 Okay, all right. Hello everyone. Welcome to the session on information theoretic cryptography. I suppose this is the session on quantum information theoretic cryptography. So we have two exciting talks today and I guess as a quick reminder, so this is now Cosmos 1 and 2. Cosmos 2 is Cosmos, well, yeah Cosmos 3 is hosting what's formerly Cosmos 3 and then Cosmos 3 is closed. So yeah, this is the correct room for information theoretic security. Okay, so the first talk today is online extractability in the quantum random oracle model. This is work by Yelly Don, Serge Fair, Christian Mayans, and Christian Schaffner and Yelly will give the talk. Thank you for the introduction. Yes, indeed, online extractability. To get on the same page, let's first do a quick recap of what extraction is and where we find it in cryptography. We find it in a context where some algorithm A sends messages that depend on some secret S and in an honest execution, S indeed remains secret, but there exists an extractor algorithm that given some kind of enhanced access to the algorithm. I'll explain later on a bit more what this enhanced access is, can then recover the secret S. Some examples, probably the most well-known example is that of zero-knowledge proofs of knowledge, like the Sigma protocol that you see here. It's a three-round interactive scheme that allows some proof or Alice to prove her knowledge of a secret witness W for an NP relation to the verifier Bob. And indeed the zero-knowledge property ensures that the witness remains W, yet the very definition of a proof of knowledge requires the existence of such an extractor that by interacting with Alice can recover the secret witness W. Another obvious example is, of course, extractable commitments. Perhaps a bit less obvious is the use of extractors in improving CCA security. They come into play in simulating the decryption oracle, which the reduction needs to do in such a proof. Namely, for every query that the adversary makes to the decryption oracle, this ciphertext has to be, sorry, the corresponding plain text to that ciphertext has to be extracted somehow without using the secret key. So we need an extractor for that as well. Then there are different kinds of extraction. Two important properties for extractability are a so-called straight line extractor, which means that the extractor only leads to run the adversary once instead of rewinding it, going back and forth, executing it multiple times. And indeed the straight line extraction is the preferable option because usually it leads to a better loss factor since, well, we don't need to rely on the adversary succeeding multiple times and also better run time. I guess that's self-evident. Another important property is on-the-fly. So whether the extraction happens during an execution or only after the adversary has produced this final output. In particular, if we want an on-the-fly extractor, it's important that the extraction that we do does not disturb the view of the adversary since we wanted to be able to still continue and produce the same output as before. And this is indeed the kind of extraction that we need in this example of proving CCA security. Then if a particle allows for an extractor that satisfies both these properties, we call it online extractable. Okay, so a bit more about this enhanced access. Again, a few different flavors. I've already mentioned rewinding. That's something you often find in proofs of knowledge or improving the zero-knowledge property. Another one example of enhanced access that we can give to the extractor is giving it some trapdoor information. This one you find often in, for example, extractable commitments. And then there's the random oracle model for particles that have some application of a hash function that we can then model as an idealized random oracle, which the adversary has to query. And therefore, we can give the extractor read access to the queries that the algorithm makes. And it's also allowed to reprogram the random oracle. This method for extraction, we can use in, for example, hash-based commitments, commit an open protocol. So also talk about a bit more later on. And again, this CCA security example. And indeed, this is the kind of extraction that we are interested in in this work, because, of course, we want to ask the question, can we do the same in the quantum random oracle model? To answer the question, let's first look at a simple example of extraction in the classical random oracle model. A hash-based commitment, that means that some algorithm can commit to a secret S by evaluating the random oracle on an input X, where X consists of this secret concatenated with some random string. And then with this read access that we allow the extractor to the algorithm's queries, we can do the following method for extraction. Very simple. The algorithm just writes down every query in a so-called query transcript. And then after this commitment C has been output by the algorithm, the extractor can just look through this query transcript. And then, at least intuitively, if the adversary is able to open the commitment, then there must be some X prime in the transcript that evaluates to C, because otherwise he wouldn't know the right pre-image. And if he can further open it to reveal the secret S, then also this X prime must be equal to the X that he will output later in opening to the secret. So that's all pretty straightforward. But then we go to the quantum setting, and then things kind of break down. Because in the quantum random oracle model, the algorithm is allowed to make superposition queries to the oracle. And in particular, because of something