1
$\begingroup$

I've heard differing opinions/statements of fact from different professors and sources as to whether cracking RSA is "thought" to be in NP, or known to be an NP-complete problem. Can anyone shed light on this discrepancy? which is it, or do we know?

  • 0
    Please read the [FAQ](http://cstheory.stackexchange.com/faq) to understand the scope of cstheory. I am closing the question as off-topic and migrating to Math.SE.2011-08-16

1 Answers 1

10

Proving that breaking any cryptosystem is $\mathsf{NP}$-complete would be a great achievement in cryptography, since $\mathsf{P} \neq \mathsf{NP}$ is probably the most "standard" hardness assumption around. For the case of RSA, security of the system is based on hardness of the integer factorization problem. This problem lies in the intersection of $\mathsf{NP}$ and $\mathsf{coNP}$, and is thus unlikely to be $\mathsf{NP}$-complete. However, it's obviously in $\mathsf{NP}$ (just guess the private key, and decrypt).

  • 1
    There have been a number of non-number-theoretical attempts on NP-complete cryptosystems too (for instance, systems based on the knapsack problem), but all of those have had specialized constructions that turn out to yield non-NP-complete versions of the appropriate problem. $I$n fact, proving the secureness of an encryption scheme (more specifically, proving the existence of one-way functions) is even harder than proving the P-NP separation, since IIRC there are worlds where P is inequal to NP but one-way functions don't exist.2011-08-16