Somos Sequences and Cryptographic Applications


Page 1: Somos Sequences and Cryptographic Applications

Somos Sequences and Cryptographic Applications

Richard Schroeppel

Hilarie Orman

R. Wm. Gosper

Page 2: Somos Sequences and Cryptographic Applications

Diffie-Hellman with Iterated Functions

We can think of $g^a$ mod p as the iteration of g*g mod p

Over elliptic curves, iterate point addition P+P to nP

How about iterating something non-commutative, like SHA-1(SHA-1...(c))?

Page 3: Somos Sequences and Cryptographic Applications

Hashing for Diffie-Hellman?

Alice computes $\text{SHA-1}^{A}(c) = H(A)$

Bob computes $\text{SHA-1}^{B}(c) = H(B)$

Each computes $\text{SHA-1}^{A+B}(c) = H(A+B)$

Nice, but not secure!

An eavesdropper can try H(A+1), H(A+2), ... in linear time

We need giant steps in linear time

Page 4: Somos Sequences and Cryptographic Applications

What's a Somos Sequence?

Non-linear recurrences

Somos 4: $a_n = (a_{n-1} a_{n-3} + a_{n-2}^2) / a_{n-4}$

1, 1, 1, 1, 2, 3, 7, 23, 59, 314, 1529, ...

Somos 5: $b_n = (b_{n-1} b_{n-4} + b_{n-2} b_{n-3}) / b_{n-5}$

1, 1, 1, 1, 1, 2, 3, 5, 11, 37, 83, 274, ...

Somos 6: $c_n = (c_{n-1} c_{n-5} + c_{n-2} c_{n-4} + c_{n-3}^2) / c_{n-6}$

1, 1, 1, 1, 1, 1, 3, 5, 9, 23, 75, 421, ...

Page 5: Somos Sequences and Cryptographic Applications

Apparent Mysteries ...

There's a quotient in the formulas, how come the values are integers?

Somos 8 and beyond are not!

Are these equivalent to some previously known sequences?

Can you do anything interesting with them?

Let's interpret them over finite fields

Page 6: Somos Sequences and Cryptographic Applications

Correspondences

Somos4 can be mapped to points on a particular elliptic curve

$y^2 - y = x^3 - x$, P = (1, 0) and Q = (-1, 0)

P+KQ Somos4(K)

Somos 6 and Somos 7 may be equivalent to hyperelliptic curves

Somos 8 and beyond ... non-algebraic???

Page 7: Somos Sequences and Cryptographic Applications

The Magic Determinant

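$$D_a\begin{pmatrix} u, v, w \\ x, y, z \end{pmatrix} = \begin{vmatrix} a_{u-x}a_{u+x} & a_{u-y}a_{u+y} & a_{u-z}a_{u+z} \\ a_{v-x}a_{v+x} & a_{v-y}a_{v+y} & a_{v-z}a_{v+z} \\ a_{w-x}a_{w+x} & a_{w-y}a_{w+y} & a_{w-z}a_{w+z} \end{vmatrix} = 0$$

Proven for Somos 4

"Obvious" for sin(u-x), etc.

Conjectured for $a_{i-j} = \vartheta_t(i-j, q)$, $a_{i+j} = \vartheta_s(i+j, q)$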

Page 8: Somos Sequences and Cryptographic Applications

Elliptic Divisibility Sequence (EDS)

$s_0 = 0$, $s_1 = 1$

$s_{m+n} s_{m-n} = s_{m+1} s_{m-1} s_n^2 - s_{n+1} s_{n-1} s_m^2$

$m \mid n \Rightarrow s_m \mid s_n$

Somos 4 is the absolute values of the odd numbered terms of an EDS with $s_2 = 1$, $s_3 = -1$, $s_4 = 1$

Page 9: Somos Sequences and Cryptographic Applications

Near Addition Formula for Somos4

Derived from the magic determinant

u = k+1, v = 0, w = 1

x = k-1, y = 0, z = 1

$$a_{2k} = 2 a_k a_{k+1}^3 + a_{k-1} a_k a_{k+2}^2 - a_{k-1} a_{k+1}^2 a_{k+2} - a_k^2 a_{k+1} a_{k+2}$$

This is our Diffie-Hellman "giant step"

NB, normally DH goes from k to $k^2$ for the "giant step", but Somos is secure for k -> 2k !! (as we will show)

Page 10: Somos Sequences and Cryptographic Applications

Somos Step-by-1 Needs Extra State

$\{a_{n-3}, a_{n-2}, a_{n-1}, a_n\} \to a_{n+1}$ uses $a_{n+1} = (a_n a_{n-2} + a_{n-1}^2) / a_{n-3}$

$\{a_{2n-3}, a_{2n-2}, a_{2n-1}, a_{2n}\} \to a_{2n+1}$
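
The doubling formula from the previous slide and the step-by-one rule above, run over the integers and over F_p. This is an added example, not the authors' code; the indexing a_0 = a_1 = a_2 = a_3 = 1, the function names and the primes 101 and 7 are assumptions chosen for illustration.

```python
# Added example, not from the slides. Indexing assumption: a_0 = a_1 = a_2 = a_3 = 1.

def somos4(count):
    """First `count` integer terms of a_n = (a_{n-1}a_{n-3} + a_{n-2}^2) / a_{n-4}."""
    a = [1, 1, 1, 1]
    while len(a) < count:
        q, r = divmod(a[-1] * a[-3] + a[-2] ** 2, a[-4])
        assert r == 0  # the quotient is exact over the integers
        a.append(q)
    return a[:count]

def step_by_one(window, p):
    """{a_{n-3}, a_{n-2}, a_{n-1}, a_n} -> {a_{n-2}, ..., a_{n+1}} mod prime p.

    Returns None when a_{n-3} = 0 mod p, where the division has no inverse.
    """
    a3, a2, a1, a0 = window
    if a3 % p == 0:
        return None
    nxt = (a0 * a2 + a1 * a1) * pow(a3, -1, p) % p
    return (a2, a1, a0, nxt)

def walk(n, p):
    """a_n mod p by single steps from {a_0, ..., a_3}; None if a step fails."""
    window = (1, 1, 1, 1)
    for _ in range(n - 3):
        window = step_by_one(window, p)
        if window is None:
            return None
    return window[3]

def double(a_km1, a_k, a_kp1, a_kp2, p=None):
    """a_{2k} from a_{k-1}, a_k, a_{k+1}, a_{k+2}: a polynomial, so no inverse."""
    v = (2 * a_k * a_kp1**3 + a_km1 * a_k * a_kp2**2
         - a_km1 * a_kp1**2 * a_kp2 - a_k**2 * a_kp1 * a_kp2)
    return v if p is None else v % p

if __name__ == "__main__":
    a = somos4(42)
    # Doubling formula against the integer sequence for k = 1..20.
    print(all(double(*a[k - 1:k + 3]) == a[2 * k] for k in range(1, 21)))
    # Mod 101 single steps reach a_10. Mod 7 they cannot (a_6 = 7), doubling can.
    print(walk(10, 101), walk(10, 7), double(*a[4:8], p=7))
```

The mod 7 case shows why an implementation over F_p has to handle a zero term in the window: the step-by-one rule divides by a_{n-3}, while the doubling formula never divides.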

Page 11: Somos Sequences and Cryptographic Applications

Alice and Bob and Somos4 over F[p]

Alice chooses A from [1, p-1]

Alice calculates Somos4(A) mod p

Uses doubling formula and step-by-one formula

Bob does the same with B

Alice sends {Somos4(A)} = $\{S_{A-3}, S_{A-2}, S_{A-1}, S_A\}$ to Bob

Bob sends {Somos4(B)} = $\{S_B\}$ to Alice

Alice steps $S_B$ to $S_{B+A}$ mod p

Uses double and step-by-one

Bob steps $S_A$ to $S_{A+B}$

Page 12: Somos Sequences and Cryptographic Applications

Somos4 Giant Steps

Somos4(2A) can be computed from Somos4(A) with a "few" operations

Somos4(A+B) can be computed from Somos4(A) and B in about log(B) operations

But, stepping Somos4(A) without knowing B would take about B guesses

The giant steps make it secure

Page 13: Somos Sequences and Cryptographic Applications

Example

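Alice has $\{S_B\}$ from Bob

Her secret A is 105

$\{S_B\} \to \{S_{B+1}\}$

$\{\{S_B\}, \{S_{B+1}\}\} \to \{\{S_{B+3}\}, \{S_{B+4}\}\} \to$

$\{\{S_{B+6}\}, \{S_{B+7}\}\} \to \{\{S_{B+13}\}, \{S_{B+14}\}\} \to$

$\{\{S_{B+26}\}, \{S_{B+27}\}\} \to \{\{S_{B+52}\}, \{S_{B+53}\}\} \to$

$S_{B+105}$ !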

Page 14: Somos Sequences and Cryptographic Applications

Somos4 & Elliptic Curves

Curve: $Y(Y-1) = X(X-1)(X+1)$

Point: P = (0,0)

Multiples KP: O, (0,0), (1,0), (-1,1), (2,3), (1/4,5/8), (6,-14), (-5/9,-8/27), (21/25,69/125), (-20/49,435/343), …

$KP = (X_K, Y_K) = \left( -S_{K-1}S_{K+1}/S_K^2,\ S_{K-2}S_{K-1}S_{K+3}/S_K^3 \right)$

$S_K$ = 0, 1, 1, -1, 1, 2, -1, -3, -5, 7, -4, -23, 29, 59, …

Page 15: Somos Sequences and Cryptographic Applications

What’s $S_K$?

$S_K$ is a Somos4 with different initialization.

$S_{1,2,3,4,\ldots} = 1, 1, -1, 1, \ldots$

$S_{K-2}S_{K+2} = S_{K-1}S_{K+1} + S_K^2$ like Somos4

$S_{K-2}S_{K+3} + S_{K-1}S_{K+2} + S_K S_{K+1} = 0$ also

$A_{K-2}A_{K+3} + A_{K-1}A_{K+2} = 5 A_K A_{K+1}$ for Somos4

Somos4 is essentially the odd terms of $S_K$: $A_K = (-1)^K S_{2K-3}$

Page 16: Somos Sequences and Cryptographic Applications

Proof Overview

Verify KP formula by induction on K: Check 1P and 2P. Check that P + KP = (K+1)P using the formula for KP = {mess of $S_{K+n}$}, the elliptic curve point addition formula, and the algebra relations for $S_K S_{K+n}$.

Verify Somos4-$S_K$ relationship by induction on K: Check first four values, and prove K -> K+1 using the recurrence relations. Mess of algebra.

Page 17: Somos Sequences and Cryptographic Applications

Multiplicity of the Map: Somos4 vs. Elliptic Curve

Mod Q, the elliptic curve has period ~Q.

Mod Q, Somos4 has period ~$Q^2$, a multiple of the elliptic curve period.

$S_K$ can be recovered from a few consecutive Somos values. So we can go from Somos to elliptic curve points. In fact, the X coordinate of (2K-3)P is $1 - A_{K-1}A_{K+1}/A_K^2$.

This will work mod Q as well.

But going the other way mod Q is impossible, because roughly Q different Somos values map to the same elliptic curve point.
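
The relations from the "Somos4 & Elliptic Curves" and "What’s SK?" slides and the X-coordinate formula above, checked in exact rational arithmetic. This is an added example, not the authors' code; the function names are illustrative, the Somos-4 terms are indexed from A_0 = 1 as an assumption, and the point addition is the standard Weierstrass chord and tangent rule specialised to adding P = (0,0).

```python
# Added example, not from the slides: the S_K / KP / Somos-4 relations, checked exactly.
from fractions import Fraction as F

A_PAGE = [1, 1, 1, 1, 2, 3, 7, 23, 59, 314, 1529]  # Somos-4 values as listed, A_0..A_10

def s_sequence(count):
    """S_0.. from S_{K-2}S_{K+2} = S_{K-1}S_{K+1} + S_K^2, seeded 0, 1, 1, -1, 1."""
    s = [0, 1, 1, -1, 1]
    while len(s) < count:
        q, r = divmod(s[-3] * s[-1] + s[-2] ** 2, s[-4])
        assert r == 0  # exact: S_K stays an integer sequence
        s.append(q)
    return s[:count]

def add_P(pt):
    """pt + P on Y^2 - Y = X^3 - X for P = (0, 0); pt must not be O or -P = (0, 1)."""
    x, y = pt
    lam = F(1) if x == 0 else y / x   # tangent slope at P is 1, else the chord through P
    x3 = lam * lam - x                # x3 = lam^2 - x1 - x2 with x1 = 0
    return (x3, 1 - lam * x3)         # y3 = -lam*x3 - nu - a3 with nu = 0, a3 = -1

def multiples(n):
    """[1P, 2P, ..., nP] as exact rationals."""
    pts = [(F(0), F(0))]
    while len(pts) < n:
        pts.append(add_P(pts[-1]))
    return pts

def from_s(k, s):
    """KP from the slide formula, used here for K >= 2 (needs S_{K-2} .. S_{K+3})."""
    return (F(-s[k - 1] * s[k + 1], s[k] ** 2),
            F(s[k - 2] * s[k - 1] * s[k + 3], s[k] ** 3))

def x_from_somos(k, a=A_PAGE):
    """X coordinate of (2K-3)P from three consecutive Somos-4 terms."""
    return 1 - F(a[k - 1] * a[k + 1], a[k] ** 2)

def check(n=12):
    """True if all three relations hold on the ranges tested."""
    s, pts = s_sequence(2 * n), multiples(2 * n)
    return (all(from_s(k, s) == pts[k - 1] for k in range(2, n + 1))
            and all((-1) ** k * s[2 * k - 3] == A_PAGE[k] for k in range(2, 11))
            and all(x_from_somos(k) == pts[2 * k - 4][0] for k in range(2, 10)))

if __name__ == "__main__":
    print(check())
```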