 Hello everyone, I am Lukas and in this video I am going to give you a brief overview of the paper Simons algorithm and symmetric crypto, generalizations and automized applications which is joint work with Federico Canale and Gregor Leannia. First of all I want to give you a quick reminder on Simons quantum algorithm which solves a problem called Simons problem. For Simons problem we are given a function f that maps n bits to n bits and we are promised that f has a unique period s that means that f of x is equal to f of y if f only if x, x or y is either 0 or the secret period s. Our goal is to find s. In the classical world this is a hard problem in that sense that you need at least about 2 to the n over 2 queries to f to find s. But in the quantum world you can use Simons algorithm and Simons algorithm only needs big o of n quantum queries to f and then some basic linear algebra to find s. So why do we care about Simons algorithm? Well in 2010 and in 2012 Cuvacardo and Ory presented attacks against a 3 round feiste and the Ebenmansoor construction. Here I explain the attack against Ebenmansoor. The Ebenmansoor construction consists of 2 secret keys k0 and k1 and a public permutation p. To encrypt x we add k0, apply the permutation and then add a second key k1. In the classical world we can prove that this is a secure block cipher. But now consider the function f which is simply the encryption of x or the public permutation of x. Notice that if we add k0 to the input of f the output of f does not change. In other words k0 is a period of f. Hence we can use Simons algorithm to find k0 and once we know k0 finding k1 is easy and therefore O of n quantum queries to the encryption e are enough to completely break the Ebenmansoor construction. As we have just seen a periodic function with a period that depends for example on a secret of a construction can be turned into a quantum attack that only needs a polynomial amount of quantum queries to the construction. Unfortunately not all constructions are as simple as Ebenmansoor and searching for such periodic functions quickly gets cumbersome. Therefore our first contribution is an algorithm to automatically search for periodic functions. The idea is rather simple. We enumerate all sensible candidate functions and then instantiate them with a small rock size to check whether there is a period. By sensible we mean functions that can be represented as circuits that make use of for example XOR, the encryption or internal round functions of the construction. One such circuit is depicted on the right side of the slide. This was found using a sage implementation of our algorithm and leads to a new quantum attack on the 5 round Fysel fk construction with an internal permutation. Notice that a full attack actually needs two functions that are called f4 and f5 in our paper and that the period of f4 is used as a constant in f5. Using our automatic search we found even more attacks, most importantly on two misty constructions and the 4 round Fysel fk construction without a restriction at the internal round function must be a permutation. These constructions were studied before but only distinguishes similar to the original one against 3 round Fysel by Kuvacablen and Mori were found. With these, key recovery is still possible using the Grover-Mitt-Simon idea, however then a polynomial amount of quantum queries is not enough anymore. In contrast to that, our attacks directly rely on Simon's algorithm to recover the keys with only a polynomial number of quantum queries. Our second contribution is a negative result on generalizations of Simon's algorithm and the Fourier transform by considering non-standard Hadamard matrices. We can show that in order to find new cryptographically relevant properties it is better to focus on the standard Hadamard matrix because with non-standard Hadamard matrices we cannot capture linear invariant properties. This is formalized in the given theory. If this video sparked some interest in our work, the full version of our paper is available on e-print. An implementation of our search algorithm can be found on GitHub. If you have any questions, do not hesitate to contact us. Thank you.