hash functions and cayley graphs: the end of the story · title: hash functions and cayley graphs:...

UCL Crypto GroupMicroelectronics Laboratory Ch. Petit - Boca Raton - Nov 2010 1

Hash functions and Cayley graphs:The end of the story ?

Christophe Petit


Hash functions

H : {0, 1}∗→ {0, 1}n


Applications

I Message authenticationcodes

I Digital signatures

I Password storage

I Pseudorandom numbergeneration

I Entropy extraction

I Key derivationtechniques

I ...

I ...


Properties

I Collision resistance :hard to find m,m′ such that H(m) = H(m′)

I Preimage resistance :given h, hard to find m such that H(m) = h

I Second preimage resistance :given m, hard to find m′ such that H(m′) = h


Properties

I “Pseudo-randomness”I ...


Constructions

“Classical”

hash function

Hash function based on aCayley graph


Outline

Introduction

Cayley hash functions

Security : state of the art

The end of the story ?

Conclusion


Outline

Introduction




Conclusion


Hash functions from Cayley graphs

I Parameters G a group, and S = {s0, ..., sk−1} ⊂ G

I Write m = m1m2...mN with mi ∈ {0, ..., k − 1}Define

H(m) := sm1sm2 ...smN


Hash functions from Cayley graphs

I Computation ∼ walk in the Cayley graph

I Example : G = (Z/8Z,+), S = {1, 2}

0 1

2

3

45

6

7

0

m = 101H(m) = 0 + 1 + 2 + 1 = 4

4


Example : Tillich-Zemor hash function

I p ∈ F2[X ] irreducible of degree nK = F2[X ]/(p(X )) ≈ F2n

I G = SL(2,K )S = {A0 = ( X 1

1 0 ) ,A1 = ( X X+11 1 )}

I H(m1m2...mN) := Am1Am2 ...AmNmod p(X )


Hard ( ?) problems

I Representation problem :Given G and S = {s0, ..., sk−1} ⊂ G ,find a short product

∏smi

= 1

I Balance problem :Given G and S = {s0, ..., sk−1} ⊂ G ,find two short products

∏smi

=∏

sm′i

I Factorization problem :Given G , g ∈ G and S = {s0, ..., sk−1} ⊂ G ,find a short product

∏smi

= g


Babai’s conjecture [BS92]

For any non-Abelian finite simple group G , there is aconstant c such that for all generator sets S, thediameter of the Cayley graph arising from G and S issmaller than (log |G |)c .

I Well-studied conjecture, limited results so far

I Very few parameters have constructive proofs

I Solving the factorization problem for G and S∼ constructive proof of Babai’s conjecture for G and S


Cayley hash functions : properties

I Elegant, simple designI Security properties ∼ mathematical problems

I Collisions ∼ balance problemI Preimages ∼ factorization problem∼ constructive proof of Babai’s conjecture

I Output distribution ∼ expander properties

I Parallelism H(m||m′) = H(m)H(m′)

I Good efficiency, at least for matrix groups

I Not a random oracle ! but additional heuristics may help

I Issue : find good groups G and generator sets S


A few proposals

Zemor [Z91]

p primeG = SL(2,Fp)S = {( 1 1

0 1 ) , ( 1 01 1 )}

Tillich-Zemor [TZ94]

p ∈ F2[X ] irreducibleG = SL(2,F2n)S = {( X 1

1 0 ) , ( X X+11 1 )}

LPS [CGL09]

p primeG = PSL(2,Fp)S as inLubotsky-Philips-Sarnak’sRamanujan graphs

Morgenstern [PLQ07]

p ∈ F2[X ] irreducibleG = PSL(2,F2n)S as in Morgenstern’sRamanujan graphs


Outline

Introduction




Conclusion


Many angles of attacks

Exhaustive searchBirthday attacks

MulticollisionsMeet-in-the-middle

Trapdoor attacksMalleabilitySubgroup attacks Lifting attacks

Euclidean algorithm

Babai’s conjecture


Subgroup attacks

I Assume G = G0 ⊃ G1 ⊃ G2... ⊃ GN = {1}


Subgroup attacks

I Assume G = G0 ⊃ G1 ⊃ G2... ⊃ GN = {1}and |Gi |/|Gi+1| “small”

I Preimage of 1I Random products of s0 and s1

to get two elements s ′0 and s ′1 of G1

I Random products of s ′0 and s ′1to get two elements s ′′0 and s ′′1 of G2

I ...

