 We'll proceed with the presentation of the post-quantum security of the Ewen Mansour Seifer by Gordon Allagic, chained by Jonathan Katz and Christian Majens, and please, the floor is yours. Thank you very much for the introduction. Yeah, so this will nicely connect to the previous talk because we are going to look at a very similar setting except from the viewpoint of provable security. I want to give a shout out to my co-author, who would have liked to give the talk, but couldn't come here because of visa issues. Here's an outline of my talk. I will start with some motivation. I mean, I'm in the lucky position that a lot of motivation was already covered by the previous talk and by Maria's talk in the morning, but still I want to add some a little bit of perspective from the provable security side. Then I will introduce some concepts and present our results and in the end, hopefully time permitting, I will also talk about our techniques. Let's start with the motivation. There was already a lot of surveys of quantum attacks against cryptographic systems. However, I want to give another overview because we need to kind of talk about them to compare the different models, especially the Q1 and the Q2 model. First of all, of course, we have post-quantum attacks or Q1 attacks where the most prominent family is, I guess, based on short algorithm against RSA and discrete log, and these are complete breaks of the systems. Also, against symmetric key cryptography, there's Grover's algorithm-based attacks and similar. These are generic attacks against block ciphers and hash functions, for example, but also quantum-aided differential and linear cryptanalysis, for example. These are not complete breaks, as we have seen in the previous talk and in Maria's talk, but they degrade the security compared to classical attacks. Questions, of course, by how much? Finally, there's this additional Q2 family of attacks based on Simon's algorithm, for example, and these are, for example, attacks against even when sewer and block cyber modes of operation, and these are also complete breaks. However, in this strong model, right? And as I will argue later, at least from the provable security perspective, this is, you know, it's very strong. It's maybe too strong, maybe not something that's really necessary to achieve. Now, the main motivation for this work is basically this arrow, which, for example, has materialized with the offline Simon's algorithm. So the worry is, there could be ideas in these Q2 model attacks that can be ported to the Q1 model, and then you get attacks that maybe are better than a plain Grover search attack and have speedups that are larger than Grover search, as you have just seen. So in summary, for symmetric key crypto, of course, quantum attacks are far less of a concern than for public key crypto, but still, where possible, we should definitely prove post quantum security to achieve certainty, to achieve a higher confidence in our crypto systems. Okay, so this was the motivation. So now let me introduce the necessary concepts. And we will immediately return to basically the question of what post quantum security actually is, especially from a provable security perspective. So I mean, the naive idea is just, you know, it should be security against quantum attacks. But what are realistic quantum attacks? And there are these two competing models, right, the Q1 model and the Q2 model. So let's try to be a bit more formal about exactly that means. First of all, what's common to the two models is obviously that quantum computation is allowed for the adversary. That's kind of the defining property. One implication that this has is that if we look at an idealized model, like for example, as in the previous talk with the ideal permutation, then we need to allow quantum access to the oracles that represent public cryptographic algorithms. And this is, for example, in the ideal permutation model or in the random oracle model. These oracles represent really an algorithm that you can look up on the Wikipedia or whatever and implement on your quantum computer. So this needs to, the quantum queries need to be allowed in these oracles. Now they start to differ. And that's basically because of two different approaches in the Q2 model, the approach is okay. How strong of a security model can we imagine? Of course, the strongest thing is to allow quantum access to everything where we still have non-trivial security possible. And this, for example, includes quantum access to online primitives. So for example, we would then allow quantum chosen plain text attacks and quantum chosen ciphertext attacks, quantum chosen message attacks, etc. However, in the Q1 model, we restrict to classical access of these online primitives. And the reason why this makes sense is basically that our main concern is that our devices that we use today, I mean, this one, it uses crypto. And I'm pretty sure it doesn't do quantum computation. So because these online primitives or these online queries model computations performed by the honest parties with the crypto system, it's reasonable to restrict to classical queries only. So in summary, from a provable security perspective, Q2 is somewhat unrealistic and Q1 should be sufficient. One interesting challenge in the setting where there's an idealized primitive in the Q1 model is that there's a mix of classical and quantum oracles because online primitives, offline primitives are quantum and online primitives are classical. This will feature in the evanement sewer setting. Now, I almost can skip the slide because evanement sewer was introduced a couple of times already, but maybe somebody is here that wasn't to the other talk. So let me introduce it one more time. The evanement sewer cipher is an extremely simple cipher that uses cryptographic permutation that is modeled as an ideal uniformly random permutation p from n bits to n bits. And this is public and the cipher is constructed by XORing the key into the message, then applying the permutation and then XORing here the same key, but one can also use a fresh key one more time. In some sense, this is the minimal construction of a block cipher. I mean, there's literally only three operations if we view this permutation as monolithic. However, despite its simplicity, it has found quite some applications. In particular, evanement sewer-like constructions feature in, for example, elephant, which is submitted to the current ongoing NIST lightweight competition. How about security? So as a reminder, the permutation is considered ideal. So an attacker needs to make queries to this permutation, and