hash functions and cayley graphs the end of the story
play

Hash functions and Cayley graphs: The end of the story ? Christophe - PowerPoint PPT Presentation

Feb 08, 2023 •320 likes •786 views

Hash functions and Cayley graphs: The end of the story ? Christophe Petit UCL Crypto Group Ch. Petit - Paris VI - Nov 2010 1 Microelectronics Laboratory Hash functions H : { 0 , 1 } { 0 , 1 } n UCL Crypto Group Ch. Petit - Paris VI

  1. Hash functions and Cayley graphs: The end of the story ? Christophe Petit UCL Crypto Group Ch. Petit - Paris VI - Nov 2010 1 Microelectronics Laboratory

  2. Hash functions H : { 0 , 1 } ∗ → { 0 , 1 } n UCL Crypto Group Ch. Petit - Paris VI - Nov 2010 2 Microelectronics Laboratory

  3. Applications ◮ Message authentication ◮ Entropy extraction codes ◮ Key derivation ◮ Digital signatures techniques ◮ Password storage ◮ ... ◮ Pseudorandom number ◮ ... generation UCL Crypto Group Ch. Petit - Paris VI - Nov 2010 3 Microelectronics Laboratory

  4. Properties ◮ Collision resistance : hard to find m , m ′ such that H ( m ) = H ( m ′ ) ◮ Preimage resistance : given h , hard to find m such that H ( m ) = h ◮ Second preimage resistance : given m , hard to find m ′ such that H ( m ′ ) = h UCL Crypto Group Ch. Petit - Paris VI - Nov 2010 4 Microelectronics Laboratory

  5. Properties ◮ “Pseudo-randomness” ◮ ... UCL Crypto Group Ch. Petit - Paris VI - Nov 2010 5 Microelectronics Laboratory

  6. Constructions “Classical” hash function Hash function based on a Cayley graph UCL Crypto Group Ch. Petit - Paris VI - Nov 2010 6 Microelectronics Laboratory

  7. Outline Introduction Cayley hash functions Security : state of the art The end of the story ? Conclusion UCL Crypto Group Ch. Petit - Paris VI - Nov 2010 7 Microelectronics Laboratory

  8. Outline Introduction Cayley hash functions Security : state of the art The end of the story ? Conclusion UCL Crypto Group Ch. Petit - Paris VI - Nov 2010 8 Microelectronics Laboratory

  9. Hash functions from Cayley graphs ◮ Parameters G a group, and S = { s 0 , ..., s k − 1 } ⊂ G ◮ Write m = m 1 m 2 ... m N with m i ∈ { 0 , ..., k − 1 } Define H ( m ) := s m 1 s m 2 ... s m N UCL Crypto Group Ch. Petit - Paris VI - Nov 2010 9 Microelectronics Laboratory

  10. Hash functions from Cayley graphs ◮ Computation ∼ walk in the Cayley graph ◮ Example : G = ( Z / 8 Z , +), S = { 1 , 2 } 5 4 4 6 3 m = 101 H ( m ) = 0 + 1 + 2 + 1 = 4 7 2 0 0 1 UCL Crypto Group Ch. Petit - Paris VI - Nov 2010 10 Microelectronics Laboratory

  11. Example : Tillich-Z´ emor hash function ◮ p ∈ F 2 [ X ] irreducible of degree n K = F 2 [ X ] / ( p ( X )) ≈ F 2 n ◮ G = SL (2 , K ) 1 0 ) , A 1 = ( X X +1 S = { A 0 = ( X 1 1 ) } 1 ◮ H ( m 1 m 2 ... m N ) := A m 1 A m 2 ... A m N mod p ( X ) UCL Crypto Group Ch. Petit - Paris VI - Nov 2010 11 Microelectronics Laboratory

  12. Hard ( ?) problems ◮ Representation problem : Given G and S = { s 0 , ..., s k − 1 } ⊂ G , find a short product � s m i = 1 ◮ Balance problem : Given G and S = { s 0 , ..., s k − 1 } ⊂ G , find two short products � s m i = � s m ′ i ◮ Factorization problem : Given G , g ∈ G and S = { s 0 , ..., s k − 1 } ⊂ G , find a short product � s m i = g UCL Crypto Group Ch. Petit - Paris VI - Nov 2010 12 Microelectronics Laboratory

