 Cryptography. Thank you Bjorn. So I'd like to take this opportunity. This is my third and last lecture here. I just want to thank the organizers again, thanks to Bjorn and Akshay and Jen for organizing a great summer school and for including me in the program. And thanks to all of you for coming. Just as a reminder, in the first two lectures yesterday, so I introduced super singular isogenic graphs in cryptography. In, for any of you that missed it, I showed this nice picture from Science Magazine from 2008, which we created, which is a picture of a very small super singular isogenic graph. So just so you kind of get this intuition of a very, very messy looking graph that's hard to navigate. And so in the first lecture, we covered both cryptography and kind of some number theory, elliptic curves from a high level and the impending quantum threat and we defined a hash function from super singular isogenic graphs. And then in the second lecture, we actually talked about these graphs from the perspective of expander graphs and the expansion property and the optimal expansion property of being a Ramanujan graph. And then we talked about the application which was key exchange. So being able to do a key exchange using these graphs. So in this lecture, I'd like to focus a little bit on quaternion algebras which I've mentioned why that's relevant. We'll get back to that and repeat that here. And an algorithm for attacking these cryptographic proposals which works in the quaternionic setting and some of the recent work coming out of that direction and then talk about a third application which is signatures. So in each of the three lectures I've attempted to cover like one or more whole branches of mathematics and some applications. So I know it's a lot but hopefully you find some things in each that you find interesting. So first let's go back to why are we gonna talk about quaternions? Well, the reason is because our graph our super singular isogenic graph the vertices are super singular elliptic curves or at least isomorphism classes of super singular elliptic curves. And what is a super singular elliptic curve? Well, one way to define it is that its endomorphism ring is a maximal order in a quaternion algebra and a definite quaternion algebra BP infinity. So I'm gonna talk a little bit about what that quaternion algebra looks like and what these orders look like next in the beginning of this talk. And the reason is because we have this beautiful during's correspondence which allows us to think about the graph instead of having its nodes, our elliptic curves and its edges are isogenes. We can think of its nodes or vertices as being maximal orders in the quaternion algebra by just mapping an elliptic curve to its endomorphism ring. And then instead of isogenes what we have is connecting ideals of certain norm and that's what replaces isogenes of a certain degree in the description of the graphs that I've been focused on yesterday. And as I mentioned yesterday, another fact that we use in cryptography is what is the size of this graph? So if you fix P and you look at super singular elliptic curves in characteristic P, then thinking of the description of the graph in terms of maximal orders in the quaternion algebra BP infinity helps us because we have the Eichler class number which tells us that the number of nodes is roughly P over 12. And that allows us to figure out what size P we should use in order to get certain amount of security because it tells us how big is the graph. Okay, so now let's talk about quaternion algebras. And as you can see, I mean, I don't have time to do a whole core sign quaternion algebras. So just like an elliptic curve case just giving a very, very simplified description of the objects that we're gonna work with. So this definite quaternion algebra which is ramified at P and infinity, BP infinity is the notation we use for this. You can simply think of this as being given by a basis of four elements, one i, j and k, much like the Hamiltonian quaternions. But this time we have that i squared is actually equal to a, j squared is equal to b and k is i, j which is the same as minus j i. And depending on the congruence class of P, we can say, we can give what the choices of a and b should be. So just for the sake of giving you some examples to work with and you'll do some exercises related to these definitions in the next problem session, we're gonna just focus on the case where P is congruent to three mod four where a and b are then minus P and minus one. So if you look at that, I actually think it's kind of interesting. So all the elements in the quaternion algebra will be written in terms of this basis, one i, j and k. And so that just means that I forgot, I have to look and see which one I've picked for which, but i squared is now minus P, j squared is minus one and k squared is also minus P. Okay, so that's the quaternion algebra that we're working in. And so there's a couple of important things about this quaternion algebra. First is that we have an involution. So if you take something written in terms of the basis, if you take x, which is written in terms of its basis, one i, j, k and you just take all of the, all of the basis elements other than one and multiply them by minus one, then you get an involution, so x goes to x star. And that allows us to define both a trace and a norm map. We call, they're usually called reduced trace and reduced norm, but I notice there can be some confusion because people often