The talk presents collision attacks on round-reduced Keccak using non-full S-box linearization. The talk is divided into five parts: the first part briefly reviews the background, the second part provides an overview of our collision attacks, part three elaborates on non-full S-box linearization, part four introduces GPU implementations, and the last part summarizes the results.

Okay, hash functions are an important type of primitives used in cryptosystems. The most widely used hash functions are the SHA family. The first member of this family is SHA-1. However, its theoretical collision attacks were found in 2005, while its real collisions were found early this year, which is another CRYPTO paper. To develop a new cryptographic hash function, NIST opened a public competition in 2007. The competition received dozens of submissions. After years of evaluation, Keccak was selected as the winner and standardized in 2015.

Keccak adopts the sponge construction. The sponge construction is a framework for constructing hash functions from permutations. It uses a b-bit underlying permutation f. There are two parameters: bitrate r and capacity c. The sum of r and c is b. Keccak takes in a message M and outputs a digest of d bits. Before processing, the message is padded and then split into r-bit blocks. Each block is XORed to the first r bits before applying the permutation f.

Keccak itself has four versions, Keccak-n, where n can be 224, 256, 384, 512. SHA-3 has six versions, including two extendable-output hash functions, SHAKE-n, where n can be 128, 256. To promote the cryptanalysis against Keccak, the designers launched challenges with regard to collision attacks and preimage attacks, where versions of lower security levels were proposed. These versions were denoted by Keccak[r, c, n_r, d].
d is the digest size.

The underlying permutation used in Keccak is called Keccak-f. It has an internal state of 1,600 bits, which can be seen as a five times five array of 64-bit lanes. It iterates 24 rounds. Each round consists of five steps: theta, rho, pi, chi and iota. Chi is the only nonlinear operation.

Before the introduction of these steps, let's review some notations defined by the designers. Look at the figure on the right. Suppose it is the internal state: the yellow part is called a slice, the purple part is called a column, the blue part is called a lane, and the sky blue part is called a row.

Theta adds two columns to the current bit, so each output bit depends on 11 input bits. If each column has even parity, then theta acts as the identity. In this case, we say the state is in the column parity kernel, CP kernel for short. The rho step is lane-wise rotations. The pi step is a permutation on lanes. The chi step applies a five-bit S-box to each row. From the algebraic expression, it can be seen that the algebraic degree of chi is two, which is quite low. Iota adds a round constant to the first lane to destroy symmetry.

Suppose the internal state is a five times five array; then the round function can be described in this way. Keep in mind, chi is the only nonlinear operation, and we define the composition of theta, rho, pi to be L. Iota in this talk is omitted since it plays no essential role in our attacks.

The major contribution of our work is that we propose two practical collision attacks and increase the number of rounds attacked to six.

Part two: an overview of our attacks. Our collision attacks have two stages: the connecting stage and the brute-force searching stage. In the connecting stage, one constructs an n_r1-round connector and gets a subspace of messages bypassing the first n_r1 rounds. In the brute-force searching stage, one tries to find a colliding pair following the latter n_r2-round differential trail by brute
force. Suppose the n_r2-round differential trail has input difference ΔS_I and output difference ΔS_O; then the n_r1-round connector is a procedure which produces message pairs M_2 and M_1 such that the difference after n_r1 rounds is exactly ΔS_I.

At FSE 2012, Dinur, Dunkelman and Shamir proposed the one-round connectors. The one-round connector is constructed by processing linear equations. In the one-round connector, two major properties of the S-box are used. Property one: given the output difference, the set of possible input differences contains at least five two-dimensional affine subspaces. Property two: given the input and output differences, the solution set forms an affine subspace. This is an example for property two. Suppose that both the input and output differences are 01; then the DDT entry is eight, and the solution set V forms a three-dimensional affine subspace, which can be defined by these two equations.

Based on these two properties, the one-round connector proceeds in two phases. Suppose the input difference and output difference of chi are β_i and α_i; then in the difference phase one finds a subspace of input differences β_0, and in the value phase, by fixing β_0, one obtains a subspace of input values that lead to ΔS_I.

At Eurocrypt 2017, Qiao et al. extended the one-round connectors to two-round connectors by fully linearizing the first round. Let's show how to linearize one S-box by confining the input to the set V. V contains four elements, which can be defined by these three equations. Then the S-box is equivalent to the following linear mapping.

However, there are limitations of current techniques. First of all, each five-bit active S-box allows an affine subspace solution of dimension at most two. Consequently, full linearization of two rounds is impossible, since three over five of the degrees of freedom is lost in each round of linearization. So it is also impossible to construct three-round connectors. To
overcome these limitations, we follow these two directions for improvements. First, we try to save degrees of freedom by allowing non-active S-boxes and partial linearization. Second, we develop faster implementations of Keccak for finding better differential trails as well as speeding up the brute-force stage, since finding differential trails and the brute-force searching are the most time-consuming in the attacks.

Part three: non-full S-box linearization. In the construction of two-round connectors, once the differences α_i, β_i are fixed, an equation system over the input value of chi can be constructed respectively for the first chi and the second chi, using property two of the S-box. Here E_M is the equation system over the input value of the first chi, and E_Z is the equation system of the input value of the second chi. From E_Z an equivalent system E_Y can be derived, since between Z and Y is the linear mapping L. To construct a two-round connector, these two equation systems E_M and E_Y should be merged. Fully linearizing the first round is a means to this end. However, it is not necessary to do so, since some bits of y may not be involved in E_Y.

Before moving on, let's introduce some notations. Let u be a flag vector where u_i is one if y_i is involved in E_Y; otherwise u_i is zero. Let capital U be a vector of five-bit values. If capital U_i is not zero, then the bits of y marked by U_i should be linearized. That is to say, for the bits which are not marked by U_i, there is no need to linearize them.

We have two observations. Observation one: for a non-active S-box, if U_i is zero, then it does not require any linearization; if U_i belongs to the set T, then at least one equation should be added to E_M to linearize the output bits marked by U_i; otherwise at least two equations are required. This table shows the number of linear equations required for linearizing certain numbers of output bits.

Observation two: for an active S-box, if the DDT entry is eight, then four out of five output bits are already linear if the input is chosen from the solution set. For example, if the input and output differences are 001, then the DDT entry is eight. If the input is chosen from the solution set, then the algebraic expressions of the S-box are reduced to this. As can be seen, y_1 is the only nonlinear bit. If y_1 is not involved in the equation system E_Y, then two equations are enough for the linearization.

This table summarizes the two observations. As can be seen, there are many cases where fewer than three equations are used. So compared with full S-box linearization, where at least three equations are used, non-full S-box linearization consumes fewer degrees of freedom. From the table, it is also learned that non-active S-boxes probably have an advantage over active S-boxes. However, if there are more non-active S-boxes, it would be harder to construct connectors. But once the connector is constructed successfully, solution sets with higher dimension would be obtained for the brute-force searching stage. What we do is find the best number of non-active S-boxes by experiment.

Another technique for saving degrees of freedom is called adaptive connectors. Adaptive connectors are those where some degrees of freedom used to linearize the nonlinear layer are reused. For example, suppose we want to linearize the output bit y_0 by fixing the value of x_1. Here x_1 can be fixed to either one or zero. If we fix it to
zero this time, we can fix it to one next time, so the one-bit degree of freedom can be reused and is not consumed. By combining the techniques of non-full S-box linearization and adaptive connectors, we could extend the two-round connectors to three-round connectors.

For faster implementations we turn to GPU. We develop two versions: version one for finding differential trails, version two for finding real collisions. This table shows the benchmark of our implementation of Keccak in CUDA. The experiments show that a GTX 1070 GPU can be 256 times faster than a CPU core. With our GPU implementations we find better differential trails, as listed in this table. Here the blue numbers affect the execution time of connectors, and the purple numbers determine the time complexity for the brute-force searching stage.

In the end we find two practical collision attacks: one for the five-round Keccak-224, and the other is a six-round instance of the Keccak collision challenges. This table shows the current status of the Keccak collision challenges.

In summary, we developed two types of techniques for saving degrees of freedom: one is non-full S-box linearization, the other is adaptive connectors. We also developed GPU implementations of Keccak, which gain better computing capacity over CPU implementations. The main results are three-round connectors and two new practical collision attacks. Thank you for your attention.
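
Added example, not part of the talk and not the authors' code: a Python check of the chi S-box facts the talk relies on, namely property two, the DDT entry of eight for difference 01 to 01 with its three-dimensional solution set, observation two (only y_1 stays nonlinear on that set), and the absence of any three-dimensional affine input subspace on which all five outputs are linear. The function names and the convention that bit i of an integer is x_i are assumptions made here.

```python
from itertools import combinations, product

def chi(x):
    """Keccak chi on one 5-bit row; bit i of the integer is x_i (assumed convention)."""
    b = [(x >> i) & 1 for i in range(5)]
    return sum((b[i] ^ ((b[(i + 1) % 5] ^ 1) & b[(i + 2) % 5])) << i for i in range(5))

CHI = [chi(x) for x in range(32)]

def solution_set(din, dout):
    """Inputs x with chi(x) ^ chi(x ^ din) == dout; the size is the DDT entry."""
    return [x for x in range(32) if CHI[x] ^ CHI[x ^ din] == dout]

def is_affine_subspace(s):
    """True if s is a coset of a linear subspace of GF(2)^5."""
    lin = {x ^ s[0] for x in s}
    return all(u ^ v in lin for u in lin for v in lin)

def nonlinear_mask(a, lin):
    """Bit i is set if output y_i is not affine on the affine subspace a + lin."""
    mask = 0
    for u, v in product(lin, repeat=2):
        mask |= CHI[a ^ u ^ v] ^ CHI[a ^ u] ^ CHI[a ^ v] ^ CHI[a]
    return mask

def affine_output_bits(s):
    """Indices of chi output bits that are affine when x is confined to s."""
    mask = nonlinear_mask(s[0], [x ^ s[0] for x in s])
    return [i for i in range(5) if not (mask >> i) & 1]

def property_two_holds():
    """Every non-empty DDT solution set of chi is an affine subspace."""
    sets = (solution_set(di, do) for di in range(1, 32) for do in range(32))
    return all(is_affine_subspace(s) for s in sets if s)

def has_fully_linear_subspace(dim):
    """True if some dim-dimensional affine subspace makes all five outputs affine."""
    for basis in combinations(range(1, 32), dim):
        span = [0]
        for v in basis:
            span += [x ^ v for x in span]
        reps = {min(a ^ v for v in span) for a in range(32)}  # one base per coset
        if len(set(span)) == 1 << dim and any(nonlinear_mask(a, span) == 0 for a in reps):
            return True
    return False

if __name__ == "__main__":
    V = solution_set(0x01, 0x01)  # differences from the talk's property-two example
    print(len(V), is_affine_subspace(V), affine_output_bits(V))
    print(property_two_holds(), has_fully_linear_subspace(2), has_fully_linear_subspace(3))
```

Under this bit convention the solution set for 01 to 01 is the set of inputs with x_1 = 0 and x_4 = 1, which is where the two defining equations mentioned in the talk come from.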