  13. Babai’s conjecture [ BS92 ] For any non-Abelian finite simple group G, there is a constant c such that for all generator sets S, the diameter of the Cayley graph arising from G and S is smaller than (log | G | ) c . ◮ Well-studied conjecture, limited results so far ◮ Very few parameters have constructive proofs ◮ Solving the factorization problem for G and S ∼ constructive proof of Babai’s conjecture for G and S UCL Crypto Group Ch. Petit - Paris VI - Nov 2010 13 Microelectronics Laboratory

  14. Cayley hash functions : properties ◮ Elegant, simple design ◮ Security properties ∼ mathematical problems ◮ Collisions ∼ balance problem ◮ Preimages ∼ factorization problem ∼ constructive proof of Babai’s conjecture ◮ Output distribution ∼ expander properties ◮ Parallelism H ( m || m ′ ) = H ( m ) H ( m ′ ) ◮ Good efficiency, at least for matrix groups ◮ Not a random oracle ! but additional heuristics may help ◮ Issue : find good groups G and generator sets S UCL Crypto Group Ch. Petit - Paris VI - Nov 2010 14 Microelectronics Laboratory

  15. A few proposals Z´ emor [Z91] Tillich-Z´ emor [TZ94] p prime p ∈ F 2 [ X ] irreducible G = SL (2 , F p ) G = SL (2 , F 2 n ) S = { ( 1 1 0 1 ) , ( 1 0 S = { ( X 1 1 0 ) , ( X X +1 1 1 ) } 1 ) } 1 LPS [CGL09] Morgenstern [PLQ07] p prime p ∈ F 2 [ X ] irreducible G = PSL (2 , F p ) G = PSL (2 , F 2 n ) S as in S as in Morgenstern’s Lubotsky-Philips-Sarnak’s Ramanujan graphs Ramanujan graphs UCL Crypto Group Ch. Petit - Paris VI - Nov 2010 15 Microelectronics Laboratory

  16. Outline Introduction Cayley hash functions Security : state of the art The end of the story ? Conclusion UCL Crypto Group Ch. Petit - Paris VI - Nov 2010 16 Microelectronics Laboratory

  17. Many angles of attacks Exhaustive search Birthday attacks Multicollisions Meet-in-the-middle Trapdoor attacks Malleability Subgroup attacks Lifting attacks Euclidean algorithm Babai’s conjecture UCL Crypto Group Ch. Petit - Paris VI - Nov 2010 17 Microelectronics Laboratory

  18. Subgroup attacks ◮ Assume G = G 0 ⊃ G 1 ⊃ G 2 ... ⊃ G N = { 1 } UCL Crypto Group Ch. Petit - Paris VI - Nov 2010 18 Microelectronics Laboratory

  19. Subgroup attacks ◮ Assume G = G 0 ⊃ G 1 ⊃ G 2 ... ⊃ G N = { 1 } and | G i | / | G i +1 | “small” ◮ Preimage of 1 ◮ Random products of s 0 and s 1 to get two elements s ′ 0 and s ′ 1 of G 1 ◮ Random products of s ′ 0 and s ′ 1 to get two elements s ′′ 0 and s ′′ 1 of G 2 ◮ ... ◮ = second preimage attack ◮ H ( m ) = 1 ⇒ H ( m ′ || m ) = H ( m ′ ) H ( m ) = H ( m ′ ) UCL Crypto Group Ch. Petit - Paris VI - Nov 2010 19 Microelectronics Laboratory

  20. Subgroup attacks ◮ Assume G = G 0 ⊃ G 1 ⊃ G 2 ... ⊃ G N = { 1 } ◮ More generally, the attack works if “going from G i to G i +1 is easy” Ex. : if G i / G i +1 is Abelian and DLP easy in it ◮ [SGGB00] : subgroup attack on Tillich-Z´ emor when n is composite ◮ [PQTZ09] : generic subgroup attacks on Tillich-Z´ emor and variants that “remove easy quotients” UCL Crypto Group Ch. Petit - Paris VI - Nov 2010 20 Microelectronics Laboratory

  21. Trapdoor attacks ◮ Choose the parameters such that you know a collision ◮ [SGGB00] against Tillich-Z´ emor ◮ Can be prevented easily ◮ Sometimes useful ! [CP10] UCL Crypto Group Ch. Petit - Paris VI - Nov 2010 21 Microelectronics Laboratory

  22. Lifting attacks ◮ Very succesful approach ! ◮ Principle : lift the representation problem to some ring where it is easier to solve ◮ Define the lifted set appropriately ◮ Find a way to lift elements ◮ Solve the problems in the lifted set UCL Crypto Group Ch. Petit - Paris VI - Nov 2010 22 Microelectronics Laboratory

