Cryptography on weak BSS model of computation

Ilir Çapuni ilir@cs.bu.edu

Presentation Transcript
Tripling an angle with ruler and compass

3X

X

If x is an angle, then we define f(x):= 3x

Can we invert this function using the same tools?
  • Algebra: “NO”
  • Important assumption: we are working with straightedge and compass with infinite precision
Identification using this function
  • Initialization phase
    • Alice generates a secret angle X_A, computes Y_A = 3 * X_A and publishes Y_A
  • Protocol
    • Alice generates an angle S and sends a copy of its tripled value R to Bob
    • Bob tosses a coin and sends a response to Alice
    • If Bob said “head”, Alice will send a copy of S and Bob will verify that 3S = R
    • If Bob said “tail”, Alice will send a copy of S + X_A and Bob will check that Y_A + R == 3 * (S + X_A)
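
The message flow above, as an added example that is not part of the original slides. Assumptions: angles are exact rationals measured in turns (Python `Fraction`, reduced mod 1), so the code reproduces Bob's two checks but does not model the impossibility of trisection; the names `Alice`, `Impostor`, `verify` and `run_rounds` are hypothetical. The `Impostor` class shows why the rounds are repeated: a prover who knows only Y_A can prepare for one coin outcome per round, so each round exposes it with probability 1/2.

```python
import random
from fractions import Fraction

def triple(a):
    """Public function f(x) = 3x on angles, measured in turns and reduced to [0, 1)."""
    return (3 * a) % 1

def rand_angle(rng):
    # Constructed stand-in for "generate an angle": an exact rational number of turns.
    return Fraction(rng.randrange(1, 10**9), 10**9)

def verify(y_a, r, coin, answer):
    """Bob's check: 3S == R on head, 3(S + X_A) == Y_A + R on tail."""
    target = r if coin == "head" else (y_a + r) % 1
    return triple(answer) == target

class Alice:
    """Honest prover: knows the secret angle X_A."""
    def __init__(self, x_a, rng):
        self.x_a, self.rng = x_a, rng
    def commit(self):
        self.s = rand_angle(self.rng)
        return triple(self.s)                      # R = 3S
    def respond(self, coin):
        return self.s if coin == "head" else (self.s + self.x_a) % 1

class Impostor:
    """Knows only the public Y_A, so must bet on the coin before committing."""
    def __init__(self, y_a, rng):
        self.y_a, self.rng = y_a, rng
    def commit(self):
        self.z = rand_angle(self.rng)
        self.guess = self.rng.choice(["head", "tail"])
        # For a "tail" bet, R is chosen as 3z - Y_A so that z passes the tail check.
        shift = 0 if self.guess == "head" else self.y_a
        return (triple(self.z) - shift) % 1
    def respond(self, coin):
        return self.z

def run_rounds(prover, y_a, n, rng):
    """Play n rounds with Bob's fair coin; return how many rounds Bob accepts."""
    accepted = 0
    for _ in range(n):
        r = prover.commit()
        coin = rng.choice(["head", "tail"])
        accepted += verify(y_a, r, coin, prover.respond(coin))
    return accepted

if __name__ == "__main__":
    rng = random.Random(1)
    x_a = rand_angle(rng)
    y_a = triple(x_a)
    print(run_rounds(Alice(x_a, rng), y_a, 1000, rng))     # honest prover: 1000
    print(run_rounds(Impostor(y_a, rng), y_a, 1000, rng))  # impostor: roughly half
```

An impostor passes n independent rounds with probability 2^-n, which is why Bob repeats the exchange.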
The structure
  • Introduction of BSS model of computation
  • Algebra recap
  • Auxiliary results
  • Cryptography with ruler and compass
[Diagram of a BSS machine. Labels: input space, linear map I, state space, linear map O, output space. The program is a finite directed graph. Legend: input node (1), computation node (polynomial or rational function), shifting node, branch node (xl=0 / otherwise), output node (N).]

What if R = Z_2?

[Diagram of a BSS machine. Labels: input space, linear map I, state space, linear map O, output space. The program is a finite directed graph with an input node (1), computation node, shifting node, branch node (xl=0 / otherwise) and output node (N).]

… we have a Turing machine!

Some facts
  • BSS model provides a framework for algorithms of Numerical Analysis
  • Gives a new perspective and adds an additional (algebraic) flavor to the P vs NP question
    • In the weak BSS model, there is unconditional separation between these two classes
Discrepancies of this model
  • Overly realistic
  • Cheating
  • … and a couple of other problems
735,661.59 euros worth problem + 2 more

59.6 million Serbian dinars

Solve 1, get 2 for free!!!

  • Is P = NP ?
  • Is P_R = NP_R ?
  • Is P_C = NP_C ?
  • Transfer results
    • Theorem. P_C = NP_C if and only if P_K = NP_K, where K is any algebraically closed field of characteristic 0 (say algebraic numbers)
    • Theorem. If P_C = NP_C then BPP contains NP
Talk progress
  • Introduction of BSS model of computation
  • Algebra recap
  • Auxiliary results
  • Cryptography with ruler and compass
Algebraic preliminaries
  • An element t is algebraic over the field F if it is a root of a polynomial in F[X]
  • F(t) is the intersection of all fields containing F and t
  • F(t)/F can be viewed as a vector space over F
  • The dimension of this vector space is the degree of the extension
Some previous work
  • All parties start with 0 and 1 and can perform finitely many operations +, -, * and /
  • Parties can sample real numbers from [0,1]
  • State of knowledge of each party is the field that he/she can generate
Talk progress
  • Introduction of BSS model of computation
  • Algebra recap
  • Definitions and auxiliary results
  • Cryptography with ruler and compass
Algebraic one-way functions
  • Easy to compute, but hard to invert
  • Alice samples a real number r and computes r^2
  • It is impossible to deduce r from r^2 with infinite precision in finitely many steps

P [ Q (t1, t2, …, tn, r2)  Q( r ) = Q] =1

PK Encryption
  • Alice samples a real number SK, then she computes PK, which is in Q(SK)
  • m is a real number that Bob wants to send to Alice and c is its encryption using PK
  • We have
Who knows what?

Q(PK), Q(SK), Q(SK,c)

Q(PK), Q(PK,c), Q(PK,m)

c, PK

Q(PK), Q(PK,c)

Results
  • PKE is not possible since Q(PK,m)=Q(PK,c)
  • Secure signature schemes are impossible
  • Secret key exchange is impossible
Talk progress
  • Introduction of BSS model of computation
  • Algebra recap
  • Auxiliary results
  • Cryptography with ruler and compass
Constructability
  • OA is a unit segment in the complex plane, with O(0,0), A(0,1)
  • Point M(x,y) is constructible if it can be constructed in finitely many steps using ruler and compass from OA
Axioms of constructability
  • Points O and A are constructible
  • If B and C are constructible, then segment BC and the line defined by them are constructible
  • Circle with constructible center and radius is constructible
  • Intersection of 2 constructible rays is a constructible point
  • Intersections of 2 constructible circles are constructible points
  • Intersections of constructible circle and constructible ray are constructible points
Algebraic facts
  • The set of all constructible points in C is called the Pythagorean plane
  • If M(x,y) is constructible, then x and y are constructible real numbers
  • The set of all constructible real numbers is a subfield of the field of real numbers
Computing vs constructing
  • If K=Q(S), S = set of coordinates of the points from the set which contains at least O and A
  • Every line has an equation of the form
  • Every circle has an equation
Facts
  • Theorem: If M(x,y) is constructible in one step, then K(x,y) is equal to K or to a quadratic extension of K
  • Theorem:

a) For every constructible point M(x,y) there exists a finite sequence of subfields K_i, i = 0, 1, …, m, each of which is a quadratic extension of the previous one, such that K_0 = K, K_m is a subset of R, and x, y are elements of K_m

b) x and y are algebraic over K and their degrees over K are powers of 2

c) Every point with coordinates in K or any of its quadratic extensions is constructible

Computational model
  • We use BSS model over the field of complex numbers
  • Each party can sample random points from unit circle
  • Each party can also toss a coin
  • The state of knowledge of each party is the field he/she can generate
Is our computational system complete?

[Diagram of a BSS program as a finite directed graph, from input space through state space to output space. Labels: input node (1); computation node: -10; computation node: Sqrt(-10); branch: "If -10=0" (xl=0 / otherwise); output node (N).]

PK Encryption
  • Before publishing his Elements, Euclid sampled a point SK = (SK_x, SK_y), then computed PK = (PK_x, PK_y) and published it on page 655 of book XIV
  • Archimedes wants to send him a secret point M(x, y). Using Euclid’s PK he computes the ciphertext C(x_c, y_c).
  • Archimedes sends this point to Euclid
But…
  • Using previous results over the field K, we will have
  • Malicious Romans who have copied C enumerate all points X and, using the encryption machine with PK and X, obtain some C_X.
  • If C = C_X then M = X
So
  • We have given a partial answer to Rivest, Shamir and Burmester’s question of whether secure encryption can be performed with ruler and compass
    • In the weak algebraic model, where operations are done with ruler and compass with infinite precision, “algebraic OWFs” exist and ZK identification protocols exist… but secure PK encryption is impossible