Preimages for Zémor's Cayley hash function
Eilidh McKemmie, Amol Srivastava
TL;DR
The paper shows that, assuming large integers can be factored efficiently, Zémor's Cayley hash in $SL_2(p)$ admits a preimage attack (post-quantum in the sense that the only hard step, integer factoring, is exactly what a quantum computer removes). It extends Tillich–Zémor's collision method by lifting target matrices to integer matrices via a Diophantine construction and then using the Euclidean algorithm to obtain short $A,B$-words, achieving word length $O((\log p)^2)$. The approach reduces the preimage problem to LU-type decompositions and factoring of the diagonal factor, with detailed algorithms for the unitriangular and diagonal cases and a practical GAP4 implementation. Experimental results support the polylogarithmic-length claim, highlighting a potential security weakness for Cayley hash functions based on $SL_2(p)$ under the stated assumption.
Abstract
In 1991, Zémor proposed a hash function which provides data security using the difficulty of writing a given matrix as a product of generator matrices. Tillich and Zémor subsequently provided an algorithm finding short collisions for this hash function. We extend this collision attack to a stronger preimage attack, under the assumption that we can factor large integers efficiently. The Euclidean algorithm will factor a $2\times 2$ matrix with non-negative integer entries and determinant $1$. This factorization is short if the matrix entries are all roughly the same size. Therefore, to factor a matrix we need only find an integer matrix with the listed properties which is congruent to the target matrix modulo $p$; finding such an integer matrix is equivalent to solving a Diophantine equation. We give an algorithm to solve this equation.
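The Euclidean step the abstract refers to, as an added illustration that is not code from the paper or its GAP4 implementation: given a $2\times 2$ integer matrix with non-negative entries and determinant $1$, repeatedly subtract one row from the other (in bulk, like Euclid's quotient step) until the identity is reached; each bulk step peels off a power of one generator, so the recorded exponents are an $A,B$-word for the matrix. The generators $A=\begin{pmatrix}1&1\\0&1\end{pmatrix}$, $B=\begin{pmatrix}1&0\\1&1\end{pmatrix}$ and the bit convention `0 -> A`, `1 -> B` are the standard Zémor choices and are assumed here; the paper may order the bits differently. The example also shows the two facts the abstract relies on: the word length is about the size of the entries (short when the entries are balanced, as long as the entries themselves for a matrix like $\begin{pmatrix}1&b\\0&1\end{pmatrix}$), and hashing the recovered word modulo $p$ reproduces any target congruent to the lifted matrix.

```python
from typing import List, Optional, Tuple

Matrix = Tuple[Tuple[int, int], Tuple[int, int]]
Word = List[Tuple[str, int]]  # run-length encoded, e.g. [('A', 2), ('B', 1)]

# Zémor's generators (assumption: the paper uses this standard pair).
A: Matrix = ((1, 1), (0, 1))
B: Matrix = ((1, 0), (1, 1))
IDENTITY: Matrix = ((1, 0), (0, 1))


def mul(x: Matrix, y: Matrix, p: Optional[int] = None) -> Matrix:
    """2x2 matrix product, reduced modulo p when p is given."""
    (a, b), (c, d) = x
    (e, f), (g, h) = y
    m = ((a * e + b * g, a * f + b * h), (c * e + d * g, c * f + d * h))
    if p is None:
        return m
    return tuple(tuple(v % p for v in row) for row in m)  # type: ignore[return-value]


def det(m: Matrix) -> int:
    (a, b), (c, d) = m
    return a * d - b * c


def zemor_hash(bits: str, p: Optional[int]) -> Matrix:
    """Zémor's hash: multiply A for each '0' and B for each '1', modulo p.
    With p=None this returns the exact integer product (the 'lifted' matrix)."""
    h = IDENTITY
    for bit in bits:
        h = mul(h, A if bit == "0" else B, p)
    return h


def euclid_factor(m: Matrix) -> Word:
    """Write a non-negative integer matrix of determinant 1 as an A,B-word
    (left to right: m == A^k1 * B^k2 * ...), by the Euclidean algorithm on rows.
    Exactly one generator can be peeled at each step, so the word is unique."""
    (a, b), (c, d) = m
    if det(m) != 1 or min(a, b, c, d) < 0:
        raise ValueError("need non-negative entries and determinant 1")
    word: Word = []
    while (a, b, c, d) != IDENTITY[0] + IDENTITY[1]:
        if a >= c and b >= d:
            # First row dominates: m = A^k * m' with m' = [[a-kc, b-kd], [c, d]].
            # k is the largest exponent keeping m' non-negative; d >= 1 whenever
            # det = 1 and entries are non-negative, and c == 0 forces a == d == 1.
            k = b // d if c == 0 else min(a // c, b // d)
            a, b = a - k * c, b - k * d
            word.append(("A", k))
        else:
            # Second row dominates (the only other possibility for det 1, m != I).
            assert c >= a and d >= b
            k = c // a if b == 0 else min(c // a, d // b)
            c, d = c - k * a, d - k * b
            word.append(("B", k))
    return word


def word_to_bits(word: Word) -> str:
    return "".join(("0" if g == "A" else "1") * k for g, k in word)


def word_length(word: Word) -> int:
    return sum(k for _, k in word)


if __name__ == "__main__":
    lifted = zemor_hash("00101110", None)  # constructed sample message
    print("lift:", lifted, "det", det(lifted))  # ((18, 23), (7, 9)) det 1
    w = euclid_factor(lifted)
    print("word:", w, "length", word_length(w))  # balanced entries -> 8 letters
    p = 5  # toy modulus (constructed; the paper uses large primes)
    target = tuple(tuple(v % p for v in row) for row in lifted)
    print("hash of recovered word mod p:", zemor_hash(word_to_bits(w), p), "==", target)
    # Unbalanced entries give a word as long as the entries themselves:
    print("unbalanced length:", word_length(euclid_factor(((1, 10**6), (0, 1)))))
```

The `else` branch is reached only when the second row dominates componentwise; for a non-negative matrix of determinant $1$ other than the identity no third case exists (rows that cross, one entry larger and the other smaller, would force the determinant below $1$ or above $1$), which is why the factorization is forced and unique. The run-length encoding is what keeps the unbalanced case cheap to compute even though the word it describes has a million letters; the preimage question in the paper is precisely how to choose the lift so that this length stays polylogarithmic in $p$.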
