 Thank you for the audience and thanks that you came thanks for the Congress of giving for giving me the opportunity to be here tonight to be able to tell you a bit about post quantum cryptography a bit about isogenes. I mean just educate the people a bit about what that means even Because I'm not so sure how many of you heard about that before Yeah, let's just jump right in so My day job is being a mathematics PhD student at an undisclosed university. You can ask me in private if you're interested So previously I did physics I was also or maybe I'm still a bit active in the console hacking scene And if you're interested about that shameless plug You can find us at Ninten Bros assembly later You can ask us all about our somehow console hacking endeavors, but enough about that so And I brought you some pictures screenshots of websites so I don't know if you have seen that chatter on social media and the blog sphere recently about that Google paper on quantum supremacy. So there's a nature article about that Beyond quantum supremacy and there is a verge article That Google confirms quantum supremacy and break through whatever that means There is Google's own blog post about it Notice there always these shiny pictures of these huge tabs filled with helium where they house these quantum computers So supremacy means The state or condition of being superior to all others in authority power status So calling something quantum supremacy. I mean that screams Something being pretty amazing But what what actually does this mean for us? What does it mean for cryptography? And I think I can relieve you all about from from maybe some fears that you had For us in practice. Maybe today. It doesn't really mean anything yet so For for cryptography in none of our underlying assumptions, whatever it means for now are being actively broken yet as we know of or that that we know of but in theory they are broken, okay, and Because the only broken in theory It's very good So we can still blame the designers and the implementers of whatever we cook up for for when things go wrong so that's that's nice too, but That's how I already wrote in the abstract a bit for this talk. We should be Somehow better be safe than sorry So instead of somehow waiting until the point of where quantum computers somehow become feasible to break our cryptography We should probably research it today. It's a bit with the climate change, right? It should probably try to save our climate today instead of waiting until it's too late So we're gonna we we want to do the same for for cryptography There are also three upcoming talks. I want to advertise here a bit. I think I don't remember the days But descriptions look pretty interesting. So I'm gonna leave that up for a few seconds So there's one improvable insecurity one called cryptography demystified and one about high assurance cryptography software So I'm sure this is going to be interesting Okay Let's let's return back to what I want to talk about. So there's something I Jokeling you call the post-pondum cryptography zoo There are a few buzzwords up there. You don't really have to know what they mean I'm just gonna say them out loud let his codes multivariate polynomial systems. That's also a bit of a mouthful. I'm hash based cryptography and There is the one that I want to briefly talk about tonight called super singular elliptic curve isotonists Okay, so this is this is the stuff that I really like isotonists. They're great And now I'm going to tell you why they're so great All right, so I I don't know how many of you have a mathematics background Maybe I can retest can people raise their hands where if they have some formal training in say algebra or Yeah, okay, so that's pretty good. So Just gonna tell you some something about it to their decimal numbers. This is pi Then there are rational numbers somehow there one half one third and so on and so forth Then there are the interest from minus infinity to plus infinity and I know they follow nice whole steps but For working with those numbers and for cryptography we we want something that's nicer behaved we want somehow a finite set Okay, so this is just important for implementation and the ones that we want to work with I'm just gonna remind you Are the integers modular n? So we take some positive integer n big n and then you consider the set from zero to n minus one Okay, and these numbers Default a certain addition and multiplication rules and it pretty much works like a clock face Okay, I chose n is 12 here and just bear with me imagine my clock face goes from 0 to 11 instead of from 1 to 12 But it's really the same No, for example, if I try to add 10 to 5 Okay, I start from 10. I go two steps and then I arrive at 0 This is when my clock ticks over right like on a real clock and then you go three more steps And so 10 plus 5 12 is 3 so it's numbers that kind of behave this way think of addition on on a clock face and For the computer scientists out there or I mean everyone probably knows about that for a computer They are like the 8-bit integers where n is 2 to the 8 and then these are the numbers from 0 to 255 and so on and so forth so this these are the numbers that we want to work with just to set the stage a bit and These isogenes They will live in a world where we we work with somehow related numbers to these integers mod n and now for big n We choose a prime p and then this Interters mod p they represent what we call the finite field with p elements Okay, and you can think of this as a set that has exactly p elements and it Really