Hello everyone. The topic of this talk is functional-graph-based generic attacks on hash combiners. First, recall the security requirements for hash functions. Collision resistance: it should be difficult to find two distinct messages with the same message digest. Preimage resistance: for a given target value, it should be difficult to find a message whose digest equals that value. Second-preimage resistance: for a given message, it should be difficult to find another message with the same digest. For an ideal hash function, we expect the security for collision resistance to be 2^(n/2), because of the birthday attack, and 2^n for preimage and second-preimage resistance. We usually build hash functions using an iterative construction; a classical one is the Merkle-Damgård construction. For a given message, it first appends some padding bits so that the message length is divisible by b, splits the message into blocks of b bits, and then uses those message blocks to update an internal state with an identical compression function. Note that the last message block encodes the message length; this is the so-called length strengthening. Among the approaches to building a secure hash function, one uses so-called combiners, that is, combining multiple unrelated hash functions in such a way that the resulting function provides security amplification or security robustness: either the combiner is more secure than its underlying hash functions, or it is secure as long as at least one of the underlying hash functions is secure. Two classical hash combiners are the concatenation combiner and the XOR combiner. The former processes the same message under the two hash functions in parallel and outputs the concatenation of the two n-bit hash digests, so the output is of 2n bits; the latter outputs the XOR of the two n-bit hash digests, so the result is of n bits.
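To make the constructions concrete, here is a toy Python sketch of a Merkle-Damgård hash with length strengthening and of the two parallel combiners. The 4-byte block and state sizes and the SHA-256-based compression function are illustrative assumptions, not the actual functions discussed in this talk.

```python
import hashlib

B = 4  # toy block size in bytes (assumption)
N = 4  # toy state/digest size in bytes (assumption)

def compress(state: bytes, block: bytes) -> bytes:
    # Toy compression function built from truncated SHA-256 (illustrative only).
    return hashlib.sha256(state + block).digest()[:N]

def md_hash(iv: bytes, msg: bytes) -> bytes:
    # Merkle-Damgard: pad, append the message length (length strengthening),
    # split into B-byte blocks, and iterate the compression function.
    padded = msg + b"\x80" + b"\x00" * ((-(len(msg) + 1 + 8)) % B)
    padded += len(msg).to_bytes(8, "big")  # length strengthening
    state = iv
    for i in range(0, len(padded), B):
        state = compress(state, padded[i:i + B])
    return state

IV1, IV2 = b"\x00" * N, b"\x01" * N  # two unrelated hash functions H1, H2

def concat_combiner(msg: bytes) -> bytes:
    # H1(M) || H2(M): output is 2n bits
    return md_hash(IV1, msg) + md_hash(IV2, msg)

def xor_combiner(msg: bytes) -> bytes:
    # H1(M) xor H2(M): output is n bits
    h1, h2 = md_hash(IV1, msg), md_hash(IV2, msg)
    return bytes(a ^ b for a, b in zip(h1, h2))
```

The only structural point that matters for the attacks later in the talk is that both combiners run the same iterated chaining underneath.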
Besides the parallel combiners, there are also cascade combiners such as Hash-Twice and the Zipper hash. The former sequentially processes the same message under the two hash functions, replacing the IV of the second hash function with the final state of the first; the Zipper hash does something very similar, except that it processes the message blocks in reverse order under the second hash function. There are two research lines on the security of hash combiners. The first is generic attacks, which provide an upper bound on the security, and the second is security proofs, which provide a lower bound; this talk mainly focuses on the generic attacks. Before 2004, people expected that the concatenation of two n-bit ideal hash functions would behave like a 2n-bit hash function, and that the XOR of two n-bit ideal hash functions would behave like an ideal n-bit hash function. However, in 2004 Joux invented a highly influential tool named Joux's multicollision. By iteratively generating collisions using the birthday attack k times, one gets 2^k messages that map the starting state to the same final state. Directly using Joux's multicollision, one can launch a collision attack on the concatenation combiner with about 2^(n/2) computations, and a preimage attack with about 2^n computations. These results show that the concatenation of two hash functions cannot provide much higher security than a single hash function, as long as at least one of the hash functions is iterative. The next year, Kelsey and Schneier invented another kind of multicollision known as the expandable message, using a very similar process; however, the message lengths are carefully chosen so that the 2^k messages cover a whole range of lengths. Using this expandable message, Kelsey and Schneier launched a second-preimage attack on the MD hash function. The key is that the expandable message can overcome the length strengthening in MD.
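The idea of Joux's multicollision can be sketched in a few lines of Python. This is a toy model assuming a 16-bit chaining state (so each birthday collision costs only a few hundred compression calls) and a SHA-256-based toy compression function; k successive collisions yield 2^k distinct messages with one common final state.

```python
import hashlib
from itertools import product

N = 2  # toy 16-bit chaining state so birthday collisions are cheap (assumption)

def compress(state: bytes, block: bytes) -> bytes:
    # toy compression function built from truncated SHA-256 (illustrative only)
    return hashlib.sha256(state + block).digest()[:N]

def birthday_collision(state: bytes):
    # find two distinct 2-byte blocks that collide under compress(state, .)
    seen = {}
    for i in range(1 << 16):
        blk = i.to_bytes(2, "big")
        out = compress(state, blk)
        if out in seen:
            return seen[out], blk, out  # colliding pair and the new state
        seen[out] = blk
    raise RuntimeError("no collision found")

def joux_multicollision(state: bytes, k: int):
    # k successive birthday collisions give 2^k messages with one final state
    pairs = []
    for _ in range(k):
        b0, b1, state = birthday_collision(state)
        pairs.append((b0, b1))
    return pairs, state

def chain(state: bytes, msg: bytes) -> bytes:
    # raw (unpadded) iterated chain over 2-byte blocks, for checking
    for i in range(0, len(msg), 2):
        state = compress(state, msg[i:i + 2])
    return state

pairs, final = joux_multicollision(b"\x00" * N, 3)
messages = [b"".join(choice) for choice in product(*pairs)]  # 2^3 = 8 messages
```

Every choice of one block per collision step produces a different message, yet all of them reach the same final chaining value, which is exactly what the attacks on the concatenation combiner exploit.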
This was the security status of the MD hash in 2005, and it remained so for almost ten years, until recently several attacks showed that hash combiners cannot provide the expected security. The most relevant one is Dinur's second-preimage attack on the concatenation combiner, which also improves the preimage attack on the XOR combiner. A straightforward second-preimage attack on the concatenation combiner extending Kelsey and Schneier's attack does not work efficiently because of two problems. The first is that one has to build a set of messages that is expandable and colliding for both of the two hash functions. The second problem is that one has to efficiently map the final state of the expandable message to a pair of internal states at the same offset in the original computation, and this pair is of 2n bits. To overcome the first problem, Dinur combined the expandable message with Joux's multicollision: by cascading several basic modules of proper length, one can build a set of messages that is expandable and colliding for both of the two hash functions. To solve the second problem, Dinur used the functional graph. The functional graph of a random mapping is a directed graph whose nodes are the points of the range and whose arcs go from each preimage to its image. Suppose that from a random node x0 we iteratively apply the random mapping f; after about 2^(n/2) iterations we will find a collision, that is, the value will collide with a previously evaluated value. We call this collision point an alpha-node, and the path connects to a cycle. When starting from all possible points, the paths merge into trees; these trees are grafted on cycles and form components, and several components form the whole functional graph. Properties of the functional graph were thoroughly studied a long time ago, and properties such as the expected number of cyclic nodes, the maximum cycle length, and so on are well known.
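The rho shape of a single iteration path can be demonstrated with a short sketch. This assumes a toy 16-bit domain and a random-looking mapping built from SHA-256; iterating from a start node until a value repeats reveals the tail (distance to the alpha-node) and the cycle it joins.

```python
import hashlib

W = 1 << 16  # toy domain size (assumption)

def f(x: int) -> int:
    # a fixed random-looking mapping on W points, built from SHA-256
    return int.from_bytes(hashlib.sha256(x.to_bytes(4, "big")).digest()[:4], "big") % W

def rho_shape(x0: int):
    # Iterate f from x0 until a value repeats: the repeated value is the
    # alpha-node where the tail joins the cycle.
    seen = {}
    x, steps = x0, 0
    while x not in seen:
        seen[x] = steps
        x = f(x)
        steps += 1
    tail_len = seen[x]           # distance from x0 to the alpha-node
    cycle_len = steps - seen[x]  # length of the cycle
    return tail_len, cycle_len, x

tail, cyc, alpha = rho_shape(0)
```

On a domain of size W, both the tail and the cycle have expected length on the order of sqrt(W), matching the 2^(n/2) estimate from the talk.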
Those properties have also been widely exploited to launch a variety of attacks on hash-based MACs, and Dinur found that they can also be used to launch efficient attacks on hash combiners. To use the functional graph, we first fix an arbitrary message block in the compression functions and turn them into n-bit random mappings. Dinur found that nodes located deep in the functional graph, the so-called deep iterates, have good properties. The first is that we can easily collect a large set of deep iterates. The second is that a deep iterate has a relatively high probability of being reached when starting from a random node. In Dinur's second-preimage attack, after building the simultaneous expandable message, instead of directly matching the pair of final states to a pair of internal states at the same offset in the original computation, one uses deep iterates to make the connection efficient. The first property of deep iterates makes it efficient to find a pair of them matching internal states at the same offset. The second property makes it efficient to find a common message fragment that maps the final state of the simultaneous expandable message to the pair of deep iterates. The key is to find a pair of starting nodes in the two functional graphs that reach the pair of deep iterates at a common distance. This technique can also be used to improve the preimage attack on the XOR combiner, and the optimal complexities turn out as shown here. Based on Dinur's attack, we further improve the preimage attack on the XOR combiner and propose the first second-preimage attack on the Zipper hash. We find that using cyclic nodes as the target nodes brings some further advantages, because it is easy to locate the largest cycle in the functional graph, collect all of its cyclic nodes, and get the cycle length, by repeating the cycle-search algorithm several times.
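The cycle-search step mentioned above can be sketched as follows. This is a toy model on a 14-bit domain with a SHA-256-based mapping; it iterates from a few random starts, walks the cycle that each start falls into, and keeps the longest one, which is how one would locate the largest cycle and collect its cyclic nodes in practice.

```python
import hashlib
import random

W = 1 << 14  # toy domain size (assumption)

def f(x: int) -> int:
    # a fixed random-looking mapping on W points, built from SHA-256
    return int.from_bytes(hashlib.sha256(x.to_bytes(4, "big")).digest()[:4], "big") % W

def cycle_from(x0: int):
    # iterate f until a node repeats, then walk the reached cycle once
    seen = set()
    x = x0
    while x not in seen:
        seen.add(x)
        x = f(x)
    cyc = [x]  # x is on the cycle (the alpha-node when starting off-cycle)
    y = f(x)
    while y != x:
        cyc.append(y)
        y = f(y)
    return cyc

def largest_cycle(trials: int = 8):
    # repeat the cycle search from random starts and keep the longest cycle;
    # most random starts fall into the largest component, so a few trials suffice
    rng = random.Random(2017)
    best = []
    for _ in range(trials):
        c = cycle_from(rng.randrange(W))
        if len(c) > len(best):
            best = c
    return best
```

Since the giant component of a random mapping covers most of the domain, a handful of repetitions finds its cycle with high probability, which is what makes cyclic target nodes cheap to set up.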
Furthermore, it is effortless to loop around the cycles to correct the distances when trying to reach a pair of target nodes. More specifically, suppose that from a random state x̄, after d1 iterations of f1, we reach a cyclic node, and that we know the cycle length L1; then for any i, after d1 + i·L1 iterations of f1, x̄ will still reach that cyclic node, and similarly for ȳ with d2 and L2. So as long as there exists a pair of integers (i, j) such that the difference between the two distances equals the difference between the corresponding multiples of the cycle lengths, there exists a common distance at which x̄ and ȳ reach the pair of target nodes. We refer to such distances as correctable distances. Now the preimage attack on the XOR combiner goes as follows. First, build the simultaneous expandable message. Then get the two random mappings, locate the largest cycles, and collect all of the cyclic nodes; this is done independently for the two random mappings. From these two sets of independent cyclic nodes, we find some triples (x̄, ȳ, m̄), where m̄ is a message fragment encoded with the length of the preimage that maps x̄ and ȳ to states whose XOR equals the given target value. Then we launch a lookahead procedure to develop more nodes and record their distances to those target nodes, which makes the next steps more efficient. Then, starting from the final state of the simultaneous expandable message, we enumerate a message block to find a pair of starting nodes in the two functional graphs such that they reach a pair of target nodes at distances that are correctable. Finally, we choose from the simultaneous expandable message a message fragment of proper length and concatenate those message fragments together to get the preimage. These techniques can also be used to launch a second-preimage attack on the Zipper hash.
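The distance-correction condition d1 + i·L1 = d2 + j·L2 is plain arithmetic, and a small sketch makes it concrete. The function name and the brute-force bound are illustrative; a solution exists exactly when the distance difference is a multiple of gcd(L1, L2).

```python
from math import gcd

def common_distance(d1, L1, d2, L2, max_mult=10**6):
    # Find D = d1 + i*L1 = d2 + j*L2 with i, j >= 0, if it exists.
    # Solvable exactly when (d2 - d1) is a multiple of gcd(L1, L2).
    if (d2 - d1) % gcd(L1, L2) != 0:
        return None
    # small brute-force sketch; the attack only ever needs small multiples
    for i in range(max_mult):
        D = d1 + i * L1
        if D >= d2 and (D - d2) % L2 == 0:
            return D
    return None

# example: d1=5, L1=12, d2=9, L2=8 -> gcd is 4 and (9-5) % 4 == 0,
# and D = 5 + 1*12 = 9 + 1*8 = 17 is a common distance
```

This is why cyclic target nodes are so convenient: a pair of distances that do not match directly can still be made to match by looping around the cycles.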
We first need to adapt the simultaneous expandable message to the Zipper hash. We place this structure in the middle of the two computation passes, so a carefully chosen length for the second preimage is encoded in the structure in advance, and we build it sequentially, because only after we finish processing the first pass can we start processing the second pass. The second-preimage attack on the Zipper hash then goes as follows. First, we get the two random mappings f1 and f2, locate the largest cycles, and get a pair of cyclic nodes x̄ and ȳ; we refer to them as the target nodes. Then we launch the lookahead procedure. Starting from the two target nodes, we build two independent Joux multicollisions, and starting from the final state of the first Joux multicollision, we build a simultaneous expandable message across the two hash functions, ending at a node in the second pass. Then, starting from the final state of the second Joux multicollision, we try to map it, using a message block, to an internal state of the original computation chain in the second pass; correspondingly, we can map the state in the first pass to a state x̃, with a corresponding state ỹ in the second pass. We then exploit the messages in the second Joux multicollision to map x̃ to a set of starting nodes in the functional graph of f1, compute their distances to the target node x̄, and store them in a table T1. Similarly, we utilize the messages in the first Joux multicollision to map ỹ to a set of starting nodes in the functional graph of f2, compute their distances to the target node ȳ, and store them in a table T2. Then we match between T1 and T2 to find a pair of starting nodes in the two functional graphs that reach the pair of target nodes at a common distance. Now the prefix of the second preimage is determined, and from the simultaneous expandable message we choose the suffix of the second preimage with the proper length.
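The final matching step between T1 and T2 is a meet-in-the-middle over distances, which the following sketch illustrates. The table layout (a dict from starting node to its distance to the target) is an assumption made for illustration.

```python
def match_common_distance(T1, T2):
    # T1: {starting node in graph of f1: distance to target x_bar}
    # T2: {starting node in graph of f2: distance to target y_bar}
    # Index one table by distance, then scan the other: a shared distance
    # yields a pair of starting nodes reaching both targets simultaneously.
    by_dist = {}
    for node, d in T1.items():
        by_dist.setdefault(d, node)
    for node, d in T2.items():
        if d in by_dist:
            return by_dist[node if False else d], node, d  # (node1, node2, distance)
    return None
```

Building one index and scanning the other costs only |T1| + |T2| operations, which is what makes the match between the two lookahead tables cheap compared to the graph expansion itself.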
Concatenating those message fragments, we get a valid second preimage. Note that the Zipper hash feeds the message length in the middle of the two computation passes, so we can optimize the computational complexity by choosing a suitable message length for the second preimage. Also, it processes the message blocks in reverse order in the second pass, so we can build the two independent Joux multicollisions, which makes it possible to launch the meet-in-the-middle procedure just described. Now let us summarize the current status of hash combiners in the following two tables, which contain the upper bounds and the lower bounds. From these two tables, we can see that the upper bound and the lower bound are very close for some combiners. However, from the tradeoff curves between the message length and the attack complexity, we can see that for short messages the gap between the upper bound and the lower bound is still very large. That might be left for future work. Thank you for your attention.