 My current one, so I'm going to present the paper entitled Quantum Security Analysis of AES, which is a joint work with Xavier Bentin and Maya Neyaplesentia. So I'm just going to start with a little bit of context, and then we're going to see how to solve such problems with quantum algorithms. And after that I'm going to go into the details of the base attack we developed in this paper, which is a quantum attack on H1 AES-256. Okay, so in this paper we are studying the security of block safers in the presence of quantum adversaries. So it is well known that some classical symmetric cryptography constructions have been broken if you're able to use quantum queries, for example the even monster save. But these are specific examples with a very strong structure, which will not be the case here. So we're going to see what we can do still. We know that a quantum adversary is capable of local quantum competitions, still capable of doing classical encryption queries, and potentially doing quantum queries. The fact that no such structure exists in our example doesn't really mean that the adversary is completely hopeless, that there may be still something better to do than simple global search. So this paper we are studying the well-known standard AES. So it is an SPN with 128-bit blocks, which are represented as a 4x4 byte matrix. In an AES round, you absorb the round key, apply the AES's box to which byte separately. There is a shift of each round in this matrix, and then we multiply each column by the AES-MDS matrix. The number of rounds depends on the key length, and as does the key schedule. So for AES-256, which is our main target, there are 14 rounds for AES-128, there are only 10 rounds. So we are going to study key recoveries in the secret key model. We have blackbooks, and we want to find the secret key of these blackbooks. Classically, exhaustive key search is simply doing a few queries to the blackbooks and then trying all keys until the encryption match. If you have a key recovery that goes below this complexity of trying all keys, this is an attack on a radius round version, and the number of rounds attack will determine the security margin of AES. In the quantum setting, we know that we can use Grover's algorithm to speed up the key recovery and to find the key into the 128-equivalent AES encryption. But the question is, what is the quantum security margin of AES? What is the highest number of rounds for which we have better procedure to recover the key than Grover exhaustive search? So in this paper, we study quantum key recovery attacks on radius round versions of AES. It turns out that the base attacks that we found required only standard encryption queries, classical encryption queries. And also some of the ideas that we had to use also gave new time-space radars for classical attacks. So Grover's bound is actually very strong constraints, and the number of rounds that we're able to reach will be actually smaller than the classical base attacks. It turns out to be one-round less than in each case. We're using quantum square attacks and Demi's analysis took me to the middle attack that I'm going to explain in my presentation. But first, let's see what we do best in a quantum setting, which is search problems, exhaustive search. And let's start with the bound that we're going to set, which is Grover's aggressive search on the key. How much does it cost? It's actually a tricky question. We have a way to write quantum algorithms as in an abstract manner using the quantum secret model. And they're all represented as reversible secrets, so we can count the number of gates in these secrets, and this gives us quantum time complexity. But, well, there are many traders possible, and there are many optimizations possible of these secrets. And it's actually not easy to write these down, so this was done actually by Krasel et al. These were the counts that we use for reference in our paper. If you consider a quantum circuit for the AES, it turns out that the most costly component is the S-box, because the S-box is a small nonlinear function, which, classically, is most often tabulated, and it's not the case in the quantum setting, so it's a very most costly component. And that way we can count everything of our complexities in the number of S-boxes that we use, that we need to evaluate. And so our bound for each round AES-256, for example, is the key can be recovered into the 138 S-boxes, which means if we go below this bound, we have an attack, we have something that's better than Grover's algorithm. Now things are going to be a bit more technical, because classically, attacks are complex procedures, and quantumly this is, of course, also going to be the case. We need to be able to write more complicated algorithms than Grover's search, but still one of the best building blocks that we have is Grover's search. We show next that this building block can be used to design algorithms, search algorithms that works in the same way, classically and quantumly. So how so? Suppose that you have a search space, and suppose that you have a predicate that is going to determine good elements in this subspace. And you want to find good elements, so we define this operation, which is filter among this search space all the good elements, which means actually lazy sampling good elements from the search space. Classically, you do that by sampling elements from X, the search space in the initial one, until the predicate evaluates it through. And this costs you this time