cryptography on weak bss model of computation
DESCRIPTION
Cryptography on weak BSS model of computation. Ilir Çapuni [email protected]. Tripling an angle with ruler and compass. 3X. X. If x is an angle, then we define f ( x ) : = 3x. Can we invert this function using the same tools?. Algebra: “ NO ” - PowerPoint PPT PresentationTRANSCRIPT
![Page 2: Cryptography on weak BSS model of computation](https://reader034.vdocument.in/reader034/viewer/2022052414/5681462a550346895db3378a/html5/thumbnails/2.jpg)
2
Tripling an angle with ruler and compass
X
3X
If x is an angle, then we define f(x) := 3x
![Page 3: Cryptography on weak BSS model of computation](https://reader034.vdocument.in/reader034/viewer/2022052414/5681462a550346895db3378a/html5/thumbnails/3.jpg)
3
Can we invert this function using the same tools?
Algebra: “NO”Important assumption: we are working with
straightedge and compass with infinite precision
![Page 4: Cryptography on weak BSS model of computation](https://reader034.vdocument.in/reader034/viewer/2022052414/5681462a550346895db3378a/html5/thumbnails/4.jpg)
4
Identification using this function
Initialization phase Alice generates a secret angle XA, computes
YA =3 * XA and publishes YA
Protocol Alice generates an angle S, and sends a copy of the it’s triple
value R to Bob Bob tosses a coin and sends a response to Alice If Bob said “head” Alice will send a copy of S and Bob will verify
if 3S=R If Bob said “tail” Alice will send a copy of S+XA and Bob will
check if YA+R == 3*(S + XA)
![Page 5: Cryptography on weak BSS model of computation](https://reader034.vdocument.in/reader034/viewer/2022052414/5681462a550346895db3378a/html5/thumbnails/5.jpg)
5
The structure
Introduction of BSS model of computationAlgebra recapAuxiliary resultsCryptography with ruler and compass
![Page 6: Cryptography on weak BSS model of computation](https://reader034.vdocument.in/reader034/viewer/2022052414/5681462a550346895db3378a/html5/thumbnails/6.jpg)
6
State space
Computation node
Output space
… 0 x0 x1 x2 … xk-2 xk-1 xk ...Input node 1
Input space
Branch node
Output node N
Shifting node
xl=0 otherwise
∞R
∞R
)(← η xgx
)(σ← xx
Program is a finite directed graph
Lin. map. I
Lin. map. O
n∞ ofunion disjoint RR
ηg
Legend
Polynomial (rational) function
![Page 7: Cryptography on weak BSS model of computation](https://reader034.vdocument.in/reader034/viewer/2022052414/5681462a550346895db3378a/html5/thumbnails/7.jpg)
7
What if R = Z2 ?
… we have a Turing machine!
State space
Computation node
Output space
… 0 0 1 0 … 1 1 0 ...Input node 1
Input space
Branch node
Output node N
Shifting node
xl=0 otherwise
*}1,0{
*}1,0{
)(← η xgx
)(σ← xx
Program is a finite directed graph
Lin. map. I
Lin. map. O
![Page 8: Cryptography on weak BSS model of computation](https://reader034.vdocument.in/reader034/viewer/2022052414/5681462a550346895db3378a/html5/thumbnails/8.jpg)
8
Some facts
BSS model provides a framework for algorithms of Numerical Analysis
Gives new perspective and adds additional (algebraic) flavor to P vs NP question In the weak BSS model, there is unconditional
separation between these two classes
![Page 9: Cryptography on weak BSS model of computation](https://reader034.vdocument.in/reader034/viewer/2022052414/5681462a550346895db3378a/html5/thumbnails/9.jpg)
9
Discrepancies of this model
Overly realisticCheating… and a couple of other problems
![Page 10: Cryptography on weak BSS model of computation](https://reader034.vdocument.in/reader034/viewer/2022052414/5681462a550346895db3378a/html5/thumbnails/10.jpg)
10
735,661.59 euros worth problem + 2 more59.6 million Serbian dinarsIs P = NP ?Is PR = NPR ?
Is PC = NPC ?
