Somos%20Sequences%20and%20Cryptographic%20Applications

1
Somos Sequences and Cryptographic Applications

• Richard Schroeppel
• Hilarie Orman
• R. Wm. Gosper

2
Diffie-Hellman with Iterated Functions

• We can think of ga mod p as the iteration of gg
  mod p
• Over elliptic curves, iterate point addition PP
  to nP
• How about iterating something non-commutative,
  like SHA-1(SHA-1...(c))?

3
Hashing for Diffie-Hellman?

• Alice computes SHA-1A(c) H(A)
• Bob computes SHA-1B(c) H(B)
• Each computes SHA-1AB(c) H(AB)
• Nice, but not secure!
• An eavesdropper can try H(A1), H(A2), ... in
  linear time
• We need giant steps in linear time

4
What's a Somos Sequence? Non-linear
recurrences

• Somos 4an (an-1an-3 a2n-2) /
  an-41,1,1,1,2,3,7,23,59,314,1529, ...
• Somos 5bn (bn-1bn-4 bn-2 bn-3) /
  bn-51,1,1,1,1,2,3,5,11,37,83,274, ...
• Somos 6cn (cn-2cn-5 cn-2cn-4
  c2n-3)/cn-61,1,1,1,1,1,3,5,9,23,75,421, ...

5
Apparent Mysteries ...

• There's a quotient in the formulas, how come the
  values are integers?
• Somos 8 and beyond are not!
• Are these equivalent to some previously known
  sequences?
• Can you do anything interesting with them?
• Let's interpret them over finite fields

6
Correspondences

• Somos4 can be mapped to points on a particular
  elliptic curve
• y2 - y x3 - x, P (1, 0) and Q (-1, 0)
• PKQ ? Somos4(K)
• Somos 6 and Somos 7 may be equivalent to
  hyperelliptic curves
• Somos 8 and beyond ... non-algebraic???

7
The Magic Determinant
au-xaux au-yauy au-zauz av-xavx av-yavy
av-zavz aw-xawx aw-yawy aw-zawz
(
)
u, v, w x, y, z
Da
?
0
Proven for Somos 4 "Obvious" for sin(u-x),
etc. Conjectured for ai-j ?t(i-j, q)
aij ?s(ij, q)
8
Elliptic Divisibility Sequence (EDS)

• s0 0, s1 1
• smnsm-n sm1sm-1sn2 - sn1sn-1sm2
• m n gt sm sn
• Somos 4 is the absolute values of the odd
  numbered terms of an EDS with s2 1, s3 -1,
  s4 1

9
Near Addition Formula for Somos4

• Derived from the magic determinant
• u k1, v 0, w 1
• x k-1, y 0 , z 1
• a2k 2akak13 ak-1akak22 -
  ak-1ak12ak2 - ak2ak1ak2
• This is our Diffie-Hellman "giant step"
• NB, normally DH goes from k to k2 for the "giant
  step", but Somos is secure for k -gt 2k !! (as
  we will show)

10
Somos Step-by-1 Needs Extra State

• an-3 an-2 an-1 an -gt an1 uses an1 (anan-2
  a2n-1) / an-3
• a2n-3 a2n-2 a2n-1 a2n -gt a2n1

11
Alice and Bob and Somos4 over Fp

• Alice chooses A from 1, p-1
• Alice calculates Somos4(A) mod p
• Uses doubling formula and step-by-one formula
• Bob does the same with B
• Alice sends Somos4(A) SA-3, SA-2, SA-1, SA
  to Bob
• Bob sends Somos4(B) SB to Alice
• Alice steps SB to SBA mod p
• Uses double and step-by-one
• Bob steps SA to SAB

12
Somos4 Giant Steps

• Somos4(2A) can be computed from Somos4(A) with a
  "few" operations
• Somos(AB) can be computed from Somos4(A) and B
  in about log(B) operations
• But, stepping Somos4(A) without knowing B would
  take about B guesses
• The giant steps make it secure

13
Example

• Alice has SB from Bob
• Her secret A is 105
• SB -gt SB1
• SB, SB1 -gt SB3 SB4 -gt
• SB6 SB7 -gt SB13 SB14 -gt
• SB26 SB27 -gt SB52 SB53 -gt
• SB105 !

14
Somos4 Elliptic Curves

• Curve Y(Y-1) X(X-1)(X1)
• Point P (0,0)
• Multiples KP O, (0,0), (1,0), (-1,1), (2,3),
  (1/4,5/8), (6,-14), (-5/9,-8/27), (21/25,69/125),
  (-20/49,435/343),
• KP (XK,YK)
• ( -SK-1SK1/SK2, SK-2SK-1SK3/SK3 )
• SK 0, 1, 1, -1, 1, 2, -1, -3, -5, 7, -4,
  -23, 29, 59,

15
Whats SK?

• SK is a Somos4 with different initialization.
• S1,2,3,4, 1, 1, -1, 1,
• SK-2SK2 SK-1SK1 SK2 like Somos4
• SK-2SK3 SK-1SK2 SKSK1 0 also
• AK-2AK3 AK-1AK2 5AKAK1 for Somos4
• Somos4 is essentially the odd terms of SK
  AK (-1)K S2K-3

16
Proof Overview

• Verify KP formula by induction on K
• Check 1P and 2P.
• Check that P KP (K1)P using the formula
  for KP mess of SKn, the elliptic curve point
  addition formula, and the algebra relations for
  SKSKn.
• Verify Somos4-SK relationship by induction on K
• Check first four values, and prove K ? K1
  using the recurrence relations.
• Mess of algebra.

17
Multiplicity of the Map Somos4 vs. Elliptic
Curve

• Mod Q, the elliptic curve has period Q.
• Mod Q, Somos4 has period Q2, a multiple of the
  elliptic curve period.
• SK can be recovered from a few consecutive Somos
  values. So we can go from Somos to elliptic
  curve points. In fact, the X coordinate of
  (2K-3)P is 1 AK-1AK1/AK2.
• This will work mod Q as well.
• But going the other way mod Q is impossible,
  because roughly Q different Somos values map to
  the same elliptic curve point.