Slashdot Mirror

← Back to Stories (view on slashdot.org)

The End of Encryption?

Posted by michael on from the doom-and-gloom dept.

An anonymous reader writes "The encryption algorithms that make virtually all electronic commerce possible work only because certain mathematical problems are very, very hard to solve. But some mathematicians are trying to prove that there's really no difference between 'hard' and 'not hard' problems--known in the math biz as P and NP. In an article on TechnologyReview.com, Simson Garfinkel spells out the real-world consequences of this mathematical conundrum."

49 of 633 comments (clear)

  1. Nope, wrong, invalid.. nothing to see here. by Ckwop · · Score: 5, Insightful

    No no no no no. How many more times? Cryptography has absolutely nothing to do with the question of P?=NP.

    P?=NP refers to the asymptotic complexity as the problem. i.e. as the input size goes to infinity. It quite possible to have a problem whos complexity is approximately linear at the 100-1000-bit range and still NP-Complete. Conversely, it's possible to have a p-time algorithm for solving a problem that has a O(n^100) so it's still difficult to solve. While resolving P?=NP might bring new tricks to the table it's difficult to legislate for these tricks. There might not even be any we don't already know.

    Another point, p?=np has no bearing on the security proof of the one-time pad or quantum mechanical key exchange. The latter will become practical over large distances to enable the former long before p?np is resolved. Cryptography will die when the last human draws its breath.

    Simon.

    1. Re:Nope, wrong, invalid.. nothing to see here. by strictfoo · · Score: 4, Funny

      These guys couldn't even figure out when the century began.

      "There was a little bit of a controversy as to when the entry of the century was," he recalls. "Was it January 1, 2000, or January 1, 2001?

      Come on now. They can't figure out that and we're looking to them to figure out the whole P=NP mess?

      --
      I've just signed legislation that'll outlaw Russia forever. We'll begin bombing in five minutes.
    2. Re:Nope, wrong, invalid.. nothing to see here. by Geiger581 · · Score: 5, Insightful

      What you say is very true, but there are two big exceptions to note:
      1) 1TP/QKE require as much storage/bandwidth for the key as for the message, and the key can never be resused. These are both severe drawbacks.
      2) Crypto is useful for more than just hiding information. Digital signatures/integrity hashes are both very important and impossible to achieve -reuseably- with either of the schemes mentioned above.

    3. Re:Nope, wrong, invalid.. nothing to see here. by dmeranda · · Score: 4, Insightful

      Additionally it should be noted that there are many complexity classes other than just P and NP, and there are many X such that X > P and X > NP.

      So even IF the P?=NP question applies, it doen't mean that cryptography itself is doomed. Just that harder problems might need to be used as the basis.

    4. Re:Nope, wrong, invalid.. nothing to see here. by jfengel · · Score: 4, Informative

      Yes, but there's a reason P=NP is of particular interest for crypto problems.

      NP problems as a category are easy to check answers, but hard to compute those answers. So a whole category of challenge-response systems are possible. I use the easy (checking) side of the NP problem and make codebreakers use the hard (computing) side.

      For example, it's hard to factor large composite numbers, but easy to check if a set of primes multiplies out to that number.

      Sure, there are plenty of other categories of crypto, but they're harder to deal with. One-time pads are hard to distribute, and quantum mechanical stuff isn't ready yet. But public-private key cryptosystems are based on computations like factoring: it's easy to encrypt something based on the large composite number, but harder to decrypt it unless you have the factors at hand. So I can distribute the large composite number (so anybody can send secret documents to me), and be fairly sure nobody will break the crypto.

      Unless P=NP, in which case factoring the number will also be easy, and we'll have to resort to something smarter, like quantum crypto (assuming it can be made to work practically).

    5. Re:Nope, wrong, invalid.. nothing to see here. by mmusson · · Score: 4, Interesting

      Also, if a P=NP proof was found it would not necessarily gives us a procedure for generating the P algorithm that solves the NP complete problem. This would be an unfortunate situation.

