P vs. NP and Quantum Computation Sandy Kutin CSPP 532 8/21/01
Overview
We’ll define some classes of problems:
  P: Polynomial time (quick calculations)
  NP: Search problems (most cryptographic problems)
  NP-complete: The hardest search problems
We’ll discuss a little bit about quantum computation:
  Why it may one day break RSA
  How we could design a system which quantum computers can’t break (we think)
Computability Theory
What is a “computer”, and what can it do?
1936: Alan Turing defines the Turing Machine
  Idealized computer: internal state, I/O tape
1936: Church-Turing thesis: Any “reasonable” computing device is equivalent to a Turing machine
Focus was on computability of a function: Is there a Turing machine which computes the function, and never gets stuck in a loop?
Complexity Theory
Pre-1960s: “Can it be done?” Now: “How much work does it take?”
Measurements of algorithmic complexity:
  Time complexity: how many steps
  Space complexity: how much memory
Example: find a collision in an n-bit hash:
  Brute force: 2^n steps, constant memory
  Birthday attack: roughly 2^(n/2) steps, 2^(n/2) memory
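As an added example (not from the slides), the two collision searches just described, run against a k-bit truncation of SHA-256 so that the step and memory counts can be observed directly:

```python
import hashlib
from itertools import count

def h(msg: bytes, k: int) -> int:
    """Toy k-bit hash: the top k bits of SHA-256. Truncation is only so the
    searches finish quickly; the analysis is the same for a real n-bit hash."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - k)

def brute_force_collision(k: int):
    """Fix one message and try candidates until another one hashes to the same
    value. Constant memory, but about 2**k steps on average."""
    target = b"msg-0"                      # constructed sample input
    t = h(target, k)
    for i in count(1):
        msg = b"msg-%d" % i                # constructed sample input
        if h(msg, k) == t:
            return target, msg, i          # (m1, m2, steps taken)

def birthday_collision(k: int):
    """Remember every value seen and stop at the first repeat. By the birthday
    bound this takes roughly 2**(k/2) steps and stores about that many values."""
    seen = {}                              # hash value -> message
    for i in count():
        msg = b"msg-%d" % i                # constructed sample input
        d = h(msg, k)
        if d in seen:
            return seen[d], msg, i + 1, len(seen)   # (m1, m2, steps, memory)
        seen[d] = msg

if __name__ == "__main__":
    m1, m2, steps, memory = birthday_collision(16)
    print(f"16-bit birthday: {m1!r} and {m2!r} collide after {steps} steps, {memory} stored")
    a, b, steps = brute_force_collision(12)
    print(f"12-bit brute force: {a!r} and {b!r} collide after {steps} steps")
```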
P
Cobham, ’64; Edmonds, ’65: P = decision problems computable in polynomial time
  Decision problem: yes/no answer
  Polynomial time: the number of steps a Turing Machine takes is < n^d, where n is the length of the input (in bits) and d is the degree
Different definitions of “Turing Machine” and “step” exist, but polynomial time doesn’t change
  Example: Euclid’s algorithm takes 2n steps, or 2n^3 bit operations; both polynomial
Rates of Growth
Solvable problem size as a function of time:

  Running time   1 day   1 week   1 year   1000 years
  n              50      350      18,250   18 million
  n^2            50      132      955      30,208
  n^20           50      55.1     67.2     94.9
  2^(n/2)        50      55.6     67.0     87.0
  2^n            50      52.8     58.5     68.5

Moore’s Law: Computer speed doubles every 18 months
  So “1000 years” today could be 1 day in 2029
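An added worked example (not part of the slides) that derives the table above from the growth rates, taking the size-50 instance as the one-day baseline, and applies the Moore’s-law projection from the talk’s year, 2001:

```python
import math

BASE_SIZE = 50                 # instance size that takes one day today (first column)
PERIODS = {"1 day": 1, "1 week": 7, "1 year": 365, "1000 years": 365_000}  # budgets in days

# If T(n) = n^d and size n0 takes one day, a budget of t days reaches n = n0 * t^(1/d).
# If T(n) = 2^(n/c), the same budget only reaches n = n0 + c * log2(t): every doubling
# of the time budget buys just c more bits of input.
GROWTH = {
    "n":       lambda t: BASE_SIZE * t,
    "n^2":     lambda t: BASE_SIZE * t ** (1 / 2),
    "n^20":    lambda t: BASE_SIZE * t ** (1 / 20),
    "2^(n/2)": lambda t: BASE_SIZE + 2 * math.log2(t),
    "2^n":     lambda t: BASE_SIZE + math.log2(t),
}

def solvable_sizes() -> dict:
    """Largest solvable size for every growth rate and every time budget."""
    return {name: {p: f(t) for p, t in PERIODS.items()} for name, f in GROWTH.items()}

def year_when_one_day(days: float, doubling_years: float = 1.5,
                      start_year: int = 2001) -> int:
    """Moore's law: speed doubles every `doubling_years`, so a job taking `days`
    today needs log2(days) doublings to fit in one day. start_year is the talk's date."""
    return math.ceil(start_year + math.log2(days) * doubling_years)

if __name__ == "__main__":
    sizes = solvable_sizes()
    print(f"{'':10}" + "".join(f"{p:>12}" for p in PERIODS))
    for name, row in sizes.items():
        print(f"{name:10}" + "".join(f"{v:>12,.1f}" for v in row.values()))
    print("1000 years today is 1 day in", year_when_one_day(PERIODS["1000 years"]))
```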
Problems in P
Input: A, B. Output: is gcd(A,B) = 1?
Input: A, N. Output: does A divide N?
Input: A, N. Output: is A a Miller-Rabin witness to N being composite?
Decryption (if D_K is polynomial-time)
  Input: ciphertext C, key K. Output: is there ASCII text M so that E_K(M) = C?
  Algorithm: let M = D_K(C), see if it’s ASCII (i.e., see if each byte in M is printable ASCII)
Graph 2-colorability
A graph has n vertices; edges go between vertices
Adjacent vertices must get different colors
Input: graph. Output: Is it 2-colorable?
[Figure: two example graphs, labelled “Yes” and “No”]
Exponential time
Some problems take more than polynomial time (we think):
  Input: N. Output: Is N composite?
  Input: N, K. Output: Does N have a factor less than K?
  Input: Ciphertext C. Output: Is there a key K and an ASCII message M so that E_K(M) = C?
EXP is the class of decision problems which take exponential time to solve
But: we can be more precise
NP
Informally, NP means “search problems”
Two formal characterizations
#1: Non-deterministic polynomial time
  Machine starts by making all possible guesses
  Works on each simultaneously (polynomial time)
  If any “computation path” (guess) produces a “yes” answer, output “yes”
  Otherwise, output “no”
Example: Is N composite?
  Our initial “guess” is a possible factor F
  We check to see if each F divides N; this takes polynomial time
  If any F divides N, then “N is composite”
Also solves: Does N have a factor less than K?
Could be lots of guesses, very few leading to “Yes”; that’s fine
[Figure: guess tree for N = 589; guesses 2, 3, 5, 7, 9, 11, 13, 15, 17, 19, 21, 23; only F = 19 answers Y]
More NP examples
Could do Miller-Rabin for “Is N composite?”
  Guess is a number A < N
  Computation: is A a Miller-Rabin witness?
  If there’s a witness, answer “Yes”. If not, “No”.
Another example: Decryption problem
  Input: Ciphertext C. Output: Is there a key K and an ASCII message M so that E_K(M) = C?
  Guess is a possible key K
  Computation: is D_K(C) an ASCII message?
Another characterization
A problem in P looks like: f(x) = 1?
  f(x) is polynomial-time in the length of x
A problem in NP is: ∃y (f(x,y) = 1)?
  In words: does there exist a number y such that f(x,y) is 1? (We’re “searching” for y.)
  y is the proof, or witness; polynomial-size in x
  y corresponds to the non-deterministic “guess”
  Again, f(x,y) is polynomial-time
  Polynomial-time verifiable proof
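An added example (not from the slides) of the ∃y f(x,y) = 1 view covering the three NP examples above: each `check` is the polynomial-time f, each guess is a candidate witness y, and the non-deterministic machine is simulated by running f on every guess. The single-byte XOR “cipher” is a constructed stand-in for D_K, not a real cipher.

```python
def verify_factor(n: int, f: int) -> bool:
    """f(x, y) for 'Is N composite?' with a factor as the witness: one division."""
    return 1 < f < n and n % f == 0

def is_miller_rabin_witness(n: int, a: int) -> bool:
    """f(x, y) for the Miller-Rabin formulation: True if a proves odd n > 2 composite.
    Write n-1 = 2^s * d with d odd and look at a^d, a^(2d), ..., a^(2^(s-1) d) mod n.
    For prime n, a^d is 1 or the sequence reaches n-1; anything else is a witness."""
    if n < 3 or n % 2 == 0:
        raise ValueError("n must be an odd integer > 2")
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return False
    for _ in range(s - 1):
        x = pow(x, 2, n)
        if x == n - 1:
            return False
    return True

def ascii_after_xor(c: bytes, k: int) -> bool:
    """f(x, y) for the decryption problem; the toy D_K is XOR with one key byte
    (constructed for this example). Checks that every byte is printable ASCII."""
    return all(32 <= (b ^ k) < 127 for b in c)

def all_paths(instance, guesses, check) -> dict:
    """Simulate the non-deterministic machine: run the polynomial-time check on
    every guess (the slide's tree, one path per guess) and record each answer."""
    return {g: check(instance, g) for g in guesses}

def np_answer(instance, guesses, check) -> bool:
    """'Yes' iff some computation path says yes, i.e. a witness y exists."""
    return any(all_paths(instance, guesses, check).values())

if __name__ == "__main__":
    tree = all_paths(589, [2, 3, 5, 7, 9, 11, 13, 15, 17, 19, 21, 23], verify_factor)
    print("589:", " ".join(f"{g}:{'Y' if ok else 'N'}" for g, ok in tree.items()))
    print("2 is a Miller-Rabin witness for 589:", is_miller_rabin_witness(589, 2))
    c = bytes(b ^ 0x5A for b in b"meet at noon")      # constructed ciphertext
    print("some key yields printable ASCII:", np_answer(c, range(256), ascii_after_xor))
```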
P = NP ?
Intuitively: P is the class of “easy” problems, NP the class of “hard” problems
Conjecture (Edmonds, 1965)? P ≠ NP
Nobody knows
[Figure: diagram of P inside NP, with COMP and FACT marked]
NP-completeness
(Cook, 1971) A problem is NP-complete if: it’s in NP, and it’s as hard as anything in NP
Cook-Levin Theorem: uses the “reduction” idea
Example (Karp, 1972): graph 3-colorability
[Figure: three example graphs for 3-colorability, labelled “?”, “No” and “Yes”]
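An added example (not the slides’ own code) contrasting the two graph problems: 2-colorability is decided in polynomial time by BFS, while for 3-colorability only the witness check is polynomial and finding a coloring falls back to searching the 3^n assignments.

```python
from collections import deque
from itertools import product

def two_color(n: int, edges):
    """Decide 2-colorability in O(n + |E|): BFS each component, alternating the
    color across every edge. Returns a coloring, or None when some edge ends up
    with equal endpoints (the graph contains an odd cycle)."""
    adj = [[] for _ in range(n)]
    for u, v in edges:
        adj[u].append(v)
        adj[v].append(u)
    color = [None] * n
    for start in range(n):
        if color[start] is not None:
            continue
        color[start] = 0
        queue = deque([start])
        while queue:
            u = queue.popleft()
            for v in adj[u]:
                if color[v] is None:
                    color[v] = 1 - color[u]
                    queue.append(v)
                elif color[v] == color[u]:
                    return None
    return color

def verify_coloring(edges, coloring, k: int) -> bool:
    """The NP witness check f(graph, coloring): polynomial in the graph size."""
    return (all(0 <= c < k for c in coloring)
            and all(coloring[u] != coloring[v] for u, v in edges))

def find_coloring(n: int, edges, k: int):
    """Exhaustive search over the k**n possible witnesses: the non-deterministic
    'guess' made explicit. Exponential in n; no polynomial method is known for k = 3."""
    for coloring in product(range(k), repeat=n):
        if verify_coloring(edges, coloring, k):
            return coloring
    return None

if __name__ == "__main__":
    square = [(0, 1), (1, 2), (2, 3), (3, 0)]          # constructed: even cycle
    triangle = [(0, 1), (1, 2), (2, 0)]                # constructed: odd cycle
    k4 = [(i, j) for i in range(4) for j in range(i + 1, 4)]   # constructed: K4
    print("square 2-coloring:", two_color(4, square))
    print("triangle 2-coloring:", two_color(3, triangle), " 3-coloring:", find_coloring(3, triangle, 3))
    print("K4 3-coloring:", find_coloring(4, k4, 3))
```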
Quantum Computation
Quantum mechanics:
  If you send a photon through a polarizer, it’s half in one orientation, half in another
  Combine n photons: you’re simultaneously in 2^n states (this is called a superposition)
  The system collapses when you measure it
Weird idea (Feynman, 1982): This is kind of like non-determinism
  Maybe we could build a “quantum computer”
Quantum Cats
Two cats in a box
Based on a photon, one is released
Quantum cat is a superposition of cats
See a tail – superposition of tails
Look at face; collapse into one classical cat
[Figure: Elwood and Jake]
What’s a qubit?
Unit of computation: quantum bit, or qubit
Enter superposition
Do computation “in alternate universes”
If we just measure, this is probabilistic; chance of success may be small
If we can use quantum interference, we can increase the chance of observing the right answer
[Figure: the guess tree for N = 589 from the NP example]
Quantum Computers: Theory
QP = class of problems solvable in polynomial time by a quantum computer
Could we actually build a quantum computer?
Are any interesting problems in QP, but not P?
Grover (1996): n-bit search in 2^(n/2)
  Nice, but still exponential time
Shor (1994): factoring, discrete log in QP
  A quantum computer could break RSA
  We still have a long way to go to build one
Complexity (we think)
[Figure: diagram of P, QP and NP, with COMP, FACT and the NP-complete problems marked]
Usual assumption: P smaller than QP, which is smaller than NP
Many people believe “Is N composite?” is in P; most believe factoring is not in P
The Future of Cryptography
Can we design a cryptosystem based on an NP-complete problem?
  As secure as it can be; quantum won’t work
  Problem: 3-colorability is hard in the worst case
  We need average-case hardness; we want to generate graphs so 3-colorings are hard to find
  This is an active area of research
Quantum Key Exchange (1984)
  Eve can’t listen without being detected, by Heisenberg’s Uncertainty Principle