Okay. Okay, so the second talk of this session is a collision attack on up to five rounds of SHA-3 using generalized internal differentials by Itai Dinur, Orr Dunkelman and Adi Shamir, and Itai will give the talk.
Okay, thank you very much for the introduction. Okay, so I think you all know by now that Keccak was selected as the new SHA-3. And I will first describe to you how Keccak is built, but I will only concentrate on the parts that are relevant to this talk. So Keccak officially supports the hash sizes N of 224, 256, 384 and 512 bits, and the hash function is built using the sponge construction. So basically we have a state which is divided into two parts. So the first part is of R bits, the second part is of C bits. The state is initialized to zero. And in our attack we have only one message block so I will now describe to you the whole sponge construction. So basically what we do is we absorb the message block into the R bits, so the message block is of size R bits. And then we apply some function F and finally we truncate the first N bits of the state and send them to the output. So this is basically the sponge construction applied only to one message block.
Okay, so in the case of Keccak, F is a permutation that works on a state of 1600 bits, so this is the size of the state. And the value of C is equal to 2N, which leaves R to be 1600 minus 2N. Okay, so the internal state of Keccak, like I said, is of size 1600 bits. It can be viewed as a 5 by 5 by 64 bit cube as shown here. But we will usually use another representation, as a 5 by 5 matrix where each cell is of size 64 bits, okay, in the direction of the Z axis.
Okay, so what about the function F? So the function F has 24 rounds. Okay, but each round, which we denote by R, consists of five mappings. So the first three mappings of Keccak are linear and we will denote their composition by the letter L.
Okay, we will refer to L as a half round sometimes, where the composition of the two other mappings, chi and iota, makes up the other half. Okay, so I will not describe to you exactly how L is built because the exact details are not very relevant for this talk. Okay, and then chi is the only non-linear mapping of Keccak. It can be viewed as an S-box layer which applies the same 5 to 5 bit S-box to the 320 rows of the state independently. But again this is not very important. You don't really need to remember this for this talk. Just remember that it is the only non-linear component of Keccak. Okay, and finally iota adds a low Hamming weight round constant to the state. Okay, and one important thing that I already noted but you should remember is that the state is initialized to zero before we are absorbing into it the first message block.
Okay, so in this work we will be interested in collision attacks on reduced versions of Keccak. So what are the previous results in this area? So first, this paper which appeared in 2012 showed collisions in two rounds of Keccak 224 and 256. And then at FSE last year we improved this result to four. So we have collisions on four rounds of Keccak 224 and 256. However, up to this work there are no published collision attacks on the larger versions of Keccak. Keccak 388, Keccak 384 and Keccak 512.
Okay, so what we do in this work? So these are the previous results and you can see there are no previous collision attacks on the large versions of Keccak. So in this work we published the first three round collision attack on Keccak 512, which is practical. For Keccak 384 we also have a three round practical collision attack. And for four rounds of Keccak 384 we have a collision attack which is faster than the birthday bound by a factor of 2 to the 45. And then finally for Keccak 256 we have a five round collision attack which is faster than the birthday bound by a factor of 2 to the 13.
Okay, so we increased the number of rounds which can be attacked from 4 to 5 for this Keccak version.
Okay, so let's get into a bit more detail. So all of our attacks are based on the well-known property of the Keccak mappings which was described in the Keccak reference document. Okay, and it is called the translation invariance property, which states that four out of the five internal mappings of Keccak, basically all of the mappings of Keccak, are translation invariant in the direction of the Z axis, which to remind you is of length 64. Okay, in other words, what does it mean for a mapping to be translation invariant in the direction of the Z axis? It means that basically if one state is a rotation of another state with respect to the Z axis, then if we apply to them any of the first four Keccak mappings the property is maintained.
So if we look at it in a schematic way, okay, so what does it mean to rotate a state in the direction of the Z axis? So if this is a Keccak state and this is represented as a five by five matrix where each such cell is a lane, then we basically rotate each lane by the same number of bits, i, okay, and we rotate each of the lanes, so that's what it means to rotate a state.
Okay, and this property leads us to look at a special type of state which we call a symmetric state. What is a symmetric state? A symmetric state is a state which is rotation invariant in the direction of the Z axis by some rotation index i. Now if we want i not to be trivial, the trivial value is 64, then i has to divide 64, which means that i is either 1, 2, 4, 8, 16 or 32.
Okay, in order to get kind of a picture of what symmetric states look like, we will define another naming convention which is called a consecutive slice set. So let's see an example of what a consecutive slice set is, it is very simple. So assume that i equals 16, and in this case the state is split into four consecutive slice sets, or CSS in short.
