 So, this talk is about our recent work on cryptanalysis of Simon and Symec with block size 32 and key size 64 bit. So let me start with a disclaimer in mathematical terms. So Simon implies NSA, does NSA implies backdoors. So a corollary of this disclaimer, backdoor in Simon implies backdoor in Symec. The reason both the ciphers have a similar structure. So if we look at the best known results on these two ciphers till now, they can reach a maximum of 23 rounds out of 32 rounds. So this means the security margin is still 28 percent. So how to improve it? So we introduce new property of block ciphers called correlated sequences. So consider n bit block cipher with mn bit master key. So for t rounds of cipher, we can consider it as a keyed sequence of length t. So if you consider the round, it is basically a composition of two functions, one is non-linear and another is linear and this requires majority of the computations. So the goal is given a keyed sequence and another key which is not equal to k obtain another sequence of the same length by computing the non-linear function at most t times. So more formally we say two sequences are sigma t correlated, if one can be obtained from another by computing the non-linear function exactly sigma times. So this is our main result on these two block ciphers. So we can theoretically construct one eight correlated sequences for both these two ciphers. So that means if we want output of these two ciphers after six rounds, we need to compute this f only this many times compared to the naive approach which requires this. So we use these sequences for six forward rounds, six backward rounds and do partial encryption just for 12 rounds. So the overall time complexity is limited by this term for 25 rounds. For 27 round attack, we use the property of key scheduling algorithm and one round differential simultaneously and we can push the attack from 25 to 27 rounds with the same complexities. So what's next? So we saw the security margin from 28 percent to 16 percent. So now if you see the attack technique is generic and it can be applied to any block ciphers. So the only problem here is how to construct such sequences for other ciphers. So thank you.