  23. Lifting attacks : Z´ emor [ TZ94 ] ◮ Z´ emor G = SL (2 , F p ), S = { ( 1 1 0 1 ) , ( 1 0 1 1 ) } ◮ Given ( a b c d ) ∈ SL (2 , F p ) � A B � 1. Lifting : Find ∈ SL (2 , Z + ) such that C D � A B � a b � � = mod p C D c d � A B � as a product of ( 1 1 0 1 ) and ( 1 0 2. Solving : Factor 1 1 ) C D with Euclidean algorithm : If A ≥ B , apply Euclidean algorithm to ( A , B ) else apply Euclidean algorithm to ( C , D ) Indeed : ◮ a i − 1 = q i a i + a i +1 � a i − 2 � 1 q i − 1 � � 1 ( a i � � ⇔ = a i +1 ) a i − 1 q i 1 1 ◮ � 1 q � 1 0 0 1 ) q and 1 1 ) q � � = ( 1 1 = ( 1 0 q 1 0 1 UCL Crypto Group Ch. Petit - Paris VI - Nov 2010 23 Microelectronics Laboratory

  24. Lifting attacks : LPS ◮ LPS : G = PSL (2 , F p ) and S as in LPS Ramanujan graphs ◮ Lift from PSL (2 , F p ) to SL (2 , Z [ i ]) Here � lifts of generators � � SL (2 , Z [ i ]) Very small subset, but well structured [LPS88] ◮ 2nd preimages [TZ08] ∼ finding λ, w , x , y , z , e such that ( λ + wp ) 2 + 4( xp ) 2 + 4( yp ) 2 + 4( zp ) 2 = ℓ e UCL Crypto Group Ch. Petit - Paris VI - Nov 2010 24 Microelectronics Laboratory

  25. Lifting and subgroup attacks together ◮ Preimages against LPS [PLQ08] ∼ finding λ, w , x , y , z , e such that ( A λ + wp ) 2 + ( B λ + xp ) 2 + ( C λ + yp ) 2 + ( D λ + zp ) 2 = ℓ 2 k Apparently hard but instead we can ◮ Lift diagonal matrices ( A λ + wp ) 2 + ( B λ + xp ) 2 + ( yp ) 2 + ( zp ) 2 = ℓ 2 k ◮ Combine diagonal matrices and generators ◮ Similar attacks for Morgenstern [PLQ08] UCL Crypto Group Ch. Petit - Paris VI - Nov 2010 25 Microelectronics Laboratory

  26. Lifting attack for Tillich-Z´ emor [ GIMS09 ] ◮ Tillich-Z´ emor G = SL (2 , F 2 n ), S = { ( X 1 1 0 ) , ( X X +1 1 ) } 1 1. Change generators S ′ = { ( X 1 1 0 ) , ( X +1 1 0 ) } 1 ◮ � a b � ∈ � S ′ � ⇒ when applying Euclidean algorithm to c d ( a , b ), all the quotients are X or X + 1 2. Apply [MS87] to p ( X ) to get m = m 1 ... m n such that � p b � H ( m ) = = ( 0 b c d ) mod p ( X ) c d 3. Build the palindrome ˜ m = m n ... m 2 ¯ m 1 ¯ m 1 m 2 ... m n , then A ′ 0 H ( ˜ m ) A ′ 0 = A ′ 1 H ( ˜ m ) A ′ 1 . UCL Crypto Group Ch. Petit - Paris VI - Nov 2010 26 Microelectronics Laboratory

Recommend

Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must

Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must

Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must provide o Compression output length is small o Efficiency h(x) easy to compute for any x o One-way given a value y it is infeasible to find

465 views • 42 slides
Cayley Graphs Isomorphisms Forming Groups Free Groups Examples Relators Ryan Jensen Graphs

Cayley Graphs Isomorphisms Forming Groups Free Groups Examples Relators Ryan Jensen Graphs

Cayley Graphs Ryan Jensen Groups Group Basics Examples Cayley Graphs Isomorphisms Forming Groups Free Groups Examples Relators Ryan Jensen Graphs Cayley Graphs University of Tennessee F 1 F 2 Presentations March 26, 2014 Cayley

708 views • 48 slides
Distance-regular Cayley graphs of abelian groups Stefko Miklavi c University of Primorska

Distance-regular Cayley graphs of abelian groups Stefko Miklavi c University of Primorska

