Hello, everyone. I'm Le He from Tsinghua University, one of the authors of the paper "Improved Preimage Attacks on 4-Round Keccak-224/256". This paper has been published in ToSC Volume 2021, Issue 1. On behalf of all the authors, in this video I will give an about 20-minute presentation to explain our work in this paper. As the title indicates, the analysis object of this paper is 4-round low-capacity Keccak, and the attack type is limited to preimage attacks. Moreover, we focus on linear analysis, which is commonly used in the preimage field. We improve the linear analysis by a technique named the freedom reuse strategy, which will be mainly discussed in this video. This strategy works on the partial linearization part, and it can be directly applied in any full linear structure. We then choose the currently best linear structure for low-capacity Keccak, proposed in [LS19]. As a result, we reduce the attack complexities by factors of 2^15 and 2^21. An important note is that the complexities here, and throughout the whole video, refer to guessing times instead of Keccak calls; we simply neglect the cost of solving the linear equation systems in the total counting. This page briefly summarizes some related work in the preimage field of round-reduced Keccak. Firstly, in [MS13], the authors provided preimage attacks with a SAT solver. This kind of attack can outperform exhaustive search on Keccak reduced to 3 rounds. The authors further applied rotational cryptanalysis in [MPS13]. That kind of attack even works on 4-round high-capacity Keccak; as far as we know, it is the only work that provides a preimage cryptanalysis of 4-round Keccak-512, since linear analysis can hardly deal with it. In [GLS16], a two-round full linear structure of the Keccak round function was proposed. This structure can be directly applied to 3-round Keccak, while attacks on 4-round Keccak still require another process of partial linearization.
In [LS19], the authors developed the linear structure via an allocating model. This model works extremely well on 3-round Keccak and even helped in providing the first practical preimage for 3-round Keccak-224. However, their partial linearization strategy for 4-round Keccak is still inefficient. Our work directly inherits this developed model and only makes efforts in partial linearization. The complexities of preimage attacks on 4-round Keccak-224/256 are summarized in this table. From the comparison, we can see that for 4-round Keccak, an efficient partial linearization strategy can bring even more gain than a developed linear structure. So partial linearization is indeed a major problem. Before getting into the main part, we first learn some preliminaries of Keccak about its calculation, its output, and some important notations. As we all know, Keccak was the winner of the SHA-3 competition and was finally standardized in 2015. The designers adopted a newly proposed iterative construction named sponge. In this video, we will not present the execution of the general sponge; for more details, please refer to the Keccak reference. We only focus on a certain case in which its iterative core, the Keccak-f permutation, is executed only twice, as shown in the figure below. This is exactly the attack model we use in this paper. As for the Keccak-f permutation, it runs on a 1600-bit inner state. The inner state can be organized as a 5×5×64 cuboid, and each bit is indexed by a triple (x, y, z), where x and y vary from 0 to 4 and z varies from 0 to 63. According to the Keccak reference, the cuboid can be cut into different parts named rows, columns, lanes, or slices under certain x, y, or z, as shown in the figure. Then, each execution of Keccak-f consists of 24 rounds of the round function R, and each R includes five steps: θ, ρ, π, χ, ι.
We understand that not all listeners are familiar with the Keccak round function, so we fade the concrete formulas out and try to highlight the properties of those steps. θ is a diffusion layer given by an XOR sum among 11 bits, ρ is an in-lane rotation permutation, π is an in-slice swap permutation, χ is a 5-bit quadratic S-box which is the only nonlinear step in Keccak-f, and ι is a constant-addition layer which can be ignored in linear analysis. After finishing all Keccak-f executions, the digest is output from the first L bits of the final state. The counting order is z, then x, and finally y; the directions are given in the figure. We set this page here just to emphasize that, in Keccak-224, the digest bits from the fourth lane correspond to z from 0 to 31. The last part of the preliminaries is quite important because it involves the meanings of the notations we use in this paper. Without these notations, the construction figures of the linear structure or the freedom reuse strategy might be hard to understand. First, we need to mark the execution status of a middle state. We use a Greek letter with a superscript to denote the state exactly after the corresponding step. Here α is among θ, ρ, π, χ, ι, and i starts from 1. We pronounce it "α^i"; for example, π^3, which means the state after the third π step, is the last linear state in the linear structure. In particular, ι^0 denotes the initial state after absorbing the message block. Then we can further denote one bit of a certain state with a triple index in the subscript, pronounced "α^i_{x,y,z}". For example, χ^4_{0,0,0} to χ^4_{3,0,31} corresponds to the output of 4-round Keccak-224; here we invert the last ι step before searching the preimage. We may also use the star symbol to denote a part of a certain state; the star symbol here means all legal values.
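To make the property of θ concrete, here is a minimal Python sketch (ours, not from the talk) of the θ step on a 5×5×64 state indexed as state[x][y][z]. It checks the fact used throughout the talk: each output bit of θ is the XOR of 11 input bits, namely the bit itself plus two neighboring 5-bit columns.

```python
import random

def column_sums(state):
    # S[x][z]: XOR of the five bits in column (x, z)
    return [[state[x][0][z] ^ state[x][1][z] ^ state[x][2][z]
             ^ state[x][3][z] ^ state[x][4][z] for z in range(64)]
            for x in range(5)]

def theta(state):
    # out(x,y,z) = in(x,y,z) XOR S(x-1,z) XOR S(x+1,z-1)
    S = column_sums(state)
    return [[[state[x][y][z] ^ S[(x - 1) % 5][z] ^ S[(x + 1) % 5][(z - 1) % 64]
              for z in range(64)] for y in range(5)] for x in range(5)]

# Spot-check: one theta output bit equals the XOR of 11 input bits
# (the solitary bit plus two 5-bit columns).
random.seed(1)
st = [[[random.randint(0, 1) for _ in range(64)] for _ in range(5)]
      for _ in range(5)]
out = theta(st)
x, y, z = 2, 3, 10
acc = st[x][y][z]
for yy in range(5):
    acc ^= st[(x - 1) % 5][yy][z] ^ st[(x + 1) % 5][yy][(z - 1) % 64]
assert out[x][y][z] == acc
```

This 11-bit decomposition (two columns plus one solitary bit) is exactly the shape that the partial linearization and zero-coefficient arguments later rely on.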
For example, π^3_{*,y,z} is a 5-bit row, π^3_{x,*,z} is a 5-bit column, π^3_{x,y,*} is a 64-bit lane, and π^3_{*,*,z} is a 5×5 slice. The column sum is a significant value in the θ steps. We use the symbol S to denote the column sum so that we can simplify some calculation formulas. This symbol is marked by a certain state with a subscript (x, z), which denotes the XOR sum of the corresponding 5-bit column. Now we can start our improved linear analysis of Keccak. First of all, we should explain how linear analysis works on the Keccak round function. It is self-evident that the core of linear analysis is to construct linear relations between input bits and output bits. Suppose we have input M and output O, and we may need some linked variables L to connect input and output. We set some conditions in M to linearize parts of L, and then set conditions in L to linearize parts of O. There is also another way where we start from L, linearizing forwards and backwards; here we only focus on the direct linearization. As long as we linearize any bit in O, we successfully construct a linear route through the encryption function. Then we can satisfy some conditions on the linearized output bits, and each condition brings a gain of 2^1. All these conditions compose a linear equation system, which corresponds to a 0-1 matrix. Actually, the linear equation system may have no solution or multiple solutions. Here we remark again that we neglect the cost of solving it; we are only concerned with the total number of guesses for matching the entire output. The analysis of Keccak becomes a bit different. In the linear analysis of Keccak, I mean the present linear analysis, L becomes a fully linear state, and O becomes the output of the last π step. In other words, we can only construct a lossy route, since L is fully linearized rather than partially chosen, and O is not the digest.
Under this analysis, from M to L we need to design a linear structure, and from L to O we need to perform a partial linearization. We had better reduce the equations spent from M to L so that we can set more equations in O, because the total number of equations is limited by the length of M. Moreover, since the linear route doesn't pass through the last quadratic S-box, one equation in O may not bring a gain of 2^1. After constructing the linear route, a gain analysis is further required. Therefore, the improved linear analysis of Keccak consists of three parts: linear structure, partial linearization, and gain analysis. First, about the linear structure. We have stated that we inherit this part from [LS19], where a two-round linear structure with 194 degrees of freedom left is designed by an allocating model. In this video, we just briefly introduce the principle of this structure; for more details, please refer to the original paper. To construct a linear structure, we must let the linear route pass through χ, which is the only nonlinear step in Keccak-f. It is easily known that χ keeps linear when the input doesn't contain neighboring variables. For example, if only bits (0, y, z) and (2, y, z) are variables, all five output bits can keep linear. Under this law, the linear route can easily pass through the first χ step. Then we must deal with variable generation to avoid neighboring variables appearing in the next χ: we need to choose proper constants to prevent generation in χ, and fix column sums to prevent diffusion in θ. As for ρ and π, these two are bit-to-bit permutations and will not generate new variables. This figure shows the two-round linear structure for Keccak-256; the structure for Keccak-224 is just similar. Here, each square represents a 64-bit lane. The initial state contains 10 variable lanes, leaving 15 constant lanes.
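The non-neighboring-variables law can be checked exhaustively. Below is a minimal Python sketch (ours, not from the talk) of χ on one 5-bit row: with variables a and b only at the non-neighboring positions 0 and 2, every output bit is affine in (a, b) for all choices of the three constants.

```python
from itertools import product

def chi_row(row):
    # Keccak chi on one 5-bit row: out[x] = in[x] XOR (NOT in[x+1] AND in[x+2])
    return [row[x] ^ ((row[(x + 1) % 5] ^ 1) & row[(x + 2) % 5])
            for x in range(5)]

def all_outputs_affine(c1, c2, c3):
    # Input row (a, c1, b, c2, c3): variables a, b at the non-neighboring
    # positions 0 and 2, constants elsewhere.
    outs = {(a, b): chi_row([a, c1, b, c2, c3]) for a in (0, 1) for b in (0, 1)}
    # A GF(2) function of (a, b) is affine iff its four values XOR to zero.
    return all(outs[0, 0][x] ^ outs[1, 0][x] ^ outs[0, 1][x] ^ outs[1, 1][x] == 0
               for x in range(5))

# All five output bits stay linear for every choice of constants.
assert all(all_outputs_affine(c1, c2, c3)
           for c1, c2, c3 in product((0, 1), repeat=3))
```

The same check fails immediately if the two variables are placed at neighboring positions, which is why the structure must keep variable positions apart before every χ step.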
Among those constant lanes, 8 lanes are restricted because they are out of the range of the message block, as marked by the diagonals. The linear structure starts with 320 column-sum equations to prevent diffusion in the first θ step. Here RC is short for random constant, which provides a random space for searching the preimage. The constants of the first χ step are all fixed in the form (variable, 0, variable, 0, 1), so that the first χ step will not generate new variables. Similarly, in the second θ step, 128 equations are set to prevent diffusion. Finally, the linear route passes through the second χ step and reaches π^3. It can be proven that the rank of the equation matrix is only 446, returning 2 degrees of freedom. Thus, this two-round structure leaves 194 degrees of freedom. Actually, to meet those constants of 0 and 1 in the first χ step, the lanes in the initial state must satisfy specific conditions. However, some conditions only involve restricted parts and cannot be satisfied by setting the message. For this reason, an allocating model is applied to generate a qualified inner state. It should be noted that the complexity of matching such conditions is much smaller than that of searching the preimage, so we omit this part of the complexity in the total counting. After linearizing state π^3, we can continue with partial linearization. First, we need to understand the effect of one constant in π^3. Each constant bit in the 1600-bit inner state can linearize the two neighboring bits on its left. As in the example in the figure, the constant π^3_{3,1,z} can linearize χ^3_{1,1,z} and χ^3_{2,1,z}. Then, since the target bit in π^4 comes from the XOR sum of 11 bits in χ^3, and among these bits only two are neighboring, it is easily known that the partial linearization of a single bit requires at least 10 constants, as shown in the figure. This is indeed the most efficient strategy for a single bit.
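The "two bits on its left" effect can also be verified by brute force. Here is a minimal Python sketch (ours, not from the talk): fixing one input bit of a χ row makes exactly the two output bits to its left affine in the four remaining free inputs.

```python
from itertools import product

def chi_row(row):
    # Keccak chi on one 5-bit row: out[x] = in[x] XOR (NOT in[x+1] AND in[x+2])
    return [row[x] ^ ((row[(x + 1) % 5] ^ 1) & row[(x + 2) % 5])
            for x in range(5)]

def is_affine(table):
    # table maps 4-bit tuples -> output bit; affine over GF(2) iff
    # f(u) ^ f(v) ^ f(u XOR v) ^ f(0) == 0 for all u, v.
    zero = (0, 0, 0, 0)
    return all(table[u] ^ table[v]
               ^ table[tuple(a ^ b for a, b in zip(u, v))]
               ^ table[zero] == 0
               for u in table for v in table)

def affine_outputs(p, const):
    # Fix input bit p to `const`; return the output positions that are
    # affine in the four remaining free input bits.
    free = [x for x in range(5) if x != p]
    tables = [dict() for _ in range(5)]
    for bits in product((0, 1), repeat=4):
        row = [0] * 5
        row[p] = const
        for x, b in zip(free, bits):
            row[x] = b
        out = chi_row(row)
        for i in range(5):
            tables[i][bits] = out[i]
    return {i for i in range(5) if is_affine(tables[i])}

# One constant at position p linearizes exactly the two bits on its left,
# e.g. a constant at x = 3 linearizes the outputs at x = 1 and x = 2,
# matching the example in the talk.
for p in range(5):
    for const in (0, 1):
        assert affine_outputs(p, const) == {(p - 1) % 5, (p - 2) % 5}
```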
Yet for multiple bits, this strategy is apparently inefficient because it wastes almost half of the linearized bits in χ^3. Actually, those wasted bits can be utilized by simply adding one constant, as shown in the figure. By adding such a constant, we can obtain another group of 11 linearized bits and reach another target in π^4. A restriction of this two-bit strategy is that the locations of the two targets are relatively fixed. For example, if the first bit is π^4_{1,0,z+44}, the second bit must be π^4_{2,0,z+43}. The numbers here are decided by the offsets of the ρ step. Based on this two-bit strategy, we finally adopt a freedom reuse strategy that makes full use of the linearized bits in χ^3. With a chosen starting column, each turn we let one column coincide with a column of the previous turn, which means we can get two more linearized bits by adding only six constants. Yet the restriction of this strategy becomes even stricter, because the locations of all linearized bits are directly determined by the starting column. This table shows a comparison between the old strategy and the freedom reuse strategy. Within identically 194 degrees of freedom, the old strategy sets 10n constants for n linearized bits, practically 170 for 17, while the freedom reuse strategy sets 5 + 6n constants for 2n linearized bits, practically 173 for 56. The efficiency gap is quite apparent. An advantage of the old strategy is that the location of each linearized bit can be arbitrarily chosen, so attackers can choose the bits that linearly match the digest with a gain of almost 2^1 each. Yet under the freedom reuse strategy, the location of each linearized bit is relatively fixed; thus there is a gain loss, since some bits may not linearly match the digest. The gain may be 2^1, 2^0.5, or even no gain. These conclusions will be further argued in the gain analysis part.
Now we explain the principle and effect of the freedom reuse strategy, which is the main technique we use in this paper. Yet a question arises: if we spend 173 degrees of freedom in setting constants, how can we get a gain over 2^21? Actually, we propose another technique named zero coefficient to reduce the cost. By using this technique, we find and construct 11 linearly dependent bit pairs, so that those constants only cost 162 degrees of freedom. To explain the principle of zero coefficient, we first recall the two-round linear structure. We have constructed a linear route from ι^0 to π^3, and we are about to set several constants in π^3 to perform partial linearization. One step backwards, each bit in π^3 corresponds to the XOR sum of 11 bits in χ^2, in the form of two columns and one solitary bit. Although we paint χ^2 all yellow, actually some of the lanes may be constants or variables depending on the input of the χ step. Now let's consider a special case of a bit pair in the same column of χ^2. It is found that if the two solitary bits are both constants, then no matter what the two columns are, the corresponding bits in θ^3 become linearly dependent, because their components are just the same. This zero-coefficient pair finally reaches π^3, and in this case we can set two constants by spending only one degree of freedom. This is the key idea of zero coefficient. Of course, these two constants cannot be set randomly; they must be equal or complementary according to the linear relation. As for the construction of zero-coefficient pairs, we need to meet some restrictions to ensure the constant attribute of the corresponding bits, and the constant attribute is decided by the related bits of the S-box input. To fix the input bits, we even need to trace back to the column sums in χ^1.
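The linear dependence behind a zero-coefficient pair follows directly from the structure of θ, and a quick numeric check illustrates it. Below is a minimal Python sketch (ours, not from the talk): two θ outputs lying in the same column share both of their 5-bit input columns, so their XOR collapses to the XOR of the two solitary input bits alone. If those two solitary bits are constants, the pair is linearly dependent regardless of everything else.

```python
import random

def theta(state):
    # Keccak theta on a 5 x 5 x 64 state indexed state[x][y][z]:
    # out(x,y,z) = in(x,y,z) XOR S(x-1,z) XOR S(x+1,z-1),
    # where S(x,z) is the XOR of the five bits of column (x, z).
    S = [[state[x][0][z] ^ state[x][1][z] ^ state[x][2][z]
          ^ state[x][3][z] ^ state[x][4][z] for z in range(64)]
         for x in range(5)]
    return [[[state[x][y][z] ^ S[(x - 1) % 5][z] ^ S[(x + 1) % 5][(z - 1) % 64]
              for z in range(64)] for y in range(5)] for x in range(5)]

# Two theta outputs in the same column share the same two input columns,
# so their XOR equals the XOR of the two solitary bits alone.
random.seed(7)
st = [[[random.randint(0, 1) for _ in range(64)] for _ in range(5)]
      for _ in range(5)]
out = theta(st)
x, z, y1, y2 = 2, 5, 0, 3
assert out[x][y1][z] ^ out[x][y2][z] == st[x][y1][z] ^ st[x][y2][z]
```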
Notice that setting column sums will not cost degrees of freedom, because the column sums belong to the vector b of the equation system Ax = b. This table shows the details of all 11 zero-coefficient bit pairs under the starting column π^3_{4,*,z}. From the table we can see that these bit pairs can be constructed without contradictions. So far we have finished the partial linearization part of our improved analysis for low-capacity Keccak. By spending 162 degrees of freedom, we can linearize 56 bits in π^4. Yet because of the last nonlinear χ step, those bits in π^4 may not linearly match the digest, so we still need to perform a gain analysis to calculate the expected gain of those linearized bits. In the gain analysis part, we adopt a bit-recovering model to select effective equations. Usually, the number of effective equations is larger than the number of degrees of freedom left, so another process of freedom return is required to make up the lack of freedom. This table displays the details of all 56 linearized bits under the starting column π^3_{4,*,z}. It is concluded that those bits are distributed in 38 rows, which can be divided into three classes according to the number of linearized bits they contain. Our bit-recovering model also works differently in the three classes. In rows containing one bit, the principle is quite simple. For a certain output, if one bit is identical in all possible inputs, it is regarded as a recovered bit, and we can set an effective equation on it. The gain of such an equation is 2^1, because it compresses the whole space into half size with all qualified cases conserved. When the analysis object is Keccak-224, things become a bit complicated, because an uncertain bit may cover three out of four cases, which brings a gain of only 2^0.5, as shown in the example.
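The bit-recovering notion can be sketched directly: enumerate the χ-row inputs consistent with the known digest bits, and call an input position "recovered" if it takes the same value in every consistent input. This is a minimal Python illustration (ours, not from the talk; the function names are our own):

```python
from itertools import product

def chi_row(row):
    # Keccak chi on one 5-bit row: out[x] = in[x] XOR (NOT in[x+1] AND in[x+2])
    return tuple(row[x] ^ ((row[(x + 1) % 5] ^ 1) & row[(x + 2) % 5])
                 for x in range(5))

def recovered_bits(known):
    # known: {output position: digest bit}. A position is "recovered" if it
    # takes the same value in every input consistent with `known`.
    inputs = [r for r in product((0, 1), repeat=5)
              if all(chi_row(r)[i] == b for i, b in known.items())]
    return [x for x in range(5) if len({r[x] for r in inputs}) == 1]

# With all five output bits known, chi (a permutation on 5-bit rows)
# has a unique preimage, so every input bit is recovered.
full = dict(enumerate(chi_row((1, 0, 1, 1, 0))))
assert recovered_bits(full) == [0, 1, 2, 3, 4]
# With no output bits known, nothing is recovered.
assert recovered_bits({}) == []
```

When only some output bits of a row are known, the consistent input set grows and a bit may be merely "uncertain" (equal in, say, three out of four cases), which is exactly the 2^0.5-gain situation described above.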
Though it is also an effective equation, we had better give priority to the equations that can bring a gain of 2^1, since the space for equation setting is limited. Then, in rows containing two bits, it depends on the number of recovered bits. If there are two recovered bits, the gain is of course 2^2. If there are one recovered bit and one uncertain bit, the gain may be 2^1 or 2^0.5. If the two bits are both uncertain, we can still set effective equations on the sum of the two bits, as shown in the examples. Similarly, for Keccak-224, the equation may only cover three out of four cases. Though we have multiple choices in this situation, no single equation can bring a gain over 2^0.5. As for rows containing three bits, the situation is quite complicated. Fortunately, we only need to analyze a specific case for Keccak-256. In this case, π^4_{4,0,z} will never be recovered, so it is quite similar to the case of rows containing two bits. Though the three bits are all uncertain, we can still set effective equations on the sum of two bits, as shown in the example. It is concluded that this kind of row can always bring a gain of 2^2. We have explained how to set effective equations on the linearized bits in π^4. The number of effective equations depends on the locations of the linearized bits and the digest we are about to match. Yet in some good cases, the number of effective equations may exceed the degrees of freedom. Besides making full use of freedom, we can also perform freedom return to fetch more space. The principle of freedom return is quite simple. Recall that in the freedom reuse strategy, each turn we add one column and one solitary constant to linearize two bits. Actually, the solitary constant corresponds to one of the two linearized bits.
If we find that no effective equation can be set on such a bit, we can return the freedom by deleting the equation that sets the solitary constant. Since we linearize 56 bits in π^4, 28 of them may return freedom. Among these bits, 6 have been bound in zero-coefficient pairs and cannot apply freedom return. This table summarizes the situations of freedom return for the remaining 22 bits under the starting column π^3_{4,*,z}. It is concluded that 7 degrees of freedom can be returned on average. Finally, by carefully calculating the probability of each combination, we get the analysis results below. For 4-round Keccak-256, it is theoretically concluded that 34.5 effective equations can be set on average under the starting column π^3_{4,*,z}. Here z shows a characteristic of rotational symmetry, varying from 0 to 63. Yet for a certain digest, there must be a best starting column that brings the greatest gain. We also ran an experimental test, and it is concluded that for about 74.5% of random digests, the total gain can reach 2^38. For 4-round Keccak-224, it is theoretically concluded that 38 effective equations can be set on average under the starting column π^3_{4,*,6}, which is exactly the best starting column. Yet the total gain is 2^32, since some of the equations cannot bring a gain of 2^1. The experimental result shows that for about 61.3% of random digests, the total gain can reach 2^32. For more details, such as the distribution table, the gain list, and the calculating process, please refer to the original paper. So far, we have displayed all the contents we need to explain about our work, and now let us make a summary. In this paper, we provide improved preimage attacks on 4-round Keccak-224/256 through linear analysis. The improved analysis consists of three parts, as listed below. About the linear structure, we inherit this part from [LS19], which is a two-round structure with 194 degrees of freedom left.
Our main improvements are reflected in the partial linearization part. We adopt a freedom reuse strategy, where multiple bits can be linearized by some common constants. In addition, through the technique of zero coefficient, the cost of setting constants can be further decreased. In the final gain analysis, by applying bit recovering and freedom return, it is concluded that the total gains of our improved preimage attacks can reach 2^32 and 2^38, respectively. That's all for our presentation. Thank you for listening.