 Good morning, everybody. So I'm going to talk about our work on quantum security of MNEC. And this is a joint work with FAMZON. And this is my attempt at illustrating MNEC under quantum-supproposed query. And so what I'm going to do is this. I'm going to first talk about briefly about quantum security in general. And then as a warm-up, I'm going to talk about cascade construction. And then finally, I'm going to talk about MNEC. So about quantum security, in a sense, we can say that quantum security is a stronger version of post-quantum cryptography, where the adversary not only has a computational capability, but also the computational communication capability with this environment. Of course, that can be formalized as adversaries' ability to make quantum-supproposed queries to its oracle. So unlike the classical case, instead of making a query X and receiving an oracle answer OX, the adversary can prepare a query as a superposition of different messages, X, and getting, again, superimposed answers. So perhaps one motivation for this is from the quantum-random oracle model. So if we regard a random oracle as an ideal definition of hash function, then we can see that any quantum adversary can evaluate the such hash function in superposition. Why? Well, maybe perhaps in order to do a grover search. But anyway, in that case, we can think that the traditional formulation of the random oracle model doesn't do justice in formulating the adversarial capability of quantum adversary in such setting. So therefore, the correct notion seems to be the quantum-random oracle model where the adversary can make quantum-supproposed queries to the random oracle. In a sense, the quantum security is the full generalization of the quantum random oracle model, and then now the adversary can make quantum-supproposed queries to all of its oracles. For example, when you are talking about encryption schemes, then you would be decryption oracle. And for this digital signature, that would be signing queries. So despite this is a relatively recent area, there are already many interesting results, both positive and negative. And so now there are some constructions that are developing quantum random oracles. And there are some PRFs, MEX, encryption schemes, and signature schemes, and so on. And on the other hand, there are also many interesting attacks. These attacks are especially interesting because they are successful quantum attacks on the classically secure schemes. Examples include Evans-Mannsor-Cypher, Lovirokov-Cypher, and CVCMEG, and other block-cypher-based PRFs. And especially all these works are based on quantum algorithms called Simon's algorithm in a clever way. And especially the last work about CVCMEG and others that were presented in crypto last year. And that actually partially answers the question posed by Bonnet and Zandrii. Can we construct a quantum secure PRF for a large domain from a quantum secure PRF for a small domain? In particular, do the CVCMEG or MEG constructions give quantum secure PRFs? In other words, can we do PRF domain extension in the quantum setting? And so, well, they say that for CVCMEG's case, the answer is no. But in a sense, our work is complementary to that. We have proved that MEG, HMEG, AMEG, and some other schemes are quantum secure. Of course, if the underlying small PRF is quantum secure. The main ingredients we have used for this are first, oracle indistinguishability of functions and a notion we call PRF security under random leakage. So I'm going to first talk about cascade construction. The cascade construction is I start with a small PRF where the key space is equals the core domain. And we can build a larger PRF simply by processing, iteratively, process each message block one by one. The result is the cascade construction. Here, I'm illustrating the three block case. And classically, the cascade construction is known to be secure if the number of message blocks are fixed. And the result is done by Bellary, Carnegie, and Grosig in 1996. And the proof uses a two-level hybrid argument. In one level, it's over the message blocks. And in another level, it's over the queries. And I will briefly show the outline of the proof. So the proof consists of a successive games, indistinguishable games. And all of them are identical, except how the oracle is prepared. Of course, in the original game, we have the cascade construction. And we move to the next game where the first PRF instance is switched to a uniform random function. Of course, this change is indistinguishable due to the PRF security. And in the next game, we are going to eliminate one more PRF instance by the uniform random function. And we are going to do this once more. And we finally arrive at the game where the oracle is uniform random function. But in order that this outline works, each successive game should be indistinguishable from the previous one. So we can see that each oracle query to this left-hand side part should be indistinguishable from the oracle query to the right-hand side part to allow this switch. But if you look at this carefully, then