I am Péter Kutas and I'm going to talk about SÉTA: Supersingular Encryption from Torsion Attacks, which is joint work with Luca De Feo, Cyprien Delpech de Saint Guilhem, Tako Boris Fouotsa, Christophe Petit, Javier Silva, and Benjamin Wesolowski. So currently in this post-quantum competition in the third round, there are 15 candidates, eight finalists and seven alternate candidates, and they're based on either lattices, codes, multivariate schemes, isogenies, hash functions, or multi-party computation. And there's only one isogeny-based candidate, which is an encryption scheme, SIKE, which has the advantage that it has small keys. It has the disadvantage that it has poor efficiency compared to other candidates. It's usually an order of magnitude slower than, for example, lattices. SIKE is based on SIDH, which was discovered in 2011. And many isogeny-based protocols have been discovered since, but not too many encryption schemes. So it's a natural problem to build new encryption schemes based on different problems.

So our main contribution is SÉTA, which is a public key encryption scheme based on an injective trapdoor one-way function, which is actually inspired by an attack against SIDH variants called torsion point attacks, which were initially discovered by Petit at Asiacrypt 2017. Our other main contribution is that we also proposed concrete parameter sets for SÉTA, and we also present the first implementation. And finally, we also introduce a new hardness assumption called the Uber isogeny assumption, which actually encompasses all isogeny-based assumptions used in practice.

So let me give a brief introduction to isogeny-based crypto. So let E be an elliptic curve, which has the affine equation y squared equals x cubed plus ax plus b. And the points over a finite field F_q form an additive group where scalar multiplication, so multiplying a point by N, is the analog of exponentiation in this group.
And finally, E[N] is called the N-torsion subgroup. So the subgroup of elements whose order is a divisor of N, and as an abstract group, it is isomorphic to (Z/NZ) squared. An isogeny is a rational map between two elliptic curves, E and F, which sends the point of infinity of E to the point of infinity of F. So in particular, it's also a group morphism. And an isogeny is separable if the degree of this map is just equal to the cardinality of the kernel. Finally, if you have an isogeny between E and F, then you also have an isogeny between F and E called the dual isogeny, with the property that if you compose that with your original isogeny, you just get multiplication by the degree.

Let me give a brief example over F_11. So the first curve E is y squared equals x cubed plus x, and F is y squared equals x cubed minus 4x. And this map phi goes from E to F and is an isogeny between them. And the actual map is now drawn by these red dotted lines. And as you can see, the kernel is actually generated by that red point. And it has cardinality two. It consists of that red point and the point of infinity. So this is a degree two map and it's analogous to squaring in F_q star.

If an isogeny goes from E to E, then it is called an endomorphism. And the endomorphisms of a curve form a ring under addition and composition. Let me give some examples. So one example is just multiplication by N. So taking the point P and mapping it to N times P. Another example is when the curve is defined over F_p, then you can map (x, y) to (x to the p, y to the p). And this is called the Frobenius endomorphism. The structure of the endomorphism ring allows us to classify curves into two categories. So if the endomorphism ring of an elliptic curve over a finite field is commutative, and in particular an order in a quadratic imaginary field, then it is called ordinary. And when the endomorphism ring is non-commutative, actually in particular a maximal order in a quaternion algebra, then it is called supersingular.
And in this talk we will focus on supersingular curves.

So now let me briefly recall SIDH, supersingular isogeny Diffie-Hellman, which is a key exchange between Alice and Bob. And now we have as parameters two integers N_A and N_B, which are coprime and smooth. And now Alice chooses a secret isogeny phi_A of degree N_A which goes from E_0 to E_A, and Bob chooses a secret isogeny phi_B of degree N_B which goes from E_0 to E_B. And their goal is to compute the push-forward isogenies, which should result in the same curve E_AB, E_BA. So in particular, if the kernel of phi_A is generated by A and the kernel of phi_B is generated by B, then you want the shared curve to be corresponding to the subgroup generated by A and B. But if you only publish E_A and E_B then there's no real way of actually arriving at the same shared curve. So to make this happen you also need to publish torsion point images. So Alice also publishes phi_A(P_B), phi_A(Q_B), where P_B and Q_B generate the N_B-torsion, and also Bob publishes phi_B(P_A), phi_B(Q_A), where P_A and Q_A generate the N_A-torsion.

So the hardness of this problem is dependent on the computational supersingular isogeny (CSSI) problem, in which one is given two curves E_0 and E_A and we know that there's a degree N_A isogeny between them and the goal is to find the special isogeny. However, in SIDH, as you can see, more information is given, so you're not only given E_0 and E_A and the degree N_A, you're also given phi_A(P_B), phi_A(Q_B). So you also know the secret isogeny on the N_B-torsion. So we'll dub this the CSSI-T problem. Furthermore, in the case of SIDH, E_0 is fixed and has known endomorphism ring. And then underlying all these problems is the most natural number theory problem, which is the endomorphism ring problem, that one is given a curve E and one has to find its endomorphism ring.

Now we'll briefly recall torsion point attacks and give applications. So in torsion point attacks, you want to solve the CSSI-T problem and the endomorphism ring of E_0 is known.
So you want to exploit this fact in a meaningful fashion and the main idea is the following. So one is looking for an isogeny phi_A between E_0 and E_A, and then one can look at specific types of endomorphisms of the target curve E_A which are of the form d plus phi_A, an endomorphism from E_0, and then phi_A dual. And the main idea here is that if you take the endomorphism theta in End(E_0) in a good fashion, then this specific endomorphism of E_A will be computable, namely find an integer d and theta in End(E_0) such that the degree of this endomorphism psi is N_B squared, because then there's a not too hard way of actually computing psi knowing phi_A(P_B), phi_A(Q_B). So even though you don't know phi_A and you don't know phi_A hat, you know how it acts on the N_B-torsion and this gives enough information to actually recompute psi if psi has degree N_B squared. And then once psi is known, then there's an easy way of recomputing the dual of phi_A, namely intersecting the kernel of psi minus d with the N_A-torsion of E_A, modulo some conditions, some small conditions on theta.

So essentially breaking the SSI-T problem reduces to finding d and theta such that the degree of this d plus phi_A theta phi_A hat is equal to N_B squared. And when the starting curve has j-invariant 1728, this leads to a very particular norm equation, d squared plus N_A squared times c squared plus p times b squared plus a squared equals N_B squared. And we know we can compute a solution when N_B is bigger than p times N_A. This has no impact on SIKE or SIDH because in SIDH, N_A and N_B are roughly the same size and they're both roughly the square root of p. So that's still secure.

However, there is a more interesting approach, namely, so of course the previous norm equation stands if you fix E_0 to be 1728. What happens if you want to design specific backdoor curves where you can solve this problem in a more general fashion?
So namely, instead of choosing E_0 first and then finding the endomorphism second, you somehow find the endomorphism first and then find the curve afterwards, which in some sense doesn't make too much sense on the elliptic curve side, but then what you're working with perfectly makes sense. And this leads to a more generic norm equation, d squared plus N_A squared n equals N_B squared, which you can solve whenever N_B is bigger than N_A squared, because essentially you solve it modulo N_A squared and then hope that the resulting n has the property that Z[sqrt(-n)] is embedded in the quaternion algebra. And if that is the case, then after a few iterations, this can be done easily. So if Z[sqrt(-n)] is in the quaternion algebra, then you can try to look for a specific maximal order that contains Z[sqrt(-n)] and that E_0 will be the backdoor curve. And then if you know this endomorphism theta in End(E_0) such that Z[theta] is just isomorphic to Z[sqrt(-n)], that breaks the CSSI-T problem.

Okay, so the SÉTA one-way function: one has the integers d, n, N_A, and N_B and the solution to d squared plus N_A squared n equals N_B squared. And the public description is the starting curve E_0, which contains this quadratic order Z[sqrt(-n)], and P and Q, which generate the N_B-torsion. And of course one has to note that you only know that this Z[sqrt(-n)] is contained in End(E_0). You don't actually know the embedding. The trapdoor, the function itself: you take an isogeny of degree N_A from E_0 to E_A and the output of the function is E_A plus the images of the torsion points P and Q under phi_A. And then the trapdoor information is just this theta which is contained in the endomorphism ring of E_0 such that Z[theta] is isomorphic to Z[sqrt(-n)]. And inverting the one-way function is just applying the torsion point attack against the CSSI-T problem.
The inversion problem is just the CSSI-T problem plus the knowledge that you know that Z[sqrt(-n)] is actually embedded in the endomorphism ring of E_0. So now we are ready to give the details on parameter choices and implementation.

Okay, thank you very much, Péter, for this introduction of the SÉTA trapdoor one-way function. And now we are going to focus on the concrete instantiations of our scheme. And first, I'm going to briefly give you the key generation procedure, because this is not something that Péter introduced to you, but the key generation algorithm has a big impact on the selection of parameters. So our goal is to compute the curve E_0 with this embedding of a special quadratic order Z[sqrt(-n)] inside its endomorphism ring. And so how do we do that? Well, the answer is that we're going to use the Deuring correspondence. Unfortunately, we don't have the time in this video to introduce to you the nice details of this very interesting mathematical theory. The main idea is that this correspondence gives you a way to interpret supersingular elliptic curves and isogenies as lattices inside a quaternion algebra whose definition only depends on the prime characteristic p. So more concretely, this means that elliptic curves are going to correspond to maximal orders of this quaternion algebra and isogenies are equivalent to ideals; both are types of lattices, and I'm not going to be giving any more detail than that.

So what we need to start using this Deuring correspondence for our algorithm is a starting curve F_0 with a special endomorphism ring End(F_0) which is isomorphic to the maximal order O_0, which we know. And in fact, for this special curve, we also require that we can evaluate the endomorphisms of this curve efficiently.
You can show that you can find such a curve for every prime p, but there are only a few of them, and for most of the other supersingular curves, we don't know what their endomorphism ring looks like and how to evaluate them on points. So this is really a special case, but we know that it exists.

Once we have done that, here is the algorithm that we're going to use. So the idea is that we start by finding an element theta of norm n and trace zero inside the quaternion algebra. So this is done by solving basically quadratic equations. And with that, we obtain an element theta such that Z[theta] is isomorphic to Z[sqrt(-n)]. Then we can find a maximal order O that is containing this element theta, and this will give under the Deuring correspondence the curve E_0 that we are looking for, and the embedding is going to be obtained through this theta.

So now how do we find E_0? Well, we are going to use ideals. In particular, we are going to compute a connecting ideal I between O_0, so the special maximal order, and O, the order that we just computed. And under the Deuring correspondence, we know that this gives an isogeny from F_0 to E_0. So if we can compute this isogeny, then the answer to our problem, E_0, is going to be the codomain of this isogeny. And so this last step is actually the bottleneck in the computation, because apart from that, all the other operations are done over the quaternion algebra with linear algebra and quadratic norm equations, which we know how to do efficiently. So the hard step is the last one, which was only recently introduced in the context of isogeny-based cryptography. And I won't get into the detail because the algorithm is quite complicated. Remember that this translation from quaternions to isogenies is the hard part. So now that we have that in mind, we can go to the parameter selection.
So a generic principle that we have to remember is that if we want isogeny computations to be efficient, we first need the degree to be smooth and also to have the kernel defined over F_{p^k}, where k is small. And this is equivalent to saying that the degree must divide p^k - 1. So now that we have that, we see that the goal will be to find a prime p such that p^k - 1 has a lot of smooth factors. And the size of this smooth factor depends on the scheme we want to build.

So in our case, here are the requirements. First, for encryption and decryption, we have these degrees N_A and N_B. And if you remember what Péter said earlier, these are the values that we are going to use. These are the degrees of the isogenies we need to compute for the trapdoor one-way function. So this would be the part involved in the encryption and decryption. And we have the bound N_B bigger than N_A squared; we also need that these two degrees must be coprime. Then for the key generation, we need other parameters T and l^e, which I did not introduce, but you have to believe me, we need them. And you also have to believe me that we have the very complicated constraint on p that T must be bigger than p to the 3/2. And the fact that T must be bigger than p in particular is what is going to make the parameter selection complicated. Because basically we cannot find a value of T and then, sorry, we cannot fix a value of T and then find a p such that, for instance, p squared minus one is going to be divisible by T. So we must go the other way around, which is to select several possible primes until we find one with a suitable T. Okay, and of course, with that method, the factors in T are still going to be quite big, as you're going to see next.

So now in terms of security, we need N_A to be quite big to avoid meet-in-the-middle attacks and also p to be big to avoid generic endomorphism ring computation.
And you can see from the torsion requirements above that with those two constraints, this also gives us a bound on the values of N_B, on the size of N_B and T.

So here is all we need to know about the parameters, and basically to choose them, we have two strategies. Either we choose faster encryption and decryption but slower key generation. And so for that, the idea is to choose optimal degrees for N_A and N_B. So in this case, it would be powers of twos and threes. And so we can do that and have them defined over F_{p^2}. But the problem is that in that case, T is going to be defined over a field extension of degree maybe like a few hundreds. And even if that's polynomial, technically polynomial, it's still in practice very big. And so in the end, we would end up with a key generation which would probably be impractical.

So the other possibility, which is what we chose to do for our implementation, is rather to start with finding a good prime p with good torsion points, T-torsion points, and then to choose N_A and N_B among the available torsion. And with that strategy, we get that all the torsion points are defined over F_{p^2}, which gives us a reasonable key generation. Of course, since the factors in N_A and N_B are going to be a lot bigger than two and three, the encryption and decryption mechanisms are going to be a lot slower.

So we did this for 128 bits of security and we obtained a 400 bit prime p of this form with the following factors. And you can see for instance that there are a lot of very big factors in N_B, which is what is going to slow down the computation and the decryption mechanism in particular. And so with that in mind, we made an implementation in C and we get that the key generation takes 10 hours. The encryption takes 4.6 seconds on average and then the decryption is 10.6 minutes on average.
And so that will conclude this brief introduction of our implementation, and I'm going to switch to the last part of the talk, which is about this Uber isogeny assumption.

So the base of the Uber isogeny assumption are quadratic orders and their links with supersingular elliptic curves. In particular, we can define the two following sets. So first we have F_O, which is the set of embeddings from O to the endomorphism ring of supersingular elliptic curves. And then we have E_O, which is the set of curves admitting such an embedding. And there is a very nice mathematical property that says that we have actually a group action from the class group of O, which is an abelian group. So we have an abelian group action. So of the class group, on this set of embeddings, okay? And I write this operation star, and under this notation, I'm actually hiding some isogeny computation, which is why this framework is actually part of isogeny-based cryptography. And so the idea to use that with supersingular elliptic curves was first introduced by Castryck et al. in 2018 with the CSIDH scheme. And so they instantiate this group action in the specific case where O is Z[sqrt(-p)], because in that case, the embedding is actually very easy to compute and it is induced by the Frobenius morphism. And so yeah, the goal of CSIDH was to define a key exchange from this group action idea.

So now that I've introduced to you this notation, I can state the Uber isogeny problem, which is always parameterized by some quadratic order O. And so the idea of this problem is that given E_0 and iota_0, so a correct embedding, and a curve E in the set E_O, but here given without the embedding, this is important, the goal is to find an ideal a that is sending (E_0, iota_0) to (E, iota), where iota is a correct embedding from O to the endomorphism ring of E. And the best generic algorithm to solve this problem is linear in the size of E_O.
And in general, we don't know much about this set, but it is conjectured to have exponential size in most cases. And the only generic property that we have on it is that it is smaller than the set F_O, which is roughly equal to the class number, which is roughly equal to the square root of the discriminant. But yeah, in most cases it is conjectured to be exponentially hard. And this is why the hardness of the O-UIP is what we call the Uber isogeny assumption.

So now let me illustrate to you the interest of this new problem by showing the links between this problem and various protocols and security problems in isogeny-based protocols. So of course, the first obvious starting point is CSIDH. Given the formulation of CSIDH and the formulation of O-UIP, it is no surprise that the Z[sqrt(-p)]-UIP is actually equivalent to the CSIDH key recovery problem.

A lot less obvious link is between the Uber isogeny problem and the SIDH scheme, okay? We actually realize, and in fact, this property is also what underlies the torsion point attacks that Péter presented to you earlier, that if E_0 is embedded with a quadratic order O_0, then the existence of phi_A between E_0 and E_A implies that the endomorphism ring of E_A is embedded with Z + N_A O_0. So this is a new quadratic order. And with that, we can actually prove that if we can break the (Z + N_A O_0)-UIP, then we can break the SIDH key recovery problem.

We actually have the same thing about SÉTA, okay? So once again, we take this n, solution of the quadratic equation, and then by design, we know that the public key curve E_0 is contained inside E_{Z[sqrt(-n)]}. And so if we can break the UIP problem for this quadratic order, then we can recover SÉTA keys.
And finally, and most importantly, maybe, if we select a quadratic order O such that every curve, every supersingular curve, is contained inside this set E_O, then you can actually show that breaking the O-UIP allows you to break the generic CSSI problem. And so this is very strong because it means really that the Uber isogeny assumption is related to one of the most generic isogeny-based problems. And so yeah, I'll conclude my talk on this Uber isogeny assumption now.

And just let me conclude briefly by saying that we have introduced a new post-quantum encryption scheme whose mechanism is inspired by torsion point attacks on SIDH. We have made an implementation of this and we saw that the efficiency is two orders of magnitude below SIDH. But we have new security problems which may introduce nice security versus efficiency trade-offs. We have also introduced a new generic isogeny assumption for isogeny-based cryptography.

And here are a few open questions and directions for future work. So we need to explore the other trade-offs or parameters and maybe try to see if we can make the key generation efficient while getting the fastest possible encryption and decryption. It would be very nice to have a comparison with SIDH in this setting. We also need to understand better the O-UIP and, as I mentioned, in particular, we need to study the set E_O and its cardinality to get a good estimation on the complexity. And finally, we need to study more the SÉTA security, which is based on several new problems which are different from the O-UIP that I mentioned. And so I thank you for watching this video, and please have a look at the full ePrint version for more details.
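
The small example from the talk (the degree-two isogeny over F_11 from y^2 = x^3 + x to y^2 = x^3 - 4x, with kernel generated by one point) can be checked by brute force. The script below is an added illustration, not part of the talk or of the authors' implementation; it assumes the standard 2-isogeny formula with kernel (0, 0) on curves y^2 = x^3 + bx, and all function names are illustrative.

```python
# Added illustration: brute-force check of the talk's F_11 isogeny example.
P = 11  # field characteristic used in the talk's example

def inv(a):
    """Inverse modulo the prime P (Fermat's little theorem)."""
    return pow(a, P - 2, P)

def points(b):
    """All points of y^2 = x^3 + b*x over F_P; None is the point at infinity."""
    pts = [None]
    for x in range(P):
        for y in range(P):
            if (y * y - (x**3 + b * x)) % P == 0:
                pts.append((x, y))
    return pts

def add(b, p1, p2):
    """Group law on y^2 = x^3 + b*x."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p2 = -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + b) * inv(2 * y1) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def two_isogeny(b, pt):
    """2-isogeny with kernel {infinity, (0,0)}:
    (x, y) -> (y^2/x^2, y*(b - x^2)/x^2), codomain y^2 = x^3 - 4*b*x."""
    if pt is None or pt[0] == 0:
        return None
    x, y = pt
    ix2 = inv(x * x)
    return (y * y * ix2 % P, y * (b - x * x) * ix2 % P)

def dual(pt):
    """Dual of phi: the 2-isogeny from F (b = -4) lands on y^2 = x^3 + 16x,
    and (x, y) -> (x/4, y/8) maps that curve back to E: y^2 = x^3 + x."""
    q = two_isogeny(-4, pt)
    if q is None:
        return None
    return (q[0] * inv(4) % P, q[1] * inv(8) % P)

def check():
    E, F = points(1), points(-4)
    phi = {pt: two_isogeny(1, pt) for pt in E}
    kernel = [pt for pt in E if phi[pt] is None]
    on_F = all(img in F for img in phi.values())            # phi lands on F
    hom = all(phi[add(1, a, c)] == add(-4, phi[a], phi[c])  # group morphism
              for a in E for c in E)
    times2 = all(dual(phi[pt]) == add(1, pt, pt) for pt in E)  # dual o phi = [2]
    return len(E), kernel, on_F, hom, times2

if __name__ == "__main__":
    print(check())
```

The returned tuple confirms the properties stated in the talk: the kernel has cardinality two, the map is a group morphism onto points of F, and composing with the dual gives multiplication by the degree.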