 So thanks. So I'm going to talk about privacy invocation against the active counter-officerry and the counter-provenom wave oscillator. And once again, this is joint work with DVShakeable, Kymintro, and Thomas VDIC. So what is privacy invocation? Well, privacy invocation is a protocol where Alice and Bob share some weak secret eggs. And they want to iterate some uniform random key R. And in a passive case, there is a battery E here that has a side of the invocation E about the shared underneath X. And the E also sees everything between Alice and Bob. This can be done by a strong randomistic trader. And a strong randomistic trader is a determinist function. So the function takes the random source X and attains a uniform random CY. And they want to output some uniform random bit. And the trade output should be close to a uniform condition on the random seed and the side of the information E. So how do these two keobars do passive privacy invocation? Well, Alice just passed the random CY to Bob. So because both output, the iterated output of X, again, with respect to Y are the random seed. And because the random seed is the old random condition on Y being known, so the trade output will be random with respect to Y even though. And what about active anniversary? Well, active anniversary can change Y to some Y.9 equal to Y. So this breaks the previous construction. And this case has been studied a lot classically. And actually, this can be done with a two-round protocol by this week. And the protocol uses a construction called number labor trader. And that's why we study it in this work. And what about the quantum case? Well, the quantum case of active quantum anniversary still have the power to change Y to Y prime. But now also the side of information E is the quantum state. And this scenario comes naturally when you try to run some quantum protocol like QKD. And our result is we control the first privacy invocation protocol secure against quantum active anniversary. And this is done by running this week and construct the first quantum proof number labor trader. And I guess the weak point of our protocol is that we have a really high main entropy requirement. The number of the main entropy need to be bigger than over two bits. OK, so let's see how the DWO9 protocol runs. So this is the DWO9 protocol. I hope you can see it starts here. So first, at least use the number labor trader and the sample random formulae, random Y, Y. And it trades on K. Then replace the random seed. And if my change that to some Y prime, and the bob trades a K prime by that Y A prime, then bob sample another random C Y B and make a message authentication code. Use this K prime as a key to make and paste Y B and take back. Then even my change Y B and T to another Y B prime and T prime. Then at least try to check whether the make match. And if it doesn't match, then should you check otherwise both of them use another strong trader to trade X with Y B prime and Y B. So why is this secure? So let's discuss these in two cases. First is if Y equal Y A prime, then just because the trader is a deterministic function, then K will equal to Y prime. So at least the bob will have the same key on their make and the security just guaranteed by the make. What about if change Y A to Y A prime? Well, now we have some problems. So we have some K prime here that might depend on K, but it's different from K. And so those two make has different key that might be related to each other. And the make actually cannot guarantee security in this case. That's why we need number label trader. So number label trader is very similar to a trader except that the adversary also know the trader output to sound different seed Y prime. So Y prime is a seed that you can choose. So instead of just condition Y and E, E trade output is uniform, you also need to condition Y prime and E trade to resolve Y prime. Now if not, we know this is a number label trader here. So K will be uniform with respect to K. So K prime and K are kind of independent. So this is nice. Make can work in this way. Or more like if, yeah. So they were both if Y changes to Y prime. And how about the content security? Well, the previous work proved that the DW9 protocol is secure also in quantum case. But they didn't achieve a full privacy amplification against active quantum adversary because they didn't control the number label trader correctly. So we'll focus on number label trader. So what is the quantum proven on each label trader? And why is it hard? Well, the biggest problem is E prime here. So remember, Eve can produce Y prime as she wish. And of course, what she will do is she will do a measurement on all the information she holds. So that's the quantum state E and the seed Y prime here. But remember that the basic quantum mechanics says if you do a measurement, then your quantum state collapse to something else. So E will collapse to another quantum state E prime. And so what you want about your trader is instead of condition on E, the output being uniform, it should be condition on E prime and the output is uniform. But that's a big problem because you cannot condition on E anymore. And the condition on E prime, you will lose the independence