Most amateur mathematicians, like myself, don't believe the world is flat or that the government is bombarding us with mind-control chemicals; we just enjoy having a go at the mathematical problems of the day over a cup of tea or, more likely, a beer or two. C'mon Bruce, don't be so hard, it makes us feel ... er ... cranky!

I found an interesting posting on a blog. Do you have a comment on this?

But it is not a mathematical proof, because it relies on things we observe in nature. So there will be no $1M.

IIRC integer factorization is known to NOT be NP-complete; it's just not known if it's in P. It may be in NP – P – NP-complete (that is, not in P, not NP-complete, but still in NP).

Let AES-K be Rijndael with a K-bit key and 128-bit block. Let AES-K-ECB and AES-K-CTR be Electronic Codebook mode and Counter mode, respectively.

For a chosen-plaintext attack on AES-K-ECB, the problem is clearly in P. In fact, the attacker can succeed in time and space linear in the time it takes to do ordinary encryption/decryption with the key.

That’s because AES-K-ECB is a simple substitution cipher on an alphabet of 2^128 “letters”. So it can be broken with 2^128 chosen plaintexts. And 2^128 is merely O(1), because it doesn’t depend on K. The “key” you find is a table with 2^128 entries, which is merely O(1) space. So AES-K-ECB is in P.

If you prefer counter mode, AES-K-CTR uses a counter the size of the block, so the counter wraps around every 2^128 blocks, so you need only 2^256 chosen plaintext blocks to completely break it. So again, AES is in P.

This is a great illustration of how the P ?= NP question truly isn’t relevant for cryptography. Cryptographers want to know whether AES-256-CTR is secure. Many people bet it is. But AES-K-CTR can be broken in polynomial time, and so is in P. And AES-256-CTR isn’t in any complexity class, because classes like P and NP need a “size” that goes to infinity.

So from a complexity theory viewpoint, AES is no different from the decoder ring you get in a cereal box.
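The codebook and counter-wrap arguments in the comment above, as an added example that is not part of the original thread and is not real AES: a constructed 8-bit-block toy cipher (a keyed random permutation, assumed here as a stand-in for AES-K) with ECB and CTR modes, plus the attacker's side, which never touches the key. With 2^8 "letters" the ECB codebook has 256 entries and the CTR keystream repeats after 256 blocks; the names, the sample plaintexts and the nonce are all made up for the demonstration.

```python
import random

# Constructed toy stand-in for "AES-K": a keyed permutation on 8-bit blocks, so the
# alphabet has 2^8 "letters" instead of 2^128. Nothing below depends on the key
# schedule; the attacks use only the structure of the ECB and CTR modes.
BLOCK_BITS = 8
BLOCK_SPACE = 1 << BLOCK_BITS


class ToyBlockCipher:
    """Keyed random permutation of the block space (assumed stand-in, not AES)."""

    def __init__(self, key: bytes):
        perm = list(range(BLOCK_SPACE))
        random.Random(key).shuffle(perm)  # the key selects which permutation
        self._enc = perm
        self._dec = [0] * BLOCK_SPACE
        for p, c in enumerate(perm):
            self._dec[c] = p

    def encrypt_block(self, block: int) -> int:
        return self._enc[block]

    def decrypt_block(self, block: int) -> int:
        return self._dec[block]


def ecb_encrypt(cipher: ToyBlockCipher, plaintext: bytes) -> bytes:
    # ECB: every block goes through the same fixed substitution.
    return bytes(cipher.encrypt_block(b) for b in plaintext)


def ctr_encrypt(cipher: ToyBlockCipher, nonce: int, plaintext: bytes) -> bytes:
    # CTR: the counter is block-sized, so the keystream repeats after BLOCK_SPACE blocks.
    return bytes(
        b ^ cipher.encrypt_block((nonce + i) % BLOCK_SPACE)
        for i, b in enumerate(plaintext)
    )


# --- Attacker side: no key, only oracle access or known plaintext ----------------

def build_ecb_codebook(encrypt_oracle) -> dict:
    """Chosen-plaintext attack on ECB: query each of the BLOCK_SPACE possible
    blocks once and record ciphertext -> plaintext. The table is the 'key'."""
    return {encrypt_oracle(bytes([p]))[0]: p for p in range(BLOCK_SPACE)}


def ecb_decrypt_with_codebook(codebook: dict, ciphertext: bytes) -> bytes:
    return bytes(codebook[c] for c in ciphertext)


def recover_ctr_keystream(nonce: int, known_pt: bytes, known_ct: bytes) -> list:
    """Known-plaintext attack on CTR: one full counter period (BLOCK_SPACE blocks)
    of plaintext/ciphertext pairs yields the keystream block for every counter value."""
    if len(known_pt) < BLOCK_SPACE or len(known_ct) < BLOCK_SPACE:
        raise ValueError("need at least one full counter period of known plaintext")
    keystream = [0] * BLOCK_SPACE
    for i in range(BLOCK_SPACE):
        keystream[(nonce + i) % BLOCK_SPACE] = known_pt[i] ^ known_ct[i]
    return keystream


def ctr_decrypt_with_keystream(keystream: list, nonce: int, ciphertext: bytes) -> bytes:
    return bytes(c ^ keystream[(nonce + i) % BLOCK_SPACE] for i, c in enumerate(ciphertext))


def demo(key: bytes = b"key the attacker never sees") -> tuple:
    cipher = ToyBlockCipher(key)
    secret = b"attack at dawn"  # constructed sample plaintext

    # ECB: the attacker gets an encryption oracle, fills the codebook with 256
    # chosen plaintexts, then reads a ciphertext whose plaintext it never saw.
    codebook = build_ecb_codebook(lambda pt: ecb_encrypt(cipher, pt))
    recovered_ecb = ecb_decrypt_with_codebook(codebook, ecb_encrypt(cipher, secret))

    # CTR: one long message whose first BLOCK_SPACE bytes are a known header;
    # once the counter wraps, the known part reveals the keystream for the rest.
    nonce = 7
    header = bytes(range(BLOCK_SPACE))  # constructed known plaintext, one full period
    message_ct = ctr_encrypt(cipher, nonce, header + secret)
    keystream = recover_ctr_keystream(nonce, header, message_ct)
    tail_ct = message_ct[BLOCK_SPACE:]
    recovered_ctr = ctr_decrypt_with_keystream(
        keystream, nonce + BLOCK_SPACE, tail_ct  # counter position of the tail
    )
    return recovered_ecb, recovered_ctr


if __name__ == "__main__":
    print(demo())
```

Both attacks cost a number of oracle queries or known blocks fixed by the block size, not by the key length, which is the comment's O(1) point; with a 128-bit block the same code would need 2^128 queries and a 2^128-entry table, so the constant, not the complexity class, is what actually protects the cipher.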

That's not true. Even if P=NP, there may still be no algorithm for breaking AES-256 other than brute force.

If P=NP, then there’s a polytime algorithm for breaking AES-K, for keys of size K, that’s polynomial in the limit as K goes to infinity. But it’s possible that this magic algorithm works by reducing the AES-K problem to a small set of AES-256 problems, breaking each of those subproblems by brute force, then combining their answers to get the answer to the original AES-K problem. Such an algorithm tells us nothing new about AES-256.

So even if P=NP, it’s still possible that AES-256 has no breaks other than brute force. It’s even possible that AES-trillion has no breaks other than brute force. All P=NP would tell us is that we’ll have something other than brute force for key lengths above SOME unknown threshold.

[p.s. Yes, I know AES-K technically doesn’t exist for large K; obviously I mean Rijndael-K for any K for which AES-K isn’t defined]

We trust AES-256 because of two things. First, we know of no cracks (this is admittedly speculative), and therefore the only way anybody's come up with to break it is brute force. Second, it physically cannot be brute-forced with the resources of only one galaxy. Even if some quantum trickery reduces the effective keylength in half, it's still impossible to brute-force a 128-bit key with the resources of only one solar system.

If P=NP, we know there’s a way to crack it without the need for brute force. The standard way (based on the proof) may be infeasible in the same way as brute force, but now we know that we don’t need brute force. It’s like a crack reducing complexity to something like 2^192; it reduces our confidence in the cipher.
