Presentation is loading. Please wait.

Presentation is loading. Please wait.

Applications of Ramanujan Graphs in Cryptography Kristin Lauter Microsoft Research Cryptography Group IPAM Expander Graphs and Applications February 12,

Published byPrudence Gordon Modified over 8 years ago

Similar presentations

Presentation on theme: "Applications of Ramanujan Graphs in Cryptography Kristin Lauter Microsoft Research Cryptography Group IPAM Expander Graphs and Applications February 12,"— Presentation transcript:

1 Applications of Ramanujan Graphs in Cryptography Kristin Lauter Microsoft Research Cryptography Group IPAM Expander Graphs and Applications February 12, 2008

2 joint work with Denis Charles and Eyal Goren: 1. Cryptographic hash functions from expander graphs, Journal of Cryptology, 2007 2. Families of Ramanujan graphs and quaternion algebras, “Groups and Symmetries”, Proceedings of conference in honor of John McKay, 2007

3 Hash functions A hash function maps bit strings of some finite length to bit strings of some fixed finite length h : {0,1} n  {0,1} m easy to compute unkeyed (unkeyed hash functions do not require a secret key to compute the output) Collision resistant Uniformly distributed output

4 Collision-resistance A hash function h is collision resistant if it is computationally infeasible to find two distinct inputs, x, y, which hash to the same output h(x) = h(y). A hash function h is preimage resistant if, given any output of h, it is computationally infeasible to find an input, x, which hashes to that output.

5 Hash functions: Practical applications Security of most cryptographic protocols Password verification Integrity check of received content Signed hashes Encryption protocols Message digest Microsoft source code (720 uses of MD5)

6 Background Crypto04 Rump session: collisions found in the most commonly used hash functions MD4, MD5, … SHA-0, SHA-1 also under attack NIST organizes a series of workshops (2005, 2006) and a competition (2007-09) to select new hash functions. Submissions due 2008!

7 Provable hash function Goal: to construct efficiently computable collision-resistant hash functions. It is a provable collision resistant hash function if to compute a collision is to solve some other well-known hard problem, such as factoring or discrete log.

8 Related work: (provable hashes) VSH [Contini, Lenstra, Steinfeld, 2005] ECDLP-based Zemor-Tillich `94, Hashing with SL 2 (Z) Joye-Quisquater, `97, Quisquater `04 Goldreich, 2000, One-way functions from LPS graphs …

9 Hash function from expanders: k-regular graph G Each vertex in the graph has a label Input: a bit string Bit string is divided into blocks Each block used to determine which edge to follow for the next step in the graph No backtracking allowed! Output: label of the final vertex of the walk

10 What kind of graph to use? Random walks on expander graphs mix rapidly: log(n) steps to a random vertex Ramanujan graphs are optimal expanders To find a collision: find two distinct walks of the same length which end at same vertex, which you can easily do if you can find cycles Are there graphs such that finding collisions is hard? (i.e. finding distinct paths between vertices is hard) Bad idea: hypercube (routing is easy, can be read off from the labels)

11 Example: graph of supersingular elliptic curves modulo p (Pizer) Vertices: supersingular elliptic curves mod p Curves are defined over GF(p 2 ) Labeled by j-invariants E 1 : y 2 = x 3 +a 4 x+a 6 j(E 1 )=1728*4a 4 3 /(a 4 3 +27a 6 2 )

12 Pizer’s graph: vertices Vertices: maximal orders in a quaternion algebra via E  End(E) # vertices ~ p/12 p ~ 2 256

13 Pizer’s graph: edges Edges: degree ℓ isogenies between them k = ℓ+1 – regular Graph is Ramanujan (Eichler, Shimura) Undirected if we assume p == 1 mod 12

14 Isogenies The degree of a separable isogeny is the size of its kernel To construct an ℓ -isogeny from an elliptic curve E to another, take a subgroup-scheme C of size ℓ, and take the quotient E/C. Formula for the isogeny and equation for E/C were given by Velu.

