Why cryptography is not based on NP-complete problems

There is one cryptosystem that uses an NP-hard problem for its security: the McEliece cryptosystem. The problem used here is decoding a generalized version of an error correcting code, which can be made both NP-hard in theory and in practice if you use the right kind of code. It is reliant on using very specific algorithmic parameters to stay hard, though. However, the versions that are not broken are likely post-quantum ready.

The article is a bit confusing (to me as a layman), basically as I understand it&#x27;s saying that the reason we can&#x27;t form cryptosystems out of arbitrary NP-complete problems is because there exist randomized algorithms that work for 99% of inputs (average vs. worst-case complexity, e.g. why the simplex algorithm works in practice). But there are some things missing:<p>* We know that randomized algorithms exist for NP-complete problems. But couldn&#x27;t we have some problem in NP that while reducible to e.g. 3SAT always reduce to &quot;very hard&quot; instances?<p>* Conversely, there&#x27;s no guarantee that there doesn&#x27;t exist a randomized algorithm for something that&#x27;s NP-hard (and not in NP), right?<p>The argument along the lines of NP-complete vs NP-hard seems to be a non-sequitur, since the actual distinction is average vs. worst-case hardness right? It may just so happen that all currently known problems in NP are easy &quot;on average&quot;, but I don&#x27;t think that&#x27;s formally guaranteed.<p>Edit: <a href="https:&#x2F;&#x2F;theory.stanford.edu&#x2F;~trevisan&#x2F;average&#x2F;slides.pdf" rel="nofollow">https:&#x2F;&#x2F;theory.stanford.edu&#x2F;~trevisan&#x2F;average&#x2F;slides.pdf</a> seems to imply that (1) is an open question.

&gt; For example, it could be possible that, if we generated a random map in some way, 99% percent of the time, the three-color map coloring problem would be easy, but 1% of the time, it would be very difficult.<p>&gt; This would still be NP-complete, but would make for a terrible cryptosystem - a scheme based on this problem would be easily broken 99% of the time!<p>I don’t think this explanation is great. We could just generate instances until we found the hard one and then use it. So the answer is more complex than just as written.

This seems like a definition issue, with respect to the set from which we are randomly sampling... what constitutes the problem? If you randomly select numbers and try to factor them--which to me seems like a fair way to define the problem: factoring, not two-primes factoring--the vast majority of numbers are, in fact, very easy to factor ;P. Instead, we say we only want to randomly select a number which is only two primes multiplied together in order to find the juicy hard versions of the problem. (And, even then, finding those numbers isn&#x27;t precise! We rely on probabilistic primarily tests to weed out numbers that are probably not prime.)<p>Similarly, who is to say that there isn&#x27;t some way to define what the hard instances of NP-complete problems are, and we just should be sampling from that difficult region of the problem space instead of all possible problems, the same way we sample only from the difficult-to-factor coprimes instead of from all possible numbers? There is definitely something interesting going on with the harder instances of these problems, and researchers have managed to discover a kind of &quot;phase transition&quot; among instances of some of the problems between ones with so many solutions they are easy and ones with so few solutions they are also once again easy (and my knowledge on this is about 20 years rusty and outdated... maybe this is better understood and characterized now).

The RSA problem in article doesn&#x27;t mention that RSA&#x27;s difficulty is based on MODULUS prime factorization, not simple prime factorization.<p><a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;RSA_(cryptosystem)" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;RSA_(cryptosystem)</a>

&gt; Instead, cryptography needs problems that are hard in the average case, like the RSA problem, the discrete logarithm for elliptic curves, and the shortest vector problem for lattices. We don’t technically know whether these are NP-complete<p>But we <i>do</i> know that the shortest vector problem is NP-hard (in Linf norm), and so is its decision version [1]. We don&#x27;t have a reduction in the other direction, but we know that SVP is as-hard-as-NP-complete-or-harder.<p>This goes against the general argument of the article, but only weakly so, because I think lattice-based systems are less broadly deployed than elliptic curves or factoring (not a crypto person, though).<p>[1] H. Bennett, &quot;The Complexity of the Shortest Vector Problem.&quot;, 2022 <a href="https:&#x2F;&#x2F;simons.berkeley.edu&#x2F;sites&#x2F;default&#x2F;files&#x2F;docs&#x2F;21271&#x2F;svp-simons.pdf" rel="nofollow">https:&#x2F;&#x2F;simons.berkeley.edu&#x2F;sites&#x2F;default&#x2F;files&#x2F;docs&#x2F;21271&#x2F;s...</a>

The keyword not mentioned here is one-way function. Cryptography is for the most part based on candidates for one-way functions: functions that are easy to perform on any input but difficult to undo on average. The existence of such a function would imply that P is not NP but the converse doesn&#x27;t hold.

Another problem with NP-hard is that it only covers deterministic algorithms.<p>Even if most instances of a problem are deterministically hard, they might still have a randomized algorithm which solves them feasibly.

Aren&#x27;t hash functions a counterexample? There have been attempts at using SAT solvers to find preimage and collision attacks on them.

Surely because of Goldreich &amp; Wasserstein&#x27;s result that public key encryption based on NP completeness necessitates NP=co-NP?

Does this mean there is a relationship between the NP completeness of a problem and the worst case time complexity of algorithms which solve it?

Some of the graphics have black text on a transparent background and so are hard to read with a dark theme.

slightly off topic but I would like to understand better why there is handwringing going around about cryptosystems being broken by future quantum computers. Don&#x27;t we already have quantum resistant cryptosystems? Why not just switch to them across the board?

The author should’ve stayed in the NP class and not drop out.

It&#x27;s unfortunate that he doesn&#x27;t understand complexity analysis and has taken it upon himself to write an article that requires it as an underpinning.<p>In particular, I stopped reading at<p>&gt; the discrete logarithm for elliptic curves, ... We don’t technically know whether these are NP-complete<p>This is wildly misleading. We do know with absolute certainty that the decision problem for DLC is NP-Hard, and therefore that EPDLC inherits at least NP-Hardness. While it is true that their presence in NP-Hard does not require their pressence in NP (and thus are not proved NP Complete), it is misleading to characterize as the author has here that they are <i>weaker</i> than NP, instead of the known certainty that NP is the absolute minimum bound for their hardness.