Cryptographic Hash Functions from Expander Graphs

Christophe Petit

Based on joint works with Giacomo de Meulenaer, Kristin Lauter, Jean-Jacques Quisquater, Jean-Pierre Tillich, Nicolas Veyrat, Gilles Z´emor

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 1 Cryptographic hash functions...

I Compressing functions: (key, message) → hash value

H : {0, 1}κ × {0, 1}∗ → {0, 1}λ

I Used everywhere in Cryptography:

I Digital signatures

I Message authentication codes

I Commitment

I Pseudo-random number generation

I Entropy extraction

I ...

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 2 I There exist standards (SHA)...

I ... but they are being broken !

Cryptographic hash functions...

I Properties:

I Collision resistance

I Preimage resistance

I Second preimage resistance

I ...

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 3 Cryptographic hash functions...

I Properties:

I Collision resistance

I Preimage resistance

I Second preimage resistance

I ...

I There exist standards (SHA)...

I ... but they are being broken !

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 3 I While expander hashes look like this:

(2(2,,194)95) (2(0, 124)245) (0, 21)43) (2, 290) (0, 306) (1, 64) (0(2,,286)98) (0(2,,91)2) (2, 159)324) (0(1,,14)7) (0(2,,151)21) (1(1,,170)58) (2, 115)252) (2(1, 107), 0) (0, 186) (0, 229) (1(2, 244), 4) (2(1, 175)337) (0(2(1,,302)333)237)44) (2(0, 278), 5) (2(2,,164)90) (2(0, 151)191)200)266) (0(1,,283)19) (2(1(2(0,,293)40)13)60) (0, 145)213) (2, 127)259) (0(2, 110)243) (1(0,,150)87) (2(0,,219)40) (0, 273) (0, 217) (1(2, 274), 3) (2(2(0,,101)23)104)115) (1(2(0(2,,260)146)65)93) (0(1(0(0,,221)277)126)231),272)95) (2(0(1(1,,248),96)254)88) (2(1(2(0,,173),22)281)23) (1(0, 113)332) (2, 279)301) (1, 152)296) (1(1, 153), 6) (2(0,,131)17) (2(1(1(0,,169)252),165)13) (2, 106)183) (0(1,,339)68) (0(2(1,,172)221)159)177) (2(1(0(1,,217)322),227)85) (1(0, 225)330) (2(1(0,,113)171)325)72) (0(2(1, 179)256), 17)66) (1(0,,120)191)109)275) (1(0(0(2,,,285),36)111)81) (0(0,,181)80) (1(0,,202)38) (1(1,,230)18) (2(0, 186)263) (2(0, 224), 6) (0(1,,234)36) (0, 240) (2, 176) (1(1,,213)92) (1(0(2,,24)39)242)288) (1(0(1,,200)299)239)280) (2(1, 185)217) (2(0(1(2,,135)168)134)234) (1, 221)331) (2(1, 332), 5) (2, 208)239) (0(2(1, 118)270)287)309) (1(2, 273)305) (2(0(2(2,,295),47)157)20) (0(1, 266)267) (1(0, 156)258) (1(2(1(1(0,,262)294),31)93),235)69) (2(2,,177)18) (2(1,,338)98) (1(2(1(2,,,183)308)188)39) (2(1(2,,134)203)207)273) (2(0, 307)320) (1, 298)318) (0, 309)340) (0(1,,74)9) (2, 19) (2, 30) (2(0,,335)19) (1, 194)128) (1(2, 38)89) (0(1(2(0,,335)63)73)86) (1(0(1(2,,156)245)189)225) (2, 149)237) (1, 117)205) (0(2,,165)45) (2(0, 316)327) (2(1, 116)261) (1(2, 242)320) (1(0,,41)9) (1(1,,241)29) (0, 269)280) (2(2,,251)61) (1(2(2(0, 329)330), 199)236)150)205) (0(2, 267)318) (1(1(0(2(1,,100)300),17)37)276)288) (0(1,,264)79) (0, 278)329) (2(0(2,,288)308)298)265) (1(0(2,,204)319)232)309) (1(0, 101)143) (0, 114)224) (1(1(0,,,139)227)114)42) (0(0(2,,,167)279)220)72) (0, 157)126) (2, 119)296) (1(0, 292), 2) (1(2,,142)38) (1(2, 211)287) (1(1,,151)74) (0(1,,125)20) (0, 94) (0, 98) (2(1, 102)268) (0, 71)90) (2(1, 84)30) (0(1(0(1,,131)338)20)52) (2(1, 193)340) (1(1,,123)34) (0(2, 262), 8) (1(2(0(1, 236)253)190)331), 228)301) (1(1,,332)59) (0(1(2,,,294)290)323)71) (2(2,,226)76) (2(1, 70)77) (0(0,,318)79) (1(2(0(1,,,272)256)287)82) (1(0(1(0,,115)136)172)297) (0(1,,296)14) (1(0, 179)310) (2(1,,112)13)(1(0(2,,127)282),281)85)(2(2(0,,155)192)111)154) (0(1, 107)324) (0(1,,336)50) (1(0(0(2,,,264),88)242)94) (2(0, 283)338) (1, 35)49) (2(2,,201)88) (0(0,,158)52) (1(2,,271)12) (0(2(2,,,41)63)154)34) (0(2,,195)65) (0(0, 307), 4) (2(0, 232)247) (0, 18)35) (2, 227)238) (0(2(2(1,,142)264)256)339) (1(0, 210)215) (1, 108)(2(2,,129)63) (1, 138)281) (2(1, 240)305) (1(0, 239)333) (1, 249) (2(2,,233)67) (2(0(1,(2(1195)259),,168)56)91)41) (0(1(2,(1163)275)152)222),,188)72) (1(0(0,,,149)270)268)70) (2(0(1(2,,,321)325)80)40) (2(0, 235)319) (0(0,,123)67) (0(2(2,,147)146)289)83) (0(0,,304)30) (2(1,,261)61) (2, 152)327) (2(2, 323), 1) (2(1,,142)71) (1(1,,209)94) (0(1, 194)286) (0(1(0(1,,230)284)225)297) (0(1(2,,124)310)123)257) (2(1,(1(0138)335)(2(1, 39)77),(0(1258)312)(1, 211)320), 122)132) (0(1,,153)60) (0(1(0,(0170)198),,246)48) (2(0, 137)188) (1(0,,112)46) (0, 183)276) (2(2,,300)69) (0(2(1(2, 116)198),,283)50) (2(1,,103)62) (0(1(2,,200)204)197)326) (2(0,,168)73) (2(1,,114)73) (0(1,,119)87) (1(0,,147)31) (2(2,,328)14) (0(1,,174)76) (2(0, 145)321) (2(0,,230)51) (0(1, 112)121) (0, 236)265) (0, 219)316) (0(2,,132)49) (1(1, 184), 1) (1(0(0,,185)291)290)92) (2(1,,267)37) (1(2, 182)210) (1(2,,125)51) (2(0, 229)337) (0, 135)300) (0(1(0,,127)336)206)12) (2(0, 228)270) (0(2, 105)187) (1(1,,154)67) (0, 160)292) (0(1, 193)232) (1(1(2(1,,328),47)249)259)110)144) (0, 284)(2, 166)223) (0(2(1(0, 176)284)130)233), 218)291) (1(0(0(1,,307)144)58)56) (0(0,,311)16) (2, 277)297) (2(0,,247)66) (0(1,,162)53) (1(2, 163)306) (0(0,,108)53)(1, 161) (0, 222)226) (2(1(2(1,,,214)308)302)12) (1(0,(2109)306),(1,(1182)92),(0(1,223)15),(2(2175)238)(1,(0,272)29),,233)99) (0(0,,199)62) (0(2, 122), 6) (0(2, 141)254) (2(2,,118)74) (2(2,,292)54) (1(2,,321)91) (2(0(2(1,,171)189)182)243) (1(2,,140)42) (1(0,,278)59) (0(1, 137)293) (0(0(1(2,,214)27)214)275) (2(1(0(2,,55)81)102)77) (2(0,,179)68) (0, 251)295) (2(1,,,180)99)176)229) (2(1(2(0,,141)317),317)25) (1(2(0(1,,,,195)133)33)89) (1(2(0(1,,,218)250)241)83) (0(1(0,,,271)240)274)44) (2(2,,274)57) (2(0, 215), 1) (0(2(2(1,,255),25)24)70) (2(0(1(0,,,209)83)175)207) (0(2, 196)311) (2(2,,121)60) (1(1(0(2,,,190)46)45)59) (0(2,,257)15) (0(2, 138)220) (0(2(2,,106)325)282)75) (1(2(2(1(1(0,,111)202),27)69)174)301) (1(2(2(0,,104)167)105)293)(2(1(0,,128)248)299)253)(1(2(2(0,,162)212)160)184)(0(2, 128)313) (0, 64)97) (1, 157)(1, 253)266) (0, 129) (1(2,,289)26) (2, 139)150) (1, 42)86) (0, 208)305) (1(0, 199), 8) (1(2,,302)43) (0(2,,235)37) (2(2,,205)44) (1(0(2(1,,,257)161)108)48) (1(0(2,,166)171)147)271) (1(2,,226)22) (1(2, 102)299) (2(1(1(2,,,,244)237)57)11) (0(2(0(2,,,198)218)192)47) (1(0, 269)334) (1(2,,136)62) (1(0(1(2,(0141)202),,118)156)310)22) (2, 148)241) (2(2, 170), 5) (0(1(0(1,(1,101)294)316),89),181)27) (0(1, 187)250) (2, 174)269) (2(0,,334)76) (1(2, 315)186) (2, 337) (0(1, 159)231) (2(1, 144)164) (0(2(1,,324)246)286)54) (0(1, 103)234) (1, 208) (0(1(0(2,,,133)224)24)58) (1(0,,45)7) (2(1,,191)16) (1(2, 187)197) (1(2, 160)216) (1(0, 215)243) (0(2,,285)68) (1(1,,255)78) (2(1(0(2,,,140)11)11)86) (2(0(1,,126)177)124)192) (2(1, 130)180) (0(2,,314)96) (2(0,,190)15) (1(2, 107)291) (0(0,,210)29) (2(1,,304)95) (1(0, 43)75) (1, 105)220) (1(0,,313)34) (1(2, 178)193)206)333) (2(2,,245)303)16)82) (2(2,,213)79) (0(1, 100)155) (2(1, 10)75) (1(1,,28)3) (1(0(0(2, 103)203), 49)66) (1(0, 119)140) (2(1,,110)90) (0, 32) (2, 312) (0(1,,322)26) (0, 84)93) (2(0,,53)0) (2, 120)222) (0, 120)328) (1, 10)21) (0, 117)238) (0(1, 139)173) (0, 250)312) (1(2(1(1,,201),78)334)23) (2(1, 265)204) (0(1, 197)295) (1(0(0(2(1,,,314),61)223)130)46)32) (2(0(1(2(1, ,162)244)145)181)178)247) (1(2(0(2,,,311),48)180)36) (0(1, 113)279) (0(2,,317)87) (0(2, 104), 9) (0(2(1,,260)262)327)96) (2(0(2(1,,,163)82)117)303) (1(0, 137)326) (1, 116)315) (2(0, 28)56) (0(1(0(2,,134)143)185)322) (0(0(1,,,212)57)219)263) (1(0, 148)209) (2(1, 143), 2) (1, 258) (1, 84) (2, 172)329) (0(0,,164)28) (0, 121)166) (2(1(0(1,,184)169)261)55) (1(2(0(0,,135)268)216)55) (0(2(1(2,,248),260)33)33) (2(0,,100)50) (1(2(2,,206)280)158)282) (0(0,,173)85) (1(2, 276)319) (2(0, 196)249) (1(2(1(2,,167)331),339)35) (2(0(1(2,,132)155)158)336) (2(1, 109)212) (0(2, 252), 7) (1(0,,133)78) (1(0(1(2,,,207)228)178)129)51)97) (0(1, 148)304)251)326) (2(0, 203)254) (0, 169)315) (0(0,,81)3) (1, 146) (2(1,,263)25) (0(1(0,,313)201)65)26) (0(2(2,,289)122)80)99) (0, 323) (1(2, 131)285) (2, 231)255) (2(2, 161), 0) (1, 106)216) (2(1, 32)97) (2(1, 314), 8) (2, 125) (0, 54) (2(0,,136)10) (1(2, 246)340) (2(1, 211), 4) (2, 153)165) (2, 31)64) (2, 52) (1, 196) (2(0, 189)277) (0(1, 298)330) (0, 149)303)

