 Okay, so the third talk of the session is a rotational kryptonisys of round-reduced kechak by Kabel Moriecki, Joseph Pipsic, and Marian Trevny and Pavel Pipsic in our presence. Hello everyone, thank you for the introduction. This is a joint work with Joseph Pipsic from Australia and my colleague, Marian Trevny, from Warsaw, Poland. And we did analysis, kryptonisys on a round-reduced kechak. There are some similarities between our work and the work that's been given just before by Italy. Here is an outline of the talk. I will skip the brief description of the kechak. I'll only mention a couple of crucial things, because we have already a nice one, we've just heard. Then I give a main idea of rotational kryptonisys. Maybe some people are not familiar with this notion, and then we take a closer look at how it applies to permutation, the main building block of the kechak hash function. Finally, I will show how our analysis leads to pre-mage attacks on pre- and for-round and conclude my work. So this slide, I think we can skip also this one. I guess I should mention that we exploit the same property that's in last step. The hammering weight of constants are very low and we take advantage of this feature. Okay, this was already explained also. So let me give you a few words, what the rotation of kryptonisys is all about. In previous years, it was mentioned a couple of times, but it was formally introduced by Dmitriy Kobratovich and Ivica Nikolich a couple of years ago. The main idea is very simple. We deal here with rotation, I mean normal circular shift. Here's an example, we've got 8-bit words, we're rotated by three positions and we've got another 8-bit word, rotated. What we hope as the attacker is that we get two inputs, one and the other one rotated and hopefully after a couple of operations the rotational relation is still preserved. This is what we are looking for and we hope for. Of course, it doesn't look so great for most cryptographic primitive, but it turns out that for catch-up we can actually use this technique for a couple of runs. Let's take a closer look the basic bitwise operations because in catch-up we all noted that there are only exclusive words, bitwise end, rotations and exploring with constants. Most of these operations preserve rotational relation and I give a simple example here. We've got two inputs, 8-bit inputs and then on the right side the same input but rotated by two and if we explore this two and this two we see that the outputs are also with the same relation. These two ones are by two positions on the right. So we conclude that extra operation preserves rotational relation. The same reasoning can be given for end operation. So it's quite easy and of course rotational operation in a natural way preserves the rotational relation. Here is one 8-bit input and we rotate by seven. Here is the result and the same is calculated there and we see that this and this also that's the same relation that this output is rotated by two. And finally we've got this Yota step, exploring with constants and here things don't look that great. Also I'll give you a simple example. We absorb with constants this gray one and if you look carefully there are two bits which their values are not as they should be. So we call it inversions and we mark it by red color. In general we can say the more ones in the constants and the hamming weight is higher more inversions are introduced and as if they said before it disturbs the symmetry in the state. So here is the same story actually. So let's see how it looks like in terms of catch-up permutation. So we have two states. Actually in this presentation the state is represented in slightly different ways and maybe I should elaborate a bit on this. There are 25 lanes. The lane is 64 bits worth and each lane is in one row. So there are 25 rows and each row is a lane. So it's a bit different graphical representation and what we have here is that this diagram represents the rotational relation between two corresponding states where this state on the right is rotated by some chosen rotation number N. So let's assume for a moment that N is say 10 for this example and this each little square this yellow square represents the XOR if you like between corresponding bits. So this little guide here means that the difference between first bit and the 10 bit because we remember that we rotated by 10 are very cool. And if the color is black the values are opposite and if the color is red the value is unknown. So we can we can track actually how the rotational relations evolve through the rounds and we did this. So we go through the first round and two opposite values appear and then we go through another round and here things starting to look more interesting. Red squares starting appear and let's stop for a moment that and see exactly why the red squares appear. It should not be a surprise that it is because non-linear step guide similar to differential cryptocurrencies when the actual values matters when we have a non-linear step. So here is the same thing we don't know actual values but only the relation are the equal or are the opposite. So after this non-linear step we red squares undesirable for our analysis starting to appear and if we go one more round three rounds there are much more these bad guys and after the fourth round we cannot say nothing useful all squares are red so we cannot say and we probably do one we cannot say anything for certain. So in other words we can say here that we construct a distinguisher rotational distinguisher for three rounds and now I will tell you how we convert this how we use this distinguisher or to be precise a family of distinguisher to mount the three image attacks first on three rounds and then we do some tricks to extend the four round. So our our attack actually it applies for all variants of Kecek proposed as short free candidates but for a moment let's concentrate on Kecek 512. Here are parameters speed rate and capacity and the hash length. So first we we define the message structure first eight lengths namely 512 bits are unknown and so we have to determine this as an attacker plus 62 bits are set to one and we have to consider padding and so the message such a message is padded with two ones giving a block of 576 bits so it's determined by this parameter. So why why such a structure there are two reasons first among these two to the five possible messages there is an average we can expect one greenage of a given hash and secondly with such a structure we we only care about this first five 12 unknown bits because the rest is all zeros or all ones in the in the particular world so no matter if you got all zeros or all ones if you rotate by three by seven by whatever