 Nice view, isn't it? Welcome in 2100. After wasting energy for unpleasure during a century, we finally run out of resources. Our world is now controlled by a huge multinational corporations, Bob's Enterprise. Because there is no oil anymore, Bob's corporations need to find lots of workers to replace machines. But, people started to rebel against the system. Bob's Enterprise decided to go to the highest level of horror. They started to develop in the lab a toxic gas. When you inhalate this gas, it takes the control of your brains and either turns you into a submissive robot or worse. But fortunately, I may know how to find an antidote. Welcome in my lab. We have not yet been presented, but for obvious reasons, I want to keep my identity secret. But you can call me Alice. It turns out that I know the toxic gas quite well. I've been able to find a set of equations describing an antidote for the gas. It turns out that in order to solve this equation and find the antidote, I need a quantum computer. You know, this computer is able to solve some problems much faster than any classical computer. It turns out that Bob is the only person owning a quantum computer on this planet. And for obvious reasons, if Bob learns the computation that I would like to do on his computer, he will try to kill me. So I will need to find a way to hide the computation. Hopefully, I know a way to hide the computation to a quantum adversary. But first, let me tell you more about quantum. A qubit is the basis building block in quantum computing. Usually, a qubit is a physical device like a photon or an atom. But for this talk, we'll just suppose that we can represent that qubit as a unit vector lying on a sphere, on the surface of a sphere. Now, if I give you a qubit, you can apply some operation on the qubit. So for example, you can rotate the qubit. But you cannot see what is inside the qubit. For you, the qubit is just a black box and you cannot see the vector lying inside this black box. However, there is one method to extract information out of a qubit, which is the measurement. So if I give you a qubit, you can measure the qubit, destroy the qubit and extract one bit of information out of this qubit. Because an arbitrary qubit lies in a continuous space, it is therefore impossible to describe this qubit using a single bit of information. This also means that it is impossible to clone one qubit into two exact copies of your initial qubit. This is very important in cryptography and is known as the no-cloning principle. So in cryptography, we can hide some information inside this qubit and then use it to perform computation with the information and encoding somehow in this qubit using a kind of one-time pad. So this method is used in the universal blind quantum computing protocol. So we will not go too much into the details of that protocol, but the important thing is that it is separated in two phases. During the first phase, Alice, that would like to delegate to quantum computation on Bob's computer, can send some qubits to Bob. So these qubits are just random qubits whose vector lies in the equatorial sphere. So we will call them plus theta, theta being the angle. And then Bob will receive lots of these random qubits and then after, he will interact with Alice in order to perform the computation. So this is an interactive protocol, but all the interactions are classical once you send this initial quantum information. Now my issue is that I cannot send a quantum photon or a quantum atom, so a qubit to Bob, because there is only one, because I don't have a quantum network. I can just access classically to Bob's computer, so I have a classical internet like you, but I don't have a quantum internet because it's very expensive and very hard to build. And maybe Bob's computer doesn't have a machine that can be wired on a quantum device. So I just have classical internet, but now my goal is to find a way to still be able to do quantum computations. So I have a friend that may know how to do and I will see what I can do. Hello my friend, I'm in a hurry. Do you know how to remotely prepare a quantum state on a server using only a classical channel? Yes. There is a protocol called QFactory that can do what you would like to do. Alice is completely classical and at the end of the protocol, Bob gets a quantum state that he cannot describe. At the other end, Alice knows the classical description of this qubit. The security relies on the learning with error problem. I really want to make sure that Bob doesn't learn the computation that I am doing. Is there any proof of security that this protocol is secure when it is composed with the UPQC Universal Blind Quantum Computing Protocol? So to answer your question, you first need to know that there exists different levels of security. The weaker model is a game-based model. This model, the adversary plays a game against a challenger. The game is said to be secure if no adversary can win this game against a challenger. The problem with this game-based security is that it is hard to think about all the possible interesting games that make sense when proving the security of a given protocol. Moreover, there is usually no guarantee in terms of composability, so when you use your protocol inside of the protocols, the security proof of the new protocol needs to be redone. Then, there is a stronger model of security that guarantees that your protocol can be composed into other protocols securely. This model are said to be composable and there are several frameworks. The Universal Composability Framework is used in classical cryptography, but not much in Quantum because it is designed to work for Turing machine mostly. In Quantum cryptography, there are several frameworks, but a quite popular one is the constructive cryptography framework, also known as abstract crypto. To answer your questions concerning classical client remote set preparation, the QFactory protocol is proven secure in the game-based model, but it was not proven before that it can be securely used to replay the Quantum channel in the Ubiquity protocol. There is also another work by Tom Avidic and Alexandre Georgieu, based on the work of Mahadev. This last work is proven secure in the constructive cryptography framework, but they require an additional assumption called measurement buffer. This also gives a security that scales polynomially with a security parameter, while we would prefer to target exponential security. So I don't know any RISP protocol that is proven secure in the plain model in a composable