 Okay, so thanks for the introduction. It's a pleasure to be here so Okay, so what was the initial motivation of this work is to? Try to we think about long-term security and to try to avoid computational assumptions when it is possible and So it's a quantum session. So we know that sometimes with quantum mechanics We can do things like for example quantum key distribution, but it's Sometimes for other primitives. It's impossible like information theoretically even with quantum mechanics. So another idea is to use relativistic cryptography, which is a fancy name to say that we have Two Provers that cannot communicate. So it was first theoretical idea that kind of Emerged I think in the in the in the 80s and we saw like Multi-prover interactive proofs and also like what we can do with two Provers in terms of cryptographic primitives for example in terms of bit commitment or other such primitives and there was a recent resurgence of of this area and People thought okay like because it was thought to be something theoretical, but you know, can we actually create physical conditions in order to Make sure that two Provers cannot communicate and if yes, how and the main idea is to use the relativistic constraint or just more simply to say that if the Provers are far apart then the information has to take some time to go from one Prover to the other one and Which has a high speed limit of the speed of light that information cannot travel faster than the speed of light so that was the the main idea and And so what were recent results? So there were a series of recent results in relativistic cryptography Mostly dealing with bit commitment. So there was this first paper. So there was this first observations that If you have two Provers if you have these two Provers that cannot communicate if you want quantum mechanics things can go differently, so there's paper from Provers in isolation that that sometimes even information theoretically you can have Protocols that are secure in the classical setting but not in the quantum setting because they share an entangled state and also there has been constructions of bit commitment schemes which are secure against quantum adversaries and So our initial motivation was can we use This bit commitment scheme to do other stuff and in today's talk I'll talk about how to use bit commitment to do zero knowledge, which are things that we know how to do normally, but When you do this reduction sometime you have issues or here you have and the multi-prover setting and the quantum setting and everything so it's not clear how all these things will compose well together and The main technical contribution of this talk is will actually be to analyze and improve tool for analyzing the disturbance of quantum measurements and how this these tools will be useful to improve The analysis of security against quantum adversaries. So actually I spend a large part of my talk of talking about This quantum measurement problems because like they're more generic so that will not Talk too much about like to Prover settings. I'll talk a little bit about it at the end and somehow that Many people that try to prove security of classical protocols against quantum adversaries can relate to so Okay, so before again like being too vague I'll just start from one simple example and then see from there like what are the problems and what solutions We bring in this paper. So suppose a Any kind of Prover verifier scenario. So here I took like a Sigma protocol. We have a Prover that has a Public key a secret key the verifier only has the public key and the Prover wants to convince the verifier that he knows a secret key Without revealing it. So it's some kind of a proof of knowledge some kind of a Sigma protocol Just a message a challenge first match And the second message so and In many cases the security of those protocols are based on some property called special soundness is that if the Prover can answer two Different challenges let's say to then this will be approved that he knows the secret key and But what we do is that okay? So of course the verifier could send well give I will send to the Prover two challenges I'll tell him answer those two challenges, but then the verifier will also be able to extract that secret key. So The verifier will only send one challenge and somehow this will be enough To prove that the Prover knows a secret key without revealing any information about the secret key So these are something, you know, which are quite known which are which are pretty which are pretty nice and So the question is so there is this difference between one challenge and two challenge How do you go from one challenge to two challenges? Well, normally it's very simple. So you have an algorithm that answers, you know One challenge. So if you ask to then you apply the algorithm for the first challenge and then for the second challenge And you get the answer to both. So somehow it's relatively easy normally to to go from one to two and What about the quantum setting? So, okay, so we do the same thing we get a first challenge And we answer and then we get a second challenge or get them at the same time But after the first answering this first challenge What happened is that the internal quantum state has changed. So somehow the question is Did answering the first? query made it impossible to answer the second one and And it may complicate answering the the second challenge. So this is Basically what most of the of the technical part of paper deal it and what I'll talk about here. So just to I get pictures. So look at quantum consecutive measurement. So this is exactly what I said So if you have an internal state for all you have a quantum algorithm, you have a first challenge C1 and an output one and If you're given a second challenge, then you're a new internal status row prime and if You output and in many cases this row prime can be very different from role and somehow these things are kind of hard to control in in general so okay, so When does the thing work well? so suppose that you have only one valid good outcome, so you give a challenge and you have one good answer and You get this answer with high probability then We know so there is this Okay, so there are several ways of calling but one of the things called a gentle measurement lemma is that you can perform this measurement only By modifying slightly this internal state rule that somehow if your measurement You're almost certain that you're gonna get a good answer of one possible answer. Then you're not gonna Change much, but in many cases. That's not what's happening. So