just say trace and norm in the quaternion algebra. So for example, in this case when P is congruent to three mod four, if you have some element written in terms of that basis that I described where i squared was minus P and j squared was minus one, then the norm of an element, the reduced norm of the element, I'm sorry, I'll probably usually forget to say reduced norm, say norm, adding to the confusion. But the norm is just of an element c plus dj plus fi plus gij is just c squared plus d squared plus P times f squared plus g squared. Okay, so now that's just an abstract, little bit of background in the quaternion algebra that we're gonna be working in, but now think about it in the cryptographic setting. P is huge, right? So what that means is that generically, elements in this quaternion algebra have enormous norm. And if they have small norm, well, very interesting. That means only c and d could have contributed to this norm if the norm is small compared to P. So that means you're actually in a commutative suborder of the quaternion algebra, which is kind of interesting. So it's actually this fact that this was the intuition that allowed us, might work with at Yalgorin, to prove bounds on primes of bad reduction for genus two CM curves. So that's why it's one of my favorite facts to talk about. But so when P is large, elements of small norm come from a commutative quadratic suborder. So another reason for mentioning that fact is that the quaternion algebra is rank four and we're representing elements in it with this basis with four coefficients. But the fact is that there's a lot of quadratic subfields that sit inside of this quaternion algebra. And so that, we'll come back to that fact when we're thinking about the graph again. So another important fact which I've already alluded to is that this norm map on the quaternions actually corresponds to the degree map on endomorphisms. So in this, during correspondence, where an endomorphism ring for an elliptic curve corresponds to a maximal order in the quaternion algebra, an endomorphism in there, the degree of that endomorphism actually is equal to the norm of the element that it corresponds to under this correspondence. So, and that's another fact that we use very heavily. Okay, so just some very brief high level, background on quaternion orders and ideals because there's some things that are nonintuitive here if you're used to just the commutative side of things with number fields and number rings and ideals. So a fractional ideal in the quaternions is really just a rank for lattice. And then the norm of the ideal is gonna be the z-module generated by reduced norms of elements of that lattice. And then an order is actually a fractional ideal which is also a subring. So the ideal themselves are not necessarily subrings and in fact, if you look at integral elements which are elements which have their reduced norm in, the reduced norm and trace in z, integral elements do not even necessarily form a ring. So you can already see there's a couple of things that are a little different here from when you're working in number fields. So an important concept that I need to define is the right order of a fractional ideal. So if you have a fractional ideal I, then the right order we're gonna call it O sub R. So I'm often gonna be using this script O for an order. O sub R is the elements in BP infinity such that if you multiply the ideal on the right by that element that you still end up staying within the ideal. So I times alpha is actually contained in I. And so I know these are a lot of definitions and a lot of things and luckily, Yana has designed a lot of nice exercises to kind of go over these things and get a little practice and a little bit of familiarity if you're not already. But the reason that I need to define these things is because I need to explain what is a connecting ideal. So because this is very key for the definition of the graph on this side of things. So given two maximal orders, a connecting ideal, maximal orders are let's call them O one and O two. So connecting ideal I has the property that it's right order is O one and it's left order is O two. Left order is defined analogously to right order where you just multiply on the left instead of the right. So what that means is that you can actually think of instead of thinking of the set of maximal orders in the cotrion algebra, you can also think of it as fixing one maximal order and then think of all the connecting ideals that represent getting to the other maximal orders. So in that sense, you can think of it as like a kind of a class group where you've got a fixed reference point which is one initial maximal order and now you have all the left ideals, all of the possible left ideals of that order and their right orders give you all of the rest of the maximal orders. So now like we're reducing to thinking of our graph in this new way where all the nodes are these orders and the connectors are these ideals. And you can actually compute these ideals, these connecting ideals. So way back in the last century, like in the end of the 1990s, David Cole already implemented these things in Magma and the Magma software package. And so you can actually compute all of these maximal orders and these connecting ideals and now it's in Sage, although I'm not exactly sure who has written it. And just as a little bit of a warning, I mean, with the development of Sage over time, there have been times when some of these functions were not