we can see that this does not involve just single PRF instance, but actually many PRF instances. Because whenever the adversary makes a query of z of x, that will produce a randomly chosen PRF key, row of z. So therefore, if the adversary makes total Q queries, then there are Q keys are involved. So there are Q PRF instances. To handle this situation in the classical proof, a notion called multi-oracle security was given. So this is not complicated. It simply says that if you have a polynomial number of independent PRF instances, that will be indistinguishable from the same number of independent uniform random functions. And of course, that can be proved by a simple hybrid argument. So now the multi-oracle setting is ready. Now we can argue that we can carry out the outline that I have explained. So whenever the adversary makes total Q queries, then we can prepare Q instances. And then using this multi-oracle indistinguishability, we can simulate the transition from this oracle to that oracle. So that's more or less the outline of the classical security proof of the cascade construction. Unfortunately, that doesn't really work for the quantum setting. Because obviously, if you look at this proof, then it is assumed that each individual queries are unsuperposed. And of course, that's not true in the quantum security setting. But one interesting thing is that at least one special case of the cascade construction was already proved to be quantum secure. That is, in fact, the GGM construction. Given by Goldreich, Waldwasser, and Michali, this is a way to construct a PRF out of a length doubling PRG. And in 2012, Zanderi showed that GGM is quantum secure if the underlying PRG is quantum secure. So one simple observation we can make is this. If we modify the notation a little bit, we can immediately see that GGM is in fact a special case of the cascade construction when the underlying PRF can process only one single bit. So in fact, that can be readily extended to the case if the underlying PRF has a polynomial-sized domain, because such a PRF is in fact PRG. So what we need to do is to remove this restriction to the general case. So to do that, let me briefly review Zanderi's approach for proving quantum security of GGM. So first step is to repackaging the classical GGM security using a new notion called oracle indistinguishability. And then he proved the oracle indistinguishability using new techniques suitable for quantum setting. And so let's talk about oracle indistinguishability. Suppose we have two probability distributions, D0 and D1. And of course we know what do we mean that these two are indistinguishable. So it is hard to distinguish one sample of D0 from the other sample from D1. In that case, we say that these two are indistinguishable. Then we can say that these D0 and D1 are oracle indistinguishable if it is hard to distinguish arbitrarily sized indexed family of independent and identically distributed samples from D0 and from the same kind of samples from D1. And we are going to eventually apply this to PRFs. So we need to talk about IID samples of functions. So let's be a little bit more formal. Suppose I is an index set. And suppose D is a function distribution. Here this notation y to the x is a notation for the function space from x to y. And imagine y and x are like the bit strings, space of bit strings. And then I'm going to define this D to the i. This is a distribution of random functions of type i to D, y to the x. So how do we define it? Each image f of i is chosen independently according to the distribution D. Remember that this distribution is a function distribution. So therefore, each f of i is in fact a random function from x to i. And in fact, we can take a slightly different but equivalent point of view by considering the hiring isomorphism. So simply y to the x to the i is isomorphic to the y to the i times x, y. Because as I told you before, fi is a function from x to i. So this can be evaluated on any point x. But the effect is that this gives you a function of i and x together. Because these two viewpoints are completely interchangeable, we can regard this D to the i as a distribution of random functions from i times x to i. So now we are ready to talk about oracle indistinguishability of functions. Suppose i is an index set, and we are given two function distributions. And I'm going to define that they are oracle indistinguishable if it is hard to distinguish one iid sample of D0 from another iid sample of D1 by any quantum adversary who can make quantum queries. And also, we can talk about oracle security of PRFs using this. We say that PRF is oracle secure if it is oracle indistinguishable from a uniform random function. And in fact, that turns out to be exactly the notion required for carrying out the security proof for the cascade construction. Let me show you why. So here we have an index at i. And for each index i, we need to pick a uniform random instance, independent random instance of PRF. And to do that, we need to pick a secret key for this particular i that in fact gives us a uniform random