framework, but I know someone that can help us with that problem. Hello, I am the Distinguisher. You know the important guy in composability. What do I do? Distinguish. What do I distinguish? Object or resources. For example, let's take this object. It is an ideal resource. It's your dream, the best resource, the best protocol, the best object that you could get. It is even information theoretically secure. It's really the dream. The thing that in practice, it's very hard to obtain such information theoretically secure with perfect guarantees, and we have less interesting resources to start with. For example, let's consider some aluminum foil. So this aluminum is far from being this resource, but hopefully with some protocols, I can try to turn that aluminum foil into this ideal resource. So for that, there is a protocol that turns one weak resource into a bigger, more interesting resource. So let's see what is the protocol between Alice and Bob. Now, hopefully, this new object is supposed to be quite close to that one. So in order to see if this protocol is really as secure or as good as this ideal resource, my goal is to distinguish. If you want, I am the bad guy, the attacker that will try to see what I can do with this protocol, what I can do with this protocol, and see if I can distinguish these two resources. So let's imagine, for example, that I pick randomly one of these two objects. So for example, I take this one, then I can analyze it, and at some point I need to put a stamp in order to say if I think it is a real or one. So here I think that it's a real protocol. It doesn't look really fancy or anything. And then I start again. I take randomly another object and then I label it again. Here it's really the ideal one. It looks perfect. So as you can see here, it is pretty easy for me to distinguish because I have access to what happens inside the resource. So in order to get a more meaningful scenario, I must have access to only a black boxed version of that resource. So now I have only access to what is called the interfaces. So each party is associated with one interface, and there are two kinds of interfaces. So if the party is honest, then I can choose the input of that party and observe the outputs of the party. Now if the party can be malicious, it can take the place, so I can take the place of that party and actually receive and send messages on its behalf. So for example, let's start with a simple protocol, a secure channel between three parties. So Alice will send a message, Bob will receive the message, and a potentially malicious if dropper that will try to learn the message. So because Alice is honest, I can only input a message that I can choose. Because Bob is honest, I can just observe the final message. But because Eve is malicious, she can try to learn information about the transmitting message. So here we define our security guarantee as follows. Eve should not learn anything more than the size of the message. So this resource is now trivially secure, even information theoretically secure, and it will be our definition of security for all protocols realizing that resource. So it means that a computationally secure protocol must be computationally indistinguishable from an information theoretically secure resource. But so resources are also used to specify the correctness property. And so here, when all parties are considered as being honest, then there is no leakage to Eve because Eve is just being honest. So we can also describe correctness properties of our resource. Okay, so now let's consider a protocol that realizes that resource. So now again, Alice is honest, so I can only input a message X. Bob is also honest, so I will observe the output message X. And because Eve is malicious, he will be able to intercept the message going from Alice to Bob. So it means that the if dropper will have access to the encryption of the message. Maybe it will be a one-time pad, maybe it will be an RSA encryption. It depends on the protocol. But remember, in the real world, I just have access to the size of my computations. Well, to the size of the message, sorry. So here, I can see a bit string. On the real ideal world, I can see the size of a message, so it is easy for me to distinguish. So to avoid that issue, we need to come back to our ideal resource. And we will wrap what is called a simulator around this malicious interface. So the rule of the simulator is to fake the interface of the real protocol. So here, for example, if we use a cypher that is computationally indistinguishable from a random string, then we could ask to the simulator to take as input the size of the message coming from the resource and to output to the distinguisher, so to me, the random bit string that corresponds to the size of this message. So now, I cannot make the distinction anymore between the ideal world and the real world because I only see a bit string that looks random to me. So now, just a small remark about why indistinguishability is interesting. So let's imagine for a second that in the real protocol, sorry, I could extract from the cypher text the input message X. So I will also be able to do the same here in the ideal world, otherwise I could easily distinguish. But here it is impossible because the simulator just has access to the input size of the message. So the simulator and the distinguisher, so that we'll try to extract the message from the cypher text, cannot learn the value of the message. So that's why, indistinguishably, T implies security. Okay, so now let's come back to our setting, classical client remote state preparation, RSP for short. So in the following, we will prove that there exists no classical protocol that realizes any interesting RSP resource. So more precisely, we link the property of security, which is a computational property, with an information theoretical property that we call describability. This allows us to apply on computational protocol tools that comes from information three, such as the no-coning principle or the non-signaling principle. So but first, what is an RSP resource? So an RSP resource is a resource with two interfaces, one for Alice, one for Bob, and we will assume that Alice is an S and Bob can be potentially malicious. So this resource must produce when both parties are nest a quantum state on Bob's interface and a corresponding classical description on Alice's interface. So note that this property characterizes only the correctness of the resource. If Bob is malicious, he could get more information about the