Post on 31-Dec-2015
Somos Sequences and Cryptographic Applications
Richard Schroeppel
Hilarie Orman
R. Wm. Gosper
Diffie-Hellman with Iterated Functions
We can think of $g^a \bmod p$ as the iteration of $g \cdot g \bmod p$
Over elliptic curves, iterate point addition P+P to nP
How about iterating something non-commutative, like SHA-1(SHA-1...(c))?
Hashing for Diffie-Hellman?
Alice computes $\mathrm{SHA\text{-}1}^{A}(c) = H(A)$ (SHA-1 iterated A times)
Bob computes $\mathrm{SHA\text{-}1}^{B}(c) = H(B)$
Each computes $\mathrm{SHA\text{-}1}^{A+B}(c) = H(A+B)$
Nice, but not secure!
An eavesdropper can try H(A+1), H(A+2), ... in linear time
We need giant steps in linear time
What's a Somos Sequence? Non-linear recurrences
Somos 4: $a_n = (a_{n-1} a_{n-3} + a_{n-2}^2) / a_{n-4}$
1, 1, 1, 1, 2, 3, 7, 23, 59, 314, 1529, ...
Somos 5: $b_n = (b_{n-1} b_{n-4} + b_{n-2} b_{n-3}) / b_{n-5}$
1, 1, 1, 1, 1, 2, 3, 5, 11, 37, 83, 274, ...
Somos 6: $c_n = (c_{n-1} c_{n-5} + c_{n-2} c_{n-4} + c_{n-3}^2) / c_{n-6}$
1, 1, 1, 1, 1, 1, 3, 5, 9, 23, 75, 421, ...
Apparent Mysteries ...
There's a quotient in the formulas, how come the values are integers?
Somos 8 and beyond are not!
Are these equivalent to some previously known sequences?
Can you do anything interesting with them?
Let's interpret them over finite fields
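The three recurrences above, the integrality question and the "Somos 8 and beyond are not!" remark can all be checked by computing the sequences in exact rational arithmetic. The following is an added example (my own code, not from the slides or their authors); the function names and the modulus 1009 in the finite-field variant are my choices. The general-k form of the recurrence it uses is the obvious extension of the Somos 4/5/6 formulas on the slides: $a_n a_{n-k} = \sum_{i=1}^{\lfloor k/2 \rfloor} a_{n-i} a_{n-k+i}$.

```python
from fractions import Fraction


def somos(k, count, init=None):
    """First `count` terms of a Somos-k sequence in exact rational arithmetic.

    Recurrence (the slides' Somos 4/5/6 written for general k):
        a_n * a_{n-k} = sum_{i=1..floor(k/2)} a_{n-i} * a_{n-k+i}
    For even k the last summand is a_{n-k/2}^2. Fractions are used so that a
    non-integer quotient shows up as such instead of being rounded away.
    """
    init = [1] * k if init is None else list(init)
    if len(init) != k:
        raise ValueError("need exactly k initial terms")
    a = [Fraction(x) for x in init]
    while len(a) < count:
        n = len(a)
        s = sum(a[n - i] * a[n - k + i] for i in range(1, k // 2 + 1))
        a.append(s / a[n - k])  # exact division, never rounds
    return a[:count]


def first_non_integer(k, limit):
    """Index of the first non-integer term among the first `limit` terms of
    Somos-k started from all ones, or None if every term is an integer."""
    for n, term in enumerate(somos(k, limit)):
        if term.denominator != 1:
            return n
    return None


def somos_mod_p(k, count, p, init=None):
    """The same recurrence over F_p. The quotient is undefined when a_{n-k} is
    0 mod p, an edge case the integer view never shows, so fail loudly there."""
    init = [1] * k if init is None else list(init)
    a = [x % p for x in init]
    while len(a) < count:
        n = len(a)
        s = sum(a[n - i] * a[n - k + i] for i in range(1, k // 2 + 1)) % p
        d = a[n - k]
        if d == 0:
            raise ZeroDivisionError(f"a_{n - k} is 0 mod {p}; a_{n} is undefined")
        a.append(s * pow(d, -1, p) % p)
    return a[:count]


if __name__ == "__main__":
    for k in (4, 5, 6, 7, 8):
        print(f"Somos-{k}: first non-integer index = {first_non_integer(k, 40)}")
    print("Somos-4 mod 1009:", somos_mod_p(4, 15, 1009))
```

Running it reproduces the three integer sequences printed on the slide, finds no non-integer term in Somos 4 through Somos 7, and finds the first non-integer term of Somos 8 at index 17 (the term 420514/7), which is the concrete content behind "Somos 8 and beyond are not!".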
Correspondences
Somos4 can be mapped to points on a particular elliptic curve
$y^2 - y = x^3 - x$, P = (1, 0) and Q = (-1, 0)
$P + KQ \leftrightarrow \mathrm{Somos4}(K)$
Somos 6 and Somos 7 may be equivalent to hyperelliptic curves
Somos 8 and beyond ... non-algebraic???
The Magic Determinant
$D_a(u, v, w;\, x, y, z) = \det \begin{pmatrix} a_{u-x} a_{u+x} & a_{u-y} a_{u+y} & a_{u-z} a_{u+z} \\ a_{v-x} a_{v+x} & a_{v-y} a_{v+y} & a_{v-z} a_{v+z} \\ a_{w-x} a_{w+x} & a_{w-y} a_{w+y} & a_{w-z} a_{w+z} \end{pmatrix} = 0$
Proven for Somos 4
"Obvious" for sin(u-x), etc.
Conjectured for $a_{i-j} = \vartheta_t(i-j, q)$, $a_{i+j} = \vartheta_s(i+j, q)$
Elliptic Divisibility Sequence (EDS)
$s_0 = 0,\; s_1 = 1$
$s_{m+n} s_{m-n} = s_{m+1} s_{m-1} s_n^2 - s_{n+1} s_{n-1} s_m^2$
$m \mid n \Rightarrow s_m \mid s_n$
Somos 4 is the absolute values of the odd-numbered terms of an EDS with $s_2 = 1,\; s_3 = -1,\; s_4 = 1$
Near Addition Formula for Somos4
Derived from the magic determinant with u = k+1, v = 0, w = 1; x = k-1, y = 0, z = 1
$a_{2k} = 2 a_k a_{k+1}^3 + a_{k-1} a_k a_{k+2}^2 - a_{k-1} a_{k+1}^2 a_{k+2} - a_k^2 a_{k+1} a_{k+2}$
This is our Diffie-Hellman "giant step"
NB, normally DH goes from k to $k^2$ for the "giant step", but Somos is secure for k -> 2k !! (as we will show)
Somos Step-by-1 Needs Extra State
$\{a_{n-3}, a_{n-2}, a_{n-1}, a_n\} \to a_{n+1}$ uses $a_{n+1} = (a_n a_{n-2} + a_{n-1}^2) / a_{n-3}$
$\{a_{2n-3}, a_{2n-2}, a_{2n-1}, a_{2n}\} \to a_{2n+1}$
Alice and Bob and Somos4 over F[p]
Alice chooses A from [1, p-1]
Alice calculates Somos4(A) mod p
Uses doubling formula and step-by-one formula
Bob does the same with B
Alice sends {Somos4(A)} = $\{S_{A-3}, S_{A-2}, S_{A-1}, S_A\}$ to Bob
Bob sends {Somos4(B)} = $\{S_B\}$ to Alice
Alice steps $S_B$ to $S_{B+A}$ mod p
Uses double and step-by-one
Bob steps $S_A$ to $S_{A+B}$
Somos4 Giant Steps
Somos4(2A) can be computed from Somos4(A) with a "few" operations
Somos4(A+B) can be computed from Somos4(A) and B in about log(B) operations
But, stepping Somos4(A) without knowing B would take about B guesses
The giant steps make it secure
Example
Alice has {SB} from Bob
Her secret A is 105
$\{S_B\} \to \{S_{B+1}\}$
$\{\{S_B\}, \{S_{B+1}\}\} \to \{\{S_{B+3}\}, \{S_{B+4}\}\} \to$
$\{\{S_{B+6}\}, \{S_{B+7}\}\} \to \{\{S_{B+13}\}, \{S_{B+14}\}\} \to$
$\{\{S_{B+26}\}, \{S_{B+27}\}\} \to \{\{S_{B+52}\}, \{S_{B+53}\}\} \to$
$S_{B+105}$ !
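The mechanics of the exchange on the last four slides (step-by-one, the doubling formula, and the two parties arriving at the same Somos4(A+B) window) can be exercised over a small F[p]. The code below is an added example, written by me and not taken from the slides; the modulus $p = 2^{31}-1$, the secret values 105 and 77, and the function names are my own constructed choices. One deliberate limitation: the slides give the doubling formula only for the canonical sequence 1, 1, 1, 1, ..., so `giant_step` is checked on that sequence, while the shift from $S_B$ to $S_{B+A}$ is done with A single steps rather than the double-and-step ladder of the example slide. That keeps the example faithful to what the slides state, at the cost that the honest party here does the same linear work an eavesdropper would; the ladder is exactly what the real scheme relies on to avoid that.

```python
# Constructed demo modulus (a Mersenne prime). The slides only say "Somos4 over
# F[p]"; the size and choice of p here are mine, not the authors'.
P = 2**31 - 1


def step(win, p=P):
    """Step-by-one: {a_{n-3}, a_{n-2}, a_{n-1}, a_n} -> {a_{n-2}, a_{n-1}, a_n, a_{n+1}}
    with a_{n+1} = (a_n a_{n-2} + a_{n-1}^2) / a_{n-3}, all mod p."""
    a_nm3, a_nm2, a_nm1, a_n = win
    if a_nm3 % p == 0:
        # The quotient is undefined at this index over F_p; refuse rather than guess.
        raise ZeroDivisionError("a_{n-3} vanished mod p")
    a_np1 = (a_n * a_nm2 + a_nm1 * a_nm1) * pow(a_nm3, -1, p) % p
    return [a_nm2, a_nm1, a_n, a_np1]


def step_by(win, count, p=P):
    """Apply `count` single steps to a window."""
    for _ in range(count):
        win = step(win, p)
    return win


def window(n, p=P):
    """Somos4(n) = {a_{n-3}, ..., a_n} of the canonical sequence 1,1,1,1,2,3,7,...
    reduced mod p. Index 3 is the initial block {a_0, ..., a_3}."""
    if n < 3:
        raise ValueError("this demo only builds windows with n >= 3")
    return step_by([1, 1, 1, 1], n - 3, p)


def giant_step(win, p=P):
    """a_{2k} from {a_{k-1}, a_k, a_{k+1}, a_{k+2}} (that is, window(k+2)) using the
    slides' doubling formula:
    a_{2k} = 2 a_k a_{k+1}^3 + a_{k-1} a_k a_{k+2}^2 - a_{k-1} a_{k+1}^2 a_{k+2} - a_k^2 a_{k+1} a_{k+2}
    It is a polynomial identity in the terms, so it holds verbatim mod p."""
    a_km1, a_k, a_k1, a_k2 = win
    return (2 * a_k * a_k1**3
            + a_km1 * a_k * a_k2**2
            - a_km1 * a_k1**2 * a_k2
            - a_k**2 * a_k1 * a_k2) % p


def key_agreement(A, B, p=P):
    """Both parties' view of the exchange; returns (Alice's shared window, Bob's)."""
    somos_A = window(A, p)                  # Alice publishes {S_{A-3}, ..., S_A}
    somos_B = window(B, p)                  # Bob publishes {S_{B-3}, ..., S_B}
    alice_shared = step_by(somos_B, A, p)   # Alice steps S_B to S_{B+A}
    bob_shared = step_by(somos_A, B, p)     # Bob steps S_A to S_{A+B}
    return alice_shared, bob_shared


if __name__ == "__main__":
    alice, bob = key_agreement(105, 77)
    print("shared windows agree:", alice == bob, alice)
    print("a_10 by doubling:", giant_step(window(7)), " by stepping:", window(10)[-1])
```

The `ZeroDivisionError` branch is not decorative: over F_p the step formula divides by $a_{n-3}$, and an index where that term is 0 mod p simply has no successor, so an implementation has to detect it rather than silently continue.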
Somos4 & Elliptic Curves
Curve: $Y(Y-1) = X(X-1)(X+1)$
Point: P = (0, 0)
Multiples KP: O, (0,0), (1,0), (-1,1), (2,3), (1/4,5/8), (6,-14), (-5/9,-8/27), (21/25,69/125), (-20/49,435/343), …
$KP = (X_K, Y_K) = \left( -S_{K-1} S_{K+1} / S_K^2,\; S_{K-2} S_{K-1} S_{K+3} / S_K^3 \right)$
$S_K$ = 0, 1, 1, -1, 1, 2, -1, -3, -5, 7, -4, -23, 29, 59, …
What's $S_K$? $S_K$ is a Somos4 with different initialization.
$S_{1,2,3,4,\ldots}$ = 1, 1, -1, 1, …
$S_{K-2} S_{K+2} = S_{K-1} S_{K+1} + S_K^2$, like Somos4
$S_{K-2} S_{K+3} + S_{K-1} S_{K+2} + S_K S_{K+1} = 0$ also
$A_{K-2} A_{K+3} + A_{K-1} A_{K+2} = 5 A_K A_{K+1}$ for Somos4
Somos4 is essentially the odd terms of $S_K$: $A_K = (-1)^K S_{2K-3}$
Proof Overview
Verify the KP formula by induction on K: Check 1P and 2P. Check that P + KP = (K+1)P using the formula for KP = {mess of $S_{K+n}$}, the elliptic curve point addition formula, and the algebra relations for $S_K S_{K+n}$.
Verify the Somos4-$S_K$ relationship by induction on K: Check the first four values, and prove K -> K+1 using the recurrence relations. Mess of algebra.
Multiplicity of the Map: Somos4 vs. Elliptic Curve
Mod Q, the elliptic curve has period ~Q.
Mod Q, Somos4 has period ~$Q^2$, a multiple of the elliptic curve period.
$S_K$ can be recovered from a few consecutive Somos values. So we can go from Somos to elliptic curve points. In fact, the X coordinate of (2K-3)P is $1 - A_{K-1} A_{K+1} / A_K^2$.
This will work mod Q as well.
But going the other way mod Q is impossible, because roughly Q different Somos values map to the same elliptic curve point.
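The EDS slide, the "Somos4 & Elliptic Curves" slide and the X-coordinate formula just above all make concrete claims that can be verified term by term: the EDS recurrence, the divisibility property, the $KP$ formula landing on the curve, $A_K = (-1)^K S_{2K-3}$ recovering Somos4, and $X(\,(2K-3)P\,) = 1 - A_{K-1} A_{K+1} / A_K^2$. The code below is an added example of mine, not the authors' code; the function names are my own, and the only input it assumes is the initial block $S_0, \ldots, S_4 = 0, 1, 1, -1, 1$ taken from the slides.

```python
from fractions import Fraction


def eds_terms(count):
    """S_0 .. S_{count-1} of the EDS on the slides (S_0=0, S_1=1, S_2=1, S_3=-1, S_4=1),
    extended by the Somos4-like relation S_{K-2} S_{K+2} = S_{K-1} S_{K+1} + S_K^2,
    which is the general EDS recurrence with n = 2 and these initial values."""
    S = [0, 1, 1, -1, 1]
    while len(S) < count:
        K = len(S) - 2                       # the next term produced is S_{K+2}
        num = S[K - 1] * S[K + 1] + S[K] ** 2
        if num % S[K - 2] != 0:              # an EDS never trips this; keep it honest
            raise ValueError(f"S_{K + 2} is not an integer")
        S.append(num // S[K - 2])
    return S[:count]


def eds(S, i):
    """Index helper that also serves negative indices via S_{-i} = -S_i."""
    return S[i] if i >= 0 else -S[-i]


def eds_recurrence_holds(S, m, n):
    """The general identity s_{m+n} s_{m-n} = s_{m+1} s_{m-1} s_n^2 - s_{n+1} s_{n-1} s_m^2."""
    lhs = eds(S, m + n) * eds(S, m - n)
    rhs = (eds(S, m + 1) * eds(S, m - 1) * eds(S, n) ** 2
           - eds(S, n + 1) * eds(S, n - 1) * eds(S, m) ** 2)
    return lhs == rhs


def point(S, K):
    """KP = (X_K, Y_K) = (-S_{K-1} S_{K+1} / S_K^2, S_{K-2} S_{K-1} S_{K+3} / S_K^3), K >= 1."""
    X = Fraction(-eds(S, K - 1) * eds(S, K + 1), eds(S, K) ** 2)
    Y = Fraction(eds(S, K - 2) * eds(S, K - 1) * eds(S, K + 3), eds(S, K) ** 3)
    return (X, Y)


def on_curve(pt):
    """The slides' curve Y(Y-1) = X(X-1)(X+1)."""
    X, Y = pt
    return Y * (Y - 1) == X * (X - 1) * (X + 1)


def somos4_from_eds(S, K):
    """A_K = (-1)^K S_{2K-3}: the K-th term of the canonical Somos4 sequence."""
    return (-1) ** K * eds(S, 2 * K - 3)


def x_of_odd_multiple(S, K):
    """X coordinate of (2K-3)P from Somos4 terms alone: 1 - A_{K-1} A_{K+1} / A_K^2."""
    A = lambda j: somos4_from_eds(S, j)
    return 1 - Fraction(A(K - 1) * A(K + 1), A(K) ** 2)


if __name__ == "__main__":
    S = eds_terms(20)
    print("S_K:", S[:14])
    print("KP for K=1..6:", [point(S, K) for K in range(1, 7)])
    print("Somos4 from S_K:", [somos4_from_eds(S, K) for K in range(11)])
    print("X of 5P via Somos4:", x_of_odd_multiple(S, 4), "direct:", point(S, 5)[0])
```

Every multiple listed on the slide comes out of `point`, and the map from Somos4 terms to the X coordinate of $(2K-3)P$ agrees with the direct formula for each K; the converse direction, recovering the Somos window from a curve point, has no function here because the slides argue it is not well defined mod Q.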