The End of Encryption?

An anonymous reader writes "The encryption algorithms that make virtually all electronic commerce possible work only because certain mathematical problems are very, very hard to solve. But some mathematicians are trying to prove that there's really no difference between 'hard' and 'not hard' problems--known in the math biz as P and NP. In an article on TechnologyReview.com, Simson Garfinkel spells out the real-world consequences of this mathematical conundrum."

Nope, wrong, invalid.. nothing to see here.

[Ckwop]

No no no no no. How many more times? Cryptography has absolutely nothing to do with the question of P?=NP.

P?=NP refers to the asymptotic complexity as the problem. i.e. as the input size goes to infinity. It quite possible to have a problem whos complexity is approximately linear at the 100-1000-bit range and still NP-Complete. Conversely, it's possible to have a p-time algorithm for solving a problem that has a O(n^100) so it's still difficult to solve. While resolving P?=NP might bring new tricks to the table it's difficult to legislate for these tricks. There might not even be any we don't already know.

Another point, p?=np has no bearing on the security proof of the one-time pad or quantum mechanical key exchange. The latter will become practical over large distances to enable the former long before p?np is resolved. Cryptography will die when the last human draws its breath.

Simon.

Re:Nope, wrong, invalid.. nothing to see here.

[strictfoo]

These guys couldn't even figure out when the century began.

"There was a little bit of a controversy as to when the entry of the century was," he recalls. "Was it January 1, 2000, or January 1, 2001?

Come on now. They can't figure out that and we're looking to them to figure out the whole P=NP mess?

Re:Nope, wrong, invalid.. nothing to see here.

[Geiger581]

What you say is very true, but there are two big exceptions to note:
1) 1TP/QKE require as much storage/bandwidth for the key as for the message, and the key can never be resused. These are both severe drawbacks.
2) Crypto is useful for more than just hiding information. Digital signatures/integrity hashes are both very important and impossible to achieve -reuseably- with either of the schemes mentioned above.

Re:Nope, wrong, invalid.. nothing to see here.

[dmeranda]

Additionally it should be noted that there are many complexity classes other than just P and NP, and there are many X such that X > P and X > NP.

So even IF the P?=NP question applies, it doen't mean that cryptography itself is doomed. Just that harder problems might need to be used as the basis.

Re:Nope, wrong, invalid.. nothing to see here.

[Kippesoep]

Cryptography will die when the last human draws its breath. Probably one human before that. The last human won't need encryption, will he?

Re:Nope, wrong, invalid.. nothing to see here.

[plover]

Perhaps the author expressed the idea poorly by stating it in terms of solving P?=NP, but the ultimate point he was trying to get across is: will the currently difficult* problems that are the basis of modern cryptography remain difficult into the future? And for how long?

* I'm deliberately leaving 'difficult' undefined to dodge abuse from the language lawyers.

I've always wondered what would happen if some 15-year-old math wiz who is playing around in Mathematica comes up with a novel approach to factoring; and then what effect that would have on modern cryptography and communications. This article simply inflates that idea into a paranoia for the masses. Which, as you said, is nothing to see here, move along...

Re:Nope, wrong, invalid.. nothing to see here.

[jo42]

Only if he doesn't want Alien Archeologists reading his writings...

Re:Nope, wrong, invalid.. nothing to see here.

[J.R.+Random]

Sure there are harder complexity classes than NP, but they are irrelevant to cryptography. The point of cryptography is that for some encrpted message E there is a key K that makes E easy to decode. So the problem is in NP -- the NP machine guesses K and does the decryption. If you make your decryption problem harder than NP, then even with the key it will take a ridiculous amount of time to decode the message. Here of course I'm talking about public key encryption. The complexity issues are irrelevant to a one time pad, but a one time pad has to be as big as the message. So if you have a channel secure enough to send the one time pad, you may as well sent the message instead.

Re:Nope, wrong, invalid.. nothing to see here.

[jfengel]

Yes, but there's a reason P=NP is of particular interest for crypto problems.

NP problems as a category are easy to check answers, but hard to compute those answers. So a whole category of challenge-response systems are possible. I use the easy (checking) side of the NP problem and make codebreakers use the hard (computing) side.

For example, it's hard to factor large composite numbers, but easy to check if a set of primes multiplies out to that number.

Sure, there are plenty of other categories of crypto, but they're harder to deal with. One-time pads are hard to distribute, and quantum mechanical stuff isn't ready yet. But public-private key cryptosystems are based on computations like factoring: it's easy to encrypt something based on the large composite number, but harder to decrypt it unless you have the factors at hand. So I can distribute the large composite number (so anybody can send secret documents to me), and be fairly sure nobody will break the crypto.

Unless P=NP, in which case factoring the number will also be easy, and we'll have to resort to something smarter, like quantum crypto (assuming it can be made to work practically).

Re:Nope, wrong, invalid.. nothing to see here.

[John+Courtland]

So if you have a channel secure enough to send the one time pad, you may as well sent the message instead.

I wouldn't go so far as to say that. The pad has no bearing on the message sent aside from the ability to decrypt it, so you send the OTP via quantum-encrypted channels and verify its integrity at the recipient end. If the pad has not been comprimised *then* you send an OK (via the same quantum-encrypted channel, just in case) to recieve the encrypted message. This gives you one extra layer of security that pretty much defeats any monkey in the middle style attacks, because you need not send data unless the recipient is sure the pad is secure.

Re:Nope, wrong, invalid.. nothing to see here.

[RWerp]

I've always wondered what would happen if some 15-year-old math wiz who is playing around in Mathematica comes up with a novel approach to factoring

If anybody does something about factoring, he will do it with pencil and paper (or blackboard and chalk), not with Mathematica. Mathematica is only as good as the mathematicians are, it's not a magic box sent from heaven.

Re:Nope, wrong, invalid.. nothing to see here.

[mmusson]

Also, if a P=NP proof was found it would not necessarily gives us a procedure for generating the P algorithm that solves the NP complete problem. This would be an unfortunate situation.

Re:Nope, wrong, invalid.. nothing to see here.

[shawn(at)fsu]

This article simply inflates that idea into a paranoia for the masses

Can't that be said for every article on /.?

Re:Nope, wrong, invalid.. nothing to see here.

[swillden]

Additionally it should be noted that there are many complexity classes other than just P and NP, and there are many X such that X > P and X > NP.

True, but, in general, NP problems are really ideal for lots of cryptographic applications. The essence of the NP class is that it is the set of decision problems that are "easy" to solve given a particular piece of information and hard to solve otherwise. If I can be loose with terminology, an NP problem is a problem whose answer can be verified in polynomial time, but can only be found (as far as we know), in greater than polynomial time.

(BTW, I know the definition of NP as "non-deterministic polynomial", and what that means. The explanation I've given is equivalent, and easier to apply).

If P=NP, then all problems whose answers can be verified in polynomial time can also be solved in polynomial time. Of course, the polynomials in question could still make verification practical but solution impractical -- which is what we need for a useful public-key crypto algorithm. Or we could look to classes of algorithms of higher complexities, as you suggest, we'd have to find problems whose verification effort, although non-polynomial, was sufficiently low but whose solution effort was enough greater.

The really nice thing about NP is that when you increase the key size you're increasing the verification effort a small amount (it's pretty much linear with key size for the problems we use) and increasing the solution effort a large amount (as far as we know it's roughly exponential with the problems we use). This means that increased computing power always benefits the crypto user and hurts the attacker... because each increment of additional computation the crypto user chooses to perform creates a vastly larger amount of work for the attacker. The difference between linear and exponential is ideal.

None of this means that, in practice, algorithms base on decision problems in P, or EXP, or NEXP may very well be useful. But NP has a perfect structure, if it exists.

Re:Nope, wrong, invalid.. nothing to see here.

[CodeBuster]

While we are on the subject of P = NP here, there remains no proof either way that P = NP or that P != NP. However, a very large body of experimental evidence and related proofs tends to suggest that it is almost certain that P != NP. Many computer scientists are prepared to bet heavily on this outcome considering its near certainty. The threat to cryptography from quantum computing does not, as mentioned by Ckwop, have anything whatsoever to do with the computational complexity of the problem, but rather with the ability of quantum computers to try many solutions simultaneously, thus resulting in a much higher computational throughput. In effect the brute force attack is sped up by orders of magnitude and becomes feasible with today's algorithms and key sizes. However, the paranoid among us need not fear the death of encryption since quantum computing also makes possible new types of cryptography which are not based upon the asymptotic complexity of finding the solution to a problem. Even if all else fails we will always have the one time pad which is completely unbreakable (when proper pad discipline is observed) albeit somewhat cumbersome in practice.

