 Thanks for the introduction. And I'll be speaking about a new public key crypto system via Mercy Numbers. This is joint work with Antho and you, Anupan Prakash, and Mekhlo Santa. OK, so we started studying public key crypto back in 1976, starting with the breakthrough result of DeFi and Hellman. And there were several candidates over these four decades, let's say, about. But more recently, the focus has shifted a little bit to more advanced primitives. And although maybe public key crypto was a very important object of study, maybe in 70s or 80s. So I mean, this is evident from the fact that for lack of company, this talk was put in a session titled Various Topics. In this work, we propose a new public key crypto system that we believe is probably simpler than what was already known. And we also believe that it is secure against quantum attacks. And so this crypto system can be classified in this family, what we call the ring and noise family. So where you have a certain ring, I mean, the key generation algorithm starts with a certain ring, does some operation, then adds probably some small noise. So a lot of crypto systems can be classified in this class. For example, the NTRU crypto system, code-based crypto systems, learning with errors, base crypto systems, so many of them. But we are talking about a different ring here. So the ring that we'll be talking about is the ring of integers modulo, a Mercin prime. And the noise is also different. So the noise function would be hamming weight modulo, this prime. So what are Mercin primes? So these are primes of the form 2 to the N minus 1, where N is also a prime. So these prime numbers were first studied by Marine Mercin, who was a French mathematician. And this is where the name comes from. And he studied them back in the 17th century. And as I mentioned, the main advantage of our crypto system is going to be its simplicity. So I hope I'll be able to convince you during this talk that it's really simple. So again, so the ring would be the ring of integers modulo the Mercin prime, so the prime of the form 2 to the N minus 1. And by rp of x, I'll denote the representation of x in this ring, so it's an integer between 0 to P minus 1. And the hamming weight of x is the number of 1s in the binary representation of x modulo this prime. So modulo this prime, the binary representation has N bits. And hamming weight of x is the number of 1s in this representation. So some important properties before I get to the crypto system, here are some important properties of arithmetic modulo Mercin primes. So it would kind of justify why we are using Mercin primes. So first of all, the hamming weight of the sum of two integers x and y is upper bounded by the hamming weight of x plus the hamming weight of y. Notice that I'm talking about integer addition and not bitwise XOR, so we cannot really conclude this from the triangle inequality, but it is still fairly simple to argue this. We can think of it like basically adding strings of hamming weight one sequentially, so you can prove this by induction. And you can see as a simple example, when you add this one string of hamming weight one to this string, what you'll be doing is basically looking at the first zero. So first of all, you look at the corresponding one in this position and then you look at the first zero before this and then you replace the zero one one one by one zero zero zero. So the hamming weight would typically go down but it can go up by at most one when you do this operation because you're replacing some t minus one zero, t minus one ones and one zero by t minus one zeros and one one. So hamming weight is not going to increase by more than one. So by an induction, we can see that the hamming weight of x plus y is upper bounded by hamming weight of x plus hamming weight of y. The second property is that when you multiply x by a power of two, so x times two to the i, this is basically just a cyclic shift of x because we are doing it modulo two to the n minus one. So two to the n is congruent to one mod two to the n minus one and so two to the n plus i is congruent to two to the i mod two to the n minus one. So which means when you do x times two to the i it's just a cyclic shift of x. So hamming weight of x times two to the i is just the hamming weight of x. And combining these properties one and two, we get the third one, which is that the hamming weight of the product of two strings x and y is upper bounded by the product of the hamming weight of x and the hamming weight of y. And this is because just product can be, so product of hamming weight of x times y. So x times y can be just seen as x. I mean basically adding, let's say the hamming weight of y is some h. So we are adding eight cyclic shifts of y. So sorry, eight cyclic shifts of x. And so using the first property, we get that the hamming weight of x times y is upper bounded by hamming weight of x. Times hamming weight of y. And the fourth property is that when you take the negative of x, the hamming weight just