[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

*To*: [email protected]*Subject*: Lattice Crypto*From*: [email protected] (John Young)*Date*: Sat, 7 Sep 1996 13:38:09 GMT*Sender*: [email protected]

The Economist, September 7, 1996, p. 79. Cryptography: Puzzling secrets The truly paranoid have but one friend: mathematics. Nothing (and nobody) else can be as trusted to keep a secret. To transmit your credit card number, for example, through an Internet full of thieves, the best way is to hide it in a mathematical problem so excruciatingly difficult that no thief could ever crack it, even by hijacking all the world's computers for the effort. Devising such problems is the business of cryptographers. To be useful, the problems must be easy to create as well as impossible to unravel. Multiplying numbers is very easy. Taking the result and working out what numbers were multiplied together to produce it (known as factorisation) is a lot more difficult. It is not obvious that 4,294,967,297 is the product of 641 and 6,700,417. The two smaller numbers in this calculation are prime: that is, neither can be factorised into two further smaller numbers. The coding systems generally used by governments, businesses and software companies such as Netscape (known as RSA encoding schemes, after Ronald Rivest, Adi Shamir, and Leonard Adleman, who invented the idea in 1977), mix a number even huger than 4,294,967,297 into a message, and then churn it in such a way that only the number's prime factors can undo the mess. The big number is used to make a "public key" (each user has his own, but it is available to those who might wish to communicate with him). The two prime factors compose a private key, guarded carefully by their owner. The trouble is that nobody is absolutely sure how safe this scheme is. At present a public key that was 400 digits long would take existing computers longer than the age of the universe to crack. But it remains to be proved in a rigorous mathematical way that no systematic short-cut exists. Indeed, some types of numbers are easy to factorise, and RSA schemes must avoid these known softies. It may yet turn out that, even if factorising is hard in general (as mathematicians suspect, after centuries of trying), there is a sneaky way, in the case of some other types of numbers, to do it quickly. This would be bad luck if you chose such a number. Private users may not care much: it is unlikely that someone who discovered such a loophole would use it for anything so modest as unscrambling credit card numbers. But governments, whose secrets are worth a lot more, are always on the lookout for better cloaks to go with their daggers. The ultimate cryptographic feat would therefore be a mathematical proof that all choices of a particular problem useful in code-making are forever intractable. Nobody is that clever yet. But Miklos Ajtai, a mathematician at the IBM Almaden Research Centre in San Jose, California, has made progress with puzzles called "lattice reductions". If you pick any such problem using his guidelines, it is -- unlike a factorisation problem -- guaranteed to be just as thorny as the most difficult one imaginable. Since many mathematicians also suspect that the toughest lattice-reduction problem is almost impossible to crack, Dr Ajtai's proof, completed in May, increases the confidence that they would all make good wrappings for secret messages. For mathematical aesthetes, lattice problems have more panache than the dull numerals of factorisation. Instead of factorising, say, a 200-digit number, a lattice reduction invites the would-be codebreaker to deduce the most basic way a pattern repeats itself in a piece of 200-dimensional decorative wallpaper. This is every bit as hard as it sounds. To describe a repeating pattern of rows and columns of flowers on an ordinary piece of wallpaper, two "arrows" suffice. Each points from one flower to a nearby one. If you start with a wall which is blank, except for one flower, you can reconstruct the entire design with the arrows: lay the ends of the arrows on the flower and draw new flowers (with new arrows) at each arrowtip. Repeat the process with the new flowers and the wall will eventually be full. Although the obvious pair of arrows to choose in this case would be at right angles to each other (eg, pointing north and east) other pairs would also work: for example north-east and east. But in this case the "north-east" arrow would have to be longer to reach the centre of the next flower than the "east" one. The puzzle is to find the shortest set of arrows that can be used to replicate the pattern -- easy in two or three dimensions, but achingly complex in the higher-dimensional spaces that the imaginations of mathematicians inhabit. By the time the pattern has 200 dimensions, today's fastest computers would be unable to find the 200 smallest arrows describing an arbitrary pattern before the sun ran out of fuel. Yet, as with two prime numbers, it is easy to begin with those arrows and produce the design. But how do you hide a secret message, accessible only with a private key, in a publicly available lattice? Shafi Goldwasser, Oded Goldreich and Shai Halevi, of the Massachusetts Institute of Technology and the Weizmann Institute, in Israel, have just proposed a way. In order to encode a line of digits, they first interpret them as coordinates for a point in the lattice. Then they mix up the numbers by nudging that point a tiny random amount into the empty space between lattice points. To retrieve the original number, an eavesdropper would need to find the way back to the nearest lattice point, which is almost -- but not quite equivalent to knowing its shortest arrows. The trouble with it being not quite equivalent is that the encoding scheme changes the problem slightly -- enough for it to fall just outside the range of Dr Ajtai's proof that any instance of his lattice scheme is as hard to solve as the most difficult one. There is hope that the proof can be extended to include the encryption scheme, or that the scheme can be modified to fit the proof. But a proof that nobody could ever invent a quick method to solve the toughest lattice reduction would be nicer still -- except that its inventor would put fellow code-breakers out of work. A cryptographer who invented such a system might well be tempted to keep it secret. [Graphic of wallpaper omitted] [End]

- Prev by Date:
**Re: Court challenge to AOL junk-mail blocks** - Next by Date:
**Re: Court challenge to AOL junk-mail blocks** - Prev by thread:
**RE: IDC_ard** - Next by thread:
**forward secrecy in mixmaster** - Index(es):