An interview with Joshua Holden, author of The Mathematics of Secrets: Cryptography from Caesar Ciphers to Digital Encryption
There are lots of interesting things related to secret messages to talk about—history, sociology, politics, military studies, technology. Why should people be interested in the mathematics of cryptography?
Modern cryptography is a science, and like all modern science it relies on mathematics. If you want to really understand what modern cryptography can and can’t do you need to know something about that mathematical foundation. Otherwise you’re just taking someone’s word for whether messages are secure, and because of all those sociological and political factors that might not be a wise thing to do. Besides that, I think the particular kinds of mathematics used in cryptography are really pretty.
What kinds of mathematics are used in modern cryptography? Do you have to have a Ph.D. in mathematics to understand it?
I once taught a class on cryptography in which I said that the prerequisite was high school algebra. Probably I should have said that the prerequisite was high school algebra and a willingness to think hard about it. Most (but not all) of the mathematics is of the sort often called “discrete.” That means it deals with things you can count, like whole numbers and squares in a grid, and not with things like irrational numbers and curves in a plane. There’s also a fair amount of statistics, especially in the codebreaking aspects of cryptography. All of the mathematics in this book is accessible to college undergraduates and most of it is understandable by moderately advanced high school students who are willing to put in some time with it.
What is one myth about cryptography that you would like to address?
Cryptography is all about secrets, and throughout most of its history the whole field has been shrouded in secrecy. The result has been that just knowing about cryptography seems dangerous and even mystical. In the Renaissance it was associated with black magic and a famous book on cryptography was banned by the Catholic Church. At the same time, the Church was using cryptography to keep its own messages secret while revealing as little about its techniques as possible. Through most of history, in fact, cryptography was used largely by militaries and governments who felt that their methods should be hidden from the world at large. That began to be challenged in the 19th century when Auguste Kerckhoffs declared that a good cryptographic system should be secure with only the bare minimum of information kept secret.
Nowadays we can relate this idea to the open-source software movement. When more people are allowed to hunt for “bugs” (that is, security failures) the quality of the overall system is likely to go up. Even governments are beginning to get on board with some of the systems they use, although most still keep their highest-level systems tightly classified. Some professional cryptographers still claim that the public can’t possibly understand enough modern cryptography to be useful. Instead of keeping their writings secret they deliberately make it hard for anyone outside the field to understand them. It’s true that a deep understanding of the field takes years of study, but I don’t believe that people should be discouraged from trying to understand the basics.
I invented a secret code once that none of my friends could break. Is it worth any money?
Like many sorts of inventing, coming up with a cryptographic system looks easy at first. Unlike most inventions, however, it’s not always obvious if a secret code doesn’t “work.” It’s easy to get into the mindset that there’s only one way to break a system so all you have to do is test that way. Professional codebreakers know that on the contrary, there are no rules for what’s allowed in breaking codes. Often the methods for codebreaking are totally unsuspected by the codemakers. My favorite involves putting a chip card, such as a credit card with a microchip, into a microwave oven and turning it on. Looking at the output of the card when bombarded by radiation could reveal information about the encrypted information on the card!
That being said, many cryptographic systems throughout history have indeed been invented by amateurs, and many systems invented by professionals turned out to be insecure, sometimes laughably so. The moral is, don’t rely on your own judgment, any more than you should in medical or legal matters. Get a second opinion from a professional you trust—your local university is a good place to start.
A lot of news reports lately are saying that new kinds of computers are about to break all of the cryptography used on the Internet. Other reports say that criminals and terrorists using unbreakable cryptography are about to take over the Internet. Are we in big trouble?
Probably not. As you might expect, both of these claims have an element of truth to them, and both of them are frequently blown way out of proportion. A lot of experts do expect that a new type of computer that uses quantum mechanics will “soon” become a reality, although there is some disagreement about what “soon” means. In August 2015 the U.S. National Security Agency announced that it was planning to introduce a new list of cryptography methods that would resist quantum computers but it has not announced a timetable for the introduction. Government agencies are concerned about protecting data that might have to remain secure for decades into the future, so the NSA is trying to prepare now for computers that could still be 10 or 20 years into the future.
In the meantime, should we worry about bad guys with unbreakable cryptography? It’s true that pretty much anyone in the world can now get a hold of software that, when used properly, is secure against any publicly known attacks. The key here is “when used properly.” In addition to the things I mentioned above, professional codebreakers know that hardly any system is always used properly. And when a system is used improperly even once, that can give an experienced codebreaker the information they need to read all the messages sent with that system. Law enforcement and national security personnel can put that together with information gathered in other ways—surveillance, confidential informants, analysis of metadata and transmission characteristics, etc.—and still have a potent tool against wrongdoers.
There are a lot of difficult political questions about whether we should try to restrict the availability of strong encryption. On the flip side, there are questions about how much information law enforcement and security agencies should be able to gather. My book doesn’t directly address those questions, but I hope that it gives readers the tools to understand the capabilities of codemakers and codebreakers. Without that you really do the best job of answering those political questions.