 Hello, my name is Tomokimoriya, I'm very happy to be able to talk to you. The title of my presentation is SIGAMO, a super-singular ISOGENY-based PKE and its application to our PLF, and here are the main results of our study. We proposed the new ISOGENY-based PKE schemes, named SIGAMO and CCIGAMO. These schemes have in-CPS security without using hash functions. Moreover, we constructed a Nao-Lingo-Type-Sumlander function based on SIGAMO. This sumlander function is constructed without using hash functions, and here are contents. First, I'd like to tell you the introduction of ISOGENY-based cryptography. Here are main properties of ISOGENY-based cryptography. ISOGENY-based cryptography is considered as one candidate of post-continent cryptography, and it is based on ISOGENY problem. In other words, the assumption that ISOGENY problem can't be solved by even using a quantum computer is the basis for the security of ISOGENY-based cryptography, and empty carbs are used in ISOGENY-based cryptography, and the main merit is the key ranks are short, and major merit is ISOGENY-based schemes take more time than those of other candidates of post-continent cryptography. These are main properties of ISOGENY-based cryptography. Next, I'll tell some mathematical backgrounds about ISOGENY-based cryptography. This is a definition of ISOGENY. An ISOGENY is a morphism between empty carbs, which is also a group morphism on empty carbs, and there is an important formula about ISOGENY. There is a formula for computing ISOGENY. From an empty carb E and a pincer G of E, it outputs an empty carb E over G and an ISOGENY phi mapping from E to E over G, satisfying canal of phi equals G. This is a very important formula for ISOGENY-based cryptography. On the other hand, there is one problem. For ISOGENY's empty carbs, E and F compute an ISOGENY between them. This problem is called ISOGENY problem. And it is considered hard to solve this problem. This table shows the computational complexity for solving ISOGENY problems. As shown in this table, even using the quantum computers, it is hard to solve ISOGENY problems. Similarly, this computation is easy by using various formulas. However, this computation is hard even using a quantum computer. ISOGENY-based cryptography is based on this asymmetry. And these are the super-singular ISOGENY-based schemes. The many results of our study is the proposal of this sigamo and cisigamo. And these schemes are based on this seaside-key exchange. So, I next explain the seaside-key exchange. Seaside is a Dichy-Hellman-type key exchange based on a commutative group action. First, Alice takes a group M and R and computes its action on electric curve E0. And she computes R E0. And Bob computes B E0. And they exchange these electric curves. And next, Alice computes group action on B E0 and she gets R B E0. And Bob computes B R E0. When this group action is commutative, they share same electric curves. This is a seaside-key exchange. And next, I explain what this group action is. Let O be an order of an imaginary chaotic field. In a seaside setting, O equals Z root points P. And let COO be the ideal class group of O. And let R be the ideal class of an ideal R in COO. And let ELPO be the set of FP isomorphism classes of super-single electric curves, which satisfy its anomorphism link, its isomorphic to O. Then this map is a free and transitive group action, where ER is a component of condos of anomorphisms in integral ideal R. And this ER is subgroup of E. And RE is defined as E over ER. Then this map becomes a free and transitive group action. However, generally, this map cannot be computed efficiently. So in a seaside setting, we use special techniques for computing this map efficiently. First, we take a plane number P and this equation, where L1 to LN are small distinct odd primes. And let PI P be a P for this map over E. There, if E is super-singular, that PI P is isomorphic to Z root minus P. And we define LI as ideal, generated by LI and PI P minus 1. And LI bar as ideal, generated by LI and PI P plus 1. Then by some heuristic assumptions, ideal class group of Z root minus P is approximated to this set. Where M is the smallest integer satisfying this inequality? By various formulas, group actions of L1 to LN can be easily computed. So the group actions of ideal classes in this set can be easily computed. So we take E1 to LN as input and consider actions of these ideal classes. Then we can compute group actions efficiently. This is a seaside key exchange. And next, I explain the public key encryption based on seaside. I will explain one of the simplest PKE based on seaside. The public key is E0 and R E0. The secret key is R. And let print X be mu. And ciphertext is Bay E0 and mu or plus S, where S is a coefficient of R Bay E0. And in the encryption, by using R, we compute R Bay E0. So we get S. Then computing mu or plus S or plus S gives the message mu. This is PKE based on seaside. It is very similar to Algamo encryption. But there are differences between this PKE and Algamo encryption. This PKE is not in CPA secure. Then I explain the reason. Let Bay E0 and CI be the ciphertext of the plaintext randomly chosen from mu0 and mu1. And suppose I equals 0. Then CI or plus mu0 is a coefficient of super-single fd-cub. It is a coefficient of R Bay E0. And CI or plus mu1 is a coefficient of an ordinary fd-cub with high probability. So by judging super-singularity, we know which plaintext is encrypted. So this PKE is not in CPA secure. And this is one of our motivations of our study. Next, we explain the contraction of C-C Gamal and C-C Gamal. First, I explain the image points under group actions. As we've seen, group actions are computed by using an isogeny pi R whose corner is ER. So we can consider the image points under this isogeny. And here is 7. Let P be a pi Gamal and E be a super-singular fd-cub divided over fp. And let R be an integral ideal of fp-andomorphism link of E. Then the image of a point P in E under this isogeny is unique up to plus mu1. We denote the equivalent class of pi Rp by Rp. By this album, we have the commutative diagram. C Gamal and C-C Gamal is based on this commutative diagram. Next, I explain the main idea of C Gamal. Both send to the secret message mu to Alice. First, Alice computes this group action and she gets R0 and Rp0. And let these two sets be public key. And both compute these two group actions. And here is point. Both