 Hello everyone, I'm Ersan Ibrahim, a postdoctoral researcher at the University of Luxembourg. I will tell you about the research, titled Relationship between Confirmation, Distinguishance, CPE and Emissions. This is a joint work with Kastem, Tarbi and Horu. The full version of our paper is available at e-print. For the rest of the presentation, I will turn off my videos since it covers some of the text in the slides. I'm sorry for that. Okay, so I first give you a setting that we consider here. Often postcommon terms setting refers to the setting in which a quantum adversary tries to attack the classical cryptographic constructions, but the communication between adversary and this classical primitive is classical. Obviously, the computational problem used in this cryptographic primitive has to be quantum hard. We can consider more adversarial setting in which quantum adversary is allowed to make superposition queries in the classical cryptographic constructions. Obviously, this setting has some consequences. First, that it might break the security of some cryptographic schemes, and also we need to revisit the security notions in this set and see how the notion can be defined considering this adversarial superposition course. In this talk, we look at the quantum CPE notions in this setting. I recall the classical CPE notion for symmetric inclusion schemes. The notion consists of two phases, the learning phase and the challenge phase. In the learning phase, the adversary is querying the encryption circle, and then the challenge phase and the adversary suffits to some some challenge messages, and the challenger applies to these messages depending on the random BTP. And the adversary's goal here is to guess this beta B that is chosen by the challenge. The adversary wins if he gets it right. But depending on how the challenge phase can be implemented, there are three possible classical and symmetric CPE notions. So the first way of limiting the challenge query is that the adversary sends two messages M0 and M1 and receives back the encryption and B and encryption and B4 for a random BTP. We call these two cybertext return. Another way of implementing this is that after receiving M0 and M1 from the adversary, the challenger basically sends the encryption of Mb for random BTP. Only it sends one cybertext. We call these one cybertext return. And the third way of implementing a challenge query is that the adversary sends a message M and receives back either encryption of M or encryption of a random message. We call these real or random return type. It turns out that all these notions are current in the classical set. Now there's the question that may arise is that how quantum counterparts in this CPE notion can find and what are the relationships? How they are related together? We're trying to answer this question in this time. So in order to define the CPE notion in a quantum setting, in a setting that we consider adversarial superposition queries, we need to fill in these question marks. If first go through the existing quantum CPE notions, first is the bonus definition in which they implement encryption queries in the learning phase using the standard protocol model. And the challenge queries are classical with the one cybertext return type. So the standard way of implementing a classical function in a quantum device is that in this way that there is two registers. One is for input and the other for the output. And the evaluation of the function here is the encryption function on the input register is stored on the output register. So here's an image of the modern learning condition. So in the learning phase the app there is a standard protocol access to the encryption protocol. And in the challenge phase there's two classical message and the CPE gets back in encryption of MB for random B2B. And of course at the stage tries to get this B2B. Another definition is that they use a minimal query model in both challenge phase and the learning phase. And then the challenge phase, the challenge query is implemented as a one cybertext return type. So minimal query model is different from standard query model in which there's only one register and it's an input register and that the CPE gets back the evaluation of the encryption function on this input register as an output register. Basically this is the way that the minimal query model is defined. Excuse me. Here is the image of their definition that is the learning phase, the queries are implemented as a minimal query model. And then the challenge phase, the adversary chooses two quantum messages 0 and 0 1. And the challenger sends the encryption of row B. And of course the adversary tries to get this B2B. This is how the challenge queries are implemented. So depending on the B2B either we swap this to register or we don't. If the B is 0, then we get my encryption of row 0. If B is 1, then we get my encryption of row 1. Row 0 or 1 can be entangled here as well. The third definitions, they use standard query models with the real or random return type in the challenge phase. So both the learning phase and the challenge phase is quantum and it's implemented in the standard local model. Here is the image of their definitions in the learning phase. We have standard local access to the encryption local in the challenge phase that adversary outputs two registers, one for the input and the other for the output. And it gets back basically to the M and Y XOR encryption of high M when B is 1 and