Revision as of 14:18, 4 January 2015 edit Qwertyus (talk \| contribs) Extended confirmed users 31,640 edits actually expected and average are not the same ← Previous edit		Revision as of 05:12, 26 May 2015 edit undo 2401:fa00:9:1:e120:5ac0:28c0:f770 (talk) →Cryptography: Factoring integers is not known to be NP hard. Next edit →
Line 75: For most problems, average-case complexity analysis is undertaken to find efficient algorithms for a problem that is considered difficult in the worst-case. In cryptographic applications, however, the opposite is true: the worst-case complexity is irrelevant; we instead want a guarantee that the average-case complexity of every algorithm which "breaks" the cryptographic scheme is inefficient.<ref name="katz07">J. Katz and Y. Lindell, Introduction to Modern Cryptography (Chapman and Hall/Crc Cryptography and Network Security Series), Chapman and Hall/CRC, 2007.</ref> Thus, all secure cryptographic schemes rely on the existence of [[one-way functions]].<ref name="bog06"/> Although the existence of one-way functions is still an open problem, many candidate one-way functions are based on ~~NP-~~hard problems such as [[integer factorization]] or computing the [[discrete log]]. Note that it is not desirable for the candidate function to be NP-complete since this would only guarantee that there is likely no efficient algorithm for solving the problem in the worst case; what we actually want is a guarantee that no efficient algorithm can solve the problem over random inputs (i.e. the average case). In fact, both the integer factorization and discrete log problems are in NP ∩ [[coNP]], and are therefore not believed to be NP-complete.<ref name="ab09"/> The fact that all of cryptography is predicated on the existence of average-case intractable problems in NP is one of the primary motivations for studying average-case complexity. ==Other results==

Average-case complexity: Difference between revisions