Re:Nope, wrong, invalid.. nothing to see here.

[attam]

i took ron rivest's crypto class my senior year at MIT and simson was the TA (one of two TAs actually). oh man, is this guy high on himself! he might be the most condescending person i've ever talked to and the worst part is that he doesn't even seem to realize it. he has crazy articles in techreview all the time and sometimes it just seems like he is fishing for "a good idea."
all in all, i know he's a sharp guy, but i think sometimes his ambition wins over his better judgement.

Re:Nope, wrong, invalid.. nothing to see here.

[Coryoth]

Factoring is overrated. A good solution to factoring will only really kill RSA. What you really want is a fast solution to the discrete Log Problem for arbitrary groups. Solve that and Diffie-Hellman, El-Gamal systems (pretty much all public key crypto, including elliptic curve crypto) are out the window, and serious problems result.

Jedidiah

Re:Nope, wrong, invalid.. nothing to see here.

[iwadasn]

This is why you use extremely long keys and strong algorithms. Use 4k RSA keys guys. It doesn't guarantee against attacks, but it does dramatically extend the time horizon. Even if there is a means of making factoring easier, it might not make it easy enough if the key is very big.

Make a key 10^10 as hard as the biggest one that can be broken (at least), and then only a very severe break will put you in danger.

Re:Nope, wrong, invalid.. nothing to see here.

[Captain+Segfault]

No no no no no no! Your first sentence is wrong! See Wikipedia's complexity article

In any case, we could use a problem with, say, exponential complexity (in particular, not in NP) such that the reverse is also exponential, but with a larger exponent, such that it would still be exponentially easier to encode than to decode.

Re:Nope, wrong, invalid.. nothing to see here.

[CodeBuster]

Granted, but please understand that it has been several years since I last looked at this material in a university course on Algorithm Design and Complexity Analysis. That having been said, what I meant (and should have said) was the NP-C or NP Complete problems. It follows from the formal definition that:

A decision problem C is NP-complete if:

1) it is in NP and

2) every other problem in NP is reducible to it. Where reduction means that for every problem L, there is a polynomial-time many-one reduction, a deterministic algorithm which transforms L into instances of C, such that the answer to C is yes if and only if the answer to L is yes.

Sigh...formalisms are so tedious, but some people live for this sort of thing. Anyway, since NP-C is a subset of NP and NP overlaps P it follows that IF someone proves that P = NP then the problems in NP-C can be reduced so that they are equivalent to solving a problem in P which is bad for current cryptography methods for obvious reasons. My previous post was an honest mistake and I stand corrected.

Re:Nope, wrong, invalid.. nothing to see here.

[nachoboy]

There's nothing stopping one from sending more than one "one time pad" through that initial secure channel ... Or for that matter, an agreement to use the King James Bible as a pad, starting at Exodus 9:3

Bzzzzzt. Wrong answer. The security of a one-time pad lies in the fact that the pad contains truly random data and that the pad is only used once. Pseudo-random number generators, or, worse, English text can NOT substitute for real random data. Read the first chapter of any cryptography text for more details. (Personally I recommend Schneier.)

Re:Nope, wrong, invalid.. nothing to see here.

[nachoboy]

Therefore, OTP isn't really unbreakable either.

On the contrary, a real (see rules below) one-time pad is truly the only unbreakable cryptosystem. Without access to the key, no amount of brute-forcing or analysis will ever recover the plaintext.

OTP could partially be helped by using commonly available documents, images, binaries, whatever as the pad, but then you increase the chances of someone else finding the pad, and you still have to store an index of which document uses which pad somewhere.

People keep suggesting this sort of thing - eliminate the cumbersome difficulties of a genuine one-time pad by using some sort of public data. Dictionaries, encyclopedias, or virtually any other store of information are NOT suitable for use as one-time pads. Using non-random data for your pad destroys the inherent security of the one-time pad. There is no shortcut.

Rules of one-time pads:
1) Data MUST be completely random. Pseudo-random does not count. "Looks random to me" does not count. "Comes from a much larger set of data" (a la phone book, etc) does not count. How to generate this random data is left as an exercise to the reader.
2) Data must NEVER be reused. Not to the same recipient, not on the same message, not when you run out of pads.
3) Data must only be known to those who can be trusted with the plaintext of the message (duh!).

Re:Nope, wrong, invalid.. nothing to see here.

[mekkab]

If the Julian calendar was (and is) right then it's August 20th today instead of september 2nd

Sweet! My credit card payment isn't late afterall!

Who needs it?

[romper]

Guvf jbexf whfg svar sbe zr!

Re:Who needs it?

That's not encrypted. That's in German!

w00t

Re:Who needs it?

[iabervon]

The moderators couldn't find "Shaal"?

Didn't that guy...

[Skiron]

... write 'Bridge over encrypted waters ~(__8-(0) Doh!'?

Easy killer...

[danielrm26]

This is really quite simple - the type of machine that can render Prime-based and Discrete Log-based encryption "useless" has not been invented yet. Furthermore, as the article points out, most (including Adelman) belive it'll be a long time before one is.

The problem (P vs. NP) is still just as difficult, and we aren't really much closer to solving it than 10 or 20 years ago.

Re:Easy killer...

[Christopher+Thomas]

This is really quite simple - the type of machine that can render Prime-based and Discrete Log-based encryption "useless" has not been invented yet.

If by "prime-based" you're talking about deriving prime factors for things like RSA public keys, then the machines have been invented - they just haven't been built yet. Shor's Algorithm allows a quantum computer to factor numbers extremely rapidly, which breaks RSA quite badly. This is due to the nature of factoring, not of quantum computing itself - no quantum computing algorithm _presently_ known can break discrete-log encryption in less than the square root of the number of steps a classical computer would take to do it, for example. However, only time will reveal which algorithms are vulnerable to QC and which aren't.

Quantum computers with enough qubits to do useful RSA public-key factoring will probably be built within about 10-20 years, based on the progress to date. Possibly earlier, but I'm going to be conservative and hedge a bit.

Re:Easy killer...

[bobbozzo]

4-qbit q computers have already been built (as of 2002).
(They can factor a 4-bit number.)

Not very useful, but a great demonstration.

These claims were presented by a Physics prof at DefCon 10.
http://www.defcon.org/html/defcon-10/defcon-10-spe akers.html#walterdaugherity

And, According to /., IBM built a 5-qbit computer in 2000.

More than Just P=NP

[SparafucileMan]

"For more than 30 years, mathematicians have sought in vain the answer to a simple problem in theoretical computer science. The problem is what's known as an open question --it's a simple equation that is either true or false. It can't be both."

Which is not exactly true. It could be true but not provable. It could be false but not provable. It could be provably true, or provably false. Or, it could be neither true nor false.

Re:More than Just P=NP

[sploo22]

Well, it could be proven to be theoretically undecidable like the halting problem, couldn't it? Then I guess it would be true or false, but nobody would ever know so it's all semantics.

Re:More than Just P=NP

[ksorim]

The continuum hypothesis is undecidable in certain versions of set theory. Why couldn't the Riemann hypothesis be undecidable too?

My understanding of Gödel is that in any sufficiently strong system of axioms there will always be statements that are neither provable nor disprovable. That is: there is a statement S such that S isn't provable and the negation of S isn't provable.

Is my understanding of Gödel wrong?

Re:More than Just P=NP

[AJWM]

Firstly, the halting problem is trivially decidable for any particular program, the program either halts or it doesn't.

Okay, suppose you're given a program that computes successive digits of, say, pi. Trivially we can say that it won't halt (not counting physical or architectural limitations of the computer), by definition.

Suppose we now add a test wherein the program halts if it detects a particular sequence of digits. Will it halt or not?

Show the trivial method by which you decide your answer.

Re:More than Just P=NP

[PaulBu]

Firstly, the halting problem is trivially decidable for any particular program, the program either halts or it doesn't.

Sorry, you are wrong here. Yes, if you ran a program and it stopped you know your answer. But if the program is still running, how would you know if it will eventually halt or not? And if it is one of those programs that do *not* halt, you'd have to wait for infinite amount of time to declare it "non-halting".