function kappa from the index at i to the key space of f. And we need to compare this oracle with another oracle chosen by choosing a uniform independent random function for each index. But if you think about it, that's simply a uniform random function of i and x together. So in fact, oracle security gives us this indistinguishability, which exactly is the right shape for carrying out the security proof for the cascade construction. So the only remaining problem is, is the PRFf oracle secure? The answer is yes. In fact, it can be more, slightly more general. And if we have two efficiently sampleable indistinguishable function distributions, then we can prove that d0 and d1 are oracle indistinguishable. In the classical setting, the proof will be even easier. So it can be done by simple hybrid argument over queries. But of course, in the quantum setting, that is not possible. But again, we can rely on a technique developed by Zandri for the context of the GGM security that we can switch to small range distribution. So unlike the IID distribution, in the small range distribution, each image fi are not chosen independently. Instead, we fix a small number r, and we are going to first choose r number of independent samples. And each fi's are chosen to be uniformly one of those r samples. So there will be necessarily lots of duplicates, and only there are only r genuine independent copies. And what Zandri showed in the security of GGM setting is that it is indistinguishable from switching from the IID distribution to the small range distribution. So here, what we need to do is to compare small range distributions of d0 and d1. And in fact, now what we can do is we can do the hybrid argument over those r independent copies. So gradually, one by one, we can switch those r samples from d0 and d1 to finish the proof for the ORACLE indistinguishability. Well, now we are ready. Everything's not essentially done for cascade. So if f is a secure PRF, then according to previous argument, f is ORACLE secure, then using the ORACLE security, we can carry out the hybrid argument for the cascade construction, which proves the quantum security of cascade construction. OK, let's move on to the MMAG. MMAG is simply a cascade construction with additional post-processing by additional independent PRF instance. And so it requires two keys, one for the cascade and another for the post-processing. And that post-processing prevents the extension attack. So unlike the case of the cascade construction, it allows processing variable length messages. And classically, of course, the security of MMAG is proven. And when you try to adapt those classical proofs to the quantum setting, we weren't able to do that. So we have devised a direct hybrid argument using an extended version of ORACLE indistinguishability. And for do this, we need an additional property of a secure PRF. But before that, the first step in our proof is to replace this outer PRF instance with a random ORACLE H. Of course, this is possible due to the PRF security. And so from now on, I'm going to pretend that, so here is an illustration again for a three block case. And from now on, I'm going to pretend that this is the definition of MMAG. OK. So this post-processing random ORACLE is very helpful because it prevents the extension attack. But on the other hand, this is not helpful because it prevents using PRF security. The reason is this. The adversary can make different message block queries. So if the adversary makes zero block query, then the cascade will simply output the security k and which will be post-processed by H. And the adversary now has access to H of k. Of course, this is problematic because what is PRF security? After all, that's simply ability to substitute one PRF instance with a random function. But in order to guarantee that, the security k should be, well, completely secret. And so now the adversary knows H of k. This is an information leakage. However small this might be. So what we need is that this PRF instance should remain secret to the random, even when H k is leaked for a random ORACLE H. So now we can expect that because the amount of information leakage is too small, intuitively it is almost clear that if F is secure, F should be again secure even under random leakage. And in fact, that's I'm going to say that. So anyway, I have defined this notion, formalized this notion, security under random leakage as follows. So imagine two games. In one game, the adversary is given PRF instance a random ORACLE and a hash of the security k. And in another game, the adversary is given a uniform random function and a random ORACLE and a fake hash value. And if these two games are indistinguishable, then we say that PRF is secure under random leakage. And of course, so classically, it is not that hard at all to show that a secure PRF is secure under random leakage. And we were able to do the same in the quantum setting. And the techniques we have used are Dominic Unruh's 1A to hiding lemma, and also PRF security against key recovery. So by invoking a 1A to hiding lemma, we were able to