[Cryptography] List of Proven Secure Ciphers / Hashes
Jonathan Katz
jkatz at cs.umd.edu
Fri Sep 5 15:55:57 EDT 2014
Let's try to clarify things in an attempt to put this to rest.
Assumption 1: We are talking about asymptotic security (as a function of
key length), not concrete security. Why? Because if you care about
concrete security, then P and NP are irrelevant since, as a previous
person noted, any scheme with some fixed key length k can be broken in
*constant* time 2^k.
Let's let n -- a parameter! -- denote the length of the key.
Assumption 2: Encryption runs in time polynomial in n.
You can question this assumption, and in fact it might be meaningful to
allow encryption to run in time n^{log n}. But this is the assumption I
am making.
Assumption 3: You want security to hold against all polynomial-time
adversaries.
You can question this assumption, and in fact it might be meaningful to
only require security for adversaries running in time n^10 (but not those
running in time n^11). But this is the assumption I am making.
We must also fix a notion of security. For concreteness, let's use the
notion of CPA-security (i.e., security against chosen-plaintext attacks);
see the Katz-Lindell textbook for formal definitions. CPA-security, as
defined there, already incorporates Assumptions 1, 2, and 3.
Now, what I claim is:
If P=NP, then no public-key or symmetric-key encryption scheme is
CPA-secure.
On Fri, 5 Sep 2014, Jerry Leichter wrote:
> On Sep 4, 2014, at 9:23 PM, Jonathan Katz <jkatz at cs.umd.edu> wrote:
>> Once you allow known-plaintext attacks, symmetric-key crypto is also in NP.
> This is a meaningless statement. NP has an exact, technical definition. There's nothing to "allow" or "disallow".
>
> Whether "is in NP" or even "is NP complete" is relevant to cryptography is something one can debate - though not very much, as the answer is clear: No. (NP is about the hardest problems in some set. Knowing that there is *some* hard problem is not particularly useful when what you want to know is that *a particular problem* - reading a particular cipher text, for example - is hard.)
>
> But if you're going to talk about a technical matter, you have to use the language as it's understood in the community.
> -- Jerry
>
>
>
More information about the cryptography
mailing list