[Cryptography] List of Proven Secure Ciphers / Hashes
Jerry Leichter
leichter at lrw.com
Fri Sep 5 16:18:02 EDT 2014
On Sep 5, 2014, at 3:16 PM, Bear <bear at sonic.net> wrote:
> NP problems are those for which we do not know whether any
> polynomial-time solution exists. In practice all successful
> modern ciphers are based on NP problems.
That's not a good way to say it; and, again, if we want to discuss a technical subject on a technical level, details matter.
P: There are problems we know have a poly-time algorithm.
not-P: There are problems we know do *not* have a poly-time algorithm.
Unknown: And, of course, there are problems where we don't know whether there's a poly-time algorithm.
Among problems in Unknown, there is a subset that we know *can* be solved in "non-deterministic polynomial time", something that has a number of equivalent formulations, but is perhaps easiest to visualize as "given a proposed solution, you can check whether it really is one in polynomial time (in the size of the original problem)." If P=NP, then in fact all of those problems actually are in P. If P!=NP, at least one of them is not.
Since NP is a subclass of problems about which we lack some knowledge, it's inherently a "no harder than" descriptions. There may well be problems that we currently put in NP (because we haven't found a poly-time algorithm for them) which we later determine to be in P. Linear programming was long in NP - the best algorithm was actually exponential time in the worst case. Then Karmarker showed that it was actually in P.
Among all the problems in NP, there is a further subclass of the NP-complete problems, which are the "hardest" problems in NP, in the following sense: If you can find a poly-time algorithm for any NP-complete problem, it will implicitly give you a poly-time algorithm for all problems in NP.
BTW, factoring is in NP, but is not known to be NP-complete. In fact, there is good reason to believe it is *not* NP-complete.
> For cryptography we want problems that are hard; but it doesn't
> really matter whether they are hard in a way that is proportional
> to an exponential (non-polynomial)function or hard in a way that
> is proportional to some polynomial of very high degree. It only
> matters that they are too hard for solving them to be likely or
> practical.
>
> For example, if there is some problem whose difficulty is O(N^50)
> for N-bit keys of at least some minimum size, then it isn't NP,
> but it could be suitable for cryptography anyway.
Actually that's not a good example.
The "hardness" in P and in NP are (a) asymptotic - an NP, or even an NP-complete, problem could be very easy for n up to 10^1000, but *eventually* turn into something for which we know of no poly-time algorithm; (b) about *worst case* time: If, for every n, there is a one problem of size n such that the difficulty of solving those single, special problems grows faster than any polynomial, then the problem as a whole is not in P, even if "almost all" cases are easy.
Since we do cryptography with a fixed size parameter, and we want "almost all" - probably "all" - of our particular uses of it to be hard, the P and NP classes are simply irrelevant.
On the other hand, the question of asymptotic complexity *does* tell you something about the scaling behavior of your algorithm. If your algorithm asymptotically takes time 2^n, adding 1 to n doubles the difficulty. If you algorithm grows as n^50, adding 1 to n grows the difficulty by (n+1/n)^50, which grows pretty slowly even for reasonably small n. So if you find you chose a security parameter that's too small, recovery for the exponential case may be easy, while recovery for the polynomial case - even with a polynomial of degree 50 - may be difficult.
But just what security parameter *do* you need? It really depends on the constant terms. If the "concrete complexity" (something that's usually very difficult to compute: Real numbers, not just growth rates) of your exponential algorithm is 10^-100*2^n, it's not a reasonable choice unless n is absurdly large; with if you polynomial algorithm has complexity 10^100*n^50, even very small n give you a high degree of security.
Different measures of complexity are good for different things. Use the wrong measure and your results are meaningless.
-- Jerry
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4813 bytes
Desc: not available
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140905/6278e336/attachment.bin>
More information about the cryptography
mailing list