encryption of M when Y is 0. So either the challenger apply a permutation to the input register or it doesn't before encrypt. And the adversary goal here is to guess if this random permutation has been applied to the input register or it hasn't. Now we may ask the question, are these all possible definitions? And the answer for this question is no, if it's systematically answered. So you will see that the possible motion, the possible definition for quantum CPA notion are huge. So let's look at the different ways that we can define the quantum CPA notions. As you saw in the previous slides, the queries to the encryption local can be implemented in different ways. So it can be classical query, the input of X, the classical input of X, and then we get that the state gets by the encryption of this message. Or it can be implemented as a standard query models or minimal query model. And also it can implement as an embedding query model in which the output register is always zero. So the difference between the embedding query model and the standard query model is that here the output register is zero in the embedding query model. But in the standard query model, the output register can be chosen by adversary. So this Y can be chosen by adversary. Also you saw in the previous slide, there were different ways to implement the challenge queries. And there are different return types, namely one ciphertext return, two ciphertext return, and read or random return types. In addition, the number of queries matters. So the number of queries can be zero, one or polynomial number of queries. So now we can theoretically calculate all possible definitions. You know, for the learning queries, we have five choices. And for the challenge queries, we have two times four times three choices. And if we do the maths, we get 120 possible notions. This is really frightening if you want to get to study these notions and also study the relations between them. We excluded some definitions, also some of the definitions are possible to achieve. So excluded notions are the notions that have different quantum queries in the learning phase and the challenges. These notions are 36 notions of this category. Of course, we consider this notion to be exotic, but of course, this is our... In addition, there are some notions that correspond to the one-time CPA notion. That is, there is only one challenge query. There are 12 notions of this category. And impossible security notions are 15 options that they cannot be achieved with any encryption scheme. In other way, any encryption scheme is insecure with respect to these notions. So if we do the maths, then we get 57 notions left to study. And still, this number is huge to basically figure out all the relations between them. I give you an example of such notions. For instance, if we combine a minimal query model and the real or random return type, then we get this definition shown in the image. So the learning query is all implemented as a minimal query model. And then in the challenge phase, the adversary chooses one register, one input register, and sends the challenger either apply or no permutation to do this register, or it doesn't. And then encrypt this register after this. So the adversary's goal is to guess if this permutation has been applied to the message or it hasn't been applied. So all the other components can be defined similarly. So we studied these 57 possible notions, and we grouped the equivalent notions together, and this resulting to 14 panels. So these 14 panels consist of notions that are equivalent. And we studied relations between these 14 panels. So the implication and the non-implication between these 14 panels. This is a table of our results. So there are some slots that have a question mark. Also, there are some red non-implications. So these are the open questions. And the red non-implications are conjectures. In the paper, we gave a discussion about this, and we basically, we discussed why we consider this direction as a conjecture, and we basically think that this direction hold, the non-implication basically hold. And also, we show that if this non-implication hold in this conjecture hold, then all the open question can be resolved, can be solved by a transitive. So the table will be complete if this red non-implication hold. Also, we gave a reason why this might, the non-implication is more likely to hold. So we reached the last slide of my presentation. Here, I give you some conclusions of this table, table that we got here. And I skip also, many of the conclusions also, I skip the techniques that use it now. So as a first conclusion is that the two definitions imply all other definitions together. And these two definitions are the standard query model with the real or random return time in the challenge phase, and the minimal query model with the one-sided vertex return time in the challenge phase. So here, both the challenge phase and the learning phase are implemented quantumly. And one is with the standard query model and one with the minimal query model. We also present a scheme that's secure with respect to both definitions. And this means that this scheme is secure with respect to all 57 definitions. We also show that these two definitions are not comparable, definition one and two are not comparable. And also opposite to the classical case, different quantum the security pay notion may not be equivalent. I think the presentation is finished. Thank you a lot for listening.