Thanks for the nice introduction, and hello from my side. Usually I would say I'm happy to present here, but quite frankly, I'm not. As you can see from the list of authors, Fukang should have given the presentation. However, his visa process was kind of delayed, so we lost our nerves and decided to send me instead. Now you have to deal with me, and let's get through it together.

So why do we look at RIPEMD-160? The primary two reasons why we look at it are that it's quite old, it's a hash function proposed in 1996, and that it's standardized as part of an ISO international standard. It's a hash function created in the 90s, so it kind of uses the Merkle-Damgård mode of operation with a 160-bit state. It has an ARX-based step update function which is iterated for 80 steps and, to the best of my knowledge, it's not broken yet, and it will not be broken after the presentation.

So let's go back to the 90s, to the time frame where RIPEMD has been designed. Around the time RIPEMD-160 was designed, a lot of other hash functions have been designed which share some similarities with each other. If we look at attacks on these 90s hash functions, then we see that we have a sad smiley for MD4, MD5 and the md1. This means that we have practical collisions for them. As far as I know, for RIPEMD-128 there are only some theoretical non-ideal properties on the hash function.
This is why I've drawn this math smiley. So let's see how the state is for RIPEMD-160. As I've told at the beginning, RIPEMD-160 has 80 steps. If we look at pre-image attacks, at most we can attack 31 steps. If we look at collision attacks and just focus on the compression function, we can do up to 48 steps when we do not start at the first step of the function, and we can do up to 40 steps if we start at the first step. Before this paper, for collision attacks on the hash function, the best attacks covered 30 out of 80 steps with a rather high time complexity, and in this paper we present collisions for round-reduced versions, reduced to 30 and 31 steps, with practical examples, and theoretical attacks for 33 and 34 steps.

As mentioned before, RIPEMD and almost all hash functions from the 90s used the Merkle-Damgård construction, which means that we have chained compression functions. So the interesting part that distinguishes these hash functions happens in the compression function.

If we look at MD4, MD5, SHA-1 or SHA-2, the compression function kind of looks like this. It kind of resembles a block cipher with a wide state and a large key schedule, so we have here the message expansion and the state update, where the chaining value gets updated, together with the feed-forward.

If we look at RIPEMD, the situation gets more complex. Basically we have two state update functions and two message expansions which work at the same state and which are merged together at the end of the compression function.

As promised, RIPEMD is an ARX function. So within one step, one of the five state words is updated using modular additions, rotations and this bitwise Boolean function, which changes here depending on the current step we are in. Also, there is a constant addition, and per step one word of the expanded message is also added to the state.

So how do we find collisions for RIPEMD-160?
Basically the high-level idea of such a collision attack is almost unchanged since 2005, and it was introduced by Wang and Yu. So basically we see the collision search as a differential problem. We basically search for a message which has a difference and which ends up in a collision, and this collision search also always follows similar steps. In the first step we search for a suitable differential characteristic. This differential characteristic usually has a dense part at the beginning and a sparse part, and we use the freedom, as we can choose the message words freely in a collision attack, to find a solution for the dense part and to connect the dense part with the chaining variable, and the propagation of the sparse part is done probabilistically.

So what do we do now for RIPEMD-160? Since the compression function is a bit more complex, how does the differential characteristic look like? One option is to place a dense part in both branches of RIPEMD. This has already been done by several papers, but here, from my point of view, the problem is that we have to use the freedom in the message to basically solve the dense part in two branches, so the available degrees of freedom are consumed very rapidly, and typically if we do an attack following this framework we can only do semi-free-start collisions.

Another option is to just place the dense part on one branch, for instance the right branch. Then the freedom in the message words is only used to solve the dense part on one side and connect with the chaining value, and the rest of the characteristic is propagated or solved by chance, basically. This was done in the previous collision attack on round-reduced RIPEMD, and clearly there is also a certain option to put the dense part on the left.

In this paper we looked at those two strategies and proposed one where the left is sparse and the right is dense, and one where the left is dense and the right is sparse, and the one where the left is dense
gives us the better attack, so we will have a closer look at this framework.

