So, I'm talking about SHA-1. [Transcription garbled here; recoverable fragments: SHA-1 is a hash function designed by the NSA in 1995 with a 160-bit output; Crypto 2005, Wang, Yin, and Yu; preimage resistance; De Cannière and Rechberger; 44 steps] and brute force only one year later at Crypto again. Aoki and Sasaki presented an attack on 48 steps, and the results that we can now obtain in this paper work up to 57 steps. And for previously considered variants, we have faster attacks, about 2 to the 10 times faster. It's clearly an improvement over previous attacks, but just to be clear, this is still kind of an academic competition because full SHA-1 has 80 steps. So if the competition goes on like it started in the last four years, then we will see preimage attacks on full SHA-1 at Crypto 2020. But then we will all be using SHA-3. In fact, our starting point technically was the attack by Aoki and Sasaki. And they used a meet-in-the-middle attack framework that they developed in a series of papers and which resulted in the first preimage attack on MD5. But MD5 and SHA-1 are significantly different in their message expansion. And the translation of the techniques from MD5 to SHA-1 resulted in quite a complicated attack, this attack here by Aoki and Sasaki. And we could not see how to extend it.
But finally, the reason for our new results, or the technical contribution, is not any new fancy technique, but just another perspective in general on these meet-in-the-middle preimage attacks. And this perspective is based on differential cryptanalysis. And in particular for SHA-1, this perspective is very natural, so it includes all the techniques by Aoki and Sasaki and just facilitates a lot finding concrete attack parameters, resulting in these new attacks. So let's see how it works, using the example of SHA-1. SHA-1 is a Merkle-Damgård construction with a Davies-Meyer compression function. A message is padded, then cut into blocks of 512 bits, and each block is processed separately by always the same compression function. And this compression function is built from a block cipher using a plaintext feed-forward. If we consider a one-block message, and this is what we do in this talk, then saying that M is a preimage of H is the same as saying that the initial value, which is specified by SHA-1, is encrypted to the hash value minus the IV, so by this block cipher here. So what we have is kind of a key recovery problem. And the idea is to separate this block cipher E into two parts, E1 and E2, and then to check whether M, just a randomly chosen message, is a preimage by computing E1 in the forward direction, E2 in the backward direction, and just check whether we have a match here in the middle. The difficulty with this is that we cannot separate the message into two separate parts, an input to E1 and an input to E2. If you could do this, then the classical meet-in-the-middle attack would apply, which I think was first observed by Diffie and Hellman in '77 and which is the reason that we don't use double DES but triple DES. So this does not work here because we cannot separate this message input.
Instead, we try to find a differential, a message difference and then an output difference, such that these two computations give the same result for all messages that we try. You can think of this capital delta 1 as a correction of the small delta 1 here that we apply to the message. Already here you can see this is quite a strong assumption, that such a differential exists for all messages, meaning that this, in differential terms, is a probability-1 differential on the whole state, and we will have to extend this later. The same thing we need for the backward direction, a delta 2 differential, and then the principle of the attack is as follows. We pick a message and we do these four computations: two computations in the forward direction, two computations in the backward direction. Note here that this is the delta 2 differential that holds for E2, and this is the delta 1 differential that holds for E1, so these two computations and these two computations will not be the same in general. And now here, if we have a match, or if we meet on the top, then it is clear M is the preimage. It's a bit more complicated if we meet here, but by definition of the delta 1 differential we can just add here the difference to the message and correct it with the capital delta 1. We have still the same computation. The two capital delta 1 cancel out, and what we see is that M plus delta 1 is a differential. And it works in the same way for the other two. And as a result, what we have done now is we have tested four messages at the cost of only two computations of E. One computation of E1 and one computation of E2 is equivalent to one computation of E. So this is the speedup that we can obtain. In general we will choose more differentials in both directions, 2 to the d differentials. They are a linear subspace of messages, and then this allows us to compute 2 to the 2d messages at the cost of only 2 to the d. And this is the source of the speedup of the attack.
So now, as I said, the critical part is: do such differentials exist? And for SHA-1 they exist, they exist like this if E1 and E2 only compute 15 steps. So in total we can attack 30 steps. To attack more steps we have to lower the assumptions on these differentials, and in differential cryptanalysis it's very natural what you have to do. You have to allow for probabilistic differentials and for truncated differences. Both are very common concepts in differential cryptanalysis that we just use here for meet-in-the-middle attacks. This means that we allow the differential to hold only for many M, not for all, and we match here only, or we require equality only, on a certain subset of bits and not on the whole state. The same way in the backward direction, and then during the matching procedure, during the attack, we only compare this subset of bits. This introduces errors, two types of errors: we can miss actual parameters, which must be compensated by testing more messages, and we can have false positives, which means that we have to retest our positives. Both things increase complexity, and you have to trade these two errors to find optimal attack parameters. Just very quickly, for SHA-1 it seems to be the hard part to find these differentials, but for SHA-1 in fact it's not that difficult, because this GF(2)-linear message expansion facilitates things a lot.
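The matching procedure of the two preceding passages, the four-way (and in general 2 to the 2d way) test with the correcting output differences, and the truncated match that must be followed by re-testing the positives, as an added toy example. This is not the speaker's code and it is not SHA-1: the 16-bit "block cipher" E = E2 after E1, the GF(2)-linear maps L1 and L2, the Davies-Meyer feed-forward and the constants are all constructed here so that probability-1 differentials exist on the whole state for differences confined to one nibble of the message (the situation the talk describes for 15-step halves), which is what makes the speedup mechanical. Probabilistic differentials are not modelled; the toy only shows the bookkeeping once the differentials are known.

```python
# Toy illustration of the differential meet-in-the-middle preimage test.
# Everything is constructed for the example: the cipher, the linear maps and
# the hash are NOT SHA-1 and have no cryptographic strength.

MASK = 0xFFFF          # 16-bit state and message words (toy size)
IV = 0x6A09            # constructed initial value

def rotl(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK

def nonlin(x):
    # Constructed non-linear mixing (stands in for the cipher's step function)
    x = (x * 0x9E37 + 0x79B9) & MASK
    x ^= x >> 7
    x = (x * 0x85EB) & MASK
    return x ^ rotl(x, 5)

def L1(x):
    # GF(2)-linear: L1(a ^ b) == L1(a) ^ L1(b); this is the "capital delta 1"
    return (x ^ (x << 3) ^ (x >> 5)) & MASK

def L2(x):
    # GF(2)-linear; plays the role of the "capital delta 2" correction
    return x ^ rotl(x, 7) ^ rotl(x, 13)

LOW, HIGH = 0x000F, 0xF000   # message bits that enter E1 / E2 only linearly

def E1(state, m):
    # First half: the low nibble of m enters only through L1, so a difference
    # v in LOW gives E1(s, m ^ v) == E1(s, m) ^ L1(v) for every m (prob. 1).
    return state ^ nonlin(m & ~LOW & MASK) ^ L1(m & LOW)

def E2(state, m):
    # Second half: the high nibble enters only through L2 (same argument).
    return state ^ nonlin(rotl(m & ~HIGH & MASK, 9)) ^ L2(m & HIGH)

def E2_inv(state, m):
    return E2(state, m)   # XOR-based, so E2 is its own inverse in the state

def hash_toy(m):
    # Davies-Meyer feed-forward: H = E_m(IV) ^ IV, with E = E2 after E1
    return E2(E1(IV, m), m) ^ IV

D1 = [v for v in range(16)]          # 2^d message differences for E1 (d = 4)
D2 = [u << 12 for u in range(16)]    # 2^d message differences for E2

def batch_test(m, target_hash, match_mask=MASK):
    """Test the 2^(2d) messages m ^ u ^ v (u in D2, v in D1) for being
    preimages of target_hash with only 2^d E1 and 2^d E2 evaluations.
    m ^ u ^ v is a preimage iff
        E1(IV, m ^ u) ^ L1(v) == E2_inv(h, m ^ v) ^ L2(u),
    so the u-side and v-side terms are separated and matched via a table.
    match_mask restricts the comparison to a subset of state bits (a truncated
    match); every hit is then re-tested with the full hash.  Returns
    (set of preimages found, number of false positives)."""
    h = target_hash ^ IV                       # E_m(IV) has to equal h
    forward = {}
    for u in D2:                               # forward direction, corrected by L2(u)
        key = (E1(IV, m ^ u) ^ L2(u)) & match_mask
        forward.setdefault(key, []).append(u)
    candidates = set()
    for v in D1:                               # backward direction, corrected by L1(v)
        key = (E2_inv(h, m ^ v) ^ L1(v)) & match_mask
        for u in forward.get(key, []):
            candidates.add(m ^ u ^ v)
    preimages = {c for c in candidates if hash_toy(c) == target_hash}
    return preimages, len(candidates) - len(preimages)

def brute_force_batch(m, target_hash):
    # Reference: the same 2^(2d) candidates hashed one by one
    return {m ^ u ^ v for u in D2 for v in D1 if hash_toy(m ^ u ^ v) == target_hash}

def find_preimage(target_hash):
    """Sweep the whole 16-bit message space in 256 batches of 256 messages;
    each batch costs 16 E1 + 16 E2 = 16 full cipher evaluations instead of 256."""
    for mid in range(256):
        preimages, _ = batch_test(mid << 4, target_hash)   # both nibbles are covered by the batch
        if preimages:
            return min(preimages)
    return None

if __name__ == "__main__":
    target = hash_toy(0xBEEF)            # constructed target
    print(hex(find_preimage(target)))
```

With `match_mask=MASK` the match is on the whole state and no false positives occur; passing a narrower mask (for example `0x00FF`) reproduces the truncated-match trade-off: the real preimages are still found, because the differentials here hold on the full state, but extra candidates come back and have to be re-hashed, which is the "retest our positives" cost mentioned above.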
So without going into the details: because this message expansion is linear, you can find a relatively small set of obvious candidate message differences delta 1 and delta 2 just by linear algebra, and the corresponding correcting output differences you can find by linearizing the step transformations. This is a common technique in differential collision attacks. And among all these candidates you can do a simple experimental search to find the best one, which gives you the attack parameters. For all our attacks, the whole set of attack parameters, so this differential, is given in the ePrint version of the paper. There is a small technicality: if you want the preimage that you are supposed to find to have a correct padding, then this imposes a restriction on the choice of your message differences, and this increases complexity. But for this also there is a nice idea in the paper. Instead of finding a one-block preimage, you can use a trick with a two-block preimage and you can avoid this complication. And as a result, at almost the same cost, you can find a correctly padded two-block preimage and you can find a one-block preimage without padding. To summarize, this is an illustration of our results. The pluses here are the one-block preimages without padding, the bullets are the two-block preimages with the correct padding, so what we want. And this here, for comparison, is the Aoki-Sasaki result; it was the best result before. Thank you for your attention.