hash functions and cayley graphs: the end of the story · ucl crypto group microelectronics...

UCL Crypto GroupMicroelectronics Laboratory Ch. Petit - MSR - March 2010 1

Hash functions and Cayley graphs:The end of the story ?

Christophe Petit

Hash functions

H : 0, 1∗→ 0, 1n

Applications

I Message authenticationcodes

I Digital signatures

I Password storage

I Pseudorandom numbergeneration

I Entropy extraction

I Key derivationtechniques

Properties

Constructions

“Classical”

hash function

Hash function based on aCayley graph

Constructions

“Classical”

hash function

Constructions

“Classical”

hash function

Outline

Introduction

Cayley hash functions

Security : state of the art

The end of the story ?

Conclusion

Outline

Introduction

Conclusion

Hash functions from Cayley graphs

I Parameters G a group, and S = s0, ..., sk−1 ⊂ G

I Write m = m1m2...mN with mi ∈ 0, ..., k − 1Define H(m) := sm1sm2 ...smN

I Parameters G a group, and S = s0, ..., sk−1 ⊂ G

I Write m = m1m2...mN with mi ∈ 0, ..., k − 1Define H(m) := sm1sm2 ...smN

I Computation ∼ walk in the Cayley graph

I Example : G = (Z/8Z,+), S = 1, 2

m = 101H(m) = 0 + 1 + 2 + 1 = 4

I Example : G = (Z/8Z,+), S = 1, 2

m = 101H(m) = 0 + 1 + 2 + 1 = 4

I Example : G = (Z/8Z,+), S = 1, 2

m = 101H(m) = 0 + 1 + 2 + 1 = 4

I Example : G = (Z/8Z,+), S = 1, 2

m = 101H(m) = 0 + 1 + 2 + 1 = 4

Example : Tillich-Zemor hash function

I p ∈ F2[X ] irreducible of degree nG = SL(2,F2n)S = A0 = ( X 1

1 0 ) ,A1 = ( X X+11 1 )

I H(m1m2...mN) := Am1Am2 ...AmNmod p

Example : Tillich-Zemor hash function

I p ∈ F2[X ] irreducible of degree nG = SL(2,F2n)S = A0 = ( X 1

1 0 ) ,A1 = ( X X+11 1 )

I H(m1m2...mN) := Am1Am2 ...AmNmod p

Hard ( ?) problems

I Representation problem :Given G and S = s0, ..., sk−1 ⊂ G ,find a short product

∏smi

I Balance problem :Given G and S = s0, ..., sk−1 ⊂ G ,find two short products

∏smi

sm′i

I Factorization problem :Given G , g ∈ G and S = s0, ..., sk−1 ⊂ G ,find a short product

∏smi

Properties

I Elegant, simple designI Security properties ∼ mathematical problems

I Collisions : find two products∏

smi =∏

sm′iI Preimages : given g ∈ G , find

∏smi = g

I Output distribution ∼ expander properties

I Parallelism H(m||m′) = H(m)H(m′)I Good efficiency

I At least in the case of matrix groups

I Not a random oracle ! but additional heuristics may help

I Issue : find good groups G and generator sets S

Properties

smi =∏

∏smi = g

Properties

smi =∏

∏smi = g

Properties

smi =∏

∏smi = g

A few proposals

Zemor [Z91]

p primeG = SL(2,Fp)S = ( 1 1

0 1 ) , ( 1 01 1 )

Tillich-Zemor [TZ94]

p ∈ F2[X ] irreducibleG = SL(2,F2n)S = ( X 1

1 0 ) , ( X X+11 1 )

LPS [CGL09]

p primeG = PSL(2,Fp)S as inLubotsky-Philips-Sarnak’sRamanujan graphs

Morgenstern [PLQ07]

p ∈ F2[X ] irreducibleG = PSL(2,F2n)S as in Morgenstern’sRamanujan graphs

A few proposals

Zemor [Z91]

0 1 ) , ( 1 01 1 )

1 0 ) , ( X X+11 1 )

LPS [CGL09]

Morgenstern [PLQ07]

A few proposals

Zemor [Z91]

0 1 ) , ( 1 01 1 )

