Section: New Results
Quantum Information
Participants: Xavier Bonnetain, Rémi Bricout, Kaushik Chakraborty, André Chailloux, Antoine Grospellier, Gaëtan Leurent, Anthony Leverrier, Vivien Londe, María Naya Plasencia, Jean-Pierre Tillich.
Quantum codes
Protecting quantum information from external noise is an issue of paramount importance for building a quantum computer. It is also worthwhile to notice that all quantum error-correcting code schemes proposed up to now suffer from the very same problem that the first (classical) error-correcting codes had: there are constructions of good quantum codes, but for the best of them it is not known how to decode them in polynomial time.
Two PhD theses started in September 2016 on this topic. First, Antoine Grospellier, co-advised by A. Leverrier and O. Fawzi (ENS Lyon), will study efficient decoding algorithms for quantum LDPC codes. Beyond their intrinsic interest for channel coding problems, such algorithms would be particularly relevant in the context of quantum fault-tolerance, since they would considerably reduce the overhead required to obtain fault-tolerance in quantum computation. Vivien Londe is co-advised by A. Leverrier and G. Zémor (IMB), and his thesis is devoted to the design of better quantum LDPC codes: the main idea is to generalize the celebrated toric code of Kitaev by considering cellulations of manifolds in higher dimensions. A recent surprising result was that this approach leads to a much better behaviour than naively expected, and a major challenge is to explore the mathematics behind this phenomenon in order to find even better constructions, or to uncover potential obstructions.
Recent results:

Introduction of a new class of quantum LDPC codes, “quantum expander codes”, featuring a simple and very efficient decoding algorithm which can correct arbitrary patterns of errors of size scaling as the square root of the length of the code. These are the first constant-rate codes for which such an efficient decoding algorithm is known [36], [59].
Quantum cryptography
A recent approach to cryptography takes into account that all interactions occur in a physical world described by the laws of quantum physics. These laws put severe constraints on what an adversary can achieve and allow, for instance, the design of provably secure key distribution protocols. We study such protocols as well as more general cryptographic primitives, such as coin flipping, whose security properties are based on quantum theory.
Recent results:

A. Chailloux, together with colleagues from IRIF and Jerusalem, established the existence of quantum weak coin flipping with arbitrarily small bias [12].

A. Chailloux and international collaborators performed an experimental verification of multipartite entanglement in quantum networks [24].

A. Chailloux and collaborators established the optimal bounds for quantum weak oblivious transfer [15].

Security analysis of quantum key distribution with continuous variables [35].
Relativistic cryptography
Two-party cryptographic tasks are well known to be impossible without complexity assumptions, in either the classical or the quantum world. Remarkably, such no-go theorems become invalid when adding the physical assumption that no information can travel faster than the speed of light. This additional assumption gives rise to the emerging field of relativistic cryptography. We recently started investigating such questions through the task of bit commitment. In a paper in Physical Review Letters in 2015, K. Chakraborty, A. Chailloux and A. Leverrier developed a security proof for a simple and easily implementable protocol that can achieve arbitrarily long commitment times, thereby establishing that relativistic cryptography is a very practical solution.
André Chailloux was awarded an ANR “Jeune chercheur” to develop the field of relativistic cryptography [31].
Recent results:

R. Bricout and A. Chailloux [70] considered explicit attacks against the relativistic protocol for bit commitment mentioned above and proved that the security analysis published in Physical Review Letters 2015 is essentially tight.

A drawback of the relativistic bit commitment protocol is that it requires all communications to remain perfectly synchronized during the entire commitment time, and a single network failure leads to aborting the protocol. K. Chakraborty, A. Chailloux and A. Leverrier proposed a more robust version of the protocol that can deal with such network failures, a required feature in order to implement the protocol in realistic conditions [16], [71].
Quantum cryptanalysis of symmetric primitives
Symmetric cryptography seems at first sight much less affected in the post-quantum world than asymmetric cryptography: its main known threat is Grover's algorithm, which allows an exhaustive key search with the square root of the classical complexity. For this reason, it is usually believed that doubling key lengths suffices to maintain an equivalent security level in the post-quantum world. However, a lot of work is certainly required in the field of symmetric cryptography in order to “quantize” the classical families of attacks in an optimized way. M. Naya Plasencia has recently been awarded an ERC Starting Grant for her project named QUASYModo on this topic.
Recent results:

Differential and linear attacks in the quantum setting: G. Leurent, A. Leverrier and M. Naya Plasencia, in collaboration with M. Kaplan, have obtained some results on quantum versions of differential and linear cryptanalysis [23]. They show that it is usually possible to use quantum computations to obtain a quadratic speedup for these attacks, but not for all variants. Therefore, the best attack in the classical world does not necessarily lead to the best quantum one.

Application of Simon's algorithm to symmetric cryptanalysis [51], [33]: Leurent et al. also proved that several attacks can be dramatically sped up using a quantum procedure known as Simon's algorithm for finding the period of a function. As a first application, the most widely used modes of operation for authentication and authenticated encryption (e.g. CBC-MAC, PMAC, GMAC, GCM, and OCB) are completely broken in this security model. These quantum attacks are also applicable to many CAESAR candidates: CLOC, AEZ, COPA, OTR, POET, OMD, and Minalpher. Second, Simon's algorithm can also be applied to slide attacks, leading to an exponential speedup of a classical symmetric cryptanalysis technique in the quantum model.