15

16 One step of the walk: (ℓ=2) E 1 : y 2 = x 3 +a 4 x+a 6 j(E 1 )=1728*4a 4 3 /(a 4 3 +27a 6 2 ) 2-torsion point Q = (r, 0) E 2 = E 1 /Q (quotient of groups) E 2 : y 2 = x 3 − (4a 4 + 15r 2 )x + (8a 6 − 14r 3 ). E 1  E 2 (x, y)  (x +(3r 2 + a 4 )/(x-r), y − (3r 2 + a 4 )y/(x-r) 2 )

17 Collision resistance Finding collisions reduces to finding isogenies between elliptic curves: Finding a collision  finding 2 distinct paths between any 2 vertices (or a cycle) Finding a pre-image  finding any path between 2 given vertices O(√p) birthday attack to find a collision

18 Hard Problems ? Problem 1. Produce a pair of supersingular elliptic curves, E 1 and E 2, and two distinct isogenies of degree ℓ n between them. Problem 2. Given E, a supersingular elliptic curve, find an endomorphism f : E  E of degree ℓ 2n, not the multiplication by ℓ n map. Problem 3. Given two supersingular elliptic curves, find an isogeny of degree ℓ n between them.

19 Hardness Studied by [Galbraith 99] for ordinary curves O(sqrt(p)) best known attack Ensure large girth by putting conditions on the splitting behavior of p in various imaginary quadratic extensions Proposed as basis for other cryptosystems Science article, 2008

20 Other graphs Vary the isogeny degree Lubotzky-Phillips-Sarnak graph – random walk is efficient to implement – Hashing bandwidth: 2.2 Mbps, 192-bit prime – Different hard problem for finding collisions – Cycles found: Eurocrypt 2008, Zemor-Tillich Morgenstern graph, Petit-Quisquater-L. Higher dimensional analogues

21 Higher dimensional analogue G(L,p,ell) Nodes: Superspecial abelian varieties over algebraic closure of F p with real multiplication by L, L a totally real field of degree g of strict class number 1, with p unramified in L A isomorphic to a product of g supersingular elliptic curves, with embedding of O L into endomorphism ring, with principal polarization compatible with embedding of O L Edges: For a prime ideal ell of O L, not lying over p, edges are defined by isogenies of degree ell (in a technical sense) in O L

22 Properties of G(L,p,ell) Theorem. If ell lies over l with residue degree f, then The degree of G(L,p,ell) is l f +1 The number of vertices is approximately 2 1-g |Zeta L (-1)|p g (for g=1, L=Q, approximately p/12 vertices, degree l+1) Choose p such that the graph is undirected. Then the graph is Ramanujan

23 Towers (Families) and Questions For a sequence of totally real fields of strict class number 1 in which p is unramified, we get a tower of Ramanujan graphs (a sequence of embedded graphs) Other examples: Paley, Terras,… Question: Construct a nested sequence of graphs G i (with embeddings which are isometries) such that n i and d i go to infinity, the degree d i is bounded from above by log(n i ) r for some positive r. – G i Cayley? – Each graph beats the Ramanujan bound

Download ppt "Applications of Ramanujan Graphs in Cryptography Kristin Lauter Microsoft Research Cryptography Group IPAM Expander Graphs and Applications February 12,"

Similar presentations

Asymptotically Optimal Communication for Torus- Based Cryptography David Woodruff MIT Joint work with Marten van Dijk Philips/MIT.

Asymptotically Optimal Communication for Torus- Based Cryptography David Woodruff MIT Joint work with Marten van Dijk Philips/MIT.
Signatures for Network Coding Denis Charles Kamal Jain Kristin Lauter Microsoft Research.

Signatures for Network Coding Denis Charles Kamal Jain Kristin Lauter Microsoft Research.
An Introduction to Pairing Based Cryptography Dustin Moody October 31, 2008.

An Introduction to Pairing Based Cryptography Dustin Moody October 31, 2008.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Notation Intro. Number Theory Online Cryptography Course Dan Boneh

Notation Intro. Number Theory Online Cryptography Course Dan Boneh
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Arithmetic Intersection of CM points with the reducible locus on the Siegel moduli space Kristin Lauter, Microsoft Research joint work with Eyal Goren,

Arithmetic Intersection of CM points with the reducible locus on the Siegel moduli space Kristin Lauter, Microsoft Research joint work with Eyal Goren,
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.

Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.
Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.

Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.

Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie.

Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
EXPANDER GRAPHS Properties & Applications. Things to cover ! Definitions Properties Combinatorial, Spectral properties Constructions “Explicit” constructions.

EXPANDER GRAPHS Properties & Applications. Things to cover ! Definitions Properties Combinatorial, Spectral properties Constructions “Explicit” constructions.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
CS470, A.SelcukHash Functions1 Cryptographic Hash Functions CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukHash Functions1 Cryptographic Hash Functions CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Hash Functions Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.

CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.

Similar presentations

Ads by Google