 Okay, good morning everyone. My name is Xiao Sun and it's my pleasure to give a presentation here. My topic today is pre-image attacks on round radius keycharts via an allocating approach. And this work is done with my PhD, Ting Li. And this talk will contain five paths. In the first path, we will introduce the background and our main contributions. And in the second path, we will talk about the structure of keycharts. And in the third path, we will give a brief review of our previous work, which is important to our work in this talk. And in the last two paths, we will take the third round keychart 224 as an example to illustrate our basic and improved method. So let's see the overview. There are three types of attacks on hash function, pre-image attack, collision attack, and the second pre-image attack. Our work focuses on the pre-image attack. That is, given a digest H, we need to send a message M such that H equals to hash M. And this is a short introduction to the keychart algorithm, which is the most important algorithm as present, hash function as present. And after MD5-1, SHA-1 was written and NIST holds the SHA-3 competition. And there are 64 algorithms that were submitted. And four years later, keychart 1 and three years later, it becomes SHA-3 officially. SHA-3 and keychart has many different instances, different in the length of the output digest. Our work focuses on the instances with digest of 224 and 256. This is a short summary of our work. We present a multi-block pre-image attack model, and this is the first time of multi-block method applied to the keychart algorithm and the standard keychart algorithm. And so we provide the best theoretical complexity on three and four-round keychart 224 and 256. And we also give a first practical, the first practical pre-image attack on three-round keychart 224. And here are the detailed results. We improved the previous best results by using this multi-model method. And we can see from the table that the instances of three-round, the improvements on the instances of three-round are significant. And here is a practical attack. We successfully found a second pre-image for the message 1 in practical time, and our codes are publicly available at GitHub. Now let's talk about the structure of keychart. The keychart algorithm uses the famous subordinate construction. It absorbs messages that are sublating to blocks and squeeze the digest. Generally, a state of the keychart is represented as a cube, and the standard version contains 24 runs, and each run consists of five operations. The first operation is state operation. It is linear and diffuse the bits. And the second one is the row operation. It rotates the bits along the lines. It is also linear. And the third, the linear operation is pi. It is a permutation in the slices. And the fourth operation is the only nonlinear operation, chi. And the last one, as a constant to the first line, which is used to break the symmetric along the lines. And this is the keychart. The keychart team also holds a grand chic ripdope pre-image and collision context to encourage the study of keychart. And the instances in this challenge are weaker. And their theoretical complexity is only 2 power 80. And this is the current status of the challenge. Only one full run instance is broken, but there are many lower runs are unbroken. And our names are here. We found a pre-image in five days with eight GPU casts. And this work is done in the summer of 2017. But it is still the last challenge that has been broken. And in the next part, we will talk about the tag on this challenge, because it motivates our multi-mode, multi-block mode. And this is the third part, brief review of our pre-workhold. Basically, the pre-image problem equals to solving a polynomial system, which usually has multiple solutions. And the challenges with lower runs are solved by the set solver directly. And the instance of hair runs with larger states can be broken by the linearization of the structure of keychart. And for the three-round challenge, with small states, the previous linearization method does not work. So we also use some algebraic techniques. And the key step of this work is that we do not linearize all the five output bits of the kind operation. Instead, we linearize parts of the bits from the structure of keychart. And we linearize the other bits using algebraic operations. And the details of what this work is omitted here, we only show the pipeline. At the beginning, we set two rows of the initial state to be variable. And the others are set to zero. And in order to avoid the diffusion brought by the operation state, we also assume the sum of the columns to be constants. And this is the first round. The yellow boxes means these bits. The yellow boxes means these bits are linear with respect to the unknowns. And the gray ones and white ones are constants. We can see that in the end of the first round, all bits are linear. Similarly, we also assume the sum of the columns as constants in the second round. And in the end of the second round, we notice that there are several blue boxes, meaning these bits are quadratic bits with respect to the unknowns. And in each slice, there are files. And these file quadratic bits will be diffused to all the bits after the operation state. And from the other direction, we can construct 80 quadratic polynomials from the given digest. And now we get a quadratic polynomial system. Because in this attack, because the degrees of the freedom is very small, so we have to solve this quadratic polynomial using algebraic techniques. And the total complexity is to power 45. And it can be done in practical time. This is our previous work. It motivates the multi-block. And next, let's see a basic attack on the third round, key track 224. This is our previous attack. We notice that in the end of the second forward round, there are five quadratic bits in each slice. And these quadratic bits will be disturbed to all the bits. And we have to construct quadratic polynomials, and this is hard to solve. So a natural idea is that if we want to improve this attack, we'd better to linearize all the bits in the end of the second round and at a lower cost of degree of freedom. So the question is, why these quadratic bits are generated? And the problem comes from the request that the bits in the capacity must be zero. And they cannot be set to other values or unknowns. So this is our motivation. If we want to linearize two rounds at a lower cost, we must break the limits from the capacity. And this leads to