UCL Crypto Group
Microelectronics Laboratory
- Ch. Petit - Paris VI - Nov 2010
1
Hash functions and Cayley graphs: The end of the story ?
Christophe Petit
◮ Message authentication codes
◮ Digital signatures
◮ Password storage
◮ Pseudorandom number generation
◮ Entropy extraction
◮ Key derivation techniques
◮ ...
◮ Collision resistance: hard to find m ≠ m′ such that H(m) = H(m′)
◮ Preimage resistance: given h, hard to find m such that H(m) = h
◮ Second preimage resistance: given m, hard to find m′ ≠ m such that H(m′) = H(m)
◮ “Pseudo-randomness”
◮ ...
[Figure: a “classical” hash function compared with a hash function based on a Cayley graph]
◮ Introduction
◮ Cayley hash functions
◮ Security : state of the art
◮ The end of the story ?
◮ Conclusion
Cayley hash functions
◮ Parameters: G a group, and S = {s0, ..., sk−1} ⊂ G
◮ Write m = m1m2...mN with mi ∈ {0, ..., k − 1}
◮ Define $H(m) := s_{m_1} s_{m_2} \cdots s_{m_N}$
◮ Computation ∼ walk in the Cayley graph
◮ Example: G = (Z/8Z, +), S = {1, 2}
[Figure: Cayley graph of Z/8Z with vertices 0, 1, ..., 7 and generators 1, 2]
m = 101, H(m) = 0 + 1 + 2 + 1 = 4
◮ p ∈ F2[X] irreducible of degree n, K = F2[X]/(p(X)) ≈ F_{2^n}
◮ G = SL(2, K), $S = \{A_0 = \begin{pmatrix} X & 1 \\ 1 & 0 \end{pmatrix}, A_1 = \begin{pmatrix} X & X+1 \\ 1 & 1 \end{pmatrix}\}$
◮ $H(m_1 m_2 \ldots m_N) := A_{m_1} A_{m_2} \cdots A_{m_N} \bmod p(X)$
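The Tillich-Zémor construction above as an added Python example (not the author's code): a toy instance with n = 8 and the AES polynomial X^8 + X^4 + X^3 + X + 1 as p(X), far too small for security but enough to show the walk in SL(2, K) and the parallelism property H(m||m′) = H(m)H(m′). The modulus, the bit ordering of `bits_of` and the sample messages are the example's own choices.

```python
# Toy Tillich-Zemor hash over F_{2^8} (added example; n = 8 is NOT secure).
# Field elements are ints whose bits are polynomial coefficients, reduced
# modulo P = X^8 + X^4 + X^3 + X + 1 (irreducible over F_2; the AES polynomial).
N = 8
P = 0x11B

def gf_mul(a, b):
    """Carry-less multiply in F_2[X], reducing modulo P whenever bit N appears."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> N) & 1:
            a ^= P
    return r

def mat_mul(m1, m2):
    """Product of two 2x2 matrices over F_{2^n}; addition in characteristic 2 is XOR."""
    (a, b), (c, d) = m1
    (e, f), (g, h) = m2
    return ((gf_mul(a, e) ^ gf_mul(b, g), gf_mul(a, f) ^ gf_mul(b, h)),
            (gf_mul(c, e) ^ gf_mul(d, g), gf_mul(c, f) ^ gf_mul(d, h)))

def det(m):
    (a, b), (c, d) = m
    return gf_mul(a, d) ^ gf_mul(b, c)      # ad - bc == ad + bc in char 2

X = 0b10                        # the field element X
A0 = ((X, 1), (1, 0))           # A0 = [[X, 1], [1, 0]]
A1 = ((X, X ^ 1), (1, 1))       # A1 = [[X, X+1], [1, 1]]
IDENTITY = ((1, 0), (0, 1))

def tz_hash(bits):
    """H(m1 m2 ... mN) = A_{m1} A_{m2} ... A_{mN}: one step per bit in the Cayley graph."""
    h = IDENTITY
    for bit in bits:
        h = mat_mul(h, A1 if bit else A0)
    return h

def bits_of(data):
    """Bytes -> bit list m1 m2 ..., most significant bit of each byte first (our convention)."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]

if __name__ == "__main__":
    m1, m2 = bits_of(b"Cayley"), bits_of(b" hash")
    assert det(tz_hash(m1)) == 1                                   # digest lies in SL(2, K)
    assert tz_hash(m1 + m2) == mat_mul(tz_hash(m1), tz_hash(m2))   # H(m||m') = H(m)H(m')
    print(tz_hash(m1 + m2))
```

Because A0 and A1 do not commute, tz_hash([0, 1]) and tz_hash([1, 0]) differ, which is what makes the digest depend on the order of the bits and not just on their counts.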
◮ Representation problem: given G and S = {s0, ..., sk−1} ⊂ G, find a short product $\prod s_{m_i} = 1$
◮ Balance problem: given G and S = {s0, ..., sk−1} ⊂ G, find two short products $\prod s_{m_i} = \prod s_{m'_i}$
◮ Factorization problem: given G, g ∈ G and S = {s0, ..., sk−1} ⊂ G, find a short product $\prod s_{m_i} = g$
For any non-Abelian finite simple group G, there is a constant c such that for all generator sets S, the diameter of the Cayley graph arising from G and S is smaller than (log |G|)^c.
◮ Well-studied conjecture, limited results so far
◮ Very few parameters have constructive proofs
◮ Solving the factorization problem for G and S ∼ constructive proof of Babai’s conjecture for G and S
◮ Elegant, simple design
◮ Security properties ∼ mathematical problems
◮ Collisions ∼ balance problem
◮ Preimages ∼ factorization problem ∼ constructive proof of Babai’s conjecture
◮ Output distribution ∼ expander properties
◮ Parallelism: H(m||m′) = H(m)H(m′)
◮ Good efficiency, at least for matrix groups
◮ Not a random oracle! but additional heuristics may help
◮ Issue: find good groups G and generator sets S
Zémor [Z91]: p prime, G = SL(2, Fp), $S = \{\begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}, \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}\}$
Tillich-Zémor [TZ94]: p ∈ F2[X] irreducible, G = SL(2, F_{2^n}), $S = \{\begin{pmatrix} X & 1 \\ 1 & 0 \end{pmatrix}, \begin{pmatrix} X & X+1 \\ 1 & 1 \end{pmatrix}\}$
LPS [CGL09]: p prime, G = PSL(2, Fp), S as in Lubotzky-Phillips-Sarnak’s Ramanujan graphs
Morgenstern [PLQ07]: p ∈ F2[X] irreducible, G = PSL(2, F_{2^n}), S as in Morgenstern’s Ramanujan graphs
Security : state of the art
◮ Exhaustive search
◮ Birthday attacks
◮ Multicollisions
◮ Meet-in-the-middle
◮ Trapdoor attacks
◮ Malleability
◮ Subgroup attacks
◮ Lifting attacks
◮ Euclidean algorithm
◮ Babai’s conjecture
◮ Assume G = G0 ⊃ G1 ⊃ G2 ... ⊃ GN = {1} and |Gi|/|Gi+1| “small”
◮ Preimage of 1
◮ Random products of s0 and s1 to get two elements s′0 and s′1 of G1
◮ Random products of s′0 and s′1 to get two elements s′′0 and s′′1 of G2
◮ ...
◮ = second preimage attack
◮ H(m) = 1 ⇒ H(m′||m) = H(m′)H(m) = H(m′)
◮ Assume G = G0 ⊃ G1 ⊃ G2 ... ⊃ GN = {1}
◮ More generally, the attack works if “going from Gi to Gi+1 is easy”
◮ [SGGB00]: subgroup attack on Tillich-Zémor when n is composite
◮ [PQTZ09]: generic subgroup attacks on Tillich-Zémor and variants that “remove easy quotients”
◮ Choose the parameters such that you know a collision
◮ [SGGB00] against Tillich-Zémor
◮ Can be prevented easily
◮ Sometimes useful! [CP10]
◮ Very successful approach!
◮ Principle: lift the representation problem to some ring where it is easier to solve
◮ Define the lifted set appropriately
◮ Find a way to lift elements
◮ Solve the problems in the lifted set
◮ Zémor: G = SL(2, Fp), $S = \{\begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}, \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}\}$
◮ Given $\begin{pmatrix} a & b \\ c & d \end{pmatrix} \in SL(2, \mathbb{F}_p)$, lift it to an integer matrix $\begin{pmatrix} A & B \\ C & D \end{pmatrix} \equiv \begin{pmatrix} a & b \\ c & d \end{pmatrix} \pmod p$
◮ Write $\begin{pmatrix} A & B \\ C & D \end{pmatrix}$ as a product of $\begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}$ and $\begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}$ with the Euclidean algorithm:
If A ≥ B, apply the Euclidean algorithm to (A, B), else apply the Euclidean algorithm to (C, D)
Indeed:
◮ $a_{i-1} = q_i a_i + a_{i+1} \Leftrightarrow \begin{pmatrix} a_{i-2} \\ a_{i-1} \end{pmatrix} = \begin{pmatrix} 1 & q_{i-1} \\ 0 & 1 \end{pmatrix} \begin{pmatrix} 1 & 0 \\ q_i & 1 \end{pmatrix} \begin{pmatrix} a_i \\ a_{i+1} \end{pmatrix}$
◮ $\begin{pmatrix} 1 & q \\ 0 & 1 \end{pmatrix} = \begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}^q$ and $\begin{pmatrix} 1 & 0 \\ q & 1 \end{pmatrix} = \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}^q$
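The Euclidean-algorithm step of this slide as an added Python example (not the author's code): given a matrix of SL(2, Z) with non-negative entries, `euclid_factor` peels off powers of the two Zémor generators U = (1 1; 0 1) and L = (1 0; 1 1), using the quotients as exponents exactly as the two identities above state; the preceding lift from SL(2, Fp) to such a matrix is assumed already done and is not shown. The function names, the digit convention s0 = U, s1 = L and the sample matrix are the example's own.

```python
# Added example: factor a non-negative matrix of SL(2, Z) into a word in the
# Zemor generators U = [[1,1],[0,1]] and L = [[1,0],[1,1]].  Left-multiplying by
# U^-1 subtracts row 2 from row 1, by L^-1 subtracts row 1 from row 2, so the
# Euclidean quotients of one row by the other are the exponents of U and L.
# The lift from SL(2, F_p) to such a matrix is assumed already done (not shown).
U = ((1, 1), (0, 1))
L = ((1, 0), (1, 1))
I2 = ((1, 0), (0, 1))

def mat_mul(m1, m2):
    (a, b), (c, d) = m1
    (e, f), (g, h) = m2
    return ((a * e + b * g, a * f + b * h), (c * e + d * g, c * f + d * h))

def mat_pow(m, e):
    r = I2
    for _ in range(e):
        r = mat_mul(r, m)
    return r

def euclid_factor(m):
    """Return [(name, exponent), ...] such that U^q1 L^q2 U^q3 ... == m."""
    (a, b), (c, d) = m
    if a * d - b * c != 1 or min(a, b, c, d) < 0:
        raise ValueError("need a matrix of SL(2, Z) with non-negative entries")
    word = []
    while (a, b, c, d) != (1, 0, 0, 1):
        if a >= c and b >= d:                  # row 1 dominates: peel off U^q on the left
            q = min(a // c, b // d) if c else b // d
            a, b = a - q * c, b - q * d
            word.append(("U", q))
        else:                                  # det = 1 forces row 2 to dominate: peel off L^q
            q = min(c // a, d // b) if b else c // a
            c, d = c - q * a, d - q * b
            word.append(("L", q))
    return word

def evaluate(word):
    """Multiply the word back out, to check the factorization."""
    r = I2
    for name, q in word:
        r = mat_mul(r, mat_pow(U if name == "U" else L, q))
    return r

def to_message(word):
    """Zemor digits: s0 = U -> 0, s1 = L -> 1, i.e. a preimage in the lifted ring."""
    return [0 if name == "U" else 1 for name, q in word for _ in range(q)]

if __name__ == "__main__":
    M = ((21, 13), (8, 5))                     # constructed sample, determinant 1
    w = euclid_factor(M)
    assert evaluate(w) == M
    print(w, to_message(w))
```

The length of the message returned equals the sum of the Euclidean quotients, which is why small lifts give short products.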
◮ LPS: G = PSL(2, Fp) and S as in LPS Ramanujan graphs
◮ Lift from PSL(2, Fp) to SL(2, Z[i]); here the lifts of the generators to SL(2, Z[i]) form a very small, but well structured, subset [LPS88]
◮ 2nd preimages [TZ08] ∼ finding λ, w, x, y, z, e such that $(\lambda + wp)^2 + 4(xp)^2 + 4(yp)^2 + 4(zp)^2 = \ell^e$
◮ Preimages against LPS [PLQ08] ∼ finding λ, w, x, y, z, e such that $(A\lambda + wp)^2 + (B\lambda + xp)^2 + (C\lambda + yp)^2 + (D\lambda + zp)^2 = \ell^{2k}$
Apparently hard, but instead we can
◮ Lift diagonal matrices: $(A\lambda + wp)^2 + (B\lambda + xp)^2 + (yp)^2 + (zp)^2 = \ell^{2k}$
◮ Combine diagonal matrices and generators
◮ Similar attacks for Morgenstern [PLQ08]
◮ Tillich-Zémor: G = SL(2, F_{2^n}), $S = \{\begin{pmatrix} X & 1 \\ 1 & 0 \end{pmatrix}, \begin{pmatrix} X & X+1 \\ 1 & 1 \end{pmatrix}\}$
◮ $S' = \{A'_0 = \begin{pmatrix} X & 1 \\ 1 & 0 \end{pmatrix}, A'_1 = \begin{pmatrix} X+1 & 1 \\ 1 & 0 \end{pmatrix}\}$
◮ For $\begin{pmatrix} a & b \\ c & d \end{pmatrix}$, in the Euclidean algorithm on (a, b) all the quotients are X or X + 1
◮ $H(m) = \begin{pmatrix} p & b \\ c & d \end{pmatrix} \bmod p(X)$
◮ If $\tilde m = m_n \ldots m_2 \bar m_1 \bar m_1 m_2 \ldots m_n$, then $A'_0 H(\tilde m) A'_0 = A'_1 H(\tilde m) A'_1$.
◮ Preimage algorithm for TZ given some precomputation
◮ [Slide equations: a decomposition of $\begin{pmatrix} A & B \\ C & D \end{pmatrix}$ in terms of matrices of the form $\begin{pmatrix} X & 1 \\ 1 & 0 \end{pmatrix}$, $\begin{pmatrix} 1 & \beta \\ 0 & 1 \end{pmatrix}$ and $\begin{pmatrix} 1 & 0 \\ \gamma & 1 \end{pmatrix}$; the remaining terms did not survive extraction]
◮ ⇒ deterministic algorithm; full proof when n is prime
For any non-Abelian finite simple group G, there is a constant c such that for all generator sets S, the diameter of the Cayley graph arising from G and S is smaller than (log |G|)^c.
◮ Non constructive results
◮ Conjecture true for SL(2, Fp) and SL(3, Fp) [H05, H10]
◮ True for almost any pair of generators in the symmetric group [BH05]
◮ Constructive results
◮ Symmetric group: ∃ 2 generators such that the diameter is O(n log n) [BHKLS90]
◮ SL(2, K): ∃ 2 or 3 generators such that the diameter is O(log |K|) [BHKLS90]
◮ SL(m, Fp) with m > 2: ∃ 2 generators such that the diameter is O(m² log p) [KR05]
◮ All these results (and others) are optimal, but they use particular generators
The end of the story ?
◮ Representation problem (second preimages): given G and S = {s0, ..., sk−1} ⊂ G, find a short product $\prod s_{m_i} = 1$
◮ Balance problem (collisions): given G and S = {s0, ..., sk−1} ⊂ G, find two short products $\prod s_{m_i} = \prod s_{m'_i}$
◮ Factorization problem (preimages): given G, g ∈ G and S = {s0, ..., sk−1} ⊂ G, find a short product $\prod s_{m_i} = g$
◮ Collisions & preimages for Zémor, Tillich-Zémor, LPS, Morgenstern
◮ Other insecure instances from research on Babai’s conjecture
◮ The end of the story?
◮ No! (not yet?)
◮ For most groups/generators, we do not know if the problems can be solved
◮ Choose G to prevent subgroup attacks
◮ Choose S to prevent lifting attacks?
◮ Avoid “small” parameters and symmetry
◮ Next challenge: SL(2, F_{2^n})
Let A, B generate SL(2, F_{2^n}). Let M ∈ SL(2, F_{2^n}). How to write I or M as a short product of A and B?
solution for A′, B′ ⇒ solution for A′, B′
◮ A, B symmetric
◮ A diagonal and B symmetric
◮ A = $\begin{pmatrix} t_1 & 1 \\ 1 & \end{pmatrix}$, $\begin{pmatrix} t_2 & 1 \\ 1 & \end{pmatrix}$ matrices (last entry lost in extraction)
◮ More than two generators: $S = \{\begin{pmatrix} t & 1 \\ 1 & \end{pmatrix} \mid t \in F\}$ where F is a vector subspace of F_{2^n}/F2
◮ Tillich-Zémor generators
◮ ...
◮ Depends on Step 1 and Step 3
◮ Birthday searches: 2^{n/2} cost
◮ Extension of [MS87] to other partial quotients?
◮ Can also be the following: solve f(w1, ..., wN) = 0 for wi ∈ F, where f is affine in each variable and F is a vector subspace of F_{2^n}/F2
◮ Algebraic cryptanalysis? Generalized birthday attacks?
◮ Same problem in different groups ?
◮ Graph theory
◮ Expander graphs
◮ Diameter of Cayley graphs, Babai’s conjecture
◮ Euclidean algorithm
◮ Clear for Zémor and Tillich-Zémor
◮ Implicit in LPS, Morgenstern (Diophantine equations solved via Lagrange)
◮ Cryptography
◮ Alternative to DL, ECDL and factoring?
◮ Stream cipher theory
Conclusion
◮ Elegant design, nice properties
◮ Zémor, LPS, Morgenstern, Tillich-Zémor broken
◮ Security of other / generic instances?
◮ [B92] L Babai, A Seress, On the diameter of permutation groups
◮ [Z91] G Zémor, Hash functions and graphs with large girths
◮ [TZ94] JP Tillich, G Zémor, Group-theoretic hash functions
◮ [CGL09] D Charles, E Goren, K Lauter, Cryptographic hash functions from expander graphs
◮ [PLQ07] C Petit, K Lauter, JJ Quisquater, Cayley Hashes: A Class of Efficient Graph-based Hash Functions
◮ [SGGB00] R Steinwandt, M Grassl, W Geiselmann, T Beth, Weaknesses in the SL2(F_{2^n}) Hashing Scheme
◮ [PQTZ09] C Petit, JJ Quisquater, JP Tillich, G Zémor, Hard and Easy Components of Collision Search in the Zémor-Tillich Hash Function: New Instances and Reduced Variants with Equivalent Security
◮ [CP10] J Cathalo, C Petit, One-time trapdoor one-way functions
◮ [LPS88] A Lubotzky, R Phillips, P Sarnak, Ramanujan Graphs
◮ [TZ08] JP Tillich, G Zémor, Collisions for the LPS Expander Graph Hash Function
◮ [PLQ08] C Petit, K Lauter, JJ Quisquater, Full Cryptanalysis of LPS and Morgenstern Hash Functions
◮ [GIMS09] M Grassl, I Ilic, S Magliveras, R Steinwandt, Cryptanalysis of the Tillich-Zémor hash function
◮ [MS87] JP Mesirov, MM Sweet, Continued fraction expansions of rational expressions with irreducible denominators in characteristic 2
◮ [PQ10] C Petit, JJ Quisquater, Preimage algorithms for the Tillich-Zémor hash function
◮ [BHKLS90] L Babai, G Hetyei, W Kantor, A Lubotzky, A Seress, On the diameter of finite groups
◮ [KR05] M Kassabov, T Riley, Diameters of Cayley graphs
◮ [H05] H Helfgott, Growth and generation in SL2(Z/pZ)
◮ [H10] H Helfgott, Growth and generation in SL3(Z/pZ)
◮ [BH05] L Babai, T Hayes, Near-independence of permutations and an almost sure polynomial bound on the diameter of the symmetric group