 Hello, today I'm going to talk about trader tracing in the presence of a quantum computer. First, let me recall some typical attacks on classical crypto systems. The first most basic such attack is what I'll call a quantum computing attack, where an attacker is perhaps listening to communication between Alice and Bob. And using the power of a quantum computer to decrypt the communication. A slightly different kind of quantum attack occurs in the presence of random oracles. Here in the random oracle model. We have a hash function modeled as a truly random function. To capture attacks in practice, we would have to allow the attacker to make quantum queries to the random oracle. So we get a picture like this where there's some quantum interaction with some of the entities. So take this a step further and consider superposition attacks, where the attacker is actually interact forcing the honest parties to interact using quantum messages. Say the attacker can convince the honest party to encrypt a superposition. In this work, we will see a very different kind of quantum attack on classical crypto that arises in the setting of trader tracing. Let me recall the basic setup for trader tracing. Here we have an encryption scheme where there are many users who are decrypting. And each user has their own secret key. What we're concerned with is the possibility that a trader or some user rather secret key will leak their secret key to an unauthorized user. There isn't really much we can do to prevent such a leak. We hope that if we ever see the transmission from the trader to the unauthorized user that we can run some procedure to take their secret key and extract from it. Their identity and with their identity, we can then revoke their secret key or prosecute them. Another interesting challenging is that the communication between the trader and the unauthorized user is out of band and not really a part of the normal communication. And this means we can't really insist that the secret that the transmission is actually a secret key. What the adversary can do is actually send a general decoder program maybe with their secret key embedded in it that will allow the unauthorized user to nonetheless decrypt cyber tech. However, by embedding it in the program and maybe using cryptographic techniques to hide the exact secret key that was used, the trader may hope to evade tracing. The secret tracing is to identify the user who leaked the decoder program, even if the decoder program is sort of arbitrarily obfuscated. Typically we'll also want form of collusion resistance where there are many users, many trader users trying to leak the secret keys for the purposes of this talk though we will ignore collusion resistance. With this work, we update this picture to the quantum setting where imagine both the trader and the unauthorized user have quantum computers, and moreover, the decoder program that is sent is actually a quantum state so it's actually a quantum state that is going to be run as a program on the server text to get the message. The goal is upon seeing such a quantum decoder to still be able to identify the user that created it. So why should we be considering quantum decoders in the quantum setting. Well it comes back to this issue that the adversary channel is out of band. That no matter what we do, even if the entire crypto system itself is classical and all the honest users are just using the correct classical protocols. There's really nothing we can do to stop the two malicious users, the trader and the unauthorized user. There's nothing we can do to stop them from using quantum communication in order to send the decoder. There's really nothing we can do to prevent such a quantum decoder. To add to this, maybe a quantum decoder could actually help in evade tracing. For example, now that the decoder is actually a quantum object, maybe we can use techniques from quantum crypto to hide the user's identity. There might be some other advantages for the trader for using quantum decoders. Maybe he doesn't want the decoder to get too widely released. And so he would potentially try to make the decoder unclonable. So our results are the following. First, we will see that it's actually very non-trivial to even define security for trader tracing in the setting of quantum decoders. So our first result is a compelling definition for security. Our second result is a barrier or impossibility for adapting the classical trader tracing approaches to the quantum setting. And then our final result is a positive result showing how to trace certain kinds of an object called private linear broadcast encryption, which captures some of the trader tracing instructions from the literature. So let's begin with the definition. The central challenge of defining trader tracing in the quantum setting comes from the fact that the attacker can always output a dummy decoder that completely ignores the secret key and just always fails at decrypting. So in that case, we certainly cannot hope to trace the decoder and trace the decoder and actually identify the user. In the classical setting, the way this is resolved is to define a notion of good for a decoder where a decoder is good if they decrypt with some noticeable probability epsilon. So the classical definition of trader tracing then requires that if the decoder is good, the tracer will be able to actually identify the trader. On the other hand, if the decoder is bad, there are no guarantees. Now when we move to the quantum setting, this basic idea turns out to be problematic and to see why let's consider two potential quantum attacks. So the first attack is actually completely classical. So the adversary has a secret key SKI. What they'll do is they will just hard coded into the decryption algorithm to get a decoder program di that just takes his input a psychotex and runs the decryption algorithm with the given secret key. Then with probability a half, the adversary outputs either di or probability half, the adversary outputs a dummy program that always fails. For the other attack, here's a quantum looking attack where the adversary also defines this decoder object di, but now constructs two quantum states that are a quantum superposition over the good decoder program di, as well as the dummy program. And it doesn't so matter what these decoder programs look like right now. But the point is that each of these decoder programs by being equal mixtures of a good decoder and a bad decoder will be correct with probability a half. So the question is, which decoders of the four decoders here the di, the bad one, and these two quantum decoders which of these decoders are good. Unfortunately, the problem is that these attacks turn out to be physically equivalent in the sense that there's no physical procedure that you could run to distinguish between these two attacks. But this shows some problem in the notion of goodness because on the left here, any reasonable notion of goodness would have the adversary outputting a good decoder with probability a half. But on the right, the, any reasonable notion of goodness would in particular assign the same goodness to both decoders on the right because they both decrypted with the same probability. These could either both be good or bad, but in either case, the goodness of the decoder is either probability zero or one, whereas on the left of the goodness of the coders probability a half. And yet somehow these attacks are physically equivalent. The takeaway from this is that it's not well defined to assign to a quantum states, a notion of goodness. So somewhat inspired by the Schrodinger's cat paradox in quantum mechanics. The natural solution is to measure the goodness of the decoder to actually perform a quantum measurement that determines whether the decoder is good or bad. In the case of the attack. So far, this