 I apologize in advance. So it's a job work with the HSU and Maria, the ATIS, and so on. And we're dealing with the collision search, and we're motivated by applications in the symmetric crypto. So first, I give some details about the comparative context and then draw a brief state of the art of quantum collision search before presenting or on your algorithm. So where are we? Well, we're studying symmetric cryptography where we have generic attacks, which define the ideal security of our surface. We also have this constant effort of fraternizes, which increases confidence in the permitting we use. However, I would rather focus on generic attacks. So no fraternizes for today. And these generic attacks that we apply, offer, for example, the HSU search, birthday paradox, collision finding, and so forth. As mentioned, the title, we are studying the situation from the point of view of quantum adversary. So someone who has access to an investable universal scalable quantum computer. So we already know that in the asymmetric setting, RSA and HCC can be broken by such a computer. So that yesterday, and this is why there is much work going on on designing new primitives. Symmetric cryptography, the situation is a bit different. So we know that a ruler can speed up a quality factor of any kind of exhaustive search. So this is quantum-generic attacks. But there has been less work on this topic. So the hypothesis is changing, as can be seen from this session. So now we need to focus a bit more on what can be done using quantum computers in cryptanalysis and what other generic attacks could be created. So let's focus on collision search using quantum algorithms. The problem we're studying is the classical region search problem. So we have, let's say, black dot quantum function, which is a hash function. And we hope for a computer to have the same image. In the classical world, this is done in 2 to the 8 of 2. So it's a pre-route of the domain with a polynomial memory using Polarth-Roh method. And we have a related problem, which is multi-target pre-image search. So searching for the pre-image of one target among many. And this can be done using exhaustive search. And what can be done in the quantum saving? So we have Polarth-Roh there. If you want to apply global algorithm to search for collisions, actually, this doesn't help. The time complexity and the correlation complexity is 2 to the n over 2. But we have this algorithm by Grasseur, we have that, which is so other, which gives you a great complexity to the n over 3, which is actually optimal. But they didn't precisely analyze the time and time complexity and qubits used. And we'll go back on this later. Because contrary to the previous talk, we're much more interested in the time complexity and the number of qubits used in the circuit model. So we count the number of quantum gates that we apply, and we count the number of qubits that our circuit is using. This seems to be a rather relevant cost metric for spectrographers. So we also have this last algorithm by Ominiage, which was actually created for the element distinguish problem. It works as well with 2 to the n over 3 queries, qubits, and time, and it's optimal as well. So in short, the situation seems rather subtle. The collision lower bound has been reached. But these available quantum algorithms have become on the downside. It's that if we want to work before the classical bound, we need more than a little number of qubits. And actually, having that many qubits could be as hard as having a large distributed quantum computer. Since you can use qubits as well for storing memory or for computing. And this large quantum memory, we would like to reduce it, or even to get rid of it. There was a challenge asked by the government for better quantum time quantum memory trade-offs for these problems. And this is what we're dealing with. So we are restricting the number of qubits available to what seems to us a more reasonable quantum computer. So it's a phenomenal number of qubits. This is what Grover's algorithm used, actually. So we have these limited resources. And we are focusing on the theoretical algorithm than on implementation details. So no error correcting codes, for example, only the circuit model. So this is our results. So we have a new line here. We're able to improve on the classical 2-2-2-2 with a suboptimal number of qubits. But do you think this one is a number of qubits? So a very small number of qubits. And there is also a small amount of classical memory that I have to explain later. But I'm keeping it there. So now let's see how to do it. OK. First, we need a tool, Grover's search, classical 1. So you have access to an efficiently computable test function. So this is an oracle that will pay you whether a state is good or bad. The capitation is for quantum states. So basically ket x represents the string x. And this oracle is implemented, since it is an efficient function, as a quantum unitary that acts not only on states but also on superpositions of states, since it's a linear operator. So we're looking for an x such that f of x equals 1. It's a good state. And we know that if there is only one solution and we want to do the n, we get 1 in time to do the n over 2. So quality improvement of the classical 1. And there are 2-2-2 solutions. We get the superposition of all of them in time to do the n minus t over 2. OK. So this is the first tool we need. Grover is used as a subroutine in Brassar, we have a TAPS agreement in 1988. And this works in two states. So it's so material, actually. First, we need to perform a number of arbitrary classical queries to the finite age. And then we need to search for a collision on one of these queries. So the oracle for good states is there. He takes basically whether we found the collision. And the number of queries is 2 to the n over 3 for the initial list, so for the first step. And the second step, since we have 2 to the n over 3 solutions, we have the same number of queries. So everything is fine from this point of view. But while we're implementing this oracle, we need, of course, to query the function age in superposition. But age is, let's say, a hash function whose their function is public. So we can query this. No problem in this first step. And then we need to answer a query of the form, does this element appear in the list? Where this element is in superposition, because the function