 So let me run this presentation about the initial symbol and the model to operate in CMATIS games over primitives. The motivation of this work requires a design of CMATIS communities over primitives that are efficient in the third application, like a multi-party computation, full-in-off equation, or zero-nation. Now depending on the application we target, we need a different CMATIS community, like for example, in some cases we have a function, in some cases we have a software, or in some cases we have an image function. However, all these applications have some things in common, in particular the fact that this application usually works over primitives, where P is a large prime integer. So using these for the two-rebar model and two-rebar model, one out of the three-physics is quite a bit bigger. Now to the size of this prime, the only area of the CMATIS community that we design for being efficient in this application cannot be pre-contributed and stored as look-up tables. These are quite different from traditional schemes, like a gas or gas rocket, in such case the S-box is usually fine over a small binary feed, like over 8 feet or 5 feet, so the S-box can be potentially pre-contributed as look-up tables. Here it's very easy to understand that, till the size of the prime, this absolutely is not possible. This means that the CMATIS community designed for this kind of application, in particular the only area of the CMATIS community has a simple algebraic expression, must have a simple algebraic expression, because the non-linear layer must be complete, on the file. For example, in many cases these non-linear layers are just polymers. Now in this paper, we consider that it is possible to set up a permutation over a prime feed, which are defined in a real-action symbol or demolute to paragraph. And besides presenting many permutations over a prime feed defined in this way, we also realize the security of CMATIS community that are instantiated via such non-linear layer. In particular, we propose a generic attack on a CMATIS community whose non-linear layer is defined in a real-action symbol and what it will do later. And we propose a complete attack, a complete brainage attack on this function in Raleigh, which has been recently proposed on event. So the first part of this presentation, in this first part of this presentation, I'm going to present several permutations that we proposed in the paper that are set up in a real-action symbol or demolute to paragraph. And in the second part of this presentation, I'm going to present a part that I just mentioned. First of all, let me recall what the real-action symbol is. So we have, so we have b that is a prime integer, we assume that b is at least 3. The real-action symbol is that it's defined as a function from fb into minus 1, 0 or 1. So fb is the, the v's of integer will be. And the real-action symbol is drawn at 0, which is equal to 0. And that is minus 1 if the e-button is a non-quadratical symbol, modulo p. So if x is equal to 0, it's equal to the square for each z in fb. And that is 1 if the input is a quadratical symbol, modulo p. So it means that it is the y such that x is equal to y square. The real-action symbol can also be defined as a power map where the exponent is b minus 1, 0. Now the real-action symbol has many properties. I just recall a few of them. First of all, if we have x and y which are equal to modulo p, then the real-action symbol of x is equal to the real-action symbol of y. And second and most important for the following, the real-action symbol of the product is equal to the power map of the real-action symbol. Now the first function that we're going to present is this one. We have x input and the function return x to the power of d times alpha plus the real-action symbol of x. It is possible to prove that this function is invertible if these two assumptions are satisfied. So first of all, d is a positive integer which is co-prime with b minus 1. Second, alpha square minus 1 is a product irreceivable modulo p which also means that the real-action symbol of alpha minus 1 is equal to the real-action symbol of alpha plus 1. Just to give an example, if b is equal to 1 modulo 4 we can just fix alpha equal to 0. Now, why this function is invertible? Well, let's say that y is the output of this function. It's easy to know that y is equal to 0 even though if the input is equal to 0. If this is not the case, let's compute the real-action symbol of the output. Now, when you see the properties of the real-action symbol, the real-action symbol of the product is equal to the product of the real-action symbol. Now, b is an integer, so the real-action symbol of x to the power of t is just equal to the real-action symbol of x. Here we have the real-action symbol of alpha plus the real-action symbol of x. If x is equal to x times 0, this quantity is either minus 1 or 1, but we don't care because by assumption the real-action symbol of alpha minus 1 is equal to the real-action symbol of alpha plus 1. Now, we can easily invert this function. So the inverse is given by this expression, where the power map is invertible due to this condition. Okay, so I just say that if alpha is equal to 0, then this permutation is invertible, only in the case in which b is equal to 1, model 4. We can miss