complexity. Quantumly, things are a bit different because we use Grover's algorithm to benefit from its quantum speedup. So we have to start from the uniform subspace over the search space, and we use Grover's algorithm to transform this superposition into a uniform superposition over the good subspace. And the number of times we have to iterate our operations of sampling and evaluating the test is reduced by a square root. So quantum search is a bit different from classical search. Intuitively, as I said, classical search is only testing elements at random until we find a good one. And this is doing that. Taking an element, it's not good. Another one is not good, another one is not good. This one is good. We're finished. Quantumly, the search is a stateful operation that starts from a state which is a superposition over the whole subspace, and then modifies it into a superposition over the good subspace. But, well, this is an operation that can be also used as a subcomponent in an algorithm. In the same way that, classically, in order to sample from the space X, there's another search. I'm going to take an example of that. Imagine that we have to evaluate a conjunction predicate, which is remote elements that satisfy P1 and P2. So naively, we would only take elements from X and check if P1 is true and if P2 is true, and we will have this first formula. But we can better, using lazy evaluation, we're going to take elements from X, evaluate P1, and evaluate P2 only if P1 is already true. This saves a little time. It turns out that this lazy evaluation can be also rewritten as a combination of filters. You're actually doing a search among all elements satisfying P1 for an element that in addition satisfies P2, and it did search to sample from XP1, and you're testing if the element satisfies P2. This is an essay search. In the quantum setting, we'll have a similar procedure. We'll have a global search among XP1, in which this sample operation is also a global search that produces XP1, and the test is only testing P2. This is a generic principle that it takes the following. If you have a procedure which is a combination of filters, we call that filtering operation, or lazy samplings, or procedures that look this way, you have a corresponding quantum procedure which is a combination of quantum searches. To get from one to another, you change the time complexity by taking square roots over all the number of iterations in this nested procedure. And that's it. This gives you a recipe for a quantum attack. The idea would be first write a classical attack, written as a combination of filters. So it's going to be a classical attack of a very specific form. And then we take each of these filters and replace it by a quantum search. We obtain a quantum algorithm that does the same. And the complexity of this quantum algorithm is obtained by computing the complexity of the classical one and replacing the number of iterations by square roots. If in the classical attack, the search terms are dominant, you get a global square root factor, which means that if your attack is below classical exhaustive search, then your quantum attack is also going to be below exhaustive search. Or at least it can be. Because there is some technical post-processing to do, we have to check a posteriori that there are small factors that separate quantum from exhaustive search. We also have to check the success probabilities and so on. But the most... these quantum technicalities can be handled later. At the time, we already we're already almost sure that we have a good attack. Okay, let's see how it goes. With an example, in our paper of a quantum attack on each one of the years, 256. So this attack follows the Demi-Sissouk meeting the middle principle and the improved version by Derbez, Wuckangian. It starts from a rebound distinguisher on five rounds a year. So there is a property that says if you have an AES of five rounds regardless of the round keys and if you have an input-output pair which has an input difference active in only one byte and an output difference active in only one byte also. The bytes can be anywhere. So you have such a pair. Now if you encrypt a sequence of states which are obtained from this pair but making the difference in the blue box here taking some arbitrary values including that a delta sequence and if you collect the sequence of output differences in the right byte turns out that these sequences in output can take only two to the 192 possibilities. So there are two to the 192 possible sequences that you are able to obtain with a five round AES. If it wasn't a five round AES you would be able to obtain any sequence. So without going into the technical details the idea of this distinguisher that you write all the rounds here if you have this input and this output differential you can start from both ends you can guess a few but just a few bytes of the internal states and you can complete the whole path by solving AES-SBOX differential equations. So this equation says I give you an input an output difference on an SBOX and there is approximately on average one possible byte value that has this input and output difference. So we'll have the time and the possibilities and have the time and so in the end you only have 24 bytes state bytes to guess to complete the whole path using these equations and once you have the whole path then if you put a difference here you can propagate everything right until the end. So this property is going to fit here in our