Okay, thank you very much. Do you hear me? Is it fine? Good. Yeah, good morning. I'm very happy to be here, very excited to be here at Crypto. I really enjoyed the weather in Santa Barbara. I enjoyed it so much that two nights ago at the Anacapalona I got a bad sore throat. So I will try my best, but if you don't understand, just raise your hand, wave, and I will repeat.

Good. So in this work we studied the quantum security of classical encryption schemes. Before you start shouting "post-quantum", wait a second. Just to fix the ideas, I'm only going to talk about symmetric-key encryption schemes, or secret-key encryption schemes. There's nothing fancy here; it's one of the simplest cryptographic primitives that you can think of. You just have one secret key, and then you have one encryption procedure and one decryption procedure. Each of them maps, respectively, plaintexts to ciphertexts and ciphertexts to plaintexts, and this primitive is classical. So whenever you see the yellow box, it's a classical encryption scheme.

Okay, so what can we say about the security of this encryption primitive? Usually when we model the security of the scheme, we have something like this in mind. We have some adversary, and since we look at computational security here, we consider the adversary to be bounded, a polynomially bounded machine. The adversary interacts in a classical way with the scheme, and after some interaction it breaks the security of the scheme, whatever that means. Then when we look at the security of the scheme against a quantum adversary, what we usually do is give the adversary access to a quantum computer. So now we model the adversary as a bounded quantum machine, but the interaction with the scheme is still classical, because the scheme is a classical object. This is usually what we call post-quantum security. Now I would like to show you why this might not be enough sometimes.
So there might be cases where you want to give a bit more power to the adversary. Usually the model that we have in mind is something like this: we have an adversary, and the adversary is trying to compromise the security of some external target, some user. But what might happen in reality is something similar to this scenario. The target of the adversary might be a tiny encryption device using some fancy technology. We already have chips using, you know, opto-electronic components and optic fiber, so one thing becomes more and more like this: people start having fun and become creative. So this is what happens. What you see here is commercially available equipment for performing fault analysis attacks on chips. You know, there are these crazy hacker people having a lot of fun shining lasers into your chip and pouring liquid nitrogen on it and changing the voltage of the electricity, and by interacting with the device in an unexpected way they can extract information which should not be available. These things were supposed to be, you know, science fiction until, I don't know, 20 years ago, but nowadays we have a whole branch of cryptography devoted to designing systems resistant to this kind of attack.

So what we advocate in this case is the following: quantum security beyond post-quantum security. What we mean is that the adversary might be able to get quantum interaction with the classical device. This was our first motivation, but there are other scenarios where this might happen. Very briefly, for example, you might consider the case where a classical primitive is used as a sub-protocol or a component of a more complex or involved quantum protocol, and then it's not clear how the security of the classical primitive combines with the security of the whole protocol. This is also important in security reductions. You might also have this kind of fault attack.
Let's call it so, where an honest user wants to run a classical algorithm on her quantum computer and then, at the end of the computation, measure the outcome in order to have a classical result to send over the internet or whatever. Then your adversary might tamper and interfere with the measurement operation and be able to access quantum information before the measurement. Finally, you might also have obfuscation. The adversary might receive the code for performing encryptions in an obfuscated form, but then he might run it on his quantum computer, and then to some extent he might be able to at least partially, you know, interact quantumly with the classical primitive.

So this sounds strange, but we are not the first ones to consider this kind of model. In particular, I want to mention this work by Boneh and Zhandry from 2013, where they look at the security of classical encryption schemes and they model the fact that the adversary could be able to perform quantum queries of this form. So instead of asking for an encryption of one message and receiving back the encryption, the adversary might query the encryption oracle on a superposition of messages and get back a superposition of encryptions.

So what's the situation so far? The results from their paper look as follows. First of all, if you try to define a reasonable, or at least an intuitively good, notion of security in this model, what you obtain is an unachievable security notion. Then what you can do is obtain a compromise, so to switch to an almost classical security notion. This compromise works because you can show that it's achievable and it's strictly stronger than indistinguishability under chosen plaintext attack, which is the standard, let's say the minimal, security notion that you consider classically. The situation looks like this: on one end you have equivalent notions of
indistinguishability and semantic security for the classical world. On the quantum side you have a very strong notion that you cannot achieve, and in between somehow you have this almost classical indistinguishability notion.

So what we do, oops, what we do is we extend this framework and we complete the framework for analyzing the security of encryption schemes by defining a new security notion, quantum indistinguishability. We show that it's strictly stronger than the other previous notion, we show that it's achievable, and then we show equivalent notions of semantic security. Let's see how we do it.

So, indistinguishability. Indistinguishability is a security notion for encryption schemes where you have an adversary. The adversary produces two plaintexts of his choice. The two plaintexts are sent to a challenger, and the challenger selects one of the two plaintexts at random without telling the adversary, encrypts it, and sends back the encryption to the adversary. We call this the challenge phase. The goal of the adversary is to guess which one of the two plaintexts was encrypted. Clearly this is a classical notion, and it can also be extended to a stronger notion, which is called indistinguishability under chosen plaintext attack, where we give the adversary the possibility of performing one learning phase before and after the challenge phase. By learning phase I mean the adversary is allowed to query the encryption oracle a polynomial number of times, adaptively, on plaintexts of his choice.

So what Boneh and Zhandry did with this almost classical security notion is they extended the security notion to a quantum adversary, where the learning phase is now quantum, but the challenge phase is still classical. So why is this? First of all, they show that this notion is achievable, and
it's strictly stronger than the classical one. And you might wonder why, why can't you just do a quantum indistinguishability phase as well? Well, what happens is that if you try to do this in the most natural way, you obtain this notion, which is unachievable. It's unachievable because there is an attack which is completely independent of the encryption scheme that you consider, and it always allows the adversary to distinguish the encryptions of different superpositions. If you have questions, I can show you later about this. So, yeah, this notion is unachievable.

What we did instead is the following. We started from this consideration and we looked at the implicit assumptions that you have to make in order to define this unachievable notion, and then we said, okay, can we do something different? I mean, whenever we have to make a choice, can we do something different? By looking at all the options we span this tree of security definitions, and then we look at it. By choice I mean, I don't know, can we rule out some form of entanglement? How can we give additional constraints to the adversary? So the first thing we do is we cut off the tree; we cut off the branches which do not make sense, because some of these options are not compatible with each other. From what is left, we remove the notions which are still unachievable because of the same attack as for the fully quantum notion, and then, amongst the few candidates left, we pick the one which is more
targeted to our security model. I don't have time to go into the detail of how we do this, but very briefly, just to give you an idea, these are the main differences with the unachievable notion.

In the unachievable notion, whenever you have an encryption oracle, this is basically assumed to be a gate, like a quantum gate, embedded in the circuit of the adversary, and this models a scenario where the adversary has almost complete control of the encryption device, or in this case the target. In our case instead we look at this model: we consider the challenger as an external device, an external quantum circuit, and the adversary has some communication channel with this challenger, so he can query the challenger on some superposition of encryptions. This is more suited to, you know, a network scenario where the adversary wants to compromise some external target.

Another difference is the following. Usually what you might consider is: the adversary selects one quantum state of his choice, this state is sent to the challenger, and the challenger encrypts the state and sends it back. We consider something slightly different, where the adversary is not allowed to feed quantum states directly to the challenger, but is only allowed to select a classical description of a quantum state. Then this quantum state is going to be built by the challenger, encrypted, and sent back. What do I mean by classical description? It's nothing terrible. I don't mean that the adversary has to specify the amplitudes of the state; I only mean that the adversary specifies the quantum circuit producing the state. Why do we do this? The reason is that classically there is no difference between a message and a classical description of the message. In the quantum world
there is a huge difference, because in the former case, if you can directly feed the message to the challenger, you can entangle yourself with the state, and this is something which we consider a bit unreasonable in our scenario. But we can get rid of this; I will show you later.

The last thing is: usually when you consider encryption operations, this is what is done. This is the canonical way of evaluating a classical function as a unitary. You do it like this because this allows you to invert the operation even if the function is not invertible. But in our case we are not dealing with one-way functions or anything like that; we are dealing with encryptions, which by their own nature are reversible operations. So what you can do is this type of operation instead: you can simply encrypt the quantum register on the fly. Now this kind of operation is very well known and studied, and you might know them as minimal oracles. It is well known that they are very different from what we call type one; in particular, they are more powerful, because if you want to build a circuit computing the type two operation, you need the secret key. Despite this, we can show that in our model they are both acceptable.

So, keeping in mind these differences, we define our notion of quantum indistinguishability under quantum chosen plaintext attack. It is easy to see that it's at least as strong as the other achievable notions, but we can say more: we can say that it's strictly stronger. And how do we do this? Well, consider the following scheme. This is a very standard encryption scheme which uses a pseudorandom function to
generate a key for the one-time pad. Basically, it's the standard construction that you probably know from your textbooks, and Boneh and Zhandry showed that as long as the PRF is quantum secure, this scheme achieves their security notion. But what we can show is that this scheme is insecure according to our notion, and this is a consequence of a more general impossibility result that we give, which covers a much broader range of encryption schemes.

The impossibility result goes as follows. Whenever you consider an encryption scheme which works by, you know, taking the plaintext, encrypting it, and appending some randomness independent of the plaintext, we say that whatever is not independent of the plaintext is what we call the core function of the cipher, and we say that a scheme is quasi-length-preserving if this core function is a bijection. Basically, it means that the scheme does not meaningfully increase the size of the encryption with respect to the size of the plaintext. And there are a lot, I mean a lot, of examples which work like this. For example, I keep spoiling my slides, I'm sorry. For example, the Goldreich scheme, one-time pads, block ciphers in ECB mode, stream ciphers: all of them are of this form. And our impossibility result is: if you have a scheme which is quasi-length-preserving, then it cannot be secure according to our definition. Which is terrible, because then you might wonder, okay, what do you do with this security definition?
What's the problem here? The problem is that, you know, whenever you have an encryption procedure, this works by mapping plaintexts to the ciphertext space in an unpredictable way. But for a quasi-length-preserving scheme, this mapping is actually a permutation on a smaller subspace, which is somehow easy to identify. So what happens now? Yes, so you see, if you have one plaintext, this is mapped to a ciphertext in this smaller subspace, and therefore if you have a distribution of plaintexts, this is mapped to a distribution on the smaller ciphertext space, but keeping the amplitudes. And now you see the problem, because if this distribution becomes smoother, also the target distribution, as spread as it can be, gets smoother and smoother, until you arrive at, you know, the uniform distribution, and the uniform distribution is mapped to a uniform distribution of ciphertexts in the target space. What does it mean? It means that there are quantum states, quantum superpositions of messages, which are left unchanged by the encryption operation. This is a consequence of the fact that in the quantum world, if you want to encrypt one qubit, you need two bits of classical information. We have seen it at the talk by Yfke before: for the quantum one-time pad you need one bit for masking zero/one and one bit for masking plus/minus. So these states are easy to distinguish, and then it's clear that you cannot reach a satisfiable security argument if you have this problem. How do we overcome this problem?
Well, this is our solution. We consider an additional randomness space next to the plaintext space and we merge the two spaces together. At this point, what happens is that the mapping of the quasi-length-preserving scheme is broken, in the sense that now you don't have this easily identifiable subspace any more. In particular, now if you have a uniform distribution, a uniform superposition of plaintexts, this is mapped, this is spread, in a larger space in an unpredictable way depending on the randomness. So if you change the randomness, it's spread in a different way. You change the randomness again, it's spread in a different way.

What do we do with this? Well, we consider a family of quantum-resistant pseudorandom permutations. Then our encryption key is a permutation and its inverse, and when we want to encrypt a message, what we do is: first we append some randomness to the state, and then we encrypt. This construction is secure according to our definition. Of course it does not keep the size of the plaintext, but this is exactly what we need for achieving this level of security. And, yeah, the idea of the proof is to consider the mixture, the mixed state, coming out of the encryption.

Okay, so just to sum up, I'm just in time. This is the situation that we have now: we completed this framework for studying the security of classical encryption schemes in the quantum world. There is more. First of all, we show that the assumption of the classical description is not necessary; we can get rid of that, because all of our results basically hold even for arbitrary quantum states.
The only thing is that this classical description makes things a lot easier, and it's more reasonable in our scenario, where the adversary is not able to, to watermark somehow, the challenger. Next, we can extend our construction. Basically, we use our construction within some sort of randomized ECB mode of operation, so we can extend it to deal with messages of arbitrary size. So we are not restricted to, you know, one block, depending on the size of the permutation, but we can deal with arbitrary messages. And finally, some other interesting directions to look at: look at public-key encryption. Everything should work fine in theory, but better be careful, so we haven't really looked at that. CCA security: again, CCA1 should be trivial to extend; CCA2 is much trickier. And finally a patch, a general patch, to transform schemes secure according to the almost classical definition into schemes secure according to our definition. So this concludes my talk. Thank you very much, and if you have questions...
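As an added illustration (not code from the talk or the paper it presents), the following toy state-vector model walks through the impossibility argument for quasi-length-preserving schemes described above and the randomness-appending fix: a seeded random permutation stands in for the quantum-secure PRP, amplitudes are real, and the register sizes are my own choice.

```python
# Added toy model, not the speaker's code. A seeded random shuffle is a constructed
# stand-in for a keyed quantum-secure PRP; real amplitudes only.
import math
import random

def random_permutation(size, seed):
    """Keyed permutation stand-in: `seed` plays the role of the secret key."""
    perm = list(range(size))
    random.Random(seed).shuffle(perm)
    return perm

def uniform_state(size):
    """Uniform superposition (1/sqrt(size)) * sum_x |x> over `size` basis states."""
    return [1 / math.sqrt(size)] * size

def basis_state(size, x):
    """Computational basis state |x>."""
    return [1.0 if i == x else 0.0 for i in range(size)]

def minimal_oracle(perm, state):
    """'Type 2' oracle: |x> -> |perm[x]>, amplitudes carried along (perm must be a bijection)."""
    out = [0.0] * len(state)
    for x, amp in enumerate(state):
        out[perm[x]] += amp
    return out

def overlap(a, b):
    """|<a|b>|^2 for real unit vectors: probability that projecting b onto a succeeds."""
    return sum(x * y for x, y in zip(a, b)) ** 2

def fixed_point_test(n_bits, key_seed):
    """Impossibility argument: encrypt the uniform superposition and |0> under one key,
    then measure each ciphertext against the uniform state. Returns both probabilities."""
    size = 2 ** n_bits
    perm = random_permutation(size, key_seed)
    u = uniform_state(size)
    return (overlap(u, minimal_oracle(perm, u)),
            overlap(u, minimal_oracle(perm, basis_state(size, 0))))

def randomized_encrypt(n_bits, m_bits, key_seed, r, state):
    """The talk's fix: append challenger randomness r (m_bits wide) to the plaintext
    register, then permute the enlarged 2^(n_bits+m_bits)-dimensional space."""
    size = 2 ** (n_bits + m_bits)
    perm = random_permutation(size, key_seed)
    joint = [0.0] * size
    for x, amp in enumerate(state):
        joint[(x << m_bits) | r] = amp   # |x> tensor |r>
    return minimal_oracle(perm, joint)

def randomness_spread(n_bits, m_bits, key_seed, r1, r2):
    """Overlap of two encryptions of the same uniform plaintext superposition under the
    same key but different randomness: 0 means disjoint supports, spread differently."""
    u = uniform_state(2 ** n_bits)
    return overlap(randomized_encrypt(n_bits, m_bits, key_seed, r1, u),
                   randomized_encrypt(n_bits, m_bits, key_seed, r2, u))
```

With 4 plaintext bits the uniform superposition passes the fixed-point measurement with probability 1 under every key while a basis state passes with probability 1/16, which is the key-independent distinguisher; once randomness is appended, two encryptions of that same superposition have zero overlap whenever the randomness differs.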