CRYPTOGRAPHY: STATE OF THE SCIENCE ASIACRYPT 2003 invited talk Adi Shamir Computer Science Dept The Weizmann Institute Israel

Cryptography: major trends

u From secret to public

Cryptography is central crypto Math& stat Computers and chips Com&info theory Comp science Hi-tech industry Policy issues

Cryptography is fun u Gets lots of media attention u Attracts hackers u Is full of delightful ideas u Serves as an excellent educational tool

Cryptography: major trends u From secret to public u From national to international

The geography of cryptography u Publicly started in the US

The geography of cryptography u Publicly started in the US u Followed by Europe

The geography of cryptography u Publicly started in the US u Followed by Europe u Is rapidly expanding in Asia

Cryptography: major trends u From secret to public u From national to international u From art to science

Cryptography as a scientific discipline Is thriving as a scientific area of research: u Taught at most major universities u Attracts many excellent students u Discussed at many conferences (>25 in the next 6 months!) u Published in hundreds of papers (e.g., EPRINT) u Major conferences have >500 attendees (Major trade shows have >10,000 attendees) Received the ultimate seal of approval from the general CS community (the Turing award…)

Should we rename the field? u Cryptography means “secret writing” u The official naming of the field: Cryptology = Cryptography + cryptanalysis

Should we rename the field? u Cryptography means “secret writing” u The official naming of the field: Cryptology = Cryptography + cryptanalysis u These terms have problematic conotations u Many research subfields do not deal with the encryption or decryption of secret information

Should we rename the field? u Cryptography means “secret writing” u The official naming of the field: Cryptology = Cryptography + cryptanalysis u These terms have problematic conotations u Many research subfields do not deal with the encryption or decryption of secret information u I propose to call the broader field Adversity Theory = cryptology + other areas

Cryptography: major trends u From secret to public u From national to international u From art to science u From math to physics

Related scientific fields: u OLD COMBINATIONS: u Probability and statistics u Algebra u Number Theory

Related scientific fields: u OLD COMBINATIONS: u Probability and statistics u Algebra u Number Theory u NEW COMBINATIONS: u Signal processing (in steg, fingerprinting) u Electronics (in side channel attacks) u Physics (in quantum computers and crypto)

Cryptography: major trends u From secret to public u From national to international u From art to science u From math to physics u From theory to practice

Cryptography unites Theory & practice u Practical theory: - using abstract math tools in cryptanalysis - proving the security of real protocols -developing new cryptographic schemes u Theoretical practice: - developing new notions of security, complexity, logics, and randomness - turning cryptography from art to science

New challenges in cryptography u Payment systems u Cellular telephony u Wi-Fi networks u RFID tags u DRM systems

Cryptography: major trends u From secret to public u From national to international u From art to science u From math to physics u From theory to practice u From political to legal issues

Cryptographic misconceptions u By policy makers: crypto is dangerous, but: - weak crypto is not a solution - controls can’t stop the inevitable u By researchers: A provably secure system is secure, but: - proven false by indirect attacks - can be based on false assumptions - requires careful choice of parameters u By implementers: Cryptography solves everything, but: - only basic ideas are successfully deployed - only simple attacks are avoided - bad crypto can provide a false sense of security

The three laws of security: u Absolutely secure systems do not exist u To halve your vulnerability, you have to double your expenditure u Cryptography is typically bypassed, not penetrated

Cryptography: A rapidly moving field

u 75-80: Public key cryptography, basic schemes

Cryptography: A rapidly moving field u 75-80: Public key cryptography, basic schemes u 80-85: Theoretical foundations, new protocols

Cryptography: A rapidly moving field u 75-80: Public key cryptography, basic schemes u 80-85: Theoretical foundations, new protocols u 85-90: Zero Knowledge, secure computation

Cryptography: A rapidly moving field u 75-80: Public key cryptography, basic schemes u 80-85: Theoretical foundations, new protocols u 85-90: Zero Knowledge, secure computation u 90-95: Diff&lin cryptanalysis, quantum comp

