 So, the main question we try to address here is basically what would be the impact of quantum computers on symmetric cryptography. And we care about this because, well, basically some physicists think they can build a quantum computer, so I'm not going to argue whether that's true or false. Maybe it will be in five years, maybe 200, maybe never. But anyway, it's something we take seriously in the crypto community and we try to find out what would be the impact of this and how to have security that would resist this kind of event. So in a nutshell, what would quantum computers do, the idea is they will be able to solve a class of problems much faster than classical computers. So we don't expect they will break all problems, but they will break some problems much faster. And that's interesting for us because in cryptography we like hard problems and we like to have cryptosystems that rely on hard problems. So it's important to understand whether those problems are still hard for quantum computers or whether they become easy. So in the field of public key cryptography in particular, that's something that's been studied a lot. And we know there's a short algorithm that can break factoring integers and also can break this critical algorithm. And because of this, a lot of public key cryptosystems would be broken by quantum computers such as Aris said if you have an elliptic of cryptography. And there's been actually a very large effort in the public cryptography community to design new algorithms that would resist these kind of attacks. On symmetric cryptography, we don't have that much knowledge about what would happen. We know that there's an algorithm by Grover that basically can do exhaustive search of an n-bit key in times two to the n over two. But we don't know whether that is the only attack we have. We don't really know what else there could be. This is the wrong version of my slides, but I'll try to make do with it. There is something else we know, something more than Grover's algorithm. And that's a nice result by Kwakado and Mori, and they showed in 2012 that we can break the even monster cipher with quantum queries. So I tried to explain a little bit how this works. So first, what is the even monster cipher? It's a nice construction. You start from a public permutation P, and the idea is to build a block cipher and you build your block cipher by just exploring a key at the beginning and at the end. And this construction is very simple, and you have a security proof. So it's very nice. It's not really used in practice, but from a theoretical point of view it's very nice because it's quite simple and has a security proof. And it turns out, so before looking at quantum attacks, I'm going to talk about classical attacks, so there are many different ways to attack it. Of course, they don't break the security proof, so they only reach the same security level. And one of those attacks is called the slide with a twist attack. And what you do is you start with two to the end of a two null plaintext xi, and the corresponding ciphertext yi. And what you do is you assume that in this large set of plaintext, well, with high probability, two of those values will have a difference exactly k1. So we assume we have x and x prime with a difference exactly k1. And then when we encrypt them, what happens is the first step in even monster encryption is to absorb a key k1, so that basically swap x and x prime. So what we have is encryption of x is p of x prime plus k2, and encryption of x prime is p of x plus k2. So k1 goes away, and now when you combine those two equations, you can make also k2 go away. And what you get is encryption of x plus p of x is equal to encryption of x prime plus p of x prime. And this is something that's easy to detect now because you can just take all your known plaintext x. Now you just compute yi plus p of xy, you compute this for all your data, and you look for a collision. And you know that if you have a pair with this specific difference, it will be a collision. So every time you get a collision, you get a candidate for k1, and you can try them, and that gives you an attack against the even monster cipher. So this one is a classical attack. And basically what Kuwakado and Murray did is they built a quantum version of this attack. So yeah, I won't go too much into the details of quantum computing here. Basically I'll only see quantum algorithm as a black box, and because it's quantum, there's probably a cat somewhere in the box. So the way this attack works is the basic model is you're going to give a quantum oracle to the adversary instead of just a classical oracle. So you can send superposition queries to the encryption oracle, and get a superposition of corresponding outputs. Before going further, I'd like to say it's a very strong model, of course. We don't really expect such attacks to be actually practical, but also on the other hand it's hard to argue that we cannot do this kind of attack in practice. Like if you have a smart card that encrypts messages with some secret key, we don't know what happens if you send a superposition of messages. We don't really expect to get the superposition of outputs, but it's also hard to say there are no quantum effects, and everything is completely classical. So we don't really have any model in between the completely classical one and the completely quantum one, so it's still interesting to look at this model. And also, as a general thing in cryptography, we like to look at very strong models and prove security in very strong models. So I think it's very interesting to really look at what happens in this model, even though it's not really a direct threat on the cryptography we use. It's also important to understand that it's quite different from what we do with, say, Schor's algorithm. When you try to break RSA with Schor's algorithm, you just take the public key and you build a quantum circuit out of the public key, and then you run this quantum circuit, but the adversary only takes classical inputs. In this model, we assume that the adversary has a quantum box that does encryption with some secret key, so it's really a different thing. So what we're going to do in this model, we're going to use a very nice algorithm called Simon's algorithm that's basically a case of quantum period finding, and what this algorithm does is you start from this assumption that you have a function with a very specific property, but this function has collisions if and only if the input difference is some fixed value S. And the goal is to recover this value S. This is something that's relatively hard for classical algorithm. It takes time to do the other two, but for quantum algorithms, you can do it in time, linear in N. So I will not go into the details of how this works, but basically it works. We can also do it in slightly weaker cases. So I said the initial Simon's algorithm, you assume