The End of the Golden Age of Crypto

Tim May tcmay at got.net
Tue Nov 12 11:57:46 PST 2002


On Tuesday, November 12, 2002, at 11:04  AM, Tim May wrote:

> (There are famous examples of using Hamiltonian cycles for giving zero  
> knowledge proofs. I wrote one up here for the list about 10 years  
> ago...it may be findable by searching on the right keywords. But using  
> one of the NP-complete problems to produce a ZK certificate is not the  
> same as something like RSA encryption...though one would think there  
> _must_ be a way to make it so....like I said, fame awaits someone who  
> figures this out.)

I dug up the last article I did on this. Here it is:

*	To: cypherpunks at algebra.com
*	Subject: CDR: An Introduction to Complexity, Hamiltonian Cycles, and ZeroKnowledge Proofs--Part 1
*	From: Tim May <tcmay at got.net>
*	Date: Sat, 4 Nov 2000 13:05:07 -0800
*	Cc: Olav <he-who-watches at gmx.de>
*	In-Reply-To: <Pine.OSF.4.05.10011041310080.11460-100000 at hcs.harvard.edu>
*	Old-Subject: An Introduction to Complexity, Hamiltonian Cycles, and ZeroKnowledge Proofs--Part 1
*	References: <Pine.OSF.4.05.10011041310080.11460-100000 at hcs.harvard.edu>
*	Reply-To: cypherpunks at ssz.com
*	Sender: owner-cypherpunks at ssz.com

------------------------------------------------------------------------


At 2:20 PM -0500 11/4/00, dmolnar wrote:
 >On Sat, 4 Nov 2000, Jim Choate wrote:
 >
 >>
 >>  On Sat, 4 Nov 2000, Declan McCullagh wrote:
 >>
 >>  > "NP" problems, on the other hand, are those that can be solved in
 >>  > nondeterministic polynomial time (think only by guessing). NP
 >>  > includes P.
 >>
 >>  Actually any time that can't be described using a polynomial (i.e.
 >>  a0 + a1x + a2x^2 + ...) is NP. For example something that executes in
 >>  factorial or exponential time is NP.
 >
 >I'm sorry - by the definitions I know, Declan has it closer.
 >I'm not sure what you're getting at with "any time that can't be
 >described..." or "something that executes in factorial or exponential
 >time." As far as I know, NP is a class of *problems*, not a
 >class of running times or even a class of algorithms.


And I'm going to give a completely informal, but I hope useful,
introduction. Though formalism is very important, and jargon is
useful, I suspect that all the talk of "succinct certificates,"
"oracles," "reducibility," "nondeterministic polynomial time,"
"Co-NP," etc., isn't very useful to someone just coming to this stuff
for the first time.

I figure understanding math comes from thinking about specific
problems, drawing pictures, mulling things over, drawing more
pictures, and basically just "becoming one with the problem." Formal
definitions then begin to make a lot more sense. While Bourbaki may
favor only the tersest of explanations, I think they are dead wrong.

(Fair warning: I knew a lot more about this stuff in 1992 when I was
reading Garey and Johnson, Harel, etc. and trying to figure out the
zero knowledge papers of Goldwasser and her colleagues. These days,
terms like "Co-NP" are not in my daily repertoire of concepts I have
a good handle on. But the basic ideas don't need such formal
definitions. It's more important to have some _intuition_ about
common problems and then see the obvious connections with crypto.
David Molnar and others are much better versed in the current lingo.)

So, the German guy, Olav, who asked about what P and NP and all that
stuff means should think of a specific problem. The "Travelling
Salesman Problem" is one problem that's a lot of fun to think about,
for complexity issues (and also for specific algorithms, like
"simulated annealing," "heuristic search," "genetic programming,"
etc.). However, I'm going to pick the "Hamiltonian Path" (or
Hamiltonian Circuit) problem for most of my discussion.

It's equally fun, and is one of the canonical "NP-complete" examples.
It turns out that these problems are all similar in a deep way to
each other. Though there may not be obvious links between Hamiltonian
paths, tiling problems in the plane, Go problems on generalized Go
boards, grammar problems, "Monkey puzzles," the Minesweeper game
mentioned in this thread, and so on, it turns out that they share
deep similarities. In fact, with some effort ("polynomial time
effort," so to speak) one problem can be converted to another. Hence
the notion that if one could find an "easy" algorithm to solve one,
one would have solved all of them.

(And always keep in mind that these problems are considered in their
_general_ forms, with something like N cities, M x N tile arrays, a
Go board of N x N grid points, and so on. Any _specific_ instance is
not the essence, though of course a specific instance may still be
hideously complicated to solve. And slight factors of 2 or 20 or even
20 million, or, indeed, anything short of "exponential in N," are not
important. This is often called "Big O" notation, e.g, the
complexity/effort goes as "O (N^3)" or "O (N!)". For exact
definitions of these kinds of terms, consult any of the many books on
this stuff; I'm just trying to provide the motivation and basic ideas
here.)

TRAVELLING SALESMAN PROBLEM

Take 10 cities in Europe. For example: Berlin, Paris, Madrid, Rome,
Marseilles, Hannover, Geneva, Amsterdam, Warsaw, and London.

The TSP (Travelling Salesman Problem) would be to find the shortest
path that connects all cities. Exhaustive search finds the shortest
path on the order of (N -1)! calculations, where N is the number of
cities. Actually, (N -1)! divided by two. Neither the direction of
the path (the factor of 2) nor the starting city (the N -1) matters.
For 10 cities, this is trivial to solve exhaustively: a mere 180,440
paths to be computed. However, for 20 cities the number of paths to
be computed is about 6 x 10^16. For 50 cities, 3 x 10^62 paths. Whew.

Are there better algorithms than exhaustive search over all paths?
There may be many algorithms which give "pretty good" results.
Dividing the cities into regions and optimizing each one, then
stitching the results together works pretty well. (Used in a lot of
algorithms, developed at Los Alamos for bomb designs...the Metropolis
algorithm, for example.). Simulated annealing works pretty well. And
so on.

But these are all just approximations, not actual solutions. Good
enough for engineering, and evolution (which is why a rabbit trying
to get from his burrow to a food source to another food source
doesn't die of starvation while he's trying to solve the Travelling
Rabbit Problem exactly).

One of the characteristics of this kind of problem is that there is
often/usually no way to really measure "convergence on a solution."
In a maze, for example, as one travels down various maze passages one
may know that the goal is "just a few meters away," but this does
little good: one may have to backtrack, or undo, ALL moves all the
way back to the beginning of the maze search to take another branch
point! "Close doesn't count."

(The similarities with most modern crypto should be getting obvious.
Most modern crypto only falls to "brute force" -- exhaustive search,
trying all the paths, trying to factor a modulus, etc. There is no
"getting closer" in most modern ciphers.)


HAMILTONIAN PATH PROBLEM

Find a path or cycle on a graph which passes through each node once
and only once. (Or demonstrate whether any such cycle exists, a
slightly different form.)

I said I would also use the Hamiltonian Path Problem, HPP. This one
is worth spending an hour or two drawing pictures and trying to find
clever solutions. It will make the ideas much clearer, I think. And
will also lead to a good understanding of "zero knowledge proofs" and
the applications of them to things like pass phrases and security
systems which don't leak information to wiretappers or even to the
system being accessed! (Quite a feat, that.)

OK, go back to those 10 cities in Europe. As we know, some of those
cities have direct rail connections to other of the cities, some
don't. Berlin and Paris are connected (ignore trivial issues of their
perhaps being intermediate cities and towns...). Madrid and London
are not connected directly by rail lines.

The HPP is to take a graph, the set of cities and the links between
them, and find a path or cycle which passes through each node (city)
once and only once. And returns to the starting node. For example,
one such path might look like:

Rome to Marseilles to Madrid to Geneva to Warsaw to Berlin to
Hannover to Amsterdam to Paris to London...whoops, London is only
connected to Paris, so we're stuck in London.

(This isn't the essence of a HPP, and one could stipulate that all
cities must be connected to at least two other cities.)

Let's throw London out and only consider N cities with connections to
at least two other cities.

How many possible paths need to be calculated depends on the number
of interconnections. Some time spent with a pencil and paper will be
invaluable.

As the number of cities increases, the number of paths to consider
goes up roughly as N! (N factorial, as above with the TSP). This is
not polynomial in the number of cities. (Hence, for newcomers, one
starts to get the idea of "nonpolynomial time," though there are some
nuances and quibbles to deal with.)

However, suppose someone presented a purported Hamiltonian cycle for
a graph? That is, a claimed path through the N cities that passed
through each city once and only once?

This could be verified in practically no time, just by eyeballing the
purported cycle.

And thus one gets at the idea of an "oracle," a machine or god which
can "guess" the solution. (Hence the idea behind "nondeterministic
polynomial time." Again, there are nuances and formal issues, but
this is the general idea.)

(The intuition goes like this: For a large graph, of, say, 100
cities, the calculations required to compute the O (100!) paths would
be vastly greater than all the computers that will ever be built
could ever do in a billion universes, blah blah. If someone presents
a solution, they must have "oracular" powers. Well, not really, as we
shall see.)


ZERO KNOWLEDGE--APPLYING THIS TO PASS PHRASES

"I am Tim May and I present my proof of this: I know a Hamiltonian
cycle for this particular graph which is my signature graph."

So I present a graph with 100 cities on it, linked in various ways,
and show a Hamiltonian cycle. Proof.

Except that now I've given this proof to anyone watching, including
the system or person I just showed the proof to.

Is there a way to prove beyond any doubt that I know the Hamiltonian
cycle without actually revealing it? There is. Wow. Trippy stuff.
I'll wait a day or two to explain.

However, related to our above discussion of HOW FREAKING HARD it is
to compute such a Hamiltonian cycle on a reasonably large graph, HOW
DID I EVER FIND ONE?

Well, I have no oracular or magical abilities to "guess"
("non-deterministic polynomial time"). Instead, I constructed the
Hamiltonian cycle from scratch!

I took N cities, with no specified links, and connected them in some
Hamiltonian cycle. Very easy to do. Just draw N cities or nodes and
draw lines connecting them, satisfying the once and only once
criterion.

Ah, but then draw in a bunch of _other_ links between the nodes.

The full graph, nodes and links, is VERY HARD for anyone else to find
a Hamiltonian cycle for, but trivial for _me_ to find a Hamiltonian
cycle for!

So I can use the fact that I know a Hamiltonian cycle for "my"
"signature graph" as a pass phrase, or other proof of identity. The
trick is to be able to prove that I know it without actually revealing
it. As I said, I'll describe the trick later today or tomorrow.

By the way, my favorite book on this is David Harel's "Algorithmics."
Not exactly intended for a beginning student, but much more
descriptive and basic than _most_ of the books on complexity theory.
Lots of pictures, lots of descriptions of actual problems (tiling
puzzles, my favorites).

I confess that I only skimmed the sections on "Presburger arithmetic"
and why it is "beyond NP" in some weird sense.

Have fun,


--Tim May
--  
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   831-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
"Cyphernomicon"             | black markets, collapse of governments.
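An added worked example, not part of Tim May's post or the quoted thread. It implements the construction the post describes (draw a Hamiltonian cycle first, then add camouflage edges), the eyeball-fast verification of a claimed cycle set against the (N-1)!/2 brute-force search, and, going beyond the text to the "trick" the post defers to a later message, one commit/challenge/response round of Blum's Hamiltonian-cycle protocol. The function names, the SHA-256-over-nonce commitment, and the 8-node/18-edge graph are the example's own choices.

```python
"""Planted Hamiltonian cycles: trivial to build, cheap to verify, costly to find.

Added example, not from the original post. plant_graph/verify_cycle follow the post;
find_cycle_exhaustive is the (n-1)!/2 search it contrasts with; zk_round is one round
of Blum's protocol, the "trick" the post defers. SHA-256 commitments are an assumption.
"""
import hashlib
import itertools
import math
import random
import secrets


def tour_count(n):
    """Distinct undirected tours through n cities: (n-1)!/2, as in the TSP section."""
    return math.factorial(n - 1) // 2


def plant_graph(n, extra_edges, seed=0):
    """Return (edges, cycle): cycle edges first, then extra_edges random camouflage edges."""
    assert n + extra_edges <= n * (n - 1) // 2, "more edges than a simple graph has"
    rng = random.Random(seed)  # fixed seed so the example is reproducible
    cycle = list(range(n))
    rng.shuffle(cycle)
    edges = {frozenset((cycle[i], cycle[(i + 1) % n])) for i in range(n)}
    while len(edges) < n + extra_edges:
        edges.add(frozenset(rng.sample(range(n), 2)))  # camouflage edge
    return edges, cycle


def verify_cycle(n, edges, cycle):
    """O(n) check of a purported cycle: every node exactly once, every hop an edge."""
    if len(cycle) != n or set(cycle) != set(range(n)):
        return False
    return all(frozenset((cycle[i], cycle[(i + 1) % n])) in edges for i in range(n))


def find_cycle_exhaustive(n, edges):
    """Try every tour with node 0 fixed, each direction once: (cycle or None, tours tried)."""
    tried = 0
    for rest in itertools.permutations(range(1, n)):
        if rest[0] > rest[-1]:
            continue  # the reverse of this tour is already covered
        tried += 1
        cycle = [0, *rest]
        if verify_cycle(n, edges, cycle):
            return cycle, tried
    return None, tried


def _commit(bit, nonce):
    """Commitment to one adjacency bit: SHA-256(nonce || bit). Assumed scheme."""
    return hashlib.sha256(nonce + bytes([bit])).hexdigest()


def zk_round(n, edges, cycle, challenge):
    """One round of Blum's protocol, honest prover; True if the verifier accepts.

    Prover relabels G with a fresh random permutation pi and commits to every entry of
    the relabelled adjacency matrix. Challenge 0: reveal pi, open everything (it really
    is G relabelled). Challenge 1: open only the relabelled cycle's n edges; pi stays
    secret, so the opened cycle cannot be mapped back to G.
    """
    if not verify_cycle(n, edges, cycle):
        raise ValueError("prover does not hold a valid cycle for this graph")
    pi = list(range(n))
    random.SystemRandom().shuffle(pi)  # pi[v] is v's new label
    relabelled = {frozenset(pi[v] for v in e) for e in edges}
    pairs = list(itertools.combinations(range(n), 2))
    nonces = {p: secrets.token_bytes(16) for p in pairs}
    commits = {p: _commit(int(frozenset(p) in relabelled), nonces[p]) for p in pairs}
    if challenge == 0:
        # Verifier: rebuild pi(G) from the public graph and the revealed pi, then check
        # that every commitment opens to the matching bit.
        expected = {frozenset(pi[v] for v in e) for e in edges}
        return all(_commit(int(frozenset(p) in expected), nonces[p]) == commits[p]
                   for p in pairs)
    # Challenge 1: prover opens only the cycle's n entries of the relabelled matrix.
    relabelled_cycle = [pi[v] for v in cycle]
    opened = {}
    for i in range(n):
        p = tuple(sorted((relabelled_cycle[i], relabelled_cycle[(i + 1) % n])))
        opened[p] = nonces[p]
    # Verifier: each opened entry commits to 1, and the opened pairs are a Hamiltonian
    # cycle on the n labels. Nothing about pi or the cycle in G is learned.
    if any(_commit(1, nonce) != commits[p] for p, nonce in opened.items()):
        return False
    return verify_cycle(n, {frozenset(p) for p in opened}, relabelled_cycle)


if __name__ == "__main__":
    edges, secret = plant_graph(8, extra_edges=10, seed=7)
    found, tried = find_cycle_exhaustive(8, edges)
    print(f"brute force tried {tried} of {tour_count(8)} tours; found {found}")
    print("20 ZK rounds accepted:", all(zk_round(8, edges, secret, secrets.randbelow(2)) for _ in range(20)))
```

The asymmetry the post leans on is visible in the code: plant_graph and verify_cycle are a handful of set operations, while find_cycle_exhaustive walks up to tour_count(n) permutations. In zk_round, a prover who holds no cycle can prepare for challenge 0 (commit to a faithful relabelling) or for challenge 1 (commit to some graph that does contain a cycle), but not both, so each round catches a cheater with probability 1/2 and k rounds drive that to 2^-k; the honest prover reveals only a random relabelling or a cycle in an unlinkable relabelled graph.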
