Tokareva N

This document discusses connections between graph theory and cryptography. It begins with an introduction to cryptography terminology like plaintext, ciphertext, encryption, decryption, cryptanalysis, and cryptographic goals of confidentiality, integrity, authentication, and non-repudiation. It then discusses symmetric and asymmetric cryptographic algorithms, block ciphers, stream ciphers, and how modern cryptography connects to discrete mathematics and graph theory concepts like sparse graphs, social networks, hash functions, expander graphs, and random graphs. The document provides examples of open problems and extremal results regarding sparse graphs that are relevant to cryptography.

Connections between graph theory and cryptography

Natalia Tokareva

G2C2: Graphs and Groups, Cycles and Coverings


September, 24–26, 2014. Novosibirsk, Russia
Introduction to cryptography
Terminology
Cryptography is the scientific and practical activity concerned with
developing cryptographic means of protecting information
and with justifying their cryptographic resistance.

Plaintext is a secret message. Often it is a sequence of binary bits.

Ciphertext is an encrypted message.

Encryption is the process of disguising a message in such a way as
to hide its substance (the process of transforming plaintext into
ciphertext by means of a cipher).

Cipher is a family of invertible mappings from the set of plaintext
sequences to the set of ciphertext sequences. Each mapping
depends on a special parameter, the key. The key is the replaceable
part of the cipher.
Deciphering is the process of turning a ciphertext back into the
plaintext, carried out with a known key.

Decryption is the process of recovering the plaintext from the ciphertext
without knowing the key.
Cryptanalysis is the scientific and practical activity of analysing
cryptographic algorithms with the goal of obtaining estimates of
their cryptographic resistance.

Cryptology is the concept combining both cryptography and
cryptanalysis.
Cryptographic goals

1) Confidentiality is a service used to keep the content of
information from all but those authorized to have it.
2) Data integrity is a service which addresses the unauthorized
alteration of data.
3) Authentication is a service related to identification. This
function applies to both entities and information itself. Two
parties entering into a communication should identify each
other.
4) Non-repudiation is a service which prevents an entity from
denying previous commitments or actions.
Types of cryptographic algorithms


• Symmetric algorithms (conventional algorithms) are algorithms
where the encryption key can be calculated from the
decryption key and vice versa.
• Public-key algorithms (asymmetric algorithms) are designed so
that the key used for encryption (public key) is different from
the key used for decryption (private key).
Main principles
Symmetric algorithms are algorithms in which the encryption key
can be calculated from the decryption key and vice versa.
• Usually the encryption key = the decryption key.
• The sender and receiver should agree on a key before secure
communication.
• Security of a symmetric algorithm is guaranteed by the key;
divulging the key means that anyone could encrypt and
decrypt messages. As long as the communication needs to
remain secret, the key should remain secret.
Block and stream ciphers

Symmetric algorithms can be divided into two categories:

1) The first type operates on the plaintext a single bit (or
sometimes byte) at a time; these algorithms are called stream
ciphers.
Examples: A5/1, A5/2, Grain, Trivium, Achterbahn-128/80
and others.
2) The second type operates on the plaintext in groups of
bits. The groups of bits are called blocks, and the algorithms
are called block ciphers.
Examples: DES, GOST 28147-89, AES, CAST-128, SMS4
and others.
Stream ciphers
A stream cipher generates a pseudorandom sequence of bits
that should be XORed with a binary bit sequence of a plaintext.
Such a sequence is called a gamma.

plaintext ⊕ gamma = ciphertext

The system’s security depends only on the gamma.


Block ciphers

The plaintext is divided into blocks of bits (typical block sizes are
64, 128, 256). Then all blocks are encrypted separately by a cipher,
which is some mapping F depending on a secret key.
Connections to graph theory


Modern cryptography is highly connected with discrete
mathematics. Many cryptographic algorithms such as RSA,
ElGamal, elliptic curve methods, symmetric ciphers AES, CAST,
Grain, several stream ciphers, hash functions, statistical methods of
cryptanalysis, cryptographic protocols, etc. are directly based on
mathematical results.
In this talk we discuss connections between cryptographic methods
and graph theory. We consider such topics as:
• sparse graphs, social networks and mobile security systems;
• hash functions, expander and random graphs;
• cycles of large period and linear recurrent sequences;
• cryptographic Boolean functions and graphs;
• metrical properties of Cayley graphs and bent functions.
Sparse graphs, social networks and mobile security systems


A sparse graph is a graph in which the number of edges is much
less than the possible number of edges.
A.Lee, I.Streinu (2008), L.Theran (2009) defined a sparse graph
as follows. A graph is $(k,\ell)$-sparse if every nonempty subgraph with $n$
vertices has at most $kn - \ell$ edges. A graph is $(k,\ell)$-tight if it is
$(k,\ell)$-sparse and has exactly $kn - \ell$ edges.
Some details:
• trees are exactly the (1,1)-tight graphs;
• forests are exactly the (1,1)-sparse graphs;
• the facts that any planar graph with n vertices has at most
3n − 6 edges, and that any subgraph of a planar graph is planar,
together imply that the planar graphs are (3,6)-sparse. However,
not every (3,6)-sparse graph is planar;
• I.Streinu and L.Theran showed that testing $(k,\ell)$-sparsity may be
performed in polynomial time when $k$ and $\ell$ are integers and
$0 \le \ell < 2k$.
A problem for a mathematician. Studying sparse graphs,
L.Lovász mentions in his paper “Graph homomorphisms: Open
problems” (2008) the following problem:
“Problem 42. Suppose that instead of exploring the neighborhood
of a single random node, we could select two random nodes and
test simple quantities associated with them, like distance,
maximum flow, electrical resistance. What information can be
gained by such tests? Is there a “complete” set of tests that would
give enough information to determine the global structure of the
graph to a reasonable accuracy?”
A problem for a mathematician. In the paper “Extremal results
in sparse pseudorandom graphs” D.Conlon, J.Fox, Y.Zhao discuss
several problems for sparse graphs.
For instance, an analog of the regularity lemma for sparse graphs was
proven by Y.Kohayakawa (1997) and by V.Rödl; an analog of the counting
lemma is still not proven.
Regularity lemma. “Roughly speaking, it says that the vertex set
of every graph can be partitioned into a bounded number of parts
so that the induced bipartite graph between almost all pairs of
parts is pseudorandom.”
Counting lemma. “Roughly speaking, it says that the number of
embeddings of a fixed graph H into a pseudorandom graph G can
be estimated by pretending that G were a genuine random graph.”
Hash functions, expander and random graphs


Hash functions and sparse graphs


A hash function is an arbitrary function that can be used to map
digital data of any size to digital data of a fixed size.
Slight differences in input data have to produce big differences in
output data. Finding a preimage or a collision has to be difficult.
Usually hash functions are constructed in steps.


Expander graphs and hash functions

Sparse graphs are used for constructing cryptographically resistant
hash functions.
An expander graph is a sparse graph that has strong connectivity
properties, quantified using vertex, edge or spectral expansion.
Informally, expander graphs are graphs in which the neighbor set of
any “not too large” subset of vertices contains many new vertices.
Application for constructing hash functions: the input to the hash
function is used as directions for walking around a graph, and the
ending vertex is the output of the hash function.
An idea...

“Nel mezzo del cammin di nostra vita,
mi ritrovai per una selva oscura,
che’ la diritta via era smarrita.”

“When I had journeyed half of our life’s way,
I found myself within a shadowed forest,
for I had lost the path that does not stray.”

Dante Alighieri “The Divine Comedy”

After even a few steps in an expander graph you don’t know where
you are... This is good for crypto, since it provides very good mixing.
An example from the series of Ramanujan graphs


Examples of hash functions based on expander graphs

D.Charles, E.Goren, K.Lauter “Cryptographic hash functions from
expander graphs” (2007).
They proposed constructing provably collision-resistant
hash functions from expander graphs in which finding
cycles is hard. As examples, they investigated two
specific families of optimal expander graphs for provably
collision-resistant hash function constructions: the
families of Ramanujan graphs constructed by
Lubotzky-Phillips-Sarnak and Pizer respectively.
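
The walk construction and the role of cycles, as an added example that is not from the talk and is not the Charles-Goren-Lauter construction. The graph is a toy 3-regular graph on the integers mod P with edges x+1, x−1 and x^(-1), chosen here as an assumption because its cycles are easy to find, so the resulting collision is visible; P, START and all function names are hypothetical.

```python
P = 101      # assumed toy modulus: vertices are 0 .. P-1
START = 2    # assumed public starting vertex

MOVES = ("+", "-", "inv")
REVERSE = {"+": "-", "-": "+", "inv": "inv"}   # the move that undoes each move


def neighbour(x, move):
    """Follow one labelled edge of the toy graph."""
    if move == "+":
        return (x + 1) % P
    if move == "-":
        return (x - 1) % P
    return pow(x, P - 2, P)       # x^(-1) mod P, with 0 mapped to 0


def walk(bits, start=START):
    """Non-backtracking walk: each input bit picks one of the two edges
    that do not undo the previous step. Returns (end vertex, last move)."""
    x, last = start, "inv"        # convention: the first step chooses between + and -
    for bit in bits:
        allowed = [m for m in MOVES if m != REVERSE[last]]
        last = allowed[bit]
        x = neighbour(x, last)
    return x, last


def walk_hash(bits, start=START):
    """The digest is the ending vertex of the walk."""
    return walk(bits, start)[0]


def cycle_collision(prefix):
    """After a '+' step, bit 0 means '+' again, so P zero bits walk the
    length-P cycle x -> x+1 -> ... -> x and return to the same vertex.
    A known cycle in the graph is therefore a collision for the hash."""
    if walk(prefix)[1] != "+":
        raise ValueError("prefix must end on a '+' move")
    return prefix, prefix + [0] * P


if __name__ == "__main__":
    m1, m2 = cycle_collision([0])
    print(len(m1), len(m2), walk_hash(m1), walk_hash(m2))
```

This is why the construction above asks for expander graphs in which finding cycles is hard: in this toy graph the cycle is obvious, and so is the collision.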
Hash functions and random graphs


Let f be a random function defined on M = {0, 1, 2, . . . , N − 1},
namely f : M → M.
A random graph is an oriented graph associated to f:
Vertices: 0, 1, 2, . . . , N − 1;
Edges: x → f(x).
In cryptography we can meet a random graph as the state graph of
some stream generator or as the graph of a hash function.

Here is the Linear Feedback Shift Register (LFSR).


A problem for a cryptographer: How to find a preimage?
I.e. for a given y, to find some x such that f(x) = y?
A problem for a cryptographer: How to find a collision?
I.e. distinct numbers x, x′ such that f(x) = f(x′)?
There is an algorithm of Floyd: using two pointers (one runs at
normal speed, the other at double speed, until they collide).
When the path has n vertices and the tail is short, the algorithm of
Floyd requires about 3n steps. When the cycle is short, the fast
pointer can traverse it many times without noticing.
Using additional memory it is possible to overcome these difficulties.
A problem for a mathematician: To propose distinct (effective?)
algorithms for finding collisions in pseudorandom graphs.
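
Floyd's two-pointer algorithm on the graph x → f(x), as an added example that is not from the talk. The function f is a constructed stand-in for a random function (SHA-256 truncated to an assumed 16 bits), and the names floyd, collision_from and find_collision are hypothetical.

```python
import hashlib

N_BITS = 16                  # assumed toy size: M = {0, ..., 2^16 - 1}
N = 1 << N_BITS


def f(x):
    """Constructed stand-in for a random function f: M -> M."""
    digest = hashlib.sha256(x.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big") % N


def floyd(func, x0):
    """Return (mu, lam): tail length and cycle length of x0, f(x0), f(f(x0)), ..."""
    # Phase 1: one pointer at normal speed, one at double speed, until they collide.
    slow, fast = func(x0), func(func(x0))
    while slow != fast:
        slow, fast = func(slow), func(func(fast))
    # Phase 2: restart the slow pointer at x0; moving both one step at a time,
    # they meet exactly at the vertex where the tail enters the cycle.
    mu, slow = 0, x0
    while slow != fast:
        slow, fast = func(slow), func(fast)
        mu += 1
    # Phase 3: walk once around the cycle to measure its length.
    lam, fast = 1, func(slow)
    while fast != slow:
        fast = func(fast)
        lam += 1
    return mu, lam


def collision_from(func, x0):
    """Return distinct (x, x') with f(x) == f(x'), or None when x0 lies on the
    cycle (mu == 0), in which case the path has no tail and shows no collision."""
    mu, lam = floyd(func, x0)
    if mu == 0:
        return None
    a = x0
    for _ in range(mu - 1):      # a = last vertex of the tail
        a = func(a)
    b = a
    for _ in range(lam):         # b = last vertex of the cycle before the entry point
        b = func(b)
    return a, b


def find_collision(func, limit=64):
    """Try starting points 0, 1, ... until one has a tail."""
    for x0 in range(limit):
        pair = collision_from(func, x0)
        if pair is not None:
            return pair
    return None


if __name__ == "__main__":
    x, y = find_collision(f)
    print(x, y, f(x), f(y))
```

Only a constant number of values is stored; the collision comes from the two distinct predecessors of the cycle's entry vertex.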
Cycles of large period and linear recurrent sequences


Linear recurrent sequences (LRS) form the most famous base for
pseudo-random generators.
An LRS is produced by a linear feedback shift register (LFSR).
LFSRs and their generalizations are widely used as components in
stream ciphers (for instance, A5/1, Grain, they will be considered
later) and pseudo-random generators.
An LFSR can produce a sequence with a good minimal period from
a small initial state, and its generalizations allow one to sufficiently
increase the linear complexity of the output sequence.
Such sequences have good statistical properties.
Linear recurrent sequences


$u = (u_0, u_1, u_2, \ldots)$, $u_i \in \mathbb{Z}_2$, is an infinite binary sequence.
An infinite sequence $u$ is called linear recurrent (LRS) if for some
$a_0, \ldots, a_{n-1} \in \mathbb{Z}_2$ it holds that
$u_{i+n} = a_0 u_i \oplus \ldots \oplus a_{n-1} u_{i+n-1} \quad \forall i \in \mathbb{N}_0.$
The expression above is also called a linear recurrence relation of
order $n$. Note that a linear recurrent sequence can be produced by
linear recurrence relations of different orders.
The following polynomial is called a characteristic polynomial of the
sequence $u$: $c(\lambda) = \lambda^n \oplus a_{n-1}\lambda^{n-1} \oplus \ldots \oplus a_1\lambda \oplus a_0$.
• Minimal polynomial of an LRS is its characteristic polynomial of
the minimal degree. Denote it by $\mu_u(\lambda)$.
• Linear complexity of an LRS is the degree of its minimal
polynomial. Denote it by $\ell(u)$.
Note that the minimal polynomial of an LRS is unique.
A sequence $u$ is called
• ultimately periodic, if for some natural numbers $T$ and $s$ it
holds $u_{i+T} = u_i$, $i \in \mathbb{N}_0$, $i \ge s$.
• periodic, if $s = 0$.
The number $T$ is called a period. The minimal possible period is called
the minimal period and is denoted by $\mathrm{per}(u)$.
The minimal period of a sequence divides any of its periods.
It is known that any LRS $u$ is periodic and $\mathrm{per}(u) \le 2^{\ell(u)} - 1$,
where $\ell(u)$ is the linear complexity of $u$.
A problem for a cryptographer: How to construct an LRS such that
for any initial values $u_0, u_1, \ldots, u_{n-1}$ the sequence $u$ has high linear
complexity and period? Large cycles of the state graph?
The same for several more complicated generators?
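
The definitions above carried through on small registers, as an added example that is not from the talk: it generates an LRS from the coefficients a_0, ..., a_{n-1}, lists the cycle lengths of the state graph, and computes the linear complexity with the Berlekamp-Massey algorithm (a standard algorithm the slides do not name). The three coefficient tuples and all function names are choices made here.

```python
from itertools import product

PRIMITIVE = (1, 1, 0, 0)   # c = x^4 + x + 1 (primitive):        u_{i+4} = u_i ^ u_{i+1}
NONPRIM = (1, 1, 1, 1)     # c = x^4 + x^3 + x^2 + x + 1 (irreducible, not primitive)
REDUCIBLE = (1, 0, 0, 0)   # c = x^4 + 1 = (x + 1)^4:             u_{i+4} = u_i


def step(a, state):
    """(u_i, ..., u_{i+n-1}) -> (u_{i+1}, ..., u_{i+n}) by the recurrence."""
    new = 0
    for coef, bit in zip(a, state):
        new ^= coef & bit
    return state[1:] + (new,)


def lrs(a, init, length):
    """First `length` terms of the sequence with initial values `init`."""
    state, out = tuple(init), []
    for _ in range(length):
        out.append(state[0])
        state = step(a, state)
    return out


def min_period(a, init):
    """Length of the cycle of the state graph reached from `init`."""
    seen, state, i = {}, tuple(init), 0
    while state not in seen:
        seen[state] = i
        state = step(a, state)
        i += 1
    return i - seen[state]


def cycle_lengths(a):
    """Sorted cycle lengths of the state graph; with a_0 = 1 the step map is
    a bijection, so the graph consists of cycles only (no tails)."""
    if a[0] != 1:
        raise ValueError("a_0 must be 1 for a tail-free state graph")
    seen, lengths = set(), []
    for s in product((0, 1), repeat=len(a)):
        length = 0
        while s not in seen:
            seen.add(s)
            s = step(a, s)
            length += 1
        if length:
            lengths.append(length)
    return sorted(lengths)


def berlekamp_massey(s):
    """Linear complexity of the bit list s over Z_2."""
    n = len(s)
    c, b = [1] + [0] * (n - 1), [1] + [0] * (n - 1)
    L, m = 0, -1
    for i in range(n):
        d = s[i]                              # discrepancy with the current recurrence
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d:
            t, shift = c[:], i - m
            for j in range(n - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L


def summary(a, init):
    """(minimal period, linear complexity) of the sequence started at `init`."""
    return min_period(a, init), berlekamp_massey(lrs(a, init, 4 * len(a)))


if __name__ == "__main__":
    for name, a in (("primitive", PRIMITIVE), ("non-primitive", NONPRIM),
                    ("reducible", REDUCIBLE)):
        print(name, cycle_lengths(a), summary(a, (1, 0, 0, 0)))
```

Only the primitive polynomial gives one long cycle through all nonzero states; with x^4 + 1 the initial values (1, 1, 1, 1) give linear complexity 1, which is the dependence on initial values the question above asks about.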
[Figure: Combining model. LFSR1, LFSR2, ..., LFSRn produce x1, x2, ..., xn, which enter a function h whose output is the gamma.]

[Figure: Filtering model. Values x1, x2, ..., xn are taken from a single LFSR and produce the gamma.]

A problem for a mathematician:
How to construct a function f : M → M, M = {0, 1, 2, . . . , N − 1},
under several conditions, such that its associated graph has large
cycles with short tails?
Cryptographic Boolean functions and graphs


Nonlinearity

Nonlinearity of a Boolean function $f$ in $n$ variables is the value $N_f$
that is equal to the Hamming distance between the function $f$ and the
set $A_n$ of all affine functions in $n$ variables, i.e. $N_f = \mathrm{dist}(f, A_n)$.
For an arbitrary Boolean function $f$ in $n$ variables there is an upper
bound for nonlinearity: $N_f \le 2^{n-1} - 2^{(n/2)-1}$.
A Boolean function is called maximal nonlinear if its nonlinearity
achieves the maximum possible value. When $n$ is even this value
equals $2^{n-1} - 2^{(n/2)-1}$ and such a function is called bent.

Bent functions, if used for constructing S-boxes in block ciphers,
make them extremely resistant to linear cryptanalysis. Examples:
DES, CAST, AES...
Bent functions

There is an approach to classification of bent functions proposed by
A. Bernasconi, B. Codenotti, J. M. VanderKam (1999).
Let $f$ be a Boolean function in $n$ variables. Denote by $\mathrm{supp}(f)$ its
support, i.e. the set of all binary vectors of length $n$ on which
the function $f$ takes the value 1. Consider the Cayley graph
$G_f = G(\mathbb{Z}_2^n, \mathrm{supp}(f))$ of a Boolean function $f$. All vectors of length
$n$ are vertices of the graph. There is an edge between two vertices
$x$ and $y$ if the vector $x \oplus y$ belongs to $\mathrm{supp}(f)$.
A regular graph $G$ is called strongly regular if there exist
nonnegative integers $\lambda$, $\mu$ such that for any vertices $x$, $y$ the
number of vertices adjacent to both $x$ and $y$ is equal to $\lambda$ or $\mu$,
depending on the presence or absence of an edge between $x$ and $y$.
Theorem. A Boolean function $f$ is bent if and only if the Cayley
graph $G_f$ is strongly regular and $\lambda = \mu$.
Namely, the Cayley graph $G_f$ of a bent function $f$ in $n$ variables is
strongly regular with $(2^n,\ 2^{n-1} \pm 2^{\frac{n}{2}-1},\ \lambda = \mu = 2^{n-2} \pm 2^{\frac{n}{2}-1})$.
A problem for a mathematician: Propose new constructions of
strongly regular graphs on $2^n$ vertices with $\lambda = \mu$.
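
The nonlinearity definition and the Cayley-graph theorem checked on n = 4, as an added example that is not from the talk. It uses f = x1x2 ⊕ x3x4 as the bent function and x1x2 as a non-bent contrast (both chosen here, both with f(0) = 0 so the graph has no loops); nonlinearity is computed with the Walsh-Hadamard transform, a standard method the slides do not name, and all function names are hypothetical.

```python
def truth_table(f, n):
    """Values of f on all 2^n vectors; bit i-1 of the integer x encodes x_i."""
    return [f(x) & 1 for x in range(1 << n)]


def nonlinearity(tt, n):
    """N_f = 2^(n-1) - max_a |W_f(a)| / 2, with W_f from the fast Walsh-Hadamard
    transform of (-1)^f(x); this equals the distance to the affine functions."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return (1 << (n - 1)) - max(abs(v) for v in w) // 2


def cayley_parameters(tt, n):
    """Build G_f (x ~ y iff f(x xor y) = 1) and return
    (number of vertices, set of degrees, set of common-neighbour counts over
    adjacent pairs, set of common-neighbour counts over non-adjacent pairs)."""
    v = 1 << n
    adj = [{y for y in range(v) if tt[x ^ y]} for x in range(v)]
    degrees = {len(a) for a in adj}
    lambdas, mus = set(), set()
    for x in range(v):
        for y in range(x + 1, v):
            common = len(adj[x] & adj[y])
            (lambdas if y in adj[x] else mus).add(common)
    return v, degrees, lambdas, mus


def bent_by_graph(tt, n):
    """The criterion of the theorem: G_f strongly regular with lambda = mu."""
    _, degrees, lambdas, mus = cayley_parameters(tt, n)
    return len(degrees) == 1 and len(lambdas) == 1 and lambdas == mus


def bit(x, i):
    return (x >> (i - 1)) & 1


BENT = truth_table(lambda x: (bit(x, 1) & bit(x, 2)) ^ (bit(x, 3) & bit(x, 4)), 4)
NOT_BENT = truth_table(lambda x: bit(x, 1) & bit(x, 2), 4)

if __name__ == "__main__":
    for name, tt in (("x1x2 + x3x4", BENT), ("x1x2", NOT_BENT)):
        print(name, nonlinearity(tt, 4), cayley_parameters(tt, 4), bent_by_graph(tt, 4))
```

For the bent function the graph has parameters (16, 6, λ = μ = 2), matching the formula with n = 4 and the minus sign, and the nonlinearity 6 meets the bound 2^3 − 2^1.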
Graph of minimal distances of bent functions


Let $GB_n$ be the graph with the bent functions in $n$ variables as vertices
and with edges between functions that are at the minimal possible
distance $2^{n/2}$ from each other.
Nikolay Kolomeec studies such a graph in his PhD. He proved that
• The degree of a vertex of $GB_n$ is not more than $2^{n/2} \prod_{i=1}^{n/2} (2^i + 1)$.
• Since for every even $n \ge 14$ non weakly normal bent functions
have been found (A.Canteaut, et al. 2006), the graph $GB_n$ is not
connected if $n \ge 14$. It is proven (N.Kolomeec, 2014) that $GB_n$ is
connected for $n = 2, 4, 6$.
A concrete problem for a mathematician: Is the graph $GB_n$
connected / disconnected if $8 \le n \le 12$?
A problem for a mathematician: Let $GB_n'$ be the graph obtained
from $GB_n$ after elimination of all pendant vertices (corresponding to non
weakly normal bent functions). Is $GB_n'$ connected for all even $n \ge 2$?
Graph classification of bent functions

In 2012 E.P.Korsakova obtained the graph classification of bent
functions in 6 variables.
Graph of a quadratic function:
Vertices: variables $x_i$;
Edges: pairs $(i, j)$ when $x_i x_j$ can be found in the ANF of $f$.
Quadratic Boolean functions are graph equivalent if their graphs
are isomorphic.
Bent functions in 4 variables (O.Rothaus, 1976):

№   Type
1   1111
2   2211
3   3221
4   3333

[Graph column: one drawing of a graph on 4 vertices per row.]

E.P.Korsakova (2013) has proved that there are 44 graph
nonequivalent quadratic bent functions in 6 variables (and 37
types).
№    Type     Vector(s)
1    111111   100000000100001
2    221111   100001000100001
3    222211   100001000100101
4    322111   110001000100001, 100001001100001
5    322221   100001001100101, 110001000100101
6    332211   101011000100100, 100001000110101
7    332222   100011001110100, 101011000100101
8    333111   100001010110001
9    333221   100001001100111
10   333311   110011100100100, 111001100100001
11   333322   110011100100101, 110011010100101
12   422211   100001101100001
13   432221   100001101100101, 100001100100111
14   433211   100001101100011
15   433222   111011000100101
16   433321   111011100100001
17   433332   110011000110111
18   443221   100001101100111
19   443311   111011100100100
20   443322   110011010110101
21   443331   100001100111111
22   443333   111011001110101
23   444332   011101001110111
24   444431   100001101111111
25   444433   111011101110101
26   522221   100001111100001
27   533221   100001111100101
28   533322   110001000111111
29   533333   110101001111110
30   543321   100001111111100
31   544322   110111000111101
32   544432   111101000111111
33   544441   100001111111111
34   553333   111001100111111
35   554433   111001111111011
36   555443   111101111111110
37   555555   111111111111111

[Graph column: one drawing of a graph on 6 vertices per vector.]


Based on this classification E.P.Korsakova has obtained several
ideas for iterative constructions of bent functions.

[Figures: iterative constructions shown as graph diagrams, each of the form graph = graph + graph.]

Thank you!