So this is again a scheme of the symmetric state which shows the values of the first consecutive slice set. So basically we look at each lane and take the first 16 bits in each lane. Okay, so this is the first consecutive slice set, and then for the second consecutive slice set we take the second sequence of 16 bits and so forth. So we have four such consecutive slice sets. Okay, and basically in symmetric states all consecutive slice sets are equal. Okay, so if again in our example i equals 16 then each 64 bit lane is basically composed of four repetitions of just a 16 bit value. So we have A1, A1, A1, A1, A1, D1, D1 and so forth. Okay, so you can see the large degree of symmetry and this is why we call it a symmetric state.
Okay, so why are we looking at such symmetric states? Because the translation invariance property that I previously presented implies the following property of symmetric states. Symmetric states remain symmetric after applying to them any of the first four operations of Keccak. So basically if we start with a symmetric state and we apply to it any of the first four Keccak mappings then we end up with another symmetric state. Okay, which is of course not necessarily equal, but it is also symmetric. Okay, however the fifth mapping, the iota mapping of Keccak, destroys the symmetry. Okay, so the perfect symmetry of the state is destroyed. Nevertheless we can use the following very basic idea in order to try to attack the Keccak, the Keccak hash functions, or rather the reduced versions of Keccak.
Okay, so here is a very basic overview of our attack. So what we do is we pick a single block message such that the initial state of Keccak is symmetric. Now remember that the Keccak state is initialized to zero, which is a symmetric value, and as a result we can indeed pick such a single block message. Okay, and then of course the state will remain symmetric after the first four mappings of the Keccak permutation.
However, as I told you, the symmetry will be destroyed by the fifth mapping. However, since the fifth mapping basically adds a very low Hamming weight constant to the state, the symmetry will be only slightly perturbed and not completely destroyed by the fifth mapping. Okay, the diffusion of Keccak is sufficiently slow such that the state will remain somewhat close to symmetric in the first few rounds. So now the question is how do we exploit such states which are close to being symmetric in order to attack the round reduced versions of Keccak.
So one of the main observations in this paper, which is very simple, is the following observation: the effective output size for symmetric messages is reduced. Okay, because we know that the final state after the first few rounds is close to being symmetric, so the effective output size is indeed reduced. And we exploit this in a very natural attack which we call the squeeze attack in order to attack the hash function. And we call it the squeeze attack because basically what we do is we force a larger than expected number of inputs to squeeze into a relatively small subset of all possible outputs in which collisions are much more likely than for the entire output of the hash function.
Okay, so schematically the picture is like this, so this left circle represents all Keccak outputs and if we try to evaluate an arbitrary output then it will be mapped, sorry, this represents all Keccak inputs, and if we try to evaluate an arbitrary input it will be mapped to an arbitrary output on the right. However, if we try to evaluate a symmetric input from this left small circle here then it will be mapped with relatively high probability into this right small circle here. Okay, so this is basically, and this is the circles that we are looking at in the squeeze attack in order to find collisions with better complexity than generic collision.
So basically if a member of the input set is mapped with probability p to the output set, which is of size d, then in order to find a collision we need to find about a square root of d inputs that are mapped to this small output circle, and then the complexity of the collision attack in order to find one collision will be one over p times the square root of d. Okay, now of course in order for the attack to be efficient we want p to be as large as possible and we want d, the size of the set here, to be as small as possible. Okay, so in the remaining few minutes I will explain to you, not exactly but in general terms, how we compute this output subset and how we compute the probability p. Okay, so this is what I will concentrate on in the next few minutes.
Okay, so we will use a very general framework that we call subset cryptanalysis, which is used by a lot of previous cryptanalysis work. So basically our goal is to find what we call a subset characteristic in order to track the evolution of subsets through the internal state of the Keccak cryptosystem. And this is done by associating a triplet, which is composed of the input subset, an output subset and a transition probability, to each internal operation of the Keccak state. That is how we track the evolution of the subsets that we are interested in throughout the Keccak mapping and we can use it to analyze the squeeze attack.
And in particular what we will do is we will use internal differential cryptanalysis, which was introduced by Thomas Peyrin at CRYPTO 2010 in the analysis of the hash function Grøstl. So in standard differential cryptanalysis what we have is we consider message pairs which make up a pair of states and consider the evolution of the differences between the states. Okay, this is what we are all used to. However, in internal differential cryptanalysis we have only a single message and we divide it into parts and we are tracking the difference between the parts of a single state.
Okay, so that is the difference to what we are used to, and in this work we generalized the framework that was introduced by Thomas Peyrin in several ways. So first, it was previously shown to be applicable to hash functions that are built using separate data paths. However, Keccak has only one data path and we actually show that we can use the framework even in this case. Second, the differences that were previously considered were between two parts of the state, whereas we consider more complex differential relations between multiple parts of the state. Okay, we consider four, eight, sixteen and so forth. Most of our attacks consider more parts of the state than two and we consider indeed more complex differential relations.
