# Cryptography on weak BSS model of computation

##### Presentation Transcript

1. Cryptography on weak BSS model of computation Ilir Çapuni ilir@cs.bu.edu

2. Tripling an angle with ruler and compass [Figure: an angle X and its triple 3X] If x is an angle, then we define f(x) := 3x

3. Can we invert this function using the same tools? • Algebra: “NO” • Important assumption: we are working with straightedge and compass with infinite precision

4. Identification using this function • Initialization phase • Alice generates a secret angle X_A, computes Y_A = 3 * X_A and publishes Y_A • Protocol • Alice generates an angle S and sends a copy of its triple value R to Bob • Bob tosses a coin and sends a response to Alice • If Bob said “head”, Alice will send a copy of S and Bob will verify if 3S = R • If Bob said “tail”, Alice will send a copy of S + X_A and Bob will check if Y_A + R == 3 * (S + X_A)

5. The structure • Introduction of BSS model of computation • Algebra recap • Auxiliary results • Cryptography with ruler and compass

6. [Diagram of a BSS machine. Labels: input space, linear map I, state space, input node 1, computation node, shifting node, branch node (xl = 0 / otherwise), output node N, polynomial (rational) function, linear map O, output space. Caption: Program is a finite directed graph]

7. What if R = Z_2? [Same machine diagram. Labels: input space, linear map I, state space, input node 1, computation node, shifting node, branch node (xl = 0 / otherwise), output node N, linear map O, output space. Caption: Program is a finite directed graph] … we have a Turing machine!

8. Some facts • BSS model provides a framework for algorithms of Numerical Analysis • Gives a new perspective and adds additional (algebraic) flavor to the P vs NP question • In the weak BSS model, there is unconditional separation between these two classes

9. Discrepancies of this model • Overly realistic • Cheating • … and a couple of other problems

10. 735,661.59 euros worth problem + 2 more • 59.6 million Serbian dinars • Solve 1, get 2 for free!!! • Is P = NP? • Is P_R = NP_R? • Is P_C = NP_C? • Transfer results • Theorem. P_C = NP_C if and only if P_K = NP_K, where K is any algebraically closed field of characteristic 0 (say algebraic numbers) • Theorem. If P_C = NP_C then BPP contains NP

11. Talk progress • Introduction of BSS model of computation • Algebra recap • Auxiliary results • Cryptography with ruler and compass

12. Algebraic preliminaries • Element t is algebraic over the field F if it is a root of a polynomial over F[X] • F(t) is the intersection of all fields containing F and t • F(t)/F could be viewed as a vector space over F • The dimension of this vector space is the degree of the extension

13. Some previous work • All parties start with 0 and 1 and can perform finitely many operations +, -, * and / • Parties can sample real numbers from [0,1] • State of knowledge of each party is the field that he/she can generate

14. Talk progress • Introduction of BSS model of computation • Algebra recap • Definitions and auxiliary results • Cryptography with ruler and compass

15. Algebraic one-way functions • Easy to compute, but hard to invert • Alice samples a real number r and computes r^2 • It is impossible to deduce r from r^2 with infinite precision in finitely many steps P [ Q (t1, t2, …, tn, r^2)  Q( r ) = Q] =1

16. PK Encryption • Alice samples a real number SK, then she computes PK, which is in Q(SK) • m is a real number that Bob wants to send to Alice and c is its encryption using PK • We have

17. Who knows what? [Diagram labels: Q(PK), Q(SK), Q(SK,c); Q(PK), Q(PK,c), Q(PK,m); c, PK; Q(PK), Q(PK,c)]

18. Results • PKE is not possible since Q(PK,m)=Q(PK,c) • Secure signature schemes are impossible • Secret key exchange is impossible

19. Talk progress • Introduction of BSS model of computation • Algebra recap • Auxiliary results • Cryptography with ruler and compass

20. Constructability • OA is a unit segment in the complex plane, with O(0,0), A(0,1) • Point M(x,y) is constructible if it can be constructed in finitely many steps using ruler and compass from OA

21. Axioms of constructability • Points O and A are constructible • If B and C are constructible, then segment BC and the line defined by them are constructible • Circle with constructible center and radius is constructible • Intersection of 2 constructible rays is a constructible point • Intersections of 2 constructible circles are constructible points • Intersections of a constructible circle and a constructible ray are constructible points

22. Algebraic facts • The set of all constructible points on C is called the Pythagorean plane • If M(x,y) is constructible, then x and y are constructible real numbers • The set of all constructible real numbers is a subfield of the field of real numbers

23. Computing vs constructing • If K=Q(S), S = set of coordinates of the points from the set which contains at least O and A • Every line has an equation of the form • Every circle has an equation

24. Facts • Theorem: If M(x,y) is constructible in one step, then K(x,y) is equal to K or to a quadratic extension of K • Theorem: a) For every constructible point M(x,y) there exists a finite sequence of subfields K_i, i = 0, 1, …, m, each of which is a quadratic extension of the previous one, such that K_0 = K, K_m is a subset of R, and x, y are elements of K_m b) x and y are algebraic over K and their degrees over K are powers of 2 c) Every point with coordinates in K or any of its quadratic extensions is constructible

25. Computational model • We use BSS model over the field of complex numbers • Each party can sample random points from unit circle • Each party can also toss a coin • The state of knowledge of each party is the field he/she can generate

26. Is our computational system complete? [Machine diagram. Labels: input space, state space, input node 1, computation node (-10), computation node (Sqrt(-10)), branch node (if -10 = 0: xl = 0 / otherwise), output node N, output space. Caption: Program is a finite directed graph]

27. PK Encryption • Before publishing his Elements, Euclid sampled a point SK = (SKx, SKy), then computed PK = (PKx, PKy) and published it on page 655 of book XIV • Archimedes wants to send him a secret point M(x,y). Using Euclid’s PK he computes the ciphertext C(xc, yc) • Archimedes sends this point to Euclid

28. But… • Using previous results over the field K, we will have • Malicious Romans who have copied C enumerate all points X and, using the encryption machine with PK and X, obtain some C_X • If C = C_X then M = X

29. So • We have given a partial answer to Rivest, Shamir and Burmester’s question of whether secure encryption could be performed with ruler and compass • In the weak algebraic model, where operations are done with ruler and compass with infinite precision, “algebraic OWFs” exist and ZK identification protocols exist… but secure PK encryption is impossible
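
The identification protocol from slide 4, simulated in Python as an added example (not code from the presentation): it runs both of Bob's checks with exact arithmetic and shows that a prover without Alice's secret can prepare a commitment for only one coin outcome, so each round catches an impostor with probability 1/2. Assumptions: angles are represented as rational points on the unit circle so that equality is exact, and all function names are hypothetical; the simulation shows the message flow and the verification equations, not the hardness of trisection.

```python
from fractions import Fraction
import secrets

# An angle is stored as the exact unit-circle point (cos, sin) with rational
# coordinates (an assumption of this example), so every comparison is exact.
def angle(t):
    t = Fraction(t)
    d = 1 + t * t
    return ((1 - t * t) / d, 2 * t / d)

def add(p, q):            # angle addition = complex multiplication
    return (p[0] * q[0] - p[1] * q[1], p[0] * q[1] + p[1] * q[0])

def neg(p):               # negated angle = complex conjugate
    return (p[0], -p[1])

def triple(p):            # f(x) := 3x from slide 2
    return add(p, add(p, p))

def random_angle():
    return angle(Fraction(secrets.randbelow(10**6) + 1,
                          secrets.randbelow(10**6) + 1))

def verify(y_a, r, coin, resp):
    """Bob's check for one round."""
    if coin == "head":
        return triple(resp) == r             # 3S = R
    return add(y_a, r) == triple(resp)       # Y_A + R == 3 * (S + X_A)

def honest_round(x_a, y_a, coin):
    s = random_angle()
    r = triple(s)                            # commitment sent to Bob
    resp = s if coin == "head" else add(s, x_a)
    return verify(y_a, r, coin, resp)

def forged_commitment(y_a):
    # Prover without X_A: choose the "tail" answer Z first, then R = 3Z - Y_A.
    z = random_angle()
    return add(triple(z), neg(y_a)), z

def run_demo(rounds=20):
    x_a = random_angle()                     # Alice's secret angle
    y_a = triple(x_a)                        # published value
    honest = all(honest_round(x_a, y_a, secrets.choice(["head", "tail"]))
                 for _ in range(rounds))
    r, z = forged_commitment(y_a)
    # The forged commitment passes "tail" but fails "head" with the same answer.
    return honest, verify(y_a, r, "tail", z), verify(y_a, r, "head", z)

if __name__ == "__main__":
    print(run_demo())
```

Repeating the round n times drives an impostor's success probability down to 2^-n, while the transcript of a "tail" round alone reveals only S + X_A for a fresh random S.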