Navigating in the Cayley graph of and applications to hashing
Cayley hash functions are based on a simple idea of using a pair of (semi)group elements, and , to hash the 0 and 1 bit, respectively, and then to hash an arbitrary bit string in the natural way, by using multiplication of elements in the (semi)group. In this paper, we focus on hashing with matrices over . Since there are many known pairs of matrices over that generate a free monoid, this yields numerous pairs of matrices over , for a sufficiently large prime , that are candidates for collision-resistant hashing. However, this trick can "backfire", and lifting matrix entries to may facilitate finding a collision. This "lifting attack" was successfully used by Tillich and Zémor in the special case where two matrices and generate (as a monoid) the whole monoid . However, in this paper we show that the situation with other, "similar", pairs of matrices from is different, and the "lifting attack" can (in some cases) produce collisions in the group generated by and , but not in the positive monoid. Therefore, we argue that for these pairs of matrices, there are no known attacks at this time that would affect the security of the corresponding hash functions. We also give explicit lower bounds on the length of collisions for hash functions corresponding to some particular pairs of matrices from .
New Constructions of Collapsing Hashes
Collapsing is a post-quantum strengthening of collision resistance, needed to lift many classical results to the quantum setting. Unfortunately, the only existing standard-model proofs of collapsing hashes require LWE. We construct the first collapsing hashes from the quantum hardness of any one of the following problems:
- LPN in a variety of low noise or high-hardness regimes, essentially matching what is known for collision resistance from LPN.
- Finding cycles on exponentially-large expander graphs, such as those arising from isogenies on elliptic curves.
- The optimal hardness of finding collisions in *any* hash function.
- The *polynomial* hardness of finding collisions, assuming a certain plausible regularity condition on the hash.
As an immediate corollary, we obtain the first statistically hiding post-quantum commitments and post-quantum succinct arguments (of knowledge) under the same assumptions. Our results are obtained by a general theorem which shows how to construct a collapsing hash from a post-quantum collision-resistant hash function , regardless of whether or not itself is collapsing, assuming satisfies a certain regularity condition we call semi-regularity.