Hello, I am Amit Kumar Chauhan. I am presenting our work, Quantum Free-Start Collision Attacks on Double Block Length Hashing with Round-Reduced AES-256. This is a joint work with Abhishek Kumar and Somitra Sanadhya.

Hash functions are important and ubiquitous cryptographic building blocks that are used in designing message authentication codes, signature schemes, etc. In the post-quantum era, many public key schemes that use hash functions are proven to be secure in the quantum random oracle model. Recently, a few works have also studied dedicated attacks on block cipher-based hash functions, such as Whirlpool and Grøstl, in various quantum attack settings. Further, double block length hashing is a popular method for constructing a compression function with a 2n-bit output from an n-bit block cipher; for example, Tandem-DM, Abreast-DM, Hirose's compression function, etc. In this work, we study dedicated quantum collision attacks on Hirose's compression function.

Hirose designed a double block length compression function F that makes two calls to a block cipher E with a 2n-bit key and produces the output as follows. F on input (h0, h1, m) outputs (b0, b1) using the functions F0 and F1, where the function F0 on input (h0, h1, m) equals E(h0) ⊕ h0, with h1 concatenated with m as the key input to the block cipher. Similarly, we define F1.

How to find a collision on HCF? Just recall the fact from the Channadall paper in 2014. Suppose that a collision for F0 is caused by the pair (h0, h1, m) and (h0 ⊕ Δh0, h1, m). Further, assume that Δh0 = c; then a collision for F1 is also caused by the same pair. So, using this fact, the goal of finding a collision for HCF reduces to finding a collision on F0, for which we can proceed as follows. First, find a colliding pair of inputs. Secondly, output the pair only if Δh0 = c; otherwise return to step one and repeat the process.
So, what are the methods to find collisions? For a concrete hash function H, the generic collision attack time complexity is O(2^{n/2}) by the birthday bound. A dedicated collision attack is valid only if T < 2^{n/2}. The dedicated methods to find collisions generally use differential cryptanalysis; for example, MD5, Whirlpool, Hirose, etc. The idea behind this is to build a differential trail so that a non-zero input difference Δin propagates to a zero output difference Δout with high probability. Typically, differential trails for hash functions consist of two parts, a controlled part and an uncontrolled part. In the controlled part, the complex portion of the trail is efficiently satisfied by using degrees of freedom. In the uncontrolled part, the trail is satisfied probabilistically. Usually, the controlled part is satisfied with negligible cost, so the attack complexity is mainly dominated by the trail probability p of the uncontrolled part. So, the attack is valid if and only if T = 1/p < 2^{n/2}, that is, if and only if p > 2^{-n/2}.

Next, we discuss quantum cryptanalysis and quantum settings. There are two kinds of quantum attack models: the Q1 model and the Q2 model. In the Q1 model, the adversary is allowed to make classical queries and is also given the power of a quantum computer. In the Q2 model, the adversary is allowed to make quantum queries and is also given the power of a quantum computer. In general, the Q1 model is more practical than the Q2 model, because for a block cipher it is hard to make quantum superposition queries to the online encryption oracle; for a hash function, we can make quantum superposition queries offline. So, how do we define quantum superposition queries? Let f be a Boolean function.
The superposition oracle of f is the unitary transformation U_f that acts on an (n+1)-qubit system and sends a standard basis vector |x⟩|y⟩ to |x⟩|y ⊕ f(x)⟩. As a linear operator, U_f acts on superposition states as U_f (Σ_x a_x |x⟩|0⟩) = Σ_x a_x |x⟩|f(x)⟩. We can efficiently implement U_f in the quantum circuit model as long as there exists an efficient classical circuit that computes f.

Quantum random access memory (QRAM) can be seen as the quantum analog of classical RAM. Given a list of classical data L = (x_0, ..., x_{m-1}) of length m, the QRAM for L can be modelled as a unitary transformation U_QRAM such that, on an address register |i⟩ and an output register |y⟩, U_QRAM maps |i⟩|y⟩ to |i⟩|y ⊕ x_i⟩. Similarly, on a quantum superposition of addresses, we can define the action of the unitary transformation U_QRAM. However, there are some problems with QRAM. It is unknown how a working QRAM can be built, at least in the case of large QRAMs. Secondly, a QRAM of size O(N) can be simulated with a quantum circuit of size Õ(N), that is, the size of the QRAM is equivalent to the number of qubits in the circuit, so attacks with a small QRAM or even without QRAM are actually more practical.

Next, we discuss Grover's algorithm, which we use extensively in our work. Given a search space of 2^n elements and a Boolean function f, the goal is to find an x with f(x) = 1. In the classical setting, we need about 2^n steps, while in the quantum setting, Grover's algorithm needs about sqrt(2^n) Grover iterations. So, the point is to observe that if there are Δx and Δy such that p = Pr[E_k(x) ⊕ E_k(x ⊕ Δx) = Δy], then one can find such an x using Grover's algorithm in about sqrt(1/p) time with a quantum computer. Classically, one can find such an x in 1/p time.
Therefore, we can have a quadratic speed-up for differential cryptanalysis in the quantum setting. In the quantum setting, this has a consequence: the attack complexity is T = sqrt(1/p), and the attack is valid if and only if this is below the generic bound. In the case of generic methods, for example BHT, the time and query complexity is 2^{n/3}, but the number of qubits required is very, very large, 2^{n/3}. In this setting, the attack is valid if p > 2^{-2n/3}.

Now, we discuss our results. We apply a quantum version of the rebound attack to find collisions on Hirose's compression function when the underlying block cipher is instantiated with AES-256. Our rebound attack covers 10 rounds of HCF-AES-256 in the quantum attack setting. Our dedicated quantum collision attacks are actually faster than generic quantum collision attacks even when a small QRAM or no QRAM is available. Our attacks are also valid in the setting of time-space trade-offs. We also propose a MILP-based method to systematically explore different ways for rebound attacks with multiple inbound phases.

The rebound attack is based on differential cryptanalysis. It divides the cipher into three parts: outbound phase 1, the inbound phase, and outbound phase 2. In the inbound phase, we perform a match-in-the-middle to generate the starting points. From the starting points, we compute in the forward and backward directions in the outbound phases. We also remark that if the probability of the outbound phase is p, one has to get at least 1/p starting points in the inbound phase, so we need p > 2^{-n/2}. The assumption here is that the input difference Δx of the inbound phase propagates to Δ0 with probability p1, and the output difference Δy of the inbound phase propagates to Δ0 with probability p2. The Δ0 is matched with probability p0. Therefore, the differential probability of the trail becomes p1 × p2 × p0.
We can use this idea of the rebound attack to find collisions. We fix Δx and Δy, where Δx propagates to Δ0 with probability p1 and Δy propagates to Δ0 with probability p2. We then compute x and x' from Δx, and y and y' from Δy, that satisfy this inbound differential, and then we compute m from x, c from y, m' from x', and c' from y'. Finally, we check if m ⊕ m' = c ⊕ c' in the outbound phase. Classically, we need to try about 1/p attempts to have a match, but in the quantum setting we need to try about sqrt(1/p) attempts.

Here is the 10-round differential trail for AES-256. In rounds 3 and 4, we have inbound phase 1. In rounds 6 and 7, we have inbound phase 2. In round 5, we connect these two inbound phases. From Δx7, we move to round 10 with probability 2^{-16}. From Δz3, we move to round 1 with probability 2^{-16}. We also have the probability of the 8-byte cancellation in x, which is 2^{-64}. So, the overall probability of the differential trail is 2^{-96}. We then use this trail to mount the rebound attack on AES-256, which returns a pair of colliding inputs (h0, h1, m) and (h0 ⊕ Δh0, h1, m). We also need the condition Δh0 = c to have a complete attack on HCF-AES-256, where we consider c to have 8 non-zero bytes at some particular positions; this can be achieved with probability 2^{-64}. Therefore, the overall complexity of the attack is 2^{160}.

Now, we give the quantum collision attack using the rebound procedure. In our attack, the rebound attack has multiple inbound phases. For the first inbound differential, the input-output difference is denoted by (Δin1, Δout1). For the second inbound differential, the input-output difference is denoted by (Δin2, Δout2).
We then define a Boolean function F for the full inbound differential, F: F_2^{32} × F_2^{48} × F_2^{48} × F_2^{32} → F_2, in such a way that F outputs 1 if and only if the starting points computed from the input-output differences of the inbound phases fulfil the backward and forward outbound differentials. If F outputs 1, we can show two inputs such that HCF collides, where h0 and h0' are obtained from the starting point, and (h1, m) is obtained from the keys derived from the connecting round between inbound phases 1 and 2. By applying Grover's algorithm with the quantum oracle U_F for F, we can find a collision with approximately (π/4)·sqrt(2^{160}) queries. To estimate the overall complexity of the attack, we need to find the exact complexity incurred by the implementation of U_F.

So, how do we implement the quantum oracle U_F? We define a function D_i that computes the actual input-output data pair respecting the differential transition of each S-box by accessing the precomputed DDT that is stored in QRAM. In the algorithm implementing U_F, the input is (Δin1, Δin2, Δout1, Δout2) and the register |y⟩, and the output is basically y updated to y ⊕ F(Δin1, Δin2, Δout1, Δout2). We perform inbound phase 1: for i = 0 to 15, from the differences Δz3 and Δw4 we compute the corresponding differential, then we run D_i, which gives the output (x4[i], x4[i] ⊕ Δx4[i]). Similarly, in inbound phase 2, we get the output (x7[i], x7[i] ⊕ Δx7[i]). We then compute Δx5 from Δw4 and Δy6 from Δz6. We connect inbound phases 1 and 2 in round 5: we run D_i for each Δx5[i] to select the corresponding differential Δy5, and we compute Δx6 from Δy5. Then, for j in the positions 8, 9 and 15, we run D_i on input (Δx6[j], Δy6[j]).
If Δx6 and Δy6 are compatible, then we return (x6[i], x6[i] ⊕ Δx6[i]) as the output, and further we output the corresponding (x5[i], x5[i] ⊕ Δx5[i]). We then compute the bytes of x5. We also compute the bytes of k4 from the corresponding bytes of w4 and x5. Following the other details of the algorithm, we finally compute the round keys k0, k1, and so on up to k10. We now create the starting bytes from the input-output differences. First, we set x4 = (x4[0], ..., x4[15]) and x4' = (x4[0] ⊕ Δx4[0], ..., x4[15] ⊕ Δx4[15]). Similarly, we set x7 and x7'. Now, if x4 and x4' fulfil the backward outbound differential, then we set a one-bit flag flag1 to 1, otherwise to 0. If x7 and x7' fulfil the forward outbound differential, then we set a one-bit flag flag2 to 1, otherwise to 0. If both flag1 and flag2 are 1, then we update the output register y by XORing it with 1; otherwise y remains invariant.

For the complexity analysis of the attack, first, the complexity of the computation of 10-round AES is approximated by 200 S-box computations. Secondly, the complexity of one access to the DDT, that is, the table of input-output differentials, is equivalent to one S-box computation. One S-box evaluation thus requires 2^{-6.6} 10-round AES computations. Overall, by counting the S-box evaluations, the complexity of U_F is 2^{5.46} 10-round AES computations. The attack requires (π/4)·sqrt(2^{160}) evaluations of U_F. The complexity of finding the collision is approximately 2^{85.11} 10-round AES computations.

In summary, we have considered two attack settings: first, the attack setting with QRAM, and second, the attack setting without QRAM. We just discussed the 10-round attack in the first setting, where the time complexity is 2^{85.1} and the QRAM size is 2^{16}, which is required to store the DDT.
In the second setting, we do not use any QRAM; rather, we access the DDT using Grover's algorithm. So, the time complexity of the attack is increased a little bit and becomes 2^{86.11}. In the time-space trade-off setting, if we have a quantum computer of size S available, then we can have the attack with time complexity 2^{86.1}/sqrt(S/2^4). If we apply the CNS quantum generic collision algorithm on all the rounds, then the time complexity is 2^{102.4}.

In conclusion, the classical security of a primitive does not imply quantum security. It also implies that differentials with low probability in the classical setting can still be meaningful for quantum computers. We improved collision attacks on HCF-AES-256 to 10 rounds in the quantum setting, while in the classical setting there exist attacks only up to 9 rounds. As future work, finding more useful differentials with low probabilities in various other kinds of attack techniques can be an interesting problem to investigate in the quantum setting. Thank you for your attention.
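The structural fact the talk relies on, that an F0 collision whose chaining difference is exactly c is automatically a collision of the whole 2n-bit output, can be checked on a scaled-down model. The following is an added example (not the speaker's or the paper's code): it builds Hirose's compression function over a toy 12-bit Feistel cipher with a 24-bit key (a constructed stand-in for AES-256, with a constructed constant C), implements the two-step procedure from the talk as an exhaustive scan rather than a rebound or Grover search, and verifies that the pair it finds collides on both F0 and F1. The names toy_encrypt, hirose_f0, hirose_f1, free_start_collision and is_collision are this example's own.

```python
import hashlib

# Toy parameters (constructed for this example; the talk uses AES-256, n = 128).
N_BITS = 12                      # block size n of the toy cipher
HALF = N_BITS // 2               # Feistel half-block size
HALF_MASK = (1 << HALF) - 1
BLOCK_MASK = (1 << N_BITS) - 1
ROUNDS = 4
C = 0x001                        # non-zero constant c of Hirose's construction (toy value)


def _round_func(key: int, rnd: int, half: int) -> int:
    """Keyed Feistel round function derived from SHA-256 (hypothetical toy design)."""
    data = key.to_bytes(3, "big") + bytes([rnd, half])
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big") & HALF_MASK


def toy_encrypt(key: int, block: int) -> int:
    """n-bit Feistel block cipher E_key(block) with a 2n-bit key; stands in for AES-256."""
    left, right = block >> HALF, block & HALF_MASK
    for rnd in range(ROUNDS):
        left, right = right, left ^ _round_func(key, rnd, right)
    return (left << HALF) | right


def toy_decrypt(key: int, block: int) -> int:
    """Inverse of toy_encrypt, showing E is a keyed permutation as a block cipher must be."""
    left, right = block >> HALF, block & HALF_MASK
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _round_func(key, rnd, left), left
    return (left << HALF) | right


def hirose_f0(h0: int, h1: int, m: int) -> int:
    """F0(h0, h1, m) = E_{h1||m}(h0) xor h0, with h1||m as the 2n-bit key."""
    return toy_encrypt((h1 << N_BITS) | m, h0) ^ h0


def hirose_f1(h0: int, h1: int, m: int) -> int:
    """F1(h0, h1, m) = E_{h1||m}(h0 xor c) xor h0 xor c."""
    return toy_encrypt((h1 << N_BITS) | m, h0 ^ C) ^ h0 ^ C


def hirose_compress(h0: int, h1: int, m: int) -> tuple:
    """Hirose's DBL compression function: a 2n-bit output from two calls to E."""
    return hirose_f0(h0, h1, m), hirose_f1(h0, h1, m)


def is_collision(h0: int, h1: int, m: int, dh0: int) -> bool:
    """True when (h0, h1, m) and (h0 ^ dh0, h1, m) collide on the whole 2n-bit output.

    When dh0 == C, an F0 collision forces an F1 collision: F1(h0) equals F0(h0 ^ C)
    and F1(h0 ^ C) equals F0(h0) by definition, so the two F1 values agree as well.
    """
    return hirose_compress(h0, h1, m) == hirose_compress(h0 ^ dh0, h1, m)


def free_start_collision(max_keys: int = 256):
    """The talk's two-step procedure (find an F0 collision, keep it only if the
    chaining difference equals c), fused into one exhaustive scan per key (h1, m).
    Each scan costs about 2^n F0 evaluations and succeeds for a given key with a
    constant probability (roughly 40%), so a few keys suffice at this toy size.
    Returns (h0, h1, m) or None if no pair was found within max_keys keys.
    """
    for trial in range(max_keys):
        h1, m = trial & BLOCK_MASK, (trial * 2654435761) & BLOCK_MASK
        for h0 in range(1 << N_BITS):
            if hirose_f0(h0, h1, m) == hirose_f0(h0 ^ C, h1, m):
                return h0, h1, m
    return None


if __name__ == "__main__":
    found = free_start_collision()
    print("F0 collision with delta h0 = c:", found)
    if found is not None:
        h0, h1, m = found
        print("whole compression function collides:", is_collision(h0, h1, m, C))
```

The scan mirrors the classical 2^{n} cost of satisfying the Δh0 = c condition by trial; the talk's point is that the rebound trail reduces the work of producing candidate F0 collisions and Grover's algorithm then takes the square root of the remaining trial count, which is what brings the 10-round HCF-AES-256 attack below the generic quantum bound.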