
A diagrammatic approach to information flow in encrypted communication



  1. A diagrammatic approach to information flow in encrypted communication
     Peter M. Hines, Y.C.C.S.A., Univ. York
     GraMSec: Graphical Models for Security (online) – June 2020
     [Title-slide figure: edge-labelled diagram]
     peter.hines@york.ac.uk www.peterhines.info

  2. An overview ...
     This talk is about using tools from category theory to reason about communication:
     1 What is category theory?
       Motivation, definitions, & history.
       Current theory & applications.
       Useful tools: diagrammatic & otherwise.
     2 Why might it be useful for communication?
       Graphical descriptions of protocols & communication.
       Reasoning as diagram manipulation.
     ‘Category theory for communication’, not vice versa!

  3. Category theory – a broad overview
     Category Theory – the original motivation
     A formalism for reasoning about the ‘large-scale’ properties of mathematical structures.
     We might consider the ‘category’ of all groups, or all rings, or even all sets, etc., and study their properties and relationships with each other.
     A category consists of objects and arrows:
     Objects: All mathematical structures of a certain kind.
     Arrows: Structure-preserving mappings between objects.
     Composition: Arrows may be composed ...

  4. Beyond topology: the spread of category theory
     Why should we be interested?
     More recently, category theory has been used to model information flow in:
     - Formal Logic & Deduction
     - Quantum algorithms & protocols
     - Theoretical & practical computer science
     - Linguistics & natural language processing
     - Cognitive science & psychology
     Why – what is the appeal?
     These often use very simple tools developed for use within category theory, rather than the actual theory itself.

  5. There’s something about category theory ...
     Diagrammatic reasoning
     Category theory frequently expresses equations as pictures.
     Algebraic manipulations are replaced by diagram-chasing.
     Our simple aims:
     1 Express protocols / communication generally using such graphical tools,
     2 Use ‘diagram-chasing’ to reason about them.

  6. The definition ...
     A category $\mathcal{C}$ consists of a class of objects, $\mathrm{Ob}(\mathcal{C})$, and a set of arrows $\mathcal{C}(A,B)$ between any two objects.
     Matching arrows can be composed: $f : A \to B$, $g : B \to C$, $gf : A \to C$.
     Composition is associative: $h(gf) = (hg)f$.
     There is an identity $1_A$ at each object $A$.

  7. These are the tools we are looking for ...
     Identities and equations are traditionally expressed graphically.
     A diagram in the category Set:
     [Diagram: objects $\mathbb{Z}$, $\mathbb{N}$, $\mathbb{N}$, $\{0,1\}$; arrows labelled $x \mapsto x^2$, $x \mapsto \mathrm{abs}(x)$, $n \mapsto n^2$, $n \mapsto n \pmod 2$, $n \mapsto n \pmod 2$]
     A diagram commutes when all paths with the same source / target describe the same arrow.

  8. A passing observation!
     The word problem for groups / monoids is a special case of deciding commutativity of diagrams.
     Some simple arithmetic bijections ...
     [Piecewise definitions of $X(n)$, $Y(n)$, $Z(n)$, $T(n)$, by cases on $n \pmod 2$, $n \pmod 4$ and $n \pmod 8$]
     We may prove this diagram commutes:
     [Diagram: objects $\mathbb{N}$; arrows labelled $X$, $Y$, $Z$, $T$]
     but how easily can we decide commutativity for arbitrary diagrams over $\{X, Y, Z, T\}$?

  9. A simple aim!
     We wish to use a single diagram to model:
     - Underlying algebra
     - Knowledge of participants
     - Information flow
     The aims:
     1 Make things clearer by drawing them as pictures!
     2 Interpret commutativity / failure of commutativity in terms of communication.
     3 Develop tools for (graphical) reasoning about communication.

  10. Illustration by example
      Commuting Action Key Exchange (CAKE)
      A general prescription for key exchange protocols.
      Introduced in 2004 by V. Shpilrain & G. Zapata.
      Includes many interesting protocols as special cases.
      We will look at the monoid-theoretic version: Example 3, Section 3 of Combinatorial Group Theory and Public Key Cryptography, S.-Z. (2004).

  11. CAKE – sharing protocol
      Alice and Bob will come to share a secret element of a monoid $M$.
      1 Alice and Bob both have large key pools $A, B \subseteq M$ that satisfy $ab = ba \ \ \forall a \in A,\ b \in B$.
      2 A fixed public root element $\gamma \in M$ is chosen.
      3 Alice chooses her private key, $(\alpha_1, \alpha_2) \in A \times A$, and publicly broadcasts $\alpha_1 \gamma \alpha_2 \in M$.
      4 Bob chooses his private key, $(\beta_1, \beta_2) \in B \times B$, and publicly broadcasts $\beta_1 \gamma \beta_2 \in M$.
      5 Alice computes $\alpha_1 \beta_1 \gamma \beta_2 \alpha_2$ and Bob computes $\beta_1 \alpha_1 \gamma \alpha_2 \beta_2$.
      By the point-wise commutativity of $A, B \subseteq M$, these are equal, giving Alice and Bob’s shared secret $\sigma$ as
      $\sigma = \alpha_1 \beta_1 \gamma \beta_2 \alpha_2 = \beta_1 \alpha_1 \gamma \alpha_2 \beta_2$

  12. The algebra of CAKE
      The required arrows are:
      1 The root $\gamma$
      2 Alice & Bob’s private keys, $(\alpha_1, \alpha_2)$ and $(\beta_1, \beta_2)$
      3 Alice & Bob’s public announcements, $P_A$ and $P_B$
      4 Their shared secret $\sigma$
      Expressing the required relationships as a commuting diagram:
      [Diagram: arrows labelled $\gamma$, $\alpha_1$, $\alpha_2$, $\beta_1$, $\beta_2$, $P_A$, $P_B$, $\sigma$]

  13. Knowns and unknowns in semigroup CAKE
      In this protocol, who comes to know what?
      The epistemic data:
      Everybody:    $\gamma$, $P_A$, $P_B$
      Alice & Bob:  $\sigma$
      Alice:        $\alpha_1$, $\alpha_2$
      Bob:          $\beta_1$, $\beta_2$
      Nobody:       $\alpha_1 \beta_1$, $\alpha_2 \beta_2$

  14. Combining algebraic & epistemic data
      Introducing epistemic data to diagrams
      Form the subset-lattice of participants.
      Label each edge in the diagram by an element of this lattice:
      [Diagram: a single edge labelled $f, X$]
      $X \subseteq \{\text{Alice}, \text{Bob}, \text{Eve}\}$ consists of participants who know the value of $f$, or (more accurately) are able to perform the operation $f$.

  15. CAKE, in summary
      The Algebraic-Epistemic (A-E) diagram for semigroup-CAKE:
      [Diagram: edges labelled $\sigma, \{A,B\}$; $\alpha_1, \{A\}$; $\alpha_2, \{A\}$; $\beta_1, \{B\}$; $\beta_2, \{B\}$; $P_A, \top$; $P_B, \top$; $\gamma, \top$]
      What is and is not shown!
      This diagram summarises the ‘final state of affairs’: who ends up knowing what.
      We are interested in deducing implicit information such as ordering of events, communication between participants, etc.

  16. Commuting diagrams??
      Treating $(2^{\{A,B,E\}}, \cap)$ as a monoid:
      Question: Is this diagram for CAKE a commuting diagram over the product category $M \times 2^{\{A,B,E\}}$?
      Answer: No!
      Turning a bug into a feature:
      The reasons why / points at which it fails to commute are highly significant.
      1 Announcements / information sharing by participants.
      2 Different routes to calculating the same value.

  17. Failure of commutativity & public announcements
      Diagram 1 commutes, Diagram 2 is from CAKE.
      [Diagram 1: edges labelled $\gamma, \top$; $\beta_1, \{B\}$; $\beta_2, \{B\}$; $\beta_1 \gamma \beta_2, \{B\}$]
      [Diagram 2: edges labelled $\gamma, \top$; $\beta_1, \{B\}$; $\beta_2, \{B\}$; $\beta_1 \gamma \beta_2, \top$]
      1 In diagram 1, Bob computes $\beta_2 \gamma \beta_1$.
      2 In diagram 2, Bob computes $\beta_2 \gamma \beta_1$, and announces the result.

  18. Public announcements as inequalities
      The points at which announcements have been made appear as inequalities:
      [Diagram: edges labelled $\gamma, \{A,B,E\}$; $\beta_1, \{B\}$; $\beta_2, \{B\}$; $\beta_1 \gamma \beta_2, \top$; marked with $\leq$]
      From a category-theory viewpoint ...
      Public announcements lead to failure of commutativity.

  19. The other way commutativity fails:
      In another sub-diagram of CAKE, we have failure of commutativity without announcements:
      [Diagram: edges labelled $\sigma, \{A,B\}$; $\alpha_1, \{A\}$; $\alpha_2, \{A\}$; $\beta_1, \{B\}$; $\beta_2, \{B\}$; $P_A, \top$; $P_B, \top$]
      Here, the non-trivial orderings
      $(\alpha_1, \{A\})(P_B, \top)(\alpha_2, \{A\}) < (\sigma, \{A,B\})$
      $(\beta_1, \{B\})(P_A, \top)(\beta_2, \{B\}) < (\sigma, \{A,B\})$
      arise because Alice and Bob take distinct routes to calculating the shared secret.
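
Added example (not from the slides): the CAKE exchange of slide 11 run in a toy monoid, with every arrow carrying its knowledge label as on slides 14 to 19, so the two failures of commutativity can be checked mechanically. The choice of 4x4 matrices over Z_P with block-diagonal key pools, all helper names, and the reading of '<' as "same monoid element, strictly smaller set of knowers" are assumptions made for illustration; the parameters are far too small to be secure.

```python
import random
from functools import reduce

P = 10007                        # constructed toy modulus, not a secure size
EVERYONE = frozenset("ABE")      # top element of the lattice 2^{A,B,E}

def mul(x, y):
    """Product in the monoid M of 4x4 matrices over Z_P (assumed instantiation)."""
    return tuple(tuple(sum(x[i][k] * y[k][j] for k in range(4)) % P
                       for j in range(4)) for i in range(4))

def pool_elem(rng, off):
    """Identity with a random 2x2 block at offset `off`: 0 = Alice's pool, 2 = Bob's.
    Blocks on disjoint coordinates commute, so ab = ba for a in A, b in B."""
    m = [[int(i == j) for j in range(4)] for i in range(4)]
    for i in range(off, off + 2):
        for j in range(off, off + 2):
            m[i][j] = rng.randrange(1, P)
    return tuple(map(tuple, m))

def compose(*arrows):
    """Compose labelled arrows (m, X) in M x (2^{A,B,E}, intersection)."""
    ms, ks = zip(*arrows)
    return reduce(mul, ms), frozenset.intersection(*ks)

def below(x, y):
    """Assumed reading of '<': same monoid element, strictly fewer knowers."""
    return x[0] == y[0] and x[1] < y[1]

def run_cake(seed=0):
    rng = random.Random(seed)    # fixed seed for a repeatable demo, not key generation
    A, B = frozenset("A"), frozenset("B")
    gamma = (tuple(tuple(rng.randrange(P) for _ in range(4)) for _ in range(4)), EVERYONE)
    a1, a2 = ((pool_elem(rng, 0), A) for _ in range(2))
    b1, b2 = ((pool_elem(rng, 2), B) for _ in range(2))
    # An announcement keeps the value but relabels it with the top element.
    PA = (compose(a1, gamma, a2)[0], EVERYONE)
    PB = (compose(b1, gamma, b2)[0], EVERYONE)
    alice, bob = compose(a1, PB, a2), compose(b1, PA, b2)
    sigma = (alice[0], A | B)
    return {"shared": alice[0] == bob[0],
            "announcement": below(compose(b1, gamma, b2), PB),
            "routes": below(alice, sigma) and below(bob, sigma),
            "labels": (alice[1], bob[1])}
```

Each route to the shared value composes to a label of {A} or {B} only, while the edge for the shared secret is labelled {A, B}; the announced values compose to {B} (or {A}) but are labelled with the top element.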
