break that wasn't a long break, that's not the break; the actual break is later. I'd like to have everyone back here for the next session. This is not yet the coffee break, the coffee break will be later, so in order to give attention, enough attention, to the next session, and that we have more time, also we have a bit longer time then.

Okay, I'm pleased to introduce the special session here in the plenary lecture, because it is the paper with the best paper award. It is about identification protocols and signature schemes based on supersingular isogeny problems. Steven Galbraith, Christophe Petit and Javier Silva are the authors, and Javier, please.

Okay, thanks. So I have two goals for this talk: first, that you understand what the title means, and second, to give you a very brief intuition of the construction and why it works. So, as Dustin has just said in the previous talk, most of cryptography relies on Diffie-Hellman type problems or RSA assumptions, which essentially in the end depend on two problems, discrete log and factorization, and when we consider quantum algorithms these problems are broken. So we start to look for alternatives. One alternative, one of the minority alternatives, is elliptic curve isogenies, so we will see what we can build with them.

So to give you a little bit of perspective, I want to recall what's been done in isogeny-based crypto in recent years. So we have hash functions, key exchange protocols, designated verifier signatures, public key encryption, ID protocols, undeniable signatures, a lot of stuff. And particularly, we already have ID protocols and signatures, and we're building a new one, so why? The answer is that the signature scheme that already exists actually relies on the ID protocol that already exists, and they share the same issue, and it is that they rely not on the pure isogeny problem but on a modified problem that gives some extra information to the attacker. So this is potentially an easier problem. So what we are trying to achieve in our
paper is to build the ID schemes, and then signatures, that rely on the pure problem without giving any extra information.

Okay, so the outline of the talk is the following. First I will recall the graph isomorphism proof. I believe most of you will be familiar with it, but it's worth recalling because it will share a common structure with the proof we are going to build. Then I will talk about the supersingular isogeny graph, which is one of our main tools for building this identification protocol. Then I will explain the construction very briefly and talk about how we can get signatures from that.

So, graph isomorphism first. This is a textbook example of a zero-knowledge proof. So we have two parties, Peggy and Vic, and Peggy is the prover that knows a secret and wants to prove to Vic, the verifier, that she knows the secret without revealing any information about it. So in this case the secret is an iso... sorry, not an isogeny yet, an isomorphism between two graphs. So I will represent on the left part of the screen what Peggy knows, and on the right part of the screen what Vic knows. So the difference right now is that Peggy knows a secret, this isomorphism, and Vic doesn't.

So how does the protocol work? Well, first Peggy takes a random permutation of the graph G1 and produces another graph G2, and sends this graph to Vic, but without sending the permutation. So now Vic sends a challenge, which is just one bit, either zero or one. I'm going to use the red color to represent what happens when the bit is zero, and blue what happens when the bit is one. So when the bit is zero, Peggy just reveals this vertical isomorphism, and in the other case reveals an isomorphism between G0 and G2, which is just a composition of these two.

So, very intuitively, why is this secure? First, can Peggy cheat? Well, on a very high level, what happens is that the only thing Peggy can do, if she doesn't know this secret isomorphism and wants to produce a proof, is to guess which challenge, either 0 or
1, Vic is going to send. So either she takes a random permutation from here or from here, so she can cheat with probability one half. To solve this, we just repeat the protocol many times to make this cheating probability negligible. Another property: we want this interaction to reveal nothing about the secret, and intuitively that happens because when the bit is zero we're just revealing this vertical isomorphism, which is independent from the secret, and in the other case we're revealing the composition, and this part is essentially masking this one. So we have the zero-knowledge property.

So after that we have an identification scheme, and there's a standard way to produce a signature scheme from that. There are some general transformations; traditionally the most well-known one is Fiat-Shamir. We can use it to produce signatures from identification schemes.

So this protocol that I just presented has a structure in which we move between a few graphs, but actually we can think of a very similar structure within one graph, which is: we take the vertices of a graph, and we have a path between them that is secret, and we will assume it is hard to compute, and we replicate the same structure. Given a challenge, we either give this path, the vertical one, or the path from E0 to E2. But the thing is, what is this graph, and why is this secret hard to compute? So that's where supersingular isogenies come into play.

So to introduce the supersingular isogeny graph, I first need to introduce a very few simple definitions of elliptic curve theory. So, elliptic curve, I believe we all know what it is: it is an algebraic curve with a group structure, in which we can essentially add two points by using this rule. An isogeny is essentially a function between two elliptic curves, and an endomorphism is an isogeny from a curve to itself. So we have this structure in which we have two points and we have an arrow between them, and we want this arrow to be hard to
compute. So the natural problem we come up with here is the isogeny problem: we have two isogenous elliptic curves and we want to compute an isogeny between them, and this is believed to be hard. And the related problem is: given an elliptic curve, compute the endomorphism ring. But the thing is, not for any curves are these problems of the same level of hardness. Actually there's a classification of elliptic curves. I won't get into the details of that, but essentially there are two types of elliptic curves, either ordinary or supersingular, and we can solve these problems differently for each of these types, and it turns out that they are harder to solve for supersingular elliptic curves. Actually these two problems in this case are equivalent; they're not known to be equivalent for ordinary curves. And we have complexities of the order of p^{1/2} classically and p^{1/4} quantumly, whereas in the ordinary case we often have subexponential time. So we will stick with the supersingular case.

