 In this time of social distancing, thank you all for not being here. I will present to you our article, Quantum Security Analysis of Seaside, which is a joint work with André Chaudenloheur. First of all, Seaside is a key exchange that fits into the framework of hard homogeneous spaces, which were introduced by Kouven. To have such a space, you want a group action between an abelian group G and a set X. And you want that this group action is such that it is easy to evaluate, but hard to invert. And from such a space, it is very simple to devise a non-interactive key exchange. Two parts only have to agree on a base point, X, and to choose a secret group element that will not alpha and beta. Again, they will both exchange the group action of their secret element over the base point. And from this information, they can agree on a shared secret by applying their secret element on the values they've received. This protocol is very reminiscent of standard Diffielman, and indeed we can see Diffielman as a special case of hard homogeneous space. In order to have a secure protocol, of course, we want that it is hard to obtain the secret value given the public ones. Now Seaside, in practice, it's an instance of hard homogeneous spaces whose set is a set of super singular elliptic curves over a pry field and whose group is their class group. And for the group action, each element of the class group can be associated canonically to an isogenic, and the image of a curve is the image curve through the isogenic. And for Seaside, the concrete parameters are chosen such that there are many isogenes of small degrees that are available, and the secret isogenic is sampled as a product of these small isogenes up to a small power. So this power will be bounded by 10 in the proposed instances, and it is such that this set of secret isogenes shall almost span the whole set of possible isogenes. Now that we've seen Seaside for the securities, base security parameters is a number of distinct keys, so distinct isogenes, which is roughly the size of the class group, which itself is close to the square root of P. So from that, the authors have proposed three instances of Seaside from 512 bits to 1792 bits, and each is expected to have a security that corresponds to a NIST level, so NIST 1 to 5. And I recall that this NIST level means that it shall be as hard to break the system than to perform both a classical or a quantum exhaustive search on the corresponding variant of AES. Now if we want to cryptanalyze Seaside, the classical cryptanalyzes is fairly simple. We consider that we have two curves that are linked by a secret isogenic that we note alpha, and we can recover this alpha if we find two isogenes, G1 and G2, that comes from each of the two curves, and that arrive on the same image curve, and in that case we can directly recover alpha. And as the size of the group is roughly a square root of P, a collision finding will allow us to recover alpha in roughly P to the fourth. And for the quantum cryptanalyzes, the idea is fairly similar, but seen in a slightly different way. We define two functions that correspond to the evaluation of the group action from an element of the class groups that we note F and G on each of the two curves, and we would want to find the secret value alpha by leveraging the very specific properties that these two functions are equal up to a shift of their input of alpha. Now before detailing our quantum attacks, we need to talk a bit about our cost models. In this presentation we will consider hybrid attacks, that is quantum attacks that will differ part of their computations to a classical computer. And in order to estimate the available resources, we consider that an attacker has at most enough resources to break AS quantumly and classically. Now for more detailed cost metrics for the quantum part of our computations, we consider the circuit model. We try to have a limited number of qubits as limited as possible, and we do not consider a quantum ram access, contrary to, for example, what Chris has proposed in his analysis of seaside. And for the classical cost, we allow ourselves to be slightly less precise in the estimate, and we allow classical ram access. Now in order to make our quantum attack, we first need to implement the seaside oracle, that is a quantum circuit that, given an element of the class group, evaluates the group action from a fixed curve. And this computation is in general hard to do. However, in the case of seaside, we are given many small degree isogenes by the protocol, and we can leverage that to make this evaluation more efficient. This is done in two steps. First of all, we pre-compute the class group using short algorithm, and once we've done that, we compute an approximate short basis of the relational lattice of these small degree isogenes. These two computations will be negligible in the cost of the attack, because the dimension will not be that large. And then for each quantum query, what we will do is first to decompose the isogenic over our base using Babaille's algorithm, and finally to evaluate the sequence of small isogenes with hopefully a small enough power for each one. In practice, for our quantum circuit, we built upon the work of Bernstein-Lange Martin-Leynon-Pany from last year with two main differences. The first one is that we reduced the number of qubits from hundreds of millions to hundreds of thousands at worst using some intermediate uncomputations and been straight up. And when we needed to sample points over an elliptic curve, we used quantum sampling instead of an alligator. Overall, this allows us to have some cost estimates for this oracle, so for the