So, the next talk of this session is "Practical Post-Quantum Signature Schemes from Isomorphism Problems of Trilinear Forms". The talk will be given remotely by Gang Tang, and I will allow him to introduce his co-authors. So Gang Tang, please go ahead.
Okay, thank you for the introduction. So this is joint work with Dung Hoang Duong, Antoine Joux, Thomas Plantard, Youming Qiao, and Willy Susilo. So I'm going to talk about practical post-quantum signature schemes from isomorphism problems of trilinear forms.
Okay. So, first, let me give some preliminaries on isomorphism problems and the GMW plus FS framework. So the classical graph isomorphism problem asks whether two graphs are the same up to relabeling the vertices. So look at these two graphs. The given two graphs G and H consist of a vertex set and an edge set, where the vertex set [n] just denotes the set from 1 to n. So we say that these two graphs G and H are isomorphic if and only if we have a random permutation sigma belonging to S_n, mapping [n] to [n], such that sigma of the edge set E is equal to F. So this formula just means that any edge (i, j) belongs to E if and only if (sigma(i), sigma(j)) belongs to F.
So here are some preliminaries about tensors. So tensors are multi-way arrays. You can imagine, if we have dimension two, the matrices are two-way arrays. So in this talk, we just focus on three-way arrays, or so-called 3-tensors. Specifically, we define a 3-tensor A equal to (a_{i,j,k}), where each a_{i,j,k} just denotes an entry belonging to the field F, and the indices i, j, k belong to [n]. So what's the tensor isomorphism problem? So like graph isomorphism, we also have as input two tensors A and B, of size M cross N. The question is to find invertible matrices L, R, T such that L acts on the first direction, the invertible matrix R acts on the second direction, and the last one acts on the third direction.
So following from this three-direction action, we get the other tensor B. This is the tensor isomorphism problem.
So from this isomorphism problem, we can design a digital signature based on these problems, and it is studied in multivariate cryptography and isogeny cryptography. And the construction is linear. We have two steps here. The first one, we just construct an identification scheme based on the Goldreich-Micali-Wigderson zero-knowledge protocol for graph isomorphism. And then we just use the Fiat-Shamir transformation to turn this identification scheme into a digital signature.
Okay, so let's look at step one, how to construct an identification scheme, a zero-knowledge interactive protocol for graph isomorphism. It just includes two players, which we call Prover and Verifier, and they are given two graphs G and H. If G and H are isomorphic, then only the Prover knows an isomorphism, and the goal for the Prover: she will demonstrate that she knows the isomorphism without revealing it to the Verifier. And the goal for the Verifier is to guarantee it must satisfy these two properties, which we call completeness and soundness. Completeness is that if G and H are isomorphic and the Prover knows the isomorphism, he always accepts. And soundness is that if G and H are not isomorphic or the Prover does not know the isomorphism, he rejects with non-negligible probability.
Okay, so let's look at what the GMW zero-knowledge protocol for graph isomorphism is. First, we are given two graphs G and H as our public key, and let sigma be an isomorphism as the secret key, such that sigma sends G to H, so that we have sigma of G is equal to H. And then Alice generates a random permutation, pi, which sends G to K. So we have the interactive process below. Alice first sends K to Bob, and Bob will randomly sample a bit b from {0, 1} and return it to Alice. When Alice receives b, if b is equal to zero, Alice just sends r equal to pi to Bob, otherwise she sends r equal to pi times sigma inverse.
And when Bob receives the response r, Bob will check: if b is equal to zero, Bob checks whether r of G is equal to K, otherwise he just checks that r of H is equal to K. Okay, so that's the construction of the GMW protocol as our identification scheme.
Then we just apply the Fiat-Shamir transformation to get a digital signature. Fiat and Shamir proposed a method that takes an identification scheme and turns it into a digital signature. The key idea is to use a hash function to simulate the interaction process. The identification scheme based on an isomorphism problem fits this method. Also, the security of the Fiat-Shamir transformation is proved in the random oracle model. And very recently, it's also been proved in the quantum random oracle model.
