 Hello, my name is Hiroshio Nuki. The title of my talk is Rhetical Isogenies on Mongolian Cubs. This is a joint work with Tomoki Moriya. First, I give a nova view of our work. Isogeny-based cryptography is one of the candidates for post-contempt cryptography. An advantage of Isogeny-based cryptography is the small keys and ciphertext. On the other hand, the computation of Isogeny-based cryptography is relatively slow because of Isogeny computation. So, speeding up Isogeny computation is important. Rhetical Isogenies are one of the techniques speeding up Isogeny computation. These are formulas computing repeating Isogeny of the same degree. Rhetical Isogenies were proposed by Kastrik, Deku and Berkotlen at Asia Crypt 2020. They constructed Rhetical Isogenies on a tight normal forms, which are forms of elliptic curves. In this work, we constructed Rhetical Isogenies of degrees 3 and 4 on Mongolian curves. Our formulas reduce the cost of transformations between curves in some protocols. In addition, we proved a conjecture left by OPEN by CDV 2020. I introduced some mathematics for my talk. An elliptic curve is a smooth algebraic curve of genus 1. An elliptic curve has an Averian group structure. I mean that we can define an addition on points on an elliptic curve. There are many forms of elliptic curves. In Isogeny-based cryptography, we often use Mongolian curves, which are defined by this equation. The reason why we use Mongolian curves is that these curves have efficient formulas for scalar multiplications and Isogenies. An Isogeny is a non-generational homomorphism between elliptic curves. Rhet phi B is an Isogeny from E to E prime. Then, we can define the degree of phi and denote it by dig phi. There is an Isogeny with the inverse direction called the dualisogeny. The dualisogeny of phi is denoted by a phi hat. A phi hat is a map from E prime to E, and the degree of phi hat is the same as that of phi. Here is an example of an Isogeny of degree 2. Rhet E B is an elliptic curve over a field k, and n is an integer for prime to the characteristic of k. Then, there is a one-to-one correspondence between the set of subgroups of E of order n and the set of Isogeny of degree n from E. In this correspondence, a subgroup G corresponds to an Isogeny with kernel G. We denote this Isogeny by phi G and its codomain by E over G. In this work, we only consider the case that G is cyclic, which is a case appearing in Isogeny-based cryptography. In other words, we consider a subgroup generated by a point P on the analytic curve. Given an elliptic curve E and points P and Q on E, the Isogeny phi P is computable efficiently. The meaning of computing phi P is computing the image of Q under phi P and its codomain E over P. On the other hand, given E and E over P, computing P is considered to be hard even by a quantum computer. Isogeny-based cryptography is based on this assumption. I introduce two Isogeny-based protocols, Seaside and Seasurf. Seaside is a Diffie-Hellman-type key exchange protocol which was proposed by a Catholic rung, Martindale, Pony and Renes at Asia Crypt 2018. I don't explain the detail of Seaside. The important things for my talk are that Seaside uses elliptic curves and Isogeny defined over a prime field FB. Where P is a prime congruent to 3 mod 8. And Seaside uses only Isogeny's odd degrees. Seasurf is a variant of Seaside which was proposed by a Catholic and Deku at BQ Crypto 2020. Seasurf uses a prime congruent to 7 mod 8 and also uses Isogeny of degree 2 and 4. Now, I introduce radical Isogeny's. Let E be an elliptic curve over a field K and a integer complying to the characteristic of K. And P a point on E of order n. A radical Isogeny is a formula of a map between elliptic curves and a point on net of order n. A pair E and B corresponds to E over P and P prime. P prime satisfying the group generated by phi hat of P prime is equal to the group generated by P. I'll explain the meaning of this condition in the next slide. The theory of radical Isogeny says that one can choose a form of E over P and P prime defined over K of an nth root of rho. Where rho is the state pairing of P and negative P. If you don't know what the state pairing is, it's not a problem. The important thing here is that the value rho can be efficiently computed by E and P. This is an image over radical Isogeny. Given E and P, radical Isogeny computes E over P and P prime. The condition on P prime in the previous slide said that the Isogeny with kernel generated by P is not the dear Isogeny of the Isogeny with kernel generated by P. In other words, the Isogeny with kernel generated by P prime has a forward direction. And there are n Isogeny's with such directions. The number n is corresponding to the number of choices of an nth root of rho. CDB 2020 uses forms of electric curves such that P and P prime are 00. Here are such forms. In the case n equals 3, the curve is defined by this equation. And in the case n is greater than 3, they use state normal form, the curve defined by this form, where the questions B and C satisfy a relation depending on n. There are examples of radical Isogeny's. For n equals 3, the questions of the codomain are represented as this and this. Where alpha is a cube root of negative a3. This is the case that n equals 4. Here alpha is a fourth root of negative b. This is a computing flow in radical Isogeny's of degree 3. First, given an electric curve, we compute a point