## Periodic Reporting for period 2 - CerQuS (Certified Quantum Security)

Reporting period: 2020-12-01 to 2022-05-31

Digital communication permeates all areas of today's daily life. Cryptographic protocols are used to secure that communication. Quantum communication and the advent of quantum computers both threaten existing cryptographic solutions and create new opportunities for secure protocols. The security of cryptographic systems is normally ensured by mathematical proofs. Due to human error, however, these proofs often contain errors, limiting the usefulness of said proofs. This is especially true in the case of quantum protocols, since human intuition is well adapted to the classical world, but not to quantum mechanics. To resolve this problem, methods for verifying cryptographic security proofs using computers (i.e. for "certifying" the security) have been developed. Yet all existing verification approaches handle classical cryptography only; for quantum protocols, no approaches exist.

This project will lay the foundations for the verification of quantum cryptography. We will design logics and software tools for developing and verifying security proofs on the computer, both for classical protocols secure against quantum computers (post-quantum security) and for protocols that use quantum communication.

Our main approach is the design of a logic (quantum relational Hoare logic, qRHL) for reasoning about the relationship between pairs of quantum programs, together with an ecosystem of manual and automated reasoning tools, culminating in fully certified security proofs for real-world quantum protocols.

As a final result, the project will improve the security of protocols in the quantum age by removing one possible source of human error. In addition, the project directly impacts the research community by providing new foundations in program verification and by providing cryptographers with new tools for the verification of their protocols.


We have developed a verification tool (called qrhl-tool, see the screenshot) for the verification of the security of quantum cryptographic protocols. Using this tool, it is possible to take a mathematical proof of the security of a protocol and "explain" it to the computer. The computer will then check that the proof contains no mistakes. This is necessary because humans tend to make errors both when writing proofs and when verifying them; the tool gives us higher assurance in the security of the protocols. The tool is freely available as open source.

The tool is not merely a piece of software; it comes with a large amount of mathematical theory behind it. To be sure that the tool performs as desired, we need to create a mathematical "logic" in which we write the computer-verified proofs. We developed a logic called qRHL; the qrhl-tool understands this logic (so the user of the tool needs to explain the proof in qRHL). Our development of the mathematical foundations so far includes: the basic logic qRHL; an extension of qRHL to handle local program variables (variables used only by one subprocedure in the cryptographic protocol we analyze); a mathematical theory of what a variable in a quantum program is in the first place; and a variant of qRHL that allows us to express quantitative statements.

However, if we prove by hand that the logic used by qrhl-tool is correct, haven't we simply shifted the problem? Now there could be errors in our manually checked proof of the correctness of that logic, or we could have made mistakes when implementing it in qrhl-tool. To avoid this problem, we plan to go one step further: qrhl-tool itself should not just "trust" what steps are allowed in qRHL. Instead, it should break down each step into elementary mathematical reasoning steps, each of which is as simple as possible. Then we need to be sure of only a small part of the toolchain, namely the trusted core that checks those elementary steps. (This is called the "foundational approach".) We have not yet reached this goal, but we have made considerable progress: we use a general-purpose theorem prover for mathematical theorems, called Isabelle/HOL, to check some of the proof steps qrhl-tool makes. For this, we have already implemented support for various mathematical theories in Isabelle/HOL, such as support for reasoning about bounded operators over complex Hilbert spaces, and a foundationally verified implementation of our theory of variables in quantum programs.

But is it feasible to use qrhl-tool to verify actual real-world cryptographic protocols? After all, "explaining" the security proof to qrhl-tool, while possible in principle, might be so labor-intensive that it cannot practically be done. To make sure that this is not the case, we have verified in qrhl-tool a state-of-the-art result in post-quantum cryptography, namely the security of the so-called Fujisaki-Okamoto transform. (This is an important technique for constructing encryption schemes that withstand quantum attacks. It is used, for example, in many candidates for future industry-standard encryption schemes.) This both gives deeper trust in the security of those encryption schemes and shows that our approach of verifying the security of quantum protocols with the computer is feasible.


All the results described in the preceding section are progress beyond the state of the art: our work provides the first framework for analyzing the security of quantum or post-quantum protocols. The analysis of Fujisaki-Okamoto is the first computer-verified analysis of a non-trivial post-quantum secure protocol.

At the end of the project, we expect to have a fully workable foundational qrhl-tool, with all background theories fully verified in Isabelle/HOL. We expect to have several case studies of new and existing post-quantum and quantum protocols performed in qrhl-tool, giving us high assurance in their security.

This will come with sound logical foundations that can be used beyond just our qrhl-tool.