actually working in Sage. So hopefully they're working now, but so they were originally implemented in Magma by David Cole. And so you can compute these connecting ideals. For example, you can see in the reference of Kierschmer and Voight, which I have the list of some of the Quaternion references is in the end of this slide. You can see there's an explicit way to compute this connecting ideal. Okay, so now just to review again during correspondence. So specifically it's a correspondence between these super singular elliptic curves over FP bar up to isomorphism with the maximal order, which is the endomorphism ring of the elliptic curve up to conjugation. And so in terms of the label, I told you we had really nice labels over on the elliptic curve side. We can label elliptic curves with their J invariant, but we actually don't have such a nice label over on the maximal order side. So you can give a basis of a maximal order, but then you need to have a way, like if you're actually gonna use this in a cryptographic setting, you need to have a way of testing whether a basis, two different bases that are given to you whether they actually correspond to the same order. And that was one of our problems also in generalizing this to higher dimensions and using super special orders. So now the correspondence for the edges is as I said, any left ideal I of O will correspond to an isogyny, and that isogyny will have the property that the elliptic curve that you land on, call it E sub I, will have, its endomorphism will be the right order of that ideal I. And so another way to see the correspondence is is that that isogyny is actually defined by, and again, remember all our isogynies are separable because we always take degree, which is co-prime to the characteristic. And so the isogyny is actually determined by its kernel. And so its kernel is given by all the points on the original elliptic curve E, such that all of the elements of this ideal, which are endomorphisms, kill P. So it's all the points killed by the endomorphisms in I. And so this is the during correspondence. If the degree were not co-primed to the characteristic, this would be significantly uglier, but we're just in that case for now. So we have a one to one correspondence in this case when the degree is co-primed to P. And as I said, the right order of I will be the endomorphism ring of E sub I. Okay, so let's look again at our kind of running example here. So if P is congruent to three mod four, and we're gonna take the elliptic curve E sub zero, which is y squared equals x cubed plus x is super singular in this case when P is congruent to three mod four with J invariant 1728. So this E zero is gonna be important for us. Somebody asked after my first lecture, how do you decide what starting point to use for the walk for either the hash function or the key exchange or whatever? And I said to my chagrin that most often we use one of these starting points. In fact, E zero like 1728. And I feel and others feel that this, there may be a disadvantage from the security point of view of doing this, but we have not really figured out any specific weakness based on this yet or not that I know of anyway. So we have this E zero as a special point in this graph anyway. It's literally the starting point usually for a lot of these protocols. So what's special about this E zero? Well, look at the equation y squared equals x cubed plus x. It's particularly simple, right? You can actually see what the extra endomorphisms are because you can take, so when you're working on elliptic curves over Fp, you always have the Frobanius endomorphism. So you always have this rank two Z module and inside the endomorphism ring. But first the super singular case, you have extras. And in this case, we have that you can send a point x comma y on the elliptic curve to minus x comma Iy where I is the usual square root of minus one. So that gives you an extra endomorphism and these two endomorphisms together generate this rank four Z module, which is non-commutative. So generated by one phi pi and pi phi. So I'll just mention a little bit of an issue. In this field, there's a lot of people working in isogenic based cryptography now. And one thing that happens is that we often talk about being able to compute the endomorphism ring explicitly computed like meaning explicit during correspondence, not just that there exists a correspondence but given an elliptic curve, a super singular elliptic curve, what is its endomorphism ring? But that's actually not really very well-defined. And so in one of our papers with Christophe Petit and Kirsten Eisenrager and Sean Hallgren and Travis Morrison, we actually explain like there's actually three different things you could mean by that when you say compute the endomorphism ring. So here you see an endomorphism ring, which is presented in terms of explicit endomorphisms. And on previous slides, I was giving you this description of the quaternion algebra in terms of a quaternionic basis. So you could mean compute it actually as a maximal order, which is kind of what's implied in the during correspondence. And so it's not really even, it's not at all the same thing to be able to compute these things. And in fact, in this case for E0, it's a really, really nice case because we have O0, the maximal order, given in terms of its presentation in the quaternion algebra. So it has a basis one i, one plus k over two, i plus j over two, but it also has this presentation in terms of actual