an attacker is also allowed queries to the cipher. And the right security notion for such a block cipher is that of a pseudo random permutation. So the task of an attacker is to distinguish the cipher from a random permutation. Now let's look at an adversary that makes QE queries to the cipher and QP queries to the permutation. The classical setting is this result that has been known for a long time that the product of the queries to the permutation and the cipher needs to be two to the N, or of the order two to the N, to achieve a constant distinguishing advantage. As we've seen a couple of times already, and as I've mentioned before, in the Q2 model, in this quantum access model, there is a complete break of the cipher. So that's the Simons algorithm-based attack that breaks it using order of N queries. Now the question is in Q1, right? There are attacks known, as we have seen, but there's no currently no or before our work, there was no proof of security in the Q1 model. Okay, so let me move on to presenting our results. And that basically consists of a proof of security for the even mensur cipher in the post quantum setting or in the Q1 model. So let me go through the theorem together with you. So we have two random permutations, P and R, P is the primitive and R is the random permutation that the cipher should be indistinguishable from. And we have the even mensur cipher that's constructed using P. Now any quantum adversary that makes at most QP queries to P quantum queries and QE classical queries to an oracle O can not distinguish the situation where O is equal to the even mensur cipher from the situation where O is equal to the random permutation with an advantage larger than the one that is shown on the slide. This result was already shown by Jaeger, Song and Tesaro last year for adversaries that in advance of their execution declare a list of queries that they will make to the cipher. And our result is for the adaptive setting where the adversary can adaptively to switch inputs to query to the cipher. The bound looks a bit weird in particular because of the sum, right? But it turns out that in a very natural setting where the number of online queries is much smaller than the number of offline queries, it is actually tight in the sense that it tightly characterizes the query complexity of breaking even mensur. And that's because of it matches the BHT and offline Simon's algorithm. Okay, so this was the result. Now there's I guess plenty of time left to talk a bit about our techniques and also a bit about our technical results, which might come in handy in the future as well. First, let me talk a bit about the general approach. So in the classical setting, security proofs for even mensur like ciphers usually use what I would call global techniques. So for example, a popular approach is basically to define some bad events that could happen in terms of the query transcript of an adversary. And now basically prove that these bad events only happen with a small probability. Another technique is the so-called edge coefficient technique. And it also kind of uses, let's say, non-local information about the query. So information that joins information from several queries together to reach the result. And these things are unfortunately not something one can do in the quantum setting because if you have quantum queries, you cannot compile in general query transcript. So one solution to this conundrum that was recently proposed is Jean-Dries' compressed oracle technique that allows for, in some sense, it allows to compile a query transcript, but it only works for random functions, at least currently it is not known how to do it for any other family, interesting family of functions. So because of that, we kind of had to resort to something more primitive in some sense, which is a hybrid argument. So there you just gradually change the real setting to the ideal setting and hope that the distinguishability of adjacent hybrids is not too large. Let me try to explain how we apply the hybrid argument here. So first of all, we split up the adversary into Qe plus 1 stages, one before the first query to the classical oracle, which could be the cipher or the random permutation. This is the task to distinguish the two. Then one between the first and the second, one between the second and the third, et cetera, up to one extra stage after the last query to the classical oracle. So here I want to note that each stage can make an arbitrary number of queries to the quantum oracle for P, except that the total number of queries is bounded by some number QP. So basically the adversary can adaptively choose how to distribute the quantum queries between the different stages. Now the naive idea would be, of course, to replace the instances of the cipher by random permutation one by one. So we start by replacing the first call with the random permutation, then the second, et cetera. However, there's a subtle issue with consistency of the oracles that come up. And I want to explain that in the next slide. But first of all, let me already present the solution. And it's a bit, let's say, naive sounding, but it works. It's basically to postpone the problem until it goes away. Sounds magical, but it works. So here is a little bit more detail. These are our hybrids. So indeed, the IS hybrid has the first I calls to the classical oracle be answered with the random permutation R. And afterwards we switch to answering with the Evans-Mansour construction EK. However, in addition, we need to modify the permutation a little bit from that point on where we switch to the Evans-Mansour cipher. The reason why we need to modify this is the following. So imagine that you have an adversary that just breaks the cipher completely and recovers the key. Then one thing one can do is first make a couple of random queries, then run this attack to recover the key, and then check whether the first couple of queries were actually answered by the Evans-Mansour cipher. So that I can now do a posteriori because I have recovered the key. And this is, of course, unfortunate because, I mean, of course, we don't think that it's possible to recover the key with a limited amount of queries, but we don't want to use the result that we are trying to prove to show that basically the adversary cannot notice the switch from the random permutation to the cipher. Therefore, we make these modifications to create permutation p tilde that slightly differs from p. Now, the problem is, of course, that p tilde gets messed up more and more as I grow. So we replace more and more queries, p tilde gets messed up. But if you