As to your solution of "comparing P and NP sets" -- I think you are slightly trolling here! ;-)

Paul B.

Re:More than Just P=NP

You really have no fucking idea, do you?

Re:More than Just P=NP

[Dr.+Zowie]

Hmmm... Thanks for the "...of course you are right...", but, er, you just described the definition of decidability. If it's "impossible to write a [n algorithm] which takes as input a description of a program P and a description of an input x and decides whether P halts on x", then the question of whether P halts on x is not decidable.

See some of the definitions online...

Re:More than Just P=NP

[abb3w]

Disclaimer: I am not a mathematician, so don't rely on this as advice when counting to ten.

Is my understanding of Gödel wrong?

Bluntly, yes.

Bluntly, no; it seems his understanding of the Reimann hypothesis is.

On the other hand, the Riemann hypothesis is a particular question about a precisely stated function on the precisely defined set of complex numbers. There is only one such function and only one such set of complex numbers, no matter which set theory you are talking about.

To be perhaps marginally more understandable, construction of the complex numbers requires the axioms for construction (and infinite inductive properties) of the Natural numbers, and axioms for construction of addition and multiplication. Complex powers require (briefly) the use of calculus, which merely requires adding axioms for how to take a limit into the mix.

The Reimann Zeta function of a complex number is the infinite sum of every integer when taken to the power of the additive inverse of the complex number being considered. The behaviors of this function (such as where it has zeros, as the Reimann hypothesis considers) are therefore only reliant on the axioms necessary for the above constructions. Proof of this is left as an exercise to the student. =)

The hypothesis is either true or false: there either exists a zero not on the strip or there doesn't. There is no third option.

...or at least, no third option as long as you work with the axioms describing what any normal mathematician considers the Complex Numbers. One may feel free to construct your own Complex/Real/Integer/Natural Numbers out of your own axioms and belly button lint if you will, but I doubt it will be more interesting than the belly button lint itself.

Of course, proving this degree of axiomatic dependence rigorously is more than I am able to do. This is also left as an exercise for....

Re:More than Just P=NP

[tc]

Whether the continuum hypothesis is true or false depends on your choice of axioms. I'm not sure what your statement about "if it is true, then it can't be proved true" means. If you accept the axiom of choice, then the continuum hypothesis is true, if you accept its negation then it isn't - simple as that, really.

It has been shown that with the standard set of axioms (without the 'axiom of choice'), you can construct models where the continuum hypothesis is either true or false, at your option.

If you incorporate the axiom of choice, then the continuum hypothesis is true.

If you incorporate the negation of the axiom of choice, then the continuum hypothesis is false.

For reference, the axiom of choice simply states that given a set of non-empty sets, it is possible to form another set consisting of one element from each set. Put another way, if I have several boxes, each box containing at least one item, then it is possible to take one item from each box.

When considering finite collections of sets (or even countably finite collection of sets), the statement is trivially true. When you allow uncountable collections of uncountable sets, things get...weird.

For example, if you allow the full form of the axiom of choice, then you can prove things like the Banach-Tarsky paradox, which basically says that you can cut the unit (solid) sphere up into finitely many pieces, and reassemble those pieces using only translation and rotation to form two spheres identical to the original. This is pretty fucked up, which is why the axiom of choice is considered a questionable one.

For an easier to grasp example, consider the set of all non-empty subsets of the reals. The axiom of choice says I can choose an element from each of those subsets. But how do I do that? What procedure do I use? At first you might say, pick the lowest or highest element, but what about those subsets unbounded at one end. Or the element closest to zero - but what about open sets where the infimum or supremum isn't in the set? It's really tricky to come up with a choice procedure, however complex, that works for all cases. After a while of playing with examples, you wonder if perhaps it's not possible.

Personally, I think the axiom of choice is a bad axiom. Choosing one thing from each set sounds like a sort of 'counting' operation to me, and yet the axiom of choice is saying that it's okay to do that even with uncountable collections of things. It's trying to crowbar the uncountable to behave like the countable. If you do that, thinks break.

So, from an intuitive point of view, where we don't like to have things like the Banach-Tarsky paradox, we could say that the axiom of choice is 'bad', and therefore that we prefer to believe its negation, and hence that the continuum hypothesis is false. A strict Platonist would probably take that point of view.

In support of this viewpoint is also the consideration of where axioms come from in the first place. They are things that we hold to be 'self evidently' true. For example, if A implies B and B implies C, then we can deduce by applying the transitive axiom that A implies C. That seems self evident, but to be rigorous we state it as an axiom. To me the axiom of choice just doesn't meet the 'smell test' for a self-evident axiom, but that's only an opinion.

If you're not a strict Platonist, then you might not believe that. Instead you might believe that there is no such thing as absolute truth, and that truth itself is a logical abstract and that one can only rationally ask about the truth or falsity of a statement in respect to a set of self-consistent axioms which can choose freely.

Re:More than Just P=NP

[CoughDropAddict]

Oof! Undecidable is not the same thing as not computable. Undecidable, to simplify, means that a statement has no truth value in a system of axioms, i.e. its positive or negative could be added as an axiom and the system would still be consistent.

Wikipedia (see here and here) and my Theory of Computation textbook disagree with you.

From Theory of Computing -- a Gentle Introduction:

We will use the term decidable language as a synonym for Turing computable language.

Re:Sound of Silence

[baylanger]

In other words, cryptography is dust in the air?

There's always OTP

[ikewillis]

OTP will always remain a viable means of private key cryptography. When you interleave signal with noise, the result will always have the properties of noise.

Re:There's always OTP

[gweihir]

OTP will always remain a viable means of private key cryptography.

Theoretiocal OTP: yes.

However the existence of randomness in nature if a pure observation and may be an oversimplification. There is not much indication this may be so, but when I look at what quantum physicists currently believe, I am pretty much convinced we don't understand this universe yet.

Re:There's always OTP

[Viking+Coder]

You're absolutely right. Except for the "very hard" part.

It costs about a hundred bucks to buy a good (secure) random number generator. Noisy diodes, for instance, work great. Hell, taking photos of lava lamps works, too.

QRNG

SafeXcel

VIA C3 RNG

Ha!

[chill]

For 90% of the public, ALL math problems more complex than 2+2 are hard!

Re:Ha!

[DrSkwid]

yes, for sufficiently large values of 2

Re:Ha!

[kallisti]

If you think 2+2=4 is simple, then you haven't seen this!

Could be argued

[onyxruby]

Could be argued, for that matter the entire concept of "random" is truely just a human thought construct. Since crypto is heavily dependent upon the concept of random, this will become a bigger problem as time goes on.

It can well be argued that absolutely nothing is in fact random. From coin flips to roulette anything can eventually be learned and predicted on some level. The only point where I might even question this is with quantam states, and even there we really know precious little. It is simply too early to say one way or another on quantam.

Re:Could be argued

[Christopher+Thomas]

It can well be argued that absolutely nothing is in fact random. From coin flips to roulette anything can eventually be learned and predicted on some level.

Even in a purely classical universe, sensitivity to starting conditions makes things like coin tosses and die rolls impossible to predict if set up carefully. This is that whole "chaos" topic you may have heard about in the press in the 1980s. You'd have to have excruciatingly accurate knowledge of the state of everything in the past light-cone of the event you're trying to predict, as of the time of prediction, for it to work with perfect reliability.

In our quantum universe, the uncertainty principle makes it impossible even in principle to measure starting state to the required precision, for the schemes that are used for true random number generation in electronic systems. Additionally, if quantum processes are accepted as truly random, they inject enough noise to taint macroscopic events with true randomness if the consequences of the noise are given enough time to propagate.

In summary, true randomness exists as a very fundamental result of the laws of nature, and won't go away no matter how good our measurements get.

Re:Could be argued

[captnitro]

Mathematics is a 'human thought construct', man. The interesting part about it is that these ideas reliably correspond to real things. There's nothing inherent in the universe to say that three apples can't be described some other way, but mathematics describes it as '3' and if I add '2' more, I get '5'.

Realistically, I could argue "what constitutes an apple?" or "are these apples really '1' each?", but as far as mathematics goes, it's the ideals of the numbers matter.

"Random" isn't random when you're talking about coin tosses or roulette, just a very complex and physical "pseudo-random". "Random" is a mathematical ideal, just like "2" apples. While we can't generate truly random, we can get damn close, and certainly close enough to use. (Example: Via's C3 'Padlock' encryption engine takes electrical noise off the chip. Not truly random, but good enough to keep people from reading your e-mail.)