Cryptography: A rapidly moving field u 75-80: Public key cryptography, basic schemes u 80-85: Theoretical foundations, new protocols u 85-90: Zero Knowledge, secure computation u 90-95: Diff&lin cryptanalysis, quantum comp u 95-00: Side channel attacks, elliptic curves

Cryptography: A rapidly moving field u 75-80: Public key cryptography, basic schemes u 80-85: Theoretical foundations, new protocols u 85-90: Zero Knowledge, secure computation u 90-95: Diff&lin cryptanalysis, quantum comp u 95-00: Side channel attacks, elliptic curves u 00-05: ???

The basic schemes: Major trends

u Secret key cryptography: DES out, AES in

The basic schemes: Major trends u Secret key cryptography: DES out, AES in u Public key cryptography: RSA steady, EC improving, faster schemes increasingly risky and less appealing. Should not be used for long term security.

The basic schemes: Major trends u Secret key cryptography: DES out, AES in u Public key cryptography: RSA steady, EC improving, faster schemes increasingly risky and less appealing. Should not be used for long term security. u Quantum schemes: the wild card

Some of my controvertial positions:

When applied in practice:

Some of my controvertial positions: When applied in practice: u Security should not be overdone

Some of my controvertial positions: When applied in practice: u Security should not be overdone u Security should not be overexposed

Some of my controvertial positions: When applied in practice: u Security should not be overdone u Security should not be overexposed u Security should not be underregulated

Some of my controvertial positions: When applied in practice: u Security should not be overdone u Security should not be overexposed u Security should not be underregulated u Security should be guided by an ethical code

Some of my controvertial positions: When applied in practice: u Security should not be overdone u Security should not be overexposed u Security should not be underregulated u Security should be guided by an ethical code u Security should be complemented by legal measures

Cryptographic status report In each of the six major subareas I’ll summarize: u The major achievements so far u Strong and weak points, major challenges u A 1-10 grade

Theory of cryptography u Well defined primitives & definitions of security u Well understood relationships between notions u Deep connections with randomness & complexity u Beautiful mathematical results u Highly developed theory u Excellent design tools u Challenge: reduce dependence on assumptions u Final grade: 9

Public key encryption and signature schemes u RSA, DH, DSA u Based on modular arithmetic, EC, other ideas(?) u Vigorous cryptanalytic research u Excellent theory u Expanding applications u Challenges: Break a major scheme, make a new one u Final grade: 8

Secret key cryptography – block ciphers u DES, AES, modes of operation u Differential and linear cryptanalysis u Good cryptanalytic tools u Reasonable choice of primitives u Many good schemes u Challenge: Connect strong theory with strong practice u Final grade: 7

Secret key cryptography – stream ciphers u Linear feedback shift registers u Fast correlation attacks, algebraic attacks u Limited cryptanalytic tools u Narrow choice of primitives u Many insecure schemes u Challenge: Improve weak theory and weak practice u Final grade: 4

Theoretical Cryptographic protocols u Zero knowledge interactive proofs u Secure multiparty computations u Almost anything is doable and provable u Many gems u Theoretical protocols are too slow u Challenge: Make the strong theory practical u Final grade: 8

Practical Cryptographic protocols u Many ad-hoc ideas u Proofs in the random oracle model (ROM) u Rapidly expanding body of results u Lots of buggy protocols u Reasonable design primitives u Improving theory u Challenges: incorporate side channel attacks, ROM u Final grade: 5

Cryptographic predictions: u AES will remain secure for the forseeable future u Some PK schemes and key sizes will be successfully attacked in the next few years u Crypto will be invisibly everywhere u Vulnerabilities will be visibly everywhere u Crypto research will remain vigorous, but only its simplest ideas will become practically useful u Non-crypto security will remain a mess

Summary u It was a thrilling 25 year journey u The best is yet to come u Thanks to everyone!