 Hello everyone, in this slide, I will talk about quantum collision attacks on AES-like hashing with low quantum random access memory. This is joint work of Xiaoyang Dong, Siwei Sun, Danping Shi, Fei Gao, and Xiaoyun Wang. This talk has three parts. First, I will do some reviews on quantum characteristics and settings.

Suppose we are attacking a block cipher; we have two models, the Q1 model and the Q2 model. In the Q1 model, one collects queries in classical ways online and does the computations offline on quantum computers. In the Q2 model, one collects quantum superposition queries. For block ciphers, it is hard to make superposition queries on an online oracle, therefore the Q1 model is more practical. However, for hash functions, there is no key in the oracle, hence we can implement it in a quantum circuit and make superposition queries with ease.

In this paper, we are talking about quantum collision attacks on hash functions. Therefore, we have to understand the generic collision attacks on hash functions in different settings. Currently, there are three settings. The first setting is that we have small computers and large QRAM. In this setting, we have the best generic quantum attack with the BHT algorithm. The time complexity and the size of QRAM are both 2^(n/3). In the second setting, we have S quantum or classical computers. The best algorithm is the parallel rho algorithm with this time complexity. The third setting is that we have small quantum computers and large classical memory. The best generic attack is given by the CNS algorithm.

The most important feature of quantum computation is that we can make superposition queries on a quantum oracle. Given a Boolean function f, the superposition oracle of f is the unitary transformation U_f, sending y to y plus f(x). U_f can act on a superposition state linearly. That's like this. Given a search space of 2^n elements, say there is only one x that makes f(x) equal to 1; we are finding that x.
In classical settings, we require about 2^n, and in quantum settings, Grover's algorithm needs only the square root of that complexity.

Quantum random access memory is the quantum analog of classical random access memory. It can pick out the superposition states from the superposition addresses. However, it is unknown how QRAM is built. A QRAM of size n can be simulated by n qubits, hence QRAM is very impenetrable and attacks with low QRAM are more practical.

AES-like hashing is built on AES-like block ciphers. The most popular ways to build compression functions are the DM, MMO, and MP constructions. In this paper, we focus on the MMO and MP constructions.

The rebound attack was introduced by Mendel et al. at FSE 2009. It has two phases, dividing the cipher into two parts, the inbound part and the outbound part. The inbound part uses a meet-in-the-middle method to generate starting points. The outbound part is to compute in both sides. If the probability of the outbound part is pr, then we have to collect 1/pr starting points in the inbound phase. Here is an example. On the fourth round, we have to collect 220 starting points to get a collision. Later, Gilbert and Peyrin introduced the super-Sbox technique to improve the rebound attack. It covers two S-box layers in the inbound phase with a 2^32 memory complexity.

At Eurocrypt 2020, Hosoyamada and Sasaki converted the rebound attack into a quantum one. In the classical setting, we have to collect 1/pr starting points to perform the attack. In order to be better than the birthday attack, 1/pr has to be smaller than 2^(n/2). However, Hosoyamada and Sasaki found that in the quantum setting, we can apply Grover's algorithm to reduce the time complexity to square root of one. Therefore, to be better than BHT, pr has to be larger than 22-2n. They claim that a trail that cannot be used in a classical rebound attack may work in the quantum setting. Moreover, they converted the super-Sbox technique into a quantum one.
They found a new trail to perform the quantum rebound attack. They achieved two attacks. The first is with large QRAM and the second is without QRAM. They claim that their attacks are no better than the CNS attack when large classical memory is available. The complexity of CNS is about 2^51.

In this paper, we replaced the full super-Sbox with the non-full super-Sbox technique. With the non-full super-Sbox technique, we only need to traverse the first byte, who be, to find a pair that conforms to the targeted differential. We also use Grover's algorithm to accelerate it. Therefore, we get a new trail to perform the quantum collision attacks. In this part, the non-full super-Sbox technique is applied. The outbound probability is also 22-18. Note that there are only 2256 starting points provided by 13 and 13 out. However, we need 2218 to generate the collision attacks. We need additional degrees of freedom, which can be achieved by a two-block method to provide enough degrees of freedom. At last, we give quantum attacks without QRAM, which are much better than the CNS collision attacks.

We also applied our algorithm to Grøstl. For Grøstl-512, we find new paths, inbound paths, to perform the attacks. At last, we give 4-round and 5-round classical attacks, which are better than the previous 3-round attacks. Also, we convert the rebound attack into quantum attacks. In QModel 1, we need 2216 quantum memory. In the second model, we don't need QRAM, and the time complexity is better than the CNS attack. In addition, we also attack Grøstl-256. Thank you very much.