Transfer results Theorem. PC = NPC if and only if PK = NPK where K is
any algebraically closed field of characteristic 0 (say algebraic numbers)
Theorem. If PC = NPC then BPP contains NP
Solve 1, get 2
for free!!!
![Page 11: Cryptography on weak BSS model of computation](https://reader034.vdocument.in/reader034/viewer/2022052414/5681462a550346895db3378a/html5/thumbnails/11.jpg)
11
Talk progress
Introduction of BSS model of computationAlgebra recapAuxiliary resultsCryptography with ruler and compass
![Page 12: Cryptography on weak BSS model of computation](https://reader034.vdocument.in/reader034/viewer/2022052414/5681462a550346895db3378a/html5/thumbnails/12.jpg)
12
Algebraic preliminaries
Element t is algebraic over the field F if it is a root of a polynomial over F[X]
F(t) is the intersection of all fields containing F and t
F(t)/F could be viewed as a vector space over FThe dimension of this vector space is the
degree of the extension
![Page 13: Cryptography on weak BSS model of computation](https://reader034.vdocument.in/reader034/viewer/2022052414/5681462a550346895db3378a/html5/thumbnails/13.jpg)
13
Some previous work
All parties start with 0 and 1 and can perform finitely many operations +, -, * and /
Parties can sample real numbers from [0,1]State of knowledge of each party is the field
that he/she can generate
![Page 14: Cryptography on weak BSS model of computation](https://reader034.vdocument.in/reader034/viewer/2022052414/5681462a550346895db3378a/html5/thumbnails/14.jpg)
14
Talk progress
Introduction of BSS model of computationAlgebra recapDefinitions and auxiliary resultsCryptography with ruler and compass
![Page 15: Cryptography on weak BSS model of computation](https://reader034.vdocument.in/reader034/viewer/2022052414/5681462a550346895db3378a/html5/thumbnails/15.jpg)
15
Algebraic one-way functions
Easy to compute, but hard to invertAlice samples a real number r and computes r2
It is impossible to deduce r from r2 with infinite precision in finitely many steps P [ Q (t1, t2, …, tn, r2) Q( r ) = Q] =1
![Page 16: Cryptography on weak BSS model of computation](https://reader034.vdocument.in/reader034/viewer/2022052414/5681462a550346895db3378a/html5/thumbnails/16.jpg)
16
PK Encryption
Alice samples a real number SK then she computes PK which is in Q (SK)
m is a real number that Bob wants to send to Alice and c is its encryption using PK
We have
),(),(),( cSKQmPKQcPKQ
![Page 17: Cryptography on weak BSS model of computation](https://reader034.vdocument.in/reader034/viewer/2022052414/5681462a550346895db3378a/html5/thumbnails/17.jpg)
17
Who knows what?
c, PK
Q(PK), Q(SK), Q(SK,c)
Q(PK), Q(PK,c), Q(PK,m)
),(),(),( cSKQmPKQcPKQ
Q(PK), Q(PK,c)
![Page 18: Cryptography on weak BSS model of computation](https://reader034.vdocument.in/reader034/viewer/2022052414/5681462a550346895db3378a/html5/thumbnails/18.jpg)
18
Results
PKE is not possible since Q(PK,m)=Q(PK,c)Secure signature schemes are impossibleSecret key exchange is impossible
![Page 19: Cryptography on weak BSS model of computation](https://reader034.vdocument.in/reader034/viewer/2022052414/5681462a550346895db3378a/html5/thumbnails/19.jpg)
19
Talk progress
Introduction of BSS model of computationAlgebra recapAuxiliary resultsCryptography with ruler and compass
![Page 20: Cryptography on weak BSS model of computation](https://reader034.vdocument.in/reader034/viewer/2022052414/5681462a550346895db3378a/html5/thumbnails/20.jpg)
20
Constructability
OA is a unit segment in complex plane O(0,0), A(0,1)
Point M(x,y) is constructible if it can be constructed in finitely many steps using ruler and compass from OA
![Page 21: Cryptography on weak BSS model of computation](https://reader034.vdocument.in/reader034/viewer/2022052414/5681462a550346895db3378a/html5/thumbnails/21.jpg)
21
Axioms of constructability
Points O and A are constructible If B and C are constructible, then segment BC and the
