Thanks a lot for the introduction. Yeah, I'll just dive right into it. There you go. So quantum adversaries can break RSA. And indeed, an adversary that has access to a large-scale quantum computer can use Shor's algorithm to break a couple of the most widely used public-key cryptosystems. And the question that this fact poses might be: are there quantum attacks breaking symmetric cryptosystems? And yeah, the answer is yes. And this is indeed the superposition attack by Kaplan et al. and by Santoli and Schaffner. And those attacks work in the so-called Q2 model. So this means that we give the adversary quantum access to the function, maybe also keyed functions. So this gives her more power than the usual post-quantum model. And this will be the model that we are in for this talk. And we present a scheme that is secure against those superposition attacks in this stronger model.

So first, I will talk about the attack and somehow give you the gist of it. So it attacks, among other things, the CBC construction. So here it is. The CBC takes the internal function f_k. And how you evaluate it: you take the message divided into r-bit blocks, XOR them into the internal state, and apply f repeatedly until the whole message is processed. And the security notion that we aim at here is PRF security. So we want, for a random key, the construction to be computationally indistinguishable from a random function, in the model where we give the adversary, again, superposition access to the whole thing. So as you have seen in the previous talks, the adversary can prepare a superposition of messages, and in the second register she gets the outputs of the function. And there is an attack, running in linear time in the number of bits of the internal state, that breaks the construction. Namely, the adversary can find a collision that allows her to easily distinguish it from a random function. So this is how the attack works. And this is our result.
So if f_k is a pseudo-random function secure in the Q2 model, then the sponge construction, similar to the one you've seen before, which I will give more details on later... So this is the superposition that the adversary can prepare against the function. Then the resulting construction is secure in the Q2 model as well. And this is her interaction with the whole construction. So this is a short version of the result. Right.

So in the following, we'll discuss the details of this statement. First, I will give you the definition of the construction, and you will see how similar it is to the CBC construction. And in the end, we'll discuss why the attack does not work in this case. Then I will restate the theorem, giving you more details, and then give you a sketch of the proof, which works following the modular structure of the proof by Andreeva and others. And somehow the key statement that we need to make is the indistinguishability of random sponges. So we take the sponge construction, instantiate it with a random function, and we want to show that this is indistinguishable from a random function. And this is the hard part, which is solved by kind of the main lemma of our paper, which takes more than half of it, basically. And there we use the quantum polynomial method by Andreeva. And then I will conclude by posing some open questions.

So the sponge construction differs from CBC by the internal state. So now it consists of two parts: one of r bits, and the second part consists of c bits. And when we feed the input into the construction, we XOR the r-bit blocks only into the first r bits of the state. And the second part is left untouched, well, until we evaluate the internal function on the whole state. And then we feed all the rest of the blocks. And this is called the absorbing phase. So you take a sponge and it absorbs water. And then to get this water out, we squeeze it. And this is what happens in the squeezing phase: we output the first r bits of the state.
And in this construction, we can actually ask for longer outputs. So we can output more and more blocks of the output by applying phi again and again. So the most prominent use of this construction is in Keccak, the standardized hash function SHA-3, and others. And somehow the use that is closest to our approach or our result is the Haraka function used in the hash-based signature scheme SPHINCS+. I point this out because Haraka uses this construction with phi being the keyed function. So somehow, OK. I will explain this keying business here a bit more.

So this is the same theorem you may have seen before, with more details. So now I added the details. So f is a fixed-input-length pseudo-random function or pseudo-random permutation, secure in the Q2 model, where I give this superposition access to this guy. And the advantage of this is epsilon. And then the resulting keyed-internal-function sponge, this guy, is a variable-input-length pseudo-random function, secure in the same model with advantage epsilon plus q to the third power over 2 to the c. And the c, we call it the capacity. This will be important later.

And right, coming back to how we key the sponge. So for those of you that know the construction and know how we key it, this is a very specific way to do it. Because sometimes the internal state is keyed. So basically, instead of starting with the all-zero string, we put the key there. So we start from a different place, or we even prepend the message with the key. But here we just key the internal function. So how do we prove this statement? This is pretty straightforward. So we start with the sponge with the keyed function. We want to show that it is computationally indistinguishable from the sponge with a random internal function. So this follows from the definition of f_k. And then we want to go to the random function, kind of with the same input-output format as the sponge. And this is done by indistinguishability.
So basically, this is what we call quantum indistinguishability. And this is the hard part, because the first step follows from the definition. So quantum indistinguishability of a construction, the sponge, is when no adversary can distinguish the construction from a random oracle. And those phi, this phi here, and g are uniformly random. Now, it's important to note that we give the adversary access only to the whole construction and not to the internal function, because this would put us in the realm of indifferentiability, which we discussed before. But this is not what we do. We can use only this notion to prove the statement that the sponge is a PRF. So, right, classically, for example, the Andreeva and others paper, they use the indifferentiability bound. But it's not necessary.

So as I said, this is the main kind of technical statement that we need. So to prove this, we're going to focus on the sponge construction with fixed capacity, so this guy, versus with capacity going to infinity. And so this is part of the construction. So this part will be either some fixed value, say 1,024 bits, or going to infinity, so huge. So why do we do that? We do that because if c goes to infinity, we can show that this is actually a random function. So basically, if this is infinity, I mean very, very large, going to infinity, then every input to phi is different. And phi is a random function. And when evaluated on fresh inputs, it will always output uniformly random output. So this will also be the case in the squeezing phase. So all outputs will be just random strings. So this works.

So now we focus on the fixed c. And the important observation that we make is to say that the probability of the adversary interacting with the construction is a linear combination of probabilities that a bunch of inputs x_i map to outputs y_i, for 2q pairs x_i, y_i. Also, this goes over every possible input and output. And this statement is somewhat standard in quantum, well, post-quantum cryptography, say.
But we will use this statement in the following way. So we're going to focus on this part and say that this is a polynomial of small degree in 1 over 2 to the capacity. Why do we do that? That's because if this is the case, so this part, this probability of 2q input-output pairs, is a polynomial of small degree, then the whole thing is also a polynomial of small degree. And this gives us the indistinguishability statement that we aimed at. And this part is the hard part, because we need to analyze these probabilities. And you have already seen the picture, but the construction is not straightforward. So to find this polynomial was the hard part. OK, maybe one thing more. So if we have those polynomials, then going to indistinguishability is completely outside of the scope of cryptography; it's just a statement about polynomials. Then we say that two polynomials differ and somehow, yeah. OK.

So again, this is the main lemma: finding this polynomial and also finding the parameter in which it is a polynomial. And we show that this is 1 over 2 to the c. And the proof goes by just case distinction and counting the number of possibilities. By that, I mean the number of possible values inside the construction, of the values of the internal states in those 2q evaluations. And basically, there's nothing quantum going on here. It's just an in-depth, very detailed analysis of the probability expression.

So this is basically it. So what we have done: we've proven quantum indistinguishability of random sponges. So this is the technical part, and you can use it to write, to know that the sponge keyed by keying the internal function is a quantum-secure pseudo-random function in this very strong model. Now, we did it by direct calculation of the probability. I didn't say it before, but we also managed to prove the whole statement for f being a random permutation, or phi being a random permutation, directly.
So not going through the PRF-PRP switching lemma, but looking at the polynomials and generalizing the bounds a bit. So this might be of independent interest.

And now we wanted to also think about why the superposition attack doesn't work. And the intuition is that, well, it's because of this hidden state. So this part, the adversary has no access to this part. And in the attack against the CBC construction, she prepares a large superposition, the parts of which are supposed to interfere in the end to make the attack work. And this interference does not happen if there's a part that she does not control. But yeah, so this is kind of maybe a technical explanation. And we're looking for something more general, more useful for other possible attacks and constructions. Right, and the second thing is that we think that our result is tight. We don't have the algorithm, but this q to the third power suggests that just a collision attack would suffice.

Right, so the main open question is, well, we worked hard on the proof; where can we use it? Maybe some other construction. But there, to see this polynomial, we need this part of the state that is hidden from the user. But maybe there are other interesting cases. We would like to understand better why this superposition attack does not work. As I said, we have a technical understanding, but not so much a high-level one. And then, right, what about indifferentiability, so kind of the more general notion, and also useful when we talk about hash functions, so not keyed objects. And right, so we actually have managed to do this together with Christian Majenz, Christian Schaffner, and Sebastian Zur. And we used the technique presented two presentations ago, and actually also the one-way-to-hiding lemma by Ambainis, Hamburg, and Unruh presented in the previous presentation. So thank you very much.

We have a few minutes for questions.
In classical cryptanalysis, we sometimes consider related-key attacks in which you are allowed to modify the key in a particular way and see what the effect is. Did anyone look in the quantum world at what happens when you are allowed to modify a fixed classical key with a superposition of many, many possible changes simultaneously? So you are doing a related-key attack, but in the quantum world?

I am not sure.

I wondered if your techniques, for example, will apply. If you look at your construction, suppose that the key is only the state of the initial register. And now you're allowed to add to the key any superposition of initial states. What will happen to your proofs?

Well, so while analyzing this probability of those 2q input-output pairs, we have to constrain somehow the kind of which ones we are looking at. So there we fixed the initial state to be zero. So we would just need to say that this is also under the control of the adversary. So I guess, yeah, we can do this.

We have another.

It would be interesting if we just expand. Thanks. Initially, you said that you cannot prepend the keys, that your analysis is for the kind of dedicated-key mode, where the internal function is keyed. But with the indifferentiability result, does it mean that you can do essentially what the sponge initially suggested for building a PRF, that you can just prepend the key and that is secure? Does it follow from indifferentiability, maybe with a sub-tight bound?

Right. Yeah, I would think so. So we go through indistinguishability because we need to do this step, kind of get rid of the key stuff and then do the kind of indistinguishability part. And this somehow gives us the... we escape from the fact that we don't want the adversary to have access to the internal function. And in the case you're talking about, this would be natural.

But you're saying, so your technique doesn't directly apply, but indirectly through indifferentiability it would be secure?
Through indifferentiability, yeah, I would say so. But this is a completely different proof technique.

One question about the Q2 model. So you're giving superposition access to this primitive and then getting a superposition answer back. Is there a real-world or a compositional motivation for this model? It's kind of a general question.

Right. So one motivation that I've heard about is kind of hardware, where you imagine hardware with this keyed function that someone has, and somehow it's maybe some kind of obfuscated. Well, the key is in there but not really accessible. And you can cool it down and make it quantum. But the most real-world one is the post-quantum model.

Right. We have maybe one or two more minutes for questions. Let's thank you all again.
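As an added illustration (not the speakers' code), here is the keyed sponge from the talk: r-bit blocks are XORed into the outer part of the state, the c-bit capacity part is never touched by the input, and the keyed internal function f_k is applied to the whole state, with further output blocks obtained by applying f_k again. The instantiation of f_k with HMAC-SHA256 on a 256-bit state and the 10*1 padding are assumptions of this example; with rate_bytes equal to the whole state (c = 0) the same code is the CBC-like construction the talk says the superposition attack breaks.

```python
"""Keyed sponge Sponge[f_k] (added example, not from the talk or the paper).

Assumptions: the fixed-input-length keyed function f_k on the (r+c)-bit state
is a stand-in built from HMAC-SHA256 (so r + c = 256 bits), and messages are
padded with the 10*1 rule at byte granularity.
"""
import hashlib
import hmac

STATE_BYTES = 32  # r + c = 256 bits


def f_k(key: bytes, state: bytes) -> bytes:
    """Keyed internal function phi = f_k: a fixed-input-length PRF on the
    whole state (assumption: HMAC-SHA256 used as the stand-in PRF)."""
    assert len(state) == STATE_BYTES
    return hmac.new(key, state, hashlib.sha256).digest()


def pad10star1(msg: bytes, rate_bytes: int) -> bytes:
    """Byte-level 10*1 padding: 0x80, zero bytes, 0x01, up to a block boundary."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 1) % rate_bytes) + b"\x01"
    return padded


def keyed_sponge(key: bytes, msg: bytes, out_len: int, rate_bytes: int) -> bytes:
    """Sponge with rate r = 8*rate_bytes bits and capacity c = 256 - r bits.

    Absorb: XOR each r-byte block into the first r bytes of the state only (the
    capacity part is untouched), then apply f_k to the whole state.
    Squeeze: output the first r bytes, apply f_k again for further blocks.
    rate_bytes == STATE_BYTES means c = 0, i.e. the CBC-like construction.
    """
    assert 0 < rate_bytes <= STATE_BYTES
    state = bytes(STATE_BYTES)  # all-zero initial state; the key lives in f_k only
    padded = pad10star1(msg, rate_bytes)
    for i in range(0, len(padded), rate_bytes):
        block = padded[i:i + rate_bytes]
        outer = bytes(s ^ b for s, b in zip(state[:rate_bytes], block))
        state = f_k(key, outer + state[rate_bytes:])
    out = b""
    while len(out) < out_len:
        out += state[:rate_bytes]
        state = f_k(key, state)
    return out[:out_len]


def capacity_bits(rate_bytes: int) -> int:
    """c = (r + c) - r: the part of the state hidden from the adversary."""
    return 8 * (STATE_BYTES - rate_bytes)
```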