      --
      SYS 49152
    6. Re:Nope, wrong, invalid.. nothing to see here. by CodeBuster · · Score: 4, Informative

      While we are on the subject of P = NP here, there remains no proof either way that P = NP or that P != NP. However, a very large body of experimental evidence and related proofs tends to suggest that it is almost certain that P != NP. Many computer scientists are prepared to bet heavily on this outcome considering its near certainty. The threat to cryptography from quantum computing does not, as mentioned by Ckwop, have anything whatsoever to do with the computational complexity of the problem, but rather with the ability of quantum computers to try many solutions simultaneously, thus resulting in a much higher computational throughput. In effect the brute force attack is sped up by orders of magnitude and becomes feasible with today's algorithms and key sizes. However, the paranoid among us need not fear the death of encryption since quantum computing also makes possible new types of cryptography which are not based upon the asymptotic complexity of finding the solution to a problem. Even if all else fails we will always have the one time pad which is completely unbreakable (when proper pad discipline is observed) albeit somewhat cumbersome in practice.

  2. Who needs it? by romper · · Score: 5, Funny

    Guvf jbexf whfg svar sbe zr!

    --
    Right is wrong when left is right.
    1. Re:Who needs it? by Anonymous Coward · · Score: 5, Funny

      That's not encrypted. That's in German!

      w00t

  3. Didn't that guy... by Skiron · · Score: 4, Funny

    ... write 'Bridge over encrypted waters ~(__8-(0) Doh!'?

  4. Easy killer... by danielrm26 · · Score: 5, Interesting

    This is really quite simple - the type of machine that can render Prime-based and Discrete Log-based encryption "useless" has not been invented yet. Furthermore, as the article points out, most (including Adelman) belive it'll be a long time before one is.

    The problem (P vs. NP) is still just as difficult, and we aren't really much closer to solving it than 10 or 20 years ago.

    --
    dmiessler.com -- grep understanding knowledge
    1. Re:Easy killer... by Christopher+Thomas · · Score: 4, Informative

      This is really quite simple - the type of machine that can render Prime-based and Discrete Log-based encryption "useless" has not been invented yet.

      If by "prime-based" you're talking about deriving prime factors for things like RSA public keys, then the machines have been invented - they just haven't been built yet. Shor's Algorithm allows a quantum computer to factor numbers extremely rapidly, which breaks RSA quite badly. This is due to the nature of factoring, not of quantum computing itself - no quantum computing algorithm _presently_ known can break discrete-log encryption in less than the square root of the number of steps a classical computer would take to do it, for example. However, only time will reveal which algorithms are vulnerable to QC and which aren't.

      Quantum computers with enough qubits to do useful RSA public-key factoring will probably be built within about 10-20 years, based on the progress to date. Possibly earlier, but I'm going to be conservative and hedge a bit.

  5. More than Just P=NP by SparafucileMan · · Score: 5, Insightful
    "For more than 30 years, mathematicians have sought in vain the answer to a simple problem in theoretical computer science. The problem is what's known as an open question --it's a simple equation that is either true or false. It can't be both."

    Which is not exactly true. It could be true but not provable. It could be false but not provable. It could be provably true, or provably false. Or, it could be neither true nor false.

    1. Re:More than Just P=NP by sploo22 · · Score: 4, Insightful

      Well, it could be proven to be theoretically undecidable like the halting problem, couldn't it? Then I guess it would be true or false, but nobody would ever know so it's all semantics.

      --
      Karma: Segmentation fault (tried to dereference a null post)
    2. Re:More than Just P=NP by PaulBu · · Score: 4, Informative

      Firstly, the halting problem is trivially decidable for any particular program, the program either halts or it doesn't.

      Sorry, you are wrong here. Yes, if you ran a program and it stopped you know your answer. But if the program is still running, how would you know if it will eventually halt or not? And if it is one of those programs that do *not* halt, you'd have to wait for infinite amount of time to declare it "non-halting".

      As to your solution of "comparing P and NP sets" -- I think you are slightly trolling here! ;-)

      Paul B.

  6. There's always OTP by ikewillis · · Score: 4, Insightful

    OTP will always remain a viable means of private key cryptography. When you interleave signal with noise, the result will always have the properties of noise.

