
Mathematicians Seal Loophole to Breaking RSA Encryption - chmaynard
https://www.quantamagazine.org/mathematicians-seal-back-door-to-breaking-rsa-encryption-20181217/
======
wbhart
The title and the article are severely misleading. One can easily try the
method described in the article and find that empirically, it doesn't work for
large numbers. That implies that no one is seriously taking such a naive
approach. You don't need a mathematical proof either way to know this.

But even so, the paper doesn't show that all polynomials are irreducible. It
doesn't even show most are, just ones of a very special form (with 0 and 1
coefficients, randomly chosen in a certain way). Therefore, the paper doesn't
rule out other kinds of polynomials, even if this were a serious approach.

Furthermore, even if the paper showed that all kinds of polynomials were
almost always irreducible, that wouldn't rule out the existence of a very
clever algorithm for writing the integers as values of polynomials that aren't
irreducible.

Consider the following analogy: there are exceedingly many possible prime
factors of 6000 digit numbers; far too many to practically test them all one
after the other. I can produce a mathematical proof that shows that I'll never
test primality of a 6000 digit number by trying all possible prime factors in
order. But that doesn't prevent the existence of algorithms that can quite
quickly tell you whether the number is prime or composite (such algorithms
actually exist). Just because something looks hard or it can be proven that
some naive approach is computationally infeasible, doesn't mean there isn't a
very clever algorithm that makes it easy.

The authors of the actual math paper really asked for any unwanted attention
they get from this news article, though. They actually give the integer
factorisation problem as a motivation in their paper!

------
segfaultbuserr
This is the actual paper.

[https://arxiv.org/abs/1810.13360](https://arxiv.org/abs/1810.13360)

It's worth noticing that the Riemann Hypothesis is assumed in the proof. As a
layman, I think it means the proof merely gives us more _confidence_ about the
difficulty of integer factorization. But integer factorization itself still
remains an open question.

> _Abstract. We consider random polynomials with independent identically
> distributed coefficients with a fixed law. Assuming the Riemann hypothesis
> for Dedekind zeta functions, we prove that such polynomials are irreducible
> and their Galois groups contain the alternating group with high probability
> as the degree goes to infinity. This settles a conjecture of Odlyzko and
> Poonen conditionally on RH for Dedekind zeta functions._

Page 2, _Section 1.1, Motivation_ has a summary.

> _Beyond its intrinsic interest, the problem of irreducibility of random
> polynomials of high degree is motivated by some other problems, which we now
> briefly discuss. It is believed to be computationally difficult to determine
> the prime factorization of integers. On the other hand, polynomial time
> algorithms are known for computing the factorization of polynomials in Z[x].
> Given an integer N ∈ Z_{>0}, we can write it as N=P(2) for a unique
> polynomial P with 0,1-coefficients. By computing the factorization of P in
> Z[x] and evaluating the factors at 2, we can obtain a factorization of N._

> _The only weakness of this approach is that the polynomial P may be
> irreducible and thus the factorization of N obtained may be trivial. The
> problem we study in this paper thus asks for the probability that this
> procedure returns only a trivial factorization. Therefore, it is desirable
> to have results, such as those of this paper, proving that this probability
> converges to 1 very fast. We will discuss our method in Section 1.3. The
> method links the problem of irreducibility of random polynomials with mixing
> times of certain Markov chains, which are "mod p" analogues of the Bernoulli
> convolutions we had studied in earlier work._

> _In this paper, we use results available for the Markov chains to study
> random polynomials, but this can be reversed. In particular, in a
> forthcoming paper, we will use the results of this paper to obtain new
> results about the Markov chains. Our results on irreducibility assume the
> Riemann hypothesis for Dedekind zeta functions, or at least some information
> on the zeros. In our last theorem, Theorem 7, we show that conversely
> irreducibility of random polynomials has (modest) implications about the
> zeros of Dedekind zeta functions._

~~~
throwawaymath
There are a huge number of proofs published every year which assume the
Riemann Hypothesis. So while you're technically correct that this only gives
us _confidence_ , it does significantly reduce our uncertainty and
compartmentalize it to the Riemann Hypothesis.

That's really what assuming the Riemann Hypothesis is useful for in modern
mathematics. You can obtain new results for a wide variety of things using the
following routine:

1. Assume the Riemann Hypothesis is true and attempt to prove your theorem.

2. Now assume the Riemann Hypothesis is false and attempt to prove the same
theorem.

If you were only able to prove your theorem under one of those conditions, you
have a nice result. If you were able to prove the theorem under one condition
and disprove it under the other condition, you've got a _great_ result (see
the list of things which are equivalent to Riemann). And of course, you might
find that you've proven or disproven the theorem for both conditions, which is
still good.

~~~
segfaultbuserr
Thanks for your excellent explanation.

------
jcranberry
> _The mathematicians Emmanuel Breuillard and Péter Varjú of the University of
> Cambridge proved that as polynomials with only 0 and 1 as coefficients get
> longer, they’re less and less likely to be factorable at all._

...

> _Breuillard and Varjú proved that it’s nearly impossible to find polynomials
> of that length that can be factored._

Can someone provide a link to the paper? I'm assuming that what they proved is
that (my math is rusty, so what I'm saying may be incorrect) solving
polynomials of a single variable with all coefficients either 1 or 0 becomes
prohibitively difficult as the degree increases, which is what I'm getting
from the second comment, not that the frequency of irreducible polynomials
increases, which is what I get from the first quote.

~~~
segfaultbuserr
[https://arxiv.org/abs/1810.13360](https://arxiv.org/abs/1810.13360)

~~~
jcranberry
Thanks...looks like I was wrong.

------
jmount
The idea of writing A in binary and forming the 0/1 polynomial such that p(2)
= A is nifty. Then if you factor p(x) into two polynomials with integer
coefficients u(x)v(x), then u(2) and v(2) are divisors of A, so if neither of
them is equal to ±1 you have found something. Assuming it is easy to factor
the polynomials.

Factoring polynomials is somewhat easy, but you have to specify factoring into
what.

The terminology needs a little clean-up. By the fundamental theorem of algebra
we know every polynomial over the reals factors into a product of polynomials
of degree no more than 2. So they probably don't mean factoring/primality in
general but a definition of factoring into square-free polynomials. Factoring
into square-free polynomials is easy as if q(x)*q(x) divides into p(x) then it
also divides into p'(x) (the derivative of p(x) with respect to x) and
therefore divides into gcd(p(x), p'(x)). And the gcd() will have integer
coefficients and be degree less than p(x) (so not equal to p(x) and degree >=
q(x), so if q(x) is non-trivial it forces something nice to happen; even if
you don't know what q(x) is).

~~~
WhiteSage
You want the coefficients of the factors to be integers. That is why you can
very seldom factor them.

------
smartbit
Can we now safely use RSA keys of length 2048? Or is it still advised to only
use 4096-bit keys?

This notwithstanding that ED25519 is preferred above RSA, e.g. OpenSSH has
supported Curve25519 for 5 years and _it is the default when both the client
and server support it_
[https://www.openssh.com/txt/release-6.5](https://www.openssh.com/txt/release-6.5)

~~~
wbhart
No. This proof says nothing about the security of RSA. I don't know anyone
seriously trying to break RSA by factoring polynomials. It's pretty easy to
test a bunch of random polynomials and pretty quickly find that this just
isn't going to work. You don't need a proof to know this empirically, which is
why it isn't a serious attack.

Even if most polynomials were irreducible, which this work doesn't show, that
wouldn't rule out having a method that cleverly, but efficiently writes the
numbers as polynomials that aren't irreducible.

Also, according to the article, the result is only for polynomials with 0 or 1
coefficients, which aren't the only polynomials, obviously!

------
throwawaymath
I dislike that Quanta used the term "Back Door" in their headline. That has a
pretty specific meaning in information security generally and cryptography
particularly. This was not a back door.

The tl;dr: it was conjectured that a more feasible method of factoring large
numbers might exist by finding their unique polynomial representation.
Polynomials are more quickly factored than integers, and to every integer
there corresponds a unique polynomial per the fundamental theorem of algebra.

But that method doesn't actually work, because as polynomials get larger they
become commensurately more difficult to factor. In other words, it is as or
more difficult to find the polynomial you'd want than it is to just find the
prime factors for any given RSA semiprime.

This is a neat result, but nothing is changing for RSA.

~~~
segfaultbuserr
To people with some infosec knowledge, the poor choice of the word "backdoor"
sounds as if the article is about importing an asymmetric backdoor to RSA
encryption, which is not the case. If the author wants to have a casual style
of writing, I think "loophole" could be used.

~~~
throwawaymath
Agreed. "Loophole" would have been a particularly better choice of
terminology. RSA has never had a "back door" in the sense of, e.g.,
DUAL_EC_DRBG.

------
TheRealPomax
This is textbook scientific clickbait. Catchy title, then an article that says
nothing other than affirming the status quo, while then making a claim that
demonstrates the title was a clickbait title.

"mathematicians show that the longer the input, the less likely it is that
input can be factored" is the literal reason we use longer and longer keys as
time goes on.

Shame on this author. These mathematicians did some nice work, and yet the
author felt the need to sell snake oil based on it.

~~~
smadge
I don’t understand your anger. The conclusion is that it was previously
empirically believed to be the case but logically unproven that these
polynomial representations of integers were unlikely to be factorable. If I
understand this article correctly, it is now logically proven, shutting the
door on that particular attack.

~~~
TheRealPomax
But it _doesn't_ shut the door: it leaves the door exactly where it already
was. It was the case that to make it harder to crack, you make the number
bigger. The proof shows that, yes, even if you try the polynomial trick,
you're still bound to that limitation: the longer the polynomial, the less
likely you'll find a factorisation.

But that proof doesn't change anything. It's a good proof, and the author
abuses it to make a claim that cannot be made. No doors have been shut, the
status is still quo. Except the author got some ad revenue for writing a
clickbaity article that made it onto hacker news.

------
dannykwells
Can anyone provide a deeper (Algebraic? Number theoretical?) explanation of
the polynomial/prime connection? I'd never heard of it before and it's
interesting.

~~~
pdpi
The way positional number systems work, each position corresponds to a power
of the base — e.g. 415 = 4 * 10^2 + 1 * 10^1 + 5 * 10^0. A slightly more
complicated way to say this is 415 = 4 * x^2 + 1 * x^1 + 5, where x = 10.
Ignore the x = 10 part for a bit, this is your polynomial. You can factor this
polynomial normally without changing the fact that substituting x = 10 yields
the original number. Because of this, it follows that the factors of the
polynomial must also be divisors of the original number when you substitute
the variable for the appropriate value!
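A worked version of the trick pdpi describes above (binary digits as the coefficients of a polynomial, factors of the polynomial giving divisors of the integer) combined with the gcd(p, p') square-free shortcut jmount mentions earlier in the thread. This is an added example, not code from any commenter or from the paper; it uses only the standard library with a hand-rolled rational polynomial gcd, and it only finds a divisor when the 0/1 polynomial has a repeated factor, which is the case the shortcut can detect without a full factorisation.

```python
from fractions import Fraction
from functools import reduce
from math import gcd as igcd

def to_poly(n):
    """Binary digits of n as a 0/1 coefficient list, lowest degree first, so evaluate(p, 2) == n."""
    return [(n >> i) & 1 for i in range(n.bit_length())]

def evaluate(p, x):
    """Substitute x back into the polynomial (x = 2 recovers the original integer)."""
    return sum(c * x ** i for i, c in enumerate(p))

def derivative(p):
    return [i * c for i, c in enumerate(p)][1:]

def strip(p):
    """Drop trailing zero coefficients in place and return p."""
    while p and p[-1] == 0:
        p.pop()
    return p

def poly_mod(a, b):
    """Remainder of a divided by b over the rationals (b must be non-zero)."""
    a = strip([Fraction(c) for c in a])
    while len(a) >= len(b):
        coef, shift = a[-1] / b[-1], len(a) - len(b)
        for i, c in enumerate(b):
            a[i + shift] -= coef * c
        strip(a)
    return a

def poly_gcd(a, b):
    a = strip([Fraction(c) for c in a])
    b = strip([Fraction(c) for c in b])
    while b:
        a, b = b, poly_mod(a, b)
    return a

def primitive_part(p):
    """Scale a rational polynomial to integer coefficients with content 1 and positive leading term."""
    if not p:
        return []
    lcm = reduce(lambda x, y: x * y // igcd(x, y), (c.denominator for c in p), 1)
    ints = [int(c * lcm) for c in p]
    g = reduce(igcd, ints)
    ints = [c // g for c in ints]
    return [-c for c in ints] if ints[-1] < 0 else ints

def divisor_from_square_part(n):
    """If q(x)^2 divides p(x) then q divides gcd(p, p'), so q(2) divides n.
    Returns that divisor, or None when gcd(p, p') is constant (p is square-free)."""
    p = to_poly(n)
    g = primitive_part(poly_gcd(p, derivative(p)))
    return evaluate(g, 2) if len(g) >= 2 else None
```

Run on 27 it returns 3, because 27 = 1 + 2 + 2^3 + 2^4 and x^4 + x^3 + x + 1 = (x+1)^2 (x^2 - x + 1); on 15 the polynomial x^3 + x^2 + x + 1 = (x+1)(x^2+1) is square-free and it returns None.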

~~~
amelius
But why is it useful to turn the base of the number system into a variable?
Why go through polynomials when you can factor integers directly?

~~~
pdpi
Because factoring integers is notoriously hard (which is why RSA is safe), but
factoring polynomials is easier, and factoring a polynomial results in finding
a divisor for the corresponding integer. Crucially, this relationship is not
symmetrical — compound polynomial guarantees compound number, but compound
number doesn't guarantee compound polynomial — so the open question was: how
often can you use this trick to make breaking RSA easier. What this result
proves is that the attack is highly unlikely to work.

