我是林晓恩,清华大学今天我会介绍一篇文章《三转刷牌》的三转刷牌有两百二十二十五十六的设计我的演绩包括四个部分调整专业的问题运动方法和结构第一部分我会展示调整专业的问题包括运动方法和结构第二部分我会展示调整业的问题运动方法和结构的问题第三部分我会展示两种设计调整业的问题调整业的问题调整业的问题调整业的问题调整业的问题还有调整业的问题调整业的问题调整业的问题调整业的问题这段讲究完成了我们做了这件事情用心向结基 같은国事 weeks山洋它有些材料,例如,能量能力,能量能力,能量能力,和能量能力.在這篇文章,我們主要 focus on the second one,能量能力,能量能力 means for a given digest we want to find a message such that its output is the given digest.Pre-image resistance means it is hard to get the pre-image.To attack our analysis, we try to make it outperform exhaustive such in finding the pre-image.Kachak, which is chosen as secure hash algorithm standard, is an important hash function.Kachak adopts the sponge construction.It absorbs the message by every R bitsand squeezes the inner state to get the digest.After absorbing a message block,the inner state is confused with Kachak F permutation.The inner state of Kachak F has B bits,which contains R bits rate and C bits capacitywhere C is twice as many as N.In this paper,we mainly focus on Kachak hash functionwith parameters B equals to 1600and N equals to 224 or 256.The 1600 bits inner statecan also be represented as 2564-bit lengthor 645 x 5 slices.Kachak F permutation consists of 24 roundsof round function.Due to the high security of Kachak,we focus on the Kachak hash functionwhich is reduced to three roundsin this paper.Each round consists of five operationssetter,row,py,ky, iotter.In the first step,every bit is added with two columns.In the second and third step,it confuses the inner state in each length or slice.These three steps are all linear operations.The first step is the only nonlinear operationin Kachak F permutationwhere every row is transformed by a quadratic S box.The last step is adding a round constantin the first length.Then,related work.In 2016,Guo et al.put forward a techniquenamed linear structure.The main idea is thatby setting some bits as constantsand adding some linear equations,the first two and a half rounds will be linear.Accordingly,part of the digest can be restrictedby adding some linear equations.After that,the message can be obtainedby solving linear equationsand the prime image will be obtainedif the rest bits of output digest are satisfied.Some details are shown on the picture.The inner state is denotedby the squares of five rowsor five columns.Each square represents a lengththat is 64 bit.The white square meansthe 64 bits are all zeros.The black square meansthe 64 bits are all ones.The grey square meanssome of the 64 bits are onesand the others are zeros.The yellow square meansevery bit of the 64 bitsis a linear combination of variables.Besides,Guo et al.set some restrictionson the first roundand the second roundbefore set operationsby adding some linear equationsso that the sum of each columnwill be constant.According to the operationsof k-track f permutation,the inner statewill be developedas the picture shows.After that,the rest degree of freedomwill be used to restrictsome output bitsto match the digest.As a result,we can get pre-imageby solving linear equationsand check the digest repeatedlyuntil all the output bits are matched.In 2019,Le et al.put forward a new linear structure.The new linear structurehas more variablesand there are more degrees of freedom left.However,the studying inner stateis not legalif there is only one message blockinvolved in this linear structure.To meet the restrictionsof the studying inner state,they add another message block before.And a two-block modelnamedallocating approachis proposed.In the first stage,they use gua et al.linear structureto get an inner statemeeting the restrictions.Based on this inner state,they use the new linear structurewhich has more degrees of freedomto get the pre-imagewithin lower complexities.Not thatthere is a tradeoffbetween the two stages.The complicity of solvingthe second message blockis lower than thatof solving the first message block.By meeting fewer restrictions,the complicity of the first message blockcan be decreasedwhile the complicityof the second message blockwill increase.To sum up,there are two kinds of linear structure.Gua et al's linear structurecan be usedas the first message block,but it has fewer degrees of freedom.The et al's linear structurehas more degrees of freedom,but it needs to meet some extra restrictionsin the studying inner state.And the more restrictionsthe studying inner state means,the more degrees of freedomwill be left.Next,methodology.In this part,I will introduce two techniquesproposed in this paperto improve the pre-image attacks.Specifically,these two techniquesimproves the first stageof the previous pre-image attacks.One techniqueis its rating strategyin the et al'stwo block model.Many degrees of freedomin the second stageare underusedbecause of theunsatisfied restrictions.However,the first stagedoesn't have enough degrees of freedomto provide a better inner state.In fact,the linear structureused in the second message blockis able to provide more degrees of freedom.Therefore,we extend the first stageto more than one message block.In other words,we don't spend the degrees of freedomin the second message blockmatching the output bits directly,but we spend themrestricting more restrictionsas the first message block does.With a good studying inner state,it is faster and more likelyto generate a better inner state.Iteratively,more and more restrictionswill be satisfied.After a good enough inner stateis found,we constructthe last message blockmatching the target output bitsas they do in the second stage.And we can getthe entire pre-image eventually.This strategycan be used in boththree-round catch-upwith parameters of 224and 256.It improvesthe first stageof the previous workby using multi-message blocksinstead ofone-message block.Using this strategy,the inner state will be optimizedgraduallyand reach a good enough inner stateeventually.Another techniqueis five-for-three strategy.The proposeof the first stage is thatthe inner statecan meet as many restrictionsas possible.In previous work,they spend everyfour degrees of freedomin meeting two restrictionsin both two parametersof catch-up.However,when applyingto three-round catch-upwith parametersof 256,it is possibleto spend every five degreesof freedommeeting three restrictions.The linear equationsare shown as follows.In the previous strategy,they add two linear equationsto fix two bitsto arbitrary constants.After that,four bitswill be linearizedand two linear equationscan be addedto meet two restrictions.Not thatthe freedomof arbitrary constantsis underused.And by observation,we find thatif we fix the two constantsto both one,an extra linear equationcan be addedto meet the third restriction.Therefore,it constructsa five-four-three strategy.This strategycan only be usedin parameterof 256.When restrictingthe inner statein the first stage,it spendsevery five degreesof freedomsatisfying three restrictions,which is moreefficientthan the previous work.As a result,more degrees of freedomwill be saved.The table shows thatthe five-four-three strategyhas a big advantagethan four-four-two strategyin finding a good inner state.The experimental resultsof finding a good inner stateare shown as follows.We can find thatthe inner stateis getting better and better.At last,we find an inner statemeeting 171 restrictions.Last,conclusion.In this paper,we proposed two techniquesnameditwriting strategyand a five-four-three strategy.Itwriting strategyuses multi-message blocksto provide a better inner statewith more degrees of freedom.Five-four-three strategycan satisfy more restrictionswithin the same degrees of freedom.As a result,the complexity of pre-image attackson three-round catch-upwith parameters of 224 or 256can be decreasedto the 32 or 65 power of two.However,it is noted thatour techniquesare still far fromthreatening the securityof other catch-up variantson more rounds.