I'm Qipeng Liu from the Simons Institute. Today I will talk about the work Unifying Presampling via Concentration Bounds. This is joint work with Siyao Guo, Qian Li and Jiapeng Zhang.

We start by looking at a famous example of a practical hash function, SHA-3. The key building block is the function in the picture. The function seems very random and achieves pretty good performance in practice. However, it is very hard to analyze, even for the most fundamental properties like collision resistance and one-wayness. To deal with the difficulty in analyzing security, Bellare and Rogaway observed that the random oracle model captures most real-world attacks. Many of the most efficient schemes, including those that are currently being standardized, only have random oracle proofs. The random oracle model assumes that the best way you can use an ideal hash function is by looking at its input-output behavior, not its code or structure, and that the input-output behavior is kind of random. The random oracle model has many important cryptographic properties, including one-wayness and collision resistance. Security bounds in idealized models provide essential heuristic justification and guidelines for security in the standard model.

However, traditional idealized models fail to capture pre-processing attacks. The bounds obtained in idealized models are either not accurate or not applicable at all when pre-processing is allowed. One famous example is pre-image finding. When no pre-processing is allowed, it is easy to see that it requires roughly Θ(N) queries to invert an image. But when pre-processing is allowed, the queries go down to N^(2/3).

Let's look at the formal definition of idealized models with pre-processing. For this talk, let us focus on the random oracle model. When the adversary in the random oracle model is allowed to do pre-processing, we call such a model the auxiliary-input random oracle model, or AI-ROM. There are two phases in the model.
The first one is called the offline phase. An unbounded adversary can arbitrarily interact with the random oracle, making unbounded queries, but at the end of the day it produces a piece of advice of length S. Then, in the online phase, another algorithm tries to win a security game. It gets the advice from the offline phase and the challenge. Then it makes at most T queries, and the goal is to output a valid answer.

The reason to think about this offline procedure is that it captures more realistic attacks, or in other words non-uniform attacks, where you can think of the advice as generated in a non-uniform way. Another reason is that usually it is crucial to answer online queries efficiently. For example, a hacker needs to respond to a server in a short period of time. The offline phase is allowed to take a while, as the hash function is public and everyone could spend a lot of time analyzing that function. We then define security in the AI-ROM, which is simply the security against S bits of advice and T queries.

Although this model captures more realistic attacks, it is usually more difficult to work with, especially to prove its (S, T) security. There are a couple of techniques for analyzing security in the AI-ROM. As you may tell from the title, in this work we will focus on presampling. It gives a simple and intuitive analysis compared to other techniques.

The intuition behind the presampling technique is as follows. The advice can be an arbitrary function of the random oracle; for example, it may be an XOR of all outputs. For now, let's assume it is well-structured. In other words, it only stores S input-output pairs of the random oracle. Therefore, the online adversary only knows these fixed coordinates, but nothing else. Thus, the security is easy to analyze as long as the challenge avoids these coordinates.
Informally, the presampling technique says that the advantage of any complicated advice is at most the advantage of some longer and well-structured advice. Let's look at the statement more formally. We first define the bit-fixing model. An oracle is arbitrarily fixed on at most P coordinates, which are chosen by the attacker in the offline phase, and the remaining coordinates are chosen at random and independently of the fixed coordinates. It is also easy to define security in the bit-fixing model. In other words, an oracle is sampled as follows. First, the outputs are arbitrarily fixed on P coordinates by the attacker, and then the remaining coordinates are sampled by the challenger.

The presampling theorem says: let ε be the maximum success probability of breaking an application in the AI-ROM; then ε is at most ε' + ST/P, where ε' is the maximum success probability in the corresponding P-bit-fixing random oracle model. And when P is roughly S times T, then ε is at most 2ε'. Notice that the first bound is additive and therefore works better with indistinguishability games. The second bound is multiplicative, which works better with unpredictability games.

Here we show an example of using the presampling theorem to argue security in the AI-ROM. We consider pre-image finding. To prove security ε in the AI-ROM, we only need to care about its security in the P-bit-fixing ROM. If the challenge y, which is the image to be inverted, is in the fixed coordinates, then the problem is easy to solve. Because there are at most P fixed coordinates, this would only happen with probability at most P/N. Otherwise, these pre-fixed coordinates do not help invert the image y, and by making at most T queries, the advantage will be at most T/N. Therefore, the security in the P-bit-fixing ROM is at most (P + T)/N.
With the multiplicative presampling theorem, by setting P = ST, we have that ε is roughly ST/N. This is the best known lower bound for pre-image finding in the AI-ROM.