For that reason, when we're talking about one-time pads and the like, the proof of uncrackability has to do with the ideal, not the fact that we're getting our random data set from a monkey at the zoo. Obviously if your "random" data set was a monkey who sat on the "A" key for twenty minutes, that's a factor. But the ideal is what we're talking about, and if we can get close *enough*, we should be fine.

Re:Could be argued

[DarkMan]

The only point where I might even question this is with quantam states, and even there we really know precious little.

Uh, sort of. Heisenbergs uncertinty principle can be read as "We can never know the details" of quantum states. If it is true, then it does not matter whether or not a quantum state could be determanitsic if we can measure the things we need to determine it.

Now, there is an awful lot of discoveries and technology that have been predicated on Heisenbergs principle being true (or, at least, true enough, for some value of enough) [0]. Thus, the burden of proof is heavily on the side of anyone claiming that it's not valid (just as it is for anyone claiming Einsteins relativity is wrong, and as it was for Einstien when he showed Newton was wrong [1]).

So, I refute your claim on 'It's too early', by Schottky diodes, Mossbauer spectroscopy and quantum computing, which all rely on quantum states having true randomness [2].

Furthermore, by the way, there was a bunch of work on something called the Bell inequality, which, although painfully esoteric in testing, has disproved the existance of hidden variables. That is, it is _not_ the case that quantum states are deterministic, by data we can't measure. There are no such hidden bits of data.

Moreover, pretty much every macroscopic physical observable is a statistical average of very many microscopic states or events. These microstates are randomly distributed within some known distribution (e.g. disribution individual molectular kinetic energies for a given temperature of a set of particles). The various physical laws that we depend on (in the case of temperature, the predicability of the increase in the rate of some chemical reaction with increasing temperature, for example) have the concept of this random disribution so inherent in them, that I must argue that if 'random' is a a human thought construct, it is fortunate that the laws of nature also think that way (i.e. random is a physical concept)

Such is the opinion of this quantum physicist, at any rate.

[0] E.g Mossbauer spectroscopy
[1] Strictly, Newton was farsighted enough to state his basic assumptions expcitly. Einstein just showed that one of them ("Time is the same for all men") was incorrect, and the consequences of it.
[2] Or, at very least, something that is indistinguisable from it.

Re:Could be argued

[gweihir]

Randomness is not a human construct, I am not sure where you are getting this idea from. There are certain events that are PROVABLY unpredictable, e.g. radioactive decay and certain quantum effects.

Wrong. Sorry. Physics cannot prove things. They can only show that things are very likely and they can have theories that predict things. Often this works, but from time to time it fails. All physical deductions relating to reality are derived from experiments. Experiments are allways imprecise and frequently deliver wrong results.

Ask any physicist. They know that they just have a best guess, but no hard facts.

Re:Could be argued

[DarkMan]

The problem is, however, that the random nature of quantised states exerts some influcence on macroscopic states. It's not very big. In fact, it's posivtly tiny (other wise the quantum nature of things would have explored sooner). Let me give an example.

Light has momentum. The solar sail is the most direct application of this.

Consider a coin toss. In the average place where it takes place, there is uneven illumination. That is, as the coin is spinning, there will be time where the illumination on one side is different to the other. So far this is still accontable for.

However, some of the incoming light will be absorbed by the material of the 'coin', which will enter an excited state, and then later re-emit that light. There is a hugh amount of photochemistry which relies on this sort of behaviour.

So, as the coin is spining in the air, the momentum from reflected light is calculable. Let's ignore the effect of absorbing the light, and focus on the re-emmision which will apply some momentum. In what direction is the light re-emited?

Well, that's a tough question. Most importantly, as the coin is spinning in the air, it depends on the time between absorbtion and re-emmision. That's a quantum phenonema, and is randomly distributed in a Gaussian disribution about some mean.

So, to calculated the effect of the coin toss exactly, you need to account for all those quantum effects. Which is impossible, because they are random.

I accept my example is a little contrived, in that the effect of the differential momentum transfer by photonic processes is negligable for any real coin, compared to other factors. It is, however, not zero, and is a solid example of how the randomness of quantum events effects macroscopic observables.

Given enough time, the fuzzyness of the quantum states gradually takes over. For most things that's a long time - it is, however, non zero.

Re:Could be argued

[iwadasn]

By "prove" we mean to some disgusting (like 20) number of sigma. The odds of us all dying of a stroke on the same day is greater than the odds of us being wrong about that.

The odds aren't ever zero, but they're usually close enough.

Re:Could be argued

[Maltheus]

Whenever the debate between a random universe and a deterministic universe comes up, people always pull quantum mechanics out of their pocket and say, "Since we can never predict the future (Heisenberg), then the universe must be random." The inability predict the future has absolutely nothing to do with whether or not the universe is deterministic. It just means that you can't know the future without changing it. That's just a reassertion of deterministic principles in itself. If our observations of the universe changes it, then that is an extension of determinism as our decision to observe is based on our genetics and upbringing. Randomness is only our inability to understand the causes behind effects.

People just don't want to live in a deterministic universe because they want to believe they have free will. Well, if you lived in a random universe and your leg just started kicking out and flailing without any decision, chemical factor or message from the brain, then would you be any more free? It seems to me that a person only has freedom in a deterministic universe anyway. Only then can my decisions have any consequence.

Re:Could be argued

[Thundersnatch]

You seem to be missing some of the language nuances. A scientific theory can become a physical law though a large accumulation of evidence which is called a proof. So yes, scientist can "prove" things, insofar as as these terms are defined in the scientific method.

As for your thoery, "physics cannot prove things"... I think it is invalid. It seems to have a logical flaw in that does not appear to be falsifiable if you choose not to accept the large accumulation of evidence that defines a scientific proof.

Music and mathmatics from one person?

[Spokehedz]

In an article on TechnologyReview.com, Simson Garfinkel spells out the real-world consequences of this mathematical conundrum.

Who else read that as Simon Garfunkle? Come on... I couldn't be the only person here, could I?

And besides... if you want real security, just do double encryption. use two common, off-the-shelf encryption methods, one encrypting the other's data and your data is now as safe as it can get. further encryptions in encryptions will only add to bloat and time to decrypt.

Re:Music and mathmatics from one person?

And besides... if you want real security, just do double encryption.

I suggest using double ROT-13.

It's still a "what if" piece...

[bersl2]

So far as we know, P != NP.

And that's it. And I haven't seen a shred of evidence to the contrary.

Yes, the article is somewhat truthful, in that if P == NP, the world will have been turned on its head, but the same thing is true about thousands of scientific and/or mathematical assertions, each of which is more likely to be overturned than P != NP.

Re:It's still a "what if" piece...

[gweihir]

Yes, the article is somewhat truthful, in that if P == NP, the world will have been turned on its head

Nor necessarily. If it turns out that NP only has problems with complexity n^100 in it, then for most paractical purposes we are still in business, since practical algorithms in P may range up to complexity n^4, if that.

For crypto (on-way functions) it just needs to be very hard in one direction and very easy in the other. Choosing N and NP is a nice pair of things were this works, but not the only one.

Re:Sound of Silence

[jejones]

As one would say to Mycroft in The Moon is a Harsh Mistress, that's a "funny only once" joke...and the "once" was probably decades ago.

Another magical no more secrets box

[syousef]

When will people learn that as long as people have secrets to keep they'll find ways of keeping them? There may be advances in technology which will render certain methods of keeping the secret obsolete, but this search for a magic algorithm is silly.

I imagine one day there may be an advance that will mean a total security overhaul will be required though, and that could provide a window of chaos in the most extreme circumstances. However every advance in decryption tends to quickly lead to an advance in encryption that can beat it. At least historically that's been the way it is.

Until they can literally read the contents of my brain, I'm not too worried.

All he does is explain P and NP

[GillBates0]

and ponders over whether the recent MD5 news from the Mathematics conference (in an earlier /. story today) will lead to any discoveries that may help answer whether P=NP.

Ignoring the fact that the answer to P?=NP has little to do with breaking encryption for a moment, even if an NP computer is conceived and developed, it'll just lay down a *huge* plethora of computing possibilities at our disposal, including new encryption techniques.

Encryption cannot die, algorithms can.

