 First content cryptography for the read track, and we'll start with the first talk, so we have two talks, the first talk is a type of an existential and forgeable signature scheme based on multivariate quality equations by Kuhn, Chin, Choe, Min Park and Nam Hoon Koo, and Nam Hoon Koo is giving the talk. Thank you for introducing me. Thank you for introducing me. Today I present about a new existential and forgeable signature scheme based on multivariate order system. This is the contents of my presentation. First, I briefly mentioned about post-contact cryptography, especially quality cryptography based on multivariate quality system. And I summarized our contributions, and I explained about our new proposed MQ signature scheme named ASA, and explained about security analysis of ASA against known attacks of MQ signature scheme. And I explained about the implementation results of ASA, and compare with post-contact cryptosignature schemes. Finally, I concluded my presentation. As mentioned in invite talk this morning, if short-scan term algorithm is implemented, then public cryptography based on integer factorization problem and discrete logarithm problem are broken. There are several well-known classes of cryptography primitives that are believed to remain secure in the presence of a counter-crupter. Especially, MQPKC is based on the hardness of solving large system of multivariate quality equation called MQ problem in short. Public is a system of multivariate quality polynomial, and a tractor is hidden in secret opined layers using the opined substitution, opined structure. Its security relies on the hardness of the isomorphism of polynomial problem. Most of the MQ problem schemes have been broken due to the uncertainty of the IQ problem. A scheme based in MQ plus IQ paradigm is not only based on the MQ problem, but also some variance of IQ problem. There are only two exceptions from the MQ-IP paradigm, HFVV minus variance and UOV variance. MQ signature schemes are superior to other competitors in terms of performance and signature size, but they have relatively larger key sizes and no security reduction to the hardness of the MQ problem. This is a summary of our contributions. We proposed a new MQ-based signature scheme based on a hidden layer of quality equations. This method makes it possible to remove the use of Gaussian illumination. Our scheme is the best public signature scheme for both signing and verification among the state-of-the-art signature scheme, including classic ones and post-counter ones. Compared to other MQ signature schemes, our scheme has shorter key sizes, with the essential compatibility of our scheme. In most of MQ signature schemes, a central map app is a system of N-quality polynomials in N variables, which can be easily inverted. S&P are to apply all linear maps to hide the structure of the central map app. Public key is P equals to S sub-labs of P to be hardly distinguishable from a random system and therefore to be difficult to invert. And the secret key is a tuple, S, F, T. How to construct the central map app is the most important part of the construction of MQ signature scheme. So I still play about how to construct the central map in our scheme. There are four in this set, LKRU, and this expression means the tuple of all variables in this set in the sub-script. And M and N are determined like this, where M is the number of equations and N is the number of variables in public map and central map. Then the central map is determined like this. In the first layer, there are KL sub-j times R sub-ij for j from 1 to R and a quadratic polynomial. Each polynomial in the second layer is a sum of S sub-j times R sub-ij prime for j from 1 to R. And a quadratic polynomial psi-i and a linear polynomial S sub-j in these variables satisfy this relation in the hidden layer where L is a linear polynomial in these variables and constant psi-i. We call this relation in a hidden layer by the relation L throughout this presentation. Then lambda is this coefficient matrix of these linear polynomials and lambda sub-R is this R by R importable sum matrix of lambda. So ij in the first layer is a linear polynomial in these variables. This relation comes from these equations where the last equality is from the relation L in hidden layer. So this term minus this term equals to this term so we get this equality. Each entry of this matrix is a linear polynomial so we can write this matrix as this coefficient matrix form. Theta is this coefficient matrix and Theta sub-k is k by k importable sum matrix of Theta. And each pi sub-i in the first layer is a quadratic polynomial in these variables and psi sub-i in the second layer is a sparse quadratic polynomial in these variables of this form. Each r sub-ij prime in the second layer is a linear polynomial in these variables. Similar to the first layer we get this relation L to Theta and Theta sub-k, Theta is this coefficient matrix and Theta sub-u is this U by U importable sum matrix of Theta. And S sub-i prime is a linear polynomial in these variables. From these constructions we store only these ones instead of all the coefficients of F. I explain how to invert the central of F or to solve the f of x equals to r for given gamma, for F of x equals gamma to given gamma. In the first layer, multiply L of x of L on both side of equation equations. This multiplied system by relation L in the hidden layer. Choose a random new vector s of L, plug it into the system to get a new linear system of k equations with k variables. New linear system can be solved by this matrix multiplication. In the hidden layer, plug s of L plus k into a quadratic system L, linear system of r equations with r variables. This linear system can be solved by this matrix multiplication. In the second layer, it is similar with the first layer. Multiply L of x of L on both side of equations in the second layer. This multiplied system. And plug