On the difficulty of proving claims
Cryptography is a field where it’s notoriously hard to prove claims to be true, and only slightly easier to prove claims false. And due to the complexity of the field, any proposed algorithm or cryptographic system should be assumed to be insecure until there is sufficient evidence of its security (reverse burden of evidence).
The field is heavily reliant on computational difficulty, as described by the mathematical field of complexity theory, a field which is under continuous research and which still has many big questions remaining unanswered (the most notable one being whether the complexity class P is equal to the class NP).
The trust in the security of algorithms like RSA is based on mathematically proving that they are no easier to solve than certain other mathematical problems which we assume to be hard to solve, and yet we don’t have evidence that these underlying mathematical problems are actually hard to solve. The belief in their hardness is based on the lack of evidence of their weakness, and on how long people have failed to find weaknesses. On the other hand, when we do find evidence that an algorithm is weak, it is straightforward to prove the weakness simply by showing exactly how its underlying mathematical problem can be solved step by step using resources that are practically attainable.
So in short, proving security is hard, and proving insecurity is only easy once you have found how something is insecure.
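The asymmetry above can be made concrete. The following is an added example, not part of the original text: a toy RSA instance built from constructed, deliberately tiny primes (61 and 53, e = 17) so that the underlying hard problem, factoring n, is solvable by trial division. The break is a step-by-step procedure whose correctness anyone can check by re-running it, which is exactly what makes a claim of insecurity easy to prove; the step count also shows why the same procedure says nothing about a real 2048-bit modulus, where sqrt(n) steps are not practically attainable.

```python
import math


def rsa_keygen(p, q, e=17):
    """Textbook RSA key generation from two primes (no padding, for illustration only)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (n, e), d


def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def trial_division(n):
    """Factor n by trial division.

    Returns (p, q, steps). Each step is a single checkable division, so the
    returned tuple is a verifiable certificate of the factorization. The cost
    is about sqrt(n) steps, which is only 'practically attainable' for tiny n.
    """
    steps = 0
    for f in range(2, math.isqrt(n) + 1):
        steps += 1
        if n % f == 0:
            return f, n // f, steps
    raise ValueError("n is prime or 1; nothing to factor")


def break_rsa(pub, c):
    """Constructive proof of insecurity for this instance.

    Given only the public key and a ciphertext, recover the factors, rebuild
    the private exponent and decrypt. Returns (plaintext, d, (p, q), steps).
    """
    n, e = pub
    p, q, steps = trial_division(n)
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    return pow(c, d, n), d, (p, q), steps


def attainable_steps_estimate(bits):
    """Rough number of trial-division steps for a modulus of the given bit length.

    Constructed estimate (sqrt(2**bits)); it illustrates why a break that is
    trivial for n = 3233 is not evidence against moduli of realistic size.
    """
    return 2 ** (bits // 2)


if __name__ == "__main__":
    pub, d = rsa_keygen(61, 53)          # constructed toy key, n = 3233
    c = rsa_encrypt(pub, 65)             # constructed message 65
    m, d2, factors, steps = break_rsa(pub, c)
    print(f"recovered m={m}, d={d2}, factors={factors} in {steps} steps")
    print(f"steps for a 2048-bit modulus: about 2**{2048 // 2}")
```

Running the script recovers the message and private exponent in 52 trial divisions. The same function called on a realistic modulus would never finish, which is the point of the passage: the break is evidence only for the parameters it actually completes on.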
This means that in cryptography you should never make absolute claims, and you should preferably only refer to the current consensus among experts when making claims about the security of algorithms and of the software implementing them. The only area connected to cryptographic algorithms in which you can make absolute security claims is information-theoretically secure algorithms, but even then you must consider the issues around their practical implementations (and some of these algorithms cannot be implemented in a practical manner). As for software implementations, formally verified programming methods can be used to prove that the software is no less secure than the algorithms it implements (that it adds no new weaknesses), but even with formally verified software you are still reliant on correct usage of the software in order to maintain security.
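The one-time pad is the standard example of an information-theoretically secure algorithm, and it also shows the gap between an absolute claim about the algorithm and its practical use. The following is an added example, not part of the original text; the key bytes and messages are constructed. The first function checks the absolute claim exhaustively for a single byte: for any ciphertext byte, every one of the 256 plaintext bytes is consistent with exactly one key byte, so the ciphertext carries no information about the plaintext. The second function shows the implementation caveat: reusing a pad cancels the key and leaks the XOR of the two plaintexts, a weakness that the security proof never covered because the proof assumes a fresh, uniformly random key per message.

```python
import os
from collections import Counter


def otp_xor(data: bytes, key: bytes) -> bytes:
    """One-time pad: XOR each data byte with the corresponding key byte.

    The key must be at least as long as the data; the same function decrypts.
    """
    if len(key) < len(data):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(a ^ b for a, b in zip(data, key))


def consistent_keys_per_plaintext(ciphertext_byte: int) -> dict:
    """For one observed ciphertext byte, count the key bytes that map each
    candidate plaintext byte to it. Perfect secrecy means every plaintext
    byte appears with exactly one key, so the count is flat."""
    counts = Counter()
    for m in range(256):
        for k in range(256):
            if m ^ k == ciphertext_byte:
                counts[m] += 1
    return dict(counts)


def is_perfectly_secret(ciphertext_byte: int) -> bool:
    """True if all 256 plaintexts are equally consistent with the ciphertext byte."""
    counts = consistent_keys_per_plaintext(ciphertext_byte)
    return len(counts) == 256 and set(counts.values()) == {1}


def key_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """The practical pitfall: two ciphertexts under the same pad XOR to m1 ^ m2.

    The key cancels, so the defender's check is simply 'was a pad ever reused?'.
    """
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    key = os.urandom(16)                       # fresh random pad
    m1, m2 = b"hello", b"world"                # constructed messages
    c1, c2 = otp_xor(m1, key), otp_xor(m2, key)
    print("single byte perfectly secret:", is_perfectly_secret(c1[0]))
    print("reuse leaks m1^m2:", key_reuse_leak(c1, c2) == otp_xor(m1, m2))
```

The exhaustive check is feasible only because the alphabet is a single byte; the argument generalizes to longer messages byte by byte, which is why the claim about the algorithm can be absolute, while the reuse leak shows that the claim about a deployment cannot be.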
Cryptology ePrint Archive – A resource for pre-publication of whitepapers (prior to peer review)