Cryptography on weak BSS model of computation

### Cryptography on weak BSS model of computation

Ilir Çapuni

ilir@cs.bu.edu

Tripling an angle with ruler and compass

[Figure: an angle X and its triple 3X]

If x is an angle, then we define f(x):= 3x

Can we invert this function using the same tools?
• Algebra: “NO”
• Important assumption: we are working with straightedge and compass with infinite precision
Identification using this function
• Initialization phase
  • Alice generates a secret angle X_A, computes Y_A = 3 * X_A and publishes Y_A
• Protocol
  • Alice generates an angle S and sends a copy of its tripled value R to Bob
  • Bob tosses a coin and sends a response to Alice
  • If Bob said “head”, Alice sends a copy of S and Bob verifies that 3S = R
  • If Bob said “tail”, Alice sends a copy of S + X_A and Bob checks that Y_A + R == 3 * (S + X_A)
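The identification protocol above, simulated as an added example (not code from the presentation). It goes one step beyond the slide by including a prover who knows only Y_A, which shows that a single round gives Bob a one-in-two check. Assumptions: angles are exact fractions of a full turn, and the names `Alice`, `Guesser`, `bob_verify` and `run` are hypothetical; the `Guesser` uses only tripling, addition and subtraction, as the model allows.

```python
import random
from fractions import Fraction

# Assumption of this sketch: an angle is an exact fraction of a full turn
# (mod 1), standing in for the slides' infinite-precision ruler and compass.
def norm(a):
    return a % 1

def triple(a):
    return norm(3 * a)

def sample_angle(rng):
    return Fraction(rng.randrange(1, 2**64), 2**64)

class Alice:
    """Honest prover: knows the secret X_A behind the public Y_A = 3 * X_A."""
    def __init__(self, rng):
        self.rng, self.x = rng, sample_angle(rng)
        self.y = triple(self.x)
    def commit(self):
        self.s = sample_angle(self.rng)
        return triple(self.s)                      # R
    def respond(self, coin):
        return self.s if coin == "head" else norm(self.s + self.x)

class Guesser:
    """Knows only Y_A; builds R so that one coin outcome can be answered."""
    def __init__(self, y, rng):
        self.rng, self.y = rng, y
    def commit(self):
        self.bet, self.z = self.rng.choice(["head", "tail"]), sample_angle(self.rng)
        r = triple(self.z)
        return r if self.bet == "head" else norm(r - self.y)  # Y_A + R == 3Z
    def respond(self, coin):
        return self.z                              # valid only if coin == bet

def bob_verify(y, r, coin, answer):
    if coin == "head":
        return triple(answer) == r                 # 3S == R
    return norm(y + r) == triple(answer)           # Y_A + R == 3(S + X_A)

def run(prover, y, rounds, rng):
    passed = 0
    for _ in range(rounds):
        r = prover.commit()
        coin = rng.choice(["head", "tail"])        # Bob's coin toss
        passed += bob_verify(y, r, coin, prover.respond(coin))
    return passed
```

Calling `run(alice, alice.y, n, rng)` with an `Alice` returns n, while a `Guesser` built from `alice.y` passes only the rounds in which Bob's coin matches its bet.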
The structure
• Introduction of BSS model of computation
• Algebra recap
• Auxiliary results
• Cryptography with ruler and compass

[Figure: BSS machine diagram, captioned “Program is a finite directed graph”. Labels: input space, linear map I, state space, input node 1, computation node, shifting node, branch node (xl=0 / otherwise), output node N, polynomial (rational) function, linear map O, output space.]

What if R = Z_2?

[Figure: BSS machine diagram, captioned “Program is a finite directed graph”. Labels: input space, linear map I, state space, input node 1, computation node, shifting node, branch node (xl=0 / otherwise), output node N, linear map O, output space.]

… we have a Turing machine!

Some facts
• BSS model provides a framework for algorithms of Numerical Analysis
• Gives a new perspective and adds an additional (algebraic) flavor to the P vs NP question
• In the weak BSS model, there is unconditional separation between these two classes
Discrepancies of this model
• Overly realistic
• Cheating
• … and a couple of other problems

Solve 1, get 2

• Is P = NP?
• Is P_R = NP_R?
• Is P_C = NP_C?
• Transfer results
• Theorem. P_C = NP_C if and only if P_K = NP_K, where K is any algebraically closed field of characteristic 0 (say, the algebraic numbers)
• Theorem. If P_C = NP_C then BPP contains NP
Talk progress
• Introduction of BSS model of computation
• Algebra recap
• Auxiliary results
• Cryptography with ruler and compass
Algebraic preliminaries
• An element t is algebraic over the field F if it is a root of a polynomial in F[X]
• F(t) is the intersection of all fields containing F and t
• F(t)/F can be viewed as a vector space over F
• The dimension of this vector space is the degree of the extension
Some previous work
• All parties start with 0 and 1 and can perform finitely many operations +, -, * and /
• Parties can sample real numbers from [0,1]
• State of knowledge of each party is the field that he/she can generate
Talk progress
• Introduction of BSS model of computation
• Algebra recap
• Definitions and auxiliary results
• Cryptography with ruler and compass
Algebraic one-way functions
• Easy to compute, but hard to invert
• Alice samples a real number r and computes r^2
• It is impossible to deduce r from r^2 with infinite precision in finitely many steps

P[ Q(t1, t2, …, tn, r^2)  Q(r) = Q ] = 1

PK Encryption
• Alice samples a real number SK, then she computes PK, which is in Q(SK)
• m is a real number that Bob wants to send to Alice and c is its encryption using PK
• We have
Who knows what?

Q(PK), Q(SK), Q(SK,c)

Q(PK), Q(PK,c), Q(PK,m)

c, PK

Q(PK), Q(PK,c)

Results
• PKE is not possible since Q(PK,m)=Q(PK,c)
• Secure signature schemes are impossible
• Secret key exchange is impossible
Talk progress
• Introduction of BSS model of computation
• Algebra recap
• Auxiliary results
• Cryptography with ruler and compass
Constructibility
• OA is a unit segment in the complex plane, with O(0,0), A(0,1)
• Point M(x,y) is constructible if it can be constructed in finitely many steps using ruler and compass from OA
Axioms of constructibility
• Points O and A are constructible
• If B and C are constructible, then segment BC and the line defined by them are constructible
• Circle with constructible center and radius is constructible
• Intersection of 2 constructible rays is a constructible point
• Intersections of 2 constructible circles are constructible points
• Intersections of constructible circle and constructible ray are constructible points
Algebraic facts
• The set of all constructible points on C is called the Pythagorean plane
• If M(x,y) is constructible, then x and y are constructible real numbers
• The set of all constructible real numbers is a subfield of the field of real numbers
Computing vs constructing
• If K=Q(S), S = set of coordinates of the points from the set which contains at least O and A
• Every line has an equation of the form
• Every circle has an equation
Facts
• Theorem: If M(x,y) is constructible in one step, then K(x,y) is equal to K or to a quadratic extension of K
• Theorem:
  a) For every constructible point M(x,y) there exists a finite sequence of subfields K_i, i = 0, 1, …, m, each of which is a quadratic extension of the previous one, such that K_0 = K, K_m is a subset of R, and x, y are elements of K_m
  b) x and y are algebraic over K and their degrees over K are powers of 2
  c) Every point with coordinates in K or any of its quadratic extensions is constructible
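
Worked illustration of part b), added here and not taken from the slides: it explains the “NO” on the opening slide by showing that f(x) = 3x cannot be inverted with ruler and compass for the angle 60°, taking K = Q.

$$\cos 3\theta = 4\cos^3\theta - 3\cos\theta$$

With $3\theta = 60^\circ$ (constructible, since $\cos 60^\circ = \tfrac{1}{2} \in \mathbb{Q}$) and $t = \cos 20^\circ$:

$$\tfrac{1}{2} = 4t^3 - 3t \iff 8t^3 - 6t - 1 = 0$$

By the rational root test the only candidate roots are $\pm 1, \pm\tfrac{1}{2}, \pm\tfrac{1}{4}, \pm\tfrac{1}{8}$, and none of them satisfies the equation, so the cubic is irreducible over $\mathbb{Q}$ and $[\mathbb{Q}(t):\mathbb{Q}] = 3$. Since 3 is not a power of 2, $t$ is not constructible, so the 20° angle cannot be obtained from the 60° angle with ruler and compass.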

Computational model
• We use BSS model over the field of complex numbers
• Each party can sample random points from unit circle
• Each party can also toss a coin
• The state of knowledge of each party is the field he/she can generate
Is our computational system complete?

[Figure: BSS machine diagram, captioned “Program is a finite directed graph”. Labels, in order: input space, state space, input node 1, computation node, -10, computation node, Sqrt(-10), If -10=0, xl=0, otherwise, output node N, output space.]

PK Encryption
• Before publishing his Elements, Euclid sampled a point SK = (SK_x, SK_y), then computed PK = (PK_x, PK_y) and published it on page 655 of book XIV
• Archimedes wants to send him a secret point M(x,y). Using Euclid’s PK he computes the ciphertext C(x_c, y_c).
• Archimedes sends this point to Euclid
But…
• Using previous results over the field K, we will have
• Malicious Romans who have copied C enumerate all points X and, using the encryption machine with PK and X, obtain some C_X
• If C = C_X then M = X
So
• We have given a partial answer to Rivest, Shamir and Burmester’s question of whether secure encryption can be performed with ruler and compass
• In the weak algebraic model, where operations are done with ruler and compass with infinite precision, “algebraic OWFs” exist and ZK identification protocols exist… but secure PK encryption is impossible