 Hello everyone, I'm Zhang Lianhua from Tinghua University. I'm so honored to be here and I will show our people. Meet in the middle attacks in this state. Care recover, collision, and pre-image attacks. Firstly, I will introduce some backgrounds. Then I will explain automatic MITM care recover attacks and the application of skinning. Next, I will describe exploiting non-linearly constrained neutrons in MITM attacks. And finally, I will introduce the MITM-based collision attacks. So first, let's take a look at the three south states meeting the middle attack. The attack consists of two parts. In the MITM stage, we freed out some wrong key candidates and reduced the case base. In the key testing stage, we tested the surviving key candidates in a broad force manner. Like the picture shows, if we assume the block size is m bits and the key size is l bits. And we assume the key can split into three independent key, k1, k2, and k3. Some m bits information of a state can be partially computed along the forward direction by f1p without knowing k2. And the same m bits can also be computed along the backward direction by inverse of f2c without knowing k1. Therefore, we will get 22l-m key candidates remained. Then, we tested the surviving key candidates using some pen test cyber test pairs to follow the correct key in key testing stage. And the total commutation can be expressed by this formula. At Eurocraft 2021, the MITM pre-image attacks on AS light hashing were thoroughly modeled as constrained optimization problems, which was solved with LILP technicals by Paul Etel. Next, I will introduce the formal description of the MITM technical. Like the picture shows, state SCNC and state SKSE are the starting state. The adding states are E plus and E minus. In the forward commutation, the path starts from SCNC and SKSE leading to E plus. And in the backward commutation, the path starting from SCNC and SKSE leading to E minus. Partial match is between the E plus and the E minus. Moreover, the sales of starting states are partitioned into different subsets with different meanings. Newt word or for the forward commutation are denoted as the red as the blue sale. Newt word or the backward commutation are denoted by red sale. And no constants are denoted by gray sale. Besides, there will be unknown words in both the forward and backward charts. Denoted by red sale, but noted by white sale. The number of blue sales in the starting state is the initial screen of freedom for the forward commutation. And it is defined as lambda plus. Similarly, we use lambda minus defines the number of red sales in the starting state In forward and backward commutation, the DOF will be consumed. We use sigma plus and sigma minus to represent the accumulated DOF consumed in forward and backward charts respectively. Therefore, the remaining degree of freedom of forward and backward commutation, DOF plus and DOF minus can be computed easily. In addition, the degree of match is denoted by DOM. So the objective function is to maximize the minimal view of DOF plus DOF minus and DOM. Next, let me introduce our automatic MITM carry cover attacks. Because our app is to recover key, we need distinguish whether the DOF is front key and the consumed DOF is front key or not. Therefore, we divide the lambda plus and the sigma plus to two parts. In the MITM carry cover attack, the forward key space must be tested, and we must identify the unicode secret key. Besides, in the key recover attack, we prefer not to exhaust the forward code work of the targeted cipher. Therefore, the degree of freedom from SKE cannot be depleted. While the degree of freedom from SEMC should be used up, and there is at least one green seal in the planned test state, just conditions can be represented by equations like this. Next, I will show how we use our MITM carry cover attack of skinning. Let's briefly recall the structure of skinning. Like the picture shows, skinning faces on the tweaking framework. We apply our method of skinning in 3N. The version with an N-bit block size, a 3N-bit key, and a 0-bit tweaking. In each round, the state is updated with five operations, sub-sales and customs, and round tweaking, shift loads and max columns. And the key register is arranged into three 4x4 squares, in note as TQ1, TQ2, and TQ3 respectively. Then I will show how to build the MITM model for funding MITM attacks of skinning in 3N. Objective function, the objective function is to maximize the minimal field of DOF plus, DOF minus, and DOM. For the starting states, we have to know the number of group and the red fields. So we introduce alpha and beta for each field in the starting states. Alpha equals 1 if and only if the field is blue, while beta equals 1 if and only if the field is red. Then we can compute the number of blue fields by adding all the fields of alpha. And also we can compute the number of red fields by adding all the fields of beta. So we can use alpha and beta to represent the lambda en-thin plus, lambda