Re:All he does is explain P and NP

[Vaevictis666]

Encryption cannot die, algorithms can.

True - and if NP is found to be P, then it will effectively hose encryption as we know it today. Your private-key/public-key encryption that relies on those big primes you know and love? Well then would be easily broken - the standard is private key is the two prime factors, public key is their product, and if an easy way to factor is found, then from the public key I can deduce the private, thus breaking your encryption.

They're not as unrelated as you'd think, but it's true that it's not the be-all end-all of encryption.

Re:All he does is explain P and NP

[Chris+Burke]

Yeah, it's not a great article, though I do welcome the opportunity to broaden peoples' mathematical horizons. Still.

He starts off making it sound like P?=NP could be resolved soon in favor of P=NP, but Adelman says we aren't any closer to solving it than we were in the 70's, and the only one the author quotes as saying a solution may be imminent predicts that it will be shown that P != NP (the answer i think most mathematicions expect).

There's a lot more than just encryption riding on the answer (and as you say, encryption not so much) as tons of useful algorithms would go from intractable (exponential) to tractable (polynomial), and that's why people have been looking at the problem for so many years. Without success.

Re:All he does is explain P and NP

[Frizzle+Fry]

It's not about bounded vs. unbounded, it's about polynomial vs. exponential (or worse). Problems in P can be solved in polynomial time.

You're right that you can brute force an answer. But that will require trying all 2^128 keys (in this case). So you can see that the amount of work you have to do will grow exponentially with the input.

Re:All he does is explain P and NP

[falsifian]

But the example the reporter gave was of key based encryption being brute forced. Shouldn't that, by his definition, be a bounded problem? There are only so many x bit numbers. If you use 128 bit encryption, then you have =2^128 possible keys to try.

128-bit brute-force anything is a bounded problem. Since there are only 2^128 possible inputs, all you have to do is pick the longest time it takes your program to run out of all those 2^128, and you can say your program runs in constant time (or better).

I have time to kill, am very interested in theoretical CS, and am a karma whore. Therefore I will now explain P vs NP in detail, in case anyone wants an explanation. I used this article to verify some of the fine points.

P and NP are classes of decision problems: problems in which you are presented with an input and must say "yes" or "no". For example, "Is this a prime number?" and "Is there a path from A to B on this graph (network)?" are decision problems.

A problem is in P if you can write a computer program to solve it in "polynomial" time. What that means is this: you give me a program, a polynomial (like 3*n^3) and a starting number m. Whenever your program is given an input, it must say "yes" or "no" within 3*n^3 time units. If the program you gave always gives the right answer in 3*n^3 steps (or whatever the polynomial was) for *any* input that's n symbols long, where n>=m, then the problem is in P. If no program and polynomial exist that satisfy this, then the problem is not in P. It's hard to prove that a problem is not in P, because you have to prove that no program at all can solve it.

NP is a bit more complicated. The definition is essentially the same as for P, except the program runs on a very strange kind of computer. One way of thinking of it is that it has a magic coin. Any time the program wants, it can flip the magic coin and decide what to do according to the whether the coin shows heads or tails. For example, if the computer wants to check if a number is composite (not prime), it can flip the coin a whole bunch of times to get the digits of a possible factor of the program. Here's the really confusing part: when you run the program, the computer actually tries every possible sequence of coin flips. If there is at least one sequence of flips that would get the program to say "yes", then the computer says "yes". If every single sequence says "no", then the computer says "no". So if the program wants to check if a number is composite, all it needs to do is flip the coin a few times to get a possible factor, and say whether that factor divides the number. If the number is composite, then at least one sequence of flips will generate a factor and the program will say "yes". NP stands for "non-deterministic", which is a good description of the weird computer.

A problem is in NP if the weird computer can solve it in polynomial time. Note that every problem in P is also in NP: if a normal computer can solve it without a magic coin, then so can the NP computer.

The question P=NP is the following: can every problem that can be solved in polynomial time on the weird computer also be solved in polynomial time (possibly with a larger polynomial) on a normal computer?

Two more definitions:

• A problem is NP-hard if every problem in NP is reducable to it. For example, the satisfiability problem is NP-hard. If you give me a problem that can be solved in NP, I can make a very simple and quick program that will take any input to your problem and turn it into an equivalent input for the satisfiability problem.
• A problem is NP-complete if it is NP-hard and also in NP. Satisfiability is NP-complete because it's NP-hard but can be solved in NP. A program that is NP-hard but not in NP is more difficult to solve than problems in NP.

I hope I didn't just confuse you more... just read the wikipedia article if this doesn't help.

I saw this movie

[revery]

I saw a movie about this exact same thing. Luckliy Robert Redford and his team won and the world was made safe from Ben Kingsley, but it was touch and go there for a little bit.

I was worried.

The one way to tell for sure if the good guys win, is if the Republican National Committee goes bankrupt and GreenPeace gets a sizable donation. Also, you might see Sydney Poitier in Tahiti and Dan Akroyd in a brand spanking new RV.

--
Pain?

Try Prison.

Re:I saw this movie

[ErikTheRed]

The one way to tell for sure if the good guys win, is if the Republican National Committee goes bankrupt

Yes, I know this is funny, but keep in mind that a few years ago on the Clipper Chip issue it was also Kerry vs. Ashcroft - but it was Kerry pushing for the Clipper Chip and then Senator Ashcroft pushing for individual privacy. Ashcroft has since done a post-9/11 180-degree flip on his views here, but nothing suggests that Kerry has done the same (insert Kerry flip-flop joke here if you want, but no one really knows what he really thinks right now - maybe not even Kerry).

The bottom line - no political party can be trusted to secure your privacy, civil liberties, etc. Pick your candidates on their individual stances on the issues important to you. Depressingly, most of the time the only difference between the parties (and candidates) is how much lubrication they'll use when fucking you in the ass.

Re:Quantum Computers / Shor's Algorithm

[wwest4]

> Or a quantum computer is made that can break all these passwords.

No. To put in plain language: there are forms of encryption more advanced than those that employ difficult math problems. Quantum computing does not pose a threat to a OTP system that employs quantum key exchange. Sorry.

Re:Eventually

[savagedome]

You are thinking of One time pads

The only encryption theoretically unbreakable.

I have discovered...

[CSG_SurferDude]

I have discovered a truly remarkable proof which this post is too small to contain.

Re:I have discovered...

[FuzzyFox]

Prove it!

Get with the times!

[Otter]

Ask Slashdot dealt with this issue three years ago! When it comes to uninformed, idle speculation, this site is way ahead of MIT!

"last human draws its breath"

[aristus]

Cryptography will die when the last human draws its breath. Er.... shouldn't that be third-to-last human?

Re:"last human draws its breath"

[Issue9mm]

Actually, I'm thinking second-to-last really. As the third-to-last person on the earth, I may choose to encrypt a document entitled "How to kill Fred and Bill" so that that the other two may not access it.

-9mm-

Re:"last human draws its breath"

[Janek+Kozicki]

"How to kill Fred and Bill"

I humbly prefer killing Bill only. If I may.

Re:"last human draws its breath"

[Puff+Daddy]

Er.... shouldn't that be third-to-last human?

Eff that, ain't no one getting to see my e-mail come Hell, high water, or the end of the human race.

Re:"last human draws its breath"

[MarsDefenseMinister]

Eve. Her name is Eve. Bob and Alice are going to kill her.

Re:"last human draws its breath"

[whovian]

Unless any of them turns out to be Alice. Or Bob.

Re:"last human draws its breath"

[Chandon+Seldon]

If the only humans left are you, Britney, and Christina, we might as well give up on the continuation of the human race anyway...

Re:Quantum Computers / Shor's Algorithm

[Tongo]

But if a quantum computer can be made to do this, then most likely a quantum computer can be created to securly transmit one time pads to the other end. A one time pad is unbreakable because the key length is the same as the message length. (boy I hope I got that right :)

Re:Quantum Computers / Shor's Algorithm

[swillden]

Quantum computing does not pose a threat to a OTP system that employs quantum key exchange.

In practice it may never pose a threat to symmetric ciphers, like AES, either. Those don't rely on hard math problems as much as on non-linearity and complexity. Quantum computers may someday be good at solving simple but hard problems, but it's likely they'll never be able to attack complex problems, easy or hard.