actually completely fixes things. Basically, all we do is we just measure the decoder output by the adversary. And we'll see that in both cases, the result of measuring the decoder is identical for both attackers. We had a good decoder probability half and a bad decoder with probability half. The problem that is that in general, just the simple measurements of the decoder states could destroy the decoder. In this example here that's not the case, but it's not hard to come up with examples where just a straightforward measurement of the decoder will destroy it. And as our solution is we define a very careful measurement of the decoder that we show works. And I won't get into details for this talk through the paper for details. But what we do is we prove the existence of what I what we call a project of implementation. And this is a special kind of measurement on the decoder program. Which produces a real number P between their own one and will have some effect on the decoder states and I'll call and I'll do this prime state is the results of the resulting states after measurement. The guarantees of the project of implementation. Is that this measurement process actually doesn't change the overall decryption probability of the quantum state. So the probability that the primed decoder decrypt remains the same as the original decoder. And then property one and then property two is that if we condition on the on the actual outcome of this measurement. We get that the probability that the prime decoder decrypt conditioned on observing the result of measurement P is actually identical to P. So we've learned the probability that the decoder decrypt. The definition therefore applies to projective implementation and defines good decoder is good if the quantity P is greater than the threshold up for with a now with a definition in hand, we will turn to trying to actually achieve it. So the first attempt might be to just see if classical trader tracing algorithms will work against a quantum decoder. So we recall that the classical tracing algorithms work in a black box model for tracing, where they take the decoder and basically ignore its entire inner workings and all they do is run the decoder on a handful of cyber techs. So both the results of the decoder is, and based on that they will determine the identity. So we may hope to actually just use the classical tracing algorithms against the quantum decoder, where we run the tracing, the classical tracing algorithm and just replace the evaluation of the decoder with the quantum evaluation of the decoder. So our second result is actually to show that this doesn't work that if you try to take any classical tracing algorithm and apply it to a quantum decoder that you will not be guaranteed to succeed. So the proof details, but the idea is that we can set up a decoder that's that in this black box model of tracing. Every time you make a query, the quality of the decoder degrades to the point where after enough queries. The decoder is essentially useless, but you don't have enough information to identify the trader. Now this, our example, our counter example is only sort of a weak barrier, showing that the definition we defined is impossible to achieve in the classical black box tracing model it doesn't rule out weaker tracing guarantees. But it shows that the guarantees that you get classically cannot be generically listed to the quantum setting. We finally turn to our positive results, which is based on a typical approach for building trader tracing in the classical setting, using something like private linear broadcast encryption. So private linear broadcast encryption is an encryption scheme, where there are n different secret keys. And in addition to taking the public can a message also takes as input an index I, and there are two guarantees. The first guarantee is that the user is less than or equal to I will be able to decrypt. While the user is greater than I will not. This is the linear part of the of the encryption scheme. The second requirement is that the index I is actually hidden. Now of course, if you have a secret key, and you're given a cipher text, you can learn whether the index that was encrypted to is greater than or less than your own index, just by seeing whether your secret key decrypts, but the security requirement basically stipulates that you can't learn anything else other than whether the index was greater than or less than your own. So let's recall how private linear broadcast encryption or PLB was used classically to build trader tracing. The idea is to encrypt a message M, you just encrypt with the index and meaning that all users are able to decrypt. To trace. Here's what you do. You have a decoder. You're going to define these probabilities P sub I as the probability that the decoder encrypt. Cipher text to the index I what you'll do is for each I from one to end, you will estimate the probability piece by. You will accuse any user I where PI minus one is not close to PI. So why does this work. Well by the security of the PLB, we know a couple things. So first P zero corresponds to encrypting to index zero. Because no users can decrypt. So by the by PLB security we know that P zero has to be small. On the other hand, any user outside of the adversary's control, any honest user, we know by the index hiding property that piece of I minus one has to be pretty close to piece of by. The goodness of the decoder itself means that P sub n is big. This is because P sub n corresponds to the actual the trader tracing encryption algorithm, right we want to encrypting under the trader tracing algorithm we encrypt to index and and the goodness of the decoder means that the address that the decoder can actually decrypt the cipher tax we know that P sub n is big. Three facts taken together imply that there must be some gap between some PI minus one and PI, and that gap must be at a malicious user. So what happens when we move to the quantum setting. Well, first, just like in the definition of trader tracing. It turns out that these PI quantities are non physical. There are some similar issues there. Another problem is that our impossibility shows that the easy way of estimating PI by just querying the decoder on various encryption to that index. Actually can't work our possibility demonstrates that this actually can't work to estimate the piece of eyes. Another problem is that the decoder, as we're operating on it as we're trying to query it, it will change, and it may become useless at any point, in which case we can't really do anything else with it and we have to be ready to a user. The solution consists of two parts. So the first part is we give an quantum algorithm for approximately measuring the PI values. We can't exactly measure the PI values that turns out to be computationally infeasible but we can nonetheless approximate it. And then our second, the second part of our solution is a careful analysis showing that if we measure the approximations of PI in the correct order, namely order of decreasing I that we can actually accuse users much the same way as we did in the classical algorithm by seeing if there's it by accusing any user where there's a gap in the adjacent PI. And this gives a tracing algorithm that works for any private linear broadcast encryption satisfying the syntax and security requirements that we define. Fortunately, we, our solution does not handle all private linear broadcast encryption scheme. And in particular for subtle reasons it doesn't work for the learning with errors based trader tracing boy by Goyal at all. And it also doesn't work for many of the combinatorial constructions of trader tracing, for example those based on fingerprinting code. And so these two sort of overcoming these two issues are interesting directions for future work. That concludes my talk. Thank you.