So, good afternoon, everyone. My name is Christian Cachin. I am chairing this session on quantum and post-quantum. It must have been an unlikely outcome of the quantum algorithm that assigned me to this session, because I will learn a lot of new things. The first talk is about beyond quadratic speed-ups in quantum attacks on symmetric schemes, by Xavier Bonnetain, André Schrottenloher and Ferdinand Sibleyras. Xavier is going to give the talk, please. Thanks for the introduction. First of all, I will give a bit of context by presenting a very quick view on quantum attacks in cryptography. We can separate what is mostly three big families. The first one is bad news, where we have quantum polynomial attacks on classically secure schemes. The two most notorious examples are of course RSA or discrete logarithm, but as Maria presented this morning, this is also the case for some symmetric schemes in the Q2 model, that is, with quantum queries, not classical. We also have an annoying case where we have some super-polynomial gain with a quantum algorithm compared to classical. So here quantum computing is annoying, but it does not prevent doing cryptography. This is in particular the case for some isogeny-based schemes. And in the other case, the most common case we can see, we have a speed-up which is at most quadratic. So this includes pretty much everything else, including up to now symmetric schemes if we are restricted to classical queries. And in this case we can experimentally see that most of the proposed attacks are quantum improvements of classical attacks. So now I will zoom a bit more on this category, and I will focus more precisely on the case of symmetric schemes and of block ciphers. So we know that, thanks to Grover search, exhaustive search has a quadratic speed-up quantumly compared to classical.
And if, when we do a quantum attack, the only thing we do is to accelerate some parts using Grover's algorithm, then the overall speed-up we'll get will be at most quadratic. And this is actually something which can be extremely reassuring, because if we assume that the speed-up we can get with quantum computing is at most quadratic, then if for a given scheme no classical attack beats classical exhaustive search, we can't have any quantum attack that beats quantum exhaustive search. So this is a very simple analysis, but this is something that could occur for example for block ciphers, and we also have something similar that occurs in the NIST competition with some of the quantum security levels. So of course this is a very simple analysis, and in this talk I will present to you the first example of a symmetric construction whose gap between its classical and quantum security is actually greater than quadratic. And now I will begin with a very short disclaimer. Most of the introduction of my work will overlap with Maria's innovative talk of this morning. So if you slept this morning, you have a second chance to catch up on that. So first of all I will present Simon's algorithm and the attack on the Even-Mansour scheme. Then I will dive into the core algorithm for our attack, which is the offline Simon's algorithm. And finally I will present the new stuff. So first of all I introduce to you Simon's algorithm, which is a very early quantum algorithm and a sort of predecessor of Shor's algorithm. It solves what is called Simon's problem. This is a very simple problem where we have a function f on n bits and this function happens to be periodic. That is, there exists a fixed value s such that if you add it to the input, it doesn't change the output, and the aim of the problem is to recover this period. Classically this reduces to collision finding, but quantumly we can do much better thanks to Simon's algorithm.
The main thing to remember about Simon's algorithm is that it requires quantum queries to the periodic function, that is, it needs to be able to compute, given a superposition of inputs to the function, the superposition of the input-output tuples. And from that it can efficiently sample values that are orthogonal to the period, hence it's sufficient to repeat this process a linear number of times and solve a linear system to recover the period. So now, how to apply that in cryptanalysis? I present again the Even-Mansour cipher, which is a very simple block cipher, arguably the simplest block cipher. It is built from a publicly known random permutation P, and to encrypt a message x, what you do is you add a first key k1, you apply the public permutation, you add a second key, and you get your ciphertext. And classically this simple construction is proven: any attack requires a certain amount of time and data such that the product is at least two to the n. Now, quantumly, this is very different. There has been an attack proposed by Kuwakado and Morii in 2012, and it amounts to realizing that if you take the encryption of a message x and add to this the image of the same x through the public permutation, you get a periodic function, and the period of this function will be the first key. Hence, it is possible to recover this key by applying Simon's algorithm, and once you've recovered it, you've essentially broken Even-Mansour. Thus, Simon's algorithm allows breaking the Even-Mansour construction in polynomial time. But now the thing we really need to have in mind is that in order for Simon's algorithm to work, we really crucially need the ability to perform quantum queries, so to compute the superposition of input-output tuples given a superposition of inputs. However, this is not the scenario we tend to see, at least today. In general, what we have today is a large list of classical plaintext-ciphertext pairs, and we have to work with that.
And this is precisely what the offline Simon's algorithm does. So now, to present this algorithm, I will present a slight generalization of the Even-Mansour construction, which is the FX construction. It is the same except that instead of a public permutation P in the middle, we have a block cipher indexed by a secret key k. And classically, we have a very similar time-data tradeoff, which is that any attack must have the time-data product greater than or equal to n plus k. And we can have a look at some attack that matches this tradeoff. There are many variants, but here I present one simple attack, which is that we first gather a large list of encryptions of many messages. Here we XOR the encryptions of two messages with different inputs. This is only to remove the key k2. And once we've done that once, we will try to compute the correct inner key by testing every possible inner key, and for each candidate key, we will compute the encryption of a message x and we will XOR it. And we will find a collision with the other list. And each time we find a collision, this will give us a guess both for the value of the inner key k and the first key k1, because we know that for the correct key, or if we do the correct key guess, and the difference between the input in the first list and the second list is equal to k1, we must have a collision. And once we have a guess, then it's easy to check if it's correct by using only a few more plaintext-ciphertext pairs. Now, how can we attack that quantumly? There has been a very simple idea proposed by Leander and May in 2017, which is that if we know the inner key k, then it degenerates to an Even-Mansour. Hence, we can check whether the inner key is correct or not by trying to apply the previous attack. If it's correct, it's the correct guess. Otherwise, for a wrong guess, it will fail. Thus, we can attack this construction by doing a quantum search, applying Simon's algorithm to check whether the key is correct.
And here the cost will be polynomial, because Simon's algorithm is polynomial, times the cost of the quantum search, so 2 to the k over 2. Now, the remark on the FX construction to go to the offline Simon's algorithm is that what the Grover-meets-Simon algorithm does is to check, for a family of functions, which one is periodic, and to find the periodic function. And here we do not have a random periodic function. It has a very specific structure. It is the sum of a part that is secret, this is the encryption of x, and this part does not depend on the current guess of the function. And we add to this first function something that only depends on values we know, so the input x and the current guess for the value of the inner key. That means that during the attack, what we do each time we do a test is to do one quantum query to the secret function with the exact same input. And then we add some elements to obtain the function we want. Hence, we do exponentially many times the exact same quantum query to the exact same secret function. And this seems to be a bit wasteful. And indeed, we can do better than that if we change a bit the way we do the quantum queries. So first, we assume that we do, before the attack, all the quantum queries to the secret function. And then when we want to do our test of periodicity, what we will do is to get the quantum queries, construct reversibly the function that we want to test for periodicity, test it, and then we revert all the operations to get back the queries, and we'll then be able to use them in the next test, and so on. So in terms of cost compared to the previous attack, it doesn't change the time, because we still have the same quantum search and we still apply Simon's algorithm. But in terms of the number of queries to the secret function, we drastically reduce from an exponential number to only a linear number. And in terms of memory, we're still polynomial. However, a linear number of queries is still not zero.
So we can actually completely get rid of quantum queries. For that, we need the ability to construct the quantum state that corresponds to a quantum query. And this happens to be possible if you know all the classical elements that it contains. That is, if you know the full codebook of the function, then you can manually construct a quantum state that corresponds to the quantum queries. And if we do that, then we obtain an attack whose cost will be two to the n beforehand, because we have to process all the classical queries. And we have a search cost which will be two to the k over two, up to polynomial factors. Now we can actually reduce the data cost of the attack: if we guess part of the period, this will allow us to reduce the number of classical queries at the expense of increasing the size of the search space. So we have a nice trade-off where the setup becomes two to the n minus u and the cost of the search increases to k plus u over two. So here we have the comparative time-data trade-off between classical and quantum attacks, and we can see that we have a nice quadratic speed-up for any fixed amount of data. And we can remark that we have a quadratic speed-up, but we have slightly more than that, because quantumly we are always polynomial in memory, but classically we can't always be polynomial in memory. In some cases we need to have some. So now I will move to the new stuff, which is how can we have larger gaps than that. And for that I need to present the extended FX construction, which is a variant of the 2XOR-cascade constructions that have already been studied in the past. It is the same as the FX construction, except that after it we add a second call to another block cipher whose inner key is the same as the middle block cipher. And this construction has already been studied. So we know its classical security, and as expected it's better than for the FX construction.
We still have the same time-data trade-off as before, but we have an additional constraint, which is that the time can't be lower than k plus n over two. And we can have a look at what this means in terms of attack. A matching attack for this bound is very similar to the FX attack. The idea is that we want to apply the FX attack, but before looking for a collision we first have to remove the second block cipher call. So that means that for all candidate keys that we test, we first have to process all the queries we've done by inverting the second block cipher call, and then we look for a collision. And this means that here, for this attack, contrary to the FX attack, we have to process the queries at least once per key we test. So we can no longer amortize the cost of the number of queries using the fact that we're testing a large number of keys. This is why, when we look at the time-data trade-off, once we reach the birthday bound, we're stuck and we can't do better than that. But now, quantumly, what can we do? We still have something that's very similar to the FX construction, so we want to apply Simon's algorithm. And here we need a periodic function. We can still construct a periodic function. It will be almost the same as before, except that we add the decryption of the second block cipher to obtain the period we need. So in order to be able to apply the offline Simon's algorithm, we need to have some additional properties on this function. That is, we need to be able to have one set of queries done once and for all. And we can still do that here, because we still have the secret part, which is fixed and independent of the key guess z. And we have a part that's purely publicly computable. It's no longer the sum of two functions here. We first need to reversibly transform the quantum query by composing through the decryption of the second block cipher call. And then we add the encryption of the first block cipher call to recover the periodic function.
So with this additional decryption, everything behaves exactly as for the FX attack. And so the cost is actually the same up to some polynomial factors. And so if we have a look at the comparative classical and quantum security for extended FX, what we can see is that as long as the amount of data is below the birthday bound, we're in the same case as for the FX construction: we have a quadratic speedup. But once we go above that, then the quantum attack continues to get better while the classical attack is stuck. Hence in all this area, we have a gap which is greater than quadratic. So the exact gap we reach depends on the amount of data and the relative size of k and n. And the maximum gap that we can reach with this approach is actually 2.5, with the maximum amount of data, which is of size 2 to the n. So now to conclude on this attack, we have studied the extended FX construction, which is a construction that actually does appear in some actual cryptosystems. Some standard MACs can be seen as an instance of that. For these constructions, the gap we have is tight. That is, we have a quantum lower bound with unlimited data, and we match it with our attack. And this also shows that, contrary to the classical case where extended FX actually offered an increase of security compared to the FX construction, quantumly, the second block cipher call is actually useless, because the security is the same. Now, if we have a look at the attack, this attack demonstrates that in symmetric cryptography, we can have classical-quantum speedups that are more than quadratic in the ideal models with classical queries only. For the offline Simon's algorithm, it is not possible to get a gap that's larger than 2.5. And a nice implication of that is that it's often said that in order to apply hidden subgroup algorithms, you need to have a strong algebraic structure.
And here, the strong algebraic structure that allows us to obtain a meaningful application is only the XOR of a secret, which is pretty neat. So now I will finish my talk with a few open questions. The first one is that we only have a quantum lower bound if we do not limit the amount of data. We believe the attack is also tight with restricted data, but this is left to be done. The more-than-quadratic gap we've obtained requires an amount of data which is pretty large, greater than the birthday bound. It would be interesting to see if we can do better with a lower amount of data. And finally, the other question would be: how far can we go? Are there some other approaches that would allow for an even greater gap? We conjecture that in this model it could be possible to go up to a cubic gap, but this is an open question to this day. Thank you for your attention. We do have time for some questions. Please walk up to the microphones. Meanwhile, you've posted the questions yourself there. Yeah. Because this was actually my question, that I also came up with. So let me rephrase: how likely do you see it that we can go from 2.5 to 3 in the exponent, or something? Well, we would need another algorithm than Simon's algorithm. So it would be hard. What you would need, in fact, is a quantum polynomial-time algorithm, or subexponential, whose classical equivalent has cost 2 to the n. So if you have something that reduces to collision finding, like Shor or Simon, I think you can't reach that. So you would need something else, which is it, and it's unclear. Well, we can reasonably think that such a problem exists, but it's unclear that it would have a cryptographic application. Okay. Okay. Question? No. Well then, we thank you again and move to the next talk.
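The Kuwakado-Morii attack on Even-Mansour that the talk uses as its starting point, as an added worked example that is not part of the talk or of the authors' code. It builds the periodic function f(x) = E(x) XOR P(x), whose period is k1, simulates one iteration of Simon's algorithm by computing the exact measurement distribution of the first register (only feasible for a toy block size), samples y vectors from it, solves the resulting GF(2) linear system for the period, and then checks each candidate against the codebook to recover k2 = E(0) XOR P(k1). The block size N = 4, the permutation seed and the keys are constructed values; all function names are this example's own.

```python
"""Added example: Simon's-algorithm key recovery on a toy Even-Mansour cipher.

The quantum step is simulated exactly (the full measurement distribution is
computed classically, feasible only for a toy block size), so the sampling
behaviour of Simon's algorithm can be observed without a quantum computer.
N, the permutation seed and the keys below are constructed values.
"""
import random

N = 4            # toy block size in bits (constructed; real ciphers use 64 or 128)
SIZE = 1 << N


def parity(v):
    """Parity of the set bits of v; parity(a & b) is the GF(2) dot product a.b."""
    return bin(v).count("1") & 1


def make_public_permutation(seed):
    """Public random permutation P on N-bit values (constructed from a fixed seed)."""
    perm = list(range(SIZE))
    random.Random(seed).shuffle(perm)
    return perm


def even_mansour_encrypt(perm, k1, k2, x):
    """Even-Mansour: E(x) = P(x XOR k1) XOR k2."""
    return perm[x ^ k1] ^ k2


def simon_distribution(f):
    """Exact distribution of the first register after one Simon iteration on f.

    After the oracle the state is 2^(-N/2) sum_x |x>|f(x)>; after Hadamards on
    the first register the amplitude of |y>|z> is 2^(-N) sum_{x: f(x)=z} (-1)^(x.y).
    If f(x XOR s) = f(x), x and x XOR s share a preimage set and their terms
    cancel whenever y.s = 1, so only y orthogonal to s can ever be measured.
    """
    preimages = {}
    for x in range(SIZE):
        preimages.setdefault(f(x), []).append(x)
    probs = []
    for y in range(SIZE):
        p = 0.0
        for xs in preimages.values():
            amp = sum(-1 if parity(x & y) else 1 for x in xs) / SIZE
            p += amp * amp
        probs.append(p)
    return probs


def gf2_reduced_basis(vectors):
    """Fully reduced basis over GF(2) as {pivot bit: row}; each pivot is in one row only."""
    basis = {}
    for v in vectors:
        for p, row in basis.items():
            if (v >> p) & 1:
                v ^= row
        if v == 0:
            continue
        p = v.bit_length() - 1
        for q in basis:                     # clear the new pivot from the older rows
            if (basis[q] >> p) & 1:
                basis[q] ^= v
        basis[p] = v
    return basis


def period_candidates(ys, n):
    """All nonzero s with y.s = 0 for every sampled y, i.e. the nullspace of the ys."""
    basis = gf2_reduced_basis(ys)
    free = [b for b in range(n) if b not in basis]
    cands = []
    for mask in range(1, 1 << len(free)):
        s = 0
        for i, c in enumerate(free):
            if (mask >> i) & 1:
                s |= 1 << c
        for p, row in basis.items():        # pivot bits are forced by the free bits
            if parity(row & s):
                s |= 1 << p
        cands.append(s)
    return cands


def simon_attack(perm, encrypt, rng, samples=8 * N):
    """Recover (k1, k2) from simulated quantum queries to the oracle `encrypt`."""
    f = lambda x: encrypt(x) ^ perm[x]                  # f(x) = E(x) XOR P(x), period k1
    probs = simon_distribution(f)
    ys = [rng.choices(range(SIZE), weights=probs)[0] for _ in range(samples)]
    cands = period_candidates(ys, N)
    key = None
    for s in cands:                                     # classical check of each candidate
        k2 = encrypt(0) ^ perm[s]                       # since E(0) = P(k1) XOR k2
        if all(even_mansour_encrypt(perm, s, k2, x) == encrypt(x) for x in range(SIZE)):
            key = (s, k2)
            break
    return {"samples": ys, "candidates": cands, "key": key}


def run_demo(seed=7, k1=0b1011, k2=0b0110):
    """Toy instance with constructed keys; returns the attack transcript plus the true keys."""
    perm = make_public_permutation(seed)
    encrypt = lambda x: even_mansour_encrypt(perm, k1, k2, x)
    result = simon_attack(perm, encrypt, random.Random(seed))
    result.update(perm=perm, k1=k1, k2=k2)
    return result


if __name__ == "__main__":
    r = run_demo()
    print("sampled y:", [f"{y:0{N}b}" for y in r["samples"]])
    print("period candidates:", [f"{s:0{N}b}" for s in r["candidates"]])
    print("recovered (k1, k2):", r["key"], " true:", (r["k1"], r["k2"]))
```

Every sampled y is orthogonal to k1 with certainty, which is the property the talk relies on; the linear-algebra step is what turns a linear number of such samples into the period. The candidate check at the end is the usual safeguard for functions that happen to have extra periods: whichever candidate reproduces the codebook is an equivalent key.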