New Zémor-Tillich Type Hash Functions Over GL₂ (𝔽_pⁿ)

Theorem 1

(Free Generators Theorem)Letpbe a prime and letd ∈ ℕ₀be such thatd > 0 ifp = 2. Choose anya, b, c, ã, b̃ ∈ 𝔽_p((x)), f, f̃ ∈ 𝔽_p((x))^×, such that

1. d([u], [v]) > 1pd+1for each pair of [u], [v] in {[a : c], [1 : b], [1: ã], [1: b̃]}, and

2. min {∣f∣, ∣f⁻¹∣} ≤ 1p2d+1, and min{∣f̃∣, ∣f̃⁻¹∣} ≤ 1p2d+1.

Then the matrices

generate a free group in PGL₂(𝔽_p((x))). In particular, any inverse images ofAandBin GL₂(𝔽_p((x))) also generate a free group.

Note that this last statement follows because PGL₂(𝔽_p((x))) = GL₂(𝔽_p((x)))/Z where Z is the subgroup of invertible scalar matrices.

Notation

Given a prime p, we define 𝔖_p to be the set of pairs of matrices S = (Ã, B̃) such that Ã, B̃ ∈ M_2×2(𝔽_p[x]) are preimages of the matrices A, B in PGL₂(𝔽_p((x))) described by Theorem 1. Further, we write 𝔖 when p is clear from context. We take ℌ to be the set of all hash functions constructed from Theorem 1 using the construction presented in Section 1.

Proposition 9

For every distinct pair of bitstringsm ∈ {0, 1}^ℓandm′ ∈ {0, 1}^ℓ′where 0 ≤ ℓ, ℓ′ < n/δ, we haveH(m) ≠ H(m′).

Proof

Let M and M′ be the respective products yielding H(m) and H(m′) in M_2×2(𝔽_p[x]) before they are projected into GL₂(𝔽_q), so that π(M) = H(m) and π(M′) = H(m′). We see the entries of M are of degree at most ℓδ and the entries of M′ are of degree at most ℓ′δ. Since ℓ,ℓ′ < n/δ, we know that each of the entries of M and M′ has degree less than n = deg(r_n(x)), and therefore π(M) = π(M′) ∈ GL₂(𝔽_q) if and only if M = M′ ∈ M_2×2(𝔽_p[x]).

We know that M, M′ ∈ 〈A, B〉, and by our hypothesis that A, B generate a free monoid in M_2×2(𝔽_p[x]). This implies that M ≠ M′ since m and m′ are distinct. Thus it is impossible that π(M) = π(M′) in GL₂(𝔽_q).□

We in fact have a stronger property for the sets of generators we have produced. Recall that each k in 𝔽_q is the image of a unique polynomial in 𝔽_p[x] of degree less than n; let the degree be denoted deg(k).

Proposition 10

Suppose (A, B) ∈ 𝔖. Then for every distinct pair of bitstringsm ∈ {0, 1}^ℓandm′ ∈ {0, 1}^ℓ′where 0 ≤ ℓ, {ℓ′} < n/δ, we have thatH(m) ≠ kH(m′) for anyk ∈ 𝔽_qsuch that (deg(k) + ℓ′δ) < n. In particular, H(m) ≠ kIfor anyk ∈ 𝔽_q, whence as elements of GL₂(𝔽_q), π(A) andπ(B) have order at leastn/δ.

Proof

Notice that since (A, B) are in 𝔖, their images in PGL₂(𝔽_p((x))) generate a free subgroup of PGL₂(𝔽_p((x))). This implies that M ≠ gM′ for any g ∈ 𝔽_p((x)).

Suppose that π(M) = kπ(M′) in GL₂(𝔽_q) for some k ∈ 𝔽_q. Viewing k as its inverse image in 𝔽_p[x] of lowest degree, we then have that M = kM′+r_n(x) T for some T ∈ M_2×2(𝔽_p[x]). By our hypothesis we know that deg(k) + deg(M′) < n, so deg(kM′) < n. Since the entries of M each also have degree less than n, this implies T = 0, thus M = kM′, which is a contradiction.

Finally, note that if one takes m′ to be the identity string, we have ℓ′ = 0, so deg k < n for any k ∈ 𝔽_q. The last assertion of the proposition follows.□

We interpret these propositions concretely for the case of our generators in Table 1.