kind of behaves like the real numbers. Okay, you can add numbers You can subtract numbers who can divide by everything but 0 Okay, and this finite field of p elements works really the same It's just a finite set, but everything is invertible except 0 Okay, and these are the numbers that we're going to work with and computers can do that. So that's fine and Just for the sake of telling you there are also fields that have somehow p to the r elements, but they are not the same as Mod p to the r. Okay, but there is a way to construct it, but that's all you need to know about So this is really the set of numbers that we're going to work over and that that's all you need to know Okay, so The cryptographic problem that I want to focus in this talk is Simple key exchange. I'm not gonna talk about signatures. Not gonna talk about a crypto nothing Let's just focus on this one simple problem of how do Alice and Bob exchange a key Without anyone else somehow getting access to that key and I mean there are somehow classical solutions to that I could put my key in a suitcase and I couldn't bring it to Alice or I could somehow pay someone to bring The suitcase to Alice or maybe people heard about that thing where I put my lock on the box and I ship it to Alice And she puts her lock on the box and she ships it back and I remove my lock and then I ship it to Alice again Okay, so there they are countless ways, but we want to somehow do this in a nice instantaneous kind of way using mathematics, okay, so this simple problem is what we're going to focus on and classically Whatever that means for now This has been solved by Diffie and Helman and this is this nice paper from 1979 the title is new directions in cryptography So this already tells you that something important must be going on and What do you somehow invented there was a way to to exchange keys between two parties using a nice well-defined problem? Okay, and How does it work? Okay? I'm just gonna tell you how it works So there are two parties Alice and Bob and B. They agree on Safe prime modulus n. Okay, so this is the integers mod and that we just saw and Generator G. So what does that mean? Basically in my set from 0 to n? I want to single out one element such that every element element can be written as a power of that element and This means it generates it, right? So every y can be written as G to the x mod n Okay, this is my setup and then there is Alice and Bob and they agree on these two parameters. Okay And now how do they do the key exchange? So It's very symmetrical So Alice chooses a random a in the set from 1 to n minus 1 and she sends big a is G to the small a mod n to Bob And as you might have guessed it because I said it's a metric called Bob does the same. Okay So how does the picture go so Alice on the left? She chooses a random small a and She sends that big a to Bob Bob chooses a random small B. He sends that big B to Alice And then somehow the now they have to combine this somehow, right and how did you do this? so This is nice. They compute the shared kk The shared key so Alice takes the B She got got from Bob and raises it to the power of her own random secret value and Bob does the same and magically from mathematics they both get the same small k and now I'm going to tell you why somehow this is hard for anyone else to get the same small k So now bear with me I'm gonna write it down mathematically first of all, I'm gonna teach you a bit about that as well. So This is this diagram this commutative diagram somehow that represents this key exchange that just happened Okay, so Bob and Alice they both start in the left upper corner with the G and They both end up in the lower right corner the G to the AB So they both are able to somehow compute G to the AB and no one else's and how does that work? Well, Alice will only compute the horizontal arrows So she only raises to the power of small a because that's her random secret that only she knows and Bob only computes the vertical arrows So he only raises to the power of small B because that's the secret who knows and no one else does and I mean by by the commutativity and associativity of Exponentation they just agree on on the same G to the AB which is which is cool and Somewhere in there there hides a problem that we like to call the discrete logarithm problem And it just happens for integers mod n if I choose my and appropriately I'm not gonna tell you how but just believe me if I choose it appropriately If I give you Y and G for you, it's hard to find the small X It's somehow like taking a logarithm and we call it the discrete logarithm because it's a discrete set of numbers instead of the continues decimal numbers with what we started with was this discrete finite set of numbers and this DLP is hard okay, this this is a hard problem for classical computers and The best classic generic algorithm I'm not gonna talk about somehow Algorithms that specifically target integers mod n. I'm just going to talk about generic algorithms for for this DLP problem the best algorithm somehow has run time square root of big n of the number of elements and Say I chose my n about the size of 2 to the small n so n bits then Solving this takes exponential time in n right because the square root of 2 to the n is still pretty big Okay, this is about 2 to the n half and if I make n, I don't know a thousand It's still 512 bits. So this is a hard problem, but recently there has been a record for factoring and this and and DLP over a 795 bit Modulus and they used a bit a bit of a better algorithm, but