Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Encryption Security Science

The End of Encryption? 633

An anonymous reader writes "The encryption algorithms that make virtually all electronic commerce possible work only because certain mathematical problems are very, very hard to solve. But some mathematicians are trying to prove that there's really no difference between 'hard' and 'not hard' problems--known in the math biz as P and NP. In an article on TechnologyReview.com, Simson Garfinkel spells out the real-world consequences of this mathematical conundrum."
This discussion has been archived. No new comments can be posted.

The End of Encryption?

Comments Filter:
  • by Ckwop ( 707653 ) * on Wednesday September 01, 2004 @03:52PM (#10132325) Homepage

    No no no no no. How many more times? Cryptography has absolutely nothing to do with the question of P?=NP.

    P?=NP refers to the asymptotic complexity as the problem. i.e. as the input size goes to infinity. It quite possible to have a problem whos complexity is approximately linear at the 100-1000-bit range and still NP-Complete. Conversely, it's possible to have a p-time algorithm for solving a problem that has a O(n^100) so it's still difficult to solve. While resolving P?=NP might bring new tricks to the table it's difficult to legislate for these tricks. There might not even be any we don't already know.

    Another point, p?=np has no bearing on the security proof of the one-time pad or quantum mechanical key exchange. The latter will become practical over large distances to enable the former long before p?np is resolved. Cryptography will die when the last human draws its breath.

    Simon.

    • These guys couldn't even figure out when the century began.

      "There was a little bit of a controversy as to when the entry of the century was," he recalls. "Was it January 1, 2000, or January 1, 2001?

      Come on now. They can't figure out that and we're looking to them to figure out the whole P=NP mess?
    • by Geiger581 ( 471105 ) on Wednesday September 01, 2004 @03:58PM (#10132405)
      What you say is very true, but there are two big exceptions to note:
      1) 1TP/QKE require as much storage/bandwidth for the key as for the message, and the key can never be resused. These are both severe drawbacks.
      2) Crypto is useful for more than just hiding information. Digital signatures/integrity hashes are both very important and impossible to achieve -reuseably- with either of the schemes mentioned above.
    • by dmeranda ( 120061 ) on Wednesday September 01, 2004 @04:00PM (#10132423) Homepage
      Additionally it should be noted that there are many complexity classes other than just P and NP, and there are many X such that X > P and X > NP.

      So even IF the P?=NP question applies, it doen't mean that cryptography itself is doomed. Just that harder problems might need to be used as the basis.
      • Sure there are harder complexity classes than NP, but they are irrelevant to cryptography. The point of cryptography is that for some encrpted message E there is a key K that makes E easy to decode. So the problem is in NP -- the NP machine guesses K and does the decryption. If you make your decryption problem harder than NP, then even with the key it will take a ridiculous amount of time to decode the message. Here of course I'm talking about public key encryption. The complexity issues are irrelevant
        • So if you have a channel secure enough to send the one time pad, you may as well sent the message instead.

          I wouldn't go so far as to say that. The pad has no bearing on the message sent aside from the ability to decrypt it, so you send the OTP via quantum-encrypted channels and verify its integrity at the recipient end. If the pad has not been comprimised *then* you send an OK (via the same quantum-encrypted channel, just in case) to recieve the encrypted message. This gives you one extra layer of secu

      • by mmusson ( 753678 ) on Wednesday September 01, 2004 @04:33PM (#10132768)
        Also, if a P=NP proof was found it would not necessarily gives us a procedure for generating the P algorithm that solves the NP complete problem. This would be an unfortunate situation.
      • by swillden ( 191260 ) * <shawn-ds@willden.org> on Wednesday September 01, 2004 @04:41PM (#10132853) Journal

        Additionally it should be noted that there are many complexity classes other than just P and NP, and there are many X such that X > P and X > NP.

        True, but, in general, NP problems are really ideal for lots of cryptographic applications. The essence of the NP class is that it is the set of decision problems that are "easy" to solve given a particular piece of information and hard to solve otherwise. If I can be loose with terminology, an NP problem is a problem whose answer can be verified in polynomial time, but can only be found (as far as we know), in greater than polynomial time.

        (BTW, I know the definition of NP as "non-deterministic polynomial", and what that means. The explanation I've given is equivalent, and easier to apply).

        If P=NP, then all problems whose answers can be verified in polynomial time can also be solved in polynomial time. Of course, the polynomials in question could still make verification practical but solution impractical -- which is what we need for a useful public-key crypto algorithm. Or we could look to classes of algorithms of higher complexities, as you suggest, we'd have to find problems whose verification effort, although non-polynomial, was sufficiently low but whose solution effort was enough greater.

