- 267 Views
- Uploaded on

Download Presentation
## Cryptography on weak BSS model of computation

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Can we invert this function using the same tools?

- Algebra: “NO”
- Important assumption: we are working with straightedge and compass with infinite precision

Identification using this function

- Initialization phase
- Alice generates a secret angle XA, computes YA =3 * XA and publishes YA
- Protocol
- Alice generates an angle S, and sends a copy of the it’s triple value R to Bob
- Bob tosses a coin and sends a response to Alice
- If Bob said “head” Alice will send a copy of S and Bob will verify if 3S=R
- If Bob said “tail” Alice will send a copy of S+XAand Bob will check if YA+R == 3*(S + XA)

The structure

- Introduction of BSS model of computation
- Algebra recap
- Auxiliary results
- Cryptography with ruler and compass

Lin. map. I

State space

Input node 1

Program is a finite directed graph

Computation node

Shifting node

Legend

Branch node

xl=0

otherwise

Output nodeN

Polynomial (rational) function

Lin. map. O

Output space

What if R= Z2 ?

Input space

Lin. map. I

State space

Input node 1

Program is a finite directed graph

Computation node

Shifting node

Branch node

xl=0

otherwise

Output nodeN

Lin. map. O

Output space

… we have a Turing machine!

Some facts

- BSS model provides a framework for algorithms of Numerical Analysis
- Gives new perspective and adds additional (algebraic) flavor to P vsNP question
- In the weak BSS model, there is unconditional separation between these two classes

Discrepancies of this model

- Overly realistic
- Cheating
- … and a couple of other problems

735,661.59 euros worthproblem + 2 more59.6 million Serbian dinars

Solve 1, get 2

for free!!!

- Is P = NP ?
- Is PR = NPR ?
- Is PC = NPC ?
- Transfer results
- Theorem. PC = NPC if and only if PK = NPK where K is any algebraically closed field of characteristic 0 (say algebraic numbers)
- Theorem. If PC = NPC thenBPP contains NP

Talk progress

- Introduction of BSS model of computation
- Algebra recap
- Auxiliary results
- Cryptography with ruler and compass

Algebraic preliminaries

- Element t is algebraic over the field F if it is a root of a polynomial over F[X]
- F(t) is the intersection of all fields containing F and t
- F(t)/Fcould be viewed as a vector space over F
- The dimension of this vector space is the degree of the extension

Some previous work

- All parties start with 0 and 1 and can perform finitely many operations +, -, * and /
- Parties can sample real numbers from [0,1]
- State of knowledge of each party is the field that he/she can generate

Talk progress

- Introduction of BSS model of computation
- Algebra recap
- Definitions and auxiliary results
- Cryptography with ruler and compass

Algebraic one-way functions

- Easy to compute, but hard to invert
- Alice samples a real number rand computes r2
- It is impossible to deduce r from r2 with infinite precision in finitely many steps

P [ Q (t1, t2, …, tn, r2) Q( r ) = Q] =1

PK Encryption

- Alice samples a real number SK then she computes PK which is in Q (SK)
- m is a real number that Bob wants to send to Alice and c is its encryption using PK
- We have

Results

- PKE is not possible since Q(PK,m)=Q(PK,c)
- Secure signature schemes are impossible
- Secret key exchange is impossible

Talk progress

- Introduction of BSS model of computation
- Algebra recap
- Auxiliary results
- Cryptography with ruler and compass

Constructability

- OA is a unit segment in complex plane O(0,0), A(0,1)
- Point M(x,y) is constructible if it can be constructed in finitely many steps using ruler and compass from OA

Axioms of constructability

- Points O and A are constructible
- If B and C are constructible, then segment BC and the line defined by them are constructible
- Circle with constructible center and radius is constructible
- Intersection of 2 constructible rays is a constructible point
- Intersection of 2 constructible circles are constructible points
- Intersections of constructible circle and constructible ray are constructible points

Algebraic facts

- Set of all constructible points on Cis called Pitaghorean plane
- If M(x,y) is constructible, then x and y are constructible real numbers
- The set of all constructible real numbers is a subfield of the field of real numbers

Computing vs constructing

- If K=Q(S), S = set of coordinates of the points from the set which contains at least O and A
- Every line has an equation of the form
- Every circle has an equation

Facts

- Theorem: If M(x,y) is constructible in one step, then K(x,y) = K or to a quadratic extension of K
- Theorem:a) For every constructible point M(x,y) there exists a finite sequence of subfieldsKi, i=0,1,…, m each of which is quadratic extension of the previous one such thatK0=K, and Km subset of R and x,y are elements of Km

b) x and y are algebraic overK and their degrees over K are powers of 2

c) Every point with coordinates in K or any of its quadratic extensions is constructible

Computational model

- We use BSS model over the field of complex numbers
- Each party can sample random points from unit circle
- Each party can also toss a coin
- The state of knowledge of each party is the field he/she can generate

Is our computational system complete?

Input space

State space

Input node 1

Program is a finite directed graph

Computation node

-10

Computation node

Sqrt(-10)

If -10=0

xl=0

otherwise

Output nodeN

Output space

PK Encryption

- Euclid before publishing his Elements has sampled a point SK=(SKx,SKy) and then he has computed PK=(PKx,PKy) and published in page 655 of the XIV book
- Archimedes wants to send him a secret point M(x,y). Using Euclid’s PK he computes the ciphertext C(xc, yc).
- Archimedes sends this point to Euclid

But…

- Using previous results over the field K, we will have
- Malicious Romans that have copied C, enumerate all points and using encryption machine PK and X they obtain some Cx.
- If C=Cx then M=X

So

- We have given a partial answer to Rivest, Shamir and Burmester’s question if the secure encryption could be performed with the ruler and compass
- In the weak algebraic model, where operations are done with ruler and compass with infinite precision, “algebraic OWFs” exist, ZK identification protocols do exist… but, secure PK encryption is impossible

Download Presentation

Connecting to Server..