During the first six thousand years—until the invention of public key in the 1970s—the mathematics used in cryptography was generally not very interesting. Well into the twentieth century cryptographers had little use for any of the concepts that were at the cutting edge of mathematics. Indeed, mathematicians looking at cryptography in those years might have found justification for Paul Halmos’ infamous title “Applied Mathematics Is Bad Mathematics.”

There were some exceptions. In the 1940s Alan Turing, the father of computer science, worked extensively in cryptography and, in particular, showed how to use sophisticated statistical techniques to crack a code; and Claude Shannon, the father of information theory, worked on the foundations of cryptography.

In the same decade G. H. Hardy wrote in A Mathematician’s Apology that “both Gauss and lesser mathematicians may be justified in rejoicing that there is one science [number theory] at any rate, and that their own, whose very remoteness from ordinary human activities should keep it gentle and clean.” In Hardy’s day most applications of mathematics were military, and as a pacifist he was pleased that number theory was studied not for its practical uses, but only for its intrinsic aesthetic appeal.

This image of number theory as “gentle and clean” took a big hit in 1977 when three computer scientists at the Massachusetts Institute of Technology—Ron Rivest, Adi Shamir, and Len Adleman—invented a radically new cryptographic system. An article in Scientific American by Martin Gardner described the RSA idea, explained its significance, and caused a sudden upsurge in popular interest in both cryptography and number theory.

In those years RSA was the most important way to achieve what came to be called “public key cryptography”. Earlier systems for scrambling messages worked well in military or diplomatic applications, where there was a fixed hierarchy of people who were authorized to know the secret keys. But by the 1970s, with large sections of the economy rapidly becoming computerized, the limitations of classical cryptography were coming to the fore. For example, suppose that a large network of banks wants to be able to exchange encrypted messages authorizing money transfers. In traditional cryptography any pair of banks must have its own secret set of keys that they agree on and exchange using a trusted courier. The number of possible pairs of banks could easily be in the hundreds of millions. So the earlier type of cryptography, called “private key” (or “symmetric key”), becomes extremely unwieldy.

In public key cryptography, the key needed to scramble a message is public information. Each user of the system (for example, each bank) has its own public key, which is listed in a directory much like someone’s phone number. Anybody can encrypt a message using the public key. However, the unscrambling process requires knowledge of a totally different key, which the user keeps secret.

The procedure for scrambling a message is called a “trapdoor one-way function”. This means that once we look up the bank’s public key it is computationally easy (with the help of a computer) for us to send it an encrypted message. If, however,

Neal Koblitz is professor of mathematics at the University of Washington, Seattle. His email address is koblitz@math.washington.edu.

This article is based on an Invited Address given at the AMS meeting at the Stevens Institute of Technology in Hoboken, NJ, on April 14, 2007. Parts of it are taken from the cryptography chapter of his forthcoming book Random Curves: Journeys of a Mathematician, to be published by Springer-Verlag.
elite of narrow specialists is likely to understand in detail or raise doubts about. That is, a “proof” is something that a non-specialist does not expect to really have to read and think about. The word “argument”, which we prefer here, has very different connotations. An “argument” is something that should be broadly accessible. And even a reasonably convincing argument is not assumed to be 100% definitive. In contrast to a “proof of a theorem”, an “argument supporting a claim” suggests something that any well-educated person can try to understand and perhaps question.

Menezes and I also investigated some subtler problems of interpretation of provable security results. Even when the proofs are correct, they often mask a big “tightness” gap. This means that in the reduction argument the attack on the protocol must be repeated millions of times in order to solve the hard computational problem. In this case the practical guarantee that one gets is very weak. Menezes found some extreme examples of this “nontightness” problem in a few well-known papers on random number generators. In one paper it turned out that, if you carefully follow the authors’ argument with recommended parameter values, all they’ve really proven is that an attacker would need time at least 10^−40 nanoseconds to break the system. That’s much less time than it takes light to travel a micron.

What had happened was that people had made recommendations for parameter values that were based on an asymptotic theorem. That theorem said that in the limit as N approaches infinity, you can securely generate O(log log N) pseudorandom bits each time you perform a squaring modulo the composite number N. (Here “securely” means, roughly speaking, that no one can distinguish between the sequence and a truly random one by an algorithm that runs in reasonable time.) However, as I mentioned when discussing Joe Silverman’s xedni calculus, it is fallacious to use an asymptotic result as a practical guarantee of security. Rather, one needs to perform a detailed analysis using realistic ranges for the parameters. It is often a lot harder (as it was for xedni) to carry out this concrete analysis than to prove the asymptotic

The story of our first paper on “provable security” has an amusing postscript. Just before it was due to appear in J. Cryptology—and almost two years after it was accepted for publication—a member of the editorial board objected strongly to its acceptance by the journal. Although it was too late for him to block publication, the editor-in-chief was sufficiently worried that he wrote an unprecedented Editor’s Note at the beginning of the January 2007 issue in which he justified his decision to go ahead with publication.

The editorial board member who objected to our article was Oded Goldreich of the Weizmann Institute, who is one of Israel’s leading computer scientists and a top name (some would say the top name) in theoretical cryptography. When he was unable to prevent our article from appearing in J. Cryptology, he posted on the cryptography eprint server a 12-page essay titled “On Post-Modern Cryptography” that lashed out at us on philosophical grounds. (See http://eprint.iacr.org/2006/461.) He accused Menezes and me of being “post-modern” and “reactionary” because our criticisms of provable security “play to the hands of the opponents of progress.”

The part of our paper that seems to have incensed Goldreich the most was our explanation of why we were not persuaded by certain arguments that he and others had made in order to undermine the so-called “random oracle” assumption. The random oracle assumption relates to what are called “hash functions” (short strings of symbols that act as a sort of “fingerprint” of a message). This assumption essentially says that the fingerprint that a well-constructed hash function gives is in practice indistinguishable from a random string of symbols. This is an intuitively reasonable assumption, and in our paper we argued that all attempts to undermine it—even ones that the authors claimed to be of practical relevance—in fact use constructions that violate basic cryptographic principles and so have no relation to real-world cryptography. We concluded our discussion by saying that “our confidence in the random oracle assumption is unshaken.”

Goldreich responded to this by bringing down the wrath of the Old Testament upon us. Accusing us of turning the random oracle into a “fetish”, he recounted a story from the Bible that our paper reminded him of (in what follows I’ve preserved