 So our final talk will be on McLeese and Niederheider crypto systems that resist quantum Fourier sampling attacks by Hanging Christopher Moore and Alexander Russell. Hanging will be the speaker. Okay, so since I'm the last speaker I should be given extra time. And so this is a good news for cryptography, but it's also a bad news for quantum computing. And our work is on post-quantum cryptography. So we have known that almost all common crypto systems such as RSA, elliptical algrammas are broken by source algorithm for factorization and discrete logarithm. And this motivates the quest for post-quantum crypto system, which are classical crypto system that will remain secure even if and when quantum computers are built. And know that this is different from quantum cryptography, which require quantum facility. And so there has been a few candidates for post-quantum crypto system such as Lattice Bay Public Key Crypto System, a coal-based crypto system, which is the sub-breakup of this talk, and also has Bay's or multi-variate crypto system or even secret key crypto system. And as a birthday remark in 2009 that this system are believed to resist both classical computers and quantum computers. And one of the main reasons for this belief is that nobody has figured out how to apply source algorithm to break this system. And in this talk, we give the first rigorous evidence for the resistance of one of these candidates again, quantum attack. In particular, we show that some merciless and needle-rider system resist exactly the natural analog of source algorithm. So let's look at how source algorithm works. So we know that to break our RSA crypto system, we can reduce it to internal factorization. Then so reduce internal factorization to what we now call hidden subgroup problem and over a cyclic group. Then he just apply quantum Fourier sampling over the cyclic group. And similarly, to break Algamar or elliptical system, we can reduce it to discrete logarithm. Then source also reduce discrete logarithm to another hidden subgroup problem. But this time it's over a product of two identical cyclic group, which is also an abelian group. And then he's apply quantum Fourier sampling method over the product group to solve the given hidden subgroup problem. So the analog of source algorithm would be to reduce to the some hidden subgroup problem and apply quantum Fourier sampling. And so now let me go over what is the hidden subgroup problem? This is very important problem in quantum computing due to source algorithm. And so now given a finite group G, the hidden subgroup problem on G, we take a black box function as an input and this function is promised to distinguish the left coset of some hidden subgroup of the group G. What does that mean? That means that F is constant in each left coset, but this thing in different left cosets. In another word, if you consider the function as a way to give a color to each group element, then two elements have the same color if and only if they belong to the same left coset. And the task of this problem is to recover such a hidden group of G. And recall that in source algorithms, the group G are abelian, but there are also there are also other interesting problems that can be reduced to a hidden subgroup problem, but over non-abelian group which are more challenging to solve than in the abelian case. For example, the unique shortest vector problem in lattice can be reduced to the hidden subgroup problem over the dihedral group and another example is the graph isomorphism, which can be reduced to the hidden subgroup problem over the symmetric group where the hidden subgroup is very small. It's either trivial group or a group of other two. So now the quantum phrase sampling is a standard method to solve the hidden subgroup problem. And this is also the major paradigm to design quantum algorithms. And so in this method, we start with a uniform superposition over the group G. Then the first step is to apply the input function to obtain a random coset state. Here a coset state is a uniform superposition over the coset. And then we apply quantum Fourier transform that will turn the coset state into the block diagonal matrix where each block is its block belongs to an irreducible representation of the group G. Then we measure the left coset under some Fourier basic. And so there are two forms of quantum Fourier sampling here. In the weak form we only observe the irreducible representation. That is the block that it falls into. But in the strong form after we observe the irreducible representation, we also observe the matrix indices. But here we only focus on the column because measuring the the row just gives no information. It just gives a uniform distribution. Okay, so that's all for the materials on quantum computing. And now let's get back to the Merckles and Needle Rider crypto system. So in this system, the private keys consist of three matrices. The first one we call M, which is a K by N matrix over some few, some finite field that contains FQ. And the second one is a N by N permutation matrix, which is chosen at random. And the last one is K by K invertible matrix over the base field FQ, which is also chosen at random. Then the public matrix