...from expander graphs

I Current hash functions look like this:

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 4 ...from expander graphs

I Current hash functions look like this:

I While expander hashes look like this:

(2(2,,194)95) (2(0, 124)245) (0, 21)43) (2, 290) (0, 306) (1, 64) (0(2,,286)98) (0(2,,91)2) (2, 159)324) (0(1,,14)7) (0(2,,151)21) (1(1,,170)58) (2, 115)252) (2(1, 107), 0) (0, 186) (0, 229) (1(2, 244), 4) (2(1, 175)337) (0(2(1,,302)333)237)44) (2(0, 278), 5) (2(2,,164)90) (2(0, 151)191)200)266) (0(1,,283)19) (2(1(2(0,,293)40)13)60) (0, 145)213) (2, 127)259) (0(2, 110)243) (1(0,,150)87) (2(0,,219)40) (0, 273) (0, 217) (1(2, 274), 3) (2(2(0,,101)23)104)115) (1(2(0(2,,260)146)65)93) (0(1(0(0,,221)277)126)231),272)95) (2(0(1(1,,248),96)254)88) (2(1(2(0,,173),22)281)23) (1(0, 113)332) (2, 279)301) (1, 152)296) (1(1, 153), 6) (2(0,,131)17) (2(1(1(0,,169)252),165)13) (2, 106)183) (0(1,,339)68) (0(2(1,,172)221)159)177) (2(1(0(1,,217)322),227)85) (1(0, 225)330) (2(1(0,,113)171)325)72) (0(2(1, 179)256), 17)66) (1(0,,120)191)109)275) (1(0(0(2,,,285),36)111)81) (0(0,,181)80) (1(0,,202)38) (1(1,,230)18) (2(0, 186)263) (2(0, 224), 6) (0(1,,234)36) (0, 240) (2, 176) (1(1,,213)92) (1(0(2,,24)39)242)288) (1(0(1,,200)299)239)280) (2(1, 185)217) (2(0(1(2,,135)168)134)234) (1, 221)331) (2(1, 332), 5) (2, 208)239) (0(2(1, 118)270)287)309) (1(2, 273)305) (2(0(2(2,,295),47)157)20) (0(1, 266)267) (1(0, 156)258) (1(2(1(1(0,,262)294),31)93),235)69) (2(2,,177)18) (2(1,,338)98) (1(2(1(2,,,183)308)188)39) (2(1(2,,134)203)207)273) (2(0, 307)320) (1, 298)318) (0, 309)340) (0(1,,74)9) (2, 19) (2, 30) (2(0,,335)19) (1, 194)128) (1(2, 38)89) (0(1(2(0,,335)73)63)86) (1(0(1(2,,156)245)189)225) (2, 149)237) (1, 117)205) (0(2,,165)45) (2(0, 316)327) (2(1, 116)261) (1(2, 242)320) (1(0,,41)9) (1(1,,241)29) (0, 269)280) (2(2,,251)61) (1(2(2(0, 329)330), 199)236)150)205) (0(2, 267)318) (1(1(0(2(1,,100)300),17)37)276)288) (0(1,,264)79) (0, 278)329) (2(0(2,,288)308)298)265) (1(0(2,,204)319)232)309) (1(0, 101)143) (0, 114)224) (1(1(0,,,139)227)114)42) (0(0(2,,,167)279)220)72) (0, 157)126) (2, 119)296) (1(0, 292), 2) (1(2,,142)38) (1(2, 211)287) (1(1,,151)74) (0(1,,125)20) (0, 94) (0, 98) (2(1, 102)268) (0, 71)90) (2(1, 84)30) (0(1(0(1,,131)338)20)52) (2(1, 193)340) (1(1,,123)34) (0(2, 262), 8) (1(2(0(1, 236)253)190)331), 228)301) (1(1,,332)59) (0(1(2,,,294)290)323)71) (2(2,,226)76) (2(1, 70)77) (0(0,,318)79) (1(2(0(1,,,272)256)287)82) (1(0(1(0,,115)136)172)297) (0(1,,296)14) (1(0, 179)310) (2(1,,112)13)(1(0(2,,127)282),281)85)(2(2(0,,155)192)111)154) (0(1, 107)324) (0(1,,336)50) (1(0(0(2,,,264),88)242)94) (2(0, 283)338) (1, 35)49) (2(2,,201)88) (0(0,,158)52) (1(2,,271)12) (0(2(2,,,41)63)154)34) (0(2,,195)65) (0(0, 307), 4) (2(0, 232)247) (0, 18)35) (2, 227)238) (0(2(2(1,,142)264)339)256) (1(0, 210)215) (1, 108)(2(2,,129)63) (1, 138)281) (2(1, 240)305) (1(0, 239)333) (1, 249) (2(2,,233)67) (2(0(1,(2(1195)259),,168)56)91)41) (0(1(2,(1163)275)152)222),,188)72) (1(0(0,,,149)270)268)70) (2(0(1(2,,,321)325)80)40) (2(0, 235)319) (0(0,,123)67) (0(2(2,,147)146)289)83) (0(0,,304)30) (2(1,,261)61) (2, 152)327) (2(2, 323), 1) (2(1,,142)71) (1(1,,209)94) (0(1, 194)286) (0(1(0(1,,230)284)225)297) (0(1(2,,124)310)123)257) (2(1,(1(0138)335)(2(1, 39)77),(0(1258)312)(1, 211)320), 122)132) (0(1,,153)60) (0(1(0,(0170)198),,246)48) (2(0, 137)188) (1(0,,112)46) (0, 183)276) (2(2,,300)69) (0(2(1(2, 116)198),,283)50) (2(1,,103)62) (0(1(2,,200)204)197)326) (2(0,,168)73) (2(1,,114)73) (0(1,,119)87) (1(0,,147)31) (2(2,,328)14) (0(1,,174)76) (2(0, 145)321) (2(0,,230)51) (0(1, 112)121) (0, 236)265) (0, 219)316) (0(2,,132)49) (1(1, 184), 1) (1(0(0,,185)291)290)92) (2(1,,267)37) (1(2, 182)210) (1(2,,125)51) (2(0, 229)337) (0, 135)300) (0(1(0,,127)336)206)12) (2(0, 228)270) (0(2, 105)187) (1(1,,154)67) (0, 160)292) (0(1, 193)232) (1(1(2(1,,328),47)249)259)110)144) (0, 284)(2, 166)223) (0(2(1(0, 176)284)130)233), 218)291) (1(0(0(1,,307)144)58)56) (0(0,,311)16) (2, 277)297) (2(0,,247)66) (0(1,,162)53) (1(2, 163)306) (0(0,,108)53)(1, 161) (0, 222)226) (2(1(2(1,,,214)308)302)12) (1(0,(2109)306),(1,(1182)92),(0(1,223)15),(2(2175)238)(1,(0,272)29),,233)99) (0(0,,199)62) (0(2, 122), 6) (0(2, 141)254) (2(2,,118)74) (2(2,,292)54) (1(2,,321)91) (2(0(2(1,,171)189)182)243) (1(2,,140)42) (1(0,,278)59) (0(1, 137)293) (0(0(1(2,,214)27)214)275) (2(1(0(2,,55)81)102)77) (2(0,,179)68) (0, 251)295) (2(1,,,180)99)176)229) (2(1(2(0,,141)317),317)25) (1(2(0(1,,,,195)133)33)89) (1(2(0(1,,,218)250)241)83) (0(1(0,,,271)240)274)44) (2(2,,274)57) (2(0, 215), 1) (0(2(2(1,,255),25)24)70) (2(0(1(0,,,209)83)175)207) (0(2, 196)311) (2(2,,121)60) (1(1(0(2,,,190)46)45)59) (0(2,,257)15) (0(2, 138)220) (0(2(2,,106)325)282)75) (1(2(2(1(1(0,,111)202),27)69)174)301) (1(2(2(0,,104)167)105)293)(2(1(0,,128)248)299)253)(1(2(2(0,,162)212)160)184)(0(2, 128)313) (0, 64)97) (1, 157)(1, 253)266) (0, 129) (1(2,,289)26) (2, 139)150) (1, 42)86) (0, 208)305) (1(0, 199), 8) (1(2,,302)43) (0(2,,235)37) (2(2,,205)44) (1(0(2(1,,,257)161)108)48) (1(0(2,,166)171)147)271) (1(2,,226)22) (1(2, 102)299) (2(1(1(2,,,,244)237)57)11) (0(2(0(2,,,198)218)192)47) (1(0, 269)334) (1(2,,136)62) (1(0(1(2,(0141)202),,118)156)310)22) (2, 148)241) (2(2, 170), 5) (0(1(0(1,(1,101)294)316),89),181)27) (0(1, 187)250) (2, 174)269) (2(0,,334)76) (1(2, 315)186) (2, 337) (0(1, 159)231) (2(1, 144)164) (0(2(1,,324)246)286)54) (0(1, 103)234) (1, 208) (0(1(0(2,,,133)224)24)58) (1(0,,45)7) (2(1,,191)16) (1(2, 187)197) (1(2, 160)216) (1(0, 215)243) (0(2,,285)68) (1(1,,255)78) (2(1(0(2,,,140)11)11)86) (2(0(1,,126)177)124)192) (2(1, 130)180) (0(2,,314)96) (2(0,,190)15) (1(2, 107)291) (0(0,,210)29) (2(1,,304)95) (1(0, 43)75) (1, 105)220) (1(0,,313)34) (1(2, 178)193)206)333) (2(2,,245)303)16)82) (2(2,,213)79) (0(1, 100)155) (2(1, 10)75) (1(1,,28)3) (1(0(0(2, 103)203), 49)66) (1(0, 119)140) (2(1,,110)90) (0, 32) (2, 312) (0(1,,322)26) (0, 84)93) (2(0,,53)0) (2, 120)222) (0, 120)328) (1, 10)21) (0, 117)238) (0(1, 139)173) (0, 250)312) (1(2(1(1,,201),78)334)23) (2(1, 204)265) (0(1, 197)295) (1(0(0(2(1,,,314),61)223)130)46)32) (2(0(1(2(1, ,162)244)145)181)178)247) (1(2(0(2,,,311),48)180)36) (0(1, 113)279) (0(2,,317)87) (0(2, 104), 9) (0(2(1,,260)262)327)96) (2(0(2(1,,,163)82)117)303) (1(0, 137)326) (1, 116)315) (2(0, 28)56) (0(1(0(2,,134)143)185)322) (0(0(1,,,212)57)219)263) (1(0, 148)209) (2(1, 143), 2) (1, 258) (1, 84) (2, 172)329) (0(0,,164)28) (0, 121)166) (2(1(0(1,,184)169)261)55) (1(2(0(0,,135)268)216)55) (0(2(1(2,,248),260)33)33) (2(0,,100)50) (1(2(2,,206)280)158)282) (0(0,,173)85) (1(2, 276)319) (2(0, 196)249) (1(2(1(2,,167)331),339)35) (2(0(1(2,,132)155)158)336) (2(1, 109)212) (0(2, 252), 7) (1(0,,133)78) (1(0(1(2,,,207)228)178)129)51)97) (0(1, 148)304)251)326) (2(0, 203)254) (0, 169)315) (0(0,,81)3) (1, 146) (2(1,,263)25) (0(1(0,,313)201)65)26) (0(2(2,,289)122)80)99) (0, 323) (1(2, 131)285) (2, 231)255) (2(2, 161), 0) (1, 106)216) (2(1, 32)97) (2(1, 314), 8) (2, 125) (0, 54) (2(0,,136)10) (1(2, 246)340) (2(1, 211), 4) (2, 153)165) (2, 31)64) (2, 52) (1, 196) (2(0, 189)277) (0(1, 298)330) (0, 149)303)

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 4 Outline

I Introduction

I Cryptographic background

I Expander hashes

I Cayley hashes

I Generic attacks

I Known instances

I Conclusion

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 5 Outline

I Introduction

I Cryptographic background

I Hash functions

I Security proofs in Cryptography

I Expander hashes

I Cayley hashes

I Generic attacks

I Known instances

I Conclusion

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 6 Outline

I Introduction

I Cryptographic background

I Hash functions

I Security proofs in Cryptography

I Expander hashes

I Cayley hashes

I Generic attacks

I Known instances

I Conclusion

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 7 Cryptographic hash functions

H : {0, 1}κ × {0, 1}∗ → {0, 1}λ

I Main properties: 0 I Collision resistance: given k, hard to ﬁnd m, m such that H(k, m) = H(k, m0)

I Second preimage resistance: given k and m, hard to ﬁnd m0 6= m such that H(k, m) = H(k, m0)

I Preimage resistance: given k and the value H(k, m) for some m, hard to ﬁnd m0 such that H(k, m) = H(k, m0)

(We often omit k in the following) (λ ≥ 160 in practice)

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 8 Cryptographic hash functions were compared to Swiss army knifes because of their multiple uses

Figure 1: A hash function is used as a Swiss army knife

Cryptographic hash functions

I Further properties:

I XOR resistance, ADD resistance, non-multiplicativity ...

