23

I was on wikipedia on list of unsolved computer science problems and found this: Is public-key cryptography possible?

I thought RSA encryption was a form of public-key cryptography? Why is this a problem?

Raphael
  • 72,336
  • 29
  • 179
  • 389
Namster
  • 463
  • 3
  • 8
  • 5
    We don't even know if symmetric crypto can be secure, and that's a much weaker conjecture than public key encryption being secure. – CodesInChaos Sep 16 '15 at 08:50
  • @CodesInChaos That's true as long as we are speaking about security based on computational complexity. But if you are considering information theoretical security there are provably secure constructions such as the one-time-pad for encryption and Wegman-Carter for message authentication. – kasperd Sep 16 '15 at 12:30

3 Answers3

31

We don't know for sure that RSA is safe. It could be that RSA can be broken in polynomial time, for example if factoring can be done efficiently. What is open is the existence of a a provably secure public-key cryptosystem. We don't know for sure that such a cryptosystem exists at all; for all we know, every cryptosystem could be broken efficiently.

A different, unrelated problem with RSA is that it can be broken by quantum computers. This is an unrelated problem since the definition of a secure public-key cryptosystem only requires that the cryptosystem not be breakable by classical (non-quantum) computers.

Practically speaking, though, RSA seems secure, and it is used all the time. This is due to the gap between theory and practice. While theoretically we don't know for sure that RSA is secure, practically speaking we have to use some public-key cryptosystem, and RSA is a good choice since people have tried to break it and failed. Generally speaking, a known cryptosystem that people care about is more secure than an obscure one, since it has resisted the attempts of cryptographers. This doesn't constitute a proof that it is secure – it might well not be – but it's the best we can do.

Yuval Filmus
  • 276,994
  • 27
  • 311
  • 503
  • 4
    In few words: Safe-ish until broken. – Ismael Miguel Sep 16 '15 at 09:35
  • 2
    Great answer. I would also add that any cryptography is only delivered with a time frame of low probability of being broken. No one delivers a crypto system and state it is secure. They always say it is not likely at all to be broken in the next 5 years or so. This is a bit of a problem for sales, as, often enough, non-technical clients see this as a stated weakness. – RSinohara Sep 16 '15 at 11:31
  • This is actually a general shortcoming across computer science: CS is very good at proving how long an algorithm will take, but very weak at being able to prove that there are no faster algorithms. – RBarryYoung Sep 16 '15 at 13:01
3

Here are some other angles/details on this question, more specific & generally. As YF writes in a comment, despite appearances, RSA is not proven to be at least as hard as factoring. Breaking RSA involves the discrete log problem which of course is closely related to factoring in complexity, but not proven to be the same complexity. But (as pointed out) not even factoring has been proven hard.

YF also mentions quantum computation. As insiders are well aware, RSA is not secure against quantum computation which is proven to be able to factor in P time using Shors algorithm. Shors algorithm was considered a breakthrough at the time. And another breakthrough to mention in a "nearby" area is the AKS primality algorithm which proved that primality testing is in P. Theoretical breakthroughs in complexity theory are rare but not unheard of.

YF doesnt mention, but is always lurking in the background of these questions, the "big question" of P=?NP is still open. It is generally thought that "algorithmic cryptography could be impossible" (except for one-time pads) if P=NP, which is generally disbelieved by experts.

An excellent way to scientifically conceptualize this is Impagliazzos 5 worlds, overview by Kabanets. remarkably, complexity theorists do not know "which of the 5 worlds we live in" although there is circumstantial evidence leaning some ways. What world we live in depends on open complexity theory conjectures. They also relate to open problems on existences of trapdoor functions and one way functions. (RSA is conjectured to be both.) There was a 2009 research conference on Impagliazzos worlds with the latest thinking reported.

peterh
  • 416
  • 4
  • 19
vzn
  • 11,034
  • 1
  • 27
  • 50
  • 1
    see also status of Impagliazzos worlds / [cstheory.se]. in short, roughly, RSA is regarded by experts as plausibly or likely secure but not proven secure and that gap cuts through many of the biggest open questions in the field. – vzn Sep 17 '15 at 18:07
2

One thing that needs to be defined here is the definition of possible. There are two ways to answer this. The first is, can a public key cryptosystem be considered information-theoretically secure? In the broadest sense this requires that the algorithm be secure even when subjected to an attack involving infinite computing power. There is one known system that has achieved this, the one time pad, however this is only in theory as we can not create the truly random numbers required, and is private key. The second way the question can be viewed is, can a public key cryptosystem be considered unconditionally secure?. This second definition is looser. In the case of RSA, if someone were to prove that integer factorization was as difficult as we currently think it is, and prove there were no other assumptions or flaws in the system, then RSA would be unconditionally secure. Unconditional security removes the requirement of infinite computing power, and relaxes it to impossible in the physical universe. Since our public key algorithms all rely on massive assumptions on computability they do not meet the second definition.

lPlant
  • 1,612
  • 9
  • 19
  • Breaking RSA is not equivalent to factoring; it is potentially easier. – Yuval Filmus Sep 16 '15 at 20:34
  • This answer is confused. The one-time pad is not a public-key cryptosystem, so it is not correct that the one-time pad has achieved this. The answer to "can a public key cryptosystem be considered information-theoretically secure?" is "No". Also, there is no known proof that "factoring is hard" implies "RSA is secure"; indeed, there are reasons to suspect that there might not be any reduction of that form. – D.W. Sep 16 '15 at 22:02