
A New Provable Factoring Algorithm - mr_tyzic
http://rjlipton.wordpress.com/2014/10/18/a-new-provable-factoring-algorithm/
======
Sniffnoy
I'm a little confused as to what distinction is being made here between
"provable" and "unprovable" factoring algorithms. Is it just that "provable"
ones may output the correct result all the time, while "unprovable" ones are
probabilistic and output the correct result with high probability? (E.g.,
roughly the distinction between P or ZPP on the one hand and BPP on the other
hand, if these hypothetically ran in polynomial time and we were talking about
decision problems.) Or is something even weaker meant by "unprovable", like
returning possibly incorrect results based not on a random input but on the
number to be factored? I assume it's the former -- if it were the latter I'd
say such things are not really factoring algorithms, practically useful as
they might be -- but the way it's worded isn't exactly clear.

~~~
algorias
Well, in math some things are true but not provable unless our formal system
is inconsistent. This is one of Gödel's incompleteness theorems.

It's therefore not far fetched that some algorithms might in fact always work
correctly, but at the same time a proof for their correctness doesn't exist.
You can never be sure (literally!) that you're not just confusing it with an
algorithm that's wrong but happens to work on all problem instances you've
thrown at it so far.

IIUC, when the article says unprovable, what it actually means is unproven. To
correctly describe an algorithm as unprovable, you would have to have a proof
of its unprovability, which would be quite something.

~~~
thaumasiotes
There's no obstacle in principle to proving that something can't be proved. As
far as I understand things, the continuum hypothesis has been shown to be
unprovable within ZFC (since ZFC is consistent with both the truth and the
falsity of the continuum hypothesis, obviously it is unable to prove the
hypothesis true or false), and theoretical computer science produces results
of the form "to prove X, the following kinds of approaches cannot work".

~~~
JadeNB
"ZFC is consistent with …" must, of course, be replaced by "If ZFC is
consistent, then so are …".

In fact, singling out ZFC gives you another example of this kind of result: if
ZF is consistent, then so are ZF+C and ZF-C.

~~~
thaumasiotes
That all depends whether you're comfortable saying a contradiction is
"consistent" with an unrelated proposition; I don't see much of a problem with
it. Contradictions, being impossible, are logically consistent with everything
else. I guess unprovable propositions _would_ switch over to being provable,
though.

~~~
JadeNB
> That all depends whether you're comfortable saying a contradiction is
> "consistent" with an unrelated proposition; I don't see much of a problem
> with it. Contradictions, being impossible, are logically consistent with
> everything else. I guess unprovable propositions would switch over to being
> provable, though.

Oh, I see. I read "A is consistent with B" as "A+B is consistent", but I can
see the validity of the reading "A+B is 'as consistent as' A".

------
phkahler
I found an algorithm to determine the parity (even or odd) of the number of
factors in N. Never wrote about it because IDK if it's unique, and also
because its time complexity seems poor and I never tried to prove any upper
bound or make it faster. Anyone know of something similar? Would this be
interesting?

~~~
damarquis
A fast algorithm for parity would be interesting. There is currently no better
way to compute parity than factoring N.

There is a well known hand wavy-argument that computing any function on the
prime factors of arbitrary integers should be difficult. Very roughly the idea
is that if you can compute such a function over the integers you can probably
also compute it over other rings. Applying it over certain number fields would
let you get information about the low bits of the prime factors which is
thought to be hard.

There is a bit more information given in Terence Tao's answer here:
http://mathoverflow.net/questions/3820/how-hard-is-it-to-compute-the-number-of-prime-factors-of-a-given-integer

His answer is about counting the number of distinct prime factors but I think
that it can be extended to the parity of this value as well.

~~~
phkahler
Thanks, the mathoverflow link was very informative. It's funny because I
started out computing a number that I thought would be useful for factoring N,
but it turned out that it would take one of 2 values depending if N was prime
or had 2 factors (this is easily proven). Subsequent testing via software
seemed to indicate it was actually determining the parity of the number of
primes. I believe that's what it does in general but never bothered to go any
further.

------
h3xe
> I want to replace systems like AES with ones that uses the hardness of
> factoring for their security. Systems like AES rely on intuition and
> experimental testing for their security—there is not even a conditional
> proof that they are secure.

1) You can prove symmetric crypto is secure.

2) In the light of (upcoming fast) factoring algorithms, using crypto that
relies on factoring everywhere sounds very stupid.

~~~
nhaehnle
Please point to a proof of the security of symmetric crypto if you can. Last I
checked, such a proof would have still been considered an incredible
breakthrough.

All that people are doing is showing that k rounds of cypher C can be broken,
where actual implementations use K > k rounds, and then arguing that, since
nobody has been able to break more despite a lot of effort, cypher C is
probably secure in practice. That is good evidence, but not a proof.

~~~
Groxx
One-time-use random data XOR your data = provably secure symmetric crypto,
afaik. I could try to hunt down a proof of that one. _Impractical_ , sure, but
provable.

Also afaik, others haven't been proven / can only be proven to have certain
qualities, and leave gaps which have massive real-world implication. So yeah,
I'm curious for other proofs too.

~~~
duaneb
One time pads are currently the only provable "unbreakable" encryption. The
proof is trivial.
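The one-time pad that Groxx and duaneb describe, as an added example that is not part of the original thread or of the linked post. It makes the "trivial" proof concrete: for a ciphertext of n bytes, every one of the 256^n possible plaintexts is produced by exactly one key, so a uniformly random, never-reused key leaves the ciphertext with no information about the message. It also shows the failure mode the proof's "one-time" condition exists to rule out: reusing a pad cancels the key and leaks m1 XOR m2, from which a known or guessed message recovers the other. Only the Python standard library is used; the two messages are constructed sample data, and the function names are this example's own.

```python
# Added example, not part of the original thread: the one-time pad (OTP)
# with the perfect-secrecy argument made concrete, plus the key-reuse
# failure mode.  All messages below are constructed sample data.
import itertools
import os

# Constructed sample messages of equal length (14 bytes each).
MESSAGE_A = b"attack at dawn"
MESSAGE_B = b"retreat at six"


def otp_xor(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key`.  The same operation encrypts and decrypts.

    The key must be exactly as long as the data: a shorter key that is
    repeated or stretched is no longer a one-time pad and the proof no
    longer applies.
    """
    if len(key) != len(data):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))


def otp_encrypt(message: bytes) -> tuple:
    """Encrypt under a fresh, uniformly random pad from the OS CSPRNG.

    Returns (ciphertext, key).  The key is used once and then discarded.
    """
    key = os.urandom(len(message))
    return otp_xor(message, key), key


def all_decryptions(ciphertext: bytes) -> dict:
    """Map every possible key to the plaintext it yields for `ciphertext`.

    This is the proof in miniature: key -> plaintext is a bijection, so
    every plaintext of the right length is reachable by exactly one key.
    With a uniformly random key the ciphertext therefore says nothing
    about which plaintext was sent.  Limited to short ciphertexts so the
    enumeration (256**len) stays small.
    """
    n = len(ciphertext)
    if n > 2:
        raise ValueError("exhaustive key enumeration only demonstrated for <= 2 bytes")
    return {bytes(k): otp_xor(ciphertext, bytes(k))
            for k in itertools.product(range(256), repeat=n)}


def is_perfectly_secret(ciphertext: bytes) -> bool:
    """True iff every plaintext of this length is hit by exactly one key."""
    plaintexts = list(all_decryptions(ciphertext).values())
    return len(set(plaintexts)) == len(plaintexts) == 256 ** len(ciphertext)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """What an eavesdropper learns when one pad is used twice: the key
    cancels, leaving m1 XOR m2.  No key knowledge is needed."""
    return otp_xor(c1, c2)


def recover_with_crib(c1: bytes, c2: bytes, known_m1: bytes) -> bytes:
    """Given m1 XOR m2 and a known (or guessed) m1, m2 falls out directly."""
    return otp_xor(two_time_pad_leak(c1, c2), known_m1)


if __name__ == "__main__":
    ciphertext, key = otp_encrypt(MESSAGE_A)
    assert otp_xor(ciphertext, key) == MESSAGE_A
    print("perfect secrecy on a 2-byte ciphertext:",
          is_perfectly_secret(ciphertext[:2]))

    # Reusing the pad is exactly what the "one-time" condition forbids.
    reused = os.urandom(len(MESSAGE_A))
    c1, c2 = otp_xor(MESSAGE_A, reused), otp_xor(MESSAGE_B, reused)
    print("recovered second message:", recover_with_crib(c1, c2, MESSAGE_A))
```

The bijection check is the whole proof: because XOR with a fixed ciphertext is a permutation of the key space, a uniform key gives a uniform plaintext distribution conditioned on the ciphertext. Everything else that makes the scheme impractical (a key as long as all traffic ever sent, true randomness, no reuse) is a precondition of that one line of reasoning, which is why the second half of the example is the part practitioners actually get bitten by.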