So, more generally, an isomorphism testing problem asks whether two combinatorial or algebraic objects are essentially the same. Besides graphs, isomorphism testing problems for groups, edge graphs, lattices, and linear codes have also been studied. But graph iso is not good, because graph iso is known as a very easy problem, both in theory and in practice. So, naturally, we'll have a question: can we rescue this framework, the GMW plus Fiat-Shamir, with other isomorphism problems?
In 1996, Patarin suggested replacing graph isomorphism with polynomial isomorphism. In particular, he suggested a digital signature scheme as we described. So, polynomial isomorphism is a family of problems. So, it just depends on the polynomial degrees, the number of polynomials, and so on. So, some from this family, such as isomorphism of quadratic polynomials with one secret, the so-called IP1S, turn out to be easy. And also, it gives rise to a series of works in multivariate cryptography. Also, in isogeny-based cryptography, Couveignes first proposed the use of class group actions on elliptic curves in cryptography.
They adapted the GMW identification protocol to this action, and Stolbunov suggested applying the Fiat-Shamir transformation to this identification protocol to get a signature scheme. However, the use of ordinary elliptic curves has issues, including the subexponential-time quantum algorithm and slow performance. So, this leads to a series of works next. So, the attention then turns to supersingular elliptic curves, the so-called CSIDH. This also leads to some bogus signatures again recently.
Okay. So, let's look at tensor isomorphism in post-quantum cryptography. In post-quantum cryptography, we wish to devise cryptographic protocols that are hopeful to resist attacks by quantum computers. This requires utilizing limitations of quantum algorithms. And a later development of Shor's algorithm for integer factorization and discrete log is the hidden subgroup problem framework. So, one key reason for utilizing lattice problems in post-quantum cryptography lies in the connection with the dihedral hidden subgroup problem. So, the best algorithm for the dihedral hidden subgroup problem is just subexponential, proposed by Kuperberg. So, similarly, a key reason for utilizing tensor isomorphism lies in the connection with the hidden subgroup problem for general linear groups, for which there exists strong negative evidence for the current techniques to work. And also, there's some consequence of the strongness such insights we have about limits of quantum algorithms.
Okay. So, here's some comparison of the best algorithms for graph iso and tensor iso. So, for graph iso, we have a brute-force algorithm running in time n factorial times poly n. In the worst case, we have a quasi-polynomial time algorithm proposed by Babai. And in the average case, it can be solved in linear time. And in practice, if we choose n larger than 10 to the 6, it is very easy to solve.
However, if we focus on tensor isomorphism, brute force just runs in time q to the n square times poly of n, log q. In the worst case, we have an algorithm running in time q to the 1 half times n square plus a constant. In the average case, we have a q to the O(n) algorithm. Also, in practice, if we choose n, it's equal to 10 to the 11. So, the evidence shows us it's hard to solve.
Okay. So, here are some criteria for constructing a secure protocol. So, the first one is practical complexity, and theoretical complexity, and well-studied. So, tensor isomorphism just satisfies all of the above based on current evidence. So, Ji, Qiao, Song, and Yun in TCC 2019 propose to use tensor isomorphism as the security basis for the GMW plus FS framework, just based on advances in complexity and algorithms. On the complexity side, Grochow and Qiao propose a complexity class, so-called tensor isomorphism. On the algorithm side, it is based on many works in multivariate cryptography and some other works.
Okay. So, naturally, we'll have a question. Can we make GMW plus FS plus tensor isomorphism practical? So, as I described above, Grochow and Qiao define a new complexity class, TI-complete, consisting of problems that are polynomial-time equivalent to tensor isomorphism. Next, we have GI-complete, which just consists of problems that are polynomial-time equivalent to graph isomorphism.
Okay. So, let's introduce a new concept, which is called the alternating trilinear form. So, first, let GL(n, F_q) be the general linear group consisting of n by n invertible matrices over F_q. And phi is said to be trilinear if it is linear in all three arguments. We say that a trilinear form phi from F_q to the n cross F_q to the n cross F_q to the n to F_q is alternating if, whenever two arguments of phi are equal, phi will evaluate to zero. There is a natural group action of A belonging to GL(n, F_q) on the alternating trilinear form. It just sends phi of (u, v, w) to phi acted on by A, and it just means A transpose acts on each argument.
