 Hey, everyone. So I guess Mark mostly went over the introductory material on this with somewhat better slides. So as you know, we use the random oracle model a lot to model protocols where we still don't know how to prove things in the standard model under standard assumptions. And in the quantum world, we want to be able to port this over, so for which purpose we have the quantum random oracle model. But the proofs in that model are much more difficult and often give looser bounds. And we would like to, of course, be able to distinguish between some cases the proofs give looser bounds, and some cases the attacks are actually better. So the most well-known example is Grover's algorithm. And so in that direction, we want to sort of develop techniques that work in the classic ROM that still work in the Q-ROM. So you heard in the last talk how to do this for recording the adversaries queries and responding adaptively. But there's still a large number of caveats on that. And so it requires quite a lot of expertise to wield. So a simpler technique, but a weaker one, is this one way to hiding technique that sort of still works in the Q-ROM. So here we're trying to make that easier to use, apply to more cases, and have at least in some cases a lower security loss. So the original work comes from Unruh, who's one of the authors on this paper in 2015. But his one way to hiding only works in very restrictive settings and has a quadratic security loss in the number of queries Q that the adversary makes to the oracle. And in here, we sort of generalized it, removed a bunch of the restrictions, and tightened it so that it can be as low as linear loss and linear in the depth of the queries that the adversary makes to the oracle, which practically speaking could be much less than the total number. So an outline of the talk is a brief, brief discussion of the differences between the classical versus the Q-ROM. And these new one way to hiding results. And then some examples of how you can use them to prove things, sort of time permitting in a relatively sane way. So you know how the random oracle works, so most attacks either are attacking a hash function or they're just treating it as a black box that returns random numbers, so you might call them generic. And so you suppose that the attack would still work if the hash function really were a black box or a magic eight ball or something. And so this formalizes a lot of intuition that you might have when designing a protocol, such as the attacker can't know anything about the hash of a message without actually knowing what that message is. And it allows you to furthermore extract the message because it has to be presented as an oracle query before the adversary knows anything about it. And so you have all these proof techniques, right? Where the simulator can control the random oracle, can see all the queries, can choose answers adaptively, can rewind the adversary and so on. And furthermore you get some very simple information theoretic limits about what adversaries can do on certain problems. So for example, if you're given h of x, then the adversary can't find x with probability more than q plus one over the domain size because while he gets q shots to query it on random oracle queries and then maybe one guess with his output. So there's a sort of trivial proof of that almost in the classical random oracle model. But in the quantum random oracle model things get a little bit more complicated. So the adversary can now query the hash function in quantum superposition. So as Mark said, right, you could imagine like he puts in the sum of amplitude times x and gets out the sum of amplitude times hash of x but that doesn't actually work because it's gotta be reversible. So it's actually this, you know, x, y and then hash of x gets x ordered into y but same basic idea. And so it's been shown that quantum adversaries can do more in this model with fewer queries on some problems and on some they can't and so it's kind of hard to tell intuitively which ones those are going to be. And it's also very difficult to record queries to oracles. So if the oracle is a uniformly random quantum oracle then the previous talk says you can sort of record the queries approximately and there's a little bit of loss in recovering them. The simulator can in some cases respond adaptively but again there's a lot of caveats on that. So we're gonna show a technique that can recover some semblance of tightness and proofs without necessarily getting into the analysis required to figure out quantum recording of queries or to analyze too much into the quantum states. But before we do that, one note on depth restrictions. So a realistic adversary if it's querying an oracle many times is like practically gonna have to do this in parallel. So you wanna make two to the 64 queries to an oracle for your attack. If you're Bitcoin then you're doing this four times a second every second. And that works because the Bitcoin network has a huge number of computers that are operating in parallel or rather ASICs operating in parallel but if you were to do this sequentially even if you could do it every clock cycle at five gigahertz it would take more than 100 years. So practically you can say essentially no adversary on computers that we know about is going to be able to do two to the 64 sequential work but they might very well easily be able to do two to the 64 parallel work. So in addition to the number of queries we're going to use a depth of queries a sort of a circuit depth where the things that add to the depth are oracle queries which isn't necessarily less than or equal to Q. And all this really does is in the analysis it replaces query with round of queries. And the reason we're doing this is that while in the classical random oracle model it doesn't