Presentation is loading. Please wait.

Presentation is loading. Please wait.

Somos Sequences and Cryptographic Applications Richard Schroeppel Hilarie Orman R. Wm. Gosper.

Published byEmma Heath Modified over 9 years ago

Similar presentations

Presentation on theme: "Somos Sequences and Cryptographic Applications Richard Schroeppel Hilarie Orman R. Wm. Gosper."— Presentation transcript:

1 Somos Sequences and Cryptographic Applications Richard Schroeppel Hilarie Orman R. Wm. Gosper

2 Diffie-Hellman with Iterated Functions We can think of g a mod p as the iteration of g*g mod p Over elliptic curves, iterate point addition P+P to nP How about iterating something non- commutative, like SHA-1(SHA-1...(c))?

3 Hashing for Diffie-Hellman? Alice computes SHA-1 A (c) = H(A) Bob computes SHA-1 B (c) = H(B) Each computes SHA-1 A+B (c) = H(A+B) Nice, but not secure! An eavesdropper can try H(A+1), H(A+2),... in linear time We need giant steps in linear time

4 What's a Somos Sequence? Non-linear recurrences Somos 4 a n = (a n-1 a n-3 + a 2 n-2 ) / a n-4 1,1,1,1,2,3,7,23,59,314,1529,... Somos 5 b n = (b n-1 b n-4 + b n-2 b n-3 ) / b n-5 1,1,1,1,1,2,3,5,11,37,83,274,... Somos 6 c n = (c n-2 c n-5 + c n-2 c n-4 + c 2 n-3 )/c n-6 1,1,1,1,1,1,3,5,9,23,75,421,...

5 Apparent Mysteries... There's a quotient in the formulas, how come the values are integers? Somos 8 and beyond are not! Are these equivalent to some previously known sequences? Can you do anything interesting with them? Let's interpret them over finite fields

6 Correspondences Somos4 can be mapped to points on a particular elliptic curve y 2 - y = x 3 - x, P = (1, 0) and Q = (-1, 0) P+KQ  Somos4(K) Somos 6 and Somos 7 may be equivalent to hyperelliptic curves Somos 8 and beyond... non-algebraic???

7 The Magic Determinant DaDa u, v, w x, y, z ()  a u-x a u+x a u-y a u+y a u-z a u+z a v-x a v+x a v-y a v+y a v-z a v+z a w-x a w+x a w-y a w+y a w-z a w+z = 0 Proven for Somos 4 "Obvious" for sin(u-x), etc. Conjectured for a i-j = ϑ t (i-j, q) a i+j = ϑ s (i+j, q)

8 Elliptic Divisibility Sequence (EDS) s 0 = 0, s 1 = 1 s m+n s m-n = s m+1 s m-1 s n 2 - s n+1 s n-1 s m 2 m | n => s m | s n Somos 4 is the absolute values of the odd numbered terms of an EDS with s 2 = 1, s 3 = -1, s 4 = 1

9 Near Addition Formula for Somos4 Derived from the magic determinant u = k+1, v = 0, w =1 x = k-1, y = 0, z = 1 a 2k = 2a k a k+1 3 + a k-1 a k a k+2 2 - a k-1 a k+1 2 a k+2 - a k 2 a k+1 a k+2 This is our Diffie-Hellman "giant step" NB, normally DH goes from k to k 2 for the "giant step", but Somos is secure for k -> 2k !! (as we will show)

10 Somos Step-by-1 Needs Extra State {a n-3 a n-2 a n-1 a n } -> a n+1 uses a n+1 = (a n a n-2 + a 2 n-1 ) / a n-3 {a 2n-3 a 2n-2 a 2n-1 a 2n } -> a 2n+1

11 Alice and Bob and Somos4 over F[p] Alice chooses A from [1, p-1] Alice calculates Somos4(A) mod p Uses doubling formula and step-by-one formula Bob does the same with B Alice sends {Somos4(A) }= {S A-3, S A-2, S A-1, S A } to Bob Bob sends {Somos4(B)} = {S B} to Alice Alice steps S B to S B+A mod p Uses double and step-by-one Bob steps S A to S A+B

12 Somos4 Giant Steps Somos4(2A) can be computed from Somos4(A) with a "few" operations Somos(A+B) can be computed from Somos4(A) and B in about log(B) operations But, stepping Somos4(A) without knowing B would take about B guesses The giant steps make it secure

13 Example Alice has {S B } from Bob Her secret A is 105 {S B } -> {S B+1 } {{S B }, {S B+1 }} -> {{S B+3 } {S B+4 }} -> {{S B+6 } {S B+7 }} -> {{S B+13 } {S B+14 }} -> {{S B+26 } {S B+27 }} -> {{S B+52 } {S B+53 }} -> S B+105 !

