 Okay, thanks. So can everyone hear me? Okay? Okay, good. Okay, so, right, so I'm gonna talk about some symmetric key crypto based on hidden shifts, and this is joint work with Alex Russell. Okay, so in a typical post-quantum crypto scenario, we're a classical user with a classical crypto system, with some classical functionality, and we're faced off against an adversary who has a quantum computer back at the lab. Okay? In a more sort of far off distant future setting, we might also imagine a scenario in which we are a quantum, and our crypto system is quantum, and the functionality we want is quantum, and sort of everything all around is quantum. But also in the past few years, people have started thinking about a sort of intermediate model in which the quantum adversary has somehow managed to creep a little bit closer to us, and now in addition to having a quantum computer back at the lab, the adversary can also somehow quantumly interface with our classical crypto system. Okay, so this is the model in that I want to talk about today. Okay, so, right, so before I can explain what it even means to have sort of quantum access to a classical crypto system, let me talk a little bit about how to execute classical functions on a quantum computer, and of course we better be able to do this because, you know, quantum computers are a generalization of classical ones. Okay, so how do we implement some function f? Well, basically we can turn it first into a reversible function, let's say by keeping the input around, and then computing the function, you know, just by X soaring it into another register. And then we can just sort of observe that this is now a unitary operator, and this is sort of suitable for running on a quantum computer. So in particular, if you have any circuit for your function f, any classical circuit for your function f, whether reversible or not reversible or whatever, there are sort of standards, ways of transforming it into a reversible circuit efficiently, and then this circuit is kind of a special case of a quantum circuit, and we can run it on our quantum hardware. Okay, of course now that we have it running on our quantum computer, we don't have to, we're not restricted to just plugging in boring classical inputs like pairs x y, we can actually prepare more complicated quantum states, which are super positions with perhaps very complex amplitudes, complicated amplitudes, certainly complex, over different pairs x and y, and then if we plug that kind of complicated state into an oracle, then we'll get the corresponding superposition of input output pairs of the function. So for example, one natural thing you might want to try is prepare a uniform superposition over the input register, and then plug that into the oracle, and the outcome will be the state, which is a uniform superposition of input output pairs of the function, and once you have that kind of state prepared using the oracle, you could try different things, you could, let's say for example, you could measure this state, unfortunately that's not so useful because in that case you will just get a random input output pair and you can do that classically, but as it turns out, if you run some interesting quantum circuit like let's say the quantum Fourier transform, whatever that is, and then you measure, then we know that in fact for some functions we can actually compute certain things that we cannot do with classical axis. So that's the basic setup for functions. Now what does this mean, or what could this mean for cryptography? Well recall that in chosen plaintext attacks we have some kind of protocol that involves an encryption scheme, and somewhere in that protocol there's an adversary doing whatever it does, and now a natural question is what happens to the security of the protocol if we grant this adversary oracle access to the encryption function. So if this is a classical oracle or a classical adversary, then it's clear what this means. The adversary just picks a plaintext x and then gets back the corresponding ciphertext, but now if a is a quantum adversary, then we can ask, does it make sense if this adversary actually gets quantum oracle access to the oracle? So what happens if these arrows, if you like, become quantum? Well then it's reasonable to argue that a should get kind of the same access that it would get with any implementation of the function f. So perhaps a now gets the quantum oracle where it can compute this encryption function into a second register reversibly. So that's exactly the model that I want to talk about. And of course one thing we should notice is that we can now do the same thing we did on the previous slide. We can run this thing on non-classical inputs. So for example we could plug in the uniform superposition and get back the uniform superposition of input output pairs or plaintext ciphertext pairs. And then perhaps we can run some interesting quantum circuit on it and measure and get out something that we couldn't using just classical access. So does this model make sense? Is it realistic? So that depends on your view. I think in some settings it makes perfect sense. Certainly in any setting in which the adversary gets access to code that code can always be transformed to a reversible circuit and then run on your quantum