The result suggests that instead of looking far and wide for candidate one-way functions, cryptographers could just concentrate their efforts on understanding Kolmogorov complexity. “It all hinges on this trouble,” Ishai said. The proof is “discovery work on the foundations of cryptanalysis.”
The paper has prompted cryptographers and complexity theorists to work together more closely, spurring a burst of activity uniting their approaches. “Multiple research groups are working to get to the bottom of things,” said Ryan Williams, a computer scientist at the Massachusetts Institute of Technology.
Normally, a hard problem is an obstacle. But in cryptography, where you can deploy it against your adversaries, it’s a boon. In 1976, Whitfield Diffie and Martin Hellman wrote a groundbreaking paper in which they argued that the particular difficulty of one-way functions was precisely what cryptographers needed to meet the demands of the dawning computer age. “We stand today on the verge of a revolution in cryptography,” they wrote.
Reading: Quanta Magazine
In the decades that followed, researchers figured out how to build a wide variety of cryptographic tools out of one-way functions, including private key encryption, digital signatures, pseudorandom number generators and zero-knowledge proofs (in which one person can convince another that a statement is true without revealing the proof). Diffie and Hellman’s paper was “about like a prophecy,” Pass said. From the single building block of one-way functions, cryptographers managed to build “these super-complex and beautiful creatures,” he said.
To get a feel for how one-way functions work, imagine someone asked you to multiply two large prime numbers, say 6,547 and 7,079. Arriving at the answer of 46,346,213 might take some work, but it is eminently doable. However, if someone instead handed you the number 46,346,213 and asked for its prime factors, you might be at a loss. In fact, for numbers whose prime factors are all large, there is no efficient way (that we know of) to find those factors. This makes multiplication a promising candidate for a one-way function: As long as you start with large enough prime numbers, the process seems easy to do, but hard to undo. But we don’t know for certain that this is the case. Someone could find a fast way to factor numbers at any moment.
Cryptographers have gleaned an assortment of potential one-way functions from different areas of mathematics, but no single function has a higher claim than another. If, say, multiplication were toppled as a one-way function tomorrow, that wouldn’t say anything about the validity of the other candidate one-way functions. Cryptographers have long asked whether there is some quintessential one-way function — one which, if broken, would pull all the other candidates down with it.
In 1985, Leonid Levin, a computer scientist at Boston University, answered this question in a formal sense, demonstrating a “universal” one-way function that is guaranteed to be a one-way function if anything is. But his construction was “identical artificial,” said Eric Allender, a computer scientist at Rutgers University. It is “not something anybody would have studied for any reason other than to get a consequence like that.”
What cryptographers were really after was a universal one-way function that stemmed from some natural problem — one that would give real insight into whether one-way functions exist. Researchers long had a particular problem in mind: Kolmogorov complexity, a measure of randomness that originated in the 1960s. But its connection with one-way functions was subtle and elusive.
Pass became fascinated with that connection as a graduate student in 2004. Over the years he toyed with the problem, without much success. But he felt sure there was something there, and a burst of activity in Kolmogorov complexity over the past five years only heightened his interest.
Pass tried to persuade several graduate students to explore the question with him, but none were willing to take on what might turn out to be a fruitless project. Then Yanyi Liu started graduate school at Cornell. “Yanyi was audacious,” Pass wrote in an email. Together, they plunged in.
What Is Random?
The concept of randomness is, by its nature, tricky to pin down. There’s a Dilbert comic strip in which an office tour guide shows Dilbert the accounting department’s “random number generator” — which turns out to be a monster who just keeps repeating the number 9. “Are you sure that’s random?” Dilbert asks. “That’s the problem with randomness,” his guide answers, “you can never be sure.”
If someone shows you the number strings 99999999999999999999 and 03729563829603547134 and says they were chosen randomly, you can’t exactly debunk that claim: Both strings have the same probability of being created when you pick digits randomly. Yet the second string certainly feels more random.
“We think that we know what we mean when we say, ‘That thing is random,’” Allender said. “But it wasn’t really until the notion of Kolmogorov complexity was defined that that was shown to have a mathematically meaningful definition.”
To get at the notion of a random string of numbers, Andrey Kolmogorov decided in the 1960s to focus not on the process by which the string was generated, but on the ease with which it can be described. The string 99999999999999999999 can be concisely described as “20 9s,” but the string 03729563829603547134 might not have any description shorter than the string itself.
Kolmogorov defined the complexity of a string as the length of the shortest possible program that produces the string as an output. If we’re dealing with, say, thousand-digit strings, some have very short programs, such as “print a thousand 9s” or “print the number 23319” or “print the first thousand digits of π using the following formula….” Other strings are impossible to describe succinctly and have no program shorter than one that writes out the entire string and just tells the computer to print it. And some strings have programs whose length falls somewhere in the middle.
Kolmogorov complexity quickly became one of the core concepts of computer science. The notion is so fundamental that it was independently discovered multiple times in the 1960s. It’s “a deep problem, not equitable about randomness [and] mathematics, but in truth about science in general,” Pass said.
There’s just one drawback to Kolmogorov complexity: It’s incomputable, meaning that there is no program that can calculate the complexity of every possible string. We know this because if there were such a program, we’d end up with a contradiction.
To see this, suppose we have a program that can compute Kolmogorov complexity for any string. Let’s call the program K. Now, let’s search for the smallest string of numbers — call it S — whose Kolmogorov complexity is double the length of K. To be concrete, we could imagine that K has 1 million characters, so we’re looking for a string S whose Kolmogorov complexity is 2 million (meaning that the shortest program that outputs S has 2 million characters).
With program K in our toolbox, calculating S is easy (though not necessarily quick): We can write a new program that we’ll call P. The program P essentially says, “Go through all strings in order, using program K to compute their Kolmogorov complexity, until you find the first one whose Kolmogorov complexity is 2 million.” We’ll need to use program K when building P, so altogether P will have slightly more than 1 million characters. But this program outputs S, and we defined S as a string whose shortest program has 2 million characters. There’s the contradiction.
But this contradiction evaporates if, instead of looking for the shortest program that outputs a string, we look for the shortest reasonably efficient program that outputs the string (where we get to specify what “reasonably” means). After all, the program P takes an enormous amount of time to run, since it has to check so many strings. If we forbid such slow programs, we end up with a notion called “time-bounded” Kolmogorov complexity. This version of Kolmogorov complexity is computable — we can calculate the time-bounded Kolmogorov complexity for every possible string, at least in principle. And in some ways, it is as natural a concept as the original Kolmogorov complexity. After all, Pass said, what we actually care about is, “Can you actually generate the string while we live on Earth, or while the universe even exists?”
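The computability claim above can be made concrete with a brute-force search. The following is an added example, not code from the article or from Liu and Pass's paper; the five-instruction toy language (one decimal counter cell, `+`, `-`, `.` to print, `[` `]` to loop while the cell is nonzero), the one-step-per-instruction cost, the `max_len` search cap and the names `run` and `kt` are all assumptions made for illustration.

```python
from itertools import product

ALPHABET = "+-.[]"  # toy instruction set (an assumption of this example)

def match_brackets(prog):
    """Map each bracket index to its partner, or None if unbalanced."""
    stack, pairs = [], {}
    for i, c in enumerate(prog):
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                return None
            j = stack.pop()
            pairs[i], pairs[j] = j, i
    return None if stack else pairs

def run(prog, t):
    """Run prog for at most t steps. Return its output, or None if it is
    malformed or has not halted when the step budget runs out."""
    pairs = match_brackets(prog)
    if pairs is None:
        return None
    cell, pc, steps, out = 0, 0, 0, []
    while pc < len(prog):
        if steps == t:
            return None            # too slow: excluded by the time bound
        steps += 1
        c = prog[pc]
        if c == "+":
            cell = (cell + 1) % 10
        elif c == "-":
            cell = (cell - 1) % 10
        elif c == ".":
            out.append(str(cell))
        elif (c == "[" and cell == 0) or (c == "]" and cell != 0):
            pc = pairs[pc]         # jump to the matching bracket
        pc += 1
    return "".join(out)

def kt(target, t, max_len):
    """(length, program) of the shortest program of at most max_len
    instructions that prints target within t steps, else None."""
    for n in range(1, max_len + 1):
        for prog in map("".join, product(ALPHABET, repeat=n)):
            if run(prog, t) == target:
                return n, prog
    return None
```

Because every candidate is cut off after `t` steps, a program such as `+[.]` that would print forever cannot stall the search, which is what makes the time-bounded measure computable; the price is that the number of candidates grows as 5^n with program length.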
Since time-bounded Kolmogorov complexity is computable, a natural next question is how hard it is to compute. And this is the question that Liu and Pass proved holds the key to whether one-way functions exist. “It’s a lovely penetration,” Allender said.
More specifically, suppose you’ve set your sights on a less lofty goal than calculating the exact time-bounded Kolmogorov complexity of every possible string — suppose you’re content to calculate it approximately, and just for most strings. If there’s an efficient way to do this, Liu and Pass showed, then true one-way functions cannot exist. In that case, all our candidate one-way functions would be instantly breakable, not just in theory but in practice. “Bye-bye to cryptography,” Pass said.
Conversely, if calculating the approximate time-bounded Kolmogorov complexity is too hard to solve efficiently for many strings, then Liu and Pass showed that true one-way functions must exist. If that’s the case, their paper even provides a specific way to make one. The one-way function that they describe in their paper is too complicated to use in real-world applications, but in cryptography, practical constructions often quickly follow a theoretical breakthrough, Ishai said. The impracticality of Liu and Pass’ one-way function, he said, is “not a cardinal limit.”
And if their function can be made practical, it should be used in preference to the candidate one-way functions based on multiplication and other mathematical operations. For if anything is a one-way function, this one is. “If we can break an outline like that, then all other schemes out there can besides be broken,” Pass said.
A Richer Theory
The paper has set off a flurry of new research at the interface of cryptography and complexity theory. While both disciplines investigate how hard computational problems are, they come at the question from different mindsets, said Rahul Santhanam, a complexity theorist at the University of Oxford. Cryptography, he said, is fast-moving, pragmatic and optimistic, while complexity theory is slow-moving and conservative. In the latter field, “there are these long-standing capable questions, and once in every twelve years, something happens,” he said. But “the questions are very thick and difficult.”
Now cryptography and complexity have a shared goal, and each field offers the other a fresh perspective: Cryptographers have powerful reasons to think that one-way functions exist, and complexity theorists have different powerful reasons to think that time-bounded Kolmogorov complexity is hard. Because of the new results, the two hypotheses bolster each other.
“If you believe this [Kolmogorov complexity] problem is difficult … then you believe in one-way functions,” Williams said. And “if you believe in crypto at all, then you’ve kind of got to believe that this version of time-bounded Kolmogorov complexity must be hard.”
Cryptographers are now faced with the task of trying to make Liu and Pass’ one-way function more practical. They are also starting to explore whether any other “master problems” besides time-bounded Kolmogorov complexity might also govern the existence of one-way functions, or of more sophisticated cryptographic tools. Complexity theorists, meanwhile, are starting to dig deeper into understanding the hardness of Kolmogorov complexity.
All of this suggests that the discovery’s true legacy might be still to come. “[It’s] a seeded player of something that is likely to develop into a much richer hypothesis,” Ishai said.