And finally, what is this supersingular isogeny graph? It's essentially: we take all the isogenous supersingular elliptic curves over F_{p^2} for a very large prime p, up to some equivalence relation, but that doesn't matter now. Just think of the vertices as the supersingular elliptic curves, and the edges will be the isogenies between these curves, the functions between them. And this graph has a very nice property: it's called a Ramanujan graph, which essentially means it has lots of edges between the vertices, it has lots of connectivity, and it is easy to start from one vertex in the graph and reach any other point in very few steps.

So we now have all the elements we need to build our identification protocol. Just to recall the very formal definition of what an identification protocol is, you might have seen this as a sigma protocol or zero-knowledge proof of knowledge. Essentially we have two parties, as before, Peggy and Vic, and they will
interact in a certain way, and Peggy will want to prove to Vic that she knows the secret without revealing the secret. So we want three properties from this. We want completeness: if she knows the secret, she should be able to convince Vic. What we call soundness, which is: if she doesn't know the secret she shouldn't be able to cheat, she shouldn't be able to produce a valid proof. And finally the zero-knowledge property, which means that this interaction reveals nothing about the secret itself.

So we had this structure; we have it here again, but now we can give a meaning to any of the elements here. Now we have two isogenous elliptic curves, E0 and E1, and the secret isogeny between them, and the structure of the protocol will be to either, given a challenge zero or one, reveal this vertical isogeny or this isogeny from E0 to E2. So this looks very simple, but it's not as simple as in the graph isomorphism case, because there the only thing we had to do to compute this isogeny, this isomorphism in that case, was to take the composition of these two. Now we can't do that, and the reason for that is that isogenies are not the same as isomorphisms. If we do that, an attacker could actually factor this isogeny into each step in the graph and actually recover this first part of the path, which is the secret. So if we do this we cannot expect to have the zero-knowledge property.

So how do we solve this? There's an algorithm that we can build, and it is based on an algorithm for a related problem. It was published a few years ago by Kohel, Lauter, Petit and Tignol, and essentially what it does is it allows us to take this isogeny we have from E0 to E2 and compute another one that is independent of the path we took before. So it's essentially a sort of re-randomization of this path. So what we do now is, when the bit is one, we want to answer with an isogeny from E0 to E2. So first we take the composition of
these two, but we don't reveal it. We just apply to it this new path algorithm and compute this re-randomized path between E0 and E2, and this is the one we reveal, and this way we're solving the zero-knowledge problem we had before.

And also, well, I want to give you now an intuition of the security of this. Obviously soundness, this is essentially the same as in the graph isomorphism case, it's the same idea. And for zero-knowledge: zero-knowledge is usually formalized as simulation of the transcripts. Essentially we want to prove that we can produce transcripts which are indistinguishable from genuine transcripts, but we can produce them without knowing the secret. So let's see how we do that. We have two curves, E0 and E1; we don't know the isogeny, which was the secret. So we start by taking a bit, and if it's zero we reveal the vertical isogeny, and we do that by just taking a random walk from E1, producing E2, sorry, and reveal the path. And for the other case we just take a random walk from E0 to E2, and we could reveal this isogeny, but it wouldn't have the same distribution, because this re-randomization algorithm that I mentioned doesn't give you a uniformly random isogeny from E0 to E2. So what we do here is apply the same trick: we re-randomize here too and we get an isogeny... am I doing that? And we get an isogeny which has the correct distribution between E0 and E2.

And finally, very briefly, how to get signatures from this. So I've mentioned before there are standard transformations. So classically we have a transformation which is essentially replacing the challenges by a hash function of the commitments, the curves E2, and the message we want to sign. So what is happening is that Peggy is doing the protocol by herself, and then when Vic wants to verify the signature, all he has to do is recompute the hash and verify that the proof is consistent. So this is proven to be secure in the random oracle model, but this is what we are thinking about: in terms of quantum
security, post-quantum security, Fiat-Shamir is not known to be secure. So we replace it by another transformation, due to Unruh, which is proven to be secure in the quantum random oracle model. So this transformation is in some way similar to Fiat-Shamir; it's more complicated, but it's the same idea of using some hash functions to replace the verifier.

So to summarize what we did: we start with isogeny problems, which we believe are a good candidate for post-quantum security. We have an identification scheme based on the pure isogeny problem, in contraposition to the previous scheme, which was based on a potentially weaker problem. A key to do this was this re-randomization algorithm, that was a key step of our proof. And finally, we can derive signatures in a standard way using generic transformations. And that's the end of the talk. Thank you very much.

I think we have time for questions. Yes?

Now, can you provide some numbers, key sizes, signature sizes, if you implement it in a secure way?

Actually I can't provide the concrete numbers right now, I don't have the details, but I can say this is not very efficient. If you want I can give you some numbers later, but I don't have them here.

Other questions? Especially in the back... but I think, yes.

So I'm wondering about how it compares. So you were talking about previous signature schemes based on isogenies that were based on more specific problems than the one that you're considering, but then if you take the security parameter into account and the difference in efficiency, do those problems become incomparable, or can you say that you have a more solid problem even regardless of that?

So I believe the previous scheme is slightly more efficient than ours, but there's this problem of the problem being potentially weaker. There's... it's not that there's an algorithm that solves the other problem faster in general, but there are some cases in which this additional information that is given can be exploited to produce some attacks.

Okay, if you have a
question then you have to see either the speaker or me; otherwise I don't see anyone else anymore. Okay, so we thank everybody else again for the questions, and the authors of course for the paper.