Hello everyone, my name is Fukang Liu. The title of this talk is New Semi-Free-Start Collision Attack Framework for Reduced RIPEMD-160. This is joint work with Christoph Dobraunig, Florian Mendel, Takanori Isobe, Gaoli Wang, and Zhenfu Cao.

As RIPEMD-160 belongs to the MD-SHA family, let me first recall some major breakthroughs made in the cryptanalysis of the MD-SHA family. At FSE 1996, Dobbertin proposed the first practical collision attack on full MD4. About 10 years later, Wang et al. proposed practical collision attacks on full RIPEMD, MD4, MD5, and SHA-0. In addition, Wang et al. also proposed the first theoretical collision attack on full SHA-1. In the same year, Biham also proposed the practical collision attack on full SHA-0. After 12 years, at CRYPTO 2017, Stevens et al. proposed the first practical collision attack on full SHA-1. As for RIPEMD-128, at Eurocrypt 2013, the first full-round theoretical semi-free-start collision attack was achieved.

During the cryptanalysis of the MD-SHA family, several techniques have been developed. The start-from-the-middle method developed by Dobbertin was used to break full MD4. The advanced message modification techniques and the modular differential attack have been used by Wang et al. to break many well-known hash functions. Neutral bits and boomerangs are also well-known techniques to accelerate the procedure to find collisions. These two techniques have been extensively used to accelerate the practical collision attack on full SHA-1.

In Wang et al.'s work, the differential characteristics are deduced by hand. It is quite time-consuming, so automatic tools to search for collision-generating differential characteristics have also been developed. At Asiacrypt 2016, the guess-and-determine method was proposed. Then, at Eurocrypt 2017, Stevens et al. independently proposed a meet-in-the-middle method to search for differential characteristics. To apply the guess-and-determine method to the SHA-2 characteristics, Mendel et al. improved the guess-and-determine method. And such a method was further improved at FSE 2014.

Although much progress has been made in the cryptanalysis of the hash functions belonging to the MD-SHA hash family, the progress made in the cryptanalysis of RIPEMD-160 is very slow. At CRYPTO 2019, the practical collision attack on RIPEMD-160 can only reach up to 31 steps. The theoretical collision attack can reach up to 34 steps. For the semi-free-start collision attacks, if the attacker is allowed to start from an intermediate step, the attack can reach up to 48 steps. If the attacker can only start the attack from the first step, before our work, the best attack can only reach up to 36 steps, and it seems difficult to extend such an attack to more steps. So obviously, our attack is a major improvement over the previous attacks. In summary, we can mount a practical semi-free-start collision attack on up to 37 steps, and our theoretical semi-free-start collision attack can reach up to 40 steps. So from the progress of the cryptanalysis of RIPEMD-160, we can know that although we have made some progress, it is still far from the full-round collision attack.

The reason why it is so difficult to analyze RIPEMD-160 is mainly due to its two-branch structure. So we can view RIPEMD-160 as two parallel branches. At first, the chaining variables are copied as the inputs to both branches. After 80 steps of computation, the two branches are again merged to generate a new chaining variable. Each branch is very similar to MD5. However, each branch adopts a different message expansion. Although the step functions used in both branches share the same structure, at the same step, for each branch, the round function, the message word, the round constant, and the rotation constant are all different. These make the two branches almost independent, so it is quite difficult to analyze RIPEMD-160.

After 80 steps of computation, the last five internal states in both branches, together with the previous chaining variables, are used to generate a new chaining variable, which will be used to process the remaining message blocks, if there are any. If there is no message block left, then they are used to compute the hash value.

For such a special structure, the procedure of the previous cryptanalysis of RIPEMD is composed of three steps. Of course, we need to have a differential characteristic at hand at first. So the first step is to fix a solution for the dense part. After this step, some message words will be fixed. Then, at step two, we will use the free message words to merge both branches. Specifically, we will compute backwards from the dense part to ensure the chaining variables are the same in both branches. After step two, the message words are all fixed, so we can only verify the left part probabilistically. If the conditions in the remaining probabilistic part do not hold, we have to return to step two or even return to step one.

Different from the previous methods, we will also propose efficient methods to fulfill the differential conditions. This is mainly due to our new observation on the message expansion. To fit with our efficient methods, the differential characteristic should also have a different pattern. Specifically, we will use the same pattern for the differential characteristic as that used in our CRYPTO paper. Specifically, the message difference is injected at M12. In this way, for the left branch, there will be no difference in the first 12 internal states. For the right branch, there will be no difference in the internal states. To fit with our efficient methods to fulfill conditions, the right branch should be as sparse as possible. Therefore, we will construct the differential characteristic on the right branch by hand.
Then we use the automatic tools to search for a compatible differential characteristic for the left branch.

For the differential characteristic, we can find a general procedure to fulfill the differential conditions. This is mainly from our observation on the message expansion. Specifically, for the left branch, X17 is updated with M7 in the second round. Besides, M7 is used to update the differential characteristic. So, we can imagine the case that all the conditions from X13 to X14 have been satisfied. In this case, changing M7 and computing backwards will have no influence on the internal states of X40. In other words, we can use the degree of freedom of M7 to ensure the conditions on the internal states before X13 on the left branch, and the differential conditions on the right branch.

Specifically, the overall attack procedure to find t-step semi-free-start collisions can be divided into three steps. The first step is to find a starting point. In other words, we need to find a solution for X13 to Xt to ensure the differential conditions on them hold. Then, according to our observation, we use the free message word M7. In other words, we can enumerate all values for X12 and then compute M7. Then, we check the conditions on X9, X10, X11 by computing backwards. If the conditions on them hold, we move to step 3. At step 3, we further compute backwards to obtain the chaining variables, and then further compute the internal states on the right branch and check the conditions on the right branch. If the conditions do not hold, we have to return to step 2. If all values of X12 have been used, we need to return to step 1 to regenerate a new starting point.

Therefore, the efficiency of regenerating a new starting point will also have an influence on the whole time complexity. Therefore, it is necessary to come up with an efficient method to regenerate a new starting point. We have two strategies. For strategy 1, we have two steps.
The first step is to modify X13, X14 and X15. Then, we update M4, M13 and M1 to keep the internal states from X16 to X35 the same. As M4 is changed and X36 is updated with M4, we have to compute X36 to Xt and check their conditions. If the number of conditions on X36 to Xt is small, it is quite efficient to regenerate a starting point with strategy 1.

For strategy 2, it is also composed of three steps. In step 1, we modify X14 and X15. Then, we compute X13 using M4, X14, X15, X16, X17 and X18 and check the conditions on X13. If the conditions hold, then we update M13 and M1 to keep the internal states from X16 to X39 the same. If the number of conditions on X13 is small, it is quite efficient to regenerate a starting point with strategy 2. In a word, if there are only a few conditions on X36 to Xt, we can use strategy 1 to regenerate a starting point. If there are many conditions on them, we can use strategy 2.

So, benefiting from our methods to regenerate a starting point, the cost to regenerate a starting point has almost no influence on the whole complexity. We can also compute that the whole complexity is dominated by the right branch. To further make our method efficient, the differential characteristic should be as sparse as possible in X13 to X17 to X16 to Xt and on the right branch.

This is the 36-step differential characteristic we found. Based on this differential characteristic and our methods to fulfill the differential conditions, we can find a practical colliding message pair for 36 steps, and we can also find a practical colliding message pair for 37 steps of RIPEMD-160. Compared with the previous framework, the advantage of our new framework is that it is very simple and efficient. In addition, the memory complexity is further reduced. In summary, we achieved practical semi-free-start collisions on 36 and 37 steps of RIPEMD-160, and the theoretical semi-free-start collision attacks can reach up to 40 steps.

That's all. Thank you.
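
Added example, not part of the talk or the authors' code: a Python check of the message-expansion observation behind strategy 1 and the free word M7, using the standard RIPEMD-160 left-branch word order, rotations, round functions and constants for steps 17 to 48. It assumes the state numbering in which step i outputs X_i; the function names and the random inputs are constructed here, and no differential conditions are modelled.

```python
import random

MASK = 0xFFFFFFFF
# RIPEMD-160 left branch, steps 17..48 (rounds 2 and 3), 1-indexed as in the talk.
R = [7, 4, 13, 1, 10, 6, 15, 3, 12, 0, 9, 5, 2, 14, 11, 8,      # message word
     3, 10, 14, 4, 9, 15, 8, 1, 2, 7, 0, 6, 13, 11, 5, 12]
S = [7, 6, 8, 13, 11, 9, 7, 15, 7, 12, 15, 9, 11, 7, 13, 12,    # rotation
     11, 13, 6, 7, 14, 9, 13, 15, 14, 8, 13, 6, 5, 12, 7, 5]

def rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def f_k(i, x, y, z):
    """Round function plus round constant for step i (17..48)."""
    if i <= 32:
        return (((x & y) | (~x & MASK & z)) + 0x5A827999) & MASK
    return (((x | (~y & MASK)) ^ z) + 0x6ED9EBA1) & MASK

def step(i, X, m):
    """Forward: X[i] from X[i-5..i-1] and the message word of step i."""
    t = rol(X[i-5], 10) + f_k(i, X[i-1], X[i-2], rol(X[i-3], 10)) + m[R[i-17]]
    return (rol(t & MASK, S[i-17]) + rol(X[i-4], 10)) & MASK

def solve_word(i, X):
    """Backward: the message word that makes step i output the given X[i]."""
    t = rol((X[i] - rol(X[i-4], 10)) & MASK, 32 - S[i-17])
    return (t - rol(X[i-5], 10) - f_k(i, X[i-1], X[i-2], rol(X[i-3], 10))) & MASK

def run(X12_16, m, last=36):
    X = dict(zip(range(12, 17), X12_16))
    for i in range(17, last + 1):
        X[i] = step(i, X, m)
    return X

def regenerate(X, m, rng):
    """Strategy 1, then the free choice of X12 absorbed by M7."""
    Y, m2 = dict(X), list(m)
    for i in (13, 14, 15):
        Y[i] = rng.getrandbits(32)          # modify X13, X14, X15
    for i in (18, 19, 20):
        m2[R[i-17]] = solve_word(i, Y)      # update M4, M13, M1
    Y[12] = rng.getrandbits(32)             # any value of X12 ...
    m2[7] = solve_word(17, Y)               # ... fixes M7
    return [Y[i] for i in range(12, 17)], m2

def demo(seed=2020):                        # constructed random inputs
    rng = random.Random(seed)
    m = [rng.getrandbits(32) for _ in range(16)]
    X = run([rng.getrandbits(32) for _ in range(5)], m)
    start, m2 = regenerate(X, m, rng)
    Z = run(start, m2)
    return X, Z, m, m2
```

`demo()` returns the original states `X`, the regenerated states `Z` and both message blocks; X16 to X35 agree in the two runs, and X36 is the first state that has to be recomputed because M4 is reused at step 36.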