 Yeah, just put it there. Yeah, I know that there I can see the time. It's my clock. Yeah, so. Yeah, got it. Okay, my apologies for the delay. Some of the appearance of text will be in the wrong order because this is not PowerPoint on this laptop, but it should be all understandable anyway. Okay, so I am going to talk about collapse-binding quantum commitments without random oracles. And if you don't know what collapse-binding commitments are, that's not a problem. I will start by motivating them and telling you why we have that. So for this, I would first like to give you an example of something we could do and which is realistic to do. So let's say we have a horse race. It's just a use case example. And a player wants to, so we want to construct a commitment in order to allow a player to commit, to bet on a horse without telling the bookie beforehand what he committed to. So that's a kind of a typical teaching example for commitments. And how can we do that? Well, for example, we could take the name of the horse, Spicy Spirit in this example, and take a hash of that name together with some randomness and send this both together to the bookie. And now let's say the Spicy Spirit is the horse that wins. What does the player do? He sends the randomness to the bookie. The bookie checks whether the name of the horse together with the randomness gives the right hash, and if so, pays the money. So that's a typical approach that we might do. And now we can ask ourselves, is this a secure protocol or not? So consider a cheating player. Could the cheating player, so we are looking at the binding property now, the hiding property is not the topic of this talk, so could a cheating player achieve the following? So instead of actually sending the hash of some horse name, he just sends some fake value H that he made up in whichever way he likes. And sends this value H to the bookie. And like when some other horse wins, say Walloping Waldo, the player performs some algorithm to find an R so that the hash of Walloping Waldo and R equals the value H he sent earlier and the bookie sends money. So this would be a typical attack. And now I ask, is this possible? Well, if we do not specify anything about the hash function, so this is what the player wants to do, if we don't say anything, of course, it could be possible. It could be that the hash function is the all-zero function or something like this. But I guess everyone here, whoops, yeah, only this should have appeared. So I guess everyone here knows that in classical cryptography all we need to do is to take a collision-resistant hash function here because collision resistance means that it is infeasible to find two different inputs to this function that have the same hash. And therefore, the player cannot find one input which contains Walloping Waldo and another input that contains Spicy Spirit that have the same hash. So the consequence is that H can be opened to one horse only and not two. And now comes the big surprise. In the quantum setting, so if the adversary has a, potentially has a quantum computer, this reasoning does not hold. So it could be that H is collision-resistant, even collision-resistant against quantum adversaries, but still it is possible that the player envies to any horse he pleases. At least relative to some rather artificial oracles, such a hash function has been explicitly constructed in prior work. So the question, well, the first question I might ask is, is this even possible? Although this is not the topic of the paper here, I would like to tell you a word or two why it is possible in principle that this can happen, because otherwise you might stop listening because you think I'm solving a problem that can't happen. So why could it be that such an attack is possible with a collision-resistant hash function? Well, on a very high level what could happen is that the player sends some fake value H, and this fake value H is produced with some quantum algorithm that does not compute only the value H, but also compute some quantum state psi. So it's a randomized quantum algorithm that outputs each time you run it an H and a quantum state together, so you can't just first pick the H and then compute the quantum state, they just come together, and then later when the player knows what horse he wants, there's some other algorithm that computes from psi the randomness needed to open to that value. And now since quantum states cannot be cloned in general, we see that there's no contradiction to the collision resistance, because this algorithm here will use up psi, we can do it only once, so we can open this hash function to whatever we want, but we cannot open it to two values at the same time, in particular we cannot find a collision. And this has been explicitly done relative to some oracles, it seems to be a threat that is at least possible. So the question is, also already done this year, you're equipped, what do we do against this? How do we improve the commitment schemes in order to avoid what I call here the walloping-walder attack? And there were two contributions, one was the definition of a stronger property of computational binding, and it turns out if you just use one-to-one the definition of computational binding that is used in the classical setting, even the definition does not exclude this attack, there's an improved definition called collapse binding. I will not show you that definition for time reasons, but let me tell you that it does imply that you cannot cheat in this example that I showed you. It is nice because it composes in parallel and it is rewinding friendly. So even in proofs that use rewinding, which are