I PRF, random oracle, ...

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 9 Cryptographic hash functions

I Further properties:

I XOR resistance, ADD resistance, non-multiplicativity ...

I PRF, random oracle, ...

Cryptographic hash functions were compared to Swiss army knifes because of their multiple uses

Figure 1: A hash function is used as a Swiss army knife

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 9

1 Outline

I Introduction

I Cryptographic background

I Hash functions

I Security proofs in Cryptography

I Expander hashes

I Cayley hashes

I Generic attacks

I Known instances

I Conclusion

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 10 Security proofs in Cryptography

I Proof by reduction:

if some cryptographic property can be broken, then some (mathematical) problem can be solved

The security of the algorithm reduces to the hardness of the problem

I This lessens design and evaluation eﬀort

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 11 I Some algorithms are also used because they “are very strong”, “behave like random”, “have no weakness”

I AES

I (Until recently) SHA

Building blocks

I Some mathematical problems are very hard:

I Integer factorization problem (IFP)

I Discrete logarithm problem (DLP)

I Elliptic curve DLP (ECDLP)

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 12 Building blocks

I Some mathematical problems are very hard:

I Integer factorization problem (IFP)

I Discrete logarithm problem (DLP)

I Elliptic curve DLP (ECDLP)

I Some algorithms are also used because they “are very strong”, “behave like random”, “have no weakness”

I AES

I (Until recently) SHA

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 12 I Algorithms + Some are well-studied... − ... but not outside their initial purpose + No apparent weakness... − ... but “heuristic security”: there may be hidden weaknesses, structure is badly understood

Comparison of building blocks

I Mathematical problems + The adversary’s goal is clearly captured + Some problems have been very well-studied... + ... including outside the community − Cannot prove everything − Math. structure induces side-weaknesses

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 13 Comparison of building blocks

I Algorithms + Some are well-studied... − ... but not outside their initial purpose + No apparent weakness... − ... but “heuristic security”: there may be hidden weaknesses, structure is badly understood

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 13 Expander hashes

I The security of standard hash functions is mainly heuristic

I In expander hashes, collision resistance relies on (not so classical) mathematical problems

