Christophe Petit - LMS CS Colloquium - November 2019 1
Rubik’s for Cryptographers
Babai’s conjecture, cryptographic hash functions
and quantum gates
Christophe Petit
University of Birmingham
“Proving” security
Attack on your cryptographic construction ⇒ Solution to some “hard” computational problem
Main “hard problems” in use today
I Integer factorisation: Let n be an integer. Compute its prime factors.
I Discrete logarithm problem (DLP): Let p be a prime and let G be a subgroup of F_p^*. Given g ∈ G and h ∈ 〈g〉, find x such that h = g^x.
I Elliptic curve discrete logarithm problem (ECDLP): Let K be a finite field and let E be an elliptic curve over K. Let P ∈ E(K) and Q ∈ 〈P〉. Find x such that Q = xP.
Main post-quantum “hard problem” candidates
I Finding short vectors in lattices
I Decoding linear codes
I Solving systems of multivariate polynomial equations
I Computing isogenies between elliptic curves
I . . .
Outline
Introduction
Rubik’s: a candidate hard problem from group theory
Cryptographic applications: hash functions and beyond
Bonus application: building efficient quantum circuits
Conclusion
Rubik’s cube is too easy . . .
. . . but generalizations might be hard:
Given a non-abelian finite group G, a generator set S and a group element h, compute a “short” factorisation h = ∏ s_i with every s_i ∈ S.
Is this problem hard enough?
I Rubik’s cube case is not
I What about the general case?
  I Has it been studied before?
  I Connections to well-known hard problems?
  I Can we build good (efficient and secure) crypto from it?
Babai’s conjecture [BS92]
For any non-abelian finite simple group G and any generating set S, every element of G admits a “short” factorization (of length at most (log |G|)^c for an absolute constant c).
I Recently attracted mathematicians Bourgain, Gamburd, Green, Helfgott, Kantor, Lubotzky, Tao, . . .
I Rubik’s generalization ∼ constructive proof of Babai’s conjecture
Status of Babai’s conjecture
I Proved for all groups of Lie type and bounded rank, but the proofs are non-constructive
I Constructive proofs also exist for
  I almost all generating sets in symmetric/alternating groups
  I specific generating sets in SL(m, K)
I Rubik’s generalisation still plausibly hard for generic generator sets in matrix groups (no constructive proof)
A graph-theoretical perspective
I For any group G and generator set S, one can associate the Cayley graph Γ = (V, E) where
  I V = {v_g | g ∈ G}
  I (v_{g1}, v_{g2}) ∈ E ⇔ g2 · g1^{-1} ∈ S
I Example: G = (Z/8Z, +), S = {1, 2}
[Figure: Cayley graph of (Z/8Z, +) with respect to S = {1, 2}; the vertices 0, 1, ..., 7 sit on a circle and each vertex is joined to the vertex one step and the vertex two steps ahead]
A graph-theoretical perspective (2)
I Babai’s conjecture: Cayley graphs of simple non abeliangroups have small diameters(there exist short paths between any pair of vertices)
I Rubik’s generalization: given two vertices, computea short path between them
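Worked example (added here, not part of the slides): the Cayley graph of SL(2, F_p) with Zemor’s generator set S = {R = (1 1; 0 1), L = (1 0; 1 1)}, explored by breadth-first search for a toy prime p. Only S itself is used (no inverses), so the graph is directed and a path from the identity is a word in S, exactly the setting of the hash functions later in the talk. BFS gives the exact diameter and a shortest factorization of any target, i.e. the Rubik’s problem solved by brute force; that is feasible only because |G| = p(p² − 1) is tiny here, which is the gap between short factorizations existing (Babai) and finding them (Rubik’s).

```python
"""Cayley graph of SL(2, F_p) with Zemor's generators, explored by BFS.

Added example (not from the slides). S = {R = (1 1; 0 1), L = (1 0; 1 1)} is
used without inverses, so edges are v_g -> v_{gs} and a path from the
identity is a message (a word in S). For a toy prime p the whole group of
p(p^2 - 1) elements fits in memory, so the diameter and shortest
factorizations come out exactly; for cryptographic p this is hopeless.
"""
from collections import deque

GEN = {"R": (1, 1, 0, 1), "L": (1, 0, 1, 1)}   # matrices (a b; c d) as 4-tuples
IDENTITY = (1, 0, 0, 1)

def mat_mul(m, n, p):
    a, b, c, d = m
    e, f, g, h = n
    return ((a * e + b * g) % p, (a * f + b * h) % p,
            (c * e + d * g) % p, (c * f + d * h) % p)

def bfs_cayley(p):
    """Map every element reachable from the identity to (distance, word),
    where word is a shortest list of generator names with
    g = GEN[word[0]] * GEN[word[1]] * ... (mod p)."""
    seen = {IDENTITY: (0, [])}
    queue = deque([IDENTITY])
    while queue:
        g = queue.popleft()
        dist, word = seen[g]
        for name, s in GEN.items():
            h = mat_mul(g, s, p)          # directed edge v_g -> v_{gs}
            if h not in seen:
                seen[h] = (dist + 1, word + [name])
                queue.append(h)
    return seen

def group_order(p):
    return p * (p * p - 1)               # |SL(2, F_p)|

def diameter(p):
    """Directed diameter of the Cayley graph: the longest shortest word."""
    seen = bfs_cayley(p)
    assert len(seen) == group_order(p), "R and L generate SL(2, F_p)"
    return max(dist for dist, _ in seen.values())

def shortest_factorization(target, p):
    """Rubik's problem by brute force: a shortest word in S evaluating to target."""
    target = tuple(x % p for x in target)
    return bfs_cayley(p)[target][1]

def evaluate(word, p):
    g = IDENTITY
    for name in word:
        g = mat_mul(g, GEN[name], p)
    return g

if __name__ == "__main__":
    import math
    for p in (2, 3, 5, 7, 11, 13):
        d = diameter(p)
        print(f"p={p:3d}  |G|={group_order(p):6d}  diameter={d:3d}  "
              f"log2|G|={math.log2(group_order(p)):5.2f}")
    target = (0, -1, 1, 0)               # the matrix (0 -1; 1 0)
    word = shortest_factorization(target, 13)
    print("".join(word), evaluate(word, 13) == tuple(x % 13 for x in target))
```

Since the number of words of length at most d is below 2^{d+1}, the diameter is at least log₂|G| − 1 for any p; the table printed by the script shows how far the actual diameter sits above that bound for small p.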
Cryptographic applications: hash functions and beyond
Cryptographic hash functions
H : {0, 1}^* → {0, 1}^n
I Message authentication codes
I Digital signatures
I Password storage
I Pseudorandom number generation
I Entropy extraction
I Key derivation techniques
I ...
Hash function application: authenticating communications with the LMS website
Hash functions main security requirements
H : {0, 1}^* → {0, 1}^n
I Preimage resistance: given h, hard to find m such that H(m) = h
I Collision resistance: hard to find m ≠ m′ such that H(m) = H(m′)
I Second preimage resistance: given m, hard to find m′ ≠ m such that H(m′) = H(m)
I + uniform output distribution, “random oracle” behaviour
Hash functions from Rubik’s generalization
I Let G be a non-abelian group and S := {s_0, ..., s_{k−1}} ⊂ G
I Write m = m_1 m_2 ... m_N with m_i ∈ {0, ..., k − 1}. Define
  H(m) := s_{m_1} s_{m_2} ... s_{m_N}
Toy example: G = (Z/8Z, +), S = {1, 2}
[Figure: the Cayley graph of (Z/8Z, +) with S = {1, 2}, with the walk for m = 101 highlighted from vertex 0 to vertex 4]
m = 101: H(m) = 0 + 1 + 2 + 1 = 4 (start at vertex 0 and follow the edges selected by the successive message digits)
(actual parameters should use G non-abelian and much larger)
Example: Tillich-Zemor hash function [TZ94]
I Let p ∈ F_2[X] be an irreducible polynomial of degree n, let K := F_2[X]/(p(X)) ≅ F_{2^n}
I Let G = SL(2, K) and S = {A_0 = (X 1; 1 0), A_1 = (X X+1; 1 1)}
I Then H(m_1 m_2 ... m_N) := A_{m_1} A_{m_2} ... A_{m_N} mod p(X)
I Efficiency:
  I Only requires a few shifts and additions per message bit
  I Computation can be parallelized, since H(m || m′) = H(m) · H(m′)
Security
I Preimage resistance = Rubik’s generalization: Given h ∈ G, find m_1, ..., m_N ∈ {0, ..., k − 1} such that
  h = ∏_{i=1}^{N} s_{m_i}, with N “small”
I 2nd preimage resistance: Given a product of generators, find another product of generators leading to the same value
I Collision resistance: Find two products of generators leading to the same value
Expansion properties ⇒ uniform outputs
I Expander graphs are families of highly connected regular graphs: there is a constant c > 0 such that
  min_{S ⊂ V, |S| ≤ |V|/2} |δ(S)| / |S| ≥ c
  for every graph Γ = (V, E) in the family, where δ(S) is the set of edges leaving S.
  Useful property: random walks mix quickly
I Cayley graphs tend to be good expanders
  I Implies they have small diameter (Babai’s conjecture)
  I Implies the above hash function has uniform outputs when inputs are long enough
Parameters suggested for the hash function
I Zemor [Z91]: p prime, G = SL(2, F_p), S = {(1 1; 0 1), (1 0; 1 1)}
I Tillich–Zemor [TZ94]: p ∈ F_2[X] irreducible, G = SL(2, F_{2^n}), S = {(X 1; 1 0), (X X+1; 1 1)}
I LPS [CGL09]: p prime, G = PSL(2, F_p), S as in Lubotzky–Phillips–Sarnak’s Ramanujan graphs
I Morgenstern [PLQ07]: p ∈ F_2[X] irreducible, G = PSL(2, F_{2^n}), S as in Morgenstern’s Ramanujan graphs
Cryptanalysis techniques
I Exhaustive search
I Birthday paradox techniques, meet-in-the-middle
I Subgroup attacks
I Lifting attacks: lift to a ring with unique factorization
I Trapdoor attacks: the person who chooses the parameters can more easily compute collisions and/or preimages
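Added example, not part of the slides: a toy Tillich–Zemor hash over SL(2, F_{2^8}) (field polynomial X^8 + X^4 + X^3 + X + 1, chosen here for illustration; the slides give no concrete n and real instances use a much larger degree), with the concatenation property H(m || m′) = H(m) · H(m′) checked, followed by the birthday-paradox technique from the list above: hashing random messages until two collide. It succeeds after a few thousand hashes because the group has only 2^8 (2^16 − 1) ≈ 1.7 · 10^7 elements, and every collision extends to infinitely many through the concatenation property.

```python
"""Toy Tillich-Zemor hash over SL(2, F_{2^N}) and a birthday collision search.

Added example (not from the slides). N = 8 with the AES field polynomial is
an assumption made for illustration: |SL(2, F_256)| = 2^8 (2^16 - 1) is about
1.7e7, so a birthday search collides after a few thousand hashes. Real
parameters use n in the hundreds, where |G| ~ 2^{3n} and the birthday
bound 2^{1.5n} is far out of reach.
"""
import random

N = 8
POLY = 0x11B  # X^8 + X^4 + X^3 + X + 1, irreducible over F_2; elements are ints < 2^N

def gf_mul(a, b):
    """Multiply in F_2[X]/(POLY): shift-and-add with reduction."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:        # degree reached N: reduce by the field polynomial
            a ^= POLY
    return r

# Full multiplication table; addition in characteristic 2 is XOR.
MUL = [[gf_mul(a, b) for b in range(1 << N)] for a in range(1 << N)]

def m_mul(m, n):
    """Product of two 2x2 matrices (a b; c d) stored as 4-tuples."""
    a, b, c, d = m
    e, f, g, h = n
    return (MUL[a][e] ^ MUL[b][g], MUL[a][f] ^ MUL[b][h],
            MUL[c][e] ^ MUL[d][g], MUL[c][f] ^ MUL[d][h])

def det(m):
    a, b, c, d = m
    return MUL[a][d] ^ MUL[b][c]

X, ONE = 0b10, 0b01                                     # the field elements X and 1
A = {0: (X, ONE, ONE, 0), 1: (X, X ^ ONE, ONE, ONE)}    # A0 = (X 1; 1 0), A1 = (X X+1; 1 1)
IDENTITY = (ONE, 0, 0, ONE)

def tz_hash(bits):
    """H(m1 m2 ... mN) = A_{m1} A_{m2} ... A_{mN}, a word in the generators."""
    h = IDENTITY
    for bit in bits:
        h = m_mul(h, A[bit])
    return h

def birthday_collision(msg_len=24, seed=1):
    """Hash random fixed-length messages until two distinct ones collide.
    Expected cost ~ sqrt(|G|) hashes, i.e. a few thousand for N = 8."""
    rng = random.Random(seed)
    seen = {}
    while True:
        m = tuple(rng.getrandbits(1) for _ in range(msg_len))
        h = tz_hash(m)
        if h in seen and seen[h] != m:
            return seen[h], m
        seen[h] = m

if __name__ == "__main__":
    m1, m2 = birthday_collision()
    print("collision:", "".join(map(str, m1)), "".join(map(str, m2)), tz_hash(m1))
    suffix = (1, 0, 1)
    print("extends to any suffix:", tz_hash(m1 + suffix) == tz_hash(m2 + suffix))
```

Both generators have determinant 1 in characteristic 2 (X · 0 + 1 · 1 and X · 1 + (X + 1) · 1), so every hash value lies in SL(2, K); the test below checks that, the concatenation property, and that the colliding messages are distinct.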
Subgroup attacks
I Assume G = G_0 ⊃ G_1 ⊃ G_2 ⊃ ... ⊃ G_N = {1} and |G_i| / |G_{i+1}| “small”
I Compute a factorization of 1:
  I Compute random products of s_0 and s_1 to get two elements s′_0 and s′_1 of G_1, then proceed recursively
I This gives a second preimage attack:
  I H(m) = 1 ⇒ H(m′ || m) = H(m′) H(m) = H(m′)
I Attack can be extended to a preimage attack
I Attack not efficient for well-chosen groups G
Subgroup attacks on the Rubik’s cube
|G| = (12! · 8! · 3^8 · 2^12) / 12 = 43 252 003 274 489 856 000 ≈ 4.3 · 10^19
Lifting attacks
I Intuition: factorization is easier over infinite groups, often unique; at the very least the length is leaked
I Principle: lift the factorization problem to some infinite group where it is easier to solve
  I Define the lifted set appropriately
  I Find a way to lift elements
  I Factor elements in the lifted set
Lifting attacks: Zemor’s parameters [TZ94]
I G = SL(2, F_p), S = {(1 1; 0 1), (1 0; 1 1)}
I Given (a b; c d) ∈ SL(2, F_p):
  1. Lifting: find (A B; C D) ∈ SL(2, Z_{≥0}) such that (A B; C D) ≡ (a b; c d) mod p
  2. Solving: factor (A B; C D) as a product of (1 1; 0 1) and (1 0; 1 1) with the Euclidean algorithm:
     if A ≥ B, apply the Euclidean algorithm to (A, B), else apply it to (C, D)
  Indeed:
  I a_{i−1} = q_i a_i + a_{i+1} ⇔ (a_{i−2}; a_{i−1}) = (1 q_{i−1}; 0 1) (1 0; q_i 1) (a_i; a_{i+1})
  I (1 q; 0 1) = (1 1; 0 1)^q and (1 0; q 1) = (1 0; 1 1)^q
Solution to LPS case (sketch)
I Let G = PSL(2, F_p) and S = {s ∈ G | det(s) = ℓ}
I Given h ∈ G, find a small factorization h = ∏ s_i with s_i ∈ S
  1. Solve the problem for diagonal matrices (A+Bi 0; 0 A−Bi), where i² = −1. This amounts to solving a norm equation
     (Aλ + wp)² + (Bλ + xp)² + (yp)² + (zp)² = ℓ^e
  2. Reduce the general case to the diagonal case:
     (M_1 M_2; M_3 M_4) = λ (1 0; 0 α) s_1 (1 0; 0 β_1) s_1 (1 0; 0 β_2) s_1 (1 0; 0 ω)
I Note Babai’s conjecture holds: diameter ≈ 2 log_ℓ |G|
Is this hash function design secure?
I Zemor and Tillich–Zemor parameters are very special
  + Small generators chosen for efficiency
  − Lifting easier, as the lifting set is dense
I LPS and Morgenstern parameters are very special
  + High symmetry for the Ramanujan property
  − Lifting easier, as the lifting set is described by simple equations
I Small changes to these parameters defeat the attacks, and Rubik’s generalization is still plausibly hard in general
Another cryptographic application
I WalnutDSA is a signature scheme based on braid groups
I WalnutDSA had damaging malleability properties: given several valid signatures on random messages, one can produce a valid signature on any other message by solving a specific instance of the Rubik’s problem
I The specific instance involved could be solved in practice; this gave the first attack on WalnutDSA
Instance solved in WalnutDSA attack
I Group G is a subgroup of GL(n, F_q)
I Generator set contains random group elements (one per valid signature received)
I Target element is another random element in the group
I Attack is a subgroup attack (note that GL(k, F_q) embeds as a subgroup of GL(n, F_q) for every k ≤ n)
Bonus application: building efficient quantum circuits
Unitary quantum gates
I In quantum computation, information is stored in qubits: each qubit is a superposition of 0 and 1
  |q〉 = α|0〉 + β|1〉
  with α, β ∈ C and |α|² + |β|² = 1
I By the laws of physics, all operations on qubits must be reversible (unitary):
  (α, β)ᵀ → (α′, β′)ᵀ = U (α, β)ᵀ for U ∈ U(2, C) unitary
Rubik’s problem in quantum context
I Suppose you have physical realizations for a restricted set of quantum gates S = {s_1, . . . , s_k} ⊂ U(2, C), and you need to perform another operation h ∈ U(2, C)
I Solution: combine your elementary quantum gates to build a good approximation of your target
  h ≈ ∏ s_i with s_i ∈ S
Candidate quantum gate sets (single qbit)
I Typical gate set: Clifford + T gates
  X = (0 1; 1 0), Y = (0 −i; i 0), Z = (1 0; 0 −1)
  H = (1/√2) (1 1; 1 −1), T = (1 0; 0 e^{iπ/4})
I More recently, LPS gates and variants suggested
Example: LPS Ramanujan graphs
I G = PSL(2, F_p) and S = {s ∈ G | det s = ℓ}
I Hash function cryptanalysis: given h ∈ PSL(2, F_p), find h̃ = ∏ (1/√ℓ) s_{m_i} such that h = h̃ mod p
I Quantum circuit design: given h ∈ U(2, C), find h̃ = ∏ (1/√ℓ) s_{m_i} such that ‖h − h̃‖_◇ is small
I Same problem with different norms: p-adic vs diamond
I Algorithms to solve both problems are also very similar
Conclusion
I Babai’s conjecture: any non abelian simple group elementhas a small factorisation in any set of generators
I Equivalently, Cayley graphs have small diameters
I Most proofs are combinatorial and non-constructive
I Hardness of constructive version underlies the securityof a family of cryptographic hash functions
I A similar problem appears in quantum gate design,solved with similar techniques
I Many interesting open problems with lots of applications!