What is cryptography ?
Cryptography can be defined essentially as data treatment techniques that render certain actions by some people impossible, very difficult, or very improbable, while allowing these actions to others without problems. Cryptography consists mainly in setting up data operations that render certain actions or operations a practically untraceable puzzle, while nevertheless allowing other operations to be performed relatively easily.
The original application of cryptography was of course "secret communication". This is still a very important part of cryptography, but in the mean time, the cryptographic applications have exploded, and "secret communication" has become just one, although still important, aspect of it. Secret communication consists in making public a source of information, that conveys a message that is unintelligible to most people, but that is perfectly intelligible to others, because these others possess an extra amount of information that renders the message visible. In the standard secret communication application, one considers "friends" and "enemies". The friends are the people that are supposed to understand the message, and hence are in possession of the extra amount of information (often called the key) that allows them to render the message intelligible ; the enemies are all the others, who may eavesdrop on the source, are not supposed to possess the key. We want them to be in the impossibility of reading the message. A friend is a person possessing keys, and is hence able to do operations that others are not able to do. People who are targeted not to be able to do something, are called enemies. One shouldn't consider this too much in the military sense, although of course, there are similarities and originally, cryptography was mostly a military affair.
We will see that modern cryptography makes these concepts much more involved: some keys are distributed publicly, sometimes agents are at the same time enemies and friends. In as much as "allowing friends to do certain actions on data, which are rendered impossible, hard to do, or very improbable to succeed, for enemies" becomes an essential part of economy in our increasingly data-driven world, one can imagine the importance that cryptography has taken the last few decades. Nevertheless, cryptography is still a very poorly understood domain by most users who depend nevertheless very strongly on it for their economic activity, their privacy and even their security. This is a worrisome situation. You could think of it as equivalent to most merchants not mastering arithmetic sufficiently to do the bookkeeping of their trades !
Cryptography is a technology, mainly based upon mathematics, computing and entropy, as we will see. Let us return to the standard application: secret communication. If the goal were simply to send out information to be understood by everybody, we would be in the normal communication engineers' domain. Everybody would be a friend. If the goal were to make information unintelligible, that wouldn't be too much of a hassle too: adding sufficient noise to it would swamp it mostly and render it unintelligible to everybody. Everybody would be an enemy. The subtlety in cryptography is of course that one needs techniques which make the operation of rendering the information readable to friends much more easy by using a key, than any operation on that same information by enemies, not possessing the key. The intelligible message to be shared with friends is called the clear text. The unintelligible message is called the cypher text. The extra amount of information shared amongst friends is called the key. The cypher text should be produced with the help of the key, from the clear text. The clear text should be produced again from the cypher text, with the key. Without the key, it should be impossible, very difficult or highly improbable to produce the clear text from the cypher text. As such, a mathematical operation should be found which does exactly that. However, mathematics is usually not involved with not finding solutions. This is what makes cryptography special: one should have mathematical puzzles which are hard or impossible to solve ! This is also what makes "doing cryptography in your basement" dangerous. Indeed, in as much as it is always possible to show that a mathematical puzzle can be solved, it is much harder, or even essentially impossible, to show that a mathematical puzzle cannot be solved. It is not because you cannot solve it, or your friends cannot solve it, that nobody can solve it. As such, there is in fact no way to test the reliability of a cryptographic technique individually. The only thing one can do, is to publish the technique, hope it will get a certain attention by sufficient cryptographers in the world who try to "break" it, where breaking a cryptographic technique consists essentially in finding a way to do with the data what an enemy wasn't supposed to be able to do with it.
This is why the golden rule in cryptography is: for important cryptographic applications, only use well-known, published techniques, and don't invent your own in your basement.
If there is one thing to remember in cryptography, it is the above statement.
Cryptographic applications and systems
As we said before, the original application of cryptography was "secret communication", but in the mean time, the applications have exploded, and "secret communication" has become only one of many applications.
- secret communication between a small group of friends. This is the original application of cryptography. It is based upon what is called symmetric cryptographic techniques. A small group of friends share a key they keep secret. With that key, they can transform any clear text in a cypher text, and each of them can re-transform the cypher text into a clear text, while all other people, not in possession of the secret key, can't do that. The "friend" status is acquired by obtaining the key.
