Good. So contrary to what you might expect from the title, this will not be a funny talk. You might say, Chris, why would I expect that? The title is also not funny. So I would not argue with you. So we're all here on the seaside, but this talk is on a different seaside. And since it's not funny, we'll start with the conclusions.

So the main punchline is that CSIDH-512 gives you relatively little quantum security beyond what is coming from the cost of quantumly evaluating it on a uniform superposition. So in particular, for example, key recovery costs about 2 to the 16 such evaluations if you have about a terabit of quantumly accessible classical memory. So that's ordinary memory that's in your laptop, but you can query in the superposition. And I'll say a little bit more about that later. And so when you run the numbers on this, assuming that the evaluation costs not much more than for the best case, the best case distribution, which is a plausible assumption, we think, breaking CSIDH-512 costs a fair bit less than 2 to the 64 T gates, and therefore falls well short of the claimed NIST Category 1 quantum security level.

Okay. So let's unpack this a little bit. If I get the clicker going. Good. Okay. So CSIDH was proposed at Asiacrypt last year. It's an isogeny-based so-called post-quantum commutative group action that follows in the framework of Couveignes from '97. The central object is this group action involving an abelian group G and a set Z, and the action takes an element from each of those and returns an element of Z. Note that this has nothing to do with other isogeny-based cryptography like SIDH, which use non-abelian groups and don't involve group action. So all we have to, the only thing we have to say today is about CSIDH. This killer app for this group action is a Diffie-Hellman-style key exchange.
So you have a public parameter Z, and then each party chooses a secret group element, applies the group action with that element and Z, and that becomes their public key, and then they can each compute a common shared key in a very much Diffie-Hellman style. What makes CSIDH particularly attractive is its efficiency profile. So you have small keys, pretty fast key exchange for parameters that were claimed to have the NIST category one security, which is that it should be as hard as AES key search to break. Oh, and these must be old slides. That's 2 to the 170 divided by max depth logical quantum gates. There's also signature proposals which have attractive communication.

So the main way that people have considered attacking CSIDH quantumly is to do CSIDH key recovery, that is, given the public key, find the secret key or equivalent, and it was shown in 2010 that this actually reduces to a hidden shift problem on the group, and in fact that problem had been considered all the way back in 2003 by Kuperberg. There's three main ingredients to the algorithms. First, there's an oracle that outputs these random labeled quantum states by evaluating the action on those uniform superpositions. Then there's some kind of sieve algorithm which combines these labeled states in a way to generate more favorable states. And then once the states become very favorable, you apply some kind of measurement to recover information about the hidden shift.

And there's three classes of sieve algorithms. The first is Kuperberg's original, which gives you 2 to the order N oracle calls and qubits. Regev improved the amount of space down to polynomial, but increased the number of oracle calls that were required. And then interestingly, Kuperberg gave a follow-up algorithm, which gets you back to 2 to the order root n oracle calls and classical bits of RAM, which is quantumly accessible. It means you can query it in superposition, even though the RAM is holding classical bits.
Kuperberg called this the collimation sieve, or c-sieve for short, and it subsumes the prior two algorithms and offers more algorithmic tradeoffs, which we will exploit.

So that's all asymptotic stuff, but what about concrete security? So the prior estimates for CSIDH-512 come from costing the oracle, which was done in Eurocrypt this year. And they gave a cost for evaluating on a somewhat non-uniform superposition, but there's been recent work to expect a similar cost for uniform superposition. We're not concerned with the cost of the oracle too much. We won't address that in this work, but we're looking at the sieve cost. So the original CSIDH paper used Regev's low space algorithm to estimate about 2 to the 62 oracle calls. And that's where that's what allowed them to set the parameters as they did, thinking for aiming for NIST level one. This work from the last year went back to Kuperberg's original algorithm and dramatically reduced the number of oracle calls to about 2 to the 32, but then quite a few qubits are required for that.

So what about the third algorithm, Kuperberg's one that improves the previous two? Well, it turns out there was no prior work looking at that. So that's where we come in, and we look at this. So we're going to improve practically Kuperberg's quantum algorithm, c-sieve algorithm, and analyze it in the context of CSIDH parameters. This is a summary of the various improvements. I just want to emphasize the final item, which is that we give code and actually run simulations of this quantum algorithm. It's actually pseudo-classical. You can simulate almost all of it and then just fake one little part of it and actually run the thing on a regular computer. And we run it on group orders all the way up to the real CSIDH group order. And here are the final results. The number of oracle calls can be brought down to something like two to the 14 with completely reasonable amounts of classical memory.
Moreover, the memory can be accessed quantumly with existing methods using quantum computation that's much lower than the rest of the attack. So this is kind of the takeaway point. I will jump back to the final conclusions. The paper is available on ePrint, and you can download the code and run it very easily at this location.