 So, I realized that the audience here is possibly quite mixed, so I tried to start from some classical concept, so from classical randomness extractors, and then motivate our quantum definitions. Okay, so we start with classical randomness extractors, and in our setup we will call this classical to classical randomness extractors, and I will just give you a definition and explain the parameters and constructions. And then from this, I want to go to this quantum to classical randomness extractors, so I also want to give you the definition here, and also some explicit constructions of these extractors. And well, so I guess the main reason why this paper got accepted here is because there's an application in the so-called noisy storage model, so that's a two-party cryptographic model. And well, actually the parties here are quantum, and they're assumed that they only have like a noisy storage, and under this assumption some security can be shown. Okay, and it turns out that this randomness extractor have actually a very close connection to entropic and certain curation with quantum sign information, and this is also a reason why we came up with this concept. So if I have time, I will also tell you a bit about that, but I want to mainly focus on the noisy storage application, and then we're just going to conclude and tell you some open problems. Okay, so what's the classical randomness extraction? Well, so the basic question is given an unknown weak source of classical randomness, how can we convert it to uniformly random bits? We have some source here, right? So that would be an example of a source which is only weakly random, but not uniformly random. So how can we convert that? Well, and so the idea is we can apply a function to it, and condense it to like a smaller random variable m, and if we choose that function right, we hope that this output is uniformly random. So again, here we have an example. So we apply this function f, which just takes n1 plus n2 plus n3 model 2, and then we see that the output here is nearly random. So the probability of a zero is 0.52, whereas for one single copy of nI was just two-third. Okay, so but now the point is that this function, well, this was specifically designed to work for this input. So what we want is that we want to find a function that works for all inputs, only what we want to assume is that we have some guarantee about the entropy of the source, and the meaningful measure here is the mean entropy. It's just defined as minus the logarithm of the maximum of the probability distribution. And I want to also write it as optimal guessing probability of guessing the random variable, because this, well, this can then be generalized to a more general setting. Okay, so we want to find a function that works if we only know something about the mean entropy, and it turns out that this is not possible using deterministic functions. But what we instead have to do is to invest a small amount of perfect randomness. So it is we have this classical input n, and then we want to apply functions according to some seeds, to some randomness. And then over the average of all these functions, we want that the output is uniform. Okay, and actually there exists the idea of strong extractors, and they have the property that seeds can be reused. So even after the seed is used, it's still uniform. Okay, and so on this classical randomness extractors, they have many applications in information theory, cryptography, computational complex theory, and so on. And this is a very nice review reference to. Okay, now from a cryptographic viewpoint, it's an interesting question how to deal with prior knowledge. And the question that we have a second party, which has some knowledge about our source. And then the question is, does to this randomness extractor still works relative to that second party. And it turns out that for classical side information, this is no problem at all. You can just use your randomness extraction. But for quantum side information, this is not clear. And actually this paper guy, Gavinsky et al, they give an explicit example of a classical extractor, which fails if one takes quantum side information into account. Okay, and so the mathematical model would then be that the source is described by a so-called classical quantum state. So the first part is still classical. So it's probability distribution. And the second part is quantum systems. So these are just like density operators on some finite dimensional Hilbert space. Okay, so let's have a look at this setting. We have this classical input, which is correlated to some quantum system. Okay, this red circle, just classical systems. This yellow stuff is quantum systems. We have this input, classical quantum state. And then we want to apply some function according to some seed, d. And we want that the output here, well, we want that the output is random, but also not correlated to the quantum system anymore. And so, okay, this only has to be the case approximately. And the distance measured to choose it is this trace distance. And this corresponds to a strong extractor because they also write the seed in here. Okay, good. And now, again, we want that this whole extractor thing works. If you only know something about the mean entropy of the source. Now, because we have sign information, the right measure is conditional mean entropy. It's defined as minus log, the optimal guessing probability, given the quantum sign information at hand. Okay, I'll just write it like that. Okay, and one example for this is a two-universal hashing, privacy amplification. So it is known that for all classical quantum states with sufficiently high mean entropy, the output of the hashing is random and no longer correlated to the quantum sign information for an output size of 2 to the power of k times epsilon squared. So this is a strong, this is called a strong k epsilon extractor against quantum sign information. And here the seed is of the order of the input system. This is quite bad, so much better, constructions are known. But again, it's a strong extractor, so what can reuse the seed? It's not