hardware. And so certainly in the case of public encryption or hash functions or when you're exposing code via obfuscation, this is definitely a model that you need to be thinking about. In other setting maybe this depends on the model that you're interested in or somehow the physics or even the engineering of the particular device. So for example, maybe in private encryption, your encryption scheme will run on some very small smart card and you're worried that some clever adversary will be able to take it back to their lab and put it into their dilution refrigerator and run it coherently. But in any case, I'd like to convince you that the model is certainly a theoretical interest. And so let me talk about that in the next couple of slides. So first of all, is anything secure at all in this model? Is it a trivial model? So yes, things are secure because we still have pseudo randomness. So Jean-Dry showed that in fact the same sort of GGM construction for pseudo random functions, but with a more complicated proof happens to be quantum oracle secure. So even if the adversary gets to plug in superpositions of inputs into the PRF and get back the corresponding superposition of outputs, still it looks like a random function. Of course, you have to start from a quantum one way function to build up this. And this yields sort of authentication and encryption that secure in this model using sort of the standard constructions that we use from PRFs. So just the standard PRF Mac and the standard encryption scheme, symmetric key encryption scheme from PRFs just works. Okay, so then you might say, well, maybe everything is okay, maybe classical access against quantum adversaries is the same as quantum access against quantum adversaries. That turns out not to be the case somewhat dramatically. So let's look at this simplest block cipher, which is a variant of Evan Mansour with a single key. So here, we have a public random permutation P. And to turn it into a sort of a private permutation, we select a uniformly random key. And then we encrypt by extorting the key into the plain text applying the permutation and then extorting in the key again. Okay. So this is this is a strongly pseudo random permutation. Classically, you know, and you can't decrypt, you can't forge and so on and so forth. So this is sort of a good block cipher. So what happens quantumly? So quantumly, it turns out that there's an attack in the quantum oracle model. So how does this attack work? Well, it's pretty simple. It says, you know, given that you have oracle access to P and oracle access to E, you should just form the XOR of these two things, and then run something called Simon's algorithm. Okay. So what is Simon's algorithm if you haven't seen it? So Simon's algorithm is a very simple predecessor to shore, to shore's algorithm. In fact, it's kind of one of the ideas that motivated shore to think about whether factoring is possible on a quantum computer. And here's the problem that it solves. You have oracle access to some function. And you're promised that there's some secret K so that if two inputs differ by K, then they're mapped to the same value. And if they don't, they're mapped to a different value. Okay, so this is Simon's promise. And Simon's algorithm outputs K with a linear number of queries. And it's an extremely simple algorithm. It basically just computes this function in the Fourier basis using the quantum Fourier transform. But in this case, the quantum Fourier transform is extremely simple. It's just a depth one circuit, you know, of single qubit Hadamard gates. Okay, so it's an extremely simple algorithm, one of the simplest examples of quantum algorithms. So, why does this work? Well, you can simply just check that, you know, the XOR of these two things has exactly this Simon's property up to a little bit of error, which is no problem because we're doing sort of this global Fourier computation that doesn't care about little disturbances. And in fact, we know that this attack will actually now output K. Okay, so this is a devastating attack in this model at least. It gives completely key recovery with only a linear number of queries space and time. So, this was observed by Koukata and Mori. They also showed that, in fact, Simon's algorithm can be used to distinguish the three-round Feistel cipher from random. And then last year, there was a nice crypto paper and another paper which showed that, in fact, Simon's algorithm can be used to break a whole host of other things, including encrypted CBC Mac, these tweakable ciphers, and lots of other stuff. Okay, so, right, so this Simon attack breaks quite a few things. So, what's really happening underneath? So, if you view these attacks in a certain way, and they're all kind of a little bit different, but from a certain point of view, they all build, first, a pair of shifted functions f and g. In the Evan-Mensor case, you know, these functions are just given to you, and the shift is just the key. In other cases, maybe you have to work a little bit to build these functions, and then the thing that you get from the shift is sort of a yes-or-no answer, like, is it pseudo-random or is it random. But the basic story looks like this, and then you just apply Simon's algorithm to the XOR of these two functions. Okay, so, if you've