  7. Could be argued by onyxruby · · Score: 4, Interesting
    Could be argued, for that matter the entire concept of "random" is truely just a human thought construct. Since crypto is heavily dependent upon the concept of random, this will become a bigger problem as time goes on.

    It can well be argued that absolutely nothing is in fact random. From coin flips to roulette anything can eventually be learned and predicted on some level. The only point where I might even question this is with quantam states, and even there we really know precious little. It is simply too early to say one way or another on quantam.

    1. Re:Could be argued by Christopher+Thomas · · Score: 5, Insightful

      It can well be argued that absolutely nothing is in fact random. From coin flips to roulette anything can eventually be learned and predicted on some level.

      Even in a purely classical universe, sensitivity to starting conditions makes things like coin tosses and die rolls impossible to predict if set up carefully. This is that whole "chaos" topic you may have heard about in the press in the 1980s. You'd have to have excruciatingly accurate knowledge of the state of everything in the past light-cone of the event you're trying to predict, as of the time of prediction, for it to work with perfect reliability.

      In our quantum universe, the uncertainty principle makes it impossible even in principle to measure starting state to the required precision, for the schemes that are used for true random number generation in electronic systems. Additionally, if quantum processes are accepted as truly random, they inject enough noise to taint macroscopic events with true randomness if the consequences of the noise are given enough time to propagate.

      In summary, true randomness exists as a very fundamental result of the laws of nature, and won't go away no matter how good our measurements get.

    2. Re:Could be argued by DarkMan · · Score: 4, Interesting
      The only point where I might even question this is with quantam states, and even there we really know precious little.


      Uh, sort of. Heisenbergs uncertinty principle can be read as "We can never know the details" of quantum states. If it is true, then it does not matter whether or not a quantum state could be determanitsic if we can measure the things we need to determine it.

      Now, there is an awful lot of discoveries and technology that have been predicated on Heisenbergs principle being true (or, at least, true enough, for some value of enough) [0]. Thus, the burden of proof is heavily on the side of anyone claiming that it's not valid (just as it is for anyone claiming Einsteins relativity is wrong, and as it was for Einstien when he showed Newton was wrong [1]).

      So, I refute your claim on 'It's too early', by Schottky diodes, Mossbauer spectroscopy and quantum computing, which all rely on quantum states having true randomness [2].

      Furthermore, by the way, there was a bunch of work on something called the Bell inequality, which, although painfully esoteric in testing, has disproved the existance of hidden variables. That is, it is _not_ the case that quantum states are deterministic, by data we can't measure. There are no such hidden bits of data.

      Moreover, pretty much every macroscopic physical observable is a statistical average of very many microscopic states or events. These microstates are randomly distributed within some known distribution (e.g. disribution individual molectular kinetic energies for a given temperature of a set of particles). The various physical laws that we depend on (in the case of temperature, the predicability of the increase in the rate of some chemical reaction with increasing temperature, for example) have the concept of this random disribution so inherent in them, that I must argue that if 'random' is a a human thought construct, it is fortunate that the laws of nature also think that way (i.e. random is a physical concept)

      Such is the opinion of this quantum physicist, at any rate.

      [0] E.g Mossbauer spectroscopy
      [1] Strictly, Newton was farsighted enough to state his basic assumptions expcitly. Einstein just showed that one of them ("Time is the same for all men") was incorrect, and the consequences of it.
      [2] Or, at very least, something that is indistinguisable from it.
    3. Re:Could be argued by gweihir · · Score: 4, Insightful

      Randomness is not a human construct, I am not sure where you are getting this idea from. There are certain events that are PROVABLY unpredictable, e.g. radioactive decay and certain quantum effects.

      Wrong. Sorry. Physics cannot prove things. They can only show that things are very likely and they can have theories that predict things. Often this works, but from time to time it fails. All physical deductions relating to reality are derived from experiments. Experiments are allways imprecise and frequently deliver wrong results.

      Ask any physicist. They know that they just have a best guess, but no hard facts.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  8. It's still a "what if" piece... by bersl2 · · Score: 5, Insightful

    So far as we know, P != NP.