The article sums it up best

[GreenCrackBaby]

Adelman thinks that we'll be waiting for the solution for a long time. Resolving the question of P and NP, he says, "would require new and brilliant ideas and not routine incremental progress. From my perspective, we are no nearer to solving the problem now that we were when bell-bottom pants were cool."

The whole thing is a bunch of alarmist speculation.

This is Crazy

[jetkust]

But some mathematicians are trying to prove that there's really no difference between 'hard' and 'not hard' problems

Well, it's always better to have the hard problem. You may have to seek medical attention, but at least your pride remains intact.

Re:Yep, its doomed.

[0123456]

"In short, his method would allow really [really-really] fast code breaking using quantum 'computers'."

AFAIR the best known quantum algorithm for breaking conventional crypto merely reduces search time to about its square root. So increase your key length from 128 to 256 bits, and it will take about as long to crack a key as a current computer would for a 128-bit key.

This is one reason why most new crypto algorithms have 256-bit keys rather than 128-bit.

It's not "the end of encryption" at all

[Bruce+Perens]

You mean public-key encryption . I fail to see how the one-time pad would be effected by new ways to solve NP-hard problems.

Bruce

Re:It's not "the end of encryption" at all

[Control+Group]

True, but OTPs aren't reusable, and the key needs to have as much information as the message, so they're not an answer to digital signatures or secure transactions online. Or at least, not an answer that's easy enough for me to comprehend.

Since those are the areas in which most people encounter encryption, that's what the author was focusing on.

On the other hand, the author also didn't give any reason to think that P?=NP is even coming closer to being resolved, and certainly no reason to think that it will end up being P=NP...so I don't see how PKE is threatened, either.

It's a non-story, if you ask me. Not that anyone did.

Re:It's not "the end of encryption" at all

[OdinHuntr]

True, but OTPs aren't reusable

OH MY GOD, THEY'RE NOT???

Out of fashion, I guess.

[jlowery]

"From my perspective, we are no nearer to solving the problem now that we were when bell-bottom pants were cool."

Bell-bottom pants aren't cool anymore? Man... what a bummer. I got to quit bogarting those roaches.

Re:Quantum Computers / Shor's Algorithm

In theory. But I would then like to suggest that a codebreaker could feed a series of qubits into a quantum computer of the same length as the message, hit compute, and have a perfect decryption of the message dump out in one universe.

The ability to feed the correct message back from that universe to the rest of us may be a bit tricky, but could perhaps be done by having the individual in the lucky universe set all quanta to 0xFF in a bank of LEDs in a pattern representing the plaintext.

My favorite Simson Garfinkel work

"50 Ways to Break Encryption"...
just calculate the key, Lee
hack the algorithm, Jim
reverse-engineer, Samir

sleep, what's that?

Factoring is another NP problem -- NO!

[Randym]

Factoring is another NP problem.

I'm surprised that Simson made this elementary mistake.

Factoring has *not* been proved to belong to either P or NP. It's an "open problem".

Re:Factoring is another NP problem -- NO!

[mrtroy]

Factoring is another NP problem. I'm surprised that Simson made this elementary mistake.
Factoring has *not* been proved to belong to either P or NP. It's an "open problem".

Exactly. RSA will not die...factoring still will take a long period of time, with larger keys.

Think twice

You don't want the aliens decoding your pr0n collection.

I have a proof

[rumblin'rabbit]

I have a proof that proving P = NP is an NP-complete problem. Unfortunately this posting is too small to hold the proof.

Re:I have a proof

[rumblin'rabbit]

Okay, I haven't actually proven that proving P=NP is an NP-complete problem. I have proven, however, that if you did have a proof that proving P=NP is an NP-complete problem, then verifying its correctness would be easy. Unfortunately this posting is too large to hold the proof.

Hard and tedious are different things

[GoClick]

Adding 2 numbers and 25 billion numbers is really not that dissimilar in ways of difficulty, however it still takes a lot longer to do one than the other. The strength of cryptography doesn't come from how hard something is so much as how long it takes to do all that simple math.

Re:Hard and tedious are different things

[puppetman]

Actually, it's problems solved in polynomial time vs non-deterministic polynomial time. Your two examples are both problems that can be solved in polynomial time.

It's not simple math. IE find two prime factors to a very very large number. Guesses are made to find the factors. But even though guesses are polynomial in amongst themselves, the number of guesses you need to make before you hit on a solution is non-deterministic. Thus it's NP (non-deterministic polynomial time).

Re:Eventually

[chill]

Digital Fortress was a complete piece of shit. Please don't base anything off that rag. It was written with the express purpose of capitalizing off of Dan Brown's momentum being made into a movie. The "visuals" described fit Hollywood nicely -- meaning they have no basis in reality.

It is easy for a person to come up with an algorithm that THEY can't crack. Most are painfully obvious to outsiders with any experience.

Other than proper implementation of a one-time pad, you'll probably find any encryption will eventually fall.

Re:Mandatory

[That's+Unpossible!]

Well, since he's a graduate student at MIT, I'll wager he has.

"Garfinkel holds three degrees from the Massachusetts Institute of Technology and a masters of science degree from Columbia University. He is a member of the Association for Computing Machinery (ACM), Computer Professionals for Social Responsibility (CPSR), and has a certification in computer security (CISSP) from International Information Systems Security Certifications Consortium."

Hard vs not hard

[kmo]

But some mathematicians are trying to prove that there's really no difference between 'hard' and 'not hard' problems

If they succeed, won't it be humiliating for those mathematicians that have spent decades studying this problem to find it isn't harder than solving 2 + 2.

Re:Mandatory

[mec]

Actually, the article's not all that bad.

Two problems: in his explanation of "P", the author says that P-time algorithms consume an amount of time proportional to the input size. That's way incomplete. P-time problems consume time proportional to some polynomial function of the input size, such as O(n^2), O(n^3), O(n^100), in addition to just plain O(n).

The second problem is where the author states that fast solutions to NP-complete problems would open up vulnerabilities to "hackers and viruses". Well, I'm not up on the latest virus developments, but AFAIK most viruses exploit known vulnerabilities rather than trying to crack algorithmically hard problems. Maybe there's some subtle way a virus could use a powerful P-time factorizer, but I think the author really just stated "hackers and viruses" because it sounded nice.

The article's also incomplete, as other posters have pointed out, because plenty of P-time algorithms are useless for real attacks. If your algorithm takes (1000 years) * (n^1000), where "n" is the key length, that is polynomial time, but it's still too damn long.

I've seen much worse in the trade press.

This is silly

[hugesmile]

How hard is this?

P=NP
P/P=NP/P
1=N

Therefore, P=NP for all problems where N=1.

See, that clearly wasn't a NP problem!

Why P!=NP

[26199]

There's no mathematical proof, but consider this: a lot of problems have been shown to be NP complete. That is, if they can be solved quickly (in polynomial time), every NP problem can also be solved quickly (in polynomial time).

Some of these problems would make you a very, very rich person if you came up with a way to solve them quickly.

Nobody has.

That's enough evidence for every-day use, IMO.

Re:Why P!=NP

[Krisbee]

I think you would end up as a very, very dead person very very quickly if you publish a way to crack RSA in a very very short time.

Re:Eventually

Digital Fortress was a total piece of crap. While A moderatly interesting book, the crypto is totally wrong. The ONLY perfect encryption is a one-time-pad. If there is a key it can be broken. The whole "make it impossible to figure out it its really cleartext" is just a not-so-clever plot device.

Think about it this way, when you use PGP/GPG to encrypt something, it compresses the file first. The argument Dan Brown used was that when you try a key on this "unbreakable" crypto that you get garbage out and can't use the typical language statistics to figure out if the result is valid or not. If this was true, then any form of binary data would be impossible to decrypt.

A more mathish approach. The idea was to take a cleartext, M, run it through a "magic function" Z then encrypt that, or Encrypt(Z(M)). Well, a little digging will find that chained encryption doesn't buy much. Thats why AES is around, rather than using 3DES or 5DES. or nDES. All his digital fortress was doing was using two encryption methods. But, this just doesn't work.

Dan Brown doesn't think or do any research whatsoever before he writes a book. Virtually ALL of the crypto related information was WRONG. Skipjack was a problem, not because of any backdoor, but because it was only availible as a tamper-proof hardware chip, noone got to look at it. The Caesar cipher was an alphabetic rotation, not a geometric cipher. Hell, there simply isn't enough energy given out by a star in a year to power a machine capable of brute-forcing 256-bit encryption, schieder wrote an essay on it.