still it I mean it still took them a long time Okay, so if I remember correctly this Feed took them 4,000 core years on a 2.1 gigahertz computer I mean it's still 4,000 core years. So this is a long time Okay, but as you can see it's possible to solve this I mean that just put enough if I have big enough hammer I I can solve this okay, but Again, you can make n pretty big bigger than Anything being able to solve this anymore But okay, so there's a quantum algorithm for this and this is this other paper from 95 Peter shore So he thought of this algorithm that solves the DLP in polynomial time Okay, now remember our big and we took about 2 to the small n and this this shores algorithm only takes small End to the cube and I mean if n is a hundred hundred cube It's not that big and I can make n a thousand by the thousand cube is still not that big Okay, so there is a good algorithm that assumes the existence of a quantum computer I mean as outlandish that might sound but still this algorithm in theory breaks the DLP Okay, so I don't know maybe in 20 years or in 30 years or 100 years I don't know personally, but if there's a quantum computer eventually that somehow runs this thing Okay, DLP is broken classically. So well what to do as I said let's just try to Come up with cryptography for which we don't know a quantum algorithm Okay, or for which we expect there won't be a quantum algorithm ever. There are a few candidates again There's the sue let's just calls this long word and I saw Chinese Okay Now what I want to tell you about is what is an I saw Cheney and how do I do key exchange with an I saw Cheney? Okay, because I don't know it's a fancy word, but what does it mean? Okay And there was this other word that the start with elliptic curve I saw Cheney So probably I should tell you about what is an elliptic curve or give you a remainder if you have seen this before so I look at this equation into variables and to constants the variables x and y my constants are a and b and the equation is y square is xq plus ax plus b and Now what I want to look at is all the solutions to this equation all the possible pairs y and x or x and y and of course they're going to look different somehow for the different Possible numbers that I can plug in for x and y and again you might have guessed it First of all, we're going to look at it over the decimal numbers and then later We want to consider this again over our finite field. Okay, because we like we like this discreteness and over our a Simple equation. I just show some values for a and b be a set of zero a set of one a set of zero b a set of one the solution set looks like this and Actually, it extends infinitely far on the right side up and down Okay So this is just somehow a snapshot of what the solution set looks like but over my finite field And I chose one with 101 elements. It looks like this set of points. Okay, so elliptic curves look Elliptic curves look differently over different fields, but that's fine. That's fine Okay, now quick reminder of why people like elliptic curves So there's something called the point addition law So I can take two points on this curve and I can somehow add them Okay, but this is not really addition in the sense of numbers. There's somehow a law that I have to apply and let me quickly show of how this is done So how do you add two points on this curve? Well, you take these two points You put a line through it and then there is a law that says that if I put a line through two points Then it has this line has to cut the curve in the third point. Okay, so I Put the line through these two points it cut the curve in the third point all the way up on the right And now what I'm going to do is I'm going to reflect the point down on the x-axis Okay, so I draw this other line I reflect it down and then what I define is that other that other cut This I define to be the sum of these two points okay, so And that works, okay, I can add point I can subtract points there will be the inverse So this kind of like acts like integers mod n When you only consider addition, okay kind of kind of it's not really the same, but you can also single out a special point all Like beautiful all we call the origin whatever that is and this origin kind of acts like a zero So if I add the origin to a point well, I get the point again Or if I add the point and it's inverse I get that point I get zero. Okay, so there's something like a zero and You can also multiply points, right? I mean what is multiplication? It's just repeated addition So in brackets and this is what I write for point multiplication Just add the point and times to itself. Okay, so there's nothing fancy going on here so you can somehow add points you can multiply points that's pretty cool and If you look closer, you can look at the special set here that I denoted E Brackets big N and these are all the points on the curve such that if I Multiply this point by N. It gives me zero. Okay, and this set I'm for the mathematically inclined people among us. I will say this is somehow The end torsion of the delictic curve whatever it means, but if you're interested you can look it up And this set kind of acts like additive integers mod n like to cut copies of it, okay, and Now this is where the term super singular comes from one of the definitions This is not the only definition, but this is one of them if you look at the delictic curve not over the reels Okay, or which other numbers but over this finite field and if you look at the torsion the p torsion then this Behaves differently for different