(2(2,,194)95) (2(0, 124)245) (0, 21)43) (2, 290) (0, 306) (1, 64) (0(2,,286)98) (0(2,,91)2) (2, 159)324) (0(1,,14)7) (0(2,,151)21) (1(1,,170)58) (2, 115)252) (2(1, 107), 0) (0, 186) (0, 229) (1(2, 244), 4) (2(1, 175)337) (0(2(1,,302)333)237)44) (2(0, 278), 5) (2(2,,164)90) (2(0, 151)191)200)266) (0(1,,283)19) (2(1(2(0,,293)40)13)60) (0, 145)213) (2, 127)259) (0(2, 110)243) (1(0,,150)87) (2(0,,219)40) (0, 273) (0, 217) (1(2, 274), 3) (2(2(0,,101)23)104)115) (1(2(0(2,,260)146)65)93) (0(1(0(0,,221)277)126)231),272)95) (2(0(1(1,,248),96)254)88) (2(1(2(0,,173),22)281)23) (1(0, 113)332) (2, 279)301) (1, 152)296) (1(1, 153), 6) (2(0,,131)17) (2(1(1(0,,169)252),165)13) (2, 106)183) (0(1,,339)68) (0(2(1,,172)221)159)177) (2(1(0(1,,217)322),227)85) (1(0, 225)330) (2(1(0,,113)171)325)72) (0(2(1, 179)256), 17)66) (1(0,,120)191)109)275) (1(0(0(2,,,285),36)111)81) (0(0,,181)80) (1(0,,202)38) (1(1,,230)18) (2(0, 186)263) (2(0, 224), 6) (0(1,,234)36) (0, 240) (2, 176) (1(1,,213)92) (1(0(2,,24)39)242)288) (1(0(1,,200)299)239)280) (2(1, 185)217) (2(0(1(2,,135)168)134)234) (1, 221)331) (2(1, 332), 5) (2, 208)239) (0(2(1, 118)270)287)309) (1(2, 273)305) (2(0(2(2,,295),47)157)20) (0(1, 266)267) (1(0, 156)258) (1(2(1(1(0,,262)294),93)31),235)69) (2(2,,177)18) (2(1,,338)98) (1(2(1(2,,,183)308)188)39) (2(1(2,,134)203)207)273) (2(0, 307)320) (1, 298)318) (0, 309)340) (0(1,,74)9) (2, 19) (2, 30) (2(0,,335)19) (1, 194)128) (1(2, 38)89) (0(1(2(0,,335)73)63)86) (1(0(1(2,,156)245)189)225) (2, 149)237) (1, 117)205) (0(2,,165)45) (2(0, 316)327) (2(1, 116)261) (1(2, 242)320) (1(0,,41)9) (1(1,,241)29) (0, 269)280) (2(2,,251)61) (1(2(2(0, 329)330), 199)236)150)205) (0(2, 267)318) (1(1(0(2(1,,100)300),17)37)276)288) (0(1,,264)79) (0, 278)329) (2(0(2,,288)308)298)265) (1(0(2,,204)319)232)309) (1(0, 101)143) (0, 114)224) (1(1(0,,,139)227)114)42) (0(0(2,,,167)279)220)72) (0, 157)126) (2, 119)296) (1(0, 292), 2) (1(2,,142)38) (1(2, 211)287) (1(1,,151)74) (0(1,,125)20) (0, 94) (0, 98) (2(1, 102)268) (0, 71)90) (2(1, 84)30) (0(1(0(1,,131)338)20)52) (2(1, 193)340) (1(1,,123)34) (0(2, 262), 8) (1(2(0(1, 236)253)190)331), 228)301) (1(1,,332)59) (0(1(2,,,294)290)323)71) (2(2,,226)76) (2(1, 70)77) (0(0,,318)79) (1(2(0(1,,,272)256)287)82) (1(0(1(0,,115)136)172)297) (0(1,,296)14) (1(0, 179)310) (2(1,,112)13)(1(0(2,,127)282),281)85)(2(2(0,,155)192)111)154) (0(1, 107)324) (0(1,,336)50) (1(0(0(2,,,264),88)242)94) (2(0, 283)338) (1, 35)49) (2(2,,201)88) (0(0,,158)52) (1(2,,271)12) (0(2(2,,,41)63)154)34) (0(2,,195)65) (0(0, 307), 4) (2(0, 232)247) (0, 18)35) (2, 227)238) (0(2(2(1,,142)264)256)339) (1(0, 210)215) (1, 108)(2(2,,129)63) (1, 138)281) (2(1, 240)305) (1(0, 239)333) (1, 249) (2(2,,233)67) (2(0(1,(2(1195)259),,168)56)91)41) (0(1(2,(1163)275)152)222),,188)72) (1(0(0,,,149)270)268)70) (2(0(1(2,,,321)325)80)40) (2(0, 235)319) (0(0,,123)67) (0(2(2,,147)146)289)83) (0(0,,304)30) (2(1,,261)61) (2, 152)327) (2(2, 323), 1) (2(1,,142)71) (1(1,,209)94) (0(1, 194)286) (0(1(0(1,,230)284)225)297) (0(1(2,,124)310)123)257) (2(1,(1(0138)335)(2(1, 39)77),(0(1258)312)(1, 211)320), 122)132) (0(1,,153)60) (0(1(0,(0170)198),,246)48) (2(0, 137)188) (1(0,,112)46) (0, 183)276) (2(2,,300)69) (0(2(1(2, 116)198),,283)50) (2(1,,103)62) (0(1(2,,200)204)197)326) (2(0,,168)73) (2(1,,114)73) (0(1,,119)87) (1(0,,147)31) (2(2,,328)14) (0(1,,174)76) (2(0, 145)321) (2(0,,230)51) (0(1, 121)112) (0, 236)265) (0, 219)316) (0(2,,132)49) (1(1, 184), 1) (1(0(0,,185)291)290)92) (2(1,,267)37) (1(2, 182)210) (1(2,,125)51) (2(0, 229)337) (0, 135)300) (0(1(0,,127)336)206)12) (2(0, 228)270) (0(2, 105)187) (1(1,,154)67) (0, 160)292) (0(1, 193)232) (1(1(2(1,,328),47)249)259)110)144) (0, 284)(2, 166)223) (0(2(1(0, 176)284)130)233), 218)291) (1(0(0(1,,307)144)58)56) (0(0,,311)16) (2, 277)297) (2(0,,247)66) (0(1,,162)53) (1(2, 163)306) (0(0,,108)53)(1, 161) (0, 222)226) (2(1(2(1,,,214)308)302)12) (1(0,(2109)306),(1,(1182)92),(0(1,223)15),(2(2175)238)(1,(0,272)29),,233)99) (0(0,,199)62) (0(2, 122), 6) (0(2, 141)254) (2(2,,118)74) (2(2,,292)54) (1(2,,321)91) (2(0(2(1,,171)189)182)243) (1(2,,140)42) (1(0,,278)59) (0(1, 137)293) (0(0(1(2,,214)27)214)275) (2(1(0(2,,55)81)102)77) (2(0,,179)68) (0, 251)295) (2(1,,,180)99)176)229) (2(1(2(0,,141)317),317)25) (1(2(0(1,,,,195)133)33)89) (1(2(0(1,,,218)250)241)83) (0(1(0,,,271)240)274)44) (2(2,,274)57) (2(0, 215), 1) (0(2(2(1,,255),25)24)70) (2(0(1(0,,,209)83)175)207) (0(2, 196)311) (2(2,,121)60) (1(1(0(2,,,190)46)45)59) (0(2,,257)15) (0(2, 