becomes n minus hamming weight of x. To see this, notice that when you look at the binary representation of x and the binary representation of minus x, if you add them, so you will get an all one string because all one string is just two to the n minus one in binary representation. So it is just zero mod two to the n minus one. So basically minus x is just going to be the complement of x when you look at it as in binary representation. Okay, so to start with, I'll give a simple encryption scheme, which is just encrypting the string bit by bit. So we are going to just encrypt one bit. So p is the prime two to the n minus one, h is a parameter, which is going to be a bound on the hamming weight. So f and g are two numbers, mod p, with few ones in the binary representation. So they have small hamming weight. And then we take their ratio. So h is f divided by g, modulo p. So the public key is going to be h and the private key is going to be f comma g. And the hard problem that we are going to basically base our cryptosystem on is that given h, it is hard to obtain f and g. Notice that even though f and g have small hamming weight, when you take the ratio, this number would typically look very pseudo random. You will not be able to, it would be difficult to guess f and g from h. And this is the assumption that we are going to make that this is a hard problem. Okay, so here's the encryption scheme. As I said, the public key is h, the secret key is g. And f and g both contain h, at most h ones in the binary representation. So we want to encrypt a single bit. So to encrypt the bit zero, what we do is we take h and we take two small hamming weight strings, a and b, and we compute a times h plus b. To encrypt one, we do the negation. And then the decryption is simply, basically what we are going to do is we're going to multiply g to the ciphertext. And then it's either going to be plus a times f plus b times g or it's going to be minus of a times f plus b times g. And then what we do is we just check the hamming weight of this g times c. If it is small, then we decrypt to zero. If it is large, then we decrypt to one. So here's an explanation for the, sorry, so yeah, so here's the, here's a toy example. So notice that when we have, so the numbers are here written in hexadecimal form. So f and g have small hamming weight. And when we take the ratio, this number looks fairly random. And then the encryption, again, we are taking a and b to be small hamming weight. And then the ciphertext is this. When you multiply g, so this is quite random. I mean this, then you multiply g times c, then you get a low hamming weight string. So you get the hamming weight is small. It's less than half of the maximum hamming weight. So we conclude that the bit that we encrypted was zero. So what is the rational for this? What is the correctness argument? When you do g times a, a h plus b, which is a times f plus b times g, the hamming weight of this by our properties that we stated earlier is h times h plus h times, it is upper bounded by two times h square. So as long as two times h square is smaller than half of n, which means n is bigger than four times h square, we have that the hamming weight of this is less than n over two. And the hamming weight of the negation is larger than n over two. So this implies that we can decrypt correctly. Now, since this version basically just encrypts one bit at a time and so it's quite low, so we want to do something a bit faster, so we now give another version, which is encrypting multiple bits at the same time. Okay, so I'm going to change the public key and private key slightly. So we had h was f divided by g, which we can rewrite as f times minus one over h plus g equal to zero mod p. So this was a pseudo random string, we can think of it like f times r plus g is zero, where r is some pseudo random string that was the public key. And now we are going to have, instead of this big zero, we'll have two random strings r and t, two pseudo random strings r and t, which would satisfy that t is f times r plus g mod p. And r will in fact be uniformly random. All right, so then the encryption procedure is, so we now have the public key is r and t and the private key is f and g. So the encryption procedure, we just compute two numbers c one and c two, which are a times r plus b one and a times t plus b two, where a b one and b two are again small hamming weight numbers. And then for encrypting a message m, we use an error correction code e. So we encode the message as e of m and then we exhort it with c two. So finally the encryption of m is c one concatenated with z. And then the decryption algorithm, what it does is it computes f times c one. And if we ignore this small additional string, then f times c one basically looks like f times r, sorry, a times f times r, and so which is basically a times t if we ignore the small hamming weight additional noise. So what we hope is that this error correction code, the decoding procedure, when you exhort the c two prime with z, then you