I = second preimage attackI H(m) = 1⇒ H(m′||m) = H(m′)H(m) = H(m′)


Subgroup attacks

I Assume G = G0 ⊃ G1 ⊃ G2... ⊃ GN = {1}I More generally, the attack works

if “going from Gi to Gi+1 is easy”Ex. : if Gi/Gi+1 is Abelian and DLP easy in it

I [SGGB00] : subgroup attack on Tillich-Zemor when n iscomposite

I [PQTZ09] : generic subgroup attacks on Tillich-Zemorand variants that “remove easy quotients”


Trapdoor attacks

I Choose the parameterssuch that you know acollision

I [SGGB00] againstTillich-Zemor

I Can be prevented easily

I Sometimes useful ! [CP10]


Lifting attacks

I Very succesful approach !

I Principle : lift the representation problem to some ringwhere it is easier to solve

I Define the lifted set appropriatelyI Find a way to lift elementsI Solve the problems in the lifted set


Lifting attacks : Zemor [TZ94]

I Zemor G = SL(2,Fp), S = {( 1 10 1 ) , ( 1 0

1 1 )}I Given ( a b

c d ) ∈ SL(2,Fp)

1. Lifting : Find(

A BC D

)∈ SL(2,Z+) such that(

A BC D

)=(

a bc d

)mod p

2. Solving : Factor(

A BC D

)as a product of ( 1 1

0 1 ) and ( 1 01 1 )

with Euclidean algorithm :

If A ≥ B, apply Euclidean algorithm to (A,B)else apply Euclidean algorithm to (C ,D)

Indeed :I ai−1 = qiai + ai+1

⇔( ai−2

ai−1

)=(

1 qi−1

1

) (1qi 1

)( ai

ai+1 )I(

1 q0 1

)= ( 1 1

0 1 )q

and(

1 0q 1

)= ( 1 0

1 1 )q


Lifting attacks : LPS

I LPS : G = PSL(2,Fp) and S as in LPSRamanujan graphs

I Lift from PSL(2,Fp) to SL(2,Z[i ])Here 〈lifts of generators〉 ( SL(2,Z[i ])Very small subset, but well structured [LPS88]

I 2nd preimages [TZ08]

∼ finding λ,w , x , y , z , e such that(λ + wp)2 + 4(xp)2 + 4(yp)2 + 4(zp)2 = `e


Lifting and subgroup attacks together

I Preimages against LPS [PLQ08]

∼ finding λ,w , x , y , z , e such that(Aλ+ wp)2 + (Bλ+ xp)2 + (Cλ+ yp)2 + (Dλ+ zp)2 = `2k

Apparently hard but instead we canI Lift diagonal matrices

(Aλ+ wp)2 + (Bλ+ xp)2 + (yp)2 + (zp)2 = `2k

I Combine diagonal matrices and generators

I Similar attacks for Morgenstern [PLQ08]


Lifting attack for Tillich-Zemor [GIMS09]

I Tillich-Zemor G = SL(2,F2n), S = {( X 11 0 ) , ( X X+1

1 1 )}

1. Change generators S ′ = {( X 11 0 ) , ( X+1 1

1 0 )}I(

a bc d

)∈ 〈S ′〉 ⇒ when applying Euclidean algorithm to

(a, b), all the quotients are X or X + 1

2. Apply [MS87] to p(X ) to get m = m1...mn such that

H(m) =(

p bc d

)= ( 0 b

c d ) mod p(X )

3. Build the palindrome m = mn...m2m1m1m2...mn, then

A′0H(m)A′0 = A′1H(m)A′1.


Preimages for Tillich-Zemor [PQ10]

I Preimage algorithm for TZ given some precomputation

I(

A BC D

)= ( 1 0

α 1 )(

X 11 0

) (1 β0 1

) (X 11 0

)3 ( 1 0γ 1

)I

(1 0∑αi 1

)=∏( 1 0

αi 1

)I H(m0) =

(1 0

X+b2i 1

)if H(m) =

(0 bici di

)I Precomputing algorithms

1. Obtain new matrices(

0 bici di

)recursively

⇒ deterministic algorithm ; full proof when n is prime

2. Apply (an extension of) [MS87] to ai = pqi


Progress on Babai’s conjecture

For any non-Abelian finite simple group G , there is aconstant c such that for all generator sets S, thediameter of the Cayley graph arising from G and S issmaller than (log |G |)c .

I Non constructive resultsI Conjecture true for SL(2,Fp) and SL(3,Fp) [H05,H10]I True for almost any pair of generators in the symmetric

group [BH05]


Progress on Babai’s conjecture

I Constructive resultsI Symmetric group : ∃ 2 generators such that the

diameter is O(n log n) [BHKLS90]I SL(2,K ) : ∃ 2 or 3 generators such that the diameter is

O(log |K |) [BHKLS90]I SL(m,Fp) with m > 2 : ∃ 2 generators such that the

diameter is O(m2 log p) [KR05]I All these results (and others) are optimal


Outline

Introduction




Conclusion


Hard ( ?) problems

I Representation problem : (second preimages)Given G and S = {s0, ..., sk−1} ⊂ G ,find a short product

∏smi

= 1

I Balance problem : (collisions)Given G and S = {s0, ..., sk−1} ⊂ G ,find two short products

∏smi

=∏

sm′i

I Factorization problem : (preimages)Given G , g ∈ G and S = {s0, ..., sk−1} ⊂ G ,find a short product

∏smi

= g



I Collision & preimages for Zemor, Tillich-Zemor, LPS,Morgenstern

I Other insecure instances from research on Babai’sconjecture

I The end of the story ?

