1 Cryptography on weak BSS model of computation Ilir Çapuni

Presentation transcript:

1 Cryptography on weak BSS model of computation Ilir Çapuni

2 Tripling an angle with ruler and compass
[Figure: an angle X and its triple 3X]
If x is an angle, then we define f(x) := 3x

3 Can we invert this function using the same tools?
- Algebra: “NO”
- Important assumption: we are working with straightedge and compass with infinite precision

4 Identification using this function
Initialization phase
- Alice generates a secret angle X_A, computes Y_A = 3 * X_A and publishes Y_A
Protocol
- Alice generates an angle S and sends a copy of its tripled value R to Bob
- Bob tosses a coin and sends a response to Alice
- If Bob said “head”, Alice will send a copy of S and Bob will verify if 3S = R
- If Bob said “tail”, Alice will send a copy of S + X_A and Bob will check if Y_A + R == 3*(S + X_A)
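The message flow of this identification protocol, as an added example that is not part of the original slides. Angles are modelled as exact fractions of a full turn (an assumption of this sketch, as are all function names); the code shows the checks and the soundness error per round, while the hardness of recovering X_A comes only from the ruler-and-compass model, not from this arithmetic.

```python
import secrets
from fractions import Fraction

DENOM = 2**64  # constructed sampling grid for angles, an assumption of this sketch

def random_angle():
    # An angle as an exact fraction of a full turn in [0, 1)
    return Fraction(secrets.randbelow(DENOM), DENOM)

def triple(x):
    return (3 * x) % 1

def add(a, b):
    return (a + b) % 1

def keygen():
    x_a = random_angle()
    return x_a, triple(x_a)                      # (secret X_A, public Y_A)

def verify(y_a, r, coin, answer):
    if coin == "head":
        return triple(answer) == r               # Bob checks 3S == R
    return triple(answer) == add(y_a, r)         # Bob checks 3(S + X_A) == Y_A + R

def honest_round(x_a, y_a, coin):
    s = random_angle()
    r = triple(s)                                # commitment sent first
    answer = s if coin == "head" else add(s, x_a)
    return verify(y_a, r, coin, answer)

def cheating_round(y_a, guess, coin):
    """A prover without X_A who prepares for one guessed coin value."""
    z = random_angle()
    if guess == "head":
        r = triple(z)                            # ordinary commitment
    else:
        r = (triple(z) - y_a) % 1                # chosen so that 3z == Y_A + R
    return verify(y_a, r, coin, z)               # z is sent whatever the coin shows
```

A prover who does not know X_A passes a round only when the guess matches Bob's coin, so k independent rounds leave a cheating probability of 2^-k.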

5 The structure
- Introduction of BSS model of computation
- Algebra recap
- Auxiliary results
- Cryptography with ruler and compass

6 [Diagram of a BSS machine. The program is a finite directed graph. Labels: input space, input node 1 (linear map I), state space (… 0, x_0, x_1, x_2, …, x_{k-2}, x_{k-1}, x_k, …), computation node (polynomial or rational function), branch node (x_l = 0 / otherwise), shifting node, output node N (linear map O), output space]

7 What if R = Z_2? … we have a Turing machine!
[Same diagram as on the previous slide, with state space … 0 0 1 0 …: input node 1 (linear map I), computation node, branch node (x_l = 0 / otherwise), shifting node, output node N (linear map O). The program is a finite directed graph]

8 Some facts
- BSS model provides a framework for algorithms of Numerical Analysis
- Gives new perspective and adds additional (algebraic) flavor to P vs NP question
  - In the weak BSS model, there is unconditional separation between these two classes

9 Discrepancies of this model
- Overly realistic
- Cheating
- … and a couple of other problems

10 735, euros worth problem + 2 more
59.6 million Serbian dinars
- Is P = NP?
- Is P_R = NP_R?
- Is P_C = NP_C?
Transfer results
- Theorem. P_C = NP_C if and only if P_K = NP_K, where K is any algebraically closed field of characteristic 0 (say algebraic numbers)
- Theorem. If P_C = NP_C then BPP contains NP
Solve 1, get 2 for free!!!

11 Talk progress
- Introduction of BSS model of computation
- Algebra recap
- Auxiliary results
- Cryptography with ruler and compass

12 Algebraic preliminaries
- Element t is algebraic over the field F if it is a root of a polynomial over F[X]
- F(t) is the intersection of all fields containing F and t
- F(t)/F could be viewed as a vector space over F
- The dimension of this vector space is the degree of the extension

13 Some previous work
- All parties start with 0 and 1 and can perform finitely many operations +, -, * and /
- Parties can sample real numbers from [0,1]
- State of knowledge of each party is the field that he/she can generate

14 Talk progress
- Introduction of BSS model of computation
- Algebra recap
- Definitions and auxiliary results
- Cryptography with ruler and compass

15 Algebraic one-way functions
- Easy to compute, but hard to invert
- Alice samples a real number r and computes r^2
- It is impossible to deduce r from r^2 with infinite precision in finitely many steps
- P[ Q(t_1, t_2, …, t_n, r^2) ∩ Q(r) = Q ] = 1

16 PK Encryption
- Alice samples a real number SK, then she computes PK, which is in Q(SK)
- m is a real number that Bob wants to send to Alice and c is its encryption using PK
- We have

17 Who knows what?
[Diagram; labels: c, PK / Q(PK), Q(SK), Q(SK,c) / Q(PK), Q(PK,c), Q(PK,m) / Q(PK), Q(PK,c)]

18 Results
- PKE is not possible since Q(PK,m) = Q(PK,c)
- Secure signature schemes are impossible
- Secret key exchange is impossible

19 Talk progress
- Introduction of BSS model of computation
- Algebra recap
- Auxiliary results
- Cryptography with ruler and compass

20 Constructability
- OA is a unit segment in complex plane: O(0,0), A(0,1)
- Point M(x,y) is constructible if it can be constructed in finitely many steps using ruler and compass from OA

21 Axioms of constructability
- Points O and A are constructible
- If B and C are constructible, then segment BC and the line defined by them are constructible
- A circle with constructible center and radius is constructible
- The intersection of 2 constructible rays is a constructible point
- The intersections of 2 constructible circles are constructible points
- The intersections of a constructible circle and a constructible ray are constructible points

22 Algebraic facts
- The set of all constructible points on C is called the Pythagorean plane
- If M(x,y) is constructible, then x and y are constructible real numbers
- The set of all constructible real numbers is a subfield of the field of real numbers

23 Computing vs constructing
- If K=Q(S), S = set of coordinates of the points from the set which contains at least O and A
- Every line has an equation of the form
- Every circle has an equation

24 Facts
- Theorem: If M(x,y) is constructible in one step, then K(x,y) is equal to K or to a quadratic extension of K
- Theorem:
  a) For every constructible point M(x,y) there exists a finite sequence of subfields K_i, i = 0, 1, …, m, each of which is a quadratic extension of the previous one, such that K_0 = K, K_m is a subset of R, and x, y are elements of K_m
  b) x and y are algebraic over K and their degrees over K are powers of 2
  c) Every point with coordinates in K or any of its quadratic extensions is constructible
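Part b) is what makes angle tripling non-invertible with ruler and compass. The following added example (not from the original slides; function names are hypothetical) applies it to angles 3t with rational cosine, using the identity cos(3t) = 4cos^3(t) - 3cos(t): if the resulting cubic has no rational root it is irreducible over Q, so cos(t) has degree 3, which is not a power of 2.

```python
from fractions import Fraction

def divisors(n):
    n = abs(n)
    return [d for d in range(1, n + 1) if n % d == 0]

def rational_roots(coeffs):
    """Rational roots of an integer polynomial (coefficients, highest degree first)."""
    if coeffs[-1] == 0:  # x = 0 is a root; strip the factor x and continue
        return sorted({Fraction(0), *rational_roots(coeffs[:-1])})
    # Rational root theorem: any root p/q has p | constant term, q | leading term
    candidates = {Fraction(sign * p, q)
                  for p in divisors(coeffs[-1])
                  for q in divisors(coeffs[0])
                  for sign in (1, -1)}

    def value(x):  # Horner evaluation in exact arithmetic
        acc = Fraction(0)
        for c in coeffs:
            acc = acc * x + c
        return acc

    return sorted(c for c in candidates if value(c) == 0)

def trisection_cubic(num, den):
    """den * (4x^3 - 3x - num/den), which vanishes at x = cos(t) when cos(3t) = num/den."""
    return [4 * den, 0, -3 * den, -num]

def trisectable(num, den):
    # A rational root splits the cubic into linear * quadratic factors, so every
    # root has degree 1 or 2 over Q and is constructible (part c); with no
    # rational root the cubic is irreducible and part b) rules cos(t) out.
    return bool(rational_roots(trisection_cubic(num, den)))

SIXTY_DEGREES = trisectable(1, 2)     # cos(60 deg) = 1/2, cubic 8x^3 - 6x - 1
HALF_TURN = trisectable(-1, 1)        # cos(180 deg) = -1, cos(60 deg) = 1/2 is a root
```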

25 Computational model
- We use BSS model over the field of complex numbers
- Each party can sample random points from unit circle
- Each party can also toss a coin
- The state of knowledge of each party is the field he/she can generate

26 Is our computational system complete?
[Diagram of a BSS program, a finite directed graph. Labels: input space, input node 1, state space (… 0, x_0, x_1, x_2, …, x_{k-2}, x_{k-1}, x_k, …), computation node -10, branch "If -10 = 0" (x_l = 0 / otherwise), computation node Sqrt(-10), output node N, output space]

27 PK Encryption
- Before publishing his Elements, Euclid sampled a point SK = (SK_x, SK_y), then computed PK = (PK_x, PK_y) and published it on page 655 of book XIV
- Archimedes wants to send him a secret point M(x,y). Using Euclid’s PK he computes the ciphertext C(x_c, y_c). Archimedes sends this point to Euclid

28 But…
- Using previous results over the field K, we will have
- Malicious Romans who have copied C enumerate all points and, using the encryption machine with PK and a point X, obtain some C_x. If C = C_x then M = X

29 So
- We have given a partial answer to Rivest, Shamir and Burmester’s question of whether secure encryption could be performed with ruler and compass
  - In the weak algebraic model, where operations are done with ruler and compass with infinite precision, “algebraic OWFs” exist and ZK identification protocols do exist… but secure PK encryption is impossible