necessarily help you. Like you still end up with a Q out front instead of a D out front in most cases. In the Q ROM it will help. So for example Grover's algorithm is going to depend on the depth of the quantum queries and not just the number of them. So onward to one way to hiding. So the classic version of this idea is very simple. So if you're doing a proof by a series of games then you're sort of cheating the adversary a little bit more in each game step. And one way that you might do that is by replacing the previous random oracle with a slightly different possibly less random oracle. So if you have two oracles actually they don't have to be random. They can just be any oracles classically that agree everywhere except on some like possibly small set S. Then an adversary can't tell them apart without querying an element of that set classically. It's pretty obvious, right? Because they behave the same everywhere else. And so in particular if you have a simulator that's observing the oracle queries then they can extract some X in that set if they can recognize it. And the adversary's probability of telling the two oracles apart is necessarily less than or equal to the probability that the simulator extracts an S. And so this is how you'll do, the simulator can't tell apart the encryption of two messages unless the adversary can't tell apart the encryption of two messages unless he can tell the simulator the RSA problem answer or whatever or the discrete log of something CDH problem. This is how you're gonna construct your proofs in general. Of course it's also possible that the simulator is not able to recognize elements of S like if it's a CDH problem for example. And in that case at worst it can randomly choose one of those queries and gets that that was the element of S. And then if the adversary is telling things apart with some probability that's less than the number of queries times the probability that the simulator is extracting things. So again, while this talk is sort of nominally in the random oracle model this is gonna work with things that are not necessarily random oracles. They can be oracles drawn from any sort of arbitrary distribution. They can be fixed oracles. The adversary still can't tell them apart without querying the place where they differ. So the quantum case is a little bit similar. So this appeared in Unruh's work in 2015 but with a lot of restrictions. So again if two oracles are the same except on some set S the adversary can't tell them apart without querying that set. But it might query a superposition of many inputs some of which are in the set and some of which are not. And they might have certain amplitudes possibly small amplitudes on the set and that would give some chance of telling them apart and so on. So the one way to hiding theorem says that again this is assuming to start with that the simulator cannot recognize the elements of this set. So it will randomly choose some query or since we're doing this depth restricted model randomly choose a round of queries. Measure all the queries in that round and then output them. And it's possible that one of these is in fact in this set and call that event guess. So whereas before the probability was the distinguishing probability was at most Q times the guessing probability. Here it's at most 2D times the square root of the guessing probability. And this will end up actually sort of being more like two times rad QD guessing probability because this here we're outputting like multiple possible guesses. And in the previous one we're only outputting one. Another fact that comes from the same theorem is that the difference of square roots of probabilities of two events occurring not just the distinguishing probability this is also bounded by the same value. And that's gonna be true for the other theorems in this work as well because of the structure of the proof. And the main point of this is that usually in these oracle proofs at some point you cheat the adversary so hard that he can't win. So if for example the adversary can't win here and this probability is zero then you can clear the square roots and you won't have this obnoxious square root. Whereas up here if you clear this then you still have a square root in the bound. So this raises the question of like well what happens if the simulator can recognize the set being queried. And so you could imagine well you just measure whether the input is in that set or not and that's what we do but you can't do it exactly like that. So suppose you have some quantum algorithm that recognizes an element of the set. The idea is that you get this quantum input x and then you run the recognizer on it and you measure only the output of the recognition function and not the element x. And then that tells you whether it's in the set or not. And probably once you recognize that it is in the set then you're going to measure the x and output it but if it's not in the set, if it's not the thing that the simulator is looking for then you just return the output of the oracle and continue on. And so this is what we call a punctured oracle. It's the hash punctured by this set that you're recognizing. And the reason it's called punctured is that as long as the adversary makes queries that are measured not to be in the set then his behavior doesn't depend on the value of the oracle there. So it sort of effectively removes those inputs from the domain of the random oracle. And it also follows interestingly that here we had a guess given b talking to h in this bound and since it's symmetric it's obviously also true with b talking to g but those bounds are not actually the same. It could be that in one case the adversary finds a thing and then he keeps querying it over and over and over again. So if you guess a random query to look at