look very closely, there are also fewer and fewer calls to p tilde. And in the end, it's gone. So there's nothing to worry about. So on a technical level, there's two steps in each transition from one hybrid to the next. And the first one is to replace the cipher by a random permutation and to repair this permutation p tilde at the same time. And the second step is to replace one call to p tilde by a call to p, right? Because we only want to use p tilde after the first call to ek. And these two steps translate into two technical lemmas. The first one is one we call a resampling lemma for random permutations. And the second one is a reprogramming lemma in terms of the expected number of quantum queries. Let me quickly tell you what these are. So the resampling lemma is a permutation version of what we used to call the adaptive reprogramming lemma in a work by Alex Bril, Kathrin Höfelmans, Andreas Hülsing and myself. And this is basically a game where an adversary needs to detect whether the permutation has been modified, but in a way that's consistent with the distribution of a random permutation. And I don't think I have time to describe the game in detail, but we can show that this kind of change in the permutation can only be detected with a small advantage. The second technical lemma is an expected number of queries version of the so-called blinding lemma that we introduced in earlier work with Gorin Allagit, Alex Russell and Fang Tsang. And there basically the adversary can decide everything except that some reprogramming happens that's randomized and the adversary needs to find out whether it happened or not. And the important part here is that we get about in the terms of the expected number of queries because if you remember each stage of the adversary could make an arbitrary number of queries except that it was bounded by the total number of queries and the sum was bounded. So somehow this expected number of queries avoids us to get another loss in terms of the number of classical queries. So I don't think I have time to talk about reprogramming in detail, but here really the adversary supplies a function, then it's reprogrammed or not, and the adversary has to detect. And this game has the typical advantage that you would expect in a setting where a Grover search is possible. Okay, so I think it's time to summarize. So we have proved the post quantum security of the even man sewer cipher. And this is in this Q1 model that is should be sufficient for security of classical cryptographic algorithms. And I mentioned applications of even man sewer like constructions. The reason why I didn't go into detail is because these applications, at least for example, the applications to elephant and also the ISO standardized Mac chaskey, they actually use generalized versions of the even man sewer construction. Also this work by Jaeger et al that proved the non adaptive setting, they can actually prove security of the FX construction that you have seen in the previous talk as well. And for this we have them follow up work by the same set of authors plus Patrick stroke. And I guess this will be on e print soon. I hope. Finally, I want to slip in a shameless piece of advertisement. So I expect to be able to open a PhD's position and fall in beautiful Copenhagen. So if you know anybody, please ask them to apply. Thank you very much. Thank you very much for ending with the see you on e print soon. Line questions. Go on. Yes. Yes, use the microphone. Otherwise, we won't hear you. You shout the microphone is here. It's a very short question. I was just curious about the probability of distinguishing advantage in in the adaptive setting that you guys showed versus the non adaptive work. Was it the same or was there a game? So it's definitely the same up to the constant. And the constant is almost the same. I don't remember exactly, but I think the constant is within the effect of two of each other. So it's really the same amount, which is surprising in some sense, because their technique is completely different. Returning my question from just just to keep your life here. Returning to the quantum models q one q two. How likely is it for a hardware designer to understand whether they are probed classically, whether that hardware itself is probed classically or quantumly? Is there a chance to detect this in some in a certain way? Because the difference between the models where you can query where the quantum signal or with a classical signal, right? Right. And yeah, I mean, that's that's this kind of almost a meme. There's this this idea of the frozen smart card where you can kind of force it to behave like a quantum device. I don't think it's personally, I don't think it's very realistic. In particular, if I have my phone in my pocket, it's very warm for quantum standards. And so I'm pretty confident that it doesn't do quantum computation. I think if you can achieve q two security without a lot of extra cost, you should definitely go for it because what's the loss, right? And and then you don't be used to kind of, you know, you can forget about that worry. Definitely agree. On the other hand, we saw yesterday morning that they don't attack your smart card and while it's in your pocket, they have a lot. We have a lot taken out. And it's that's where security is will be tested to real adversaries. That's that's true. But still, I think the main picture that I at least have in my mind is basically a lab where somebody tries to take a cheap classical device and try to force it to behave it behave quantumly versus the insane engineering feeds that people try to go through to try and create an actual quantum computer. So somehow this gives me a lot of confidence that there's no accidental quantum computation. So thank you. Hey, thanks for the nice talk. I was just curious, have you thought about how the best attacks would change if you could pre process the permutation in Evan Montour. So say the attacker looks at the entire permutation advanced store some advice and then and then the attack is as Q1 here. Right, that's a very interesting question. So that basically this class of models that's called auxiliary input or a random model. And in this case, it would be auxiliary entered random permutation model, right? I don't know how it changes. And one thing that I can say is that as far as I know, the results that are known for auxiliary input models, they're quite complicated to prove. And in particular, some of them use a genre's compressed Oracle technique. And this of course poses a challenge in the setting with a random permutation. Awesome. Thanks. Thank you again.