## Cryptography on weak BSS model of computation

**Cryptography on weak BSS model of computation**
Ilir Çapuni, ilir@cs.bu.edu

**Tripling an angle with ruler and compass**
[Figure: an angle X and the angle 3X]
If x is an angle, then we define f(x) := 3x

**Can we invert this function using the same tools?**
• Algebra: “NO”
• Important assumption: we are working with straightedge and compass with infinite precision

**Identification using this function**
• Initialization phase
  • Alice generates a secret angle $X_A$, computes $Y_A = 3 X_A$ and publishes $Y_A$
• Protocol
  • Alice generates an angle S, and sends a copy of its triple value R to Bob
  • Bob tosses a coin and sends a response to Alice
  • If Bob said “head”, Alice will send a copy of S and Bob will verify if 3S = R
  • If Bob said “tail”, Alice will send a copy of $S + X_A$ and Bob will check if $Y_A + R = 3(S + X_A)$

**The structure**
• Introduction of BSS model of computation
• Algebra recap
• Auxiliary results
• Cryptography with ruler and compass

**Input space**
[Diagram of a BSS machine. Labels: input space; linear map I; state space; input node 1; program is a finite directed graph; computation node; shifting node; branch node (xl = 0 / otherwise); output node N; polynomial (rational) function; linear map O; output space.]

**What if $R = \mathbb{Z}_2$?**
[Same diagram: input space; linear map I; state space; input node 1; program is a finite directed graph; computation node; shifting node; branch node (xl = 0 / otherwise); output node N; linear map O; output space.]
… we have a Turing machine!

**Some facts**
• BSS model provides a framework for algorithms of Numerical Analysis
• Gives new perspective and adds additional (algebraic) flavor to the P vs NP question
• In the weak BSS model, there is unconditional separation between these two classes

**Discrepancies of this model**
• Overly realistic
• Cheating
• … and a couple of other problems

**735,661.59 euros worth problem + 2 more**
59.6 million Serbian dinars
Solve 1, get 2 for free!!!
• Is P = NP?
• Is $P_{\mathbb{R}} = NP_{\mathbb{R}}$?
• Is $P_{\mathbb{C}} = NP_{\mathbb{C}}$?
• Transfer results
  • Theorem. $P_{\mathbb{C}} = NP_{\mathbb{C}}$ if and only if $P_K = NP_K$, where K is any algebraically closed field of characteristic 0 (say algebraic numbers)
  • Theorem. If $P_{\mathbb{C}} = NP_{\mathbb{C}}$ then BPP contains NP

**Talk progress**
• Introduction of BSS model of computation
• Algebra recap
• Auxiliary results
• Cryptography with ruler and compass

**Algebraic preliminaries**
• Element t is algebraic over the field F if it is a root of a polynomial over F[X]
• F(t) is the intersection of all fields containing F and t
• F(t)/F could be viewed as a vector space over F
• The dimension of this vector space is the degree of the extension

**Some previous work**
• All parties start with 0 and 1 and can perform finitely many operations +, -, * and /
• Parties can sample real numbers from [0,1]
• State of knowledge of each party is the field that he/she can generate

**Talk progress**
• Introduction of BSS model of computation
• Algebra recap
• Definitions and auxiliary results
• Cryptography with ruler and compass

**Algebraic one-way functions**
• Easy to compute, but hard to invert
• Alice samples a real number r and computes $r^2$
• It is impossible to deduce r from $r^2$ with infinite precision in finitely many steps

P [ Q(t_1, t_2, …, t_n, r^2) Q(r) = Q ] = 1

**PK Encryption**
• Alice samples a real number SK, then she computes PK, which is in Q(SK)
• m is a real number that Bob wants to send to Alice and c is its encryption using PK
• We have

**Who knows what?**
[Diagram. Labels:]
• Q(PK), Q(SK), Q(SK,c)
• Q(PK), Q(PK,c), Q(PK,m)
• c, PK
• Q(PK), Q(PK,c)

**Results**
• PKE is not possible since Q(PK,m) = Q(PK,c)
• Secure signature schemes are impossible
• Secret key exchange is impossible

**Talk progress**
• Introduction of BSS model of computation
• Algebra recap
• Auxiliary results
• Cryptography with ruler and compass

**Constructability**
• OA is a unit segment in complex plane O(0,0), A(0,1)
• Point M(x,y) is constructible if it can be constructed in finitely many steps using ruler and compass from OA

**Axioms of constructability**
• Points O and A are constructible
• If B and C are constructible, then segment BC and the line defined by them are constructible
• Circle with constructible center and radius is constructible
• Intersection of 2 constructible rays is a constructible point
• Intersections of 2 constructible circles are constructible points
• Intersections of constructible circle and constructible ray are constructible points

**Algebraic facts**
• Set of all constructible points on C is called the Pythagorean plane
• If M(x,y) is constructible, then x and y are constructible real numbers
• The set of all constructible real numbers is a subfield of the field of real numbers

**Computing vs constructing**
• If K = Q(S), S = set of coordinates of the points from the set which contains at least O and A
• Every line has an equation of the form
• Every circle has an equation

**Facts**
• Theorem: If M(x,y) is constructible in one step, then K(x,y) is equal to K or to a quadratic extension of K
• Theorem:
  a) For every constructible point M(x,y) there exists a finite sequence of subfields $K_i$, i = 0, 1, …, m, each of which is a quadratic extension of the previous one, such that $K_0 = K$, $K_m$ is a subset of R, and x, y are elements of $K_m$
  b) x and y are algebraic over K and their degrees over K are powers of 2
  c) Every point with coordinates in K or any of its quadratic extensions is constructible

**Computational model**
• We use BSS model over the field of complex numbers
• Each party can sample random points from unit circle
• Each party can also toss a coin
• The state of knowledge of each party is the field he/she can generate

**Is our computational system complete?**
[Diagram of a BSS machine. Labels: input space; state space; input node 1; program is a finite directed graph; computation node -10; computation node Sqrt(-10); branch node (if -10 = 0: xl = 0 / otherwise); output node N; output space.]

**PK Encryption**
• Euclid, before publishing his Elements, has sampled a point SK = (SKx, SKy), then computed PK = (PKx, PKy) and published it on page 655 of book XIV
• Archimedes wants to send him a secret point M(x,y). Using Euclid’s PK he computes the ciphertext C(xc, yc).
• Archimedes sends this point to Euclid

**But…**
• Using previous results over the field K, we will have
• Malicious Romans that have copied C enumerate all points and, using the encryption machine with PK and X, they obtain some Cx.
• If C = Cx then M = X

**So**
• We have given a partial answer to Rivest, Shamir and Burmester’s question of whether secure encryption could be performed with ruler and compass
• In the weak algebraic model, where operations are done with ruler and compass with infinite precision, “algebraic OWFs” exist, ZK identification protocols do exist… but secure PK encryption is impossible
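
The identification protocol from the "Identification using this function" slide, as an added example that is not part of the original presentation. It assumes angles are stored as exact fractions of a full turn (so 3x is computed without rounding); the class and function names are hypothetical, and the `GuessingProver` case goes beyond the slide to show that a prover who knows only $Y_A$ can satisfy one of Bob's two checks but not both. In this representation dividing by 3 is easy, so the code models the message flow and Bob's checks only, not the ruler-and-compass hardness the slides rely on.

```python
import secrets
from fractions import Fraction

TURN = 2**64  # constructed sampling grid: angles are k/TURN of a full turn

def triple(x):
    """The slides' f(x) := 3x on angles, reduced mod one full turn."""
    return (3 * x) % 1

def random_angle():
    return Fraction(secrets.randbelow(TURN), TURN)

def verify(y_a, r, coin, answer):
    """Bob's check: 3S = R on "head", Y_A + R = 3(S + X_A) on "tail"."""
    if coin == "head":
        return triple(answer) == r
    return (y_a + r) % 1 == triple(answer)

class HonestAlice:
    def __init__(self, x_a):
        self.x_a = x_a
    def commit(self):
        self.s = random_angle()
        return triple(self.s)                      # R = 3S
    def respond(self, coin):
        return self.s if coin == "head" else (self.s + self.x_a) % 1

class GuessingProver:
    """Knows only Y_A and must guess Bob's coin before committing."""
    def __init__(self, y_a, guess):
        self.y_a, self.guess = y_a, guess
    def commit(self):
        self.t = random_angle()
        if self.guess == "head":
            return triple(self.t)
        return (triple(self.t) - self.y_a) % 1     # R chosen so Y_A + R = 3T
    def respond(self, coin):
        return self.t                              # passes only if coin == guess

def run_round(prover, y_a, coin):
    r = prover.commit()
    return verify(y_a, r, coin, prover.respond(coin))

if __name__ == "__main__":
    x_a = Fraction(1, 7)                           # constructed secret angle
    y_a = triple(x_a)
    for coin in ("head", "tail"):
        print(coin, run_round(HonestAlice(x_a), y_a, coin),
              run_round(GuessingProver(y_a, "tail"), y_a, coin))
```

Each round therefore catches a prover without $X_A$ with probability 1/2, which is why Bob repeats the coin toss over several rounds.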