 Thank you See So first I want to get a couple warnings out of the way I was apparently hungry when I made these slides So there's the occasional breakfast reference in the talk and also Despite the title having the word quantum in it twice I'm actually going to do my best to remove as much quantum Notation terminology as possible. So if you're hoping to get knee deep in Brachette notation, I'm sorry to disappoint Okay, so I Take it. We're all familiar with the random oracle model The the idea is that you have a crypto system that uses some hash function And maybe we don't know how to prove security using collision resistance so what we might do is pretend that the hash function is actually a truly random function and Allow the adversary to query the random function in addition to the the crypto system All right, so why is the random oracle model useful? Well to illustrate Why it might be useful? Think about how we would actually simulate the Oracle in the security proof Using we can do this essentially on the fly where every time the adversary makes a query we just Sample the output of the oracle for that input at that given point and leave all the parts that the adversary hasn't queried yet Undefined So what the result of this is that we get a database of input output pairs that the adversary sees and so this allows us By looking at this database We know what inputs the adversary cares about because they're just the inputs in the database We know the corresponding outputs because they're just in the other column of the database We can even do some clever things like adaptively program the outputs As we're as we're doing the simulation and we can also very easily analyze bad events such as You know whether the adversary is able to find a collision or not So so way back in 2011 we asked the question of what happens when we move to quantum so now We have a quantum adversary and in the real world the quantum adversary can interact with the hash function on Quantum inputs because the the adversary evaluates the hash function for themselves So in the random oracle model only makes sense to model the random oracle model it as as a as a function That's queryable on quantum inputs Okay, but here's the problem So so remember this classical on the fly simulation where every time the adversary makes a query We record that input and we write down the corresponding output suddenly this becomes much trickier in quantum and the reason has to do with Something that I'll just call the observer effect, which says that Whenever you learn something about a quantum system, you necessarily risk disturbing that system And now if we think about it the the random oracle is just answering these queries Obliviously the random oracle isn't trying to learn anything about the adversary so in our reduction if the reduction is trying to Learn anything about the adversary such as learn what the query points that the adversary is interested in it seems like The reduction is going to end up disturbing the adversary So you know basically The takeaway from this seems to be that the reduction actually has to answer obliviously to or else It's easily distinguishable from the random oracle All right, so so to get around this issue what you do is rather than use these on this on the fly simulation What you do instead is you handcraft some distribution on functions that Hopefully is indistinguishable from a random function But the point is that you fix it at the very beginning of the experiment and just obliviously use this function to answer the random oracle queries And this is this is the how typical proofs in the quantum random oracle model work But there's a number of limitations because we're answering obliviously We don't know the inputs that the adversary cares about we don't know the corresponding outputs You can do some sort of programming But it can't be adaptive because you had to do the programming at the very beginning of the experiment I mean it also becomes much much less obvious how to analyze bad events and basically you have to prove quantum query complexity lower bounds to do so Okay, but despite these limitations there have actually been a number of positive results But there's some major holdouts and the the the major holdout I want to talk about today and the one that I address in this work is Something called indifference domain extension Okay, so here's here's the the core question Consider a merkle dam guard and suppose that the the hash function that we're starting from is the the the the compression function is random oracle is The is the merkle dam guard construction obtained from this does it also look like a random oracle and It turns out that the answer is yes The way we the way this is shown is using something called indifference ability I won't really spend any time defining it But a indifference ability is basically a real world versus ideal world thing or in the real world you have You have the the compression function being a random oracle and the the big hash function being merkle dam guard and in the ideal world you have The big hash function being a random oracle and the little function being simulated and the adversary is trying to tell the difference Okay, and yeah, the indifference ability implies that Rant that's merkle dam guard is as good as a random oracle in a wide variety of settings Okay, so now moving to quantum Basically, we just give the adversary quantum access to everything and ask for Indistinguishability to hold Okay, but here's a problem So remember the clock the traditional random oracle model quantum random oracle model proof technique Fixes how it's going to answer queries