then you're always gonna get yes on the one side and on the other side he doesn't query it over and over again. But here the finding probability is actually the same on both sides. So the main lemma that we have on this that slide was just the description. So the main lemma is that if you have these two sets then the bound now has d or rather d plus one inside the square root. So before it was 2d square root of p guess now it's 2 square root of d plus one p find. And you can actually, this is not in the paper but it's not difficult to tighten this d plus one to a d in here but not here. This one is still d plus one actually. Also the difference between a h and a h punctured is bounded by this smaller term as our a h punctured and not find, a g punctured, a g punctured and not find. Some fairly large number of things that really only differ in the case where you found an element of s. And so what this is saying, so up leveling a minute from the equations, what this is saying is that measuring whether the adversaries queries are in this set will disturb the adversaries state. That's unavoidable because that's the observer effect in quantum mechanics. But it only will disturb the adversaries state by an amount that's proportional to the chance that he actually was querying an element of this set. And therefore proportional to, or the square root of that actually, but proportional to the square root of the chance that he was querying an element of the set. And therefore proportional to the square root of the chance that you got the answer that you were looking for. If the adversary is not very good at finding elements of this set and querying them then measuring the queries or measuring whether they're in the set doesn't change it very much. So I don't wanna go into the proofs of these theorems. They're not terribly difficult, but the basic ideas that they are based on the sort of geometry of quantum states that quantum states are like unit vectors in this high dimensional complex vector space. But basically you can think of them as just being like vectors, right? And so the idea is that you can bound the probabilities of differences in probabilities of final measurements having some distinguishing probability or whatever based on the distance between those quantum states in a Euclidean measurement. So it's well known if you do quantum computation that this thing is bounded by something called the trace distance. In fact, that's basically the definition of the trace distance. And both that and this difference of square roots are bounded by another quantity called the Bohr's distance which is more complicated but is roughly the expected Euclidean distance between the two states or at least is bounded by that. So that means that if you can prove something in geometry about how far apart these states are or how far apart they can be for a given value of probability of find or probability of guess, then you will get these bounds on the distinguishing probabilities. So a final question that is actually pretty interesting to me but is an important detail in these proofs on using semi-classical oracles is what is the finding probability, right? So if you have a classical oracle, takes classical input, gives classical output and you have a criterion that holds with probability epsilon everywhere, then and the adversary has no other information about where to find it, then the finding probability is necessarily less than q epsilon, less than the number of queries he makes times the probability that any one of them succeeds. But if the oracle gives quantum output, then it could be up to q squared epsilon or I guess dq epsilon as we'll see later. But that's because of Grover's algorithm, right? Grover's algorithm lets you get a quadratic or almost quadratic speed up on searching for some rare property in an unstructured function. But in this case, you have a situation where the adversary makes a quantum query and he gets a classical output, right? Is this in the set or not? And so it's not clear intuitively whether this is more like the classical case or more like the quantum case. It turns out to be more like the classical case. So it turns out that this can speed up over the classical case by a factor of asymptotically exactly four. So there's some algorithm that will search at least in some cases of unstructured function for a value satisfying a predicate with a semi-classical oracle for it that's four times faster than the classical case but not more than that. So a result of this is that actually the fully quantum case of one way to hiding can be factored into this search theorem plus the semi-classical case with a loss of about two in the bound but it's interesting to note that asymptotically at least it follows from the other two theorems in the paper. So as a summary of these various one way to hiding methods, like imagine you're trying to distinguish, the adversary is trying to distinguish two oracles, he does it with probability delta and the simulator is trying to extract a value of the set where they differ and does it with probability epsilon then we have these various bounds. So in the classic case, if you can recognize it then you get deltas less than epsilon and if you can't, you get deltas less than q epsilon. In the quantum case, we've improved Unruh's bound from two q-rad epsilon to something like two-rad dq epsilon but I guess we'll get to that in a minute. But the difference is that, the bigger difference is that instead of having to be uniformly random oracles that differ in one uniformly random place, now they can be arbitrary oracles, possibly jointly distributed in some complicated way that differ in some arbitrary set of places. So we've removed a lot of restrictions on that. Additionally, if the simulator can recognize the set that