particularly tricky in the quantum setting, like when you use, for example, the knowledge proofs and so on, these commitments behave nicely. But the question is then, do they exist? Well, and that was the second contribution. Another notion was introduced, a security notion for hash functions called collapsing hash functions, and it was shown that with simple, kind of standard constructions from the classical world, a collapsing hash function implies a collapse binding commitment, so a commitment that is good for all purposes that we know. Collapsing is a strengthening of the notion of collision resistance, and I claim it is what we actually want from a hash function in a post-quantum setting, and it was shown that such functions exist in the random oracle model. But the big question that we might open is do collapsing hash functions actually also exist in the standard model? Because you could claim, well, I make up some definition and then I show the random oracle satisfies it, but perhaps it's impossible to achieve definition. So the goal of the present paper is to show that collapsing hash functions exist in the standard model, so without random oracle. And in particular, this then also implies the existence of collapse binding commitments in the standard model. So it solves all the problems that I've mentioned so far. Not all the problems in the world. So that was a bad button. Okay, so, yeah, it appeared too much again, but it's all right. So let me first tell you now what a collapsing hash function is. So I will now show you the definition. I'm showing you the definition here a bit differently than it is in the paper, because after the paper I came up with a bit more intuitive way of phrasing it, but it can be easily seen to be equivalent. So consider a hash function, and now we want to generalize the idea of being collision resistant to the quantum setting. And in the classical setting, collision resistant means we cannot find two values that have the same hash at the same time. In the quantum setting, as we have seen, this is not enough. Instead, we will ask for something which at least on the vague intuitive level means we cannot find a superposition of two values that have the same hash. And this is formalized as follows. So we look at an adversary that outputs a number of messages M in superposition. There should be outputs here. So here we have an adversary, he outputs a bunch of messages M. And then we take this bunch of messages, the superposition of messages, and measure which one it is, and we give that the state after the measurement back to the adversary. So quantum mechanics tells us that if the adversary produces a bunch of messages here and we measure them, what we give him back is not a superposition of messages, but randomly chosen one out of the messages that were in this superposition. And now this we contrast with the second game, where again the adversary produces the superposition of messages, but now instead of measuring which message he sends, we only measure the hash of the message. So we perform a measurement that takes less information about the quantum state. And that means that whatever the adversary gets back will be a superposition of several messages, potentially a superposition of several messages that all have the same hash that we have measured. Because we have narrowed the superposition down to all messages that have the same hash. And now the definition of collapsing is in principle very simple. It says that an adversary cannot tell whether he runs in this setting or whether he runs in this setting. What does this intuitively mean? Intuitively, if we ignore all the issues like computational limitations and so on, and just think information theoretically, it means that measuring M and measuring the hash of M do the same thing to the state. And doing this, and that means that the information content of measuring M and the information content of measuring hash of M is the same. In other words, measuring the hash tells you the same as measuring the message, which basically means there is no collision. This was some information theoretical argument. Of course, a hash function will have collisions. They are just hard to find. But this should be enough for now to have a vague feeling about why the definition is like it is. Basically, the hash function is supposed to look as if it wasn't possible to make, to send a superposition of different messages with the same hash. So that's the definition, and now the question, do they exist? And I will sketch the construction that we found on a high level. And the main tool that we use for this construction are lossy functions. You may have heard of lossy trapdoor functions. Lossy functions are the same, except that we don't need a trapdoor, so we slightly weaken the requirements. And a lossy function is a function keyed by some public parameter, which can exist in two different kinds. So depending on the parameter, the function is either injective or it is highly non-injective in the sense that the image of this function is concentrated on a rather small set of its range. And the lossy function definition says you cannot distinguish between these two kinds of parameters. And this we will use. So the construction is this one. We take a message, and the size of these blocks here represent how many bits the different inputs and outputs are so that you see where it gets smaller. So we take the message and feed it through a lossy function. Now, the bit length of the output of a lossy function is considerably longer than what we put in, so it wouldn't be a good hash function. But by definition of a lossy function, the