 Hello everybody! My name is Barbara and I am a PhD student at the Technical University of Darmstadt. And in this video I want to give you an overview of our paper Nostradamus Goes Quantum, which analyzes the Nostradamus attack on hash functions and the quantum setting. This paper is a joint work together with Mike Fischlin and Moritz Huppert. In case you liked this video and want to know more about our paper, I would like to invite you to hear my talk at AsiaCrip and of course to read our paper. I will provide all the relevant information on my last slide. Probably you have feared the name Nostradamus before. Nostradamus was a well-known pharmacist of the 16th century who published poems in order to predict the future. We could call this approach somehow secure since it requires real magic to write believable poems about future events. And it's hard to pretend to be a Nostradamus or in other words to be a Nostradamus attacker if you are a non-magician. In 2006, Calze and Kono introduced a modern Nostradamus who uses cryptography instead of poetry for his predictions. And furthermore, Calze and Kono analyzed the effort of a non-magician to be a modern Nostradamus attacker. So this modern Nostradamus wants to prove his prior knowledge about a specific event with the help of a hash function. For example, he wants to predict the numbers of the lottery draw next Saturday. This would happen like this. Before the lottery draw, he commits to a hash value-wide target and says, Hey, I know the lottery numbers, but I cannot tell you which numbers because then you could cheat the lottery. And yeah, we don't want this. But what I can tell you is the hash value of my prediction, which I would send you after the lottery draw. And hey, you don't need to try to guess the lottery numbers based on this hash value-wide target because I add a secret signature to my prediction to avoid this. And afterwards, he publishes the document containing the correct prediction as well as his signature and having this hash value-wide target. Of course, this picture of a modern Nostradamus is just something to keep in mind to have an intuition. Nonetheless, this is a desirable security property for a hash function that this can only happen if someone knows the lottery numbers. Under some assumptions, we can specify the effort of Kelsey and Kona's Nostradamus attack, which is a generic attack. This means that the adversary do not exploit any concrete details of the hash function. Our contribution is the development of a Nostradamus attack in the quantum setting, which is a generic attack as well, and shows that the time complexity can be reduced significantly if the quantum adversary is allowed to use Grover's algorithm. You can see it here. The factor before N changes from 2 over 3 to 3 over 7. Moreover, we give a lower bound for the quantum Nostradamus attack by using a result of Leo and Zandri, which proves that our attack is essentially optimal. And this is what you can expect from my talk at Asia Group. First, I will explain our quantum attack, and then I will show you the proof idea of the lower bound. And as promised, you can find here on my last slide the link to the full version of our paper, and also another link where you can find our Qiskit experiments. For more information, please look into our paper. My talk at Asia Group will be at the 7th of December at 5.30pm in Taiwanese time. Thank you for the attention and maybe see you then again.