this function always invertible by changing the function on e. So this function is seen as before, but now the invertible is guaranteed if this condition is satisfied. So d plus p minus 1 alpha is co-prime with p minus 1. The reason is very simple. Okay, this function is just a power map with this exponent and the e-value of this power map is guaranteed by this condition. Now this function has been proposed for granted, so we are going to study this new formula. At the moment, I just would like to, I like this result that we are proving in the paper. So if p is equal to 1, model 4, then d is always equal to d prime, where d prime is just a positive integer that is co-prime with p minus 1. And this basically follows from this result. If p is equal to 3, model 4, then d is equal to 2 times d prime, where d prime is co-prime with p minus 1. So if p is equal to 1, model 4, then d is always an integer. If p is equal to 3, model 4, then d is always an integer. If you want to guarantee that this function is invertible. Now another function that we propose in the paper is this one. So basically it is a power map, but where the exponent depends on the initial symbol of the e-book. So this function returns 0 if the e-book is equal to 0. It returns x to the power of d plus if the initial symbol of the e-book is equal to 1. And it returns x to the power of d minus if the initial symbol of the e-book is equal to minus 1. This is the algebraic version of this function. And it's very easy to prove that this function is invertible if p plus and d minus are co-prime with p minus 1. The reason it's very simple is that the equation symbol of the e-book is invertible if this equation is not satisfied. Now this function makes sense if p plus is different from d minus. But in such a case, this function can be worth an asymmetric. It can be potentially broken in the section or for the task. And the reason is that depending on the e-book, we are going to compute two different power maps with a different cost. So depending on the cost, we can recover some information about the e-book. Now in the paper we propose other functions that are set up using the initial symbol. So if you are interested, I refer to the paper. We also study the statistical and the algebraic properties of all the functions that we propose in the paper. So I just would like to recall some of these properties for the function that I just proposed. So in this table we have the function that I just mentioned, the condition for the inverted p. Some consideration about the maximum differential for a median, some consideration about the algebraic properties. So let's start with the algebraic properties. The algebraic properties always refer to the polynomial representation of the function. And in all these cases we have that the polynomial representation is first and that the degree of the function is i. It's p minus 1 of plus something. The reason of this is very simple. The initial symbol is a power map. So we can immediately reduce that the polynomial representation is first and the degree is related to the degree of the initial symbol. What about the statistical properties? In this case we have to arise two cases. So let's take this function or any of these three functions and let's fix the differential symbol or let's remove the differential symbol. If the degree of the obtained function is p is 2, then the maximum differential for a median is a constant divided by p. And since p is very large, this means that we have a good maximum differential for a median. If the degree of the obtained function is 1, then the maximum differential for a median is 1 half. And we expect that because for example in this case we have something that is basically linear function. So this is a review for the statistical and the algebraic properties for the function set up in the differential symbol. You guys now consider some permutations set up in the model 2 period. The first one that I'm going to present is very simple, but I think it's very elegant. I think everyone knows that this square map is not a relatively simple model p because x square is equal to minus x to the power of 2. However, we can easily, we can slightly modify this function in order to get something that is invertible. And then it is very simple. If x, if the input is equal to 0, model 2 then we are at x square. If x is equal to 1, model 2 then we are at alpha times x square, where alpha is a number that we consider model p. So the rotation symbol of alpha is equal to minus 1. So the function is x square times alpha to the power of x, model 2. So in this way we get a function that is invertible. Now, I'm going to show why this function is invertible. I think it's quite an interesting example. And in order to do this, we prove that the function is injective. So if f of x is equal to f of y, this implies x is equal to y. Now, we work with a finite phase, so injective implies that the function is injective, so we get invertible. So first of all, we know that the input is equal to 0, even though if the input is equal to 0. So from now on, I assume that the input of this function is different from 0. And now, let's consider this case. Now, let's assume that f of x is equal to alpha times x square, and f of y is equal to y square. So this happens if x