14 Somos4 & Elliptic Curves Curve: Y(Y-1) = X(X-1)(X+1) Point: P = (0,0) Multiples KP: O, (0,0), (1,0), (-1,1), (2,3), (1/4,5/8), (6,-14), (-5/9,-8/27), (21/25,69/125), (-20/49,435/343), … KP = (X K,Y K ) = ( -S K-1 S K+1 /S K 2, S K-2 S K-1 S K+3 /S K 3 ) S K = 0, 1, 1, -1, 1, 2, -1, -3, -5, 7, -4, -23, 29, 59, …

15 What’s S K ? S K is a Somos4 with different initialization. S 1,2,3,4,… = 1, 1, -1, 1, … S K-2 S K+2 = S K-1 S K+1 + S K 2 like Somos4 S K-2 S K+3 + S K-1 S K+2 + S K S K+1 = 0 also A K-2 A K+3 + A K-1 A K+2 = 5A K A K+1 for Somos4 Somos4 is essentially the odd terms of S K : A K = (-1) K S 2K-3

16 Proof Overview Verify KP formula by induction on K: Check 1P and 2P. Check that P + KP = (K+1)P using the formula for KP = {mess of S K+n }, the elliptic curve point addition formula, and the algebra relations for S K S K+n. Verify Somos4-S K relationship by induction on K: Check first four values, and prove K  K+1 using the recurrence relations. Mess of algebra.

17 Multiplicity of the Map: Somos4 vs. Elliptic Curve Mod Q, the elliptic curve has period ~Q. Mod Q, Somos4 has period ~Q 2, a multiple of the elliptic curve period. S K can be recovered from a few consecutive Somos values. So we can go from Somos to elliptic curve points. In fact, the X coordinate of (2K-3)P is 1 – A K-1 A K+1 /A K 2. This will work mod Q as well. But going the other way mod Q is impossible, because roughly Q different Somos values map to the same elliptic curve point.

Download ppt "Somos Sequences and Cryptographic Applications Richard Schroeppel Hilarie Orman R. Wm. Gosper."

Similar presentations

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.
Cannonballs, Donuts, and Secrets

Cannonballs, Donuts, and Secrets
1 390-Elliptic Curves and Elliptic Curve Cryptography Michael Karls.

1 390-Elliptic Curves and Elliptic Curve Cryptography Michael Karls.
Lecture 8: Lattices and Elliptic Curves

Lecture 8: Lattices and Elliptic Curves
What is Elliptic Curve Cryptography?

What is Elliptic Curve Cryptography?
7. Asymmetric encryption-

7. Asymmetric encryption-
Elliptic curve arithmetic and applications to cryptography By Uros Abaz Supervised by Dr. Shaun Cooper and Dr. Andre Barczak.

Elliptic curve arithmetic and applications to cryptography By Uros Abaz Supervised by Dr. Shaun Cooper and Dr. Andre Barczak.
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
YSLInformation Security -- Public-Key Cryptography1 Elliptic Curve Cryptography (ECC) For the same length of keys, faster than RSA For the same degree.

YSLInformation Security -- Public-Key Cryptography1 Elliptic Curve Cryptography (ECC) For the same length of keys, faster than RSA For the same degree.
20-763 ELECTRONIC PAYMENT SYSTEMSFALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 6 Epayment Security II.

ELECTRONIC PAYMENT SYSTEMSFALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 6 Epayment Security II.
1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel:03-5742968, Fax : 886-3-572-3694.

1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :
CNS2010handout 8 :: introduction to number theory1 computer and network security matt barrie.

CNS2010handout 8 :: introduction to number theory1 computer and network security matt barrie.
Elliptic Curve Cryptography (ECC) Mustafa Demirhan Bhaskar Anepu Ajit Kunjal.

Elliptic Curve Cryptography (ECC) Mustafa Demirhan Bhaskar Anepu Ajit Kunjal.
20-751 ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.

ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.
Windows Core Security1© 2006 Microsoft Corp Cryptography: Helping Number Theorists Bring Home the Bacon Since 1977 Dan Shumow SDE Windows Core Security.

Windows Core Security1© 2006 Microsoft Corp Cryptography: Helping Number Theorists Bring Home the Bacon Since 1977 Dan Shumow SDE Windows Core Security.
Practical Aspects of Modern Cryptography Josh Benaloh & Brian LaMacchia.

Practical Aspects of Modern Cryptography Josh Benaloh & Brian LaMacchia.
Announcements: 1. HW6 due now 2. HW7 posted Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions.

Announcements: 1. HW6 due now 2. HW7 posted Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions.
Discrete Log 1 Discrete Log. Discrete Log 2 Discrete Logarithm  Discrete log problem:  Given p, g and g a (mod p), determine a o This would break Diffie-Hellman.

Discrete Log 1 Discrete Log. Discrete Log 2 Discrete Logarithm  Discrete log problem:  Given p, g and g a (mod p), determine a o This would break Diffie-Hellman.
Hidden pairings and trapdoor DDH groups Alexander W. Dent Joint work with Steven D. Galbraith.

Hidden pairings and trapdoor DDH groups Alexander W. Dent Joint work with Steven D. Galbraith.
Dr. Lo’ai Tawalbeh Fall 2005 Chapter 10 – Key Management; Other Public Key Cryptosystems Dr. Lo’ai Tawalbeh Computer Engineering Department Jordan University.

Dr. Lo’ai Tawalbeh Fall 2005 Chapter 10 – Key Management; Other Public Key Cryptosystems Dr. Lo’ai Tawalbeh Computer Engineering Department Jordan University.

Similar presentations

Ads by Google