    And that's it. And I haven't seen a shred of evidence to the contrary.

    Yes, the article is somewhat truthful, in that if P == NP, the world will have been turned on its head, but the same thing is true about thousands of scientific and/or mathematical assertions, each of which is more likely to be overturned than P != NP.

  9. All he does is explain P and NP by GillBates0 · · Score: 5, Interesting
    and ponders over whether the recent MD5 news from the Mathematics conference (in an earlier /. story today) will lead to any discoveries that may help answer whether P=NP.

    Ignoring the fact that the answer to P?=NP has little to do with breaking encryption for a moment, even if an NP computer is conceived and developed, it'll just lay down a *huge* plethora of computing possibilities at our disposal, including new encryption techniques.

    Encryption cannot die, algorithms can.

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
  10. I saw this movie by revery · · Score: 4, Funny

    I saw a movie about this exact same thing. Luckliy Robert Redford and his team won and the world was made safe from Ben Kingsley, but it was touch and go there for a little bit.

    I was worried.

    The one way to tell for sure if the good guys win, is if the Republican National Committee goes bankrupt and GreenPeace gets a sizable donation. Also, you might see Sydney Poitier in Tahiti and Dan Akroyd in a brand spanking new RV.

    --
    Pain?

    Try Prison.

  11. Re:Quantum Computers / Shor's Algorithm by wwest4 · · Score: 5, Informative

    > Or a quantum computer is made that can break all these passwords.

    No. To put in plain language: there are forms of encryption more advanced than those that employ difficult math problems. Quantum computing does not pose a threat to a OTP system that employs quantum key exchange. Sorry.

  12. I have discovered... by CSG_SurferDude · · Score: 4, Funny

    I have discovered a truly remarkable proof which this post is too small to contain.

    --

    LongTail SSH Brute Force analysis tool is here!

  13. Get with the times! by Otter · · Score: 4, Insightful

    Ask Slashdot dealt with this issue three years ago! When it comes to uninformed, idle speculation, this site is way ahead of MIT!

    --
    What I'm listening to now on Pandora...
  14. "last human draws its breath" by aristus · · Score: 5, Funny

    Cryptography will die when the last human draws its breath. Er.... shouldn't that be third-to-last human?

    --
    Sometimes seventeen/Syllables aren't enough to/Express a complete
    1. Re:"last human draws its breath" by Issue9mm · · Score: 5, Funny

      Actually, I'm thinking second-to-last really. As the third-to-last person on the earth, I may choose to encrypt a document entitled "How to kill Fred and Bill" so that that the other two may not access it.

      -9mm-

    2. Re:"last human draws its breath" by whovian · · Score: 4, Funny

      Unless any of them turns out to be Alice. Or Bob.

      --
      To-do List: Receive telemarketing call during a tornado warning. Check.
  15. Re:Quantum Computers / Shor's Algorithm by swillden · · Score: 4, Interesting

    Quantum computing does not pose a threat to a OTP system that employs quantum key exchange.

    In practice it may never pose a threat to symmetric ciphers, like AES, either. Those don't rely on hard math problems as much as on non-linearity and complexity. Quantum computers may someday be good at solving simple but hard problems, but it's likely they'll never be able to attack complex problems, easy or hard.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  16. The article sums it up best by GreenCrackBaby · · Score: 4, Insightful
    Adelman thinks that we'll be waiting for the solution for a long time. Resolving the question of P and NP, he says, "would require new and brilliant ideas and not routine incremental progress. From my perspective, we are no nearer to solving the problem now that we were when bell-bottom pants were cool."


    The whole thing is a bunch of alarmist speculation.

    --

    "The market alone cannot provide sufficient constraints on corporation's penchant to cause harm." -- Joel Bakan
  17. This is Crazy by jetkust · · Score: 4, Funny

    But some mathematicians are trying to prove that there's really no difference between 'hard' and 'not hard' problems

    Well, it's always better to have the hard problem. You may have to seek medical attention, but at least your pride remains intact.

  18. It's not "the end of encryption" at all by Bruce+Perens · · Score: 4, Insightful
    You mean public-key encryption . I fail to see how the one-time pad would be effected by new ways to solve NP-hard problems.