types of curves. Okay, the p torsion is either empty and then we call the curve super singular Or it's just one copy of of integers mod p and then we call it ordinary. Okay It's not really important to know what that means. It just means that there is a distinction for curves somehow that did somehow ingrained mathematically deep down there and Because this e n torsion is somehow two copies of of integers mod n additive integers mod n I can generate it by taking linear combinations of two points say p and q and these are like the generators We saw earlier right, but these are not additive generators instead of somehow exponential generators But everything be caves kind of behaves kind of similar And now you can you can really use this to do cryptography already if you wanted to write it You can you can somehow look at the DLP in that group But there is the problem again that the DLP in there but they're there shorts algorithm again, right? So even if you do cryptography in this group You run into the same problem. Okay, so we have to do a bit better. We have to search further and This is where I saw Chinese come on come into the plate so One way you can think of an isotomy is Remember how we found the integers mod n By somehow dividing said by by all the n multiples and you can do something similar with an elliptic curve You can somehow take part of this n torsion and You can divide an elliptic curve by this you can mod it out and Turns out this is mathematically well defined and it gives you another elliptic curve. Okay? So I take a curve e1. I take a part of my n torsion I divide elliptic curve e1 by g and I get another elliptic curve e2 and There's something else that comes along with this construction and this is what we call the isotomy. This is a map Okay, along with this construction comes a map from e1 to e2 and This map is what we call an isotomy. So for us now an isotomy. It's just a map That takes us from one curve to another curve Okay, and this map is kind of special because it behaves in a nice way and it plays nicely With the structure that's already ingrained on our curve Namely, I can either add two points on my starting curve and send it through that map To the other curve or I can take Two points on my starting curve I can send it through the map and add it over there and it gives me the same thing Okay, so this net map somehow behaves nicely with point addition. That's pretty nice. Just as a side note. So this map is special So this is this is just a remainder of what I said Adding points on e1 and sending the result to e2 is the same as somehow Sending points to e2 and adding them there. So this map somehow plays nicely with with my laws on my elliptic curve And now I have to make a definition So in mathematics, we call the kernel of a map We call that the set of all the inputs to the map that are sent to zero Okay, and we saw this origin O here that acted like zero. So the kernel of my isotomy I'm just going to define as all the inputs to the isotomy that are sent to the zero on the other curve Okay, and in written notation It's the set of all p on e1 such that the map of p is zero and turns out that this kernel for for my isotomy that I started out with somehow Recovers This this part of the end torsion that I used to construct it. Okay, so there are somehow two ways now to to think of an Isotomy so This is what we started with we reconsidered e1 mod g and it gave us this map from e1 to e2 But if I start with this map from e1 to e2, we also find the g again Okay, so somehow there are two ways to represent this map. We can think of a subgroup this g or we can think of the map and Ultimately somehow there is a correspondence between the various subgroups for different n and Isotomies that are somehow emanating from a curve You can think of this like all the hairs on my head they're going out and then they are going to reach other elliptic curves, maybe and These notions can be changed used interchangeably. So somehow there is a there's a correspondence and Again, I can choose different ends. Okay, so somehow from from one curve I can have many many outgoing isotomies that are that are different in a sense and Now the thing is in practice, we actually want to compute with these maps So right now this is just general abstract nonsense I didn't tell you anything of how to compute with these things I just told you there are somehow correspondences, but I mean what does it even mean, right? it's useless if I if I can't use it in practice and Then there's another thing You can you can compute these things there are formulas people have worked on this but somehow the cost grows If I if I enlarge an N. Okay, so really in practice for for applications. I want to choose small n Okay, maybe two or three that would be pretty good And now the thing is it's the super singular curves for which I can somehow control or choose the possible ends very very easily Okay, so this is the reason why we consider super singular curves and Now I can choose my prime to be of this form and then magically this is going to force two and three Being possible. Okay, so this this is the reason why we choose super singular ones There's some theory which is not interesting for you, but it's just it's important for for for for Implementation and there's a way basically for us to to force the curve to have those isogenes that we like But there is another important reason okay, and this is this is the reason that actually makes it interesting for cryptography so what I can do is I start with an arbitrary