Hi, everyone. Thank you for attending my talk. I'm going to be presenting Sidon spaces, a new algebraic concept, and their application to construct public-key cryptosystems. Before we begin, I must apologize that I am not from this community. So please accept my apology if I explain too much detail, things that you find trivial, or skip things that you do not find trivial. And in any case, I'll be happy to take any questions off my head.

A moment of legacy. Simon Sidon was a Hungarian mathematician that died in the time of death in 1941. He was an academic brother of Paul Erdős. And other than this very short Wikipedia entry, his legacy includes Sidon sets. These are sets of positive integers, such that for any two pairs in the set, if their sums coincide, then they must be the same pair. In words, if one is given a sum, one can identify the elements which constitute the sum. The question in this area of study is how large T can be, the size of the set, of course, with respect to the range m. Clearly, all sums fit within the range of 2m, and therefore 2m has to be as large as the number of different sums. And respective constructions do exist way back from Paul Erdős's time. In this talk, we're going to discuss crypto applications of Sidon spaces that can be seen as a multiplicative and linear algebraic variant of Sidon sets.

A few words about how the research of Sidon spaces came about. In the early 2000s, the hot topic in the coding theory community was network coding. This topic discusses information transmission in networks from multiple sources to multiple sinks. And the surprising result there is that linearly combining packets in intermediate nodes can achieve the capacity of the network. This results in interest in so-called subspace codes. A subspace code is a set of subspaces of the extension field F_q to the n, over the base field F_q, such that any two have low dimensional intersection. They are used for error correction in network coding.
This observation ignited an influx of research about subspace codes, which included cyclic subspace codes. These are subspace codes with an additional field structure, meaning that their construction exploits the structure of the extension field, and not just its structure as a vector space. And that's where me and my collaborators show up. They can be constructed from so-called Sidon spaces, which we haven't seen the definition of yet. This brings us to this paper, where we show that the same Sidon spaces that were used in this research are also applicable to construct public-key cryptosystems.

Without further ado, the Sidon space is a subspace of the extension field over the base field, such that take any two pairs of elements and multiply them, if you get the same result of the multiplication, then these pairs must be identical up to a constant multiple from the base field. In other words, given the product, one can determine the elements uniquely up to a multiplication by a scalar. Where is the scalar coming from? Since you can always squeeze any scalar lambda non-zero from the base field here and still get the same product. Similar question, what is the largest k, which is the dimension of the Sidon space, with respect to n of a subspace that has this property? Similar counting arguments show that n has to be at least 2k, give or take. And respective construction was given by me and my collaborators a few years ago with n equals 2k. I will only remark that a Sidon space is not something unique. There are plenty of those, and a rough balance here to the domain here.

Why should they be applicable to cryptography? Intuitively, for A and B in a Sidon space V, to factor the product to the constituent elements, one must know V. A different mean, V would result in a different factorization. So the idea here is Alice choosing a secret Sidon space publishes something that enables the sender to compute products but still keeps V private.
The sender will then encrypt its message, A and B, to the ciphertext, A B, without knowing V. Alice would then be able to factor A B to A and B, since she knows V. But Eve will not be able to do that. In what follows, we show that this can be done not only with Bob not knowing V, but even without knowing that there is any extension field in this key.

The question is, which V should Alice use? Which Sidon space? And the answer is literally any, as long as she knows some efficient factorization algorithm. We naturally use the construction that we had in the paper way back when, which is rather simple, omitting some technicalities. The construction is as follows. Take any gamma, which does not lie in the intermediate field F_q to the k, where n equals 2k. And take the simple construction of all elements of the form u plus u to the q gamma, where u is in the intermediate field. In a nutshell, this works since one and gamma are linearly independent over the intermediate field. And therefore, the product of two elements from this V, which have this form for some u and v in the intermediate field, can be described as a linear combination of one and gamma. The coefficients in this linear combination are from the intermediate field, and can be rather easily extracted. This gives us an efficient factorization algorithm for products in Sidon spaces V that were constructed according to our construction.

