1 / 17

Somos Sequences and Cryptographic Applications

Somos Sequences and Cryptographic Applications. Richard Schroeppel Hilarie Orman R. Wm. Gosper. Diffie-Hellman with Iterated Functions. We can think of g a mod p as the iteration of g*g mod p Over elliptic curves, iterate point addition P+P to nP

massaro
Download Presentation

Somos Sequences and Cryptographic Applications

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Somos Sequences and Cryptographic Applications Richard Schroeppel Hilarie Orman R. Wm. Gosper

  2. Diffie-Hellman with Iterated Functions • We can think of ga mod p as the iteration of g*g mod p • Over elliptic curves, iterate point addition P+P to nP • How about iterating something non-commutative, like SHA-1(SHA-1...(c))?

  3. Hashing for Diffie-Hellman? • Alice computes SHA-1A(c) = H(A) • Bob computes SHA-1B(c) = H(B) • Each computes SHA-1A+B(c) = H(A+B) • Nice, but not secure! • An eavesdropper can try H(A+1), H(A+2), ... in linear time • We need giant steps in linear time

  4. What's a Somos Sequence? Non-linear recurrences • Somos 4an = (an-1an-3 + a2n-2) / an-41,1,1,1,2,3,7,23,59,314,1529, ... • Somos 5bn = (bn-1bn-4 + bn-2 bn-3) / bn-51,1,1,1,1,2,3,5,11,37,83,274, ... • Somos 6cn = (cn-2cn-5 + cn-2cn-4 + c2n-3)/cn-61,1,1,1,1,1,3,5,9,23,75,421, ...

  5. Apparent Mysteries ... • There's a quotient in the formulas, how come the values are integers? • Somos 8 and beyond are not! • Are these equivalent to some previously known sequences? • Can you do anything interesting with them? • Let's interpret them over finite fields

  6. Correspondences • Somos4 can be mapped to points on a particular elliptic curve • y2 - y = x3 - x, P = (1, 0) and Q = (-1, 0) • P+KQ  Somos4(K) • Somos 6 and Somos 7 may be equivalent to hyperelliptic curves • Somos 8 and beyond ... non-algebraic???

  7. The Magic Determinant au-xau+x au-yau+y au-zau+z av-xav+x av-yav+y av-zav+z aw-xaw+x aw-yaw+y aw-zaw+z ( ) u, v, w x, y, z Da  = 0 Proven for Somos 4 "Obvious" for sin(u-x), etc. Conjectured for ai-j = ϑt(i-j, q) ai+j = ϑs(i+j, q)

  8. Elliptic Divisibility Sequence (EDS) • s0 = 0, s1 = 1 • sm+nsm-n = sm+1sm-1sn2 - sn+1sn-1sm2 • m | n => sm | sn • Somos 4 is the absolute values of the odd numbered terms of an EDS with s2 = 1, s3 = -1, s4 = 1

  9. Near Addition Formula for Somos4 • Derived from the magic determinant • u = k+1, v = 0, w =1 • x = k-1, y = 0 , z = 1 • a2k = 2akak+13 + ak-1akak+22 - ak-1ak+12ak+2 - ak2ak+1ak+2 • This is our Diffie-Hellman "giant step" • NB, normally DH goes from k to k2 for the "giant step", but Somos is secure for k -> 2k !! (as we will show)

  10. Somos Step-by-1 Needs Extra State • {an-3 an-2 an-1 an} -> an+1 uses an+1 = (anan-2 + a2n-1) / an-3 • {a2n-3 a2n-2 a2n-1 a2n} -> a2n+1

  11. Alice and Bob and Somos4 over F[p] • Alice chooses A from [1, p-1] • Alice calculates Somos4(A) mod p • Uses doubling formula and step-by-one formula • Bob does the same with B • Alice sends {Somos4(A) }= {SA-3, SA-2, SA-1, SA } to Bob • Bob sends {Somos4(B)} = {SB} to Alice • Alice steps SB to SB+A mod p • Uses double and step-by-one • Bob steps SA to SA+B

  12. Somos4 Giant Steps • Somos4(2A) can be computed from Somos4(A) with a "few" operations • Somos(A+B) can be computed from Somos4(A) and B in about log(B) operations • But, stepping Somos4(A) without knowing B would take about B guesses • The giant steps make it secure

  13. Example • Alice has {SB} from Bob • Her secret A is 105 • {SB} -> {SB+1} • {{SB}, {SB+1}} -> {{SB+3} {SB+4}} -> • {{SB+6} {SB+7}} -> {{SB+13} {SB+14}} -> • {{SB+26} {SB+27}} -> {{SB+52} {SB+53}} -> • SB+105 !

  14. Somos4 & Elliptic Curves Curve: Y(Y-1) = X(X-1)(X+1) Point: P = (0,0) Multiples KP: O, (0,0), (1,0), (-1,1), (2,3), (1/4,5/8), (6,-14), (-5/9,-8/27), (21/25,69/125), (-20/49,435/343), … KP = (XK,YK) = ( -SK-1SK+1/SK2, SK-2SK-1SK+3/SK3 ) SK = 0, 1, 1, -1, 1, 2, -1, -3, -5, 7, -4, -23, 29, 59, …

  15. What’s SK? SK is a Somos4 with different initialization. S1,2,3,4,… = 1, 1, -1, 1, … SK-2SK+2 = SK-1SK+1 + SK2 like Somos4 SK-2SK+3 + SK-1SK+2 + SKSK+1 = 0 also AK-2AK+3 + AK-1AK+2 = 5AKAK+1 for Somos4 Somos4 is essentially the odd terms of SK: AK = (-1)K S2K-3

  16. Proof Overview Verify KP formula by induction on K: Check 1P and 2P. Check that P + KP = (K+1)P using the formula for KP = {mess of SK+n}, the elliptic curve point addition formula, and the algebra relations for SKSK+n. Verify Somos4-SK relationship by induction on K: Check first four values, and prove K  K+1 using the recurrence relations. Mess of algebra.

  17. Multiplicity of the Map: Somos4 vs. Elliptic Curve Mod Q, the elliptic curve has period ~Q. Mod Q, Somos4 has period ~Q2, a multiple of the elliptic curve period. SK can be recovered from a few consecutive Somos values. So we can go from Somos to elliptic curve points. In fact, the X coordinate of (2K-3)P is 1 – AK-1AK+1/AK2. This will work mod Q as well. But going the other way mod Q is impossible, because roughly Q different Somos values map to the same elliptic curve point.

More Related