three proposed instances of seaside that range from 2 to the 52 gates to 2 to the 63, we have a limited number of qubits, so up to hundreds of thousands of qubits. Of course, some other trade-offs are possible between the number of gates and the number of qubits, and you can trade between them depending on the amount of available level of resources you have. Now that we have constructed our quantum oracle, we want to solve our hidden shifter problem that is given black box access to these two quantum oracles that corresponds to the evaluation of the group action, find the secret group values that links them both. So in other words, we have two functions, f and g, which are equal up to a shift on their input, and we want to know the value of this secret shift. Classically, this problem is not that interesting because it reduces to collision finding, but quantumly we can leverage this specific shift property to obtain much more efficient algorithm. Now, as all these algorithms use what we call labeled qubits, I will present them now a modular power of 2, but we can devise very similar algorithms that have roughly the same cost for any obedient group. The idea is to start from the all-zero state, then we compute using Hadamard gate, the uniform superposition over the first two registers, then we apply the quantum oracles we've constructed before. This allows us to obtain the uniform superposition of all inputs or outputs over f and g. Then we measure the last register, we obtain a random image of the function, and thanks to the hidden shift promise, this projects the first two registers over this superposition for an unknown value x0. Now, from this superposition, we apply a quantum Fourier transform on the second register, which allows us to obtain a uniform superposition over l, but with different phases, and if we measure this l, what we obtain is a superposition of 0 and 1 with a very specific phase shift presented here that only depends over l, which is classically known because we've just measured it, and s, which is the value that we want, and now all the principles of hidden shift algorithm would be to extract this value of s given these labeled qubits. So, first of all, we can remark that for some with some specific labels, we can obtain some information on the on the secret directly. For example, with the label 2 to the n minus 1, this qubit will be 0 plus 1 if s is even and 0 minus 1 if s is odd. Hence, if we can construct it, we can recover the parity of s, and we can do very similarly for other bits of s using some other labeled qubits. So, how can we construct such a qubit? The first idea is due to Kuiperberg in 2005, which is simply to use a c-note to take two labeled qubits, destroy them, and produce a new labeled qubit whose phase, depending on the measurement in this circuit, will either be the sum or the difference of the two previous labels. And from this very simple circuit, we can devise an efficient algorithm. The idea is to begin with a large number of labeled qubits, and to look for pairs which will be equal modulo power of 2, and when we find such pairs, we combine them. And if we are lucky, we obtain a new label which will be a multiple of a power of 2. And once we've done that, we obtain a smaller list of labels which will all be multiples of a smaller of a power of 2, and we can iterate and so on, until in the end we will obtain labels which will either be 0 or 2 to the n minus 1, and this allows us to product the value we want. So, the general algorithm principle is to begin with many random labeled qubits, and to combine them to converge to the labels we want. This algorithm is sub-exponential, it's asymptotic complexities in 2 to the square root of 2 log 3 of n, up to some polynomial factors, both in quantum time and in quantum memory. And we can't have a low quantum memory because we need to have this large list of labeled qubits in memory in order to combine them. So, now that we have our quantum algorithm, if we want to use it on c-side, first of all, the group order for c-side is not a power of 2, so we need to apply some variance. So, there are two ways to do that. The classical way is that for order groups you converge to 1 to the n minus 1, considering higher order bits instead of lower order bits, and for composite groups you do a mix of the both approaches. But there is another approach which is that for cyclic groups or groups that have a huge cyclic component, as it is the case in c-side, we can work modulo up over 2 and hope that the final equality will hold over the integers and not only over modulo 2 to the n, and in that case we will obtain the label we want. And we've simulated this latter approach, and from simulations, heuristically, we obtain a concrete cost of 2 to the 1.8 square root of n plus 4.3, which roughly matches the asymptotic estimates with a small constant as the polynomial overhead. Now that we have a query cost and that we know the cost of the quantum oracle, we can estimate the overall cost of the attack using this variant of a hidden shift algorithm. And we can see that for the large instances of c-side, the number of required t-gates will be smaller than the number of t-gates required to do a quantum search and the corresponding variant of AES. This algorithm has two limitations. The first one is that it requires a large amount of qubits from a billion to 2 to the 56 depending on the instances and that we don't really have any degree of freedom to increase the classical time. And here we waste a lot of classical time, we could use much more. And if we want to have more freedom, we need to use different variants of hidden shift. For example, we can