line defined by them are constructible Circle with constructible center and radius is
constructible Intersection of 2 constructible rays is a constructible
point Intersection of 2 constructible circles are constructible
points Intersections of constructible circle and constructible
ray are constructible points
![Page 22: Cryptography on weak BSS model of computation](https://reader034.vdocument.in/reader034/viewer/2022052414/5681462a550346895db3378a/html5/thumbnails/22.jpg)
22
Algebraic facts
Set of all constructible points on C is called Pitaghorean plane
If M(x,y) is constructible, then x and y are constructible real numbers
The set of all constructible real numbers is a subfield of the field of real numbers
![Page 23: Cryptography on weak BSS model of computation](https://reader034.vdocument.in/reader034/viewer/2022052414/5681462a550346895db3378a/html5/thumbnails/23.jpg)
23
Computing vs constructing
If K=Q(S), S = set of coordinates of the points from the set which contains at least O and A
Every line has an equation of the form
Every circle has an equation
Kcbacbyax ,, where,0
Kcbacbyaxyx ,, where,022
![Page 24: Cryptography on weak BSS model of computation](https://reader034.vdocument.in/reader034/viewer/2022052414/5681462a550346895db3378a/html5/thumbnails/24.jpg)
24
FactsTheorem: If M(x,y) is constructible in one step,
then K(x,y) = K or to a quadratic extension of KTheorem: a) For every constructible point
M(x,y) there exists a finite sequence of subfields Ki, i=0,1,…, m each of which is quadratic extension of the previous one such that K0=K, and Km subset of R and x,y are elements of Km
b) x and y are algebraic over K and their degrees over K are powers of 2
c) Every point with coordinates in K or any of its quadratic extensions is constructible
![Page 25: Cryptography on weak BSS model of computation](https://reader034.vdocument.in/reader034/viewer/2022052414/5681462a550346895db3378a/html5/thumbnails/25.jpg)
25
Computational model
We use BSS model over the field of complex numbers
Each party can sample random points from unit circle
Each party can also toss a coinThe state of knowledge of each party is the field
he/she can generate
![Page 26: Cryptography on weak BSS model of computation](https://reader034.vdocument.in/reader034/viewer/2022052414/5681462a550346895db3378a/html5/thumbnails/26.jpg)
26
Is our computational system complete?
State space
Computation node
-10
Output space
… 0 x0 x1 x2 … xk-2 xk-1 xk ...Input node 1
Input space
If -10=0
Output node N
Computation node
Sqrt(-10)
xl=0 otherwise
Program is a finite directed graph
![Page 27: Cryptography on weak BSS model of computation](https://reader034.vdocument.in/reader034/viewer/2022052414/5681462a550346895db3378a/html5/thumbnails/27.jpg)
27
PK Encryption
Euclid before publishing his Elements has sampled a point SK=(SKx,SKy) and then he has computed PK=(PKx,PKy) and published in page 655 of the XIV book
Archimedes wants to send him a secret point M(x,y). Using Euclid’s PK he computes the ciphertext C(xc, yc).
Archimedes sends this point to Euclid
![Page 28: Cryptography on weak BSS model of computation](https://reader034.vdocument.in/reader034/viewer/2022052414/5681462a550346895db3378a/html5/thumbnails/28.jpg)
28
But… Using previous results over the field K, we will have
Malicious Romans that have copied C, enumerate all points and using encryption machine PK and X they obtain some Cx.
If C=Cx then M=X
),(),( CSKKMPKK
),( CPKKX
![Page 29: Cryptography on weak BSS model of computation](https://reader034.vdocument.in/reader034/viewer/2022052414/5681462a550346895db3378a/html5/thumbnails/29.jpg)
29
So
We have given a partial answer to Rivest, Shamir and Burmester’s question if the secure encryption could be performed with the ruler and compass In the weak algebraic model, where operations are
done with ruler and compass with infinite precision, “algebraic OWFs” exist, ZK identification protocols do exist… but, secure PK encryption is impossible