So let's start with the search for differential characteristics. Basically, we've used automatic techniques to search for the non-linear part in the characteristics, which is based on a long series of works which always improved and added new tricks to these techniques. The high-level idea of these automated techniques is basically a guess-and-determine attack, which means that we start from a certain starting point, then we do guesses on the bit conditions, then we propagate information of this guess to other bit conditions, and if we have a contradiction we backtrack and try to solve this issue.

So I think from this description you might not know what I mean, so let's do an example. We exercise through the rest of the presentation by the example of the 30-step collision attack. What you see here is basically the 30 state words, or the respective state words, which get updated in each step of the left branch. Then here we have the state words which get updated in the respective step on the right branch, and here we have the differential description of the 16 message words we use in RIPEMD.

So per word we have 32 bit conditions, and each symbol here represents a pair of bits. A dash means in the differential description that this pair of bits has to be equal, so there's no difference, which means that this pair of bits can take the values 00 or 11. If we have a 1, then we mean that this pair of bits has the value 1; if it has a 0, this pair of bits has the value 0. With a u and an n, differences are symbolized: one is the one-zero pair and the other one is the different pair, the zero-one pair. The question mark means that we have not refined the condition yet, so every assignment of the pair of bits is still possible.

So from the starting point on we are now searching for a differential characteristic. So how does this work?
Let's fast forward to the end of the search, kind of. What we do in a guess-and-determine search: we have here still a lot of question marks and undefined pairs of bits, and we guess some of these bit conditions. For instance, we guess here this question mark to a dash, and then we propagate the information and see how we can refine other bit conditions, since every bit is connected via functions in RIPEMD. We see that we can propagate a bunch of information. Then we guess a next bit, for instance here this question mark, and then we propagate again. Then we guess another bit, and then we propagate again, and what you can see here is that for this guess we have a contradiction. So this differential characteristic does not work out.

So we have to backtrack, which means we have to go back to a state where we didn't have, or couldn't notice, the contradiction and try to resolve it. In this case here, instead of guessing a dash, we guess an x, which means a difference, and then we propagate again the effects. Then we guess the last question mark and propagate again, to end up with our differential characteristic.

Now in the next step we have to search for a pair of message words which follows this characteristic. This is done in four steps. In the first step we find a solution for the dense part of the differential characteristic by consuming the degrees of freedom in the red message words here. In the second step we then compute one step forward by guessing m3. Then we aim to connect the dense part from the beginning in step three, and in step four we see if the conditions of the rest of the characteristic are fulfilled.

So let's start with step one. Basically what we do here is we refine the conditions more and compute the corresponding message word to this refinement.
So we do it, and we consume more degrees of freedom until we have determined our starting point from word 11 to 23. If we take a closer look here, we see that for the connection we might then have a problem, since the degrees of freedom and certain and and then are already used. So we have to find a solution for this for the later connecting step, and the first part of the solution is that we compute the solution set of x9, x10 which fulfills this equation for the state word x14 with the given m13.

So then we are at step two. Basically, we just guess the word m3 and compute one step forward.

Then we start the connection phase and try to connect from the beginning. How do we do this? We randomly choose those three message words, and after we've chosen those message words we can compute till step eight. Then we have to connect, which basically means that we calculate this variable with the help of the equation involving the message word and then. And here we find the solution for x9, x10 with word xor. Yes. Okay, where the xor corresponds to this variable, and if we found such a solution we can compute the message words m8, m9, m11, m12 and m14 and achieve connection. So basically we fill in here a solution which gives us the rest of the five not determined message words, and then we can attempt to propagate the rest of the characteristic and see if we have a contradiction or if it works out. Since this is a staged example, it works out and gives us the solution for the 30-step collision. But usually it doesn't work out. What do we do then? Then you go to step two again and try for another choice of those message words.

There's a follow-up work which is presented at FSE 2020, and hopefully this time it will be presented by Fukang. So thank you for your attention.

Thank you very much. Are there any questions?

It's semi-free-start collisions, basically. I already had them in the table.
I can show you the results, if you don't want to go to FSE for some reason, basically.

Do these techniques apply to other hash functions as well?

The high-level strategy, yes. But are there more examples for these parallel hash functions? Not that I know.

Okay. Thank you.

Okay, thank you.