use regas variant. The principles are fairly similar for this variant, but the combination is different. The idea is not to use two qubits to combine but a small number k. And we consider the transfer product of all these k label qubits, which corresponds to a superposition of 2 to the k values, each value having its specific phase shift. Then we compute the value of the phase shift modulo of 2 for each of the components of the superposition. Once we've done that, we measure the value we've just computed and this will project the superposition of 2 to the k value to the subset of values whose phase modulo 2 to the 1 m will be equal to the thing we've just measured. Now from that, what we can do is to extract two values in the superposition that has the correct phase. So we can do this do this classically because all the values are classically known. And once we've done that, then we can project on these two values. And finally, we can relabel our superposition and map one of them to 0 and the other to 1. And once we've done that, we will obtain a new label qubit whose phase will be the difference of the two phases of the two components we had. We had found and by construction, this phase difference will be a multiple of 2 to the m. So now in order to obtain an efficient quantum algorithm, we can use as before this method iteratively to obtain labels which are multiple of larger and larger power of 2. But here we have a huge difference than before, which is that we have a large classical cost which amounts in computing the solution of this equation, which corresponds to the phase of the elements in the superposition. So this algorithm has been estimated by Chai-Jou and Sukarev, and they obtained an asymptotic cost in 2 to the square root of 2n log of n, which is worse than the previous asymptotic estimate. But it gains in the fact that we use only a linear amount of quantum memory. Now we can remark that we have in fact a lot of possible ways to make this algorithm work, and in particular we can play on the size of the number of qubits we combine. And if we increase the number of qubits we combine at each step, then we will increase the classical cost, but on the other hand it will allow us to perform less steps which will decrease the number of required queries. And in fact if we look a bit more closely to the equation of the of the phase in the superposition, we can remark that this corresponds to a subset sum instance, which means that we can use classical algorithm for subset sum in order to find the solutions. And if we want to have a really low quantum cost, as low as possible, then we can reduce this algorithm to only one step. In this case we would have a very small number of required quantum queries, so not only a quadratic amount, but the classical cost would be exponential with the exponent of subset sum. So 2 to the point 291 at the time of the of the paper in time and memory. And now from this cost estimate we can obtain concrete cost by plugging the cost of the recall, and we see that we have as expected a lower t-gate count than before. We also have a lower number of required qubits because here we are bounding by the number of qubits in the quantum miracle, but at the expense of having a much larger classical time for the attack. And of course there are also some other tradeoffs and if you allow a larger quantum cost, then the classical cost will quickly decrease. This allows for many tradeoffs with this quantum algorithm. However, it is outperformed in many cases by Kuiperberg's second algorithm, which is very similar with the difference that we do not do the last projection in a rigorous variant. And in this case we no longer have subset sum, but we have least merging problems and the overall shape of this algorithm is extremely similar. I do not detail this algorithm, but we do it in the paper and we obtain some other tradeoffs between classical and quantum time. So overall we've seen multiple hybrid attacks over over seasides and we can ask what would be a set of parameters that is safe and that cannot be attacked by such quantum algorithms. Unfortunately, the NIST metrics are not precise enough to provide a definitive answer to this question. So we propose two sets of parameters for list level one. The first one is an aggressive set of parameters. So we consider that NIST level one means that we can have a classical time memory product of 2 to the 128 and that quantum oracle is such that we can afford 2 to the 20 queries. And in that case we would need a prime of roughly 2000 bits in order to avoid these attacks. If we want to be more conservative, for example we can consider that NIST level one means that you can have access to 2 to the 128 classical time and 2 to the 64 classical memory. And if you're more optimistic on the quantum oracle you can consider that it allows for 2 to the 40 quantum queries. And in that case we would need a much larger prime so roughly 5000 bits. To conclude the quantum attacks on seasides have many degrees of freedom that allows us depending on the amount of resources we consider to trade between classical and quantum time classical memory and number of qubits. As we have a sub-expansion algorithm it means that the safe instances are harder to estimate because a small change in the way we count the cost of the attack can lead to a significant change in the corresponding parameters. And finally here we consider that NIST levels depend on concrete time and not only on a number of queries which means that a classical improvement on the execution of the seaside protocol may lead to an improvement of the quantum circuits for seaside and improve the quantum attacks.