Hi, I am Doreen Riepel and I will give you a brief overview of our new paper, Password-Authenticated Key Exchange from Group Actions. This is joint work with Michel Abdalla, Thorsten Eisenhofer, Eike Kiltz and Sabrina Kunzweiler. At the same time, you can follow our chat and read a bit more about the story behind the paper. So let's start.

We use group actions as a building block, and more concretely the framework of cryptographic group actions, which is an abstraction that is very close to the classical Diffie-Hellman setting. Various constructions were already proposed, for example public key encryption, signatures and oblivious transfer. The most interesting instantiation of group actions is given by the Commutative Supersingular Isogeny Diffie-Hellman protocol, or CSIDH for short, which is believed to be post-quantum secure.

So the final goal is to construct a password-authenticated key exchange protocol, or PAKE for short. Such a protocol allows two parties to agree on a session key based only on the knowledge of a short low-entropy string, for example a password. So here we have Alice and Bob, who both know the password, and after they have exchanged some messages, they will be able to compute a shared session key. When we talk about the security of PAKE, we consider an adversary, Mallory, who might try to impersonate Bob towards Alice. Of course Mallory can always guess a password, then interact with Alice and see if the guess was correct. This is what we call an online dictionary attack, and this should be the best attack against each PAKE protocol.

Since passwords are basically used everywhere, PAKE is a nice tool for practical applications. After an official selection process by the CFRG, two protocols will now also be standardized. One of the winners, CPace, builds upon the Simple Password Exponential Key Exchange, SPEKE for short, which is also our starting point.
In SPEKE, the two parties perform a Diffie-Hellman key exchange, where the password is used to hash to a generator of the group. Unfortunately this approach does not work in the CSIDH setting, since we don't know how to hash into supersingular isogeny graphs. So our next idea was to use a bit-by-bit approach using a CRS of two elements. Each bit of the password would then determine which CRS element will be used for a group-action Diffie-Hellman key exchange. However, it turns out that this is also insufficient, and this is due to the fact that the elliptic curves used in CSIDH provide additional structure, namely the twists. Using twists, one can break the assumption underlying our protocol, and it also directly translates to an offline dictionary attack.

In our paper, we finally present two different protocols which both solve this issue. The first uses a commitment so that the party sending the first message needs to choose the message in advance and commit to it, so that the other party cannot use this information to perform the attack we identified before. In the second protocol, both parties compute different combinations or cross terms of the Diffie-Hellman values, which ensures that they really need to know the secret. We prove security of the first protocol based on the Gap-CDH assumption for group actions, and the second uses a new assumption which we call strong square-inverse Diffie-Hellman. One advantage of this is that the protocol can still be executed in one round. We also show how to optimize the protocols so that they are significantly more efficient than the only known previous constructions for CSIDH, which use oblivious transfer.

If you want to know more details about our new protocols, I'll give a longer talk at Crypto on Tuesday, or just have a look at the ePrint version of our paper. Finally, I also want to thank Luca De Feo for the panel with the twists.