a multi-block approach naturally. But a key step is that the multi-block approach must have a lower complexity compared to the one block attack. And so the constraints on the middle state must be weak. And the middle state is just the output of the first block and the initial state of the second block. So how weak? From the capacity, there are 448 constraints. And from the digest, we have 224 constraints. So the constraints on the middle state must be smaller than the minimal one. And only in this case, the multi-block attack can outperform the one block attack. And another case is that the middle state should also make the system easier to solve. So we start this way and see which middle state should be used. And this is the ideal case, that if we set the initial state like this, two rows are set to unknowns, and row 1 and row 3 are set to 0, and the last row are set to 1. We can prove that with this setting, we can linearize all the bits at the end of the second round, and we can obtain the best degree of freedom after two forward rounds. So this is the ideal case. But so the state A can survive the middle state. But if we require the output of the first block to meet the state A, we must have 448 constraints. This is too expensive. So I think in this, we change our target. We realize that to get the equivalent effect in the end of the second round, it surfaces to meet the state B. This is a bit easier because we can choose the values of the sums of the columns during the theta operation. And this is our main theory of this work. It proves that if the base in the state A prime satisfies the following two constraints, then we will obtain the state B after the theta operation. By this theorem, we do not require the base in the capacity of the A prime equals to 1, 0 to 0, strictly. Instead, we only require the differences between different rows. That is, by this theorem, we only require the base in the second row and the fourth row are equal, and the last row adjusts their complements. As many of the base in the A prime state can be adjusted by the second method block, so we do not, particularly for the first three columns in the last row. So in our attack, we only need to care about the last two columns of the last two rows. So next, let's see how many constraints are needed for the three round key track 3, 2, 2, 4. And the answer is only 130, one from the padding and two times 64 from the differences and one from the last row. Clearly, the number 130 is smaller enough, and it can also make the system easier to solve. So the following procedures are not difficult. For the first method block, we use Guo Liu Song's method and construct the linear system. The complexity is 2 power 66. This is for the first block, and for the second block, the complexity is 2 power 31, because all beats are linear before the operation in the third round. So put them together, 2 power 66 from block 1 and 2 power 31 from block 2, and all complexity is 2 power 66, dominated by the first block. This is better than the previous better result given by Guo Liu Song. But we notice that the complexity of the first block is much higher than the second one. So we can improve this attack by decreasing the complexity of the first block and increasing the complexity of the second block. Therefore, remember the 130 equations constructed on the middle states? We can require them whole partially, and this will balance the complexity between the two blocks, and this leads to our improved attack. As we have the required not all equations hold at the same time, we can compute the theoretical probabilities when M equations hold out of 129. Here not the 130, because one equation is not important. And the right column shows the theoretical result. We can see that if we want all the equations hold, the probability is very low. But the probability will increase, obviously, even if we only require one equation not hold. And in the middle column is the practical probability we obtained from the experiments, and we constructed systems and solved for the first message blocks. And the left column shows the number of solutions we have obtained. From this table we can see that the theoretical probability matches very well. And there are three first message blocks when M truth is different values. So the last question is how can we deal with the effect caused by the non-hold equation? And generally a non-hold equation will lead to one mutant bit in state B. There are two types of the mutant bits in state B shown in the figure. In the left, one bit in the state B becomes one where it is supposed to be zero. This is type one, and this is a type two, which is just the opposite. And these mutant bits are not difficult to resolve. And basically it costs two power k operations to deal with k mutant bits. And this will increase the complexity of the second block. Now let's see the overall complexity. First the theoretical one. C i refers to the complexity of the block i. And M is the number of the holding equations. From this table we can see that when the number M increases, C i increases and C 2 decreases. And we can obtain the best attack when M equals to 120. And this is the practical complexity. We also obtain the best attack when M equals to 122. And in this table, because we stop our program after we find the first second message block, so the practical complexity is a bit higher than the theoretical one. And our codes are publicly available as GitHub. And this is a toy example to find the second pre-image for the message one. And this is a padded message and this is digits. And there are two other second pre-images when M equals to 121, the 22 and 123. And last, this is a short summary. In this talk, we present a multi-block pre-image attack model and provide the best theoretical complexity on three-round and four-round K-track 224 and 256. And we give the first practical pre-image attack on three-round K-track 224. And these are the detailed results. Thanks for your attention. Thank you very much. Are there questions? Yes. What happens with the larger versions of K-track 384, 512, can you get improved attacks but which are not practical or your improvements do not work at all for the larger versions? Larger state? 384 or 512? We tried but it's not worked because the base in the capacity is too much. We cannot improve the current theorem to get a better constraint on the middle state but we are still trained. But at the moment you don't have even a better theoretical attack. More questions? No, then let's thank the speaker again.