
Letters to the Editor

Koblitz Article Misleading

I found Koblitz’s essay “The uneasy relationship between mathematics and cryptography” (Notices, Vol. 54, No. 8) misleading in several ways. Most importantly, I believe that Koblitz’s views regarding the subject are based on several fundamental misconceptions. For example, he seems to view the unfortunate (and rare) cases in which flaws were found in published claimed “proofs” (of security) as indication that proofs are useless (w.r.t. security). In my opinion, these incidences merely reinforce the importance of careful verification of proofs, which constitute our only way of distinguishing facts from conjectures.

Furthermore, Koblitz often confuses proofs with what is being proved, and consequently does not distinguish between the inadequacy of the claim (e.g., an unsatisfactory definition of security) and the incorrectness of its proof. Finally, he often uses unsound reasoning (e.g., inferring that last-minute conference submissions indicate a rush to publish minor results).

The foregoing flaws dominate the series of papers by Koblitz and Menezes (see references in Koblitz’s essay). For a discussion of the main flaws, the interested reader is referred to my essay http://eprint.iacr.org/2006/461. Let me just stress that, contrary to Koblitz’s belief, the fact that this essay does not criticize the papers of Koblitz and Menezes for inadequate references to prior work does not mean that such cases are not numerous. On the contrary. Koblitz’s essay suffers from the same problems, and in addition it provides a distorted account of my own essay (e.g., the (legitimate) controversy regarding the “Random Oracle Model” is far from being the focus of my essay and was certainly not the source of my concerns regarding the Koblitz and Menezes papers).

I also wish to correct Koblitz’s account of the events related to the publication of his paper with Menezes in the Journal of Cryptography. I did not object to the publication of the paper due to my strong disagreement with its contents, but rather due to the nature of this paper which, in my opinion, is not a novel technical contribution of the type sought by the journal. My opinion was that the paper may only be published as a “position paper”. Since the authors refused to revise the title of their paper accordingly, the editor-in-chief was forced to write a special preface that explains that their paper is a position paper.

—Oded Goldreich
Weizmann Institute of Science
[email protected]

(Received August 27, 2007)

Koblitz Misrepresents Cryptography

In the famous joke, a mathematician would not infer the color of a sheep’s right side from its left side. But Neal Koblitz, in his article on “The uneasy relationship between mathematics and cryptography” makes quite a few broad generalizations from a handful of anecdotes.

Koblitz’s disparagement of security proofs is particularly misleading. Proofs of security of cryptographic protocols are standard mathematical proofs and in that sense are no more “over-hyped” (to use Koblitz’s term) than proofs in calculus. Koblitz gives examples of mistakes in security proofs, but as we know such examples can be found in any area of mathematics. He also criticizes these proofs for relying on unproven conjectures. This is indeed most often the case, as is not surprising in such a young and vibrant field. Eventually we might prove these conjectures (although some seem as hard as the hardest open problems in mathematics) but regardless, it’s much better to use a protocol proven secure under a well-defined and widely believed conjecture than a protocol with no analysis at all.

Koblitz points out the obvious truth that in cryptography, as in any mathematical field that models reality, the precise statement of a theorem is crucial to its practical meaning. Indeed, while we all know that the impossibility of angle trisection depends on the precise definition of allowed operations, none of us relies on this theorem to protect our credit card information. Here indeed cryptographers have sometimes misstepped and inadequately modeled the scenarios in which systems could be attacked, leading to systems that regardless of their formal analysis were insecure in practice. But the problem is not inherently with proofs of security but rather with cryptography itself, a notoriously difficult subject which over its long history has seen many great minds miss subtle points and design systems that were eventually broken.

In fact, the only way to systematically improve practical security is to insist on precise modeling, and study these models using mathematical proofs, on the way refining the models and identifying and correcting subtle weaknesses in protocols. Indeed, Koblitz’s anecdote on the MQV and HMQV protocols demonstrates precisely how careful definitions and insistence on proofs can direct an incremental process towards more secure protocols.

—Boaz Barak
Princeton University
[email protected]

(Received August 30, 2007)

Publication of Koblitz’s Article Questioned

I was shocked and dismayed that the AMS Notices published Neal Koblitz’s article [“The uneasy relationship between mathematics and cryptography”, September 2007] without, apparently, any editorial oversight. As one who works in the field of “provable security”, I vehemently disagree with Koblitz’s main argument—more on this below—but this is not my primary complaint. Instead, what I found abhorrent is that the article crosses the line from academic

[Notices of the AMS, Volume 54, Number 11, p. 1454]

argument to personal screed, from constructive criticism to belligerent name-calling. I cannot imagine the Notices publishing a similarly disparaging article about any other academic discipline.

By another fault of the editors, readers were not given the opportunity to read a companion article containing a countervailing point of view. Without dissecting Koblitz’s arguments point-by-point, let me assure readers that proofs in modern cryptography are as meaningful as proofs in any other field. Can a scheme that has been proven secure still succumb to a real-world attack? Yes, but this does not invalidate the proof. (A proof is given with respect to a particular definition; any single definition is not appropriate for all possible environments in which a scheme may be deployed.) Are most results in cryptography conditional? Yes, but this has been shown to be inherent until the P vs. NP question is settled, and should not hold back research. Do mistakes happen? Occasionally, though rarely. But this surely does not diminish the importance of proofs in the first place. Frankly, I cannot understand why any mathematician would discourage the use of definitions, proofs, and formal reasoning in any field. (Indeed, these elements have helped cryptography progress from an art to a science.) Koblitz’s article clarifies his motivation: sheer elitism. According to Koblitz, cryptographers publish papers of “little originality” and containing “tiny improvements”; when we do publish something of potential interest, it is likely to be wrong. According to Koblitz, cryptographers are simply incapable of writing correct proofs, hence his admonition that anyone other than “trained mathematicians” simply give up on the goal. This is snobbery at its purest.