between X and Y. And the trader always needs the independence between the inputs. So this is a page talk more about this. So classically, the site information is not a big problem because people always condition on the site information being some value and X and Y are independent and nice. But in quantum case, if you condition on E prime and X and Y are not independent, this can be checked by an easy classical case of E prime just equal to E plus Y. And if you know quantum Markov chain, you might say, maybe we can use some quantum Markov chain structure to argue for independence between X and Y. But we try a whole bunch of combination. They either are not quantum Markov chain or they leave trivial information. So these don't quite work either. And so we bypass this problem by exploiting the inner product structure of the 12, the number of trader controlled by Lee. And actually use this structure at two different points. And this is also done by reduction to communication gain. So let's talk about the number of trader of E, Lee. So the trader is relatively simple for just to look at this. So X is a vector of T elements over Fp. Y is a vector of T over two elements over Fp, unless you are doing square, then it's over Fp to a T over 2. So the double line here is concatenation. So Y and Y square concatenations together. That's also in Fp to a T. So those are nice. And the bracket outside is inner product. So the output is an element in Fp. So the classical integration is this. We see inner product is a good 2-thousand trader. And then we just see this is a number trader. But obviously it's not. There is a really simple take. That's just Y prime is a linear function of Y, Y prime equal to Ay. Then you calculate the E trade output against Y prime. And easily by linearity, it's just 8 times the output of Y. But we want this to be close to a uniform condition on this. So obviously it is not true. But we say, oh, maybe it's just a linear function is bad. So we encode Y to something nonlinear. Maybe this will be a number E trader. And that works. So let's see this again. So this is a requirement of a number E trader. One output condition on output of Y prime is uniform. So the first step is use this X or A mark that says, if there is a Z0 plus AZ is close to uniform for OA, then the Z0 condition on Z is close to uniform condition on Z. And let's just match things together. So let's say Z0 is a number E trader output, and Z is output with Y prime. So this side looks close to what we want to prove. So we want to just need to prove this side. And this side now is where we use the inner product structure. So if you just plug in what's the plus AZ here, you have this nice structure of inner product with X and the function of Y and Y prime here. There's a really nice form here. So we reduce our problem to prove this inner product of this whole thing is close to uniform. And what's the second step? Well, so first we do some notation to make things easier. So let's say this whole thing is just a function g sub A of Y and Y prime. And it's really to show with some algebra solving polynomials. And you will see that this is at most two to one function. So this function only lose one bit of entropy from Y. So this is one bit of entropy. Then so g has lots of entropy, and X can also have lots of entropy. And because it's a 2-thousand iterator, you can iterate this out and run this out. So what about the quantum setting? Well, first step, we want to do the uniform exolema again. Well, there is no quantum proof, no uniform exolema proof. So we prove it also. Actually, we prove two exolemas. One is the standard version, whereas there is no two register ex not ex. This is just ex. And you say X inner product with A is close to uniform, and X is close to uniform. So the quantum part is now the information E here is all quantum states. So we prove those two exolema. And how we prove the quantum exolema is by generalizing a classical proof based on collision probability. So we define a quantum, sorry. So we use the quantum collision probability, which is defined by TSA, et cetera. So this is the quantum collision probability. The formula looks quite complicated. But the case we use is when A is the classical register, and sigma B is just rho B. So in that case, this is more manageable. And you can prove that the collision probability, gamma C is actually less than 1. So you feel more comfortable calling it a probability. And as a standard check, if you also put the B register as classical, then we'll reduce to the classical collision probability, so sum of probability squared. And so the good probabilities of this thing is first there is a bond between 1 and 2 null. So the transients with uniform and collision probability can bond each other. And this is like a Cauchy-Schrotz thing. And also you can just expand the middle term. This is an easy equation to check. So a quick sketch of how you prove the standard exolema is let's say this. Remember, we want to prove that this is true and that this is true. So let's say A in the product with x is z. So first we start with the transducer of z to uniform. And then we use the first equation to get that to a bound on collision probability. Then use the