Christophe Petit - LMS CS Colloquium - November 2019

Page 1

Rubik’s for Cryptographers

Babai’s conjecture, cryptographic hash functions and quantum gates

Christophe Petit, University of Birmingham

Page 2

Cryptography

Page 3

“Proving” security

Attack on your cryptographic construction ⇒ Solution to some “hard” computational problem

Page 4

Main “hard problems” in use today

- Integer factorisation: Let n be an integer. Compute its prime factors.

- Discrete logarithm problem (DLP): Let p be a prime and let G be a subgroup of F_p^*. Given g ∈ G and h ∈ ⟨g⟩, find x such that h = g^x.

- Elliptic curve discrete logarithm problem (ECDLP): Let K be a finite field, let E be an elliptic curve over K. Let P ∈ E(K) and Q ∈ ⟨P⟩. Find x such that Q = xP.

Page 5

The threat of quantum computers

Page 6

Main post-quantum “hard problem” candidates

- Finding short vectors in lattices

- Decoding linear codes

- Solving systems of multivariate polynomial equations

- Computing isogenies between elliptic curves

- . . .

Page 7

What about group theory problems?

Page 8

Outline

Introduction

Rubik’s: a candidate hard problem from group theory

Cryptographic applications: hash functions and beyond

Bonus application: building efficient quantum circuits

Conclusion

Page 9

Outline

Introduction

Rubik’s: a candidate hard problem from group theory

Cryptographic applications: hash functions and beyond

Bonus application: building efficient quantum circuits

Conclusion

Page 10

Rubik’s cube is too easy . . .

. . . but generalizations might be hard:

Given a non abelian finite group G, a generator set S and a group element h, compute a “short” factorisation h = ∏_{s_i ∈ S} s_i.

Page 11

Is this problem hard enough?

- Rubik’s cube case is not

- What about the general case?
  - Has it been studied before?
  - Connections to well-known hard problems?
  - Can we build good (efficient and secure) crypto from it?

Page 12

Babai’s conjecture [BS92]

For any non abelian finite simple group G and any S, every element of G admits a “short” factorization (shorter than (log |G|)^c for an absolute constant c).

- Recently attracted mathematicians Bourgain, Gamburd, Green, Helfgott, Kantor, Lubotzky, Tao, . . .

- Rubik’s generalization ∼ constructive proof of Babai’s conjecture

Page 13

Status of Babai’s conjecture

- Proved for all groups of Lie type and bounded rank, but the proofs are non constructive

- Constructive proofs also exist for
  - almost all generating sets in symmetric/alternating groups
  - specific generating sets in SL(m, K)

- Rubik’s generalisation still plausibly hard for generic generator sets in matrix groups (no constructive proof)

Page 14

A graph-theoretical perspective

- For any group G and generator set S, one can associate the Cayley graph 𝒢 = (V, E) where
  - V = {v_g | g ∈ G}
  - (v_{g1}, v_{g2}) ∈ E ⇔ v_{g2} · v_{g1}^{−1} ∈ S

- Example: G = (Z/8Z, +), S = {1, 2}

[Figure: the Cayley graph of (Z/8Z, +) with generator set {1, 2}, vertices labelled 0 to 7]

Page 15

A graph-theoretical perspective (2)

- Babai’s conjecture: Cayley graphs of simple non abelian groups have small diameters (there exist short paths between any pair of vertices)

- Rubik’s generalization: given two vertices, compute a short path between them

Page 16

Outline

Introduction

Rubik’s: a candidate hard problem from group theory

Cryptographic applications: hash functions and beyond

Bonus application: building efficient quantum circuits

Conclusion

Page 17

Cryptographic hash functions

H : {0, 1}* → {0, 1}^n

- Message authentication codes

- Digital signatures

- Password storage

- Pseudorandom number generation

- Entropy extraction

- Key derivation techniques

- ...

Page 18

Hash function application: authenticating communications with LMS website

Page 19

Hash functions main security requirements

H : {0, 1}* → {0, 1}^n

- Preimage resistance: given h, hard to find m such that H(m) = h

- Collision resistance: hard to find m, m′ such that H(m) = H(m′)

- Second preimage resistance: given m, hard to find m′ such that H(m′) = H(m)

- + uniform output distribution, “random oracle”

Page 20

Typical hash function construction

Page 21

Hash functions from Rubik’s generalization

Page 22

Hash functions from Rubik’s generalization

- Let G be a non-abelian group and S := {s_0, ..., s_{k−1}} ⊂ G

- Write m = m_1 m_2 ... m_N with m_i ∈ {0, ..., k − 1}. Define

  H(m) := s_{m_1} s_{m_2} ... s_{m_N}

Page 23

Toy example: G = (Z/8Z, +), S = {1, 2}

[Figure: the Cayley graph of (Z/8Z, +) with generator set {1, 2}, vertices 0 to 7, with the walk 0 → 1 → 3 → 4 highlighted]

m = 101, H(m) = 0 + 1 + 2 + 1 = 4

(actual parameters should use G non abelian, much larger)

Page 24

Example: Tillich-Zemor hash function [TZ94]

(2×2 matrices are written row by row, rows separated by semicolons)

- Let p ∈ F_2[X] be an irreducible polynomial of degree n, let K := F_2[X]/(p(X)) ≈ F_{2^n}

- Let G = SL(2, K) and S = {A_0 = [ X 1 ; 1 0 ], A_1 = [ X X+1 ; 1 1 ]}

- Then H(m_1 m_2 ... m_N) := A_{m_1} A_{m_2} ... A_{m_N} mod p(X)

- Efficiency:
  - Only requires a few shifts and additions per message bit
  - Computation can be parallelized: H(m||m′) = H(m) · H(m′)
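The construction above as an added, runnable example (not the speaker's code): a Tillich-Zemor hash over K = F_2[X]/(p(X)) with the two generator matrices from the slide, which also checks the parallelisation property H(m||m′) = H(m)·H(m′) and that every digest lies in SL(2, K). The modulus p(X) = X^8 + X^4 + X^3 + X + 1 is an assumption made only to keep the field small enough to follow by hand; it is far too small for real use.

```python
from typing import Tuple

# Constructed demo parameter: p(X) = X^8 + X^4 + X^3 + X + 1 is irreducible over F_2,
# so K = F_2[X]/(p(X)) has 2^8 elements.  Field elements are ints whose bits are the
# polynomial coefficients, so X itself is 0b10.  Real parameters use n of a few hundred.
P = 0b1_0001_1011
N_BITS = 8
X = 0b10

Mat = Tuple[Tuple[int, int], Tuple[int, int]]

def gf_mul(a: int, b: int) -> int:
    """Multiply in F_2[X]/(p(X)): carry-less product, reducing by p whenever degree n is hit."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N_BITS:
            a ^= P
    return r

def mat_mul(m1: Mat, m2: Mat) -> Mat:
    """2x2 product over K; addition in characteristic 2 is XOR."""
    (a, b), (c, d) = m1
    (e, f), (g, h) = m2
    return ((gf_mul(a, e) ^ gf_mul(b, g), gf_mul(a, f) ^ gf_mul(b, h)),
            (gf_mul(c, e) ^ gf_mul(d, g), gf_mul(c, f) ^ gf_mul(d, h)))

def det(m: Mat) -> int:
    (a, b), (c, d) = m
    return gf_mul(a, d) ^ gf_mul(b, c)

IDENTITY: Mat = ((1, 0), (0, 1))
A0: Mat = ((X, 1), (1, 0))          # the slide's A_0 = [ X 1 ; 1 0 ]
A1: Mat = ((X, X ^ 1), (1, 1))      # the slide's A_1 = [ X X+1 ; 1 1 ]
GENERATORS = (A0, A1)

def tz_hash(bits: str) -> Mat:
    """H(m_1 ... m_N) = A_{m_1} ... A_{m_N}: one matrix multiplication per message bit."""
    h = IDENTITY
    for bit in bits:
        h = mat_mul(h, GENERATORS[int(bit)])
    return h

if __name__ == "__main__":
    m, m2 = "1101001", "0110"
    assert tz_hash(m + m2) == mat_mul(tz_hash(m), tz_hash(m2))   # H(m||m') = H(m) H(m')
    print(tz_hash(m + m2), det(tz_hash(m + m2)))
```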

Page 25

Security

- Preimage resistance = Rubik’s generalization: Given h ∈ G, find m_1, ..., m_N ∈ {0, ..., k − 1} such that h = ∏_{i=1}^{N} s_{m_i}, with N “small”

- 2nd preimage resistance: Given a product of generators, find another product of generators leading to the same value

- Collision resistance: Find two products of generators leading to the same value

Page 26

Expansion properties ⇒ uniform outputs

- Expander graphs are families of highly connected regular graphs: ∃ c > 0 such that

  min_{S ⊂ V, |S| ≤ |V|/2} |δ(S)| / |S| = c.

  Useful property: random walks mix quickly

- Cayley graphs tend to be good expanders
  - Implies they have small diameter (Babai’s conjecture)
  - Implies the above hash function has uniform outputs when inputs long enough
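An added example (not from the slides) that makes the toy case concrete: it builds the Cayley graph of (Z/8Z, +) with S = {1, 2} from page 14, computes its diameter by breadth-first search, evaluates the toy hash of page 23, and measures how far the digest distribution over all messages of a given length sits from uniform, which is the mixing claim just above. The symbol-to-generator mapping is chosen to reproduce the slide's walk m = 101 ↦ 0 + 1 + 2 + 1.

```python
from collections import deque
from itertools import product

# Toy parameters from the slides: G = (Z/8Z, +) with generator set S = {1, 2}.
# The slide's worked example m = 101 walks 0 -> 1 -> 3 -> 4, i.e. symbol '1'
# steps by 1 and symbol '0' steps by 2; S maps message symbols to generators.
N = 8
S = {"1": 1, "0": 2}

def cayley_graph(n=N, gens=tuple(S.values())):
    """Cayley graph of (Z/nZ, +): an edge g -> g + s for every generator s."""
    return {g: [(g + s) % n for s in gens] for g in range(n)}

def diameter(graph):
    """Longest shortest path over all ordered vertex pairs (BFS from each vertex)."""
    worst = 0
    for src in graph:
        dist = {src: 0}
        queue = deque([src])
        while queue:
            v = queue.popleft()
            for w in graph[v]:
                if w not in dist:
                    dist[w] = dist[v] + 1
                    queue.append(w)
        if len(dist) != len(graph):
            raise ValueError("S does not generate the group")
        worst = max(worst, max(dist.values()))
    return worst

def toy_hash(msg, n=N, gens=S):
    """H(m) = s_{m1} + ... + s_{mN} in Z/nZ: a walk from 0 along the Cayley graph."""
    return sum(gens[c] for c in msg) % n

def distance_from_uniform(length, n=N, gens=S):
    """Statistical distance between the distribution of H over all messages of
    the given length and the uniform distribution on Z/nZ (0 means uniform)."""
    counts = [0] * n
    for msg in product(gens, repeat=length):
        counts[toy_hash(msg, n, gens)] += 1
    total = len(gens) ** length
    return sum(abs(c / total - 1 / n) for c in counts) / 2

if __name__ == "__main__":
    print("diameter:", diameter(cayley_graph()), " H(101) =", toy_hash("101"))
    for length in (3, 6, 12, 20):
        print(length, round(distance_from_uniform(length), 4))
```

The distance shrinks as messages get longer, which is the sense in which the digests of a walk on an expander become uniform.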

Page 27

Parameters suggested for the hash function

Zemor [Z91]: p prime, G = SL(2, F_p), S = {[ 1 1 ; 0 1 ], [ 1 0 ; 1 1 ]}

Tillich-Zemor [TZ94]: p ∈ F_2[X] irreducible, G = SL(2, F_{2^n}), S = {[ X 1 ; 1 0 ], [ X X+1 ; 1 1 ]}

LPS [CGL09]: p prime, G = PSL(2, F_p), S as in Lubotzky-Phillips-Sarnak’s Ramanujan graphs

Morgenstern [PLQ07]: p ∈ F_2[X] irreducible, G = PSL(2, F_{2^n}), S as in Morgenstern’s Ramanujan graphs

Page 28

Cryptanalysis techniques

- Exhaustive search

- Birthday paradox techniques, meet-in-the-middle

- Subgroup attacks

- Lifting attacks: lift to a ring with unique factorization

- Trapdoor attacks: person who chooses the parameters can more easily compute collisions and/or preimages

Page 29

Subgroup attacks

- Assume G = G_0 ⊃ G_1 ⊃ G_2 ... ⊃ G_N = {1}

Page 30

Subgroup attacks

- Assume G = G_0 ⊃ G_1 ⊃ G_2 ... ⊃ G_N = {1} and |G_i| / |G_{i+1}| “small”

- Compute factorization of 1:
  - Compute random products of s_0 and s_1 to get two elements s′_0 and s′_1 of G_1, then proceed recursively

- This gives a second preimage attack
  - H(m) = 1 ⇒ H(m′||m) = H(m′) H(m) = H(m′)

- Attack can be extended to a preimage attack

- Attack not efficient for well-chosen groups G

Page 31

Subgroup attacks on the Rubik’s cube

|G| = (1/12) · 12! · 8! · 3^8 · 2^12

Page 32

Lifting attacks

- Intuition: factorization easier over infinite groups, often unique, at least the length is leaked

- Principle: lift the factorization problem to some infinite group where it is easier to solve
  - Define the lifted set appropriately
  - Find a way to lift elements
  - Factor elements in the lifted set

Page 33

Lifting attacks: Zemor’s parameters [TZ94]

- G = SL(2, F_p), S = {[ 1 1 ; 0 1 ], [ 1 0 ; 1 1 ]}

- Given [ a b ; c d ] ∈ SL(2, F_p)

  1. Lifting: find [ A B ; C D ] ∈ SL(2, Z+) such that [ A B ; C D ] = [ a b ; c d ] mod p

  2. Solving: factor [ A B ; C D ] as a product of [ 1 1 ; 0 1 ] and [ 1 0 ; 1 1 ] with the Euclidean algorithm:
     If A ≥ B, apply the Euclidean algorithm to (A, B), else apply the Euclidean algorithm to (C, D)

  Indeed:
  - a_{i−1} = q_i a_i + a_{i+1} ⇔ ( a_{i−2} ; a_{i−1} ) = [ 1 q_{i−1} ; 0 1 ] [ 1 0 ; q_i 1 ] ( a_i ; a_{i+1} )
  - [ 1 q ; 0 1 ] = [ 1 1 ; 0 1 ]^q and [ 1 0 ; q 1 ] = [ 1 0 ; 1 1 ]^q
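An added example (not the speaker's code) of the solving step only: given a non-negative integer matrix of determinant 1, assumed here to be the output of a lifting step that the slide does not detail, it recovers the unique word in R = [ 1 1 ; 0 1 ] and L = [ 1 0 ; 1 1 ] by Euclidean division on the rows and multiplies it back as a check. It shows concretely why a lifting set this dense makes the Euclidean step cheap for Zemor's parameters, which is the weakness summarised on page 35.

```python
# Zemor's generators as integer matrices (rows as tuples): A0 = R, A1 = L.
R = ((1, 1), (0, 1))
L = ((1, 0), (1, 1))
I2 = ((1, 0), (0, 1))

def mat_mul(m1, m2):
    (a, b), (c, d) = m1
    (e, f), (g, h) = m2
    return ((a * e + b * g, a * f + b * h), (c * e + d * g, c * f + d * h))

def factor_sl2_nonneg(m):
    """Word over {'R', 'L'} whose product is m, for m in SL(2, Z) with entries >= 0.

    Determinant 1 forces one row of a non-identity m to dominate the other entrywise,
    which decides the next generator; the quotient of a Euclidean division step on the
    dominating pair of entries is the number of consecutive copies of that generator."""
    (a, b), (c, d) = m
    if min(a, b, c, d) < 0 or a * d - b * c != 1:
        raise ValueError("expected a non-negative integer matrix of determinant 1")
    word = []
    while (a, b, c, d) != (1, 0, 0, 1):
        if a >= c and b >= d:                      # row 1 dominates: peel off R^q
            q = b // d if c == 0 else min(a // c, b // d)
            word.append("R" * q)
            a, b = a - q * c, b - q * d            # m <- R^{-q} m
        else:                                      # row 2 dominates: peel off L^q
            q = c // a if b == 0 else min(c // a, d // b)
            word.append("L" * q)
            c, d = c - q * a, d - q * b            # m <- L^{-q} m
    return "".join(word)

def product_of_word(word):
    """Multiply the generators back together to check a factorization."""
    m = I2
    for g in word:
        m = mat_mul(m, R if g == "R" else L)
    return m

if __name__ == "__main__":
    lifted = ((16, 37), (3, 7))                    # constructed input: 16*7 - 37*3 = 1
    w = factor_sl2_nonneg(lifted)
    assert product_of_word(w) == lifted
    # Reading R as bit 0 and L as bit 1 gives a message whose Zemor hash is `lifted` mod p.
    print(w, len(w))
```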

Page 34

Solution to LPS case (sketch)

- Let G = PSL(2, F_p) and S = {s ∈ G | det(s) = ℓ}

- Given h ∈ G, find a small factorization h = ∏_{s_i ∈ S} s_i

  1. Solve the problem for diagonal matrices [ A+Bi 0 ; 0 A−Bi ] where i^2 = 1. This amounts to solving a norm equation (Aλ + wp)^2 + (Bλ + xp)^2 + (yp)^2 + (zp)^2 = ℓ^e

  2. Reduce the general case to the diagonal case: [ M_1 M_2 ; M_3 M_4 ] = λ [ 1 0 ; 0 α ] s_1 [ 1 0 ; 0 β_1 ] s_1 [ 1 0 ; 0 β_2 ] s_1 [ 1 0 ; 0 ω ]

- Note Babai’s conjecture holds: diameter ≈ 2 log_ℓ |G|

Page 35

Is this hash function design secure?

- Zemor and Tillich-Zemor parameters very special
  + Small generators chosen for efficiency
  − Lifting easier as lifting set is dense

- LPS and Morgenstern parameters very special
  + High symmetry for Ramanujan property
  − Lifting easier, lifting set described by simple equations

- Small changes to these parameters defeat the attacks, and Rubik’s generalization still plausibly hard in general

Page 36

Another cryptographic application

- WalnutDSA is a signature scheme based on braid groups

- WalnutDSA had damaging malleability properties: given several valid signatures on random messages, one can produce a valid signature on any other message by solving a specific instance of the Rubik’s problem

- Specific instance involved could be solved in practice; this gave the first attack on WalnutDSA

Page 37

Instance solved in WalnutDSA attack

- Group G is a subgroup of GL(n, F_q)

- Generator set contains random group elements (one per valid signature received)

- Target element is another random element in the group

- Attack is a subgroup attack (note GL(k, F_q) is a subgroup of GL(k, F_q) for all k)

Page 38

Outline

Introduction

Rubik’s: a candidate hard problem from group theory

Cryptographic applications: hash functions and beyond

Bonus application: building efficient quantum circuits

Conclusion

Page 39

Unitary quantum gates

- In quantum computation, information stored into qbits: each qbit is a superposition of 0 and 1

  |q⟩ = α|0⟩ + β|1⟩

  with α, β ∈ C and α^2 + β^2 = 1

- By the laws of physics, all operations on quantum qbits must be reversible

  ( α ; β ) −→ ( α′ ; β′ ) = U ( α ; β ) for U ∈ U(2, C) unitary

Page 40

Rubik’s problem in quantum context

- Suppose you have physical realizations for a restricted set of quantum gates S = {s_1, . . . , s_k} ⊂ U(2, C), and you need to perform another operation h ∈ U(2, C)

- Solution: combine your elementary quantum gates to build a good approximation of your target

  h ≈ ∏_{s_i ∈ S} s_i

Page 41

Candidate quantum gate sets (single qbit)

- Typical gate set: Clifford + T gates

  X = [ 0 1 ; 1 0 ],  Y = [ 0 −i ; i 0 ],  Z = [ 1 0 ; 0 −1 ]

  H = (1/√2) [ 1 1 ; 1 −1 ],  T = [ 1 0 ; 0 e^{iπ/4} ]

- More recently, LPS gates and variants suggested

Page 42

Example: LPS Ramanujan graphs

- G = PSL(2, F_p) and S = {s ∈ G | det s = ℓ}

- Hash function cryptanalysis: given h ∈ PSL(2, F_p), find h̃ = ∏ (1/√ℓ) s_{m_i} such that h = h̃ mod p

- Quantum circuit design: given h ∈ U(2, C), find h̃ = ∏ (1/√ℓ) s_{m_i} such that ||h − h̃|| small

- Same problem with different norms: p-adic vs diamond

- Algorithms to solve both problems are also very similar

Page 43

Outline

Introduction

Rubik’s: a candidate hard problem from group theory

Cryptographic applications: hash functions and beyond

Bonus application: building efficient quantum circuits

Conclusion

Page 44

Conclusion

- Babai’s conjecture: any non abelian simple group element has a small factorisation in any set of generators

- Equivalently, Cayley graphs have small diameters

- Most proofs are combinatorics, non constructive

- Hardness of constructive version underlies the security of a family of cryptographic hash functions

- A similar problem appears in quantum gate design, solved with similar techniques

- Many interesting open problems with lots of applications!

Page 45

Thanks!

- Questions?