views:

124

answers:

4

Hi,

I realize this question might not be that programming related, and that it by many will sound like a silly question due to the intuitive logical fault of this idéa.

My question is: is it provable impossible to construct a cryptographic scheme (implementable with a turing-complete programming language) where the encrypted data can be decrypted, without exposing a decryption key to the decrypting party?

Of course, I can see the intuitive logical fault to such a scheme, but as so often with formal logic and math, a formal proof have to be constructed before assuming such a statement. Is such a proof present, or can it easely be constructed?

Thank you for advice on this one!

Edit: Thank you all for valuable input to this discussion!

A: 

No; but I'm not sure you're asking what you want to be asking.

Obviously any person who is decrypting something (i.e. using a decryption key) must, obviously, have the key, otherwise they aren't decrypting it.

Are you asking about RSA, which has different keys for decrypting and encrypting? Or are you asking about a system where you may get a different (valid) result, based on the key you use?

Noon Silk
"different (valid) result, based on the key you use" I'm pretty sure I saw something like that with one-time pads; those have their own set of problems though (notably that they're __one__ time pads; also key length and distribution).
Piskvor
Piskvor: Exactly, OTP is unbreakable, because essentially the key *is* the resulting plaintext :P
Noon Silk
A: 

Yes.

Proof: Encryption can be considered as a black box, so you get an input and an output and you have no idea how the black box transforms the input to get the output.

To reverse engineer the black box, you "simply" need to enumerate all possible Turing machines until one of them does produce the same result as the one you seek.

The same applies when you want to reverse the encryption.

Granted, this will take much more time than the universe will probably live, but it's not impossible that the algorithm will find a match before time runs out.

In practice, the question is how to efficiently find the key that will decode the output. This is a much smaller problem (since you already know the algorithm).

Aaron Digulla
No, you're wrong, because without the key (or plaintext) you cannot determine if the result you get is valid.
Noon Silk
That it produces the 'same result' for a given output doesn't mean it is the same machine. I'm pretty sure it is in general undecidable whether 2 Turing machines do the same thing.
Greg
@silky: that is left as an exercise to the reader ;)
Piskvor
@silky: True, you need to know something about the input to know whether the decoding worked. But knowing that it is English text is usually enough to write an automated verifyer.
Aaron Digulla
@Greg: Several machines can produce the same output, so they are equivalent as far as we care here.
Aaron Digulla
@Greg: And you're right in the *general* case, it's undecidable but we know which output we want, so any machine that generates the right output is "correct" for this special task.
Aaron Digulla
Agree with silky. If random-monkey decryption yields both "I hate soda" and "Vote Democrat" how do you know which cleartext is the right one?
Jason S
@Jason: Please see the RC5 project for details: http://www.distributed.net/rc5/index.php.en
Aaron Digulla
+3  A: 

YES!!! This already exists and are called zero knowledge protocols and zero knowledge proofs.

See http://en.wikipedia.org/wiki/Zero-knowledge%5Fproof

However, you have to have a quite a good background in mathematics and crypto to understand the way it works and why it works.

One example of a zero knowledge protocol is Schnorr's ZK protocol

Henri
caveat: "Zero-knowledge proofs are not proofs in the mathematical sense of the term because there is some small probability, the soundness error, that a cheating prover will be able to convince the verifier of a false statement. In other words, they are probabilistic rather than deterministic. However, there are techniques to decrease the soundness error to negligibly small values."
Piskvor
IMHO this is something else; but if it helps the OP, all the better :)
Noon Silk
@siliy, yeah ... we get slightly too much backfeed on the downvote side. I am sure you helped op, we could mention keystores as well, but there is for the most part no total solution that can attain achievement for op. That's not what op asked for. ( note folks, I said slightly ) If this is not what op asked for ( something else ) may I suggest the only thing I can think of is that there is no final solution to key management, unless we talk about happy-land concepts like trust.
Nicholas Jordan
+1  A: 

If by "decrypted" you just mean arrive at the clear text in some way, then it is certainly possible to create such a cryptographic scheme. In fact it already exists:

Take an asymmetric encryption scheme, eg: RSA where you have the public key but not the private key. Now we get a message that's been encrypted with the public key (and therefore needs the private key to decrypt it). We can get the original message by "brute force" (yes, this'll take an enormously long time given a reasonable key/block size) going through all possible candidates and encrypting them ourselves until we get the same encrypted text. Once we get the same encrypted text we know what the decrypted text would be without ever having discovered the private key.

Laurence Gonsalves