So typically like if you can answer the the first challenge only with some Not so high probability or in particular the thing is that okay? Let's say I'll always answer correctly, but it's one out of many possibilities. So let's say, you know, you have many good answers and You're answering your first challenge. You'll just get one of them So even if you always get one of the good challenges, then somehow this will have disturbed the state a lot so you cannot really like extract one of the good answers without disturbing the state a lot and This problem arises in many problems of soundness analysis when you look at Simulation of zero knowledge if you want to do rewind not been talking about Rewinding where if you got kind of witness extraction and in many cases this This this is this is a problem And so there there was a paper by a mindless medicine on rule like from a few years ago That truly said that in the most general case This is a problem that you cannot solve that you can find Algorithms and measurements so that you can easily answer one of the two challenge any challenges If if you get one challenge, but it's very hard to get two of them So in the most general case, this is this is really a problem and we know how to construct Examples where this happens so okay, and so Final thing is can we still do something so okay? So if the most general case is problematic, what are the cases where we can still do something so? Just a recap we want to relate two quantities p1 is the probability that if a quantum algorithm I've given a challenge to get a good answer and p12 which is the probability output correctly on two different challenges and so okay, so here we're only consider for p12 for strategies that In when you get the two challenges when you do this very naive strategy that Look at the first challenge you try to answer then you get the second challenge and you try to answer There might be more clever ways of doing but that will only let's say improve our results So let's say that already with this very naive strategy. We have some interesting results so Okay, so I'll I'll already show what are the the main theorems so First case is as I said single good outcome. So let's say that for any challenge There's a unique good answer and let's say the challenge size is n and is the Is the dimension of the challenge space so meaning that log n so log n bits So if the challenge is of log n bits then We can show that p12 is larger than this quantity which is related to p1 so And if we have as good outcomes if we have as good solutions for each challenge, then we just lose a factor of s so okay, so then a little bit discussed like quantitatively like what this means and There was actually already one one bound like there were several bounds for like specific cases, but let's say though Think the most generic case was like from paper by who was actually studying like proof of knowledge So exactly here. Let's say that if p1 is larger than one over root k. Okay, so case should be n here then He has a bound which is similar similar to to the first bound but for this p1 which is Not so it this would be useful for p1 only larger than one over root n and not one over n and Okay, so Just to look okay, so how how tight are those things? Okay, so it's not clear how to how to interpret those bounds So in the single good outcome, let's let's look at this inequality These are actually pretty tight So first we see that if we take p1 which is large enough then we have p12 which is larger than some cube version of p1 which was actually already the case in Unro that if p1 is very large then somehow we have p12 which is larger than the cube and We can't find states and measurements so we can find setups where this cube stays somehow so we have no We have no hope in reducing this cube to a square and on the second hand if we take p1 Which is equal to one over n Which Basically, so this is kind of an extremal case it kind of so you can't think of setups where Let's say the quantum algorithm can only answer to one challenge one specific challenge That would give him a probability of one over n. So this is this is why somehow we cannot we cannot go below Yeah, so I mean of course. Yeah, this this holds only for the other way It's negative so it's fine So and if p1 equal one over n then we have also some cases where the strategy will give p12 equals zero So it's tight in those two settings. So somehow, okay the one over 64 is probably not tight What happens in the cube and what happens in different behaviors? It's probably not tight in several ways, but at least in these extremal points. We know that we cannot improve so, okay, so It was a very natural question so it was a very natural question and so We hope that we can use it in several things. So as I said in the proofs of knowledge and like this small example that I showed before more generally for a bounding value of entangled games if that's if that's your thing and the original motivation of Why we why we started to study this was relativistic zero knowledge for np secure against quantum adversaries and so Actually, what happens is that once we have this once we had this bound Then the rest was actually pretty pretty straightforward at least for the for the kind of security we wanted to prove so not going into the the technical details of how it works, but you know once we have this then the the rest is fine and Yeah, and then okay, so now I'll just spend a spend a few minutes talking about like this Multi-prover scenario so that you can see see a little bit like where we use this thing. So Then we did something very simple. We had we know a protocol for Hamiltonian cycle that We know a zero-knowledge protocol for Hamiltonian cycle that uses bit commitment and we have a bit commitment scheme so we just so we just put them together and we see what what happens, right, but that's a that's a very natural thing and Yeah, so it was also also just like a quick note is that typically This would not work for like for three coloring typically is that like this Because of the reasons because a little bit of the special soundness kind of issues is that with only two of only two challenges Somehow the Hamiltonian cycle will only have two challenges and you can recover if you can answer both challenges We can recover the whole cycle Whereas in three coloring if you're only you know You it gives you some information if you can answer two challenges, but you cannot recover the whole coloring So then it's not clear like what what to do So, okay, so, okay, so here. I okay So here I I just briefly we mentioned