at the very beginning and just fixes that once and for all In the context of indifference ability this basically corresponds to the simulator being stateless But it's actually a really easy theorem to show that stateless simulation is impossible for domain Extension and this holds classically quantumly whatever and the idea is basically a stateless simulator allows you to compress a truth table For the big hash function into a truth table for a little hash function because these truth tables are random You you get it a contradiction Okay, so this is the question Okay, so in this work we and we actually Perhaps surprisingly answer this question positively and say and show that actually we can do different in differential domain extension And the core technique is a new way to do on-the-fly simulation But for quantum random oracles Okay, so let's just jump right into the idea So the first step is we're going to take we're going to take this uniform distribution over function And we're going to do something called purification, which is really just the turning this Classical probability distribution into a quantum state. I won't really say what this is But it's some it's some weird quantum states such that if you try to actually peer inside it and measure it things are going to Basically, you're going to recover the uniform distribution going to destroy the quantum state and recover the Uniform distribution and so this purification process can be thought of as sort of the opposite of quantum measurements I do want to get a one little annoying Thing out of the way quantum computation is reversible and so we have to model our quantum queries as a reversible computation so the way we do this is the adversaries query actually contains an input and an output and The result of the query basically just XORs the query output into the value supplied by the adversary Okay, so why did Why did quantum of quantum of fine the random oracle model do something do anything useful? Well a consequence of the the wave particle duality is that we can basically interpret quantum states as signals And once we have a signal we can do Fourier analysis And I don't know if there's a name for this But there's this nice principle that I'll just call reciprocity which says that if a If you have two systems quantum systems and system a is acting on system B in the primal domain When you look at it in the Fourier domain when you do your Fourier analysis What you actually see that's happening is that system B is acting on system a and this this reciprocity has been used in a lot of places it was used in a lot of these old impossibility results for unconditionally secure quantum protocols and It was also it's also the idea behind this classical result that quantum authentication implies encryption and and Hopefully it's not too hard to see how this happens So if you know if you say if you had a quantum authentication scheme and it did not imply Encryption if you're actually able to learn something about the state well that means that's essentially saying that the Encryption is acting on your state because you're able to learn about it So when you look at the Fourier domain, it says that you you are actually acting on the quantum state therefore violating authentication Okay, and the proof of this is basically very simple Just basically using simple rules of Fourier transform where So system a acting on system B in the primal domain if we think of our Operations is linear basically corresponds to an upper triangular matrix being applied to the system and when we look at things in the Fourier domain Applying a linear transformation Turns out to be another linear transformation in the Fourier domain in the linear transformation is just the inverse transpose And when you inverse transfers an upper triangular matrix you get a lower triangular matrix Which corresponds to system B acting on system a All right, so what we're do what we're gonna do is we're gonna sort of turn things on their head we're going to look at the Fourier domain and If we actually sort of work out This transpose inverse what happens is something really interesting So the adversaries query again is this x y and the oracle state is this h hat And what happens is the initial oracle state is just zero corresponding to the fact that the Uniform distribution or the constant signal has all its mass in the Fourier domain on the or at the origin And the update procedure actually as expected by the reciprocity updates the oracle and it updates it in this interesting way Where basically we add to the oracle a point function that an input x outputs y and I'll put zero everywhere else Okay, so the once we have this the next idea is that Because our oracle is now just the sum of all these point functions right started out as zero and we're just every query We're adding a point function. We can actually compress it. So after q queries this function is non-zero at at most q points So all we have to do is just represent our oracle instead of the giant truth table. We just represented it as all the non-zero points Right, and so this is you know very simple to write down what the update procedure is for this compressed version of our oracle So it looks like we've made progress we have that the oracle state now is a database of input output pairs It's you know small and in fact the the inputs correspond to the adversaries queries The inputs are exactly the points that the adversary queried Or at least some subset thereof The problem is that the the outputs are these weird Fourier coefficients basically and they don't really correspond to Outputs of the oracle so all we do then