1 0 ) , ( X X+11 1 )

LPS [CGL09]

Morgenstern [PLQ07]

A few proposals

Zemor [Z91]

0 1 ) , ( 1 01 1 )

1 0 ) , ( X X+11 1 )

LPS [CGL09]

Morgenstern [PLQ07]

Outline

Introduction

Conclusion

Many angles of attacks

Exhaustive searchBirthday attacks

MulticollisionsMeet-in-the-middle

Trapdoor attacks

MalleabilitySubgroup attacks Lifting attacks

Euclidean algorithm

Trapdoor attacks

Euclidean algorithm

Trapdoor attacks

Euclidean algorithm

Trapdoor attacks

MalleabilitySubgroup attacks

Lifting attacksEuclidean algorithm

Trapdoor attacks

Euclidean algorithm

Trapdoor attacks

Euclidean algorithm

Subgroup attacks

I Assume G = G0 ⊃ G1 ⊃ G2... ⊃ GN = 1

Subgroup attacks

I Assume G = G0 ⊃ G1 ⊃ G2... ⊃ GN = 1and |Gi |/|Gi+1| “small”

I Preimage of 1I Random products of s0 and s1

to get two elements s ′0 and s ′1 of G1

I Random products of s ′0 and s ′1to get two elements s ′′0 and s ′′1 of G2

I = second preimage attackI H(m) = 1⇒ H(m′||m) = H(m′)H(m) = H(m′)

Subgroup attacks

I Assume G = G0 ⊃ G1 ⊃ G2... ⊃ GN = 1I More generally, the attack works

if “going from Gi to Gi+1 is easy”Ex. : if Gi/Gi+1 is Abelian and DLP easy in it

I [SGGB00] : subgroup attack on Tillich-Zemor when n iscomposite

I [PQTZ09] : generic subgroup attacks on Tillich-Zemorand variants that “remove easy quotients”

Subgroup attacks

Trapdoor attacks

I Choose the parameterssuch that you know acollision

I [SGGB00] againstTillich-Zemor

I Can be prevented easily

I Sometimes useful ! [CP]

Trapdoor attacks

Lifting attacks

I Very succesful approach !

I Principle : lift the representation problem to some ringwhere it is easier to solve

I Define the lifted set appropriatelyI Find a way to lift elementsI Solve the problems in the lifted set

Lifting attacks

I Very succesful approach !

I Principle : lift the representation problem to some ringwhere it is easier to solve

I Define the lifted set appropriatelyI Find a way to lift elementsI Solve the problems in the lifted set

Lifting attacks : Zemor

I , M < s0, s1 > Ω ⊂ SL(2,Z)

I ,M < s0, s1 > SL(2,Fp)

I , M < s0, s1 > Ω ⊂ SL(2,Z)

< s0, s1 >

SL(2,Fp)

I , M < s0, s1 >oo o/ o/ o/ Ω ⊂ SL(2,Z)

< s0, s1 >

SL(2,Fp)

I , M < s0, s1 >oo o/ o/ o/ Ω ⊂ SL(2,Z)

< s0, s1 >oo o/ o/ o/

SL(2,Fp)

Lifting attacks : Zemor [TZ94]

I Zemor G = SL(2,Fp), S = ( 1 10 1 ) , ( 1 0

1 1 ) :Given ( a b

c d ) ∈ SL(2,Fp)

1. Find(A BC D

)∈ SL(2,Z+) such that(

A BC D

)=(a bc d

)mod p

2. Factor(A BC D

)as a product of ( 1 1

0 1 ) and ( 1 01 1 )

with Euclidean algorithm :

If A ≥ B, apply Euclidean algorithm to (A,B)else apply Euclidean algorithm to (C ,D)

Indeed :I ai−1 = qiai + ai+1

⇒( ai−2ai−1

)=(1 qi−1

) (1qi 1

)( aiai+1 )

I(1 q0 1

)= ( 1 1

0 1 )q

and(1 0q 1

)= ( 1 0

1 1 )q

I Zemor G = SL(2,Fp), S = ( 1 10 1 ) , ( 1 0

1 1 ) :Given ( a b

c d ) ∈ SL(2,Fp)