is the product of SMP. So here we use P to permute the columns of M, and we use S to scramble the row of M. So S can be called the scrambler. And let me clarify the difference between these two systems. In the Merckles system, the larger field, it's just equal to the base field. So L equal to 1, and M is the generator matrix of some linear code over the base field FQ, and it has length N and dimension K. But in the Needle Rider system, the larger field can be larger than the base field. And M is the parity check matrix of some linear code over the finite field FQ, and it also has length N. And we know that in terms of security, this Merckles system is equivalent to the, sorry, this Needle Rider system, is equivalent to the Merckles system that use the same code, as long as the dimension of the code is exactly equal to N minus LK. And in the original Merckles system, they use classical binary copper codes in which KQ is equal to 2. And in the Needle Rider system, the original system use the rational copper codes, which is the same as generalized Resolomon codes. So the securities of these two systems has draw great attention in the literature. Basically, there are two types of attacks on this system. The first time is decoding attacks. So you have seen one of such attacks in the previous talk, but this talk we focus on another time, which is attacks on the private key. That is to recover the the hidden SMP from the public matrix M star. And in general, the these two systems are still considered classically secure if they use the classical copper code. However, they could be broken if they use a rational copper code, because in those case, there was an efficient classical attack that can decompose at SMP into SNMP. So now we want to look at the quantum security of these two systems. And we want to consider the attack on the private keys that want to recover the hidden scrambler and the permutation. So here, we also assume that the attacker already know the hidden matrix M, and we call this a problem scrambler permutation problem. And that's a natural reduction from the scrambler permutation problem to the hidden subgroup problem. But over with product, this is really complicated non-abelian group. And in this case, the hidden subgroup is characterized by the column rank of the matrix M, and also by the automorphism group of the matrix M. And here the automorphism group of the matrix M is defined as the set of all permutation on the column of the matrix M that can fix M under some scrambler. And so the question is, can this hidden subgroup problem be solved by strong quantum food sampling? And so we give the answer that strong quantum food sampling just gives knowledgeable information about the hidden scrambler and permutation. If the matrix M is good, which means it has a large column rank, it's automorphism group is small and the minimal degree of its automorphism group is large. So here the minimal degree of the automorphism group is the minimal number of points that moved by a non-identity permutation in the automorphism group. Okay, so now the next question is we want to know if there are matrixes M that satisfy all of these conditions. And the answer is yes. And so we show that the matrix M of this form are the good ones. So in particular, in particular, these are the generator matrixes of rational copper codes over the large field and they are also the parity check matrix of some classical copper code, but over the over the subfield FQ. And so this implies that the Merckley system with rational copper code and the needle writer system with classical copper code are proven to be, to resist the natural analogue of source of quantum food sampling attack. And in general, any Merckley's or needle writer system that use a linear code with good matrix, a good generator or parity check matrix also resist the natural analogue of source algorithm. And but know that this result neither rules out are the quantum or classical attack, nor it violates any harness assumption. So, but the moral here is that while quantum computing has been proven to be so powerful that it can break the RSA and Algama, but it's still not strong enough to break the private key of the Merckley's and needle writer system. And so this indicates that in order to break these two systems by quantum computers, the attacker needs new ideas. And so that's all for the talk. I think that's also the open question that followed the talk. And so, so the first natural question is if you want to know if there are linear codes that possess good generator matrix or parity check matrix and the other top for question is to know if this system also resist stronger quantum attack such as the multi-register quantum food sampling attack. And we know that Holgren at all in 2006 has shown some related result, which showed that the subgroup of order to also require highly entangled measurement of medical set state. And now we want to know if this result also holds for the subgroup of order larger than two, because in the case of Merckley's and needle writer system, the size of the subgroup can be much larger. So now this is the real the end of the talk. So we have time for questions. So let's thank the speaker again.