 Hello, everyone, the title of this work is Algebraic Meet in a Middle Attack on Low MC, and Fu Kangliu. This is a joint work with Sato Nusaka, Gao Liwang, Willi Meir, and Takanori Isube. Low MC is a very famous block cipher. It was proposed at Eurocrypt 2015, and is designed to be MPC, FHE, and ZK friendly. A notable feature of Low MC is that its parameters can be chosen in a flexible way, including its affine layers. The key schedule function and the number of S-boxes per round. In this work, we focus on the cryptanalysis of Low MC, and the previous results can be classified into four types, and we focus on the third type, where two children play a test, where two children play a test, and a cypher test pairs can be obtained. The attacks in this setting are related to the security proof of the picnic signature scheme, and we improve the attack in this setting by proposing a new technique called Algebraic Meet in a Middle Attack. To understand our attack, it is necessary to first understand the difference in numeration attack. Its general idea is very simple. First compute the improved and output difference, delta 0 and delta r, according to the plane test pairs and cypher test pairs. Then at step two, pre-compute and store all possible delta i computed from delta 0, and at step three, again we compute delta i, but from delta r, and for each compute delta i, find a match from the pre-computed table. Once a match is found, the trail from delta 0 to delta r is determined, and the key can be computed from the trail. So this is an illustration of the original difference in numeration attack framework. It's a simple Meet in a Middle Attack, so according to the above description, so the memory complexity is very high and exponential, and it is exponential in R1. To reduce the memory complexity, in crypto 2021, Algebraic method was proposed, so different from the previous attack, for a given challenge delta r 0 plus delta r 1, instead of trying to find a match from a huge pre-computed table, the attacker tries to solve a linear equation system to recover the different transitions in the middle R1 rounds. However, the maximum value of R1 is limited in this attack. So there are some problems left. First, how to further reduce the memory complexity of the original difference in numeration attack, and second, how to further extend R1 by using additional memory based on their attacks, based on the techniques proposed at crypto 2021. So motivated by the two problems, we proposed the deeper Meet in a Middle Attack. The idea is very simple, so different from the previous Meet in a Middle Structures, instead of storing many values in a table, we store many linear equations in a table, and for a given challenge, we try to find a linear equation system that can be matched from the challenge, that can be matched with the challenge. So in this way, it's obvious that we can reduce the memory complexity, because some values are computed by solving a linear equation system. So this is our new attack framework, and for the middle R1 rounds, there will be two phases, offline phase and online phase. As the offline phase, we compute some information, and as the online phase, for any given challenge that R0 plus R1, we use the pre-computed information to retrieve the corresponding linear equation system to recover the different transitions in the whole middle R1 rounds. With this technique, the security margins of LoM C are significantly reduced, as can be seen from the last column of this table. Similarly, for the backdoor cipher LoM C and V2, the security margins are also significantly reduced. In summary, we propose new algebraic attacks on LoM C, and the attacks are highly related to the feature of the partial linear layer. At last, we want to mention an interesting problem. Can we further improve the attack? For example, can we extend R2? That's all. Thank you.