1. Find(A BC D

A BC D

)=(a bc d

)mod p

2. Factor(A BC D

0 1 ) and ( 1 01 1 )

⇒( ai−2ai−1

)=(1 qi−1

) (1qi 1

)( aiai+1 )

I(1 q0 1

)= ( 1 1

0 1 )q

and(1 0q 1

)= ( 1 0

1 1 )q

I Zemor G = SL(2,Fp), S = ( 1 10 1 ) , ( 1 0

1 1 ) :Given ( a b

c d ) ∈ SL(2,Fp)

1. Find(A BC D

A BC D

)=(a bc d

)mod p

2. Factor(A BC D

0 1 ) and ( 1 01 1 )

⇒( ai−2ai−1

)=(1 qi−1

) (1qi 1

)( aiai+1 )

I(1 q0 1

)= ( 1 1

0 1 )q

and(1 0q 1

)= ( 1 0

1 1 )q

I Zemor G = SL(2,Fp), S = ( 1 10 1 ) , ( 1 0

1 1 ) :Given ( a b

c d ) ∈ SL(2,Fp)

1. Find(A BC D

A BC D

)=(a bc d

)mod p

2. Factor(A BC D

0 1 ) and ( 1 01 1 )

⇒( ai−2ai−1

)=(1 qi−1

) (1qi 1

)( aiai+1 )

I(1 q0 1

)= ( 1 1

0 1 )q

and(1 0q 1

)= ( 1 0

1 1 )q

I Zemor G = SL(2,Fp), S = ( 1 10 1 ) , ( 1 0

1 1 ) :Given ( a b

c d ) ∈ SL(2,Fp)

1. Find(A BC D

A BC D

)=(a bc d

)mod p

2. Factor(A BC D

0 1 ) and ( 1 01 1 )

⇒( ai−2ai−1

)=(1 qi−1

) (1qi 1

)( aiai+1 )

I(1 q0 1

)= ( 1 1

0 1 )q

and(1 0q 1

)= ( 1 0

1 1 )q

Lifting attacks : LPS

I LPS : G = PSL(2,Fp) and S as in LPSRamanujan graphs

I Lift from PSL(2,Fp) to SL(2,Z[i ])Here 〈lifts of generators〉 ( SL(2,Z[i ])but this set is well structured [LPS88]

I 2nd preimages [TZ08]

∼ finding λ,w , x , y , z , e such that(λ + wp)2 + 4(xp)2 + 4(yp)2 + 4(zp)2 = l e

Lifting attacks : LPS & Morgenstern

I Preimages [PLQ08]

∼ finding λ,w , x , y , z , e such that(Aλ+ wp)2 + (Bλ+ xp)2 + (Cλ+ yp)2 + (Dλ+ zp)2 = l2k

Apparently hard but instead we canI Lift diagonal matrices

(Aλ+ wp)2 + (Bλ+ xp)2 + (yp)2 + (zp)2 = l2k

I Combine diagonal matrices and generators

I Similar attacks for Morgenstern [PLQ08]

I Preimages [PLQ08]

(Aλ+ wp)2 + (Bλ+ xp)2 + (yp)2 + (zp)2 = l2k

I Preimages [PLQ08]

(Aλ+ wp)2 + (Bλ+ xp)2 + (yp)2 + (zp)2 = l2k

Collisions for Tillich-Zemor [GIMS09]

I Tillich-Zemor G = SL(2,F2n), S = ( X 11 0 ) , ( X X+1

I Change generators S ′ = ( X 11 0 ) , ( X+1 1

I(a bc d

)∈ 〈S ′〉 ⇒ when applying Euclidean algorithm to

(a, b), all the quotients are X or X + 1

Apply [MS87] to a = p to get m = m1...mn such thatH(m) = ( 0 b

Build a palindrome m = mn...m2m1m1m2...mn

Observe collision

A′0H(m)A′0 = A′1H(m)A′1.

1 0 )I(a bc d

Apply [MS87] to a = p to get m = m1...mn such thatH(m) = ( 0 b

Build a palindrome m = mn...m2m1m1m2...mn

Observe collision

A′0H(m)A′0 = A′1H(m)A′1.

