
In document Contemporary Cryptography pdf (Page 189-194)

Complexity Theory

Definition 6.16 (Complexity class BPP) BPP ("bounded-error probabilistic polynomial time") is a subclass of PP that comprises all decision problems D ⊆ {0,1}* for which a probabilistic polynomial-time Turing machine M exists such that for every input x ∈ {0,1}*

Pr[M outputs Yes | x ∈ D] ≥ ε

and

Pr[M outputs Yes | x ∉ D] ≤ δ

with ε ∈ (1/2, 1] and δ ∈ [0, 1/2).

Note that we must require that ε ≠ 1 and δ ≠ 0. Otherwise, the subclass BPP degenerates to ZPP, PP-Monte Carlo, or PP-Las Vegas.

The complexity class P and the various subclasses of PP can be ordered as follows:

P ⊆ ZPP ⊆ PP-Monte Carlo ⊆ BPP ⊆ PP

P ⊆ ZPP ⊆ PP-Las Vegas ⊆ BPP ⊆ PP
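As an added illustration of Definition 6.16, of the note that ε ≠ 1 and δ ≠ 0 are required for a proper BPP machine, and of why BPP sits above the one-sided classes in the ordering above (this is example code written for this page, not code from the book), the following Python simulates a bounded-error decider for a constructed toy problem and computes exactly how the error shrinks when k independent runs are combined by majority vote. The set D, the single-run parameters ε = 3/4 and δ = 1/4, and all function names are assumptions chosen for illustration.

```python
import math
import random

# Constructed toy decision problem (an assumption made for this example):
# D = bit strings with an odd number of 1s.  Membership is trivial to decide
# exactly; the noisy decider below deliberately injects two-sided error so the
# amplification behaviour of a bounded-error machine can be observed.
def in_D(x: str) -> bool:
    return x.count("1") % 2 == 1

EPSILON = 0.75   # assumed Pr[M outputs Yes | x in D]     (must exceed 1/2)
DELTA = 0.25     # assumed Pr[M outputs Yes | x not in D] (must be below 1/2)


def noisy_decider(x: str, rng: random.Random) -> bool:
    """One run of a simulated BPP-style machine M for D: answers Yes with
    probability EPSILON when x is in D and with probability DELTA otherwise."""
    p_yes = EPSILON if in_D(x) else DELTA
    return rng.random() < p_yes


def majority_error(p_wrong: float, k: int) -> float:
    """Exact probability that the majority of k independent runs (k odd, so
    there are no ties), each wrong with probability p_wrong, is wrong."""
    if k % 2 == 0:
        raise ValueError("k must be odd")
    return sum(math.comb(k, j) * p_wrong ** j * (1 - p_wrong) ** (k - j)
               for j in range((k + 1) // 2, k + 1))


def runs_needed(p_wrong: float, target: float) -> int:
    """Smallest odd k for which the majority error is at most target."""
    if not 0.0 <= p_wrong < 0.5:
        raise ValueError("majority vote only amplifies when p_wrong < 1/2")
    k = 1
    while majority_error(p_wrong, k) > target:
        k += 2
    return k


def one_sided_error(p_wrong: float, k: int) -> float:
    """Error after k runs of a one-sided-error machine (the degenerate cases
    EPSILON = 1 or DELTA = 0): a conclusive answer can never be wrong, so the
    runs are combined by OR/AND instead of majority and the error is p_wrong^k."""
    return p_wrong ** k


def amplified_decider(x: str, k: int, rng: random.Random) -> bool:
    """Run the noisy decider k times and return the majority answer."""
    votes = sum(noisy_decider(x, rng) for _ in range(k))
    return votes > k // 2


if __name__ == "__main__":
    # Single-run error of the toy machine: 1 - EPSILON on members, DELTA on
    # non-members; the majority vote has to beat the larger of the two.
    p_wrong = max(1 - EPSILON, DELTA)
    for k in (1, 3, 11, 51):
        print(f"k={k:3d}  majority error={majority_error(p_wrong, k):.3e}"
              f"  one-sided error={one_sided_error(p_wrong, k):.3e}")
    print("runs for majority error <= 2^-40:", runs_needed(p_wrong, 2.0 ** -40))
    rng = random.Random(2024)
    for x in ("0", "1", "1011", "1100"):
        print(x, "in D:", in_D(x), " amplified answer:", amplified_decider(x, 101, rng))
```

The check in `runs_needed` is the whole point of the "bounded" in bounded error: majority voting only drives the error down when the single-run error is strictly below 1/2, which is exactly what ε > 1/2 and δ < 1/2 guarantee. The one-sided column shows why the degenerate cases (ε = 1 or δ = 0, i.e., PP-Monte Carlo and PP-Las Vegas) are cheaper to amplify: there a single conclusive answer settles the instance, so the error falls as p^k rather than as a binomial tail.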

The challenging question is whether the inclusions are strict or not. In either case, algorithms that can solve problems in any of these complexity classes (not only P) are called efficient, and the problems themselves are called tractable. Problems that are not tractable in this sense are called intractable. But keep in mind that polynomials can have vastly different degrees, and hence algorithms that solve tractable problems can still have vastly different time complexities. Therefore, an efficient algorithm for solving a tractable problem need not be efficient for all practical purposes. Against this background, people sometimes use the term practically efficient to refer to polynomial-time algorithms where the polynomials have considerably small degrees.

6.7 FINAL REMARKS

In this chapter, we overviewed and discussed the fundamentals and results from complexity theory as far as they are relevant for contemporary cryptography. It should have become clear that complexity theory provides a useful mathematical theory and tool to argue about the (computational) security of a cryptographic system. In fact, complexity theory is one of the foundations (and probably the most important foundation) for modern cryptography. The notion of an efficient (polynomial-time) computation is at the core of complexity-theoretic considerations. In fact, the complexity classes P, PP, and the subclasses of PP yield tractable problems (i.e., problems for which efficient deterministic or probabilistic algorithms are known). Contrary to that, the complexity classes NP and coNP comprise intractable problems (i.e., problems for which efficient algorithms are not known).¹¹

Against this background, the P = NP conjecture plays a fundamental role in complexity-theoretic cryptography.

In spite of its usefulness, there are also a couple of shortcomings and limitations related to complexity theory that must be known and should be considered with care (e.g., [12]). For example, it is impossible to elaborate on the computational complexity of a specific function (or algorithm that implements the function). Instead, one always has to consider an infinite class of functions (or algorithms). This is unfortunate and sometimes inappropriate, because many concrete cryptographic systems employ functions that are fixed and for which an asymptotic extension is not at all obvious. Furthermore, as mentioned earlier, the distinction between efficient (i.e., polynomial-time) algorithms and inefficient (i.e., super-polynomial-time) algorithms is vague. It sometimes leads to a situation in which a theoretically efficient algorithm is practically so inefficient that it is infeasible to execute it on any reasonably sized input. To make things worse, complexity theory deals with worst-case complexity. This concept is questionable in cryptography, where breaking a system must be hard for almost all problem instances, not just some of them. There are some results addressing the average-case complexity of problems (e.g., [13]). Note, however, that in cryptography even average-case complexity results are not good enough, because problems must be hard for almost all instances. Furthermore, instead of proving the hardness of finding an exact solution for a computational problem, one may want to reason that even approximating the exact solution is intractable (again, complexity theory is inappropriate for this kind of reasoning). As already mentioned at the beginning of Section 6.2, an inherent difficulty of complexity theory is related to the fact that the state of the art in lower bound proofs for the computational complexity of a problem is poor. From a cryptographic viewpoint, it would be nice to have (and prove) some nontrivial lower bounds (be they polynomial or super-polynomial) for the complexity of breaking a concrete cryptographic system. Unfortunately, we are far away from that.

Finally, we noted that all computational models in use today are equivalent from a complexity-theoretic viewpoint. The discussion about the right model of computation, however, was reopened when Shor showed that certain problems can be solved in polynomial time on a quantum computer and Adleman showed that the same may be true for a DNA computer (see Section 6.5). A lot of research is currently being done (and large amounts of money are being spent) in quantum and DNA computing; hence, it will be interesting to see how these topics advance in the future.

¹¹ Note that it is not known whether such algorithms are only not known or whether they do not exist in the first place.

References

[1] Garey, M.R., and D.S. Johnson, Computers and Intractability: A Guide to the Theory of NP-Completeness. W. H. Freeman & Co., New York, 1979.

[2] Papadimitriou, C.H., Computational Complexity. Addison-Wesley, Reading, MA, 1993.

[3] Hopcroft, J.E., R. Motwani, and J.D. Ullman, Introduction to Automata Theory, Languages, and Computation, 2nd edition. Addison-Wesley, Reading, MA, 2001.

[4] Menezes, A., P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography. CRC Press, Boca Raton, FL, 1996.

[5] Shor, P.W., "Algorithms for Quantum Computation: Discrete Logarithms and Factoring," Proceedings of the IEEE 35th Annual Symposium on Foundations of Computer Science (FOCS), Santa Fe, NM, November 1994, pp. 124–134.

[6] Shor, P.W., "Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer," SIAM Journal of Computing, October 1997, pp. 1484–1509.

[7] Vandersypen, L.M.K., et al., "Experimental Realization of Shor's Quantum Factoring Algorithm Using Nuclear Magnetic Resonance," Nature, Vol. 414, 2001, pp. 883–887.

[8] Nielsen, M., and I.L. Chuang, Quantum Computation and Quantum Information. Cambridge University Press, Cambridge, UK, 2000.

[9] Adleman, L.M., "Molecular Computation of Solutions to Combinatorial Problems," Science, Vol. 266, November 1994, pp. 1021–1024.

[10] Lipton, R.J., "DNA Solution of Hard Computational Problems," Science, Vol. 268, April 1995, pp. 542–545.

[11] Păun, G., G. Rozenberg, and A. Salomaa, DNA Computing: New Computing Paradigms. Springer-Verlag, New York, 1998.

[12] Maurer, U.M., Cryptography 2000±10, Springer-Verlag, New York, LNCS 2000, 2000, pp. 63–85.

[13] Ajtai, M., "Generating Hard Instances of Lattice Problems," Proceedings of 28th ACM Sympo-