Corollary 11

Suppose A and B are from Table 1. If m and m′ are bitstrings in {0, 1}^* such that H(m) = H(m′) then at least one of m, m′ has length at least n/max{deg(f), deg(f̃)}.

Proposition 12

Let (A, B) ∈ 𝔖_pand letW(A, B) ∈ {A, A⁻¹, B, B⁻¹}^*be a nontrivial word. Then there exists a choice of irreducibler_n(x) ∈ 𝔽_p[x] of degreensuch that

for anyk ∈ Fq×when 𝔽_q = 𝔽_p[x]/〈r_n(x)〉.

Proof

Define ϕ : = det(AB) ∈ 𝔽_p[x]. Let 𝔽_p[x]_1/ϕ be the localization of 𝔽_p[x] at ϕ, that is 𝔽_p[x]_1/ϕ = {g/ϕ^ℓ ∣ g ∈ 𝔽_p[x], ℓ ≥ 0}.

Since 1detA=detBϕ, we have 1detA ∈ 𝔽_p[x]_1/ϕ. Similarly 1detB ∈ 𝔽_p[x]_1/ϕ. As well, we note that 𝔽_p[x]_1/ϕ is contained in the fraction field 𝔽_p(x) and thus in 𝔽_p((x)). Consequently, we have that A, B ∈ GL₂(𝔽_p[x]_1/ϕ) ⊆ GL₂(𝔽_p((x))), allowing us to work in a group setting rather than in the monoid M_2×2(𝔽_p[x]).

For any irreducible polynomial r ∈ 𝔽_p[x], we define the ideal

and, assuming r ∤ ϕ, let 𝔭_1/ϕ be the localization of 𝔭 at ϕ, that is the ideal of 𝔽_p[x]_1/ϕ defined by 𝔭_1/ϕ = {rg/ϕ^ℓ ∣ g ∈ 𝔽_p[x], ℓ ≥ 0} ⊆ 𝔽_p[x]_1/ϕ.

Further, our quotient map 𝔽_p[x] → 𝔽_q extends naturally to another surjective map ψ_r: 𝔽_p[x]_1/ϕ → 𝔽_q induced by x ↦ ξ where ξ is a root of r.

The kernel of ψ_r is 𝔭_1/ϕ. Thus by the first isomorphism theorem we have

Further, we observe that the natural images of A and B ∈ GL₂(𝔽_p[x]_1/ϕ) under this homomorphism are π_r(A) and π_r(B) respectively.

Since A, B ∈ 𝔖, the images of A, B in PGL₂(𝔽_p((x))) generate a free group. This implies that no nontrivial word in {A, B, A⁻¹, B⁻¹} can be I or any scalar multiple kI of I for any k ∈ 𝔽_p((x)). We thus observe that W(π_r(A), π_r(B)) = kI in GL₂(𝔽_q) for some k ∈ Fq× if and only if, viewing k as an element of 𝔽_p[x] ⊂ 𝔽_p[x]_1/ϕ,

for some α, β, γ, δ ∈ 𝔽_p[x]_1/ϕ such that ψ_r(α) = ψ_r(δ) = ψ_r(β) = ψ_r(γ) = 0, and not all of α, β, γ, δ are the zero polynomial.

Hence it suffices to choose r_n(x) ∈ 𝔽_p[x] such that at least one of ψ_rn(α), ψ_rn(δ), ψ_rn(β), ψ_rn(γ) is nonzero. For instance, one could choose r_n(x) relatively prime to one choice of nonzero α, β, γ, or δ.□

We note that r_n(x) could also be chosen to simultaneously satisfy the last line of the above proof for each of multiple choices of words, thus allowing us to avoid any finite collection of pre-chosen relations.

Theorem 13

Letpbe a prime andq = pⁿ. Each subgroup of PSL₂(𝔽_q) is isomorphic to one of the following groups:

1. a dihedral group or one of its subgroups;

2. a groupK of order q(q − 1)/dwhered = gcd(2, q − 1) and any Sylowp-subgroup ofKis normal inK, or its subgroups;

3. the symmetric group on four elementsS₄, or the alternating group on four or five elements, A₄orA₅;

4. PSL₂(𝔽_p^ℓ) or PGL₂(𝔽_p^ℓ) for someℓ ∣ n, where PGL₂(𝔽_p^ℓ) is embedded into PSL₂(𝔽_q) as described in [30, Theorem 6.25 part (x)].

