Thank you. So this is joint work that I've done with Frédéric Dupuis, who is here this week, Serge Fehr from the Netherlands, and Louis Salvail, my supervisor in Montreal. So we're talking about adaptive and non-adaptive strategies. Let me just define that on the first slide. So forget everything you know about adaptivity in cryptography. This is the only definition that you're going to have to work with for the rest of my slides. So we say that an adversary in general is adaptive if it has access to some side information that's correlated in some way to the honest participants, so we're gonna have of course classical and quantum side information, and we say that the adversary is non-adaptive if it has no access to such side information.

So I'm gonna introduce what I mean by side information with a simple example. So you have two players, Alice and Bob, and Alice plays the part of the adversary, and they're gonna share two random variables. This is the classical case of adaptivity, so they share random variables X and Y, so you can think of Y as either the whole memory of the honest participant or some value that he wants to keep secret, and the correlation between X and Y classically is described by a joint probability distribution over their possible values. So you can think of these values as being generated by a previous protocol, being given by a third party, or anything.

And they play a game where the goal is for Alice to produce a j that will determine some function that Bob will apply on his value, and Bob will either output pass or fail, and the goal of Alice is to compute a function of her side information that will make Bob output pass. And for some fixed distribution and a set of functions h_j, we're gonna define the adaptive success probability, which is the case where Alice has access to classical side information, and she's just gonna maximize over all classical functions, that maximizes her probability of passing the test, and
the non-adaptive case is where Alice does not have access to j, so her best strategy is just... sorry, where Alice has no access to X. So her best strategy is just to choose a j that will maximize her probability.

So classically you can very easily control what advantage you get by having side information, because a possible non-adaptive strategy is just to guess the value of the side information and apply the corresponding adaptive attack. So you get: the non-adaptive success probability is at least the probability of guessing the side information, this is two to the power of minus n if you have n bits of side information, times the probability of success of the corresponding adaptive attack. And if you rearrange those terms you get what we call an adaptive versus non-adaptive relation, which upper bounds the adaptive success probability in terms of the non-adaptive success probability. So this is an exponential blow-up that we have to pay, but it gives a non-trivial bound as long as you can control the size of the side information and the success probability for non-adaptive adversaries.

Right, so our goal is to have something similar in the quantum setting. So we're gonna look at the quantum version of our game. So in the quantum version of our game you have Alice and Bob also; Alice is the adversary and she holds quantum side information that we denote A, and the honest participant Bob has some quantum state B that is entangled with A, and this correlation, this entanglement, is described by the joint state of Alice and Bob. So now the goal is the same: Alice wants to produce j such that Bob now performs a measurement that is specified by j, which is either pass or fail, and adaptive Alice will maximize over all measurements on her state that will produce this output j by using her quantum side information, and... sorry, so the non-adaptive success probability is the same. So she just chooses the j that maximizes the probability that Bob's outcome will pass. But now quantum adaptivity is much
more difficult to analyze because, well, because of the specifics of quantum information: when Alice performs some measurement and gets some output j, this has an effect on Bob's register if they are entangled, so Bob's state will collapse to some state that is unknown to him but that may be known to the adversary, and that may give the adversary some advantage in order to cheat a scheme, or in this case to pass the test.

So we'd like to have an adaptive versus non-adaptive relation for quantum information as well, but there is no direct translation of the last argument that we had, because it doesn't make sense to guess quantum side information. So we can use the following analogy. Well, what we did pretty much in the classical case is we replaced the side information X with a uniform random guess. So now you can take the joint probability mass function of X and Y and you can trivially upper bound it by two to the power of n, probability of guessing X times probability of getting Y, and if you replace this mass function in the definition of the adaptive success probability, then this gets upper bounded by the same thing when we replace that by the right-hand side, and this gets you the non-adaptive success probability. So we can rearrange our argument this way.

And now this has the closest quantum analog, so you can replace Alice's state with the completely uniform state, which is the state on which she has maximum uncertainty. Then you can show that the joint state of Alice and Bob is upper bounded by this uniform state tensor Bob's state by paying some price of two to the power of two n. And so now we see that Alice and Bob are completely uncorrelated, and I have to take a moment to explain this inequality, because on the left-hand side we have real numbers and on the right-hand side we have matrices. So this is, for people that are familiar with it,
it's the partial order on complex matrices that's induced by positive semidefinite matrices, but the only thing that we need to know for the purpose of this talk is that if you feed ρ to some measurement apparatus, then the probability that you get outcome x is upper bounded by the probability that you get the same outcome by feeding σ instead. So now, since the adaptive success probability is the probability of some outcome on a measurement on ρ_AB, then you get that the adaptive success probability is upper bounded by this factor times the same measurement on the right-hand side, but since it's completely uncorrelated, this is a non-adaptive attack.

All right, so we got some sort of quantum A versus NA relation, but we have an additional factor two that is unfortunate, and the question is can we get rid of it, and in fact we can, but this, because this holds very generally, but it's tight. There are some states ρ_AB for which the smallest constant, the smallest factor that you can choose, is this one. And I forgot to mention, n is the number of qubits that Alice holds.

So our main result is that we can get rid of this factor two, and we can even improve on that if we consider, sorry, if we consider just the game that I described, and for this particular game, for any state that Alice and Bob receive and for any measurement on Bob's part, then we recover the adaptive versus non-adaptive relation.
So having access to n qubits can only increase Alice's success probability by two to the power of n. In fact, we can show something a little bit better. We can show that it's upper bounded by two to the power of lambda times the adaptive success probability, where lambda has a pretty complex definition, but it's pretty much the minimum, the minimal amount that we have to pay in order to uncorrelate the measurement result of Alice and Bob's register.

All right, so this gives us a very powerful relation to analyze quantum cryptographic schemes, because we can reduce the adaptive attacks to the non-adaptive attacks that are much easier to analyze. So we'll demonstrate that by showing two applications of our result. So the first one is to show that the primitive one-bit cut-and-choose is universal. So I'll introduce this cryptographic primitive. So generally, in m-bit cut-and-choose, you have an input x on Alice's side that has size m; on Bob's side you have an input c. Alice just gets Bob's input, and Bob will get Alice's input if c is equal to 1, and if c is equal to 0 he gets nothing. So at first glance, it's really not clear that this primitive is useful for anything. And in fact in a classical world, you have an infinite hierarchy of cut-and-choose that are specified by the input length, in which every member is strictly weaker than the one after it. So 2CC can be used to implement 1CC, but 1CC cannot implement 2CC, for example.

However, in the quantum world things change quite dramatically, so you have a very nice paper by Serge Fehr, Jonathan Katz and others in 2013 that says that in quantum two-party cryptography almost every two-party primitive is either trivial, which means that it can be implemented by a quantum protocol, or universal, so it can be used as a black box in a quantum protocol to implement any two-party task, or can implement an XOR, which is equivalent to just swapping the inputs of the respective parties, and
yeah, so I say almost in parentheses because they were able to show that the infinite classical hierarchy collapses to the synchrony level, but they were unable to show to which of the three categories 1CC belongs. And so we show in our paper that 1CC is universal for two-party cryptography, and the proof is pretty complicated because the paper concerns quantum universally composable security, which is a very strong notion of security. And so I'm just gonna sketch the proof for a much simpler notion of security, but you'll still get all the intuition of where the cryptographic power of 1CC comes from within a quantum protocol.

So briefly, the proof idea is that we use 1CC as a black box in a quantum protocol to implement bit commitment. It has been known for quite some time that bit commitment can be used as a black box in a quantum protocol to implement OT, and OT is complete for two-party cryptography, so we're gonna show how we can implement this implication. So for people who are not familiar with it, bit commitment is a primitive where the sender, you can imagine it as a safe, so the sender puts a bit in a safe, keeps the key, sends the safe, and then after some time, if he wants to reveal the bit, he just sends the key and the receiver can open the safe.
So our bit commitment protocol, I'm just gonna briefly sketch what we can consider as a preparation phase. So Alice is gonna choose a random string theta and she's gonna send to Bob a quantum state that is specified by the B92 encoding specified by theta. And this B92 encoding, so for a specific bit of theta, if this bit is zero she sends the zero computational basis state, and if this bit is one she sends an equal superposition of zero and one. And so we denote the state that Bob received by ρ_B, and since Bob doesn't know theta he has uncertainty about the state that he has received.

All right, so afterwards we're gonna use the 1CC primitive. So Alice is gonna input the first bit of theta in the 1CC primitive. Bob is gonna choose at random if he wants to see this theta or not. So he's gonna want to look at some of the positions and still have some uncertainty about the others. So Alice will see if Bob has checked this position or not, and then if Bob did choose to open the cut-and-choose, he will get theta, which then allows him to verify that the state of his first qubit is the right state that she was supposed to send. So they repeat this for every position, and effectively what this step does is what is called quantum sampling. So quantum sampling is a very nice result by Serge Fehr and Niek Bouman, and they say that you can observe random positions of a quantum state and from the measurement result of those positions
you can infer something about the rest of the state. All right, so this is quantum sampling, so the c's specify a sampling of the positions that Bob will observe. So Alice knows which positions were observed and which were not, so they can both agree on the positions that remain, on which there is still uncertainty, and what quantum sampling says is that after this step the joint state of Alice and Bob is close to this. So if Alice was dishonest and wanted to stay entangled with Bob's state, then she could only be entangled with some error. So on Bob's side you have almost the right state that Alice was supposed to send plus some error vector, some error pattern, and Alice is only entangled with those patterns. And since the number of errors is a parameter of the sampling, we can control the amount of entanglement that Alice holds, and it's not too hard to show that the two to the power of lambda factor in our main result is upper bounded by the number of possible error patterns. And so this yields an easy proof, because from this we can construct a bit commitment scheme that is secure against non-adaptive adversaries, and then we just apply our main result with this bound on the size of the side information and we can show security very easily using our A versus NA relation. All right.
So this is it for the first application. The second application of our main result concerns the security of the BCJL bit commitment scheme, which I will introduce just now. So, historic perspective of quantum bit commitment schemes. The BCJL bit commitment, I'm spoiling ahead, the BCJL bit commitment scheme was proposed in 93, around 1993, by Brassard, Crépeau, Jozsa and Langlois as an unconditionally secure quantum bit commitment, and of course back then this was still thought to be possible, but now as most of you probably know, quantum mechanics alone does not allow to implement bit commitment, as was shown independently by Mayers and Lo and Chau.

And you have to wait quite a few years before there start to appear new proposals for quantum bit commitment that rely only on realistic physical assumptions, so you have Damgård, Fehr, Salvail and Schaffner that proposed in 2005 a bit commitment scheme that is secure under the assumption that the adversary can only store a limited amount of qubits. And again some years later you have a different physical assumption. This one is the noisy storage model, so it was introduced by König, Wehner and Wullschleger, and their assumption basically is that the adversary cannot reliably store a lot of information, so there will be some noise model applied to its memory before it tries to access it. So we have those two schemes with physical assumptions that implement bit commitment, but the techniques involved do not apply to BCJL, and I will elaborate on that in just one slide. So the security of the BCJL scheme was never revisited since it was proposed in 93.
So now we're gonna look at the differences between those schemes and BCJL which make it hard to analyze. So for the bounded storage and noisy storage schemes, it's the receiver's memory that is either bounded or noisy, so the receiver of the quantum information has a bound on its memory, and what this does is that you have knowledge over the state that the adversary holds because it's prepared by the honest participant. So this allows you to use uncertainty relations to lower bound the uncertainty that the adversary has on its measurement outcome when measuring the state.

And so these techniques don't seem to apply easily to the BCJL scheme for the following reason: in the BCJL scheme, it's the sender of quantum information that has more power. So it's the sender's memory that needs to be bounded. This means that the adversary can prepare an arbitrary state, we have absolutely no control over it, and so you cannot apply, at least not directly, uncertainty relations, and it's difficult to see whether you could at all. But with our adaptive versus non-adaptive relation, as long as we have some control over the memory of the adversary and we know how to prove the scheme secure in the non-adaptive setting, then we can show that the scheme is secure, and this is what we do. So we need the following assumptions.
So we have to have some bound on the adversary's memory, which is characterized by lambda, the parameter from our main result. So we need an upper bound on lambda, and in the bounded storage model this is readily available because we have upper bounded lambda by the number of qubits that the adversary can store. But we still don't know how to do it in the noisy storage model, and we would like to do that in the future.

All right, and the second assumption that we need is that the adversary can only perform projective measurements. So this is usually a pretty strong assumption, but since we already bound the adversary's quantum capabilities, it's somehow mitigated, and actually this assumption is because of our proof technique and we don't believe that we need it at all, but we were unable to get rid of it.

All right, and what we show is that if a scheme that we call non-interactive, I'll go back on this in a second, is epsilon-binding against non-adaptive adversaries, then it is binding against adaptive adversaries that satisfy those two assumptions, with a corresponding loss in the security parameter. And our theorem applies generally to non-interactive schemes. A scheme is non-interactive if all the information goes from the committer to the verifier, so from the sender to the receiver.
You only have one-way communication, and the BCJL scheme satisfies this criterion. So our theorem applies to the BCJL scheme, and of course the BCJL scheme is easy to show secure for non-adaptive adversaries, so from this we get a security result for adaptive adversaries.

All right, so just to conclude, the main takeaway is that quantum adaptivity is really hard to analyze compared to classical adaptivity as we have defined it, and we then show how we can reduce quantum adaptive attacks to quantum non-adaptive attacks, which are much easier to analyze, and we apply this result to solve the main questions of this paper and obtain the first security result on the BCJL scheme. Thank you.
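
Added example, not part of the talk: a numerical check of the classical adaptive versus non-adaptive relation from the start of the talk, where guessing n bits of side information and running the adaptive attack gives 2^-n · P_A ≤ P_NA. The function names and both sample instances are constructed for illustration; the perfectly correlated instance shows the 2^n factor is tight in the classical game.

```python
import random

def pass_prob(weights, h):
    # Probability that Bob's test h (a 0/1 vector indexed by y) outputs "pass"
    # when his value y carries the given weights.
    return sum(p * h[y] for y, p in enumerate(weights))

def marginal_y(p_xy):
    return [sum(col) for col in zip(*p_xy)]

def adaptive_success(p_xy, tests):
    # Alice sees x, so the maximum over functions x -> j splits into an
    # independent best choice of j for every x.
    return sum(max(pass_prob(row, h) for h in tests) for row in p_xy)

def non_adaptive_success(p_xy, tests):
    # Without x, Alice commits to the single j that is best on average.
    p_y = marginal_y(p_xy)
    return max(pass_prob(p_y, h) for h in tests)

def guess_then_attack_success(p_xy, tests):
    # Non-adaptive strategy from the talk: guess x uniformly, then output the
    # j that the optimal adaptive attack would have chosen for that guess.
    p_y = marginal_y(p_xy)
    chosen = [max(tests, key=lambda h: pass_prob(row, h)) for row in p_xy]
    return sum(pass_prob(p_y, h) for h in chosen) / len(p_xy)

def perfectly_correlated(n_bits):
    # Constructed instance: X = Y uniform on n bits, test j passes iff y == j.
    size = 2 ** n_bits
    p_xy = [[1 / size if x == y else 0.0 for y in range(size)]
            for x in range(size)]
    tests = [[1 if y == j else 0 for y in range(size)] for j in range(size)]
    return p_xy, tests

def random_instance(n_bits, n_y, n_tests, seed):
    # Constructed instance: random joint distribution and random 0/1 tests.
    rng = random.Random(seed)
    raw = [[rng.random() for _ in range(n_y)] for _ in range(2 ** n_bits)]
    total = sum(map(sum, raw))
    p_xy = [[v / total for v in row] for row in raw]
    tests = [[rng.randint(0, 1) for _ in range(n_y)] for _ in range(n_tests)]
    return p_xy, tests

if __name__ == "__main__":
    for name, (p_xy, tests) in [("correlated", perfectly_correlated(3)),
                                ("random", random_instance(3, 6, 5, seed=1))]:
        p_a = adaptive_success(p_xy, tests)
        p_na = non_adaptive_success(p_xy, tests)
        g = guess_then_attack_success(p_xy, tests)
        print(f"{name}: P_A={p_a:.4f} P_NA={p_na:.4f} guess={g:.4f} "
              f"2^n*P_NA={len(p_xy) * p_na:.4f}")
```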