Okay, so let's see exactly what types of relations we are looking at. So as I told you, in a symmetric state all consecutive slice sets are equal, and then states which are almost symmetric. So the differences between the first CSS and the other CSS, which we denote by delta one, delta two, delta three, again we are looking at a specific case just as an example of i equals sixteen so we have four consecutive slice sets. So these differences are of low Hamming weight. Okay, what we do is we basically group all states with the fixed value of delta one, delta two, delta three into what we call an internal difference set.
Okay, and another way which will be slightly more convenient for us to define this internal difference set is the following. So assume we are given a state U, then we can define an internal difference set as follows. So you add to U all vectors W mod two where W is symmetric. And you can see that the differences between the CSS are specified by our initial vector U, which we call the representative state of the internal difference set. So this is some kind of a coset that we are looking at. Okay, so we define the weight of the internal difference to be the weight of a state V of the lowest Hamming weight in this internal difference set.
So a natural special internal difference set that we will be looking at is the zero internal difference, which contains all symmetric states. And it has a weight of zero simply because it contains the all zero state, which is of course symmetric.
Okay, so in order to devise attacks we want to construct internal differential characteristics for the Keccak permutation. Okay, so in the paper what we do is we describe how to track the evolution of internal difference of the set through the Keccak permutation. So I do not have time of course to describe to you all the tools that we use. But for example, like I told you before, we know that any symmetric state that is chosen from the zero self difference remains symmetric after applying the first four Keccak permutation. Okay, and in addition in the paper we develop tools that allow us to construct internal differential characteristics for the first few Keccak rounds. Now again I do not have time to elaborate on how we do this, but I will show you just a very very simple example in the next slide.
So this is a one and a half round example, so I should explain to you how to interpret this. So this is a Keccak state. So you can see that it is composed of a five by five matrix where each such cell is a lane, is a 64 bit lane which is written in hexadecimal, and the line here means that the value is zero. So you can see that this is actually the zero state. Now this is a representative state of the zero self difference, which means that the characteristic begins with a symmetric state. So we begin with a symmetric state and then we apply the round function and then we know that after the first four mappings the zero internal difference will be mapped to itself. However, the symmetry is destroyed by the last mapping, iota. So you can see there is one value here. So the one is basically the iota constant which was added to the state, and now this state represents an internal difference which is what we call almost symmetric.
And then this asymmetry then starts to diffuse through the Keccak permutation by this L mapping. Okay, you can see this state still has a large degree of symmetry but you can see that its Hamming weight is large. Okay, this is a very simple characteristic which has probability of one. Of course in the paper we present more complicated characteristics and if you want to take a look then read the paper.
Okay, so this was a 1.5 example and in the paper we show how we can use them in our squeeze attack in order to attack the round reduced versions of Keccak. So I will just show you an example of actual collisions that we were able to find. So like I said we have some practical attacks. Okay, so for three round Keccak 512 we chose a rotation index i equals 4, so we have our two messages and you can see that each 64-bit word or lane in the message is a 16 repetition of a 4-bit word. Okay, so there is a lot of symmetry here and the output collides on this value. You can see that there is also a large amount of symmetry in this output.
Okay, now one thing to notice is that actually the Hamming distance of the messages is quite large. Okay, this is to be contrasted with standard differential attacks where the Hamming distance is usually small and we track it through the state of the hash function. Okay, and this is just to show you that we are using a different type of attack than we are usually used to, because simply we can say that these messages collided by chance. So we applied the birthday bound, which was applied to a smaller subset than usual. Okay, similarly we have a three round collision attack for Keccak 384.
Okay, so just to conclude, we presented the first collision attacks on the round reduced Keccak 384 and Keccak 512. All of them are practical, indeed we showed some collisions, and for Keccak 256 we increased the number of rounds that could be attacked from 4 to 5. Of course we are still very very far from attacking the full 24 rounds of Keccak.
And finally a future work item which will be very interesting is to find better internal differential characteristics for Keccak or to prove that they do not exist. Thank you very much for your attention.
We have time for a quick question.
Okay, one question. Actually when I look at the squeeze attack I think it's also very similar to what was done for CubeHash. You know there are symmetric states, and why it cannot be applied to CubeHash is because the initial value is not like 0, so it's not symmetric in the beginning. So would you say actually, since NIST is currently trying to standardize Keccak, perhaps shouldn't we try to modify the initial value and put something else, because then it would make the attack much harder?
In some sense yes, for the larger versions of Keccak yes, but interestingly for Keccak 256 the attack does not depend on the initial value because we have enough degrees of freedom in order to obtain symmetric states anyway. But if NIST is worried about these attacks on 3 or 4 rounds then it can change it. But again we are very far from attacking the hash function so I don't really, I mean if you're not using that few rounds then I don't think at this point there is anything to worry about.
Or perhaps puts like your iota which is more the main way so that's more...
Yeah, that's another possible thing, but again I'm really not really sure that's necessary.
So let's thank the speaker again.