertext using the random function H. So this is used to make a key encapsulation mechanism as the result of the FO transform, where the encapsulated key K, or the encrypted key K, is the encrypted value, and we're going to be assuming certain assumptions on the underlying CPA-secure public-key scheme that I'll mention later on. So security proofs in the quantum random oracle model, or QROM, model the access of the adversary to these hash functions used in the FO transform as queries to a quantum oracle that we'll denote by U_O, which, given an input state that encodes the input x to the function, produces an output quantum state that encodes the output of the function, O(x), at this point. In the quantum model attackers can query superpositions of inputs, lots of x's, to the oracle and get an output which is a superposition of the corresponding evaluations of the oracle at those inputs. So this model is potentially much more powerful than the classical random oracle model, and such a model arises against quantum attacks because quantum attackers can implement the hash function as a quantum circuit. Now these kinds of quantum random oracle model attackers can be modeled as a sequence of steps denoted by A_i, where A_i is the i-th part of the attack that outputs the i-th query to the oracle, and this is followed by the application of the oracle, so that overall, after n such queries, there is a final measurement M done by the attacker in order to produce its output.
Now in prior security proofs of the Fujisaki-Okamoto transform in the QROM, the results that were obtained were of this form: the advantage of any attack against the CCA security of the FO-transformed scheme was upper bounded by the square root of the advantage of attacks against the CPA security of the underlying original scheme, and there was also a square root of Q multiplicative factor in these security proof reductions, where Q is the number of queries to the oracle. So this is not a tight reduction, especially because of that square root, which leaves the possibility that FO schemes are much less secure in terms of CCA security than the corresponding CPA security of the original scheme. Now in our work we show the first security proof for Fujisaki-Okamoto where we avoid this square-root loss in the advantage: we show that the advantage of a CCA attacker against the FO scheme is at most Q squared times the advantage of the CPA attacker. So although we don't have the square root, we do pay a bit in the multiplicative cost, which is now Q squared.
Now the core tool in CCA proofs for the Fujisaki-Okamoto transform in the quantum random oracle model is the so-called one-way to hiding lemma, and this lemma essentially allows us to argue that if an attacker can distinguish the encapsulated key K from a random key, then there exists another attacker, called the extractor, that can extract the secret that was hashed from such an attacker. The way it's formulated in the QROM, the quantum random oracle model, is by a game like this. So this is the one-way to hiding game introduced by Unruh in 2014. Here the distinguisher A is given an oracle O that is either H or G. Now H and G are both random functions, but they differ only at one point x*, which is the secret point; at that point they output independent values y_H and y_G. So what the one-way to hiding lemma tries to show is that, given any distinguisher A that can distinguish whether it's being given access to the oracle H or to the oracle G, there exists an extractor algorithm B that, using the distinguisher A, can extract the secret x* with a significant probability. So the advantage of B is the probability that B can extract this x* and therefore contradict the one-wayness of the original encryption scheme that encrypts x*. Now the original strategy for doing this extraction, used by Unruh, was what I call the query-based extraction method, and in fact all subsequent work until ours used this approach. The approach is, in order to extract the secret x* from a distinguisher that distinguishes the hash of x* from random, the idea is to just measure a random query of the distinguisher A and hope that, since one of these queries should contain x* in some sense, the result of this measurement of the queries will give x*. What Unruh was able to show using this query-based extraction method is that the advantage of any distinguisher A is bounded by the square root of the
advantage of this query-based extractor B, up to a multiplicative factor of Q, the number of queries of A. Now subsequent work, culminating in Bindel et al. last year, removed this factor of Q but still left the square root on the advantage of the extractor, and so it's still far from being a tight reduction. Now last year there was a paper by Jiang et al. that asked the question of whether this kind of square-root advantage loss is inevitable in such query-based extraction, and what they proved is in fact a kind of impossibility result that says yes, it is in fact unavoidable to have a square-root loss if you use query-based extraction. What they showed in fact is that there is a quantum distinguisher A that achieves a square-root advantage in terms of the advantage of the query-based extractor, and so it's impossible to remove that square root if you use query-based extraction. Now in this paper our main observation is that if we look more closely into that square-root distinguisher, it suggests in fact another way to do extraction of the secret from such a distinguisher that can circumvent that square-root loss, and we call this idea a measurement-based extractor, because instead of extracting the secret from the queries that the distinguisher makes to the oracle, it extracts the secret from the quantum measurements that the distinguisher makes. So in order to see how this works, we'll review Jiang et al.'s distinguisher, this optimal distinguisher that achieves the square-root advantage. Now what that distinguisher does is it queries a superposition of inputs to the oracle, and it gives each of these some amplitude that we'll denote by the square root of p_x', so the secret x* has an amplitude of the square root of p_{x*}, and if we measure this input register in this state using the query-based extraction, we'll get the secret x* with probability p_{x*}. So assume that this extraction
probability is very small, and we want to extract it with a much higher probability of the square root of p_{x*} or so, or even higher. So what we do is, in the case of this distinguisher, the response of the oracle is going to be either psi_H or psi_G. Now psi_H is the state where the output corresponding to x* is the output of H, and psi_G is where it is the output of G. Now to distinguish whether the oracle is H or G, what this distinguisher does is it makes a measurement, called a projective measurement, with respect to some measurement vector v, and v is chosen as a vector in the span of psi_H and psi_G at an angle of 45 degrees from psi_H. At the end of this measurement the distinguisher will return one with probability that is effectively the squared length of the projection of the state along the measurement vector v. So let's see how the geometry of this situation looks: we have psi_G in blue and psi_H in red, and you can see that the angle theta between them is of the order of the square root of p_{x*}. Now if the attacker makes its projective measurement on v, which is shown in purple here, the projections of psi_H and psi_G are shown by the dotted lines, and if we square those projected lengths we get a difference between the squares that is indeed the square root of p_{x*} up to a constant. So we can see that this distinguisher, using this purple vector v, can achieve a square-root advantage. Now our observation is that in order to make such a high-advantage distinguishing measurement, the attacker effectively has to know the secret x*, in the following sense: if we somehow make the system go into the state v, the measurement vector, then if we measure the input register to the oracle in the state v, in fact what we get is the secret x* with probability close to a half. So basically the measurement vector itself reveals the secret x*.
Now how do we get the state of the system to be v? That's our second observation: in fact, if we just let the attacker perform its measurement with respect to v, then after this measurement of the attacker the state of the system collapses to v; that's the collapsing property of quantum measurements. So by doing this we can transform the system state to be v, and it happens also with a high probability of about a half. So what we end up with is our measurement-based extraction algorithm shown here, which first runs the attacker to output its oracle query; then we process this query with the oracle G, which transforms the state to psi_G; then we let the attacker perform its projective measurement with respect to v, which collapses the state to v with high probability; and finally we measure the input register in the state v, and it gives us the secret x* with again a high probability. So overall this measurement-based extraction succeeds with a high probability of one quarter. Now in fact the attacker that performs this projective measurement with respect to v, because v is not a so-called computational basis vector, has to implement that measurement at step three as the following three sub-steps 3.1 to 3.3: they involve first a unitary operation, then a computational basis measurement, and finally a rewinding back to the query phase. So these three sub-steps 3.1 to 3.3 are equivalent to the step we called three before, and if we write it in this way we can see that in fact our method involves running the attacker and letting it do its measurement M, then rewinding the attacker back to the query phase, and finally making a final measurement of the input register to extract the secret. So this measure-rewind-measure process is the reason why we call our technique measure-rewind-measure or MRM. Now in fact in our paper we show how to generalize this MRM approach to work for general and not
necessarily optimal distinguishers A, and the main idea for this modification of our method is to switch the oracle that we give to the attacker from being G to a kind of superposition of G and H. The superposition oracle, you can see, outputs the sum of the G(x) and H(x) states with an amplitude of a half, and the difference of these two states also with an amplitude of a half, and we have an additional entangling bit here that is zero in the first case and one in the second case. So this is what's called a double-sided oracle, and it can be efficiently implemented by the extractor if it's given access to both the G and the H oracles, so this is what's called double-sided extraction, as it was called by Bindel et al. last year. So our modified, generalized MRM technique uses this superposition oracle and then measures this entangling bit, and if the bit is zero, so it gets that sum of states, it performs an MRM extraction on that sum; otherwise, if the bit is one, it uses the query-based extraction on the difference state. In our paper we analyze this generalized MRM technique, and what we show is that the advantage of any distinguisher A can be upper bounded by an inner product between this difference state and the projection of the sum state along the measurement subspace of the attacker. So overall what we end up showing is that the advantage of the distinguisher A is upper bounded, up to a factor of four, by the maximum of the advantage of the query-based extractor B and the MRM-based extractor C. All this was done for only one oracle query, so in our paper we also generalize it to handle any number Q of queries, and the main idea is to use the classical hybrid technique over the Q oracle queries to show that effectively the advantage of A with Q queries is reduced to the advantage of the attacker for one query, up to a factor of Q multiplicative loss. Now we also observe that the multiplicative
factor of Q can in fact be reduced to d, where d is just the query depth of the attacker: in the case where the attacker makes a lot of parallel queries, it's only the sequential depth that actually matters here, and as a consequence our reduction is nearly tight for low-depth attackers, that is, low query depth attackers, which corresponds to highly parallelized attacks. So here's a statement of our generalized one-way to hiding lemma, and you can see that we achieve a relation between the advantage of a distinguisher and the advantage of the extractor that is within a factor linear in the query depth d of the attacker, and with no square-root advantage loss. Now compared to earlier one-way to hiding results, you can see here that our result uses a double-sided oracle, with H and G used by the extractor, similar to Bindel et al., but we avoid the square-root advantage loss of the previous work and instead have a multiplicative loss of the query depth d. Another difference is that our distinguishing event for the distinguisher is whether the distinguisher outputs one, whereas in previous work it could be an arbitrary, not necessarily efficiently checkable, event. Now in our application of our one-way to hiding lemma to Fujisaki-Okamoto CCA security in the QROM, as we said, we focus on the variant of Fujisaki-Okamoto which doesn't explicitly reject the ciphertext, but instead, if the ciphertext fails the decryption check, it returns a pseudorandom value depending on the ciphertext. Now for our CCA proof for this variant of Fujisaki-Okamoto, because it uses our new double-sided one-way to hiding lemma, we need a proof that can work with such double-sided extraction, and such a proof was given by Bindel et al., but using their old square-root loss one-way to hiding lemma. So we adapt a variant of their proof to work with our new one-way to hiding lemma, and there's just one slight variation in our proof compared to Bindel et al.'s, which is that because their proof applied
the one-way to hiding lemma to a non-efficiently checkable event, and our new lemma only works with efficiently checkable events, we have slightly modified their proof to work with our efficiently checkable events for the distinguisher. So in order for this proof to work, it needs to simulate the decryption oracle in the proof without the secret key, and as part of this, the simulation of the decryption oracle has to replace the hash of the message and ciphertext by another evaluation of some other random oracle R on the ciphertext only. In order to correctly simulate the original oracle during this replacement, we need two properties of the underlying deterministic encryption scheme: first is injectivity, which means that the deterministic encryption function is injective except with sufficiently negligible probability over the choice of the key, and second is the usual hardness of finding ciphertexts that cause a decryption failure. So the statement of our result for the U transform of Fujisaki-Okamoto is shown here; you can see the multiplicative factor of d and the other terms related to FFC, and this is the final result for the IND-CCA security in terms of the CPA security of the original scheme. You can see that we just lose a multiplicative factor related to the query depth of the attacker, so our result is nearly tight for low query depth, but we avoid the square-root loss on the IND-CPA advantage, and there are other terms related to injectivity and FFC. Now in ongoing and future work we are looking at how to improve the tightness of our result, in particular to reduce the dependence on the query depth d by replacing the hybrid argument we used with tighter techniques, such as the techniques by Bindel et al. or Zhandry's query recording technique. We're also working on removing the double-sided oracle, so that our extractor can use a single-sided oracle, and on removing the injectiveness requirement from our CCA proof for Fujisaki-Okamoto.
We also already have some preliminary results on the injectivity analysis and concrete implications of our results for the NIST PQC encryption candidates, and finally it would be interesting to see if there are other applications of our MRM technique in other areas of cryptography. So that's all, I'll stop here, and thank you very much.
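A small numerical illustration of the single-query geometry described in the talk (the square-root distinguisher with measurement vector v at 45 degrees from psi_H, and the measure-rewind-measure extractor applied to it), added here as an example that is not code from the paper or its authors. It assumes a constructed toy setting: N inputs, H and G that agree everywhere except at x*, a uniform query superposition (so p_{x*} = 1/N), and real amplitudes stored in sparse dictionaries.

```python
"""Toy simulation of the optimal one-query distinguisher and the MRM extractor.

Added illustration, not the paper's code.  Assumed toy setting: N inputs,
H and G agree everywhere except at the secret x_star (outputs y_h != y_g),
the distinguisher queries the uniform superposition (so p_{x*} = 1/N), and
states are sparse dicts mapping basis labels (x, y) -> real amplitude."""
import math
import random


def oracle_state(func, n):
    """sum_x sqrt(1/n) |x>|func(x)>: the state after one uniform-superposition query."""
    amp = math.sqrt(1.0 / n)
    return {(x, func(x)): amp for x in range(n)}


def inner(a, b):
    """Real inner product <a|b> of two sparse states."""
    return sum(v * b.get(k, 0.0) for k, v in a.items())


def lin(ca, a, cb, b):
    """ca*|a> + cb*|b> on sparse states."""
    out = {k: ca * v for k, v in a.items()}
    for k, v in b.items():
        out[k] = out.get(k, 0.0) + cb * v
    return out


def measurement_vector(psi_h, psi_g):
    """v in span(psi_H, psi_G) at 45 degrees from psi_H: the optimal distinguisher's projector."""
    cos_t = inner(psi_h, psi_g)                 # = 1 - p_{x*}, so theta ~ sqrt(2 p_{x*})
    sin_t = math.sqrt(1.0 - cos_t ** 2)
    e2 = lin(1.0 / sin_t, psi_g, -cos_t / sin_t, psi_h)   # unit vector orthogonal to psi_H
    return lin(1 / math.sqrt(2), psi_h, 1 / math.sqrt(2), e2)


def prob_input(state, x_star):
    """Probability that measuring the input register of `state` returns x_star."""
    return sum(v * v for (x, _), v in state.items() if x == x_star)


def simulate(n, seed=0):
    """Return the distinguisher's advantage and both extractors' success probabilities."""
    rng = random.Random(seed)
    table = [rng.randrange(n) for _ in range(n)]    # constructed shared random function
    x_star = rng.randrange(n)
    y_h, y_g = rng.sample(range(n), 2)              # H and G differ only at x_star
    h = lambda x: y_h if x == x_star else table[x]
    g = lambda x: y_g if x == x_star else table[x]
    psi_h, psi_g = oracle_state(h, n), oracle_state(g, n)
    v = measurement_vector(psi_h, psi_g)
    p_h, p_g = inner(v, psi_h) ** 2, inner(v, psi_g) ** 2   # Pr[A outputs 1 | H], Pr[... | G]
    return {
        "p_xstar": 1.0 / n,
        "advantage": abs(p_g - p_h),               # ~ sqrt(2 p_{x*}): the square-root gap
        "query_based": prob_input(psi_g, x_star),  # measure a query register: only p_{x*}
        "mrm": p_g * prob_input(v, x_star),        # collapse to v (~1/2), then measure input (~1/2)
    }


if __name__ == "__main__":
    for key, val in simulate(1024).items():
        print(f"{key:>12}: {val:.4f}")
```

For N = 1024 the advantage comes out near sqrt(2/N) while query-based extraction succeeds only with probability 1/N, and the MRM extractor succeeds with probability about 0.26, matching the "about one quarter" in the talk.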