 Hi everyone, so this is an overview of a paper with Barmanic named type-reimage resistance of the sponge construction. So we focus on the sponge used for rashing purposes based on the permutation. The sponge operates on a state of size B bits and it is split into two parts. The first one is called the outer part. It comprises orbit and it determines the rate at which message blocks are absorbed and the digest is extracted. Then we have the inner part. It comprises C bits, C is called the capacity and this is a security parameter of the sponge. We will restrict ourselves to the case where the digest size is fixed to N bits and we denote by L the number of required squeeze call in order to extract the digest. There are several tweaks to this construction and here we focus on two of them which were introduced in the context of photoskin. The first one allows to have a first message block which is larger with a size denoted by r prime prime and in the second tweak the digest is extracted with a rate r prime which is larger than r. Now we are interested by the probable security guarantees of the sponge. To do that we place ourselves in the ideal primitive model meaning that the permutation is assumed to be simple uniformly at random. Now in order to argue that we have a good hash function there are three classical security requirements mainly pre-image, second pre-image and collision resistance. Unfortunately these security requirements are not strong enough for some applications. Consider for example the Merkle dam guard construction based on an ideal compression function. Even if it is pre-image, second pre-image and collision resistance it is exposed to length extension attacks which can be a problem in some concrete schemes. In fact there exists the stronger security properties which is called indifferentiability. In short it is a distinguishing game where the adversary must differentiate between a random Merkle and the construction based on the public primitive. It has been shown among other that indifferentiability implies security of pre-image, second pre-image and collision. Now going back to the sponge construction it has been shown to be indifferentiable with a bound of form q over 2 to the c over 2. Concretely it tells us that in order to be able to differentiate the sponge from a random Merkle one needs at least two to the c over two queries and below this number of queries any attack on the sponge cannot be easier than the same attack on the random Merkle. This is what we can see on this table where for the classical security properties the security bound is the sum of two terms. The first one comes from indifferentiability while the second one is the success probability of a generic attack on the random Merkle. Now we can compare the security bound against the best known attack. So for indifferentiability, collision and second pre-image this is clear that the security bound matches the best known attack and the non-generic parts of the attack exploit in the collision of the sponge and this is the key idea. Now for pre-image the best known attack is essentially the same one as second pre-image but varies an extra step of cost two to the n minus r prime. This step was not required in the case of second pre-image because the knowledge of one first pre-image gave us access to intermediate state within the sponge and it saved some work in the attack cost. On the other side the security bound of second pre-image and pre-image are the same. Therefore when the cost of this extra step is larger than the cost of finding in a collision there is therefore a gap between the security bound and the best known attack. And in this work we proved a tighter security bound for pre-image resistance which shows in particular optimality of the best known attack. In fact this bound was already believed to be true but there was no proof for that. Our bond can improve the state of your pre-image security resistance of scheme that output the digest in multiple rounds and this is the case for some lightweight crypto scheme where we have small primitives and small rates. So on this table we have several lightweight schemes and the comparison between the old security bond and the new security bond. A large part of these schemes are candidates of the niche lightweight crypto competition and in particular there are two finalists Asconhash and Photon Beetle Ash. For the case of Asconhash the security bond shows an improvement of 50% in the exponent. So that's it for this presentation. I hope that you enjoyed it and thank you for your attention.