CNIT 141: 9. Hard Problems
1 like577 views
The document discusses hard computational problems related to cryptography, including complexity classes, the factoring problem, and the discrete logarithm problem. It explains how different problems can be categorized by their computational difficulty and the implications for cryptographic security, particularly in relation to quantum computing. Additionally, it highlights the significance of hardness assumptions in cryptographic practices and the potential vulnerabilities associated with them.
![Measuring Running Time
• Search an array of n elements to find x
• Number of loops between 1 and n
• Expected value: n/2
• Complexity is linear in n
• Doubling n doubles running time
search(x, array, n):
for i from 1 to n
if (array[i] == x) return i;
return 0;](https://image.slidesharecdn.com/141-ch9-190331005253/85/CNIT-141-9-Hard-Problems-5-320.jpg)
CNIT 141: 9. Hard Problems
- 1. CNIT 141 Cryptography for Computer Networks 9. Hard Problems
- 2. Topics • Computational Hardness • Complexity Classes • The Factoring Problem • The Discrete Logarithm Problem • How Things Can Go Wrong
- 4. Computational Hardness • Computationally hard problems • Also called intractable problems • Take an unreasonable amount of time to solve • Regardless of hardware
- 5. Measuring Running Time • Search an array of n elements to find x • Number of loops between 1 and n • Expected value: n/2 • Complexity is linear in n • Doubling n doubles running time search(x, array, n): for i from 1 to n if (array[i] == x) return i; return 0;
- 6. Complexity Classes • Searching a list: linear or O(n) • Sorting a list: linear-logarithmic or O(n log n) • Brute-force key recovery: exponential or O(2n) • Quadratic time is O(n2)
- 7. Linear is Fast • Compared to exponential or quadratic
- 8. Polynomial vs. Superpolynomial Time • Polynomial time includes O(n2), O(n3), O(n4), etc. • They are considered practically feasible • Superpolynomial time is anything that grows faster than polynomial, like O(2n) or O(nlog(n)). • They are considered impractical, or hard
- 11. • Time complexity • TIME(n2) • All problems solvable in O(n2) • TIME(2n) • All problems solvable in O(2n) Complexity Classes
- 12. Space Complexity • The memory required by an algorithm • SPACE(n2) • Require O(n2) bits of memory
- 13. Nondeterministic Polynomial Time • P is the class of all polynomial-time algorithms • NP is the class of non-deterministic polynomial-time algorithms • Problems for which a solution can be verified in polynomial time • Even though the solution may be hard to find
- 14. NP Problems • Recovering a secret key with known plaintext • Easy to verify whether a key is correct (P) • Finding the key is hard but that's a different problem
- 15. • Link Ch 9c
- 16. Problems Outside NP and P • Consider brute-forcing the one-time pad • You cannot recognize the solution when you find it • This is very hard, not in P and not in NP • Verify that no solution exists to a problem • Must test all possible solutions • An unlimited number of possibilities
- 17. NP-Complete Problems • The hardest problems in the class NP • We don't know how to solve them in polynomial time • But they are all equally hard • An efficient solution for any one NP-complete problem can be used to solve all the others
- 20. NP-Hard • Some video games are NP-complete • Some are even harder: NP-hard • Provably as difficult as NP-complete problems
- 21. P vs. NP • If you could solve the hardest NP problem in polynomial time • You could solve all NP problems in polynomial time • NP would equal P • No one has proven this yet, there's a $1 million bounty for the proof
- 22. Does P = NP? • Most theorists say no • If it did, any easily- verified solution would be easy to find, in principle • All cryptography would be insecure, in principle • In practice, it might not matter (link Ch 9d)
- 23. Quantum Computers • Link Ch 9e
- 24. • Link Ch 9f
