Cryptography in the age of quantum computers

When a website like Gizmodo, that arguably is more about science fiction than about science, speculates what quantum computer games will be like, it becomes clear that quantum computers are a hot topic even far outside of the scientific community. That this media attention is at least partially justified is due to the far-reaching capabilities quantum computers will have. But how exactly will the arrival of fault-tolerant quantum computers change different areas of computer science? Cryptography is one of the areas which will be most affected. Two of the most well-known examples are Shor's algorithm and quantum key distribution, the former (and its variants) breaking all currently deployed public-key cryptography and the latter providing unconditionally secure key expansion over a public quantum channel, something that cannot be achieved with only classical resources.

As the fields of quantum cryptography and post-quantum cryptography (classical cryptography that is secure against quantum attackers) mature, many more questions of fundamental and practical importance arise.  Can we encrypt quantum data with security guarantees comparable to the TLS protocol, the cryptographic protocol behind https? How do we deal with the fact that a quantum attacker can implement public parts of the cryptosystem, like hash functions or cryptographic permutations, on their quantum computer? More generally, what changes if we run classical cryptography on a quantum computer?

These questions are central to my research, as exemplified by contributions to answering the first (pdf), the second (pdf) and the third one (pdf).

Currently, there is a clear hierarchy of importance between the different questions about the interaction of quantum computing and cryptography. While all cryptography that requires a quantum computer to run is in the stage of fundamental research (except for some experimental deployment of quantum key distribution), the development of post-quantum cryptography is very urgent. This fact is consensus among most researchers and practitioners, and NIST is running a standardization project. Recently, I have focused much of my research on answering provable-security questions arising in the context of that standardization effort (resulting in, e.g., these works: 1 2 3 4 5 6).

Quantum information processing and its mathematical structure

Quantum mechanics governs many parts of our everyday life, from the fact that plants are green, to the functioning of our electronic devices. Yet it defies our intuition, and features like quantum entanglement are fundamentally different from any classical analogue. With Quantum mechanics as underlying physical theory, quantum information theory exhibits a plethora of interesting and sometimes counter-intuitive features like the no-cloning theorem enabling private capacities of quantum channels, superactivation and data hiding, but also cryptographic functionalities like unconditionally secure key expansion ("QKD"), certified-deletion encryption etc.

My research in quantum information theory has established new insight into quantum correlations and communication protocols. With our intuition being severely limited in the quantum world, it is arguably even more important than in the classical case to develop appropriate mathematical tools. This has been an important feature of my work. As an example, the combined might of representation theory of the symmetric and unitary groups, random matrix theory and spectral theory of differential operators enabled me and my coauthors to determine the resource requirements for port-based teleportation (pdf), a protocol that can be used to circumvent some apparent road blocks due to the no-cloning theorem. Another example is the generalization of the ubiquitous decoupling technique to the conditional (pdf) and catalytic setting (pdf), as well as its application to entanglement theory (pdf).