Pierre-Alain Fouque, Pierre Karpman and Thomas will give the talk. Thank you for the introduction. So meet-in-the-middle attacks have been commonly used in symmetric crypto, and somehow higher-order differentials have been a bit forgotten since the late 90s. So we've tried to come up with a unified framework to use these two techniques for mounting preimage attacks on hash functions. So we'll start with basic recalls on hash functions and preimage attacks. Then we'll present the Knellwolf and Khovratovich framework published at Crypto 2012. And then we will see how we can merge this previous framework with the notion of higher-order differentials. And then we'll attack the BLAKE family and the SHA-1 hash function.

First, hash functions are basically functions that take an arbitrary-length binary word and compress it into a fixed-length binary word. So hash functions are widely used in cryptography, in various schemes such as hash-and-sign or MACs. An interesting property that we want to have with hash functions is the avalanche effect: basically, if you just change a few bits in the input, you will have completely different outputs. So the security notions used to measure the security of hash functions are roughly three: collisions, preimage resistance and second preimage resistance. Collisions are the fact of finding two different messages M and M' such that their hashes are the same. Preimage: given a specific hash, try to find a message whose hash is precisely the one chosen. And second preimage is when you take an arbitrary message, hash it, and you want to find another message such that it hashes to the same value as the previous one. The security is measured with regard to the complexity of naive attacks, which are 2 to the k over 2, thanks to the birthday paradox, for collisions, and 2 to the k and 2 to the k, which is just brute force, for preimage and second preimage. Let's talk a bit about the construction of hash functions.
When you take a one-way compression function, you want to preserve its security properties through a domain extender and then get a hash function. A common way to achieve that is to use the Merkle-Damgård scheme, which basically takes a big message of whatever length, splits it into chunks of equal size, with padding if necessary, then feeds the first chunk to your compression function together with an IV. Then the result is given as the IV of the compression function for a second run, and then you give the second chunk, et cetera, until you get your final hash. To construct a compression function, you can use a block cipher, and a common method to get your compression function is to use the Davies-Meyer mode. So you feed your block cipher with your message to hash as the key, you give the IV as the plaintext, and you XOR the result with the IV. So finding a preimage for this cipher will be equivalent to finding a preimage of H, which is equal to C_IV, the function where the IV is fixed and the key is the message.

Let's suppose now that our compression function is split into two chunks, F1 and F2. Then a meet-in-the-middle attack will basically consist in guessing a key, guessing a message, doing a computation in one direction, doing the other computation in the other direction, and then, if you're lucky, if your guess is right, you have a match where you have done your split. In 2012 at Crypto, Knellwolf and Khovratovich described a unified framework combining meet-in-the-middle attacks and differential attacks for preimage search on hash functions. So basically the framework works as follows: you take two subspaces in direct sum in the space of messages, and for the sake of simplicity we'll assume here that these two subspaces have the same dimension, which is n, and you will suppose that for every delta 1 in D1, there exists a big Delta 1 such that for every message, this equation is fulfilled. It means that (delta 1, Delta 1) is a message differential of probability 1.
You will also require that the F2 inverse function verifies the same property for all the elements of D2, which is again the property that for every element of D2 there exists a big Delta 2 such that this is a differential, a message differential of probability 1. Now we can wonder what happens if, for a specific delta 1, delta 2, M plus delta 1 plus delta 2 is actually a preimage. Then we'll have this equation, thanks to the definition we gave of meet-in-the-middle. And when using the differential property we impose on D1 and D2, we'll get from that equation this one, for every message, or for a fixed message, sorry. Then what you do is simply move the delta 1 here and then the delta 2 here, and we get this equation. Then we can remark that the left part only depends on delta 2 and the right part only depends on delta 1. So an idea one can have is to store them in two lists, L1 and L2, which each depend on only one parameter. So we get now an algorithm to test the presence of a preimage, which basically is: you compute independently the two lists L1 and L2, then you look up a common element. If you get one, you're happy, because from what we've just said you get the fact that M plus delta 1 plus delta 2 is actually a preimage. If not, you're not that happy, but you can say something really interesting, which is that precisely the affine subspace M plus D1 plus D2 doesn't contain any preimage.

So in terms of complexity, if we call C1 and C2 the cost of one call to the function F1 and of one call to the function F2, the computation of the L2 list will cost 2 to the n times C1. I recall that the dimension of the space D2 and of the space D1 is n. So we have 2 to the n calls to make, and 2 to the n calls to make. This list has size 2 to the n, and this one has size 2 to the n. So you can look up common elements in 2 to the n.
Then for a cost of 2 to the n times C1 plus 2 to the n times C2, you can test whether, among 2 to the n messages, you get a preimage. So the point is that it's not sufficient, because if you want to find a preimage you will have to test a total set of cardinality 2 to the k, if k is the length of your hash. Therefore you will have to launch your algorithm again and again and again, and you have to launch it 2 to the k minus 2n times. Therefore the final complexity of the attack you mount is 2 to the k minus n multiplied by the cost of one call to the compression function.

