[Cryptography] What to put in a new cryptography course
John Denker
jsd at av8n.com
Thu Jul 7 04:55:12 EDT 2016
On 06/22/2016 09:33 PM, Phillip Hallam-Baker wrote:
> * Complexity is the enemy of security.
.... and quite a few others seem to agree.
However, I'd say that's true except when it's not true.
Here is a sentiment that has been expressed in various ways by
Aristotle, Ptolemy, Ockham, Einstein, and innumerable others:
_Make things as simple as possible, but not simpler._
I suppose in theory, /ceteris paribus/ simpler is better ...
but in reality the ceteris are almost never paribus.
Here's an example I know a little something about, namely random
number generators:
The simple ones are not good, and
the good ones are not simple.
A good one requires:
-- fundamental physics
-- electrical engineering
-- computer programming
-- mathematical cryptography
-- practical security
-- user interfaces
-- explanation and education
-- et cetera.
And (!) each one of those ingredients by itself has a fair bit
of complexity.
Insofar as the product is complicated, there are lots of ways it
might fail if you make a mistake ... but if you oversimplify
it, that's a mistake unto itself, and the thing will fail for
sure.
Crypto in particular and security in general demand attention
to detail. Up to a point it helps to reduce the number of
details ... but even so, and the end of the day there still
remain a treeeemendous number of details.
Eliminating complexity is nice work if you can get it, but
the other 99% of the job revolves around inventing systematic
ways of /managing/ the complexity that remains.
More information about the cryptography
mailing list