Hello, I'm Akinori Hosoyamada from NTT Social Informatics Laboratories. This talk is about provably quantum-secure tweakable block ciphers. This is a joint work with Tetsu Iwata from Nagoya University.

This is the summary of our results. First, Kaplan et al. showed that some TBC modes of BCs, such as the LRW constructions, are completely broken by polynomial-time quantum query attacks. And there has been no TBC mode proven to be secure against quantum query attacks. In our paper, we show a new scheme, LRWQ, which is a TBC mode of block ciphers, and we prove that LRWQ is secure against quantum query attacks. This is the summary of our results.

Next, I would like to explain the background of our research. First, I'd like to recall the classical attack model of chosen-plaintext attacks. In the classical attack model, we usually assume there is an adversary who has a classical computer, and there is an encryption oracle. The adversary is allowed to make many queries to the encryption oracle, and if a message m is queried to the encryption oracle, the oracle returns the corresponding ciphertext to the adversary. So this is the classical attack model of chosen-plaintext attacks.

Next, I'd like to explain two attack models in the quantum setting. The first model is called the Q1 model. In this model, the computer of the adversary is replaced with a quantum one, so the adversary can use quantum computers for offline computations. But the encryption oracle is unchanged from the classical setting, and again the adversary can make many classical queries to the oracle. This is the Q1 model. The other model in the quantum setting is called the Q2 model. In this model, the oracle is also replaced with a quantum one, a quantum encryption oracle. Now all of the computations and communications between the oracle and the adversary are done in quantum superposition, so the adversary can make queries in quantum superposition, and the response from the oracle is also in quantum superposition. This is the Q2 model. Apparently, the ability of the adversary in the Q2 model is much stronger than the ability of the adversary in the Q1 model, because in the Q2 model both the computations and the communications are done in quantum superposition. So these are the two main attack models in the quantum setting.

Next, I'd like to explain quantum security notions. There are two security notions in the quantum setting: standard security and quantum security. The first one is security against Q1 attacks, or classical query attacks. The second one is security against Q2 attacks, or quantum query attacks. Apparently, the first one, standard security, is important, because in the Q1 model the oracle is the same as the classical one, and so the Q1 model will be realistic as soon as large-scale fault-tolerant quantum computers are available. Sometimes the term post-quantum security means only standard security. But here I'd like to emphasize that studying quantum security is also important, and I'd like to explain three reasons. The first reason is that studying quantum security is theoretically interesting, because many things that do not happen in the classical setting happen in the Q2 model. For instance, some symmetric schemes that are proven to be secure in the classical setting are completely broken in polynomial time in the Q2 model. So studying quantum security is theoretically interesting. Second, considering the Q2 model will be plausible in the far future, when lots of computations and communications are done in quantum superposition. Finally, if a scheme is proven to be secure against Q2 attacks, then the scheme is secure against all attacks in arbitrary intermediate models between Q1 and Q2, and we can claim that the scheme is secure against all possible black-box query attacks. So these are the three reasons that I think studying quantum security is also important.

Next, I'd like to explain the motivation behind our research. First, I'd like to recall the very basics of tweakable block ciphers. A tweakable block cipher, or TBC, is a block cipher that takes an additional input called a tweak. Tweaks are supposed to be completely public, and if a different tweak value is used with a secure tweakable block cipher, then a completely different and independent block cipher is instantiated. Tweakable block ciphers are used in many efficient and highly secure AEs, MACs, and so on. There are two approaches to build tweakable block ciphers. The first approach is to build the TBC as a dedicated primitive. The other approach is to build the tweakable block cipher as a mode of block ciphers, like the LRW constructions. Our focus is the second approach.

Next, I'd like to recall the basics of the LRW constructions. The LRW constructions are the most basic modes of block ciphers for tweakable block ciphers, introduced by Liskov, Rivest, and Wagner. There are two variants, LRW1 and LRW2. These constructions are proven to be secure in the classical setting. But at CRYPTO 2016, Kaplan et al. showed that the LRW2 construction is completely broken by a polynomial-time Q2 attack, and actually a similar attack works on LRW1. So eventually both of these constructions are completely broken in polynomial time by Q2 attacks.

Next, I'd like to explain how the Q2 attacks work. I'd like to explain both of the attacks, on LRW1 and on LRW2, but I do not have enough time to explain both, so here I'd like to focus on the attack on LRW1. First, define a function f like this: f(t) = LRW1(m0, t) ⊕ LRW1(m1, t). Here, m0 and m1 are some fixed constants. Then define a value s like this: s = E_k(m0) ⊕ E_k(m1). This is a secret value depending on the secret key. Then, with some straightforward calculation, we can confirm that this function f is periodic and s is the period. That is, f(t ⊕ s) = f(t), and this equation holds for all t. This means that the period s can be recovered by applying Simon's quantum period-finding algorithm to this function f. Here, please note that Simon's quantum algorithm is a polynomial-time algorithm that finds a period of a periodic function. Please also note that we are now assuming the adversary can make quantum superposition queries to LRW1, so the adversary can evaluate this function f in quantum superposition, and thus the adversary can apply Simon's quantum algorithm to this function f. Next, suppose that LRW1 is replaced with a tweakable random permutation, or an ideally random tweakable block cipher. Then, even if the adversary applies Simon's algorithm to this function f, Simon's algorithm will not return any period. So the adversary can distinguish LRW1 from a tweakable random permutation, or an ideally random tweakable block cipher, by checking whether Simon's algorithm returns a period or not, in polynomial time. This is a very rough overview of how the attack on LRW1 works.

Now the important point is that, so far, there does not exist any TBC mode proven secure against Q2 attacks or quantum query attacks. This is the starting point, or the motivation, of our research. Our goal in our paper is to build a TBC mode with provable security against Q2 attacks or quantum query attacks.

Next, I would like to introduce our new construction, LRWQ. Recall that the LRW1 construction looks like this. This is secure in the classical setting, and very roughly speaking, the reason that this structure is completely broken in the Q2 model is that a t-independent value, E_k(m), is added or XORed with the variable t, which is under the full control of adversaries. So this is a very rough reason why LRW1 is completely broken in the Q2 model. I mean, if such a property holds, we can make a periodic function from this structure and apply Simon's algorithm to break the scheme. So, to prevent or to break such a property, we introduce additional block cipher calls here. This is our new construction, LRWQ, and we use three different keys, K1, K2, and K3, for the different block cipher calls. By introducing the additional block cipher calls here, we can prevent attacks using Simon's quantum algorithm.

Next, I'd like to explain how we proved the security of the LRWQ construction against quantum query attacks. This is our main result. LRWQ is indistinguishable from a tweakable random permutation by Q2 attacks up to order 2^(n/6) quantum encryption queries. That means LRWQ is secure against quantum chosen-plaintext attacks. Here, please note that we do not claim any security against quantum chosen-ciphertext attacks, and we assume adversaries can query both m and t in quantum superposition. I will explain details about security against quantum chosen-ciphertext attacks later. To prove this theorem, we used the compressed oracle technique.

Next, I'd like to give a brief overview of this technique. In the quantum setting, one of the most significant difficulties in proving quantum security is that it is not trivial how to record queries to oracles. In the classical setting, it is very trivial that we can record queries to oracles and the responses from oracles. But in the quantum setting, if we record queries to the oracles in the naive way, it completely breaks the quantum state of the adversary, and the proof does not work. So in the quantum setting, it is non-trivial how to record queries to oracles. But in 2019, Zhandry introduced a very useful technique, which is named the compressed oracle technique. This technique enables us to record queries and responses of random functions to some extent. Actually, this technique is somewhat close to, or similar to, classical lazy sampling. The behavior of the compressed oracle for a random function f looks like this. First, if a fresh value x is queried to the compressed oracle, then the oracle lazily samples the value y = f(x) and records the pair (x, f(x)) in the database. So this compressed oracle keeps a database which stores the history of queries and responses, like classical lazy sampling. Next, if a non-fresh value x is queried to the oracle, then the compressed oracle returns the recorded value. This part is the same as classical lazy sampling. But unlike classical lazy sampling, the compressed oracle sometimes removes or rewrites the record when x is queried to the oracle. So this is somewhat different from classical lazy sampling, and this may seem somewhat weird, but this part is essential to record queries in the quantum setting. So this part is somewhat different from classical lazy sampling, but still, this technique enables us to use the intuition of classical lazy sampling to some extent. So this is a rough overview of the compressed oracle.

Next, I'd like to explain how to prove the indistinguishability of this construction, LRWQ, and a tweakable random permutation, or an ideally random tweakable block cipher. To prove indistinguishability, I'd like to use the compressed oracle technique. Please note that the compressed oracle technique is applicable only to random functions, and it is not applicable to other primitives such as random permutations. So first, I'd like to change these schemes so that they are composed of only random functions. First, by assuming the underlying block ciphers are secure, we can replace the block ciphers with random permutations, RP0, RP1, RP2, like this, and the security loss will be like this. This security loss will be very small if the underlying block cipher is secure. Next, I'd like to also replace the random permutations with random functions, RF0, RF1, RF2, and the security loss due to changing random permutations to random functions is like this. This security loss is still sufficiently small if the number of quantum queries q is not large. Next, I'd like to also replace this tweakable random permutation with a random function, like this. Now, the security loss of changing the tweakable random permutation into a single random function of two inputs is like this. I mean, this security loss is not so large, or sufficiently small, if the number of quantum queries q is not large.

Next, I'd like to change this random function further, so that the structures of this function and this function will be as close to each other as possible. I'd like to change this random function like this. Again, RF0 and RF1 are random functions, and RF_big is also another independent random function. This random function takes three inputs: m, this sum, and t. This structure seems a little bit more complicated than just a single random function, but still, the output distribution of this structure is completely the same as the output distribution of a random function, because RF_big takes m and t themselves as inputs. So there is no security loss for changing the random function to this complex structure. I'd like to call this structure F_small, and this structure F_big. Please note that these functions, RF0, RF1, RF2, and RF_big, are random functions, and we can use the compressed oracle technique on these functions.

Next, please recall that the compressed oracle keeps a database to store the history of queries and responses. So the oracle of this structure, F_small, keeps three databases: database D0 for RF0, database D1 for RF1, and database D2 for RF2. Similarly, the oracle of this structure keeps three databases, D0, D1, and D_big. Next, suppose that the tuple of databases D0, D1, D2 for this structure does not contain any collision here, at the input to RF2. We say that such a database is a good database. Similarly, if a tuple of databases D0, D1, D_big does not contain any collision here, then we say that this is a good database. Now, the important thing is that there is a natural one-to-one correspondence between the set of good databases for this construction and the set of good databases for this construction. Roughly speaking, this means that the component of the quantum state of the adversary interacting with F_small containing good databases is almost equal to the component of the quantum state of the adversary interacting with F_big containing good databases. Intuitively, this further means that the two functions F_small and F_big are indistinguishable as long as the databases are good. So what remains to be shown is that producing bad databases, or non-good databases, is hard.

Next, I'd like to explain why we can show that producing non-good databases, or bad databases, is hard. Please note that a tuple of databases (D0, D1, D2) for F_small is bad, or non-good, if and only if it contains a certain kind of collision like this. In the classical setting, showing the hardness of producing such bad databases, or showing the hardness of producing such a collision, is very easy by using lazy sampling. And even in the quantum setting, thanks to the compressed oracle technique, we can use the intuition of classical lazy sampling to some extent, because the compressed oracle, very roughly speaking, enables us to use the classical intuition of lazy sampling to some extent. So this is a very rough overview of how we showed the quantum security of LRWQ.

Here, I would like to provide some remarks. First, LRWQ, our construction, is not secure against chosen-ciphertext attacks, even in the classical setting, because a chosen-ciphertext attack making O(1) classical queries distinguishes LRWQ. Second, very recently, we found some errors in the details of the proof. Actually, we observed that these errors can be fixed by modifying the definition of good databases slightly. By modifying this definition, the bound of Proposition 8 in our paper, an intermediate proposition, will be changed from this one to this one. But fortunately, the final bound, this one, will not be changed. We are preparing an errata, and we are going to make it public soon.

Finally, I'd like to summarize today's talk. First, there has been no TBC mode of BCs proven to be secure against quantum query attacks, or Q2 attacks. In our paper, we introduced a new construction, which we named LRWQ. This is a modified version of LRW1, and we proved that this construction is secure against quantum chosen-plaintext attacks. We used the compressed oracle technique to prove the security. Actually, recently, we found there are some errors in our proof, but we observed that they can be fixed by slightly modifying the definition of good databases. We are preparing an errata, and we will make it public soon.

Finally, I'd like to explain possible future work. Apparently, the important future work is to come up with a new construction with security against quantum chosen-ciphertext attacks, because our construction is not secure against chosen-ciphertext attacks. But to prove security against chosen-ciphertext attacks, a permutation version of the compressed oracle is necessary, because the compressed oracle technique is applicable only to random functions. To prove security against chosen-ciphertext attacks, we have to record queries to decryption oracles, and to record queries to decryption oracles, a permutation version of the compressed oracle will be necessary. Recently, some researchers have been working on developing a permutation version of the compressed oracle, but as far as I know, no one has succeeded yet. So this task is somewhat difficult, but still, I think these topics will be very interesting future work. That's all. Thank you for your attention.
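As an added illustration, not code from the talk or from the authors, the following Python builds LRW1 and LRWQ over a toy 8-bit keyed permutation that stands in for the block cipher and checks the structural property behind the Q2 attack described above: for LRW1 the function f(t) = LRW1(m0, t) ⊕ LRW1(m1, t) is periodic in the tweak with period s = E_k(m0) ⊕ E_k(m1), while the same function built from LRWQ has no period. It assumes the LRWQ shape E_K3(E_K1(m) ⊕ E_K2(t)) as sketched in the talk, constructed constants m0, m1 and keys, and a brute-force search over the toy domain in place of Simon's algorithm.

```python
import random

N_BITS = 8                      # toy block size (constructed); real ciphers use 64 or 128 bits
MASK = (1 << N_BITS) - 1


def make_toy_cipher(key: int):
    """Keyed random permutation on N_BITS-bit strings, standing in for an
    ideal block cipher E_k. Constructed stand-in, not a real cipher."""
    table = list(range(1 << N_BITS))
    random.Random(key).shuffle(table)
    return lambda x: table[x & MASK]


def lrw1(E, m: int, t: int) -> int:
    """LRW1(m, t) = E_k(t XOR E_k(m)); the same key is used for both calls."""
    return E(t ^ E(m))


def lrwq(E1, E2, E3, m: int, t: int) -> int:
    """LRWQ(m, t) = E_K3(E_K1(m) XOR E_K2(t)) with three independent keys
    (assumed structure from the talk: the tweak no longer enters the XOR
    unencrypted, so no t-independent value is XORed with the raw tweak)."""
    return E3(E1(m) ^ E2(t))


def periods(f) -> list:
    """All nonzero s with f(t XOR s) == f(t) for every n-bit t.
    Simon's algorithm finds such an s with polynomially many quantum
    queries; on this toy domain we simply exhaust all candidates."""
    return [s for s in range(1, 1 << N_BITS)
            if all(f(t ^ s) == f(t) for t in range(1 << N_BITS))]


def lrw1_periods(key: int = 1, m0: int = 0x0A, m1: int = 0x5C):
    """Periods of f(t) = LRW1(m0, t) XOR LRW1(m1, t), together with the
    key-dependent secret s = E_k(m0) XOR E_k(m1) the talk predicts as period."""
    E = make_toy_cipher(key)
    f = lambda t: lrw1(E, m0, t) ^ lrw1(E, m1, t)
    return periods(f), E(m0) ^ E(m1)


def lrwq_periods(keys=(1, 2, 3), m0: int = 0x0A, m1: int = 0x5C) -> list:
    """Periods of the same distinguishing function built from LRWQ.
    E_K2 is applied to t before the XOR, so f is no longer periodic in t."""
    E1, E2, E3 = (make_toy_cipher(k) for k in keys)
    f = lambda t: lrwq(E1, E2, E3, m0, t) ^ lrwq(E1, E2, E3, m1, t)
    return periods(f)


if __name__ == "__main__":
    found, s = lrw1_periods()
    print(f"LRW1: predicted period {s:#04x}, found {[hex(p) for p in found]}")
    print(f"LRWQ: periods found {lrwq_periods()}")
```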