Hash functions and Cayley graphs: The end of the story ? Christophe - PowerPoint PPT Presentation

  1. Hash functions and Cayley graphs: The end of the story? Christophe Petit, UCL Crypto Group, Microelectronics Laboratory (Ch. Petit - Paris VI - Nov 2010)

  2. Hash functions
  $H : \{0,1\}^* \to \{0,1\}^n$

  3. Applications
  ◮ Message authentication codes
  ◮ Key derivation
  ◮ Digital signatures
  ◮ Password storage
  ◮ Entropy extraction techniques
  ◮ Pseudorandom number generation
  ◮ ...

  4. Properties
  ◮ Collision resistance: hard to find $m, m'$ such that $H(m) = H(m')$
  ◮ Preimage resistance: given $h$, hard to find $m$ such that $H(m) = h$
  ◮ Second preimage resistance: given $m$, hard to find $m'$ such that $H(m') = H(m)$

  5. Properties
  ◮ “Pseudo-randomness”
  ◮ ...

  6. Constructions
  (Figure: a “classical” hash function next to a hash function based on a Cayley graph)

  7. Outline
  Introduction
  Cayley hash functions
  Security: state of the art
  The end of the story?
  Conclusion


  9. Hash functions from Cayley graphs
  ◮ Parameters: $G$ a group, and $S = \{s_0, \dots, s_{k-1}\} \subset G$
  ◮ Write $m = m_1 m_2 \dots m_N$ with $m_i \in \{0, \dots, k-1\}$
  ◮ Define $H(m) := s_{m_1} s_{m_2} \dots s_{m_N}$

  10. Hash functions from Cayley graphs
  ◮ Computation ∼ walk in the Cayley graph
  ◮ Example: $G = (\mathbb{Z}/8\mathbb{Z}, +)$, $S = \{1, 2\}$; $m = 101$, $H(m) = 0 + 1 + 2 + 1 = 4$
  (Figure: the Cayley graph on the vertices $0, \dots, 7$ with the walk for $m$)

  11. Example: Tillich-Zémor hash function
  ◮ $p \in \mathbb{F}_2[X]$ irreducible of degree $n$, $K = \mathbb{F}_2[X]/(p(X)) \approx \mathbb{F}_{2^n}$
  ◮ $G = SL(2, K)$, $S = \{A_0 = \begin{pmatrix} X & 1 \\ 1 & 0 \end{pmatrix}, A_1 = \begin{pmatrix} X & X+1 \\ 1 & 1 \end{pmatrix}\}$
  ◮ $H(m_1 m_2 \dots m_N) := A_{m_1} A_{m_2} \dots A_{m_N} \bmod p(X)$

  12. Hard (?) problems
  ◮ Representation problem: given $G$ and $S = \{s_0, \dots, s_{k-1}\} \subset G$, find a short product $\prod s_{m_i} = 1$
  ◮ Balance problem: given $G$ and $S = \{s_0, \dots, s_{k-1}\} \subset G$, find two short products $\prod s_{m_i} = \prod s_{m'_i}$
  ◮ Factorization problem: given $G$, $g \in G$ and $S = \{s_0, \dots, s_{k-1}\} \subset G$, find a short product $\prod s_{m_i} = g$

  13. Babai’s conjecture [BS92]
  For any non-Abelian finite simple group $G$, there is a constant $c$ such that for all generator sets $S$, the diameter of the Cayley graph arising from $G$ and $S$ is smaller than $(\log |G|)^c$.
  ◮ Well-studied conjecture, limited results so far
  ◮ Very few parameters have constructive proofs
  ◮ Solving the factorization problem for $G$ and $S$ ∼ constructive proof of Babai’s conjecture for $G$ and $S$

  14. Cayley hash functions: properties
  ◮ Elegant, simple design
  ◮ Security properties ∼ mathematical problems
    ◮ Collisions ∼ balance problem
    ◮ Preimages ∼ factorization problem ∼ constructive proof of Babai’s conjecture
    ◮ Output distribution ∼ expander properties
  ◮ Parallelism: $H(m \| m') = H(m) H(m')$
  ◮ Good efficiency, at least for matrix groups
  ◮ Not a random oracle! but additional heuristics may help
  ◮ Issue: find good groups $G$ and generator sets $S$
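As an added illustration (not code from the talk): a toy instance of the Tillich-Zémor construction of slides 9-11, used to check the parallelism property $H(m \| m') = H(m) H(m')$ of slide 14. The field size $n = 7$ and the polynomial $p(X) = X^7 + X + 1$ are constructed toy parameters, far too small for any real use.

```python
# Added example (not from the talk): toy Tillich-Zemor hash
# H(m) = A_{m_1} ... A_{m_N} in SL(2, F_2[X]/(p(X))) and a check of H(m||m') = H(m)H(m').
# Constructed parameters: n = 7, p(X) = X^7 + X + 1 (irreducible over F_2).
# A field element is an int whose bit i is the coefficient of X^i.
N = 7
P = (1 << 7) | (1 << 1) | 1              # X^7 + X + 1

def gf_mul(a, b):
    """Multiply in F_2[X]/(p(X)): carry-less multiply, reducing by p(X) as we go."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:                       # degree n reached: subtract p(X) (XOR over F_2)
            a ^= P
    return r

def mat_mul(m1, m2):
    """Product of 2x2 matrices over the field; a matrix is a tuple (a, b, c, d)."""
    a, b, c, d = m1
    e, f, g, h = m2
    return (gf_mul(a, e) ^ gf_mul(b, g), gf_mul(a, f) ^ gf_mul(b, h),
            gf_mul(c, e) ^ gf_mul(d, g), gf_mul(c, f) ^ gf_mul(d, h))

X = 0b10                                 # the field element X
A0 = (X, 1, 1, 0)                        # A_0 = (X 1; 1 0)
A1 = (X, X ^ 1, 1, 1)                    # A_1 = (X X+1; 1 1)
IDENTITY = (1, 0, 0, 1)

def tz_hash(bits):
    """Walk the Cayley graph: start at the identity and right-multiply by A_{m_i} per bit."""
    h = IDENTITY
    for bit in bits:
        h = mat_mul(h, A1 if bit else A0)
    return h

def det(m):
    a, b, c, d = m                       # signs do not matter in characteristic 2
    return gf_mul(a, d) ^ gf_mul(b, c)

def parallel_property_holds(bits1, bits2):
    """H(m || m') == H(m) H(m'): hashing a concatenation multiplies the two hashes."""
    return tz_hash(bits1 + bits2) == mat_mul(tz_hash(bits1), tz_hash(bits2))

if __name__ == "__main__":
    m, m2 = [1, 0, 1, 1, 0, 0, 1], [0, 1, 1]     # constructed sample messages
    print("H(m) =", tz_hash(m), "det =", det(tz_hash(m)))
    print("H(m||m') == H(m)H(m'):", parallel_property_holds(m, m2))
```

The same product structure is what makes $H(m) = 1$ turn into the second preimage $H(m' \| m) = H(m')$ on slide 19, so the property is both the efficiency feature and the malleability the talk warns about.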

  15. A few proposals
  ◮ Zémor [Z91]: $p$ prime, $G = SL(2, \mathbb{F}_p)$, $S = \{\begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}, \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}\}$
  ◮ Tillich-Zémor [TZ94]: $p \in \mathbb{F}_2[X]$ irreducible, $G = SL(2, \mathbb{F}_{2^n})$, $S = \{\begin{pmatrix} X & 1 \\ 1 & 0 \end{pmatrix}, \begin{pmatrix} X & X+1 \\ 1 & 1 \end{pmatrix}\}$
  ◮ LPS [CGL09]: $p$ prime, $G = PSL(2, \mathbb{F}_p)$, $S$ as in Lubotzky-Phillips-Sarnak’s Ramanujan graphs
  ◮ Morgenstern [PLQ07]: $p \in \mathbb{F}_2[X]$ irreducible, $G = PSL(2, \mathbb{F}_{2^n})$, $S$ as in Morgenstern’s Ramanujan graphs


  17. Many angles of attack
  Exhaustive search, birthday attacks, multicollisions, meet-in-the-middle, trapdoor attacks, malleability, subgroup attacks, lifting attacks, Euclidean algorithm, Babai’s conjecture


  19. Subgroup attacks
  ◮ Assume $G = G_0 \supset G_1 \supset G_2 \supset \dots \supset G_N = \{1\}$ and $|G_i| / |G_{i+1}|$ “small”
  ◮ Preimage of 1:
    ◮ Random products of $s_0$ and $s_1$ to get two elements $s'_0$ and $s'_1$ of $G_1$
    ◮ Random products of $s'_0$ and $s'_1$ to get two elements $s''_0$ and $s''_1$ of $G_2$
    ◮ ...
  ◮ ⇒ second preimage attack: $H(m) = 1 \Rightarrow H(m' \| m) = H(m') H(m) = H(m')$

  20. Subgroup attacks
  ◮ Assume $G = G_0 \supset G_1 \supset G_2 \supset \dots \supset G_N = \{1\}$
  ◮ More generally, the attack works if “going from $G_i$ to $G_{i+1}$ is easy”. Ex.: if $G_i / G_{i+1}$ is Abelian and the DLP is easy in it
  ◮ [SGGB00]: subgroup attack on Tillich-Zémor when $n$ is composite
  ◮ [PQTZ09]: generic subgroup attacks on Tillich-Zémor and variants that “remove easy quotients”

  21. Trapdoor attacks
  ◮ Choose the parameters such that you know a collision
  ◮ [SGGB00] against Tillich-Zémor
  ◮ Can be prevented easily
  ◮ Sometimes useful! [CP10]

  22. Lifting attacks
  ◮ Very successful approach!
  ◮ Principle: lift the representation problem to some ring where it is easier to solve
    ◮ Define the lifted set appropriately
    ◮ Find a way to lift elements
    ◮ Solve the problems in the lifted set

  23. Lifting attacks: Zémor [TZ94]
  ◮ Zémor: $G = SL(2, \mathbb{F}_p)$, $S = \{\begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}, \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}\}$
  ◮ Given $\begin{pmatrix} a & b \\ c & d \end{pmatrix} \in SL(2, \mathbb{F}_p)$:
  1. Lifting: find $\begin{pmatrix} A & B \\ C & D \end{pmatrix} \in SL(2, \mathbb{Z}^+)$ such that $\begin{pmatrix} A & B \\ C & D \end{pmatrix} = \begin{pmatrix} a & b \\ c & d \end{pmatrix} \bmod p$
  2. Solving: factor $\begin{pmatrix} A & B \\ C & D \end{pmatrix}$ as a product of $\begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}$ and $\begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}$ with the Euclidean algorithm: if $A \geq B$, apply the Euclidean algorithm to $(A, B)$, else apply it to $(C, D)$. Indeed:
  ◮ $a_{i-1} = q_i a_i + a_{i+1} \Leftrightarrow (a_{i-1}, a_i) = (a_{i+1}, a_i) \begin{pmatrix} 1 & 0 \\ q_i & 1 \end{pmatrix}$
  ◮ $\begin{pmatrix} 1 & q \\ 0 & 1 \end{pmatrix} = \begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}^q$ and $\begin{pmatrix} 1 & 0 \\ q & 1 \end{pmatrix} = \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}^q$
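As an added worked example (not code from the talk) of the "Solving" step on slide 23: once a matrix of $SL(2, \mathbb{Z}^+)$ is in hand, the Euclidean algorithm peels off the generators one at a time. The prime $p = 1009$ and the sample message are constructed; the point shown is that for a message short enough that no reduction modulo $p$ ever happens, the hash output is already its own lift, so the message is read straight off it.

```python
# Added example (not from the talk): the "Solving" step of the lifting attack on
# Zemor's hash (slide 23). The hash multiplies A_0 = (1 1; 0 1) and A_1 = (1 0; 1 1)
# modulo a prime p. If the integer product of a short message stays below p, the
# output is its own lift to SL(2, Z+) and Euclid on it returns the message.
# Constructed toy prime, not a parameter from the talk:
P = 1009
A0 = ((1, 1), (0, 1))
A1 = ((1, 0), (1, 1))
IDENTITY = ((1, 0), (0, 1))

def mat_mul(m1, m2, mod=None):
    """2x2 integer matrix product, reduced modulo mod when one is given."""
    prod = [[sum(m1[i][k] * m2[k][j] for k in range(2)) for j in range(2)]
            for i in range(2)]
    if mod is not None:
        prod = [[x % mod for x in row] for row in prod]
    return tuple(tuple(row) for row in prod)

def zemor_product(bits, mod=None):
    """H(m) = A_{m_1} A_{m_2} ... A_{m_N}, over Z (mod=None) or over F_p."""
    m = IDENTITY
    for bit in bits:
        m = mat_mul(m, A1 if bit else A0, mod)
    return m

def factor_lift(m):
    """Factor a matrix of SL(2, Z+) into A_0/A_1 by peeling the last generator.

    The last factor was A_1 when the left column dominates (a >= b and c >= d),
    A_0 when the right column does; det = 1 guarantees exactly one case applies,
    and each step subtracts one column from the other (the Euclidean algorithm).
    Returns None if m is not a genuine lift (integer determinant != 1).
    """
    (a, b), (c, d) = m
    if a * d - b * c != 1 or min(a, b, c, d) < 0:
        return None
    bits = []
    while (a, b, c, d) != (1, 0, 0, 1):
        if a >= b and c >= d:
            a, c = a - b, c - d          # undo a right multiplication by A_1
            bits.append(1)
        else:
            b, d = b - a, d - c          # undo a right multiplication by A_0
            bits.append(0)
    return bits[::-1]                    # generators were peeled from the right

if __name__ == "__main__":
    msg = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1]            # constructed 10-bit message
    h = zemor_product(msg, P)
    print("H(m) mod p =", h, "recovered message:", factor_lift(h))
```

For longer messages the entries wrap around modulo $p$ and the output is no longer its own lift, which is exactly why the Lifting step 1 is the hard part of the attack.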

  24. Lifting attacks: LPS
  ◮ LPS: $G = PSL(2, \mathbb{F}_p)$ and $S$ as in LPS Ramanujan graphs
  ◮ Lift from $PSL(2, \mathbb{F}_p)$ to $SL(2, \mathbb{Z}[i])$. Here $\langle \text{lifts of generators} \rangle \subsetneq SL(2, \mathbb{Z}[i])$: a very small subset, but well structured [LPS88]
  ◮ 2nd preimages [TZ08] ∼ finding $\lambda, w, x, y, z, e$ such that $(\lambda + wp)^2 + 4(xp)^2 + 4(yp)^2 + 4(zp)^2 = \ell^e$

  25. Lifting and subgroup attacks together
  ◮ Preimages against LPS [PLQ08] ∼ finding $\lambda, w, x, y, z, e$ such that $(A\lambda + wp)^2 + (B\lambda + xp)^2 + (C\lambda + yp)^2 + (D\lambda + zp)^2 = \ell^{2k}$
  ◮ Apparently hard, but instead we can:
    ◮ Lift diagonal matrices: $(A\lambda + wp)^2 + (B\lambda + xp)^2 + (yp)^2 + (zp)^2 = \ell^{2k}$
    ◮ Combine diagonal matrices and generators
  ◮ Similar attacks for Morgenstern [PLQ08]

  26. Lifting attack for Tillich-Zémor [GIMS09]
  ◮ Tillich-Zémor: $G = SL(2, \mathbb{F}_{2^n})$, $S = \{\begin{pmatrix} X & 1 \\ 1 & 0 \end{pmatrix}, \begin{pmatrix} X & X+1 \\ 1 & 1 \end{pmatrix}\}$
  1. Change generators: $S' = \{\begin{pmatrix} X & 1 \\ 1 & 0 \end{pmatrix}, \begin{pmatrix} X+1 & 1 \\ 1 & 0 \end{pmatrix}\}$
  ◮ $\begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \langle S' \rangle \Rightarrow$ when applying the Euclidean algorithm to $(a, b)$, all the quotients are $X$ or $X+1$
  2. Apply [MS87] to $p(X)$ to get $m = m_1 \dots m_n$ such that $H(m) = \begin{pmatrix} p & b \\ c & d \end{pmatrix} = \begin{pmatrix} 0 & b \\ c & d \end{pmatrix} \bmod p(X)$
  3. Build the palindrome $\tilde{m} = m_n \dots m_2 \bar{m}_1 \bar{m}_1 m_2 \dots m_n$, then $A'_0 H(\tilde{m}) A'_0 = A'_1 H(\tilde{m}) A'_1$.
