Cryptography on weak BSS model of computation

Ilir Çapuni, ilir@cs.bu.edu

Tripling an angle with ruler and compass

[Figure: an angle X and its triple 3X]

If x is an angle, then we define f(x) := 3x

Can we invert this function using the same tools?

Algebra: “NO”

Important assumption: we are working with straightedge and compass with infinite precision

Identification using this function

Initialization phase

Alice generates a secret angle XA, computes YA = 3 * XA and publishes YA

Protocol

Alice generates an angle S, and sends a copy of its triple value R to Bob

Bob tosses a coin and sends a response to Alice

If Bob said “head”, Alice will send a copy of S and Bob will verify if 3S = R

If Bob said “tail”, Alice will send a copy of S+XA and Bob will check if YA+R == 3*(S + XA)
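
The identification protocol above, run end to end as an added example (not part of the original slides). It assumes exact rational points on the unit circle as stand-ins for the slides' infinitely precise angles, so it shows only the message flow, Bob's two checks, and why his coin must be unpredictable; all function names are hypothetical.

```python
from fractions import Fraction
import random

# Assumption of this sketch: an angle is an exact rational point (cos, sin)
# on the unit circle, standing in for the slides' real-valued angles.
def sample_angle(rng):
    t = Fraction(rng.randint(1, 10**6), rng.randint(1, 10**6))  # t = tan(angle/2) > 0
    d = 1 + t * t
    return ((1 - t * t) / d, 2 * t / d)

def add(a, b):
    # Adding two angles is multiplying the corresponding unit complex numbers.
    return (a[0] * b[0] - a[1] * b[1], a[0] * b[1] + a[1] * b[0])

def neg(a):
    return (a[0], -a[1])

def triple(a):
    return add(a, add(a, a))

def keygen(rng):
    xa = sample_angle(rng)
    return xa, triple(xa)              # secret XA, published YA = 3*XA

def commit(rng):
    s = sample_angle(rng)
    return s, triple(s)                # Alice keeps S and sends R = 3*S

def respond(s, xa, coin):
    return s if coin == "head" else add(s, xa)

def verify(ya, r, coin, answer):
    if coin == "head":
        return triple(answer) == r           # Bob checks 3S == R
    return triple(answer) == add(ya, r)      # Bob checks 3(S+XA) == YA+R

def run_round(rng, xa, ya):
    s, r = commit(rng)
    coin = rng.choice(["head", "tail"])      # Bob's coin toss
    return verify(ya, r, coin, respond(s, xa, coin))

def forged_commit(ya, rng):
    # A prover without XA who bets on "tail": picks Z, sends R = 3Z - YA and
    # answers Z. The same pair fails on "head", so each round catches such a
    # prover with probability 1/2 when the coin is fair.
    z = sample_angle(rng)
    return z, add(triple(z), neg(ya))
```

Repeating the round n times leaves a prover who does not know XA a success chance of 2^-n.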

The structure

Introduction of BSS model of computation

Algebra recap

Auxiliary results

Cryptography with ruler and compass

[Figure: a BSS machine over R. Labels: input space and output space R^∞ (the disjoint union of the R^n), linear maps I and O, state space (… 0 x0 x1 x2 … xk-2 xk-1 xk …, with xl=0 otherwise), input node 1, computation node x ← g_η(x), branch node, shifting node x ← σ(x), output node N. Legend: g_η is a polynomial (rational) function.]

Program is a finite directed graph

What if R = Z2 ?

… we have a Turing machine!

[Figure: the same machine diagram with R = Z2. Labels: input space and output space {0,1}*, linear maps I and O, state space (… 0 0 1 0 … 1 1 0 …, with xl=0 otherwise), input node 1, computation node x ← g_η(x), branch node, shifting node x ← σ(x), output node N.]

Program is a finite directed graph

Some facts

BSS model provides a framework for algorithms of Numerical Analysis

Gives new perspective and adds additional (algebraic) flavor to P vs NP question

In the weak BSS model, there is unconditional separation between these two classes

Discrepancies of this model

Overly realistic

Cheating

… and a couple of other problems

735,661.59 euros worth problem + 2 more

59.6 million Serbian dinars

Is P = NP ?

Is P_R = NP_R ?

Is P_C = NP_C ?

Transfer results

Theorem. P_C = NP_C if and only if P_K = NP_K where K is any algebraically closed field of characteristic 0 (say algebraic numbers)

Theorem. If P_C = NP_C then BPP contains NP

Solve 1, get 2 for free!!!

Talk progress

Introduction of BSS model of computation

Algebra recap

Auxiliary results

Cryptography with ruler and compass

Algebraic preliminaries

Element t is algebraic over the field F if it is a root of a nonzero polynomial in F[X]

F(t) is the intersection of all fields containing F and t

F(t)/F could be viewed as a vector space over F

The dimension of this vector space is the degree of the extension

Some previous work

All parties start with 0 and 1 and can perform finitely many operations +, -, * and /

Parties can sample real numbers from [0,1]

State of knowledge of each party is the field that he/she can generate

Talk progress

Introduction of BSS model of computation

Algebra recap

Definitions and auxiliary results

Cryptography with ruler and compass

Algebraic one-way functions

Easy to compute, but hard to invert

Alice samples a real number r and computes r^2

It is impossible to deduce r from r^2 with infinite precision in finitely many steps

P [ Q (t1, t2, …, tn, r^2) Q( r ) = Q] =1

PK Encryption

Alice samples a real number SK then she computes PK which is in Q (SK)

m is a real number that Bob wants to send to Alice and c is its encryption using PK

We have

Q(PK,c)  Q(PK,m)  Q(SK,c)

Who knows what?

c, PK

Q(PK), Q(SK), Q(SK,c)

Q(PK), Q(PK,c), Q(PK,m)

Q(PK,c)  Q(PK,m)  Q(SK,c)

Q(PK), Q(PK,c)

Results

PKE is not possible since Q(PK,m)=Q(PK,c)

Secure signature schemes are impossible

Secret key exchange is impossible

Talk progress

Introduction of BSS model of computation

Algebra recap

Auxiliary results

Cryptography with ruler and compass

Constructability

OA is a unit segment in the complex plane, with O(0,0), A(0,1)

Point M(x,y) is constructible if it can be constructed in finitely many steps using ruler and compass from OA

Axioms of constructability

Points O and A are constructible

If B and C are constructible, then segment BC and the line defined by them are constructible

Circle with constructible center and radius is constructible

Intersection of 2 constructible rays is a constructible point

Intersections of 2 constructible circles are constructible points

Intersections of constructible circle and constructible ray are constructible points

Algebraic facts

The set of all constructible points of C is called the Pythagorean plane

If M(x,y) is constructible, then x and y are constructible real numbers

The set of all constructible real numbers is a subfield of the field of real numbers

Computing vs constructing

If K=Q(S), S = set of coordinates of the points from the set which contains at least O and A

Every line has an equation of the form $ax + by + c = 0$, where $a, b, c \in K$

Every circle has an equation $x^2 + y^2 + ax + by + c = 0$, where $a, b, c \in K$

Facts

Theorem: If M(x,y) is constructible in one step, then K(x,y) is either K or a quadratic extension of K

Theorem: a) For every constructible point M(x,y) there exists a finite sequence of subfields Ki, i=0,1,…, m, each of which is a quadratic extension of the previous one, such that K0=K, Km is a subset of R, and x,y are elements of Km

b) x and y are algebraic over K and their degrees over K are powers of 2

c) Every point with coordinates in K or any of its quadratic extensions is constructible

Computational model

We use BSS model over the field of complex numbers

Each party can sample random points from unit circle

Each party can also toss a coin

The state of knowledge of each party is the field he/she can generate

Is our computational system complete?

[Figure: the BSS machine diagram with a computation node -10, a branch node “If -10=0”, and a computation node Sqrt(-10). Other labels: state space (… 0 x0 x1 x2 … xk-2 xk-1 xk …, with xl=0 otherwise), input node 1, input space, output space, output node N.]

Program is a finite directed graph

PK Encryption

Before publishing his Elements, Euclid sampled a point SK=(SKx,SKy), then computed PK=(PKx,PKy) and published it on page 655 of book XIV

Archimedes wants to send him a secret point M(x,y). Using Euclid’s PK he computes the ciphertext C(xc, yc).

Archimedes sends this point to Euclid

But…

Using previous results over the field K, we will have

K(PK,M)  K(SK,C)

Malicious Romans who have copied C enumerate all points and, using the encryption machine with PK and X, they obtain some Cx.

If C=Cx then M=X

X  K(PK,C)

So

We have given a partial answer to Rivest, Shamir and Burmester’s question of whether secure encryption could be performed with the ruler and compass

In the weak algebraic model, where operations are done with ruler and compass with infinite precision, “algebraic OWFs” exist, ZK identification protocols do exist… but secure PK encryption is impossible