is after we do this compression we revert back to the primal domain and Now things are looking pretty good The input still remains the points that the adversary queried and the output is approximately the Corresponding outputs of the oracle. There's a there's a caveat that I'll get to in a couple slides though and actually Remarkably if you if you work out the details of what the of the update procedure for this for these databases It's actually very similar to the the classical on the fly simulation The main difference is that occasionally we actually have to erase and the reason is if you if you sort of think about What's happening in the Fourier domain if you? You know query on the same point function twice The the effects will cancel and you'll actually remove a point from your database And this this also happens well after we revert back to the primal domain whereas classically you never forget anything All right, so I Called these things compressed oracles and they solve a lot of the problems that we had with the traditional Approaches for the quantum random oracle. It allows us to know what the inputs the adversary cares about They're just the x columns of our database. We know the corresponding outputs. There's the y columns this this So far this approach doesn't let you do any programming But actually later on in this session in some subsequent work where we actually do Show how to program and also it turns out you can easily analyze Bad events like collisions. It's much harder than classical still but easier than it was Okay, so what happened we had we had this argument that we had to do we had to do our Reduction having the fixing the oracle at the very beginning So how did we get around that and it turns out that the the core problem which was this observer effect actually also offers our solution so Intuitively what's happening is the adversary is actually learning about the the hash function h through its queries and So by quantum of buying the random oracle we see that by the observer effect one the adversary learns anything about the Oracle the adversary actually had to disturb the oracle So as the adversary is making queries he's necessarily affecting the the random oracle and the the compressed oracles basically offer a way to decode this disturbance Now there are caveats So because of the way we did the compression in the four if you call in the Fourier domain and for the compression We're only storing the points that are non-zero So for all the points in the database once we've reverted back to the primal domain. We've effectively removed the the constant Fourier coefficient and This causes some small error So the the y values aren't exactly the query outputs are close but not exact and then there's the Additional problem that examine if we actually took this database and we tried to examine it It's it's this funny quantum states and learning anything about it is going to disturb it and potentially mess up the whole system So we have to actually still be very careful about how we use this database but nonetheless This this technique is good enough for many applications. It turns out it gives you exactly the right just Coincidentally it seems exactly the right information needed to do simulation for quantum indifference ability of Merkel Damguard It turns out we can also reprove a lot of existing quantum lower bounds in a more unified and maybe direct approach and we also Show the CCa security of plain Fuji sake Okamoto There's been a number of Variants that have been proven secure, but we were able to show that the original scheme is secure And and since our since this work we've there've been a number of follow-up works showing many more applications So with that I'll conclude and just finish with the message that when working with quantum random oracles always purify your oracle Few minutes for questions. Please come to the microphone There's something which bothers me about the model you presented you say that when you are making a query You are modifying the oracle With that point function if you are querying the same point again, then it is cancelled Exactly, and if I'm going to query the oracle a third time will I get the original? Answers in the first and second or will I get a different one? I think the right answer is that the question is not really well-defined, but Maybe the the intuitive answer is no you actually won't aren't guaranteed to get the same answer but in order to actually If you think about querying twice At the end of that at the end of the second query you actually know nothing about the oracles So it's okay that the oracle answered differently, but in this sense. It's different than the classical model It is a random oracle. It is different or the the the model is the same. This is just in the proof Right in the proof. We're saying we're going to take the We're going to take the classical random probability distribution replace it with a quantum state and it has this property But the the original model still just has a random a random oracle that's fixed at the very beginning Thanks It's good to see you here, Addy One more question. Could you go back to the the follow-up work? Are there any particular applications that still remain? Not well addressed by the technique. I mean there's you know Many papers that have not yet been proven secure in the random oracle model I think for me the perhaps the most interesting open question right now is if you can Show that the random oracle model implies the ideal cipher model so basically extending the indifference ability to these constructions of ideal ciphers Any other questions? Let's thank mark again