is equal to 1, model 2, and y is equal to 0, model 2. But now, this is to assert that this equality narrows, because on the right-hand side we have a square model p, and on the left-hand side we have a number that we consider model p. Remember that alpha is a number that we consider. So this situation can never occur. And this means that if f of x is equal to alpha y, then x model 2 is equal to y model 2. Now, let's denote z, this model, which is either 0 or 1, doesn't make any difference. So f of x is equal to f of y, implies this equality. So alpha to the power of z times x square is equal to alpha to the power of z times y square, which means that x is equal to plus or minus y. But now, if x is equal to 0, model p, model 2, then minus x, which is equal to p minus x, is equal to 1, model 2. Again, this is not possible because this equality implies that x model 2 is equal to 1, model 2. And so this implies that the function is effective and so on. Now, what about the h-by properties of this function? Well, in the paper, we prove that the linear representation of this function is given by this polynomial, where we have this function that is not function, so you can observe that the exponents are just all integer, plus a single monomial of degree 2, where the coefficient of this monomial is 1 plus alpha divided by 2. Now, as you can observe, this function can be potentially dense and could be of maximum degree. So we consider several values of alpha and we try to evaluate the density of this function for these different values of alpha. For example, this is an example for alpha equal to minus 1. So this density is sufficient, this is equal to 0, so we have another function. Here we have several values of p that we test, and here we have the number of monomials. So in blue, we have the expected number of monomials for another function, and in red, the real number, the complete number of monomials of this function. And this, as you can observe, the two lines are very close, and by accident we checked that the function is basically always of maximum degree. So the difficulties of this function are quite nice. But let's analyze this case alpha equal to minus 1 in what it is. So in this case, the function is invertible if p is equal to 3 mod 4, and recently said we need that minus 1 is a non-parallel theory of mod p. So in this case, we have the function minus 1 to the power of x mod 2 times x square. But what I want to emphasize is that in this particular case, we don't have to complete the mod 2 operator. So this function is just minus 1 to the power of x times x square. And this different representation could be easier to compute in some applications. Moreover, if we slightly change this function, we are something that is always invertible. So if you consider the function minus 1 to the power of x square times x, then this function is always invertible. And the reason is very simple. You just take the output of this function, the square of this output is equal to the square of the input, which means that x is equal to minus 1 to the power of y square times y. And again, we can slightly define this function. For example, we can start this function, so minus 1 to the power of x square times x to the power of d, which is invertible if d is 4 prime with 3 minus 1. As before, let us have a quick look about the underlying and statistical properties of this function. In this case, if you consider the energy of the properties, we have that all these three functions are tensed and using a maximum degree. So with respect to the functions that we have here, we have that energy of properties because in this case, the functions are tensed. But I remember that in the last case, the functions were sparse. Regarding the maximum differential probability, we have seen the result before. If we are going to replace the model 2 operator, then if the resulting function is every one, then the maximum differential probability is basically one. If the equation is at least two, then the maximum differential probability is a constant divided by p, where again, this p is very large. So in general, we get those good statistical properties. So we have several permutations over at p, which have good statistical properties and good algebraic properties. So we can see that if we set up as many permutations, we can see that if we want these permutations, we could achieve good security. Over at p is a problem, and if I follow it, the number of possible values of the equation symbol for the model 2 operator is very, very small compared to the size of p. For example, the equation symbol returns just free output minus 1, 0, 1, which basically is just minus 1 and 1 because theorem occurs in it on your equation with theorem. And the model 2 operator is just 0 or 1. So we have to output from there to p possible e, but where on p is very large. So how can we potentially break primitive set up with this function? Well, the idea is to fix all the equation symbol and the model 2 operator. If the algebraic representation of the scheme is low degree, we can potentially try to break this in the algebraic complex. In more details, let's consider a symmetry primitive, which could be a Cypher, a pf, an h function, or whatever. We think it's all possible to change symbol and the model 2 function