CNIT 141
Cryptography for Computer Networks
9. Hard Problems
Updated 11-2-22
Topics
• Computational Hardness
• Complexity Classes
• The Factoring Problem
• The Discrete Logarithm Problem
• How Things Can Go Wrong
Computational Hardness
• Computationally hard problems
• Also called intractable problems
• Take an unreasonable amount of time to solve
• Regardless of hardware
Measuring Running Time
• Search an array of n elements to find x
• Loop goes from 1 to n
• Expected value: n/2
• Complexity is linear in n
• Doubling n doubles running time
search(x, array, n):
    for i from 1 to n
        if (array[i] == x) return i;
    return 0;
Complexity Classes
• Searching a list: linear or O(n)
• Sorting a list: linear-logarithmic or O(n log n)
• Brute-force key recovery: exponential or O(2^n)
• Quadratic time is O(n^2)
Linear is Fast (Easy)
• Compared to exponential or quadratic
Polynomial vs. Superpolynomial Time
• Polynomial time includes O(n^2), O(n^3), O(n^4), etc.
• They are considered practically feasible
• Superpolynomial time is anything that grows faster than polynomial, like O(2^n) or O(n^log(n)).
• They are considered impractical, or hard
Quadratic v. Superpolynomial
Complexity Classes
• Time complexity
• TIME(n^2)
• All problems solvable in O(n^2)
• TIME(2^n)
• All problems solvable in O(2^n)
Space Complexity
• The memory required by an algorithm
• SPACE(n^2)
• Require O(n^2) bits of memory
Nondeterministic Polynomial Time
• P is the class of all polynomial-time algorithms
• NP is the class of non-deterministic polynomial-time algorithms
• Problems for which a solution can be verified in polynomial time
• Even though the solution may be hard to find
NP Problems
• Recovering a secret key with known plaintext
• Easy to verify whether a key is correct (P)
• Finding the key is hard but that's a different problem
Problems Outside NP and P
• Consider brute-forcing the one-time pad
• When the correct plaintext is unknown
• You cannot recognize the solution when you find it
• This is very hard, not in P and not in NP
• Verify that no solution exists to a problem
• Must test all possible solutions
• An unlimited number of possibilities
NP-Complete Problems
• The hardest problems in the class NP
• We don't know how to solve them in polynomial time
• But they are all equally hard
• An efficient solution for any one NP-complete problem can be used to solve all the others
NP-Complete Problems
NP-Hard
• Some video games are NP-complete
• Tetris, Super Mario Brothers, Candy Crush Saga
• Some are even harder: NP-hard
• Provably as difficult as NP-complete problems
• May not be in NP
P vs. NP
• If you could solve the hardest NP problem in polynomial time
• You could solve all NP problems in polynomial time
• NP would equal P
• No one has proven this yet
• There's a $1 million bounty for the proof
Does P = NP?
• Most theorists say no
• If it did, any easily-verified solution would be easy to find, in principle
• All cryptography would be insecure, in principle
• In practice, it might not matter, if easy solutions are difficult to find
Quantum Computers
• Link Ch 9e
• Link Ch 9f
Practical Cryptography
• If breaking a cipher were NP-complete
• That would be a very strong cipher
• But NP-complete problems are impractical for cryptography
• Because they are easy in specific cases
• So real cryptography uses problems that are probably not NP-hard
Lattice Problems
• Including Learning With Errors
• The only NP-hard problems successfully used in cryptography
• The basis for New Hope
• Made it to round 2, but not round 3, of the NIST Post-Quantum Cryptography Standardization Process
• Links Ch 9i, 9j, 9k
The Factoring Problem
• Given a large number N that is the product of two primes p and q
• Find p and q
• How difficult is this problem?
• Prime numbers cannot be divided evenly by any number other than themselves and one
• 1, 2, 3, 5, 7, 11 are prime
• 9=3x3 and 15=3x5 are not prime
Factoring Large Numbers in Practice
• Simplest algorithm
• Try dividing by all numbers from 2 to N-1
• If n is the number of bits in N
• This is O(2^n) --a hard problem
• Requires 2^256 operations for 256-bit N
Factoring Large Numbers in Practice
• Improved algorithm
• Try only primes from 2 to sqrt(N)
• This is O(2^(n/2)/n) --still hard, but easier
• Requires 2^120 operations for 256-bit N
Factoring Large Numbers in Practice
• Fastest known algorithm
• General number field sieve (GNFS)
• Requires 2^70 operations for 1024-bit N
• Requires 2^90 operations for 2048-bit N
• So we recommend 4096-bit keys for 128 bits of security
Experimental Results
• In 2005, a 663-bit N was factored using 75 cpu-years
• In 2009, a 768-bit N was factored using 2000 cpu-years
• People speculate that the NSA can factor a 1024-bit N
Is Factoring NP-Complete?
• No polynomial-time algorithm is known
• Suggesting that factoring is not in P
• However, we can easily verify a factor once it is found
• So factoring is in NP
• Factoring is probably easier than NP-complete problems, but this has not been proven
Quantum Computers
• Can factor numbers easily using quantum algorithms
• But they don't work well enough yet
Hardness Assumption
• Cryptography starts from a problem which is assumed to be hard
• The encryption is proven to be at least as hard as that "hard" problem
• Factoring and discrete logarithm problems are used as hardness assumptions
The Discrete Logarithm Problem
What is a Group?
• A set of elements and an operation ✖︎ that obey certain group axioms
• Example: Z_p*
• Numbers from 1 to p-1, where p is prime
• Z_5* contains {1, 2, 3, 4}
Group Axioms
• Closure
• Associativity
• Identity existence
• Inverse existence
Group Axioms
• Closure
• For any two elements x and y in the group, x ✖︎ y is in the group
• Associativity
• For any three elements x, y, and z, (x ✖︎ y) ✖︎ z = x ✖︎ (y ✖︎ z)
Group Axioms
• Identity existence
• There is an identity element e such that e ✖︎ x = x ✖︎ e = x
• Inverse existence
• For any x in the group, there exists y such that x ✖︎ y = y ✖︎ x = e
Commutative Groups
• For all x and y in the group, x ✖︎ y = y ✖︎ x
Cyclic Groups
• There's at least one element g such that g^1, g^2, g^3, ... mod p
• Span all group elements
• g is called the generator of the group
The Hard Thing
• The DLP consists of finding y for which g^y = x
• Within a group Z_p*, where p is a prime number
• And x is a known group element
• This problem is about as hard as factoring
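Added example (not from the original slides): the generators of Z_5* from the group slide, and a toy DLP instance solved by exhaustive search and by the generic baby-step giant-step method, which goes beyond the slides. The parameters p = 101, g = 2 and the exponent 77 are constructed for illustration and are far too small for real use.

```python
from math import isqrt

def is_generator(g, p):
    """True if g^1, g^2, ... mod p span all of Z_p* = {1, ..., p-1}."""
    seen, x = set(), 1
    for _ in range(p - 1):
        x = (x * g) % p
        seen.add(x)
    return len(seen) == p - 1

def dlog_brute(g, x, p):
    """Try y = 0, 1, 2, ... until g^y = x mod p. Returns (y, tries)."""
    acc = 1
    for y in range(p - 1):
        if acc == x % p:
            return y, y + 1
        acc = (acc * g) % p
    return None, p - 1

def dlog_bsgs(g, x, p):
    """Baby-step giant-step: about 2*sqrt(p) steps instead of p."""
    m = isqrt(p - 1) + 1
    baby, acc = {}, 1
    for j in range(m):                 # baby steps: table of g^j
        baby.setdefault(acc, j)
        acc = (acc * g) % p
    step = pow(g, -m, p)               # g^(-m) mod p (Python 3.8+)
    gamma = x % p
    for i in range(m):                 # giant steps: x * g^(-i*m)
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = (gamma * step) % p
    return None

if __name__ == "__main__":
    print([g for g in range(1, 5) if is_generator(g, 5)])  # generators of Z_5*
    p, g = 101, 2                      # constructed toy parameters
    x = pow(g, 77, p)
    print(dlog_brute(g, x, p), dlog_bsgs(g, x, p))
```

Both methods are exponential in the bit length of p: halving the exponent with baby-step giant-step still leaves about 2^(n/2) steps for an n-bit prime.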
How Things Can Go Wrong
Unlikely Problems
• These are possible but experts don't expect them to happen
• Someone finding a fast algorithm to factor numbers
• Someone proving that P = NP
When Factoring is Easy
• This 1024-bit number is easily factored, because it has a small factor
Other Easily-Factored Numbers
• If p and q are not random
• Near a known value 2^b
• Or some bits of p or q are known
• Or if N is small, such as 128-bit RSA
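Added example (not from the original slides): a key-audit check that flags three of the weak moduli described above: a short N, a small factor, or p and q close to each other (detected with Fermat's method, which goes beyond the slides). The function names, bounds and sample moduli are assumptions constructed for illustration.

```python
from math import isqrt

def small_factor(N, bound=100_000):
    """Trial division by 2 and odd d up to `bound`; a factor or None."""
    if N % 2 == 0:
        return 2
    d = 3
    while d <= bound and d * d <= N:
        if N % d == 0:
            return d
        d += 2
    return None

def close_factors(N, max_steps=100_000):
    """Fermat's method: succeeds fast only if p and q are near sqrt(N)."""
    a = isqrt(N)
    if a * a < N:
        a += 1
    for _ in range(max_steps):
        b = isqrt(a * a - N)
        if b * b == a * a - N and a - b > 1:
            return a - b, a + b
        a += 1
    return None

def audit_modulus(N, min_bits=2048):
    """Return the list of weaknesses found in RSA modulus N."""
    findings = []
    if N.bit_length() < min_bits:
        findings.append("short modulus")
    if small_factor(N) is not None:
        findings.append("small factor")
    if close_factors(N) is not None:
        findings.append("p and q too close")
    return findings

# Constructed sample moduli (toy sizes so the example runs instantly).
M61, M89 = 2**61 - 1, 2**89 - 1            # two Mersenne primes, far apart
CLOSE = 1_000_000_007 * 1_000_000_009      # twin primes
SMALL = 3 * M61 * M89                      # hidden small factor

if __name__ == "__main__":
    for name, N in [("far apart", M61 * M89), ("close", CLOSE), ("small", SMALL)]:
        print(name, N.bit_length(), audit_modulus(N))
```

An empty result only means these three cheap checks passed; it says nothing about whether p and q were generated with good randomness.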
OpenSSL Allows Short Keys
Original RSA Paper
• Recommended 512-bit keys (in 1978)
• Link Ch 9g
• 2015 paper presents two attacks
• Logjam MITM attack downgrades TLS to "export-grade" with 512-bit keys
• State-level adversaries can probably find a 1024-bit secret prime number used by millions of servers, and it appears that the NSA has done so
• Link Ch 9h