should get back m. I'll just justify this correctness in a moment. Okay, so here's the analysis of decryption. So c two was a times t plus b two, which is a times f times r plus ag plus b two if you do the calculation. And c two prime is f times c one, which is a times f times r plus b one f. So when you do the hamming weight of c two exerts c two prime, which was basically the error that we added to the message in the end. This is just hamming weight, hamming distance. So this is just using the triangle inequality. It's the hamming distance from c two to a times f r plus the hamming distance of c two prime with a times f r. And so just because these were small, these were strings of small hamming weight. So we conclude that this hamming weight as, so these two hamming distances are small. Actually you need to do a little bit of work to show this, but it works out. And then we can decode using the decoding procedure since this error is small. So we can decode using the decoding procedure. We flip, we flipped a few bits. We can decode to recover back the message. We can use different error correction codes for this, but I mean, we can, since this, since these strings were chosen randomly, so we can assume this, if you assume this heuristic, which we tested actually, that the error is well distributed, then this allows us to use this much simpler repetition code. So we can just repeat every bit of the message several times. And then, so that would be our error correction code. And then just do the majority decoding. Okay, so now, how do we get chosen Cypher text attack security? So we want to get this key encapsulation mechanism. Bob, so Bob won't, Bob has Alice's public key. He wants to use this encapsulation procedure to get a shared secret key. And to send a Cypher text to Alice, who using her secret key decapsulates it to get the shared secret key. So you wanna modify this such that if there is any active attack, so if there is an adversary who, let's say, sends its invalid Cypher text, then the decapsulation algorithm should output bottom. So this is what we want. And what we do is we start with a random seed, S, and we initialize a pseudo random generator using S. So this we can do using a random oracle, so assuming the random oracle model. And then we produce a pseudo random shared secret from this seed S. And we run the basic encryption procedure of S, where we, the randomness that we need for the encryption, which is A, B1, B2, is also generated from S. So the procedure is completely deterministic given the seed S. And then we output C1, Z. And the decapsulation procedure, it basically runs the same decryption algorithm that we earlier had with C1, Z. And then we obtain the seed S from the decapsulation and then we re-encapsulate from the seed. And we compare with the, with the encapsulate, with C1, Z. If we get the same answer, then we output the shared secret that we obtain from the seed, otherwise output bottom. So it, I mean in the random oracle model, we can show that this actually achieves CCA security. And the parameters that we recommend for this cryptosystem are, we choose N as 756839. So this is a Mercin prime. And the low hamming weight parameter, 8 is 256. And we encode 256 bits. So this is something that we implemented actually. So with two 348 repetition encoding, which means that each bit is repeated these many times. Okay, so to prove the security, we need a hardness assumption. So the hardness assumption that we are making is that this particular problem, if you look at two uniformly random strings, R1 and R2, and then you look at two low, three low hamming weight strings, A, B1 and B2, then you look at these four strings, R1, R2, AR1 plus B1 and AR2 plus B2. So these four strings look like a uniformly random tuple. So this is the assumption that we are making. What are the best known attacks for this? Well, the trivial one is, we can just try to guess one of F or G. So that takes time and choose age. And it's using some recent results. So this basically appeared after our first, after the first version of our paper came, went online. So this, the best classical attack runs in time. I mean, it takes time two to the two H times something. So it's at least, it's larger than two to the two H. And then, so you can just use Grover's algorithm to get a quantum algorithm which runs in time two to the H under some assumption. So that's the best attacks that we have so far. And since it's a pretty simple scheme, I mean, it's easy to understand. So the hope is that it would be easier to kind of look at cryptanalytic attacks for this one. And maybe since it, since in particular this assumption has a little bit of a similar flavor to LWE. So maybe attacks, if we get attacks for this one, maybe that gives us some ideas for learning with errors. And another direction for future work is of course, again, because it's simple, maybe we can come up with ideas to improve the efficiency without really compromising on the security. So that's all. Thank you very much.