attack so we put the middle rounds here and we're going to have some key byte guesses in the first and in the last rounds. So here is the idea and it's really following the classical attack principle. We first have to query AES-SBOX to find many pairs input output pairs that satisfy these conditions so active in only a diagonal here input and active only here in output. If we have enough pairs that satisfy these conditions then we can proceed with an exhaustive search over the key bytes that I put with the bullet points here. So there are 10 such key bytes and for each choice of them we have approximately one pair that is going to satisfy the blue to red path here and we can find this pair. Then let's see we have such a pair so we can start making the difference in the blue byte vary. This means that we have to make new queries and so we take new differences in the blue bytes and we have to we have to partially decrypt using the key byte guesses to get to an input state that we encrypt through the black box we partially decrypt the output to get the difference in the red byte but we use the key byte guesses basically. So we can make the difference in blue byte vary, collect the difference in the red byte and now we can find whether the difference, the sequence of differences in the red byte belongs to the possibilities that gives us the distinguisher. Classically we tabulate this distinguisher so we have a big table and just check whether we are on this table and the table will be too big for us actually, so we don't tabulate it and now we have to make another search inside the search. Let's see do we have an attack here? We have 10 key bytes to search through and we have 24 bytes to guess in the middle states. This means that we have 34 bytes and this is bigger than the key so this is not an attack yet. But we can do a bit better because there are relations between the key bytes that we guessed and the middle states that we are sieving through and we found actually four relations that come from the key schedule of AES-256 which means we have only 30 bytes of freedom to search through and this is smaller than exhaustive search so we may have an attack and we, so in the classical setting we evaluated that we would need 250 S-boxes instead of 263 for exhaustive search. There are many details that needs investigation. For example, we need something to solve the S-box differential equation because when we are sieving the possible states in the middle we have to recompute everything. We have to recompute basically this table that we are not tabulating. So we needed to give a circuit to do this and we did that in about two S-box computations which is much more efficient than doing a go research for the solution of the equation. Quantum queries Do we need quantum queries? Actually they seem necessary at first sight so if we first write down the whole attack you seem to need quantum queries in the middle but they can be removed in terms of that all the quantum queries we needed to make could be replaced by 2 to the 88 classical queries. Do we need quantum accessible memory? Actually it seemed also necessary but we also removed it classical memory, classical queries and it more or less looks like well it's not much resourceful than Grover's algorithm. I must make a little update regarding our paper because as I said computing the exact cost of where the search is complicated and actually since we wrote this paper the costs notably the cost of the S-box circuit has been improved this was a paper at Eurocorp 2020 by Jax et al and there is like a factor 26 in the gate count of the S-box circuit which changes in our paper only the relative cost of solving the S-box differential equation so now the differential equations cost much compared to an S-box and turns out that this doesn't change our final result because this wasn't the dominating term in the complexity so in this quantum attack we used the tableset but changed the way it was written because initially in the classical setting we tabulated the rebound distinguisher and we see the subkey bytes and in our case we didn't tabulate the rebound distinguisher we do the search this idea can actually be used classically if you don't tabulate the distinguisher what you're going to do is to put the key guesses in the table instead and then you make a search over the degrees of freedom of the distinguisher and you see the key guesses using this search this gives new time memory shadows for key recoveries on the AES and notably it improves the trade-offs for the 9-round attacks on AES 256 so to summarize we have analyzed existing attacks on AES and tried to find the best quantum key recovery that we could and this provides the first analysis of the security margin in the quantum setting for these attacks that we obtained which are square attacks reward them in this search framework that unifies quantum and classical exhausted search procedures and this enabled us later to analyze in an easier way the quantum attack basically allows to delay the technicalities of the quantum technicalities while designing the attack the second we also showed how to explore the structure of the S-box to design an efficient circuit for solving the differential equation which may be used in other quantum attacks for example so we rate an 8-round attack on AES 156 the question is open or whether we can do better than that and also new trade-offs for classical for classical attacks in this setting so that's all thank you for your attention