From proff Sun Sep 8 01:01:47 1996
Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id BAA02678 for best-of-security; Sun, 8 Sep 1996 01:01:46 +1000
Received: from toad.com (toad.com [140.174.2.1]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id AAA02070 for ; Sun, 8 Sep 1996 00:46:57 +1000
Received: (from majordom@localhost) by toad.com (8.7.5/8.7.3) id GAA06781 for cypherpunks-outgoing; Sat, 7 Sep 1996 06:38:55 -0700 (PDT)
Received: from mailout1.h1.usa.pipeline.com (data1.h1.usa.pipeline.com [38.8.56.2]) by toad.com (8.7.5/8.7.3) with SMTP id GAA06773 for ; Sat, 7 Sep 1996 06:38:46 -0700 (PDT)
Received: from pipe3.t1.usa.pipeline.com by mailout1.h1.usa.pipeline.com (8.6.9/2.1-PSINet/Pipeline)
id NAA12748; Sat, 7 Sep 1996 13:38:15 GMT
Received: by pipe3.t1.usa.pipeline.com (8.6.12/SMI-5.4-PSI)
id NAA06648; Sat, 7 Sep 1996 13:38:09 GMT
Date: Sat, 7 Sep 1996 13:38:09 GMT
Message-Id: <199609071338.NAA06648@pipe3.t1.usa.pipeline.com>
To: cypherpunks@toad.com
Subject: Lattice Crypto
From: jya@pipeline.com (John Young)
X-PipeUser: jya
X-PipeHub: pipeline.com
X-PipeGCOS: (John Young)
X-Mailer: The Pipeline v3.4.0
Sender: proff
Precedence: bulk
The Economist, September 7, 1996, p. 79.
Cryptography: Puzzling secrets
The truly paranoid have but one friend: mathematics.
Nothing (and nobody) else can be as trusted to keep a
secret. To transmit your credit card number, for example,
through an Internet full of thieves, the best way is to
hide it in a mathematical problem so excruciatingly
difficult that no thief could ever crack it, even by
hijacking all the world's computers for the effort.
Devising such problems is the business of cryptographers.
To be useful, the problems must be easy to create as well
as impossible to unravel. Multiplying numbers is very
easy. Taking the result and working out what numbers were
multiplied together to produce it (known as
factorisation) is a lot more difficult. It is not obvious
that 4,294,967,297 is the product of 641 and 6,700,417.
The two smaller numbers in this calculation are prime:
that is, neither can be factorised into two further
smaller numbers. The coding systems generally used by
governments, businesses and software companies such as
Netscape (known as RSA encoding schemes, after Ronald
Rivest, Adi Shamir, and Leonard Adleman, who invented the
idea in 1977), mix a number even huger than 4,294,967,297
into a message, and then churn it in such a way that only
the number's prime factors can undo the mess. The big
number is used to make a "public key" (each user has his
own, but it is available to those who might wish to
communicate with him). The two prime factors compose a
private key, guarded carefully by their owner.
The trouble is that nobody is absolutely sure how safe
this scheme is. At present a public key that was 400
digits long would take existing computers longer than the
age of the universe to crack. But it remains to be proved
in a rigorous mathematical way that no systematic
short-cut exists. Indeed, some types of numbers are easy
to factorise, and RSA schemes must avoid these known
softies. It may yet turn out that, even if factorising is
hard in general (as mathematicians suspect, after
centuries of trying), there is a sneaky way, in the case
of some other types of numbers, to do it quickly.
This would be bad luck if you chose such a number.
Private users may not care much: it is unlikely that
someone who discovered such a loophole would use it for
anything so modest as unscrambling credit card numbers.
But governments, whose secrets are worth a lot more, are
always on the lookout for better cloaks to go with their
daggers. The ultimate cryptographic feat would therefore
be a mathematical proof that all choices of a particular
problem useful in code-making are forever intractable.
Nobody is that clever yet. But Miklos Ajtai, a
mathematician at the IBM Almaden Research Centre in San
Jose, California, has made progress with puzzles called
"lattice reductions". If you pick any such problem using
his guidelines, it is -- unlike a factorisation problem
-- guaranteed to be just as thorny as the most difficult
one imaginable. Since many mathematicians also suspect
that the toughest lattice-reduction problem is almost
impossible to crack, Dr Ajtai's proof, completed in May,
increases the confidence that they would all make good
wrappings for secret messages.
For mathematical aesthetes, lattice problems have more
panache than the dull numerals of factorisation. Instead
of factorising, say, a 200-digit number, a lattice
reduction invites the would-be codebreaker to deduce the
most basic way a pattern repeats itself in a piece of
200-dimensional decorative wallpaper. This is every bit
as hard as it sounds.
To describe a repeating pattern of rows and columns of
flowers on an ordinary piece of wallpaper, two "arrows"
suffice. Each points from one flower to a nearby one. If
you start with a wall which is blank, except for one
flower, you can reconstruct the entire design with the
arrows: lay the ends of the arrows on the flower and draw
new flowers (with new arrows) at each arrowtip. Repeat
the process with the new flowers and the wall will
eventually be full.
Although the obvious pair of arrows to choose in this
case would be at right angles to each other (eg, pointing
north and east) other pairs would also work: for example
north-east and east. But in this case the "north-east"
arrow would have to be longer to reach the centre of the
next flower than the "east" one. The puzzle is to find
the shortest set of arrows that can be used to replicate
the pattern -- easy in two or three dimensions, but
achingly complex in the higher-dimensional spaces that
the imaginations of mathematicians inhabit. By the time
the pattern has 200 dimensions, today's fastest computers
would be unable to find the 200 smallest arrows
describing an arbitrary pattern before the sun ran out of
fuel. Yet, as with two prime numbers, it is easy to begin
with those arrows and produce the design.
But how do you hide a secret message, accessible only
with a private key, in a publicly available lattice?
Shafi Goldwasser, Oded Goldreich and Shai Halevi, of the
Massachusetts Institute of Technology and the Weizmann
Institute, in Israel, have just proposed a way. In order
to encode a line of digits, they first interpret them as
coordinates for a point in the lattice. Then they mix up
the numbers by nudging that point a tiny random amount
into the empty space between lattice points. To retrieve
the original number, an eavesdropper would need to find
the way back to the nearest lattice point, which is
almost -- but not quite equivalent to knowing its
shortest arrows.
The trouble with it being not quite equivalent is that
the encoding scheme changes the problem slightly --
enough for it to fall just outside the range of Dr
Ajtai's proof that any instance of his lattice scheme is
as hard to solve as the most difficult one.
There is hope that the proof can be extended to include
the encryption scheme, or that the scheme can be modified
to fit the proof. But a proof that nobody could ever
invent a quick method to solve the toughest lattice
reduction would be nicer still -- except that its
inventor would put fellow code-breakers out of work. A
cryptographer who invented such a system might well be
tempted to keep it secret.
[Graphic of wallpaper omitted]
[End]