 Hi everyone, I'm going to present this paper, Simplified Meet and Meet All Modeling for Permutations and New Quantum Attacks, which is an anchor with Mark Stevens. So we're in the context of asymmetric analysis, and we are looking at attacks on cryptographic permutations. And the problem we're trying to solve is finding an input x, which has some relation with the output p of x. For example, you could say x we call p of x, and this would be a fixed point of p. This creates what we call a closed computational path, because now we have constraints between the input and the output. And the way to solve it using the Meet and Meet All technique is to select two subsets of the internal states in this path, one that we call the forward path and the other we call the backward path. And we're going to compute all the possibilities for these states independently, backwards and forwards. And whenever they meet, we're going to try to match these possibilities. And any matching, any pair of matching possibilities are going to give us something that we're going to recompute to check if this is a solution to our problem. So this is probably the idea of the Meet and Meet All attack. Let's take an example for this and how it applies to cryptographic permutives is the hierarchy hash function. So it's more range hash function. So it only hashes inputs of half square bits to 256 bits. And it's defined using a permutation on five square bits, defined using AS operations. And the way it does it is simply take the inputs and go right to the output permutation and truncate this to 256 bits. So for example, finding a pre-image of zero means finding an input X, such as that this truncation is equal to the truncation of the output P of X. This is exactly solving a Meet and Meet All problem on the permutation P. Hierarch F512, the hash function is not used in Sphinx plus hierarch, although it was proposed to be used in digital signatures schemes. But the permutation is used currently in the proposal. So a Meet and Meet All attack isn't really defined by this choice of forward and backward path, which we call the Meet and Meet All characteristic. And of course, we can search for them by hands and there are many techniques applicable. The problem is that this path can become quite complicated, especially for example, like hierarchy. So here is an example. The alternative to finding this by hand is to use an automatic tool. And this is something, this is a more recent idea. So what we're gonna do is we model the space of possible Meet and Meet All characteristics and then we search the best of them and one that gives us an attack using an automatic tool. So what we say is searching for the Meet and Meet All attack becomes a problem of optimization. We want to optimize the attack complexity on the search space, which is the space of acceptable forward and backward path. So at Hierarch F521, a Bayouet ad showed that you could reduce this to an MILP problem mixed with your linear programming. And they had a modeling that allows you to target all AES like hash functions. So all hash functions that use operations like in the AES. But the modeling is very complex. The reason is that it's defined using propagation rules. So there are many rules actually to define for all the different operations that we use. So in our paper, we went into a different direction. We actually restricted our study to permutations. So the difference is that now we don't have any degree of freedom in the key schedule because it's only a permutation. So there is something that simplifies a lot in that. But it turns out that so using this restricted setting could expand this to more than AES like permutations and introduce an MILP model still based on MILP, but which is very simple. And this model will also include a quantum attacks. So we define quantum in the middle attacks and include them as a new optimization goal. All this allows us to find new improved, either improved classical attacks or quantum attacks on several primitives such as reduced from AES and Haraka, of course. So as an example, we can have a look at the attacks on Haraka 512. It's actually already known since your equipment 21 that Haraka 512 is broken. There is a pre-image attack on this hash function which is for an instant time 2D214 instead of 2D256. And it has a memory complexity of 2D128. Now in our paper, we don't reduce this time complexity, but we show that with a different characteristic, we could reduce the memory down to 2D16, which is very small. And with the same characteristic, it becomes also possible to run a quantum attack, which is gonna run in basically the square root of the time complexity with some additional factors. So 2D123, applications of Haraka as a quantum circuit and the same memory complexity. So for the rest of the results, you can find the details in the print version of the paper and the code is available on make it a big note. So thank you for your attention.