
Factoring may be easier than we think - vinchuco
http://math.mit.edu/~cohn/Thoughts/factoring.html
======
sunstone
You can be sure that our numerate friends at the NSA have spent some quality
time trying to find an efficient factoring algorithm over the past few
decades.

As they are still so keen on controlling encryption we can assume with good
confidence that so far they have failed. And given the stakes it's really not
likely to be the possibly untested problem that this author speculates about.

~~~
davidwihl
In 1996 I asked Robert Morris Sr if he was worried that so much crypto was
dependent upon factorization. "Worried? I'm not worried, but I can tell you
that if US Military lives are at stake, we don't use algorithms that depend on
factorization."

From that I would infer and speculate that the NSA found a pragmatic solution
to factorization long ago.

~~~
oconnor0
What are the other options?

~~~
gnarbarian
One time pad.

~~~
w8rbt
One time pads are still used by governments. They can easily control the hard
parts (secure pad distribution and operational procedure).

------
eschutte2
In addition to which, of those 100, some of the ones with the strongest
incentive to crack factoring work for places with a strong disincentive to
publish their results.

EDIT: Missed the sentence in the article where this is hinted at.

------
tokenadult
"Of course, I have no real evidence for my views; if I had any good ideas for
factoring, I'd be working on them instead of writing this. On the other hand,
the people who talk about the great difficulty of factoring have equally
little evidence. The net result is that it's reasonable to hope that factoring
is difficult, but you should regard that as a provisional hypothesis rather
than a certainty."

I see the article kindly submitted here is the equivalent of an amateur blog
post, just a note posted to one personal webpage that happens to be served up
by the MIT server. This is a case when the Hacker News protocol for displaying
a domain for the submitted article was misleading rather than helpful. The
author is gainfully employed and highly educated in related disciplines,

[http://math.mit.edu/~cohn/](http://math.mit.edu/~cohn/)

but he hasn't worked for a long time in this aspect of number theory, so the
note is just thinking out loud, nothing more.

~~~
Cieplak
> _but he hasn't worked for a long time in this aspect of number theory, so
> the note is just thinking out loud, nothing more._

Dismissing his ideas because of his lack of credentials? How many software
stories are upvoted despite their authors lacking PhDs in computer science?

> _the Hacker News protocol for displaying a domain for the submitted article
> was misleading rather than helpful_

Dr. Cohn is a professor at MIT in the department of mathematics.

------
ajamesm
This article makes it seem so easy to leap in and take a crack at it, but it
seems like Step One is to either not value your own autonomy or to not rely on
a wage.

I'm not a professional mathematician (recreational learner, at best) and part
of the reason I didn't pursue a career of interesting problems like this is
because I don't want to do so as a cog in academia or a spook at the NSA.

Am I wrong? Are there people who've had experiences that contradict my cynical
perceptions?

~~~
Paul-ish
I think you are, in fact, being cynical. Every year I see articles stating
that mathematician is the happiest/best paid career.

[http://blogs.wsj.com/atwork/2014/04/15/best-jobs-of-2014-con...](http://blogs.wsj.com/atwork/2014/04/15/best-jobs-of-2014-congratulations-mathematicians/)

[http://www.npr.org/templates/story/story.php?storyId=1001428...](http://www.npr.org/templates/story/story.php?storyId=100142849)

~~~
pavel_lishin
Does that NPR job survey count people who tried their hand at being
mathematicians, and hated it so much that they quit, or were unable to find
jobs as mathematicians?

~~~
vinchuco
... are you trying your hand at being a mathematician by asking that question?
:)

~~~
pavel_lishin
Comment for the job you want, not the job you have!

------
eximius
He's not wrong, but that doesn't make him right.

~~~
Animats
He makes the good point that factoring is already below exponential time, and
there's been progress over the years in speeding it up. Even if someone
doesn't develop a polynomial time algorithm, there still could be substantial
progress.

There's also the possibility of new algorithms which are fast for some
products of two primes, but not all. There are lots of problems, such as
linear programming, where the worst case is exponential but the average case
is far faster. Even something that allowed easy factoring of only 1% of
products of two primes would be useful to an attacker.

~~~
eximius
I'm not too terribly worried. There are enough efforts to look for post-
quantum crypto algorithms that I think by the time we come up with something
that actually threatens factoring, we'll have alternatives.

If quantum stuff comes first, then we can go to lattice based systems (which
are the leading candidate as far as I know - please correct me otherwise, I am
familiar with lattice based systems but have not done research for a better
base).

If factoring is solved first, we can stick with elliptic curves.

~~~
coldtea
> _I'm not too terribly worried. There are enough efforts to look for post-
> quantum crypto algorithms that I think by the time we come up with something
> that actually threatens factoring, we'll have alternatives._

That's hardly a consolation, since all that we've encrypted and shared until
then will be trivial to break as long as people have them in encrypted form
(which is very easy to do).

~~~
eximius
That is sort of inevitable, I think. Best case, it is never broken and we
never get quantum computers, but I hope that doesn't come to pass.

So the next best case is that most of the details recovered by such breakage
are irrelevant to those still alive. I think that's far more likely anyway.

------
tptacek
A reason, and not the best one, to stop using RSA and conventional DH and
switch to elliptic curves.

~~~
pbsd
The argument laid out by Cohn also works against elliptic curves: the discrete
log is not NP-hard either, and if anything even fewer people have tried to
attack it than factorization (according to Cohn, subexponential factorization
only happened in the 1970s, after centuries of trying; elliptic curves are not
that old). Some lattice problems, on the other hand, are known to be NP-hard.
What does this tell us about their worthiness as cryptographic problems? Not a
lot.

~~~
tptacek
Which do you think is going to happen first: progress against RSA that
plausibly threatens 2048 (or 3072) bit keys, or progress against ECC that
plausibly threatens Curve25519?

~~~
asd999101
I think progress against ECC happens first. Because quantum computers exist.
I'm not sure how large a problem they can work on yet.

ECC is used with smaller bit lengths which makes it easier to get a sufficient
quantum computer.

Of course I may have a fundamental misunderstanding here, and if so, I'd love
to be enlightened.

~~~
tptacek
Quantum computing confuses every thread about RSA and ECC.

Shor threatens RSA _and_ ECC. Neither RSA nor ECC is considered a post-quantum
scheme. If quantum computing is really your threat model, you want to be
doing what Google did: run both a pre-quantum and a post-quantum key exchange
and mix the results with a KDF.

Which post-quantum approach you choose, I don't care. (I'm a quantum computing
skeptic).

What you _do not_ want to do is build a cryptosystem using _solely_ a post-
quantum key exchange algorithm, or, even worse, try to build a cryptosystem
without any asymmetric key exchange at all. In both cases, implementation
errors --- some of which, in the latter case, are probably inevitable --- will
doom your system immediately.
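The "run both and mix the results with a KDF" construction from the comment above, as an added example written for this page (not code from any commenter, and not Google's implementation; their 2016 CECPQ1 experiment paired X25519 with the NewHope lattice scheme). The two shared secrets are constructed stand-ins for the classical and post-quantum key-exchange outputs; the HKDF is RFC 5869 over SHA-256 built from the standard library. Each secret is length-prefixed before concatenation so that a variable-length secret cannot shift bytes into its neighbour, and the handshake transcript is bound through the `info` argument, which is an assumption about the surrounding protocol rather than anything the thread specifies.

```python
"""Hybrid key-exchange combiner: derive one session key from a classical
shared secret and a post-quantum shared secret so that the key stays
secret as long as either of the two exchanges holds up.  Added example,
not from the thread; the secrets below are constructed placeholders."""
import hashlib
import hmac

HASH_LEN = hashlib.sha256().digest_size  # 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract: PRK = HMAC(salt, IKM); empty salt means HashLen zeros."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand: T(i) = HMAC(PRK, T(i-1) || info || i), OKM = T(1)||T(2)||..."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF output too long")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def _length_prefixed(secret: bytes) -> bytes:
    """Two-byte big-endian length prefix: an unambiguous encoding of the pair,
    so (ss1, ss2) and (ss1', ss2') with the same concatenation cannot collide."""
    if len(secret) > 0xFFFF:
        raise ValueError("secret too long")
    return len(secret).to_bytes(2, "big") + secret


def hybrid_session_key(ss_classical: bytes, ss_pq: bytes,
                       transcript: bytes, length: int = 32) -> bytes:
    """Mix both shared secrets through HKDF.  An attacker who learns one
    secret (say by breaking the classical exchange) still lacks the other
    half of the IKM, so the output is indistinguishable from random to them.
    'transcript' is assumed to be a hash of the handshake messages, binding
    the key to the public values actually exchanged."""
    if not ss_classical or not ss_pq:
        raise ValueError("both shared secrets must be present")
    ikm = _length_prefixed(ss_classical) + _length_prefixed(ss_pq)
    info = b"hybrid-kex-v1|" + transcript   # hypothetical label, not a standard
    return hkdf(salt=b"", ikm=ikm, info=info, length=length)


def demo() -> bytes:
    """Constructed inputs standing in for an X25519 secret, a lattice-KEM
    secret and a transcript hash.  Returns the derived session key."""
    ss_classical = hashlib.sha256(b"constructed x25519 shared secret").digest()
    ss_pq = hashlib.sha256(b"constructed lattice kem shared secret").digest()
    transcript = hashlib.sha256(b"constructed handshake transcript").digest()
    return hybrid_session_key(ss_classical, ss_pq, transcript)


if __name__ == "__main__":
    print(demo().hex())
```

The combiner is only as good as the weaker of "either exchange is secure" and "the KDF is a PRF on the combined input"; the RFC 5869 test vector in the verification below checks the second part, and the remaining checks confirm that changing either secret or the transcript changes the key.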

------
mofreek
tl;dr: I don't have any evidence this is true, but there's no counter evidence
either.

------
raverbashing
Number theory is a fascinating subject, but it's more or less like taking a
text in English and trying to make sense of the text by reading columns and
not lines.

Most factorization algorithms require you to find either a loop or a quadratic
congruence (mod n). What changes is the way they try to find these.
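An added example, not code from any commenter in this thread, serving both raverbashing's "loop or quadratic congruence" remark above and Animats' point earlier that a method which only splits some products of two primes is still a problem. Fermat's method is the quadratic-congruence route (find a with a^2 ≡ b^2 mod n) and splits a modulus almost instantly when its two primes are close together; Pollard's rho is the loop route (cycle detection on x → x^2 + c mod n). The moduli are constructed toy values, and `fermat_step_count` is the defender-side check: it measures how exposed a candidate (p, q) pair is to the close-prime case, the same property FIPS 186-4 guards with its |p − q| > 2^(nlen/2 − 100) requirement.

```python
"""Two textbook factoring strategies on toy moduli, plus a key-generation
check against the case one of them exploits.  Added example; the numbers
are constructed and far too small to say anything about real keys."""
import math


def ceil_isqrt(n: int) -> int:
    """Smallest integer a with a * a >= n."""
    a = math.isqrt(n)
    return a if a * a == n else a + 1


def fermat_factor(n: int, max_steps: int = 1_000_000):
    """Quadratic-congruence route: search for a with a^2 - n = b^2, i.e.
    a^2 == b^2 (mod n), which gives n = (a - b)(a + b).  The search starts
    at ceil(sqrt(n)) and succeeds at a = (p + q) / 2, so it is fast only
    when the factors are close together.  Returns (p, q) or None."""
    if n % 2 == 0:
        return 2, n // 2
    a = ceil_isqrt(n)
    for _ in range(max_steps):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    return None


def fermat_step_count(p: int, q: int) -> int:
    """Number of increments Fermat's method needs to split p * q (odd primes).
    Roughly (q - p)^2 / (8 sqrt(n)): primes that share many leading bits
    fall out at once, which is why key generation must enforce a large gap
    (FIPS 186-4: |p - q| > 2^(nlen/2 - 100))."""
    return (p + q) // 2 - ceil_isqrt(p * q)


def pollard_rho(n: int, seed: int = 2, max_tries: int = 20):
    """Loop route: iterate x -> x^2 + c (mod n).  Modulo each prime factor p
    the sequence becomes periodic after about sqrt(p) steps; Floyd cycle
    detection (x at single speed, y at double speed) exposes that shorter
    loop as a non-trivial gcd(x - y, n) long before the loop modulo n
    itself closes.  If the cycles modulo all factors coincide (gcd == n),
    retry with another c.  Returns a non-trivial factor or None."""
    if n < 4:
        return None
    if n % 2 == 0:
        return 2
    for c in range(1, max_tries + 1):
        x = y = seed
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d
    return None


if __name__ == "__main__":
    # Constructed toy moduli.
    print(fermat_factor(10403))            # 101 * 103: close primes, split at once
    print(fermat_step_count(101, 103))     # 0 increments needed
    print(fermat_step_count(3, 1000003))   # far-apart primes: ~5e5 increments
    print(pollard_rho(8051))               # 83 * 97 via the loop route
```

The two routes fail in different places: Fermat's search cost grows with the gap between the primes, while rho's cost grows with the size of the smallest prime, so a modulus that defeats one can still be cheap for the other. That asymmetry is the practical form of Animats' "fast for some products, not all" observation.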

------
Cieplak
The Lenstra elliptic curve factorization method is quite interesting:

[https://en.wikipedia.org/wiki/Lenstra_elliptic_curve_factori...](https://en.wikipedia.org/wiki/Lenstra_elliptic_curve_factorization)

------
nkoren
Maybe _much_ easier...

[http://blogs.discovermagazine.com/fire-in-the-mind/2013/02/2...](http://blogs.discovermagazine.com/fire-in-the-mind/2013/02/25/oliver-sacks-and-the-amazing-twins/)

...or maybe not.

------
PeterWhittaker
I truly understand neither a) why this piece of puff is on HN nor b) why it is
so highly voted.

As others have noted, _I have no real evidence for my views_. To me this is a
total WTF? The author is ignorant of the subject and like so many experts
outside their fields supposes that the field that has suddenly piqued their
interest cannot, must not, be all that complex.

Factoring some numbers is very, very easy. Factoring other numbers is
computationally hard. The consensus in the field is that there are no
shortcuts. See, e.g., [1] and [2].

[1] [http://www.cs.virginia.edu/~kam6zx/is-it-secure/the-hardness...](http://www.cs.virginia.edu/~kam6zx/is-it-secure/the-hardness-of-factoring/)

[2] [https://en.wikipedia.org/wiki/Integer_factorization](https://en.wikipedia.org/wiki/Integer_factorization)

Next, I shall write a brief article declaring that warp drive is likely far
easier than everyone thinks. Please upvote it when I submit it to HN....

