New Zémor-Tillich Type Hash Functions Over $\mathrm{GL}_2(\mathbb{F}_{p^n})$



SLIDE 1

New Zémor-Tillich Type Hash Functions Over $\mathrm{GL}_2(\mathbb{F}_{p^n})$

Hayley Tomkins, Monica Nevins, and Hadi Salmasian

University of Ottawa, Canada

June 24, 2019

Hayley Tomkins, Monica Nevins, and Hadi Salmasian. New Zémor-Tillich Type Hash Functions Over $\mathrm{GL}_2(\mathbb{F}_{p^n})$. 1 / 24
SLIDE 4

What is a Cayley Hash?

In 1991 Gilles Zémor introduced the idea of building hash functions from Cayley graphs of large girth.

Associated Cayley hash

Given a group $G$ and $g_1, g_2 \in G$, the associated [Cayley] hash $H$ is the map defined for any message $m = m_1 \ldots m_k \in \{0, 1\}^*$ by $H(m) = H(m_1) \cdots H(m_k) \in G$, where $H(0) = g_1$ and $H(1) = g_2$.

Small modifications property

Given any collision $H(m) = H(m')$, $\min\{|m|, |m'|\} \geq n$.
SLIDE 6

In Cayley hashes, notions such as collision, second preimage, and preimage resistance can be restated as mathematical problems that are believed to be hard.

Some examples

Zémor's original suggestion was to use $g_1 = \begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}$ and $g_2 = \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}$ in $\mathrm{SL}_2(\mathbb{F}_p)$ for $p$ a large prime.

Cayley hashes from expander graphs

Bromberg et al. suggested using pairs of the form $g_1 = \begin{pmatrix} 1 & r \\ 0 & 1 \end{pmatrix}$ and $g_2 = \begin{pmatrix} 1 & 0 \\ s & 1 \end{pmatrix}$ in $\mathrm{SL}_2(\mathbb{F}_p)$.
SLIDE 9

The Zémor-Tillich hash function

The Zémor-Tillich hash function is defined as the associated hash function of $G = \mathrm{SL}_2(\mathbb{F}_{2^n})$, $g_1 = \begin{pmatrix} x & 1 \\ 1 & 0 \end{pmatrix}$, and $g_2 = \begin{pmatrix} x & x+1 \\ 1 & 1 \end{pmatrix}$, where $x$ is the root of the defining polynomial of $\mathbb{F}_{2^n}$.

  • viably fast
  • tends to uniform distribution

Attacks

  • small order attacks (Charnes and Pieprzyk, Steinwandt et al.)
  • Geiselmann's embedding attack
  • Grassl et al.'s palindrome attack
SLIDE 11

Our contribution

Our hash function construction: Let $A, B \in M_{2\times 2}(\mathbb{F}_p[x])$ and set $D$ to be $\{ M \in M_{2\times 2}(\mathbb{F}_p[x]) \mid r_n \nmid \det(M) \}$. Define the projection map $\pi_{r_n} : D \to \mathrm{GL}_2(\mathbb{F}_q)$ to be the map taking entries of a matrix to their projection in $\mathbb{F}_q$ under the quotient by $r_n$. We then construct a hash function $H$ by taking the associated hash for $g_1 = \pi_{r_n}(A)$ and $g_2 = \pi_{r_n}(B)$ and $G = \mathrm{GL}_2(\mathbb{F}_{p^n})$.

Our idea:

Use freeness to retain the small modifications property.
SLIDE 15

The field of formal Laurent series over $\mathbb{F}_p$

The elements of $\mathbb{F}_p((x))$ are series of the form $g(x) = \sum_{k=m}^{\infty} g_k x^k$ for $g_i \in \mathbb{F}_p$ and $m \in \mathbb{Z}$.

[Diagram labels: $\mathrm{PGL}_2(\mathbb{F}_p((x)))$, $\mathrm{GL}_2(\mathbb{F}_p((x)))$, $\mathbb{P}^1$]
SLIDE 16

Free Generators Theorem

Free Generators Theorem (T. 2018)

Let $p$ be a prime and let $d \in \mathbb{N}_0$. Suppose there exist $a, b, c, \tilde a, \tilde b \in \mathbb{F}_p((x))$, $f, \tilde f \in \mathbb{F}_p((x))^{\times}$, such that $\Xi_1$, $\Xi_2$ and $\Xi_3$ hold (see next slide). Then the matrices

$$A = \begin{pmatrix} ab - cf & a(f - 1) \\ cb(1 - f) & abf - c \end{pmatrix} \quad \text{and} \quad B = \begin{pmatrix} \tilde b - \tilde a \tilde f & \tilde f - 1 \\ \tilde a \tilde b (1 - \tilde f) & \tilde b \tilde f - \tilde a \end{pmatrix} \qquad (1)$$

generate a free group in $\mathrm{PGL}_2(\mathbb{F}_p((x)))$. In particular, any inverse images of $A$, $B$ in $\mathrm{GL}_2(\mathbb{F}_p((x)))$ also generate a free group.
SLIDE 17

Conditions of the Free Generators Theorem

$\Xi_1$: $d([u], [v]) > \frac{1}{p^{d+1}}$ for each pair of $[u], [v]$ in $\{ [a : c], [1 : b], [1 : \tilde a], [1 : \tilde b] \}$

$\Xi_2$: $\min\{|f|, |f^{-1}|\} \leq \frac{1}{p^{2d+1}}$, and $\min\{|\tilde f|, |\tilde f^{-1}|\} \leq \frac{1}{p^{2d+1}}$

$\Xi_3$: There exists $[z] \in \mathbb{P}^1$ such that $d([z], [u]) > \frac{1}{p^{d+1}}$ for each $[u]$ in $\{ [a : c], [1 : b], [1 : \tilde a], [1 : \tilde b] \}$.

Remark

We can find infinitely many parameters satisfying our theorem for all $d \geq 0$ when $p$ is odd, and all $d > 0$ when $p = 2$.
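SLIDE 18

Some constructions using the Free Generators Theorem

Table: The matrices $A$ and $B$ produced using the Free Generators Theorem for $p > 2$, $d = 0$, $a = 0$, $c = 1$, $f, \tilde f \in x\mathbb{F}_p[x]$, and given choices of $b$, $\tilde a$, and $\tilde b$.

| $\{A, B\}$ | $A$ | $B$ | $b$ | $\tilde a$ | $\tilde b$ |
| $G_1(f, \tilde f)$ | $\begin{pmatrix} f & 0 \\ 0 & 1 \end{pmatrix}$ | $\begin{pmatrix} \tilde f + 1 & 1 - \tilde f \\ 1 - \tilde f & \tilde f + 1 \end{pmatrix}$ | $0$ | $1$ | $-1$ |
| $G_2(f, \tilde f)$ | $\begin{pmatrix} f & 0 \\ 0 & 1 \end{pmatrix}$ | $\begin{pmatrix} \tilde f + 1 & \tilde f - 1 \\ \tilde f - 1 & \tilde f + 1 \end{pmatrix}$ | $0$ | $-1$ | $1$ |
| $G_3(f, \tilde f)$ | $\begin{pmatrix} f & 0 \\ f - 1 & 1 \end{pmatrix}$ | $\begin{pmatrix} \tilde f & \tilde f - 1 \\ 0 & 1 \end{pmatrix}$ | $1$ | $-1$ | $0$ |
| $G_4(f, \tilde f)$ | $\begin{pmatrix} f & 0 \\ f - 1 & 1 \end{pmatrix}$ | $\begin{pmatrix} 1 & 1 - \tilde f \\ 0 & \tilde f \end{pmatrix}$ | $1$ | $0$ | $-1$ |
| $G_5(f, \tilde f)$ | $\begin{pmatrix} f & 0 \\ 1 - f & 1 \end{pmatrix}$ | $\begin{pmatrix} \tilde f & 1 - \tilde f \\ 0 & 1 \end{pmatrix}$ | $-1$ | $1$ | $0$ |
| $G_6(f, \tilde f)$ | $\begin{pmatrix} f & 0 \\ 1 - f & 1 \end{pmatrix}$ | $\begin{pmatrix} 1 & \tilde f - 1 \\ 0 & \tilde f \end{pmatrix}$ | $-1$ | $0$ | $1$ |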
SLIDE 20

Benefits of this method

The Free Generators Theorem

  • provides many choices of $g_1$ and $g_2$ over any characteristic
  • offers a great amount of control of the degrees and form of the entries in our generators
  • extends to an arbitrary number of generators

Our approach provides

  • a stronger version of the small modifications property
  • a method to prevent against specific small relations
  • precise conditions on our parameters for generating a large enough set of hash values
SLIDE 22

As Cayley hashes, our hash functions

  • are scalable
  • possess the concatenation property, so in particular can be computed in parallel

The methods in our theorem

  • can extend to the p-adic field $\mathrm{GL}_2(\mathbb{Q}_p)$
  • would work for $\mathrm{GL}_n$ for other $n$
  • yield the potential for a keyed hash function
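An added example, not code from the talk: the construction above written out in Python, with $A$ and $B$ built from equation (1), projected modulo $r_n$, and multiplied along the message bits, so that the concatenation property can be checked directly. The prime $p = 5$, the polynomial $r_n = x^3 + x + 1$, the parameter values and all function names are assumptions chosen for illustration; polynomials are coefficient lists, lowest degree first.

```python
from functools import reduce
from itertools import zip_longest

P = 5              # constructed toy prime, far too small for real use
R = [1, 1, 0, 1]   # r_n = x^3 + x + 1, irreducible over F_5 (coefficients low -> high)

def trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a

def add(a, b):
    return trim([(x + y) % P for x, y in zip_longest(a, b, fillvalue=0)])

def sub(a, b):
    return add(a, [-c % P for c in b])

def mul(a, b):
    out = [0] * max(len(a) + len(b) - 1, 0)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return trim(out)

def reduce_mod(a):  # remainder modulo the monic polynomial R, i.e. the image in F_q
    a = list(a)
    while len(a) >= len(R):
        lead, shift = a[-1], len(a) - len(R)
        for i, c in enumerate(R):
            a[shift + i] = (a[shift + i] - lead * c) % P
        trim(a)
    return a

def free_generators(a, b, c, at, bt, f, ft):  # equation (1); at, bt, ft = a~, b~, f~
    A = (sub(mul(a, b), mul(c, f)), mul(a, sub(f, [1])),
         mul(mul(c, b), sub([1], f)), sub(mul(mul(a, b), f), c))
    B = (sub(bt, mul(at, ft)), sub(ft, [1]),
         mul(mul(at, bt), sub([1], ft)), sub(mul(bt, ft), at))
    return A, B

def project(M):  # pi_{r_n}: reduce entries modulo r_n; matrices outside D are rejected
    if not reduce_mod(sub(mul(M[0], M[3]), mul(M[1], M[2]))):
        raise ValueError("r_n divides det(M)")
    return tuple(reduce_mod(e) for e in M)

def matmul(X, Y):  # matrices are flat tuples (m00, m01, m10, m11)
    return tuple(reduce_mod(add(mul(X[i], Y[j]), mul(X[i + 1], Y[j + 2])))
                 for i in (0, 2) for j in (0, 1))

# Constructed parameters for d = 0: a = 0, c = 1, b = 0, a~ = 1, b~ = -1, f = f~ = x
G1, G2 = map(project, free_generators([], [], [1], [1], [4], [0, 1], [0, 1]))

def cayley_hash(bits):  # H(m) = H(m_1) ... H(m_k) with H(0) = G1 and H(1) = G2
    return reduce(matmul, (G2 if ch == "1" else G1 for ch in bits), ([1], [], [], [1]))
```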
SLIDE 25

Some Definitions

Note

The following work has been inspired by Breuillard and Gelander's application of Tits' Ping-Pong Lemma.

Absolute value

If $g_m \neq 0$, the valuation of $g$, $v(g)$, is $m$ and the absolute value is $|g| = p^{-v(g)} = p^{-m}$.

Distance

Let $[u], [v] \in \mathbb{P}^1$ be such that $[u] = [u_1 : u_2]$ and $[v] = [v_1 : v_2]$. Then the distance between $[u]$ and $[v]$ is

$$d([u], [v]) = \frac{\|u \wedge v\|}{\|u\| \, \|v\|} = \frac{|u_1 v_2 - u_2 v_1|}{\max\{|u_1|, |u_2|\} \max\{|v_1|, |v_2|\}}.$$
SLIDE 27

Neighbourhoods in $\mathbb{P}^1$

For $[u] \in \mathbb{P}^1$ we define $N\left([u], \frac{1}{p^{d+1}}\right)$ to be the closed neighbourhood of radius $\frac{1}{p^{d+1}}$.

Proposition

For each $d \in \mathbb{N}_0$ there exist $p^d(p + 1)$ disjoint neighbourhoods of radius $\frac{1}{p^{d+1}}$ such that for any point $[u] \in \mathbb{P}^1$, $N\left([u], \frac{1}{p^{d+1}}\right)$ is precisely one of these neighbourhoods. They are

  1. for each $(a_0, a_1, \ldots, a_d) \in \mathbb{F}_p^{d+1}$, $\{ [1 : a_0 + a_1 x + \ldots + a_d x^d + r] \mid r \in x^{d+1}\mathcal{O} \}$, and
  2. for each $(0, a_1, \ldots, a_d) \in \mathbb{F}_p^{d+1}$, $\{ [a_1 x + \ldots + a_d x^d + r : 1] \mid r \in x^{d+1}\mathcal{O} \}$.
SLIDE 28

[Figure labels: $[a : c]$, $[1 : b]$, $[1 : \tilde a]$, $[1 : \tilde b]$, $[z]$, $N_{[a:c]}$, $N_{[1:b]}$, $N_{[1:\tilde a]}$, $N_{[1:\tilde b]}$]

Figure: A visual representation of the $\frac{1}{p^{d+1}}$-neighbourhoods of the eigenvectors of $A$ and $B$ and the point $[z]$. Conditions $\Xi_1$ and $\Xi_3$ of Theorem 1 ensure these neighbourhoods are disjoint and the point $[z]$ must lie outside each neighbourhood.
SLIDE 29

Ping-Pong Lemma (Jacques Tits, 1972)

Given two cyclic groups $A$ and $B$ acting on $\mathbb{P}^1$, with associated disjoint sets $P_A$ and $P_B$ in $\mathbb{P}^1$ with the property that for any $g \in A$, $g : \mathbb{P}^1 \setminus P_A \to P_A$ and for any $g \in B$, $g : \mathbb{P}^1 \setminus P_B \to P_B$, any nontrivial word $w$ in $\{A, B\}$ must necessarily map a point outside of $P_A \cup P_B$ to either $P_A$ or $P_B$, and thus cannot be the identity.
SLIDE 30

Consider the action of the word $A^2 B^{-1} A^5 B^4$ on $[z]$

[Figure label: $[z]$]
SLIDE 31

$B^4$ maps $[z]$ to $P_B$

[Figure label: $B^4 \cdot [z]$]
SLIDE 32

$A^5$ maps $B^4 \cdot [z]$ to $P_A$

[Figure label: $A^5 B^4 \cdot [z]$]
SLIDE 33

$B^{-1}$ maps $A^5 B^4 \cdot [z]$ to $P_B$

[Figure label: $B^{-1} A^5 B^4 \cdot [z]$]
SLIDE 34

$A^2$ maps $B^{-1} A^5 B^4 \cdot [z]$ to $P_B$

[Figure label: $A^2 B^{-1} A^5 B^4 \cdot [z]$]
SLIDE 36

[Figure panels: the action of $A$ and the action of $A^{-1}$, each marked with $[a : c]$, $[1 : b]$ and $[z]$]

Figure: A visual representation of the action of $A$ and the action of $A^{-1}$ on $\mathbb{P}^1$. We see that $A$ maps $\mathbb{P}^1 \setminus N_{[1:b]}$ to $N_{[a:c]}$ and $A^{-1}$ maps $\mathbb{P}^1 \setminus N_{[a:c]}$ to $N_{[1:b]}$.

We choose $P_A = N_{[a:c]} \cup N_{[1:b]}$ and $P_B = N_{[1:\tilde a]} \cup N_{[1:\tilde b]}$ and let $[z]$ be a point outside of $P_A$ or $P_B$. This gives that $A$ maps $\mathbb{P}^1 \setminus P_A$ to $P_A$.
SLIDE 38

Final Remarks

  • potential issues from the introduction of the determinant are fixed by padding or choosing $\det(A) = \det(B)$
  • our hash function constructions are resistant to attacks on the Zémor-Tillich hash function

Thank you!
SLIDE 39

References

  • G. Zémor. Hash functions and graphs with large girths. In Advances in Cryptology EUROCRYPT'91, pages 508-511. Springer (1991).
  • L. Bromberg, V. Shpilrain, and A. Vdovina. Navigating in the Cayley graph of $\mathrm{SL}_2(\mathbb{F}_p)$ and applications to hashing. Semigroup Forum, 94(2) 314-324 (2017).
  • J.P. Tillich and G. Zémor. Hashing with SL2. In Annual International Cryptology Conference, pages 40-49. Springer, 1994.
  • C. Charnes and J. Pieprzyk. Attacking the SL2 hashing scheme. In Advances in Cryptology ASIACRYPT'94, pages 322-330 (1995).
  • R. Steinwandt, M. Grassl, W. Geiselmann, and T. Beth. Weaknesses in the $\mathrm{SL}_2(\mathbb{F}_{2^n})$ hashing scheme. In Annual International Cryptology Conference, pages 287-299. Springer (2000).
SLIDE 40

  • W. Geiselmann. A note on the hash function of Tillich and Zémor. In Cryptography and coding (Cirencester, 1995), Lecture Notes in Comput. Sci., vol. 1025, pages 257-263. Springer, Berlin (1995).
  • M. Grassl, I. Ilić, S. Magliveras, and R. Steinwandt. Cryptanalysis of the Tillich-Zémor Hash Function. Journal of Cryptology, 24(1):148-156, 2011.
  • J. Tits. Free subgroups in linear groups. Journal of Algebra, 20(2):250-270, 1972.
  • E. Breuillard and T. Gelander. On dense free subgroups of Lie groups. Journal of Algebra, 261(2):448-467, 2003.