compute amplification of mu and vRp0. And both send the two set to Alice as a ciphertext. And Alice computes this group action. She gets Rbe0 and Rbp0. And by solving this group algorithm problem, Alice gets the message mu. If the point mu vRp0 and Rbp0 have a smooth order, by using Poich-Hellman algorithm, the discrete algorithm problem can be easily solved. This is the main idea of C Gamal. Next, I explain the construction of C Gamal. Let P be a prime such that this equation. This is very similar to prime in C-Side setting. And here is a different point. In C-Side setting, this number is 4. But in C Gamal setting, this number is 2 to the R's power. And let P be a point of order 2 to the R's power in E0 fp. The public key is this set. And secret key is the integral ideal. The prime takes mu, which is embedded in a group of unit of that over 2 to R's power z. And this is a ciphertext. And here is a point. And in decryption, by using R, compute Rbp0 and Rbp0. And using Poich-Hellman algorithm, we can compute the message mu. This is a construction of C Gamal. Next, I'll explain the construction of C C Gamal. C C Gamal is a compression version of C Gamal. First, I'll just compute this action. The outputs these two sets as a public key. And Bobo computes these two actions. And he also compute this point. Here, this blue point is a point which has order 2 to R and define it over fp. And Alice and Bob publicly shared the algorithm generates this point. There are many algorithms like this. For example, algorithm which outputs the point which has the smallest x coordinate among points meeting the conditions. And by solving this algorithm problem, Bob gets mu star. By this computation, Bob compressed the information of this set to mu star. And Bob compute the multiplication of mu star and bp0. And Bob send to Alice only this set as a ciphertext. And Alice compute this action and she get this set. And this set is equals this set. And Alice compute this blue point and by solving this algorithm problem as gets the secret message mu. This is a C C Gamal. Here is a comparison of C Gamal and C C Gamal. The sides of the public key in C Gamal and C C Gamal are same. It is both times log base 2p. And sides of the plain text are also same. It is r minus 2. But there is different between sides of the ciphertext. Sides of ciphertext in C Gamal is 4 times log base 2p. But the sides of ciphertext in C C Gamal is 2 times log base 2p. So C C Gamal is a compression version of the C Gamal. And this is a construction of C Gamal and C C Gamal. Next, I explain the security and computation costs of C Gamal and C C Gamal. First, I explain the new assumption, PCSS DDH assumption. This assumption is similar to the DH assumption. In the C Gamal setting, the following two probability distributions are computationally indistinguishable. The first distribution is come from a commutative diagram. And in the second distribution, the final point is multiplied by k, where k is a random element of a group of units in z over 2 to rz. So in the second distribution, the final point is a random point. And any PPT algorithm cannot distinguish these distributions. This is the PCSS DDH assumption. And it is hard to solve that PCSS DDH assumption is true. This assumption has come from the idea that it is hard to compute the image point under a hidden isogeny. And it is also hard to solve that this idea is true. But we have an example which makes this idea seem true. And this is a torsion attack. Let pi be an isogeny. And in a special situation, we can compute pi from the points p, q, and pi p, and pi q. Where p and q generate a certain torsion subgroup. In other words, by computing the images of p and q under pi, we can solve an isogeny problem. As you know, an isogeny problem is hard to solve. So the problem computing an image point is also considered difficult. And here is one cell. If the PCSS DDH assumption holds, then sigma and cc gamma have NCP security. And here is comparison with other PK schemes. SIDH, she said, have NCP security. But these schemes use hash functions. And CETA does not use hash functions. But CETA have only one way CPE security. So in this meaning, sigma is more secure than these PK schemes. Next, I explain the computational costs of sigma and cc gamma. We implemented sigma and cc gamma and measured the computational cost of these schemes. Furthermore, we measured those of c side and compared those costs. We take three parameters. First parameter is p0. It is from the c side original paper. The second one is p128. It is 522-bit and the size of print text is 128-bit. And third one is p256. It is 515-bit and the size of print text is 256-bit. And this is the result of our experimentation. Values in this table are values of m plus 0.8 times s plus 0.05 times a, where m is the number of multiplication of fb as the number of squaring of fb and a is the number of addition of fb. And the values of encryption and decryption of c side are values predicted from key generation. And as shown in this table, in 128-bit, the costs of cc gamma and cc gamma is about 1.5, then that on c side. And in 256-bit, the costs of cc gamma and cc gamma is about three or more times than those of c side. And finally, I explained the PLF based on c gamma. And I explained the theorem function based on sigma. The public key is E0 and P0. The secret key is ideas, R0 to RT. And this is input. Output is a new x. It satisfies this equation. This is our proposed new theorem function. And there is one seven. If the PCSZDH assumption and DDH assumption whole, then the function f is the pseudorandom function. We have CSZDH assumption as the security assumption for c side. So our proposed function is the pseudorandom function. And finally, I explained the container costs of our proposed pseudorandom function. In a natural way, the competition costs of the PLF is those of t times group action, where t is the humming weight of the input. But before computing these group actions, computing the sum vectors, we can reduce the competition of costs. By using the central limit theorem, we conclude the costs of the PLF are about root 80 over 3 pi times that of the group action of c. This is also confirmed by the experimentation. And this is the result of our experimentation. This is the psychological values. And these are the values from experimentation. These values are very close. Then my presentation is over. Thank you for listening.