Let's say I had an arbitrary number that was large, say 512 bits or bigger, but wasn't necessarily a semiprime. What is a computation that I could do on this number that would give me a unique solution that is guaranteed to be very inefficient to compute, but very quick to verify? I am looking for something in number theory / complexity theory. The problem needs to have a solution, rather than a decision problem of "yes" or "no".
3 Answers
What's asked is an algorithm implementing a hard-to-compute function of the input number $x$ with an easy way to check the result.
If we can use auxiliary fixed parameters, and are content with probabilistic algorithms to implement a deterministic function, we can use something based on the Discrete Logarithm Problem in $\mathbb Z_p^*$.
Parameter selection: we draw an arbitrary public prime $p$ with $\ell=\left\lceil\log_2 p\right\rceil$ suitably larger than 512 to adjust the difficulty (more on the choice of $\ell$ later), and $q=(p-1)/2$ prime (that is, $p$ and $q$ are a pair of safe and Sophie Germain primes). Then we select a public generator $g$, that is, in this context, an integer $g\in[2,p-1)$ with $g^q\bmod p=p-1$ (the smallest $g$ will do, it's always prime, and if we search $g$ among primes starting from $2$ we'll try on average about two candidates, with geometric distribution). This setup ensures that $y\mapsto g^y\bmod p$ is a bijection over the integers in $[1,p)$.
The computation asked is to, on input $x$ and the parameters $(p,g)$, output the uniquely defined integer $y\in[1,p)$ with $x+1=g^y\bmod p$. Verification of $y$ is easy.
The best methods we have to solve that problem for $\ell$ somewhat above 512 and otherwise arbitrary $x$ and $p$ are expensive, with cost $$\begin{align}\exp\biggl(\left(\sqrt[3]{\frac{32}{9}} + o(1)\right)(\ln p)^{\frac{1}{3}}(\ln \ln p)^{\frac{2}{3}}\biggr) &= L_p\left[\frac{1}{3},\sqrt[3]{\frac{32}{9}}\,\right]\\ &= L_{\bigl(2^\ell\bigr)}\left[\frac{1}{3},\sqrt[3]{\frac{32}{9}}\,\right] \end{align}$$ and the current record is for $\ell=795$, see this.
If the problem is already too hard with $\ell=513$ (it already takes many CPU⋅days), we can lower $\ell$ and truncate $x$ to $\ell-1$ bits.
There are a few rough edges: the work to solve several instances sharing $p$ does not scale proportionally with the number of instances; and solutions are trivial for some $x$, including $x=0$, and more generally $x=g^y-1$ for integer $y\in\bigl[0,\ (512/\log_2g) \bigr)$. But these issues can be ironed out (for the latter one: we can replace $x$ by a hash of $x$, which impairs neither computation nor verification). Also, other DLP-based solutions work, including on elliptic curve groups.
Notably, we have no proof of the work required, even with classical computers. And in some decades, hypothetical CRQC could conceivably lower the cost.
Factoring would be difficult. Your 512-bit number could be the product of three 171-bit primes. If one prime is smaller, then the other two would be larger. As long as the second largest prime is large, it’s hard to factor.
Let's say I had an arbitrary number that was large, say 512 bits or bigger, but wasn't necessarily a semiprime. What is a computation that I could do on this number that would give me a unique solution that is guaranteed to be very inefficient to compute, but very quick to verify?
How about "given $x$, what's the value $y$ s.t. $x = \text{SHAKE}( y || \text{arbitrary number} )$" (with $x$ being long enough that the solution is guaranteed unique)?
Obviously, quick to verify, and if $y$ is long enough, very inefficient to compute...