endomorphisms that act on points on the curve. So beware of this kind of point of confusion. But this makes E0 particularly useful for the attacks that I'm about to explain. So the first thing I'd like to explain is what's now called the KLPT algorithm, which was our paper from ANTS 2014 with David Cole, Christophe Petit and Tignol. And so this algorithm is an algorithm which allows us to find paths in the quaternionic version of this graph. So now instead of SIG graph, we've got the quaternion version of it. And so instead of two elliptic curves that you wanna find a path between, you've got two maximal orders. So O1 and O2, and you want to find a connecting ideal of L power norm where L is the small prime that we've picked to be the degree of the isogenes and to be the norm of the ideals. So you wanna find a connecting ideal of L power norm. And so the algorithm, the KLPT algorithm for this is, so we're gonna use O0. And we're gonna use the fact that we know the endomorphism ring for O0. And so we're gonna find a connecting ideal between O0 and O1, one of our points, and we're gonna find a connecting ideal between O0 and O2. And so we're gonna do this step one twice. So for the first run through, we find the connecting ideal between O0 and O1. And then what we actually need to do is to find an equivalent ideal of norm L to the N. And so we do this by, if we have an element alpha of the ideal, we can replace by the ideal times gamma where gamma is the involution applied to that element alpha over N, where N is the norm of I. And what we need is we need to find an alpha which is norm prime to N. And for that part, we actually search through this box. Trying to solve the norm equation using Cornacius algorithm. So I think that this is a little bit diving into the weeds here, but I was asked about whether we could make this algorithm deterministic. And right now this is the step which is not deterministic where we're looking for a solution to the norm equation using Cornacius algorithm. And so then, I'm not going through all the details here, but basically use strong approximation to find an equivalent ideal with L power norm. So as you can see, this is diving into the quaternions and really using a lot of information and facts that we have about quaternion and quaternion ideals, but it's doable in practice and it works and it's efficient. And we have like heuristic analysis of the running time, but so we can, repeat this step for connecting O0 to O2 and then we can concatenate the two paths. So this shows that in practice, you really can solve this path finding problem in the quaternionic version of the graph. So what that means is that, essentially, I haven't exactly proved everything, but I've tried to explain to you the idea behind the statement that the hard problem in super singular isogenic graphs is basically equivalent to being able to compute these endomorphism rings. So the number theoretic algorithm, so in the second lecture, I described generic algorithms for attacking the path finding problem. That is you would just start from your two endpoints and you would just randomly walk around the graph until you, the two paths hit each other. So the kind of more number theoretic approach to attacking is to use this during correspondence, if it were explicit, and then use the KLPT algorithm to find the path and then pull it back. So, luckily for the security of the cryptosystems like psych based on the hardness of these problems, computing endomorphism rings is very hard. So I think one of the first attempts to understand the hardness or the problem of computing endomorphisms of super singular elliptic curves was in David Cole's thesis in 1996. And their idea there was just kind of randomly walk around to find cycles in the graph and then try those cycles. If you start from E and you get a cycle and you come back to E, then that's actually an endomorphism. So that's an exponential algorithm. So in 2003, concurrently with Cervinho in some joint work with McMurdy, we gave another exponential algorithm for computing endomorphisms, which is again, really horrible. So when I say exponential, I mean exponential in P. So that is really bad. So compute the number of, so what you can do on one side is to compute the number of norm N elements in a particular maximal order and, because you know what the norm equation is, and then you can compare that with the number of isogenes of degree N, which are endomorphisms. So you kind of build up this correspondence where you can match up an endomorphism ring for a specific elliptic curve with a maximal order. But this is again, it's a really horrible algorithm. It's an exponential time algorithm. But it uses that correspondence between degree of isogenes and norm, reduced norm of elements in the quaternion. So anyway, there's been a lot of recent work on this equivalence between the, so one of the more recent papers by Benjamin Woslowski is actually called the super singular isogeny path and endomorphism ring problems are equivalent. So you can see right in the title of it. And it's a more rigorous version of our paper from Eurocrypt from, I think, 2018 with Eisenrager, Halgren, Morrison and Petit, which showed that result as well heuristically. And then there's been some more work coming out of actually a win four project that was led by Kirsten Eisenrager, which goes towards trying to continue to understand the hardness of computing endomorphism rings. So I put the references in here in case