Hello everyone, my name is Zhang Xiaohan. I'm one of the co-authors of the paper. The paper is joint work with Qin Yue, Dr. Cheng, Dr. Pan, Dr. Hu and Dr. Ding. Our presentation includes six parts.

First of all, we'd like to introduce some background to our work. As we know, the migration to PQC has begun. In October 2021, NIST and the Department of Homeland Security created a migration roadmap preparing for the transition to PQC, and the process is expected to be completed in 2030. The current PQC standardization process has reached the third round. Among the finalists, lattice-based KEMs have drawn significant attention, and on the third-round list there are still five out of nine candidates that are lattice-based KEMs.

Next, we introduce the security assumptions of these KEMs. We can roughly divide the security assumptions of lattice-based KEMs into two categories. The first is the LWE variant, including FrodoKEM, NewHope, Kyber and Saber, whose security assumptions are the LWE problem, the RLWE problem, the MLWE problem and the MLWR problem respectively. The second category is the NTRU variant, including NTRU and NTRU Prime; both of them are based on the NTRU assumption.

For lattice-based KEMs, there are two flavors, IND-CPA and IND-CCA. The IND-CPA version can be transformed into the IND-CCA version using an FO transform, and the IND-CPA version does not resist key reuse. So we want to ask a question: what will happen if keys are reused in these KEMs? This is one of the goals of the research in our paper, that is, to evaluate the key reuse resilience of these candidates in a misuse situation. Secondly, to improve efficiency, there are many authenticated key exchange protocols using the CPA version without the FO transform. Finally, side-channel information can be used to mount chosen-ciphertext attacks against CCA-secure ones. So the related research focusing on CPA-secure KEMs against key reuse attacks is important and has been actively studied.
In 2015, Kirkwood et al. proposed the method of key reuse attacks, and 2018 was a key year: Ding et al. proposed the idea of key mismatch attacks. After that, there have been many key mismatch attacks on lattice-based KEMs. But there is still an open problem: can we find a unified method to evaluate the key reuse resilience of these candidates against key mismatch attacks?

To answer this question, we first introduce our attack model in the following part. Before that, we recall the Diffie-Hellman key exchange protocol. The two parties in the communication jointly generate the same session key, K_A is equal to K_B, and the structure is symmetric. But in lattice-based DH-like key exchange, the key agreement uses a reconciliation mechanism, which means that one party needs to send additional information to help the other party agree on the same session key. Based on this understanding of the difference between the Diffie-Hellman protocol and the lattice-based DH-like key exchange protocol, we describe a framework of CPA-secure KEMs. Firstly, Bob sends a request to Alice, and Alice generates a public key P_A and a secret key s_A. Next, she sends the public key P_A to Bob, and Bob generates a shared key K_B. Bob also generates a public key P_B and a ciphertext c̄, and finally sends the public key P_B and the ciphertext c̄ to Alice. We notice that c̄ is the additional information we mentioned earlier. Finally, in Alice's decryption part, she uses the secret key s_A to decrypt the ciphertext c̄ and gets the same session key K_A.

After that, we introduce our attack model. The adversary impersonates Bob and sends a request to Alice, and Alice's key generation part behaves normally. We notice that in Alice's key generation part the public key P_A and the secret key s_A are reused. Next, she sends her public key P_A to the adversary.
The adversary generates a shared key K_B, and deliberately sets the public key P_B and the ciphertext c̄ instead of generating them randomly. Finally, he sends the public key P_B, the ciphertext c̄ and the shared key K_B together to Alice. The oracle simulates Alice's decryption part: it gets the shared key K_B and returns 1 or 0 to the adversary by comparing whether K_A is equal to K_B or not. The adversary repeats the process until he collects enough information to recover Alice's secret key. In key mismatch attacks, the precondition of the attack is that Alice's secret key and public key are reused, and the adversary wants to recover Alice's secret key by comparing whether the shared keys match or not: if K_A is equal to K_B, it is a match, otherwise a mismatch.

In the following part, we introduce our basic idea. Now we can answer the previous question: yes. In the remaining parts, we describe our method in detail. Firstly, we introduce some notation. Recall that the adversary recovers Alice's secret key one coefficient block at a time, where one coefficient block is either one coefficient or several coefficients of the secret key s_A. We introduce two sets. The set S includes all possible values for one coefficient block, and the corresponding probability set is {p_0, ..., p_{n-1}}, in descending order, with the sum of the p_i equal to 1. Next, in our attack, we notice that the adversary selects parameters and accesses the oracle, and finally collects a series of 0 and 1 values. The adversary wants to know how to recover the secret key s_A with the fewest number of queries. The problem can be transformed into a coding problem, which is practically solved by constructing a binary recovery tree, and we can use the formula at the top of the slide to calculate the average number of queries. But there are many binary recovery trees in practical attacks,
and we need to find an optimal binary recovery tree, which we can construct using Huffman coding. So our basic idea is to use Huffman coding to get the lower bound of the average number of queries, that is, the minimum.

Next, we introduce Huffman coding. The basic idea of Huffman coding is to combine the two symbols with the lowest probabilities in each step. We give an example: assume the set S is equal to {0, 1, -1, 2, -2}, and its corresponding probability set is on the right side. In the first step we need to find the two nodes with the lowest probabilities, that is, 2 and -2, and we get a new node whose probability is 0.125. In the second step we combine the new node with node -1, and we get another new node. By repeating the process we can construct a Huffman tree and the Huffman code.

We propose Theorem 1 to prove the lower bound mentioned previously. The Shannon entropy and the Kraft inequality are used in the proof, and from our perspective we can use the property of Huffman coding to get it. Next, we give an example to illustrate our lower bound for Kyber1024. In Kyber1024 the secret key s_A is sampled from a centered binomial distribution, and the range of the secret key s_A is from -2 to 2. We get the minimum average number of queries per coefficient equal to 2.125 and the Shannon entropy equal to 2.03, which is consistent with Theorem 1, and we get the lower bound for Kyber1024 equal to 2,176. The detailed procedure for constructing the Huffman tree for Kyber1024 is in the figure; we can summarize it in one sentence: in each step, we select the two nodes with the lowest probabilities and merge them. Using Huffman coding we can get the lower bounds for the other KEMs, and we list the detailed results in the table.

In the fourth part we propose our improved practical attacks. We notice that for some schemes there is still a huge gap between the existing attacks and the lower bounds, such as LightSaber and Frodo-640.
The gaps are 31.05% and 72.19% respectively. In the following part we show how to use the Huffman tree to improve these attacks. Our improved practical attack is based on the Huffman tree and includes two phases. In phase 1, the pre-computation phase, we construct a binary recovery tree. In the recovery phase, we determine the secret key according to the binary tree.

In the pre-computation phase we want to construct the binary tree. The relationship between our attack model and the binary recovery tree is shown in the figure. The leaf nodes store all the possible secret key values, and the non-leaf nodes store the attack parameters that the adversary uses to access the oracle. For each non-leaf node, if the oracle returns 1, it corresponds to the left subtree of the current node; otherwise it corresponds to the right subtree. The detailed process of this phase is on the slide. The second phase is the recovery phase. The adversary starts from the root of the binary recovery tree, selects the parameters in the node and accesses the oracle. If the oracle returns 1, he continues with the left subtree; otherwise he continues with the right subtree. He repeats the process until the current node is a leaf node, and finally he determines the secret key stored in that leaf. The detailed process of this phase is also on the slide.

Next, we give two examples to illustrate our method. Example one is on Kyber1024. In phase one, the pre-computation phase, the adversary sets three parameters m, P_B and c_2; all of them are equal to 0 except for the first position: m_0 is equal to 1, P_B,0 is equal to q/32 after rounding, and c_2,0 is equal to h. The adversary selects different h according to the table, and he can construct the binary recovery tree on the right. We give an example to illustrate the relationship between the table and the recovery tree.
If s_0 is equal to 1, the adversary first selects a value of h and the oracle returns 0; he continues to select h equal to 9 and the oracle returns 0 again; next he selects h equal to 10 and the oracle returns 1; finally the adversary can determine that s_0 is equal to 1. The other positions of the secret key s_A are recovered similarly. Using the method on the Kyber KEMs we get the results in the table, and as you can see, the success rate of our method is 100%.

Next, we give an example on NewHope1024. Our main idea is constructing a nearly optimal binary recovery tree which satisfies the property that for each non-leaf node the probabilities of the left subtree and the right subtree should be as equal as possible, and the relationship between the oracle's return value and the left or right subtree is the same as in the Huffman tree. We apply our attack to the NewHope KEMs and get the results in the table: the gaps between our improved attacks and the lower bounds are 1.69% and 5.86% respectively.

In the following part we introduce our improved side-channel attacks against IND-CCA KEMs. Firstly, we introduce the work of Ravi et al. At CHES 2020, Ravi et al. proposed a generic side-channel attack on CCA-secure KEMs. In CCA-secure KEMs, the FO transform can reject malicious ciphertexts through the re-encryption mechanism, so our method cannot directly work on them, but Ravi et al. can use side-channel information to bypass the FO transform, which makes it possible to attack CCA-secure KEMs. Ravi's attack consists of two stages. In Stage 1 they generate two template classes, Γ0 and Γ1, corresponding to the failure and the success of the decryption part of the CCA-secure KEM. In Stage 2 they collect a waveform W and distinguish which class W belongs to. We can see that Γ0 is consistent with a mismatch and Γ1 is consistent with a match, so the principle of their attack is the same as our proposed mismatch attack, and we can use our method with the help of side-channel attacks to directly improve their work. We give an example on Kyber512. The first figure is our experimental equipment, and the second figure shows the leakage for Kyber512 during Stage 2, the template matching stage. With our improved side-channel attacks against IND-CCA KEMs we get the results in the table: on Kyber512 we reduce the number of queries by 48.79%, and for NewHope we reduce the number of queries by 76.1% and 88.06% respectively.

In the final part we illustrate part of the experiments. Our experimental environment is shown on the slide, and our code is available at the link. In the table we list our improved attacks on the lattice-based KEMs; we highlight two schemes and list the existing attacks alongside for comparison. For Frodo-640 and LightSaber we reduce the number of queries by 71.99% and 27.93% respectively.

Finally, we conclude our work. First, we get lower bounds for lattice-based KEMs, and we propose our binary recovery tree method to optimize the key mismatch attacks against IND-CPA secure KEMs. Furthermore, we use our method with the help of side-channel attacks to optimize the side-channel attacks against IND-CCA secure KEMs. Here are some references in our presentation. That's all, thank you.
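The Huffman lower bound from the third part of the talk and the binary-recovery-tree recovery phase from the fourth part, carried through as one added worked example. This is editor-written code, not the paper's or the authors' code. It assumes a simplified oracle: instead of the real key mismatch oracle that compares K_A with K_B, each query is modelled as a set-membership test, i.e. the adversary is assumed to have chosen P_B, c̄ and K_B at each non-leaf node so that "match" means the coefficient lies in that node's left subtree (the scheme-specific parameter choice, such as the h values for Kyber1024, is not implemented). With the Kyber1024 distribution (centered binomial, coefficients in -2..2, n = 1024) it reproduces the talk's 2.125 queries per coefficient, Shannon entropy 2.03 and lower bound 2,176; the functions also work for any other eta and block size.

```python
"""Huffman lower bound and binary recovery tree for key mismatch attacks.

Added example, not the paper's code. A coefficient block of s_A is a symbol
with known probability; the Huffman tree over those probabilities is the
optimal binary recovery tree, and a leaf's depth is the queries needed to reach it.
Assumption: the key mismatch oracle (1 iff K_A == K_B) is modelled as a
set-membership oracle, i.e. the adversary is assumed to have chosen P_B, c-bar
and K_B at each node so that "match" means the coefficient is in the left subtree.
"""
import heapq
import math
import random
from fractions import Fraction
from math import comb

def centered_binomial(eta):
    """P[x], x in -eta..eta, for the difference of two Binomial(eta, 1/2) samples."""
    return {x: Fraction(comb(2 * eta, eta + x), 4 ** eta) for x in range(-eta, eta + 1)}

class Node:
    def __init__(self, prob, symbol=None, left=None, right=None):
        self.prob, self.symbol, self.left, self.right = prob, symbol, left, right

    def is_leaf(self):
        return self.symbol is not None  # symbol 0 is a valid leaf

def huffman_tree(probs):
    """Huffman's algorithm: repeatedly merge the two lowest-probability nodes."""
    heap, counter = [], 0  # counter breaks ties so heapq never compares Nodes
    for sym, p in sorted(probs.items(), key=lambda kv: (-kv[1], kv[0])):
        heap.append((p, counter, Node(p, symbol=sym)))
        counter += 1
    heapq.heapify(heap)
    while len(heap) > 1:
        p1, _, a = heapq.heappop(heap)
        p2, _, b = heapq.heappop(heap)
        heapq.heappush(heap, (p1 + p2, counter, Node(p1 + p2, left=a, right=b)))
        counter += 1
    return heap[0][2]

def code_lengths(root):
    """Leaf depths: queries needed to pin down each possible coefficient value."""
    lengths, stack = {}, [(root, 0)]
    while stack:
        node, depth = stack.pop()
        if node.is_leaf():
            lengths[node.symbol] = depth
        else:
            stack.extend([(node.left, depth + 1), (node.right, depth + 1)])
    return lengths

def leaf_symbols(node):
    """Set of coefficient values below a node: what one oracle query tests."""
    if node.is_leaf():
        return {node.symbol}
    return leaf_symbols(node.left) | leaf_symbols(node.right)

def average_queries(probs, lengths):
    """Expected queries per block, sum_i p_i * l_i (the formula from the talk)."""
    return sum(probs[s] * lengths[s] for s in probs)

def shannon_entropy(probs):
    return -sum(float(p) * math.log2(float(p)) for p in probs.values() if p)

def lower_bound(probs, n):
    """Minimum average queries to recover n coefficient blocks of s_A."""
    return n * average_queries(probs, code_lengths(huffman_tree(probs)))

def recover_coefficient(root, oracle):
    """Recovery phase: from the root, go left on 1 (match), right on 0 (mismatch)."""
    node, queries = root, 0
    while not node.is_leaf():
        queries += 1
        node = node.left if oracle(leaf_symbols(node.left)) == 1 else node.right
    return node.symbol, queries

def recover_secret(root, secret):
    """Recover every coefficient of a constructed secret, counting oracle calls."""
    recovered, total = [], 0
    for coeff in secret:
        oracle = lambda subset, c=coeff: 1 if c in subset else 0  # see module docstring
        value, queries = recover_coefficient(root, oracle)
        recovered.append(value)
        total += queries
    return recovered, total

if __name__ == "__main__":
    probs = centered_binomial(2)  # Kyber1024: eta = 2, coefficients in -2..2
    root = huffman_tree(probs)
    lengths = code_lengths(root)
    print("code lengths:", lengths)
    print("average queries per coefficient:", average_queries(probs, lengths))  # 17/8
    print("Shannon entropy:", round(shannon_entropy(probs), 4))  # 2.0306
    print("lower bound for n = 1024:", lower_bound(probs, 1024))  # 2176
    secret = random.Random(1).choices(list(probs), [float(p) for p in probs.values()], k=1024)
    recovered, total = recover_secret(root, secret)
    print("recovered correctly:", recovered == secret, "total queries:", total)
```

Run it as a script to see the Huffman code lengths (the ±2 coefficients sit one level deeper than 0 and ±1, which is exactly the extra query the talk's table pays for them), the average of 17/8 = 2.125 queries per coefficient, the entropy 2.03 that bounds it from below as in Theorem 1, and a full recovery of a constructed 1024-coefficient secret. Passing a different eta to `centered_binomial`, or a different probability dictionary for a multi-coefficient block, gives the lower bound for other parameter sets with the same code.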