the focus of this talk. So essentially, for second pre-image resistance, we are given an arbitrary input message M, and our goal is to find another message M' that maps to the same value under the hash function. When we model the hash function as an ideal function, the concrete security for these three requirements is 2^(n/2) for collision resistance, essentially because of the birthday paradox, and 2^n for pre-image and second pre-image resistance. Now, assume that we have two hash functions with n-bit outputs, and moreover, assume that we want to obtain more security than is provided by each one of these hash functions alone. A natural way to achieve this is to concatenate the two hash functions. So we define what is known as the concatenation combiner, which works as follows: on a message M, we simply concatenate the outputs of the two hash functions, and we obtain a new hash function with a 2n-bit output. This is a very well-known construction that has been analyzed a lot and was actually used in practice until at least a few years ago. Assuming that these two hash functions, H1 and H2, are ideal and unrelated, you would expect them to provide security similar to that of a 2n-bit hash function, as given here. Now, in practice, we don't like to implement hash functions directly on arbitrary input lengths. Instead, we define a compression function, which compresses a fixed input size into a smaller output size. More formally, we define a function h whose input consists of n bits, which we call the state, and another b bits, which we call the message block, and whose output is n bits. A standard way to build a hash function from this compression function is known as the Merkle–Damgård construction, which is very widely used in practice, in SHA-1, SHA-2, and so on.
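To make the combiner concrete, here is a minimal Python sketch. SHA-256 and SHA3-256 are used purely as stand-ins for two ideal, unrelated n-bit hash functions; the talk's H1 and H2 are generic.

```python
import hashlib

def h1(m: bytes) -> bytes:
    # stand-in for an ideal n-bit hash function H1 (here n = 256)
    return hashlib.sha256(m).digest()

def h2(m: bytes) -> bytes:
    # a second, unrelated stand-in hash function H2
    return hashlib.sha3_256(m).digest()

def concat_combiner(m: bytes) -> bytes:
    """C(M) = H1(M) || H2(M): a 2n-bit hash built from two n-bit hashes."""
    return h1(m) + h2(m)
```

The hope, analyzed in the talk, is that this 2n-bit output provides 2n-bit-level security when H1 and H2 are ideal and unrelated.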
So the main idea, very quickly, is as follows. We take the message M, append some padding and then the message length in bits, such that the total padded length is divisible by b, the message block size. We divide the padded message into blocks of size b, set the initial state x0 to some fixed IV, and simply feed the message blocks into the compression function one after the other until we finish processing the message. The final state x_L is the output of the hash function. Okay, so in this work, I'm interested in the security of the Merkle–Damgård construction, assuming that the compression functions are ideal, that is, modeled as random oracles, and I'm going to focus on the security of the concatenation combiner of Merkle–Damgård hash functions. Up to 2003, as far as what was publicly known, Merkle–Damgård behaved exactly like an ideal hash function, and moreover, the concatenation of Merkle–Damgård hash functions behaved like a concatenation of ideal hash functions. However, in 2004, in a very well-known result, Antoine Joux showed that the concatenation combiner of Merkle–Damgård hash functions is in fact not much stronger than a single hash function. His result was more general than what I just mentioned, but this is essentially what we care about in this work. A year later, in 2005, Kelsey and Schneier showed that a Merkle–Damgård hash function itself is not ideal: they presented a second pre-image attack on this construction which is faster than 2^n. I'm going to review this attack very quickly, because I'm going to use it later in this talk. So assume we are given a target message with message blocks M1, M2, up to ML, and we want to find another M' such that H(M') = H(M).
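The Merkle–Damgård iteration just described can be sketched in a few lines of Python. The compression function here is a toy built from truncated SHA-256, and the 8-byte block size and output size are arbitrary illustrative choices.

```python
import hashlib

B = 8  # message block size in bytes (b bits), an illustrative choice

def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function h: (n-bit state, b-bit block) -> n-bit state.
    Built from SHA-256 truncated to 8 bytes, purely for illustration."""
    return hashlib.sha256(state + block).digest()[:8]

def merkle_damgard(message: bytes, iv: bytes = b"\x00" * 8) -> bytes:
    # Append a marker byte, zero padding, then the message length, so the
    # padded length is a multiple of B (Merkle-Damgard strengthening).
    length = len(message).to_bytes(8, "big")
    padded = message + b"\x80"
    padded += b"\x00" * (-(len(padded) + len(length)) % B)
    padded += length
    # Feed the blocks into the compression function one after the other.
    state = iv
    for i in range(0, len(padded), B):
        state = compress(state, padded[i:i + B])
    return state  # the final state x_L is the hash output
```

The appended message length is exactly the detail that foils the naive second pre-image attack described next.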
So the first thing we do is compute the intermediate states generated by evaluating the message blocks. Now we start from the IV and feed in some message block M', and our goal is to hit one of these x_i's, one of these targets. How much work do we need until we hit one of them? Each target is n bits, and we have L targets, so each trial with an M' succeeds with probability about L/2^n, and we expect to succeed after about 2^n/L trials. Once we succeed, we can append to M' the remainder, actually the suffix, of the input message, so that the rest of the computation is the same and we can hope to get the same output, giving a second pre-image. However, this does not quite work, because it is foiled by the Merkle–Damgård message length padding: we now have two messages of different lengths, so a different value is appended at the end, and we won't get the same output. So how can we solve this? What Kelsey and Schneier did is build what is known as an expandable message, which we can visualize like a spring. We start from the IV, we have the spring, and it ends at some state x. We apply the same idea: we hit a target, and once we hit the target, the spring can expand, so we actually get two different messages that have the same length and the same output, with total complexity about 2^n/L. Okay, so this was in 2005. We have this second pre-image attack, and this actually remained the state of the art for this construction for the last 10 years or so, but now I'm going to show you an improvement.
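The target-hitting step of the Kelsey–Schneier attack is easy to simulate at a toy scale. The sketch below uses a 16-bit truncated SHA-256 as the compression function and deliberately ignores the length padding, which is exactly the obstacle the expandable message removes. With L = 256 intermediate targets, a fresh block links into the chain after about 2^16/256 = 256 trials on average.

```python
import hashlib

N = 2                                        # toy 16-bit state
IV = b"\x00" * N

def compress(state: bytes, block: bytes) -> bytes:
    # toy compression function: truncated SHA-256, for illustration only
    return hashlib.sha256(state + block).digest()[:N]

def states(iv: bytes, blocks: list) -> list:
    """Intermediate states x_1..x_L generated by evaluating the blocks."""
    out, s = [], iv
    for blk in blocks:
        s = compress(s, blk)
        out.append(s)
    return out

# Target message of L = 256 blocks; record its intermediate states.
blocks = [i.to_bytes(2, "big") for i in range(256)]
targets = {s: i for i, s in enumerate(states(IV, blocks))}

# Try fresh single blocks m' until one hits some intermediate state x_i.
# Each trial succeeds with probability about L / 2^n = 256 / 2^16.
found = False
for t in range(256, 1 << 16):
    mprime = t.to_bytes(2, "big")            # distinct from all original blocks
    if compress(IV, mprime) in targets:
        i = targets[compress(IV, mprime)]
        found = True
        break
assert found

# Splice on the original suffix: same final state, different message.
# (The real attack must also fix up the length padding, via the
# expandable message -- this sketch ignores that.)
second_blocks = [mprime] + blocks[i + 1:]
assert states(IV, second_blocks)[-1] == states(IV, blocks)[-1]
```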
So actually I'm going to show you that this value is not optimal: we can compute a second pre-image for the concatenation of Merkle–Damgård hash functions in less than 2^n time, given that the input message is sufficiently long. This is, I would say, a bit surprising, because if you look back a bit more than 10 years, we thought that a Merkle–Damgård hash function behaved like an ideal hash function, and now this shows that not only is Merkle–Damgård not ideal, but even the concatenation of two Merkle–Damgård hash functions is not as strong as a single ideal hash function. So in this sense this is a bit surprising, I would say. Okay, so what are we trying to do? We're trying to find a second pre-image for this concatenation combiner: two different messages, M and M', such that H1(M') = H1(M) and H2(M') = H2(M). So we're trying to simultaneously hit two targets, H1(M) and H2(M), and we want to do this faster than 2^n. Let's first try a very natural approach, similar to what Kelsey and Schneier did. Assume that we're given our padded message with blocks M1 to ML. We look at the two hash functions and compute the states generated by evaluating the message, giving us the x_i's and y_i's. Now we do something very similar to before: starting from IV1 and IV2, we build these springs ending at x and y, and we try to hit a target pair (x_i, y_i) with some arbitrary message block M'. This looks very simple, and it actually works. The problem is that it is not efficient. Why not? Because now each target is 2n bits, so every trial succeeds with probability L/2^(2n).
Okay, so the attack will succeed after about 2^(2n)/L trials, and this is larger than 2^n whenever the message is shorter than 2^n blocks. Of course, if the message has at least 2^n blocks, then just generating the states takes more than 2^n time. So the conclusion is that this standard approach does not work; it's not efficient, and we're going to have to use a different approach. Okay, so the different approach is as follows. We select a single target pair (x_i, y_i) that will actually be much easier to hit than the other targets, and we hit it not with a single message block, but with a specially crafted message that we denote by w_1 up to w_j. To simplify notation, I define a generalized compression function h*, which, on a state x and the concatenation of w_1 up to w_j, is defined as applying h to the initial state x with w_1, then w_2, and so on up to w_j. Okay, so this is just to ease notation. Using this notation, the picture is as follows: we have our states, the x_i's and y_i's, and the special target (x_i, y_i) that we want to hit. We start from x and y, feed w_1 up to w_j into both hash functions, and want to hit (x_i, y_i) under these generalized compression functions h1* and h2*. So now, of course, I need to tell you how to select this target and how to craft the message. In order to do that, I'm going to take one step back to the level of a single hash function. So assume we have this compression function, and let us fix the message block to zero. This essentially defines a function f, where f(x) = h(x, 0), that is, h on input state x and a fixed message block of zero.
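The generalized compression function h* is just iterated application of h. A minimal sketch, with a toy compression function standing in for h:

```python
import hashlib

def compress(state: bytes, block: bytes) -> bytes:
    # toy compression function h, for illustration
    return hashlib.sha256(state + block).digest()[:4]

def h_star(state: bytes, blocks: list) -> bytes:
    """Generalized compression h*(x, w_1 || ... || w_j): apply h to the
    state with w_1, then w_2, and so on up to w_j."""
    for w in blocks:
        state = compress(state, w)
    return state
```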
So it's easy to see that f is a mapping from n bits to n bits. This function f can be used to define a graph whose nodes are the states, with an edge from x to y if f(x) = y. And because f is a mapping on n bits, it can be iterated many times, and we will actually be interested in the states obtained after applying f many times: we start from x and look at the states that appear here on the right. Okay, so let us fix some parameter d and define what we call a deep iterate to be a node of depth at least d in the graph; we'll be interested in these blue nodes here. After this definition, let's go back to our original problem and look at our two compression functions, h1 and h2. Let us define f1(x) = h1(x, 0), that is, h1 with fixed message block 0, and f2(y) = h2(y, 0). Okay, so now I'm going to tell you exactly how to pick the single target. I told you that we pick a single target for the attack, and I pick it as follows: I want x_i to be a deep iterate of f1, and I want y_i to be a deep iterate of f2. This is essentially the target that I'm going to try to hit. So what I actually need now, given this target, is an efficient algorithm that, given arbitrary states x and y and deep iterates x' and y', finds w_1 up to w_j such that the evaluation of h1* and h2* on w_1 up to w_j hits x' and y'. Okay, so how does the algorithm work? Well, I think by now it's quite intuitive: the messages I construct have the following form. The first block w_1 is some arbitrary block, which I will vary rather than fix, and then I append a chain of zero blocks. This is the form of the messages that I'm going to try in order to hit the target.
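Deep iterates are straightforward to produce: applying f to any starting state d times yields, by definition, a node of depth at least d in the functional graph. A small sketch with a toy 16-bit f:

```python
import hashlib

N = 2                                    # toy 16-bit state

def h(state: bytes, block: bytes) -> bytes:
    # toy compression function, for illustration
    return hashlib.sha256(state + block).digest()[:N]

ZERO = b"\x00" * N

def f(x: bytes) -> bytes:
    """f(x) = h(x, 0): fixing the message block to zero turns the
    compression function into an n-bit to n-bit mapping, whose functional
    graph has an edge x -> f(x)."""
    return h(x, ZERO)

def iterate(x: bytes, times: int) -> bytes:
    for _ in range(times):
        x = f(x)
    return x

# f^d(x0) is, by definition, a d-deep iterate: it has depth >= d in the graph.
d = 100
deep = iterate(b"\x13\x37", d)
```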
Okay, and during the computation of such a message, I'm going to store all the encountered states, and I'm going to stop once I collide with a previously encountered state, because this allows me to perform a look-ahead procedure. Let's see an example. Assume we have the deep iterates x' and y' and our compression functions h1 and h2. We start from x and y, pick some value for w_1, say b1, and evaluate the compression functions to get x1 and y1. Now we just append zeros and see what happens. So let's start from here: we append a zero, meaning we apply f1, until we reach a previously encountered state, and then we stop; and similarly we do the same on the bottom hash function. You can see that this trial didn't succeed, because we're trying to hit x' and y', so I'm going to repeat this, selecting different values for the first block. So this is the picture that I showed you before: the first trial didn't succeed, but now I can select a new value for the first message block; let's try b2. With b2, you can see that this one didn't succeed either: this trial here also didn't reach x', and because it hit a previously evaluated state, I can stop immediately, since I already know the trial failed. With b3, for example, you can see that we actually hit both x' and y', but this is not quite right, because we hit them with different messages: here we appended four zeros and here six, and we actually need to hit them simultaneously with the same message. And finally, with the next value we were lucky: we hit both with a suffix of five zeros. Once again, you can see that I can stop the evaluation early, because if I know that this node here is at distance three from x', then once I hit it, I know this node is at distance four and this one at distance five.
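Putting the pieces together, here is a toy end-to-end sketch of the trial procedure with the memoized look-ahead. Everything in it is an illustrative assumption, not the paper's exact procedure: the compression functions are 16-bit truncations of SHA-256, and instead of finite-depth deep iterates, the targets x' and y' are taken as cyclic nodes of f1 and f2 (the deepest possible iterates), picked from frequently-reached components so the toy experiment terminates quickly.

```python
import hashlib
from collections import Counter

N = 2                                         # toy 16-bit state
def h1(s, m): return hashlib.sha256(b"\x01" + s + m).digest()[:N]
def h2(s, m): return hashlib.sha256(b"\x02" + s + m).digest()[:N]
ZERO = b"\x00" * N
def f1(x): return h1(x, ZERO)                 # fix the message block to zero
def f2(y): return h2(y, ZERO)

def popular_cycle_node(f, samples=16, burn=4096):
    """Pick a cyclic node of f from a frequently-reached component. Cyclic
    nodes are maximally deep iterates: every chain entering their component
    eventually passes through them."""
    reps = Counter()
    for i in range(samples):
        x = i.to_bytes(2, "big")
        for _ in range(burn):                 # walk far past the tail, onto a cycle
            x = f(x)
        node, cyc = f(x), [x]                 # collect the whole cycle
        while node != x:
            cyc.append(node)
            node = f(node)
        reps[min(cyc)] += 1                   # canonical representative
    return reps.most_common(1)[0][0]

def chain_distance(f, start, target, memo, limit=8192):
    """Number of f-steps from start to target, or None if the chain misses it.
    Distances of visited states are memoized, so later trials stop as soon
    as they touch a previously explored state -- the look-ahead."""
    path, x, d = [], start, None
    for _ in range(limit):
        if x == target:
            d = 0
            break
        if x in memo:
            d = memo[x]
            break
        path.append(x)
        x = f(x)
    if d is None:                             # missed the target: remember that, too
        for s in path:
            memo[s] = None
        return None
    for i, s in enumerate(reversed(path), 1):
        memo[s] = d + i
    return d + len(path)

xp, yp = popular_cycle_node(f1), popular_cycle_node(f2)   # the targets x', y'
x, y = b"\xaa\xbb", b"\xcc\xdd"               # arbitrary starting states
memo1, memo2 = {}, {}
found = False
for trial in range(1 << 18):
    blk = trial.to_bytes(3, "big")            # vary the first message block w_1
    d1 = chain_distance(f1, h1(x, blk), xp, memo1)
    d2 = chain_distance(f2, h2(y, blk), yp, memo2)
    if d1 is not None and d1 == d2:           # both targets hit at the same depth
        found = True
        break
assert found

# The crafted message blk || 0^d1 sends x to x' and y to y' simultaneously.
sx, sy = x, y
for w in [blk] + [ZERO] * d1:
    sx, sy = h1(sx, w), h2(sy, w)
assert (sx, sy) == (xp, yp)
```

The memoization is what makes repeated trials cheap: once a state's distance to the target (or the fact that it misses the target) is recorded, any later chain stops the moment it touches that state.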
Okay, so we can use this look-ahead procedure to optimize the algorithm, and in fact this is exactly why this algorithm is more efficient than the standard algorithms you would think of. So, to conclude, I showed that the concatenation of two Merkle–Damgård hash functions is in fact weaker than a single ideal hash function. In particular, I described a second pre-image attack that is faster than 2^n. I didn't really have time to get into the complexity evaluation, but there is a trade-off between the input length of the message and the complexity of the attack: the attack is only faster than 2^n for messages longer than 2^(2n/7) blocks, and the optimal complexity of the attack is 2^(3n/4). Obviously these attacks are essentially not practical, because in practice we use quite large values of n, at least 160, but I think they still give some insight into the security of hash functions. Finally, what we did is develop new applications of random mappings in the cryptanalysis of the concatenated hash function, and in fact we can use them to improve the cryptanalysis of other well-known hash function combiners as well. For example, we can improve the best known attack on another well-known combiner, the XOR combiner, where we get a pre-image attack that is faster than what was previously known. Okay, thank you very much. Any questions?

Question: So this is a fun result. One thing I missed from your presentation: how did you know which of the intermediate states were deep iterates?

Answer: I actually didn't describe that explicitly, but what we do is compute many deep iterates offline and match them against the intermediate states. There is no smart way to do this, I would say; you do it by brute force.
That's actually why we need long messages: we need a lot of states so that one of them matches a deep iterate.

Question: And did you implement this for small cases?

Answer: Yes, for 32 bits.

Question: When you look at the iterates of the two mappings, you enter a cycle if the message length is bigger than 2^(n/2), and with good probability the two cycle lengths are relatively prime. Is there a way to use this to automatically get the expandable message: if you reach the two cycles in the wrong way, you continue until you get to the desired points along the cycles? Is that what you're doing?

Answer: No, that's not what I'm doing. It is actually possible to use the cycle structure to get these attacks, but according to my calculations this will not give a better attack. I actually thought about this, but I don't think it gives an improvement.

Okay, if there are no other questions, let's thank the speaker again. I think in about eight minutes there will be the tutorial, so if you need to go to the restroom, this is your