second equation to expand this algebra. Then you get to collision probability of x. Then you just use the first equation again to get the bound on transients of x. And you prove this. And the approval of the non-uniform one is similar. OK, so we prove we succeeded in our first completion to get this equation we want to prove. But the e prime is still here and it's still breaking independence. And that's really annoying. So how we deal with e prime? Do we carefully analysis its independence on everything? No, that's too complicated. So actually, how about just try not talk about it at all? Yeah, that's much easier. So this is done by a reduction to communication gain. And this reduction of quantum proof between traitors to communication gain is actually quantum common. And I would like to think that it's for a similar reason. OK, so how does communication gain work? So remember, we want to prove this thing. Inner part of x and g is close to uniform. Well, the idea is that it's kind of negation proof. So prove a contradiction. So if it's easy to distinguish from a uniform, then it's kind of easy to guess the exact value of this thing. Of course, it's a factor of P lose, but P is log size, so it's OK here. So we change our goal to guess the value of the inner product and rearrange everything into communication gain. So what you can do, you can get the set of information of e above x. So we have a list that hold x and send our quantum information e out to Bob, and even knows y, so Bob knows y. And if can produce the y prime equal y, so Bob will also output the y prime. And if need to guess the inner product of x and g, so Bob will output the inner product of x and g with respect to the same y prime he output. And now we successfully hide the e prime. e prime now is just the internal variable of calculation of Bob. And it's not obviously outside of this problem. And now this is the renational communication problem. So the usual communication problem will be Alice and Bob want to compute a function of f of x and y. But now Bob get to choose this y prime. So he can output multiple correct answers as Bob can output. Now we reduce this communication gain, but how do we bound this? The idea is use the inner product structure here again. And so we can just apply Fourier transform to which contract x. But if Bob can reconstruct x, then x cannot have too much entropy condition on e. So as a toy model, let's say it's Bob want to do communication gain inner product of x and y. And to make it even easier, let's say they are doing f2. So inner product is just the inner product of B string that everyone is familiar with. So if Bob can calculate x inner product with y for all y, then obviously he can construct this protocol of y to minus 1 to the x inner product with y. Then Bob can calculate x easily as this. So he prepare the uniform superposition of everything, then apply this protocol. So uniform superposition times the minus 1 to x dot y. Then if he just apply a headman, AVQ bits, then Bob will recover x. And so that's a toy model. Because in the real model, you need to change back to fp. And then you need to think about what GA do. And Bob don't succeed on everything actually. You are considered on low success probability of 1 over p plus epsilon. And the input is over uniform y. But if you check the maze, everything works out. And then we can get a bound on the main entropy of x condition e that depends on the success probability of this protocol. Log on by some here. And also this over to that get carried to everywhere that's entropy search hole. And then you trace back to everything. You can prove the security of the non-mailable trader. So a quick summary. We give the first privacy application protocol secure against quantum activity of the mystery by doing, by construct the quantum proof non-mailable trader. And all the trader has the main entropy requirement of bigger than over 2 bits. So obvious future question will be, can we construct a non-mailable trader with entropy breaking this over 2 search hole? So thank you. Any questions? So I mean just one quick question. So you proved that this non-mailable extractor is quantum proof. Like what would the difficulty be if you would try to prove some other non-mailable extractor is quantum proof? So I think this can be answered in two directions. One is extend the existing trader and the proof to quantum. And the other one is journalize these two other extractors. So the existing traders, I guess the most popular one, are based on alternative instructions. And a lot depends culturally on conditional site information, since they are independent. And as we talked about, we'll just change E to E prime. And we don't have quite a way to deal with E prime. And the other thing is extending our work to other things. As I said earlier, we use the inner product structure here on two points. So first one is we use this and the XOLMA to compress the variables. And the last one seems hard to journalize to other case. The other place we use is to do a reconstruction to bound the communication. Again, that seems to be doable. We tried hard enough. But the XOLMA part seems pretty hard to journalize. Yeah. Let's thank the speaker again.