Section: New Results
Quantum Information
Participants: Xavier Bonnetain, Rémi Bricout, André Chailloux, Shouvik Ghorai, Antoine Grospellier, Anirudh Krishna, Anthony Leverrier, Vivien Londe, María Naya Plasencia, Andrea Olivo, Jean-Pierre Tillich, André Schrottenloher.
Our research in quantum information focuses on several axes: quantum codes, with the goal of developing better error correction strategies to build large quantum computers; quantum cryptography, which exploits the laws of quantum mechanics to derive security guarantees; relativistic cryptography, which additionally exploits the fact that no information can travel faster than the speed of light; and finally quantum cryptanalysis, which investigates how quantum computers could be harnessed to attack classical cryptosystems.
Quantum codes
Protecting quantum information from external noise is an issue of paramount importance for building a quantum computer. It is also worthwhile to notice that all quantum error-correcting code schemes proposed up to now suffer from the very same problem that the first (classical) error-correcting codes had: there are constructions of good quantum codes, but for the best of them it is not known how to decode them in polynomial time.
Two PhD students within the project-team work on this topic. First, Antoine Grospellier, co-advised by A. Leverrier and O. Fawzi (Ens Lyon), studies efficient decoding algorithms for quantum LDPC codes. Beyond their intrinsic interest for channel-coding problems, such algorithms would be particularly relevant in the context of quantum fault-tolerance, since they would make it possible to considerably reduce the overhead required to obtain fault-tolerance in quantum computation. Vivien Londe is co-advised by A. Leverrier and G. Zémor (IMB) and his thesis is devoted to the design of better quantum LDPC codes: the main idea is to generalize the celebrated toric code of Kitaev by considering cellulations of manifolds in higher dimensions. A recent surprising result was that this approach leads to a much better behaviour than naively expected, and a major challenge is to explore the mathematics behind this phenomenon in order to find even better constructions, or to uncover potential obstructions.
Recent results:

Decoding algorithm for quantum expander codes [48], [47], [56]: In this work, A. Grospellier, A. Leverrier and O. Fawzi analyze an efficient decoding algorithm for quantum expander codes and prove that it can correct a linear number of random errors with a negligible failure probability. As an application, this shows that this family of codes can be used to obtain quantum fault-tolerance with only a constant overhead in terms of qubits, compared to a polylogarithmic overhead as in previous schemes. This is a crucial step in order to eventually build large universal quantum computers.
Quantum cryptography
Quantum cryptography exploits the laws of quantum physics to establish the security of certain cryptographic primitives. The most studied one is certainly quantum key distribution, which allows two distant parties to establish a secret using an untrusted quantum channel. Our activity in this field is particularly focused on protocols with continuous variables, which are well-suited to implementations. The interest of continuous variables for quantum cryptography was recently recognized by being awarded a 10 M€ funding from the Quantum Flagship, and SECRET will contribute to this project by studying the security of new key distribution protocols [88].
Recent results:

Security proof for two-way continuous-variable quantum key distribution [22]: while many quantum key distribution protocols are one-way, in the sense that quantum information is sent from one party to the other, it can be beneficial in terms of performance to consider two-way protocols where the quantum states perform a round-trip between the two parties. In this paper (to appear in Physical Review A), we show how to exploit the symmetries of the protocols in phase space to establish their security against the most general attacks allowed by quantum theory.

Investigating the optimality of ancilla-assisted linear optical Bell measurements [24]: Due to its experimental and theoretical simplicity, linear quantum optics has proved to be a promising route for the early implementation of important quantum communication protocols. A. Olivo and F. Grosshans study the efficiency of unambiguous Bell measurements in this model and show both theoretical and numerical bounds depending on the number of ancilla qubits. This is important for understanding what resources are needed for building quantum repeaters, the last missing building block for secure long-distance quantum key distribution networks.
Relativistic cryptography
Two-party cryptographic tasks are well-known to be impossible without complexity assumptions, either in the classical or the quantum world. Remarkably, such no-go theorems become invalid when adding the physical assumption that no information can travel faster than the speed of light. This additional assumption gives rise to the emerging field of relativistic cryptography. We have worked on this topic for several years, and Andrea Olivo was recruited as a PhD student to continue working on both theoretical and practical aspects of relativistic cryptography.
Recent results:

Relativistic commitment and zero-knowledge proofs [30]: A. Chailloux and A. Leverrier constructed a relativistic zero-knowledge protocol for any NP-complete problem. The main technical tool is the analysis of quantum consecutive measurements, which allows us to prove security against quantum adversaries. R. Bricout and A. Chailloux also studied relativistic multi-round bit commitment schemes. They showed optimal classical cheating strategies for the canonical ${F}_{Q}$ commitment scheme.
Quantum cryptanalysis of symmetric primitives
Symmetric cryptography seems at first sight much less affected in the post-quantum world than asymmetric cryptography: for a long time its main known threat seemed to be Grover's algorithm, which allows an exhaustive key search in the square root of the classical complexity. For this reason, it was usually believed that doubling key lengths suffices to maintain an equivalent security in the post-quantum world. However, a lot of work is certainly required in the field of symmetric cryptography in order to “quantize” the classical families of attacks in an optimized way, as well as to find new dedicated quantum attacks. M. Naya Plasencia has recently been awarded an ERC Starting grant for her project named QUASYModo on this topic.
Recent results:

Hidden-shift quantum cryptanalysis [43]: X. Bonnetain and M. Naya-Plasencia have obtained new results that consider the tweak proposed at Eurocrypt 2017 of using modular additions to counter Simon's attacks. They have developed new algorithms that improve and generalize Kuperberg's algorithm for the hidden shift problem. Thanks to their improved algorithm, they have been able to build a quantum attack in the superposition model on Poly1305, proposed at FSE 2005, largely used and claimed to be quantumly secure. They also analyzed the security of some classical symmetric constructions with concrete parameters, to evaluate the impact and practicality of the proposed tweak, concluding that it does not seem to be efficient.

Quantum algorithm for the $k$-XOR problem [49]: The $k$-XOR (or generalized birthday) problem aims at finding $k$ elements of $n$ bits, drawn at random, such that the XOR of all of them is 0. The algorithms proposed by Wagner more than 15 years ago remain the best known classical algorithms for solving it, when disregarding logarithmic factors. M. Naya-Plasencia and A. Schrottenloher, together with L. Grassi, studied this problem in the quantum setting and provided algorithms with the best known quantum time-complexities. In particular, they were able to considerably improve the 3-XOR algorithm.
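To make the classical baseline concrete, here is Wagner's $k$-tree algorithm for the $k=4$ case, written as an added example (it is not code from the cited paper or from the project). It assumes four lists of uniformly random $n$-bit words as constructed sample input, with $n=24$ and $2^9$ words per list, so that about $2^{12}/2^8 = 16$ solutions are expected to be found.

```python
import random
from collections import defaultdict


def make_instance(n, size, seed):
    """Constructed sample input: four lists of `size` uniformly random n-bit words."""
    rng = random.Random(seed)
    return [[rng.getrandbits(n) for _ in range(size)] for _ in range(4)]


def merge_on_low_bits(left, right, bits):
    """Join two tagged lists on their low `bits` bits.

    Entries are (value, provenance), provenance being the tuple of original words
    XORed to obtain `value`. Matched pairs yield x ^ y, whose low `bits` bits are
    zero, so the next level only has to match the remaining bits.
    """
    mask = (1 << bits) - 1
    index = defaultdict(list)
    for x, tag in left:
        index[x & mask].append((x, tag))
    return [(x ^ y, tag_x + tag_y)
            for y, tag_y in right
            for x, tag_x in index[y & mask]]


def four_xor_wagner(lists, n):
    """Wagner's k-tree for k = 4 on n-bit words.

    Level 1 merges L1 with L2 and L3 with L4 on the low n/3 bits; level 2 looks for
    an exact match between the two merged lists (i.e. on the remaining 2n/3 bits).
    With lists of about 2^(n/3) words every level stays of size ~2^(n/3), so the
    run costs ~2^(n/3) instead of the ~2^(n/2) of a plain two-list birthday search.
    Returns (x1, x2, x3, x4) with x1 ^ x2 ^ x3 ^ x4 == 0, or None if none is found.
    """
    bits = n // 3
    tagged = [[(x, (x,)) for x in lst] for lst in lists]
    left = merge_on_low_bits(tagged[0], tagged[1], bits)
    right = merge_on_low_bits(tagged[2], tagged[3], bits)
    by_value = {value: tag for value, tag in left}
    for value, tag in right:
        if value in by_value:
            return by_value[value] + tag
    return None


def is_solution(lists, sol):
    """Check that sol takes one word from each list and that the words XOR to zero."""
    if sol is None or len(sol) != len(lists):
        return False
    acc = 0
    for x in sol:
        acc ^= x
    return acc == 0 and all(x in lst for x, lst in zip(sol, lists))
```

Only solutions whose first-level pairs already agree on the low $n/3$ bits are found, which is the usual price of the $k$-tree approach.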

Quantum cryptanalysis of CSIDH and ordinary isogeny-based schemes [68]: CSIDH is a recent proposal by Castryck et al. for post-quantum non-interactive key exchange. It is similar in design to a scheme by Couveignes, Rostovtsev and Stolbunov, but it replaces ordinary elliptic curves by supersingular elliptic curves. Although CSIDH uses supersingular curves, it can be attacked by a quantum subexponential hidden shift algorithm due to Childs et al. While the designers of CSIDH claimed that the parameters they suggested ensure security against this algorithm, X. Bonnetain and A. Schrottenloher showed that these security parameters were too optimistic: they improved the hidden shift algorithm and gave a precise complexity analysis in this context, which greatly reduced the complexity. For example, they showed that only ${2}^{35}$ quantum equivalents of a key exchange are sufficient to break the proposed 128-bit classical, 64-bit quantum security parameters, instead of ${2}^{62}$. They also extended their analysis to ordinary isogeny computations, and showed that an instance proposed by De Feo, Kieffer and Smith and expected to offer 56 bits of quantum security can be broken in ${2}^{38}$ quantum evaluations of a key exchange.