Under current theory, the ONLY perfect encryption scheme is a OTP.

Re:Quantum Computers / Shor's Algorithm

Yeah and 640KB should be enough for anybody.

Re:Keeping the honest people honest

[DylanQuixote]

Well, "enough CPU cycles" is usually so high a number that it isn't possible to compute before the end of the universe.

Re:As I thought I understood it...

[RWerp]

by having a plaintext and cyphertext, a quantum computer can make it very trivial to find the key using certain iterative attacks on the algorithm. I mean, isn't the quantum computer "instantly" backtracking up until the substitution step of each round, as the operations would be reversible up until that point? I would think the complexity to crack is only dependant on the number of rounds.

There is no possibility to use a quantum computer to make simultaneous dictionary attack (guessing the key by trying all possible keys at the same time), because, contrary to what most people think, you can do only one usable computation at the same time on a quantum computer. The difference between classical and quantum computer is that you can 'tune' the quantum computer into doing this one computation which is important -- like the one needed to break the key. If you can do that, you've cracked the cipher. But it requires an algorithm specific to the cipher in question. A good defense before such attack would be to change the cipher in such a way as to make the corresponding quantum algorithm useless, and make attacker think really hard before coming up with another one. A bit more challenging than just increasing the key length.

IANAQCE (I Am Not A Quantum Computing Expert), but that's what I gathered from listening to seminars delivered by people from the field.

"Some mathematicians are trying to prove"

[arodland]

that P=NP. Of course some of them are. But almost every other mathematician with at least three brain cells is reasonably convinced of the opposite. The article covers the "consequences" of P=NP that anyone who's read an introductory text already understands, but fails to mention that a single NP-complete problem inside P is about as likely as finding a number without Goldbach property. It's just silly sensationalism for the sake of ... um, something about uninformed people that starts with 's'.

Re:Quantum Computers / Shor's Algorithm

[swillden]

Thank you for making my point. Quantitative changes occur incrementally over time, like memory requirements. Qualitative changes, however, like the fundamental difference between quantum computers and Von Neumann computers, and the algorithms that can be executed on each, don't.

You could argue that, but you'd be wrong.

[mindstrm]

True randomness does exist, it's all around us.

You are probably thinking "If we just knew everything about the starting conditions, we could predict the outcome."

In this universe, however, you CANNOT know the starting conditions to an infinite degree of accuracy. I don't mean "it's difficult" or "we can't do it with today's technology" but that it's fundamentally not possible. No state exists whereby you can know waht you would need to know. Such predictions are not possible.

You can say we don't know enough about quantum mechanics yet or whatever.. but look at something as simple as the Heisenberg uncertainty principle: you cannot know the speed and location of a particle at the same time. The more accurately you know one, the less you know of the other. This coupled with chaos theory means things really are random.

You are correct in that some things can be predicted.. we COULD measure enough about a roulette wheel to predict with a high degree of accuracy what is going on.. same with a coin toss. But look at something like nuclear decay, for instance... and we will NEVER be able to predict when a given atom is going to decay... it's buried in the quantum noise and in the uncertainty principle.

Re:Quantum Computers / Shor's Algorithm

[swillden]

I thought that all the public key (etc) systems relied on a "hard math problem" to produce the public-key secret-key pair.

Sort of. Actually, they rely on the hard math problem to make it so someone who knows the secret key can do something that someone who knows the public key cannot, and, potentially, vice versa. Generation of keys is simpler.

When I generate my DES and AES keys I go through that "mostly prime" exercise.

Umm, no. DES and AES don't care about primes, or factoring, etc., at all. The DES and AES keyspaces are (nearly) flat. To pick a DES/AES key, you just choose a random 56-bit/128-bit number. (I said nearly because DES does have some weak keys, so some people choose to avoid those).

So quantum computing should be able to do the "large nubmer factoring" exercise necessary to crack the key...

For public-key algorithsm like RSA, DSA, Diffie-Hellman, ECC (well, you don't use factoring to attack ECC, but same notion), etc., yes. For secret-key algorithms like DES, AES, IDEA, RC-4, Twofish, etc., no, there is no number factoring exercise or similar that will help. So probably not, which was my point.

Divide check

[td]

P=NP
P/P=NP/P
1=N

Your proof fails when P=0, in which case any value of N will work.

Best Quotation

[Juiblex]

"In practical terms, that would spell the end of encryption as we know it. The Internet would be vulnerable to hackers and computer viruses." Made me laugh :p~~~

Simson Garfinkel

[cyclist1200]

Poor man was only two letters away from being a music sensation...

I'm sure he's never heard that before in his life.

Mod Parent Down. Mixed up NP and NP-complete

[Dulimano]

As many of his other repliers already pointed out, parent mixed up the NP and NPC (NP-complete) classes. Factoring is in NP. On the other hand, it is very-very unlikely that it is NP-complete (more precisely NP-hard), because this would imply that NP=co-NP.

What does NP=co-NP mean, you ask? You can consult http://en.wikipedia.org/wiki/Co-NP for the details. But the important point is that it is just as unlikely as P=NP.

I'll Tell You What The Consequences Are

[s5fb29330]

The consequences are that I won't be able to safely browse Slashdot from work over an ssh tunnel without getting in trouble, anymore.

I've had secure, non-snoopable access to the Internet for my entire professional life. If I actually have to start working I don't think I'll be able to handle it.

Some critical notes on the article

[Stygius]

(1) The terminology is misleading. The author speaks of "NP problems" without further qualification, and calls these problems "hard problems". NP problems, in the sense of problems belonging to the complexity class NP, however, are not "hard" in general, because all problems in P belong to NP (this is a trivial theorem). And no problem has been shown to be in NP but outside P. He might be referring to the so-called NP-hard problems, which formally are the problems at least as hard as the hardest problems in NP. But this wouldn't make much sense, since he doesn't bring up the NP-complete problems (the only NP-hard problems we know of inside the class NP) until the end of the article.

(2) Suppose P=NP. I, for one, would see this to be a good thing. The gain in the field of e.g. combinatorial planning and scheduling would be enormous, far outweighing any loss in the field of cryptography.

Quantum Chosen-Plaintext Attack ?

[Mad+Bad+Rabbit]

There is no possibility to use a quantum computer to make simultaneous dictionary attack (guessing the key by trying all possible keys at the same time), because, contrary to what most people think, you can do only one usable computation at the same time on a quantum computer.

Disclaimer: I don't know a bra from a ket, but...

If you had a quantum computer, could you break any public-key cryptosystem by doing:

• Encrypt a chosen plaintext P1 and get a cypertext X1
• Take an unknown cyphertext X2, and replace X1 with a superposition of X1 and X2
• Step backwards through the encryption, to get a superposition of P1 and P2 (the unknown plaintext)
• Use the known value of P1 to get P2 from the superposition

(Or is the above stupid and wrong, and I'd need an actual course in quantum physics to even understand why?)

Re:for instance "Primes is in P"

[skeptikos]

Primality testing is in NP. Every problem in P is in NP. What you meant was primality testing is not NP-hard.

The End of Light?

[Various+Assortments]

Researchers have shown that simply throwing a thick blanket over a subject can result in a Denial of Light attack. Pundits have suggested that with this knowledge, there is no longer any point in using light any more, when it can be denied so simply. Experts are working overtime to come up with a solution.

MOD PARENT UP

[finkployd]

Few people know that Ashcroft was once a crusader for personal freedom and privacy and took a stance against the Clipper Chip. Oh course, NOW he is a total fucktard who wipes various parts of his body with the bill of rights, I guess prolonged exposure to government does that to people.

Incidently most of the geeks I know (myself included) who voted for Bush did so because at the time he appeared to be the lesser of two evils. Al "Mr Clipper Chip" Gore certainly was no friend of the technology industry or anyone interested in privacy while he was VP.

Of course now we know that there are no lesser of two evils. Kerry and Bush will both screw over the country hard. Let's face it, nobody likes either of these two failures. They just hate the other guy enough to pretend to like one of them. It is a sad say in the US when these two are the best options we have.

Finkployd

Re:Quantum Computers / Shor's Algorithm

[swillden]

What's the difference?

That's a tough one to answer concisely. The best way to see the difference is probably to look at the algorithms.

