Section: New Results
Quantum Information
Participants : Simon Apers, Ivan Bardet, Xavier Bonnetain, Rémi Bricout, André Chailloux, Simona Etinski, Antonio Florez Gutierrez, Shouvik Ghorai, Antoine Grospellier, Lucien Grouès, Anthony Leverrier, Vivien Londe, María Naya Plasencia, Andrea Olivo, JeanPierre Tillich, André Schrottenloher, Christophe Vuillot.
Our research in quantum information focusses on several axes: quantum codes with the goal of developing better errorcorrection strategies to build large quantum computers, quantum cryptography which exploits the laws of quantum mechanics to derive security guarantees, relativistic cryptography which exploits in addition the fact that no information can travel faster than the speed of light and finally quantum cryptanalysis which investigates how quantum computers could be harnessed to attack classical cryptosystems.
Quantum codes
Protecting quantum information from external noise is an issue of paramount importance for building a quantum computer. It also worthwhile to notice that all quantum errorcorrecting code schemes proposed up to now suffer from the very same problem that the first (classical) errorcorrecting codes had: there are constructions of good quantum codes, but for the best of them it is not known how to decode them in polynomial time.
Two PhD theses have been defended this year within the projectteam on this topic. First, Antoine Grospellier, coadvised by A. Leverrier and O. Fawzi (Ens Lyon), studied efficient decoding algorithms for quantum LDPC codes [13]. Beyond their intrinsic interest for channelcoding problems, such algorithms would be particularly relevant in the context of quantum faulttolerance, since they would allow to considerably reduce the required overhead to obtain faulttolerance in quantum computation. Vivien Londe, coadvised by A. Leverrier and G. Zémor (IMB), worked on the design of better quantum LDPC codes [14]: the main idea is to generalize the celebrated toric code of Kitaev by considering cellulations of manifolds in higher dimensions. A surprising result was that this approach leads to a much better behaviour than naively expected and a major challenge is to explore the mathematics behind this phenomenon in order to find even better constructions, or to uncover potential obstructions.
Lucien Grouès, who did an internship this summer in the projectteam, has recently started a PhD with A. Leverrier and O. Fawzi on decoding quantum LDPC codes, and preliminary numerical results have already appeared in [62].
Ivan Bardet joined the projectteam as a postdoc in March 2019, and will start a starting research position in 2020. His research focusses on the study of opensystem dynamics as well as mixing times of Markovian dissipative evolutions with the goal of better understanding the lifetime of quantum memories.
Recent results:

Decoding algorithms for Hypergraph Product Codes [62]: this work deals with numerical simulation of several variants of the SMALLSETFLIP decoder for hypergraph product codes. While this decoder had already been studied analytically in previous work in the regime of extremely low noise, we are focussing here on understanding its performance for a realistic noise model.

Towards Low Overhead Magic State Distillation [30]: the major source of overhead in quantum faulttolerance usually lies in the primitive called magic state distillation which takes a number of noisy versions of a specific quantum state and prepares a new state with less noise. An important question is to understand how efficient this procedure can be. In this work, we prove that magic state distillation can perform much more efficiently than expected when working with quantum systems of large dimension instead of qubits.
Quantum cryptography
Quantum cryptography exploits the laws of quantum physics to establish the security of certain cryptographic primitives. The most studied one is certainly quantum key distribution, which allows two distant parties to establish a secret using an untrusted quantum channel. Our activity in this field is particularly focussed on protocols with continuous variables, which are wellsuited to implementations. The interest of continuous variables for quantum cryptography was recently recognized by being awarded a 10 M€ funding from the Quantum Flagship and SECRET contributes to this project by studying the security of new key distribution protocols.
Recent results:

Security proof for twoway continuousvariable quantum key distribution [28]: while many quantum key distribution protocols are oneway in the sense that quantum information is sent from one party to the other, it can be beneficial in terms of performance to consider twoway protocols where the quantum states perform a roundtrip between the two parties. In this paper, we show how to exploit the symmetries of the protocols in phasespace to establish their security against the most general attacks allowed by quantum theory.

