f p n new z
play

F p n New Z emor-Tillich Type Hash Functions Over GL 2 Hayley - PowerPoint PPT Presentation

F p n New Z emor-Tillich Type Hash Functions Over GL 2 Hayley Tomkins, Monica Nevins, and Hadi Salmasian University of Ottawa, Canada June 24, 2019 Hayley Tomkins, Monica Nevins, and Hadi Salmasian New Z emor-Tillich Type Hash


  1. � F p n � New Z´ emor-Tillich Type Hash Functions Over GL 2 Hayley Tomkins, Monica Nevins, and Hadi Salmasian University of Ottawa, Canada June 24, 2019 Hayley Tomkins, Monica Nevins, and Hadi Salmasian New Z´ emor-Tillich Type Hash Functions Over GL 2 � � 1 / 24 F pn

  2. What is a Cayley Hash? In 1991 Gilles Z´ emor introduced the idea of building hash functions from Cayley graphs of large girth. Hayley Tomkins, Monica Nevins, and Hadi Salmasian New Z´ emor-Tillich Type Hash Functions Over GL 2 � � 2 / 24 F pn

  3. What is a Cayley Hash? In 1991 Gilles Z´ emor introduced the idea of building hash functions from Cayley graphs of large girth. Associated Cayley hash Given a group G and g 1 , g 2 ∈ G , the associated [Cayley] hash H is the map defined for any message m = m 1 . . . m k ∈ { 0 , 1 } ∗ by H ( m ) = H ( m 1 ) · · · H ( m k ) ∈ G where H (0) = g 1 and H (1) = g 2 . Hayley Tomkins, Monica Nevins, and Hadi Salmasian New Z´ emor-Tillich Type Hash Functions Over GL 2 � � 2 / 24 F pn

  4. What is a Cayley Hash? In 1991 Gilles Z´ emor introduced the idea of building hash functions from Cayley graphs of large girth. Associated Cayley hash Given a group G and g 1 , g 2 ∈ G , the associated [Cayley] hash H is the map defined for any message m = m 1 . . . m k ∈ { 0 , 1 } ∗ by H ( m ) = H ( m 1 ) · · · H ( m k ) ∈ G where H (0) = g 1 and H (1) = g 2 . Small modifications property Given any collision H ( m ) = H ( m ′ ), min {| m | , | m ′ |} ≥ n . Hayley Tomkins, Monica Nevins, and Hadi Salmasian New Z´ emor-Tillich Type Hash Functions Over GL 2 � � 2 / 24 F pn

  5. In Cayley hashes notions such as collision, second preimage, and preimage resistance are able to be restated as mathematical problems that are believed to be hard. Hayley Tomkins, Monica Nevins, and Hadi Salmasian New Z´ emor-Tillich Type Hash Functions Over GL 2 � � 3 / 24 F pn

  6. In Cayley hashes notions such as collision, second preimage, and preimage resistance are able to be restated as mathematical problems that are believed to be hard. Some examples emor’s original suggestion was to use g 1 = [ 1 1 0 1 ] and g 2 = [ 1 0 Z´ 1 1 ] in � � F p for p a large prime SL 2 Cayley hashes from expander graphs Bromberg et. al. suggested using pairs of the form g 1 = [ 1 r 0 1 ] and g 2 = [ 1 0 � � s 1 ] in SL 2 F p Hayley Tomkins, Monica Nevins, and Hadi Salmasian New Z´ emor-Tillich Type Hash Functions Over GL 2 � � 3 / 24 F pn

  7. The Z´ emor-Tillich hash function The Z´ emor-Tillich hash function The Z´ emor-Tillich hash function is defined as the associated hash � x x +1 � F 2 n � , g 1 = [ x 1 � function of G = SL 2 1 0 ], and g 2 = , where x is the 1 1 root of the defining polynomial of F 2 n . Hayley Tomkins, Monica Nevins, and Hadi Salmasian New Z´ emor-Tillich Type Hash Functions Over GL 2 � � 4 / 24 F pn

