 Hi, everyone. My name is Bosker. I'm a grad student at UC Berkeley, and I'll be talking about work that I did on quantum lightning. A couple years ago, Zandri defined a new cryptographic object called quantum lightning, which is similar to public key quantum money, except it provides a stronger form of unclonability. The paper made a number of contributions to this subject, but I'll just focus on one of them. They gave a concrete construction of quantum lightning and proposed a new hardness assumption that could be used to prove security. In my work, I'll show that the hardness assumption is actually false, so the proof of security does not hold. However, this doesn't mean that the construction is insecure because we haven't given a way to actually win the security game. Quantum lightning deals with unclonable quantum states called lightning bolts. A lightning bolt is a quantum state plus a classical serial number, and as with public key quantum money, the bolts can be verified using only public information, but it's hard to produce two bolts with the same serial number that will both pass verification. The difference is that the lightning bolts can also be generated using public information. This means that even an adversary could run the generation function and produce many valid lightning bolts, each with a unique serial number. Quantum lightning can be used to construct a strong form of public key quantum money, in which not even the bank that produces the banknotes can produce two banknotes with the same serial number. Quantum lightning has three functions, setup gen and bare. Setup just samples the parameters that are used throughout the scheme. Gen is the generation function which produces the bolts, and it's sometimes called the storm by analogy to a lightning storm. As with a lightning storm, there's some randomness involved in running gen that's hard for us to replicate. In our case, it will be the act of measuring a state. So when we measure a state, it collapses to some random value, and every time we run gen and make this measurement, we measure a different random value, and this is how we ensure that successive runs of gen never produce the same exact lightning bolt. Finally, there is the verification function. This verifies that a given bolt is valid, and the security guarantee is that it's hard to produce two states with the same serial number that will both pass verification. Now we'll describe Xandri's proposed construction of quantum lightning, as well as the hardness assumption that they used to prove security. We'll do this all at a high level. The construction of quantum lightning is based on a hash function that's assumed to be collision resistant. The hash function fA takes a matrix M as input and maps it to an n dimensional vector. M is constrained to be symmetric and low rank. Specifically, the rank is less than or equal to D. To compute one component of the output, we use the following formula. We're given a matrix Ai, and we dot its entries with M. What that means is we take Ai and M, we unfurl them into vectors, and then we take their dot product. There are n Ai matrices, so that's a1 through an, and they let us compute the n output components of fA. To generate a lightning bolt, we start with a superposition over all possible inputs to fA. Then we apply the hash function to it, store the result in a separate register, and measure that value. When we measure, the state collapses to a superposition over all pre-images of that hash value. This measurement is random, so every time we run Gen, we get a unique lightning bolt. I won't go into much detail about how VAIR works. The details are given in my paper, as well as the original quantum lightning paper. All we need to know is that VAIR uses a trapdoor matrix R, and R has the following property. R Ai times R transpose is the zero matrix for all components i. Finally, setup samples the parameters that we use in the construction, so it samples the trapdoor R, as well as the nA matrices. Zandri also proposed this hardness assumption and proved that if the assumption is true, then the construction of quantum lightning is secure. Essentially, the assumption says that fA is multi-collision resistant. Specifically, it's hard to find 2k plus 2 colliding inputs, and this should hold even when R is public. Our contribution is to show that the hardness assumption is actually false. We'll use the trapdoor R to construct many colliding inputs to the hash function. To understand our attack, it's useful to make an analogy to the cis-hash function. This analogy was originally used when designing the quantum lightning construction, and it's the starting point for our attack. The cis-hash function takes as input a short vector and applies a linear transformation to it. In our hash function, we take a low-rank matrix and apply a linear transformation. So in this analogy, the shortness of the vectors is related to the low-rank property of the matrices. One trapdoor that's commonly used with the cis-hash function is a short vector in the kernel of the function. And indeed, the analogy holds here. Our trapdoor R gives us a matrix that hashes to zero. So we can see, using the property of the AI matrices and R that was mentioned earlier, that R transpose R hashes to zero. Now with the cis-hash function, it's typically not collision resistant when we know the trapdoor because we can take any preimage, add the trapdoor vector to it, and we'll get a second preimage of the same hash value. However, this attack doesn't immediately work in this construction because the rank of R transpose R is larger than D. So R transpose R is technically not in the domain of FA. That means that if we took a preimage, added R transpose R to it, we won't necessarily get a second preimage in the domain. However, we can get around this problem. The key is to use the rows of R to construct rank one matrices in the kernel of FA. The set K lists the rank one matrices that we can construct in this way. And these matrices hash to zero for the same reason that R transpose R does. So now we've constructed E matrices in the kernel of FA. This is a good number of collisions, but it's not quite enough. So to construct 2K plus 2 collisions, we'll take linear combinations of the matrices in K. Just take D matrices from K, take a linear combination, and we've produced another matrix in the kernel of FA. By taking many linear combinations, we can produce more than 2K plus 2 colliding inputs, and we've broken the hardness assumption. For future work, I'm interested to know if we can break the security of the quantum lightning construction using techniques similar to the ones presented here. Intuitively, if we can construct many preimages of the same hash value, we can construct a state that is close to a valid lightning bolt. Second, even if we could patch the hardness assumption, it's still ad hoc and poorly understood. It would be better to construct quantum lightning from well-studied assumptions, such as those in lattice cryptography. I'm hopeful that we can construct quantum lightning from well-studied assumptions, and I'm eager to see where the field goes from here.