 Hi, thank you for watching this video. I'm Haoyang. I'm going to introduce our paper, improved mid-in the middle-premium attacks against AS hashing mode. This is a joint work with Zhenzhen, Lin, Jian, and Wenyin. At the beginning, I will introduce some background of our work. When designing a hash function, Merkle Damgar construction is a very common method used in practice. This construction breaks the input message into blocks of fixed size and then process them one at a time with a compression function, each time combining a block of the input with the output of the previous run. Many popular hash functions are built with this construction, such as MD5, SHA1, and SHA2. However, instead of designing a new hash function from scratch, there is another choice of converting an existing block cipher to compression function and then to hash function using such as the Merkle Damgar construction. We call this method block cipher hashing mode. This method is relatively simple and the new design will enjoy both inherited security and proper performance from the underlying block cipher. The most important part of the block cipher hashing mode is how to build compression function from block cipher. Among many modes, there are three popular constructions used in practice. They are dm-mode, mp-mode, and mmo-mode. For example, in the dm-mode, the previous chaining value hi-1 is used as the plaintext input to the block cipher while the block of message is used as key input. Then, the output of the block cipher is xord to the hi-1 to generate the next chaining value hi. The pre-major attack against the hash function is to find the message whose digest equals to the given value. The mid-in-middle pre-major tag is to split the compression function into two sub-functions. The one computed in the forward direction is called forward chunk, while the one computed backward is called backward chunk. The chunk separation satisfies a requirement that a part of the input message only affects one chunk and another part only affects the other chunk. The bits of the message affecting only one chunk are called neutral bits. In this picture, the blue sub-key bits are neutral bits for the forward chunk while the red ones are for the backward chunk. In this way, the two chunks can be computed independently and this allows the attacker to monitor mid-in-middle attack. In addition to the basic concept, several techniques have been proposed to extend the attack framework. The splice and cut technique regards that the first and the last steps can be spliced to be consecutive steps by the fit-forward mechanism. So any step can be the start point or the matching point of the mid-in-middle attack. For the second technique, initial structure is a few consecutive steps including at least two neutral words, where steps after the initial structure can be computed independently of one neutral word and the steps before can be computed independently of the other neutral word. This technique enables one to skip several steps at the beginning of chunks. The next is partial matching. In the primary mid-in-middle approach, the final phase of the attack involves the four-state matching between the two states, while the partial matching only checks one or several words between the two states. In this way, the required independent computations can be expanded by more steps. The last technique is the multi-target scenario. Instead of only one target, the attacker can introduce more targets in an attack, which can directly provide additional freedoms to one chunk without influencing the other one. Following the above framework of the mid-in-middle-premise attack, Sasaki proposed an attack on the hashing modes based on the 7-round AES. Different from previous mid-in-middle-premise attacks on other hash functions, neutral words in this attack are not chosen from the message. This is because of the fast diffusion of the AES case schedule, as flipping any bits in a sub-case will affect all other sub-case. So it is difficult to split the sub-case into two parts, and each one affects only one chunk. Due to this fact, the key input is fixed to pre-chosen constant values. The neutral words instead are chosen from a part of the internal state. In terms of the complexity of finalization at the matching stage, we notice that the freedom degrees of the forward and backward chunk are not balanced in this attack. Specifically, the freedom degrees of the forward chunk are much less than one of the backward chunk. So if we can improve the freedom degrees of the forward chunk, the attack will be accordingly improved, and this is what we did in this paper. In the next, I will explain our improved mid-in-middle-premise attacks on 7-round AES hashing mode. The picture here is an overview of our attack on 7-round AES 128. The main difference of our attack from Sasaki's attack is that we introduced neutral bytes from the case schedule rather than fixing the key input. It is also important to note that these neutral bytes in the case schedule are only used for the forward chunk, none is used for the backward chunk, as you can see at the rightmost column of this figure. This enables us to avoid separating the key bytes in every sub-key generated by the key schedule and in the meantime to exploit freedom from the key to balance the computations of forward and backward. In the following, I will explain the attack in detail. The first one is the initial structure which is highlighted with a green background in this figure. In the initial structure, we define the neutral bytes for both forward and backward. Firstly, the neutral bytes for forward are the blue cells. They are initialized at the two bytes 0 and 5 of the internal state 12 and also the first column of the sub-key k4. In the meantime, the remaining three columns of k4 is said to be constant values, then all the other sub-keys can be determined accordingly. Now we have freedom degrees of six bytes for choosing the forward neutral bytes. However, in order to limit the impact of these neutral bytes