So, the third talk of the session will be on non-malleable commitments against quantum attacks, work by Nir Bitansky, Rachel Lin and Omri Shmueli, who will give the talk. Please.

Thank you, Christian. Hi everyone. So, as said, I would like to tell you about non-malleable commitments against quantum attacks. So, as the basis for this talk, let's start with commitments. So, a commitment scheme is a protocol between two classical polynomial-time algorithms: a sender who wants to commit to a message and a receiver who gets this commitment. They interact, and at the end the receiver gets this commitment, and after the interaction the sender can reveal the value and decommit to this unique value by sending a message and a decommitment, and the receiver can decide to accept or reject this. Okay, in terms of security, we have binding, which is going to say that the commitment is indeed committing. Specifically, statistical binding is going to say that for any unbounded sender that interacts with this efficient receiver, at the end there is at most a single message that the sender can decommit to. And another security property is hiding. Quantum computational hiding is going to say that the receiver doesn't learn anything from the interaction unless the message was revealed. Formally, we can look at the quantum view of the receiver at the end for any pair of messages, the view for M1 and the view for M0, and they are going to be computationally indistinguishable. Okay, so this was the most basic and standard definition of commitment schemes, and it doesn't protect us from one of the most fundamental and basic attacks in both applied and theoretical cryptography, which is man-in-the-middle attacks.
So a man-in-the-middle attack is some efficient algorithm in the middle. It is going to try to disrupt this conversation between the two parties and make the receiver get a commitment to a different message, even though it doesn't know what the message is on the left side, because of the hiding. It is still going to be able to maul the value under the commitment. And accordingly we have non-malleable commitments, which are commitment schemes that are secure against these man-in-the-middle attacks. And intuitively, not entirely formally, the message that the receiver is going to get on the right is going to be one of two extremes: either the man in the middle is transparent, which means that he doesn't do anything and the receiver gets M, or it is going to be completely independent of what happens on the left; it can just block all the messages of the sender and commit to some zero or something. And non-malleable commitments are a very active field in cryptography. They have a lot of uses in other central cryptographic objects. They also have specialized techniques for other non-malleable objects in crypto, like non-malleable codes, extractors, time-lock puzzles and others. So they are interesting in that they have uses and also special techniques that are relevant for non-malleable cryptography. Interestingly, these kinds of objects were heavily studied by tons of folks. However, and this brings us to the subject of this talk, all of the previous constructions are not known to be secure against general quantum man-in-the-middle adversaries. Today I want to talk about post-quantum non-malleability, which means that the attacker in the middle is going to be a quantum polynomial-time adversary that is going to try to do exactly the same. And to be a bit more formal about this dependency on M.
So the formal definition, the almost formal definition, of non-malleable commitments is that the honest parties are still going to be classical, so the sender and the receiver are still both classical parties. They have a joint input, which is a tag. This is not a CRS or something; one of them can just pick it. It can be the sender who picks it or the receiver who picks this tag. And at the end of this interaction they have a commitment. And the man-in-the-middle attack game is as follows. Before, the man in the middle tried to change the value under the commitment without seeing what's inside. Now it is going to try to commit to the same value, but with a different tag. We're going to get a commitment on the left with respect to some tag tg that he is going to pick. It's going to get this commitment from an honest sender. Now on the right it is going to pick a different tag tg tilde and is going to try to commit, but to the same message. Now, it is a known fact in crypto that this definition is equivalent to the two-extremes kind of definition from before. And we're going to focus on this game. The full definition is a bit more general, but this kind of game is going to capture everything we want for this talk. So the only single work on post-quantum non-malleable commitments is by Agarwal, Bartusek, Goyal, Khurana and Malavolta, which shows that if we assume the slight super-polynomial hardness of LWE, we have post-quantum non-malleable commitments, but they are secure only against synchronizing adversaries. This protocol also is constant-round, and synchronizing adversaries are a very specific kind of man-in-the-middle attack, which brings us to our results. Our main theorem is that if we have post-quantum epsilon-extractable commitments, which we're going to define in a bit.
And with K rounds, we can construct post-quantum non-malleable commitments having a number of rounds which is K to the C, for some constant C, times log star lambda, lambda being the security parameter. And if we combine this main theorem with previous work by Chia, Chung, Liang and Yamakawa, who show how you can construct constant-round epsilon-extractable commitments from post-quantum one-way functions, we get the main corollary, or main result: if we assume post-quantum one-way functions, we have post-quantum non-malleable commitments in log star rounds. Okay, so let's break down and concentrate on the main technical lemma for today. This is our main theorem, and we can forget about these epsilon-extractable commitments; this is a slightly weaker statement, which will suffice for today. And this statement is broken down into these two lemmas by which we prove it. The first is the construction, and we show that if we have a post-quantum extractable commitment having K rounds, we can construct post-quantum non-malleable commitments, but for a constant number of tags, in K to the C rounds. And the second one is tag amplification. We said that the tag can be anything, any string, any lambda-bit string, so we should have exponentially many tags. So the other lemma is just amplifying the number of tags while having a bit of a round overhead. And this uses a bit of a modification of previous work, which is why today we're going to focus on the main lemma, the construction. So let's get a bit of intuition of why non-malleability is less trivial when we want to prove security against a quantum man in the middle. To understand this difficulty, let's first define extractable commitments. So this again is a commitment scheme. It's going to have one more very important property.