you're looking for, then it improves to d plus one inside the square root. And then, as an interesting corollary, this was proved after this work but it's based on Gendry's talk. You can use this oracle recording technique to, if the simulator can simulate both of the oracles, like for example, if they differ only at the preimage of some function and the simulator knows the function but they don't know, and they know the difference but they don't know the preimage, then you can get a bound that doesn't depend on the number of queries the adversary makes. So that's kind of nice but they have to, there's still a restriction on that. They have to differ in only one place. So finally, time check. Okay, let's get to a couple of applications. I guess I probably won't get to all of them with four minutes of these techniques. So the simple one is let's reprove bounds on Grover's algorithm. So suppose that you have a function that you're searching for, it's got some property with probability epsilon at every point and let's compare this to a function that doesn't have that property anywhere. So h is zero everywhere. So these differ at the set S, which is exactly where, you know, g of x is one and the adversary wants to output an element of that set or just to simplify the analysis, you might say that you want that if you take the adversary and then you run g afterwards, which you could call a sub one of g, then you get one. And so the one way to hiding theorem tells us that the square root of the probability that that happens minus the probability that happens for h is bounded by the guessing probability. But in fact, it can't happen for h because h is zero everywhere. It doesn't have that property anywhere. And also h has no information about this set because it's zero everywhere. So the guessing probability is at most like the number of queries, although we added a query here and a depth. The number of queries over the depth, because that's the average number of queries the adversary is making every round. And so when you plug that into this equation above and remove the square roots, then you get the probability that you find an element with this property in the sparse random function is at most four d plus one q plus one epsilon. So in other words, and I think this was well known before, but it's bounded by the depth of the adversary's computation times the number of queries he can make, not just by the number of queries squared, for example. So it doesn't parallelize very well. Another simple application, maybe I'll skim over this, is that if you have a function fk of x, which is h of k comma x, where h is a random oracle, then this is a pseudo random function. So this is fairly obvious in the classical world. And in the quantum world, indeed you can get the PRF advantage is sort of less than this bound. And this bound is also very similar to the cost of a Grover attack on the seed of the pseudo random function or the key of the pseudo random function. So it's about what you would expect. And this comes just sort of straight from the one way to hiding lemma. So then I wanna mention also briefly the Fujisaki Okamoto proof, which is slightly more involved. But the basic idea is, so suppose that you have an in-CPA secure public key encryption algorithm that's randomized. So it takes an input of coins and you wanna de-randomize it because you need to use it in Fujisaki Okamoto or whatever. And so you'll set the coins equal to the hash of the message. And since it's in-CPA secure, it's hard if you have two messages and a challenge that's the encryption of one of them with some unknown coins to figure out which one of these messages it is. And so the proof technique is that you have your hash H and you can also define a hash G that is a variant of H that actually returns those coins, but you don't know what they are when the adversary queries the right message. So you can't simulate this oracle. But you do know where it differs from the oracle H. It differs at like at most M0 and M1. Actually only one of those, but you don't know which one. And so if you plug this into the semi-classical one-way to hiding lemma, you get that the one-way advantage or the square root of it minus the chance that it returns M and doesn't find in a punctured version, which you can arrange to be zero, is bounded by this finding probability, which expands out to the one-way advantage is less than D plus two times the finding probability. And this is the probability that the sort of find thing either measures M0 or it measures M1. And so this is a distinguisher on the classical, I mean, there's a quantum computer, but it returns a classical result, a distinguisher on this NCPA secure encryption system because it returns either M0 or M1, but the adversary doesn't actually have any information about the one that wasn't the encryption that you got. And so that means that by the search theorem, there's a small chance that he finds it. And the chance that he finds the other one is bounded by that plus the end advantage because it's a distinguisher against the randomized encryption scheme. And so in sum, he has this limited advantage that's like D plus two times the end advantage, so that's not good, that's hopefully not tight, but we don't know. Plus this term, which is actually just a grover attack on the message, which is what you would expect times two or something. So anyway, so this is a useful technique. It's been used already in a few papers doing mostly Fujisaki Okamoto kind of stuff. And I hope that we can sort of simplify it further and like synthesize this with the other techniques that we have, like recording oracle queries so that they can be sort of more accessible and easier to use. So that's all. We don't have time for questions, but Mike will be around. Bye, guys.