- secret communication from just anybody to someone. With the advent of mass communication and the internet, a new application emerged. With asymmetric cryptographic techniques, it is possible to have a key pair. One element of the key pair is called the public key, and the other part is called the private or secret key. The public key makes it possible to transform a clear text into a cypher text, but the secret key is needed to transform it back to a clear text. As such, if one renders public the public key, then anybody can pick it up, encrypt a text into a cypher text, and render that cypher text public. Nobody but the original owner of the key pair will be able to transform it back into a clear text. This system has the advantage of not having to share a key amongst friends.
- data fingerprints. Cryptographic hash functions can generate small "fingerprints" of a large amount of data, in such a way that it is essentially impossible to modify the data in any meaningful way, and obtain the same fingerprint. Of course, the original fingerprint has to be generated on the reliable data, and the fingerprint has to be made available reliably.
- digital signature This is a combination of the two preceding points. Someone makes a public/secret key pair, and uses the secret key together with a cryptographic hash function to produce a small fingerprint of a given data set (say, a document), and also makes the public key available. Everybody can verify, using the public key, that the document is the one that had to be treated with the person possessing the secret key that corresponds to that public key. The public key by itself however, is not sufficient to have generated that signature. At the base, a digital signature allows the signer to prove that he did sign the document, and the verifier to verify that the signer did sign the document in as far as the verifier can trust the public key provided by the signer. A digital signature is useful in verifying that a certain communication is not faked by an enemy but is a genuine communication from the person you expect it to come from.
- non-repudiation This is a somewhat more involved digital signature, that allows the receiver of a document that the signer did sign the document even though this last one would like to deny it. This is equivalent to the signature of a contract. The signer of the contract cannot deny that he signed it.
- Certification Digital certification consists in having trusted certification authorities that issue proofs of ownership of public keys. A cryptographic certificate allows one to verify that a provided public key does belong to an entity claiming it is that entity, in the same way as that entity has claimed its identity with the certification authority. Essentially, a cryptographic certificate is a public key that has been signed by the certification authority, which normally it only did when it did verify the identity of the requester.
- Proof of zero-knowledge An interactive protocol allows one agent to prove that he knows something, without revealing it, and without the verifier afterwards being able to prove to others that the original agent had that knowledge. A zero-knowledge proof is somewhat the opposite to the non-repudiation signature.
- Proof of work The agent proves that he has done an amount of computation, with the checker only having to spend an insignificant fraction of the computational work to verify it. This can be useful in order to avoid huge numbers of solicitations in a communication environment: before the answer is considered, the other party has to do some work, spend some resources. For an individual request, that effort is reasonable, but for a massive attack, that would require huge wasting of resources.
- Ring signatures This is similar to a digital signature, except for the fact that the person signing, can use the public keys (or the certificates) of many other people. It can then only be verified that one of the people involved has signed the document, without being able to pinpoint which of the different people. Nevertheless, the real signer can, if he wants to, prove that he did sign the document in the end, and not the others.
- Hiding data in other data or noise. When making public a cypher text, everybody can see that it is a cypher text, even though only friends can know the message in it. Sometimes, one doesn't even want to make visible that one is making public a cypher text. As such, it is possible to "hide" a cypher text inside an innocent-looking piece of data, such as an image, or a sound file or the like. Enemies cannot even determine whether there is some cypher text included in it or not. There are more sophisticated versions of this, where a cypher text can be decrypted with a certain key, yielding a certain clear text message, but when decrypted with another key, yielding another clear text message, or noise. As such, it is impossible to prove that the cypher text contains anything else but the first encrypted clear text.
- ....
As in any engineering, there is a bottom-up structure. At the basis, there are fundamental mathematical cryptographic techniques. One step up, there are the application blocks such as listed above: there is still a strong link between a certain technique, and a specific application. Next, these application blocks can be combined in different ways to make up a cryptographic system with a certain use. Even though the blocks themselves are already simple systems by themselves, much more complex systems can be constructed on top of that.
Safe web browsing is one such system. Anonymous communication another system. Crypto currencies are another recent development.