Let's go back a bit in time, to 1994, when Lai and Knudsen independently introduced a generalization of differentials, which are higher-order differentials. So let's go back to the previous equation. Let's suppose that for a specific couple (delta, Delta) and for a sufficient set of messages this equation holds. This means that this equation is fulfilled with a certain probability. You will say that (delta, Delta) is a differential. Then if you rewrite it, just moving the f to the other side, you will see that this quantity is a finite difference operator. Then you can rewrite your equation like that. And what you can do with finite difference operators is to compose them, and then recursively you can compose a finite difference operator as many times as you want. The point is, for instance, when you just take two different operators and you compose them, let's say D_A D_B, you get an operator D_{A,B}. When you evaluate it on a message, you will get the translation with regard to A, the translation with regard to B, the translation with regard to A xor B, and the translation with regard to M, the null translation, sorry. Then you will ask that the equation D_{A,B} f(M) equals a specific Delta is fulfilled with a certain probability p. You will say that (A, B, Delta) is an order two message differential of probability p.
And we will use that to mount attacks with higher-order differentials. So now we will no longer have two subspaces but four: D1, D2, D3, D4. And we will ask, for every delta 1, delta 3 in D1, D3, that for every message this equation is fulfilled, which means, in the language we just introduced, that (delta 1, delta 3, 0) is an order two message differential of probability one. Here you can notice that we take an output difference of zero; we can do it with a non-zero difference, but it would just make the equation a bit longer, so for the sake of simplicity we use that case. And once again, for the sake of simplicity in the analysis of complexities, we will suppose that all the subspaces have the same dimension. So we will impose that this equation is also fulfilled for every element of D2, D4, the symmetric one. And previously, when we were asking for the presence of a preimage, we would say, okay, we want F1 of M plus delta 1 plus delta 2 to be equal to this quantity. Now we will ask for this equation to be fulfilled. And we again use the property imposed on D1, D2, D3, D4, and we will get that kind of equations. And now what we can see is that this quantity depends on three indices, this one, this one and this one, and these two quantities depend on two indices. So we can have a similar algorithm: we can store all these quantities in six lists. And what we will do is basically compute them independently, like before, and look up delta 1, delta 2, delta 3, delta 4 that fulfil the previous equation. And then, if you're lucky, you get a preimage, which is M plus delta 1 plus delta 2 plus delta 3 plus delta 4. If not, bad luck, but you don't care, because you can also say something interesting, which is that this big affine subspace doesn't contain a preimage. So in terms of complexity again, what you will do is you have to compute all these lists. Here, delta 3 can be chosen among 2 to the n different elements, and so here you will have 2 to the 3n calls to the function F1 to do.
Here, the same, et cetera. What you will do is, if you can compute the lookup I told you about efficiently, and you can in the precise case we are attacking, for SHA-1 and BLAKE, you will get this complexity for testing 2 to the 4n messages, which is basically 2 to the 3n times the cost of a call to the hash function. So once again it's not sufficient if n is not sufficiently big. So what you will do is just relaunch the whole previous algorithm 2 to the k minus 4n times, and at the end you will get a total complexity of 2 to the k minus n calls to the hash function.

So at this point you can say, okay, if I'm really lucky I can find lots of differentials, but what do I really gain by doing higher-order differential attacks? Because you can see here that in the best case what you will gain is a factor of three quarters, whereas when you do order one differentials you can gain at most a square root. So you are thinking, okay, it's great, it's more complicated and the results are worse, so what's the point? The point is that if you see differentials like derivatives in mathematics, you will lower the algebraic degree of the function you are considering. And by using order two differentials, you are indeed taking a differential of a function whose degree is lower by one than the degree of the function you are interested in. Therefore the function somehow has a smoother behavior, and you are more likely to find higher-probability differentials when you're using higher-order differentials. And for that reason you can find, if you're lucky, some order two, order three, I don't know what order, differentials when for any reason simple first-order differentials just don't exist. So that's the reason why it can be useful.

So now let's do fun things and let's break some functions. So SHA-1, I will recall it briefly because Pierre did it in a previous talk. It's part of the MD4 family.
Its hash size is 160 bits, so the preimage security is the same amount of bits. Message blocks are 512 bits long. It's a block cipher in Davies-Meyer mode, and the structure is a five-branch Feistel with a linear message expansion. Here is the round function.

So the results. We get 62 rounds attacked over 80, with two blocks and a correct padding, with a complexity which is not trivial but close to brute force. The previous results were made by Knellwolf and Khovratovich in 2012, and what we did is, on the one hand, we get further in the number of rounds, but also, for the same number of rounds, we lower the complexity by a factor of two. With one block and a correct padding, we managed to get four rounds further in the attack, and for the same number of rounds we lower the complexity by a factor of almost four. And in pseudo-preimage, which means that you allow the attacker to choose the IV, which allows you to be more flexible in the attack, we managed to attack 64 rounds with this complexity, and the previous results, still in Knellwolf and Khovratovich's paper, were 60 rounds. So overall, the introduction of higher-order differentials allows us to get further in the attack and to lower the complexity of the rounds previously attacked.

We also applied the framework to the BLAKE family of hash functions, BLAKE and BLAKE2. So BLAKE was a SHA-3 finalist; BLAKE2 is a faster version of the function. Both of them were designed for high performance. There are two versions of BLAKE, namely BLAKE-256 and BLAKE-512, which work on 32- and 64-bit words. BLAKE2 has two versions, BLAKE2b and BLAKE2s, where BLAKE2b corresponds to BLAKE-512 and BLAKE2s corresponds to BLAKE-256.
So the round functions of BLAKE and BLAKE2 have a similar shape: if you represent the internal state as a 4 by 4 matrix, it will first operate on rows and columns and then on diagonals, and you do that twice to obtain the round. So the results. We've managed to get a bit further in the attack on the BLAKE functions with the IV fixed, because the IV is somehow very constraining in BLAKE. So we gain only a quarter of a round, with a complexity of 2 to the 510. But if we attack in pseudo-preimage and we don't care about the initialization, we managed to attack respectively six and three quarters rounds on BLAKE2s and BLAKE-256, and we managed to attack seven and a half on BLAKE-512 and BLAKE2b, with complexities which are quite close to the brute-force attack. So these are still really theoretical attacks. That's all folks. Thank you very much.