270 likes | 1.24k Views
Applications of Ramanujan Graphs in Cryptography. Kristin Lauter Microsoft Research Cryptography Group IPAM Expander Graphs and Applications February 12, 2008. joint work. with Denis Charles and Eyal Goren: Cryptographic hash functions from expander graphs , Journal of Cryptology, 2007
E N D
Applications of Ramanujan Graphs in Cryptography Kristin Lauter Microsoft Research Cryptography Group IPAM Expander Graphs and Applications February 12, 2008
joint work with Denis Charles and Eyal Goren: • Cryptographic hash functions from expander graphs, Journal of Cryptology, 2007 • Families of Ramanujan graphs and quaternion algebras, “Groups and Symmetries”, Proceedings of conference in honor of John McKay, 2007
Hash functions • A hash function maps bit strings of some finite length to bit strings of some fixed finite length h : {0,1}n {0,1}m • easy to compute • unkeyed (unkeyed hash functions do not require a secret key to compute the output) • Collision resistant • Uniformly distributed output
Collision-resistance • A hash function h is collision resistant if it is computationally infeasible to find two distinct inputs, x, y, which hash to the same output h(x) = h(y). • A hash function h is preimage resistant if, given any output of h, it is computationally infeasible to find an input, x, which hashes to that output.
Hash functions: Practical applications • Security of most cryptographic protocols • Password verification • Integrity check of received content • Signed hashes • Encryption protocols • Message digest • Microsoft source code (720 uses of MD5)
Background • Crypto04 Rump session: collisions found in the most commonly used hash functions MD4, MD5, … • SHA-0, SHA-1 also under attack • NIST organizes a series of workshops (2005, 2006) and a competition (2007-09) to select new hash functions. Submissions due 2008!
Provable hash function • Goal: to construct efficiently computable collision-resistant hash functions. • It is a provable collision resistant hash function if to compute a collision is to solve some other well-known hard problem, such as factoring or discrete log.
Related work: (provable hashes) • VSH [Contini, Lenstra, Steinfeld, 2005] • ECDLP-based • Zemor-Tillich `94, Hashing with SL2(Z) • Joye-Quisquater, `97, Quisquater `04 • Goldreich, 2000, One-way functions from LPS graphs • …
Hash function from expanders: • k-regular graph G • Each vertex in the graph has a label Input: a bit string • Bit string is divided into blocks • Each block used to determine which edge to follow for the next step in the graph • No backtracking allowed! Output: label of the final vertex of the walk
What kind of graph to use? • Random walks on expander graphs mix rapidly: log(n) steps to a random vertex • Ramanujan graphs are optimal expanders • To find a collision: find two distinct walks of the same length which end at same vertex, which you can easily do if you can find cycles • Are there graphs such that finding collisions is hard? (i.e. finding distinct paths between vertices is hard) • Bad idea: hypercube (routing is easy, can be read off from the labels)
Example: graph of supersingular elliptic curves modulo p (Pizer) • Vertices: supersingular elliptic curves mod p • Curves are defined over GF(p2) • Labeled by j-invariants • E1 : y2 = x3 +a4x+a6 • j(E1)=1728*4a43/(a43+27a62)
Pizer’s graph: vertices • Vertices: maximal orders in a quaternion algebra via E End(E) • # vertices ~ p/12 • p ~ 2256
Pizer’s graph: edges • Edges: degree ℓ isogenies between them • k = ℓ+1 – regular • Graph is Ramanujan (Eichler, Shimura) • Undirected if we assume p == 1 mod 12
Isogenies • The degree of a separable isogeny is the size of its kernel • To construct an ℓ -isogeny from an elliptic curve E to another, take a subgroup-scheme C of size ℓ, and take the quotient E/C. • Formula for the isogeny and equation for E/C were given by Velu.
One step of the walk: (ℓ=2) • E1 : y2 = x3 +a4x+a6 • j(E1)=1728*4a43/(a43+27a62) • 2-torsion point Q = (r, 0) • E2 = E1 /Q (quotient of groups) • E2 : y2 = x3 − (4a4 + 15r2)x + (8a6 − 14r3). • E1 E2 • (x, y) (x +(3r2 + a4)/(x-r), y − (3r2 + a4)y/(x-r)2)
Collision resistance Finding collisions reduces to finding isogenies between elliptic curves: • Finding a collision finding 2 distinct paths between any 2 vertices (or a cycle) • Finding a pre-imagefinding any path between 2 given vertices • O(√p) birthday attack to find a collision
Hard Problems ? • Problem 1. Produce a pair of supersingular elliptic curves, E1 and E2, and two distinct isogenies of degree ℓn between them. • Problem 2. Given E, a supersingular elliptic curve, find an endomorphism f : E E of degree ℓ2n , not the multiplication by ℓn map. • Problem 3. Given two supersingular elliptic curves, find an isogeny of degree ℓn between them.
Hardness • Studied by [Galbraith 99] for ordinary curves • O(sqrt(p)) best known attack • Ensure large girth by putting conditions on the splitting behavior of p in various imaginary quadratic extensions • Proposed as basis for other cryptosystems • Science article, 2008
Other graphs • Vary the isogeny degree • Lubotzky-Phillips-Sarnak graph • random walk is efficient to implement • Hashing bandwidth: 2.2 Mbps, 192-bit prime • Different hard problem for finding collisions • Cycles found: Eurocrypt 2008, Zemor-Tillich • Morgenstern graph, Petit-Quisquater-L. • Higher dimensional analogues
Higher dimensional analogue • G(L,p,ell) • Nodes: Superspecial abelian varieties over algebraic closure of Fp with real multiplication by L, L a totally real field of degree g of strict class number 1, with p unramified in L • A isomorphic to a product of g supersingular elliptic curves, with embedding of OL into endomorphism ring, with principal polarization compatible with embedding of OL • Edges: For a prime ideal ell of OL, not lying over p, edges are defined by isogenies of degree ell (in a technical sense) in OL
Properties of G(L,p,ell) Theorem. If ell lies over l with residue degree f, then • The degree of G(L,p,ell) is lf+1 • The number of vertices is approximately 21-g |ZetaL(-1)|pg • (for g=1, L=Q, approximately p/12 vertices, degree l+1) Choose p such that the graph is undirected. • Then the graph is Ramanujan
Towers (Families) and Questions • For a sequence of totally real fields of strict class number 1 in which p is unramified, we get a tower of Ramanujan graphs (a sequence of embedded graphs) • Other examples: Paley, Terras,… • Question: Construct a nested sequence of graphs Gi (with embeddings which are isometries) such that ni and di go to infinity, the degree di is bounded from above by log(ni)r for some positive r. • GiCayley? • Each graph beats the Ramanujan bound