 Welcome to this quick introduction of SRDH proof of knowledge, which is joint work with Luca DeFave, Stephen Galbraith, and Luca Sturberman. So our setting is that we've got an isogenic, a secret isogenic, from one elliptic curve E0 to a second elliptic curve P1. So the isogenic here is our secret key, and the two curves we can reveal publicly and it's assumed that it's difficult to compute the secret key given only those two curves. The natural question then arising is that how do you prove knowledge of such an isogenic if you're only going to give out the two curves? And this has natural applications in signatures, distributed key generation, to prevent adaptive attacks and so on. The original SRDH paper actually included an elegant identification scheme, which looks like this. We've got our secret isogenic phi, we pick a ephemeral psi to a different elliptic curve E2, and then we complete what's called an SRDH square, where we are essentially doing a key exchange with ourselves. And we've both, both these parts commute and arrive at the same elliptic curve E3. We commit to E2 and E3, and then we receive a single bit challenge. Challenge equals zero, we provide the two vertical sides of the square, which are ephemeral and shouldn't reveal anything about the secret. And challenge equals one, we reveal the bottom isogenic here, which again shouldn't reveal anything about a secret, because there's no way to bring this information back to E0. The extractor that's proposed in the original proof of soundness scheme essentially assumes that you can pull back this phi prime from the bottom along the dual of psi to E0 to recover the isogenic phi from E0 to E1. Unfortunately, though, we show in our paper that this proof isn't actually valid with a simple counter example. So we'll start with a random walk from E0 to a curve we'll call E2, we'll take another random walk to another curve E3, followed by a third random walk to a curve E1. So now we're going to give out E1 as our public key and claim that we know an isogenic from E0 to E1. We can answer both challenges here because we've got vertical sides, we've got the horizontal side along the bottom, but will there actually even exist such a phi? Probably not, we've just taken quite a large degree walk. So we probably won't actually have any isogenic of the correct degree between E0 and E1. There's independent work that's also demonstrated other soundness issues for this scheme. In our paper, we also demonstrate that the proof of urbanic and joule suffers from similar soundness issues. So our initial goal was to fix these and propose a secure scheme for proving knowledge of an ESIDH secret key. Unfortunately, as most people here already probably know, there have been some pretty significant attacks on ESIDH since this work was submitted. And so given a ESIDH public key, including the two torsion points, it's actually possible to now recover the secret key in polynomial time, which makes some of our scheme that we propose in our work not as useful as they probably once were. But we will talk about that in our presentation. So we've actually proposed two schemes in our paper. The first is a zero-knowledge proof of knowledge of an isogenic fixed degree, L to the E, some smooth degree isogenic between two curves. It uses ternary challenges and actually doesn't include any information about the two torsion points in ESIDH. It's just knowledge of an isogenic between two curves. So this scheme is actually completely unaffected by the attacks on ESIDH. Our second scheme, though, was designed to prove correctness of the torsion points in an ESIDH key to prevent attacks like the GPST attack. So unfortunately, because this scheme requires giving out torsion points, the polynomial time key recovery attack does apply to this protocol. However, there have been variants of ESIDH proposed since the attacks, hiding the degree or the action on the torsion basis. So it's likely that our second protocol can still be adapted to prove non-trivial statements about ESIDH variants' keys. So we look forward to having you come to our presentation and giving more information about our protocols and the uses thereof. Thank you very much.