    Bruce

    --
    Bruce Perens.
    1. Re:It's not "the end of encryption" at all by Control+Group · · Score: 5, Informative
      True, but OTPs aren't reusable, and the key needs to have as much information as the message, so they're not an answer to digital signatures or secure transactions online. Or at least, not an answer that's easy enough for me to comprehend.

      Since those are the areas in which most people encounter encryption, that's what the author was focusing on.

      On the other hand, the author also didn't give any reason to think that P?=NP is even coming closer to being resolved, and certainly no reason to think that it will end up being P=NP...so I don't see how PKE is threatened, either.

      It's a non-story, if you ask me. Not that anyone did.

      --

      Reality has a conservative bias: it conserves mass, energy, momentum...
    2. Re:It's not "the end of encryption" at all by OdinHuntr · · Score: 5, Funny
      True, but OTPs aren't reusable

      OH MY GOD, THEY'RE NOT???

  19. Out of fashion, I guess. by jlowery · · Score: 4, Funny
    "From my perspective, we are no nearer to solving the problem now that we were when bell-bottom pants were cool."

    Bell-bottom pants aren't cool anymore? Man... what a bummer. I got to quit bogarting those roaches.

    --
    If you post it, they will read.
  20. My favorite Simson Garfinkel work by Anonymous Coward · · Score: 5, Funny

    "50 Ways to Break Encryption"...
    just calculate the key, Lee
    hack the algorithm, Jim
    reverse-engineer, Samir

    sleep, what's that?

  21. Factoring is another NP problem -- NO! by Randym · · Score: 4, Insightful
    Factoring is another NP problem.

    I'm surprised that Simson made this elementary mistake.

    Factoring has *not* been proved to belong to either P or NP. It's an "open problem".

    --
    DNA is a Turing machine. You, however, being dynamic and emergent, are not.
  22. I have a proof by rumblin'rabbit · · Score: 4, Funny

    I have a proof that proving P = NP is an NP-complete problem. Unfortunately this posting is too small to hold the proof.

  23. Re:Eventually by chill · · Score: 4, Insightful

    Digital Fortress was a complete piece of shit. Please don't base anything off that rag. It was written with the express purpose of capitalizing off of Dan Brown's momentum being made into a movie. The "visuals" described fit Hollywood nicely -- meaning they have no basis in reality.

    It is easy for a person to come up with an algorithm that THEY can't crack. Most are painfully obvious to outsiders with any experience.

    Other than proper implementation of a one-time pad, you'll probably find any encryption will eventually fall.

    --
    Learning HOW to think is more important than learning WHAT to think.
  24. This is silly by hugesmile · · Score: 4, Funny
    How hard is this?

    P=NP
    P/P=NP/P
    1=N

    Therefore, P=NP for all problems where N=1.

    See, that clearly wasn't a NP problem!

  25. Re:Eventually by Anonymous Coward · · Score: 4, Interesting

    Digital Fortress was a total piece of crap. While A moderatly interesting book, the crypto is totally wrong. The ONLY perfect encryption is a one-time-pad. If there is a key it can be broken. The whole "make it impossible to figure out it its really cleartext" is just a not-so-clever plot device.

    Think about it this way, when you use PGP/GPG to encrypt something, it compresses the file first. The argument Dan Brown used was that when you try a key on this "unbreakable" crypto that you get garbage out and can't use the typical language statistics to figure out if the result is valid or not. If this was true, then any form of binary data would be impossible to decrypt.

    A more mathish approach. The idea was to take a cleartext, M, run it through a "magic function" Z then encrypt that, or Encrypt(Z(M)). Well, a little digging will find that chained encryption doesn't buy much. Thats why AES is around, rather than using 3DES or 5DES. or nDES. All his digital fortress was doing was using two encryption methods. But, this just doesn't work.