- 25. Practical Cryptography • If breaking a cipher were NP-complete • That would be a very strong cipher • But NP-complete problems are impractical for cryptography • Because they are easy in specific cases • So real cryptography uses problems that are probably not NP-hard
- 26. Lattice Problems • Including Learning With Errors • The only NP-hard problems successfully used in cryptography • The basis for New Hope • The front-runner for post-quantum encryption • Links Ch 9i, 9j
- 28. The Factoring Problem • Given a large number N that is the product of two primes p and q • Find p and q • How difficult is this problem? • Prime numbers cannot be divided evenly by any number other than themselves and one • 1, 2, 3, 5, 7, 11 are prime • 9=3x3 and 15=3x5 are not prime
- 29. Factoring Large Numbers in Practice • Simplest algorithm • Try dividing by all numbers from 2 to N-1 • If n is the number of bits in N • This is O(2n) --a hard problem • Requires 2256 operations for 256-bit N
- 30. Factoring Large Numbers in Practice • Improved algorithm • Try only primes from 2 to sqrt(N) • This is O(2n/2/n) --still hard, but easier • Requires 2120 operations for 256-bit N
- 31. Factoring Large Numbers in Practice • Fastest known algorithm • General number field sieve (GNFS) • Requires 270 operations for 1024-bit N • Requires 290 operations for 2048-bit N • So we recommend 4096-bit keys for 128 bits of security
- 32. Experimental Results • In 2005, a 663-bit N was factored using 75 cpu-years • In 2009, a 768-bit N was factored using 2000 cpu-years • People speculate that the NSA can factor a 1024-bit N
- 33. Is Factoring NP-Complete? • No polynomial-time algorithm is known • Suggesting that factoring is not in P • However, we can easily verify a factor once it is found • So factoring is in NP • Factoring is probably easier than NP- complete problems, but this has not been proven
- 34. Quantum Computers • Can factor numbers easily using quantum algorithms • But they don't work well enough yet
- 35. Hardness Assumption • Cryptography starts from a problem which is assumed to be hard • The encryption is proven to be at least as hard as that "hard" problem • Factoring and discrete logarithm problems are used as hardness assumptions
- 37. What is a Group? • A set of elements and an operation ✖ that obey certain group axioms • Example: Zp* • Numbers from 1 to p-1, where p is prime • Z5* contains {1, 2, 3, 4}
- 38. Group Axioms • Closure • Associativity • Identity existence • Inverse existence
- 39. Group Axioms • Closure • For any two elements x and y in the group • x ✖ y is in the group • Associativity • For any three elements x, y, and z • (x ✖ y) ✖ z = x ✖ (y ✖ z)
- 40. Group Axioms • Identity existence • There is an identity element e such that • e ✖ x = x ✖ e = x • Inverse existence • For any x in the group, there exists y such that • x ✖ y = y ✖ x = e
- 41. Commutative Groups • For all x and y in the group. • x ✖ y = y ✖ x
- 42. Cyclic Groups • There's at least one element g such that • g1, g2, g3, ... mod p, • Span all group elements • g is called the generator of the group
- 43. The Hard Thing • The DLP consists of finding y for which • gy = x • Within a group Zp*, where p is a prime number • And x is a known group element • This problem is about as hard as factoring
- 44. How Things Can Go Wrong
- 45. Unlikely Problems • These are possible but experts don't expect them to happen • Someone finding a fast algorithm to factor numbers • Someone proving that P = NP
- 46. When Factoring is Easy • This 1024-bit number is easily factored, because it has a small factor
- 47. Other Easily-Factored Numbers • If p and q are not random • Near 2b • Or some bits of p or q are known • Or if N is small, such as 128-bit RSA
- 49. Original RSA Paper • Recommended 512-bit keys (in 1978) • Link Ch 9g
- 50. • 2015 paper presents two attacks • Logjam MITM attack downgrades TLS to "export-grade" with 512-bit keys • State-level adversaries can probably find a 1024-bit secret prime number used by millions of servers, and it appears that the NSA has done so • Link Ch 9h