So yeah, so this is joint work with Sumegha Garg and Mark Zhandry. So the main question that we're going to focus on in this talk is: what sorts of security notions can we expect for message authentication in a world with quantum adversaries? So we know that once quantum computers come online, we expect to see adversaries with enhanced computational capabilities, such as the ability to factor. But in addition to that, these quantum adversaries will be able to access and interact with cryptographic protocols in a quantum manner, something fundamentally different. And we would like to understand what it even means to be secure in such a setting. So in this work, we're going to explore, quote unquote, best possible notions of security, or at least attempt to get best possible notions of security. And we're going to give constructions realizing these security definitions. And for this talk, we're going to focus on a very basic setting. So we're going to focus on the setting of information-theoretic security. And we're going to talk about private-key protocols where the parties communicate only once with each other. And there are two parts. One is we're going to focus on protocols that authenticate classical messages. And then in the second part, we're going to talk about full-fledged authentication of quantum data. OK, so authenticating classical messages. Let me focus on message authentication codes, or MACs. So these are a basic crypto primitive that ensures message authenticity and integrity. And so let me explain this by way of example. So let's say there's a bank, your favorite bank, and you want to transmit the following message M to it: "Withdraw $100 from my bank account." And you'd like to do this in some secure and authenticated way. So let's say you use your bank card. And let's imagine that the bank card shares a random key between itself and the bank. So the random key H, you can think of as being a random hash function.
So when you send this message over, your bank card will append a hash, H of M, of the message you want to send to the bank. And when the bank sees this, it can check that the tag, this H of M piece, is indeed the hash of the message it received. And it will accept and then withdraw $100 from your bank account. But what if there's an active adversary who's trying to corrupt the communication from yourself to the bank and instead wants to create an authentication of some other message M prime that, for example, could say "transfer $1,000 to Charlie," if, say, the attacker's name is Charlie? And it tries to cook up a bogus authentication tag T prime to convince the bank to do this. Well, the security guarantee of a one-time MAC is that even if the attacker gets to choose this original message M and it sees the message-tag pair (M, H of M), with high probability it should not be able to produce a forgery, a different message-tag pair. So achieving this security definition is not hard in the classical setting. If H is a pairwise independent hash function, then this gives rise to an information-theoretically secure one-time MAC. This is also known as the Wegman-Carter one-time MAC. And this is secure against computationally unbounded adversaries, or classical adversaries. All right. And this definition can be easily generalized to the many-time setting. So let's say, you know, this smart card is used to authenticate multiple messages, say messages M1 up to MQ. And the attacker gets to see the authentications of all of them. It still should not be able to produce a forgery, you know, so long as the number of queries to the MAC, Q, is, say, polynomial in some security parameter. So the question we're interested in is, well, what if the adversary has a quantum computer? OK. If the interaction between all the parties is classical, then the Wegman-Carter MAC, for example, still remains secure. And this is because we have information-theoretic security of this MAC, right?
So if the interaction is still classical, then the only difference potentially is that the adversary has more computational power. But as I just explained, this doesn't affect the security. But on the other hand, if the interaction is quantum, then, you know, we have to ask ourselves, well, what does it mean to be secure? OK. So to explain what quantum interaction is like, I'm going to explain the basics of quantum information to you guys in one slide. And it's not too hard. So the first thing is, you know, imagine that you have some system that can be in d possible classical states. So for example, you have a bit. It can be either on or off. These are two states. Quantum mechanics says that this system, the classical states, can be mathematically described by elementary basis vectors. So say state 1 is represented by the vector that's 1 in the first coordinate and 0 everywhere else. And similarly for the other classical states. But more generally, this system can also be in a quantum state. And this is described, most generally, by a complex unit vector in C to the d. And quantum states are represented by this funny bracket notation. But really, all this is is just some linear combination of the d basis states. And we have the constraint that all these coefficients, alpha sub i, are complex numbers. They can be positive, negative, or imaginary. They just have to square and sum to 1. So if you have something like this, this is a quantum state. And the way to think about this is that if you have a system that's described by this state, you can think of it as somehow simultaneously being in all these classical states at the same time, but with these complex weights somehow in the background. And how do states change over time? Well, they change over time via linear transformations that preserve the L2 norm, also known as unitary matrices.
So if you have some quantum state of the system, psi, and you apply a unitary matrix to it, you get another complex unit vector, psi prime. And that's just another quantum state. The last thing is something called measurement. So this is another thing that can happen to a quantum state. If you have a quantum state psi and you measure it, what you get is a classical state, i, with probability alpha i squared. And these are probabilities because they sum to 1. And the important thing to know about measurement is that once you measure, it collapses, and you get a classical state out, and all the information about the other alpha i's just disappears. So in this sense, quantum states are fragile. So here's an example of a quantum state. You've probably heard of Schrödinger's cat. It can either be alive or dead. But a possible quantum state of this cat is the superposition of being dead and alive, where the coefficient, this alpha i, is 1 over square root 2 for being dead, and it has a coefficient of minus 1 over square root 2 for being alive, whatever that means. OK, so now that you know as much quantum information as I do, we can now think about the different attack methods that the attacker can perform. So what if the attacker queries your bank card with a superposition of messages? So we call this a quantum chosen-message attack. And what the adversary will do is just prepare some superposition of classical messages and feed it into the smart card. And the smart card will then authenticate it in superposition. So you can imagine that now this quantum state is just possibly an exponential number of messages all authenticated simultaneously. And then the question is, well, what can the adversary do with this quantum state? Maybe it could perform some complicated quantum computation on this state to, say, extract the secret key, this hash function H. Can this adversary produce a forgery just from this one quantum superposition query? So this question has been studied before.
So in 2013, Boneh and Zhandry gave a security definition for this model where the attacker can make superposition queries. So we say that a MAC is Q-time BZ secure if, when the attacker can make Q superposition queries to this MAC, then no matter what quantum computation it does afterwards, it can't produce Q plus 1 valid message-tag pairs with non-negligible probability. So this is a pretty natural definition of security for message authentication codes. It kind of lines up with the classical security definition. And one theorem that they proved is: if H is a (3Q plus 1)-wise independent hash family, this yields a Q-time BZ secure MAC, provided the output range of the hash family is large enough. So that was a feasibility result. And as Aaron mentioned in the first talk, there are some negative results showing that there are some standard message authentication codes like CBC-MAC, PMAC, and so on that actually fail to be quantum secure. That is, there are quantum superposition attacks that are able to extract the secret key. So in our work, what we ask is, so that's a very nice definition, but can we demand an even stronger guarantee than the Boneh-Zhandry security definition? So their definition doesn't rule out the following situation. So let's imagine that the attacker prepares a superposition over classical messages where each of these messages M in this set, script M, is a string that is prefixed with, say, the string "Alice". So this superposition gets submitted to the smart card. And it signs all of them. And it returns it to the adversary. And what the Boneh-Zhandry definition says is that now this attacker, since it only made one quantum query, can't produce two valid message-tag pairs. But it doesn't rule out producing one message-tag pair, M prime and H of M prime, where M prime now is a string that starts with "Charlie" instead of "Alice". So technically, this is allowed by the BZ security definition, but it somehow seems like there's a break in security.
Like, how was this attacker able to produce a valid forgery of a message that wasn't even in the original superposition? So we give a security definition that rules such behavior out, at least in the one-time setting. So our security definition says the following. So let's consider the real experiment. So in this experiment, the attacker will produce an arbitrary superposition of messages, have it authenticated, perform some attack, and send this attack over to the bank. This is just what happens in the real protocol. And we would like to compare this with the ideal experiment, in which the adversary, before it does anything, is going to measure the superposition that it receives from the smart card. And I put this powdered wig on this adversary to indicate that it's acting classically. So when it measures, what it obtains is, remember that I told you, when you measure a quantum state, you're going to get a classical outcome with some probability, and then the superposition collapses. And it will get (m, h of m) with some probability alpha m squared. And then based on this classical outcome, it's going to do some processing. It's going to send some state depending on this (m, h of m) to the bank. So in essence, this is just a classical attack. And our security definition says your MAC is epsilon-reducible to classical adversaries if both these views are epsilon-indistinguishable in the accepting case. That's the guarantee that we make. And included in these views is the state of the secret key. It includes the message sent to the receiver. And also, we also characterize what happens to the state of the attacker's private memory. So this is a pretty all-encompassing security definition. OK. All right. So that's the security definition. Now, can we actually achieve it? It turns out that we can.
If h is a 3-wise independent hash family mapping n bits to t bits, then the security of h actually epsilon-reduces to classical adversaries for exponentially small epsilon. So this shows you that the most straightforward one-time MAC that you would use in the classical setting is still secure in the quantum setting, because it just forces the adversary, even if it has a quantum computer, to act classically. And we already know of security guarantees in that case. OK. So a corollary is that the Wegman-Carter MAC, with 3-universal hashing, resists forgeries even against superposition queries. And this recovers the BZ security notion for one-time MACs. And more informally, you can ask, well, what information can the adversary learn about the key? This just reduces to a question of, well, what can a classical adversary learn about the key? And not very much. So let me point out some features of our security definition. In some sense, it is the best possible security definition for one-time MACs in the quantum setting. Why is that? Well, the adversary can always measure the superposition and just pass it on. Once it measures, it passes on the classical outcome it gets, and this will never be detected by the receiver. The receiver, all it does is it just gets a message-tag pair and checks that they're consistent. And if you measure the superposition and pass on a valid message-tag pair, the receiver is always going to accept. So you can never rule such an attack out. And what we're saying is this is the only type of operation that the adversary can do. So it gets this classical outcome and then just does some processing on the message it receives and its own private space. And we can never rule such a thing out. So another feature of our security definition is that it considers the state of the key in the view. So it considers the correlations between all the parties, the messages, the adversary, and the key.
And so in fact, our security definition holds with high probability over the choice of key. So that's that for authenticating classical messages. Let me now turn to the quantum setting, where we want to authenticate full-fledged quantum data. So now all parties possess quantum computers. This is in the future. And let's say Alice and Bob share a secret key. And Alice has some quantum state that she wants to send to Bob. And Bob wants to recover the state and detect if any tampering has happened to this quantum state that Alice wanted to send. So in this protocol, Alice will try to encode her quantum state somehow, so E of psi. She sends it across the wire. And now the adversary will just perform some arbitrary quantum attack, A, on this encoding. And Bob now has to decide whether to accept or reject. And hopefully, if he accepts, he produces a quantum state psi prime that's close to the original state psi. So what kind of security guarantees can we hope for in this setting? Well, we saw in the previous talk that actually we can hope for quite a lot. So here's what we can hope for. So here's the real experiment. They run the protocol. And we have a secure protocol if this view is indistinguishable from the following ideal experiment, where Alice just sends her encoding of her message straight through. And the adversary doesn't even look at it. And the adversary just performs some quantum operation on his own private memory. He doesn't even interact with the system. OK. This is the ideal experiment. And so our security definition is that these two views are indistinguishable in the accepting case. And again, included in the view is the message sent to the receiver, the state of the attacker's private memory, and also the state of the secret key. And this definition extends previous definitions. The main feature is that now the key is also included as part of the view.
Before, this indistinguishability statement just held on average over the key. So first let me describe some consequences of this security definition. So first, this says that if you have a secure quantum authentication protocol, you've effectively made the attacker oblivious to the communication. So in the accept case, the adversary effectively doesn't even look at the message. And this is rather strong. I mean, in the classical world, you can never prevent the attacker from examining the messages that are sent across the wire. But one feature of quantum mechanics is that if you try to measure a quantum state, it necessarily disturbs it. And it's this disturbance that hopefully will be detected by the receiver. So that's one thing. The other thing is this definition actually allows for key recycling. So if you look at this ideal experiment, the message just goes across to Bob, and the adversary doesn't even look at the message. So what that means is that the adversary can't be correlated with the key, because it was independent to begin with, and it's going to be independent afterwards. So that means in the accept case, you can safely reuse the secret key for some other protocol in full. And this is something that, again, in the classical world is not possible without computational assumptions. And I also want to mention that previous works were also able to argue that you can reuse the key, or partially reuse the key. But here, our security definition says that, in fact, you can reuse all of it. All right, so let me mention some constructions that satisfy this security definition. The previous talk described this unitary design scheme, and they showed, in fact, that if you use something called unitary 2-designs, which is like the quantum analog of a pairwise independent hash function, in some sense, this actually gives rise to a quantum secure authentication scheme. I won't talk about this here.
I want to talk about another protocol we give, which we call Auth-QFT-Auth. And this is a secure authentication scheme that actually uses the Wegman-Carter MAC as its building block. There's one caveat: it satisfies a slightly weaker definition of security, which I'll describe in a second. So this is how it works. So let's say you have a classical MAC. Just think of the Wegman-Carter MAC. H is like a 3-wise independent hash function. And so this is how the encoding is going to work. So Alice has some quantum state psi. She's going to just treat psi as if it were a classical message. So she applies the Wegman-Carter MAC. And then on the resulting state, she's going to apply the quantum Fourier transform. And then after that, she's going to apply another invocation of the Wegman-Carter MAC using a fresh key, H prime. Very simple. Decoding is simply the reverse process. The receiver is just going to check that the outer authentication tags are consistent with the message. It then performs the inverse quantum Fourier transform and then checks that the inner authentication checks out. It turns out that this simple authentication scheme is secure as long as we don't consider the second key, H prime. But aside from this caveat, we have exactly the same guarantee with high probability. If there's any tampering on this state, the receiver will be able to detect it. All right, it looks like I'm out of time. So let me summarize. We give some new security notions for message authentication in the quantum world, both for classical authentication and quantum authentication. We gave some constructions. OK, thank you.
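As an added illustration of the classical building block the talk relies on (this is example code written for this page, not code from the talk or the paper): a tiny Python model of the Wegman-Carter one-time MAC over a constructed toy field GF(7), using the degree-(k-1) polynomial hash as the concrete k-wise independent family, which the talk does not fix. It checks pairwise and 3-wise independence exhaustively and computes the best classical one-time forgery probability, which is exactly 1/p for k >= 2 and 1 for the non-independent k = 1 family; the quantum part of the result (superposition queries forcing the adversary to act classically) is not modelled.

```python
import itertools

# Toy parameter, constructed for this example: a prime field so small that the
# whole key space can be enumerated. A real deployment uses a large field.
P = 7

def poly_hash(key, m, p=P):
    """Polynomial hash over GF(p): h(m) = c0 + c1*m + ... + c_{k-1}*m^(k-1) mod p.
    With a uniformly random coefficient vector this family is k-wise independent
    (k = len(key)); k=2 is the pairwise independent family of Wegman-Carter,
    k=3 is the 3-wise independent family the talk uses."""
    return sum(c * pow(m, i, p) for i, c in enumerate(key)) % p

def all_keys(k, p=P):
    return list(itertools.product(range(p), repeat=k))

def is_kwise_independent(k, p=P):
    """Exhaustive check that for every k distinct inputs the output tuple
    (h(x1), ..., h(xk)) is uniform over Z_p^k when the key is uniform."""
    keys = all_keys(k, p)
    per_tuple = len(keys) // p ** k          # expected number of keys per output tuple
    for xs in itertools.combinations(range(p), k):
        counts = {}
        for key in keys:
            out = tuple(poly_hash(key, x, p) for x in xs)
            counts[out] = counts.get(out, 0) + 1
        if len(counts) != p ** k or any(v != per_tuple for v in counts.values()):
            return False
    return True

def mac_tag(key, m):
    """Wegman-Carter one-time MAC: the tag is simply the hash of the message."""
    return poly_hash(key, m)

def mac_verify(key, m, t):
    return poly_hash(key, m) == t

def best_forgery_probability(k, m, p=P):
    """Optimal classical one-time forgery: the adversary chose m, saw (m, t), and
    now picks (m', t') with m' != m maximising Pr[h(m') = t' | h(m) = t] over the
    uniform key. Returns the maximum over all t, m', t'."""
    best = 0.0
    for t in range(p):
        consistent = [key for key in all_keys(k, p) if poly_hash(key, m, p) == t]
        for m2 in range(p):
            if m2 == m:
                continue
            for t2 in range(p):
                hits = sum(1 for key in consistent if poly_hash(key, m2, p) == t2)
                best = max(best, hits / len(consistent))
    return best

if __name__ == "__main__":
    key = (3, 5, 2)                                   # constructed 3-wise key (c0, c1, c2)
    print(mac_verify(key, 4, mac_tag(key, 4)))         # True
    print(is_kwise_independent(2), is_kwise_independent(3))  # True True
    print(best_forgery_probability(2, 4), 1 / P)       # both 1/7
```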