sort of thought about quantum algorithms before, you'll probably notice this, this shifted problem here. This is exactly the hidden shift problem that the quantum algorithms community has been studying since, basically, since Schor's algorithm. So, in the general case, it's stated like this, you have some finite group g, and you have oracle access to two injective functions, and a promise that there's a shift, you know, their shifts of each other, and the goal is to output that shift. Okay, so here's a couple of sort of random, random looking functions, their shifts, actually. So, what do we know about this hidden shift problem after, you know, 20-some years of thinking about it? So, we know that it requires exponentially many queries classically, okay, and here the right sort of complexity parameter is log the size of the group, and we know that it's efficiently solvable for Z mod two to the n by the algorithm that I just told you about, Simon. However, for most other groups, this problem appears to be hard, okay? So, on cyclic groups, the best-known algorithm takes time two to the root n, this is the Kuperberg sieve, and this is still the best known algorithm, and it's certainly not for lack of trying, because we know from a result of Regev 2002 that if we could make basically our only idea for this problem work, this is called coset sampling, then we would put unique SVP into quantum polynomial time. Okay, and when I say this is our only idea, I really mean this is our only idea. Like, there are no other strategies that have made any progress whatsoever. In some group families, this coset sampling thing makes quite a bit of progress, and it's sort of a generalization, a natural generalization of what happens in Schor's algorithm, but besides that we have no other ideas. Okay, and then you can go to more complicated groups, like symmetric groups, and where there we really have have no idea what to do, we don't have any even sub-exponential time algorithms, and we have quite a few negative results saying that, you know, this coset sampling strategy is probably not going to go anywhere. Okay, so this suggests sort of a natural fix for this problem with all these Simon attacks, which is to select some exponentially large group like cyclic groups or dihedral groups or matrix groups, your favorite group family, and to replace the input-output spaces in all of these different schemes with G, and replace the bitwise XOR operation with the group operation on G, and see if you can get away from this sort of special feature that Z mod 2 to the N has kind of in the quantum world. Okay, so of course you should do a sanity check first to make sure this doesn't affect classical access security, and that all is fine. So what happens, so I should say I mean certainly people have thought quite a bit in the past about block ciphers on other domains, so in a sense this is not kind of a new idea, but let's see what happens. So for Evan Mansour we now need a public permutation on G, and we select a uniformly random element of the group as our key, and then we do the natural thing. We compose the plaintext with the key, apply the permutation, and then compose with the key again. For Feistel networks you can do the same thing, you need some pseudo random functions on the group. The keys themselves can just be whatever the keys are for the PRF, and then you just run the usual Feistel ladder construction replacing a bitwise XOR with the group operation, just the natural thing. And this, you know, we can go on to all of these other schemes, but okay let's maybe at least say the encrypted CBC Mac. For that you need a pseudo random permutation on G, and you need the messages to be encoded somehow as powers in powers of the group, okay, and then you decompose them and do the standard construction to get the tag out. Okay, okay so I guess the real question is, is this fix a good idea? Should we do this? So when thinking about this problem, as it turns out, we we observed some interesting new things about the hidden shift problem that somehow had not been noticed before. And so let me try to first convince you that the hidden shift problem seems to be a good crypto primitive. So first of all it's random self-reducible, so a little more carefully what do I mean by that? We mean that if you take a randomized version of the hidden shift problem where one function is random and the other one is a shift, then in fact you can prove kind of an amplification theorem that says that as soon as you give me a quantum algorithm that solves this problem for an inverse polynomial fraction, a non-negligible fraction of inputs, then in fact I can solve it everywhere. And this is relatively straightforward to do, basically using Gendry's Quantum Secure PRFs and some simple tricks for you know randomizing the shift and randomizing functions around, and then doing some sampling and checking to see if the answer is correct, we can amplify this all the way to you know one minus negligible success. Okay, the other reason to think that it's a good crypto primitive is that in most cases the decision and search version turns out to be equivalent, as we were also able to show this. So the proof idea, okay in one direction it's obvious in the other direction you have to work a little more. So