Shamir’s predictions of the future
When he received the 2002 Turing Award that he shared with Ronald Rivest and Leonard Adleman "for their ingenious contribution for making public-key cryptography useful in practice," Adi Shamir gave a talk entitled "Cryptography: State of the Science." In this talk he made some predictions about what the future would bring. Here's what he said:
- AES will remain secure for the foreseeable future
- Some PK schemes and key sizes will be successfully attacked in the next few years
- Crypto will be invisibly everywhere
- Vulnerabilities will be visibly everywhere
- Crypto research will remain vigorous, but only its simplest ideas will become practically useful
- Non-crypto security will remain a mess
It's been a while since Shamir made these predictions, so let's compare them with what's really happened so far to see how accurate he was.
Is AES still secure? The best attack so far roughly reduces the bit strength of an AES key by only two bits. That still leaves AES extremely secure, so this prediction seems to be fairly accurate.
What about the security of public-key schemes? RSA-768 was factored in 2009. That's not as big as the RSA keys that have been used for quite a while, but it's as big as some of the keys that were used back in the dot-com era. But none of the major public-key schemes have actually been successfully attacked, so this prediction also seems to be partially accurate. At least so far.
Is crypto invisibly everywhere yet? I'd say that it's not. Aside from the almost universal use of SSL, crypto really isn't that widely used yet, so I'd say that this prediction really hasn't come true yet.
Are vulnerabilities visibly everywhere? Absolutely. The many recent high-profile attacks that we heard about through 2011 seem to make it clear that this one's definitely true.
Is crypto research still vigorous? Based on the number of papers that you can find on the IACR's preprint server, I'd say that it definitely is. But, as Shamir predicted, almost all of these new ideas really don't amount to much. They may help academic cryptographers get tenure, but that's about the extent of their usefulness. Most of these new ideas probably never get implemented, and of the few that do get implemented, very few of them seem to end up being practical, so Shamir's prediction about the future of crypto research certainly seems to be reflected in what we see today.
Is non-crypto security a mess? Absolutely. In the big picture, we really don't seem to know how to make software yet. We're much like the ancient engineers who tried lots of different approaches to making bridges until they found one that seemed to work reliably. Similarly, we don't quite seem to know how to make reliable software yet. And since some of the bugs that creep into software affect the security that it enforces, this means that we also don't really know how to make secure software yet.
So there's been no significant attack found against the widely-used public-key schemes. And cryptography isn't invisibly everywhere yet. But the rest of Shamir's predictions seem to have already come true. That's much better accuracy than we get from other experts. Like government economists, for example.