Cryptography on weak BSS model of computation

Ilir Çapuni, ilir@cs.bu.edu

Tripling an angle with ruler and compass

[Figure: an angle X and its triple 3X]

If x is an angle, then we define f(x) := 3x

Can we invert this function using the same tools?
  • Algebra: “NO”
  • Important assumption: we are working with straightedge and compass with infinite precision
Identification using this function
  • Initialization phase
    • Alice generates a secret angle XA, computes YA = 3 * XA and publishes YA
  • Protocol
    • Alice generates an angle S and sends a copy of its triple R to Bob
    • Bob tosses a coin and sends the result to Alice
    • If Bob said “head”, Alice sends a copy of S and Bob verifies that 3S = R
    • If Bob said “tail”, Alice sends a copy of S + XA and Bob checks that YA + R == 3*(S + XA)
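
The message flow of this identification protocol, as an added example that is not part of the original slides. It assumes angles are modelled as exact rational fractions of a full turn, which captures only the checks Bob performs; in this arithmetic model tripling is easy to undo, so the hardness of inverting f comes solely from the ruler-and-compass restriction. The function names and the cheating prover are illustrative.

```python
import random
from fractions import Fraction

def norm(a):
    """Reduce an angle, measured in full turns, to [0, 1)."""
    return a % 1

def triple(a):
    """f(x) = 3x on angles, the easy direction."""
    return norm(3 * a)

def random_angle(rng):
    # Constructed stand-in for "generate an angle": an exact rational number of turns.
    return Fraction(rng.randrange(1, 10**9), 10**9)

def bob_verify(ya, r, coin, answer):
    """Bob's check: 3S = R on "head", YA + R = 3(S + XA) on "tail"."""
    if coin == "head":
        return triple(answer) == r
    return norm(ya + r) == triple(answer)

def honest_round(xa, ya, rng):
    s = random_angle(rng)
    r = triple(s)                       # commitment sent before the coin toss
    coin = rng.choice(["head", "tail"])
    answer = s if coin == "head" else norm(s + xa)
    return bob_verify(ya, r, coin, answer)

def cheating_round(ya, rng):
    """A prover without XA guesses the coin and prepares R to fit that guess only."""
    guess = rng.choice(["head", "tail"])
    t = random_angle(rng)
    r = triple(t) if guess == "head" else norm(triple(t) - ya)
    coin = rng.choice(["head", "tail"])
    return bob_verify(ya, r, coin, t)   # passes only when guess == coin

def run(rounds, seed=1):
    """Return (accepted honest rounds, accepted cheating rounds)."""
    rng = random.Random(seed)
    xa = random_angle(rng)
    ya = triple(xa)
    honest = sum(honest_round(xa, ya, rng) for _ in range(rounds))
    cheat = sum(cheating_round(ya, rng) for _ in range(rounds))
    return honest, cheat
```

The honest prover is accepted in every round, while the prover without XA survives a round only when the coin guess is right, so repeating the round k times leaves a cheating probability of 2^-k.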
The structure
  • Introduction of BSS model of computation
  • Algebra recap
  • Auxiliary results
  • Cryptography with ruler and compass
[Figure: BSS machine. Input space, linear map I, state space. The program is a finite directed graph with an input node 1, computation nodes (polynomial or rational function), shifting nodes, branch nodes (xl = 0 / otherwise) and an output node N. Linear map O, output space.]

What if R = Z2?

[Figure: the same BSS machine diagram: input space, linear map I, state space, input node 1, computation node, shifting node, branch node (xl = 0 / otherwise), output node N, linear map O, output space.]

… we have a Turing machine!

Some facts
  • BSS model provides a framework for algorithms of Numerical Analysis
  • Gives a new perspective and adds an additional (algebraic) flavor to the P vs NP question
    • In the weak BSS model, there is unconditional separation between these two classes
discrepancies of this model
Discrepancies of this model
  • Overly realistic
  • Cheating
  • … and a couple of other problems
735,661.59 euros worth problem + 2 more
59.6 million Serbian dinars

Solve 1, get 2

for free!!!

  • Is P = NP ?
  • Is P_R = NP_R ?
  • Is P_C = NP_C ?
  • Transfer results
    • Theorem. P_C = NP_C if and only if P_K = NP_K where K is any algebraically closed field of characteristic 0 (say algebraic numbers)
    • Theorem. If P_C = NP_C then BPP contains NP
Talk progress
  • Introduction of BSS model of computation
  • Algebra recap
  • Auxiliary results
  • Cryptography with ruler and compass
Algebraic preliminaries
  • An element t is algebraic over the field F if it is a root of a polynomial in F[X]
  • F(t) is the intersection of all fields containing F and t
  • F(t)/F can be viewed as a vector space over F
  • The dimension of this vector space is the degree of the extension
Some previous work
  • All parties start with 0 and 1 and can perform finitely many operations +, -, * and /
  • Parties can sample real numbers from [0,1]
  • State of knowledge of each party is the field that he/she can generate
Talk progress
  • Introduction of BSS model of computation
  • Algebra recap
  • Definitions and auxiliary results
  • Cryptography with ruler and compass
Algebraic one-way functions
  • Easy to compute, but hard to invert
  • Alice samples a real number r and computes r^2
  • It is impossible to deduce r from r^2 with infinite precision in finitely many steps

P [ Q (t1, t2, …, tn, r2)  Q( r ) = Q] =1

PK Encryption
  • Alice samples a real number SK, then she computes PK, which is in Q(SK)
  • m is a real number that Bob wants to send to Alice and c is its encryption using PK
  • We have
Who knows what?

Q(PK), Q(SK), Q(SK,c)

Q(PK), Q(PK,c), Q(PK,m)

c, PK

Q(PK), Q(PK,c)

Results
  • PKE is not possible since Q(PK,m)=Q(PK,c)
  • Secure signature schemes are impossible
  • Secret key exchange is impossible
Talk progress
  • Introduction of BSS model of computation
  • Algebra recap
  • Auxiliary results
  • Cryptography with ruler and compass
Constructability
  • OA is a unit segment in the complex plane, O(0,0), A(0,1)
  • Point M(x,y) is constructible if it can be constructed in finitely many steps using ruler and compass from OA
Axioms of constructability
  • Points O and A are constructible
  • If B and C are constructible, then segment BC and the line defined by them are constructible
  • Circle with constructible center and radius is constructible
  • Intersection of 2 constructible rays is a constructible point
  • Intersections of 2 constructible circles are constructible points
  • Intersections of constructible circle and constructible ray are constructible points
Algebraic facts
  • The set of all constructible points in C is called the Pythagorean plane
  • If M(x,y) is constructible, then x and y are constructible real numbers
  • The set of all constructible real numbers is a subfield of the field of real numbers
Computing vs constructing
  • If K=Q(S), S = set of coordinates of the points from the set which contains at least O and A
  • Every line has an equation of the form
  • Every circle has an equation
Facts
  • Theorem: If M(x,y) is constructible in one step, then K(x,y) is equal to K or to a quadratic extension of K
  • Theorem: a) For every constructible point M(x,y) there exists a finite sequence of subfields Ki, i = 0, 1, …, m, each of which is a quadratic extension of the previous one, such that K0 = K, Km is a subset of R, and x, y are elements of Km

b) x and y are algebraic over K and their degrees over K are powers of 2

c) Every point with coordinates in K or any of its quadratic extensions is constructible
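
Part (b) is what gives the "NO" answer to inverting f(x) = 3x on the opening slides. The following added example (not from the original slides) checks it for angles whose cosine is rational, so that K = Q. It assumes the standard triple-angle identity cos(3θ) = 4cos³(θ) - 3cos(θ), which the slides do not state; the function names are illustrative.

```python
from fractions import Fraction

def divisors(n):
    n = abs(n)
    return [d for d in range(1, n + 1) if n % d == 0]

def rational_roots(coeffs):
    """Rational roots of an integer polynomial (highest degree first, nonzero leading term)."""
    if coeffs[-1] == 0:                  # x = 0 is a root; continue with the quotient
        return sorted({Fraction(0)} | set(rational_roots(coeffs[:-1])))
    # Rational root theorem: numerator divides the constant, denominator the leading term.
    cands = {Fraction(s * p, q) for p in divisors(coeffs[-1])
             for q in divisors(coeffs[0]) for s in (1, -1)}
    def value(x):                        # Horner evaluation in exact arithmetic
        acc = Fraction(0)
        for c in coeffs:
            acc = acc * x + c
        return acc
    return sorted(x for x in cands if value(x) == 0)

def trisection_cubic(cos3):
    """Integer coefficients of 4x^3 - 3x - cos(3θ) = 0, cleared of denominators."""
    c = Fraction(cos3)
    return [4 * c.denominator, 0, -3 * c.denominator, -c.numerator]

def trisectable(cos3):
    """For rational cos(3θ): True iff cos(θ) lies in Q or a quadratic extension of Q."""
    # A cubic over Q with no rational root is irreducible, so cos(θ) would have
    # degree 3 over Q, which is not a power of 2 as part (b) requires.
    return len(rational_roots(trisection_cubic(cos3))) > 0
```

With 3θ = 60° (cos = 1/2) the cubic 8x³ - 6x - 1 has no rational root, so the angle cannot be trisected; with 3θ = 90° or 180° a rational root exists and the third of the angle is constructible.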

Computational model
  • We use BSS model over the field of complex numbers
  • Each party can sample random points from unit circle
  • Each party can also toss a coin
  • The state of knowledge of each party is the field he/she can generate
Is our computational system complete?

[Figure: BSS machine diagram (input space, state space, input node 1, program as a finite directed graph, output node N, output space) with a computation node holding -10, a computation node Sqrt(-10), and a branch node "If -10 = 0" (xl = 0 / otherwise).]

PK Encryption
  • Before publishing his Elements, Euclid sampled a point SK = (SKx, SKy), then computed PK = (PKx, PKy) and published it on page 655 of the XIV book
  • Archimedes wants to send him a secret point M(x,y). Using Euclid’s PK he computes the ciphertext C(xc, yc).
  • Archimedes sends this point to Euclid
But…
  • Using previous results over the field K, we will have
  • Malicious Romans who have copied C enumerate all points and, using the encryption machine with PK and X, they obtain some Cx.
  • If C=Cx then M=X
So
  • We have given a partial answer to Rivest, Shamir and Burmester’s question of whether secure encryption could be performed with ruler and compass
    • In the weak algebraic model, where operations are done with ruler and compass with infinite precision, “algebraic OWFs” exist and ZK identification protocols exist, but secure PK encryption is impossible