called the no cloning theorem, which says that an unknown quantum state cannot be copied, it's no longer possible to just write down every query that the algorithm makes. So there no longer exists such a thing as a query transcript. However, in 2019, Mark Zandri introduced a compressed oracle technique, which in a sense is meant to overcome this very problem. What it does, it gives a method to simulate the random oracle in such a way that we get access to an internal quantum state of the simulator. That does contain some information on the interaction that has taken place between the algorithm and the simulator. It's not the case that this quantum state now functions as a quantum version of a query transcript, or we can just look up all the queries that the algorithm made because that's what I already explained. That's not possible. I like to think of it more as the queries of the algorithm leaving some kind of footprint in this quantum state that we can then investigate to deduce at least some information on what the algorithm has and has not learned about the values of the oracle. But in order to do so, we have to measure this quantum state. As you may know, in general, measuring a quantum state can disturb the state, which is something we want to avoid for our online extractability purposes, because again, we want to be able to continue the run of the adversary after doing the extraction. In particular, due to this interaction that has happened between the algorithm and the simulator, their internal states have become entangled, which means that disturbing the oracle state may in turn also disturb the view of the adversary. That's also the reason that this compressed oracle technique so far in previous literature has mostly been used in cases where it's okay to do the measurement only at the very end of the run. There have been some cases where it was applied on the fly, but then it was either with some measurement that had a deterministic outcome, which means that the measurement does not disturb the quantum state, or it was just acceptable to have some polynomial loss, which again, in our case, is not acceptable because we need to not disturb the view of the adversary at all. So that has been indeed the technical core of our result to try to bound the disturbance of some suitable extraction measurement. And we do so by bounding the norm of a certain commutator, namely, of that measurement and a unitary O, which describes the evolution of the compressed oracle for a single query, for a single call to the oracle. And we have a bound that is negligible in the output size of the oracle, which means that, at least in the analysis, we are free to move this measurement around. So the extraction actually does the measurement at one time, but then in analyzing the behavior of the adversary, we are free to just commute it with all the oracle queries. And since the measurement is only on the site of the oracle, it also commutes with the local computation that the adversary does. So we can just push it towards the end. And then, of course, introducing a measurement at the end does not affect the view of the adversary because he's done, gone home. And we can conclude that the adversary does not notice our measurement. That then, in turn, allows us to present our main result. We apply this technical lemma to show the existence of a simulator that simulates the random oracle. So it has both a random oracle interface and a Disney, some extraction interface, such that for every bounded query algorithm A, we have the following picture. A is allowed to query this random oracle interface. Then at some point, put a commitment C on the table, continue to run, do more queries. But as soon as the C has been output, the reduction can then enter it, query it to this extraction interface. And the simulator will do some internal quantum measurement, produce a guess x prime for guessing what's inside the commitment. And then our theorem gives the following promise. If at some later point, the adversary outputs x, which is promised to be the opening for the commitment C, then with high probability, either this x is equal to our guess x prime, or else x is not an opening to C at all. So indeed, we see that we managed to preserve the intuition that we had in the classical random oracle. Now, this is in fact just a simple example for the purpose of the current talk. I always thought this slightly more general. Namely, we proved that this extraction method works for any function, any arbitrary fixed function f, where if the adversary outputs some value t with the promise that it's the result of applying f to x and h of x. And additionally, this function has the property that for every x and t, there are not too many y's, such as f maps x and y to this particular t. Then again, intuitively, this f has a similar kind of binding property as this original commitment example. And so our extraction method works here as well. That's the main theme of our work. We go on to apply it in two additional use cases. The first one being these commit and open protocols. It's a particular kind of subclass of sigma particles, where the first method consists of a number of hash based commitments. And then the random challenge by the verifier just asked to open a random subset of those. For this class of sigma particles, we can now show tight online extractability. And in particular, we don't need special properties, like collapsing us or unique responses that previous techniques required to do the extraction. And also, these previous techniques incur the loss, I should say, at least the cubic loss, because in fact, it's the success