Upload
frank-hensley
View
223
Download
3
Embed Size (px)
Citation preview
2
Tripling an angle with ruler and compass
X
3X
If x is an angle, then we define f(x) := 3x
3
Can we invert this function using the same tools?
Algebra: “NO”Important assumption: we are working with
straightedge and compass with infinite precision
4
Identification using this function
Initialization phase Alice generates a secret angle XA, computes
YA =3 * XA and publishes YA
Protocol Alice generates an angle S, and sends a copy of the it’s triple
value R to Bob Bob tosses a coin and sends a response to Alice If Bob said “head” Alice will send a copy of S and Bob will verify
if 3S=R If Bob said “tail” Alice will send a copy of S+XA and Bob will
check if YA+R == 3*(S + XA)
5
The structure
Introduction of BSS model of computationAlgebra recapAuxiliary resultsCryptography with ruler and compass
6
State space
Computation node
Output space
… 0 x0 x1 x2 … xk-2 xk-1 xk ...Input node 1
Input space
Branch node
Output node N
Shifting node
xl=0 otherwise
∞R
∞R
)(← η xgx
)(σ← xx
Program is a finite directed graph
Lin. map. I
Lin. map. O
n∞ ofunion disjoint RR
ηg
Legend
Polynomial (rational) function
7
What if R = Z2 ?
… we have a Turing machine!
State space
Computation node
Output space
… 0 0 1 0 … 1 1 0 ...Input node 1
Input space
Branch node
Output node N
Shifting node
xl=0 otherwise
*}1,0{
*}1,0{
)(← η xgx
)(σ← xx
Program is a finite directed graph
Lin. map. I
Lin. map. O
8
Some facts
BSS model provides a framework for algorithms of Numerical Analysis
Gives new perspective and adds additional (algebraic) flavor to P vs NP question In the weak BSS model, there is unconditional
separation between these two classes
9
Discrepancies of this model
Overly realisticCheating… and a couple of other problems
10
735,661.59 euros worth problem + 2 more59.6 million Serbian dinarsIs P = NP ?Is PR = NPR ?
Is PC = NPC ?
Transfer results Theorem. PC = NPC if and only if PK = NPK where K is
any algebraically closed field of characteristic 0 (say algebraic numbers)
Theorem. If PC = NPC then BPP contains NP
Solve 1, get 2
for free!!!
11
Talk progress
Introduction of BSS model of computationAlgebra recapAuxiliary resultsCryptography with ruler and compass
12
Algebraic preliminaries
Element t is algebraic over the field F if it is a root of a polynomial over F[X]
F(t) is the intersection of all fields containing F and t
F(t)/F could be viewed as a vector space over FThe dimension of this vector space is the
degree of the extension
13
Some previous work
All parties start with 0 and 1 and can perform finitely many operations +, -, * and /
Parties can sample real numbers from [0,1]State of knowledge of each party is the field
that he/she can generate
14
Talk progress
Introduction of BSS model of computationAlgebra recapDefinitions and auxiliary resultsCryptography with ruler and compass
15
Algebraic one-way functions
Easy to compute, but hard to invertAlice samples a real number r and computes r2
It is impossible to deduce r from r2 with infinite precision in finitely many steps P [ Q (t1, t2, …, tn, r2) Q( r ) = Q] =1
16
PK Encryption
Alice samples a real number SK then she computes PK which is in Q (SK)
m is a real number that Bob wants to send to Alice and c is its encryption using PK
We have
),(),(),( cSKQmPKQcPKQ
17
Who knows what?
c, PK
Q(PK), Q(SK), Q(SK,c)
Q(PK), Q(PK,c), Q(PK,m)
),(),(),( cSKQmPKQcPKQ
Q(PK), Q(PK,c)
18
Results
PKE is not possible since Q(PK,m)=Q(PK,c)Secure signature schemes are impossibleSecret key exchange is impossible
19
Talk progress
Introduction of BSS model of computationAlgebra recapAuxiliary resultsCryptography with ruler and compass
20
Constructability
OA is a unit segment in complex plane O(0,0), A(0,1)
Point M(x,y) is constructible if it can be constructed in finitely many steps using ruler and compass from OA
21
Axioms of constructability
Points O and A are constructible If B and C are constructible, then segment BC and the
line defined by them are constructible Circle with constructible center and radius is
constructible Intersection of 2 constructible rays is a constructible
point Intersection of 2 constructible circles are constructible
points Intersections of constructible circle and constructible
ray are constructible points
22
Algebraic facts
Set of all constructible points on C is called Pitaghorean plane
If M(x,y) is constructible, then x and y are constructible real numbers
The set of all constructible real numbers is a subfield of the field of real numbers
23
Computing vs constructing
If K=Q(S), S = set of coordinates of the points from the set which contains at least O and A
Every line has an equation of the form
Every circle has an equation
Kcbacbyax ,, where,0
Kcbacbyaxyx ,, where,022
24
FactsTheorem: If M(x,y) is constructible in one step,
then K(x,y) = K or to a quadratic extension of KTheorem: a) For every constructible point
M(x,y) there exists a finite sequence of subfields Ki, i=0,1,…, m each of which is quadratic extension of the previous one such that K0=K, and Km subset of R and x,y are elements of Km
b) x and y are algebraic over K and their degrees over K are powers of 2
c) Every point with coordinates in K or any of its quadratic extensions is constructible
25
Computational model
We use BSS model over the field of complex numbers
Each party can sample random points from unit circle
Each party can also toss a coinThe state of knowledge of each party is the field
he/she can generate
26
Is our computational system complete?
State space
Computation node
-10
Output space
… 0 x0 x1 x2 … xk-2 xk-1 xk ...Input node 1
Input space
If -10=0
Output node N
Computation node
Sqrt(-10)
xl=0 otherwise
Program is a finite directed graph
27
PK Encryption
Euclid before publishing his Elements has sampled a point SK=(SKx,SKy) and then he has computed PK=(PKx,PKy) and published in page 655 of the XIV book
Archimedes wants to send him a secret point M(x,y). Using Euclid’s PK he computes the ciphertext C(xc, yc).
Archimedes sends this point to Euclid
28
But… Using previous results over the field K, we will have
Malicious Romans that have copied C, enumerate all points and using encryption machine PK and X they obtain some Cx.
If C=Cx then M=X
),(),( CSKKMPKK
),( CPKKX
29
So
We have given a partial answer to Rivest, Shamir and Burmester’s question if the secure encryption could be performed with the ruler and compass In the weak algebraic model, where operations are
done with ruler and compass with infinite precision, “algebraic OWFs” exist, ZK identification protocols do exist… but, secure PK encryption is impossible