 OK, thank you. Thank you everybody, especially ... Oh, there is some echo if you could, especially the ... Could you check the echo, there is some echo here. Yes, OK. Yes, so especially the administrative staff and everybody taking care of everything the academic, the chairs for inviting this lecture, selecting this lecture. Okay, so, I do not assume anything about the background. All you know that you know what is a group. Okay, so this lecture I will try to make it accessible for this, I do the usual stuff that I took away all the not so relevant stuff from the paper. There are many painful details. I took just what is the heart of the matter. So if you occasionally ask yourself, is this the situation in that system, ... and innovations in Eleven blocks. Problems upon them on which we are building PKC is mainly abelian. Building blocks are mainly abelian. Many people said quantum insecure. So let's take a look. What we have in practice? We have discrete logarithm problems in finite fields or also in elliptic curves and factorization. For many, many years in ...
And, of course, the very hot today assertion that quantum computers break everything classical. So, basically, we have these options I am aware that they are a few more but they are just in the beginning. I'm talking about options that were introduced and began to be studied at least ten or more years ago. So, there are abelian options. DLP or say, there are lattice based crypto, which I put somewhere in the middle because when you multiply matrix by vector, is it abelian or non-abelian, more tending to abelian in my view, but I put it here in the middle. And there is, there are building blocks from non-abelian groups or non-abelian mathematical structures. This is relatively new approach. It was not considered very thoroughly. In fact, it was considered very little. If you count how many papers, how many people worked on it, very little. Okay. So I will talk about the non-abelian option and I claim it must be explored because we are in great lack of difficult, computationally hard mathematical problems to build upon them cryptography. This is also the case in complexity theory where people start looking at non-abelian questions in order to try to extract hard problems. Okay, so if you want to test to check whether you can use non-abelian groups for cryptography, you also need the good general cryptanalytic tools to assess the security of such proposals. 
So here we will talk about general cryptanalytic method that I introduced I call it algebraic span cryptanalysis. You will see why later. This method was able to cryptanalyze in a very convincing way, essentially all classic, classic if I can say so, proposals for non-abelian group cryptography or key exchange protocols, but not all, but a good number, the main ones. So, first let us talk about conjugation. Conjugation in non-abelian groups. So, g will always be a non-abelian group, means elements do not commute, ac is not equal to ca, and we denote by a to the power c the conjugate of a by c, just this c inverse ac, this is called conjugation. Conjugation is an isomorphism, it means that it commutes with every group theoretic operation, like multiplication here, you can put it inside, you can put it instead of the, you can swap between it and inversion. So if you invert and then conjugate, it's like conjugating and then inverting. Recall a to the c means this. So it behaves much like exponentiation, but here a and c are both group elements, and this a to the c means conjugation, not exponentiation. So, but this probably justifies the notation. Now, if there is a word in the, in variables, for example, this is an example of a word in variables, you can plug in the variables elements from the group. So for example, if you plug in conjugates of elements, you can take the conjugate, conjugator outside and you will get the same result because of these two things. So conjugation goes outside of inversion and outside of multiplication. So in the end it will be completely outside of the word. That's a basic property of conjugation in general. Okay, so now I will introduce you a key exchange that was introduced long ago and it's very interesting because it's completely different than the earlier ideas of key exchanges. It uses the fact that the group is non abelian in a very, very nice way. 
So Alice, we have Alice and Bob, each of them picks a word in the variables x1 to xk, like we saw before, like x1, x5 inverse, et cetera, some random word, secret. Red always means secret, green means public, known. Okay, and there is some non abelian group and there are some subgroups of these groups generated each by some elements. Everything here is public. Now, what Alice does, she takes her word in the variables and plugs in the generators a1 to ak and she gets an element in this generated group, just an element in this group. Let's call it a. Bob does the same, he plugs in these public elements and gets b. So because the words are not known, the resulting elements are also secret. They are known only to Alice and Bob respectively. Now, what do they send in the air? So Alice sends the generators for this group conjugated by the secret element. The result of the conjugation is sent. So this is like in a green box. You can see the result of the computation, you don't see what is a. And similarly Bob sends the conjugates of these elements. So this is it. How do they compute the shared key and why is it called the commutator key exchange? Let's see. So Alice knows a and she knows the secret word v. So she can plug in these elements because they are public in the air. Now we already said that you can take the b outside, you can take the conjugator outside. So let's see what happens. When you look at this, you take the conjugator outside, you get v of this, which is just a. So you get a inverse a to the b. You can write it explicitly. This is a to the b. And then you can similarly express it in a way that Bob can compute. And the shared key is the commutator of a and b. This is called the commutator. Okay, sorry, maybe leave it a little. So this is the system. Now let us say a few words about how to get linear equations from conjugations. So we will always assume that g is a group of matrices. Why? 
Because in all practical cases, there are ways to represent the group in some sense as a group of matrices. I will avoid all these technicalities and just assume outright that g is a group of matrices, n by n matrices over a finite field. So now the elements are matrices. And we are given, let's assume that we are given an element like this. Someone took a known element b and conjugated it by a secret element a and we know the result. Let's call it c for here. So we know c. Now we can write explicitly. b to the a formally is the conjugate of b. We can move a to the other side. And this is a known matrix. The entries are known. And here the entries are also known. So if we look at the entries of the matrix a and think of them as variables, we get linear equations on the entries of the secret matrix a. So we have linear equations on the secret. Of course, they will not give us the secret because, for example, zero is a solution. And a is not non-zero, it's invertible. But anyway, you get linear equations, which is a good thing. Now if you take a random solution with high probability, it will be invertible. This is essentially, this follows from the famous Schwartz-Zippel lemma. So let's take a solution of this system of equations. Let's write it explicitly. Solution means that times this is equal to b times itself. So this is it. Let's put a back here and back here. It means that you can, by solving linear equations, obtain an invertible solution a tilde, which will behave like red a. This is always possible. So that's the heart of the idea of the basic. That's the key idea of, let's say, in a simple case. Now what are algebraic spans? So this is our setting and we know that we can find, given b to the a, we can find some a tilde, which does the same job. But a tilde is, okay. Not necessarily an element of the group g. Here red a is in g. A tilde is not necessarily in the group g. It's very hard to force this because this is not a linear constraint. 
What we can force is that a tilde is in the span, in the algebraic span of the group g. Look, g is a group of matrices. You can take the linear span, all linear combinations of elements of the group g. These are just matrices. And you get many matrices, not necessarily invertible, but some vector space. So membership in a vector space is a linear constraint. So you can actually solve these linear equations together with this constraint. And then you guarantee that a tilde is maybe not in g, but it is in the algebra generated by g. This is what you can do. And you can do it efficiently. You can compute the algebra generated by g efficiently. So given the group, given the generators for the group g, you can compute by just multiplying and doing Gauss elimination all the time until you get nothing new. So what is algebraic span cryptanalysis in a nutshell? It uses these ideas. So the general setting is that we are given subgroups, some groups of matrices, so subgroups of this group, and there are secret elements g1 to gk inside these groups. And we have linear equations on the entries of these secret matrices. And we need to find some function of these secret matrices. Let's say the shared key, for example. This is the most general problem in this setting. So instead of solving the linear equations subject to this membership, which is infeasible because these are not linear constraints, what we will do, we will solve the equation subject to the linear constraints. That we force g1, we cannot force it into the group g1, but we can force it into the algebraic span of g1. So this is what we do. We just solve subject to these relaxed constraints. And then this is the funny part. Then we pray or prove, if we can, that every solution that we can find, every solution to the linear equations that satisfies these constraints, actually when we plug it to f, we get the same as if we found the correct solution and plugged it in. 
Even though these elements not necessarily are in the groups, now I will show you that in the algebraic eraser this is the case, in the commutator, sorry, key exchange protocol. What happened there is that we were given elements, a was a word in a1 to ak, so it's in this group. b was generated by an element of this group because it was generated by a word in b1 to bk. These were given, a and b are secret. And we are given, so this is the setting, we are given the conjugates of the generators, like this, and we want to find the commutator. This is the shared key. That was the situation. So solving linear equations, we can obtain elements of the algebraic spans of these groups. Okay, so not of these groups. We want them to be in these groups, but we cannot. We force them to be in the algebraic span of these groups. These are linear constraints, together with this system of linear equations. So altogether this is a system of linear equations, we solve it, and we find elements a tilde and b tilde. We can do it just linear, just Gauss elimination in the end. It's just Gauss elimination. So because a tilde is generated by a1 to ak, this is a linear combination of products. This is the algebra, okay? And conjugation commutes with all the operations. Also it commutes with addition. What happens is that, when you, let's see, a tilde is some, think about the product, for example. So when you conjugate by a, it will go into the product, so it will conjugate the generators. Let's see, they are here. And therefore we can replace the red b in the generator level with the blue b. And when you do this, you go outside again and you get that a tilde to the red b is equal to a tilde to the blue b. It's the same thing. And similarly you get something for b. And now you can go here and do the computation and it works like magic. It is actually, it finds the correct key. 
I do the, I take the commutator of the solutions of the secret elements and it turns out to be the commutator, the secret key. The commutator of the red elements. How could it be they are outside the group and the result is in the group? Why? Because we can prove it. We can prove it. Yeah. Proof is something strong, yeah. So let's take a look at this. So this is just conjugation of a tilde. This we know from here that it is this. Now let's write it explicitly. Now you can rephrase and because this is equal to b to the a and you rephrase and that's correct. So very simple. It looks like a trivial cryptanalysis and this is the, this is the cryptosystem, the key exchange protocol that survived longest among the non-abelian key exchange protocols. This solution is relatively recent. Okay. And sort of trivial. Now, this, there was before, I found before this method, before I found algebraic span cryptanalysis. I used a much more complicated method to cryptanalyze this key exchange protocol. So having yet another method is not so interesting if it's not general. In fact, this method, the algebraic span method, it applied to all major cryptosystems, key exchange protocols, suggested before it was introduced. So for example, I will show without details because of lack of time, but I also did not plan to give details. This is much more complicated. We found the first cryptanalysis of a certain key exchange protocol that no one had a clue how to cryptanalyze it. In any method, heuristic, ad hoc, provable, whatever, our, these cryptanalyses are provable. They work in the worst case. You cannot foil them by changing the distribution. In fact, we solve complexity theoretic problems. So this is why you cannot foil them. So this is a picture. Nice picture. We don't need to read it of a so-called triple decomposition key exchange protocol. And basically the idea without reading it is that you take, there is some group and there are pairs of subgroups that commute element wise. 
And then you start sending in the air products of secret elements. Now, it is not a big problem when you have a product of two secret elements. This is not a quadratic, does not give you quadratic equations because you can move one element to the other side of the equation and get linear equations. The problem is here. This is why it's called triple decomposition. Here if you move one of the variables to the other side, you still have something quadratic on the other side. And this is why no one succeeded to break it. The key here was that you can still use algebraic span cryptanalysis. Well, if you ignore these two bits of information, the cryptanalysis failed. We actually implemented it. Kenny Paterson all the time asks if we implemented it. We implemented it, it failed. You need to make use of these triple products. So how to do it? You look at the product, for example, this one, you know that if you take this, which is a known element and multiply it by the group generated by x1 and v1. These are the groups containing these secret elements. It sort of swallows and you get that this affine subspace of matrices actually has only x2 on the outside. This is swallowed inside. And then you can use this as a linear equation. You can say that x2 belongs to the corresponding affine space. If you want to see, if you insist to see how it looks, such an equation I will show you. But don't say that I didn't warn you. Okay? So you basically do such a computation and the constraints will look something like this, that x2 tilde belongs to the algebraic span of A2 times this. But this is a known space. Let's look, it appears somewhere. This is equal to this. So this is known, this is known. This is just a shift of a linear space. So it's an affine space, basically. So you get a set of linear equations with very delicate proof. You are done with the time. Okay, so we are running out of time. Yes, so you can get the shared key. 
So I will just put here the slide of the final comments. And may I have one minute of comments, something to say something, because this is sort of a special field in cryptography. So I think it deserves in this audience to say something. So the methods apply also to other schemes, as I said before, but not to all of them. And this is not the end of non-Abelian cryptography in the sense that it does not apply to some known cryptosystems. There are many problems that you can try it with other things. I assumed that the group can be represented as a group of matrices. This is not always the case. And when new systems emerge, the application becomes more and more difficult. So there is a lot of room there to try and push further and understand what's going on. Why is it not, why is it thus far we have some negative experience with this field, is because not much effort was put in coming up with good cryptosystems. Just there are not enough people who are well equipped, both with knowledge of non-Abelian groups and cryptology. So what the message is that we need patience and tolerance somehow to let this field develop in some pace that maybe eventually it will help us finding some good building stones for cryptography. Thank you. We have no time for questions, so please thank you.
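
The linearization step described in the talk, where a conjugate b^a = a^-1 b a yields linear equations whose random solution is an invertible matrix acting like the secret, is shown below as an added example; it is not code from the lecture or the speaker's paper. The field GF(251), the 3x3 sample matrices and all function names are constructed assumptions, and the algebraic-span membership constraint is not imposed here.

```python
import random
P = 251  # constructed toy field GF(251)

def rref(M, p=P):
    """Row-reduce M over GF(p); return (reduced matrix, pivot columns)."""
    M, pivots, r = [row[:] for row in M], [], 0
    for c in range(len(M[0])):
        pr = next((i for i in range(r, len(M)) if M[i][c]), None)
        if pr is None:
            continue
        M[r], M[pr] = M[pr], M[r]
        inv = pow(M[r][c], -1, p)
        M[r] = [x * inv % p for x in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c]:
                M[i] = [(x - M[i][c] * y) % p for x, y in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    return M, pivots

def mul(A, B, p=P):
    return [[sum(a * b for a, b in zip(row, col)) % p for col in zip(*B)] for row in A]

def conj(B, A, p=P):
    """Conjugate B^A = A^-1 B A; A^-1 is read off the reduction of [A | I]."""
    n = len(A)
    R, _ = rref([row + [int(i == j) for j in range(n)] for i, row in enumerate(A)], p)
    return mul(mul([row[n:] for row in R], B, p), A, p)

def find_conjugator(B, C, rng, p=P):
    """From public B and C = B^A, return an invertible X with X C = B X."""
    n, rows = len(B), []
    for i in range(n):
        for j in range(n):          # entry (i, j) of X C - B X = 0, linear in X
            row = [0] * (n * n)
            for l in range(n):
                row[i * n + l] = (row[i * n + l] + C[l][j]) % p
                row[l * n + j] = (row[l * n + j] - B[i][l]) % p
            rows.append(row)
    R, piv = rref(rows, p)
    free = [c for c in range(n * n) if c not in piv]
    while True:                     # random solution; retry if it is singular
        x = [rng.randrange(p) if c in free else 0 for c in range(n * n)]
        for r, c in enumerate(piv):
            x[c] = -sum(R[r][f] * x[f] for f in free) % p
        X = [x[i * n:(i + 1) * n] for i in range(n)]
        if len(rref(X, p)[1]) == n:
            return X

def demo(seed=1):
    A = [[2, 3, 1], [1, 0, 4], [5, 6, 7]]   # constructed secret conjugator
    B = [[1, 2, 0], [0, 1, 3], [4, 0, 1]]   # constructed public element
    C = conj(B, A)                           # public conjugate B^A
    X = find_conjugator(B, C, random.Random(seed))
    return conj(B, X) == C, X, A
```

`demo()` returns whether the recovered matrix conjugates B to the same public value, together with the recovered and the secret matrix so the two can be compared.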