used up. Okay, well, okay, so that was all about the classical extractors. I wanted to tell you now let's come to this quantum to classical randomness extractors. So the basic idea is to make the input quantum. Before we had this classical input system N, and we wanted to extract randomness from that, and now the idea is to start with a quantum system. And, well, why is that well motivated? So I would say the basic question is how do we get this weak randomness at first? Before I assume we have some weak source of randomness, and the question is how to get that. And one way to get it is to have a look at quantum mechanics to take a quantum source and do some measurements on these quantum sources. Because in quantum mechanics we can get real randomness out. Okay, so I want to start with a quantum system and see how much randomness can be extracted from that. So that would be the setup. So we start with a quantum system here, do some kind of measurements, and then we end up with a classical system M. Okay, so here in more detail, again if we consider this quantum sign information, we have some quantum system N which can be correlated to some other quantum system E. And then we are going to apply our extractor, we want to apply some measurements according to some seed, and in the end the output is classical at first, and second it should be random and not correlated to E anymore. And again it's a strong extractor, I also write the D in here. Okay, and the setup should be completely the same as before. So we assume that we have no control over the source, but only we know something about the conditional min entropy of the source. And now we need a fully quantum definition of this min entropy. See, we start with two quantum systems here, and actually this is a well-known definition. It's given by that. If you've never seen it, it may be a bit complicated, but so it's minus log N times maximization, and here we maximize over quantum channels, lambda, and these channels go from the E system to some system N prime, and N prime is just a copy of N, and then we take this F, F is called the fidelity, some kind of distance measure, from the maximum entangled state here between N and this copy N prime, and the channel applied to the input state. So this is a generalization of this gassing probability I showed you before. But maybe we just accept this, I want to make one remark about it. So this is a fully quantum entropy now, it's a conditional entropy, and in the quantum case this can get negative. And okay, this is a bit weird at first, but one can make perfect sense out of it, I would say. And in fact, if you take this maximum entangled state and put it in here, then this can get as negative as minus log N. So how does the definition look like? This is again the setup. Before we have this input system, we want to mix it and then measure it, and we get this classical output system. And so here comes the thing, so the mixing operation, we want to do with a unitary operation. What do they do? They just take one basis of the Hilbert space of the quantum system and rotate it into another Hilbert space. And then in the second part, we want to do this measurement and discarding. So remember that the M system is at most as large as the N system, as the input system, and actually we can write this whole thing as one big measurement map, which I call tau. And what this map does is it measures in one predetermined computational basis of your Hilbert space and then discards some of the measurement outcomes. And if one now first applies some unitary operation and then this measurement map, then this corresponds to measuring in a basis given by this unitary operation followed by discarding some of the measurement outcomes. So this leads us to the main definition of the talk. I define the following thing. A set of unitary operators, you want to UD, defines a strong k-epsilon quantum to classical randomness extractor against quantum side information. If for any state, rho and E, now this is fully bipartite quantum state, with sufficiently high mean entropy. We have this, so let me just say here again, this mean entropy, it can get negative, so this k can also be negative now. So we want that the output of this map on average over all the unitaries is close to being mixed and decoupled from this quantum side information E. And again, I write the seed in here, the D system, because I want it to be a strong extractor. Okay, and now stuff like this has been considered in the literature before. And so one example is if you forget about the quantum side information here, just delete the E system, then this corresponds to so-called epsilon metric on certain relations. And another thing one could also imagine, to have a look at the fully quantum problem of this, so the input system would be quantum and the output system would be quantum too. So, and this is known as the coupling theorems or quantum state randomization or also quantum extractors. So we will call this set up just like quantum to quantum randomness extractors. But we're not interested in this. We're really interested in this intermediate thing where we start with a quantum system and end up with a classical system. Okay, so let's look at what we can do. So in this extractor business, one usually starts with probabilistic constructions. So here this would correspond to random unitaries. And if we take random unitaries, we can show the following. We can show that we can get an output size of the minimum between n and n times 2 to the power of k times epsilon to the power of 4. And remember this k here, this can also get negative. Okay, so if we have entanglement between the n system and the e-system, this k can actually be negative. So this expression makes sense. And the seed size of this probabilistic construction is m times log n times epsilon to the power of minus 4. And actually that's quite bad. See, the seed has to be basically proportional to the size of the output system. So this is quite bad. But again, these are strong extractors, so one can reuse the seed. Okay, so let's look for converse bounds. And for the output