curve and This this might not be a super singular one just any curve and say I consider all the outgoing two isogenes If these are possible for n is two So there's going to be one two and three and then again from E1 I Can again consider all the outgoing isogenes and so on and so forth So what's going to happen here is this is going to generate a graph where the vertices of my graph I elliptic curves and the HSI is oxygen is okay, so somehow In behind the scenes, there's this graph hidden and now turns out That if you do this for a super singular elliptic curve, and then I generated this yesterday for you So this is one possible graph. I can't remember which prime I took But here you can see all the ellipses are elliptic curves and all the edges between them are two isogenes So this is this is an example of a super singular two isogenic graph. Okay, this looks pretty wild So I can do the same for say n is three if it's possible or n is five and so on and so forth So there are many many graphs hidden, but why is the super singular graph? Specific and important. Well, it turns out that somehow the super singular one is connected and It's what we call a ramanushan graph. Okay, and this is I'm going to explain this in a second and as a bonus for implementation purposes it turns out that you Can do all your implementation and arithmetic in the finite field with p squared elements. This is nice Okay, so I'm just gonna say that if if you don't consider super singular elliptic curves And you go along these graphs then what's going to happen is that somehow this field of definition with what we call it Could grow for you to be able to go further But that would suck for implementation. Okay, but super singular ones is nice So fp squared is enough for us. So this is this is again is good for implementation so somehow magically many many things happen here that are benefiting us and Again, why is it nice that this is a ramanushan graph? So a ramanushan graph has certain optimal expansion properties and this means that if I start from a random point in my graph And I take a random walk With somehow logarithmic log many steps of the total amount of vertices then this will will put me in a very uniform place in that graph, okay, and This is this is good for cryptography Okay, because you only need to take log many steps to somehow randomize yourself in that graph and This is this is what this could look like So I started at that red ellipses over there This was my starting point and then I I generated a few random walks and the blue the blue points are where I got placed This might not prove anything, but it gives you an idea of how somehow uniformly it places me around that graph, okay? so It's good for cryptography, but there are other reasons so super singularity curves somehow I Can actually compute how many of these curves I will have in my graph So this is another reason to be looking at these things because if I don't even know how many curves I my graph Well, I can't really say anything about the security, but at least for super singular ones I can say they're roughly P over 12 many Okay, and then again if I choose my P about n bits Well, then I will know that my graph has about two to the n elements and at least there I can I can say something about the cryptographic strength, right? I can I can make n big and then you can say oh, yeah You have this random graph you take some n length walks and then it places your random way in there And your whole graph is about two to the l l n elements and then I can I can say something about the Expected runtime of my algorithms, right? So this is another reason why we want to consider super singular curves because I can tell you how many elements are in this graph Okay, so a quick summary of what we saw why this is nice So what you get is somehow a compact representation of an L plus one regular graph and we saw examples for example L is two or L is three bigger values are possible But we don't even care about those because this is what gives us the fastest somehow arithmetic such that We can work over fp square. This is nice. This keeps our implementation fast and I can tell you how many words is designed my graph about P over 12 and Again such that the graph has some mixing properties that are useful for cryptographic applications so because I want to use this ultimately for cryptography and Again, that's what we said if I choose an mp prime P then the graph has about two to the n vertices so exponentially many vertices and Turns out that There are some hard Problems that I can ask you to solve in this graph That they don't have good quantum algorithms. So one hard problem is this I Take two super singular elliptic curves So I just give you two random curves in this graph and I ask you Find an isotope in the path between those of two isotopes or three Isotenes, okay, and it turns out somehow that just doesn't have good quantum algorithm So classically, I mean the numbers are not super important here But classically the complexity is P over P the fourth root of P and the best quantum algorithm is a bit better But I mean again, it's not super important. What's there? What's important is that? There is no polynomial time algorithm compared compared to our DLP that we started with okay, so I make this P very large Your quantum computer your hypothetical quantum computer will probably not solve this, okay? So that's cool. So how do we do key exchange? so I Start with a super singular elliptic curve E where I chose my frame my prime P such that two and three isotopes