Thank you. So I'm very happy to be here at Eurocrypt because this is a community that's very focused on cryptography in practice, right? You can just look at the program, you know, really care about what users do and how they really use cryptography. So a few years ago, we had a paper on the practical movement of Ignax. That's really a practical thing, a practical problem. You can look at all the papers, we have a practical one in our maps. Basically, right? We have practical loopstraps. I guess this means we will start practical by FHE, right? Something like this. We have practical universal circuits. We have practical functional functions. Just this week, we're trying to realize random rate. That's really amazing. Users will be super happy about this.
So, I'd like to talk about a little bit different, to go to something more theoretical, to go away from all these practical results. And the question I'm trying to look at is what if we didn't have all those powerful instructions? What if we don't have a differential of this equation? What can we do? Is there another kind of printable to get rid of? Are there other reasons? And of course, in order to get to this world, we have to really restrict our life, what we can do, because all this construction, we know we are practical, so if we want to get rid of them, we need a very, very small model. We can't do anything. So maybe we can call it cryptography, because it's like cryptography, but all we can do is just crap. So, I'd like to use the crap model.
So there are various ways to define this model. So one way maybe is to just limit the amount of computation you can do, maybe you can do constant computation. And this really changes everything. There's now a synthetic analysis of mean energy, right? So it's really a completely different model. Another way to do this would be to look at what happens with your hardware. It's not perfect in terms of leakage, and you know, maybe you cannot really balance this engagement.
Then what? Then maybe you need a different kind of crypto, right? Maybe users also are stupid. They're just using the wrong crypto, and you have to look at what they're actually using, how they use it. You have all kinds of security issues. It's become super boring, but they are not. Completely different. And maybe your oracles don't really exist, and then you have a completely different world. So that's why I like to use it. So it's a completely new kind of crypto, but of course it's not practical. So it's only of theoretical interest, but maybe you could look at those problems as well, just to understand what's happening. Maybe you could have a few papers and you could look at the problem with this crap model. That would be nice.
So let me try to give you a taste of this crap model from cram. So in the crap model, we don't have oracles, so if we need something like a random oracle, we're going to use a hash function instead. So it's just a public function. The example is very input. It gives you a small output, and when we do build them, it's to iterate a compression function. But it doesn't really work that well, because what kind of security can we get from this? So we would like to get this collision resistance, right? That's the minimum property we'd expect. But in fact, if you don't have a key, or if you don't have an oracle, well this doesn't exist. Any fixed function, it has collisions. So this crap model is really shitty. You cannot even do a random work.
In fact, if you dig a little bit deeper about different kinds of collision resistance, normal collision resistance is just like two messages that collide. But in fact, in most cases it doesn't really break concrete stuff, because it's not powerful enough. You cannot really control other collisions, but there's a stronger element, which is chosen-prefix collision attacks. And here you are given two prefixes, so you want to turn these into two colliding messages.
This actually breaks the certificates, and it's been shown in 1995. And it also breaks our new system protocols like TLS and DSEC.
So let's see what people actually use in this crap model, so what kind of hash function. The concrete one is SHA-1, so it's been designed in 1993 by DSEC, and we go to DSEC, it was great design, right? So we're going to just explain this complex. So it's really a strong SHA-1. Well, a few years later there was a slight issue, so we had 22 different bits, but it was actually a collision in the original version. It's not going to get bad anymore, I thought it was worse. Then there was a theoretical collision attack. And 12 years later this attack was shown in practice.
So what's the current state of SHA-1? Well, it's not used a lot to be raised up, but it's actually still possible to buy a SHA-1 certificate. And it's actually still accepted by some software, and when you make clients, they will accept it.
So if we want to really kick SHA-1 out, I think we have to look at chosen prefixes. So there are already pros and cons, and it looks a little bit like this. So you start from a differential trail, and you look at the set of nice and good differences, and then you go with very little stuff to get into this set, and then you do the collision block, and because of a few forward it's going to cancel out. So the important thing is you start from a nice linear trail, and then you extend at the front with a nonlinear trail to connect from some arbitrary difference, and at the output you relax a little bit from the trail to have several options. And this has been done on SHA-1 by Marc Stevens in 2013, and in this attack he has a set of 1.92 possible differences, and this gives an attack to the 77.1, so it's not a huge gap from the generic attack between 2018.
So I'd like to show you a lot of different details, but we have some improvements to this attack, we have new techniques to get the better chosen prefixes for this attack in SHA-1. The first thing is we use a larger set of output differences in the compression function, and then we use multi-block techniques like what was done in 1905 earlier, and here it's a little bit different because we've always used the same linear trail, so it's a bit harder, and then we also use some linear classroom. And in the end we have an attack which is the complexities between the 60.7 and 79, so it's almost practical, much more than a normal collision block.