Publication of Koblitz’s article has the potential to cause serious damage: not to the field of cryptography—which will continue to do fine with or without Koblitz’s support—but to the future involvement of mathematicians in this field. In the future, the editors should more carefully weigh the pros and cons of publishing “contributions” of this nature.

—Jonathan Katz
University of Maryland
[email protected]

(Received August 30, 2007)

Koblitz’s Arguments Disingenuous

Addressing Neal Koblitz’s disingenuous arguments against theoretical cryptography in his recent article in the Notices requires far more elaboration than allowed by the space allocated for this letter (see http://www.ee.technion.ac.il/~hugo/ams-letter). Let me thus focus only on some of Koblitz’s unfounded claims against my work on the HMQV protocol that he uses as a way to discredit the entire field of complexity-based cryptography (what he refers to as “provable security”) and to deny the significant achievements of this field, in particular its important contributions to the practice of cryptography.

Contrary to what Koblitz claims, the HMQV work represents a prime example of the success of theoretical cryptography, not only in laying rigorous mathematical foundations for cryptography at large, but also in its ability to guide us in the design of truly practical solutions to real-world problems. Indeed, the HMQV key-agreement protocol that resulted from this work not only improved significantly on its predecessor, the MQV protocol, in terms of analysis and security guarantees, but the protocol itself became more practical, improving performance and lowering the dependency on external mechanisms such as trust in certification authorities and key derivation functions.

This double improvement, in both security and performance, is no coincidence. It is the very understanding that one obtains through the process of formally proving (or disproving) a cryptographic protocol that allows us to eliminate safety margins that are often added to cryptographic schemes when there is not enough confidence in the strength of the design. The success of this “proof-driven design” methodology is a testament to the fundamental role of the theory of cryptography in bringing more secure systems to practice.

There is no better way to assess the value of the HMQV protocol than reading the paper itself posted under http://eprint.iacr.org/2005/176. In particular, the introduction and concluding remarks section in the paper, unchanged since the original publication, already contain answers to many of the points raised by Koblitz against our methodology. Also note the preface where I comment on a correction pointed out by Alfred Menezes that, contrary to Koblitz’s misleading account, did not change in any essential way the results and value of the work, neither with respect to its provability nor the substantial practical benefits of HMQV.

Let me end by stressing a very important point in understanding the role of theory when designing and analyzing real-world cryptographic systems: By its very nature, there is no (and cannot be) empirical evidence for the security of a design. Indeed, no concrete measurements or simulations can show that attacks against a cryptographic scheme are not feasible. The only way to do so is to develop a formal mathematical model and language in which to reason about such schemes. The area of theoretical cryptography and its applications has been remarkably successful in developing such models. They are certainly not perfect and will be further improved over time, but the foundations laid so far are outstanding. Whoever finds them insufficient should be encouraged to improve upon them or come up with alternatives. Emotional and unfounded attacks against a whole research area and its individuals, as carried by Koblitz, are of no use.

—Hugo Krawczyk
IBM T. J. Watson Research Center
[email protected]

(Received September 3, 2007)

Reply to Katz, Goldreich, and Krawczyk

Jonathan Katz misstates what I wrote in my article and attributes to me things I never said, all to justify accusing me of “sheer elitism” and “snobbery at its purest”. I never objected to cryptographers making a carefully reasoned, rigorous argument in support of a claim. Indeed, in my papers with Menezes on “provable security” we give detailed explanations of the need for precision in definitions and security analysis, and we describe some of the best examples of early and more recent research along these lines. In my article what I took issue with was all the hype, misleading terminology, and easily misunderstood and misinterpreted “theorems” that one finds in much of the “provable security” literature. It is hard to escape the impression that mathematical jargon and the theorem-proof paradigm are often used to kick dust in the eyes of outsiders.

It is Oded Goldreich, not me, who gives a misleading version of the events surrounding his last-minute effort to prevent publication of my article with Menezes in the Journal of Cryptology. Our paper had gone through the refereeing process almost two years before, and had been judged to be of sufficient technical novelty to merit acceptance. Goldreich’s essay “On post-modern cryptography” finds fault with our article not on technical, but rather on philosophical grounds. Calling Menezes and me “post-modern [and] reactionary”, he is incensed by some of our conclusions—notably, that “our confidence in the random oracle assumption is unshaken” and that cryptography “is as much an art as a science”. Whatever Goldreich’s reasons might have been for attempting to block our article on the eve of its publication, in the scientific world such conduct by an editorial board member is irregular and improper.

Hugo Krawczyk’s letter itself is an illustration of what I find so exasperating in the “provable security” field. In order to advertise his work as “a prime example of the success of theoretical cryptography,” Krawczyk minimizes the fact that his published proof was fallacious. If the HMQV protocol had been deployed in its original form as published, not only would the advertised “provable security” guarantee have been false, but in certain settings HMQV could have been breached by a malicious adversary. That’s not a minor matter. (See http://eprint.iacr.org/2005/205 for detailed explanations of the security flaws that have been found in HMQV.) Indeed, if Krawczyk believes that fallacies in proofs are so unimportant, then why bother to give proofs at all?

—Neal Koblitz
University of Washington
[email protected]

(Received September 14, 2007)