138)220) (0(2(2,,106)325)282)75) (1(2(2(1(1(0,,111)202),27)69)174)301) (1(2(2(0,,104)167)105)293)(2(1(0,,128)248)299)253)(1(2(2(0,,162)212)160)184)(0(2, 128)313) (0, 64)97) (1, 157)(1, 253)266) (0, 129) (1(2,,289)26) (2, 139)150) (1, 42)86) (0, 208)305) (1(0, 199), 8) (1(2,,302)43) (0(2,,235)37) (2(2,,205)44) (1(0(2(1,,,257)161)108)48) (1(0(2,,166)171)147)271) (1(2,,226)22) (1(2, 102)299) (2(1(1(2,,,,244)237)57)11) (0(2(0(2,,,198)218)192)47) (1(0, 269)334) (1(2,,136)62) (1(0(1(2,(0141)202),,118)156)310)22) (2, 148)241) (2(2, 170), 5) (0(1(0(1,(1,101)294)316),89),181)27) (0(1, 187)250) (2, 174)269) (2(0,,334)76) (1(2, 315)186) (2, 337) (0(1, 159)231) (2(1, 144)164) (0(2(1,,324)246)286)54) (0(1, 103)234) (1, 208) (0(1(0(2,,,133)224)24)58) (1(0,,45)7) (2(1,,191)16) (1(2, 187)197) (1(2, 160)216) (1(0, 215)243) (0(2,,285)68) (1(1,,255)78) (2(1(0(2,,,140)11)11)86) (2(0(1,,126)177)124)192) (2(1, 130)180) (0(2,,314)96) (2(0,,190)15) (1(2, 107)291) (0(0,,210)29) (2(1,,304)95) (1(0, 43)75) (1, 105)220) (1(0,,313)34) (1(2, 178)193)206)333) (2(2,,245)303)16)82) (2(2,,213)79) (0(1, 100)155) (2(1, 75)10) (1(1,,28)3) (1(0(0(2, 103)203), 49)66) (1(0, 119)140) (2(1,,110)90) (0, 32) (2, 312) (0(1,,322)26) (0, 84)93) (2(0,,53)0) (2, 120)222) (0, 120)328) (1, 10)21) (0, 117)238) (0(1, 139)173) (0, 250)312) (1(2(1(1,,201),78)334)23) (2(1, 204)265) (0(1, 197)295) (1(0(0(2(1,,,314),61)223)130)46)32) (2(0(1(2(1, ,162)244)145)181)178)247) (1(2(0(2,,,311),48)180)36) (0(1, 113)279) (0(2,,317)87) (0(2, 104), 9) (0(2(1,,260)262)327)96) (2(0(2(1,,,163)82)117)303) (1(0, 137)326) (1, 116)315) (2(0, 28)56) (0(1(0(2,,134)143)185)322) (0(0(1,,,212)57)219)263) (1(0, 148)209) (2(1, 143), 2) (1, 258) (1, 84) (2, 172)329) (0(0,,164)28) (0, 121)166) (2(1(0(1,,184)169)261)55) (1(2(0(0,,135)268)216)55) (0(2(1(2,,248),260)33)33) (2(0,,100)50) (1(2(2,,206)280)158)282) (0(0,,173)85) (1(2, 276)319) (2(0, 196)249) (1(2(1(2,,167)331),339)35) (2(0(1(2,,132)155)158)336) (2(1, 109)212) (0(2, 252), 7) (1(0,,133)78) (1(0(1(2,,,207)228)178)129)51)97) (0(1, 148)304)251)326) (2(0, 203)254) (0, 169)315) (0(0,,81)3) (1, 146) (2(1,,263)25) (0(1(0,,313)201)65)26) (0(2(2,,289)122)80)99) (0, 323) (1(2, 131)285) (2, 231)255) (2(2, 161), 0) (1, 106)216) (2(1, 32)97) (2(1, 314), 8) (2, 125) (0, 54) (2(0,,136)10) (1(2, 246)340) (2(1, 211), 4) (2, 153)165) (2, 31)64) (2, 52) (1, 196) (2(0, 189)277) (0(1, 298)330) (0, 149)303)

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 14 Outline

I Introduction

I Cryptographic background

I Expander hashes

I Cayley hashes

I Generic attacks

I Known instances

I Conclusion

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 15 4

m = 101

I Given a message m, decompose it into k-digits m = m1m2...mµ

I The digits ﬁx a walk in the graph according to the coloring

I The last vertex is the hash value

Construction for directed graphs

I For a k-regular directed graph, color the edges with k colors, choose an initial vertex 5 4 6 3

7 2 0 1

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 16 4

I The last vertex is the hash value

Construction for directed graphs

I For a k-regular directed graph, color the edges with k colors, choose an initial vertex 5 4 6 3 m = 101 7 2 0 1

I Given a message m, decompose it into k-digits m = m1m2...mµ

I The digits ﬁx a walk in the graph according to the coloring

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 16 Construction for directed graphs

I For a k-regular directed graph, color the edges with k colors, choose an initial vertex 5 4 6 3 m = 101 7 2 0 1

I Given a message m, decompose it into k-digits m = m1m2...mµ

I The digits ﬁx a walk in the graph according to the coloring

I The last vertex is the hash value

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 16 I Given a message m, decompose it into (k − 1)-digits m = m1m2...mµ

I The digits ﬁx a non-backtracking walk in the graph; the last vertex is the hash value

Construction for undirected graphs

I For a k-regular undirected graph, explicitly forbid backtracking (otherwise trivial collisions)

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 17 Construction for undirected graphs

I For a k-regular undirected graph, explicitly forbid backtracking (otherwise trivial collisions)

I Given a message m, decompose it into (k − 1)-digits m = m1m2...mµ

I The digits ﬁx a non-backtracking walk in the graph; the last vertex is the hash value