you have collision if and only if the difference is S, but in our case, we will sometimes have something a little bit weaker that we have collision if the difference is S, but not only if the difference is less. Like there are some extra collisions like don't follow this exact difference. And if those extra collisions are not structured, they are mostly random, then the algorithm will still work. So you can look in the papers for the details on this. So now, how do we break Event Montour with this? The idea is to do something very similar to a classical attack. It's basically a quantization of a classical attack I showed earlier on Event Montour. So we're going to build a function F. You build it like this. And this is what you do to encryption of X plus permutation of X. And so you look at this function. And the important thing is this function satisfies F of X is equal to F of X plus K1. And that's just the same thing as I showed in the classical attack. That's just because when you write down what this function is, it's something like this, and if you input X plus K1, you just swap out those two terms. So of course, there will be collisions. So this is exactly what we want for Simon's algorithm. So now we can run Simon's algorithm and this function will recover K1. And that's how we break Event Montour Cypher. And now this attack only takes tack linear in M. So it's a very efficient attack. So that's what was known so far about quantum attacks on symmetric cartography. And now I'm going to show that actually, it's a lot more general. We can break a lot of modes of operation using the same techniques. So I'll start with CBC max. So I think everybody knows what a max is. But the important thing is the security notion we're going to use is security against chosen plain text attacks. So that's very classical. So what you do is you have some oracle and the adversary can send messages and receive the corresponding tag. And the goal of the adversary at the end is to predict the tag of a new message, a message that was not sent to the oracle, and you have to predict the message for this tag. So that's the classical security notion. Now, when we try to move to a quantum set, so what we want to do is change, replace this classical oracle by a quantum one. So it means now the adversary sends a superposition of messages and gets the corresponding superposition of a max values. But we also have to change a little bit what it means to do a forgery. Because if you send a superposition of messages, you can just send a superposition of all messages. But now we don't know what is a new message, because you already send everything to the oracle. So that's what we want to do. So that's what we want to do. We want to send everything to the oracle. So instead of asking for a new message, what we ask is if you make K queries, you have to create K plus one valid tags and message at the end. So that's the security notion we use, and it's due to a Boolean's injury. So now let's look at CBC Mac. So it's a very common Mac. It's using a lot of protocols. It's a pretty old one. And it comes with a security proof. So it's a good construction. And what you do is basically, you start with your message, you encrypt, you XOR another message block, you encrypt, and so on, and at the end, you encrypt again. So let's keep the classical attacks. So how do we do a quantum attack on CBC Mac? So the main step of the attack will be to define a function f with good properties. That's how all those attacks are going to work. And then we're going to run Simon's algorithm in this function, of course. And the way we're going to build this function here, we take two inputs, a one-bit input and one message block. And what we do is we expand this one-bit input to a full block, and we can't get in the other block. And so when you write out what happens when you evaluate this function, so if you start with B equals 0, you're going, the Mac is going to be just encryption, encryption of X plus encryption of 1. And if you start with bit 1, you have encryption of encryption of X plus encryption of 0. You can see that there is a hidden period in this function. If you put, if you change the bit B and you put a difference in X that corresponds to the difference in those two terms here. So if you put difference 1 in the first term and delta in the second, where delta is encryption of 0 plus encryption of 1, you get collisions. So it's basically a differential attack. You put difference 1 here and here you put the corresponding difference to cancel it. So this is nice. Now we can apply Simon's algorithm. We're going to recover this value. In terms of that, we can use this value to make forgeries for exactly the same reason. Now you just put again this difference, corresponding difference here, corresponding difference here, it's consoles, it's collision, and you have forgeries. So this is how we can break CBC Mac using quantum queries. So the main structure is like this. On all the attacks we have in this paper follow this same structure. The next thing is to build some function F with a hidden delta in it that can be used later. So that's where you have to be a little bit clever to see how you can build this function, how you can build your inputs to your Mac and how you have to combine maybe the outputs. And if you do this nicely, well, you have such a function then you use Simon's algorithm, you recover delta, and you can build forgeries. And yeah, an important thing is you need to make a quantum implementation of this function F in order to run Simon's algorithm, so of course you need a quantum version of your recall, and you also need sometimes some extra bits of circuit that you're going to combine with it. So we can use the same kind of ideas on many different constructions, actually, and that's really something a bit surprising that we can really break the variety of model operations. So I'm going to show a few of them. So this one here is PMac. So it's a parallelizable Mac and so the main structure is you encrypt in parallel all your message blocks, but before encrypting, you have to XOR some secret values delta and then you basically XOR the outputs and encrypt again. And if you look at this structure here, if you put only two blocks of messages, it's actually the same shape as CBC Mac, so you can just use the same attack. We can also do an alternative attack just for the sake of variety maybe. What we can do instead is build a different function where we start with one block of message and we just repeat it twice. Then when we compute the Mac of X concatenated with X, it turns out that again you have some structure, you have collisions if you input difference delta 0, XOR delta 1. Let's just, if you think of it, if you have X on X here and if you XOR delta 0, XOR delta 1 into this value X, well you're just swapping around the first two encryption blocks. So of course you're going