Abstract

Most readers of SIAM Review routinely use public-key cryptography, perhaps without realizing it. Whenever you visit a webpage starting with https and send information, it is encoded so that the information you send, e.g., your credit card number, is transmitted securely. This can be done rapidly using standard cryptography techniques, provided the computers on each end have the same secret key to use for encoding and decoding the information. But how do the computers exchange this key in the first place? For this, a more computationally intensive public-key system is used that allows the encoded message---in this case, the secret key---to be sent in such a way that only the intended recipient can decode it. This can be done using information the web server makes publicly available to anyone who wants to send a secret message. The basis for public-key cryptosystems is a one-way function f(x) that can be made publicly available in a form that is easy to evaluate by anyone, or by any web browser, but that is essentially impossible to invert except by someone who possesses additional information. To send a message x the sender computes f(x) and sends this value. Presumably only the intended recipient has the means to invert the function and determine x. Many public-key cryptosystems have been proposed in the past few decades, mostly based on number theoretic or combinatorial problems that are computationally intractable. One of the first and best known is the RSA system, based loosely on the fact that it is easy to multiply two huge primes together but computationally infeasible to factor the product. Other cryptosystems are based on the discrete log problem: given elements y and g of a finite field, determine an integer x such that y = g^x. Neal Koblitz and Alfred J. Menezes, the authors of the following Survey and Review paper, are number theorists who have worked extensively on an approach known as elliptic curve cryptography.
This is based on a discrete log problem in which the finite field is replaced by a group action on integer solutions to certain polynomial equations in x and y. The product of two points that lie on the solution curve in the x-y plane is a third point on the curve, defined by a simple geometric construction. The paper provides an introduction to these and other public-key cryptosystems, as well as some insight into the practical aspects of designing secure cryptosystems. As in most branches of applied mathematics, there is often a large gap between what can be rigorously proved and what is needed in practice. In the case of cryptography it can be very difficult to prove that a proposed system is in fact secure. Even if the underlying problem can be shown to be hard in some technical sense, e.g., NP-hard, there may be other ways discovered to decipher a given message without solving the general case of the problem, or side-channel attacks may be devised that exploit vulnerabilities that have little to do with the underlying mathematical theory. Turning elegant mathematical ideas into viable security systems for the real world is a fascinating challenge in applying mathematics.