So, let's give a definition of alternating trilinear form equivalence. Like tensor isomorphism, given two alternating trilinear forms phi and psi, it asks whether there exists an invertible matrix A such that A just sends psi to phi, and to compute one such A if it exists. And also we have a theorem: it just says the alternating trilinear form equivalence problem is TI-complete; specifically, that is, ATFE and TI are poly-time equivalent.
So, here are some motivations from cryptography. Because if we want to implement this scheme, we will generate the tensor or we generate the alternating trilinear form, but if we generate a tensor it will cost n cubed, but for the alternating trilinear form it just costs n choose 3. For example, if we choose n equal to 9, n cubed is equal to 729, but n choose 3 is just 84. So, this is a big saving in practice. And also we have a practical algorithm for ATFE; it's running in time q to the two two-third times a polynomial in n and log q.
So, also, we analyze some attacks based on Gröbner bases. So, we have experimental results on Maple and Magma, and they show that if we choose n smaller than 6 it will be very fast, and for n equal to 6 and q equal to 5 it will run in about 700 seconds, and for n equal to 7 it cannot achieve. Also, we give improved experimental results: we just add more equations and guess some entries. So, these equations will be redundant for us, but it seems helpful for Gröbner bases, and this result shows that if n is smaller than 8 it will be very fast, and it will permit breaking n equal to 10, but for n equal to 9 it also cannot achieve. So, it is reasonable to choose n larger than or equal to 9.
Okay, so that's the parameter choice of our scheme. Lambda denotes the security parameter, r denotes the number of rounds, and the third, C, just denotes the number of alternating trilinear forms generated in each round. And we have some estimations, like r times C is larger than or equal to lambda, and we also have the formulas for our public key size, private key size and signature size. And with these estimations, and based on the Gröbner basis attack, we can choose reasonable r and C to balance our parameters like public key and private key and signature key size.
Also, we have an implementation of our scheme. We have four concrete schemes, one, two, three, four, and we choose reasonable parameters q and r, C, and we calculate the public key, private key and signature sizes. Also, for the implementation, we have the running times of key generation, sign and verify.
Okay, let's give a summary. Unlike graph iso, ATFE seems to be a much harder problem, both in theory and in practice, and the hardness of alternating trilinear form equivalence can be explored to devise cryptographic protocols, essentially in light of post-quantum cryptography. And we propose a practical signature scheme based on this problem, and we also analyze attacks based on Gröbner bases, and finally we choose reasonable parameters carefully to balance, and implement this scheme. Thank you very much.
Thank you. Are there any questions? If so, please go to the mic. Yes, so there's a question incoming.
Hi, thank you for a great talk. So I was wondering, what's the motivation to go to dimension three? What does this have that dimension two doesn't have, and what about dimension four? Is that then even better?
Which dimension do you mean, for the alternating trilinear form?
Yeah, so the motivation is from practice, because if we use tensor isomorphism it will be expensive, because if we store a tensor it will cost, but if we just store an alternating trilinear form it will be n choose 3.
So I guess maybe I'm a little bit confused, but if we go all the way back to the beginning, we're talking about matrices of dimension three, or tensor products of dimension three, where normally I'm used to matrices of dimension two, where you can only multiply them on two sides, and you're using matrices of dimension three, and I was just curious about, does that make sense?
Yeah, yeah.
And I was wondering, like, what's the motivation to go to dimension three in this case?
What's the motivation to go to dimension three? Yeah, because if you just focus on these two dimensions it will be easy, because if you just move this, the second dimension, to the other side, it will be to solve a linear polynomial. The problem will be to solve equations of linear equations.
Ah, okay, thank you.
Okay, there's still time for another question. So I have a quick question. So your four schemes' parameter sets, have they been set to match the AES, sorry, the NIST post-quantum levels?
Yeah, these parameters just match the security parameter for 128.
Okay, thank you. There are no other questions; let's thank the speaker again.