Cryptography Resources & Guidelines


On the difficulty of proving claims

Cryptography is a field where it’s notoriously hard to prove claims to be true, and only slightly easier to prove claims false. And due to the complexity of the field, any proposed algorithm or cryptographic system should be assumed to be insecure until there is sufficient evidence of its security (reverse burden of evidence).

The field relies heavily on computational difficulty, as studied by the mathematical field of complexity theory, which is itself under continuous research and still has many big questions unanswered (the most notable being whether the complexity class P is equal to the class NP).

Trust in the security of algorithms like RSA rests on mathematical proofs that breaking them is no easier than solving certain other mathematical problems which we assume to be hard, and yet we have no proof that these underlying problems are actually hard. The belief in their hardness is based on the absence of evidence of weakness, and on how long people have failed to find one. On the other hand, once evidence that an algorithm is weak is found, the weakness is straightforward to prove: simply show, step by step, how its mathematical problem can be solved using resources that are practically attainable.

So in short, proving security is hard, and proving insecurity is only easy once you have found how something is insecure.

This means that in cryptography you should never make absolute claims, and you should preferably only refer to the current consensus among experts when making claims about the security of algorithms and of the software implementing them. The only area of cryptographic algorithms in which absolute security claims can be made is that of information-theoretically secure algorithms, but even there you must consider the issues around their practical implementations (and some of these algorithms cannot be implemented in a practical manner). As for software implementations, formally verified programming methods can be used to prove that the software is no less secure than the algorithms it implements (that it adds no new weaknesses), but even with formally verified software you still depend on correct usage of that software to maintain security.
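The paragraph above draws a line between absolute claims (possible only for information-theoretically secure algorithms) and the practical-implementation caveats that still apply to them. The following added example, which is not part of the original article, makes that line concrete for the one-time pad on a toy message space: it checks Shannon's perfect-secrecy condition by exhaustive enumeration, then checks the same condition for an implementation that deviates from the model by repeating a shorter key across the message (a deviation constructed for this illustration, not one the article discusses). The message sizes, the XOR cipher and the function names are all assumptions made here.

```python
"""Perfect secrecy checked by exhaustive enumeration (added example).

Toy model, constructed for this illustration: messages, keys and
ciphertexts are small integers and the cipher is bitwise XOR. Two
variants are compared:
  * a true one-time pad: the key is as long as the message and uniform;
  * an implementation that deviates from the model: a shorter key is
    repeated to cover the message (an assumption made here, not a
    construction from the article).
"""
from collections import Counter
from fractions import Fraction

MSG_BITS = 4
MESSAGES = list(range(1 << MSG_BITS))        # all 16 four-bit messages
OTP_KEYS = list(range(1 << MSG_BITS))        # key as long as the message
SHORT_BITS = 2
SHORT_KEYS = list(range(1 << SHORT_BITS))    # only 4 distinct short keys


def otp_encrypt(message: int, key: int) -> int:
    """One-time pad: XOR with a uniformly random key of the same length."""
    return message ^ key


def stretch_key(short_key: int, short_bits: int, total_bits: int) -> int:
    """Repeat a short key until it covers total_bits (the deviation)."""
    full = 0
    for _ in range(total_bits // short_bits):
        full = (full << short_bits) | short_key
    return full


def repeated_key_encrypt(message: int, short_key: int) -> int:
    """XOR with a short key repeated across the message."""
    return message ^ stretch_key(short_key, SHORT_BITS, MSG_BITS)


def ciphertext_distributions(encrypt, messages, keys):
    """Pr[C = c | M = m] for every m, with the key drawn uniformly from keys."""
    dists = {}
    for m in messages:
        counts = Counter(encrypt(m, k) for k in keys)
        dists[m] = {c: Fraction(n, len(keys)) for c, n in counts.items()}
    return dists


def is_perfectly_secret(encrypt, messages, keys) -> bool:
    """Shannon's definition: the ciphertext distribution is identical for
    every message, so observing C reveals nothing about M."""
    dists = ciphertext_distributions(encrypt, messages, keys)
    reference = dists[messages[0]]
    return all(dists[m] == reference for m in messages)


def messages_consistent_with(encrypt, ciphertext, messages, keys):
    """Messages that some key could have turned into `ciphertext`, i.e. the
    set an observer cannot rule out. Under perfect secrecy this is all of them."""
    return {m for m in messages if any(encrypt(m, k) == ciphertext for k in keys)}


if __name__ == "__main__":
    print("OTP perfectly secret:",
          is_perfectly_secret(otp_encrypt, MESSAGES, OTP_KEYS))
    print("repeated short key perfectly secret:",
          is_perfectly_secret(repeated_key_encrypt, MESSAGES, SHORT_KEYS))
    c = repeated_key_encrypt(0b0110, 0b01)
    print("messages still possible after observing one ciphertext:",
          sorted(messages_consistent_with(repeated_key_encrypt, c,
                                          MESSAGES, SHORT_KEYS)))
```

The first check is an absolute statement that holds for every message and every ciphertext, which is exactly what the information-theoretic setting permits. The second shows that the statement is about the mathematical object, not about whatever a program actually does: with the key repeated, each ciphertext is consistent with only 4 of the 16 messages, so the implementation leaks information even though the "algorithm" is still XOR. The proof of security covers the model; the implementation has to be shown to match it.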


Cryptology ePrint Archive: a repository for pre-publication of cryptography papers (prior to peer review)