I No ! (not yet ?)

I For most groups/ generators, we do not know if theproblems can be solved



I Choose G to prevent subgroup attacks

I Choose S to prevent lifting attacks ?

I Avoid “small” parameters and symmetry

I Next challenge : SL(2,F2n)


Rubik’s for cryptanalysts

Let A,B generating SL(2,F2n). Let M ∈ SL(2,F2n).How to write I or M as a short product of A and B ?

1. Change the generators s.t.solution for A′,B ′ ⇒ solution for A′,B ′

2. Find a message with some nice property

3. Build a preimage attack from this message


Step 1

I A,B symmetric

I A diagonal and B symmetric

I A =(

t1 11

)and B =

(t2 11

)“Euclidean algorithm”

matrices

I More than two generators : S = {( t 11 ) |t ∈ F}

where F is a vector subspace of F2n/F2


Step 3

I Tillich-Zemor generators

I One matrix with (1, 1) as eigenvector

I ...


Step 2

I Depends on Step 1 and Step 3

I Birthday searches : 2n/2 cost

I Extension of [MS87] to other partial quotients ?

I Can also be the following :

Solve f (w1, ...,wN) = 0 for wi ∈ F ,where f is affine in each variable and F is a vectorsubspace of F2n/F2

I Algebraic cryptanalysis ? Generalized birthday attacks ?



I Same problem in different groups ?


Related problems

I Graph theoryI Expander graphsI Diameter of Cayley graphs, Babai’s conjecture

I Euclidean algorithmI Clear for Zemor and Tillich-ZemorI Implicit in LPS, Morgenstern

(Diophantine equations solved via Lagrange)

I CryptographyI Alternative to DL, ECDL and factoring ?I Stream cipher theory


Outline

Introduction




Conclusion


Conclusion

I Elegant design, nice properties

I Zemor, LPS, Morgenstern, Tillich-Zemor broken

I Security of other / generic instances ?


References

I [B92] L Babai, A Seress, On the diameter of permutationgroups

I [Z91] G Zemor, Hash functions and graphs with largegirths

I [TZ94] JP Tillich & G Zemor, Group-theoretic hashfunctions

I [CGL09] D Charles, E Goren, K Lauter, Cryptographichash functions from expander graphs

I [PLQ07] C Petit, K Lauter, JJ Quisquater, CayleyHashes : A Class of Efficient Graph-based Hash Functions


References

I [SGGB00] R Steinwandt, M Grassl, W Geiselmann, TBeth, Weaknesses in the SL2(F n

2 ) Hashing Scheme

I [PQTZ09] C Petit, JJ Quisquater, JP Tillich, G Zemor,Hard and easy Components of Collision Search in theZemor-Tillich Hash Function : New Instances andReduced Variants with equivalent Security

I [CP10] J Cathalo, C Petit, One-time trapdoor one-wayfunctions

I [LPS88] A Lubotzky, R Phillips, P Sarnak, RamanujanGraphs


References

I [TZ08] JP Tillich, G Zemor, Collisions for the LPSExpander Graph Hash Function

I [PLQ08] C Petit, K Lauter, JJ Quisquater, FullCryptanalysis of LPS and Morgenstern Hash Functions

I [GIMS09] M Grassl, I Ilic, S Magliveras, R Steinwandt,Cryptanalysis of the Tillich-Zemor hash function

I [MS87] JP Mesirov, MM Sweet, Continued fractionexpansions of rational expressions with irreducibledenominators in characteristic 2

I [PQ10] C Petit, JJ Quisquater, Preimage algorithms forthe Tillich-Zemor hash function


References

I [BHKLS90] L Babai, G Hetyei, W Kantor, A Lubotzky, ASeress, On the diameter of finite groups

I [KR05] M Kassabov, T Riley, Diameters of Cayley graphsof Chevalley groups

I [H05] H Helfgott, Growth and generation in SL2(Z/pZ )

I [H10] H Helfgott, Growth and generation in SL3(Z/pZ )

I [BH05] L Babai, T Hayes, Near-independence ofpermutations and an almost sure polynomial bound onthe diameter of the symmetric group

hash functions and cayley graphs: the end of the story · title: hash functions and cayley graphs:...

Documents