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 17 I Finding a preimage is ﬁnding a path starting at the origin and ending at some given vertex. 5 4 6 3

7 2 0 1 ( For Crypto, ≥ 2160 vertices )

Collisions and preimages

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 18 Collisions and preimages

I Finding a preimage is ﬁnding a path starting at the origin and ending at some given vertex. 5 4 6 3

7 2 0 1 ( For Crypto, ≥ 2160 vertices )

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 18 Collisions and preimages

I Finding a collision amounts to ﬁnding two paths starting at the origin and ending at the same vertex. 5 4 6 3

7 2 0 1

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 19 Collisions and preimages

I If the graph is undirected, this amounts to ﬁnding a cycle through the origin. 5 4 6 3

7 2 0 1

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 20 I The minimal “distance” between any collisions is given by the girth of the graph

Girth

I For undirected graphs, the girth is the size of the smallest cycle For directed graphs 5 4 6 3

7 2 0 1

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 21 Girth

I For undirected graphs, the girth is the size of the smallest cycle For directed graphs 5 4 6 3

7 2 0 1

I The minimal “distance” between any collisions is given by the girth of the graph

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 21 I Uniform distribution of outputs iﬀ convergence of random walks iﬀ λ < k

I λ gives the rate of convergence

I Expander graph : λ small √ I Alon-Boppana (undirected graphs): lim inf λ ≥ 2 k − 1 |V |→+∞ √1 I Ramanujan graph family : lim inf|V |→+∞ λ1 = 2 k − 1

Spectral expansion

I λ := maxi6=0 |λi | (λi = eigenvalues of the graph)

I k-regular graphs : λ0 = k ≥ |λi | I k-regular undirected graphs : λ0 = k ≥ λ1 ≥ ... ≥ λn−1 ≥ −k

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 22 √ I Alon-Boppana (undirected graphs): lim inf λ ≥ 2 k − 1 |V |→+∞ √1 I Ramanujan graph family : lim inf|V |→+∞ λ1 = 2 k − 1

Spectral expansion

I λ := maxi6=0 |λi | (λi = eigenvalues of the graph)

I k-regular graphs : λ0 = k ≥ |λi | I k-regular undirected graphs : λ0 = k ≥ λ1 ≥ ... ≥ λn−1 ≥ −k

I Uniform distribution of outputs iﬀ convergence of random walks iﬀ λ < k

I λ gives the rate of convergence

I Expander graph : λ small

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 22 Spectral expansion

I λ := maxi6=0 |λi | (λi = eigenvalues of the graph)

I k-regular graphs : λ0 = k ≥ |λi | I k-regular undirected graphs : λ0 = k ≥ λ1 ≥ ... ≥ λn−1 ≥ −k

I Uniform distribution of outputs iﬀ convergence of random walks iﬀ λ < k

I λ gives the rate of convergence

I Expander graph : λ small √ I Alon-Boppana (undirected graphs): lim inf λ ≥ 2 k − 1 |V |→+∞ √1 I Ramanujan graph family : lim inf|V |→+∞ λ1 = 2 k − 1

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 22 Outline

I Introduction

I Cryptographic background

I Expander hashes

I Cayley hashes

I Generic attacks

I Known instances

I Conclusion

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 23 I Example : G = (Z/8Z, +), S = {1, 2} 5 4 6 3

7 2 0 1

Cayley Graph

I CG,S = (V , E) : for a group G and S ⊂ G, add

I a vertex vg for each g ∈ G

I an edge (vg1 , vg2 ) iﬀ ∃s ∈ S with g2 = g1s

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 24 Cayley Graph

I CG,S = (V , E) : for a group G and S ⊂ G, add

I a vertex vg for each g ∈ G

I an edge (vg1 , vg2 ) iﬀ ∃s ∈ S with g2 = g1s

I Example : G = (Z/8Z, +), S = {1, 2} 5 4 6 3

7 2 0 1

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 24 I Simpliﬁes deﬁnition and study

I Allows parallelism

H(m1||m2) = H(m1)H(m2)

Cayley Hashes

I Cayley hashes: expander hashes built from Cayley graphs

I Example for S = {s0, s1} and initial vertex 1:

H(11001) = s1s1s0s0s1

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 25 Cayley Hashes

I Cayley hashes: expander hashes built from Cayley graphs

I Example for S = {s0, s1} and initial vertex 1:

H(11001) = s1s1s0s0s1

I Simpliﬁes deﬁnition and study

I Allows parallelism

H(m1||m2) = H(m1)H(m2)

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 25 I Given a group G and S = {s1, ...sk } ⊂ G, ﬁnd a product in reduced form

Y ei sθ(i) = 1 1≤i≤N

+ P where ei ∈ Z , θ : {1, ...N} → {1...k} and ei is “small”.

−1 By reduced form, we mean that for each i, sθ(i+1) 6= sθ(i), sθ(i).

Representation problem

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 26 Representation problem

I Given a group G and S = {s1, ...sk } ⊂ G, ﬁnd a product in reduced form

Y ei sθ(i) = 1 1≤i≤N

+ P where ei ∈ Z , θ : {1, ...N} → {1...k} and ei is “small”.

−1 By reduced form, we mean that for each i, sθ(i+1) 6= sθ(i), sθ(i).

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 26 Balance problem

I Find two products

0 Y ei Y ei sθ(i) = sθ0(i) 1≤i≤N 1≤i≤N0

where...

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 27 I Similarly, a factorization problem can be deﬁned, equivalent to ﬁnding preimages

I The hardness of these problems highly depends on G and S ! Of course, G must be non-Abelian

Security of Cayley Hashes

I For Cayley hashes, Solving the representation problem ⇒ Finding collisions ⇒ Solving the balance problem

I Equivalence if the graph is undirected

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 28 I The hardness of these problems highly depends on G and S ! Of course, G must be non-Abelian

Security of Cayley Hashes

I For Cayley hashes, Solving the representation problem ⇒ Finding collisions ⇒ Solving the balance problem

I Equivalence if the graph is undirected

I Similarly, a factorization problem can be deﬁned, equivalent to ﬁnding preimages

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 28 Security of Cayley Hashes

I For Cayley hashes, Solving the representation problem ⇒ Finding collisions ⇒ Solving the balance problem

I Equivalence if the graph is undirected

I Similarly, a factorization problem can be deﬁned, equivalent to ﬁnding preimages

I The hardness of these problems highly depends on G and S ! Of course, G must be non-Abelian

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 28 Cayley hashes : security properties

hash properties graph proper- group properties ties collision cycle / two-paths representation / resistance problem balance problem preimage path-ﬁnding factorization resistance problem problem output expanding Kazhdan distribution properties constant minimal collision girth distance

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 29 Outline

I Introduction

I Cryptographic background

I Expander hashes

I Cayley hashes

I Generic attacks

I Known instances

I Conclusion

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 30 λ/2 I Birthday attack: choose 2 random messages; compute and store their hash values; you are likely to ﬁnd a collision

I Generic; defeated only by taking λ large enough

I Ideal hash functions: best collision attacks have complexity 2λ/2

Birthday collision attacks

I Birthday paradox: among 23 persons, there is a probability > 1/2 that two have a common birthday (out of N=365 days) √ I In general, ≈ N persons are needed

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 31 I Ideal hash functions: best collision attacks have complexity 2λ/2

Birthday collision attacks

I Birthday paradox: among 23 persons, there is a probability > 1/2 that two have a common birthday (out of N=365 days) √ I In general, ≈ N persons are needed

λ/2 I Birthday attack: choose 2 random messages; compute and store their hash values; you are likely to ﬁnd a collision

I Generic; defeated only by taking λ large enough

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 31 Birthday collision attacks

I Birthday paradox: among 23 persons, there is a probability > 1/2 that two have a common birthday (out of N=365 days) √ I In general, ≈ N persons are needed

λ/2 I Birthday attack: choose 2 random messages; compute and store their hash values; you are likely to ﬁnd a collision

I Generic; defeated only by taking λ large enough

I Ideal hash functions: best collision attacks have complexity 2λ/2

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 31 I Ideal hash functions: best preimage attacks have complexity 2λ

Exhaustive search preimage attacks

I Try random messages, or successively try all messages, until you ﬁnd one with the correct hash value λ I Generic; complexity ≈ 2

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 32 Exhaustive search preimage attacks