It's going to have quantum extractability, so there is a polynomial-time quantum extractor algorithm such that, for every arbitrary, possibly malicious sender, the extractor is going to simulate two things. So when this malicious sender interacts with the receiver, it has a view, the quantum view, and it commits to a message. So the extractor is going to simulate both the quantum view and also the committed message, the message under the commitment. Okay. So here is a very common approach in non-malleable cryptography. We're going to try to get from an extractable object to a non-malleable commitment. So this is a successful man in the middle: it manages to commit to the same message with a different tag. And what we know is that if, given this man in the middle, we manage to do two things: the first is the interaction with the sender on the left, by the book, a regular interaction, and also we can extract from the man in the middle on the right. So this is an extractable commitment; in the right session the man in the middle is the sender. We can try to extract the message from the sender. If we can do this, essentially we can break the hiding of the extractable commitment, because the sender just sent the message here without revealing it, and we managed to extract the same message on the right. So essentially we broke the hiding of the commitment. And if we can do this, we can show non-malleability. Okay, but if we try to extract, usually when we extract information from any circuit, we need to maybe rewind it or have non-black-box access to this man in the middle. And the man in the middle in the non-malleable setting also includes the sender on the left. We would need to do the same rewinding and non-black-box access also for the sender, which is invalid for a security reduction against the hiding of the extractable commitment on the left.
Why we still have non-malleable commitments in the classical setting is because in the classical setting we don't just use plain extractable commitments. We have specialized techniques that do work in the classical setting; these are some examples. We don't know how to make these specialized techniques work in the quantum setting, none of them, at least until now. Okay, so this brings us to the technical question that we ask today: the only extractable cryptographic object we have in the quantum setting is plain extractable commitments. We're trying to build non-malleable commitments from just plain extractable commitments. Okay, so let's get to the techniques. We will use extractable commitments, but with one more property, which is first-message binding. First-message binding just says that if this is the protocol between the sender and the receiver, the first message in the protocol is from the sender to the receiver, and it's going to be perfectly binding. Once it is sent, the value in the entire commitment is fixed. And we show in the paper, and it is very easy to show, that any standard extractable commitment can be turned into a first-message-binding one. Okay, so let's use these commitments. So this is the first version of the protocol. In the first version of the protocol, the sender is going to first secret-share the message M into N shares. Then it is going to take each one of these shares and give an extractable commitment to it, sequentially, one after the other, until the end. And finally, this N, which we call the block length, which is also the number of secret shares, we're going to pick as a function of the tag: it is going to be (K plus one) to the tag, where K is the number of messages in the extractable commitment.
So just to make sure, everything here is constant: K is constant because we have a constant-round protocol, and also the tag, because we have a constant number of tags. Okay. So this first version is intended to solve the first case. The first case is when the tag on the left is bigger than the tag on the right, and so we have the block lengths for left and right. And this is a successful man-in-the-middle adversary: it commits to the same message M. And what one can show, which follows from the security of the secret sharing, is that we don't need to interact with the honest sender on the left in an honest manner for the entire interaction; we need to interact with it only on a single share, for some u_i, not as before for the entire session. And if we also manage to extract all of the shares on the right, we can perform the reduction. Another thing we can see is that for this choice of parameters, the number of shares on the left is bigger than the entire number of messages on the right. This means that if we look in a more fine-grained manner at the interaction between the man in the middle and the two sides, we always trivially have at least one share which is going to be free of interleaving interaction on the right. We call such a share on the left a free share. Now, the second thing that we use is going to be the first-message binding. It means that for all of the commitments whose first message starts before the start of this free share on the left, we can just fix everything until then, and then start the reduction with a non-uniform extraction, because all of the messages before are fixed. And for the rest that happens after this free share, we can just use the online efficient extraction that we have from the fact that these are extractable commitments.
Okay, so this only solves the first case, where the left one is the bigger one, and the second version is intended to solve the full case. So what do we do when we don't know which side is going to be bigger? The sender now is going to partition twice, once into N shares and the second time into N tilde shares. And then it's going to do kind of the same: it is going to give sequential extractable commitments to the first block and then sequential extractable commitments to the second one. And we're going to pick the block lengths: the first one, the top block, is going to be as before, and the bottom block is going to be defined like this, where tau is the number of possible tags, which again is constant. Okay. So what happens now? So we show a few things in the paper. First of all, we define an ideally scheduled execution of a block commitment, so let's just make sure that we know what's going on here. We have on each of the sides two block commitments, a top one and a bottom one. We say that a block commitment on the right is ideally scheduled if two things happen. First, we have that in the block commitment on the left, the top one, we have one free share. And in the block commitment on the left, the bottom one, we also have a free share with respect to the same block commitment on the right. So here is one example where this bottom right block commitment is free with respect to u_{N-1} and is also free and non-interleaving with respect to u tilde_2. We also show that having an ideally scheduled right block is a property of the execution: we can say, at the end of the execution, whether we had an ideally scheduled block or not. And the man in the middle essentially decides how this is going to play out. And if we have such a block, we can do the reduction.
Okay, some additional hurdles: in the paper we show, by a relatively simple combinatorial argument, why there is always an ideally scheduled block on the right. And then also, as part of a deeper analysis of ensuring the security, we need to give a zero-knowledge proof at the end that the two, the M at the top and the M at the bottom, are essentially the same message, which adds a bit of complexity, so we define ideally scheduled blocks in a bit of a different way, but for the sake of this talk we simplified it. And just to finish the talk with one open problem: the protocol that we get is log star rounds, whereas in the classical setting we actually have many constant-round non-malleable commitment protocols. And one, I think, very nice problem is post-quantum non-malleable commitments with constant rounds. Thank you.

