 Good morning. I'm Leo Ducat. I have the pleasure to chair this session this morning and also be responsible for mispronouncing numerous Asian names. I'm very sorry in advance for that. We'll be starting with limits of polynomial packing for ZPK and FPK and the talk will it's a joint work between Jean-Cahy Cheon and Kiwo Lee and the talk will be given by Kiwo. Okay, thank you for the introduction and thank you for coming. I know it's early morning and we had a party last night so yeah thank you for coming. Today I will talk about limits of polynomial packings for ZPK which is integer ring modulo p2k and finite field FP2k. This is a joint work with my advisor, Jean-Cahy Cheon. So I want to begin with a sketch of our work. So the starting point of our work is an observation that an observation that very similar mathematical objects are being studied independently in sub-fields of cryptography. So we abstract these concepts as what we call polynomial packing and initiate formal and unified study of polynomial packing. And then we prove some upper bounds and impossibility results. That is we prove that we cannot achieve certain level of efficiency and we cannot construct some packing, polynomial packing satisfying some desirable features. And next coming back to our context we observe how these results imply in the context. What these results imply in the context. So yeah for the sake of limited time I will first define polynomial packing and then see how we abstract existing concepts. So what is polynomial packing method? It is a pair of algorithms packed and unpacked. So pack is a pack literally packs some several copies of small ring R into a large polynomial ring script R and unpack which is opposite of a pack. As our title suggests we are mostly concerned with the case where R is that pk or fpk. We measure the packing density which is we measure the efficiency of our packing method by its packing density which is defined as the ratio between the bit size of packed rings and the bit size of the polynomial ring. Without any algebraic structure polynomial packing is no more than just labeling. So what we find useful and interesting is degree d packing which satisfies a kind of homomorphic property that is for any polynomial p of degree not greater than d. We have this commutative diagram where p is applied element wise in the left side that is if we pack message into a polynomial and evaluate p on the polynomial and unpack it we get the results which we get if we directly apply p to the messages element wise. To prevent future confusion I want to remark that unpacked algorithm may differ for each multiplicative level. So this is how we formally define degree d packing in our paper. It is pretty short but you do not have to read it right now. I just wanted to make sure that actually degree d packing is defined as a collection of packing methods so unpack may differ for each multiplicative level. So now the context. First homomorphic encryption it is a crypto system which supports computation on encrypted data. That is for a class of functions we have procedure called eval which makes this diagram commute so that if we encrypt a plain text and apply eval p on it and decrypt it we get the results which we get if we directly apply p to the plain text. Another remark is that contraint HE schemes are often based on being LWE problem rather than plain LWE problem for efficiency regarding heat dyes and etc. This includes a renowned BGV scheme and FAB scheme which is in mainstream in HE community. But what does it really mean to be a LWE based homomorphic encryption? That means our plain text is now a scary looking polynomial ring and our scheme is so more big up to computation. Computations namely additions and multiplications of this polynomial ring. So using ring LWE enhances efficiency but not about practical usability. So this scary looking polynomial ring structure does not seem to reflect practical reality. So who would want to compute on this polynomial ring for real life applications? So the great idea of smart Denver was essentially to use polynomial packing for more friendly structure or in their language to use homomorphic in the operation. That is if we attach this packing method in front of HE scheme we can use HE scheme with regard to more friendly structure R while not losing too much efficiency by embedding. Not losing too much efficiency in omertite sense by embedding as many elements as we can. Here are some examples of HE packings. The traditional packing method by smart Denver turn packed messages through CRT ring isomorphism. Thus their method naturally has a degree infinity and perfect density of one. The special case where the cyclotomic polynomial fully splits modulo p is still universally used in HE applications. But a limitation of the traditional method is that it does not provide packing for general ZPK especially when p is small. In this regard a packing method for Z2K was first suggested by Gentry Hallevi smart and later generalized to ZPK by Hallevi and Schup. I will call this method packing in this talk and their idea was to pack messages only at the constant term of CRT components of the polynomial ring. Considering ZPK was to improve the efficiency of FHE bootstraping but this leads to a significant loss in packing density. New packing methods were suggested along the recent developments in SHG-based MPC over Z2K which recalls speeds family if you are familiar with that term. An observation made by overdrive 2K was that degree 2 packing is enough for diverse triple generation and they achieve density of roughly 1 over 5 and megahertz 2K of all of work by our team achieve density of roughly a half. Next I will briefly talk about RMFE in cryptography using large field is often required due to mathematical structure or security