I Try random messages, or successively try all messages, until you ﬁnd one with the correct hash value λ I Generic; complexity ≈ 2

I Ideal hash functions: best preimage attacks have complexity 2λ

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 32 λ/2 I Complexity 2

I Possible because each step can be inverted

“Meet-in-the-middle” preimage attacks

I Idea: v λ/2 0 I Compute 2 hash values “forward” from the initial point λ/2 I Compute 2 “hash values” “backward” from the targeted hash

value middle values I By the birthday paradox, likely to ﬁnd a collision “in the middle”

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 33

1 “Meet-in-the-middle” preimage attacks

I Idea: v λ/2 0 I Compute 2 hash values “forward” from the initial point λ/2 I Compute 2 “hash values” “backward” from the targeted hash

value middle values I By the birthday paradox, likely to ﬁnd a collision “in the middle” λ/2 I Complexity 2

I Possible because each step can be vt inverted

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 33

1 λ/2 I Iterated hash functions: t-collisions in time log2 t2 [Joux04]: λ/2 0 I Time 2 for (m1, m1) starting at v0 and ending at the same vertex v1 λ/2 0 I Time 2 for (m2, m2) starting at v1 and ending at the same vertex v2

I → 4 colliding messages with twice the time of 2 I In general, t colliding messages with log2 t times the time of 2

Multicollision attacks

I Multicollision: tuple of messages (m1, m2, ..., mt ) with the same hash value

I Ideal hash function: ﬁnding a t-collision should take time about 2λ

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 34 I In general, t colliding messages with log2 t times the time of 2

Multicollision attacks

I Multicollision: tuple of messages (m1, m2, ..., mt ) with the same hash value

I Ideal hash function: ﬁnding a t-collision should take time about 2λ λ/2 I Iterated hash functions: t-collisions in time log2 t2 [Joux04]: λ/2 0 I Time 2 for (m1, m1) starting at v0 and ending at the same vertex v1 λ/2 0 I Time 2 for (m2, m2) starting at v1 and ending at the same vertex v2

I → 4 colliding messages with twice the time of 2

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 34 Multicollision attacks

I Multicollision: tuple of messages (m1, m2, ..., mt ) with the same hash value

I → 4 colliding messages with twice the time of 2 I In general, t colliding messages with log2 t times the time of 2

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 34 I Likely unpractical if |G| large: message sizes larger than internet’s size

Trivial collision attack for Cayley hashes

I Idea: ord(si ) I si = 1 for any si ∈ S I This gives a trivial collision with void message

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 35 Trivial collision attack for Cayley hashes

I Idea: ord(si ) I si = 1 for any si ∈ S I This gives a trivial collision with void message

I Likely unpractical if |G| large: message sizes larger than internet’s size

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 35 Subgroup attacks

I Suppose there are group elements with small order 1. Get m such that H(m) has small order r 2. Repeat m r times to get H(m||...||m) = 1

I For large |G|, the ﬁrst step is likely to be hard...

I ... unless we cheat in the parameters’ choice (trapdoor attack)

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 36 Subgroup attacks

I Suppose there is a subgroup tower sequence G = G0 ⊃ G1 ⊃ G2 ⊃ ... ⊃ GN = {I } such that |Gi−1|/|Gi | ≤ B for all i

I Generate random messages mi , compute their hash values hi and write them hi = gi xi where gi ∈ G1, store (mi , xi ) I Generate random messages mj , compute their “backward” hash values hj and write them hj = yj gj where gj ∈ G1, store (m , y −1) j j√ −1 I After B of each, likely that xi = yj for some i, j, hence H(mi ||mj ) ∈ G1 I Repeat and try to reach G2...

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 37 Subgroup attacks

√ I Complexity 2 B

I Defeated if |Gi−1|/|Gi | large enough for any subgroup tower sequence

I Sometimes more eﬃcient jumps from Gi to Gi+1

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 38 I In expander hashes, the adversary may cheat in choosing

I the initial vertex

I the graph parameters to help himself to ﬁnd collisions

I (Not a collision/preimage attack)

Trapdoor attacks

I Trapdoor: information that helps performing some task otherwise very hard (e.g. computing collisions)

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 39 Trapdoor attacks

I Trapdoor: information that helps performing some task otherwise very hard (e.g. computing collisions)

I In expander hashes, the adversary may cheat in choosing

I the initial vertex

I the graph parameters to help himself to ﬁnd collisions

I (Not a collision/preimage attack)

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 39 I Not a collision/preimage attack

I Problematic in some applications (e.g. digital signature)

I Useful in others (parallelism, [QJ97],...)

Malleability

I Malleability: 0 I Cayley hashes: for any m, m

H(m||m0) = H(m)H(m0)

0 0 I In general: given H(m) and m , easy to compute H(m||m )...

I ... even if m itself cannot be computed from H(m)!

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 40 I Problematic in some applications (e.g. digital signature)

I Useful in others (parallelism, [QJ97],...)

Malleability

I Malleability: 0 I Cayley hashes: for any m, m

H(m||m0) = H(m)H(m0)

0 0 I In general: given H(m) and m , easy to compute H(m||m )...

I ... even if m itself cannot be computed from H(m)!

I Not a collision/preimage attack

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 40 I Useful in others (parallelism, [QJ97],...)

Malleability

I Malleability: 0 I Cayley hashes: for any m, m

H(m||m0) = H(m)H(m0)

0 0 I In general: given H(m) and m , easy to compute H(m||m )...

I ... even if m itself cannot be computed from H(m)!

I Not a collision/preimage attack

I Problematic in some applications (e.g. digital signature)

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 40 Malleability

I Malleability: 0 I Cayley hashes: for any m, m

H(m||m0) = H(m)H(m0)

0 0 I In general: given H(m) and m , easy to compute H(m||m )...

I ... even if m itself cannot be computed from H(m)!

I Not a collision/preimage attack

I Problematic in some applications (e.g. digital signature)

I Useful in others (parallelism, [QJ97],...)

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 40 Outline

I Introduction

I Cryptographic background

I Expander hashes

I Cayley hashes

I Generic attacks

I Known instances

I Conclusion

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 41 Z´emor’s ﬁrst proposal

I Construction : [Z´em91,Z´em94]

I Let K = Fp, for p a large prime I Take G = SL(2, K),

1 1 1 0 S = {s0 = ( 0 1 ) , s1 = ( 1 1 )}

1 0 Take v0 = ( 0 1 )

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 42 I Trivially extends to a preimage attack

I Z´emor’s ﬁrst proposal broken !

Z´emor’s ﬁrst proposal

I Collision “lifting” attack [TZ93]

I Find a lift of the identity: a matrix M ∈ SL(2, Z) with M = I mod p I Solve the factorization problem in SL(2, Z) with a variant of the Euclidean algorithm

I Very eﬃcient algorithm

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 43 Z´emor’s ﬁrst proposal

I Collision “lifting” attack [TZ93]

I Find a lift of the identity: a matrix M ∈ SL(2, Z) with M = I mod p I Solve the factorization problem in SL(2, Z) with a variant of the Euclidean algorithm

I Very eﬃcient algorithm

I Trivially extends to a preimage attack

I Z´emor’s ﬁrst proposal broken !

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 43 ∼ I Take G = SL(2, K) = PSL(2, K),

X 1 XX +1 S = s0 = 1 0 , s1 = 1 1

1 0 Take v0 = ( 0 1 )

I Reasonably eﬃcient (binary ﬁelds arithmetic)

The Z´emor-Tillich hash function (ZT)

I Construction :

I Let Pn(X ) ∈ F2[X ] irreducible, degree n ∈ [130, 170] Let K = F2[X ]/(Pn(X ))

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 44 I Reasonably eﬃcient (binary ﬁelds arithmetic)

The Z´emor-Tillich hash function (ZT)

I Construction :

I Let Pn(X ) ∈ F2[X ] irreducible, degree n ∈ [130, 170] Let K = F2[X ]/(Pn(X )) ∼ I Take G = SL(2, K) = PSL(2, K),

X 1 XX +1 S = s0 = 1 0 , s1 = 1 1

1 0 Take v0 = ( 0 1 )

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 44 The Z´emor-Tillich hash function (ZT)

I Construction :

I Let Pn(X ) ∈ F2[X ] irreducible, degree n ∈ [130, 170] Let K = F2[X ]/(Pn(X )) ∼ I Take G = SL(2, K) = PSL(2, K),

X 1 XX +1 S = s0 = 1 0 , s1 = 1 1

1 0 Take v0 = ( 0 1 )

I Reasonably eﬃcient (binary ﬁelds arithmetic)

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 44 I ... but fundamentally unbroken since 1994

The Z´emor-Tillich hash function (ZT)

I Partial cryptanalysis...