        The really nice thing about NP is that when you increase the key size you're increasing the verification effort a small amount (it's pretty much linear with key size for the problems we use) and increasing the solution effort a large amount (as far as we know it's roughly exponential with the problems we use). This means that increased computing power always benefits the crypto user and hurts the attacker... because each increment of additional computation the crypto user chooses to perform creates a vastly larger amount of work for the attacker. The difference between linear and exponential is ideal.

        None of this means that, in practice, algorithms base on decision problems in P, or EXP, or NEXP may very well be useful. But NP has a perfect structure, if it exists.

      • P Complete (Score:3, Funny)

        by U96 ( 538500 )
        One important class of problems which should be included in this discussion is the class of P Complete problems.

        These are problems for which there exists a polynomial time reduction to the P Problem, which is the ability to optimally distribute P straight pegs in U linearly arranged slots (where P less than or equal to U), so as to maximize the distance between pegs.

        For example, for (P=2, U=5), the optimal solution is a peg at the first and last slots. For (P=3, U=5), optimal is U0, U2, U4, etc.

        It can b
    • by aristus ( 779174 ) on Wednesday September 01, 2004 @04:04PM (#10132482)
      Cryptography will die when the last human draws its breath. Er.... shouldn't that be third-to-last human?
    • Perhaps the author expressed the idea poorly by stating it in terms of solving P?=NP, but the ultimate point he was trying to get across is: will the currently difficult* problems that are the basis of modern cryptography remain difficult into the future? And for how long?

      * I'm deliberately leaving 'difficult' undefined to dodge abuse from the language lawyers.

      I've always wondered what would happen if some 15-year-old math wiz who is playing around in Mathematica comes up with a novel approach to facto

    • by jfengel ( 409917 ) on Wednesday September 01, 2004 @04:20PM (#10132637) Homepage Journal
      Yes, but there's a reason P=NP is of particular interest for crypto problems.

      NP problems as a category are easy to check answers, but hard to compute those answers. So a whole category of challenge-response systems are possible. I use the easy (checking) side of the NP problem and make codebreakers use the hard (computing) side.

      For example, it's hard to factor large composite numbers, but easy to check if a set of primes multiplies out to that number.

      Sure, there are plenty of other categories of crypto, but they're harder to deal with. One-time pads are hard to distribute, and quantum mechanical stuff isn't ready yet. But public-private key cryptosystems are based on computations like factoring: it's easy to encrypt something based on the large composite number, but harder to decrypt it unless you have the factors at hand. So I can distribute the large composite number (so anybody can send secret documents to me), and be fairly sure nobody will break the crypto.

      Unless P=NP, in which case factoring the number will also be easy, and we'll have to resort to something smarter, like quantum crypto (assuming it can be made to work practically).
    • by CodeBuster ( 516420 ) on Wednesday September 01, 2004 @04:43PM (#10132876)
      While we are on the subject of P = NP here, there remains no proof either way that P = NP or that P != NP. However, a very large body of experimental evidence and related proofs tends to suggest that it is almost certain that P != NP. Many computer scientists are prepared to bet heavily on this outcome considering its near certainty. The threat to cryptography from quantum computing does not, as mentioned by Ckwop, have anything whatsoever to do with the computational complexity of the problem, but rather with the ability of quantum computers to try many solutions simultaneously, thus resulting in a much higher computational throughput. In effect the brute force attack is sped up by orders of magnitude and becomes feasible with today's algorithms and key sizes. However, the paranoid among us need not fear the death of encryption since quantum computing also makes possible new types of cryptography which are not based upon the asymptotic complexity of finding the solution to a problem. Even if all else fails we will always have the one time pad which is completely unbreakable (when proper pad discipline is observed) albeit somewhat cumbersome in practice.
  • by romper ( 47937 ) * on Wednesday September 01, 2004 @03:53PM (#10132337)
    Guvf jbexf whfg svar sbe zr!
  • by Skiron ( 735617 ) on Wednesday September 01, 2004 @03:55PM (#10132358)
    ... write 'Bridge over encrypted waters ~(__8-(0) Doh!'?
  • Easy killer... (Score:5, Interesting)

    by danielrm26 ( 567852 ) * on Wednesday September 01, 2004 @03:55PM (#10132364) Homepage
    This is really quite simple - the type of machine that can render Prime-based and Discrete Log-based encryption "useless" has not been invented yet. Furthermore, as the article points out, most (including Adelman) belive it'll be a long time before one is.

