[Cryptography] quantum computers & crypto

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sun Nov 7 01:19:49 EST 2021

Ray Dillinger <bear at sonic.net> writes:

>I believe it was Knuth who checked in something warning people to 'beware
>bugs in the above code; I have only proven it correct, not tested it.'
>People think of him as a theorist, but that single incident proves to me that
>he is also an engineer and craftsman who has dealt with the real world.

That may have been a reference to Peter Naur's 1969 25-line text-formatting
routine which has a long history of being repeatedly proven correct and then
failing after being proven correct, including fairly simple stuff that would
have been noticed immediately had it actually been run on test data rather
than merely being proven correct.  The whole saga ran on for over fifteen
years, possibly only stopping when people got tired of revisiting it, and
ended up with something like two dozen faults being found in 25 lines of code
that had been repeatedly proven correct.

A more crypto-relevant one is Needham-Schroeder, which was proven secure using
BAN logic, then found to have flaws and re-proven secure using the FDR model
checker, and then found to have more flaws and re-proven secure again with the
NRL protocol analyser.

Thus the difference between cryptomathics and crypto engineering: the crypto
engineers don't stop at "a solution exists" but plan for failures beyond that.

>Some don't 'get it', but they're the same folk in spirit as those who wanted
>me to fix my code because their coverage analysis tool found 'dead code' that
>could never be executed.

Someone I know worked in an environment that had a government-agency-mandated
requirement for 100% test coverage (I'm going to be a bit vague here so as not
to reveal any identities).  However, the one thing you couldn't test was a lot
of the exception/error handling, so after a lot of arguing they had an
engineering team spend about six months removing all exception and error
handling that couldn't be tested, which was most of it, from equipment that
was going to be operated in unusually harsh environments where errors and
exceptions were likely and where service calls were prohibitively expensive.

They did successfully meet the requirement for 100% test coverage though, so
all was well.
