Preimages for Zémor's Cayley hash function
Eilidh McKemmie, Amol Srivastava

TL;DR
This paper extends collision attacks on Zémor's Cayley hash function to preimage attacks by leveraging integer factorization and Diophantine equations, assuming efficient large integer factorization.
Contribution
It introduces a novel preimage attack method on Zémor's hash function using matrix factorization and Diophantine equations, expanding the scope of cryptanalysis for this hash.
Findings
Extended collision attack to preimage attack
Developed an algorithm to solve related Diophantine equations
Assumed efficient large integer factorization for the attack
Abstract
In 1991, Zémor proposed a hash function which provides data security using the difficulty of writing a given matrix as a product of generator matrices. Tillich and Zémor subsequently provided an algorithm finding short collisions for this hash function. We extend this collision attack to a stronger preimage attack, under the assumption that we can factor large integers efficiently. The Euclidean algorithm will factor a matrix with non-negative integer entries and determinant . This factorization is short if the matrix entries are all roughly the same size. Therefore, to factor a matrix we need only find an integer matrix with the listed properties which is congruent to the target matrix modulo ; finding such an integer matrix is equivalent to solving a Diophantine equation. We give an algorithm to solve this equation.
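The Euclidean factoring step from the abstract, as an added Python example that is not code from the paper. It assumes the usual description of Zémor's hash, none of which is spelled out on this page: generators A = (1 1; 0 1) and B = (1 0; 1 1), determinant 1 and a prime modulus p. The hypothetical `small_lift` is a brute-force search over a toy modulus that stands in for the paper's Diophantine solver.

```python
# Added example. Generators are assumed (this page does not list them):
# the usual pair for Zémor's hash, A for bit 0 and B for bit 1.
A = ((1, 1), (0, 1))
B = ((1, 0), (1, 1))
I2 = ((1, 0), (0, 1))

def mul(X, Y, p=None):
    """2x2 matrix product over the integers, reduced mod p when p is given."""
    Z = [[sum(X[i][k] * Y[k][j] for k in range(2)) for j in range(2)] for i in range(2)]
    return tuple(tuple(v % p if p else v for v in row) for row in Z)

def zemor_hash(bits, p=None):
    """Multiply the generators selected by the bits, left to right."""
    H = I2
    for bit in bits:
        H = mul(H, B if bit else A, p)
    return H

def euclid_factor(M):
    """Subtractive Euclid on columns: bits whose integer product is M."""
    (a, b), (c, d) = M
    if min(a, b, c, d) < 0 or a * d - b * c != 1:
        raise ValueError("need non-negative entries and determinant 1")
    bits = []
    while ((a, b), (c, d)) != I2:
        if b >= a and d >= c:   # last factor was A: undo column2 += column1
            b, d = b - a, d - c
            bits.append(0)
        else:                   # last factor was B: undo column1 += column2
            a, c = a - b, c - d
            bits.append(1)
    return bits[::-1]           # factors were peeled off from the right

def small_lift(T, p, bound):
    """Brute-force stand-in for the paper's Diophantine solver (toy p only)."""
    (t00, t01), (t10, t11) = T
    for a in range(t00, bound, p):
        for b in range(t01, bound, p):
            for c in range(t10, bound, p):
                if a and (1 + b * c) % a == 0 and ((1 + b * c) // a) % p == t11:
                    return ((a, b), (c, (1 + b * c) // a))
    return None

if __name__ == "__main__":
    p, msg = 7, [1, 0, 1, 1, 0, 0, 1, 0]      # constructed toy inputs
    target = zemor_hash(msg, p)
    lift = small_lift(target, p, bound=40)
    preimage = euclid_factor(lift)
    print(target, lift, preimage, zemor_hash(preimage, p) == target)
```

The bit string recovered from the lift hashes to the same value as the constructed message, which is why the hard part of the attack is finding a lift with small, balanced entries rather than factoring it.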
Taxonomy
Topics: Cryptographic Implementations and Security · Polynomial and algebraic computation · Coding theory and cryptography
