Hash functions and Cayley graphs: The end of the story?
Christophe Petit
UCL Crypto Group, Microelectronics Laboratory. Ch. Petit, MSR, March 2010

Hash functions

  $H : \{0,1\}^* \to \{0,1\}^n$

Applications
- Message authentication codes
- Digital signatures
- Password storage
- Pseudorandom number generation
- Entropy extraction
- Key derivation techniques
- ...

Properties
[figure]

Constructions
[figure: a "classical" hash function, and a hash function based on a Cayley graph]

Outline
- Introduction
- Cayley hash functions
- Security: state of the art
- The end of the story?
- Conclusion

[Section: Cayley hash functions]

Hash functions from Cayley graphs
- Parameters: a group $G$ and a set $S = \{s_0, \ldots, s_{k-1}\} \subset G$
- Write $m = m_1 m_2 \ldots m_N$ with $m_i \in \{0, \ldots, k-1\}$, and define $H(m) := s_{m_1} s_{m_2} \cdots s_{m_N}$

Hash functions from Cayley graphs
- Computation ~ a walk in the Cayley graph
- Example: $G = (\mathbb{Z}/8\mathbb{Z}, +)$, $S = \{1, 2\}$
  [figure: Cayley graph on the vertices 0, 1, ..., 7; the walk for m = 101 visits 0, 1, 3, 4]
  $m = 101$: $H(m) = 0 + 1 + 2 + 1 = 4$

Example: Tillich-Zemor hash function
- $p \in \mathbb{F}_2[X]$ irreducible of degree $n$; $G = SL(2, \mathbb{F}_{2^n})$; $S = \{A_0, A_1\}$ with
  $$A_0 = \begin{pmatrix} X & 1 \\ 1 & 0 \end{pmatrix}, \qquad A_1 = \begin{pmatrix} X & X+1 \\ 1 & 1 \end{pmatrix}$$
- $H(m_1 m_2 \ldots m_N) := A_{m_1} A_{m_2} \cdots A_{m_N} \bmod p$

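As an added illustration (my code, not the talk's), here is a Python rendering of the Cayley-hash walk $H(m) = s_{m_1} \cdots s_{m_N}$ on the two instances above: the toy group $(\mathbb{Z}/8\mathbb{Z}, +)$ with $S = \{1, 2\}$, and the Tillich-Zemor matrices in $SL(2, \mathbb{F}_{2^n})$. Two things are assumptions of mine: the slide's walk for $m = 101$ reads 0, 1, 3, 4, so the generator indexing is fixed as $s_0 = 2$, $s_1 = 1$ to reproduce it; and the Tillich-Zemor instance uses a deliberately tiny constructed parameter ($n = 8$, $p = X^8 + X^4 + X^3 + X + 1$) so the arithmetic is easy to follow, not a parameter anyone proposed for use.

```python
"""Cayley hash H(m) = s_{m_1} s_{m_2} ... s_{m_N}, instantiated two ways.

Added example; the parameters below are toy values chosen for illustration.
"""
from functools import reduce


def cayley_hash(mul, identity, S, digits):
    """Walk the Cayley graph of (G, S): start at the identity and, for each
    message digit d, multiply on the right by the generator S[d]."""
    return reduce(lambda acc, d: mul(acc, S[d]), digits, identity)


# --- Instance 1: G = (Z/8Z, +), S = {1, 2} as on the slide -----------------
# The slide's walk for m = 101 is 0 -> 1 -> 3 -> 4, i.e. bit 1 steps by 1 and
# bit 0 steps by 2; S is indexed accordingly (assumption: s_0 = 2, s_1 = 1).
Z8_S = (2, 1)


def add_mod8(a, b):
    return (a + b) % 8


def hash_z8(bits):
    return cayley_hash(add_mod8, 0, Z8_S, bits)


# --- Instance 2: Tillich-Zemor, G = SL(2, F_{2^n}) -------------------------
# Field elements are bit-polynomials stored as ints (bit i = coefficient of
# X^i); P is the reduction polynomial. Toy parameter (assumption):
# n = 8, p = X^8 + X^4 + X^3 + X + 1.
N = 8
P = 0x11B


def gf_mul(a, b):
    """Carry-less multiply of two elements (< 2^N), reducing modulo P as we go."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:          # degree reached N: subtract (XOR) P
            a ^= P
    return r


def mat_mul(M1, M2):
    """2x2 matrix product over F_{2^n}; field addition is XOR."""
    (a, b), (c, d) = M1
    (e, f), (g, h) = M2
    return ((gf_mul(a, e) ^ gf_mul(b, g), gf_mul(a, f) ^ gf_mul(b, h)),
            (gf_mul(c, e) ^ gf_mul(d, g), gf_mul(c, f) ^ gf_mul(d, h)))


def det(M):
    """Determinant over F_{2^n} (minus equals plus in characteristic 2)."""
    (a, b), (c, d) = M
    return gf_mul(a, d) ^ gf_mul(b, c)


X = 0b10                      # the polynomial X
A0 = ((X, 1), (1, 0))         # A_0 = ( X  1 ; 1 0 )
A1 = ((X, X ^ 1), (1, 1))     # A_1 = ( X  X+1 ; 1 1 )
IDENTITY = ((1, 0), (0, 1))


def tz_hash(bits):
    """Tillich-Zemor digest of a bit sequence: the product A_{m_1} ... A_{m_N} mod p."""
    return cayley_hash(mat_mul, IDENTITY, (A0, A1), bits)


def bits_of(data: bytes):
    """Big-endian bit expansion of a byte string."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


if __name__ == "__main__":
    print(hash_z8([1, 0, 1]))            # 4, matching the slide's walk
    print(tz_hash(bits_of(b"abc")))      # a 2x2 matrix with entries < 2^8
```

Because the digest is a group product, `tz_hash(m1 + m2)` equals `mat_mul(tz_hash(m1), tz_hash(m2))`; this is the parallelism property $H(m||m') = H(m)H(m')$ stated later in the talk, and also why a preimage of the identity turns directly into second preimages. The `det` helper lets one confirm that every digest stays inside $SL(2, \mathbb{F}_{2^n})$, since both generators have determinant 1.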
Hard (?) problems
- Representation problem: given $G$ and $S = \{s_0, \ldots, s_{k-1}\} \subset G$, find a short product $\prod s_{m_i} = 1$
- Balance problem: given $G$ and $S = \{s_0, \ldots, s_{k-1}\} \subset G$, find two short products with $\prod s_{m_i} = \prod s_{m'_i}$
- Factorization problem: given $G$, $g \in G$ and $S = \{s_0, \ldots, s_{k-1}\} \subset G$, find a short product $\prod s_{m_i} = g$

Properties
- Elegant, simple design
- Security properties ~ mathematical problems:
  - Collisions: find two products $\prod s_{m_i} = \prod s_{m'_i}$
  - Preimages: given $g \in G$, find $\prod s_{m_i} = g$
- Output distribution ~ expander properties
- Parallelism: $H(m || m') = H(m) H(m')$
- Good efficiency, at least in the case of matrix groups
- Not a random oracle! But additional heuristics may help
- Issue: find good groups $G$ and generator sets $S$

A few proposals
- Zemor [Z91]: $p$ prime, $G = SL(2, \mathbb{F}_p)$,
  $S = \left\{ \begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}, \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix} \right\}$
- Tillich-Zemor [TZ94]: $p \in \mathbb{F}_2[X]$ irreducible, $G = SL(2, \mathbb{F}_{2^n})$,
  $S = \left\{ \begin{pmatrix} X & 1 \\ 1 & 0 \end{pmatrix}, \begin{pmatrix} X & X+1 \\ 1 & 1 \end{pmatrix} \right\}$
- LPS [CGL09]: $p$ prime, $G = PSL(2, \mathbb{F}_p)$, $S$ as in Lubotzky-Phillips-Sarnak's Ramanujan graphs
- Morgenstern [PLQ07]: $p \in \mathbb{F}_2[X]$ irreducible, $G = PSL(2, \mathbb{F}_{2^n})$, $S$ as in Morgenstern's Ramanujan graphs

[Section: Security: state of the art]

Many angles of attacks
[figure listing the attack families: exhaustive search, birthday attacks, multicollisions, meet-in-the-middle, trapdoor attacks, malleability, subgroup attacks, lifting attacks, Euclidean algorithm]

Subgroup attacks
- Assume $G = G_0 \supset G_1 \supset G_2 \supset \ldots \supset G_N = \{1\}$ and $|G_i| / |G_{i+1}|$ "small"
- Preimage of 1:
  - Random products of $s_0$ and $s_1$ to get two elements $s'_0$ and $s'_1$ of $G_1$
  - Random products of $s'_0$ and $s'_1$ to get two elements $s''_0$ and $s''_1$ of $G_2$
  - ...
- = second preimage attack: $H(m) = 1 \Rightarrow H(m' || m) = H(m') H(m) = H(m')$

Subgroup attacks
- Assume $G = G_0 \supset G_1 \supset G_2 \supset \ldots \supset G_N = \{1\}$
- More generally, the attack works if "going from $G_i$ to $G_{i+1}$ is easy". Example: if $G_i / G_{i+1}$ is Abelian and the DLP is easy in it
- [SGGB00]: subgroup attack on Tillich-Zemor when $n$ is composite
- [PQTZ09]: generic subgroup attacks on Tillich-Zemor and on variants that "remove easy quotients"

Trapdoor attacks
- Choose the parameters such that you know a collision
- [SGGB00] against Tillich-Zemor
- Can be prevented easily
- Sometimes useful! [CP]

Lifting attacks
- Very successful approach!
- Principle: lift the representation problem to some ring where it is easier to solve
  - Define the lifted set appropriately
  - Find a way to lift elements
  - Solve the problems in the lifted set

Lifting attacks: Zemor
[diagram: $I$, $M$ and $\langle s_0, s_1 \rangle$ in $SL(2, \mathbb{F}_p)$ at the bottom are lifted (upward arrows) to $I$, $M$ and $\langle s_0, s_1 \rangle$ inside $\Omega \subset SL(2, \mathbb{Z})$ at the top]

Lifting attacks: Zemor [TZ94]
- Zemor: $G = SL(2, \mathbb{F}_p)$, $S = \left\{ \begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}, \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix} \right\}$. Given $\begin{pmatrix} a & b \\ c & d \end{pmatrix} \in SL(2, \mathbb{F}_p)$:
  1. Find $\begin{pmatrix} A & B \\ C & D \end{pmatrix} \in SL(2, \mathbb{Z}^+)$ such that $\begin{pmatrix} A & B \\ C & D \end{pmatrix} = \begin{pmatrix} a & b \\ c & d \end{pmatrix} \bmod p$
  2. Factor $\begin{pmatrix} A & B \\ C & D \end{pmatrix}$ as a product of $\begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}$ and $\begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}$ with the Euclidean algorithm: if $A \geq B$, apply the Euclidean algorithm to $(A, B)$, else apply it to $(C, D)$
- Indeed, $a_{i-1} = q_i a_i + a_{i+1}$ implies
  $$\begin{pmatrix} a_{i-2} \\ a_{i-1} \end{pmatrix} = \begin{pmatrix} 1 & q_{i-1} \\ 0 & 1 \end{pmatrix} \begin{pmatrix} 1 & 0 \\ q_i & 1 \end{pmatrix} \begin{pmatrix} a_i \\ a_{i+1} \end{pmatrix}$$
  and
  $$\begin{pmatrix} 1 & q \\ 0 & 1 \end{pmatrix} = \begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}^q, \qquad \begin{pmatrix} 1 & 0 \\ q & 1 \end{pmatrix} = \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}^q$$

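The factorisation step 2 above, as an added Python example (my code, not the talk's or [TZ94]'s): it evaluates a Zemor word over $\mathbb{Z}$ and recovers that word from the resulting matrix by repeated Euclidean division on the columns, which is the identity $\begin{pmatrix} 1 & q \\ 0 & 1 \end{pmatrix} = s_0^q$, $\begin{pmatrix} 1 & 0 \\ q & 1 \end{pmatrix} = s_1^q$ run backwards. The lifting step 1 (finding a non-negative integer matrix congruent to a given one mod $p$) is not implemented; the input matrices are constructed from known words, and the choice of which row's quotient to take at each step (the smaller of the two) is my own detail for handling ties.

```python
"""Euclidean-algorithm factorisation of a matrix of SL(2, Z) with non-negative
entries into Zemor's generators s_0 = (1 1; 0 1) and s_1 = (1 0; 1 1).

Added example: it checks the identity on the slide on constructed inputs and
does not perform the lifting step.
"""

S0 = ((1, 1), (0, 1))        # (1 q; 0 1) = S0^q
S1 = ((1, 0), (1, 1))        # (1 0; q 1) = S1^q
IDENTITY = ((1, 0), (0, 1))


def mat_mul(M1, M2):
    """2x2 integer matrix product."""
    (a, b), (c, d) = M1
    (e, f), (g, h) = M2
    return ((a * e + b * g, a * f + b * h), (c * e + d * g, c * f + d * h))


def zemor_product(bits):
    """The walk s_{m_1} s_{m_2} ... s_{m_N} over Z (no reduction mod p);
    bit 0 selects s_0 and bit 1 selects s_1."""
    M = IDENTITY
    for bit in bits:
        M = mat_mul(M, S1 if bit else S0)
    return M


def factor_euclid(M):
    """Recover bits with zemor_product(bits) == M, for M in SL(2, Z) with
    non-negative entries.  Each round peels the right-most power of a
    generator: M = M' S0^q means column 2 = (column 2 of M') + q * column 1,
    and M = M' S1^q means column 1 = (column 1 of M') + q * column 2, so q is
    read off by Euclidean division of one column by the other."""
    (A, B), (C, D) = M
    assert A * D - B * C == 1 and min(A, B, C, D) >= 0, "not in SL(2, Z+)"
    reversed_bits = []
    while (A, B, C, D) != (1, 0, 0, 1):
        if B >= A:
            # Right-most factor is S0^q.  Taking the smaller of the two row
            # quotients guards against a tie in one row (assumption: my
            # handling of ties, see the lead-in).
            q = min(B // A, D // C) if C else B // A
            B, D = B - q * A, D - q * C
            reversed_bits.extend([0] * q)
        else:
            # Right-most factor is S1^q.
            q = min(A // B, C // D) if B else C // D
            A, C = A - q * B, C - q * D
            reversed_bits.extend([1] * q)
    return reversed_bits[::-1]


if __name__ == "__main__":
    word = [0, 1, 1, 0]
    M = zemor_product(word)               # ((3, 4), (2, 3)), determinant 1
    print(M, factor_euclid(M) == word)
```

Every entry sum strictly decreases per round and each round removes at least one generator, so the loop terminates with the word reversed; the `[::-1]` puts it back in message order.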
Lifting attacks: LPS
- LPS: $G = PSL(2, \mathbb{F}_p)$ and $S$ as in LPS Ramanujan graphs
- Lift from $PSL(2, \mathbb{F}_p)$ to $SL(2, \mathbb{Z}[i])$. Here $\langle \text{lifts of generators} \rangle \subsetneq SL(2, \mathbb{Z}[i])$, but this set is well structured [LPS88]
- Second preimages [TZ08] ~ finding $\lambda, w, x, y, z, e$ such that
  $$(\lambda + wp)^2 + 4(xp)^2 + 4(yp)^2 + 4(zp)^2 = l^e$$

Lifting attacks: LPS & Morgenstern
- Preimages [PLQ08] ~ finding $\lambda, w, x, y, z, e$ such that
  $$(A\lambda + wp)^2 + (B\lambda + xp)^2 + (C\lambda + yp)^2 + (D\lambda + zp)^2 = l^{2k}$$
  Apparently hard, but instead we can
  - Lift diagonal matrices: $(A\lambda + wp)^2 + (B\lambda + xp)^2 + (yp)^2 + (zp)^2 = l^{2k}$
  - Combine diagonal matrices and generators
- Similar attacks for Morgenstern [PLQ08]

Collisions for Tillich-Zemor [GIMS09]
- Tillich-Zemor: $G = SL(2, \mathbb{F}_{2^n})$, $S = \left\{ \begin{pmatrix} X & 1 \\ 1 & 0 \end{pmatrix}, \begin{pmatrix} X & X+1 \\ 1 & 1 \end{pmatrix} \right\}$
- Change generators: $S' = \left\{ \begin{pmatrix} X & 1 \\ 1 & 0 \end{pmatrix}, \begin{pmatrix} X+1 & 1 \\ 1 & 0 \end{pmatrix} \right\}$
- $\begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \langle S' \rangle \Rightarrow$ when applying the Euclidean algorithm to $(a, b)$, all the quotients are $X$ or $X+1$
- Apply [MS87] to $a = p$ to get $m = m_1 \ldots m_n$ such that $H(m) = \begin{pmatrix} 0 & b \\ c & d \end{pmatrix}$
- Build a palindrome $m = m_n \ldots m_2 m_1 m_1 m_2 \ldots m_n$
- Observe the collision $A'_0 H(m) A'_0 = A'_1 H(m) A'_1$

Mesirov-Sweet algorithm [MS87]
- Studies the continued fraction algorithm for power series $f \in \mathbb{F}_2((X))$
- Which $f = b/a$ have all their partial quotients equal to $X$ or $X+1$?
- Given $a$ irreducible, [MS87] provides a "good" $b$
- Equivalently, given $a \in \mathbb{F}_2[X]$ irreducible, [MS87] gives $b \in \mathbb{F}_2[X]$ such that all partial quotients of the Euclidean algorithm applied to $(a, b)$ are $X$ or $X+1$
- The exact quotients are easily recovered

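To make the two checkable claims of the collision slide concrete, here is an added Python example (my code, not from [GIMS09]) working in $\mathbb{F}_2[X]$ without reduction mod $p$. It checks, first, that products of the $S'$ matrices have first-row entries $(a, b)$ whose Euclidean quotients are all $X$ or $X+1$ and come out in reverse message order, so the message can be read back from the quotients; and second, that any symmetric matrix $M = \begin{pmatrix} 0 & b \\ b & d \end{pmatrix}$ satisfies $A'_0 M A'_0 = A'_1 M A'_1$, both sides being $\begin{pmatrix} d & b \\ b & 0 \end{pmatrix}$, which is slightly more general than the slide's palindrome case and holds in any commutative ring of characteristic 2, hence also mod $p$. The matrix $M$ in the check is a constructed value standing in for the output of the [MS87] step, which is not implemented here.

```python
"""Tillich-Zemor with the generators S' = {A'_0, A'_1} over F_2[X], unreduced.

Added example checking two facts: Euclid on the first row of a product of S'
matrices yields quotients X or X+1 in reverse order, and a symmetric matrix
with zero top-left entry gives A'_0 M A'_0 == A'_1 M A'_1.
"""

X = 0b10   # polynomials are ints: bit i is the coefficient of X^i


def pmul(a, b):
    """Product in F_2[X] (carry-less multiply, no reduction)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def pdivmod(a, b):
    """Quotient and remainder of a by b in F_2[X]."""
    q = 0
    db = b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        shift = a.bit_length() - 1 - db
        q ^= 1 << shift
        a ^= b << shift
    return q, a


def mat_mul(M1, M2):
    """2x2 matrix product over F_2[X]; addition is XOR."""
    (a, b), (c, d) = M1
    (e, f), (g, h) = M2
    return ((pmul(a, e) ^ pmul(b, g), pmul(a, f) ^ pmul(b, h)),
            (pmul(c, e) ^ pmul(d, g), pmul(c, f) ^ pmul(d, h)))


A0p = ((X, 1), (1, 0))        # A'_0 = ( X    1 ; 1 0 )
A1p = ((X ^ 1, 1), (1, 0))    # A'_1 = ( X+1  1 ; 1 0 )


def product_Sprime(bits):
    """A'_{m_1} A'_{m_2} ... A'_{m_N} over F_2[X]; bit 0 -> A'_0, bit 1 -> A'_1."""
    M = ((1, 0), (0, 1))
    for bit in bits:
        M = mat_mul(M, A1p if bit else A0p)
    return M


def euclid_quotients(a, b):
    """Partial quotients of the Euclidean algorithm on (a, b) in F_2[X]."""
    quotients = []
    while b:
        q, r = pdivmod(a, b)
        quotients.append(q)
        a, b = b, r
    return quotients


def recover_message(M):
    """Read the message back from the first row (a, b): each quotient is X
    (bit 0) or X+1 (bit 1), and they appear last-generator-first."""
    (a, b), _ = M
    qs = euclid_quotients(a, b)
    assert all(q in (X, X ^ 1) for q in qs), "not a product of S' matrices"
    return [q & 1 for q in reversed(qs)]


def sandwich(A, M):
    return mat_mul(mat_mul(A, M), A)


def collision_holds(M):
    """True iff A'_0 M A'_0 == A'_1 M A'_1."""
    return sandwich(A0p, M) == sandwich(A1p, M)


if __name__ == "__main__":
    bits = [1, 0, 0, 1, 1, 0, 1]
    print(recover_message(product_Sprime(bits)) == bits)
    # Constructed stand-in for what [MS87] produces: symmetric, top-left 0.
    M = ((0, 0b1011), (0b1011, 0b110))
    print(collision_holds(M), sandwich(A0p, M))
```

The quotient check is the "exact quotients are easily recovered" remark made precise: the first row alone determines the whole word. The sandwich check shows that once a matrix of the shape $\begin{pmatrix} 0 & b \\ b & d \end{pmatrix}$ is in hand, the two messages $0\,m\,0$ and $1\,m\,1$ over $S'$ collide, with the cross terms $X b$ and $(X+1) b$ cancelling against each other in characteristic 2.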
Collisions for Tillich-Zemor [GIMS09]
- Previous lifting attacks were KO on TZ, but here:
  - $I$ is not lifted directly; instead $\begin{pmatrix} 0 & b \\ c & d \end{pmatrix}$ is
  - The 0 is lifted first, then the whole lift is recovered with [MS87]
  - The palindrome trick allows one to "lift two elements for the price of only one"

Second preimages for Tillich-Zemor [PQ]
- $a = p \Rightarrow H(m) = \begin{pmatrix} 0 & e \\ e & b^2 \end{pmatrix} = \begin{pmatrix} 0 & 1 \\ 1 & b^2 \end{pmatrix}$
- $H(0m) = \begin{pmatrix} 1 & X + b^2 \\ 0 & 1 \end{pmatrix}$ and $H(m0) = \begin{pmatrix} 1 & 0 \\ X + b^2 & 1 \end{pmatrix}$
- Both matrices have order 2 $\Rightarrow H(0m'0m) = H(m0m0) = I$
- Preimage of 1 $\Rightarrow$ second preimages for any message

Preimages for Tillich-Zemor [PQ]
- For any $a_i = 0 \bmod p$ (not just $a = p$):
  $$H(0m) = \begin{pmatrix} 1 & X + b_i^2 \\ 0 & 1 \end{pmatrix} \quad\text{and}\quad H(m0) = \begin{pmatrix} 1 & 0 \\ X + b_i^2 & 1 \end{pmatrix}$$
- On the other hand:
  $$\begin{pmatrix} A & B \\ C & D \end{pmatrix} = \begin{pmatrix} 1 & 0 \\ \alpha & 1 \end{pmatrix} \begin{pmatrix} X & 1 \\ 1 & 0 \end{pmatrix} \begin{pmatrix} 1 & \beta \\ 0 & 1 \end{pmatrix} \begin{pmatrix} X & 1 \\ 1 & 0 \end{pmatrix}^3 \begin{pmatrix} 1 & 0 \\ \gamma & 1 \end{pmatrix}$$
  and
  $$\begin{pmatrix} 1 & 0 \\ \sum \alpha_i & 1 \end{pmatrix} = \prod \begin{pmatrix} 1 & 0 \\ \alpha_i & 1 \end{pmatrix}, \qquad \begin{pmatrix} 1 & \sum \beta_i \\ 0 & 1 \end{pmatrix} = \prod \begin{pmatrix} 1 & \beta_i \\ 0 & 1 \end{pmatrix}$$
- $\Rightarrow$ Precompute preimages of $\begin{pmatrix} 0 & 1 \\ 1 & b_i^2 + X \end{pmatrix}$ for a set of $b_i^2 + X$ forming a basis of $\mathbb{F}_{2^n} / \mathbb{F}_2$

Two precomputing algorithms
1. Apply [MS87] to $a_i = p q_i$ instead of $a = p$
   - [MS87] required $a$ irreducible, so we extended it
   - Preimages of length $O(n)$ in probabilistic time $O(n^4)$
2. Obtain new matrices $\begin{pmatrix} 0 & 1 \\ 1 & b_i^2 + X \end{pmatrix}$ recursively from the one obtained from [GIMS09]
   - Preimages of length $O(n^2)$ in deterministic time $O(n^3)$
   - Full proof when $n$ is prime

[Section: The end of the story?]

The end of the story?
- Collisions & preimages for Zemor, Tillich-Zemor, LPS, Morgenstern
- The end of the story?
- Not yet!
- For most groups / generators, we do not know if the problems can be solved

The end of the story?
- Choose $G$ to prevent subgroup attacks
- Choose $S$ to prevent lifting attacks?
- Avoid "small" parameters and symmetry

Hard (?) problems
- Representation problem (second preimages): given $G$ and $S = \{s_0, \ldots, s_{k-1}\} \subset G$, find a short product $\prod s_{m_i} = 1$
- Balance problem (collisions): given $G$ and $S = \{s_0, \ldots, s_{k-1}\} \subset G$, find two short products with $\prod s_{m_i} = \prod s_{m'_i}$
- Factorization problem (preimages): given $G$, $g \in G$ and $S = \{s_0, \ldots, s_{k-1}\} \subset G$, find a short product $\prod s_{m_i} = g$

Partial results for $SL(2, \mathbb{F}_{2^n})$
Let $A, B$ generate $SL(2, \mathbb{F}_{2^n})$.
- Subgroup attacks of [PQTZ09]
- Wlog, $A$ and $B$ symmetric, hence the palindrome trick applies
- Wlog, $A = \begin{pmatrix} X + X^{-1} & X \\ X & X \end{pmatrix}$ and $B$ symmetric
- Wlog, $A = \begin{pmatrix} w & w+1 \\ w+1 & w \end{pmatrix}$, an orthogonal "rotation" matrix, and $B = \begin{pmatrix} \lambda & 0 \\ 0 & \lambda^{-1} \end{pmatrix}$, a diagonal "extension" matrix
- Wlog, $A = \begin{pmatrix} s & 1 \\ 1 & 0 \end{pmatrix}$ and $B = \begin{pmatrix} t & 1 \\ 1 & 0 \end{pmatrix}$, "Euclidean algorithm" matrices
- Further reductions using field isomorphisms

Partial results for $SL(2, \mathbb{F}_{2^n})$
- For $A = \begin{pmatrix} X + X^{-1} & X \\ X & X \end{pmatrix}$ and $B$ symmetric: preimage algorithm if we can find $m$ such that $\begin{pmatrix} 1 & 1 \end{pmatrix} H(m) = \begin{pmatrix} 0 & q \end{pmatrix}$
- For $A = \begin{pmatrix} s & 1 \\ 1 & 0 \end{pmatrix}$ and $B = \begin{pmatrix} t & 1 \\ 1 & 0 \end{pmatrix}$: preimage algorithm if we can find $m$ such that $\begin{pmatrix} 1 & 0 \end{pmatrix} H(m) = \begin{pmatrix} 0 & q \end{pmatrix}$
- Extensions of [MS87] to larger quotients? (ongoing work)

Other groups
- ???

Related problems
- Graph theory
  - Expander graphs
  - Diameter of Cayley graphs, Babai's conjecture
- Euclidean algorithm
  - Clear for Zemor and Tillich-Zemor
  - Implicit in LPS, Morgenstern (Diophantine equations solved via Lagrange)
- Cryptography
  - Alternative to DL, ECDL and factoring?
  - Stream cipher theory

[Section: Conclusion]

Conclusion
- Elegant design, nice properties
- Zemor, LPS, Morgenstern, Tillich-Zemor broken
- Security of other / generic instances?