SLIDE 1
Hash functions based on products in non-Abelian groups
Jean-Pierre Tillich and Gilles Zémor
INRIA, Équipe SECRET / Bordeaux Mathematics Institute
ENSTA, April the 3rd
SLIDE 2
Hash functions from graphs
Take a large graph G (e.g. $2^{1000}$ vertices), regular of small degree $\Delta$.
- Input text $\in \{0, 1, \ldots, \Delta - 2\}^*$ → non-backtracking walk from a fixed vertex → endpoint.
1/28
SLIDE 3
(figure: the walk through the degree-$\Delta$ graph; its endpoint is labelled "hashed value")
SLIDE 4
Collisions = cycles
(figure: two walks ending at the same hashed value close a cycle in the degree-$\Delta$ graph)
SLIDE 5
Hash functions from expander graphs
◮ Graph should be easy to describe.
◮ No short cycles.
◮ Suggestion (Charles, Goren, Lauter 06): use known expander graphs. Advantage: rapidly-mixing property. Distribution of hashed values is almost uniform for short, $O(\log \#\{\text{vertices}\})$, uniform inputs.
SLIDE 6
A particular choice
In particular: use the Lubotzky, Phillips, Sarnak (LPS) Ramanujan graphs.
- Strength of the function rests on the supposed difficulty of finding explicit short cycles.
- History of the large-graph hashing strategy: later on.
SLIDE 7
Cayley graphs
The graph is a Cayley graph: vertices are the elements of a group G, and x ↔ y is an edge iff y = xs for some s in a fixed set S (of generators). Note: since edges are undirected, this definition implies that $S^{-1} = S$.
SLIDE 8
LPS graphs
Specifically: p a large prime, ℓ a small prime with $\ell \equiv 1 \pmod 4$,
◮ G = a group of 2 × 2 matrices with entries in $\mathbb{F}_p$,
◮ generator set S made up of the matrices
$$S = \begin{pmatrix} a + \iota b & c + \iota d \\ -c + \iota d & a - \iota b \end{pmatrix}$$
where $\iota^2 = -1$ in $\mathbb{F}_p$ and a, b, c, d are integers such that
$$\det S = a^2 + b^2 + c^2 + d^2 = \ell, \qquad a > 0,\quad a \equiv 1 \pmod 2,\quad b \equiv c \equiv d \equiv 0 \pmod 2.$$
SLIDE 9
The LPS Ramanujan graphs (2)
Identify matrices obtained from each other through multiplication by $\lambda \in \mathbb{F}_p^*$. S generates a subgroup G of $PGL_2(\mathbb{F}_p)$ (isomorphic to $PSL_2(\mathbb{F}_p)$), and $S = S^{-1}$, $|S| = \ell + 1$. This is the graph $X_{\ell,p}$.
- #Vertices = $p(p^2 - 1)/2$,
- degree $\Delta = \ell + 1$.
SLIDE 10
Facts
- no small cycles: the smallest has length $\frac{2}{3} \log_{\Delta - 1} |G|$,
- good expansion properties.
SLIDE 11
The LPS Ramanujan graphs (3)
Example, ℓ = 5:
$$S_1 = \begin{pmatrix} 1 & 2 \\ -2 & 1 \end{pmatrix},\quad S_2 = \begin{pmatrix} 1 + 2\iota & 0 \\ 0 & 1 - 2\iota \end{pmatrix},\quad S_3 = \begin{pmatrix} 1 & 2\iota \\ 2\iota & 1 \end{pmatrix},$$
$$S_4 = \begin{pmatrix} 1 & -2\iota \\ -2\iota & 1 \end{pmatrix},\quad S_5 = \begin{pmatrix} 1 - 2\iota & 0 \\ 0 & 1 + 2\iota \end{pmatrix},\quad S_6 = \begin{pmatrix} 1 & -2 \\ 2 & 1 \end{pmatrix}.$$
$$S_1 S_6 = \begin{pmatrix} 1 & 2 \\ -2 & 1 \end{pmatrix} \begin{pmatrix} 1 & -2 \\ 2 & 1 \end{pmatrix} = 5 \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix},$$
i.e. the identity in $PGL_2(\mathbb{F}_p)$.
SLIDE 12
Computing the hashed value
An input text of length t is put into 1-1 correspondence with a product $G_1 G_2 \ldots G_t$ such that $G_i \in S$ and $G_i G_{i+1} \neq 1$ (no backtracking).
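The hash of slides 8 to 12 in Python for the toy parameters ℓ = 5, p = 13 (so ι = 5), as an added example that is not the authors' code: the six generators, the non-backtracking walk driven by the input symbols, and the identification of matrices up to a scalar. The convention that symbol j picks the j-th generator that is not the inverse of the previous step is an assumption of this example; the slides fix no ordering.

```python
# Added example (not from the slides): a toy instance of the LPS hash with l = 5 and
# p = 13 (p ≡ 1 mod 4; ι = 5 is a square root of -1 since 25 ≡ -1 mod 13).
P, IOTA, ELL = 13, 5, 5

def lps_matrix(a, b, c, d, p=P, iota=IOTA):
    """M(a,b,c,d) = [[a+ιb, c+ιd], [-c+ιd, a-ιb]] mod p, stored row-major as a 4-tuple."""
    return ((a + iota*b) % p, (c + iota*d) % p, (-c + iota*d) % p, (a - iota*b) % p)

# The l+1 = 6 solutions of a²+b²+c²+d² = 5 with a > 0 odd and b, c, d even (slide 11).
# GENS[2i] and GENS[2i+1] are inverses of each other in PGL2(F_p) (e.g. S1 and S6).
SOLS = [(1, 2, 0, 0), (1, -2, 0, 0), (1, 0, 2, 0),
        (1, 0, -2, 0), (1, 0, 0, 2), (1, 0, 0, -2)]
GENS = [lps_matrix(*s) for s in SOLS]

def matmul(A, B, p=P):
    a, b, c, d = A
    e, f, g, h = B
    return ((a*e + b*g) % p, (a*f + b*h) % p, (c*e + d*g) % p, (c*f + d*h) % p)

def normalize(M, p=P):
    """Canonical representative of the PGL2(F_p) class: scale so that the first
    nonzero entry is 1 (matrices differing by λ ∈ F_p* are the same vertex)."""
    inv = pow(next(x for x in M if x), -1, p)
    return tuple((x * inv) % p for x in M)

def lps_hash(text):
    """Slide 12: a text over {0, ..., l-1} drives a non-backtracking walk from the
    identity. Each symbol selects one of the l generators that is not the inverse
    of the previous step (at the first step: the first l generators)."""
    M, prev = (1, 0, 0, 1), None
    for symbol in text:
        if not 0 <= symbol < ELL:
            raise ValueError("symbols must lie in 0..%d" % (ELL - 1))
        allowed = [i for i in range(ELL + 1) if prev is None or i != prev ^ 1]
        prev = allowed[symbol]
        M = matmul(M, GENS[prev])
    return normalize(M)        # the endpoint vertex is the hashed value
```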
SLIDE 13
Looking for collisions
A collision is equivalent to a short cycle in the graph $X_{\ell,p}$, i.e. a string $G_1 G_2 \ldots G_t$ of elements of S such that $G_i G_{i+1} \neq 1$ and
$$\prod_{i=1}^{t} G_i = 1 \text{ in } G.$$
SLIDE 14
The idea of the attack
Lift the graph $X_{\ell,p}$ to the Cayley graph generated by the matrices
$$M(a, b, c, d) = \begin{pmatrix} a + ib & c + id \\ -c + id & a - ib \end{pmatrix}$$
where $i \in \mathbb{C}$ and (as before)
$$\det M(a, b, c, d) = a^2 + b^2 + c^2 + d^2 = \ell, \qquad a > 0,\quad a \equiv 1 \pmod 2,\quad b \equiv c \equiv d \equiv 0 \pmod 2.$$
SLIDE 15
The universal cover of $X_{\ell,p}$
The set of products of the $M(a, b, c, d)$'s (lifted generators of S) is
$$\Omega = \left\{ \begin{pmatrix} a + ib & c + id \\ -c + id & a - ib \end{pmatrix} : (a, b, c, d) \in E_w \text{ for some } w > 0 \right\},$$
where $E_w$ is the set of 4-tuples $(a, b, c, d) \in \mathbb{Z}^4$ such that
$$a^2 + b^2 + c^2 + d^2 = \ell^w, \qquad a > 0,\quad a \equiv 1 \pmod 2,\quad b \equiv c \equiv d \equiv 0 \pmod 2.$$
SLIDE 16
Factoring in Ω
Factoring in Ω is easy. If $M = G_1 G_2 \ldots G_t$, find $G_t$ by finding the unique (lifted) generator $S \in S$ such that $MS$ has all its entries in $\mathbb{Z}[i]$ divisible by ℓ. Then $G_t = S^{-1}$ (up to the scalar ℓ: $\ell S^{-1}$ is again a lifted generator), and one continues with $MS/\ell = G_1 \ldots G_{t-1}$.
SLIDE 17
Lifting the identity
Finding a collision is now reduced to lifting the identity element in G to a matrix of Ω with reasonable length w. This means: find
$$\begin{pmatrix} a + ib & c + id \\ -c + id & a - ib \end{pmatrix}$$
such that the integers a, b, c, d satisfy
$$a^2 + b^2 + c^2 + d^2 = \ell^w, \qquad a > 0,\quad a \equiv 1 \pmod 2,\quad b \equiv c \equiv d \equiv 0 \pmod 2,$$
and b, c, d are multiples of p.
SLIDE 18
Lifting the identity (2)
Set $b = 2px$, $c = 2py$, $d = 2pz$. The search for solutions of $a^2 + b^2 + c^2 + d^2 = \ell^w$ becomes (with $w = 2k$)
$$a^2 + 4p^2(x^2 + y^2 + z^2) = \ell^{2k} \quad\text{and}\quad (\ell^k - a)(\ell^k + a) = 4p^2(x^2 + y^2 + z^2).$$
Set $a = \ell^k - 2mp^2$ for an arbitrary m (in practice m = 1, 2). We get
$$x^2 + y^2 + z^2 = m(\ell^k - mp^2).$$
Solve by taking a random z and checking whether the right-hand side minus $z^2$ is a sum of two squares.
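The procedure of slides 16 to 18 carried out in Python for the toy parameters ℓ = 5, p = 13, as an added example that is not the authors' code: lift the identity to an element of Ω with the system above, then factor it by ℓ-divisibility to read off the word of generators whose product is the identity mod p. Two choices are this example's own: quaternion 4-tuples stand in for the matrices M(a, b, c, d), and the two-squares step scans z upwards and brute-forces $x^2 + y^2$ (adequate only at toy size; the slides draw z at random and use Propositions 1 and 2).

```python
# Added example (not from the slides): lift the identity and factor in Ω for l = 5, p = 13.
# A 4-tuple (a,b,c,d) stands for M(a,b,c,d) = [[a+ib, c+id], [-c+id, a-ib]], a faithful
# representation of the quaternions: matrix products are Hamilton products, and "entries
# of MS divisible by l in Z[i]" means all four coordinates of M*S are divisible by l.
from functools import reduce
from math import isqrt, log

ELL = 5
GENS = [(1, 2, 0, 0), (1, -2, 0, 0), (1, 0, 2, 0),     # the l+1 lifted generators:
        (1, 0, -2, 0), (1, 0, 0, 2), (1, 0, 0, -2)]    # a²+b²+c²+d² = 5, a odd, b,c,d even

def qmul(x, y):
    a1, b1, c1, d1 = x
    a2, b2, c2, d2 = y
    return (a1*a2 - b1*b2 - c1*c2 - d1*d2, a1*b2 + b1*a2 + c1*d2 - d1*c2,
            a1*c2 - b1*d2 + c1*a2 + d1*b2, a1*d2 + b1*c2 - c1*b2 + d1*a2)

def conj(x):                  # conj(S) = l * S^-1 for a generator S, and is again in GENS
    return (x[0], -x[1], -x[2], -x[3])

def two_squares(n):           # brute force; toy size only (the slides use Propositions 1-2)
    for x in range(isqrt(n) + 1):
        y = isqrt(n - x*x)
        if y*y == n - x*x:
            return x, y

def lift_identity(p, m=1):
    """Slide 18: a = l^k - 2mp², (b,c,d) = 2p(x,y,z) with x²+y²+z² = m(l^k - mp²)."""
    k = int(log(2 * p * p, ELL)) + 1           # first k with l^k > 2p² (as on slide 24)
    N = m * (ELL**k - m * p * p)
    for z in range(isqrt(N) + 1):              # the slides draw z at random; a scan does here
        xy = two_squares(N - z*z)
        if xy:                                 # N - z² is a sum of two squares
            return (ELL**k - 2*m*p*p, 2*p*xy[0], 2*p*xy[1], 2*p*z)
    return None

def factor_in_omega(M):
    """Slide 16: the unique S with M*S ≡ 0 (mod l) gives G_t = conj(S); go on with M*S/l."""
    word = []
    while sum(v*v for v in M) > 1:             # norm l^w > 1: more letters to peel off
        S = next(g for g in GENS if all(v % ELL == 0 for v in qmul(M, g)))
        word.append(GENS.index(conj(S)))
        M = tuple(v // ELL for v in qmul(M, S))
    return word[::-1]                          # indices into GENS of G_1, ..., G_t

def qprod(word):                               # G_1 G_2 ... G_t as a quaternion
    return reduce(qmul, (GENS[i] for i in word), (1, 0, 0, 0))

def is_identity_in_pgl(M, p):                  # scalar mod p <=> b, c, d ≡ 0 and a ≢ 0 (mod p)
    return M[0] % p != 0 and all(v % p == 0 for v in M[1:])
```

For the slides' own parameters (p = 10^100 + 949, k = 287) the brute-force search is out of reach and the two-squares step has to be done as in Propositions 1 and 2; the factoring step is unchanged and returns a word of 2k = 574 generators.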
SLIDE 19
When is a number a sum of two squares?
Proposition 1. A number is expressible as a sum of two squares if and only if its prime factors congruent to 3 modulo 4 occur with an even exponent.
SLIDE 20
Solving $x^2 + y^2 = N$
Proposition 2. Let N be a prime congruent to 1 modulo 4, R a square root of −1 modulo N, and $\xi \stackrel{\text{def}}{=} R/N$. Let $p_i/q_i$ be the convergents associated to the continued fraction expansion of ξ, and let n be the unique integer such that $q_n < \sqrt{N} < q_{n+1}$. We have
$$q_n^2 + (q_n R - p_n N)^2 = N.$$
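Propositions 1 and 2 in Python, as an added example (not the slides' code): a trial-division check of Proposition 1 for small N, and the continued-fraction construction of Proposition 2 for a prime N ≡ 1 (mod 4). The square root of −1 is obtained as $c^{(N-1)/4}$ for a quadratic non-residue c, a standard choice that the slides do not spell out.

```python
# Added example (not from the slides): Proposition 1 as a test and Proposition 2 as
# the constructive step x² + y² = N for a prime N ≡ 1 (mod 4).
from math import isqrt

def is_sum_of_two_squares(N):
    """Proposition 1 by trial division (toy sizes only): every prime factor ≡ 3 (mod 4)
    must occur with an even exponent."""
    n, q = N, 2
    while q * q <= n:
        e = 0
        while n % q == 0:
            n //= q
            e += 1
        if q % 4 == 3 and e % 2 == 1:
            return False
        q += 1
    return n % 4 != 3             # what is left is 1 or a single prime factor

def sqrt_minus_one(N):
    """R with R² ≡ -1 (mod N) for a prime N ≡ 1 (mod 4): c^((N-1)/4) for a quadratic
    non-residue c, found with Euler's criterion."""
    for c in range(2, N):
        if pow(c, (N - 1) // 2, N) == N - 1:
            return pow(c, (N - 1) // 4, N)
    raise ValueError("N must be a prime congruent to 1 mod 4")

def two_squares(N):
    """Proposition 2: expand ξ = R/N as a continued fraction; with p_i/q_i its
    convergents and n such that q_n < sqrt(N) < q_{n+1},
    q_n² + (q_n R - p_n N)² = N. Returns (x, y) with x² + y² = N."""
    R, root = sqrt_minus_one(N), isqrt(N)
    p_prev, p_cur, q_prev, q_cur = 0, 1, 1, 0   # p_{-2}, p_{-1}, q_{-2}, q_{-1}
    num, den = R, N                             # ξ = num/den; Euclid yields the partial quotients
    while den:
        a, num, den = num // den, den, num % den
        p_prev, p_cur = p_cur, a * p_cur + p_prev
        q_prev, q_cur = q_cur, a * q_cur + q_prev
        if q_cur > root:                        # q_cur = q_{n+1} > sqrt(N) > q_n = q_prev
            return q_prev, abs(q_prev * R - p_prev * N)
    raise ValueError("no convergent found")     # unreachable for prime N
```

The continued-fraction step runs in time polynomial in log N, so it applies as-is to the 200-digit values of the attack.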
SLIDE 21
Fast computation of collisions
Complexity is proportional to the number of random choices of z needed to get a sum of two squares. In practice: polynomial in log p. Overall complexity: polynomial in log p.
SLIDE 22
An example of an attack
◮ $p = 10^{100} + 949$ (the first prime $p > 10^{100}$ such that $p \equiv 1 \pmod 4$).
◮ ℓ = 5, with generators
$$G_1 = \begin{pmatrix} 1 & 2 \\ -2 & 1 \end{pmatrix},\quad G_2 = \begin{pmatrix} 1 + 2i & 0 \\ 0 & 1 - 2i \end{pmatrix},\quad G_3 = \begin{pmatrix} 1 & 2i \\ 2i & 1 \end{pmatrix},$$
$$G_4 = \begin{pmatrix} 1 & -2i \\ -2i & 1 \end{pmatrix},\quad G_5 = \begin{pmatrix} 1 - 2i & 0 \\ 0 & 1 + 2i \end{pmatrix},\quad G_6 = \begin{pmatrix} 1 & -2 \\ 2 & 1 \end{pmatrix}.$$
SLIDE 23
First step
Finding a, b, c, d satisfying
$$a^2 + b^2 + c^2 + d^2 = \ell^k, \qquad a > 0,\quad a \equiv 1 \pmod 2,\quad b \equiv c \equiv d \equiv 0 \pmod{2p}, \qquad (1)$$
$$b^2 + c^2 + d^2 =$$
SLIDE 24
First step
◮ We choose k to be the first integer larger than $\log_5(2p^2)$. We obtain k = 287. We then compute $5^k - p^2$, which is of the form 4u with u odd.
◮ … The first 24 values σ(1), σ(2), …, σ(24) of σ are 2, 4, 2, 3, 3, 3, 3, 1, 1, 4, 1, 5, 5, 5, 5, 1, 5, 1, 1, 1, 4, 1, 4, 6, and the remaining 550 values are given by the following array:
SLIDE 25
SLIDE 26
History
A similar scheme (Z. 91) with $G = SL_2(\mathbb{F}_p)$ and set of generators S consisting of
$$S_1 = \begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix},\quad S_2 = \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}.$$
(Tillich-Z. 93) Collisions through lifting the identity to a product of $S_1$'s and $S_2$'s in $SL_2(\mathbb{Z})$, then use the Euclidean algorithm to finish the factorisation. The problem lies in the (too large) density of the set of products of $S_1$'s and $S_2$'s in $SL_2(\mathbb{Z})$.
SLIDE 27
(Bold) comparison with factoring
How does one factor an integer n? Take the set $S = \{2^2, 3^2, 5^2, \ldots, \ell^2\}$ (squares of small primes) as generator set of a Cayley graph G over the (multiplicative) subgroup of $\mathbb{Z}/n\mathbb{Z}$ of invertible squares. Lift a random square to a product of elements of S in $\mathbb{Z}$. Finish with the Euclidean algorithm.
SLIDE 28
Future for Cayley-graph based hashing?
Goal: defeat density or lifting attacks. Suggestion for LPS-based hashing: throw away some generators. For S ∈ S keep either S or $S^{-1}$ but not both. This keeps part of the expansion properties: not the rapidly-mixing property, but a small diameter.
SLIDE 29
Other possibilities
Other possibilities: look for other interesting sets of generators of $SL_2$ groups with a view to defeating lifting attacks.
(Tillich-Z. 94) $G = SL_2(\mathbb{F}_{2^m})$ and set of generators S consisting of
$$S_1 = \begin{pmatrix} X & 1 \\ 1 & 0 \end{pmatrix},\quad S_2 = \begin{pmatrix} X & X + 1 \\ 1 & 1 \end{pmatrix}.$$
- For given defining polynomials of $\mathbb{F}_{2^m}$, no known method for producing short factorisations, i.e. reasonable-length collisions.