Somos Sequences and Cryptographic Applications
Richard Schroeppel, Hilarie Orman, R. Wm. Gosper

Diffie-Hellman with Iterated Functions
• We can think of $g^a \bmod p$ as the iteration of g*g mod p
• Over elliptic curves, iterate point addition P+P to nP
• How about iterating something non-commutative, like SHA-1(SHA-1...(c))?

Hashing for Diffie-Hellman?
• Alice computes $\text{SHA-1}^A(c) = H(A)$
• Bob computes $\text{SHA-1}^B(c) = H(B)$
• Each computes $\text{SHA-1}^{A+B}(c) = H(A+B)$
• Nice, but not secure!
• An eavesdropper can try H(A+1), H(A+2), ... in linear time
• We need giant steps in linear time

What's a Somos Sequence? Non-linear recurrences
• Somos 4: $a_n = (a_{n-1}a_{n-3} + a_{n-2}^2) / a_{n-4}$
  1, 1, 1, 1, 2, 3, 7, 23, 59, 314, 1529, ...
• Somos 5: $b_n = (b_{n-1}b_{n-4} + b_{n-2}b_{n-3}) / b_{n-5}$
  1, 1, 1, 1, 1, 2, 3, 5, 11, 37, 83, 274, ...
• Somos 6: $c_n = (c_{n-1}c_{n-5} + c_{n-2}c_{n-4} + c_{n-3}^2) / c_{n-6}$
  1, 1, 1, 1, 1, 1, 3, 5, 9, 23, 75, 421, ...

Apparent Mysteries ...
• There's a quotient in the formulas, so how come the values are integers?
• Somos 8 and beyond are not!
• Are these equivalent to some previously known sequences?
• Can you do anything interesting with them?
• Let's interpret them over finite fields

Correspondences
• Somos4 can be mapped to points on a particular elliptic curve
• $y^2 - y = x^3 - x$, P = (1, 0) and Q = (-1, 0)
• $P + KQ \leftrightarrow$ Somos4(K)
• Somos 6 and Somos 7 may be equivalent to hyperelliptic curves
• Somos 8 and beyond ... non-algebraic???

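The Magic Determinant
$$D_a\begin{pmatrix} u, v, w \\ x, y, z \end{pmatrix} = \begin{vmatrix} a_{u-x}a_{u+x} & a_{u-y}a_{u+y} & a_{u-z}a_{u+z} \\ a_{v-x}a_{v+x} & a_{v-y}a_{v+y} & a_{v-z}a_{v+z} \\ a_{w-x}a_{w+x} & a_{w-y}a_{w+y} & a_{w-z}a_{w+z} \end{vmatrix} = 0$$
• Proven for Somos 4
• "Obvious" for sin(u-x), etc.
• Conjectured for $a_{i-j} = \vartheta_t(i-j, q)$, $a_{i+j} = \vartheta_s(i+j, q)$
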
Elliptic Divisibility Sequence (EDS)
• $s_0 = 0$, $s_1 = 1$
• $s_{m+n}s_{m-n} = s_{m+1}s_{m-1}s_n^2 - s_{n+1}s_{n-1}s_m^2$
• $m \mid n \Rightarrow s_m \mid s_n$
• Somos 4 is the absolute values of the odd numbered terms of an EDS with $s_2 = 1$, $s_3 = -1$, $s_4 = 1$

Near Addition Formula for Somos4
• Derived from the magic determinant
• u = k+1, v = 0, w = 1
• x = k-1, y = 0, z = 1
• $a_{2k} = 2a_k a_{k+1}^3 + a_{k-1}a_k a_{k+2}^2 - a_{k-1}a_{k+1}^2 a_{k+2} - a_k^2 a_{k+1}a_{k+2}$
• This is our Diffie-Hellman "giant step"
• NB, normally DH goes from $k$ to $k^2$ for the "giant step", but Somos is secure for k -> 2k !! (as we will show)

Somos Step-by-1 Needs Extra State
• $\{a_{n-3}, a_{n-2}, a_{n-1}, a_n\} \to a_{n+1}$ uses $a_{n+1} = (a_n a_{n-2} + a_{n-1}^2) / a_{n-3}$
• $\{a_{2n-3}, a_{2n-2}, a_{2n-1}, a_{2n}\} \to a_{2n+1}$

Alice and Bob and Somos4 over F[p]
• Alice chooses A from [1, p-1]
• Alice calculates Somos4(A) mod p
  • Uses doubling formula and step-by-one formula
• Bob does the same with B
• Alice sends {Somos4(A)} = $\{S_{A-3}, S_{A-2}, S_{A-1}, S_A\}$ to Bob
• Bob sends {Somos4(B)} = $\{S_B\}$ to Alice
• Alice steps $S_B$ to $S_{B+A}$ mod p
  • Uses double and step-by-one
• Bob steps $S_A$ to $S_{A+B}$

Somos4 Giant Steps
• Somos4(2A) can be computed from Somos4(A) with a "few" operations
• Somos(A+B) can be computed from Somos4(A) and B in about log(B) operations
• But, stepping Somos4(A) without knowing B would take about B guesses
• The giant steps make it secure

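Example
• Alice has $\{S_B\}$ from Bob
• Her secret A is 105
• $\{S_B\} \to \{S_{B+1}\}$
• $\{\{S_B\}, \{S_{B+1}\}\} \to \{\{S_{B+3}\}, \{S_{B+4}\}\} \to$
• $\{\{S_{B+6}\}, \{S_{B+7}\}\} \to \{\{S_{B+13}\}, \{S_{B+14}\}\} \to$
• $\{\{S_{B+26}\}, \{S_{B+27}\}\} \to \{\{S_{B+52}\}, \{S_{B+53}\}\} \to$
• $S_{B+105}$ !
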
Somos4 & Elliptic Curves
Curve: Y(Y-1) = X(X-1)(X+1)
Point: P = (0,0)
Multiples KP: O, (0,0), (1,0), (-1,1), (2,3), (1/4,5/8), (6,-14), (-5/9,-8/27), (21/25,69/125), (-20/49,435/343), …
$KP = (X_K, Y_K) = \left( -S_{K-1}S_{K+1}/S_K^2,\ S_{K-2}S_{K-1}S_{K+3}/S_K^3 \right)$
$S_K$ = 0, 1, 1, -1, 1, 2, -1, -3, -5, 7, -4, -23, 29, 59, …

What’s $S_K$?
$S_K$ is a Somos4 with different initialization.
$S_{1,2,3,4,\ldots} = 1, 1, -1, 1, \ldots$
$S_{K-2}S_{K+2} = S_{K-1}S_{K+1} + S_K^2$, like Somos4
$S_{K-2}S_{K+3} + S_{K-1}S_{K+2} + S_K S_{K+1} = 0$ also
$A_{K-2}A_{K+3} + A_{K-1}A_{K+2} = 5A_K A_{K+1}$ for Somos4
Somos4 is essentially the odd terms of $S_K$: $A_K = (-1)^K S_{2K-3}$

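An added example, not from the slides or their authors: setting (m, n) = (i+1, i) and (i+1, i-1) in the EDS identity above gives division-free doubling formulas (since $S_1 = S_2 = 1$), so $S_K \bmod p$, and through $A_K = (-1)^K S_{2K-3}$ also Somos4(K) mod p, costs about log K steps. The function names are hypothetical, the modulus is constructed, and the code assumes the standard EDS symmetry $S_{-n} = -S_n$.

```python
# Added illustration; function names are hypothetical, not from the slides.

def double_block(blk, bit, p):
    """blk = [S_{k-3}, ..., S_{k+4}] mod p -> same-shaped block centred on 2k+bit."""
    def odd(j):   # S_{2i+1} = S_{i+2} S_i^3 - S_{i-1} S_{i+1}^3, where S_i = blk[j]
        return (blk[j + 2] * blk[j] ** 3 - blk[j - 1] * blk[j + 1] ** 3) % p

    def even(j):  # S_{2i} = S_i (S_{i+2} S_{i-1}^2 - S_{i-2} S_{i+1}^2), using S_2 = 1
        return blk[j] * (blk[j + 2] * blk[j - 1] ** 2
                         - blk[j - 2] * blk[j + 1] ** 2) % p

    # Nine consecutive terms S_{2k-3} .. S_{2k+5}; keep the eight around 2k+bit.
    seq = [odd(1), even(2), odd(2), even(3), odd(3),
           even(4), odd(4), even(5), odd(5)]
    return seq[bit:bit + 8]


def eds_mod(k, p):
    """S_k mod p for k >= 1, one block doubling per bit of k, no division."""
    # S_{-2} .. S_5 from the slides' values, assuming S_{-n} = -S_n.
    blk = [x % p for x in (-1, -1, 0, 1, 1, -1, 1, 2)]
    for bit in bin(k)[3:]:            # bits of k after the leading 1
        blk = double_block(blk, int(bit), p)
    return blk[3]


def somos4_mod(k, p):
    """Somos4(k) mod p for k >= 2, via A_K = (-1)^K S_{2K-3}."""
    return (-1) ** k * eds_mod(2 * k - 3, p) % p


def somos4_exact(k):
    """Reference value: integer Somos 4 by the step-by-one recurrence."""
    a = [1, 1, 1, 1]
    for n in range(4, k + 1):
        a.append((a[n - 1] * a[n - 3] + a[n - 2] ** 2) // a[n - 4])
    return a[k]


if __name__ == "__main__":
    p = 2**61 - 1                     # constructed modulus for the demo
    for k in (8, 10, 50):
        print(k, somos4_mod(k, p), somos4_exact(k) % p)
```

Unlike the step-by-one recurrence, the doubling never divides, so it keeps working when an earlier term happens to be 0 mod p.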
Proof Overview
Verify KP formula by induction on K:
Check 1P and 2P.
Check that P + KP = (K+1)P using the formula for KP = {mess of $S_{K+n}$}, the elliptic curve point addition formula, and the algebra relations for $S_K S_{K+n}$.
Verify Somos4-$S_K$ relationship by induction on K:
Check first four values, and prove K → K+1 using the recurrence relations.
Mess of algebra.

Multiplicity of the Map: Somos4 vs. Elliptic Curve
Mod Q, the elliptic curve has period ~Q.
Mod Q, Somos4 has period ~$Q^2$, a multiple of the elliptic curve period.
$S_K$ can be recovered from a few consecutive Somos values.
So we can go from Somos to elliptic curve points.
In fact, the X coordinate of (2K-3)P is $1 - A_{K-1}A_{K+1}/A_K^2$.
This will work mod Q as well.
But going the other way mod Q is impossible, because roughly Q different Somos values map to the same elliptic curve point.