like what are the requirements? Okay? This is all very informal now of course But so what are the requirements of a commitment scheme? So want to commit for a bit D and so there are two phases after the commit phase want that The verifier has no information about D and that after the reveal phase the prover cannot change his mind So Okay So what do we do? So as I said, so okay So now it's kind of the only picture that kind of splits those two provers is that okay? So we start from two so we start from P1 P2 Okay, and they're very there. They're very very far away Okay, don't have to be very far away, but let's say you know like a few hundred thousand kilometers And let's say that beforehand, you know, they managed to So they have a secret they they have a secret a they have a secret string a and we'll always be working in some finite field of Dimension Q so all of these strings will be of size lock you and then Again the verifier so if the two provers are far away and we won't like to have very like sharp synchronization We cannot have one verifier that talks to the two of them and somehow like have something meaningful, right? Otherwise would give more power to the verifier. So we'll also split the verifiers into two and Do the following so the first message the verifier will send a random string B in FQ to the prover And you will send back Y equals a the secret plus B times D be the query and D being the The bit so D is in D isn't zero one here, but you know, it just is the same multiplication and the prover two will just send a And D and then the two verifiers They will check this thing But then you know after after this prover send this message Then let's say the protocol is over and they can check offline somehow you can a lot of time can pass and you know you can check that Everything is valid somehow that's the the Y and the a D everything corresponds so and the only thing that we require from the scheme is that We correct P2 to send this message Before he has any information about B before any information about be can travel to the second prover. So, you know if If you're a hundred, you know, if you're 300 kilometers away, it takes a millisecond. So it's not you know Which is not that which is not that short, you know, it's in in 2017 right unlike in 1980 so and Okay, so this was so this is was okay So what I got the FQ the FQ scheme which was like proposed by lungi et al. And so they did an analysis and you know so somehow they reduce this this protocol to an entangle game and we know that That the protocol that the protocol is secure and the arguments are in the end the arguments are a little bit similar than this special this consecutive measurements is that if the P2 can answer both can Can give two openings one for equal zero and one for equal one that will satisfy those two checking properties Then you can easily extract be which and be should be hidden from P2 so this is the This is the main thing. Okay. This. Okay. So this is the textbook. This is a Textbook Hamiltonian cycle zero knowledge protocol for Hamiltonian cycle with commitments. Okay, I don't have a lot of time. So I will not Go too deep into this into this protocol you can read it. The only thing I want to say is that We said first of all as I said before if you have if you can answer the two challenges Then somehow you'll be able to recreate the Hamiltonian cycle, but there's actually also a problem in this in this protocol is that There are many possible answers is that somehow there is this hidden permutation pi in the protocol and for each pie there is a valid opening somehow so you have V let's say if now M is the number of vertices you have m factorial possible Possible answers so and we said that you know you lose of you lose a factor of one by m factor m factorial somewhere and somehow Will it will still work out? So somehow we will just work on these very low probabilities and We'll see how it works. So okay, so again all of this is very informal But just you know just trying to show you how all these kind of quantities go together As I said is that okay if there's no Hamiltonian cycle somehow you'll have to break the commitment scheme and breaking the commitment scheme as I said before it will happen to probably one over Q and So somehow this P12 somehow breaking the commitment schemes what I say meaning being able to have produced the two openings so this P12 will be one over Q and If you want P1 to be smaller than epsilon we need to take Q If we know if you just plug this in the other formula we need to take Q which is this huge thing To huge thing, but it's the dimension of the thing. So actually the communication is log of this So log of this is actually fine. So as long as the messages you sent are polynomial in the number of vertices and in one over epsilon then We can We can show the security of this protocol so Okay Running late. I'm just gonna you know, just this is that's a quick recap. So which so just take bound for consecutive measurements and we prove zero knowledge and okay, so What are the open questions now? So here the security prove is very basic So again, so we had a bit commitment scheme that we don't know how to compose We wanted to use it for your knowledge so we had to redo the whole thing from scratch somehow and again now we have a zero knowledge scheme and Again, if we want to use it for something else, we'll have to redo the whole thing from scratch, right? another thing which is kind of a Bit surprising is because we work on these low probabilities. This isn't even a proof of knowledge So if you can so if you can win this game, we cannot show that you can produce the cycle actually because because of this Factorial because of this m factorial thing you can only show that you can create this Hamiltonian cycle of probably one over m factorial which is not Which is not great and also like other primitive so also you say oh well, okay, so these things work well, so you can use this bit commitment, you know, you're kind of What do you can you do it for something else? typically Oblivious transfer you say okay in the quantum setting you have a Reduction from bit commitment to oblivious transfer. So I say great Let's use it as well. And actually here. This is a case where things don't work out very well somehow Because you have this bit commitment scheme that only work for a certain amount of time and then oblivious transfer You need some very kind of static security for for both players somehow you can break those schemes and of course like You know what are other applications of the bound and I learned here. Thank you