A Gentle Introduction to Cryptography


Why

There are a lot of tutorials on the internet about cryptography, and some are even addressed to those who haven’t been in contact with cryptography as of yet, so why then, you would ask, is there a need for another introduction? Of all the introductions I have come across, not one addresses the “why” question; instead they all focus on the “how”. They go to great lengths to simplify the math behind encryption and explain how encryption and its derivative concepts work, but they leave out what I consider one of the most important ingredients in understanding something: the why. Why does it exist, what is it good for, is it really necessary, what are the practical applications? These are anchor questions. They have the capacity to connect an abstract concept with something that is real, and by doing so they entice curiosity and aid the process of learning and understanding by giving purpose to this non-trivial task.

Sometimes these whys are simple. They connect to immediate personal necessities we often call pains, or pain-points, so it’s easy to make the correlation between the needs and the solution to those needs (the how) and then, understand the hows to such degree that we can repeatedly apply them to our advantage - to solve the pain. Cryptography is not one of these. The problems (pain-points) cryptography solves are abstract themselves. They emerge at the intersection of multiple types of social interaction between people - communication, political interest, economic constraints, social ascension, et cetera - so I will start by defining some of these abstract concepts that ultimately reveal the pains that require cryptography to mend.

In this introduction, I will focus predominantly on detailing the whys of cryptography and will only superficially touch the how, when this is necessary to emphasize some aspect of the “why”. My hope is that this will help people better understand what cryptography is, because unlike our mundane real-world existence, which can go by with little or no brush with cryptography, our cybernetic life could not possibly exist without encryption and adjacent concepts. Understanding that, understanding the why, will give people the power to leverage cryptography to protect their assets and ultimately their advantage within cyberspace.

An important note, to correctly set expectations: this introduction is not about cryptocurrency and blockchain. Yes, cryptography is a fundamental element of that field, but blockchain is only one of many applications of cryptography. The focus of the series is cybersecurity in general, and I will be looking at cryptography as a fundamental tool of cybersecurity. As part of the applications, I will discuss the cryptographic elements of blockchain, but hopefully, by then, I’ll be able to put sufficient context around those components to emphasize not how the blockchain operates, but why those cryptographic tools can be used to obtain, among other things, what blockchain is today - an attempt to look at things from a creator’s mind.

Preamble

When talking about cryptography and the phenomena that make it necessary I will inevitably speak of concepts which may be new, but there will also be words that you already know or even use frequently, as these phenomena are not as far from everyday practical reality as the word “cryptography” would make you think. Most of these words mean exactly what you expect they would, but in some cases, the profession puts some stricter perspective on it, implying some technical aspects which do not uphold so rigidly in the day to day. The reason for this will become evident in the next chapter, with the first concept I will discuss. To avoid any confusion, I will briefly highlight those finer nuances, but before getting into any discussion about cryptography, let me emphasize an important duality about the field which always bothered me.

On one end, concepts and procedures in cryptography are very strict, always black and white: 99.9% precision is not acceptable; either something is 100% provable given a set of premises, or it cannot be considered - it does not exist. There is a strange solace in this approach, which I am particularly fond of, but then cryptography goes back on this principle and compromises on the very premises those proofs are based on, which are not at all perfect, but rather only “good enough”. There is of course a good reason for this compromise, which boils down to practicality in terms of resources (time, compute power and energy expenditure), the flip side of which is a continuous and unavoidable race against the evolution of technology. Whatever compromises make encryption practical while keeping cracking impractical by today’s standards may not hold strong against the technology of just a few years in the future, which means encryption must continuously evolve. Nevertheless, if you find it confusing that at one point I talk about irrefutable processes, and at another I mention probabilities, this is the reason.

That being said, the fact that we compromise does not invalidate the importance of the irrefutability of cryptographic principles. An irrefutable process built on an imperfect but highly reliable basis is capable of accurately forwarding that reliability, which is mathematically calculable. Conversely, should we accept wishy-washy processes, they would further erode the imperfect premises, making the resulting accuracy mathematically incalculable, and thus unreliable.

With that in mind I will jump into the subject and demystify the most common concepts in cryptography one by one, in a logical order, such that as I get to more advanced concepts, the concepts they are built upon are no longer strange to you.


Guarantees

This is a word we often use in reality to imply certainty of the expected result. The only difference is that in cryptography this is not a lax notion, but it has to be backed by a mathematically measured value. When 100% guarantee cannot be mathematically proven, cryptography will only accept exceptions that are extremely rare. So rare in fact that they usually need to be measured in geological times.