k-thin plus, lambda en-thin minus, lambda k-thin minus like this. For the ending states, we assume this matching only happens as the max columns. So each column of the ending states E plus and E minus are linked by the emcee operation. We can enumerate all possible patterns and convert these local constraints into linear incortices using the conventional computation method. In computation passes, we build rules for XOR, ART, and emcee. I do not describe the rules in detail here, because the time is limited. Besides, we should add the constraints which we mentioned earlier. Solving the model, we identify a 23 round MITM carry curve attack of skinny end 3M. As shown in the figure, the starting states are Y1 and the 3 twin key inverse Tk1 to 1, Tk2 to 1, Tk3 to 1. The matching process happens as the emcee operation between Z12 and X13. There are three blue cells and three red cells in states as k-thin. So lambda k-thin minus equals 3 and lambda k-thin plus equals 3, too. It consumes two cells in the forward computation. Hence, we can get DOF minus equals 1. In the same way, we also can get DOF plus equals 1. At the main point, we have DOM from the first two columns of Z12 and X13. This is the algorithm of 23 round carry curve attack. We do not discuss the details here. Using the same method, we also analyze focus skinny. A summary of skinny and focus skinny is shown in the table. Our attack is the first 23 round single carry attack on skinny 128, 384, and skinny 64, 192. And the memory needed in our attacks is so small. Next, I will introduce another part. Exploiting nonlinearly straight neutral words in MITM attacks. In MITM attack of skinny, we have to solve two systems of recursions in order to compute the allowable bills for the neutral words. In the attack of skinny and previous MITM pre-major attacks, the two systems of recursions are linear, so it is easy to derive the solution. However, we encounter many MITM attacks with nonlinear constrained neutral words, and there is no efficient method for solving them. We present a table-based technical to solve the problem. So, algorithm should scale. Moreover, we can apply the technical to the MITM pre-major attack and the time complexity if not in quest. We apply the algorithm to crystal 256 and sentence hash. Pre-major attack on 6th round of growth transformation of crystal 256 is shown in figure. Without giving more details, I only show the time complexity is 22240, and the memory complexity is about 22152. Similarly, the 6th round MITM attack at the tiny hash is shown here. The time complexity and memory complexity is 22208 and 2248. Finally, I will introduce the last part of our paper, MITM best collision attacks. We call an algorithm a t0 partial target pre-image if it can produce a message, whose hash field is a random element in a given subspace. Suppose that there is an algorithm that can produce a different t0 partial target pre-image. Then we expect to find a collision by running the algorithm 22 times h minus t of two times to identify a collision on the hash field. Given an MITM characteristic, the framework for collision is described in the following algorithm. We do not describe the algorithm in details as we will. According to our analysis, we finally get the time complexity of the attack at like this. So in the model, we need to maximize the minimum view of d0f plus minus t of two, d of minus minus t of two, m minus t of two, and t of two. To determine the degree of match, we consider two situations according to the position where the matching happens. If the matching point is placed as a last round, we found in this case, we can ignore the coloring information of t. If the matching point is not as a last round, the XOR of the target t can happen in the forward computation or in the backward computation. The yellow cells are pre-fixed constants. Like the figure shows, we found that we can regard the yellow cells as gray cells in the rules of XOR. We apply the automatic model of MITM collision attack to whirlpool and get a sixth round MITM attack as shown in the figure. The time complexity is about 2 to 248. And the memory complexity is about 2 to 248. In addition, we also apply our method to GRUSTO and found a sixth round collision attack on GRUSTO 256 and a sixth round collision attack on GRUSTO 512. The collision attack on the sixth round GRUSTO 258 is shown here. The time complexity is 2 to 124. And the memory complexity is 2 to 124. This figure is a collision attack on each round GRUSTO 512. The time complexity is 2 to 248. And the memory complexity is 2 to 248. Summary of the results is shown in the table. We have proved the pre-image attack on round GRUSTO 256 and its output transformation by one round. For collision attacks, the first six round classical collision attack on whirlpool is provided. So we give the first six round collision attack on GRUSTO 248, 58 and GRUSTO 512, respectively. If you are interested in our paper, we come to read it. And that's all. Thank you.