you're interested. So that's one approach, is to try to compute endomorphism rings and that would be one way to attack the problem. So there are a few kind of newer attack strategies that I've been involved in. Actually in the problem session at the Silverberg conference a few years ago, I co-organized a group to work on this problem and we spent several years working together and wrote this paper, Adventures in Super-Singular Land, which is in honor of Alice Silverberg and her birthday. And in that paper actually, and so one of the interesting things there is that before that work, I always thought about the Super-Singular Isogyny graph like the picture from Science Magazine that I showed you, right? Just this really messy graph no orientation, how do you find your way around? But after that paper, I realized, of course, there's this evolution which we studied and the spine of the graph. So what we called the spine is really the FP points in the graph. So when you look at that evolution, the evolution will fix the FP graph so it'll take a J invariant to its conjugate. And if the elliptic curve is defined over FP squared, then it takes the elliptic curve to a different elliptic curve. But if the elliptic curve is defined over FP, then the J invariant is in FP and it's fixed by this evolution. So now we have a graph which looks a little different, that it has an evolution on it and the fixed points of the evolution are the points that are defined over FP. And so in that paper, Adventures in Super-Singularland, we did a lot of experimentation and there's a lot of interesting data and results there. For example, how hard is it to navigate to a point on the spine if you're in some random place on the graph? But another thing that we investigated there is that if you think of the volcanoes that come from the ordinary graphs, so I haven't talked about this topic in this set of lectures. So I apologize for bringing in something that's not really very well explained here. But if you look at elliptic curves which are ordinary over FP and they have CM by a particular field, K, let's call it, there's a volcano associated with all of the different possible kind of suborders of the ring of integers of K, which correspond to the endomorphism rings of all kinds of elliptic curves. And there's a rim where all of the elliptic curves have maximal order in K as their endomorphism ring and then there's kind of tentacles that go down and that's why it's for the elliptic curves that have suborders as their ring of integers. So that's why it's called a volcano. And volcanoes are much easier to navigate of course than the super-singular isogenic graph because there's kind of a top, there's a rim and then there's branches that go down like a tree. So that's why the problem of working on an ordinary graph is much easier than the super-singular isogenic graph. But what we investigated in this paper is the fact that you can see these volcanoes kind of being embedded from different CM fields that live inside the quaternion algebra. You can see these volcanoes showing up in different places and the interesting thing is is that the way that they embed into this super-singular isogenic graph is very non-trivial. So the three things that can happen is that they can stack on top of each other. They can fold over or they can attach to each other. And so volcanoes are sitting inside the super-singular isogenic graph in a very interesting way which we described completely in that paper. And so I think there's at least Christina Nelson and Yana Sotakova here as co-authors on that paper if you want to talk more about that paper. And then the other paper that I wanted to talk about that goes in a little bit different direction but somewhat related is my Win 5 project co-led by Kate Stang. And Kate Stang is, I'm not gonna say too much because she's gonna be giving a whole talk on this paper next week. But it kind of builds on this idea that if you have an endomorphism that corresponds to the embedding of CM field K into the quaternion algebra. So you actually know an endomorphism, you know a non-trivial, not Frobenius, endomorphism of your elliptic curve. Then you can use the volcanoes that correspond to that CM field embedded into the super-singular isogenic graph and you can use that volcano to actually trace around and find cycles and we can use it to actually find paths by having from two directions both going up to the rim and hitting each other eventually and then getting back to the starting point. So that's another kind of interesting direction but as you can see again it requires the knowledge of some information about the endomorphism. And for that paper besides Kate we also have Mingji Chen here who's a co-author you can talk to. Okay, so finally in the last part of my talk what I wanted to do is to talk about the third application of super-singular isogenic graphs which is these signature schemes. So originally designed by Galbraith, GT and Silva in 2016 and then with the more recent construction in ski sign. So I was saying SQI sign but I guess they say ski sign in 2020. So the setup for ski sign for getting a signature scheme is going to be that we're gonna fix a prime P and the elliptic curve E0 which is the usual one, the special one that I told you about find over Fp with known endomorphism ring O0. And then we're gonna select a D which is an odd smooth number D which is fairly large, so log P bits. And then for the key generation what's gonna happen is that