Thank you. So, very happy to be here, and you were great, because this is a community that's very focused on practice, right? You can just look at the program, you know, people really care about what users do and how they really use cryptography. So if you use Google, we have a paper on the practical moment of Ignis. That's really a practical thing, a practical problem. You can look at all the papers, we have practical in between our maps. Basically, right? We have practical loots traveling, so I guess this means we will start practical life at you, right? Something like this. We have practical universal circuits, we have practical functional encryption, and just this week we had We're trying to realize random break. That's really amazing. Users will be super happy about this. So I'd like to talk about something a little bit different, something more theoretical, to go away from all these practical results, and the question I'm trying to look at is: what if we didn't have all those powerful constructions? What if we don't have differential of this case? What can we do? Is there another kind of cryptography that we can do? Other reasons. And of course, in order to get to this world, we have to really restrict the power of what we can do, because all these constructions, we know they are practical, we don't want to get rid of them. We need to learn very soon. We need to know that we can't do anything. So maybe we can call it cryptography, or we select cryptography, but all we can do is just crap. So I'd like you to use the crap model. So there are various ways to define this model. One way maybe is to just limit the amount of computation you can do, maybe you can do a constant amount of computation. This really changes everything, because now asymptotic analysis doesn't mean anything, right? So it's really a completely different model.
Another way to do this would be to look at what happens when your hardware is not perfect in terms of leakage, and you know when you cannot really balance this engagement, and what, and when you need a different kind of cryptography. Maybe users also are stupid, they're just using the wrong crypto, and you have to look at what they're actually using, how they use it. You have all kinds of security issues, it's become super boring, but they are, you know, it's completely different. And maybe your random oracles don't really exist, and then you have a completely different world. So that's why I'd like to get some completely new kind of crypto. So, of course it's not practical, so it's only of theoretical interest, but maybe we could look at this problem in practice, you know, just to understand this. Maybe we could have a few papers, and maybe we could problem with this crap model, that would be nice. So let me try to give you a taste of this crap model. So in the crap model we don't have random oracles, so if we need something like a random oracle, we're going to use instead a hash function. So it's just a public function, it takes an input and gives you a small output, and the way we build this is to iterate a compression function. But it doesn't really work that well, because what kind of security can we get out of this? So we would like to get at least collision resistance, right? That's like a minimum property I would expect. But in fact, if you don't have a key, or if you don't have a random oracle, well, this doesn't exist: any fixed function has collisions. So this crap model cannot even do a random oracle, that's right. In fact, if you think a little bit deeper about different kinds of collision resistance, normal collision resistance is just finding two messages that collide. In fact, in most cases it doesn't really break concrete stuff, because it's not powerful enough.
You cannot really control other conditions, but there's a stronger attack, which is chosen-prefix collision attacks. And here you're given two prefixes, and you want to turn this into two colliding messages. This actually breaks certificates, and it's been shown in the 95, and it also breaks our incident protocols, like TLS and design order. So let's see what people actually use in this crap model, so what kind of hash function. The common one here is SHA-1, so it's been designed in 1993 by the NSA, and we know the NSA does great design, right? Don't worry, I'll just explain this afterwards. So it's really a small function, SHA-1. Well, a few years later there was a slight issue, so we had to look into it. Then there was actually a collision in the original version, and starting to get bad in, I found worse. Then there was a theoretical collision attack, and 12 years later this attack was shown in practice. Yeah, it's quite difficult, right? So what's the current state of SHA-1? Well, it's not used a lot, it's being phased out, but it's actually still possible to buy a SHA-1 certificate. And it's actually still accepted by some software, like many mail clients will accept it. So if we want to really kick SHA-1 out, I think we have to look at SHA-1 chosen-prefix collisions. So there's already a previous attack, and it looks a little bit like this. What you do is you start from a differential trail, and you look at a set of nice linear differences, and then you go through this step to get to this set, and then you're using a collision block, moving a little bit forward, it's going to cancel out. So the important thing is you start from a nice linear trail, and then you extend at the front with a nonlinear trail to connect from some arbitrary differences, and then you're able to relax the trail a little bit to have a SHA-1 out.
And this has been done on SHA-1 by Robert Stevens in 2013, and he needs an attack here as a set of 1,90 possible differences, and this gives an attack at 2^77.1, so it's not a huge gap from the generic attack at 2^80. So I'd like to show you a lot of different details, but we have some improvements to this attack, we have new techniques to get a better chosen-prefix collision attack on SHA-1. The first thing is we use a larger set of output differences in the compression function, and then we use a multi-block technique like what was done on MD5 earlier, and here it's a little bit different because we always use the same linear trail, so it's a bit harder, and then we also use some kind of clustering. So in the end we have an attack with complexity between 2^77 and 2^79, which is almost practical, much much more than normal.
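The talk's point that SHA-1 certificates can still be bought and are still accepted by some software suggests a simple check a defender can run over a certificate store. This added Python example (not part of the talk, and not code from the speaker) walks the outer DER structure of an X.509 certificate, reads the signatureAlgorithm OID and flags SHA-1 based algorithms; the certificates it tests against are constructed skeletons with a dummy tbsCertificate, not real certificates.

```python
# Added example (not from the talk): flag X.509 certificates whose outer
# signatureAlgorithm is SHA-1 based, using stdlib-only minimal DER parsing.
# cert_skeleton() builds constructed test input, not a real certificate.

SHA1_SIG_OIDS = {  # SHA-1 based signature algorithm OIDs (RFC 3279)
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}

def der(tag, body):
    """Short-form DER TLV (body < 128 bytes), enough for the test skeleton."""
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos=0):
    """Decode the TLV at pos (short or long-form length) -> (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes that follow
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """DER OID content bytes -> dotted string (base-128 arcs, high bit = continue)."""
    arcs, cur = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def check_signature(cert_der):
    """Return (dotted OID, SHA-1 algorithm name or None) for Certificate.signatureAlgorithm."""
    tag, body, _ = read_tlv(cert_der)              # Certificate ::= SEQUENCE { ... }
    _, _, after_tbs = read_tlv(body)               # skip tbsCertificate
    _, alg_id, _ = read_tlv(body, after_tbs)       # signatureAlgorithm SEQUENCE
    oid_tag, oid_val, _ = read_tlv(alg_id)         # the algorithm OID comes first
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a Certificate with an OID-led AlgorithmIdentifier")
    oid = decode_oid(oid_val)
    return oid, SHA1_SIG_OIDS.get(oid)

def cert_skeleton(sig_oid_bytes):
    """Constructed test input: dummy tbsCertificate, real AlgorithmIdentifier, dummy BIT STRING."""
    tbs = der(0x30, der(0x02, b"\x02"))
    alg = der(0x30, der(0x06, sig_oid_bytes) + der(0x05, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00" + b"\xab" * 4))
```

On a real DER certificate only check_signature is needed; the inner tbsCertificate also carries a signature field that should agree with the outer one.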