[Cryptography] Is there a public-key algorithm whose best-known attack is exponential-time?
Seth David Schoen
schoen at loyalty.org
Thu Jul 25 00:50:43 EDT 2024
I'm working on a project which, among other things, had me read Merkle
(1978), where the conclusion states
> This paper has thus far dealt with a method which is O(N↑2). If an
> exponential method were possible, it would offer such significant
> advantages over traditional techniques that it would almost surely
> supplant them in short order. The problem appears to offer enough leverage
> age that it can be attacked, as witness the current solution, and an
> exponential solution would offer significant practical advantages over
> traditional techniques. The problem merits serious consideration. The
> author will make the following conjecture: An exponential method is
> possible. The reader is invited to consider the problem.
This is to say that the straightforward attack on Merkle's Puzzles,
the system introduced there, is O(n²), and Merkle, realizing that this
is not that great for practical use, conjectures that there is a
public-key cryptosystem where the time complexity of an attack (without
knowledge of the private key) will be exponential instead of quadratic.
I first thought "well, he was right ... RSA!" (which he cites in an
"Addenda" section); then a moment later I thought "wait, no, the time
complexity of the best-known attack is subexponential". As highlighted
by Eric Hughes's song about the general number field sieve's complexity.
Is Merkle's conjecture actually literally correct, so far as we know?
That is, is there any public-key cryptosystem where the computational
work for an attacker, in the best known attack, is actually exponential?
(I assume that the encryption operation should be polynomial-time, so
not some algorithm where encryption is exponential-time and naive
decryption is also exponential-time, just with a bigger exponent.)
More information about the cryptography
mailing list