the prover is gonna take a random isogenic walk from E0 landing up at EA and the prover will make EA public and keep the isogenic itself secret. So this should look familiar to you that's like the first stage for Alice or Bob when they're doing a key exchange. They start from some known elliptic curve and they take their secret isogenic walk and they make the landing point, the ending point public but they keep the isogenic secret private. Okay and so then here is how you can create an identification protocol from this. So what's gonna happen is the prover in addition to having this secret isogenic and the public key corresponding to it is also is going to generate a random or well I guess it's not send sends it to the the commitment is this secret isogenic doesn't necessarily send it to the verifier but just makes it public. And then the challenge is gonna be the verifier sends a cyclic isogenic from the ending point of the secret walk and that cyclic isogenic will have degree D and the verifier is gonna send that challenge to the prover and then the response is that the let me just show you the picture here. So let me see if I can get my cursor. So starting from E0 the public point tau was the secret isogenic and then we're gonna have this commitment which is a different isogenic fee to E1 a different elliptic curve that's sent from the prover to the verifier then the verifier is gonna send this challenge isogenic fee which goes from E1 to some other elliptic curve E2 and so now in order to respond what the prover is doing is basically proving that she knows this tau by taking the dual isogenic of tau and starting from EA taking the dual going up to E0 and composing with these two she can come up with this isogenic sigma which is the composition of these three so that's this formula here sigma is fee composed with psi composed with tau dual which goes from EA to E2 and it has the right properties which is that it'll have degree D and such that fee dual composed with sigma is cyclic so the verifier can then check did the prover provide an isogenic from EA to E2 and does it have the right properties so that's how you can create kind of an identification scheme which is a building block for a signature scheme from these graphs and again you can see that it relies on the hardness of given E like in this picture given EA and E0 can you find a path between E0 and EA okay so then what I wanted to conclude with a little bit of information about what else has been going on in this field so we proposed super single isogenic graphs more than 15 years ago in 2005 and not much was happening until the proposal for key exchange with Zhao Defeo Plute and the advent of the search for post-quantum crypto schemes so when it was realized that this could be a post-quantum assumption but so as you can see from some of the results I've described in the meantime there was always those of us like myself interested in hardness of computing the endomorphism ring and these related problems and also describing some of the kind of number theoretic analogs of these graphs so but there's been a lot of other graphs that have also been considered so I wanted to just give a few pointers to some references for work in that direction so of course one of the first things is you can vary the isogenic degree and as you see already in the key exchange you use isogenic degrees which are two or three but you can use even larger degrees so in our original proposal for cryptographic hash functions from expander graphs we also proposed using Lubotsky-Philip Sarnak graphs which are also Ramanujan graphs that have optimal expansion properties so we thought oh these could be good and they're much more efficient to implement because the LPS graphs are actually just the vertices are just elements of SL2FP so they're just two by two matrices with elements with their entries in FP that satisfy certain properties and those are actually Cayley graphs so the connectors, the edges are just obtained by multiplying on one side by a fixed set of basically L plus one different matrices that satisfy certain properties and that's how you can move around the graph it's just a Cayley graph you multiply on the right by these generators of the Cayley graph so that was a really nice idea because wow that's really efficient to implement compared to implementing elliptic curves and J-invariants and isogenies and stuff but here's the problem this was pretty interesting so in 2008 already in Eurocrypt 2008 Xemar and Tillich produced a way to find cycles in this graph and it was kind of analogous there had been hash functions defined based on other Cayley graphs that usually they use kind of the basic strategy for those attacks on the other Cayley graphs had been that you kind of lift the elements so they're not, you've got two by two matrices and the entries are in FP but you lift the elements to Z and then you use kind of like a Euclidean algorithm to attack them and Xemar and Tillich were quite familiar with that and they had that in their mind and they were able to make that work to find cycles in the LPS graph and so that was pretty quick and made it so very unlikely to wanna use LPS graphs for hash functions and in fact, following on that right away in joint work with Christophe Petit and Jean-Jacques Quiscaté we were able to extend their idea to actually find pre-images in these graphs which is, if you remember, finding pre-images is the same idea as finding paths so you have a starting point