are possible and Then Alice Really, I remember she chose a random number a but now Alice will choose a random subgroup big a and She will send E mod a to Bob Okay, this amounts to Alice for for computing in as attorney and Again, this is a very symmetrical key exchange Except that now Bob won't use the same generator, but Bob will use the three as attorneys Okay, so Bob will choose a random subgroup B and then he will compute E mod B and send this to Alice and This is the picture. There's Alice. There's Bob again Alice chose a Bob chooses P Alice sends E mod A to Bob Bob sends E mod B to Alice and then how do they somehow agree on a shared key? Well, the way they're going to agree is they will just mod out by their respective Subgroups again and turns out the elliptic curve that they find is going to be the same for both of them Okay, so how does that work again? Let's return to our graph I So say Alice and Bob they agree on a black curve, okay? The back curve on the left side and then Alice will compute these red steps Which correspond to taking a subgroup? So Alice will compute these red steps for her secret subgroup and she will end up at the red curve in the upper right corner and Bob will do the same but now Bob is not in the two graph but in the three graph so this is the three graph and The black curve that they started from in the three graph is down there and he will also select a random subgroup Compute the secret path and Bob will end up in a blue curve And now Alice will send her red curve to Bob and Bob will send his blue curve to Alice And then Alice will will consider the blue curve in the two graph. Okay, so Alice She starts from the blue curve that you got from Bob and this is the position in the two graph and Again, she computes that same secret path and ends up in the green curve, which is up there Bob got the red curve from Alice. So Bob He has the red curve there again computes that path and then that ends up at the green curve And it turns out that the green curves here and there they are the same and this is going to be the shared key for them This is SIDH. Okay. This is how you exchange a secret key using the super singularized alternate graph and that's somehow the whole magic and Again, let's compare these two things a bit the DLP based one and the SIDH one So we had this square where Alice and Bob started in the upper left corner and again ended up in the lower right corner and Now SIDH looks very similar. Okay, so Alice and Bob start with this common curve E in the upper left corner again Alice computes only the horizontal arrows because she knows her secret group big A Bob only computes the vertical arrows because only he knows his secret group big B and Again, they both end up in the lower right corner Where they defined a shared key, but now in this case the shared key is not this element E to the AB but an elliptic curve, but again, there's a mathematical way somehow to attach a unique number to it so it's a solved problem to somehow actually make some bytes out of this and Yeah, that's SIDH. That's that's everything. This is a nice example of a post quantum somehow cryptography scheme that we have today and now let me finish with a quick conclusion so I Showed you the zoo. There are several candidates somehow for post quantum cryptography and Among of them are some schemes based on super similar elliptic curve isogenes and We've seen that we know some hard problems involving these isogenes that are somehow hard for quantum computers which makes this One possible scheme for somehow a quantum computer world, okay and Probably I should say that we don't envision a world here where we're users like me or you are in possession of quantum computers probably What we we think about is somehow that state actors are in possession of quantum computers, right? so this is even more important for us to be looking into these things and What we saw was somehow to perform a different like key exchange using these isogenes But and this is what I didn't tell you about in this talk There are also schemes for signatures based on isogenes There is a scheme for key encapsulation based on isogenes so so there are other possible candidates for for other somehow cryptographic building blocks based on isogenes and these hard problems and If you're super interested about this you can either ask me or come to our assembly And if you like reading somehow scientific papers Papers about isogenes and cryptography in general you can find this on the e-print archive, okay? So this is a web page where people post Preprints about their papers and there's a huge collection about among of them isogenes papers So if you're interested in this this this is somehow the place to to research Okay, and with that I would like to thank you all for your attention Yeah Is there any question Okay, I got the signal angel there doing some Morse code Yes, um, can you recommend any literature for the theoretical background theoretical background? There are a few papers that are nice some okay the question again was Literature about theoretical background and yes, there are a few papers that are giving some nice even theoretically involved Summaries about the background and your best bet is to to go to e-print and You enter isogenes in the mask of search terms or SIDH and you look at the papers that somehow say Maybe a short introduction to isogenes something like that. I mean you will find them if you search for them I don't know them from the top of my head, but they are out there for sure Yeah, and thanks for