probability of the adversary with an exponent 2k plus 1 for k special sound protocols, so cubic for two special sound protocols. And our reduction, as I said, is tight, so we have no loss at all. These CNO protocols, they are used in the popular MPC in the head paradigm. One example of which is the candidate picnic in the ever ongoing NIST competition. So there's a caveat that our current result actually applies to the just the interactive protocol that underlies the signature scheme. Picnic uses the Fiat Shamir transformed, so non interactive version for which the current work is not sufficient. But we do have a follow up work, appearing at this year's crypto, where we can also for this non interactive version, prove tight online extractability. And then the other application that we give in the paper is to the Fujisaki Okamoto transform. We have the first complete post quantum security proof of the so called textbook F.O. transform. There have been many many papers on post quantum Fujisaki Okamoto. But they all up to now had to introduce some alteration, some addition to the original transform in order for the for the proof to go through, such as the session key being derived as H of M and C instead of just M. There was this additional key confirmation has which also increased the size of the ciphertext. And furthermore, our reduction works with explicit rejection, as well as implicit rejection. And again, this F.O. transform also features primarily in the miscompetition on the campsite. So summarizing, we are now able to lift a powerful extraction method from the classical random oracle model to the quantum random oracle model, which works straight line and on the fly. We use it to give a tight reduction of commit and open protocols in the QROM and a post quantum analysis of textbook F.O. And I guess the main message of this talk should be the next time you run into an adversary that outputs some T with the promise that you can output X such that F of X and H of X equals T. Give us a call and we can extract it online. Thank you. All right. Thanks for the talk. We have time for a few questions. As a reminder, if you have a question, please come to the microphone. So people attending on Zoom can hear you. Right, like there is no general quantum. All applications is only for some specific applications like commitment and then put it back your commotto. So maybe two questions, like, do you think that there is any hope of like some construction that emulates an oracle that would be useful, you know, that could be used generically for whatever application, like through, let's say, Feistel transform or something of the sort. And that's one question. And is it rather like a common usage of random oracles for Fiat Shamir, non-interactive knowledge proofs? So did you look at that application or do you know if other people did or what do you think the hopefulness of that being quantum secure? Yeah. So the first question, the current technique, it works in any situation where there is some form of commitment, even this generalized form that I showed with the function F. So I think in that sense, we do achieve more or less the same as can be done in the classical random oracle, whenever the classical run proof requires us to look at the transcript to extract some pre-image. Of course, that doesn't cover like all classical random oracle model proofs, but at least those where there is such a hash-based commitment present. And the second question for Fiat Shamir, yes, there are previous works that prove security of Fiat Shamir in the QROM, albeit at a loss quadratic in the number of queries that the adversary makes. And furthermore, in this follow-up work that we have, that's also about non-interactive Fiat Shamir transformed version of the CNL protocols. And there we can actually prove a tight security reduction, so without the square loss in the number of queries. All right. Any other questions? Okay. Question. With this technique, can you also program the random oracle? With this technique, no, it doesn't really... No, no, so you don't need for the result, but my question was more, can you apply the result if, I don't know, in another scenario where you need to program the oracle? You mean whether it's sort of compatible with the situation where you have to reprogram? Well, yeah, we show that our extraction measurement, it does disturb the state of the oracle, but not the view of the adversary. So in that sense, I think that it wouldn't sort of interfere with some other reprogramming techniques. So my guess is yes. Okay, thank you. All right, I guess I had one question on my own. So you had this general condition for this function f, which I guess introduces some constraints which allows for online extraction. I was curious whether f has to be completely independent of the random oracle or can f in some ways depend on the random oracle. So I'm thinking, for example, of a case where maybe we have h of x and we want to extract the original preimage. Right. Yeah, at least in our theorem, it has to be an arbitrary fixed function, so not depend on h. Yeah, I guess intuitively, as long as there is this sort of binding quality, that that's what what matters that that if you see some T, then it's very hard to, sorry, if you see some T that has been produced by evaluating f on x and h of x, then it should be really hard to find a different x prime that also, together with h of x prime maps to the same T. That's sort of the important quality. So as long as that is guaranteed, the result should still go through. Okay, thanks. All right. Looks like there's no more questions. So let's thank the speaker and