that everybody knows and now you're given some ending point for the hash function and finding a pre-image means just what did you put into the hash function so that you landed up at that point and that means you found the path between them so a really interesting note and this is an intersection of two very, very different fields coming together here in a very interesting way is that our path finding algorithm for LPS graphs first of all, that had been, Lubotsky was at a conference at IPAM in 2008 where he had invited me to speak on this algorithm and he said that he was very pleased because this path finding algorithm this path finding problem had been open for several decades for finding being able to find paths in LPS graphs and in fact, the approach that we used Peter Sarnaak has recently realized is actually the same algorithm as the fairly well-known Ross-Sellinger algorithm for efficient quantum arithmetic so you might think, oh wow, this sounds really weird but it's not that weird because for any of you that, I don't know if any of you heard Christelle's talk on quantum arithmetic but in the quantum setting you have a certain set of gates that you use for operations like the Clifford gates or the T gates and these are just two by two matrices and so to move around, like to model quantum arithmetic really means just to apply these gates successively and so when you want to do a certain computation what you really need to, like a real computation that we're used to doing with normal classical computers you have to model that computation in terms of these Q gates or T gates sorry T gates and Clifford gates and so what you're really doing is finding a path in some sense in this graph which is whose steps are given by multiplying by these two by two matrices so it's actually a very, very similar problem and the algorithm that they came up with is later is almost the same algorithm as our path finding algorithm for LPS graphs so that was just a little aside but I thought it might be of interest to some people so I wanted to mention it but there's other graphs that have been tried the Morgenstern graph, the higher dimensional analogs in dimension two and above that I mentioned with Charles and Gorin and then more recently adding level structure to the elliptic curves and looking at that graph so Sarah Arpin has just finished her PhD and her paper is available called adding level structure to super single elliptic curve isogenic graphs. Okay and then aside from the different graphs that have been considered there's a whole community of people working on actually the crypto side of these isogenic based systems so alternate graphs and protocols coming from for example the C side proposal dimension two analogs proposed by a range of people including the one by Florid and Smith which I mentioned in my earlier lecture. Other signature schemes which I didn't describe here attacks which use some of the auxiliary information such as using the torsion points that are known and then some of the work I talked about with trying to use the graph structure to attack. Okay so at this point I'm finished with everything that I wanted to say in this series of lectures. I'd be happy to take more questions. I really enjoyed talking with all of you and I hope you got an idea of one of the proposals for post quantum cryptography which is these kind of huge messy looking super singular isogenic graphs which draw on all kinds of beautiful mathematics ranging from elliptic curves to quaternion algebras to Ramanujan graphs. So it's really a fruitful area to work in and there's a lot of work to be done so I hope you've learned something from this and that you will hopefully enjoy working in this area. Thank you. Okay are there questions? Yeah sorry I didn't say that. So actually I have to dig back into my memory it's been a while since I've thought about this. So you have like over any number of field you have like the central simple algebras so if they're let me see if this is the right one so if they're ramified if when you tensor you get the sorry if you tensor and you get just the matrix algebra then they're un-ramified but if you get the different central simple algebra then they're ramified sorry. Yeah that's a very interesting point I'm always whenever I give this talk I'm always waiting for somebody to ask that question. So did everyone hear the question? Okay so you know I say like the two isogenic graph is three regular and if there's no backtracking you have only two choices after you've taken one step but how do you decide the first step? So that's basically the question. So there has to be there are different proposals that you could make and I'm embarrassed to say I'm not sure which one they have taken for psych for example but I mean I guess when you do if it's not the hash function no you still have the same problem for psych yeah the same problem for book. So you have to throw one of them out and there's different deterministic ways to do it and possibly there are bad ways to do it. I'm not sure if anyone has shown that there's any bad choices for how to do it. Yana do you know how they do it? Sorry to put you on the spot. You already have specified yeah great. So I'm not sure if everyone heard that but so instead of starting at the starting point of 1728 you already take one step and you start at that point and so you can't go backwards now. Thanks Yana. Any other questions? More questions? Okay, let's thank Kristin and Roger again. Thank you.