state that Alice gets. Okay, so now, for example, let's consider a resource that we would like to have in the universal band quantum protocol. So this resource gives Bob a random plus theta, a random qubit, to Bob's, because it is what the ubiquity protocol expects, and it will give to Alice the corresponding theta, which is a description of the state. So then let's forget a second about this resource and we'll talk about the describability property. So we will say that a resource is describable if an unbounded adversary can extract from Bob's interface the classical description of that qubit. So for example, on this resource, it will mean that it is possible to get theta, giving only access to the plus theta qubit. So in particular, this resource is not describable because otherwise we could use this description in order to clone the qubit and it will violate the node cloning principle. So note that this property of describability is an information theoretical property. Being describable is usually not desirable since, remember, we expect the ideal resource to be trivially secure, which means information theoretically secure. So our first result states that any RSP resource realized from only a classical channel must be describable. So in particular, it means that this example resource is impossible to classically realize. So now we will explain quickly how the proof goes. But in the paper, we also give a more general definition of RSP resources because it is a whole class of resource and we also take into account resources that accept inputs from Alice. Okay, so now let's see the proof and we'll assume by contradiction that there exists a classical protocol that realizes this resource. So it also means by definition of realisation that there exists a simulator that fix the interface that Bob would have with Alice. Okay, so since Bob can be malicious, I can control him and I can see the message exchange with Alice. And because the protocol is classical, it means that the simulator will output only classical messages to Bob's interface. So now as a distinguisher, I can just run the honest protocol on Bob's side. And therefore we'll have a few bits at the end and I can measure the state obtained by Bob using the description provided by Alice. So this is easy for me, even if I'm computationally bounded. So you can see that operation as a test that checks if the produced state is indeed close to the expected one. So in the real world, because the protocol is correct, it means that the measurement will always match the description. So it must also be the case in the ideal world, otherwise I can distinguish easily if they do not match. So it is possible to prove that this is the case, if this is the case, then the state that I obtained in the ideal world is also very close to the state described by Alice. So starting from there, I'm not useful anymore. I was just useful to say, OK, this state is indeed a plus theta. So starting from here, the distinguisher is not useful anymore and we will now construct a describer that can find the description of the quantum state given only access to Bob's interface. So remember in this example, this is forbidden due to the no-cloning principle, because even if the cloning box is in body, you cannot clone the state. OK, so to create the describer, the idea is to classically simulate the honest Bob's protocol. So this is possible since all the communication are classical. So it means that we can just replace all the quantum operations that would have been done on qubits with the equivalent operations, but we will do them on big classical matrices. So that way we know everything so we can just simulate classically the computation. So not of course that this simulation may take an exponential time, because qubit representation takes an exponential space, but it is not important since the describability property is an information theoretic property. OK, so now this concludes the proof because it is possible to recover the classical description of that state. And so it means that any classically realizable RSP resource is describable. And it freaks me that all interesting resources are impossible to realize in a composable fashion. So then we have two other results linked with time with the universal blind quantum protocol, UBQC for short. So the second result is also an impossibility result. So we prove that there exists no RSP protocol that can replace the quantum channel in the UBQC protocol and such that the overall classical client UBQC protocol is secure in the composable constructive cryptography framework. So this could have been possible because sometimes smaller protocol are not composable, but when you use them in bigger protocol, the resulting protocol may be secure. So we show that in UBQC it is not possible. I won't go into the details of the proof, but the idea is to turn a classical client UBQC protocol into a classical client RSP protocol. So due to our first result, the corresponding RSP resource might be describable. But we show that this resource could be used to send a message faster than the speed of light, which is impossible since we violate the non-signaling principle. So basically if UBQC protocols can be classically realized, then we violate the non-signaling principle which applies in quantum mechanics. And finally, our third result shows that the Qfactory protocol can be securely used to replace the quantum channel in the universal blind quantum protocol if we target game-based security instead of composable security. So we prove more precisely that the protocol is blind in the sense that if the adversary tries to behave in a malicious manner, then it cannot learn neither the input nor the computations performed by Alice. So I won't go into the details, but basically we proceed by doing a series of game reductions that reduce any attack on the UBQC protocol to an attack on the learning with error problem. That is supposed to be secure even in hard to solve even for quantum adversaries. So I think that Alice can still use the Qfactory protocol to perform the computations she would like to do on Bob's computer. Oh, so it means that it is impossible to prove in constructive cryptography framework the security of any remote preparation protocol and the classical client universal blind quantum protocol, but that it is possible to prove the security of Qfactory and universal blind quantum computing plus Qfactory in the game-based model. Okay, good enough. Then I will just use Qfactory and UBQC and let's continue the rebellion.