The reason for this is that we can only make predictions and estimate probabilities based on the technologies we know, but technology is evolving in ways we cannot know. As an example, the computation power of the year 2000’s strongest supercomputer - which consumed 2 Megawatts of power to run - in the year 2022 fits in a laptop and consumes 200 Watts. All this through predictable incremental evolution, without any new algorithms or any disruptive technology. Because of this, overprovisioning is a must, and it is why in cryptography, and cybersecurity in general, we really like 100% mathematical guarantees. What a true mathematical guarantee really means is that nobody in this universe, no matter how technologically advanced they might be, or how much power and time they had at their disposal, would be able to invalidate it. Needless to say, we don’t have lots of those, but the few that we know of are serene.


Communication, Documents and Messages

Again, these are not words that are strange to anyone but they do require a little clarification because they are used with a more technical scope in information technology in general and cryptography in particular, compared to how we use them in everyday language.

When we talk about encryption - and at this point I haven’t gone through explaining this word, so let’s default to whatever somebody thinks about encryption - it only makes sense when it comes to communication, a transfer of information. This is because the very reason for encryption is to make some information inaccessible - make it non-information - which would consequently make it utterly useless to a party that holds that encrypted information.

Communication implies that there are in fact at least two ends to it, one that is the source of the information and one that is the recipient of the information, and that these ends do not in fact have simultaneous access to the information, as otherwise communication would not be necessary.

Because the ends are not simultaneously in contact with the information, information cannot pass from one end to the other in the form it exists at the source; instead it has to take a form that is known to both ends and is compatible with the environment it travels through. We can call this form a “document”. I realize that in everyday life document has a slightly stricter meaning, which often captures the environment it resides in and the way it is preserved in that environment, but in a generic way we can consider any information that finds itself outside both the source and the destination as being a document. These could be more obvious forms like a letter or a text file, but also slightly unusual ones like a sequence of sounds - both when that sequence of sounds is wrapped in a file, such as an mp3, and in its more fluid form, as a stream on the radio.

The most common way people imagine communication in real life is when there is a spatial displacement between the source and the destination - like talking over the phone - but in practical terms there could also be a temporal displacement. In fact, such temporal displacement is mandated by the laws of physics and exists even when we are under the impression that the communication happens in real time; it is just very, very small. Setting aside such hair-splitting, a more obvious temporal displacement is when we leave a voice message, which can easily be recognized as a specific type of document. And to further highlight how generic the concept of communication is, it is not inconceivable that I leave a voice message to myself, as a reminder, in which case the communication is between me and a future me. I am both the source and the destination of the “message”, which is nothing else but the building block, the unit of communication.

Of course we call this communication with our future self saving, or archiving, or storing, which makes sense in everyday life to provide more context to an action, but when it comes to encryption we can look at things in a fantastically simple way: all information exchange, regardless of whether it’s spatial, temporal or both, is communication. To be transferred, information must be captured in a document, and when the source and the destination of such a document are defined, it becomes a “message”.

I will close with one more clarification: when we say we send an encrypted message, what is really meant is that the message contains an encrypted (non-information) document. The source and the destination elements of the message are obviously not encrypted (they have to be information), otherwise the message would not find its way to the destination or, at arrival, it would be impossible to tell where it came from. This raises some interesting discussions, some of which I will touch on later.


Direct versus Indirect Communication, Interference

The Chinese whispers, or the telephone game, is a very popular children’s game all around the world which can help emphasize some important aspects that surface within the context of encryption. The idea of the game is - just in case you are not familiar with it - to form a chain in a group of people; the head of the chain thinks of a secret (basically a piece of information) and then whispers it into the ear of the next member of the chain, who in turn whispers it into the ear of the next one, and so on, all the way to the end of the line, where the information is publicly disclosed and then compared to what the head of the chain actually sent down the line. In the end everybody laughs at the funny ways the information changes (deteriorates) as it travels across the chain.

In this game, deterioration occurs because information is not repeated accurately as it travels the chain, but rather depends on the members’ memory and interpretation. If we consider each step in its minimum form, the information and two parties, there is only one way communication can happen - source transforms information into document, document is sent to destination, destination restores document into information (as described in the previous section). This level of isolation is ensured in the game through the rule that each member of the chain whispers the message into the next member’s ear. As a result, any effect on the information transfer can be attributed to either the transcription of the information into document (encoding) or the reverse operation, the interpretation of the document into information (decoding), but no interference (reading / changing) can occur to the document itself while in transit, because the communication is direct. This concept of direct communication is fundamental to the field of encryption because it is one of those “guarantees” encryption relies upon. When communication is direct, encryption is not necessary, which is important because at some point in the process, every encryption mechanism requires some form of non-encrypted communication.

If we look at the communication in the game holistically however, from one end to the other, which is what most communication in real life resembles, each member of the chain except the head and the tail is in fact part of the information transfer component of the communication. Because of this, information can be affected not only by the encoding and decoding of the information at the head and the tail respectively, but also while the document itself is in transit between source and destination. Communication in this case is indirect, and thus prone to information leak and alteration. This is where encryption becomes useful, because it gives us means to better understand these effects on documents in transit, and even to control or prevent some of them.