age is called as a quantum variable. And this is easy if you have 2 to the n over 3 quantum memory, so qubits, to store the whole list, because you're going to use a quantum round model, for example, and ask superposition membership query in little time. But if you haven't, because we're restricted the number of qubits, if you haven't any quantum data structure, this cannot be done. So how are we going to do it? There is a way, but it's different. Actually, there is always this way you can do. You haven't any quantum data structure to hold the list. So we're going to check against all elements in linear time, in the size of the list, sequentially. So ask if it's the first one, or the second one, and go all through the list, without holding any data and memory at one point. And this takes much more time than before. And this makes the cost much higher than before. So if you haven't any quantum data structure, actually the cost of the mass of random tasks algorithm becomes much higher. It becomes even higher than the classical one. So it's not helpful. Because each time we compute an iteration, we need to query this superposition to the list. And each time we query this, we need to do the n over 3 computations to go all through the list. So we're going to improve on that. And we need two ideas to do this. The first one is to use a distinguish points method. And the second one is to adapt the size of the list. We don't need it to be 2 to the anniversary. In the end, we balance the cost, and we hopefully obtain what I claimed earlier. So let's take an arbitrary definition of distinguish points. So all x's with image starts with a prefix of zeros. And what we can do now is build a list of distinguish points only. And then when we search, search for equation, but only among the distinguish points. So we are making the Grover, transforming the Grover subroutine into an integer application, where we first have to build the serve space, which is a space of distinguish points. And then I need to iteration of Grover test. Membership to our list. So we also have two steps here. First, building a list, and second, looking for a collision of this list. Well, now that we have done that, we actually don't need the list to be of this size anymore. So let's drop the end of our free. We take a list of distinguish points of the time we want. First, we build the list. So we need a list for each point to Grover search. And then we need to search for a collision on this list. So collision that will, of course, happen on distinguish points. So we build the serve space of distinguish points. We perform or sequential membership queries to this. And we write this into an integer application. So this is how it works, and this is how you can summarize it in natural language. So now we need to optimize those two parameters. And check that I'm not mistaken. So here all day, we take this of size, let's say, to the end of our five, and the prefix of size, to end of our five. So distinguish points will be points having a prefix of to end of our five zeros, with image as a prefix of to end of our five zeros. And the whole time of this procedure, first step and second step becomes to the end of our five. And the qubits that we use in this procedure are polynomial number for the first step and the second step, not more than Grover's algorithm. And there is something else coming, of course, because between the first step and the second step, we need to store that list of distinguish points we are working with. And that list has size to the end of our five. So somewhere we need the classical memory, of size to the end of our five elements. But to the end of our five is hopefully low for practical applications. There is also a way to make this algorithm run in parallel, so if you have not only one quantum processor but multiple quantum processors, so if you take n equals 128, and we have a range where we can still outperform the classical parallelization. And this, of course, has also a slightly better parallelization overhead than Grover's algorithm, which parallelization is not very well. Actually, the reality problem of multi-tagging pre-image search can be attacked in the same way. So here we gave beforehand the list of targets, and we're looking for the pre-image of one of these targets. Actually, we look for some x such that h of x is in this list. So what we need to do is only search among distinguish points with the same method. So we take that there is a cost of the t, which will spoon through the whole list of targets to select the distinguish points. And then we perform the same search operation as before. The lowest complexity achievable with this method, since we are counting these cells here, is two to the three end of the set. OK, so now we know that with a quantum computer and only a written number of qubits, so a restricted quantum computer, we can search for a collision on hash functions due to the two end of the five and for pre-image in this time. And we can give concrete parameters for it. For example, if you have a n equals 160 bits, classical collision search would take time to do the 80. And with this algorithm, what the time becomes to do the 64. And there is this classical list that needs to be stored anyway. But it takes only 100 gigabytes. This is very similar for multi-target pre-image search. Now the applications in photography, because we can think now to multi-user setting, for example, where this is an instance of multi-target pre-image search, where basically you have created the same message using lots of different keys. And you're looking for one of the keys. So this is an instance of the same problem that you can attack with this quantum algorithm. So what do we do? Basically, we can not know that we can accelerate collision search in a quantum setting, even with a restricted quantum memory. So I put it on your quantum memory as an overall algorithm. The question is now, are we doomed to say at least two n over five experiments? Or can we reach the level of 2 to the n over 3 using perhaps more advanced techniques? We looked on quantum walks. But for example, quantum walks use large amounts of quantum memory, so they weren't of any help so far. We also planned using this algorithm as a building block for more intricate quantum attacks. And perhaps also use similar methods to reduce quantum memory requirements for other types of attacks. Thank you.