bound the advantage of the adversary under random leakage by this right-hand side term. So you can see that, basically, if the function f is secure, then the right-hand side is negligible. Well, this is a very weak bound, but still, as enough to prove security under random leakage. But what about the I mentioned security against key recovery? But what about key recovery? Isn't it obvious? So if key is recovered, then all bets are off. But contrapositively, if your scheme is secure, then it should be very hard to recover the key. And of course, in classical setting, there is a very easy proof. And let's briefly see how it works. So if you have a key recovery attacker, then using A, you can build a distinguishing attacker. B runs this key recovery attacker until it outputs a candidate key, k. And what Bnext does is to check if this answer is right or not by verifying this key at an uncured point, z. So you'll see if this equation holds or not. And this B will output 1 if and only if this verification checks out. And in fact, this is fine in the classical case, because if this oracle is a PRF instance, then B will output 1 with non-negligible probability, as large as the success probability of A. And on the other hand, this is a crucial part. If all is a uniform random function, this all z, because z is uncured, so this left-hand side will be independent from the right-hand side. And this is really from random. So therefore, the verification may check out only with a negligible probability. So that's how classical proof goes. But as you can see, in the quantum setting, the problem is that even one single query may potentially probe all the points in the superposition. So in other words, there may not exist any point z in the domain where all z is independent from the right-hand side, fk of z. So the classical argument doesn't hold here. So of course, the obvious way out is to instead of verifying at an uncured point z, we can verify at a random point. And intuitively, we can see that this should obviously work, but still analyzing this may not be completely trivial. And in fact, we are able to prove that if the PRF is secure, then it is secure against key recovery by reducing to a variant of quantum search problem. So now, we know that PRF f is secure on the random leakage. And this can be looked in a slightly different way, an equivalent way. So consider two function distributions. In a one-function distribution, key is chosen and hk is concatenated by a PRF instance. So in this function, the first part is essentially random constants. And in D1, again, a random w is chosen, which is concatenated by a uniform random function. So what PRF security on the random leakage says is that these two distributions are indistinguishable. If f is secure, the question is, are they automatically indistinguishable? Well, almost, but not so fast. Look at the definition of D0. This construction depends on h. And the adversary also has access to h. So therefore, we need actually one more update to the notion of autocorrect indistinguishability. So in fact, that's possible. And now we can say that D0 and D1 are autocorrect indistinguishable relative to h. And we can essentially say the similar things. So now these two distributions are autocorrect indistinguishable. What do they mean? So given any index at i and any index i, we can pick a random key, kappa of i. So due to this autocorrect indistinguishability, in short, we can safely pretend that h of a random function kappa of i and f of kappa of i and x can be swapped with the independent uniform random functions of i and ix respectively. Actually, this substitution is enough to prove quantum security or NMAC. So I'm going to show you briefly. So I'm going to illustrate this by the blocks up to three. And again, all the games are identical except how the oracle is prepared. Of course, in the original oracle, we have NMAC. And first thing we are going to do is to substitute this random key syntactically with a random function of a singleton domain. Of course, they are the same thing. It's only a syntactical change. And now that's done, let's look at this. So this part is h of random function and f of random function, same random function and argument and so on. So from the oracle security, we can see that we can substitute these two parts independently to arrive at this. And of course, we can do one more same substitution. So again, this is h of a random function and f of the same random function and some other argument. And again, we can substitute these with two independent random functions once more. And of course, we can repeat this until we get rid of all of PRFs. And finally, we arrive at a game where the oracle is uniform random function. And essentially that proves the quantum security of NMAC. And so I have shown you the proof that cascade construction and NMAC are quantum secure. And using some additional assumption, the quantum security of HMAC follows immediately. And using similar techniques, we were able to also prove quantum security of augmented cascade and NMAC. Thank you for your attention.