I read that the reason why NP complete problems like SAT are not used in asymmetric cryptography is that it's hard to generate hard instances of it. Is there any other reason why? Supposing we have an algorithm that efficiently generates hard instances of SAT in reasonable size with its only valid solution, how could we use this to encrypt and decrypt messages?
2 Answers
Actually, it's easy to create (what we hope to be) hard instances of SAT.
Take any secure encryption instance, be it AES, RSA, IES, ML-KEM, whatever. Express that as a circuit, and then convert the circuit into an SAT instance. Done.
With SAT (and any other NP-Complete) algorithm, you can take an NP problem (and essentially all crypto lives in NP), and translate that into the NP-Complete problem. That's part of what NP-Complete means (and the other half is that it also lives within NP).
However, that's not what we mean when we want an 'encryption' algorithm that relies on SAT. What we would really like (and don't know how to) is to be able to create an encryption algorithm that, if we can solve arbitrary instances of, we can solve SAT.
That looks to be a very difficult problem [1]. It is especially difficult for public key encryption, for this reason. If we have an instance of the problem, there has to be a proof that the solution is one way, that is, the plaintext is a specific value. However, there must also exist proofs of the negation where the answer is 'false', that is, the plaintext is not that specific value, but something else. What this means is that the problem lies within $NP \cap coNP$. If the problem is NP-complete (which it would be if a problem oracle can be used to solve SAT), then we must have $NP = coNP$, and we don't know if that's true (and if it's not true, then there's no public key encryption system which is also NP-complete).
[1]: There might be ways to do it if we're satisfied with symmetric encryption or hashing - I haven't kept track.
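The circuit-to-SAT step described in the answer above, as an added example that is not part of the original answer: a Tseitin encoding of a constructed 4-bit toy function, solved with a small DPLL search. The toy function and the names `toy_encrypt`, `Cnf`, `to_sat`, `models` and `recover_keys` are assumptions made for illustration; the resulting instance is only as hard as the circuit it encodes, which here is trivially small.

```python
# Added illustration: Tseitin-encode a constructed toy function as CNF, then
# find every key consistent with one plaintext/ciphertext pair.

def toy_encrypt(key, pt):
    """Constructed toy function, not a real cipher:
    c_i = p_i ^ k_i ^ (k_{i+1} & k_{i+2}), indices mod 4."""
    return [pt[i] ^ key[i] ^ (key[(i + 1) % 4] & key[(i + 2) % 4]) for i in range(4)]

class Cnf:
    """Clauses are lists of signed ints (DIMACS style): 3 means x3, -3 means not x3."""
    def __init__(self):
        self.n, self.clauses = 0, []
    def var(self):
        self.n += 1
        return self.n
    def xor(self, a, b):    # fresh o with o <-> (a XOR b)
        o = self.var()
        self.clauses += [[-a, -b, -o], [a, b, -o], [a, -b, o], [-a, b, o]]
        return o
    def and_(self, a, b):   # fresh o with o <-> (a AND b)
        o = self.var()
        self.clauses += [[-a, -b, o], [a, -o], [b, -o]]
        return o
    def fix(self, v, bit):  # unit clause pinning a known bit
        self.clauses.append([v if bit else -v])

def to_sat(pt, ct):
    """Build the CNF whose models are exactly the keys mapping pt to ct."""
    f = Cnf()
    k = [f.var() for _ in range(4)]
    p = [f.var() for _ in range(4)]
    for i in range(4):
        out = f.xor(f.xor(p[i], k[i]), f.and_(k[(i + 1) % 4], k[(i + 2) % 4]))
        f.fix(p[i], pt[i])
        f.fix(out, ct[i])
    return f.clauses, k

def models(clauses, assign):
    """DPLL with unit propagation. Yields satisfying assignments; in this
    encoding each one ends up fixing every variable."""
    clauses = [c for c in clauses if not any(assign.get(abs(l)) == (l > 0) for l in c)]
    clauses = [[l for l in c if abs(l) not in assign] for c in clauses]
    if any(not c for c in clauses):
        return                          # conflict: a clause has no literal left
    if not clauses:
        yield assign
        return
    unit = next((c[0] for c in clauses if len(c) == 1), None)
    for lit in ([unit] if unit is not None else [clauses[0][0], -clauses[0][0]]):
        yield from models(clauses, {**assign, abs(lit): lit > 0})

def recover_keys(pt, ct):
    clauses, k = to_sat(pt, ct)
    return sorted([int(m[v]) for v in k] for m in models(clauses, {}))
```

The same gate-by-gate encoding applies to a full-size cipher circuit; only the number of variables and clauses grows, and with it the difficulty of the search.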
It is illustrative to look at Impagliazzo's five worlds. Impagliazzo shows generating hard SAT instances (or any NP complete problem) together with their solution implies a one-way function: consider the function which takes the random bits used by the algorithm, and outputs the problem it produced (without the solution). This is a one-way function, otherwise these instances could be solved by reversing the function and getting the solution from the random bits. By known reductions, this gives symmetric cryptography. In terms of Impagliazzo's worlds, this rules out being in Pessiland.
However, this still doesn't give public-key cryptography, and this is exactly the distinction between Minicrypt and Cryptomania - generating hard SAT instances is Minicrypt, and for public-key cryptography we need Cryptomania.
On a possibly unrelated note, you might want to take a look at witness encryption, which is encryption where the public key is an instance of an NP-complete problem (for example SAT), and decryption can be done using a witness to the instance. However, all known schemes for this are very complex and their security is dependent on much stronger assumptions than the instance being hard.