Transcript eg2008 7054

Applications of Ramanujan Graphs in Cryptography
Kristin Lauter
Microsoft Research Cryptography Group
IPAM Expander Graphs and Applications
February 12, 2008
Joint work with Denis Charles and Eyal Goren:
1. Cryptographic hash functions from expander graphs, Journal of Cryptology, 2007
2. Families of Ramanujan graphs and quaternion algebras, "Groups and Symmetries", Proceedings of the conference in honor of John McKay, 2007

Hash functions
 A hash function maps bit strings of some finite length to bit strings of some fixed finite length:
   h : {0,1}^n → {0,1}^m
 easy to compute
 unkeyed (unkeyed hash functions do not require a secret key to compute the output)
 collision resistant
 uniformly distributed output

Collision-resistance
 A hash function h is collision resistant if it is computationally infeasible to find two distinct inputs, x, y, which hash to the same output h(x) = h(y).
 A hash function h is preimage resistant if, given any output of h, it is computationally infeasible to find an input, x, which hashes to that output.

Hash functions: Practical applications
 Security of most cryptographic protocols
 Password verification
 Integrity check of received content
 Signed hashes
 Encryption protocols
 Message digest
 Microsoft source code (720 uses of MD5)

Background
 Crypto04 Rump session: collisions found in the most commonly used hash functions MD4, MD5, …
 SHA-0, SHA-1 also under attack
 NIST organizes a series of workshops (2005, 2006) and a competition (2007-09) to select new hash functions. Submissions due 2008!

Provable hash function
 Goal: to construct efficiently computable collision-resistant hash functions.
 A hash function is provably collision resistant if computing a collision amounts to solving some other well-known hard problem, such as factoring or discrete log.

Related work (provable hashes)
 VSH [Contini, Lenstra, Steinfeld, 2005]
 ECDLP-based
 Zémor-Tillich '94, Hashing with SL2(Z)
 Joye-Quisquater '97, Quisquater '04
 Goldreich, 2000, One-way functions from LPS graphs
 …

Hash function from expanders
 k-regular graph G
   – Each vertex in the graph has a label
 Input: a bit string
   – Bit string is divided into blocks
   – Each block is used to determine which edge to follow for the next step in the graph
   – No backtracking allowed!
 Output: label of the final vertex of the walk

What kind of graph to use?
 Random walks on expander graphs mix rapidly: log(n) steps to a random vertex
 Ramanujan graphs are optimal expanders
 To find a collision: find two distinct walks of the same length which end at the same vertex, which you can easily do if you can find cycles
 Are there graphs such that finding collisions is hard? (i.e. finding distinct paths between vertices is hard)
 Bad idea: hypercube (routing is easy, can be read off from the labels)

Example: graph of supersingular elliptic curves modulo p (Pizer)
 Vertices: supersingular elliptic curves mod p
 Curves are defined over GF(p^2)
 Labeled by j-invariants
   E1 : y^2 = x^3 + a4 x + a6
   j(E1) = 1728 · 4a4^3 / (a4^3 + 27a6^2)

Pizer's graph: vertices
 Vertices: maximal orders in a quaternion algebra via E ↦ End(E)
 # vertices ~ p/12
 p ~ 2^256

Pizer's graph: edges
 Edges: degree ℓ isogenies between them
 k = ℓ+1 regular
 Graph is Ramanujan (Eichler, Shimura)
 Undirected if we assume p ≡ 1 mod 12

Isogenies
 The degree of a separable isogeny is the size of its kernel
 To construct an ℓ-isogeny from an elliptic curve E to another, take a subgroup scheme C of size ℓ, and take the quotient E/C.
 Formulas for the isogeny and the equation for E/C were given by Vélu.

One step of the walk (ℓ = 2)
 E1 : y^2 = x^3 + a4 x + a6
 j(E1) = 1728 · 4a4^3 / (a4^3 + 27a6^2)
 2-torsion point Q = (r, 0)
 E2 = E1/Q (quotient of groups)
 E2 : y^2 = x^3 − (4a4 + 15r^2) x + (8a6 − 14r^3)
 E1 → E2
 (x, y) ↦ (x + (3r^2 + a4)/(x − r), y − (3r^2 + a4) y/(x − r)^2)

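The walk from the "Hash function from expanders" slide, with the 2-isogeny step above, as an added worked example (not code from the talk or from the Charles-Goren-Lauter paper): one message bit per step over GF(p^2) for a toy prime, never taking the edge the walk arrived by. The prime p = 83, the start vertex (one fixed 2-isogeny away from j = 1728), the ordering that maps a bit to one of the two forward edges, and the brute-force root finding are assumptions chosen so the graph stays tiny; the j-invariant uses the standard formula j = 1728·4a^3/(4a^3 + 27b^2).

```python
# Toy CGL 2-isogeny walk over GF(p^2). Added example, not the talk's code; the prime, start
# vertex, bit-to-edge ordering and brute-force root finding are assumptions for a tiny graph.
P = 83  # p = 3 mod 4, so GF(p^2) = GF(p)[i]/(i^2 + 1); elements are pairs (u, v) = u + v*i

def add(x, y): return ((x[0] + y[0]) % P, (x[1] + y[1]) % P)
def sub(x, y): return ((x[0] - y[0]) % P, (x[1] - y[1]) % P)
def mul(x, y): return ((x[0] * y[0] - x[1] * y[1]) % P, (x[0] * y[1] + x[1] * y[0]) % P)
def smul(k, x): return ((k * x[0]) % P, (k * x[1]) % P)      # integer scalar times field element
def inv(x):                                                    # (u + vi)^-1 = (u - vi)/(u^2 + v^2)
    n = pow(x[0] * x[0] + x[1] * x[1], -1, P)
    return ((x[0] * n) % P, (-x[1] * n) % P)

def j_invariant(a, b):
    """Vertex label of E: y^2 = x^3 + ax + b; standard formula j = 1728*4a^3 / (4a^3 + 27b^2)."""
    a3 = smul(4, mul(a, mul(a, a)))
    return smul(1728, mul(a3, inv(add(a3, smul(27, mul(b, b))))))

def two_torsion_x(a, b):
    """x-coordinates of the three 2-torsion points: roots of x^3 + ax + b (brute force, toy size only)."""
    return [x for x in ((u, v) for u in range(P) for v in range(P))
            if add(mul(x, add(mul(x, x), a)), b) == (0, 0)]

def velu_step(a, b, r, other):
    """Quotient E by the 2-torsion point (r, 0) using the slide's formulas:
    E2: y^2 = x^3 - (4a + 15r^2)x + (8b - 14r^3), phi(x, y) = (x + (3r^2 + a)/(x - r), ...).
    Also returns phi((other, 0)).x, which generates the kernel of the dual isogeny E2 -> E1;
    that edge leads straight back, so the walk must exclude it (no backtracking)."""
    r2 = mul(r, r)
    a2 = sub((0, 0), add(smul(4, a), smul(15, r2)))
    b2 = sub(smul(8, b), smul(14, mul(r2, r)))
    back = add(other, mul(add(smul(3, r2), a), inv(sub(other, r))))
    return a2, b2, back

def walk(bits, a, b, back):
    """One edge per input bit, never the edge we arrived by; returns the final curve and its back edge."""
    for bit in bits:
        roots = sorted(x for x in two_torsion_x(a, b) if x != back)  # the 2 forward edges, fixed order
        assert len(roots) == 2
        a, b, back = velu_step(a, b, roots[bit], roots[1 - bit])
    return a, b, back

# Assumed start: one fixed 2-isogeny (kernel point (i, 0)) away from E: y^2 = x^3 + x, which has
# j = 1728 and is supersingular for p = 3 mod 4; arriving with a known back edge gives bit 1 two choices.
START = velu_step((1, 0), (0, 0), (0, 1), (0, 0))

def cgl_hash(msg):
    """Hash bytes to the j-invariant of the final vertex, as (u, v) = u + v*i in GF(p^2)."""
    bits = [(byte >> k) & 1 for byte in msg for k in range(7, -1, -1)]  # 1 bit per step when l = 2
    a, b, _ = walk(bits, *START)
    return j_invariant(a, b)
```

At this toy size the graph has only a handful of vertices, so short messages collide easily; the point is the mechanics of the step and the excluded back edge, not security.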
Collision resistance
 Finding collisions reduces to finding isogenies between elliptic curves:
   – Finding a collision ⇔ finding 2 distinct paths between any 2 vertices (or a cycle)
   – Finding a pre-image ⇔ finding any path between 2 given vertices
   – O(√p) birthday attack to find a collision

Hard Problems?
 Problem 1. Produce a pair of supersingular elliptic curves, E1 and E2, and two distinct isogenies of degree ℓ^n between them.
 Problem 2. Given E, a supersingular elliptic curve, find an endomorphism f : E → E of degree ℓ^(2n), not the multiplication by ℓ^n map.
 Problem 3. Given two supersingular elliptic curves, find an isogeny of degree ℓ^n between them.

Hardness
 Studied by [Galbraith 99] for ordinary curves
 O(sqrt(p)) best known attack
 Ensure large girth by putting conditions on the splitting behavior of p in various imaginary quadratic extensions
 Proposed as basis for other cryptosystems
 Science article, 2008

Other graphs
 Vary the isogeny degree
 Lubotzky-Phillips-Sarnak graph
   – random walk is efficient to implement
   – Hashing bandwidth: 2.2 Mbps, 192-bit prime
   – Different hard problem for finding collisions
   – Cycles found: Eurocrypt 2008, Zémor-Tillich
 Morgenstern graph, Petit-Quisquater-L.
 Higher dimensional analogues

Higher dimensional analogue
 G(L, p, ell)
 Nodes: superspecial abelian varieties over the algebraic closure of F_p with real multiplication by L, L a totally real field of degree g of strict class number 1, with p unramified in L
   – A isomorphic to a product of g supersingular elliptic curves, with an embedding of O_L into the endomorphism ring, with a principal polarization compatible with the embedding of O_L
 Edges: for a prime ideal ell of O_L, not lying over p, edges are defined by isogenies of degree ell (in a technical sense) in O_L

Properties of G(L, p, ell)
 Theorem. If ell lies over l with residue degree f, then
   – The degree of G(L, p, ell) is l^f + 1
   – The number of vertices is approximately 2^(1−g) |ζ_L(−1)| p^g
   – (for g = 1, L = Q, approximately p/12 vertices, degree l + 1)
 Choose p such that the graph is undirected.
   – Then the graph is Ramanujan

Towers (Families) and Questions
 For a sequence of totally real fields of strict class number 1 in which p is unramified, we get a tower of Ramanujan graphs (a sequence of embedded graphs)
 Other examples: Paley, Terras, …
 Question: Construct a nested sequence of graphs G_i (with embeddings which are isometries) such that n_i and d_i go to infinity, the degree d_i is bounded from above by log(n_i)^r for some positive r.
   – G_i Cayley?
   – Each graph beats the Ramanujan bound