and we construct a system of equation for such fixed values. In the system of equation, the variable could be, for example, the key for the Cypher, could be the equation for the h function or whatever. If the system of equation is low degree, we can potentially try to solve it via some h product techniques, like for example, optimization, internal basis, or group binding technique. And given the solution, we check if the final solution satisfies the system or the model 2 function that we fix in the first table. If this is the case, then we find the solution of the system. So we find, for example, the key for the equation match, depending on the equation view. If not, we just repeat the present. So that's it, yeah. And let's have a concrete example of this factor and the example that we'd like to write it, that we consider, the variable is pranay. Pranay is a sponge-esh function, which is instantiated via an interactive implementation over FB2DAN, where the function is defined in its way. So we have constant addition. The linear layer is defined as the modification via the NPS matrix. And the FB2DAN is defined as a product between x to the power of d and the initial symbol of the input. The variable at d must be chosen such that this function is a variable. So in this case, we would think of all the initial symbol. We consider the system of equation that creates input of the hash with the output of the hash, and we try to solve this system of equation if the solution satisfies all the initial symbol that we form, our brainage. Now in one particular case, we have an hash value in FB, and we look for our brainage of this form. So x will get related with x prime, where x prime is 6. So the system of equation is actually just one equation in one variable that links the input with the output of the sponge. For solving this equation, we can just use a work-finding approach whose host is proportional to the degree of the equation that we want to solve. And in such a case, the degree of the equation is c to the power of r, where r is the number of rounds, and d is the degree of the defined source. So this is one in the d. So before presenting, our side would like to point out that a single attack strategy has been proposed by a current designer. But there is a difference. In our case, we possibly have a single equation that links the input and the output. So we have a single variable, a single equation, but in general, my brain. In case of the designer, they work over a round level, which means they have many equations, they have many variables, but each one of these equations is really clean. So in such a case, you are forced to use, for example, a generalized approach, which is, as you can see, a more expensive, even if all these equations are loaded equally. So let's have a look at our completed side. So let's consider the planning. The target is the security level of 128 p. And where p is to the power of 256 p. These are different instances of predict. So p is the equivalent of the S-box, for example, 2, 3, 5, and so on. And n is the number of words that compose the state. This is the number of rounds proposed by the designer already with the security matching. And these are the number of rounds that we are able to attack using the attack that we just proposed. And this is our accommodation for the number of rounds with the same security matching proposed by the designer. This number of rounds includes both the attack that we proposed here and some other observation that we made in the data regarding the S-box. So as you can observe, if t and n are large, then we can break quite many more rounds than the ones proposed by the designer. For example, if t is equal to 2 and n is equal to 12, then we can just break one round. But if t is equal to 5 and n is equal to 8, we can break four more rounds by the insurance six. And so here you can see that the remaining number of rounds, in some cases, they have an increment of 100% or even more. Okay, so to summarize, in this paper, we proposed a certain presentation where we applied this with a simple, algebraic expression that has set up the integration of new bold and about the dual operator. Just to point out that these dual operators are not defined by the private feed. So the private feed allows for new idea, new direction of research. So I think it's a really interesting approach. The result of our analysis is shown that, yeah, so we can set up new functions using approach that are not possible over binding, but we should be careful when using such functions because new attacks are also possible. So this is interesting, I think. And then finally, we would like to leave an open problem for future research. So in this paper, we just proposed several lines of notation and because of the security of our theme, we succeeded with this presentation set up with additional symbol or new dual operator. But we actually never considered the efficiency of these functions or of a primitive setup with essentially one of the functions proposed in this paper. So as an open problem, this would be really interesting if such as the medic committee could be combated in multi-part computation or zero-managed applications. That's all from my side. Thank you very much for your attention and I hope to see you in the next.