Hi, I'm Péter Kutas. I'm going to present the paper "On the Isogeny Problem with Torsion Point Information", which is joint work with Tako Boris Fouotsa, Simon-Philipp Merz and Yan Bo Ti. So our main contribution is that there's an algorithm for finding the secret isogeny in essentially any SIDH-type scheme, given the endomorphism rings of the starting and the target curve and utilizing the torsion point information in a meaningful way. Previous to this, this was only known when the isogenies were particularly short and did not do class 3. Our attacks actually help in analyzing the security of B-SIDH and show that the B-SIDH parameters are tight and they cannot be lowered without breaking the parameter sets.
Isogeny-based crypto is a branch of post-quantum crypto and it's based on the hardness of finding isogenies between supersingular elliptic curves. However, in most cases, isogeny-based systems are based on reductions of this problem. Namely, for example, in SIDH additional torsion point information is provided. Isogeny-based systems have the nice feature that they have small key sizes. So their public keys, ciphertexts and signatures are all small compared to their post-quantum alternatives.
So let me present the scheme SIDH in some detail. So let N1 and N2 be two large numbers. Usually they're powers of two and three, but that's not quite necessary. And then p is N1 times N2 minus one. Sometimes there's also a small cofactor there, and the starting curve is defined over F_{p^2}. And then Alice's secret is an isogeny going from E0 to a curve EA and Bob's secret is an isogeny going from E0 to EB. However, just knowing the codomains of these isogenies is not actually enough to find a common shared secret. So what they do is they reveal extra information, namely Alice reveals the action of her isogeny on Bob's torsion generators and Bob does the same with his secret isogeny.
And then they both can actually compute the curve E_AB, where A corresponds to the secret kernel of Alice and B corresponds to the secret kernel of Bob. And then their shared curve is this curve E_AB. So in SIDH, these isogenies are rather short. So since N1 times N2 is roughly p and N1 is roughly the same size as N2, then both are roughly the size of the square root of p. And in general, if you restrict yourself to powers of two and three, you do not expect such short isogenies to exist between two random supersingular elliptic curves.
So the main contribution of B-SIDH is to use a different type of parameter set, namely where N1 is roughly p and N2 is roughly p. So this is achieved by choosing a prime such that p squared minus one is N1 times N2 times some small cofactor. To make the scheme efficient, one actually has to work with curves and their twists simultaneously. So a twist of a curve is actually a curve that's isomorphic to the curve over the algebraic closure, but not isomorphic over F_{p^2}. And the main trick here is that you can actually carry out all the computations over F_{p^2} and you don't have to go to F_{p^4} in the computation. However, finding parameters for B-SIDH is much harder than for SIDH. So you can no longer actually expect N1 and N2 to be powers of two and three. You can make them smooth numbers, but it's a lot of work and they're much less smooth than in SIDH. So it's slower than SIDH, but it has some nice features. So for example, keys are much smaller than in SIDH.
And now let me recall some hard problems in isogeny-based crypto. So we have the pure isogeny problem, where one is given two curves and has to compute an isogeny between them. Then you have the SSI-T problem where not only the two curves are given, but also a degree specify that one, two of them. And you also know the action of the secret isogeny on some torsion. And the goal again is to compute the secret isogeny.
Finally, you have the endomorphism ring problem, namely one is given a supersingular elliptic curve, find its endomorphism ring. And this endomorphism ring has a very particular structure. So every supersingular elliptic curve has the property that its endomorphism ring is actually a maximal order in a certain quaternion algebra. And this correspondence was first discovered by Deuring back in the 1930s. And it's a really nice correspondence because it's a categorical equivalence, so many of the notions in the elliptic curve setting have their counterparts in the quaternion setting. So for example, a supersingular elliptic curve defined over F_{p^2} corresponds to a maximal order in the quaternion algebra ramified at p and infinity. And an isogeny going from E1 to E2 corresponds to a left ideal of the first endomorphism ring, which is denoted by O1, which is also simultaneously a right ideal of the second endomorphism ring, O2. In particular, when theta is a separable endomorphism, this will correspond to a principal ideal of the endomorphism ring. So finally, the set of isogenies going from E1 to E2 has some structure and you can add the isogenies between these curves. This is denoted by Hom(E1, E2) and this is actually a rank-four Z-lattice, both in the isogeny setting.
The interesting algorithmic property of the Deuring correspondence is that it doesn't have the same difficulty in both directions. So actually computing the endomorphism ring of a supersingular elliptic curve is supposed to be hard, so there are only exponential-time algorithms for this task. But if one is given a maximal order, then one can actually compute the corresponding elliptic curve in polynomial time. So now I will give you a brief discussion of how the reduction from endomorphism ring computation to isogeny computation works. So actually in the correspondence setting finding a connecting ideal is easy.
However, if you want to translate into the isogeny setting, you need one of smooth norm, and this is exactly what the algorithm of Kohel, Lauter, Petit and Tignol, abbreviated KLPT, does. So it takes the connecting ideal and computes an equivalent ideal of smooth norm. And so this is a heuristic polynomial-time algorithm, and recently it was shown by Wesolowski that you can actually remove the underlying heuristic and replace it with something much more standard, namely the generalized Riemann hypothesis. So how does the general reduction work? So now suppose that I know the endomorphism ring of both curves, how can I compute an isogeny between them? So I compute the connecting ideal, then I compute an equivalent ideal of smooth norm using KLPT, and then there's a generic procedure for how to translate a connecting ideal to an isogeny.
So however, in SIDH-type schemes, which is SIDH or B-SIDH or any variation of SIDH, you have one particular isogeny that's your secret. So it's not a priori clear that if you know an isogeny between the two curves, you can actually also compute the secret isogeny. And the first result in this direction was by Galbraith, Petit, Shani and Ti, who showed that in SIDH you can actually find the secret isogeny in polynomial time if the endomorphism rings of E0 and EA are known. And the key ingredient is, again, this fact that in SIDH isogenies are short in some sense. So namely, how does this algorithm work? So you compute the connecting ideal, you don't need to smooth it out, just any connecting ideal will do. Then you find the shortest vector in that connecting ideal, and then with really, really large probability this will actually be just the secret isogeny in SIDH. So this uses the fact that usually, if you just have two curves, then the smallest element in this lattice will have norm of the square root of p, which is no longer the case, for example, in B-SIDH or maybe other variants where the isogenies might be longer.
So this attack doesn't apply to those variants. So our main goal was actually to generalize this algorithm to be able to handle arbitrarily large isogenies. So the previous algorithm didn't use the torsion point information at all, just the fact that the isogeny is particularly short. We'll be using the torsion point information in a much more meaningful way here. So again, we start with an LLL-reduced basis of the connecting ideal, which we denote by w_i. And then these have isogeny counterparts, which we'll denote by φ_i. And then we'll be looking for φ as a linear combination of these isogenies. So this is the sum over i of x_i φ_i, and we're looking for the x_i. So we can evaluate φ on the N2-torsion, so you know what φ(P) is. So we evaluate both sides of this equation on P and Q. And then, so now we have four equations and we have four variables. But the system is not linear. However, it can be turned into a linear system, namely by using pairings and solving discrete logarithms. Solving discrete logarithms in this context is not hard because usually N2 is smooth. Plus, in most applications N2 has to be smooth, but if not, then you can use a quantum algorithm for solving discrete logarithms. And then, so you actually have now a system of four equations in four variables modulo N2, and you can retrieve the x_i modulo N2.
So there are actually a lot of unanswered questions with this approach. The first one is how to evaluate the φ_i. So those φ_i, they correspond to some abstract quaternions which form an LLL-reduced basis of the connecting ideal. So there's no guarantee that their norm is smooth. So how can you actually evaluate these φ_i efficiently? The second one is, it's clear that the system of linear equations has a solution, because there is a correct x_i, for instance. But why is this solution unique? And the third one is, okay, so I know the x_i modulo N2, how does this help me in finding φ?
So first, how do we evaluate non-smooth degree isogenies between two curves of known endomorphism ring? So the key ingredient is actually an algorithm by Petit and Lauter which deals with the special case where you have a curve of known endomorphism ring and you want to evaluate an endomorphism that might not have a smooth degree. So the key idea there is essentially that you can represent it as a linear combination of endomorphisms which are evaluatable. And then you just evaluate those and then use the linear combination to evaluate the non-smooth degree one. And we'll be reducing to this fact. So let J_i be the left ideal corresponding to these φ_i, and the main idea is to use KLPT to compute an equivalent ideal K between O1 and O2. So the main component here in the isogeny setting is the following. So you have an isogeny φ_i that might not have smooth norm but goes from E1 to E2, then from E2 to E1 you compute a smooth degree isogeny using KLPT. And then if you compose the two, you get an endomorphism of the first curve, which you can evaluate using Petit and Lauter, and then essentially you just have to cut off the part of the smooth one and then you'll get the evaluation of the φ_i.
So this is exactly what we do here on the quaternion side. So you compute the product of J_i with the conjugate of K, since that is just what corresponds to the dual of the isogeny, which will be a principal ideal since it's a separable isogeny of the first curve. And then the main component here again is that you can evaluate these θ_i now, and then you can evaluate the φ_K as well because it has smooth degree. And then you have to multiply with the inverse of M, because when you cut off you added a multiplication by M there. So that's why it is crucial that the norm of M is coprime to N2 for this to work. Okay, so now we can evaluate the non-smooth ones. So now, why is the solution unique?
So even though there are many different non-isomorphic maximal orders in the quaternion algebra B_{p,∞}, they all share one common thing, namely if you reduce them modulo N2, you always get the same thing. It will be isomorphic to the two-by-two matrices modulo N2. Furthermore, so the main ingredient now is this fact and another fact: if you take two curves, there's always an isogeny between them whose degree is actually coprime to N2. Which means that if you represent the action of that isogeny with some fixed basis, you get an invertible matrix. So now if you want to get a specific action on the N2-torsion, which is again represented by a matrix, a two-by-two matrix, then what you do is you take this M_ψ and then you pre-compose it with M_ψ inverse times that particular action, which you do have because the endomorphism ring modulo N2 contains all the matrices. So now you can actually get any type of action on the N2-torsion. Furthermore, you'll get each action once, because you only have N2 to the four possibilities as an action, because every isogeny is a linear combination of these φ_i and what only matters is the residue class of the x_i modulo N2. So you only have N2 to the four choices, and you'll get each of them. So there's only one particular choice modulo N2.
Okay, and now if you know these x_i modulo N2, how does it help in finding φ? So the main idea is that LLL has a feature that if you have a short vector in the lattice and you write it in this basis, the coefficients corresponding to the basis vectors are also relatively short.
And using this fact, you can actually prove that if a certain condition is satisfied, which is that N1 over N2 is smaller than D over 16, where D is the shortest isogeny between the curves, then you can recover the x_i as integers as well, because you can show that the x_i will just be in the interval between minus N2 over two and N2 over two. And there's only one residue there. So every residue modulo N2 only appears once there. So if you know the x_i modulo N2, you know it as an integer as well. And this condition, N1 over N2 being smaller than D over 16, is not very restrictive because you can actually assume that N2 is bigger than N1, since if you're attacking a key exchange, you're attacking the shorter one. What this actually tells even more is that you don't even really need to utilize all the torsion information, as D in general is roughly the square root of p. So this essentially works for any SIDH-type scheme. Interestingly, we never use the fact that N1 is smooth. So of course, if you want the isogeny as a rational map, you need N1 to be smooth, but what this algorithm actually does is return a linear combination of these φ_i. So you can retrieve this linear combination even if the isogeny is not of smooth degree.
So to summarize, we generalized the GPST attack to a much larger class of SIDH-type schemes, utilizing the torsion point information. Furthermore, it provides an algorithm for evaluating non-smooth degree isogenies between two curves of known endomorphism rings, which might be of independent interest. So finally, this work provides an attack on B-SIDH which is more efficient than meet-in-the-middle. Not in terms of running time, it has the same running time, but it's completely memory-free compared to the meet-in-the-middle algorithms, which need exponential memory. And it is actually asymptotically much faster than for B-SIDH.
So it doesn't lead to an attack on B-SIDH, because B-SIDH parameters were actually chosen very carefully to avoid these types of attacks, but it shows that you cannot lower B-SIDH parameters, which is an important fact because, if you can choose smaller primes for B-SIDH, then the efficiency of B-SIDH gains a lot, as you can choose N1 and N2 to be much smoother. And the prime is also much smaller. But this attack shows that this would be very awesome. Thank you very much for your attention.
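
An added illustration, not part of the talk or of the paper's code: the last two steps the talk describes (solving the four linear equations for the x_i modulo N2, then lifting them to integers in the interval from minus N2/2 to N2/2) run on constructed toy data. The 2x2 matrices standing in for the action of the φ_i on the N2-torsion, the value N2 = 3^6 and all function names are assumptions; no elliptic curves, pairings or discrete logarithms are computed.

```python
from math import gcd

N2 = 3**6  # constructed toy torsion order (smooth, as the talk assumes)

# Constructed 2x2 integer matrices standing in for the action of the four
# LLL-basis isogenies phi_1..phi_4 on a fixed basis (P, Q) of the N2-torsion.
PHI = [[[1, 0], [0, 1]], [[0, 1], [-1, 0]], [[1, 1], [0, 0]], [[0, 0], [1, 1]]]

def system_rows():
    """4x4 coefficient matrix: row k holds entry k of every flattened phi_i."""
    flat = [[m[0][0], m[0][1], m[1][0], m[1][1]] for m in PHI]
    return [list(col) for col in zip(*flat)]

def torsion_action(xs, n=N2):
    """Flattened matrix of sum x_i*phi_i on (P, Q) mod n: the attacker's input."""
    return [sum(c * x for c, x in zip(row, xs)) % n for row in system_rows()]

def solve_mod(rows, rhs, n):
    """Gauss-Jordan elimination mod n, pivoting only on units of Z/n."""
    a = [[v % n for v in r] + [b % n] for r, b in zip(rows, rhs)]
    for c in range(len(a)):
        piv = next((r for r in range(c, len(a)) if gcd(a[r][c], n) == 1), None)
        if piv is None:
            raise ValueError("no unit pivot found (n is assumed a prime power)")
        a[c], a[piv] = a[piv], a[c]
        inv = pow(a[c][c], -1, n)
        a[c] = [v * inv % n for v in a[c]]
        for r in range(len(a)):
            if r != c and a[r][c]:
                f = a[r][c]
                a[r] = [(v - f * w) % n for v, w in zip(a[r], a[c])]
    return [row[-1] for row in a]

def recover_coefficients(action, n=N2):
    """Solve for x_i mod n, then take the representative in (-n/2, n/2)."""
    xs = solve_mod(system_rows(), action, n)
    return [x - n if x > n // 2 else x for x in xs]

if __name__ == "__main__":
    secret = [17, -301, 250, -8]          # constructed, all |x_i| < N2/2
    print(recover_coefficients(torsion_action(secret)))
    # A coefficient outside the interval is lifted to the wrong integer.
    print(recover_coefficients(torsion_action([400, 0, 0, 0])))
```

The second call shows why the bound on the coefficients matters: a coefficient of 400 lies outside the interval for N2 = 729, so the centred lift returns a different integer in the same residue class.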