    The problem (P vs. NP) is still just as difficult, and we aren't really much closer to solving it than 10 or 20 years ago.
    • Re:Easy killer... (Score:5, Informative)

      by Christopher Thomas ( 11717 ) on Wednesday September 01, 2004 @04:17PM (#10132608)
      This is really quite simple - the type of machine that can render Prime-based and Discrete Log-based encryption "useless" has not been invented yet.

      If by "prime-based" you're talking about deriving prime factors for things like RSA public keys, then the machines have been invented - they just haven't been built yet. Shor's Algorithm allows a quantum computer to factor numbers extremely rapidly, which breaks RSA quite badly. This is due to the nature of factoring, not of quantum computing itself - no quantum computing algorithm _presently_ known can break discrete-log encryption in less than the square root of the number of steps a classical computer would take to do it, for example. However, only time will reveal which algorithms are vulnerable to QC and which aren't.

      Quantum computers with enough qubits to do useful RSA public-key factoring will probably be built within about 10-20 years, based on the progress to date. Possibly earlier, but I'm going to be conservative and hedge a bit.
  • by SparafucileMan ( 544171 ) on Wednesday September 01, 2004 @03:57PM (#10132383)
    "For more than 30 years, mathematicians have sought in vain the answer to a simple problem in theoretical computer science. The problem is what's known as an open question --it's a simple equation that is either true or false. It can't be both."

    Which is not exactly true. It could be true but not provable. It could be false but not provable. It could be provably true, or provably false. Or, it could be neither true nor false.

  • There's always OTP (Score:5, Insightful)

    by ikewillis ( 586793 ) on Wednesday September 01, 2004 @03:58PM (#10132396) Homepage
    OTP will always remain a viable means of private key cryptography. When you interleave signal with noise, the result will always have the properties of noise.
    • by gweihir ( 88907 )
      OTP will always remain a viable means of private key cryptography.

      Theoretiocal OTP: yes.

      However the existence of randomness in nature if a pure observation and may be an oversimplification. There is not much indication this may be so, but when I look at what quantum physicists currently believe, I am pretty much convinced we don't understand this universe yet.
  • Could be argued (Score:5, Interesting)

    by onyxruby ( 118189 ) <onyxruby@ c o m c a s t . net> on Wednesday September 01, 2004 @03:59PM (#10132410)
    Could be argued, for that matter the entire concept of "random" is truely just a human thought construct. Since crypto is heavily dependent upon the concept of random, this will become a bigger problem as time goes on.

    It can well be argued that absolutely nothing is in fact random. From coin flips to roulette anything can eventually be learned and predicted on some level. The only point where I might even question this is with quantam states, and even there we really know precious little. It is simply too early to say one way or another on quantam.

    • Re:Could be argued (Score:5, Insightful)

      by Christopher Thomas ( 11717 ) on Wednesday September 01, 2004 @04:12PM (#10132558)
      It can well be argued that absolutely nothing is in fact random. From coin flips to roulette anything can eventually be learned and predicted on some level.

      Even in a purely classical universe, sensitivity to starting conditions makes things like coin tosses and die rolls impossible to predict if set up carefully. This is that whole "chaos" topic you may have heard about in the press in the 1980s. You'd have to have excruciatingly accurate knowledge of the state of everything in the past light-cone of the event you're trying to predict, as of the time of prediction, for it to work with perfect reliability.

      In our quantum universe, the uncertainty principle makes it impossible even in principle to measure starting state to the required precision, for the schemes that are used for true random number generation in electronic systems. Additionally, if quantum processes are accepted as truly random, they inject enough noise to taint macroscopic events with true randomness if the consequences of the noise are given enough time to propagate.

      In summary, true randomness exists as a very fundamental result of the laws of nature, and won't go away no matter how good our measurements get.
    • Re:Could be argued (Score:5, Interesting)

      by DarkMan ( 32280 ) on Wednesday September 01, 2004 @04:21PM (#10132654) Journal
      The only point where I might even question this is with quantam states, and even there we really know precious little.


      Uh, sort of. Heisenbergs uncertinty principle can be read as "We can never know the details" of quantum states. If it is true, then it does not matter whether or not a quantum state could be determanitsic if we can measure the things we need to determine it.

      Now, there is an awful lot of discoveries and technology that have been predicated on Heisenbergs principle being true (or, at least, true enough, for some value of enough) [0]. Thus, the burden of proof is heavily on the side of anyone claiming that it's not valid (just as it is for anyone claiming Einsteins relativity is wrong, and as it was for Einstien when he showed Newton was wrong [1]).