Now let's switch to the quantum world. In the quantum world, random oracles are the same: a random function drawn at the very beginning of the game. The only difference is the interaction between algorithms and random oracles. Since a quantum algorithm can implement a practical hash function, for example SHA-3, on its own quantum device, it is very natural to assume it can make superposition queries to the random oracle. It is also natural to define the auxiliary-input quantum random oracle model, where both the offline and online algorithms can be quantum, and the advice can be either classical or quantum. In this work, we're particularly interested in the case where the advice is classical and the algorithms are quantum.

As we have seen the simplicity and tightness of presampling techniques in the classical setting, we ask the following question: can we lift presampling techniques to the quantum setting? In this work, we answer the question in three different aspects. First, we realize that direct lifting is difficult. We show that if direct lifting would work, then it implies the famous Aaronson-Ambainis conjecture is true. The conjecture asserts that any quantum algorithm on unstructured inputs can be approximated on most inputs by an efficient classical algorithm. This open problem, dating back to 1999 or earlier, was included twice in Aaronson's list of 10 semi-grand challenges for quantum computing theory. The conjecture is still quite open, and the best known bound is exponentially far from the conjecture. Faced with this barrier, we revisit the presampling techniques in the classical setting. We find there is a much simpler proof for the previous presampling theorem.
We redefine the bit-fixing random oracle model and work out a simpler and unified proof with only standard concentration bounds. The proof gives tight theorems of previous works for both the AI random oracle model and the AI random permutation model. And finally, with the new definition of the bit-fixing model, we adapt it to the quantum bit-fixing model. We show that with the new definition, we can prove a quantum version of the presampling theorem. Furthermore, it is optimal in the sense that it matches the optimal classical bound. Finally, we show the simplicity and generality of our theorem. We re-prove previous results on non-uniform security and give the first non-trivial post-quantum non-uniform security of Merkle-Damgård hash functions.

Next, we overview these results. Let us recall the classical definition of the bit-fixing random oracle model: an oracle is fixed on at most P coordinates, and then the remaining coordinates are chosen at random. It is natural to adapt the definition and propose the bit-fixing quantum random oracle model, where P coordinates are fixed classically and then the game is played with the quantum online algorithm and the oracle. With this proposed definition, we want to prove the following theorem, which we call the direct lifting of the classical presampling theorem. The theorem says the advantage in the AI-QROM is bounded by the advantage in the P-BF-QROM plus an additive term, which is ST/P. If the theorem could be proved, we would have an intuitive and easy way to analyze post-quantum non-uniform security in the random oracle model, just like what we did for the classical setting. However, as our first result points out, such a theorem would imply the famous Aaronson-Ambainis conjecture. Thus, we believe such a direct lifting has a barrier.

Faced with this barrier, we revisit the definition of the P-BF-ROM and the presampling theorem. We show the following definition is equivalent.
An oracle is sampled through the following rejection sampling procedure. Let F be a P-query classical algorithm. Then the challenger keeps sampling a uniformly random hash function H until F on H outputs 1. Then the game is played with an online adversary and this hash function H. With this definition, we can easily generalize to other idealized models, like the random permutation model. It is simply rejection sampling of a random permutation conditioned on some P-query function outputting 1. With this definition, we give a unified and simpler proof for both presampling of random oracles and random permutations using only standard concentration bounds. This is the second result of our work.

Now, let us look at the roadmap for the proofs of the presampling theorem. In the previous work, they first show that the security in the AI model can be bounded by the security in the dense oracle model. Then they argue that the dense oracle model is very close to the bit-fixing model. In this work, we show that by proposing an equivalent definition, we can prove it directly, relying only on standard concentration bounds, without decomposing the distribution and working in the dense oracle model. We can even generalize to the quantum setting. The quantum bit-fixing random oracle model is defined as rejection sampling of a random function conditioned on some P-query quantum algorithm outputting 1. We can think about it this way: in the classical bit-fixing model, both F and the online adversaries are classical. In the attempted quantum bit-fixing model, F is still classical and only the adversaries are quantum. And in our real bit-fixing quantum random oracle model, both F and the online adversaries are quantum. With this definition, we can prove our quantum presampling theorem, which simply follows from our classical proof. The bound is optimal in the sense that it matches the optimal classical bound. This is our third result.
Finally, we give several applications that show the simplicity and generality of our quantum presampling theorem. We first re-prove the best known bounds for pre-image finding in the AI-QROM. Second, we show the first non-trivial non-uniform security of the famous Merkle-Damgård hash functions. We show its (S, T) security in the AI-QROM is ST³/N. The best known attack achieves (ST² + T³)/N. We believe further closing the gap is an intriguing question. That's everything I want to talk about. Thanks.