Definition Distance-regular cayley graphs over cyclic groups Distance-regular cayley graphs over dihedral groups Minimal distance-regular Cayley graphs on abelian groups Distance-regular Cayley graphs of abelian groups Stefko

778 views • 30 slides
(username, password) ? x ? ? ? ? but (username,hash(password))

(username, password) ? x ? ? ? ? but (username,hash(password))

Hash Functions - Bart Preneel June 2016 Hash functions X.509 Annex D RIPEMD-160 SHA-3 MDC-2 SHA-256 MD2, MD4, MD5 Introduction to the SHA-512 SHA-1 Design and Cryptanalysis of Cryptographic Hash Functions This is an input to a crypto-

517 views • 10 slides
Hash Pile Ups: Using Collisions to Identify Unknown Hash Functions R. Joshua Tobin and David

Hash Pile Ups: Using Collisions to Identify Unknown Hash Functions R. Joshua Tobin and David

Hash Pile Ups: Using Collisions to Identify Unknown Hash Functions R. Joshua Tobin and David Malone 11 October 2012 Hash Functions We are talking about hash functions for consistent assignment. For example, Hash tables, Network

448 views • 18 slides
Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about

Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about

Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about digital signatures... A Tale of Two Boxes A Tale of Two Boxes Much of today s applied cryptography works with two magic boxes A Tale of Two Boxes

1.68k views • 129 slides
Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about

Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about

Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about digital signatures... A Tale of Two Boxes A Tale of Two Boxes Much of today s applied cryptography works with two magic boxes A Tale of Two Boxes

1.37k views • 120 slides
Cayley Graphs Daniel York University of Puget Sound dsyork@pugetsound.edu 7 May 2019 Cayley

Cayley Graphs Daniel York University of Puget Sound dsyork@pugetsound.edu 7 May 2019 Cayley

Cayley Graphs and Group Actions Components and Cosets Direct Products Cayley Graphs Daniel York University of Puget Sound dsyork@pugetsound.edu 7 May 2019 Cayley Graphs and Group Actions Components and Cosets Direct Products Overview 1

335 views • 30 slides
Strong Randomness Properties of (Hyper-)Graphs Generated by Simple Hash Functions Martin Aum

Strong Randomness Properties of (Hyper-)Graphs Generated by Simple Hash Functions Martin Aum

Strong Randomness Properties of (Hyper-)Graphs Generated by Simple Hash Functions Martin Aum uller Technische Universit at Ilmenau, Germany AofA15 Strobl, June 8, 2015 Joint work with Martin Dietzfelbinger and Philipp Woelfel. M.

691 views • 56 slides
Hash functions based on products in non-Abelian groups Jean-Pierre Tillich and Gilles Zmor

Hash functions based on products in non-Abelian groups Jean-Pierre Tillich and Gilles Zmor

Hash functions based on products in non-Abelian groups Jean-Pierre Tillich and Gilles Zmor INRIA, quipe SECRET Bordeaux Mathematics Institute ENSTA, April the 3rd Hash functions from graphs Take a large graph G , (e.g. 2 1000 vertices),

452 views • 29 slides
Strongly Regular Cayley Graphs in Rank Two Abelian Groups Ken W. Smith Mt. Pleasant, MI 2015

Strongly Regular Cayley Graphs in Rank Two Abelian Groups Ken W. Smith Mt. Pleasant, MI 2015

Strongly Regular Cayley Graphs in Rank Two Abelian Groups Ken W. Smith Mt. Pleasant, MI 2015 Smith Cayley SRGs 2015 1 / 61 Strongly Regular Cayley Graphs in C p n C p n Strongly regular graphs play a central role in algebraic

1.56k views • 129 slides
Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Cryptography Hash Functions and MACs Introduction to Hash Functions Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message Cryptography Authentication Codes School of Engineering and Technology

338 views • 23 slides
Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Cryptography Hash Functions and MACs Introduction to Hash Functions Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message Cryptography Authentication Codes School of Engineering and Technology

787 views • 23 slides
Outline Hash Functions 1 Iterated Hash Functions CPSC 418/MATH 318 Introduction to Cryptography

Outline Hash Functions 1 Iterated Hash Functions CPSC 418/MATH 318 Introduction to Cryptography

Outline Hash Functions 1 Iterated Hash Functions CPSC 418/MATH 318 Introduction to Cryptography SHA-1 SHA-3 (Keccak) Hash Functions, SHA-3, Message Authentication Codes 2 Sponge Construction Keccak Overview Renate Scheidler Keccak