of order 3 and the questions a1 and a3 from the point. Next, we compute the questions a1 prime and a3 prime of the codomain e prime of the Isogeny's with kernel generated by 00 on e by the radical Isogeny formula. The questions of the codomain of the Isogeny with kernel generated by 00 on e prime can be computed in the same way and so on. An advantage of this computing method is that we only need to generate a point of order n of the first Isogeny. There is no computation for the kernels of intermediate Isogeny's. This accelerates Isogeny's of small degrees in C-Side and C-Saf. Especially C-Saf because C-Saf uses the degree 4. Then, how to choose a radical alpha in C-Side and C-Saf? The answer is that we should choose alpha in a prime field fp in these protocols. There is the unique nth root in fp if n is co-prime to p-1 and if n is odd degree used in C-Side and C-Saf, it is the case. So, in this case, we can determine the choice of alpha. To apply radical Isogeny's to C-Saf, we need to transform our curve computed by radical Isogeny's to a Montgomery curve for generating the first kernel and computing higher degree Isogeny's. These computations are more efficient on Montgomery curves. In the case n equal to 4, there are two false roots in a prime field fp, so we need to determine which one corresponds to an Isogeny used in C-Saf. The choice is conjectured by CDB 2020 but not proven. In this work, we constructed radical Isogeny's of degrees 3 and 4 on Montgomery curves. This reduces the cost of transformations. In addition, we proved the conjecture on n equal to 4. Before I explain our work, we recall Montgomery curves. A Montgomery curve is an elliptic curve defined by this equation. We call the question A and the Montgomery question of this curve. Here are some important properties of Montgomery curves. The order of the point 00 is 2. A point whose excordionate is 1 or negative 1 is a half of 00. We denote the 4-cyclic group generated by a point of excordionate 1 by ce4. Let t be the excordionate of a point of order 3, then the Montgomery question is given by this. So, a Montgomery curve is determined by the excordionate of a point of order 3 on net. Now I introduce our contributions. The first is a radical Isogeny formula of degree 3. A pair of a Montgomery curve and a point of order 3 on net is represented by the excordionate of the point of order 3 t. So, there is a radical Isogeny between such t's. Indeed, we proved this theorem. Let e t be a pair of a Montgomery curve and a point of order 3 on net. And phi be an Isogeny with kernel generated by a point of excordionate t. Let t' be the excordionate of a point of order 3 on the codomain of phi that satisfies this condition. Remember that this condition comes from the direction of the Isogeny with kernel generated by a point of excordionate t'. Then t' is computed by this. The pair alpha is the cube root of this. The next is a formula for degree 4. The Montgomery coefficient naturally determines a four-cyclic subgroup on the Montgomery curve. So, there is a radical Isogeny between Montgomery questions. Let e be a Montgomery curve with question a. And phi be an Isogeny of a kernel C e4 that satisfies this condition. And let a prime be the Montgomery coefficient of the codomain of phi and define small a and small a prime as this and this. Then small a prime is computed by this. Where alpha is a force root of small a. Here is a comparison between the original radical Isogeny's and others. In the original, first we transform a Montgomery curve a.m. to attach normal form e.t. Next, we compute radical Isogeny's repeatedly. Finally, we transform again the resulting curve e.t.n to a Montgomery curve e.m.n. And this work, there is no transformation, but we need some computation for values used in radical Isogeny's. This cost is much smaller than the transformations in the original. This is the cost of the original and our radical Isogeny's in C-saf. Here e stands for exponentiation, m multiplication, a addition, and i inversion. In C-saf, a radical is computed by an exponentiation whose exponent is about p. So the cost of e is approximately 1.5 log p.m. In degree 3, CDB 2020 needs exponentiation for transformations. On the other hand, our formula doesn't need exponentiation for recovering the question. In degree 4, CDB 2020 doesn't need exponentiation but inversion for transformations. Our formula doesn't need either for recovering the question. Next, I explain our second contribution, which is about a choice of a false root in C-saf. We proved that in radical Isogeny of degree 4 on Montgomery curve, we can compute the Isogeny used in C-saf by taking a radical alpha as this. By using an isomorphism between a Montgomery curve and a tight normal form, we can prove the conjecture on radical Isogeny of degree 4 from this theorem. Indeed, we proved this. In the radical Isogeny of degree 4 on tight normal forms, we can compute the Isogeny used in C-saf by taking a radical alpha as this. This is a conjecture by CDB 2020. Finally, I conclude my talk. We constructed radical Isogeny of degree 3 and 4 on Montgomery curves. Our formulas slightly improved the efficiency of C-saf using radical Isogeny. We proved the conjecture on degree 4 left as open by CDB 2020. One of the future work is searching other applications of radical Isogeny. For example, random works in Isogeny growth could be a candidate. That's all. Thank you for watching.