on the backward computations starting from state 11, we set the constant that the impact of these neutral bytes on the three bytes 5, 6, 7 in state 11 should be constant values. So in the end, we have freedom degrees of 24 bits for the forward computation. The neutral bytes for backward are those red cells. It is initialized in the 12 red cells of state 19 which constrain that after the following mixed column transformation, their impact on the blue cells of state 20 should be constant values. As a result, those blue cells of state 20 can be computed forward without any interference of the backward neutral bytes. In the end, there are 32-bit freedom degrees for the backward computation. After defining the initial structure, we need to separate the chunks such that they can compute it independently as long as possible. Firstly, all the sub-key states belong to the forward chunk. For the internal state, the forward chunk includes states 20 to 28, and in the last round, we omit the mixed column of transformation. Then the final state 28 can be spliced to the first state 0. Because of the omission of last round mixed columns, the forward chunk can be further extended to round 7. For the backward chunk, it includes states 8 to 11, and the computation starts from state 11 in the backward direction. After the chunk separation, we need to find a match at the meeting point of these two chunks. The states for matching is highlighted in the yellow background. At first, we want to introduce the property of the AES mixed columns. Since the matrix used in the mixed columns is an MDS matrix, any 4 bytes of the input and output will determine a unique solution. So, given more than 4 random bytes of the input and output, there is a high probability that they cannot match through the mixed columns. As a result, when x out of the 8 input and output bytes of the mixed columns are known, there is a filter of x-4 bytes. In this round, since the mixed column is a linear operation, we can move the addition of a K2 before the mixed columns. Then we need to find a partial match through the mixed columns between this act or some state and state 8. As we can see, the first, third and fourth columns of these two states all have 5 known bytes, so each column will provide an 8-bit filter and 24-bit filter in total. The idea of introducing neutral bytes from the K also applies to AES 192 and AES 256. Compared to AES 128, the case schedules of AES 192 and 256 have relatively slow diffusion, so it is possible to select more neutral bytes to add more freedom degrees to the forward chunk. In this slide, I only show the part of the tag that is different from the previous attack. The neutral bytes for forward includes the first column of state 17 and the first column of K4, which is constant that their impact on the first column of state 16 is constant value. And the freedom degrees are 32-bits. The neutral bytes for backward are the same as that of AES 128, which also have freedom degrees of 32-bits. Because of the slow diffusion of the case schedule, the state of case 3 will be constant values, which results that state 8 will be fully known in the backward chunk. So the 4 columns for the match will totally provide a 64-bit filter. We also apply this attack to KASU BC because it has exactly the same encryption algorithm and case schedule as that of AES 128, except for an additional tweak addition. For the forward neutral bytes, instead of K, we introduce neutral bytes from the first two bytes of the subtweets. Together with the neutral byte in state 12, we have a 24-bit freedom degrees for the forward chunk. The neutral bytes for backward is also the same as the previous attack. It has a 32-bit freedom degrees. At the matching point, the 4 columns will provide a 32-bit filter. Notice that the freedom degrees for the forward computation is less than the one of the backward and also the filtering speeds for the match. So to improve the attack, multiple targets can be introduced to increase the freedom degrees of the forward chunk. In the following, I will show that the neutral bytes from the case states can be used to extend the both attacks to 8 rounds for the first time. The basic idea of the extension is that we add one more round to the backward chunk based on the previous seven-round attacks. The template of this attack is shown in this picture. In order to obtain such an attack, basically we have three constraints on the case schedule. Firstly, the forward neutral byte should have constant impact on the first state of the backward chunk so that the first round of the backward chunk can be computed deterministically. Secondly, at most one column of case 3 can be the forward neutral byte. Otherwise, there will be more than one unknown byte in each column of state 8, which will invalidate the matching process. Lastly, neutral bytes in case 5 should not overlap with the backward neutral bytes. The neutral byte's position in this figure could be changed in a real attack, as long as it follows this basic pattern. Since the case schedule of AES-256 has a slow diffusion, it is able to satisfy the both three constraints. As a result, the forward neutral bytes could have at most 40 base freedom degrees, and the freedom degrees for the backward and the filtering power are both 32 bits. Finally, the extension also applies to AES-192. The neutral byte for forward includes one byte in state 16 and one column in K5. Unlike the constraint mentioned just now, we relax the constraint on the third byte of state 15 because this unknown byte will have no influence in the following backward computation. The rest configuration is similar to the previous attack. This is the summary of the attacks in our paper. All the attacks mentioned above are pseudo-premise attacks. The column time 1 in this table shows the corresponding time complexity. In order to convert these attacks to pre-image or second pre-image attacks, additional procedure is required, and time 2 is overall time complexity. That's all. Thank you for watching this video.