      So, I refute your claim on 'It's too early', by Schottky diodes, Mossbauer spectroscopy and quantum computing, which all rely on quantum states having true randomness [2].

      Furthermore, by the way, there was a bunch of work on something called the Bell inequality, which, although painfully esoteric in testing, has disproved the existance of hidden variables. That is, it is _not_ the case that quantum states are deterministic, by data we can't measure. There are no such hidden bits of data.

      Moreover, pretty much every macroscopic physical observable is a statistical average of very many microscopic states or events. These microstates are randomly distributed within some known distribution (e.g. disribution individual molectular kinetic energies for a given temperature of a set of particles). The various physical laws that we depend on (in the case of temperature, the predicability of the increase in the rate of some chemical reaction with increasing temperature, for example) have the concept of this random disribution so inherent in them, that I must argue that if 'random' is a a human thought construct, it is fortunate that the laws of nature also think that way (i.e. random is a physical concept)

      Such is the opinion of this quantum physicist, at any rate.

      [0] E.g Mossbauer spectroscopy
      [1] Strictly, Newton was farsighted enough to state his basic assumptions expcitly. Einstein just showed that one of them ("Time is the same for all men") was incorrect, and the consequences of it.
      [2] Or, at very least, something that is indistinguisable from it.
  • by bersl2 ( 689221 ) on Wednesday September 01, 2004 @04:00PM (#10132421) Journal
    So far as we know, P != NP.

    And that's it. And I haven't seen a shred of evidence to the contrary.

    Yes, the article is somewhat truthful, in that if P == NP, the world will have been turned on its head, but the same thing is true about thousands of scientific and/or mathematical assertions, each of which is more likely to be overturned than P != NP.
    • Yes, the article is somewhat truthful, in that if P == NP, the world will have been turned on its head

      Nor necessarily. If it turns out that NP only has problems with complexity n^100 in it, then for most paractical purposes we are still in business, since practical algorithms in P may range up to complexity n^4, if that.

      For crypto (on-way functions) it just needs to be very hard in one direction and very easy in the other. Choosing N and NP is a nice pair of things were this works, but not the only one.
  • by syousef ( 465911 ) on Wednesday September 01, 2004 @04:00PM (#10132431) Journal
    When will people learn that as long as people have secrets to keep they'll find ways of keeping them? There may be advances in technology which will render certain methods of keeping the secret obsolete, but this search for a magic algorithm is silly.

    I imagine one day there may be an advance that will mean a total security overhaul will be required though, and that could provide a window of chaos in the most extreme circumstances. However every advance in decryption tends to quickly lead to an advance in encryption that can beat it. At least historically that's been the way it is.

    Until they can literally read the contents of my brain, I'm not too worried.
  • by GillBates0 ( 664202 ) on Wednesday September 01, 2004 @04:01PM (#10132439) Homepage Journal
    and ponders over whether the recent MD5 news from the Mathematics conference (in an earlier /. story today) will lead to any discoveries that may help answer whether P=NP.

    Ignoring the fact that the answer to P?=NP has little to do with breaking encryption for a moment, even if an NP computer is conceived and developed, it'll just lay down a *huge* plethora of computing possibilities at our disposal, including new encryption techniques.

    Encryption cannot die, algorithms can.

    • Encryption cannot die, algorithms can.

      True - and if NP is found to be P, then it will effectively hose encryption as we know it today. Your private-key/public-key encryption that relies on those big primes you know and love? Well then would be easily broken - the standard is private key is the two prime factors, public key is their product, and if an easy way to factor is found, then from the public key I can deduce the private, thus breaking your encryption.

      They're not as unrelated as you'd think, bu

    • Yeah, it's not a great article, though I do welcome the opportunity to broaden peoples' mathematical horizons. Still.

      He starts off making it sound like P?=NP could be resolved soon in favor of P=NP, but Adelman says we aren't any closer to solving it than we were in the 70's, and the only one the author quotes as saying a solution may be imminent predicts that it will be shown that P != NP (the answer i think most mathematicions expect).

      There's a lot more than just encryption riding on the answer (and as
  • by revery ( 456516 ) * <<ten.2cac> <ta> <selrahc>> on Wednesday September 01, 2004 @04:03PM (#10132455) Homepage
    I saw a movie about this exact same thing. Luckliy Robert Redford and his team won and the world was made safe from Ben Kingsley, but it was touch and go there for a little bit.

    I was worried.

    The one way to tell for sure if the good guys win, is if the Republican National Committee goes bankrupt and GreenPeace gets a sizable donation. Also, you might see Sydney Poitier in Tahiti and Dan Akroyd in a brand spanking new RV.