basically you know we need some additional condition on the group, we need that it has this efficient subgroup series, but this is true for most groups of interest. And then basically we can do sort of an iterative or recursive rather algorithm that descends down the subgroup tower, and you know it has to do a little work, it has to work through the transversal, adjusting these shifts as it goes, and calling the decisional algorithm kind of on each transversal element and on each level of the tower, and then eventually you can build the entire shift. Right, so I should have said what I mean by the decisional version of the problem, I just mean that you decide between these two cases. So I give you two functions and I promise either both of them are random or one is random and the other is a shift. Right, so the other reason to think that this is a generic fit, that this fixes a good idea is that at least sort of on the face of it, it seems to frustrate all of these attacks. Okay, so if you just try to run the same attack on these sort of hidden shift versions of these constructions, then it really seems like you end up with needing a subroutine that solves the hidden shift problem, and you know by our theorems and some previous results this seems pretty unlikely. Okay, so this would yield worst-case algorithms for hidden shift and the hidden subgroup problem. You know, as I said over the cyclic groups, if it follows the only idea we know, it would lead to attacks on lattice crypto. Over the symmetric group it would give us polynomial time quantum algorithms for graph isomorphism and also some attacks on meccalese. So this seems unlikely. And so finally, we were also able to show the following, we were able to give some security reductions. So we start with the following assumption. We start with the assumption that there does not exist a polynomial time quantum algorithm for the hidden shift problem, a worst-case algorithm, and then we were able to show that, first of all, that the hidden shift evanements or cipher is pseudo-random and that the hidden shift encrypted CBC MAC is collision free. Okay, so there's quite a few other schemes that I have not mentioned in terms of security reductions. I think in many of those cases, so for example, I think for LRW two-couple ciphers, sort of a simple adaptation of this theorem would also give you a security reduction. In that case, for all the other things, I think it's mostly a matter of trying and working harder to get those reductions. I think it's likely that they exist. Okay, so let me summarize by saying the following. So right, so by these amazing results from last year and the past few years we know that in this quantum oracle security model, many standard schemes are broken. However, there seems to be a pretty easy kind of generic patch, which is to replace the bitwise XOR operation with, let's say, modular addition, so that at least gets you to to where the best known quantum attacks are sub-exponential time, or you could pick your favorite group operation and in general, then we really don't know what to do quantumly. And we observe that the quantum resistance of these sort of of these adaptive schemes is now connected to the hidden shift in hidden subgroup problems, which is kind of a nice new observation that allowed us to prove some new things about these problems that somehow had not been noticed by the quantum algorithms community in the past. As far as what's next, I mean, I think obviously we should we should try hard to break more things in this model. I think it would be nice to think about whether hidden shift or hidden subgroup can serve as a basis for other quantum secure cryptography, maybe even public key constructions. And in general, I think there's some nice work to be done in understanding exactly what the right security notions should be for encryption and authentication and signatures in this in this quantum oracle model. There's been some work on this already, but I think there's still quite a bit to do. Okay, so thanks. Any questions? Could you comment on the relation between the security of the hidden shift and Mechilis? The security that we achieved in Mechilis? No, the fact that if you can break the hidden shift for a certain group, then you break the security of Mechilis. My question is in which sense? Yeah, so there's this paper by Dinmore and Russell from a few years ago where they noticed that you can think about Mechilis in this sort of in the known code adversary scenario as sort of a hidden shift in a certain group. It's like the symmetric group product with a certain general linear group where these are like the two matrices on either side of your code. And then they can show that, well right, I mean then in that model if you had a solution to the hidden shift problem over that group then you could attack the scheme. So they showed that in fact you would also need some more advanced algorithmic techniques to do this, but you know if you had a general polynomial time hidden shift algorithm for that group family, so like I said I think it's a symmetric group product with gln fq, then you would be able to break it, break this. I don't think, I mean I think this known code model is not exactly what happens in reality. I'm not an expert on Mechilis but you know