9

Our Cryptographic Future

Today, we have excellent cryptographic tools available to support the security of the many things we do in cyberspace. Sure, the use of encryption gives rise to social dilemmas, but cryptography is far too useful for these dilemmas to stifle future deployment. Cryptography is here to stay. But what does the future hold for cryptography and its usage?

The Future Is Already Here

Suppose you possess a letter whose contents need to remain confidential well into the future. You keep the letter in a security box, protected by a state-of-the-art lock, and sleep soundly until the day, a decade on, when you read in the paper that thieves have found a way of breaking into this model of security box. So, you buy a new security box, with a stronger locking mechanism, and transfer the letter to the new box. Several years later the same thing happens, so you buy another box, and so on. In other words, as attacks on security boxes become more sophisticated, so, too, does your defense against the evolving threat.

This strategy works fine for security boxes, but it doesn’t work for encryption. Encryption works more like this. You possess a confidential letter, of which you make multiple copies and place each copy in its own security box protected by a state-of-the-art lock. You give one of these security boxes to each of your worst enemies. Ten years later you learn that this model of security box can be broken into, so you buy a bunch of new security boxes and ask your enemies to give you back the old boxes so that you can upgrade them.1 Um, that’s not going to end well, is it?

The problem is simply that digital information is so readily copied and stored that we must assume encrypted data will be forever accessible to an attacker. In the event of future breakthroughs in attacks on cryptography, it’s not realistic to rely on simply upgrading the encryption algorithm in order to protect existing data. You can re-encrypt old plaintext with this stronger encryption algorithm, but you cannot guarantee that copies of the original ciphertext will not still be available for an attacker to break.2

The biggest challenge for designers of cryptographic algorithms is that the cryptography of today will be attacked tomorrow. If a deployed algorithm is rendered insecure by a future attack, the time and cost involved in replacing the algorithm is potentially substantial.3 When the block cipher DES was deemed insecure in the 1990s, it was so embedded in the banking infrastructure that replacing it was almost unthinkable. As a result, we still use DES today, albeit in the more secure form of Triple DES.

Consequently, modern cryptographic algorithms are designed very conservatively, with highly demanding security requirements and as much proofing against the future as possible. Designers try to anticipate how computers will evolve in the future, particularly with respect to improvements in processing power, and then add a significant margin for error. Recall that the fastest computer in the world today takes 50 million billion years to search for a 128-bit AES key. This sounds like excessive protection, but we want to encrypt data today that will still be confidential in, say, twenty-five years (in some cases, much longer). How good will the fastest computer be then? The cautious design of AES even supports longer key lengths, of 192 and 256 bits, which can either be used today for data needing extremely high levels of protection, or can be more cost-effectively switched to in the future.

As far as cryptography is concerned, the future must concern us today. It doesn’t matter precisely how the future eventually unfolds; what matters is that we anticipate it and prepare for it.

The “Q” Word

The word quantum seems to exert an almost mesmeric effect on people. It conjures up fascinating, sometimes alarming, notions of complex future technology beyond our intuition and comprehension.4 We shake our heads bemusedly and think: “Better leave that to the experts.” (For you, hopefully, the word cryptography no longer has the same impact.)

You must not back away, however, from the importance of the adjective quantum with respect to cryptography. It arises in at least three different contexts that, although fundamentally different, are often confused. The first relates to existing technologies of varying degrees of practicality. The second concerns important technology not yet existing but of high relevance today. The third concerns technologies neither existing today nor likely to be relevant in the near future.

Two potentially useful quantum technologies relating to cryptography already exist. Both of these concern different aspects of key management. The first is quantum random number generation. As we’ve seen, random numbers are extremely important in cryptography, particularly for key generation, and nondeterministic random number generators based on natural physical sources are top of the range. Some of the best of these are based on quantum mechanics.5 The second technology addresses the problem of establishing a common secret key in two different locations. Quantum key distribution is a means of transferring a randomly generated key from one location to another over a special quantum channel.

A revolution is coming in computing technology. Quantum computers will, apparently, be able to perform some tasks much more speedily than today’s computers do.6 Quantum computers will have a significant impact on cryptography because some tasks relating to cryptography that are currently computationally infeasible on a conventional computer will become computationally feasible. Only a few fledgling quantum computers exist today, and their extremely limited capability makes a pocket calculator seem like a supercomputer. But quantum computers will only improve, so we need to take quantum computing seriously and prepare for its arrival.

Quantum computers will be capable of breaking some of the cryptographic algorithms that we use today. It is tempting to turn to the capabilities of quantum computers for a solution to this problem. After all, if quantum computers can break existing cryptography, why don’t we design new quantum cryptographic algorithms that run on quantum computers? There’s nothing wrong with this idea, but in terms of securing cyberspace, it should be a fairly low priority.

We don’t have serious quantum computers today, nor are we likely to have them soon. Time will pass. Eventually, probably, quantum computers will be developed by a few technologically advanced organizations. Only they will have the capability of using quantum cryptographic algorithms. Much more importantly, the rest of us will need cryptography that runs on conventional computers to protect us from the few quantum computers in existence. More time will pass. Eventually, maybe, quantum computers will become a bit more mainstream. Only then might quantum cryptographic algorithms possibly become useful. Eventually, maybe, might, possibly . . . I suspect this is more of an issue for our children (or perhaps their children) than for you or me.

Beware of anyone talking more generally about quantum cryptography. This ill-defined notion is often used to capture any, or all, of the three contexts I described at the start of this section. Quantum cryptography can thus exist today or not exist, be revolutionary or speculative, be practical or impractical. This is why quantum cryptography is a term I’ll avoid. We must not, however, avoid quantum computers. While they cannot yet hurl an angry bird at a pig,7 they have the potential to be devastating for modern cryptography.

Weapons of Mass Decryption

Here’s what we do know about quantum computers. They work in a fundamentally different way than the computers we use today. The data they process is represented in a form different from the binary encoding used by conventional computers. Through an ability to conduct some types of operations in parallel, they will be able to perform certain tasks much more efficiently than classical computers do.

Here’s what we don’t know about quantum computers. We don’t know when a practical quantum computer will be built. We don’t know whether quantum computers will be able to achieve in practice all that they promise in theory. We don’t know who will build the first practical quantum computers. We don’t know what the eventual rollout of quantum computers will look like. We don’t know whether quantum computers will ever become a mainstream consumer technology. In terms of cryptographic planning for the future, however, none of this matters. What matters is that future quantum computers are possible, and we need to develop the capability of defending against them today.8

It is true that quantum computers will have a significant impact on modern cryptography, but they won’t break all the cryptography that we use today. While some of the cryptographic algorithms in current use offer little protection against a quantum computer, others remain highly effective. It’s important to understand these different prognoses and their implications.

The main area of concern is asymmetric encryption and related digital-signature schemes. Almost all the asymmetric encryption and digital-signature schemes that we use today are based on the perceived difficulty of two mathematical problems: factoring and finding discrete logarithms. It is known that a sufficiently powerful quantum computer could, unfortunately, both factor and find discrete logarithms efficiently.9 In other words, a quantum computer would render essentially all of our current asymmetric encryption and digital-signature schemes ineffective. Not good.

The problem with the asymmetric encryption algorithms in use today is that their security is based on specific computational problems that are believed to be hard on conventional computers. If a quantum computer does not find these computational problems difficult, then we’re in trouble if such a machine ever becomes a reality.
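To make that threat concrete, here is an added example (mine, not from the book) that shows the structure of the quantum factoring attack. Shor's algorithm hands exactly one subproblem to the quantum computer, finding the order of a number modulo n, and everything else is ordinary arithmetic. Below, the quantum step is simulated by brute force, which only works for toy moduli, and the surrounding classical steps turn the order into a factor and then into the RSA private key. The modulus 3233 = 53 x 61, the public exponent 17, and the message 65 are constructed textbook-sized values.

```python
from math import gcd
import random


def find_order(a: int, n: int) -> int:
    """Smallest r > 0 with a^r == 1 (mod n), found by brute force.

    Order finding is the one step Shor's algorithm delegates to a quantum
    computer. Done classically, as here, it can take on the order of n
    multiplications, i.e. exponential in the bit length of n, which is why
    this toy only works for small moduli.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_via_order_finding(n: int, seed: int = 2024) -> tuple:
    """Classical part of Shor: turn an order-finding oracle into a factor of n.

    n must be an odd composite that is not a prime power (RSA moduli qualify).
    """
    rng = random.Random(seed)
    while True:
        a = rng.randrange(2, n - 1)
        g = gcd(a, n)
        if g > 1:                       # lucky: a already shares a factor with n
            return tuple(sorted((g, n // g)))
        r = find_order(a, n)            # the quantum step, simulated here
        if r % 2:                       # odd order: pick another base
            continue
        y = pow(a, r // 2, n)           # y^2 == 1 (mod n) and y != 1
        if y == n - 1:                  # y == -1 yields only trivial factors
            continue
        p = gcd(y - 1, n)               # now 1 < p < n is guaranteed
        return tuple(sorted((p, n // p)))


def recover_rsa_private_key(n: int, e: int) -> int:
    """What an attacker holding the factors of n can do: rebuild d = e^-1 mod phi(n)."""
    p, q = factor_via_order_finding(n)
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    # Constructed textbook-sized RSA key: n = 53 * 61, e = 17.
    n, e = 3233, 17
    c = pow(65, e, n)                   # ciphertext of the message 65 under the public key
    d = recover_rsa_private_key(n, e)
    print(factor_via_order_finding(n), d, pow(c, d, n))   # (53, 61) 2753 65
```

The point of the example is where the cost lives: replace the brute-force loop in find_order with a quantum order-finding routine and nothing else in the attack changes, which is why the key sizes that protect RSA today offer no margin against a machine that can run that one routine.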

For this reason, researchers are currently developing and analyzing new asymmetric encryption algorithms based on alternative computational problems not believed to be efficiently solvable by a quantum computer. These postquantum asymmetric encryption algorithms will replace the asymmetric encryption algorithms that we use today.10 A similar process is under way for developing new postquantum digital-signature schemes. Importantly, these postquantum cryptographic algorithms need to be capable of running on conventional computers; they do not themselves use quantum techniques, but they are designed to secure information against a future attacker with access to a quantum computer.

There is better news for some other cryptographic tools. Symmetric encryption algorithms tend not to rely on any one specific computational problem for their security. They rely more on intelligent engineering than just on mathematics, placing such a complex computational obstacle course between plaintext and ciphertext that the best option for an attacker is to simply search for the correct key rather than try to break the algorithm itself.

It is currently believed that the best a quantum computer can do is reduce the time it takes to perform an exhaustive key search by a margin that is substantial, but not so significant that all the symmetric encryption algorithms we use today would be ineffective. More specifically, it is believed that symmetric-key lengths need to double in order to protect against an attacker with a quantum computer.11

The symmetric encryption algorithm most widely deployed today is AES, typically with a key length of 128 bits. However, AES also supports a key length of 256 bits, so anyone fearing a quantum computer could simply switch to this key-length setting. That said, some ubiquitous applications do not use AES. Most card payment networks currently rely on Triple DES, which has shorter keys, so these networks will need to change the symmetric encryption algorithm they use in order to become secure against a quantum computer.

Quantum computers present a genuine threat to the cryptography we use today. We are taking urgent action now to address this threat, and I am quietly confident that we will develop a suite of cryptographic algorithms suitable for protecting against quantum computers long before quantum computers themselves become practical reality. Until we do so, however, there remains a risk that data encrypted today could be broken in the future by a quantum computer.

Magic Channels

What is a reality today is technology providing quantum key distribution (QKD). This is neither an encryption algorithm nor anything requiring a quantum computer. Rather, QKD is precisely what it’s called: a method of using quantum mechanics to distribute a symmetric key.

Let’s go back to basics on the key-distribution problem. Two users wish to exchange an encrypted message using their favorite symmetric encryption algorithm. To facilitate the exchange, they each somehow need to obtain a copy of the same secret symmetric key. One option is for the sender to generate a random key and then transfer this key to the receiver. But how?

In the absence of telepathy, we have a real problem here to solve. The sender cannot simply send the key to the receiver over an unprotected communication channel, since an attacker could be watching the channel and would thus learn the key. Right?

As it turns out, this isn’t quite true. If the communication channel is a standard one, such as a mobile telecommunications network, Wi-Fi, or the internet, then the argument is valid. Suppose, however, that the channel is instead a “magic” communication channel, with the special property that if any attacker intercepts information being exchanged over it, the recipient is made aware of this interception (an alarm bell rings, if you like). The sender could then simply transfer the key over the magic channel to the receiver. If no alarm bell rang, the users would know that nobody else had seen the key. If the alarm bell did ring, then the sender and receiver would throw the key away and try again.

The process of QKD works precisely in this way, where the “magic” channel is a quantum optical channel, instantiated through the likes of either line-of-sight aligned lasers or optical fibers. The key is encoded as quantum states, and a special property of quantum mechanics means that anyone attempting to read data on the channel will inadvertently alter these states in a way that can later be detected by the receiver.12 There is no doubt that QKD is an extremely clever application of quantum mechanics. Various experimental networks have been set up using QKD, and QKD has been used to distribute a key in space via satellites.13 You can buy commercial QKD systems today, although they are not cheap.
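The "alarm bell" is easier to believe once you see the numbers, so here is an added simulation (mine, not a description of any commercial product) of the best-known QKD protocol, BB84. The sender encodes each bit in one of two randomly chosen bases, the receiver measures in a random basis, the two publicly compare bases and keep only the matching positions, and then sacrifice a sample of those bits to estimate the error rate. An intercept-and-resend attacker who must guess a basis for each photon disturbs about a quarter of the sifted bits. The quantum behaviour is idealised (no channel noise, perfect detectors), and the abort threshold of 11% is an assumed figure for the demo.

```python
import random
from dataclasses import dataclass

BASES = "+x"           # rectilinear and diagonal polarisation bases
QBER_THRESHOLD = 0.11  # assumed abort threshold; a real system derives it from its security analysis


@dataclass
class Photon:
    bit: int
    basis: str


def measure(photon: Photon, basis: str, rng: random.Random) -> int:
    """Idealised measurement: the right basis reveals the bit; the wrong basis
    returns a uniformly random bit, and the original state is gone afterwards."""
    if basis == photon.basis:
        return photon.bit
    return rng.randrange(2)


def bb84(n_photons: int, eavesdrop: bool, seed: int = 1) -> dict:
    rng = random.Random(seed)

    # Sender: a random bit and a random basis per photon.
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.choice(BASES) for _ in range(n_photons)]
    in_flight = [Photon(b, s) for b, s in zip(alice_bits, alice_bases)]

    # Intercept-resend attacker: she must guess a basis, measure, and re-emit
    # what she saw. Half the time her basis is wrong, so the photon she sends
    # on no longer carries the sender's bit.
    if eavesdrop:
        resent = []
        for p in in_flight:
            eve_basis = rng.choice(BASES)
            resent.append(Photon(measure(p, eve_basis, rng), eve_basis))
        in_flight = resent

    # Receiver: random basis per photon.
    bob_bases = [rng.choice(BASES) for _ in range(n_photons)]
    bob_bits = [measure(p, s, rng) for p, s in zip(in_flight, bob_bases)]

    # Sifting over the (authenticated!) classical channel: keep only the
    # positions where sender and receiver happened to use the same basis.
    keep = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]
    alice_key = [alice_bits[i] for i in keep]
    bob_key = [bob_bits[i] for i in keep]

    # Error estimation: publicly compare a random quarter of the sifted bits,
    # then discard them. No attacker: zero errors. Intercept-resend: about 25%.
    sample = set(rng.sample(range(len(keep)), len(keep) // 4))
    errors = sum(alice_key[i] != bob_key[i] for i in sample)
    qber = errors / len(sample)
    return {
        "qber": qber,
        "alice_key": [b for i, b in enumerate(alice_key) if i not in sample],
        "bob_key": [b for i, b in enumerate(bob_key) if i not in sample],
    }


def accept_key(result: dict) -> bool:
    """The alarm bell: abort and start again if the observed error rate is too high."""
    return result["qber"] <= QBER_THRESHOLD


if __name__ == "__main__":
    quiet = bb84(4000, eavesdrop=False)
    noisy = bb84(4000, eavesdrop=True)
    print(f"no attacker:      QBER={quiet['qber']:.3f} accept={accept_key(quiet)}")
    print(f"intercept-resend: QBER={noisy['qber']:.3f} accept={accept_key(noisy)}")
```

Two practical caveats follow from the code. The basis comparison travels over an ordinary classical channel, and if an attacker can impersonate either party on that channel the whole scheme fails, so QKD deployments still need a conventional authentication key to start with. And the sifted key is only about half the photons sent, before the bits sacrificed for error estimation and further error correction, so the raw photon rate has to be far higher than the key rate you actually want.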

Just because a technology is exciting and innovative, however, does not mean we really need it. Hovercraft, the Concorde, and Sony’s MiniDisc were all brilliant inventions addressing real problems, but they never made it into the mainstream, for a variety of reasons. Although QKD may well find niche applications, it seems likely it will join this list of technologies more hyped than deployed. Here’s why.

First, QKD is an expensive solution for a problem that can be solved more cheaply. QKD distributes a symmetric key for use with any symmetric encryption algorithm. This is great, but we already have many ways of solving this particular problem, including preinstalling long-term keys and deriving encryption keys from them when needed, as is done for your mobile phone, Wi-Fi network, bank card, and other devices.

It is argued that QKD might keep us safe from attackers with quantum computers, since QKD could be used to distribute keys for a special symmetric encryption algorithm known as the one-time pad. This algorithm is as theoretically secure as it is possible to make any symmetric encryption algorithm, since it encrypts every single bit of the plaintext individually by using a random key.14 Unfortunately, the one-time pad is an expensive algorithm to use because it requires random keys that are as long as the plaintext. For most of us, why go to all the hassle of distributing one-time pad keys when, as previously noted, AES, with a relatively short (256-bit) key, is also secure against an attacker with a quantum computer?

Second, with respect to the emergence of quantum computers, QKD addresses the wrong problem. To use QKD requires having a fixed network of known devices, each using special technology to establish connections. This is precisely the kind of setting where symmetric cryptography is sufficient to secure the network. But symmetric encryption is not what will be severely compromised if practical quantum computers are ever built. The cryptographic emergency arising from quantum computers appears to be the need for new forms of asymmetric encryption. We need new asymmetric encryption algorithms in order to secure connections in open environments, such as the World Wide Web, where there is no preestablished relationship between communicating parties. Connections in open environments cannot be secured by the use of QKD. This is why the development of postquantum asymmetric encryption algorithms is far more important to our future security than QKD is.

Cryptography Everywhere!

Hopefully you are now more than aware of your personal dependency on cryptography for securing your activities on the internet, making phone calls, purchasing items with bank cards, and so on. Most of these clearly need cryptography, because they are activities that necessarily occur in some aspect of what we would traditionally regard as cyberspace.

One trend we are witnessing is a blurring of the separation between objects we readily associate with cyberspace, such as computers, tablets, and phones, and other everyday items. We are becoming used to the idea that televisions, gaming consoles, watches, and cars are also increasingly connected to cyberspace. Perhaps we can (almost) see the case for those being joined by the likes of thermostats, ovens, window blinds, and washing machines. But do we really need internet-enabled salt shakers, mirrors, toasters, and trash cans, all of which have appeared on the retail market?15

This phenomenon of increased connectivity is sometimes referred to as the Internet of Things (IoT) and is being driven partially by the development of minute, low-cost sensing technologies, capable of being embedded in everyday objects. Since almost anything could be connected to cyberspace, and most cyber-enabled things need some degree of security, as the IoT expands we’re going to be using even more cryptography in the future, and in surprising places.16

One environment ripe for IoT innovation is your home. You can buy technology today that will connect your home appliances, making it easier to control electrical devices such as lighting and heating, and improving energy efficiency. You might not consider your domestic appliances in need of much security, but think again. Much of the data on a smart home network is sensitive. The times that your lights and heating go on and off, when you watch television, when you cook, and when you run the shower all provide a template of your typical day. This might not make exciting reading for everyone, but it could be priceless for someone intending to break into your home.

You want all this data to be correct in order to obtain an accurate energy bill. And you clearly don’t want just anyone having access to this network; otherwise, a mischief maker might condemn you to living in a haunted house where lights flick on and off mysteriously, the oven heats up in the middle of the night, and your heating is turned off on the coldest night of the year. Fortunately, your cyber home could be made safe and secure with the appropriate deployment of cryptography. Let’s hope that those developing all this connected technology are paying attention.17

One advantage of smart ovens, internet-enabled light switches, and cyber heaters is that they are all large enough “things” to potentially support the same type of cryptography that we use in our phones, bank cards, and car locks. The same is not true, however, for some of the other devices that we’re connecting to the internet. Tiny devices such as RFID (radio-frequency identification) tags (which can be used to label products) and miniature wireless sensors (which have all sorts of intriguing applications, like crop monitoring and wildlife tracking) are constrained in their ability to store and process data. They tend to have limited memory and a need to conserve power in order to prolong their battery life.

To secure such devices using cryptography, researchers are developing special lightweight cryptographic algorithms, and in the future even lighter algorithms may be needed.18 These lightweight algorithms typically sacrifice some security in order to make substantial performance gains over conventional cryptographic algorithms. This is arguably an acceptable compromise, since data gathered by such devices may not need to remain confidential for a long period of time. And, certainly, using lightweight cryptography is better than no cryptography at all.

One notable implication of the way we use cryptography today is that, from the perspective of many systems you interact with in cyberspace, you are your cryptographic key. An ATM will dispense money only if the system is convinced that the chip on the presented card contains the cryptographic key it believes belongs to you. You will be charged for any phone call made using the cryptographic key stored on the SIM card linked to your name. Your car door will open for anyone who is able to use the cryptographic key associated with your car key fob.

In the future, however, this embodiment of the cryptographic key is likely to be taken one step further. You won’t just be represented by cryptographic keys; your body will contain cryptographic keys, possibly many of them. A major area that is likely to benefit from IoT technologies is the arena of medical science and health care. The types of things connected to cyberspace in the future will include medical implants such as pacemakers and other wearable or ingestible monitoring devices. These technologies may well communicate data to health-related apps running on your mobile phone, or possibly report directly to your doctor’s office. This Internet of Me isn’t speculation; it’s already happening. It most definitely requires security, and hence cryptography.19

In 2012, the US TV series Homeland featured an episode in which Vice President Walden is assassinated by a remote attacker who connects to and accelerates his pacemaker. This episode must have been very uncomfortable viewing for the thousands of pacemaker patients around the world. Yet, just as for all IoT applications of the future, if we design and deploy cryptography appropriately, their hearts needn’t flutter. Medical databases can be kept confidential, and pacemakers can be designed to communicate only with authorized medical experts and to restrict acceptable settings to safe values. The challenge for society is to ensure that such fictional attacks remain so.
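What "communicate only with authorized medical experts and restrict acceptable settings to safe values" looks like in code is worth spelling out, so here is an added example of mine, not a description of any real pacemaker or its protocol. The clinic's programmer and the implant share a per-device key. Every command carries a counter and an authentication tag (HMAC-SHA256), and the implant checks, in order, that the tag is valid, that the counter is fresh, and that the requested value lies inside an allowed range. The setting names, the limits in SAFE_RANGES and the key are all constructed for the demo.

```python
import hashlib
import hmac
import json

# Assumed clinical limits for this demo; a real device would take them from
# its approved specification.
SAFE_RANGES = {"rate_bpm": (50, 120), "pulse_amplitude_mv": (500, 5000)}


def _tag(key: bytes, msg: bytes) -> str:
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Programmer:
    """The authorised clinic device. It holds the shared key and a send counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def command(self, setting: str, value: int):
        self.counter += 1
        body = {"counter": self.counter, "setting": setting, "value": value}
        # Canonical encoding so sender and device authenticate exactly the same bytes.
        msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return msg, _tag(self.key, msg)


class Implant:
    """The pacemaker. Checks run in this order: authenticity, freshness, safety."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0           # must be persisted across power cycles
        self.settings = {"rate_bpm": 60, "pulse_amplitude_mv": 2500}

    def apply(self, msg: bytes, tag: str) -> str:
        # 1. Only a holder of the shared key can produce a valid tag; compare in constant time.
        if not hmac.compare_digest(_tag(self.key, msg), tag):
            return "rejected: bad authentication tag"
        body = json.loads(msg)
        # 2. A captured valid command must not be replayable later.
        if body["counter"] <= self.last_counter:
            return "rejected: replay"
        # 3. Even an authentic command may not push a setting outside safe values.
        limits = SAFE_RANGES.get(body["setting"])
        if limits is None:
            return "rejected: unknown setting"
        lo, hi = limits
        value = body["value"]
        if type(value) is not int or not lo <= value <= hi:
            return "rejected: unsafe value"
        self.last_counter = body["counter"]
        self.settings[body["setting"]] = value
        return "applied"


if __name__ == "__main__":
    key = bytes(range(32))              # constructed per-device key
    clinic, device = Programmer(key), Implant(key)
    attacker = Programmer(b"guess" * 6)  # does not know the device key
    msg, tag = clinic.command("rate_bpm", 70)
    print(device.apply(msg, tag))                              # applied
    print(device.apply(msg, tag))                              # rejected: replay
    print(device.apply(*attacker.command("rate_bpm", 200)))    # rejected: bad authentication tag
    print(device.apply(*clinic.command("rate_bpm", 200)))      # rejected: unsafe value
```

The ordering matters: the range check is deliberately applied even to authentic commands, so a stolen or misused clinic key still cannot drive the heart rate to a dangerous value. In a real device the command would also be encrypted, the counter would have to survive battery replacement, and provisioning the shared key into the implant securely is the hard engineering problem that this snippet takes for granted.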

Cloudy, with Sunny Cryptographic Intervals

Once upon a time, the world worked like this: You generated data (documents, photos, emails, whatever) and stored it on your personal computer under your control. If you worried about the security of your data, then it was your responsibility to protect it, using cryptography, of course. This arrangement applied just as much to situations in which “you” related to an organization as to “you” the individual.

Nowadays, the world often works more like this: You generate data and store it somewhere (goodness knows where) under someone else’s (goodness knows whose) control. You can access your data anytime from anywhere, and you can generate much more data than you have the ability to store locally. This is how the likes of Gmail for email, Dropbox for file sharing, Spotify for music streaming, and Flickr for photo curation all work. More significantly, many organizations are increasingly entrusting their entire data sets to similar data-hosting services because it’s easier, cheaper, and much more convenient than managing their own systems. This general idea is rather loosely referred to as the cloud. Of course, there isn’t just one cloud—there are many—but the fundamental principle behind them all remains the same.

Handing your data over to someone else is not without obvious risks.20 That said, a decent cloud service provider should take cybersecurity seriously. Indeed, it’s even possible that data in the cloud is safer than data stored locally, since data owners are not always good at basic security measures such as backing up. However, in some situations—for example, when outsourcing a medical database—we do not want a cloud service provider to view the data they store on our behalf. In these cases the obvious solution is to encrypt the data before we submit it to the cloud.

Alas, an encrypted medical database in the cloud presents a significant problem. Suppose we want to identify patients with a particular condition, or rearrange database entries by date of birth, or compute the average age of patients who have a specific medical profile. Since conventional encryption schemes are designed to produce unintelligible ciphertext with no apparent relationship to the plaintext it represents, we cannot conduct these operations directly on the ciphertext. We must thus download the encrypted database from the cloud, decrypt the data, and then analyze it locally. This process is both inefficient and inconvenient, since the primary motivation for using the cloud in the first place was to avoid having all this data stored on our own computers.

The need for cryptography seems to erode some of the benefits of cloud computing. In fact, however, something more interesting has happened: the need for cloud computing has driven a wave of innovation in cryptography. Special types of cryptographic algorithms are being designed precisely for the types of scenarios just discussed.21 For example, searchable encryption schemes enable data owners to search data while it remains encrypted, while homomorphic encryption enables data owners to perform a range of different types of computation (such as addition and multiplication) on encrypted data without first decrypting it. Encrypting data by using such schemes allows encrypted data to be processed while still being stored securely in the cloud.

A searchable encryption scheme allows the encrypted database to be searched, items matching the search to be identified, and only those matching items then to be returned to the data owner, who decrypts them locally. An additively homomorphic encryption scheme allows a data owner to obtain the average of some encrypted numerical database items without the cloud ever decrypting them: the cloud combines the individual ciphertexts into a single ciphertext of their sum (an operation such schemes support directly on ciphertexts), returns that one ciphertext, and the data owner decrypts it locally and divides by the number of items, which the owner already knows. This capability paves the way for more complex computations, such as running data analytics on encrypted data.
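Both ideas fit in a short, runnable example, added here by me and not taken from the book or from any product. The average is computed with the Paillier cryptosystem, which is additively homomorphic: multiplying two ciphertexts gives a ciphertext of the sum of the plaintexts, so the "cloud" half of the function can total the encrypted ages while holding only the public key. The search half builds an index of keyed keyword tokens (HMAC-SHA256) that the server can match against a query token but cannot invert. The Paillier primes P and Q, the patient ages, the record identifiers and the index key are all constructed toy values; the primes are far too small for real use.

```python
import hashlib
import hmac
import random
from math import gcd

# Constructed toy Paillier parameters: two Mersenne primes. Real deployments
# use primes of 1024+ bits; these are only large enough to keep the demo honest.
P = 2_147_483_647                # 2^31 - 1
Q = 2_305_843_009_213_693_951    # 2^61 - 1


def paillier_keygen(p: int = P, q: int = Q):
    """Public key (n, g) and private key (lambda, mu) for the Paillier scheme."""
    n = p * q
    n2 = n * n
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)          # lcm(p-1, q-1)
    g = n + 1
    mu = pow((pow(g, lam, n2) - 1) // n, -1, n)           # L(g^lambda mod n^2)^-1 mod n
    return (n, g), (lam, mu)


def encrypt(pub, m: int, rng: random.Random) -> int:
    """c = g^m * r^n mod n^2 with fresh random r, so equal plaintexts give different ciphertexts."""
    n, g = pub
    n2 = n * n
    r = rng.randrange(1, n)
    while gcd(r, n) != 1:
        r = rng.randrange(1, n)
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c: int) -> int:
    n, _ = pub
    lam, mu = priv
    return (((pow(c, lam, n * n) - 1) // n) * mu) % n


def add_encrypted(pub, c1: int, c2: int) -> int:
    """The homomorphism: multiplying ciphertexts adds the plaintexts (mod n)."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def encrypted_mean(pub, priv, values, seed: int = 7) -> float:
    """Owner encrypts each value; the cloud sums the ciphertexts without the
    private key; the owner decrypts one number and divides by the known count."""
    rng = random.Random(seed)
    uploaded = [encrypt(pub, v, rng) for v in values]      # what the cloud stores
    # --- cloud side: only ciphertexts and the public key are available here ---
    total_ct = uploaded[0]
    for c in uploaded[1:]:
        total_ct = add_encrypted(pub, total_ct, c)
    # --- owner side ---
    total = decrypt(pub, priv, total_ct)                    # the true sum must stay below n
    return total / len(values)


# --- searchable index: keyword tokens the server can match but not read ---
def index_token(key: bytes, keyword: str) -> str:
    """Deterministic keyed token; without the key the server cannot recover the keyword."""
    return hmac.new(key, keyword.lower().encode(), hashlib.sha256).hexdigest()


def build_index(key: bytes, records: dict) -> dict:
    """records maps record id -> list of keywords. The record bodies themselves
    would be encrypted separately (for example with an AEAD) before upload."""
    index: dict = {}
    for rid, keywords in records.items():
        for kw in keywords:
            index.setdefault(index_token(key, kw), []).append(rid)
    return index


def search(index: dict, key: bytes, keyword: str) -> list:
    """Client computes the token; server returns matching ids without learning the keyword."""
    return index.get(index_token(key, keyword), [])


if __name__ == "__main__":
    pub, priv = paillier_keygen()
    # Constructed patient ages; the cloud never sees these plaintexts.
    print(encrypted_mean(pub, priv, [34, 71, 58, 45]))      # 52.0
    index_key = b"\x01" * 32
    index = build_index(index_key, {"p001": ["asthma"], "p002": ["diabetes"], "p003": ["asthma"]})
    print(search(index, index_key, "Asthma"))               # ['p001', 'p003']
```

The searchable half carries the caveat a practitioner should know: because the tokens are deterministic, the server learns which records share a keyword and which queries repeat, even though it never learns the keyword itself. That leakage is the price of the efficiency, and the research schemes mentioned above differ mainly in how much of it they give up.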

This sort of functionality is very much a work in progress, since many of these new cryptographic schemes are not yet efficient enough to see wide-scale deployment.22 Nonetheless, it shows how far cryptography has advanced since the early 1970s, when the cryptographic tool kit really consisted of only symmetric encryption. As new cyberspace applications emerge, with specific security requirements, we can expect even more cryptographic tools to be designed to secure them. The future is not just wider use of cryptography; it’s more cryptography itself.

The Rise and Rise of the Machines

The day is not far off, we are told, when computers may become more intelligent than humans. Nobody knows when this technological singularity will occur (some say the 2030s, others the 2040s).23 Nor does anyone know whether these ultraintelligent computers will be technologies like the computers of today, or whether they will be digital cyborgs, arising from the convergence between computer networks and the human brain. It’s not even clear exactly what more intelligent means, or whether we’ll even be aware that the technological singularity has taken place.

These issues are details. What is beyond dispute is that computers are becoming more and more capable of conducting tasks previously associated with humans. Today, computers can do things that only humans could have done a few decades ago, such as interpreting human speech and driving cars. Advances in artificial intelligence are expected to push this process further and further. It’s possible to imagine the development of robots capable of providing medical diagnoses, binoculars able to identify all objects in their view, and vehicular systems that operate fully automatically. Unnervingly, artificial intelligence will undoubtedly deliver many things we cannot yet imagine, some of which could end up being beyond our full control.24

We are fueling this progress by the sheer volume of data being generated. In 2018, users posted about 50,000 photos to Instagram, created 500,000 tweets, and sent 13 million text messages—every minute of the day.25 This creation of vast amounts of data, and improvements in the algorithms used to process and make deductions from it, are helping computers to perform analytical tasks well beyond the capabilities of humans.26

What does all this mean for the future of cryptography? Whatever their form and function, the computers of the future will certainly need cryptography to protect their data. It’s quite possible that these computers will be better at using cryptography than we are, capable of making sure that appropriate cryptographic protection has been applied.

The more fascinating question to consider, however, is: What impact might artificial intelligence have on cryptography itself?27 Could a computer of the future become so smart that it could break all known cryptography, just like the machine in Dan Brown’s Digital Fortress?

I doubt it. Cryptography is threatened when there is a capability gap of some sort between users and attackers of cryptography. As illustration, it’s worth reflecting on which capability gaps were exploited by past governments to control the use of encryption. In the 1950s and 1960s, the capability gap was superior knowledge of how to design cryptography. In the 1970s and 1980s, it was the ability to legally restrict the strength and movement of cryptographic technology. More recently, the Snowden revelations suggest it was a superior ability both to have a systemic view of how cryptography was used, and to politically influence some of the main technology providers. If we fail to develop quantum-resistant asymmetric encryption algorithms, then a future capability gap could be represented by possession of a quantum computer.

I can certainly imagine advances in automated reasoning and artificial intelligence threatening today’s cryptography. A highly sophisticated computer program might well be able to conduct a more thorough security analysis of a cryptosystem than we can carry out today. It might find subtle flaws, discoverable only by sophisticated investigation. It might be able to find unobvious patterns in encrypted data. But for advances in artificial intelligence to lead to a capability gap, it is necessary to imagine an advanced attack machine being capable of doing things the rest of us are totally unaware of. I can’t completely rule this out, but I think the advancement of modern science unfolds in a sufficiently open and collaborative environment that it’s unlikely anyone can keep this type of capability a secret for very long.

Once we know about it, we can do something about it. If intelligent computers make a leap forward in their ability to attack cryptography, I believe this intelligence will almost certainly permit the more intelligent design of cryptography. Today’s cryptography is designed by humans, with computers used to model and test its security. Future computers may well be better at this design process than we are, creating stronger cryptography that has been more thoroughly scrutinized. They will probably also be smarter than we are at analyzing entire computer systems, determining what cryptography to apply, and then making sure it is implemented correctly.

Cryptographic progress is sometimes framed as a “race” between attackers and designers. When attack techniques improve, so, too, must cryptographic designs in order to counter them. Overall, I think the designers generally stay ahead in this game, as long as they pay attention to the way attack techniques develop. If cryptographic design heeds the progress of artificial intelligence, I believe the cryptography used to support our future computing needs will be sufficient. However, nobody alive today has any idea how our artificially intelligent future is really going to pan out.

Trusting Cryptography

One thing that will need to change in our cryptographic future concerns the notion of trust.28 Cryptography is closely linked to trust, and our future security ultimately relies on this connection becoming even tighter. It’s important to understand why.

Trust is the “firm belief in the reliability, truth, or ability of someone or something.”29 This is precisely what cryptography facilitates in cyberspace. We need to know who knows what. We need to know which information is correct. We need to know who is communicating with whom. Because of the nature of cyberspace, trust is impossible to build without cryptography.

Cryptography also relies on trust. For cryptography to work, we need to trust that certain mathematical computations are hard to perform on a computer. We need to trust that an attacker’s computing power does not exceed anticipated levels. We need to trust that users of cryptography will behave in expected ways and not, for example, share their cryptographic keys on their social media accounts.

Ultimately, however, cryptography itself must be trusted. The 2013 Snowden revelations significantly dented many people’s trust in cryptography.30 As previously discussed, the design process for cryptographic algorithms cannot always be trusted. Nor can the implementation of cryptography on the technologies we use today, or the ways in which keys are managed. If there is no belief in the reliability of cryptography, what hope is there of establishing meaningful trust in cyberspace?

Establishing trust in cryptography is challenging. A significant barrier is the sheer complexity of what we need to trust in order to trust cryptography. It’s not just about algorithms; it’s necessary to trust the entire system in which cryptography is used, including the manufacturers of the technologies and the operators of the networks on which cryptography is deployed. All this is made yet more complex by the fact that different people trust and mistrust different sets of things.31

Nonetheless, some positive trends suggest that we’re moving in the right direction.

The first relates to choice. Parliamentary democracy is a system of government whose popularity arises, in part, because citizens can choose their representatives. We don’t always trust our politicians, but we probably trust them more than if they’d been imposed on us. In the mid-1970s, cryptography didn’t offer much choice. If you wanted to use symmetric encryption, then DES was almost your only option. Today, there are dozens of symmetric encryption algorithms to choose from. Choice doesn’t imply greater security, but it can help to build trust.

The cryptography used to protect 4G and 5G telecommunications networks supports a choice of cryptographic algorithms, including special algorithms developed in China, for use in China. The Chinese don’t appear to trust cryptographic algorithms developed by others (and no doubt, some other people don’t trust Chinese algorithms), but having their own algorithms included in the specifications means that the Chinese have greater trust in telecommunications security. Similarly, you can configure the TLS security settings in your web browser so that, from the choice of cryptographic algorithms offered there, only algorithms you trust can be used to secure connections to a web server.

A second trend has been an increased interest, in both the academic and practitioner communities, in deploying cryptography securely in real technologies. In the past, the security of cryptography was evaluated independently from the operating environments in which it was used. Now, we are evaluating algorithms not just in isolation, but mindful of the wider cryptosystem within which they are used. For example, a cryptographic protocol such as TLS is evaluated to determine not just that it’s logically correct and achieves its stated security goals, but also that these qualities remain true after implementation in a real environment where auxiliary information such as error messages could be exploited by a clever attacker. While there are several smaller annual gatherings of cryptographic experts to discuss the theory of cryptography, one of the biggest meetings is now the Real World Crypto Symposium, where hundreds of researchers and developers together advance their collective knowledge about how to foster greater trust in the cryptography used to secure technologies in widespread use today.32

Most fundamentally, I believe—post-Snowden—users tend to be less complacent about security. This shift includes a greater awareness of the need to have cryptography that we can trust. The arguments between governments and technology providers about end-to-end encryption are just one example. The fact that you are reading this book is perhaps another.

Do you trust cryptography to provide adequate security for your needs? I have given you plenty of indication that you should, with some caveats. If we work toward having not just secure cryptographic algorithms but also secure cryptographic systems that run secure implementations of cryptography, then in the future it should be possible to trust cryptography even more. I certainly hope so.

Cryptography and You

What about your personal cryptographic future? It’s good to know how, and why, cryptography underpins cybersecurity. Should you now just carry on with your future activities in cyberspace as before, safe in the knowledge that cryptography is out there “doing its job” to keep you secure?

For one thing, I hope demystifying cryptography has removed some of the fear of the unknown when you consider cybersecurity. It’s not something that only computer whiz kids have any hope of understanding. Cryptography provides the basic tools from which security technologies are built. By appreciating how cryptography works, you already have some of the fundamental knowledge about how security is constructed in cyberspace.

I also hope that knowing about cryptography will change the way you think about security in cyberspace. Regarding cybersecurity through a cryptographic lens can be very useful. When your bank issues you a gadget to use when accessing your account online, you now know that it’s really giving you an algorithm and a unique cryptographic key. As long as you keep the device under your personal control, you have a much more secure way of logging in than if, say, you are asked for a six-digit PIN and your mother’s maiden name.

Thinking cryptographically can also help you make sense of current affairs. When you read in the media that the security of a particular technology you use has been “broken,” where does the problem actually lie? Is there a problem with the cryptographic algorithms used, is there a flaw in the ways the keys are generated, or have the keys been stolen from a central server? Do you, personally, need to take any action as a result? Should you wait for the technology provider to fix the problem, should you just change your password, or should you abandon the technology in favor of another?

Knowing the basics of cryptography should also give you the confidence you need to evaluate your current cybersecurity practices. How is data protected on your current devices? Are your network connections to websites cryptographically protected? How easy would it be for someone else to “become you” in cyberspace? You might even decide to take proactive action. If you have really sensitive data on your laptop, perhaps you should encrypt it. If you regularly put confidential data onto memory sticks, perhaps you should upgrade to using those with cryptographic protection.

Just as importantly, you can utilize your cryptographic knowledge when deciding which technologies or services you engage with in the future. Ask yourself awkward questions. What security is provided? What algorithms are used? Who generates the keys, and where are they stored? It’s not always easy to have these questions answered, but providers are getting better about releasing the details because they’re increasingly realizing that security doesn’t just make products safer; security sells. Make cryptography part of the way you evaluate what to use, and what to do, in cyberspace.

Appreciating the role that cryptography plays in underpinning cybersecurity should also help you contribute to the wider societal debates concerning its use. I encourage you to have your say about how society should juggle desires for security and privacy in cyberspace. This doesn’t mean you have to become a politician. Big issues are best addressed by a combination of high-level policy and action on the ground. The response to global warming, for example, requires a combination of global political leadership and day-to-day changes by every individual. The two are intertwined, since individual actions can influence policy, and policy can change personal behaviors. Thus you, too, can contribute to the debates about security and privacy, including control of the use of cryptography, through your individual actions. You do so when you decide what information to share online, when you choose which technologies to interact with, and when you react to news stories or relevant events. Have your say, and don’t let others decide the future for you.

Be aware of cryptography and what it can do for you. Today, our security relies on cryptography. Our future security will depend on it even more.