    --
    Pain?

    Try Prison.

    • The one way to tell for sure if the good guys win, is if the Republican National Committee goes bankrupt

      Yes, I know this is funny, but keep in mind that a few years ago on the Clipper Chip issue it was also Kerry vs. Ashcroft - but it was Kerry pushing for the Clipper Chip and then Senator Ashcroft pushing for individual privacy. Ashcroft has since done a post-9/11 180-degree flip on his views here, but nothing suggests that Kerry has done the same (insert Kerry flip-flop joke here if you want, but no o

  • by CSG_SurferDude ( 96615 ) <wedaa.wedaa@com> on Wednesday September 01, 2004 @04:04PM (#10132473) Homepage Journal

    I have discovered a truly remarkable proof which this post is too small to contain.

  • by Otter ( 3800 ) on Wednesday September 01, 2004 @04:04PM (#10132481) Journal
    Ask Slashdot dealt with this issue [slashdot.org] three years ago! When it comes to uninformed, idle speculation, this site is way ahead of MIT!
  • by GreenCrackBaby ( 203293 ) on Wednesday September 01, 2004 @04:07PM (#10132511) Homepage
    Adelman thinks that we'll be waiting for the solution for a long time. Resolving the question of P and NP, he says, "would require new and brilliant ideas and not routine incremental progress. From my perspective, we are no nearer to solving the problem now that we were when bell-bottom pants were cool."


    The whole thing is a bunch of alarmist speculation.

  • by jetkust ( 596906 ) on Wednesday September 01, 2004 @04:09PM (#10132533)
    But some mathematicians are trying to prove that there's really no difference between 'hard' and 'not hard' problems

    Well, it's always better to have the hard problem. You may have to seek medical attention, but at least your pride remains intact.
  • by Bruce Perens ( 3872 ) <bruce@perens.com> on Wednesday September 01, 2004 @04:11PM (#10132547) Homepage Journal
    You mean public-key encryption . I fail to see how the one-time pad would be effected by new ways to solve NP-hard problems.

    Bruce

  • by jlowery ( 47102 ) on Wednesday September 01, 2004 @04:11PM (#10132548)
    "From my perspective, we are no nearer to solving the problem now that we were when bell-bottom pants were cool."

    Bell-bottom pants aren't cool anymore? Man... what a bummer. I got to quit bogarting those roaches.

  • by Anonymous Coward on Wednesday September 01, 2004 @04:17PM (#10132607)
    "50 Ways to Break Encryption"...
    just calculate the key, Lee
    hack the algorithm, Jim
    reverse-engineer, Samir

    sleep, what's that?
  • by Randym ( 25779 ) on Wednesday September 01, 2004 @04:17PM (#10132609)
    Factoring is another NP problem.

    I'm surprised that Simson made this elementary mistake.

    Factoring has *not* been proved to belong to either P or NP. It's an "open problem".

  • by rumblin'rabbit ( 711865 ) on Wednesday September 01, 2004 @04:21PM (#10132657) Journal
    I have a proof that proving P = NP is an NP-complete problem. Unfortunately this posting is too small to hold the proof.
  • by hugesmile ( 587771 ) on Wednesday September 01, 2004 @04:29PM (#10132730)
    How hard is this?

    P=NP
    P/P=NP/P
    1=N

    Therefore, P=NP for all problems where N=1.

    See, that clearly wasn't a NP problem!

  • Why P!=NP (Score:3, Informative)

    by 26199 ( 577806 ) on Wednesday September 01, 2004 @04:34PM (#10132771) Homepage

    There's no mathematical proof, but consider this: a lot of problems have been shown to be NP complete. That is, if they can be solved quickly (in polynomial time), every NP problem can also be solved quickly (in polynomial time).

    Some of these problems would make you a very, very rich person if you came up with a way to solve them quickly.

    Nobody has.

    That's enough evidence for every-day use, IMO.

  • by cyclist1200 ( 513080 ) on Wednesday September 01, 2004 @05:24PM (#10133275) Homepage
    Poor man was only two letters away from being a music sensation...

    I'm sure he's never heard that before in his life.
  • by s5fb29330 ( 115659 ) on Wednesday September 01, 2004 @05:35PM (#10133364) Homepage
    The consequences are that I won't be able to safely browse Slashdot from work over an ssh tunnel without getting in trouble, anymore.

    I've had secure, non-snoopable access to the Internet for my entire professional life. If I actually have to start working I don't think I'll be able to handle it.

Single tasking: Just Say No.

Working...