this vector into the system to get a new linear system of u equations with u variables. This new linear system can be solved by this matrix multiplication. The solution of F of x equals to gamma by performing only three matrix multiplications and computation of quadratic terms without Gaussian elimination. Next, we propose a new and two signature scheme named ELSA. For this generation, choose randomly two or five maps as tilde and t tilde until they are invertible. Here tilde means the inverse of each map throughout this presentation. And choose randomly these maps that define all the positions described before. These maps need to be invertible. Finally, compute the public p. To generate a signature for the message m, compute apply s tilde f inverse t tilde for the message hm in turn. To verify a signature, creation holds one knot. I explain about the security analysis of our scheme against the known attests of MQ schemes. These attests are divided into two classes. Direct attack is to solve the multivariate system from public p. Key recovery attack is an attempt to find equivalent keys of security. Key recovery attack using Bukki is a generalization of rainbow-band separation attack. And there are seven key recovery attacks. For direct attacks, we consider regular basis algorithm like F4, F4, F5 for solving the MQ problem. Complexity of the MQ problem is determined by the HEM5 algorithm, which gets some of the variables to create over-determined system before applying M5 algorithm. The complexity of HEM5 algorithm can be estimated by this formula, where it is the index of the first positive correction in this polynomial expression. And omega is in replacement attack, one can replace a linear polynomial by a monomial. So one can get f bar of this form. Because we set t sub r like this, and let f bar equal to f sub r, we can assume that the central map is f bar, when we consider the other attests on our scheme. Key recovery attack using Bukki is such one example. We consider this attack for central map f and f bar. This is the symmetric version of coefficient matrix of central map and f bar. Here, great parts are arbitrary values, and five parts are zero coefficients. This attack starts from this relation. We get these equations of this form. Since we have already known that some coefficients are zero by the construction of central map. So we get a new multivariate system. But this system has too many variables and equations. So we consider equivalent key and Bukki. If there are two invertible linear maps, sigma and omega, satisfying these equations, and f prime and f have the same structure, then this is an equivalent key or a secret key. Here, the same structure means the same five parts in a coefficient matrix. So we can find this equivalent key for f is for f bar. Here, diagonal blocks are identities of matrices. f can be a generalized version of f bar with this coefficient matrix. Then we can find this equivalent key with high probability. Equivalent key is still complicated. So we use the concept of Bukki to find it more efficiently. For this equivalent key, there are two invertible linear maps, sigma prime and omega prime, satisfying this equation. And if two prime has the same structure with f in heart, then we call this a Bukki. For central map f, this Bukki. And we get the same Bukki for central map f and f bar. So there are a replacement attack on Bukki finding attack. The main complexity of this attack is determined by solving n-1 by homogeneous equations and n-coded equations with n variables. By our estimation, complexities of our schemes against all the known attack can be determined like this. For existential prohibitability, please report a paper because of time limit. Based on our secretive analysis, we choose this parameter at 125 with security level. And we summarize complexities of our parameter against all known attacks in this table. We implement our scheme with selected parameter on this hardware and this environment. It takes 6 microseconds for signing and about 13 microseconds for verification. Compared to other NQ signature schemes, our scheme has much better in terms of key sizes and performance for signing and verification. This is a comparison result. You can see that our scheme is the fastest in both signing and verification. Signing and verification among the post quantum ones and classical ones. Our scheme has relatively large public size. So we are eternity in reducing it. And optimal implementations and preventing size channel attacks are the part of our future research topics. This is the end of my talk. Thank you for your attention. Is there any question? We have many open source. Is there any limitation of open source? Thank you for your question. Did I understand the essential trick correctly? So you pre-compute the inverse, which is why you don't need God's elimination during signing? Is that kind of a good one sent to summary? Or did I miss another essential trick? So you said you reduce the sign time from NQ to N squared. And it seems the trick that you're using is that you pre-compute the inverse so you don't have to do God's elimination. Did I understand that correctly, or did I misunderstand that? Maybe you were correct. Yes. What's your question? I have one. So is there one of the 82 submissions that we have sent this morning? Maybe yes. Maybe. We've got one. Any other questions? I think existential anguishability with the applicable to other signature schemes is the difference of the schemes and other schemes. But, for example, I think the labor scheme is also an existential anguishability. Great. Great. Thank you. Thank you. Thank you. I think that rainbow schemes is also an existential anguishability. Is that not the one? Yes. Similar to our idea, rainbow schemes has also this this anguishability. So our proof is not such a street of existential anguishability. No more questions? So let's have the speaker again.