It’s a good time to be a hacker. I use that as the umbrella term to describe all people involved in any kind of security research. Now more than ever, it is difficult to find any operation computer security isn’t a paramount concern in, and security researchers lie at the centre of defending the systems which hold our data.

Over the last two months I’ve had the privilege in attending the DEFCON hacking conference in Las Vegas for the first time, as well as a summer school for the Design and Security of Cryptographic Algorithms in Bulgaria, hosted by KU Leuven. At the latter, I’d found myself discussing topics ranging from the perils of using RC4 schemes in TLS, linear attacks on cryptosystems, and Galois Theory with academic experts from around the world, including Dr Rijmen, the co-designer of AES.

I attended DEFCON with Sorin, also from Imperial, and we both learnt more of the professional paranoia necessary to be a security researcher. I met a great deal of interesting people with similar thought processes, and quickly learnt that mathematically obsessing over problems and trying to break things was a welcome norm there.

By contrasting these two conferences, I also learnt that the gap between cryptographers (mathematicians) and cryptographic engineers (implementers) appears quite wide. While one may be concerned with improving a cipher algorithm’s S-Boxes such that they may be more resistant to linear attack, the other may be busy finding ways of protecting an implementation from fault injection or software bugs which leak intermediate values.

Although it would appear this gap is closing and more software engineers are concerned with the underlying maths of what they write, one thing still troubles me:

Our security today still largely relies on either the computational or mathematical difficulty of solving certain problems.

This was the primary focus of a Black Hat presentation [PDF] widely referenced as warning of a so-called ‘Cryptopocalypse’. Bruce Schneier blogged with a commentary on this easing the scaremongering it produced. The talk suggested that as advances in maths become more frequent, and as computers become more powerful, we may soon see practical ways of factoring RSA encrypted keys and Diffie-Hellman key exchange may fall.

All of the mainstream ciphers used today rely on the difficulty of solving some problem. After some time, these problems may become easier – whether it’s solving the discrete logarithm problem or brute forcing the DES keys in our SIM cards.

What happens then, if it can be found that the computational complexity problem yields that P = NP? Will we then have run out of problems which cannot be solved efficiently in polynomial time?

Instead of relying on the hardness of problems for security, and extending the number of bits or making things harder whenever people get closer to practical solutions, we should consider designing cryptosystems for which the math is not merely resistant, but provably secure.

Vernam’s One Time Pad cipher is an example of a cryptosystem which is considered information-theoretically secure. This cipher provides perfect security, but has a great deal of impracticalities when considering real world use. Today, we see companies extending their RSA key lengths and adopting perfect forward secrecy, reducing the likelihood of decrypting years of data from one compromised session key.

Perhaps much in the same way companies have done this, as well as having adopted multi-factor authentication with time based code generation, we can investigate means of adopting OTP as a practical cipher. Arguably, this would reduce the problem of exhaustive key search to finding problems with the entropy of random number generators, though this has always been a problem.

Every layer of the OSI model has its own security considerations, and even the underlying mathematics underpinning the standard libraries we use for encryption have their own fields. It is a challenge to acquire an expertise across all of these circles of security, but good things often happen when people focusing in different areas are brought together.

Maybe the next addition to this spectrum of security groups will be physicists. Once we are able to produce and maintain stronger quantum computers, quantum cryptography will potentially hold paradigm-shifting benefits to local and online privacy.

The programmers of tomorrow may not be coding on classical machines at all, and an intimate understanding of the laws surrounding the quantum mechanics involved may become just as important as knowledge of the mathematics of security are to cryptographic engineers today.

— Alex Kara