  8. The Z´ emor-Tillich hash function The Z´ emor-Tillich hash function The Z´ emor-Tillich hash function is defined as the associated hash � x x +1 � F 2 n � , g 1 = [ x 1 � function of G = SL 2 1 0 ], and g 2 = , where x is the 1 1 root of the defining polynomial of F 2 n . viably fast tends to uniform distribution Hayley Tomkins, Monica Nevins, and Hadi Salmasian New Z´ emor-Tillich Type Hash Functions Over GL 2 � � 4 / 24 F pn

  9. The Z´ emor-Tillich hash function The Z´ emor-Tillich hash function The Z´ emor-Tillich hash function is defined as the associated hash � x x +1 � F 2 n � , g 1 = [ x 1 � function of G = SL 2 1 0 ], and g 2 = , where x is the 1 1 root of the defining polynomial of F 2 n . viably fast tends to uniform distribution Attacks small order attacks (Charnes and Piepryzk, Steinwandt et. al. ) Geiselmann’s embedding attack Grassl et. al’s palindrome attack Hayley Tomkins, Monica Nevins, and Hadi Salmasian New Z´ emor-Tillich Type Hash Functions Over GL 2 � � 4 / 24 F pn

  10. Our contribution � � Our hash function construction: Let A, B ∈ M 2 × 2 F p [ x ] and set D � � � � to be M ∈ M 2 × 2 F p [ x ] | r n ∤ det( M ) . Define the projection map � � π r n : D − → GL 2 F q to be the map taking entries of a matrix to their projection in F q under the quotient by � r n � . We then construct a hash function H by taking the � F p n � associated hash for g 1 = π r n ( A ) and g 2 = π r n ( B ) and G = GL 2 . Hayley Tomkins, Monica Nevins, and Hadi Salmasian New Z´ emor-Tillich Type Hash Functions Over GL 2 � � 5 / 24 F pn

  11. Our contribution � � Our hash function construction: Let A, B ∈ M 2 × 2 F p [ x ] and set D � � � � to be M ∈ M 2 × 2 F p [ x ] | r n ∤ det( M ) . Define the projection map � � π r n : D − → GL 2 F q to be the map taking entries of a matrix to their projection in F q under the quotient by � r n � . We then construct a hash function H by taking the � F p n � associated hash for g 1 = π r n ( A ) and g 2 = π r n ( B ) and G = GL 2 . Our idea: Use freeness to retain the small modifications property. Hayley Tomkins, Monica Nevins, and Hadi Salmasian New Z´ emor-Tillich Type Hash Functions Over GL 2 � � 5 / 24 F pn

  12. The field of formal Laurent series over F p The elements of F p (( x )) are series of the form ∞ � g k x k g ( x ) = k = m for g i ∈ F p and m ∈ Z . Hayley Tomkins, Monica Nevins, and Hadi Salmasian New Z´ emor-Tillich Type Hash Functions Over GL 2 � � 6 / 24 F pn

  13. The field of formal Laurent series over F p The elements of F p (( x )) are series of the form ∞ � g k x k g ( x ) = k = m for g i ∈ F p and m ∈ Z . � � F p (( x )) PGL 2 Hayley Tomkins, Monica Nevins, and Hadi Salmasian New Z´ emor-Tillich Type Hash Functions Over GL 2 � � 6 / 24 F pn

  14. The field of formal Laurent series over F p The elements of F p (( x )) are series of the form ∞ � g k x k g ( x ) = k = m for g i ∈ F p and m ∈ Z . � � F p (( x )) PGL 2 � � GL 2 F p (( x )) Hayley Tomkins, Monica Nevins, and Hadi Salmasian New Z´ emor-Tillich Type Hash Functions Over GL 2 � � 6 / 24 F pn

