Hash functions and Cayley graphs: The end of the story?
Transcript of the slides "Hash functions and Cayley graphs: The end of the story?"
UCL Crypto Group, Microelectronics Laboratory - Ch. Petit - Montreal WCSC - April 2010
Hash functions and Cayley graphs: The end of the story?
Christophe Petit
Hash functions
H : {0,1}* → {0,1}^n
Applications
- Message authentication codes
- Digital signatures
- Password storage
- Pseudorandom number generation
- Entropy extraction
- Key derivation techniques
- ...
Properties
- Collision resistance: hard to find m, m′ such that H(m) = H(m′)
- Preimage resistance: given h, hard to find m such that H(m) = h
- Second preimage resistance: given m, hard to find m′ such that H(m′) = H(m)
- "Pseudo-randomness"
- ...
Constructions
[Figure: a "classical" hash function compared with a hash function based on a Cayley graph]
Outline
Introduction
Cayley hash functions
Security: state of the art
The end of the story?
Conclusion
Hash functions from Cayley graphs
- Parameters: a group G and S = {s_0, ..., s_{k−1}} ⊂ G
- Write m = m_1 m_2 ... m_N with m_i ∈ {0, ..., k − 1} and define
  H(m) := s_{m_1} s_{m_2} ... s_{m_N}
Hash functions from Cayley graphs
- Computation ∼ walk in the Cayley graph
- Example: G = (Z/8Z, +), S = {1, 2}
  [Figure: the Cayley graph on vertices 0, ..., 7, with the walk for m = 101 giving H(m) = 0 + 1 + 2 + 1 = 4]
Example: Tillich-Zemor hash function
- p ∈ F_2[X] irreducible of degree n, K = F_2[X]/(p(X)) ≅ F_{2^n}
- G = SL(2, K), S = {A_0 = $\begin{pmatrix} X & 1 \\ 1 & 0 \end{pmatrix}$, A_1 = $\begin{pmatrix} X & X+1 \\ 1 & 1 \end{pmatrix}$}
- H(m_1 m_2 ... m_N) := A_{m_1} A_{m_2} ... A_{m_N} mod p(X)
Hard (?) problems
- Representation problem: given G and S = {s_0, ..., s_{k−1}} ⊂ G, find a short product ∏ s_{m_i} = 1
- Balance problem: given G and S = {s_0, ..., s_{k−1}} ⊂ G, find two short products ∏ s_{m_i} = ∏ s_{m′_i}
- Factorization problem: given G, g ∈ G and S = {s_0, ..., s_{k−1}} ⊂ G, find a short product ∏ s_{m_i} = g
Properties
- Elegant, simple design
- Security properties ∼ mathematical problems
  - Collisions ∼ balance problem
  - Preimages ∼ factorization problem
  - Output distribution ∼ expander properties
- Parallelism: H(m||m′) = H(m) H(m′)
- Good efficiency, at least in the case of matrix groups
- Not a random oracle! But additional heuristics may help
- Issue: find good groups G and generator sets S
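The walk H(m) := s_{m_1} ... s_{m_N} and the Tillich-Zemor instance defined above, as an added example that is not part of the slides: it uses a toy field F_2[X]/(X^7 + X + 1) and function names of my own choosing, and checks that the generators have determinant 1 and that the parallelism property H(m||m′) = H(m)H(m′) listed above holds.

```python
# Added example (not from the slides): a generic Cayley-graph hash plus the
# Tillich-Zemor instance over a toy field K = F_2[X]/(p(X)).
# Field elements are ints whose bit i holds the coefficient of X^i.
# Toy parameter, constructed for illustration only (n = 7 is far too small
# to be secure): p(X) = X^7 + X + 1, irreducible over F_2.
N_DEG = 7
P_MOD = (1 << 7) | (1 << 1) | 1


def gf2n_mul(a, b):
    """Multiply two elements of K, reducing mod p(X) whenever degree n shows up."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> N_DEG) & 1:
            a ^= P_MOD
    return r


def mat_mul(M1, M2):
    """2x2 matrix product over K (addition in characteristic 2 is XOR)."""
    (a, b), (c, d) = M1
    (e, f), (g, h) = M2
    return ((gf2n_mul(a, e) ^ gf2n_mul(b, g), gf2n_mul(a, f) ^ gf2n_mul(b, h)),
            (gf2n_mul(c, e) ^ gf2n_mul(d, g), gf2n_mul(c, f) ^ gf2n_mul(d, h)))


def det(M):
    """ad - bc; in characteristic 2 the minus is a plus, hence XOR."""
    (a, b), (c, d) = M
    return gf2n_mul(a, d) ^ gf2n_mul(b, c)


def cayley_hash(mul, identity, generators, digits):
    """H(m) = s_{m1} s_{m2} ... s_{mN}: walk the Cayley graph of (G, S) from the
    identity, following at step i the edge labelled m_i. Works for any group
    given as (mul, identity), e.g. (lambda a, b: (a + b) % 8, 0) for Z/8Z."""
    h = identity
    for m_i in digits:
        h = mul(h, generators[m_i])
    return h


X = 0b10                       # the field element X
I2 = ((1, 0), (0, 1))          # identity matrix
# Tillich-Zemor generators A0 = [[X, 1], [1, 0]] and A1 = [[X, X+1], [1, 1]]
A0 = ((X, 1), (1, 0))
A1 = ((X, X ^ 1), (1, 1))


def tz_hash(bits):
    """Tillich-Zemor hash of a bit string such as "0110"."""
    return cayley_hash(mat_mul, I2, (A0, A1), [int(c) for c in bits])


def parallel_property_holds(m1, m2):
    """H(m1 || m2) == H(m1) * H(m2): the two halves can be hashed independently."""
    return tz_hash(m1 + m2) == mat_mul(tz_hash(m1), tz_hash(m2))
```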
A few proposals
- Zemor [Z91]: p prime, G = SL(2, F_p), S = {$\begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}$, $\begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}$}
- Tillich-Zemor [TZ94]: p ∈ F_2[X] irreducible, G = SL(2, F_{2^n}), S = {$\begin{pmatrix} X & 1 \\ 1 & 0 \end{pmatrix}$, $\begin{pmatrix} X & X+1 \\ 1 & 1 \end{pmatrix}$}
- LPS [CGL09]: p prime, G = PSL(2, F_p), S as in Lubotzky-Phillips-Sarnak's Ramanujan graphs
- Morgenstern [PLQ07]: p ∈ F_2[X] irreducible, G = PSL(2, F_{2^n}), S as in Morgenstern's Ramanujan graphs
Many angles of attack
- Exhaustive search
- Birthday attacks
- Multicollisions
- Meet-in-the-middle
- Trapdoor attacks
- Malleability
- Subgroup attacks
- Lifting attacks
- Euclidean algorithm
Subgroup attacks
- Assume G = G_0 ⊃ G_1 ⊃ G_2 ⊃ ... ⊃ G_N = {1}
- If |G_i|/|G_{i+1}| is small, or if the DLP is easy in G_i/G_{i+1} ⇒ preimages of 1 ⇒ 2nd preimage attack
- See [SGGB00, PQTZ09] against Tillich-Zemor
Lifting attacks
- Very successful approach!
- Principle: lift the representation problem to some ring where it is easier to solve
  - Define the lifted set appropriately
  - Find a way to lift elements
  - Solve the problems in the lifted set
Lifting attacks: Zemor [TZ94]
- Zemor: G = SL(2, F_p), S = {$\begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}$, $\begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}$}
- Given $\begin{pmatrix} a & b \\ c & d \end{pmatrix}$ ∈ SL(2, F_p):
  1. Lifting: find $\begin{pmatrix} A & B \\ C & D \end{pmatrix}$ ∈ SL(2, Z^+) such that $\begin{pmatrix} A & B \\ C & D \end{pmatrix} = \begin{pmatrix} a & b \\ c & d \end{pmatrix} \bmod p$
  2. Solving: factor $\begin{pmatrix} A & B \\ C & D \end{pmatrix}$ as a product of $\begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}$ and $\begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}$ with the Euclidean algorithm:
     if A ≥ B, apply the Euclidean algorithm to (A, B), else apply it to (C, D)
- Indeed:
  - a_{i−1} = q_i a_i + a_{i+1}  ⇔  $\begin{pmatrix} a_{i-2} \\ a_{i-1} \end{pmatrix} = \begin{pmatrix} 1 & q_{i-1} \\ 0 & 1 \end{pmatrix} \begin{pmatrix} 1 & 0 \\ q_i & 1 \end{pmatrix} \begin{pmatrix} a_i \\ a_{i+1} \end{pmatrix}$
  - $\begin{pmatrix} 1 & q \\ 0 & 1 \end{pmatrix} = \begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}^q$ and $\begin{pmatrix} 1 & 0 \\ q & 1 \end{pmatrix} = \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}^q$
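The "Solving" step of the slide "Lifting attacks: Zemor" above, as an added example that is not from the slides: a lifted matrix in SL(2, Z^+) is factored into Zemor's two generators by the Euclidean algorithm, each quotient becoming a run of one generator, which is exactly the structural weakness a designer must rule out when choosing S. The input matrix ((7, 2), (10, 3)) is constructed for the demonstration and all function names are mine.

```python
# Added example (not from the slides): the "Solving" step of slide "Lifting
# attacks: Zemor". A lifted matrix M in SL(2, Z) with non-negative entries is
# factored into U = [[1,1],[0,1]] (message digit 0) and L = [[1,0],[1,1]]
# (digit 1) by the Euclidean algorithm; each quotient q becomes a run U^q or
# L^q. The identity holds over Z, so it still holds after reduction mod p.
U = ((1, 1), (0, 1))
L = ((1, 0), (1, 1))
I2 = ((1, 0), (0, 1))


def mat_mul(M1, M2):
    (a, b), (c, d) = M1
    (e, f), (g, h) = M2
    return ((a * e + b * g, a * f + b * h), (c * e + d * g, c * f + d * h))


def det(M):
    (a, b), (c, d) = M
    return a * d - b * c


def euclid_factor(M):
    """Return [(gen, q), ...] with M == gen_1^q_1 * gen_2^q_2 * ... (left to right).
    Requires det(M) == 1 and non-negative entries, as for a lifted matrix."""
    (A, B), (C, D) = M
    if det(M) != 1 or min(A, B, C, D) < 0:
        raise ValueError("need a matrix in SL(2, Z) with non-negative entries")
    word = []                                  # collected right to left
    while (A, B, C, D) != (1, 0, 0, 1):
        if A >= B and C >= D:
            # First column dominates: M = M' * L^q, M' = [[A-qB, B], [C-qD, D]].
            # q is the Euclidean quotient of (A, B), capped so row (C, D) stays
            # non-negative; B == 0 forces A == D == 1, i.e. M = L^C.
            q = min(A // B, C // D) if B else C
            A, C = A - q * B, C - q * D
            word.append(("L", q))
        else:
            # Second column dominates: M = M' * U^q, M' = [[A, B-qA], [C, D-qC]].
            q = min(B // A, D // C) if C else B
            B, D = B - q * A, D - q * C
            word.append(("U", q))
    word.reverse()
    return word


def word_to_message(word):
    """Zemor message digits: U -> '0', L -> '1'."""
    return "".join(("0" if g == "U" else "1") * q for g, q in word)


def zemor_hash(message, p=None):
    """H(m) = s_{m1} ... s_{mN} over Z, or over F_p when p is given."""
    h = I2
    for ch in message:
        h = mat_mul(h, U if ch == "0" else L)
        if p is not None:
            h = tuple(tuple(x % p for x in row) for row in h)
    return h


# Constructed input: determinant 7*3 - 2*10 = 1 and positive entries.
LIFTED = ((7, 2), (10, 3))
```

Running euclid_factor(LIFTED) gives L^1 U^2 L^3, i.e. the message 100111, and zemor_hash("100111") multiplies back to LIFTED.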
Lifting attacks: LPS
- LPS: G = PSL(2, F_p) and S as in LPS Ramanujan graphs
- Lift from PSL(2, F_p) to SL(2, Z[i]); here ⟨lifts of generators⟩ ⊊ SL(2, Z[i]) is a very small subset, but well structured [LPS88]
- 2nd preimages [TZ08] ∼ finding λ, w, x, y, z, e such that $(\lambda + wp)^2 + 4(xp)^2 + 4(yp)^2 + 4(zp)^2 = \ell^e$
Lifting and subgroup attacks together
- Preimages against LPS [PLQ08] ∼ finding λ, w, x, y, z, e such that $(A\lambda + wp)^2 + (B\lambda + xp)^2 + (C\lambda + yp)^2 + (D\lambda + zp)^2 = \ell^{2k}$
- Apparently hard, but instead we can:
  - Lift diagonal matrices: $(A\lambda + wp)^2 + (B\lambda + xp)^2 + (yp)^2 + (zp)^2 = \ell^{2k}$
  - Combine diagonal matrices and generators
- Similar attacks for Morgenstern [PLQ08]
Lifting attack for Tillich-Zemor [GIMS09]
- Tillich-Zemor: G = SL(2, F_{2^n}), S = {$\begin{pmatrix} X & 1 \\ 1 & 0 \end{pmatrix}$, $\begin{pmatrix} X & X+1 \\ 1 & 1 \end{pmatrix}$}
  1. Change generators: S′ = {$\begin{pmatrix} X & 1 \\ 1 & 0 \end{pmatrix}$, $\begin{pmatrix} X+1 & 1 \\ 1 & 0 \end{pmatrix}$}
     - $\begin{pmatrix} a & b \\ c & d \end{pmatrix}$ ∈ ⟨S′⟩ ⇒ when applying the Euclidean algorithm to (a, b), all the quotients are X or X + 1
  2. Apply [MS87] to p(X) to get m = m_1 ... m_n such that H(m) = $\begin{pmatrix} p & b \\ c & d \end{pmatrix} = \begin{pmatrix} 0 & b \\ c & d \end{pmatrix} \bmod p(X)$
  3. Build the palindrome m = m_n ... m_2 m_1 m_1 m_2 ... m_n; then A′_0 H(m) A′_0 = A′_1 H(m) A′_1.
Preimages for Tillich-Zemor [PQ]
- Preimage algorithm for TZ given some precomputation
  - $\begin{pmatrix} A & B \\ C & D \end{pmatrix} = \begin{pmatrix} 1 & 0 \\ \alpha & 1 \end{pmatrix} \begin{pmatrix} X & 1 \\ 1 & 0 \end{pmatrix} \begin{pmatrix} 1 & \beta \\ 0 & 1 \end{pmatrix} \begin{pmatrix} X & 1 \\ 1 & 0 \end{pmatrix}^3 \begin{pmatrix} 1 & 0 \\ \gamma & 1 \end{pmatrix}$
  - $\begin{pmatrix} 1 & 0 \\ \sum \alpha_i & 1 \end{pmatrix} = \prod \begin{pmatrix} 1 & 0 \\ \alpha_i & 1 \end{pmatrix}$
  - H(m0) = $\begin{pmatrix} 1 & 0 \\ X + b_i^2 & 1 \end{pmatrix}$ if H(m) = $\begin{pmatrix} 0 & b_i \\ c_i & d_i \end{pmatrix}$
- Precomputing algorithms
  1. Obtain new matrices $\begin{pmatrix} 0 & b_i \\ c_i & d_i \end{pmatrix}$ recursively ⇒ deterministic algorithm; full proof when n is prime
  2. Apply (an extension of) [MS87] to a_i = p q_i
The end of the story?
- Collisions & preimages for Zemor, Tillich-Zemor, LPS, Morgenstern
- The end of the story?
- No! (not yet?)
- For most groups / generators, we do not know if the problems can be solved
Rubik's for cryptanalysts
Let A, B generate SL(2, F_{2^n}) and let M ∈ SL(2, F_{2^n}). How to write I or M as a short product of A and B?
1. Modify A and B to get "Euclidean algorithm matrices" A′ = $\begin{pmatrix} t_1 & 1 \\ 1 & 0 \end{pmatrix}$, B′ = $\begin{pmatrix} t_2 & 1 \\ 1 & 0 \end{pmatrix}$
2. Find a message hashing to some $\begin{pmatrix} 0 & b \\ c & d \end{pmatrix}$; extend [MS87]? ([MS87] only for t_1 = X and t_2 = X + 1)
3. Build a preimage attack from this message
The end of the story?
- Choose G to prevent subgroup attacks
- Choose S to prevent lifting attacks?
- Avoid "small" parameters and symmetry
Related problems
- Graph theory
  - Expander graphs
  - Diameter of Cayley graphs, Babai's conjecture
- Euclidean algorithm
  - Clear for Zemor and Tillich-Zemor
  - Implicit in LPS, Morgenstern (Diophantine equations solved via Lagrange)
- Cryptography
  - Alternative to DL, ECDL and factoring?
  - Stream cipher theory
Conclusion
- Elegant design, nice properties
- Zemor, LPS, Morgenstern, Tillich-Zemor broken
- Security of other / generic instances?
References
- [Z91] G. Zemor, Hash functions and graphs with large girths
- [TZ94] J.-P. Tillich & G. Zemor, Group-theoretic hash functions
- [CGL09] D. Charles, E. Goren, K. Lauter, Cryptographic hash functions from expander graphs
- [PLQ07] C. Petit, K. Lauter, J.-J. Quisquater, Cayley Hashes: A Class of Efficient Graph-based Hash Functions
- [SGGB00] R. Steinwandt, M. Grassl, W. Geiselmann, T. Beth, Weaknesses in the SL_2(F_{2^n}) Hashing Scheme
- [PQTZ09] C. Petit, J.-J. Quisquater, J.-P. Tillich, G. Zemor, Hard and Easy Components of Collision Search in the Zemor-Tillich Hash Function: New Instances and Reduced Variants with Equivalent Security
- [LPS88] A. Lubotzky, R. Phillips, P. Sarnak, Ramanujan Graphs
- [TZ08] J.-P. Tillich, G. Zemor, Collisions for the LPS Expander Graph Hash Function
- [PLQ08] C. Petit, K. Lauter, J.-J. Quisquater, Full Cryptanalysis of LPS and Morgenstern Hash Functions
- [GIMS09] M. Grassl, I. Ilic, S. Magliveras, R. Steinwandt, Cryptanalysis of the Tillich-Zemor hash function
- [MS87] J. P. Mesirov, M. M. Sweet, Continued fraction expansions of rational expressions with irreducible denominators in characteristic 2
- [PQ] C. Petit, J.-J. Quisquater, Preimage algorithms for the Tillich-Zemor hash function