Hash functions and Cayley graphs: The end of the story?
Christophe Petit, UCL Crypto Group, Microelectronics Laboratory
Ch. Petit - Paris VI - Nov 2010
Hash functions
$H : \{0,1\}^* \to \{0,1\}^n$
Applications
◮ Message authentication codes
◮ Key derivation techniques
◮ Password storage
◮ Pseudorandom number generation
◮ Entropy extraction
◮ Digital signatures
◮ ...
Properties
◮ Collision resistance: hard to find $m, m'$ such that $H(m) = H(m')$
◮ Preimage resistance: given $h$, hard to find $m$ such that $H(m) = h$
◮ Second preimage resistance: given $m$, hard to find $m'$ such that $H(m') = H(m)$
Properties
◮ “Pseudo-randomness”
◮ ...
Constructions
(figure: a “classical” hash function beside a hash function based on a Cayley graph)
Outline
Introduction
Cayley hash functions
Security: state of the art
The end of the story?
Conclusion
Hash functions from Cayley graphs
◮ Parameters: a group $G$ and $S = \{s_0, \dots, s_{k-1}\} \subset G$
◮ Write $m = m_1 m_2 \dots m_N$ with $m_i \in \{0, \dots, k-1\}$
  Define $H(m) := s_{m_1} s_{m_2} \cdots s_{m_N}$
Hash functions from Cayley graphs
◮ Computation ∼ walk in the Cayley graph
◮ Example: $G = (\mathbb{Z}/8\mathbb{Z}, +)$, $S = \{1, 2\}$
  (figure: the Cayley graph on the vertices 0, ..., 7, with the walk for m drawn from 0)
  $m = 101$, $H(m) = 0 + 1 + 2 + 1 = 4$
Example: Tillich-Zémor hash function
◮ $p \in \mathbb{F}_2[X]$ irreducible of degree $n$, $K = \mathbb{F}_2[X]/(p(X)) \cong \mathbb{F}_{2^n}$
◮ $G = SL(2, K)$, $S = \{ A_0 = \begin{pmatrix} X & 1 \\ 1 & 0 \end{pmatrix}, A_1 = \begin{pmatrix} X & X+1 \\ 1 & 1 \end{pmatrix} \}$
◮ $H(m_1 m_2 \dots m_N) := A_{m_1} A_{m_2} \cdots A_{m_N} \bmod p(X)$
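The construction of the last three slides, as an added example that is not from the slides: a generic Cayley-graph walk instantiated with the Tillich-Zémor generators $A_0$, $A_1$ over $\mathbb{F}_2[X]/(p(X))$. The degree-7 polynomial $p(X) = X^7 + X + 1$ is a constructed toy parameter (the real proposal uses a far larger $n$); the helper names `pmul`, `mmul`, `cayley_hash`, `tz_hash` are mine.

```python
# Added example, not from the slides: a toy Tillich-Zemor hash as defined
# above. Elements of F_2[X]/(p(X)) are stored as Python ints (bit i <-> X^i),
# so polynomial addition is xor. p(X) = X^7 + X + 1 is a constructed toy size.

def pmul(a, b, p, n):
    """Multiply two polynomials over F_2, reducing modulo p of degree n."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:      # degree reached n: subtract (= xor) p
            a ^= p
    return r

def mmul(M, N, p, n):
    """Multiply two 2x2 matrices over F_2[X]/(p)."""
    (a, b), (c, d) = M
    (e, f), (g, h) = N
    x = lambda u, v: pmul(u, v, p, n)
    return ((x(a, e) ^ x(b, g), x(a, f) ^ x(b, h)),
            (x(c, e) ^ x(d, g), x(c, f) ^ x(d, h)))

X = 0b10                        # the polynomial X
A0 = ((X, 1), (1, 0))           # A_0 = [[X, 1], [1, 0]]
A1 = ((X, X ^ 1), (1, 1))       # A_1 = [[X, X+1], [1, 1]]
IDENT = ((1, 0), (0, 1))
P, N = 0b10000011, 7            # p(X) = X^7 + X + 1 (irreducible over F_2)

def cayley_hash(digits, gens, op, identity):
    """H(m_1...m_N) = s_{m_1} s_{m_2} ... s_{m_N}: a walk starting at the identity."""
    h = identity
    for d in digits:
        h = op(h, gens[d])
    return h

def tz_hash(bits, p=P, n=N):
    """Tillich-Zemor: H(m) = A_{m_1} ... A_{m_N} mod p(X), left to right."""
    return cayley_hash(bits, (A0, A1), lambda M, M2: mmul(M, M2, p, n), IDENT)

def det(M, p=P, n=N):
    """Determinant over F_2[X]/(p); every hash value lies in SL(2, K)."""
    (a, b), (c, d) = M
    return pmul(a, d, p, n) ^ pmul(b, c, p, n)

def check_parallelism(m, m2):
    """H(m || m') == H(m) H(m'): the homomorphic property of Cayley hashes."""
    return tz_hash(m + m2) == mmul(tz_hash(m), tz_hash(m2), P, N)
```

The homomorphic property checked by `check_parallelism` is what gives these functions their parallelism, and also what the subgroup and lifting attacks discussed later exploit.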
Hard (?) problems
◮ Representation problem: given $G$ and $S = \{s_0, \dots, s_{k-1}\} \subset G$, find a short product $\prod s_{m_i} = 1$
◮ Balance problem: given $G$ and $S = \{s_0, \dots, s_{k-1}\} \subset G$, find two short products $\prod s_{m_i} = \prod s_{m'_i}$
◮ Factorization problem: given $G$, $g \in G$ and $S = \{s_0, \dots, s_{k-1}\} \subset G$, find a short product $\prod s_{m_i} = g$
Babai’s conjecture [BS92]
For any non-Abelian finite simple group $G$, there is a constant $c$ such that for all generator sets $S$, the diameter of the Cayley graph arising from $G$ and $S$ is smaller than $(\log |G|)^c$.
◮ Well-studied conjecture, limited results so far
◮ Very few parameters have constructive proofs
◮ Solving the factorization problem for $G$ and $S$ ∼ constructive proof of Babai’s conjecture for $G$ and $S$
Cayley hash functions: properties
◮ Elegant, simple design
◮ Security properties ∼ mathematical problems
  ◮ Collisions ∼ balance problem
  ◮ Preimages ∼ factorization problem ∼ constructive proof of Babai’s conjecture
  ◮ Output distribution ∼ expander properties
◮ Parallelism: $H(m \| m') = H(m) H(m')$
◮ Good efficiency, at least for matrix groups
◮ Not a random oracle! But additional heuristics may help
◮ Issue: find good groups $G$ and generator sets $S$
A few proposals
◮ Zémor [Z91]: $p$ prime, $G = SL(2, \mathbb{F}_p)$, $S = \{ \begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}, \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix} \}$
◮ Tillich-Zémor [TZ94]: $p \in \mathbb{F}_2[X]$ irreducible, $G = SL(2, \mathbb{F}_{2^n})$, $S = \{ \begin{pmatrix} X & 1 \\ 1 & 0 \end{pmatrix}, \begin{pmatrix} X & X+1 \\ 1 & 1 \end{pmatrix} \}$
◮ LPS [CGL09]: $p$ prime, $G = PSL(2, \mathbb{F}_p)$, $S$ as in Lubotzky-Phillips-Sarnak’s Ramanujan graphs
◮ Morgenstern [PLQ07]: $p \in \mathbb{F}_2[X]$ irreducible, $G = PSL(2, \mathbb{F}_{2^n})$, $S$ as in Morgenstern’s Ramanujan graphs
Many angles of attack
◮ Exhaustive search
◮ Birthday attacks
◮ Multicollisions
◮ Meet-in-the-middle
◮ Trapdoor attacks
◮ Malleability
◮ Subgroup attacks
◮ Lifting attacks
◮ Euclidean algorithm
◮ Babai’s conjecture
Subgroup attacks
◮ Assume $G = G_0 \supset G_1 \supset G_2 \supset \dots \supset G_N = \{1\}$ and $|G_i| / |G_{i+1}|$ “small”
◮ Preimage of 1:
  ◮ Random products of $s_0$ and $s_1$ to get two elements $s'_0$ and $s'_1$ of $G_1$
  ◮ Random products of $s'_0$ and $s'_1$ to get two elements $s''_0$ and $s''_1$ of $G_2$
  ◮ ...
◮ = second preimage attack:
  $H(m) = 1 \Rightarrow H(m' \| m) = H(m') H(m) = H(m')$
Subgroup attacks
◮ Assume $G = G_0 \supset G_1 \supset G_2 \supset \dots \supset G_N = \{1\}$
◮ More generally, the attack works if “going from $G_i$ to $G_{i+1}$ is easy”
  Ex.: if $G_i / G_{i+1}$ is Abelian and the DLP is easy in it
◮ [SGGB00]: subgroup attack on Tillich-Zémor when $n$ is composite
◮ [PQTZ09]: generic subgroup attacks on Tillich-Zémor and variants that “remove easy quotients”
Trapdoor attacks
◮ Choose the parameters such that you know a collision
◮ [SGGB00] against Tillich-Zémor
◮ Can be prevented easily
◮ Sometimes useful! [CP10]
Lifting attacks
◮ Very successful approach!
◮ Principle: lift the representation problem to some ring where it is easier to solve
  ◮ Define the lifted set appropriately
  ◮ Find a way to lift elements
  ◮ Solve the problem in the lifted set
Lifting attacks: Zémor [TZ94]
◮ Zémor: $G = SL(2, \mathbb{F}_p)$, $S = \{ \begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}, \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix} \}$
◮ Given $\begin{pmatrix} a & b \\ c & d \end{pmatrix} \in SL(2, \mathbb{F}_p)$:
  1. Lifting: find $\begin{pmatrix} A & B \\ C & D \end{pmatrix} \in SL(2, \mathbb{Z}^+)$ such that $\begin{pmatrix} A & B \\ C & D \end{pmatrix} = \begin{pmatrix} a & b \\ c & d \end{pmatrix} \bmod p$
  2. Solving: factor $\begin{pmatrix} A & B \\ C & D \end{pmatrix}$ as a product of $\begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}$ and $\begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}$ with the Euclidean algorithm: if $A \ge B$, apply the Euclidean algorithm to $(A, B)$, else apply it to $(C, D)$
  Indeed:
  ◮ Two consecutive steps $a_{i-2} = q_{i-1} a_{i-1} + a_i$, $a_{i-1} = q_i a_i + a_{i+1}$ read
    $\begin{pmatrix} a_{i-2} \\ a_{i-1} \end{pmatrix} = \begin{pmatrix} 1 & q_{i-1} \\ 0 & 1 \end{pmatrix} \begin{pmatrix} 1 & 0 \\ q_i & 1 \end{pmatrix} \begin{pmatrix} a_i \\ a_{i+1} \end{pmatrix}$
  ◮ $\begin{pmatrix} 1 & q \\ 0 & 1 \end{pmatrix} = \begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}^q$ and $\begin{pmatrix} 1 & 0 \\ q & 1 \end{pmatrix} = \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}^q$
Lifting attacks: LPS
◮ LPS: $G = PSL(2, \mathbb{F}_p)$ and $S$ as in LPS Ramanujan graphs
◮ Lift from $PSL(2, \mathbb{F}_p)$ to $SL(2, \mathbb{Z}[i])$
  Here $\langle \text{lifts of generators} \rangle \subset SL(2, \mathbb{Z}[i])$ is a very small subset, but well structured [LPS88]
◮ 2nd preimages [TZ08] ∼ finding $\lambda, w, x, y, z, e$ such that
  $(\lambda + wp)^2 + 4(xp)^2 + 4(yp)^2 + 4(zp)^2 = \ell^e$
Lifting and subgroup attacks together
◮ Preimages against LPS [PLQ08] ∼ finding $\lambda, w, x, y, z, e$ such that
  $(A\lambda + wp)^2 + (B\lambda + xp)^2 + (C\lambda + yp)^2 + (D\lambda + zp)^2 = \ell^{2k}$
  Apparently hard, but instead we can
  ◮ Lift diagonal matrices: $(A\lambda + wp)^2 + (B\lambda + xp)^2 + (yp)^2 + (zp)^2 = \ell^{2k}$
  ◮ Combine diagonal matrices and generators
◮ Similar attacks for Morgenstern [PLQ08]
Lifting attack for Tillich-Zémor [GIMS09]
◮ Tillich-Zémor: $G = SL(2, \mathbb{F}_{2^n})$, $S = \{ \begin{pmatrix} X & 1 \\ 1 & 0 \end{pmatrix}, \begin{pmatrix} X & X+1 \\ 1 & 1 \end{pmatrix} \}$
  1. Change generators: $S' = \{ \begin{pmatrix} X & 1 \\ 1 & 0 \end{pmatrix}, \begin{pmatrix} X+1 & 1 \\ 1 & 0 \end{pmatrix} \}$
     ◮ $\begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \langle S' \rangle$ ⇒ when applying the Euclidean algorithm to $(a, b)$, all the quotients are $X$ or $X + 1$
  2. Apply [MS87] to $p(X)$ to get $m = m_1 \dots m_n$ such that $H(m) = \begin{pmatrix} p & b \\ c & d \end{pmatrix} = \begin{pmatrix} 0 & b \\ c & d \end{pmatrix} \bmod p(X)$
  3. Build the palindrome $\tilde{m} = m_n \dots m_2 \bar{m}_1 \bar{m}_1 m_2 \dots m_n$; then $A'_0 H(\tilde{m}) A'_0 = A'_1 H(\tilde{m}) A'_1$.