REESSE1+ · Reward · Proof by Experiment · A New Approach to Proof of P ≠ NP


Authors: Shenghui Su, Shuwang Lu

> http://arxiv.org/pdf/0908.0482 <

REESSE1+ · Reward · Proof by Experiment · A New Approach to Proof of P ≠ NP *

Shenghui Su (1) and Shuwang Lü (2)
(1) College of Computers, Beijing University of Technology, Beijing 100124, P. R. China
(2) Graduate School, Chinese Academy of Sciences, Beijing 100039, P. R. China

Abstract: The authors discuss what provable security in cryptography is, and hold that provable security is asymptotic, relative, and dynamic, and only a supplement to, not a replacement of, exact security analysis. Because the conjecture P ≠ NP has not been proven yet, and because, in terms of the two incompleteness theorems of Kurt Gödel, there may be some cryptosystem whose security cannot be proven, or can only ideally be proven, in the random oracle model, the security of a cryptosystem lies between provability and unprovability, and any academic conclusion must be checked and verified with practice or experiments as much as possible. In addition, a new approach to the proof of P ≠ NP is pointed out. Lastly, a reward is offered for subexponential time solutions to the three REESSE1+ problems, MPP, ASPP, and TLP, with n ≥ 80 and lg M ≥ 80, which may be regarded as a type of security proof by experiment.

Keywords: Public key cryptosystem, REESSE1+ problem, Provable security, Exact security, Subexponential time

1 Proof and Provable Security

Shimon Even said, "A proof is whatever convinces me." [1] Oded Goldreich, a cryptologist, thinks that traditionally in mathematics a "proof" is a fixed sequence of statements which either are self-evident or are derived from previous statements via self-evident rules, whereas in other areas of human activity the notion of a "proof" has a much wider interpretation [1]. The several types of proof methods in common use are proof by construction, proof by contradiction, proof by induction, proof by deduction or reduction, and proof by a combination of the preceding methods [2].
Security is an attribute of a cryptosystem or protocol. A cryptosystem or protocol is said to have provable security if some or all of its security requirements can be stated formally in an adversarial model, as opposed to heuristically, with clear assumptions that certain computational problems are hard and that the adversary has access to the cryptosystem as well as enough computational resources [3]. The proof of security (called a "reduction") shows that these security requirements are met provided the assumptions about the adversary's access to the cryptosystem are satisfied and some clearly stated assumptions about the hardness of certain computational problems hold [3].

There are several approaches to provable security. One is to establish the "correct" definition of security for a given and intuitively understood computational task or problem. Another is to suggest constructions and arguments based on assumptions as general as possible, for example that the conjecture P ≠ NP holds. Some work in given theoretical models such as the random oracle model, where real hash functions are replaced by an idealization [3]. No real function can implement a true random oracle. In fact, it is known that certain artificial signature and encryption schemes are proven secure in the random oracle model but are trivially insecure when any real function is substituted for the random oracle [4].

It should not be met with indifference that recently Koblitz and Menezes have criticized aspects of provable security in their papers Another Look at "Provable Security" and Another Look at "Provable Security" II [5]. These views have been controversial in the community. Very recently the AMS published a controversial article by Koblitz titled "The Uneasy Relationship Between Mathematics and Cryptography". Several rebuttals have been written and posted [6][7].

* Manuscript first received Aug. 4, 2009, and last revised Aug. 25, 2014. Corresponding e-mail: reesse@126.com. The offer is supported by JUNA.

2 Provable Security Is Asymptotic, Relative, and Dynamic: A Cryptosystem Is between Provability and Unprovability

The provable security of a cryptosystem or a digital signature scheme is asymptotic, relative, and dynamic, which can be understood because ① the proof of security of a cryptosystem or a digital signature scheme is by reduction, which ties the security to some intractabilities; ② the one-wayness of an intractability is based on computational complexity, which indicates that the security is asymptotic from the threshold value of a dominant parameter; ③ the security proof is always made with some assumptions, for example that the integer factorization problem has no polynomial time solution, and these are themselves asymptotic, relative, and dynamic; ④ the speed of a computer has been rising continually since 1978; ⑤ the model of computation will move to the quantum Turing machine or others; ⑥ if provable security could assure that a scheme is absolutely or unconditionally secure, the pair of "spears" and "shields" would disappear, and cryptanalysts would lose their occupations.

As a visualization, iron doors are firmer than wood doors in an asymptotic or relative sense, but we may not say that an iron door 0.5 mm thick is firmer than a wood door 10 mm thick. An iron door 10 mm thick is secure now, but we may not say that the iron door 10 mm thick will still be secure in the future.

In provable security theory, the most basic assumption, P ≠ NP, has not been proven yet. Additionally, in terms of the two incompleteness theorems of Kurt Friedrich Gödel [8], it is possible that the security of some cryptosystem, especially some multivariate or multiproblem cryptosystem, cannot be proven, or can only ideally be proven, in the random oracle model.
Gödel essentially constructed a formula which claims that it is unprovable in a given formal system, because if it were provable it would be false, which contradicts the idea that in a consistent system provable statements are always true [8]. Thus, the security of a cryptosystem lies right between provability and unprovability.

3 Provable Security Is Only a Supplement to But Not a Replacement of Security Analysis

The significance of provable security is that it provides a piece of theoretical evidence that a cryptographic scheme should be secure or that a computational problem should be intractable generically; nevertheless, it cannot replace "exact security" or "concrete security". Exact security is practice-oriented, and aims to give a more precise estimate of the running time of an attack [9], which means that one quantifies security by computing precise bounds on computational effort rather than an asymptotic bound which is only guaranteed to hold for a sufficiently large value of the dominant security parameter. Exact security is obtained through security analysis once a value of the dominant security parameter is given. Security analysis sometimes cannot try all potential attack methods exhaustively, but it must consider the most efficient attacks known so far [10]. Besides, security analysis does not exclude formal proofs such as those in the random oracle model and polynomial time Turing reductions.

In general, the security analysis of primitive problems, the integer factorization problem (IFP) and the discrete logarithm problem (DLP) for example, is very arduous because it is impossible to search exhaustively over all solution methods. However, the security analysis of some composite problems, the multivariate permutation problem (MPP) and the anomalous subset product problem (ASPP) for example, is comparatively easy because the combinations of the multiple variables in the composite problems may be searched exhaustively on the assumption that the primitives IFP, DLP, etc. can be solved in tolerable subexponential time [11][12]. Why are the composite problems MPP and ASPP very hard? There are two reasons: ① finding a specific permutation of the multiple variables in the MPP is very difficult; ② ASSP is proven to be NP-complete, and verified with experiments to be asymptotically secure.

4 Is Cryptology an Academic or Technologic Thing

The ending "-logy" indicates that cryptology inclines towards technology, as a cryptosystem may be protected by a patent and is to a great extent a type of bit magic, which of course does not exclude cryptology from bearing scientific ingredients, computational complexity theory and formal security proofs in public key cryptography for example. Technology and science never repel each other. Applied academic things must be checked and verified with practice or experiments, as technologic things are. Provable security only gives a formal verification of the security of a public key cryptosystem, but the ultimate verification is practice and experiments, and moreover experiments on academic things should be repeatable. Academic things should serve technologic things, not dissociate from them, further not tempt cryptology to deviate from the technologic criterion, and especially not suppress technologic things. Therefore, people should appraise a public key encryption scheme or a signature scheme objectively, dialectically, and materialistically, not subjectively, metaphysically, or idealistically.
5 A New Approach to Proof of P ≠ NP

In [13], we prove that the TLP y ≡ x^x (% M) with M prime is computationally harder than the DLP y ≡ g^x (% p) through asymptotic granularity reduction, which indicates that P ≠ NP holds. However, the asymptotic granularity reduction is based on the assumption that the noninvertibility of a univariate increasing function y = f(x) with x > 0 is in direct proportion to its growth rate as reflected by its derivative. Therefore, the proof of P ≠ NP, for which a reward of $1,000,000 is offered by the CMI (Clay Mathematics Institute), is equivalent to the proof of the above assumption. The latter seems to be easier.

6 A Reward Is Offered for Subexponential Time Solutions to the Three REESSE1+ Problems

This may be regarded as a type of proof by experiment. Here n ≥ 80 is the length of a binary string b_1 … b_n ≠ 0 whose bit-pair string is B_1 … B_{n/2}, containing at most n/4 00-pairs; the sign % denotes "modulo"; M̄ means M − 1 with M prime; and lg x means the logarithm of x to the base 2.

The analysis in [11] and [12] shows that any effectual attack on REESSE1+ reduces to the solution of four intractabilities so far: a multivariate permutation problem (MPP), an anomalous subset product problem (ASPP), a transcendental logarithm problem (TLP), and a polynomial root finding problem (PRFP). It is well known that it is infeasible in subexponential time to find a large root of the PRFP a x^n + b x^{n−1} + c x + d ≡ 0 (% M) with a ∉ {0, 1}, |b| + |c| ≠ 0, d ≠ 0, and n, M large enough [13][14].

Let n = 80, 96, 112, 128 with ⌈lg M⌉ = 384, 464, 544, 640 for the optimized REESSE1+ encryption scheme, or with ⌈lg M⌉ = 80, 96, 112, 128 for the lightweight REESSE1+ signing scheme.

Assume that ({C_1, …, C_{3n/2}}, M) is a public key, and ({A_1, …, A_{3n/2}}, {ℓ(1), …, ℓ(3n/2)}, W, δ, M) with W, δ ∈ (1, M̄), A_i ∈ {2, 3, …, 1201}, and ℓ(i) ∈ {±5, ±7, …, ±(2(3n/2) + 3)} is the private key, where the sign ± means that either the plus sign + or the minus sign − is selected, unknown to the public. The authors promise solemnly that

① anyone who can definitely extract the original private key from the MPP

    C_i ≡ (A_i W^{ℓ(i)})^δ (% M) for i = 1, …, 3n/2

in DLP subexponential time will be awarded $100,000 when n = 80, 96, 112, 128 with ⌈lg M⌉ = 384, 464, 544, 640, or $10,000 with ⌈lg M⌉ = 80, 96, 112, 128;

② anyone who can definitely recover the original plaintext b_1 … b_n from the ASPP

    Ḡ ≡ ∏_{i=1}^{n/2} (C_{3(i−1)+B_i})^{Ḅ_i} (% M), with C_0 = 1, B_i read as the integer value 0 to 3 of the bit pair, and Ḅ_i a bit-pair shadow,

in DLP subexponential time will be awarded $100,000 when n = 80, 96, 112, 128 with ⌈lg M⌉ = 384, 464, 544, 640, or $10,000 with ⌈lg M⌉ = 80, 96, 112, 128. Here Ḅ_i = 0 if B_i = 00; Ḅ_i = 1 + the number of successive 00-pairs immediately before B_i if B_i ≠ 00; and, if B_i is the leftmost non-00 pair, Ḅ_i = 1 + the number of successive 00-pairs before B_i + the number of successive 00-pairs after the rightmost non-00 pair. For example, b_1 … b_12 = 010000110100 gives B_1 … B_6 = 01 00 00 11 01 00 with Ḅ_1 … Ḅ_6 = 2 0 0 3 1 0;

③ anyone who can definitely find the original large answer x ∈ (1, M̄) to the TLP

    y ≡ (g^x)^x (% M) with known g, y ∈ (1, M̄)

in DLP subexponential time will be awarded $100,000 when n = 80, 96, 112, 128 with ⌈lg M⌉ = 384, 464, 544, 640, or $10,000 with ⌈lg M⌉ = 80, 96, 112, 128.

Of course, any solution must be described as a formal process, and must be verifiable on our examples. The time for solving a problem should be counted in arithmetic steps, independent of CPU speed.
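The following Python is an added worked example of the three definitions above (the bit-pair shadow rule, the ASPP ciphertext form, and the MPP key relation); it is not code from the paper or from the REESSE1+/JUNA implementations. It assumes a toy modulus M = 1000003 (a prime far below the reward sizes), n = 12 so that the text's sample string 010000110100 can be encrypted, Python's `random.Random` as a stand-in for a real key-material RNG, and that the index 3(i − 1) + B_i reads the bit pair B_i as the integer 0 to 3. The function names (`bit_pair_shadows`, `aspp_ciphertext`, `reesse_keygen`, `mpp_holds`, `demo_keypair`) are this example's own.

```python
# Added example: toy instances of the REESSE1+ MPP and ASPP as defined in Section 6.
# Not the authors' code; parameters are far below the reward sizes and
# random.Random is not a cryptographic RNG. Constructed for illustration only.
from __future__ import annotations
import random


def bit_pair_shadows(bits: str) -> list[int]:
    """Bit-pair shadows B̅_1..B̅_{n/2} of b_1..b_n, per the rule in Section 6."""
    if len(bits) % 2 or set(bits) - {"0", "1"} or "1" not in bits:
        raise ValueError("need a non-zero binary string of even length")
    pairs = [bits[i:i + 2] for i in range(0, len(bits), 2)]
    nonzero = [i for i, p in enumerate(pairs) if p != "00"]
    first, last = nonzero[0], nonzero[-1]
    trailing = len(pairs) - 1 - last      # 00-pairs after the rightmost non-00 pair
    shadows, run = [], 0                  # run = successive 00-pairs just before pair i
    for i, p in enumerate(pairs):
        if p == "00":
            shadows.append(0)
            run += 1
        else:
            # leftmost non-00 pair additionally absorbs the trailing 00-pairs
            shadows.append(1 + run + (trailing if i == first else 0))
            run = 0
    return shadows


def aspp_ciphertext(C: list[int], bits: str, M: int) -> int:
    """G̅ = prod_i C_{3(i-1)+B_i}^{B̅_i} mod M, with C[0] = 1 and B_i read as 0..3."""
    assert C[0] == 1 and len(C) == 3 * len(bits) // 2 + 1
    pairs = [bits[i:i + 2] for i in range(0, len(bits), 2)]
    g = 1
    for i, (pair, sh) in enumerate(zip(pairs, bit_pair_shadows(bits)), start=1):
        g = g * pow(C[3 * (i - 1) + int(pair, 2)], sh, M) % M
    return g


def reesse_keygen(n: int, M: int, rng: random.Random):
    """Toy key pair using the private-key ranges stated in Section 6 (M prime)."""
    m = 3 * n // 2
    A = [rng.randrange(2, 1202) for _ in range(m)]                 # A_i in {2, ..., 1201}
    ell = [rng.choice((1, -1)) * rng.randrange(5, 2 * m + 4, 2)    # +/-5, +/-7, ..., +/-(2m+3)
           for _ in range(m)]
    W = rng.randrange(2, M - 1)                                    # W, delta in (1, M-1)
    delta = rng.randrange(2, M - 1)
    # MPP: C_i = (A_i * W^ell(i))^delta mod M; a negative ell(i) is an inverse power.
    C = [1] + [pow(A[i] * pow(W, ell[i], M) % M, delta, M) for i in range(m)]
    private = {"A": A, "ell": ell, "W": W, "delta": delta, "M": M}
    public = {"C": C, "M": M}
    return private, public


def mpp_holds(private, public) -> bool:
    """Check the MPP relation C_i = (A_i W^ell(i))^delta mod M for every i."""
    M, W, d = private["M"], private["W"], private["delta"]
    return all(public["C"][i + 1] == pow(a * pow(W, l, M) % M, d, M)
               for i, (a, l) in enumerate(zip(private["A"], private["ell"])))


def demo_keypair(seed: int = 2009):
    """Deterministic toy key pair: n = 12, M = 1000003 (a prime far below reward size)."""
    return reesse_keygen(12, 1_000_003, random.Random(seed))


if __name__ == "__main__":
    print(bit_pair_shadows("010000110100"))            # [2, 0, 0, 3, 1, 0] as in the text
    priv, pub = demo_keypair()
    print(mpp_holds(priv, pub), aspp_ciphertext(pub["C"], "010000110100", pub["M"]))
```

The shadow vector has n/2 entries of which at most n/4 + 1 is the largest value, which is what makes the ASSP knapsack in Appendix A "compact"; the ciphertext is a single element of the multiplicative group, so nothing about the plaintext is visible without solving the ASPP.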
DLP subexponential time means the running time of the present best algorithm for solving the DLP in the prime field of order M, namely the index calculus method, L_M[1/3, 1.923]. Note that the TLP is written as y ≡ (g^x)^x (% M) instead of y ≡ x^x (% M) due to the asymptotic property of M. In [11] and [12], some pieces of evidence incline people to believe that the subset product problem (SPP) Ḡ_1 ≡ ∏_{i=1}^{n} C_i^{b_i} (% M) is harder than the DLP asymptotically, but because ⌈lg M⌉ ≤ 640 and the density of the related knapsack is low, SPP can almost be solved in DLP subexponential time [12].

Appendix A: Computation of the Density of a Knapsack from the ASPP

1) Wrong Computation of Density in Section 5.2 of [12]

It is known from Section 3.2 of [12] that a ciphertext is an ASPP Ḡ ≡ ∏_{i=1}^{n} C_i^{ḅ_i} (% M). Let C_1 ≡ g^{u_1}, …, C_n ≡ g^{u_n}, Ḡ ≡ g^v (% M), where g is a randomly selected generator of (ℤ_M^*, ·). Then seeking ḅ_1 … ḅ_n from Ḡ is equivalent to solving the congruence

    u_1 ḅ_1 + … + u_n ḅ_n ≡ v (% M̄),    (1)

where {u_1, …, u_n} is called a compact sequence (knapsack) because ḅ_i ∈ [0, n/2 + 1]. Seeking ḅ_1 … ḅ_n from (1) is called the anomalous subset sum problem (ASSP). Note that ① we stipulate that b_1 … b_n ≠ 0 contains at most n/2 0-bits; ② if g is different, {u_1, …, u_n} will be different for the same {C_1, …, C_n}, and thus {u_1, …, u_n} is randomized.

When (1) is to be reduced through the LLL lattice basis reduction algorithm, it must be converted into the non-modular form

    ḅ_1 u_1 + … + ḅ_n u_n = v + k M̄,    (2)

where k ∈ [0, n] is an integer. To seek the original solution to (2), k must traverse from 0 to n.

Let D be the density of the compact sequence {u_1, …, u_n}. We see that in Section 5.2 of [12] the formula D ≈ n^2 / ⌈lg M⌉ is wrong, which was first pointed out by Xiangdong Fei (an associate professor at Nanjing University of Technology).
2) Right Computation of Density in Section 5.2 of [12]

Considering the structure of a lattice basis from (1) and the bit length of a bit shadow ḅ_i ∈ [0, n/2 + 1] (on the assumption that b_1 … b_n contains at most n/2 0-bits), the right computation of the density of an ASSP knapsack in [12] should be

    D = Σ_{i=1}^{n} ⌈lg(n/2 + 1)⌉ / ⌈lg M⌉ = n ⌈lg(n/2 + 1)⌉ / ⌈lg M⌉.

Concretely, for n = 80 with ⌈lg M⌉ = 696, D = 80 × 6 / 696 ≈ 0.6897 < 1; for n = 96 with ⌈lg M⌉ = 864, D = 96 × 6 / 864 ≈ 0.6667 < 1; for n = 112 with ⌈lg M⌉ = 1030, D = 112 × 6 / 1030 ≈ 0.6524 < 1; for n = 128 with ⌈lg M⌉ = 1216, D = 128 × 7 / 1216 ≈ 0.7368 < 1.

These densities mean that the original solution to (1) may possibly be found through LLL lattice basis reduction (not certainly, and even with very low probability), because D < 1 only assures that the shortest vector is unique; it cannot assure that the vector of the original solution is the shortest vector in the reduced basis.

3) Bit Shadows Enhance the Resistance of a Low Density ASSP Knapsack to Attacks

The LLL algorithm reduces the lattice basis

    ⟨1, 0, …, 0, Ñ u_1⟩, ⟨0, 1, …, 0, Ñ u_2⟩, …, ⟨0, 0, …, 1, Ñ u_n⟩, ⟨1/2, 1/2, …, 1/2, Ñ (v + k M̄)⟩,

where Ñ > (1/2) n^{1/2}. No matter whether (v + k M̄) is a classical subset sum or an anomalous subset sum, and whether the density is less than 1 or greater than 1, the LLL algorithm runs by its inherent rules. Lastly, the n + 1 vectors ⟨ê_1, …, ê_n, ê_{n+1}⟩ which occur in the reduced basis are the first n + 1 approximately shortest vectors, including the shortest vector, of which quite a few satisfy ê_1 u_1 + … + ê_n u_n = v + k M̄ (omitting the term ê_{n+1} = 0). If D < 1, the shortest vector is unique; and if (v + k M̄) is a classical subset sum, the shortest vector is just the original solution.

We know from the above discussion that there are two necessary conditions for solving an SSP or ASSP through LLL lattice basis reduction: ① the vector of the original solution is the shortest; ② the shortest vector in the lattice is unique. D < 1 assures that the shortest vector is unique, and a classical subset sum assures that the vector of the original solution is just the shortest vector.

Return to (1). Even though the density of an ASSP knapsack is less than 1, the original solution is not necessarily found, since ḅ_i ∈ [0, n/2 + 1] is a bit shadow (which indicates that the original solution does not necessarily occur in the reduced basis) and there likely exist many solutions in the lattice. For example, let n = 4 (short, but without loss of generality), M = 263, {u_1, …, u_4} = {48, 71, 257, 4}, and v = 261 (u_i and v are obtained through the discrete logarithms of C_i and Ḡ). Here the density of {u_1, …, u_4} is D = n ⌈lg(n/2 + 1)⌉ / ⌈lg M⌉ = 4 × 2 / 9 ≈ 0.8889 < 1. Assume that the plaintext is b_1 … b_4 = 1100 with the related bit shadow string ḅ_1 … ḅ_4 = 1300 (thus 1 × 48 + 3 × 71 = 261). However, the solution found by LLL lattice basis reduction will be 0011 (notice, not the original), because 1 × 257 + 1 × 4 = 261, and ⟨0, 0, 1, 1⟩ with norm (1² + 1²)^{1/2} is the shortest vector in the lattice, while ⟨1, 3, 0, 0⟩ with norm (1² + 3²)^{1/2} is not the shortest, and will not even occur in the reduced basis consisting of 5 vectors.

4) Density of an Optimized ASSP Knapsack

The modulus of prototypal REESSE1+ is relatively large, so in practice it needs to be optimized (optimized REESSE1+ is called JUNA). Return to Section 6. When n = 80, 96, 112, 128, correspondingly ⌈lg M⌉ = 384, 464, 544, 640.
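The following Python is an added check of Appendix A, not code from the paper: it reproduces the density figures of subsection 2) with exact integer arithmetic for ⌈lg x⌉, carries the same computation through for the optimized (JUNA) parameter set of subsection 4) below, and exhaustively enumerates every coefficient vector that satisfies equation (2) for the n = 4 instance of subsection 3), so that the competing solutions 1300 and 0011 and their norms can be compared directly. It assumes the knapsack, v, M = 263 and coefficient bound n/2 + 1 = 3 exactly as stated in the text; the function names (`ceil_lg`, `knapsack_density`, `prototypal_density`, `optimized_density`, `assp_solutions`, `shortest`) are this example's own. LLL itself is not implemented here; the enumeration shows which vectors exist in the lattice, and the norm comparison shows which one a shortest-vector search would prefer.

```python
# Added example: knapsack density and exhaustive ASSP solutions for the toy
# instance in Appendix A.3. Not the authors' code; the n = 4 instance is the one
# from the text, and the two density formulas are the ones given in Appendix A.
from __future__ import annotations
from itertools import product
from math import sqrt


def ceil_lg(x: int) -> int:
    """⌈lg x⌉ for a positive integer x, computed exactly (no floating point)."""
    return (x - 1).bit_length()


def knapsack_density(count: int, top: int, lg_m: int) -> float:
    """D = count * ⌈lg top⌉ / ⌈lg M⌉ for `count` coefficients each in [0, top]."""
    return round(count * ceil_lg(top) / lg_m, 4)


def prototypal_density(n: int, lg_m: int) -> float:
    """Appendix A.2: n bit shadows in [0, n/2 + 1]."""
    return knapsack_density(n, n // 2 + 1, lg_m)


def optimized_density(n: int, lg_m: int) -> float:
    """Appendix A.4 (JUNA): 3n/2 coefficients from bit-pair shadows in [0, n/4 + 1]."""
    return knapsack_density(3 * n // 2, n // 4 + 1, lg_m)


def assp_solutions(u: list[int], v: int, m_bar: int, top: int) -> list[tuple[int, ...]]:
    """All c in [0, top]^n with sum(c_i u_i) = v + k*M̄ for some k in [0, n] (equation (2))."""
    n = len(u)
    targets = {v + k * m_bar for k in range(n + 1)}
    return sorted(c for c in product(range(top + 1), repeat=n)
                  if sum(ci * ui for ci, ui in zip(c, u)) in targets)


def shortest(vectors):
    """Euclidean-shortest candidate, i.e. the one a shortest-vector search prefers."""
    return min(vectors, key=lambda c: sqrt(sum(x * x for x in c)))


if __name__ == "__main__":
    for n, lg_m in ((80, 696), (96, 864), (112, 1030), (128, 1216)):
        print("prototypal", n, lg_m, prototypal_density(n, lg_m))
    for n, lg_m in ((80, 384), (96, 464), (112, 544), (128, 640)):
        print("optimized ", n, lg_m, optimized_density(n, lg_m))
    # M = 263, so M̄ = 262; bit shadows lie in [0, n/2 + 1] = [0, 3]
    sols = assp_solutions([48, 71, 257, 4], 261, 262, 3)
    print(sols, "shortest:", shortest(sols))
```

For the toy instance the enumeration finds exactly two solutions of (2) over k ∈ [0, 4], (1, 3, 0, 0) and (0, 0, 1, 1), and the shorter one is the wrong one, which is the point of subsection 3): a low density guarantees a unique shortest vector but not that it encodes the plaintext.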
The density of an optimized ASSP knapsack is

    D = (3n/2) ⌈lg(n/4 + 1)⌉ / ⌈lg M⌉

with Ḅ_i ∈ [0, n/4 + 1] (on the assumption that B_1 … B_{n/2} contains at most n/4 00-pairs). Concretely, for n = 80 with ⌈lg M⌉ = 384, D = 120 × 5 / 384 ≈ 1.5625 > 1; for n = 96 with ⌈lg M⌉ = 464, D = 144 × 5 / 464 ≈ 1.5517 > 1; for n = 112 with ⌈lg M⌉ = 544, D = 168 × 5 / 544 ≈ 1.5441 > 1; for n = 128 with ⌈lg M⌉ = 640, D = 192 × 6 / 640 = 1.8000 > 1.

Under these circumstances, owing to D > 1 (which indicates that there will exist many solutions to the ASSP, and that even the shortest vector is nonunique), it is impossible to find the original plaintext b_1 … b_n through LLL lattice basis reduction. Therefore, at present there exists no subexponential time solution to the ASPP used in the optimized encryption scheme.

References

[1] Oded Goldreich, Foundations of Cryptography: Basic Tools. Cambridge, UK: Cambridge University Press, 2001, ch. 4.
[2] Michael Sipser, Introduction to the Theory of Computation. Boston: PWS Publishing Company, 1997, ch. 0.
[3] http://en.wikipedia.org/wiki/Provable_security.
[4] Ran Canetti, Oded Goldreich, and Shai Halevi, The Random Oracle Methodology Revisited, in Proc. STOC 1998, pp. 209–218.
[5] N. Koblitz and A. Menezes, Another Look at "Provable Security" II, Progress in Cryptology - INDOCRYPT 2006, Berlin: Springer, 2006, pp. 148–175.
[6] http://www.wisdom.weizmann.ac.il/~oded/on-pmc.html.
[7] http://in-theory.blogspot.com/2007_08_26_archive.html.
[8] Kurt Gödel, On Formally Undecidable Propositions of Principia Mathematica and Related Systems, Monatshefte für Mathematik und Physik, v. 38, 1931, pp. 173–198.
[9] Mihir Bellare and Phillip Rogaway, The Exact Security of Digital Signatures: How to Sign with RSA and Rabin, in Proc. Advances in Cryptology: Eurocrypt '96, pp. 399–416.
[10] Bruce Schneier, Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in C. New York: John Wiley & Sons, 1996, ch. 1, 19.
[11] Shenghui Su and Shuwang Lü, The REESSE1+ Public Key Cryptosystem v2.21, available: http://eprint.iacr.org/2006/420.pdf (revised Dec. 2012).
[12] Shenghui Su and Shuwang Lü, A Public Key Cryptosystem Based on Three New Provable Problems, Theoretical Computer Science, vol. 426–427, 2012, pp. 91–117.
[13] S. Su, S. Lü, and X. Fan, Asymptotic Granularity Reduction and Its Application, Theoretical Computer Science, vol. 412, issue 39, Sep. 2011, pp. 5374–5386.
[14] D. Coppersmith, Small Solutions to Polynomial Equations and Low Exponent RSA Vulnerabilities, Journal of Cryptology, v. 10, no. 4, 1997, pp. 223–260.