him. So there is a very recent paper by Craig Costello Also, somehow titled the short introduction something like that. Yeah, so this is also maybe a good source for you to look at Yeah, I thought you need for beginners. I thought you need for beginners. Thank you Yeah Oh, yeah So You've used elliptic curve as a as an algebraic group right to Compute these isogeny graphs So why do you use elliptic curves? What's the properties of elliptic curves as a group? What why? so Could you use any group to compute these graphs and could you use these as the basis for your? scheme for your K exchange screen scheme Okay, so the question was why you the elliptic curves and And the group structure that they impose to look at isogeny graphs involving elliptic curves And whether I could use maybe other groups and actually There's a two-fold answer maybe so If I if I go back or actually let me go to my backup slide which gives you SIDH and is full glory I see there's some extra information being sent namely these generators for my group and Actually the same commutative diagram for SIDH you couldn't theory compute using it another group as well That has the proper subgroup structure But the graph that you will find is probably not going to be interesting Okay, I mean it's really really Somehow that Richelow property that that makes the graph interesting for for cryptography, but yes In theory the SIDH commutative diagram you could also compute for other groups. Yes Okay How good are classical algorithms that try to reverse that SIDH? problem Because that will be the bound for how large your keys have To be to be secure Yes, so the question was how good are classical algorithms and Again, I said I think the runtime for those is squared of P and This is this tells you how big you have to choose P. Yeah, and How confident are you that this really is hard for quantum computer as well? Well, how confident I am I that this is really hard for quantum computers So first of all cryptography is all about confidence, right? So someone proposes a problem this problem gets crypt analyzed And if it's not broken after 40 years then people will say oh, yeah, I'm pretty pretty confident. This is good And maybe if the NSA doesn't tell you anything about it or maybe if they don't have you know Anything on it then you can also see that you're confident in it But I think this this is really an answer that the only time this this is a question that only time can answer Right. I mean, yeah, I have a question for the same one. Yeah Is it possible to prove that no polynomial time algorithms for the isogenes problems can exist for a quantum computer? Yeah, that's a good question. How do you prove? How do you prove that no algorithm exists? This is brings us Into territories like I don't know. Yeah, no Let's not let's not do that Michael from one Yeah, good good talk by the way. Um, the last slide you say that yeah, this this It's hard for a program But that can't be true because we don't even know if any algorithms hard for classic computers, right? So it's so I'm guessing you're saying that intuitively there it feels hard Which you know the same intuition we have about like factoring and so on So you mentioned there's multiple candidates for post-quantum cryptography and they all intuitively feel hard somehow Do you do you know if you know this specific candidate, you know, would this be your horse in a race? Like is there anything about this specific? Way that you think would be the best fit for post quantum cryptography Okay, so Your opinion is very valid. Of course, we don't know if it's hard, right? This this again connects back to the other questions How do you trust something like that again people do crypt analysis for 40 years or whatever and then you say No one found anything. It's probably hard Right, but hasn't been 40 years You cannot say that these things are relatively new and personally I'm not gonna I Don't know Believe in any of these things until some time passes So my my reason for looking into these things really is more somehow a mathematical curiosity because I think these things are beautiful and Somehow the cryptography that arises from it is more of a side effect for me personally So I'm not gonna put out any any somehow You know guesses on which which of these things is actually gonna win the PQ race or whatever. Yeah The function I am you showed or said you think it's hard for the classical way and for the quantum cryptography way I think I just read a paper like last year about a combined way doing classical and Quantum photography combined which outperforms either one of those ways Do you think this could also be a can be relevant or? Yeah, make this one way In computable and polynomial time So so are you talking about an algorithm that somehow combines a classical step and a quantum step to break this? Yeah, well, I mean most algorithms somehow that we say use a quantum computer Involve a classical part anyways. I mean you think about chores algorithm. There's a classical part in the quantum computer part. So I'm not sure which algorithm you read about but I'm sure that somehow all the quantum algorithms involve a classical part implicitly anyways Yeah, can you please name the mentioned contestants in the NIST challenge based on isogenes? So there is there is psych. I believe Super singular is attorney key encapsulation, but I actually I don't really follow The NIST and think it closely so I actually couldn't even name all the names that are involved in it but you can look it up on the NIST website and