I will talk about Adventures in Crypto Dark Matter: Attacks and Fixes for Weak Pseudorandom Functions. This is a joint work with Jeong Ik-cheon, Jeong Won Kim, and Jisun Kim. The outline consists of background, our work, attack and fix of weak PRFs, and further works.

A pseudorandom function, informally, looks like a random function, and it has a lot of applications: HMAC, digital signatures, indistinguishability obfuscation, block ciphers, etc. It is an important tool in the construction of cryptographic primitives. The mathematical definition of a pseudorandom function is a deterministic keyed function. It takes an input X and produces an output, with the key embedded inside. A pseudorandom function needs to be efficiently computable, and its input and output behavior is computationally indistinguishable from a truly random function. We will focus on a particular relaxation of the pseudorandom function, namely the weak pseudorandom function. A weak PRF is the same as a PRF except that the adversary does not get to make adaptive queries, and the adversary only gets to see uniformly random evaluations of the PRF.

I will talk briefly about the status of pseudorandom functions. Linial, Mansour and Nisan present a quasi-polynomial time learning algorithm for learning AC0 circuits, and the classic results by Kharitonov give a candidate weak PRF with quasi-polynomial time security. And a nice construction by Benny and Pavel shows a weak PRF which is depth 3. Now move to a larger complexity class with MOD p gates, where p is prime. Carmosino et al. show that no strong PRF is better than quasi-polynomial security, and Viola constructs a strong PRF with quasi-polynomial time security. And the Akavia et al. construction gives a weak PRF candidate that can be computed in depth 3 with the ACC class.
In general ACC0 with general MOD m gates, Boneh et al. proposed a weak PRF that can plausibly have exponential security, and a simple extension of their construction gave a strong PRF that can be implemented by a depth-3 circuit in ACC0. Our target is a weak PRF which has exponential security. The paper is Exploring Crypto Dark Matter.

The weak PRF candidates of Exploring Crypto Dark Matter have many contributions. First, it is a very simple construction. They only mix linear computations over different moduli and they have low-depth circuit complexity. They are the first proposed depth-2 weak PRF candidates and also the first proposed depth-3 strong PRF candidates. Finally, they have plausibly exponential security. In the landscape of cryptography, we have these nice mathematical assumptions. But they want to make a simple construction, and they find the modulus mixing technique by exploring crypto dark matter.

And now we adventure in crypto dark matter. This work introduces a new direct statistical attack using conditional probability and applies the attack to the Dark Matter weak PRF candidates, breaking the suggested parameter of the alternative weak PRF candidate with exponentially many samples, and also breaking the suggested parameter of the new weak PRF candidate with circulant matrices and exponentially many samples.

First, we will introduce the new Dark Matter weak PRF candidate. Before the weak PRF, define the map. The map is the function map that takes an N-bit input and simply computes the sum modulo 3. The secret key is a matrix A which is chosen uniformly at random from M by M matrices. The weak PRF is very simple. They multiply A and the input X modulo 2 and apply the function map. They suggest the parameter N is 256.

They also propose an alternative weak PRF candidate for two-party computation. The secret key is an M-bit vector and the input X is also an M-bit vector.
Then compute the inner product of the input X and the secret key K, then sum up modulo 2 of the result and modulo 3 of the result, and then compute modulo 2. This is a very simple construction. They suggest the parameter N is 384. Their parameter selection is based on the BKW attack. The BKW attack is an attack for the LPN problem, and this attack recommends N is 384 for 128-bit security with 2 to the power of 60 bits of memory. However, the BKW attack does not seem to apply to the new weak PRF candidate. So they recommend N is 256 with an analysis of low-degree rational functions.

Our intuition is also very simple. We observe that if the inner product of the input X and the secret key K is 0, 1 or 2 modulo 6, then the weak PRF produces 0. Also, if the inner product of X and K is 3, 4 or 5 modulo 6, then the weak PRF produces 1. We think that the input of the weak PRF can be considered as modulo 6, but X is uniformly chosen in bits, not uniform in Z6 space, so it may give a statistical weakness. Assume that the inner product of X and K is the sum of X1, X2, ..., XH, where H is the number of ones in the secret key K. Then the output of the weak PRF is determined by the number of ones among X1, X2, ..., XH.

Our key idea is the sum of combinations. We define F, which takes input N and T and is the sum of the combinations skipped by T. When T is 2 or 3 we can easily compute the value; then how about K? We can represent the value of F by the T-th roots of unity. When F is divided by 2 to the power of N, it has a difference from 1 over T. The difference is determined by the absolute value of 1 plus ω, over 2, which is equal to cosine of π over T. When T is 6 it is the square root of 3 over 2.

Now we will talk about our attack on the alternative weak PRF candidate. Let H be the number of ones in the secret key K. Then we compute the conditional probability that element J of vector X is zero when the output of the weak PRF is zero. If element J of vector K is zero, then element J of vector X does not affect the output of the weak PRF.
This is because the output is determined by the inner product of the input X and the secret key K. Therefore the conditional probability is one half. Now, if element J of vector K is one, the conditional probability is a fraction of sums of combinations. Through tedious computation we can get the values of the conditional probability, and they are biased. Unfortunately, when H is 2 modulo 6 the conditional probability is exactly one half. But in this case, if we choose two elements of vector X, then we get a biased conditional probability. The difference between the conditional probability and one half is similar to 1 over 2 to the power of 0.21H. The secret key K is drawn uniformly at random from N bits, so we can assume H is N over 2. Then the difference between the conditional probability and one half is similar to 1 over 2 to the power of 0.105N. If the number of samples is larger than 2 to the power of 0.21N, we show that we can distinguish weak PRF candidate samples from uniformly random samples. Therefore N must grow from 384 to 610 to be robust against our attack for 128-bit security with exponentially many samples. An open question: if the number of samples is polynomial, then prove or disprove the security of the weak PRF candidate.

And now we will introduce our attack on the new weak PRF candidate. We assume that the matrix A is a circulant matrix, because with a circulant matrix the key size is reduced from N squared to N. This is more efficient, and the security is considered the same as for a randomly chosen A in the paper. Let A be the circulant matrix and define the function map that takes an N-bit input and simply computes the sum modulo 3. Let H be the number of ones in a base vector of matrix A. Then we observe a new property of the number of ones. When we multiply a vector consisting of only ones by matrix A, the result is a vector consisting of only H, because A is a circulant matrix.
When we multiply a vector consisting of only ones by the vector A times X, where X is an input, the result is H times HX, where HX is the number of ones in vector X. Thus, if the number of ones in vector X is even, then A times X is also even. The parity of the number of ones in A times X is preserved if the number of ones in vector X is even. And now we observe the weak PRF, which is map of A times X. If we get samples which have an even number of ones, it may give a statistical distance. The number of ones in A times X is even if HX is even. Let Y be a random vector in M bits whose number of ones is even. The following conditional probability is also a fraction of sums of combinations. The difference between the conditional probability and one third is similar to 1 over 2 to the power of 0.21N, and we need a heuristic assumption: A times X acts like a random vector Y. If the heuristic assumption holds, the difference between the following conditional probability and one third is similar to 1 over 2 to the power of 0.21N. We verify the assumption by experimental results.

Now let's see the experimental results. We draw a trend line according to various N. The y-axis is the logarithm of a value, P inverse. The logarithmic trend line is almost the same as our expectation for several N. So our assumption is valid.

Then how do we fix this to prevent our attack? In the alternative weak PRF case, just increase the number of ones in the secret key K. Our attack only depends on the number of ones in K. So change the distribution of secret keys from the uniform distribution to vectors whose number of ones is 305. And 384 choose 305 is large enough to prevent the brute-force attack. So our fix does not have to change N. In the new weak PRF case, to prevent our attack, we break the circulant matrix structure. Choose two random vectors and combine half circulant matrices of the random vectors. This fix preserves the advantages of the circulant matrix and also prevents our attack.
In our experimental results, weak PRFs have similar security when using a semi-circulant matrix and a random matrix. In both cases, it is significantly safer than the circulant matrix.

The first further work is to prove or disprove the security of weak PRFs when polynomially many samples are given. Our attack uses exponentially many samples, so it does not have to change parameters in the practical case. But our attack only uses the statistical weakness of weak PRFs. Thus, if someone combined the algebraic property and our observation, it could be a more effective attack. The second further work is cryptanalysis of the weak PRF with a full random matrix A. Since our method is limited to circulant matrices, find a whole new method for the full random case. Thank you for listening to my presentation.
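
The single-coordinate statistic described in the talk for the alternative candidate, as an added Python example that is not code from the talk or the paper: it computes the exact conditional probability from the sums of combinations, checks it by brute force on a small constructed key, and measures how fast the bias shrinks with the key weight H. The function names and the sample key are assumptions made for this illustration.

```python
from fractions import Fraction
from itertools import product
from math import comb, log2


def alt_wprf(k, x):
    """Alternative candidate as the talk describes it: w = <k, x> over the
    integers, output = ((w mod 2) + (w mod 3)) mod 2."""
    w = sum(ki & xi for ki, xi in zip(k, x))
    return ((w % 2) + (w % 3)) % 2


def zero_count(m):
    """Number of m-bit strings whose weight is 0, 1 or 2 modulo 6, the
    residues on which the candidate outputs 0."""
    return sum(comb(m, i) for i in range(m + 1) if i % 6 < 3)


def cond_prob(h):
    """Exact Pr[x_j = 0 | output = 0] for a position j with k_j = 1 when the
    key has h ones: fixing x_j = 0 leaves h - 1 free bits on the key support."""
    return Fraction(zero_count(h - 1), zero_count(h))


def brute_force_cond_prob(k, j):
    """Same probability by enumerating every input (small keys only)."""
    zeros = [x for x in product((0, 1), repeat=len(k)) if alt_wprf(k, x) == 0]
    return Fraction(sum(1 for x in zeros if x[j] == 0), len(zeros))


def bias_exponent(h):
    """Return e with |cond_prob(h) - 1/2| = 2**(-e*h), or None when the
    single-coordinate statistic is exactly unbiased."""
    bias = abs(cond_prob(h) - Fraction(1, 2))
    return None if bias == 0 else -log2(float(bias)) / h


if __name__ == "__main__":
    k = (1, 1, 1, 0, 0, 0)  # constructed 6-bit key with H = 3
    print("k_j = 1:", brute_force_cond_prob(k, 0), "formula:", cond_prob(3))
    print("k_j = 0:", brute_force_cond_prob(k, 3))
    for h in (8, 14, 192, 305):  # 8 and 14 are 2 modulo 6
        print(h, cond_prob(h) == Fraction(1, 2), bias_exponent(h))
```

For H = 192 (N over 2 with N = 384) and H = 305 the exponent comes out near 0.21, while H = 8 and H = 14 give exactly one half, which is the case where the talk switches to two coordinates.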