In [27, Lemma 5.3.6] the following lemma is proven using the theory of Sylow subgroups.

Lemma 14

LetKbe as in (b) of Theorem 13. Then up to conjugationKlies inside the Borel subgroup

Consider now the images [π(A)] and [π(B)] of our hash function generators in PGL₂(𝔽_q). We show that the subgroup they generate contains PSL₂(𝔽_q), and so has index at most 2 in PGL₂(𝔽_q).

Proposition 15

Let (A, B) ∈ 𝔖 andδ = max{degA, degB}. Assume that at least one of the following holds:

1. forf′ is a primitive root of 𝔽_q, nis odd andn/δ > 5 or

2. nis prime andn/δ > p(p² − 1).

Then PSL₂(𝔽_q) ⊆ 〈[π(A)], [π(B)]〉.

Proof

To simplify notation, we write Π(A) for [π(A)] ∈ PGL₂(𝔽_q) and Π(B) for [π(B)] ∈ PGL₂(𝔽_q). We note that p(p² − 1) > 5 holds for all choices of p, so we can assume n/δ > 5.

Let G = PSL₂(𝔽_q) ∩ 〈Π(A), Π(B)〉. We determine if G = PSL₂(𝔽_q), by ruling out all possible proper subgroups of PSL₂(𝔽_q) as presented in Theorem 13.

1. We notice that the group 〈Π(A)², Π(B)²〉 is a subgroup of G. Thus, if G is a dihedral group, or a subgroup of a dihedral group, then so is 〈Π(A)², Π(B)²〉. In particular, this means 〈Π(A)², Π(B)²〉 is either dihedral or cyclic. As n/δ > 4, Proposition 10 gives that (Π(A)²)² ≠ I and (Π(B)²)²) ≠ I, so this subgroup is not dihedral, since neither generator has order two.

   To see that 〈Π(A)², Π(B)²〉 is not cyclic, suppose, that Π(A)²Π(B)² = Π(B)²Π(A)². Then, we know that π(A)²π(B)² = kπ(B)²π(A)² in GL₂(𝔽_q). Notice the determinants of π(A)²π(B)² and π(B)²π(A)² are equal, so k = ± 1 ∈ 𝔽_q must hold. Since n/δ > 4 and deg(k) = 0, Proposition 10 implies that π(A)²π(B)² ≠ kπ(B)²π(A)² for k = ± 1, so this is a contradiction. Therefore, Π(A)² and Π(B)² do not commute, so this subgroup is in particular not cyclic. So G cannot fall under case (a).

2. Suppose now that G ⊆ K as in case (b). By Lemma 14, we know that K is contained in P𝔅P⁻¹ for some P ∈ PSL₂(𝔽_q). Since K is conjugate to a subgroup of 𝔅, the upper triangular matrices, all elements share a common eigenvector. By construction, A and B have different eigenvectors, respectively [a : c], [1 : b] and [1 : ã], [1: b̃]. Since δ < n, we know that a, b, c, ã, b̃ all must have entries of degree less than n. Thus, when we quotient by r_n(x), the eigenvectors remain distinct. As a consequence G cannot be isomorphic to a subgroup of K.

3. We note that any element in A₄ or S₄ has order at most 4, while any element in A₅ has order at most 5. In particular if 〈Π(A), Π(B)〉 were a subgroup of one of these, either Π(A)⁴ = I or Π(A)⁵ = I must hold. Thus, using Proposition 10, G cannot be in case (c) since n/δ > 5.

4. To show that G is not a subgroup of the form PSL₂(𝔽_p^ℓ) or PGL₂(𝔽_p^ℓ), for some ℓ ∣ n, we suggest two methods that are each sufficient on their own.

   First, suppose that either f or f′ is a primitive root of 𝔽_q and that n is odd. We suppose without loss of generality that f is a primitive root. We recall that by construction (see Lemma 5) there is a P ∈ PGL₂(𝔽_q) such that

   Π(A)=P100fP−1∈PGL2(Fq).

   Thus, since f is a primitive root, Π(A) has order pⁿ − 1.