I believe Somewhere there is also a classification of the contenders in Into the zoo so they will tell you which contenders are based on lettuces and we which contenders are based on codes And which ones are somehow based on isogenes, but off the top of my head. I actually I don't even know no Sorry Hey, Michael from one so if I got everything correctly those Isogenes are group homomorphisms between the elliptic elliptic curves and the factor group of the elliptic curve by G and Which has kernel G again? Yes, and Well, you said that finding the I said I certainly path in the graph is rather difficult But wouldn't the real difficulty rather be finding the subgroups G? Because group homomorphism between the elliptic curve and the factor group with kernel G is simply the canonical protection exactly, so I See you are mathematically trained, which is very nice And I am very happy about that and yeah if you look at this slide actually so The secrets are these alphas in betas Which somehow determined the subgroup and yes, so finding the I certainly path is equivalent to finding the alpha Somehow to generate this group and as you said correctly finding the I certainly path is somehow finding finding this group, but You it's just somehow restating the problem, but it's still hard somehow to find the subgroup. Yeah, all right. Thanks Thank you. Very cool Okay, thank you for the great talk so Can you play this game a little bit further? I mean, can you choose higher dimensional ability of varieties to? Make it even more secure or is it just absolutely inaccessible I mean from the computation perspective like the choice of field of definition is difficult For example, so okay So the question was on whether you can use higher dimensional ability in varieties and maybe for the people who don't know what that means Somehow you can attach a dimension to these things in elliptic curves Somehow have a dimension one attached to them and the question one was can you somehow look at dimension two or dimension three or higher? and actually Back in the days when people were thinking about the DLP problem on on the points of elliptic curves that I mentioned briefly People had the idea of maybe using dimension two or dimension three But it turns out somehow that this DLP problem actually at some point gets easier in higher dimension Okay, so so classically if you look at the DLP you somehow want to stay a dimension two But now what you can do of course is you can look at isochines between dimension two or dimension three ones And actually the problem that arises there and this makes elliptic curves very special is that we can compute isochines Rather efficiently for elliptic curves because of Baylor's formulas, okay So somehow this gives us a very direct means of computing these but it actually gets hard as the dimension grows For example for dimension two already The only isochines that I somehow am able to efficiently compute are two and three isochines So there are some packages out there that can compute higher ones but only if my prime is very small and For dimension three and higher it gets even harder. Okay, and then there is another thing that comes into play So dimension two varieties somehow they all arise from what we call hyper elliptic curves But if you look at dimension threes and higher then somehow sometimes you land at the point in your graph That does not come from a hyper elliptic curve anymore. So there is another complication. So I mean I Had a friend who was looking into genus two isochines and it's possible to do there, but I don't know I think personally this is more of a toy then then something that's That's good in practice. Yeah Can you use this scheme to implement a fully homomorphic encryption scheme or is it already? No No Yeah, no fully homomorphic encryption is somehow a pipe dream But I mean sometimes it's possible. So the idea is somehow that you can Add ciphertexts and get the sum of the ciphertexts and have a second somehow Operation namely you should be able to multiply ciphertexts and get the multiplication of those ciphertexts But we didn't even talk about encryption. Okay, so Yeah Another question. Is there any crypto primitive used in the isogenic approach that cannot be stark reduced to finding a hidden suck group in an abling group? Could you repeat the question, please? Is there any crypto primitive used in the isogenic approach that cannot be stark reduced to finding a hidden suck group in an abling group? Okay, so this I think This question tries to connect back to somehow Maybe the hidden shift problem or the hidden subgroup problem and group of Berg's algorithm, but I think I'm not Able to answer that question now without talking to the person that actually asked it because it's a bit vague So I'm sorry about that What do you send an elliptic curve over the wire? Yeah, maybe I should answer that actually so we saw the parameterization of the curve that had these These coefficients big a and big b but what I didn't tell you is that to an elliptic curve You can actually attach What we call an invariant in mathematics and for an elliptic curve. This is a j is this called a chain variant It's a single integer which somehow Determines this elliptic curve uniquely. So if I want to send an elliptic curve, I can simply send you its chain variant and If you know the field of definition, you're going to be able to somehow Recompute it just from the single value. So it's actually quite a compact representation, which makes this also interesting Yeah, I Got this is all thank you