Mesirov-Sweet algorithm [MS87]

I Study continuous fraction algorithm for power seriesf ∈ F2((X ))

I Which f = ba

have all their partial quotients X or X + 1 ?

I Given a irreducible, [MS87] provides a “good” b

I Equivalently, given a ∈ F2[X ] irreducible,[MS87] gives b ∈ F2[X ] such that all partial quotients ofthe Euclidean algorithm applied to (a, b) are X or X + 1

I The exact quotients are easily recovered

Mesirov-Sweet algorithm [MS87]

I Study continuous fraction algorithm for power seriesf ∈ F2((X ))

I Which f = ba

have all their partial quotients X or X + 1 ?

I Given a irreducible, [MS87] provides a “good” b

I Equivalently, given a ∈ F2[X ] irreducible,[MS87] gives b ∈ F2[X ] such that all partial quotients ofthe Euclidean algorithm applied to (a, b) are X or X + 1

I The exact quotients are easily recovered

1 0 )I(a bc d

I Apply [MS87] to a = p to get m = m1...mn such thatH(m) = ( 0 b

I Build a palindrome m = mn...m2m1m1m2...mn

I Observe collision

A′0H(m)A′0 = A′1H(m)A′1.

1 0 )I(a bc d

I Observe collision

A′0H(m)A′0 = A′1H(m)A′1.

1 0 )I(a bc d

I Observe collision

A′0H(m)A′0 = A′1H(m)A′1.

1 0 )I(a bc d

I Observe collision

A′0H(m)A′0 = A′1H(m)A′1.

I Previous lifting attacks KO on TZ but here :I I is not lifted directly, but instead

(0 bc d

)I 0 lifted first, then whole lift recovered with [MS87]I Palindrome trick allows to

“lift two elements for the price of only one”

Second preimages for Tillich-Zemor [PQ]

I a = p ⇒ H(m) =(0 ee b2

)=(0 11 b2

I H(0m) =(1 X+b2

)and H(m0) =

X+b2 1

)I Both matrices have order 2⇒ H(0m′0m) = H(m0m0) = I

I Preimage of 1 ⇒ second preimages for any message

I a = p ⇒ H(m) =(0 ee b2

)=(0 11 b2

)I H(0m) =

(1 X+b2

)and H(m0) =

X+b2 1

I Both matrices have order 2⇒ H(0m′0m) = H(m0m0) = I

I a = p ⇒ H(m) =(0 ee b2

)=(0 11 b2

)I H(0m) =

(1 X+b2

)and H(m0) =

X+b2 1

I a = p ⇒ H(m) =(0 ee b2

)=(0 11 b2

)I H(0m) =

(1 X+b2

)and H(m0) =

X+b2 1

Preimages for Tillich-Zemor [PQ]

I For any ai = 0 mod p (not just a = p)

H(0m) =(

1 X+b2i0 1

)and H(m0) =

X+b2i 1

I On the other hand :I(A BC D

)= ( 1 0

α 1 )(X 11 0

) (1 β0 1

) (X 11 0

)3 ( 1 0γ 1

(1 0∑αi 1

)=∏( 1 0

βi0 1

)=∏(

1 βi1 0

)⇒ Precompute preimages of

(0 11 b2i +X

)for a set b2i + X forming a basis of F2n/F2

H(0m) =(

1 X+b2i0 1

)and H(m0) =

X+b2i 1

)I On the other hand :

I(A BC D

)= ( 1 0

α 1 )(X 11 0

) (1 β0 1

) (X 11 0

)3 ( 1 0γ 1

(1 0∑αi 1

)=∏( 1 0

βi0 1

)=∏(

1 βi1 0

⇒ Precompute preimages of(

0 11 b2i +X

H(0m) =(

1 X+b2i0 1

)and H(m0) =

X+b2i 1

)I On the other hand :

I(A BC D

)= ( 1 0

α 1 )(X 11 0

) (1 β0 1

) (X 11 0

)3 ( 1 0γ 1

(1 0∑αi 1

)=∏( 1 0

βi0 1

)=∏(

1 βi1 0

)⇒ Precompute preimages of

(0 11 b2i +X

Two precomputing algorithms

1. Apply [MS87] to ai = pqi instead of a = pI [MS87] required a irreducible ; so we extended itI Preimages of length O(n) in probabilistic time O(n4)