you've got the same the same number so we don't care about the other words the other lanes if you use Kecek nomenclature. So the main the main idea is goes like this we want to find a rotational counterpart and once we get this we just go back we rotate it back and got the greenage and in our in our paper in our analysis we showed that the the effort is below exhaustive surge the effort to find this rotational counterpart and how we do that well the the basic idea goes like this if we take a message we know that there exist 64 rotational counterparts right one rotated by one one another rotated by two by three and so on and finally one rotated by 64 which is an identity function and so in our what we have 64 rotational counterparts and if we choose the random and the chance that we actually choose the rotational counterpart the probability is given here right so after two to the five or six gases we can expect that we hit the rotational counterpart but we don't know which we cannot just check because then we would end up with exhaustive surge so here we have to do something about this and help comes from rotational distinguishes so before before I I give you a main loop of attack in pre-computation we we generate these diagrams please remember that the attacker has access only to the first five hundred twelve pieces the attacker is is given only a hash not the whole state so we generate the these diagrams for each of rotation numbers 64 diagrams and we start in memory actually we are interested only in this yellow and black squares so now let's go to the main loop and I will I will stay for a moment here because that's the that's the main the main part of our work what we do now so guess first in length 512 bits and other bits are fixed to the structure around it on the three rounds catch up and then we ask ourselves do a rotational relation agree with any of 64 distinguishes in other words do we do we choose a rotational counterpart and how do how do we check we we do not run it 64 times on catch up but use already pre-computed distinguishes we check for example let's say that this is a rotational relation distinguisher rotated by one so we check this yellow and black squares and check okay here is okay okay okay then something's wrong then we conclude for sure it is not a rotational counterpart rotated by one and so we go to another one another one and this effort is surely can be neglected because it's just a couple of stars and once rotational relation agreed then there is a good chance that it's actually a rotational counterpart surely there there will be some false positive candidates we call it false positive because the probability that it could pretend that it's rotational counterpart but it's actually not so we have to check but it doesn't change our the complex the attack the workload of the attack is here but I didn't explain this checking special messages here's a little detail I I'm not sure I I should I should dive into this but basically when I said just like every pre-image has 64 possible rotational I'm a bit fine there because if you are careful you know that if some messages all ones so it has only one rotational counterpart I mean itself right if we rotate it by one it's still all ones rotated by those still all ones but we feel that and we can calculate this number precisely that such we call special messages it's only a fraction so it doesn't change our analysis actually this is the number of special messages here's a main loop and checking possible possible the candidates so the complexity of the attack is 2 to the 506 calls 64 times better than the exhaustive such and similarly we can mount the attack for other variants the factor we gain is is about the same so if you remember this this slide with pictures and in the fourth round all squares are red right so we cannot directly extend our attack to four rounds and we we did some trick I have no time to give you full details on it so I encourage to take a look at our paper but the basic idea is that instead of running normal catch up we use a modified version without this yelta step and then there are less black squares and in consequence less or fewer right red squares and we can go nearly the end of the end of four rounds and this is sufficient to mount the attack for four rounds the complexity stays the same here's a title of related works basically there are only two two works one by Dan Bernstein or the best result in terms of rounds is eight rounds but the complexity is just half a bit less than exhaustive search and what is important here and I want to stress that our attack is the first attack with a negligible amount of memory because in in Dan's attack the memory we need is is is quite high and if we compare the attacks for the same number of rounds the complexities are pretty close but the difference is in memory so let's conclude our main result is for pre-image attack 64 times better than the exhaustive search actually we we also mount the four five round distinguisher we enhance our rotational crypto noises with some correlation techniques and it allows us to go one more step I have no time on on this again I encourage you to take a look at our paper and as already I mentioned we take advantage of low humming waves of constants it would be much harder to to mount the attack if there were more ones so there is some insights about Katzak I agree with it and don't matter so maybe now we don't have to worry about as Katzak has 24 rounds but if he wants to use it in constrained environments and make it more faster and use just maybe 10 rounds or 8 rounds then there is a issue we we should you should take into account so thank you for your attention is there any questions you say that you take advantage of the low constants and yes you also take advantage of the zero chain value put right yes yes the biggest both as big as the constants I mean in the chain value as some random bits then probably this would not work yes yes because the I mean it would work but not that's not that's not that's hard do you think that's I mean rotation of criticism be used with rebound attack do you think he would be physical I know rebound attack not that easy and Katzak but do you what do you foresee for this in the paper in conclusions we we we have written that it is a good direction and combine these two techniques your paper on rebound attacks looks promising but but it's quite difficult the techniques or I don't know you want a distinguisher right yeah yeah so will you I'm not sure we can convert this maybe maybe we can also a rotational rebound distinguisher but would be harder to convert it to attacks on the core properties like pre-image and collision okay let's thank the speaker again