Hi there. This talk is about a combinatorial approach to quantum random functions. I am Sihang, and this is joint work with Nico Döttling and Giulio Malavolta. Here is a brief overview of this talk. I'm going to start with the background of pseudorandom functions and the motivation of our work. Next, I will use an example to explain the challenge we encountered. Then, I will show you our results and the detailed construction step by step. At the end, I will finish this talk with a short summary.
So, basically, a pseudorandom function, or PRF, is a seemingly random function, which means that for a distinguisher running in polynomial time, it looks the same as a truly random function under black-box access. In other words, this pseudorandom function and the truly random function are indistinguishable for the efficient adversary. PRFs have a lot of applications, such as message authentication codes and symmetric encryption schemes. It's a fundamental building block in modern crypto assumptions.
What about PRF analogues in the quantum world? In general, there are two definitions. The first one is the post-quantum PRF, or, as some authors call it, the standard-secure PRF for quantum adversaries, which means that even though the adversary can do quantum computation locally, it can only send classical queries to its oracle. The second definition is the quantum-secure PRF, QPRF, which means the adversary or distinguisher can query via superpositions. Here, superpositions simply means you can query linear combinations of all your possible inputs.
Now, let's see what a QPRF can be used for. For instance, it can be used to build quantum money. Quantum money is backed by the no-cloning theorem, so it is impossible to forge. This is intrinsically ideal for banknotes. QPRFs can also be used to build pseudorandom quantum states and quantum-secure MACs. In this work, we focus on quantum-secure PRFs. Before us, Zhandry investigated this stuff heavily, especially in FOCS 2012 and CRYPTO 2012.
He gave an outstanding separation result, which shows that if secure PRFs exist, then there are post-quantum PRFs that are not QPRFs. Apart from this separation result, Zhandry also proved that many constructions of post-quantum PRFs are also quantum secure. But he used completely different analyses for each one. Those proofs are complicated and not tight. This motivated us to think about whether there is a generic construction for QPRFs with a simple analysis and an optimally tight proof. Our inspiration is from domain extension techniques.
However, the challenge came as follows. It is not trivial to extend the domain even for a truly random function. Here, we use a concrete example to show this challenge. Suppose we have a truly random function f mapping between two lambda-bit strings. We would like to extend it by using a random linear function or universal hash function h in this way: we compute f' as f(h(x)). This is statistically indistinguishable from a truly random function for a classical adversary with oracle access. However, Boneh and Lipton in BL95 suggested that one can find the period of a function efficiently via superposition queries. In this case, one can find the kernel of our linear function h, which makes this function f' distinguishable.
Anyway, let me first show our results in this work. We explored a different route to construct QPRFs, based on the framework of Döttling and Schröder in CRYPTO 2015, and have the following result. Given any post-quantum PRF with small domain, our construction can extend it to a full-fledged QPRF. The key ingredient is a highly unbalanced bipartite expander; I will explain this bipartite expander later. This crucially allows us to reduce the quantum hardness of our PRF to the classical hardness of a small-domain PRF. So this makes our analysis, or our proof, almost totally classical. Here's another result.
Our construction preserves the key-homomorphic property of the underlying PRF, thus we can give a quantum key-homomorphic PRF for free. Key-homomorphic PRFs were introduced by Boneh et al. So, in a nutshell, for a key-homomorphic PRF, the key space is a group and it holds for all x that PRF(k1 + k2, x) equals PRF(k1, x) + PRF(k2, x). Key-homomorphic PRFs have applications in the context of proxy re-encryption and related-key security. It gives rise to a very natural protocol for distributed PRFs.
Here's an outline of our construction. There are two steps. The first step is the domain extension step. In this part, we take a small-domain post-quantum PRF to build a q-bounded quantum PRF on a large domain. Here, q-bounded means that if a PRF is q-bounded, its security is only guaranteed for adversaries which can make at most q queries. The second step is called the combiner step, which combines a small number of bounded quantum PRFs which have the same domain.
Let's start with the second step, the combiner step. The key idea here is to set the bounds in an exponentially increasing way. Specifically, if F_q(x) is a q-bounded PRF, we combine them into a function F(x) by adding all of them together, from F_{2^1} to F_{2^t}. Here, t will be chosen slightly superlogarithmic in the security parameter lambda. We claim that if F_q(x) is a q-bounded QPRF as long as q is polynomial, then F(x) is an unbounded QPRF. The security derives from the following fact. For an efficient BQP distinguisher, there is an upper bound q' on the number of superposition queries it can make. Here, the upper bound q' can only be polynomially large. Thus, we are able to choose i' equal to log of q' to reduce the security of F to the i'-th bounded PRF F_{2^{i'}}. Now, let's go back to the first step, the domain extension step.
As mentioned, domain extension is somewhat challenging, and we also showed that statistical security against classical adversaries in this step is not sufficient. So, we need a perfectly secure domain extension step. If so, we can use Zhandry's lemma in FOCS 2012, which states that any classical 2q-uniform function is identically distributed to a uniform function from the view of a q-bounded quantum adversary. This directly gives us a q-bounded quantum PRF.
Here's a high-level description of our construction. Starting from a post-quantum PRF with small domain, we let it pass through an extender and a combiner to get the final quantum PRF. The extender part is the most important part. We notice that a perfectly secure domain extension can be achieved from a highly unbalanced expander. So, what's an unbalanced expander? As you can see from this figure, a bipartite expander is a bipartite graph whose set of left vertices can be superpolynomially large, whose set of right vertices is just polynomially large, and whose degree is polylogarithmic. Moreover, we require an additional property for this unbalanced bipartite expander. We call it q-unique. Basically, it means that for any subset of left vertices with size not larger than some bound q, there exists a vertex in the neighborhood of this subset connected to only one vertex in this subset, or in other words, this vertex only has one neighbor. A construction of such a q-unique expander is given in GUV09.
Now, we have all the tools prepared. Let's start with extending a random function to a q-uniform function first. Here, q-uniform means that for any pairwise distinct x_1 to x_q, G(x_1) to G(x_q) are independent and uniformly random. With this q-unique expander, for a random function defined on a small domain, we can extend it to a q-uniform function G defined on the large domain by adding all of these terms together. So, why does it work?
By the q-unique property of this expander, for any subset, there exists a vertex v' having a unique neighbor x_{i'}. Thus, there is an index j' such that the term f(Γ(x_{i'}, j')) only appears once: it only appears in G(x_{i'}), but in no other G(x_i). Given that this term is uniformly random and independent of the other G(x_i), G(x_{i'}) is also uniformly random and independent of the other G(x_i) terms. Therefore, we can recursively repeat this to show that every G(x_i) is uniformly random and independent.
Then, we replace the truly random function with a small-domain PRF and choose q equal to 2q. We claim that if this small-domain PRF is post-quantum, then it holds that F(x) is indistinguishable from the 2q-uniform function G(x) for any q-bounded BQP distinguisher. Finally, by using Zhandry's lemma, we are done. We will get a q-bounded QPRF.
We only need to show that F and G(x) are indistinguishable. Suppose there's a q-bounded BQP adversary A that can distinguish between F and G(x). We will show that another adversary A' can break the post-quantum security of the underlying PRF. Let the adversary A' classically query the oracle to build its function table. Because the underlying function is defined on the small domain, the adversary A' can do this efficiently. Then, A' locally computes the quantum circuit corresponding to this function table. Now, we let A' give the adversary A superposition access to a simulated oracle O' and output whatever the adversary A outputs. Clearly, if A can distinguish F and G(x), then A' can also distinguish the PRF from a truly random function with the same advantage.
To summarize, we showed a generic and simple construction in this work, which does not need to go through the GGM construction, and our analysis is almost classical with an optimally tight proof. That's all. Thanks for watching this video.
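The extension step described in the talk, as an added example that is not part of the talk or the authors' code: it checks exhaustively that a small graph is 2-unique and that the extended function G is 2-uniform, and that both properties fail at q = 3. Assumptions: the toy graph is constructed here (it is not the GUV09 expander), outputs are single bits, and XOR stands in for the group addition.

```python
from itertools import combinations, product

# Constructed toy graph (not the GUV09 expander): the left vertices are the
# 2-element subsets of the right vertex set R = {0..5}; each left vertex x
# is adjacent to its own two elements, so 15 inputs map onto 6 table cells.
R = range(6)
LEFT = list(combinations(R, 2))

def neighbors(x):
    return x                                  # Gamma(x, j) = x[j]

def is_q_unique(q):
    """Every nonempty set S of at most q left vertices has a right vertex
    with exactly one neighbor inside S."""
    for size in range(1, q + 1):
        for S in combinations(LEFT, size):
            counts = [sum(v in neighbors(x) for x in S) for v in R]
            if 1 not in counts:
                return False
    return True

def G(f, x):
    """Extended function: XOR of the table f (R -> {0,1}) over Gamma(x, .)."""
    out = 0
    for v in neighbors(x):
        out ^= f[v]
    return out

def is_q_uniform(q):
    """Exhaustive check over all 2^6 tables f: for every q distinct inputs,
    the output tuple hits each value in {0,1}^q equally often."""
    tables = list(product((0, 1), repeat=len(R)))
    for xs in combinations(LEFT, q):
        hist = {}
        for f in tables:
            key = tuple(G(f, x) for x in xs)
            hist[key] = hist.get(key, 0) + 1
        if len(hist) != 2 ** q or len(set(hist.values())) != 1:
            return False
    return True

if __name__ == "__main__":
    for q in (1, 2, 3):
        print(f"q={q}: unique={is_q_unique(q)} uniform={is_q_uniform(q)}")
```

The q = 3 failure comes from a triangle such as (0,1), (0,2), (1,2): no right vertex has a unique neighbor in it, and the three G values always XOR to zero.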