That's time for questions. Yes, if you could use a microphone, for the benefit of those who watch the recording later.

Okay. So I guess, in regards to this open problem: is it like, if you had sort of fancier extractable commitments, would you sort of immediately get this, or is there something else in the quantum setting that breaks down?

So I think there's something else, because we did get a constant number of tags from constant-round extractable commitments, and in terms of extractable commitments, we do have constant-round and epsilon-extractable from one-way functions, or not epsilon-extractable from just LWE. It's unclear what the special properties are that such constant-round commitments should have in order for them to compile to a full-blown protocol with exponentially many tags. So we don't even know what kind of property we need from the extractable commitments. Yeah, we're clueless here.

Just as a follow-up, the second part of your result, the tag amplification: is that also, do you need to do something specific for the quantum setting, or is it...
No, not really. The second part is mainly technical. We look at some classical reduction, which tag amplification is, something known in the normal setting. We just make sure that the same actions actually apply to the quantum setting. The tag amplification is technical but easy.

Thanks.

Thanks. Any more questions? Yes.

So, hi, so great talk. What about CCA commitments? In particular, what about non-interactive CCA commitments of the Corona? Is that something... is there some non-interactive CCA commitment which is okay?

Yeah, we looked into this. No, not really.

Yeah, okay, thanks.

And thanks for the great talk. Is it on? Yes. Okay. Yeah, I wanted to ask about the extractable commitment schemes, so the order-one project protocols in the classical setting versus your protocol. Are they all black-box extractable, or are they all non-black-box extractable, or is one of them...

Yeah, that's like you're hitting the nail on the head. So some are non-black-box extractable. Some of them, if you know the zero-knowledge protocol, some non-black-box zero-knowledge protocol, we did make them work in the quantum setting; this specific protocol is something that's heavily used in the non-malleable setting, and we don't know how to make it work, to show that this is post-quantum secure. And this is like one non-black-box example; the other example just uses rewinding, just classical constant-round non-malleable commitments that don't use non-black-box techniques.

Yes. Okay, thanks.

Yes. If no one else, then thank you again. Let's beat... we are two minutes early for the break. There's a break with refreshments here; we can beat the other crowd. We will be back here at 16:25.