The challenge here, I repeat, is to enable Alice to publish something which enables a sender to compute products in V, but does not expose V. The idea that we use is as follows. Fix some basis v_1 through v_k for your Sidon space V and observe that for every two elements A, B in it, they can of course be represented as a linear combination of those v_1 through v_k over the base field. However, when we compute the product between these linear combinations, move it to vector form, then move it to a matrix form, we see that the so-called multiplication table here arises.
This probably doesn't come as a great surprise to many of you that already know that multiplication in finite field is technically the bilinear form. Therefore, our idea here is to publish the multiplication table V of a secret Sidon space without revealing its identity.

This happens as follows. The parameters of the system are q, the base field size, k, the dimension of the Sidon space, and n here would be just 2k. Alice begins by choosing construction for the extension field and a basis. The construction of some Sidon space again will be random and a respective basis. Then Alice will construct the so-called multiplication table of V, which is this basis transpose times itself. This is a k by k matrix over the extension field F_q to the n. And as such, it can be represented as a linear combination of some matrices times the basis elements beta one through beta. These matrices over here are k by k matrices over F_q. These matrices will be precisely the public key which Alice published. When Bob wants to send something to Alice, it will map its message into two vectors of length k over F_q. And send the bilinear product of these elements by the matrix M.

Moving on, when Alice receives this ciphertext, she uses the secret basis of the extension field to compute the following linear combination. It equals this expression where you can see that the expression here inside the parenthesis is simply the multiplication table of the secret Sidon space V. As such, this linear combination is simply a product between two elements in the secret Sidon space V. Therefore, these two elements can be extracted from which Alice can extract the precise vectors A1 to BK and B1 to BK, which is Bob's message.

Let's think about the hardness of this. If one thing that she sees is the public key, i.e., the matrices M_1 to M_n, which compose the multiplication table of the Sidon space.
Yet she does not know the basis of the Sidon space nor the basis of the extension field which are used in this expression. She also sees the ciphertext, meaning the bilinear product of the message by the matrices in line. Therefore, she needs to solve this bilinear set of equations, which has n variables and n equations. This is the reason that we categorize this cryptosystem as a multivariate.

Multivariate cryptosystems are normally broken by MinRank attack in either one of two formulations, the kernel formulation and the minor formulation, which we'll discuss briefly. In this paper, we prove that both formulations succeed only with very small probabilities, specifically exponentially small in the size of the plaintext. We support these experiments, we support these findings with experiments and discuss several specialized things. I would like to disclaim, we're not claiming any breakthrough in post-quantum cryptography here. We have hardness proofs for attacks of this form, which are quite common, but we do not have a hardness proof of the Sidon cryptosystems in general.

So Eve sees these matrices that were constructed as such, where this is the multiplication table of the Sidon space. Observe that this multiplication table is simply a rank one matrix over the extension. Therefore, to extract the private key from the public key, Eve needs to find a rank one linear combination of the M_i's where the coefficients come from the extension. This will allow her to find the basis of the Sidon space and therefore to break the system. Stated formally, given the public key, one needs to find the beta i's in the extension field, such that the respective rank of this target matrix is one. This is a MinRank problem with a few notable differences. Those M_i's are over the base field where the coefficients are over the extension. Normally, in MinRank, these are the same field.
The solution beta i should be a basis to an extension field and the resulting v_i should span some Sidon space. It is unclear to us what can be done if this system is solved and the solution does not satisfy these requirements. Nevertheless, we focus on finding any solution not necessarily which satisfies these extra conditions.