  15. The field of formal Laurent series over F p The elements of F p (( x )) are series of the form ∞ � g k x k g ( x ) = k = m for g i ∈ F p and m ∈ Z . � � F p (( x )) PGL 2 � � GL 2 F p (( x )) P 1 Hayley Tomkins, Monica Nevins, and Hadi Salmasian New Z´ emor-Tillich Type Hash Functions Over GL 2 � � 6 / 24 F pn

  16. Free Generators Theorem Free Generators Theorem (T. 2018) Let p be a prime and let d ∈ N 0 . Suppose there exist a , ˜ b ∈ F p (( x )), f , ˜ f ∈ F p (( x )) × , such that Ξ 1 , Ξ 2 and Ξ 3 hold (see a , b , c , ˜ next slide). Then the matrices � ab − cf � ˜ a ˜ ˜ � � a ( f − 1) b − ˜ f f − 1 A = and B = (1) a ˜ b (1 − ˜ b ˜ ˜ cb (1 − f ) abf − c ˜ f ) f − ˜ a � � generate a free group in PGL 2 F p (( x )) . In particular, any inverse images � � of A , B in GL 2 F p (( x )) also generate a free group. Hayley Tomkins, Monica Nevins, and Hadi Salmasian New Z´ emor-Tillich Type Hash Functions Over GL 2 � � 7 / 24 F pn

  17. Conditions of the Free Generators Theorem 1 Ξ 1 : d ([ u ] , [ v ]) > p d +1 for each pair of [ u ] , [ v ] in a ] , [1 : ˜ � � [ a : c ] , [1 : b ] , [1 : ˜ b ] p 2 d +1 , and min {| ˜ f | , | ˜ Ξ 2 : min {| f | , | f − 1 |} ≤ 1 f − 1 | ≤ 1 p 2 d +1 } Ξ 3 : There exists [ z ] ∈ P 1 such that d ([ z ] , [ u ]) > 1 p d +1 for each [ u ] in a ] , [1 : ˜ � � [ a : c ] , [1 : b ] , [1 : ˜ b ] . Remark We can find infinitely many parameters satisfying our theorem for all d ≥ 0 when p is odd, and all d > 0 when p = 2. Hayley Tomkins, Monica Nevins, and Hadi Salmasian New Z´ emor-Tillich Type Hash Functions Over GL 2 � � 8 / 24 F pn

  18. Some constructions using the Free Generators Theorem Table: The matrices A and B produced using the Free Generators Theorem for p > 2, d = 0, a = 0, c = 1, f , ˜ a , and ˜ f ∈ x F p [ x ], and given choices of b , ˜ b . ˜ { A , B } A B b a ˜ b � ˜ 1 − ˜ � f � � 0 f + 1 f G 1 ( f , ˜ f ) 0 1 − 1 1 − ˜ ˜ 0 1 f f + 1 � ˜ ˜ � f � � 0 f + 1 f − 1 G 2 ( f , ˜ f ) 0 − 1 1 ˜ ˜ 0 1 f − 1 f + 1 � ˜ ˜ � � � f 0 f f − 1 G 3 ( f , ˜ f ) 1 − 1 0 f − 1 1 0 1 1 − ˜ � � � 1 � f 0 f G 4 ( f , ˜ f ) 1 0 − 1 ˜ f − 1 1 0 f � ˜ 1 − ˜ � f 0 � � f f G 5 ( f , ˜ f ) − 1 1 0 1 − f 1 0 1 ˜ � � � 1 � f 0 f − 1 G 6 ( f , ˜ f ) − 1 0 1 ˜ 1 − f 1 0 f Hayley Tomkins, Monica Nevins, and Hadi Salmasian New Z´ emor-Tillich Type Hash Functions Over GL 2 � � 9 / 24 F pn

  19. Benefits of this method The Free Generators Theorem provides many choices of g 1 and g 2 over any characteristic offers a great amount of control of the degrees and form of the entries in our generators extends to an arbitrary number of generators Hayley Tomkins, Monica Nevins, and Hadi Salmasian New Z´ emor-Tillich Type Hash Functions Over GL 2 � � 10 / 24 F pn

Recommend


More recommend