888 views • 14 slides
Chromatic properties of Cayley graphs Elena Konstantinova Sobolev Institute of Mathematics

Chromatic properties of Cayley graphs Elena Konstantinova Sobolev Institute of Mathematics

Chromatic properties of Cayley graphs Elena Konstantinova Sobolev Institute of Mathematics Novosibirsk State University Mathematical Colloquium, Ljubljana, Slovenia October 2, 2015 Elena Konstantinova Chromatic properties of Cayley graphs

450 views • 25 slides
Semidefinite programming bounds for codes and anticodes in Cayley graphs Frank Vallentin

Semidefinite programming bounds for codes and anticodes in Cayley graphs Frank Vallentin

Semidefinite programming bounds for codes and anticodes in Cayley graphs Frank Vallentin (Universit at zu K oln) Semidefinite Programming and Graph Algorithms Workshop ICERM February 12, 2014 Theory Codes and anticodes in Cayley graphs

271 views • 25 slides
Cryptographic Hash Functions Signatures Requirements MD5 and SHA CSS441: Security and

Cryptographic Hash Functions Signatures Requirements MD5 and SHA CSS441: Security and

CSS441 Hash Functions Hash Functions Authentication Cryptographic Hash Functions Signatures Requirements MD5 and SHA CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by

1.04k views • 24 slides
References Cryptographic Hash Functions Hash Functions, Chapter 11 of Understanding

References Cryptographic Hash Functions Hash Functions, Chapter 11 of Understanding

References Cryptographic Hash Functions Hash Functions, Chapter 11 of Understanding Cryptography by Paar & Pelzl. & Mathematical Cryptography , by Keijo Ruohonen, http://math.tut.fi/~ruohonen/MC.pdf , pages 9899. Signature

255 views • 10 slides
Overview Hash Functions On Building Hash Functions From Multivariate Quadratic Equations

Overview Hash Functions On Building Hash Functions From Multivariate Quadratic Equations

Overview Hash Functions On Building Hash Functions From Multivariate Quadratic Equations Multivariate quadratic equations Olivier Billet, Thomas Peyrin, and Matt Robshaw Hash functions and multivariate quadratic equations Orange Labs

299 views • 3 slides
Hash Functions in Action Hash Functions in Action Lecture 12 Hash Functions Hash Functions

Hash Functions in Action Hash Functions in Action Lecture 12 Hash Functions Hash Functions

Hash Functions in Action Hash Functions in Action Lecture 12 Hash Functions Hash Functions Main syntactic feature: Variable input length to fixed length output Hash Functions Main syntactic feature: Variable input length to fixed length

1.85k views • 147 slides
Hash Functions in Action Hash Functions in Action Lecture 11 Hash Functions Hash Functions

Hash Functions in Action Hash Functions in Action Lecture 11 Hash Functions Hash Functions

Hash Functions in Action Hash Functions in Action Lecture 11 Hash Functions Hash Functions Main syntactic feature: Variable input length to fixed length output Hash Functions Main syntactic feature: Variable input length to fixed length

1.76k views • 147 slides
Minimum Number of Multiplications of U Hash Functions Mridul Nandi Indian Statistical

Minimum Number of Multiplications of U Hash Functions Mridul Nandi Indian Statistical

Minimum Number of Multiplications of U Hash Functions Mridul Nandi Indian Statistical Institute, Kolkata mridul@isical.ac.in March 4, FSE-2014, London Mridul Nandi U hash and Multiplication Authentication: The Popular Story 1 Alice and

1.01k views • 53 slides
HASH FUNCTIONS 1 / 62 What is a hash function? By a hash function we usually mean a map h : D

HASH FUNCTIONS 1 / 62 What is a hash function? By a hash function we usually mean a map h : D

HASH FUNCTIONS 1 / 62 What is a hash function? By a hash function we usually mean a map h : D { 0 , 1 } n that is compressing, meaning | D | > 2 n . E.g. D = { 0 , 1 } 2 64 is the set of all strings of length at most 2 64 . h n MD4

1.13k views • 78 slides
1 Simple Hash Functions Requirements for Hash Functions 1. can be applied to any sized message M

1 Simple Hash Functions Requirements for Hash Functions 1. can be applied to any sized message M

CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Using Symmetric Ciphers for MACs can use any block cipher chaining mode and use final block as a MAC Chapter 12 Hash Algorithms Data Authentication Algorithm (DAA) is a widely used MAC

305 views • 5 slides

More recommend