Symmetric ciphers work by doing a whole bunch of different operations, mixing and munging the data in complex ways, and doing it over and over again. In the case of DES, for example, there are 16 rounds. AES-128 uses 10 rounds. Each of the individual mathemetical operations are simple, easily reversible and weak, from a security standpoint. The strength is achieved by repeating them many times in particular ways to create an overall structure that is hard to break.

In contrast, public key ciphers, like RSA, consist of only a single mathematical operation, one that has useful properties. An RSA encryption operation just requires calculating m^n mod p. The operation is very simple and straightforward, but there's no known way to reverse it efficently without the private key.

P Complete

[U96]

One important class of problems which should be included in this discussion is the class of P Complete problems.

These are problems for which there exists a polynomial time reduction to the P Problem, which is the ability to optimally distribute P straight pegs in U linearly arranged slots (where P less than or equal to U), so as to maximize the distance between pegs.

For example, for (P=2, U=5), the optimal solution is a peg at the first and last slots. For (P=3, U=5), optimal is U0, U2, U4, etc.

It can be shown that any problem which can be reduced in polynomial time to straight men at a row of urinals is P Complete.

A bit OT, but no less interesting point...

[pVoid]

I don't remember whether it was an Arthur C. Clarke invention or not, but there was a way to have a perfect one time pad...

It is by having a satelite system, like the GPS system, constantly broadcast synchronized truly random data. That way, any two recipients can communicate as much data as they want by simply synchronizing their communication to a certain time, and using the one time pad that's being broadcast by the satelites at that point in time.

Now, this turns the one time pad bandwidth issue into a secret key (the timestamp) issue. How do you communicate the timestamp between the two sources?

There's another benefit though, and that's that the sheer amount of data being generated by these satelites will make it prohibitive to analyze a transmission after the fact... only live interceptions could be used.

Re:A bit OT, but no less interesting point...

[gordlea]

Just record the random data, then as long as i have some idea of when you wrote the message, i'll just brute force it (if he encrypted it at 12:00 would it work, if not, 12:01, etc..)

Even if the data changed every ns it still wouldn't be very secure (assuming i have access to the sat signal)

the Grover algorithm

[r6144]

Actually a QC can do simultaneous computations by using superpositioned states, although getting the desired result out can be challenging.

If there is only one correct key, you can use the Grover algorithm to reduce the complexity to O(sqrt(N)). It first make a superposition of all possible N=2^n keys, then for each iteration the encryption algorithm is applied on it (simulataneously to all keys), yielding a "it is the right key or not" answer for each key, still superposed. Then a conditional 180deg-phase-shift operator and a "diffuse" operator is applied on the resulting superposed state, the result being that the eigenstate containing the correct key now has a larger weight than others in the superposed state, so that it has a higher probability to be observed when measured. By repeating the encryption-conditionPhaseShift-diffuse process O(sqrt(N)) times, the eigenstate containing the correct key will have a sufficiently large weight in the superposed state, and we can measure it and get the correct key with a high probability. So you see the encryption operation is always done simultaneously to every key, but you need to repeat the operation O(sqrt(N)) times to make the desired result strong enough to be measured.

Of course, the Grover algorithm is O(sqrt(N)), as opposed to O(N) of a purely brute-force attack, so just double the key length and you will be safe.

For references, google for "quprog.pdf".

Factoring is not known to be NP-complete

[JoeBuck]

Because factoring is not known to be NP-complete, there might turn out to be a polynomial-time algorithm for factoring, but no polynomial-time algorithm for NP-complete problems. If this were true, RSA might be broken, but other public-key algorithms might still be strong enough.

Re:Factoring is not known to be NP-complete

[sangdrax]

What about the NP-complete Mine Sweeper? NP-complete problems in Tetris?

Factoring is in the intersection of NP and coNP, and thus is (with the current knowledge) probably easier than NP-complete problems. Proving P=NP makes NP-complete problems easier, but Factoring never was that difficult.

It draws its strength partially due to the fact that it uses very large numbers. So even a polynomial algorithm (if it has a high degree) may not be fast enough in practice if a key can be generated much faster.

Simson Garfinkel?

[Ferzelic]

I think my parents had some of their albums...

Re:As I thought I understood it...

[Minna+Kirai]

Today we use the same approach:

No. It's not the same. Holes in DES or AES arise only because of human error in creating the cipher. (And if you wanted better security, you'd be using Diffie-Hellman anyhow). They are not expected, anticipated, or unavoidable.

But in a hypothetical future with quantum computing, breaking the encryption doesn't rely on discovering a flaw, just going through the work. Fundamentally so much easier.

Re:it may have been covered but...

[vidarh]

Their explanation is crap. I'm sure I'll make tons of mistakes and get flamed to death by people who actually paid attention when this was covered at school, but here's an attempt at a more complete explanation...

A "P" problem is a decision problem (a yes/no question essentially) that can be solved in polynomial time: Worst case for searching for a book in a finite collection is a multiple of the worst case time it takes to search one book in the house and the number of books - a straight linear search of all books in the house.

An "NP" problem is a decision problem where a solution can be verified in polynomial time. If P=NP then any problem where a solution can be verified in polynomial time can also be solved in polynomial time. Solving the problem here refers to finding the answer (is the book I seek in the house?) while verifying the solution refers to controlling that the answer is correct.

An P problem is also an NP problem - if you can solve a problem in polynomial time you can by definition also verify an answer in polynomial time: solve the problem, and compare the result with the proposed answer.

However the problem is that while it is thought that not all NP problems are also in P, it is not proven, and may be unprovable. But we don't know which, and don't have a simple way of verifying whether an NP problem is in P or not.

This is what sucks for encryption. Encryption currently rely on it being hard to solve a specific problem but easy to verify the solution (the key) by trying to decrypt an encrypted message, and if it fails (or presents us with gibberish) we know the key presented to us was not the right solution. This can be done in polynomial time

However, it only protects us because nobody (at least as far as we know) can solve the problems posed by the encryption methods in less than exponential time. Exponential time to solve the problem means that the effort could for instance (but not necessarily) double for each extra bit added to the key. The general rule is that the effort is 2^p(n) where p() is a polynomial function of n, and n is the size of the information space of the problem. The problem asked by encryption is essentially "will this key slotted into this encryption function give the original message?"

Let's go back to the book search, and twist it so that it fits the situation with encryption now. In the book search, the question is "does the book I seek exist in the house?". In a normal world, this problems worst case solution increases in effort by a constant factor for each extra book added, but to make it comparable to encryption we need to complicate the problem.

Imagine a crazy world where the best way we have to look for a solution to the book problem is to compare all the books with eachother and a paper strip with the title of the book we want, and only when we happen to compare the paper slip with the right book have we found the solution. In that case, each time we add a book, the problem increases (the number of direct relationships between n entities n(n-1), where n in this case would include the paper strip with the solution) but where we can still verify the final solution by comparing the book we finally found with the paper strip.

The kind of twisted scenario above is what most encryption algorithms are today: A problem that gives protection only because we don't know how to quickly solve it, but where there could be a simple way of solving them right around the corner. If P=NP all encryption algorithms that depend on this relationship can be broken in polynomial time.

However even proving that P and NP are not equal only means that "safe" encryption using this relationship is possible, not that current algorithms are safe - to prove that an algorithm is safe you'd need to separately prove that the problem can only be solved in exponential time. But a proof that P!=NP would give us an indication that it might at least be possible for such a proof to exist, as proving that the problem posed by an encryption algorithm can only be solved in exponential time would at the same time prove that P!=NP.

proof of P=NP without supplying an algorithm

[sangdrax]

A proof of P=NP could merely show there must exist a P algorithm for every NP problem. It doesn't necessarily have to give such an algorithm, only show its theoretical existence. While such a proof would prove P=NP, it would still be of little practicle use.

Only once such a conversion algorithm is found then, yes, every NP problem can be actually solved in polynomial time.

Re:proof of P=NP without supplying an algorithm

[Pseudonym]

I think I agree, though I'm having some trouble imagining what form such an "existence proof" could take, other than providing a P algorithm for some particular NP-Complete problem.

Well, it could be a contrapositive-type of proof. Show that if there is no algorithm in P which solves a certain NP-hard problem, then there is a P algorithm which solves a problem in EXPTIME or something like that. (It is known that P != EXPTIME.)

However, we are now pretty sure that the problem will never be settled. The reason is a rather nice theorem from last year that any proof that P != NP must be exponential in the size of the model used to construct the proof. So P is probably not equal to NP, but the proof is intractable.