2. Obtain new matrices(

0 11 b2i +X

)recursively from the one

obtained from [GIMS09]

I Preimages of length O(n2) in deterministic time O(n3)I Full proof when n is prime

Two precomputing algorithms

1. Apply [MS87] to ai = pqi instead of a = pI [MS87] required a irreducible ; so we extended itI Preimages of length O(n) in probabilistic time O(n4)

2. Obtain new matrices(

0 11 b2i +X

)recursively from the one

obtained from [GIMS09]

I Preimages of length O(n2) in deterministic time O(n3)I Full proof when n is prime

Outline

Introduction

Conclusion

I Collision & preimages for Zemor, Tillich-Zemor, LPS,Morgenstern

I The end of the story ?

I Not yet !

I For most groups/ generators, we do not know if theproblems can be solved

I Collision & preimages for Zemor, Tillich-Zemor, LPS,Morgenstern

I The end of the story ?

I Not yet !

I For most groups/ generators, we do not know if theproblems can be solved

I Choose G to prevent subgroup attacks

I Choose S to prevent lifting attacks ?

I Avoid “small” parameters and symmetry

Hard ( ?) problems

I Representation problem : (second preimages)Given G and S = s0, ..., sk−1 ⊂ G ,find a short product

∏smi

I Balance problem : (collisions)Given G and S = s0, ..., sk−1 ⊂ G ,find two short products

∏smi

sm′i

I Factorization problem : (preimages)Given G , g ∈ G and S = s0, ..., sk−1 ⊂ G ,find a short product

∏smi

Partial results for SL(2,F2n)

Let A,B generating SL(2,F2n)

I Subgroup attacks of [PQTZ09]

I Wlog, A and B symmetric hence palyndrome trick applies

I Wlog, A =(X+X−1 X

)and B symmetric

I Wlog, A =(

w w+1w+1 w

)an orthogonal “rotation” matrix

and B =(λ

λ−1

)a diagonal “extension” matrix

I Wlog, A = ( s 11 ) and B = ( t 1

1 ) “Euclidean algorithm”matrices

I Further reductions using field isomorphisms

)and B symmetric

I Wlog, A =(

w w+1w+1 w

and B =(λ

λ−1

I Wlog, A = ( s 11 ) and B = ( t 1

)and B symmetric

I Wlog, A =(

w w+1w+1 w

and B =(λ

λ−1

I Wlog, A = ( s 11 ) and B = ( t 1

)and B symmetric

I Wlog, A =(

w w+1w+1 w

and B =(λ

λ−1

I Wlog, A = ( s 11 ) and B = ( t 1

)and B symmetric

I Wlog, A =(

w w+1w+1 w

and B =(λ

λ−1

I Wlog, A = ( s 11 ) and B = ( t 1

)and B symmetric

I Wlog, A =(

w w+1w+1 w

and B =(λ

λ−1

I Wlog, A = ( s 11 ) and B = ( t 1

)and B symmetric

I Wlog, A =(

w w+1w+1 w

and B =(λ

λ−1

I Wlog, A = ( s 11 ) and B = ( t 1

I For A =(X+X−1 X

)and B symmetric :

Preimage algorithm if we can find m such that( 1 1 )H(m) = ( 0 q )

I For A = ( s 11 ) and B = ( t 1

1 )Preimage algorithm if we can find m such that( 1 0 )H(m) = ( 0 q )Extensions of [MS87] to larger quotients ? (ongoing work)

I For A =(X+X−1 X

)and B symmetric :

Preimage algorithm if we can find m such that( 1 1 )H(m) = ( 0 q )

I For A = ( s 11 ) and B = ( t 1

1 )Preimage algorithm if we can find m such that( 1 0 )H(m) = ( 0 q )Extensions of [MS87] to larger quotients ? (ongoing work)

Other groups

I ? ? ?

hash functions and cayley graphs: the end of the story · ucl crypto group microelectronics...

Documents