   Suppose that G ≤ slant PGL₂(𝔽_p^ℓ) for some ℓ ∣ n. Noting that ∣PGL₂(𝔽_p^ℓ)∣ = p^ℓ(p^2ℓ − 1), we have Π(A)^{pℓ(p2ℓ−1)} = 1, so pⁿ − 1 ∣ p^ℓ(p^2ℓ − 1). We note that gcd(pⁿ − 1, pⁿ) = 1, so gcd(pⁿ − 1, p^ℓ) = 1 must hold, thus pⁿ − 1∣(p^2ℓ − 1).

   In particular, this implies that pⁿ − 1 ∣ gcd(pⁿ − 1, p^2ℓ − 1). We note that gcd(pⁿ − 1, p^2ℓ − 1) = p^gcd(n,2ℓ) − 1 = p^gcd(n,ℓ) − 1 since n is odd. Combining these, we have pⁿ − 1 ∣ p^gcd(n,ℓ) − 1, so in particular gcd(ℓ, n) ≥ n. Since ℓ ∣ n, this implies gcd(ℓ, n) = n, so n = ℓ must hold. So G does not fall under case (d).

   Suppose now instead that n is prime, and n/δ > p(p² − 1), noting neither f nor f̃ is now required to be a primitive root. Since n is prime, the only possible subgroups in (d) are those for ℓ = 1, that is PGL₂(𝔽_p) and PSL₂(𝔽_p). Note that ∣PGL₂(𝔽_p)∣ = p(p² − 1), and ∣PSL₂(𝔽_p)∣ = p(p² − 1) if p = 2 and p(p² − 1)/2 if p is odd. Thus in particular Π(A)^p(p2−1) = I, so by Proposition 10, if n/δ > p(p² − 1) case (d) cannot hold.□

   To further ensure that [π(A)] and [π(B)] generate all of PGL₂(𝔽_q), we state the following as a corollary of [27, Lemma 2.2.3].

Proposition 16

LetAandBbe matrices in PGL₂(𝔽_q) such that, as in Proposition 15, PSL₂(𝔽_q) ⊆ 〈[π(A)], [π(B)]〉. If either det(π(A)) or det(π(B)) is not a square in 𝔽_q, then 〈[π(A)], [π(B)]〉 = PGL₂(𝔽_q).

Under the hypotheses of Propositions 15 and 16, the subgroup GL₂(𝔽_q) generated by π(A) and π(B) has order at least ∣PGL₂(𝔽_q)∣ = q(q² − 1), since it is the preimage under a quotient map; for individual choices of generators, one could use ad-hoc techniques to verify if the group generated was all of GL₂(𝔽_q).

We note that the two alternative hypotheses of Proposition 15 are in practice very reasonable. For instance, we already would like to choose n, δ, such that n/δ is much larger than 5 so that our small modifications property given by Proposition 9 is practical. As well, choosing n to be prime has already been suggested to prevent against the small order attack proposed in [19].

Further, the hypothesis in Proposition 16 that one of α = det(π(A)) or β = det(π(B)) is not a square in 𝔽_q is satisfied when p is odd if α = det(π(A)) and β = det(π(B)) are primitive roots. Namely, suppose that p is odd and α ≡ γ² for some γ ∈ 𝔽_q. Since γ ∈ Fq×, we know γ^q−1 = 1. It follows then that αq−12=(γ2)q−12=1, so ord(α)∣ q−12, so α cannot be a primitive root.

Choosing π(A) and π(B) such that det(π(A)) and det(π(B)) are primitive roots is useful for another reason. Namely, we want to ensure π(A) and π(B) have large enough order to prevent small collisions of the form π(A)^ord(π(A)) = I and π(B)^ord(π(B)) = I, as well as Charnes and Pieprzyk’s short relations attack [5]. In [31], Abdukhalikov and Kim suggest A and B should be of order of at least q − 1 to prevent against these collisions. For our hash functions, we observe that if det(π(A)) is a primitive root then we necessarily have ord(π(A)) ≥ q − 1, (and the analogous statement is true for π(B)).

Though finding a primitive root of small degree is not straightforward for a general case of finite field, we note that the maximum degree of such a primitive root is bounded [32]. Further, certain choices of r_n(x) could make this easier. For example, many packages, such as GAP [33] and Magma [34], use Conway polynomials for r_n(x), which guarantee that x itself is indeed a primitive root.