lossy function always looks injective. No matter whether we use a lossy parameter or an injective parameter, it will always look like it's an injective function. And an injective function is easily seen to be a collapsing function, because an injective function doesn't even have collisions. So in particular, you will not be able to have a superposition of collisions. So a lossy function is a collapsing function, but a collapsing function with a range that is bigger than the domain, so that's so far pointless. However, if we run the lossy function in the lossy mode, then although the range here is very big, the actual image that is used here will be a very small subset of this, so much smaller than this box hash in the end. So we have many bits, but only very few bits strings are actually possible. And now we use a universal hash function, and we can very easily show that if you have applied universal hash function to a set that is very small, then this universal hash function is with very high probability injective. So when the key here is lossy, then this hash function will be injective on the actual image of this lossy function, and therefore will be collapsing. So the concordination of these two functions will be collapsing, and the output will actually be shorter than the message. So now we have managed to construct a collapsing function that takes a message of some length and makes a hash of shorter lengths from it. Are we done now? Well, it depends. For some purposes, that may be good enough, but generally we would like hash functions that can take a very, very long message and bring it to a short hash. While here, the more we want to compress the stronger the assumption about the lossy function will become, so we would actually prefer to have a simple computational assumption, as weak as possible assumptions, which means that ideally we will cut off only a few bits or perhaps half the size, but not make like a gigabyte into a kilobyte or something. So what we need to do is to hash long messages. I need the text here. It will come soon, yeah? Okay, so how do we hash long messages? Well, in classical crypto, there are many constructions that are well known, and in particular for our purpose, the Merkel-Dumgaard construction turns out to work. So if the hash function, now I get rid of this again, so if the hash function h is collapsing, but takes two blocks into one block, then a construction like this, like we hash part of the first block of the message, get something, connect, concatenate with the second block, hash it, concatenate with the third hash it, and so on, with some suitable padding, this is a collapsing hash function. Why is that the case? Well, what we need to show is measuring the hash is equivalent to measuring everything that goes in. And I will sketch that, so assume we measure the hash here. This, because this hash function on its own is collapsing, is indistinguishable from also measuring the inputs to that function. And now this output of this function is measured, which will be indistinguishable from measuring this and those inputs, and so on. This is simplified because we can't do an induction over the length because it's dynamic, et cetera, but the basic intuition of what's happening is captured by this. And that means that measuring the hash of the function is indistinguishable from measuring the input, and we said that is what we mean by a collapsing hash function. So I have more results, but no time, so I skipped them. And I only mentioned my main interesting question. The main interesting question is, can we construct collapsed binding commitments on even weaker assumptions? Or can we do it perhaps with walnut functions or with collision-resistant hash functions? Because lossy trapdoor functions are already a relatively powerful tool, so we would like to ideally do it with walnut functions, because, classically, we can do computationally binding statistically-hiding commitments even using just walnut functions. So that's an open question. Thank you for your attention. Thank you very much for dealing with the technical issue, but still finishing on time, I'm impressed. So we have actually time for a quick question. Classical hash functions might give you problems in the quantum world. So can you tell me whether SHA-2 or SHA-3 have any chances of exhibiting this weird behavior? Well, since the random oracle on its own is collapsing, so if we assume that SHA-3 is like a random oracle or SHA-2, then we are on the safe side. Of course, it's not clear whether this is true, but basically in the classical setting, we make a similar thing. We say the compression function behaves ideally, and therefore it's also collision-resistant. So I don't see any problems with those functions, especially since, for example, for SHA-2, the building block is kind of done by, I don't know, throwing the bits around heavily enough so that everything looks random, and then we build the full hash function using Merkle-Dumgaard, which has been shown secure here. So with SHA-3, I'm very confident that everything is fine with SHA-2. With SHA-3, we don't use the Merkle-Dumgaard, we use the sponge construction. They are also pretty confident, but that is based on unpublished proofs that I only have on my whiteboard so far. So the sponge construction is, yeah, so one needs to additionally analyze the sponge construction, which is a bit difficult, different, because it doesn't seem to be indifferential in the quantum model and so on, but if you trust scribbling on my whiteboard, then everything is fine there as well. Okay, great, thanks. All right, thanks Dominic for your talk. Thank you.