
I expected to find answers along the lines of quantum-computing insight into attacking AES; however, answers on this question aren't applicable because "Quantum computers give a quadratic speedup on a (sic) general search problems".

Let us suppose the very worst case: $\mathsf{P} = \mathsf{NP}$ by constructive proof. Therefore, 3-SAT and direct polynomial attacks on AES and all other standard-model symmetric ciphers.

How do we construct something that takes a serious attack to break besides using ECB and sending one block per key? Do quantum-proof symmetric ciphers with properties other than those of the one-time pad actually exist?

I think I can prove that if you use any kind of MAC other than polynomial evaluation MAC (or something else with its characteristic deniability) your cipher must fail.

I can prove that ciphered random data is possible because you can't break ECB over random data, but that proof is useless.

I am aware of the implausibility of ending up in this world of $\mathsf{P} = \mathsf{NP}$. I am also aware of this old post describing very good reasons why $\mathsf{P} \stackrel{?}{=} \mathsf{NP}$ is a poor model for breakability. I am interested in this problem because I am reasonably certain that any solution must use an encryption method that is, of itself, deniable.

The one-time pad has this property; however, I'd rather have an answer that offers something less unwieldy, if possible.

Mahesh S R
Joshua

2 Answers


An important thing to note is that $\mathsf{P} = \mathsf{NP}$ would not fundamentally threaten cryptography - even theoretical cryptography. What it would imply, as mentioned by Meir Maor in his answer, is that there is no one-way function, which means essentially no "traditional" cryptography.

However, one-way functions, and most of cryptography, are theoretically defined as requiring a superpolynomial gap between the best attack and the honest use of the algorithms. Still, if tomorrow you prove $\mathsf{P} = \mathsf{NP}$, there can still exist functions which take time $n$ to compute, but time $n^{10}$ to invert. This would not at all contradict $\mathsf{P} = \mathsf{NP}$. It would however suffice for all practical purposes: take $N = 2^{10}$, then evaluating your function takes $2^{10}$ steps, while inverting it takes $2^{100}$ steps. That security margin is good enough for most uses.

Such one-way functions, where the gap between evaluation and inversion is a fixed polynomial instead of superpolynomial, are called fine-grained one-way functions. They are an emerging subject of study in cryptography (see e.g. this recent paper), mainly because they can in theory be built from weaker assumptions than those known to imply standard OWF (even though exhibiting such a fine-grained OWF from a generic, well-studied assumption which is not believed to imply OWF remains, as of today, an open problem). They can be used to construct fine-grained pseudorandom generators and stream ciphers.

It does not seem absurd that, in the event that we prove $\mathsf{P} = \mathsf{NP}$, our best attack on AES would still require $n^{10}$ steps. In this case, after some appropriate key-size adjustments, everyone would just keep on using the good old AES, as if nothing had ever happened, and theoretical cryptographers would replace "assume this OWF takes $\mathsf{superpoly}(n)$ steps to break" by "assume this OWF takes $n^{10}$ steps to break".

Geoffroy Couteau


If $\mathsf{P} = \mathsf{NP}$, then there are no one-way functions, there are no trapdoor one-way functions, and essentially no cryptography.

If $\mathsf{P} = \mathsf{NP}$, it means verifying a key and finding the key are equally hard (up to a polynomial reduction). So one-time pads still work; they are information-theoretically secure and don't rely on computational difficulty. But all encryption, symmetric or not, hashing, etc., becomes insecure.

Practically, quantum key exchange may save us: it will allow a non-cryptographic secure channel for sharing key material and then allow a one-time pad.

It is worth noting that it is possible we live in a cryptography dystopia even if $\mathsf{P}$ does not equal $\mathsf{NP}$. We do not know whether one-way functions exist; they may not exist, even if $\mathsf{P} \neq \mathsf{NP}$.

Mahesh S R
Meir Maor