17

I think I have a basic misunderstanding in the definition of a decision problem.

It's widely believed that a constructive proof of P=NP with a practical implementation would break all modern cryptography, for example:-

I'm not sure I understand why.


For example, 3-SAT is NP-Complete. So if we had an algorithm that could decide satisfiable or unsatisfiable in polynomial time, we could prove P=NP. Correct?

That doesn't mean we need an algorithm that can find a solution that satisfies the input, only one that can decide whether or not a solution exists, correct?


Or, equivalently, using Diffie-Hellman key exchange (quoted from Wikipedia because I don't have enough rep to post more than 2 links):-

  • Alice and Bob agree to use a prime number p and base g
  • Alice chooses a secret integer a, then sends Bob A = g^a mod p
  • Bob chooses a secret integer b, then sends Alice B = g^b mod p
  • Alice computes s = B^a mod p
  • Bob computes s = A^b mod p
  • Alice and Bob now share s.

Clearly if Eve could calculate a and b from A and B, that would be problematic, but a proof of P=NP would only guarantee the existence of an algorithm that given A, B, g, and p could decide whether or not a and b exist such that A^b mod p = B^a mod p. Would that be so problematic?


To express my question more generally:-

  • Must an algorithm that decides a problem in NP also be able to construct a solution for that problem which can then be verified in polynomial time?

  • Would an algorithm that decides (but does not construct a "solution") an NP-complete problem in polynomial time be sufficient to prove P=NP?

  • Would such a proof have any impact on cryptography at all?

  • Or have I misunderstood something basic?

  • "Is there a solution whose first bit is 1? Yes. Is there a solution whose first two bits are 11? No. Is there a solution whose first three bits are 101? Yes. Is there a solution whose first four bits are 1011? No." ... – Stack Exchange Broke The Law Jul 23 '15 at 21:36
  • Regarding the crypto part: just because an algorithm exists doesn't mean you can find it. If the proof is nonconstructive then it will have zero impact on modern cryptography. And even if it's constructive, if the algorithm itself is practically slow then that will also have no impact on modern cryptography. etc. – user541686 Jul 24 '15 at 00:14

3 Answers

13

If you could decide SAT problems in polynomial time, then you could also find a solution (for those instances that have them) in polynomial time.
Namely, if Boolean expression $A$ is satisfiable and $x$ is a variable appearing in $A$, choose one of the expressions $A|_{x=T}$ and $A|_{x=F}$ (obtained by setting $x$ to "true" or "false" respectively) that is satisfiable (at least one must be). Recurse until assignments for all variables have been found.

This extends to all problems in NP that can be reduced to SAT in such a way that a solution to the SAT problem generates (in polynomial time) a solution to the original problem. Most of the classical cases of NP-completeness are of this type.

In your example, we need to generalize a little bit, from the problem

Given $A,B,g,p$, do there exist $a,b$ such that ...

to

Given $A,B,g,p$ and $a_0, b_0, n$, do there exist $a,b$ such that $a \equiv a_0 \mod 2^n, b \equiv b_0 \mod 2^n$, and ...

Robert Israel
  • 470,583
  • Right! You can reduce the problem so that deciding it allows you to partially solve it, and recurse. Of course! I feel pretty stupid now :D – user256439 Jul 28 '15 at 09:06
  • This comes after a rather long time, but I have a question. You mentioned you could pick a variable $x$ and set it to either true or false and recurse. Why is knowing there is a solution even necessary? Wouldn't you be able to do this regardless of whether there is a solution or not? And how is this polynomial? Wouldn't this be a $2^{n}$ time algorithm? – giorgioh Jul 15 '21 at 03:05
  • The point is that knowing whether a solution exists lets you prune the tree to avoid that factor of $2^n$: if you know there is no solution with $x=false$, you don't have to explore the branch where $x=false$. At each level you only make one choice of value for a variable, namely one such that a solution exists with that value of this variable and whatever values have been chosen previously for other variables. – Robert Israel Jul 15 '21 at 21:14
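Added example (not part of the answer above or its comments): the two self-reductions described in this answer, written out in Python. `brute_force_decider` and `toy_prefix_oracle` are exponential stand-ins for the hypothetical polynomial-time yes/no decider; what the example shows is that the search around the oracle makes only $n+1$ calls, one per variable or bit, not $2^n$. The CNF formula and the toy Diffie-Hellman parameters ($p=23$, $g=5$, $A = g^6 \bmod p$, secrets searched in 5 bits) are constructed for the demonstration and have nothing to do with real-world parameter sizes.

```python
from itertools import product

# ---- Part 1: SAT decision oracle -> satisfying assignment ----
# CNF encoding (DIMACS style): a formula is a list of clauses, a clause a list of
# non-zero ints, +k meaning variable k and -k meaning NOT variable k.
# Constructed example: (x1 v x2) ^ (~x1 v x3) ^ (~x2 v ~x3) ^ (x2 v x3)
EXAMPLE_CNF = [[1, 2], [-1, 3], [-2, -3], [2, 3]]
EXAMPLE_NVARS = 3


def satisfies(clauses, assignment):
    """True iff every clause has a literal made true by `assignment` (dict var -> bool)."""
    return all(any(assignment[abs(lit)] == (lit > 0) for lit in clause) for clause in clauses)


def brute_force_decider(clauses, nvars):
    """Stand-in for the hypothetical polynomial-time SAT decider. It answers only
    yes/no; it is exponential here, but only the NUMBER of calls matters below."""
    for bits in product([False, True], repeat=nvars):
        if satisfies(clauses, {i + 1: bits[i] for i in range(nvars)}):
            return True
    return False


def restrict(clauses, var, value):
    """A|_{x=T} or A|_{x=F}: drop clauses the fixed literal satisfies and remove the
    falsified literal from the rest (an empty clause then means 'unsatisfiable')."""
    true_lit = var if value else -var
    return [[lit for lit in c if abs(lit) != var] for c in clauses if true_lit not in c]


def find_assignment(clauses, nvars, decide):
    """Self-reduction: build a satisfying assignment using only the yes/no oracle.
    Returns (assignment or None, number of oracle calls); at most nvars + 1 calls,
    because each level commits to one value instead of exploring both branches."""
    calls = 0

    def ask(formula):
        nonlocal calls
        calls += 1
        return decide(formula, nvars)

    if not ask(clauses):
        return None, calls
    assignment, current = {}, clauses
    for var in range(1, nvars + 1):
        with_true = restrict(current, var, True)
        if ask(with_true):
            assignment[var], current = True, with_true
        else:
            # `current` is satisfiable and x=True is not, so x=False must be: no call needed
            assignment[var], current = False, restrict(current, var, False)
    return assignment, calls


# ---- Part 2: the "a = a_0 (mod 2^n)" generalization used for the Diffie-Hellman part ----
P, G = 23, 5                 # constructed toy group, not realistic sizes
A = pow(G, 6, P)             # Alice's public value for the (constructed) secret exponent a = 6
NBITS = 5                    # secrets are searched in [0, 2^NBITS)


def toy_prefix_oracle(prefix, k):
    """Stand-in yes/no oracle: is there an a in [0, 2^NBITS) with a = prefix (mod 2^k)
    and g^a = A (mod p)? Brute force here; under P=NP it would be polynomial."""
    return any(pow(G, a, P) == A for a in range(1 << NBITS) if a % (1 << k) == prefix)


def find_witness_by_prefix(exists_with_prefix, nbits):
    """Recover a witness one low-order bit at a time with nbits + 1 oracle calls.
    Works for any NP predicate over nbits-bit witnesses, not only the toy one above."""
    if not exists_with_prefix(0, 0):           # 2^0 = 1: 'does any witness exist at all?'
        return None
    prefix = 0
    for k in range(nbits):
        candidate = prefix | (1 << k)           # try bit k = 1 ...
        if exists_with_prefix(candidate, k + 1):
            prefix = candidate                  # ... keep it only if some witness extends it
    return prefix                               # otherwise bit k stays 0


if __name__ == "__main__":
    print(find_assignment(EXAMPLE_CNF, EXAMPLE_NVARS, brute_force_decider))  # ({1: True, 2: False, 3: True}, 4)
    print(find_witness_by_prefix(toy_prefix_oracle, NBITS))                  # 6
```

Note that `find_assignment` never calls the oracle on the `x=False` branch: once the current formula is known to be satisfiable and `x=True` is refused, `x=False` is forced, which is exactly the pruning Robert Israel describes in his reply to giorgioh. Because the toy group has order 22 and the search range is 32, two exponents (6 and 28) are witnesses; the bit-by-bit search returns whichever one the oracle's answers lead to, here 6.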
6

Must an algorithm that decides a problem in NP also be able to construct a solution for that problem which can then be verified in polynomial time?

No, but a solution can be easily derived using the decision procedure for NP problems because all "natural" NP-complete problems seem to be downward self-reducible and all NP problems can be reduced to NP-complete problems.

Would an algorithm that decides (but does not construct a "solution") an NP-complete problem in polynomial time be sufficient to prove P=NP?

Yes. P and NP are classes of decision problems. A binary yes/no answer is all that is required for decision problems. Thanks to self-reducibility a decision procedure is all that's needed to construct a solution as well.

Would such a proof have any impact on cryptography at all?

Maybe. If the degree of the polynomial required to solve NP-complete problems is large in the worst case, then decrypting conventionally encrypted strings might still turn out to be hard, just not exponentially so. If the degree required is small then one-time pads are going to enjoy a renaissance.

Kyle Jones
  • 1,921
1

The existence of one-way functions implies $\mathbf{P}\ne \mathbf{NP}$, hence if $\mathbf{P} = \mathbf{NP}$, one-way functions do not exist. In turn, the security of most cryptographic constructs (pseudorandom generators, encryption schemes, ...) implies the existence of one-way functions, so they cannot exist if one-way functions do not exist.

Note that the question of $\mathbf{P}$ vs. $\mathbf{NP}$ may be less relevant to practical cryptography than you think: if we can invert a one-way function in $p(n)$ time but the degree of $p$ is reasonably large, then inverting it will remain infeasible in practice. It is, however, very relevant to the theoretical foundations of cryptography, so cryptography in practice would become more suspect even if not outright impossible. (Maybe the NSA knows a polynomial of smaller degree...)

fkraiem
  • 3,169