    Dan Brown doesn't think or do any research whatsoever before he writes a book. Virtually ALL of the crypto related information was WRONG. Skipjack was a problem, not because of any backdoor, but because it was only availible as a tamper-proof hardware chip, noone got to look at it. The Caesar cipher was an alphabetic rotation, not a geometric cipher. Hell, there simply isn't enough energy given out by a star in a year to power a machine capable of brute-forcing 256-bit encryption, schieder wrote an essay on it.

    Under current theory, the ONLY perfect encryption scheme is a OTP.

  26. Re:Hard and tedious are different things by puppetman · · Score: 4, Informative

    Actually, it's problems solved in polynomial time vs non-deterministic polynomial time. Your two examples are both problems that can be solved in polynomial time.

    It's not simple math. IE find two prime factors to a very very large number. Guesses are made to find the factors. But even though guesses are polynomial in amongst themselves, the number of guesses you need to make before you hit on a solution is non-deterministic. Thus it's NP (non-deterministic polynomial time).

  27. Re:As I thought I understood it... by RWerp · · Score: 5, Informative

    by having a plaintext and cyphertext, a quantum computer can make it very trivial to find the key using certain iterative attacks on the algorithm. I mean, isn't the quantum computer "instantly" backtracking up until the substitution step of each round, as the operations would be reversible up until that point? I would think the complexity to crack is only dependant on the number of rounds.

    There is no possibility to use a quantum computer to make simultaneous dictionary attack (guessing the key by trying all possible keys at the same time), because, contrary to what most people think, you can do only one usable computation at the same time on a quantum computer. The difference between classical and quantum computer is that you can 'tune' the quantum computer into doing this one computation which is important -- like the one needed to break the key. If you can do that, you've cracked the cipher. But it requires an algorithm specific to the cipher in question. A good defense before such attack would be to change the cipher in such a way as to make the corresponding quantum algorithm useless, and make attacker think really hard before coming up with another one. A bit more challenging than just increasing the key length.

    IANAQCE (I Am Not A Quantum Computing Expert), but that's what I gathered from listening to seminars delivered by people from the field.

    --
    "Long run is a misleading guide to current affairs. In the long run we are all dead." (John Maynard Keynes)
  28. Re:Ha! by kallisti · · Score: 4, Interesting

    If you think 2+2=4 is simple, then you haven't seen this!

  29. Re:Quantum Computers / Shor's Algorithm by swillden · · Score: 5, Informative

    I thought that all the public key (etc) systems relied on a "hard math problem" to produce the public-key secret-key pair.

    Sort of. Actually, they rely on the hard math problem to make it so someone who knows the secret key can do something that someone who knows the public key cannot, and, potentially, vice versa. Generation of keys is simpler.

    When I generate my DES and AES keys I go through that "mostly prime" exercise.

    Umm, no. DES and AES don't care about primes, or factoring, etc., at all. The DES and AES keyspaces are (nearly) flat. To pick a DES/AES key, you just choose a random 56-bit/128-bit number. (I said nearly because DES does have some weak keys, so some people choose to avoid those).

    So quantum computing should be able to do the "large nubmer factoring" exercise necessary to crack the key...

    For public-key algorithsm like RSA, DSA, Diffie-Hellman, ECC (well, you don't use factoring to attack ECC, but same notion), etc., yes. For secret-key algorithms like DES, AES, IDEA, RC-4, Twofish, etc., no, there is no number factoring exercise or similar that will help. So probably not, which was my point.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  30. Re:Why P!=NP by Krisbee · · Score: 4, Funny

    I think you would end up as a very, very dead person very very quickly if you publish a way to crack RSA in a very very short time.

  31. I'll Tell You What The Consequences Are by s5fb29330 · · Score: 4, Funny

    The consequences are that I won't be able to safely browse Slashdot from work over an ssh tunnel without getting in trouble, anymore.

    I've had secure, non-snoopable access to the Internet for my entire professional life. If I actually have to start working I don't think I'll be able to handle it.

  32. Factoring is not known to be NP-complete by JoeBuck · · Score: 4, Insightful

    Because factoring is not known to be NP-complete, there might turn out to be a polynomial-time algorithm for factoring, but no polynomial-time algorithm for NP-complete problems. If this were true, RSA might be broken, but other public-key algorithms might still be strong enough.