I Generic issues of Cayley hashes

I Invertibility for short messages [SGGB00]

I Trapdoor attacks on Pn(X ) [CP94,AK98,SGGB00]

I Projection to ﬁnite ﬁelds [G96]

I Subgroup attacks for composite n [SGGB00] n/2 I Generic collision and preimage subgroup attacks in time 2 (instead of 23n/2 and 23n for birthday and exhaustive) [PQTZ09]

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 45 The Z´emor-Tillich hash function (ZT)

I Partial cryptanalysis...

I Generic issues of Cayley hashes

I Invertibility for short messages [SGGB00]

I Trapdoor attacks on Pn(X ) [CP94,AK98,SGGB00]

I Projection to ﬁnite ﬁelds [G96]

I Subgroup attacks for composite n [SGGB00] n/2 I Generic collision and preimage subgroup attacks in time 2 (instead of 23n/2 and 23n for birthday and exhaustive) [PQTZ09]

I ... but fundamentally unbroken since 1994

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 45 LPS and Morgenstern hash functions

I Construction : use LPS Ramanujan graphs [LPS88, CGL07] l I Let l small prime, p large prime, p ≡ l ≡ 1 mod 4, p = 1 Let i such that i2 = −1 mod p I Let G = PSL(2, Fp), Let S = {sj , j = 1...l + 1}, where αj + iβj γj + iδj sj = , j = 0, ..., l; −γj + iδj αj − iβj

and (αj , βj , γj , δj ) are all the integer solutions of α2 + β2 + γ2 + δ2 = l, with α > 0 and β, γ, δ

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 46 I Collision lifting attack [TZ08]

I Find a matrix M ∈ Ω ⊂ SL(2, Z[i]) with M = I mod p: this amounts to solving a diophantine equation

I Factorization in Ω is unique hence easy

I Very eﬃcient

I Extension to preimage attack [PLQ08]

I Extension to collision and preimage for Morgenstern hash [PLQ08]

I Both functions repaired by modifying S

LPS and Morgenstern hash functions

I Extension to Morgenstern Ramanujan graphs [PLQ07]

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 47 I Extension to preimage attack [PLQ08]

I Extension to collision and preimage for Morgenstern hash [PLQ08]

I Both functions repaired by modifying S

LPS and Morgenstern hash functions

I Extension to Morgenstern Ramanujan graphs [PLQ07]

I Collision lifting attack [TZ08]

I Find a matrix M ∈ Ω ⊂ SL(2, Z[i]) with M = I mod p: this amounts to solving a diophantine equation

I Factorization in Ω is unique hence easy

I Very eﬃcient

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 47 I Both functions repaired by modifying S

LPS and Morgenstern hash functions

I Extension to Morgenstern Ramanujan graphs [PLQ07]

I Collision lifting attack [TZ08]

I Find a matrix M ∈ Ω ⊂ SL(2, Z[i]) with M = I mod p: this amounts to solving a diophantine equation

I Factorization in Ω is unique hence easy

I Very eﬃcient

I Extension to preimage attack [PLQ08]

I Extension to collision and preimage for Morgenstern hash [PLQ08]

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 47 LPS and Morgenstern hash functions

I Extension to Morgenstern Ramanujan graphs [PLQ07]

I Collision lifting attack [TZ08]

I Find a matrix M ∈ Ω ⊂ SL(2, Z[i]) with M = I mod p: this amounts to solving a diophantine equation

I Factorization in Ω is unique hence easy

I Very eﬃcient

I Extension to preimage attack [PLQ08]

I Extension to collision and preimage for Morgenstern hash [PLQ08]

I Both functions repaired by modifying S

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 47 I Not broken so far, but

I Very slow

I No guarantee on the girth in general

The Pizer hash function

I Use Pizer’s Ramanujan graphs [P90,CGL07]

I (Not Cayley)

I Vertices are supersingular elliptic curves

I Edges are isogenies of ﬁxed degree

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 48 The Pizer hash function

I Use Pizer’s Ramanujan graphs [P90,CGL07]

I (Not Cayley)

I Vertices are supersingular elliptic curves

I Edges are isogenies of ﬁxed degree

I Not broken so far, but

I Very slow

I No guarantee on the girth in general

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 48 I Projective ZT: [PQTZ09]

I For an initial vector (a0, b0) part of the key, returns the projective point [a : b] if the vectorial ZT returns (a, b)

I “Nearly” as secure as the vectorial version

Vectorial and projective Z´emor-Tillich

I Vectorial ZT: [PQTZ09]

I For an initial vector (a0, b0) part of the key,

vec HZT (m) = (a0, b0)HZT (m)

I Just as secure as the original ZT

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 49 Vectorial and projective Z´emor-Tillich

I Vectorial ZT: [PQTZ09]

I For an initial vector (a0, b0) part of the key,

vec HZT (m) = (a0, b0)HZT (m)

I Just as secure as the original ZT

I Projective ZT: [PQTZ09]

I For an initial vector (a0, b0) part of the key, returns the projective point [a : b] if the vectorial ZT returns (a, b)

I “Nearly” as secure as the vectorial version

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 49 I Also more eﬃcient:

I Always for vectorial version

I Always but on short messages for projective version

Vectorial and projective Z´emor-Tillich

I (Nearly) as secure as the original version

I Reduced output sizes: ≈ 3n bits → ≈ 2n and ≈ n bits

I Keep hard components of the representation problem; remove easy components

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 50 Vectorial and projective Z´emor-Tillich

I (Nearly) as secure as the original version

I Reduced output sizes: ≈ 3n bits → ≈ 2n and ≈ n bits

I Keep hard components of the representation problem; remove easy components

I Also more eﬃcient:

I Always for vectorial version

I Always but on short messages for projective version

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 50 I Idea of ZesT: [PVQ08,PdMQTVZ09]

I Use vectorial and projective ZT as building blocks

I Add heuristic design to remove main weaknesses

I Take all existing attacks into account

ZesT: an all-purpose hash function based on Z´emor-Tillich

I ZT is appealing: security proof for collision resistance, graph and group perspectives, parallelism, good eﬃciency...

I ZT has important issues: malleability, invertibility on short messages, suboptimal collision and preimage resistances

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 51 ZesT: an all-purpose hash function based on Z´emor-Tillich

I ZT is appealing: security proof for collision resistance, graph and group perspectives, parallelism, good eﬃciency...

I ZT has important issues: malleability, invertibility on short messages, suboptimal collision and preimage resistances

I Idea of ZesT: [PVQ08,PdMQTVZ09]

I Use vectorial and projective ZT as building blocks

I Add heuristic design to remove main weaknesses

I Take all existing attacks into account

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 51 ZesT: an all-purpose hash function based on Z´emor-Tillich

I Collision resistance reduces to the representation problem of ZT

I Weaknesses of ZT are removed

I Ultra-lightweight ASIC implementations

I Throughput comparable to SHA on FPGA

I (Currently) 4 to 10 times as slow as SHA in software

I Parallelism

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 52 Outline

I Introduction

I Cryptographic background

I Expander hashes

I Cayley hashes

I Generic attacks

I Known instances

I Conclusion

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 53 Conclusion

I Today:

I Z´emor’s ﬁrst proposal broken

I ZT unbroken since 1994

I LPS, Morgenstern hashes broken (and repaired)

I Pizer hash unbroken

I Vectorial and projective ZT as secure as ZT

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 54 Conclusion

I Elegant, clear, simple design

I Provable security, stated as graphs and groups properties

I May be very eﬃcient in software and hardware

I Parallelism (Cayley hashes)

I Main design issues (malleability,...) can be removed with additional design

I Ramanujan property not so beneﬁc after all

I Underlying hard problems should be further studied

I Very interesting design !

UCL Crypto Group Microelectronics Laboratory LGG seminars - Feb 2009 55