to have collisions. So this is an alternative attack against PMAC and the nice thing is it's also going to work if you put an encryption block here and this happens in some authenticated encryption modes, you have an extra encryption here and in this case the CBC Mac attack is not applicable to PMAC, but this variant will be applicable. It's nice to have a number of different ways to attack them. So next I'm going to look at GMAC. So GMAC is basically the authentication part of GCN and it's a Carter of Eggman Mac, so you have some polynomial evaluation and then you XOR an encryption of the nodes. I'm not going to go into those details. The important thing is, again it looks very similar to CBC Mac when you look at the picture. You're basically XOR messages and apply some function. So you really want to do the same kind of attack. So you're going to define the same kind of function and turns out you have again that f of BX is equal to f of B plus one X plus delta, so that's the same kind of structure we want for Simon's algorithm. However it's a little bit different because there is a nodes here. So every time we query this oracle we're going to get actually different functions. It's not the same function we're going to query all the time. So that makes the attack a little bit different but even though all those functions are different they all have the same periods because the nodes only appears at the end of the computation. So if you have collisions before you input the nodes, the structure of the collision doesn't depend on the nodes. Thanks to this we can actually apply Simon's algorithm. So it's not exactly Simon's algorithm because we have a family of function but it's basically the same thing and it still works. Also it's nice when you think about this structure this works because the nodes is at the end. If you would put the nodes somewhere closer to the beginning, those attacks would not really work like this. We have also looked at authenticated encryption with associated data. The basic idea is you have two inputs, a message and some associated data A and you want to authenticate the message and only authenticate the associated data and something interesting is in a lot of AEAD construction what you do is you first process your associated data independently of the nodes and then you process the nodes, the message and something that comes from this processing of the associated data and because of this a lot of those attacks will still be applicable because we will just attack the part where you process the associated data and so if you have collisions before the nodes comes in then we can just do the same thing. So to summarize there's a lot of modes that we can break with this really so we can break a lot of modes that are really used that are standardized and really used like CBCMAC, PMAC, GCM, OCB those are really important modes and turns out they are not secure if you can do quantum queries to the oracle. We have also looked at Caesar candidates and it turns out we can break eight of them so that's also a non-negligible fraction. So there's really something happening here. If you compare this to the situation with encryption modes surprisingly it's very different. Most encryption modes are actually secure against quantum queries so a lot of authentication modes are broken but encryption mode seems to be secure. I don't really have a good explanation for this but personally something different happening. It's also important to see that even though we can break a lot of them it's still possible to build a secure max. It's not that the model is too strong and we break everything. Just before concluding I'd like to talk about something a little bit different. Everything so far was about mode of operation and I'm going to talk about cryptanalysis techniques so I'm looking inside the block cipher and I'm going to look at slide attacks. Slide attack is a class of attack where you look at an iterated block cipher and you assume that it's iterating exactly the same function so you repeat the same permutation at every round and you absorb the same key at every round. If you do this there's a nice attack where the idea is to find a pair of inputs xx prime so that they are basically shifted by one round. So the encryption starts one round later and ends one round later. And it turns out it's possible to find values with this kind of relations and if you want to do a classical attack to find this I will skip the details but basically we can detect this by finding collisions and this attack can also be quantized so it's also possible to build a quantum version of this attack and what we do is we build this or function in this way so it's actually a little bit different from the attacks I showed so far but the function is now defined in a different way so we use a one bit input plus one block of data and what we do is if a bit is zero we're going to take x plus p of encryption of x and if a bit is one we're going to take x plus encryption of p of x. And now if you try to write down exactly what this makes you can see that if you have f of zero x you can write down what you get it's actually the same as f of one x plus k so you actually have a period also in this function the period will give out a secret key k so if you have a block cipher with this very strong structure well I should say that actual block cipher usually avoid this structure because we know there are issues with it but it's still interesting to see that if you have this structure you can actually break this in time that's only polynomial in n and that's the first case to the construction So to conclude the first message is that Simon's algorithm actually breaks real problems that's something that was not completely of use from the quantum side of this when Simon's algorithm was first introduced it was a very important result because it was the first case where we had a quantum algorithm that was exponentially faster than classical algorithms but the problem that it solves is considered as very artificial not really something that was important in real life and turns out in cryptography this very problem is actually important for a lot of systems that we use so that's something interesting here and in terms of applications we can break a lot of MAC modes and autenticated encryption modes with attacks that takes only linear time and we can also improve some cryptanalysis techniques so the really big result is well there's not just other algorithms if we look at the security of symmetric cryptography against quantum algorithms there are actually better attacks than Grover's algorithm so I think it's worthwhile looking at it and seeing really what we can do on the other hand this attack is not really practical in the sense that it uses a very strong model so we don't really expect that it will break actual implementations of crypto and this will conclude my talk thank you