In its first formulation, the idea is that any vector in the target matrix gives rise to this system of linear equations, linear in the lambda i's. Since there are k, which is n over two linear equations here and n lambda i's, if we manage to find, meaning to guess, two or more such u's, we get the system with the potential to pin down the exact solution lambda i. However, this is not feasible. The kernel here, I remind you, is over the extension field. Therefore, if you choose u at random, the probability that this u is in the kernel is exponentially small in the size of the extension field. Therefore, it is unlikely that this guess will work even if you only want to find one and nevertheless, if you need to find two. You might see this cheat and guess a vector in the base field rather than the extension field, which is doomed to fail and this thing over here is a one line proof.

In the minor formulation of the MinRank attack, we observe that if the rank of the target matrix is indeed one, it implies that all two by two minors, meaning all determinants of two by two matrices, should be zero. This provides, setting all the two by two minors to zero provides a quadratic system in the lambda i's. This system is usually solved via linearization, meaning every pair of lambda i lambda j is replaced by a single variable z i j. And then we build the resulting coefficient matrix, call it omega, which is now over F_q. This coefficient matrix corresponds to a linear system about n square variables and n to the fourth equations. We know that the dimension of this kernel is at least one.
This is simply since the system is solved, the secret basis solution to the system does give you a solution to the linear system. If the dimension of the kernel here is at most one, we can find it. We'll find a solution, arrange it in a matrix, it will be an n by n matrix. This would be provably a rank one matrix. We're going to find this rank one decomposition and output its elements, the elements of the respective vector as our solution. However, if the dimension of the kernel here happens to be more than one, we're essentially stuck because we are left with another MinRank problem. Once we've found the kernel of omega, inside that kernel, we need to find the respective z, which is a rank one. This is technically the same problem as we began.

In most random instances, linearization works in the minor formulation and the dimension of the kernel would indeed be one. In all instances resulting from Sidon cryptosystem, we have the dimension of the kernel omega equals two n. To put it more formally, we have verified experimentally for any value of q and every value of k, that the dimension of the kernel is two n. We have been able to partially explain that mathematically and we show that for every q and k, the dimension of the resulting kernel of omega is at least n. Meaning there is no straightforward way to solve the minor formulation of MinRank problem via linearization.

A few words about the proof outline. What we prove is that in the minor formulation of MinRank, there are at least n linearly independent vectors in the kernel of omega. What we do in the proof is that we take the multiplication table of the entire secret field F_q to the n, which gives rise to these matrices behind. In some sources in the literature, this is called the multiplication tensor of the F_q. And up to some change of basis, we show that some vectorization of the i is in the kernel of omega.
An interesting fact we observed is that when we are doing sort of the secondary attack, meaning we try to find a rank one matrix in the kernel of omega, perhaps this is solvable by linearization. We find once again that the same vectors are also in the kernel. This also happens in your third time that you do this, in the fourth time and so on. I find this to be a very interesting phenomenon. We were able to explain that mathematically, but we're not sure exactly what's the bigger picture.

Different attacks we implemented. We tried to apply Gröbner basis algorithm on a generic MinRank. And as expected, it was exponential. We also applied several Gröbner basis algorithms to find an equivalent Sidon space, which performed the worst out of all attacks. Our code is available in GitHub if any of you is interested.

For future work, all right, two venues, one of them is to attack the system, probably by exploiting the structure of Sidon space. We really don't know how. Another thing which we weren't very able to do is to analyze the bit security of the system. Another venue which we have a few suggestions is to strengthen the system. First of all, to understand where these extra n dimensions in the kernel are coming from. Second is to use a generalization of Sidon space. That's called r-Sidon space. In an r-Sidon space, you have unique r-products instead of unique pairwise products. In other words, a Sidon space is a 2-Sidon space. Some constructions are known in the same paper that we have a few years ago. Another thing that will strengthen the system is instead of using one-dimensional multiplication table, we can use a two or three or whatever dimension multiplication table. Meaning instead of publishing V V transposed, we publish U U transposed plus V V transposed, meaning the additions of two different multiplication tables. This would result in an attack which is trilinear instead of bilinear and therefore the resulting system will be more difficult.
Thank you for your attention and I'll be happy to take any questions.