Hi, I am Ashrujit Ghoshal, and this is joint work with Cody Freitag and Ilan Komargodski. Very broadly, this work is about new pre-processing attacks and limitations for short collisions in the sponge construction.
Hash functions are one of the fundamental primitives of cryptography that have many different applications. Certain applications like password hashing, et cetera, require a hash function to handle different input lengths. However, it is infeasible to design a different hash function for every length. Hence, iterative hashing is used to construct variable-input-length hash functions using fixed-input-length primitives, the most popular example being the Merkle-Damgård construction. After some proposed attacks against MD5 and SHA-0 in 2006, NIST started a competition to standardize a new hash construction. And after almost a decade, Keccak emerged as the winner. The Keccak family is based on the sponge construction, which is a novel alternative to the Merkle-Damgård system.
Here's a very simplified view of how sponge hashing works. The fundamental primitive in the sponge construction is a permutation pi on R plus C bits. Message M is broken up into blocks of R bits after padding appropriately. The hash of M with respect to the hash key or the initialization vector IV is computed as follows. An initial state consisting of R zeros concatenated with IV is defined. The first message block is XORed into the first R bits of the state and the permutation is applied to it in order to compute the next state. This is done till all the message blocks are consumed. And the first R bits of the final state is the hash of M.
One of the most basic properties that any hash function should satisfy is collision resistance. It requires that given a random IV, it is hard to find two different messages that hash to the same value. We are interested in quantifying collision resistance of the sponge construction.
And the usual approach is to model pi as a random permutation. One can show that when pi is a random permutation, there is an attack that finds collisions using a minimum of 2^(C/2) and 2^(R/2) queries. And in fact, this attack is provably optimal. However, in the real world, since pi is typically public, an adversary can do pre-processing on it and it might make its job of finding collisions easier.
The scenario of pre-processing attacks was first studied in several different works, for example, in the context of function inversion and collision resistance. Coretti et al. introduced the auxiliary-input random permutation model to capture pre-processing adversaries in the context of random permutations. Here is how the collision resistance game is defined in this model. The adversary A consists of two stages, A1 and A2. The first stage A1 is unbounded and has complete access to the permutation pi. It computes S bits of pre-processing, which is input to the online phase along with the random IV. The online phase can make T queries to the permutation and its inverse. The adversary wins if the online phase outputs a pair of distinct messages that hash to the same value. We refer to such an adversary A as an (S, T) adversary and we define the advantage parameterized by S and T as the maximum probability of an (S, T) adversary winning this game.
Coretti et al. gave a tight characterization of this advantage. However, the attack that they propose which achieves this advantage finds collisions of length nearly. For usual parameter values, collisions this long are not very useful. In addition, short collisions seem harder to find than longer ones. Hence, we ask the question: can we characterize the hardness of finding B-block collisions for sponge? In a series of recent works, this question has been studied for Merkle-Damgård. In this work, we give new attacks and prove limitations for finding B-block collisions for the sponge construction.
Here's a very brief summary of our results. We give a new attack for finding one-block collisions for the sponge construction that leverages the fact that the adversary can make inverse queries. We also give an attack for other values of B which is inspired by rainbow tables. We prove limitations for best possible attacks for B equals one and two using different techniques. For both B equals one and two, our bounds are not tight, which gives rise to several open problems.
The two main takeaways of our work are: first, the inverse queries are useful in sponge to give new and better attacks. Secondly, shorter collisions are probably harder to find than longer ones for the sponge construction, just like Merkle-Damgård. For more details, I invite you to our longer talk during Crypto and refer you to the full version of our paper on ePrint. Thank you.
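The sponge hash and the collision game described in the talk, as an added example that is not part of the original talk or the authors' paper: a toy Python sponge and a generic birthday-style search restricted to messages of at most B blocks. The parameters (8-bit rate, 8-bit capacity), the seeded shuffle standing in for the random permutation, and all function names are assumptions made for illustration; the code does not implement the pre-processing or inverse-query attacks.

```python
import random
from itertools import product

R, C = 8, 8  # toy rate and capacity in bits (constructed; real sponges are far larger)

def make_permutation(seed=1):
    """Stand-in for a random permutation pi on R+C bits (fixed seed, reproducible)."""
    table = list(range(1 << (R + C)))
    random.Random(seed).shuffle(table)
    return table

def sponge_hash(pi, iv, blocks):
    """Hash a message given as a sequence of R-bit blocks (padding assumed done)."""
    state = iv                      # initial state: R zero bits || C-bit IV
    for m in blocks:
        state ^= m << C             # XOR the block into the first R bits
        state = pi[state]           # apply the permutation
    return state >> C               # first R bits of the final state

def find_short_collision(pi, iv, max_blocks):
    """Search messages of at most max_blocks blocks for two with equal hashes.
    Returns (msg1, msg2, queries), where queries counts evaluations of pi,
    or None if no collision exists within that length."""
    seen, queries = {}, 0
    for length in range(1, max_blocks + 1):
        for msg in product(range(1 << R), repeat=length):
            digest = sponge_hash(pi, iv, msg)
            queries += length       # one permutation call per block
            if digest in seen:
                return seen[digest], msg, queries
            seen[digest] = msg
    return None

if __name__ == "__main__":
    pi = make_permutation()
    iv = 0x5A                       # constructed sample IV
    m1, m2, q = find_short_collision(pi, iv, max_blocks=2)
    print(f"collision: {m1} vs {m2}, digest={sponge_hash(pi, iv, m1):#04x}, queries={q}")
```

With an 8-bit output the search must succeed within 257 messages by pigeonhole, which is why the toy parameters make the birthday bound visible in a fraction of a second.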