Cryptography on weak BSS model of computation Ilir Çapuni ilir@cs.bu.edu
Tripling an angle with ruler and compass (figure: an angle X and its triple 3X). If x is an angle, then we define f(x) := 3x
Can we invert this function using the same tools? • Algebra: “NO” • Important assumption: we are working with straightedge and compass with infinite precision
Identification using this function • Initialization phase: Alice generates a secret angle X_A, computes Y_A = 3 * X_A and publishes Y_A • Protocol: Alice generates an angle S and sends a copy of its triple R = 3S to Bob • Bob tosses a coin and sends the result to Alice • If Bob said “head”, Alice sends a copy of S and Bob verifies that 3S = R • If Bob said “tail”, Alice sends a copy of S + X_A and Bob checks that Y_A + R = 3 * (S + X_A)
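The identification protocol above as an added simulation (not code from the talk). Angles are exact rationals in degrees reduced mod 360 so that Bob's two equalities are checked exactly; the ruler-and-compass restriction that makes recovering X_A from Y_A infeasible is not modelled, only the message flow and the reason Bob's coin toss has to be repeated: a party who knows only Y_A can prepare R so that it satisfies one of the two checks, never both.

```python
from fractions import Fraction
import random

# Angles are exact rationals in degrees, reduced mod 360, so Bob's equalities
# are exact. The compass-only restriction (no dividing an angle by 3) is not modelled.
def norm(a):
    """Reduce an angle to [0, 360)."""
    return Fraction(a) % 360

def random_angle(rng=random):
    """Sample an angle with three decimal digits (stands in for a random real)."""
    return Fraction(rng.randint(0, 359999), 1000)

class Alice:
    """Prover: secret X_A, public Y_A = 3 * X_A."""
    def __init__(self, x_a):
        self.x_a = norm(x_a)
        self.y_a = norm(3 * self.x_a)
    def commit(self, rng=random):
        self.s = random_angle(rng)   # fresh S each round
        return norm(3 * self.s)      # R = 3S
    def respond(self, coin):
        return self.s if coin == "head" else norm(self.s + self.x_a)

def verify(y_a, r, coin, answer):
    """Bob's check: head -> 3S == R, tail -> Y_A + R == 3(S + X_A)."""
    if coin == "head":
        return norm(3 * answer) == r
    return norm(y_a + r) == norm(3 * answer)

def honest_round(alice, coin, rng=random):
    r = alice.commit(rng)
    return verify(alice.y_a, r, coin, alice.respond(coin))

def impersonator_round(y_a, guess, coin, rng=random):
    """Knowing only Y_A, one must guess the coin before choosing R:
    each choice of R satisfies at most one of the two checks."""
    t = random_angle(rng)
    r = norm(3 * t) if guess == "head" else norm(3 * t - y_a)
    return verify(y_a, r, coin, t)   # t is offered as S (head) or as S + X_A (tail)

def impersonator_survival(y_a, rounds, rng=random):
    """Fraction of rounds a guessing impersonator passes; tends to 1/2, so
    passing n independent rounds has probability 2**-n."""
    coins = ["head", "tail"]
    ok = sum(impersonator_round(y_a, rng.choice(coins), rng.choice(coins), rng)
             for _ in range(rounds))
    return Fraction(ok, rounds)
```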
The structure • Introduction of BSS model of computation • Algebra recap • Auxiliary results • Cryptography with ruler and compass
The BSS machine (diagram). Input space → (linear map I) → state space; the program is a finite directed graph over the state space with input node 1, computation nodes (each applying a polynomial or rational function), shifting nodes, branch nodes (branch on x_l = 0, otherwise take the other edge) and output node N; state space → (linear map O) → output space
What if R = Z2? (Same diagram: input space, linear map I, state space, program graph with input node 1, computation nodes, shifting nodes, branch nodes on x_l = 0, output node N, linear map O, output space.) … we have a Turing machine!
Some facts • The BSS model provides a framework for the algorithms of Numerical Analysis • It gives a new perspective and adds an additional (algebraic) flavor to the P vs NP question • In the weak BSS model, there is an unconditional separation between these two classes
Discrepancies of this model • Overly realistic • Cheating • … and a couple of other problems
A 735,661.59 euros (59.6 million Serbian dinars) worth problem + 2 more: solve 1, get 2 for free!!! • Is P = NP? • Is P_R = NP_R? • Is P_C = NP_C? • Transfer results • Theorem. P_C = NP_C if and only if P_K = NP_K, where K is any algebraically closed field of characteristic 0 (say the algebraic numbers) • Theorem. If P_C = NP_C then BPP contains NP
Talk progress • Introduction of BSS model of computation • Algebra recap • Auxiliary results • Cryptography with ruler and compass
Algebraic preliminaries • An element t is algebraic over the field F if it is a root of a polynomial in F[X] • F(t) is the intersection of all fields containing F and t • F(t)/F can be viewed as a vector space over F • The dimension of this vector space is the degree of the extension
Some previous work • All parties start with 0 and 1 and can perform finitely many operations +, -, * and / • Parties can sample real numbers from [0,1] • State of knowledge of each party is the field that he/she can generate
Talk progress • Introduction of BSS model of computation • Algebra recap • Definitions and auxiliary results • Cryptography with ruler and compass
Algebraic one-way functions • Easy to compute, but hard to invert • Alice samples a real number r and computes r^2 • It is impossible to deduce r from r^2 with infinite precision in finitely many steps: P[ Q(t_1, t_2, …, t_n, r^2) Q(r) = Q ] = 1
PK Encryption • Alice samples a real number SK, then computes PK, which lies in Q(SK) • m is a real number that Bob wants to send to Alice and c is its encryption using PK • We have
Who knows what? • Alice: Q(PK), Q(SK), Q(SK, c) • Bob: Q(PK), Q(PK, c), Q(PK, m) • An eavesdropper who sees only c and PK: Q(PK), Q(PK, c)
Results • PKE is not possible since Q(PK,m)=Q(PK,c) • Secure signature schemes are impossible • Secret key exchange is impossible
Talk progress • Introduction of BSS model of computation • Algebra recap • Auxiliary results • Cryptography with ruler and compass
Constructability • OA is a unit segment in complex plane O(0,0), A(0,1) • Point M(x,y) is constructible if it can be constructed in finitely many steps using ruler and compass from OA
Axioms of constructability • Points O and A are constructible • If B and C are constructible, then the segment BC and the line defined by them are constructible • A circle with constructible center and radius is constructible • The intersection of 2 constructible rays is a constructible point • The intersections of 2 constructible circles are constructible points • The intersections of a constructible circle and a constructible ray are constructible points
Algebraic facts • The set of all constructible points in C is called the Pythagorean plane • If M(x,y) is constructible, then x and y are constructible real numbers • The set of all constructible real numbers is a subfield of the field of real numbers
Computing vs constructing • Let K = Q(S), where S is the set of coordinates of the points of a given set that contains at least O and A • Every line has an equation of the form • Every circle has an equation
Facts • Theorem: If M(x,y) is constructible in one step, then K(x,y) is equal to K or to a quadratic extension of K • Theorem: a) For every constructible point M(x,y) there exists a finite sequence of subfields K_i, i = 0, 1, …, m, each a quadratic extension of the previous one, such that K_0 = K, K_m is a subset of R and x, y are elements of K_m b) x and y are algebraic over K and their degrees over K are powers of 2 c) Every point with coordinates in K or in any of its quadratic extensions is constructible
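A worked check of the “Algebra: NO” answer using theorem (b) and (c), added here and not part of the slides. It assumes K = Q, i.e. cos(3t) is rational: cos(t) is then a root of 4c^3 - 3c - cos(3t) (triple-angle formula), and the rational root test decides whether that cubic splits, which by the theorem decides whether the angle 3t can be trisected.

```python
from fractions import Fraction
from math import gcd

def eval_poly(coeffs, x):
    """Horner evaluation; coeffs are listed highest degree first."""
    v = Fraction(0)
    for c in coeffs:
        v = v * x + c
    return v

def rational_roots(coeffs):
    """Rational root test for a polynomial with rational coefficients."""
    coeffs = [Fraction(c) for c in coeffs]
    m = 1
    for c in coeffs:                       # clear denominators
        m = m * c.denominator // gcd(m, c.denominator)
    ints = [int(c * m) for c in coeffs]
    roots = set()
    while ints and ints[-1] == 0:          # x = 0 is a root of x * g(x)
        ints.pop()
        roots.add(Fraction(0))
    if len(ints) < 2:
        return roots
    lead, const = abs(ints[0]), abs(ints[-1])
    divs = lambda n: [d for d in range(1, n + 1) if n % d == 0]
    for p in divs(const):
        for q in divs(lead):
            for cand in (Fraction(p, q), Fraction(-p, q)):
                if eval_poly(ints, cand) == 0:
                    roots.add(cand)
    return roots

def trisection_constructible(cos_3t):
    """Can an angle 3t with rational cos(3t) be trisected with ruler and compass?
    cos(t) is a root of 4c^3 - 3c - cos(3t). If the cubic has a rational root it
    splits into a linear and a quadratic factor, so every root has degree <= 2
    over Q and is constructible (theorem c). Otherwise the cubic is irreducible,
    every root has degree 3, not a power of 2, and none is constructible (theorem b).
    The three roots are cos(t), cos(t + 120), cos(t + 240), and since 120 degrees is
    constructible, either all or none of them are, so one boolean suffices."""
    k = Fraction(cos_3t)
    return bool(rational_roots([4, 0, -3, -k]))
```

With cos(3t) = 1/2 (a 60 degree angle, i.e. recovering x = 20 degrees from f(x) = 60 degrees) the cubic 8c^3 - 6c - 1 has no rational root, so f cannot be inverted with these tools; with cos(3t) = 0 (90 degrees) the root c = 0 appears and 30 degrees is constructible.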
Computational model • We use BSS model over the field of complex numbers • Each party can sample random points from unit circle • Each party can also toss a coin • The state of knowledge of each party is the field he/she can generate
Is our computational system complete? (Diagram: the BSS machine over C, with input space, state space, input node 1, a computation node producing -10, a computation node producing Sqrt(-10), a branch node testing whether -10 = 0 (x_l = 0, otherwise), output node N and output space.)
PK Encryption • Euclid, before publishing his Elements, sampled a point SK = (SK_x, SK_y), then computed PK = (PK_x, PK_y) and published it on page 655 of book XIV • Archimedes wants to send him a secret point M(x,y). Using Euclid’s PK he computes the ciphertext C(x_c, y_c). • Archimedes sends this point to Euclid
But… • Using the previous results over the field K, we will have • Malicious Romans who have copied C enumerate all candidate points X and, running the encryption machine with PK and X, obtain some C_X. • If C = C_X then M = X
So • We have given a partial answer to Rivest, Shamir and Burmester’s question of whether secure encryption can be performed with ruler and compass • In the weak algebraic model, where operations are done with ruler and compass with infinite precision, “algebraic OWFs” exist and ZK identification protocols exist… but secure PK encryption is impossible