I'll put it in full screen. Half-eleventh, right, excellent. And, all right, hello, thank you for the introduction. And so today I'd like to talk to you about the security of supersingular isogeny cryptosystems. As mentioned, I'm Yan Bo Ti, and let's get right into it. So this is joint work with Steven Galbraith and Christophe Petit, who are both in the audience. So if you're watching on YouTube, you can send us an email; if you're here, you can ask us questions after the talk. Today I want to talk to you mainly about this adaptive attack. So we have three results in the paper, and the one that we'll be focusing on most is this adaptive attack. So for more information about the rest, you can look up the paper. So to talk about the adaptive attack, I'm going to need to cover a couple of preliminaries. So we saw in the earlier talk that we have Diffie-Hellman, and I'm going to cover that again. And because I'm talking about supersingular isogeny stuff, I need to cover isogenies and supersingular curves. And then finally I'll present this key exchange scheme, which is pretty interesting. We'll see. OK, so we have the Diffie-Hellman cryptosystem, or rather the key exchange scheme. So you have a subgroup G, or maybe a larger group, and we're looking at this small little generator. Well, this generator, small g, would generate big G over here. So what Alice does to try to get a shared secret with Bob is that she picks a secret a. And from what you saw just now, you just raise small g to a, and that's your public key. But you can think of it slightly differently. You can think of picking a as picking a secret homomorphism. So this homomorphism would take any input and return the a-th power. So you can think of it as a homomorphism. So to get the public key, Alice would take the public parameter small g, put it through her secret homomorphism. I'll give it a hit myself. Secret homomorphism, and she would output g^a.
So Bob would do something similar on the other side of the protocol, and he would send g^b to Alice. So upon receipt of g^b, Alice needs to derive the shared secret over here. So she would take g^b, put it through the secret homomorphism, and then she'll get the shared secret. So this is exactly what you see here. So traditionally, you just raise to the power a, but if you switch views a little bit and see it as homomorphisms, this is exactly what you do. They are equivalent, and so you can get the shared secret. I'm sure you've noticed by now that the ones in red are secret and the ones in black are public. So are there attacks against this? Yes, of course; she mentioned this as well. We have the small subgroup attacks by Lim and Lee. So this one kind of sets the stage for our adaptive key attack that I'm going to present later on. So we assume that Alice is using a long-term secret. We have this adversary that will play the role of Bob. So she would send public keys which are not honest in some sense. So she would send h instead of g^b, and then through the interactions that you saw just now, she will be able to recover some information. So in this case, it's going to be a mod r. And with enough interactions, she would be able to recover all of a. So this is the setting we're in. So when you listen to the adaptive attack, you can have this in the back of your mind as well. So isogenies, this is a big slide. But we need to talk about this. So first of all, you pick a finite field. You might have an extension. You look at two elliptic curves over the field. Then we say that an isogeny between E1 and E2 is a non-constant morphism which preserves the, I do not remember doing that, but which preserves the identity point. So in that case, we say that E1 and E2 are isogenous. So fun fact: isogenies are group homomorphisms. So this is great. So on top of maps of curves, we have maps on groups. This is very good.
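The Diffie-Hellman-as-homomorphism view and the Lim-Lee small subgroup attack described above, worked through in code. This is an added example written for this transcript, not code from the talk or the paper: the group (a constructed prime p = 30030*q + 1 with q prime), the static secret 777, the "does the session work" oracle that hands the adversary one bit per interaction, and the subgroup-membership validation that stops the attack are all constructed for illustration; the helper names are hypothetical.

```python
"""Toy Lim-Lee small-subgroup attack on Diffie-Hellman with a static key,
and the public-key validation that blocks it. Every parameter here is
constructed for illustration; none of it comes from the talk's slides."""
from math import prod

SMALL = [2, 3, 5, 7, 11, 13]   # orders of the small subgroups the adversary abuses
R = prod(SMALL)                # 30030 = product of the small subgroup orders


def is_prime(n):
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def make_parameters(start=1000):
    """Find p = R*q + 1 with q and p prime: Z_p^* then has a large prime-order
    subgroup (order q) next to small subgroups of order 2, 3, ..., 13."""
    q = start
    while not (is_prime(q) and is_prime(R * q + 1)):
        q += 1
    return R * q + 1, q


def find_generator(p, q):
    """An element of order exactly q: x^R for the first x with x^R != 1."""
    for x in range(2, p):
        g = pow(x, R, p)
        if g != 1:
            return g


def element_of_order(p, r):
    """The adversary's dishonest key h of small order r: x^((p-1)/r) != 1."""
    for x in range(2, p):
        h = pow(x, (p - 1) // r, p)
        if h != 1:
            return h


def valid_public_key(p, q, h):
    """Countermeasure: accept only elements of the prime-order subgroup <g>."""
    return 1 < h < p and pow(h, q, p) == 1


class Alice:
    """Long-term secret a; phi(x) = x^a is her secret homomorphism."""

    def __init__(self, p, q, g, secret, validate):
        self.p, self.q, self.g, self.a, self.validate = p, q, g, secret, validate
        self.queries = 0   # number of hostile interactions observed

    def phi(self, x):
        return pow(x, self.a, self.p)

    def public_key(self):
        return self.phi(self.g)

    def session_ok(self, peer_pk, key_guess):
        """The oracle from the talk: one bit, whether a session keyed on
        key_guess goes through, i.e. whether Alice derived that shared secret."""
        self.queries += 1
        if self.validate and not valid_public_key(self.p, self.q, peer_pk):
            return False
        return self.phi(peer_pk) == key_guess


def honest_exchange(alice, b):
    """Honest Bob with secret b: (Alice's view, Bob's view) of the shared secret."""
    gb = pow(alice.g, b, alice.p)
    return alice.phi(gb), pow(alice.public_key(), b, alice.p)


def crt(residues, moduli):
    x, m = 0, 1
    for r_i, m_i in zip(residues, moduli):
        x += m * (((r_i - x) * pow(m, -1, m_i)) % m_i)
        m *= m_i
    return x


def small_subgroup_attack(p, alice):
    """Recover a mod R one small subgroup at a time; None if Alice validates."""
    residues = []
    for r in SMALL:
        h = element_of_order(p, r)
        # h^a depends only on a mod r, so at most r oracle queries fix that residue
        for i in range(r):
            if alice.session_ok(h, pow(h, i, p)):
                residues.append(i)
                break
        else:
            return None   # validation rejected h: no residue learned
    return crt(residues, SMALL)


if __name__ == "__main__":
    p, q = make_parameters()
    g = find_generator(p, q)
    for validate in (False, True):
        alice = Alice(p, q, g, secret=777, validate=validate)
        print("validation", validate, "->", small_subgroup_attack(p, alice))
```

Without validation the six residues combine by CRT to a mod 30030, which is all of the secret 777 here and would be partial leakage for a larger secret; with the order check on every received key, the oracle never returns true and the adversary learns nothing. In the isogeny setting of the talk the analogous "validate the received points" check is exactly what the adaptive attack gets around, which is why the Fujisaki-Okamoto style countermeasure mentioned later is needed there.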
And if phi, so this isogeny, is separable, then the size of the kernel is going to be determined by the degree of the morphism. So separable is just some condition on the isogeny that I do not want to mention. But for the rest of the talk, isogenies will be separable. So this is going to be the case that we'll be seeing. And this is rather important. I'm going to spend a bit of time on this. So you have an elliptic curve. You pick a finite subgroup. This finite subgroup would determine an isogeny and also the target elliptic curve. Sorry. So I'll say this again. You have a finite subgroup. Using this finite subgroup, you can determine the isogeny and the target elliptic curve. And you can compute this using an algorithm by Vélu. This is polynomial in the degree of phi. Everyone got that? If not, just rewind on YouTube and you can see this again. OK, so very quickly on supersingular elliptic curves. An elliptic curve is supersingular, not when it's singular, but when some condition holds. So just two fun facts for you now. Supersingular elliptic curves can be defined over F_{p^2}. So this means you only need about 4 log p bits to define the supersingular elliptic curve. And also, there are many supersingular elliptic curves for cryptographic purposes. So this is all I'm going to say for now. So now we're in the position to discuss the Jao-De Feo key exchange system. So similar to what we have, we have three steps. We have the setup, we have the key exchange, and then finally we can derive the same shared secret. So the setup is a little bit more involved in that you have to choose p of a particular form. So this form is very, very special. You can see it's 2^n times 3^m times some cofactor f, then minus one. Because we're not doing, because this is not based on ECDH, not based on any Diffie-Hellman stuff, it is okay for this to be smooth. We'll see later. So the sizes of 2^n and 3^m are about the same.
And then you choose a supersingular elliptic curve over this F_{p^2}. And we saw from the fun fact just now, fun fact one, I believe, that you can do that. And because of our choice, because of the choice of the prime, we have that the 2^n-torsion subgroup and the 3^m-torsion subgroup basically lie in F_{p^2}. So 2^n-torsion means if you raise to the power 2^n, it goes to the identity. And likewise for 3^m. So in this case, now that we've set all this up, the intuition is that Alice will work in this torsion subgroup and Bob will work in this torsion subgroup. And another fun fact that I'm just gonna say is that the torsion subgroups are basically a product of two cyclic groups. And so therefore we can have linearly independent points, P_A and Q_A that Alice will work over, P_B and Q_B for Bob, and they will be linearly independent. Okay, so we've seen this picture before, but now it's slightly different with elliptic curves instead of with the generators of the group. So this is in terms of Alice again. So Alice will pick some secret, a1, a2. Okay, so using this secret, she can compute a subgroup which is gonna be generated by this point. So now you have a subgroup, what do you do? I'm talking about isogenies. So therefore we define an isogeny using the algorithm by Vélu. Okay, so with the subgroup, we can use the algorithm of Vélu to find the isogeny and also the target curve. So is that it? Well, there's a little bit more. Actually you need to compute, so Alice will need to compute the image of Bob's points under her secret isogeny. And this will constitute the public key. So Bob will do something likewise and then Alice will receive it. So she would receive this and she does another computation. So now the computation that she does is what you see over here. So she's gonna take the points that Bob sends to her. She's gonna use her secret on those points.
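The setup facts above (a prime of the form 2^n 3^m f - 1, a supersingular curve, and 2^n- and 3^m-torsion living in F_{p^2}) checked on a toy instance. This is an added example, not code from the talk or the paper: the instance p = 2^4 * 3^3 * 1 - 1 = 431 with E: y^2 = x^3 + x is constructed for illustration, F_{p^2} is represented as F_p(i) with i^2 = -1 (valid because 431 is 3 mod 4), and only points whose x-coordinate lies in F_p are examined; all function names are hypothetical.

```python
"""Toy check of the supersingular-isogeny setup on p = 2^4 * 3^3 - 1 = 431 and
E: y^2 = x^3 + x. Constructed for this example; not the talk's parameters."""
n, m, f = 4, 3, 1
p = 2**n * 3**m * f - 1          # 431: prime, and 3 mod 4, so F_{p^2} = F_p(i), i^2 = -1
assert p % 4 == 3

# F_{p^2} elements are pairs (a, b) meaning a + b*i
def f2_add(u, v): return ((u[0] + v[0]) % p, (u[1] + v[1]) % p)
def f2_sub(u, v): return ((u[0] - v[0]) % p, (u[1] - v[1]) % p)
def f2_mul(u, v):
    a, b = u; c, d = v
    return ((a * c - b * d) % p, (a * d + b * c) % p)
def f2_inv(u):
    a, b = u
    t = pow(a * a + b * b, -1, p)      # the norm a^2 + b^2 is nonzero for u != 0
    return (a * t % p, (-b * t) % p)

A = (1, 0)   # E: y^2 = x^3 + A*x; points are (x, y) pairs of F_{p^2} elements, None = identity

def on_curve(Pt):
    x, y = Pt
    return f2_mul(y, y) == f2_add(f2_mul(f2_mul(x, x), x), f2_mul(A, x))

def ec_add(Pt, Qt):
    """Short-Weierstrass chord-and-tangent addition over F_{p^2}."""
    if Pt is None: return Qt
    if Qt is None: return Pt
    x1, y1 = Pt; x2, y2 = Qt
    if x1 == x2:
        if y1 != y2 or y1 == (0, 0):   # P + (-P), or doubling a 2-torsion point
            return None
        num = f2_add(f2_mul((3, 0), f2_mul(x1, x1)), A)
        den = f2_mul((2, 0), y1)
    else:
        num, den = f2_sub(y2, y1), f2_sub(x2, x1)
    lam = f2_mul(num, f2_inv(den))
    x3 = f2_sub(f2_sub(f2_mul(lam, lam), x1), x2)
    return (x3, f2_sub(f2_mul(lam, f2_sub(x1, x3)), y1))

def ec_mul(k, Pt):
    """Double-and-add scalar multiplication [k]P."""
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, Pt)
        Pt = ec_add(Pt, Pt); k >>= 1
    return acc

def legendre(s): return pow(s, (p - 1) // 2, p)   # 1 = square, p-1 = non-square, 0 = zero
def sqrt_fp(s): return pow(s, (p + 1) // 4, p)    # square root of a square, valid as p = 3 mod 4

def count_points_fp():
    """#E(F_p) by brute force over x; for p > 3 the curve is supersingular iff this is p + 1."""
    total = 1   # the point at infinity
    for x in range(p):
        s = (x**3 + x) % p
        total += 1 if s == 0 else (2 if legendre(s) == 1 else 0)
    return total

def is_supersingular(): return count_points_fp() == p + 1

def lift(x):
    """A point of E(F_{p^2}) with x-coordinate x in F_p: y in F_p when x^3 + x is a
    square, otherwise y = c*i with c^2 = -(x^3 + x) (since -1 is a non-square)."""
    s = (x**3 + x) % p
    if s == 0: return ((x, 0), (0, 0))
    if legendre(s) == 1: return ((x, 0), (sqrt_fp(s), 0))
    return ((x, 0), (0, sqrt_fp((-s) % p)))

def all_killed_by_p_plus_1():
    """The torsion fact from the talk: every lifted point has order dividing p + 1 = 2^n 3^m."""
    return all(on_curve(lift(x)) and ec_mul(p + 1, lift(x)) is None for x in range(p))

def point_of_order(l, e):
    """Clear the cofactor (p+1)/l^e from lifted points until one of order exactly l^e appears."""
    cof = (p + 1) // l**e
    for x in range(p):
        Q = ec_mul(cof, lift(x))
        if Q is not None and ec_mul(l**(e - 1), Q) is not None:
            return Q

if __name__ == "__main__":
    print("p =", p, "#E(F_p) =", count_points_fp(), "supersingular:", is_supersingular())
    print("all lifted points killed by p+1:", all_killed_by_p_plus_1())
    print("order-2^n point:", point_of_order(2, n), "order-3^m point:", point_of_order(3, m))
```

The point count is the standard supersingularity test used here (trace zero, so #E(F_p) = p + 1 = 2^4 * 3^3), and clearing the cofactor 3^3 or 2^4 from a point gives the kind of 2^n- or 3^m-torsion point that Alice or Bob works with; a full basis P_A, Q_A of the torsion subgroup would need points with x-coordinates outside F_p as well, which this example does not construct.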
So really you can see that if the secret, if the public key is maybe slightly changed, you might be able to derive some information on the secret. So this is kind of like an intuition for what we'll see later. So because an isogeny is a group homomorphism, you can rearrange some stuff. And then basically this G_A prime, which is this big thing over here, is actually the image of Alice's secret subgroup under Bob's isogeny. Okay, now because I flashed it on the screen just now, Vélu's formula gives you the target elliptic curve up to isomorphism. So therefore we need to use the j-invariant as the secret key. So basically E_AB is actually this group, this curve over here, and these are called E_A and E_B, yeah? All right. So the thing is, you would think that to break this cryptosystem or key exchange, all you need to do is to compute an isogeny; that seems obvious enough, right? So this kind of motivates the DLP equivalent in our case, which is the supersingular isogeny problem. So you're given two isogenous supersingular curves and you're trying to recover an isogeny. But there's a little subtlety here because of all the extra conditions that we imposed on the cryptosystem. So this is not quite the question we need to ask, because there are actually infinitely many isogenies between two isogenous elliptic curves, all the time. So what we actually need is for this statement to hold. So let's say we have some isogeny between E and E_A, yeah? To complete the square, we are basically in Alice's shoes right now. So we need to take Bob's public key and then do some operation on it to obtain the shared secret. That's what we want to do. But the problem is that we actually need the kernel of phi, which is this arbitrary isogeny we've recovered, to be in this subgroup over here. So this is like a limiting factor. So for more information, I can't develop this now, but for more information, you should read the paper. Okay, so this motivates a slightly different problem.
It's slightly more special, so therefore we call it the special supersingular isogeny problem. So you're given a special prime; that's important. You have isogenous elliptic curves, and you also have generated subgroups. And then you need to recover the isogeny of a certain form, basically of a certain degree. And all these little transformations, can we use them to attack it? Because I have 10 more minutes, the answer is, therefore, we can. And actually we're going to attack the generators of the torsion subgroup, which are the auxiliary points you saw over here. These are the auxiliary points that we're going to attack. Okay, so this is the adaptive attack. So we recall this is the state that we are in. A dishonest user is going to play the role of Bob. So as you saw, Bob will give malicious or maybe dishonest public keys. So the oracle model is exactly as what Nadir has described just now. You try to, you send some public key, the point is basically Alice computes a shared secret, and then you try to communicate, establish some sort of communication. And if the communication goes through, maybe then you have the same shared secret. If not, then you can't communicate or something. So basically you can obtain one bit of information, is what I'm trying to say. So first of all, we recall that Alice has secret scalars a1 and a2, which we're trying to recover. So I'm going to show you how we can recover the parity of a2. So first of all, you complete an honest round of the protocol. So just note that this is R. So these are the honest points. R and S are honest points. E_B is going to be honestly generated as well. Okay, now in the next round, what you do is that you send E_B as before, but this is slightly modified. Now to recover the parity of a2, you query the oracle on this, this tuple over here. And then you can see the subgroup involved in the computation of Alice or the oracle would be this one over here. And if a2 is even, this gets killed.
And so therefore we're left with this, the original subgroup, the secret subgroup of Alice. If not, we have this. So therefore if these two are different, then we have a distinguisher for the parity. And we have a lemma in the paper that shows this is indeed different. Okay? Okay, so now we have recovered one bit of a2, and it seems like we have a lot more to recover. But we have a lemma in the paper that shows that actually you don't need to recover a1 and a2. You can recover just one side. So if you have the secret key of this form, you can assume that actually it's of one form, (1, alpha) or (alpha, 1). Okay, so for the rest of the presentation, well, for just this slide, we just assume that the secret is (1, alpha). Okay? So we will inductively recover all the bits of alpha. And so first of all you start with the first bit, which is the parity. And then you query the oracle on this tuple. You do the same sort of computation and you can get a distinguisher again. And you can inductively do this to recover all the bits. So there's a little bit of subtlety there, missed over here, which can try to circumvent certain countermeasures. So the details are in the paper. This is just the basic general idea. So the upshot of this is that static key implementations are vulnerable. So that will include maybe signatures or encryption. And we are able to recover one bit per hostile interaction, which is as good as what the oracle gives us, because each hostile interaction gives us one bit and we can recover one bit of the secret. So that's pretty neat. And this defeats the point order and Weil pairing validations proposed in some papers. But it's also worthwhile to know that there's another countermeasure, by Kirkwood as well, based on the Fujisaki-Okamoto transform, but it's a 100% overhead. So you need to compute Diffie-Hellman once and then do it again to verify, kind of. That's just a brief sketch. Okay, so this is done.
I'm done talking about the adaptive attack. We have two more results. So maybe I can talk about one. I see I have a bit more time. Okay, so this is solving the quaternion algebra version of the supersingular isogeny cryptosystem. So you have two worlds. You have one with supersingular elliptic curves and isogenies. So this forms a category. And then you have another category where you have maximal orders of quaternion algebras and the morphisms are ideals, because this is gonna be non-commutative. You have left and right ideals and all that stuff. So this paper by Kohel, Petit, Lauter and Tignol in 2014, they were able to solve the supersingular isogeny problem in the quaternion world. So can we use that to solve the problem here? That's the question. Well, first of all, there's a subtlety because the isogeny that they found was a little bit too big, seven times too big. So we need to bring it down first. So this is not enough to solve the special supersingular isogeny problem. So what we do in our paper is that we followed their techniques. We formed an arbitrary ideal of some degree, of some norm. And then we used lattice reduction methods to reduce it and try to recover an element with suitable norm. And using this element and a lemma in the paper, we are able to recover the correct isogeny. So does this kill the cryptosystem? Of course not, 'cause we're missing one step, right? We actually still need to compute the endomorphism ring. And that is not an easy question. So this result is really kind of like a reduction, where we show that the cryptosystem is at most as hard as computing the endomorphism ring. So you still need to compute the endomorphism ring. If you have any ideas, yeah, you can raise your hand. Okay, this is the last result. And then we can go for lunch. So we have, this is a rough definition. We have all the parameters of the supersingular elliptic curve, no, supersingular isogeny Diffie-Hellman.
And then you're given some partial information, which in our case right now is just one component of the j-invariant. 'Cause the j-invariant is described over F_{p^2}. So you can have one component in F_p and one component purely in F_{p^2}. So we are given one component. We showed that computing one component, oh no. Computing one component of the j-invariant is as hard as computing the entire j-invariant. So what this means is that once you get your shared secret, if it is too long, you can just take one component and use it as your secret key. And there's no loss of security. Okay, so this is my last slide. We have shown an adaptive attack. We have shown some sort of reduction. And we have shown a bit security result. So thank you very much. We have time for questions. With Q, yes you can actually. When I say computing endomorphism rings is hard, it's hard in general, but it can be easy in specific cases. But computing the quaternion algebra is not too hard. Say again, inseparable. So I think the most common inseparable isogenies are gonna be from Frobenius, right? Because I think inseparable isogenies you can, you can always make it, you can always break it down into the separable and the inseparable parts. But I'm not too sure how you can use it. Yeah, this is just a Frobenius. Can you use a Frobenius for anything? I'm not too sure. Haven't looked into that, I'm sorry. Are there any other questions? So actually I have one, maybe. So, I mean, your result on static keys is very important if you want to use the scheme for encryption. And so the proposed countermeasure, as you said, is do Fujisaki-Okamoto. So, is this post-quantum secure? Which is, what do you mean? I mean, so does the Fujisaki-Okamoto transform preserve security even in the post-quantum setting? I mean, it's not obvious actually, so. Yeah, because your quantum adversary solves a mathematical problem.
Because if you do the transform, it seems to me that you're just doing the mathematical problem twice. So, then that would be yes. But if you're... The problem is that the random oracle model is kind of complicated in the quantum setting, I think. Yeah, maybe Chris stops your answer, yes. I'm sorry. Maybe we can talk after this. Anything else? If not, let's thank again all the speakers at the session. And go for lunch.