reasons. On the other hand we usually want to compute over small fields namely F2 the Boolean field. So the idea of Cascudo, Cramer, Singh and Yuan was to study this reverse multiplication friendly embedding which embeds algebraic structure of copies of small fields into a larger field. For example embedding copies of Boolean fields into a binary extension field. Essentially RMFEs are degree 2 packing from N copies of FQ into FQ to the D which is isomorphic to FQX quotient by some irreducible polynomial and I want to know that RMFEs indeed a polynomial packing and I want to know that RMFE is now a standard tool in information theoretical multi-party computation and is also being used in zero knowledge. Now theorems and implications. In this talk I will only state theorems for is that PK case analogous theorems holds for FPK and you can check the paper if you are interested. And also we will not talk about proofs. A short remark is that although our theorems may seem very natural proofs are slightly involved due to algebraic subtleties so if you're interested you can check the proofs but honestly I do not recommend to do that because proof is not the fun part of this paper. First we have an upper bound on packing density. Roughly speaking density of degree D packing method is not greater than 1 over D and to be more precise we have this bound. So we can check that this is consistent with traditional packing which is degree infinity packing and has perfect density of 1 but in that case the polynomial the cyclotomic polynomial fully splits. So this small D is 1 so yeah this makes sense. And so implications. First, mega2k achieves near optimal density as a degree 2 packing for Z2k as since its density is roughly a half and second our proof of FPK version of this theorem implies a new and more general proof for upper bound on rate of RMFE. Here general means it can be extended to higher degree not just degree 2. And last our theorem implies the first upper bound on rate of RMFE over Galois ring which is first considered Kramer and Rambod and Singh and level consistency. So we call a packing method level consistent if the packing structure is same for all multiplicative level. Since level consistency directly implies degree infinity packing this is desirable for the use in fully homomorphic encryption. And if a packing is consistent then we can perform homomorphic computations between different multiplicative levels. So what is this good for? For example we need these kinds of operations during reshare protocol which is an important building block of SHC based MPC mainly speeds family. So our theorem says we cannot pack more than the number of irreducible factors of Gaussian polynomial modulo p. First, our theorem implies that the highly packing for Z2k is an optimal level consistent packing with respect to packing density. Second, it is impossible to achieve efficient level consistent HE packing for Z2k. And followingly this shows the importance of a trick suggested in mega Z2k to bypass some drawback of level dependent packings in reshare protocol. So we call a packing method subjective if any element of polynomial ring is a valid packing for some messages. So the activity is desirable since if not a malicious packer might leverage this invalid packings in protocols. Our theorem says we cannot pack more than the number of linear factors of quotient polynomial modulo p to the k. First, our theorem implies that it is impossible to construct any subjective HE packing for Z2k. And followingly this shows the importance of a concept named zero knowledge proof of message knowledge suggested in mega Z2k which proved that this hypertext contains a validly packed message. Okay, so summary. We initiated the formal and unified study of polynomial packing which appears in various contexts including homomorphic encryption, somatomorphic encryption based multi-party computation, and information theoretical MPC and also zero knowledge. Then we proved upper bound on packing density and the possibility results regarding level consistency and surjectivity. Our results have implications on SHG based MPC over Z2k, namely optimality and some justifications of techniques used in megahertz 2k. And implications on HE packing that heavily packing is optimal if we want Z2k message space and level consistency. And also implications on upper bound on rates of RMSE. As a conclusion, I want to say something about why I think this work is interesting. First, a packing is not a question as before secure computation. Since messages are static in traditional cryptosystems like vanilla public encryption, we do not have to worry about algebraic structure of the message space. Second, packing is a question shared by secure computation primitives such as HE, MPC, and zero knowledge. In this regime, messages are dynamic and of course algebraic structure of message space matters. And I believe that there are more questions of like this, namely which is not a question as before secure computation, but is a question shared by secure computation primitives. And this must be especially visible when we try to apply secure computation to real life problems seeking practical usability. And that's it. Thank you for listening. Thank you. Any question for him? We have quite a bit of time. No, no one. I'll shoot one first and then let's see if someone else. So have you also looked at the applications of your serum outside of cryptography? Because this kind of embedding techniques, they look a lot like what is done, for example, by Harvey and von der Poel for inter-germanization in times and log in all this kind of algebra, computational algebra. So no, not really. So that will be interesting direction, future direction. Yeah. Okay. Anything else? Okay. So let's thanks Kiwo again and we'll come on next speaker.