size, we can basically get converse bounds that matches this probabilistic construction. So it's m always has to be smaller or equal than n times 2 to the power of k epsilon. Now, this is not exactly 2 to the power of k, but k epsilon. So this is something which is called a smooth mean entropy. And I don't want to go into details now. I just want to say that this is basically the same if you think about it in a particular way. So the output size, the probabilistic construction basically gives you the optimum output size. But for the seed size, we can only get the lower bound of 1 over epsilon. So you see we have this huge gap of the seed size. And actually, using our proof techniques, we can also show that we can only show that the seed size is always lower bounded by basically the output size of the extractor. So this is by bad, but I think we have some ideas. And if using a better probabilistic construction, one should be able to make these two match. But I don't want to talk about that because, well, I don't know how to do it. And for the application in cryptography, we need to find explicit constructions that have certain properties. Okay, so let's do that. Again, it's a setup. So one known construction is what's called a unitary 2-design or almost unitary 2-design. So what these do, they just reproduce the second moment of random unitaries. And this actually implies that there are quantum-to-classical randomness extractors with just given parameters here. Then we have a new construction, and this is based on a full set of mutually unbiased bases, together with two-wise independent permutations. So unfortunately, I don't really have time to go into the details of this construction, but we can use it for assert construction, which then is going to be useful in a cryptographic setting. And we call this bit-wise quantum-to-classical randomness extractors. So we have an input system, consist of n qubits, an output system, n bits, and then we define our set of unitaries as a full set of mutually unbiased bases for each qubit. So this just corresponds to three bases for each single qubit. And for example, we can take the Pali-X, Pali-Y, Pali-Z, and then we take the n-fold tensor product of this. And in addition, we also put in two-wise independent permutations. We get the QC randomness extractor with these parameters, but the important thing here is that it's really bit-wise. So these unitaries here, they really have this tensor product structure. The input is n qubits, so it's a tensor product structure, but these unitaries also have tensor product structure. So this is very important. And okay, the two-wise independent permutations, they don't have this tensor product structure, but what happens is they commute with the measurement. So what we can do is just apply these unitaries which have tensor product structure, then do the measurement and then permute the classical measurement outcomes. So it's important that these unitaries have this tensor product structure. So these are the constructions we know. And now I want to use this last one for this two-party cryptography application. So one example would be secure function evaluation. So we have two parties, L is Bob, they have input x and y, and they want to calculate some function f, which depends on x and y, and they can communicate which is other. Now remember, all of this is now assumed to be quantum, okay? And well, so why is it called secure function evaluation? Well, these two parties don't trust each other, so Alice should not learn the value of y and Bob should not learn the value of x, okay? And even in the quantum case, it was shown that it's not possible to solve this without some assumptions. And well, so classically, usually the kind of assumption one makes to solve a task like that are some kind of computational assumptions, like factoring is hard or whatever, but we don't want to do this. We want to make a more physical assumption. So we want to assume, well, that the quantum storage these two parties have is bounded. And well, under this assumption, secure function evaluation actually becomes possible, and moreover, the honest parties, they don't need any quantum storage to implement this protocol. They only need some quantum channel to communicate. So the thing we have a look at is not bounded quantum storage, but noisy quantum storage. We assume that the parties only have access to some noisy quantum storage. So what can the adversary do? Well, it's computationally all-powerful. It has unlimited classical storage, and actions are instantaneous. So the only restriction we really have is that the quantum storage is noisy. And okay, so the setup looks like that. What can the adversary do? Well, he can do some encoding, but at some point he has to store the quantum information he has in the quantum storage, which is noisy, and then the classical storage he can just use. And so you can already see from this picture what's the basic idea of this protocol. So the basic idea is that we have waiting times, because whenever we have a waiting time, the adversary has to store his quantum information in the quantum memory and then loses information. And based on this assumption, what we can actually show using our bitwise quantum classical randomistic section, that the security in this model is linked to the entanglement fidelity of the quantum storage. So the worse your storage is, the more security you have. And technically this is done using a task called weak string arrangement, okay? So well, and then I don't really have time for this, but just want to point out here in this last box, so this QC extractor there are very closely related to this entropic uncertainty relation with quantum sign information. So if you have one of them, you can also get the other one and vice versa. Okay, so we have conclusions, and well, the open problems here, well, I guess the big open problem is really to understand what would be the optimal seed size, and there is actually an interesting series of work concerning classical extractors also against quantum sign information about getting a short seed. Okay, that's it.