Hello everyone, I'm Danping Shi from the Institute of Information Engineering, Chinese Academy of Sciences. It is a pleasure to give a talk about automatic search of meet-in-the-middle preimage attacks on AES-like hashing. This is joint work with Zhenzhen Bao and others. Firstly, let's start with an introduction of the research background. In this paper, we mainly focus on hash functions built on AES-like block ciphers. These hash functions are usually constructed from compression functions: the padded message is partitioned into several blocks, the compression function is iterated over all message blocks, and after processing the last message block, the message digest is output. The compression function itself can be constructed from a block cipher. Preneel et al. summarized several PGV modes to convert a block cipher into a compression function, and these are the modes commonly used in practice. When the underlying block cipher is AES-like, we call the hash function AES-like hashing. An AES-like round function typically consists of four operations, and the state is organized into a two-dimensional array of cells. SubCells applies a non-linear substitution box to each cell. ShiftRows permutes the cell positions according to a fixed permutation. MixColumns updates each column by multiplying it with a maximum distance separable (MDS) matrix. AddRoundKey adds a round key into the state. Preimage resistance refers to the property that, for a given target, it is computationally difficult to find a message satisfying this equation, where H0 is a fixed initialization value. Usually we first find a pseudo-preimage of the compression function, and then convert the pseudo-preimage into a preimage in a generic way. This is done by first finding several pseudo-preimages and then, starting from the real initialization value, using several random message blocks to get several chaining values.
Among these chaining values, we can expect to find a match. The core is a meet-in-the-middle pseudo-preimage attack on the compression function. In the meet-in-the-middle attack, the computation is divided into two chunks. The chunk computed in this direction is named the forward chunk and the other the backward chunk, and they are matched at an intermediate round. Note that each chunk includes at least one message word that is independent of the other chunk; these message words are called neutral words. In this figure, the neutral words for the forward chunk and the backward chunk are denoted by blue MA and red MB, respectively. The attack procedure is as follows. First, assign arbitrary compatible values to all bytes except those that depend on the neutral words. For all values of the forward neutral words, compute forward to get candidate values of the matching state, and for all values of the backward neutral words, compute backward to get candidate values of the matching state. Sort the two lists and check for a full state match. A partial matching technique is applied: usually we first check whether there is a partial match on several cells, and only for the surviving pairs check for a full state match. Repeating this procedure several times while changing the values of the fixed message words, we can expect to find a full state match. The attack complexity is shown in this equation, and in order to obtain a better attack, the minimum of the sizes of the neutral bytes and the matching bytes should be maximized. The splice-and-cut and initial structure techniques were developed to strengthen the attack. Take the Davies-Meyer mode as an example: computation across the first and the last round is allowed, so through the splice-and-cut technique, the starting point can be placed at an intermediate round. The initial structure further allows us to skip several rounds around the starting point. Take the AES MixColumns as an example: the three red cells are chosen as neutral bytes for the backward chunk.
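The complexity equation on the slide is not reproduced in the transcript. The standard meet-in-the-middle complexity it presumably refers to is the following (a reconstruction, assuming d1 and d2 bits of freedom in the two chunks and m matching bits):

```latex
% Standard MITM pseudo-preimage complexity (a reconstruction; the slide's
% exact equation is not in the transcript). n = state size in bits,
% d_1, d_2 = freedom degrees of the forward/backward neutral words,
% m = number of matching bits.
\[
  T \approx 2^{n}\left(2^{-d_1} + 2^{-d_2} + 2^{-m}\right)
    = O\!\left(2^{\,n-\min(d_1,\,d_2,\,m)}\right),
\]
```

which is why maximizing the minimum of the neutral-byte and matching-byte sizes, as stated above, directly improves the attack.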
So there are 2 to the power of 24 possible values. The three red bytes are unknown in the forward computation; thus each output byte would be unknown, because all output bytes depend on these three red cells. But if we impose the restriction of equation one, the three red cells now have constant impact on two output cells, and more bytes can be computed in the forward chunk. Under this condition, there are 2 to the power of 8 possible solutions for the three red cells. The initial structure technique is used in this way to cancel the impact of the neutral cells on the opposite chunk by consuming the freedom degrees of the neutral bytes. In our model, we will extend the initial structure technique to every possible one. Next, I'd like to give a method for programming the attack with mixed integer linear programming. The complexity of the attack mainly depends on three configurations. The first one is the chunk separation: the starting point and the matching point should be determined. We build an independent model for each chunk separation; that means for each individual model, the starting and the matching points are fixed, and all possible chunk separations will be tried. As I said earlier, our starting point is a state, and we extend the initial structure technique to every possible one by adding constraints to the neutral cells and consuming freedom degrees to cancel the impact on the opposite chunk. The second one is the neutral cells: the selection of and the constraints on the neutral cells determine the freedom degrees of each chunk. The third one is the cells for matching, which also depends on the selection of the neutral cells. We encode the attribute of each cell with 0-1 variables and convert the computation rules into constraints over these variables. Firstly, the attributes of state cells are encoded according to whether they are determined by the neutral bytes from one direction, from two directions, or from none.
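The degree counting in this MixColumns example can be made explicit (the constant-impact condition is the "equation one" referred to above):

```latex
% Degree counting for the MixColumns example: 3 neutral red bytes, with
% the imposed requirement of constant impact on 2 output cells.
\[
  \underbrace{3 \times 8}_{\text{freedom of the red cells}}
  \;-\;
  \underbrace{2 \times 8}_{\text{constant-impact conditions}}
  \;=\; 8 \ \text{bits},
  \qquad\text{i.e. } 2^{8} \text{ solutions remain.}
\]
```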
Then the four attributes can be encoded by two 0-1 variables. A gray cell is encoded by (1, 1); these are constant bytes, known in both chunks. A blue cell is encoded by (1, 0); these are determined by forward neutral bytes and constants, and known in the forward chunk. A red cell is encoded by (0, 1); these are determined by backward neutral bytes and constants, and known in the backward chunk. A white cell is encoded by (0, 0); these are determined by both forward and backward neutral bytes, and unknown in both chunks. In this encoding scheme, the blue and gray cells are known in the forward chunk, while the red and gray cells are known in the backward chunk. A cell is known in the forward chunk if and only if variable x equals one, and known in the backward chunk if and only if variable y equals one. Under this encoding scheme, the numbers of blue cells and red cells in the starting point, which are the initial freedom degrees of the two chunks, can be computed easily. Here I give an example. We introduce an indicator variable beta for each cell, and let beta equal one if and only if the cell is gray. This rule restricts the three variables to a subset of F2 to the power of 3, and the subset can be described by a system of linear inequalities obtained by the convex hull computation method. Since x equals one if and only if the cell is gray or blue, and y equals one if and only if the cell is gray or red, the initial freedom degrees can be computed by these two equations. Then we add constraints over these variables according to the basic rules of attribute propagation. The rules in the two directions are different, but since the meanings of red and blue cells are dual for the forward and backward computations, in the following I only describe the attribute propagation rules in the backward chunk computation.
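The encoding and the degree counting above can be sketched in a few lines. The talk derives the inequalities by convex hull computation; the three inequalities below are my own equivalent hand-picked system, verified by enumeration, and the toy state is illustrative:

```python
# Sketch: encode the four cell attributes with (x, y) and an indicator
# beta (beta = 1 iff the cell is gray, i.e. x = y = 1), then check that a
# small system of linear inequalities cuts out exactly the valid triples.
from itertools import product

# Attribute -> (x, y): x = known in forward chunk, y = known in backward chunk.
ATTRS = {"gray": (1, 1), "blue": (1, 0), "red": (0, 1), "white": (0, 0)}

# Valid (x, y, beta) triples: beta = 1 iff the cell is gray.
valid = {(x, y, int(x == 1 and y == 1)) for (x, y) in ATTRS.values()}

def satisfies(x, y, b):
    """Candidate linear description of the valid subset of F_2^3."""
    return b <= x and b <= y and x + y - b <= 1

# The inequalities must accept exactly the valid triples among all of F_2^3.
accepted = {(x, y, b) for x, y, b in product((0, 1), repeat=3)
            if satisfies(x, y, b)}
assert accepted == valid

# Initial freedom degrees of a toy starting state: a blue cell contributes
# x - beta = 1 to the forward degrees, a red cell y - beta = 1 to the backward.
state = ["blue", "blue", "red", "gray", "white"]
d_fwd = sum(ATTRS[a][0] - (a == "gray") for a in state)  # number of blue cells
d_bwd = sum(ATTRS[a][1] - (a == "gray") for a in state)  # number of red cells
print(d_fwd, d_bwd)  # 2 blue degrees, 1 red degree
```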
As our model is based on cells, SubCells does not change the attributes, and ShiftRows permutes the attributes according to the cell permutation. The XOR operation can consume freedom degrees of the opposite chunk to cancel impacts; thus a new variable sigma is introduced for each XOR operation to count the consumed degrees. This figure shows the rule for propagation through the XOR operation in the backward computation, where the opposite blue freedom degrees can be consumed. For example, the two blue bytes are unknown in the backward computation; if one blue freedom degree is consumed, the two blue bytes can be made to have constant impact on the output cell. This rule restricts these variables to a subset of F2 to the power of 7, which can be described by a system of linear inequalities obtained by the convex hull computation method. According to whether there are white, red, or blue cells, the rule for propagation through the MixColumns matrix can be divided into five cases. If there is at least one white cell in the input column, all the output cells are unknown, that is, white. If all the input cells are gray, then all output cells are gray. In case two, assume there are blue cells but no white and no red cells in the input column. If we do not add any restrictions, all output cells would be blue; but adding new constraints by consuming blue freedom degrees will lead to constant impact on several bytes, so each output cell can be blue or gray. Moreover, the consumed degrees should be less than the number of blue cells in the input column, and this condition should also be fulfilled in case four. There, red output cells can be obtained by consuming blue degrees to cancel the impact on them; otherwise, the byte is white and unknown, because it is determined by both blue and red cells. Case five, where all inputs are gray, is obvious. In order to distinguish the five cases, we introduce three indicator variables.
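The five MixColumns cases can be sketched as a small classifier. The case numbering here follows my reading of the transcript (case 1 = some white input, case 2 = blue only, case 3 = red only, case 4 = blue and red, case 5 = all gray) and is an assumption:

```python
# Sketch: classify an input column of MixColumns into the five propagation
# cases described in the talk (backward chunk). Numbering is my reading of
# the transcript: 1 = some white input (all outputs white); 2 = blue, no
# red/white (outputs blue, or gray by consuming blue degrees); 3 = red only
# (outputs red); 4 = blue and red, no white (red/gray outputs only by
# consuming blue degrees, otherwise white); 5 = all gray (outputs gray).
def mc_case(column):
    attrs = set(column)
    if "white" in attrs:
        return 1
    if attrs == {"gray"}:
        return 5
    has_blue = "blue" in attrs
    has_red = "red" in attrs
    if has_blue and has_red:
        return 4
    return 2 if has_blue else 3

print(mc_case(["blue", "white", "gray", "gray"]))  # 1: a white input
print(mc_case(["blue", "blue", "gray", "gray"]))   # 2: blue, no red/white
print(mc_case(["red", "gray", "gray", "gray"]))    # 3: red, no blue/white
print(mc_case(["blue", "red", "gray", "gray"]))    # 4: blue and red
print(mc_case(["gray"] * 4))                       # 5: all gray
```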
Let mu equal one if and only if there are white bytes in the input column; this restricts the variables to a subset of F2 to the power of 9, and the constraints can be generated by the convex hull computation method. In a similar way, omega x is used to determine whether there are red cells. When there are no white cells, if x equals zero, the byte is red, so according to the values of the x variables in the input column we can determine whether there are red cells: define omega x equal to one if and only if each x equals one, so there are no red cells if omega x equals one. Omega y is used to determine whether there are blue cells, and its definition is similar to that of omega x. Now, with the help of the three indicator variables, we can convert the five cases into constraints by a conditional modeling approach. The first two constraints are obvious: when mu equals one, case one is described by equation two, and the other cases naturally satisfy equation two when mu equals zero. According to the observation that, when mu equals zero, each x in the output column equals omega x, the constraints of equation three are generated; the other cases naturally satisfy this equation. Now we only need to give the necessary constraints over the output y variables. In case three and case five, if omega y equals one, each y in the output column equals one; thus the final constraint of the last equation is generated. In case two and case four, when omega y equals zero, y may still equal one because blue freedom degrees are consumed, and the number of blue cells in the input column should be larger than the number of known output bytes. This is achieved by this constraint: the second term is the number of blue cells in the input column, the third term is the number of known bytes in the output column, and in order to make sure that the other cases naturally satisfy this constraint, the first term is added. These constraints describe the attribute propagation through MixColumns.
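The conditional-modeling pattern behind that last constraint can be illustrated numerically. The deactivating first term is modeled here as the column size 4 times omega y, which is my assumption about the slide's exact form, and the non-strict inequality is also an assumption (the transcript is ambiguous about strictness):

```python
# Sketch of the conditional-modeling ("indicator" / big-M) trick: when
# omega_y = 0 (there are blue input cells), the number of known output
# bytes must not exceed the number of blue input cells; when omega_y = 1,
# the first term makes the constraint vacuous. Using the column size 4 as
# the deactivating constant is my assumption, not the slide's exact form.
COL = 4  # cells per AES column

def constraint_holds(omega_y, n_blue_in, n_known_out):
    # omega_y = 1 iff there are no blue cells in the input column.
    return COL * omega_y + n_blue_in - n_known_out >= 0

# Cases two and four (omega_y = 0): consuming 2 blue degrees can make at
# most 2 output bytes known.
assert constraint_holds(0, n_blue_in=2, n_known_out=2)
assert not constraint_holds(0, n_blue_in=2, n_known_out=3)

# Cases three and five (omega_y = 1): even a fully known output column is
# allowed, since the first term deactivates the constraint.
assert constraint_holds(1, n_blue_in=0, n_known_out=4)
```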
In cases two and four, freedom degrees are consumed to cancel the impact on red or gray cells. If blue degrees can be consumed, the consumed degrees equal the number of known output bytes, and this can be described by this constraint, where delta is an indicator variable such that delta equals zero if blue degrees can be consumed. Now we have considered all operations. One may attempt to apply the XOR rule and the MixColumns rule separately. This approach is valid but misses important propagation schemes that may lead to better attacks. For example, consider the input columns shown in this figure: applying the XOR rule results in white cells after the XOR operation, and subsequently applying the MixColumns rule, we end up with a full column of white cells. However, if we model the XOR and MixColumns operations as a whole, as shown in this equation, we can still restrict the values of the blue cells to cancel their impact, and then some gray cells are preserved. Thus, we model the XOR and MixColumns operations as a whole in the backward chunk. The XOR-MixColumns rule and the MixColumns rule are similar; the main difference is how to compute the input blue degrees, so I will only explain the first equation. As I said earlier, if either the state cell or the key cell is blue, a blue freedom degree can be provided. Thus we introduce four variables t i, one per cell, with t i equal to one if either the state cell or the key cell is blue. Then the sum of the t i is the number of input blue freedom degrees, and this constraint is obtained. Note that, in order to make sure the other cases naturally satisfy this constraint, the first two terms are added. Finally, in order to find a valid attack, there should be at least one byte that can be used for matching. Note that, apart from directly matching the values of common words, any determined relation between words in the states at the matching point can be exploited to filter out mismatched computations.
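The t i variables described above can be linearized in the standard way, since each t i is the Boolean OR of the two blue indicators; the toy column below is illustrative:

```python
# Sketch: t_i = 1 iff the state cell or the key cell at position i is blue,
# i.e. t_i is the Boolean OR of two 0-1 indicators; the sum of the t_i is
# then the number of input blue freedom degrees. The standard linearization
# of t = a OR b over 0-1 variables is: t >= a, t >= b, t <= a + b.
from itertools import product

def or_constraints_hold(a, b, t):
    return t >= a and t >= b and t <= a + b

# The linearization admits exactly the OR truth table over 0-1 variables.
for a, b, t in product((0, 1), repeat=3):
    assert or_constraints_hold(a, b, t) == (t == (a | b))

# Input blue degrees for a toy column: blue indicators of state/key cells.
state_blue = [1, 0, 1, 0]
key_blue   = [0, 0, 1, 1]
t = [s | k for s, k in zip(state_blue, key_blue)]
print(sum(t))  # 3 input blue freedom degrees
```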
For the AES MixColumns, if the total number of known bytes in a column over both chunks is at least five, a partial match can be performed. To minimize the time complexity of the attack, the minimum of the sizes of the neutral bytes and the matching bytes should be maximized. With the presented tool, we evaluated the security of hash functions built on AES-like ciphers. For all targets, improved attacks are identified; in particular, our tool found the first preimage attacks on 8-round AES-128 hashing modes. Thanks for your attention.