Asymptotic security of continuousvariable quantum key distribution with a discrete modulation [29]: in this work, we establish a lower bound on the secret key rate of a practical quantum key distribution protocol that will be implemented in the context of the H2020 project CiViQ.
Quantum cryptanalysis of symmetric primitives and quantum algorithms
Symmetric cryptography seems at first sight much less affected in the postquantum world than asymmetric cryptography: its main known threat seemed for a long time Grover's algorithm, which allows for an exhaustive key search in the square root of the normal complexity. For this reason, it was usually believed that doubling key lengths suffices to maintain an equivalent security in the postquantum world. However, a lot of work is certainly required in the field of symmetric cryptography in order to “quantize” the classical families of attacks in an optimized way, as well as to find new dedicated quantum attacks. M. Naya Plasencia has been awarded an ERC Starting grant for her project named QUASYModo on this topic.
In parallel to this work, S. Apers is developing generic quantum algorithms solving combinatorial problems, notably in graphs. He also recently proposed a unified framework of quantum walk search, that will likely find applications in the context of quantum cryptanalysis.
Recent results:

Quantum algorithm for the $k$XOR problem and for list merging: The $k$XOR (or generalized birthday) problem aims at finding $k$ elements of $n$bits, drawn at random, such that the XOR of all of them is 0. The algorithms proposed by Wagner more than 15 years ago remain the best known classical algorithms for solving it, when disregarding logarithmic factors. A. Chailloux, M. NayaPlasencia and A. Schrottenloher, together with L. Grassi, studied this problem in the quantum setting and provided algorithms with the best known quantum timecomplexities [38], [39].

Quantum security of AES [17]: In order to determine the postquantum secuirty margin of AES256, X. Bonnetain and M. NayaPlasencia have proposed generalized and quantized versions of the best known cryptanalysis on reducedround versions of AES256, including a quantum DemirciSelçuk meetinthemiddle attack.

Quantum attacks without superposition queries : In symmetric cryptanalysis, the model of superposition queries has led to surprising results, but the practical implications of these attacks remain blurry. In contrast, the results obtained so far for a quantum adversary making classical queries only were less impressive. For the first time, M. NayaPlasencia and A. Schrottenloher, together with A. Hosoyamada and Y. Sasaki, managed to leverage the algebraic structure of some cryptosystems in the context of a quantum attacker limited to classical queries and offline quantum computations. Most notably, they are able to break the EvenMansour construction in quantum time $\tilde{\mathcal{O}}(2\mathit{n}/3)$ with $\mathcal{O}(2\mathit{n}/3)$ classical queries and $\mathcal{O}\left({n}^{2}\right)$ qubits only.

Quantum cryptanalysis of CSIDH and Ordinary Isogenybased Schemes [16]: CSIDH is a recent proposal by Castryck et al. for postquantum noninteractive keyexchange. It is similar in design to a scheme by Couveignes, Rostovtsev and Stolbunov, but it replaces ordinary elliptic curves by supersingular elliptic curves. Although CSIDH uses supersingular curves, it can attacked by a quantum subexponential hidden shift algorithm due to Childs et al. While the designers of CSIDH claimed that the parameters they suggested ensures security against this algorithm, X. Bonnetain and A. Schrottenloher showed that these security parameters were too optimistic: they improved the hidden shift algorithm and gave a precise complexity analysis in this context, which greatly reduced the complexity. For example, they showed that only ${2}^{35}$ quantum equivalents of a keyexchange are sufficient to break the 128bit classical, 64bit quantum security parameters proposed, instead of ${2}^{62}$. They also extended their analysis to ordinary isogeny computations, and showed that an instance proposed by De Feo, Kieffer and Smith and expected to offer 56 bits of quantum security can be broken in ${2}^{38}$ quantum evaluations of a key exchange.

New graphrelated quantum algorithms. A first paper presents an approach to improve expansion testing using quantum FastForwarding and growing seed sets [64]. A second paper introduces a graph sparsification algorithm [65], which when combined with existing classical algorithms yields the first quantum speedup for approximating the max cut, min cut, min stcut, sparsest cut and balanced separator of a graph. Moreover, combining it with a classical Laplacian solver yields a similar speedup for Laplacian solving, for approximating effective resistances, cover times and eigenvalues of the Laplacian, and for spectral clustering.

Quantum walks: in a first work, S. Apers describes a new quantum algorithm for quantum walk sampling using growing seed sets [42] with applications for $st$connectivity and problems related to graph isomorphism. A second work [66] introduces a new quantum walk search framework that unifies and strengthens the existing ones.

Quantum query lower bounds [59], [60]: Many computational problems, such as finding collisions in a function, are symmetric in their inputs. A. Chailloux showed that for this class of problems, any quantum algorithm can have at most a cubic advantage over the best classical algorithm in the query model, while the previously known bound gave up to 7th root advantage. This result enhances our understanding on the limitations of quantum algorithms.