Confidentiality, Integrity, Availability (the CIA of information)

If you have had even a little brush with cybersecurity, you are likely to have heard of the CIA triad, which ensures the security of information: confidentiality, the guarantee that the information is only seen by the destination and never in transit; integrity, the guarantee that the document was not altered in transit; and availability, the guarantee that the information stays accessible to the destination. As a side note, let’s reiterate that storing documents for my very own needs, like personal files, is also a form of communication - communication with my future self - so all rules apply the same way. While these are security concepts, they are important from an encryption perspective because in every one of these guarantees, encryption is either needed to ensure the guarantee, or encryption can interfere with the guarantee itself.

The concepts are quite self-evident; what is perhaps a bit less intuitive is the relationship between them and how they add up to ultimately provide security to information. I personally would prefer to call the triad AIC (Availability, Integrity, Confidentiality), which is way less cool than CIA, but in spite of how security practitioners uphold the equal importance of all three, there is always an order of importance among them. In some edge cases, by the very nature of the information - such as an embarrassing secret - confidentiality could be more important than availability (maybe you would choose that nobody had that information, not even you, over the remote chance that somebody else might also find out), but in the vast majority of real-world practical cases, availability is almost always more important than confidentiality: you would rather keep the information available to you even at the risk that somebody else may also become aware of it. Availability can often be more important than integrity as well. For example, deteriorated documents are better than no documents at all, because at least you do have access to some information as opposed to being completely oblivious, but of course there are edge cases here as well. If the loss of integrity meant that somebody altered a document to mislead you, then it would make sense to choose no information over false information, if only you knew that the received information was false in the first place. In yet other cases, confidentiality is not important at all, such as the information in an encyclopedia, where the emphasis lies exclusively on availability and integrity.

What is so powerful about encryption in general, is that it has the tools necessary to help us solve these problems in various combinations, by leveraging various mechanisms either alone or in combination. I will first highlight what these mechanisms are and how they work in principle (without going into too many details) and then I will dive into some of the more usual use-cases we encounter, and explain how we can combine distinct encryption tools to solve a CIA problem. Basically the “whys”.

Without further ado, let’s get you familiar with three basic tools of cryptography, which is all you will need to understand the vast majority of the “whys” encryption is good for: symmetric encryption, asymmetric encryption and hashing. The first two are categorized as reversible encryption and the third as non-reversible encryption, or, more correctly, a digest.


Symmetric Encryption

Finally, I have arrived at the word which probably prompted you to read the article in the first place so let’s see what symmetric encryption is and how it works by using a very simple use case.

Symmetric encryption is what most people think encryption is, basically using a mechanism to conceal a document so that others won’t have access to its content even if it is stored in plain sight. The reason is simple. I want to be able to send my friends secrets, always, even if I am unable to communicate with them directly - whisper the message into their ear, as I would do in the telephone game.

There are many symmetric encryption mechanisms, and mathematically they are very complicated, but they all share some basic aspects, and that is all anyone needs to know to understand the principle behind symmetric encryption, its purpose and limitations.

Symmetric encryption is a reversible transformation that makes a document unintelligible by using some mechanism, generally called an algorithm. In this unintelligible form, the document can be safely exposed for observation to any third party, as long as that third party does not know the algorithm that was used to encrypt the document and its operating parameters, because knowing the algorithm and its operating parameters is all that is necessary to revert the document to its original form. Symmetric encryption is of course reversible encryption, and this reversibility is part of its design and purpose.

One of the simplest forms of encryption is what is called Caesar’s Cipher, named after Julius Caesar who used it in his private conversations (well, at least back in the days when there weren’t any cryptanalysts around, as this cipher is crazy simple to crack - I’ll get into that).

Caesar’s cipher is a shift cipher that many children play with - some even invent it on their own. Basically you take the letters of the alphabet and pick a random number, say 2 for simplicity, and to encrypt the message you shift every letter in your message to the right by that number: “A” becomes “C”, “R” becomes “T”, and so on. If you encounter letters that, shifted to the right by your number, exceed the alphabet, such as “Y” in our case, you use the alphabet like a clock, where the end connects to the beginning in a forever loop, and so, for our shift of 2, “Y” becomes “A”.

If the recipient knows the algorithm and also knows its operating parameter (number 2 in our case), he or she can readily recover the original text by shifting the letters to the left (reverse direction). In cryptography we call these parameters keys, and for this particular case of symmetric encryption, symmetric keys, because the same parameter (key) is needed for both encrypting the document and decrypting it.

Simple enough, with a few caveats. The recipient has to know the algorithm and the parameter, which themselves must be sent either directly or using encryption. In case prior direct communication is possible, where encryption is not necessary, that could be a solution, but for the latter, using symmetric encryption is no longer suitable as you will end up in a forever encryption madness: using encryption to send the key, which you encrypt with a key, which you send using encryption, and so on. This problem is called the “key exchange” problem, and it is a critical piece that can make or break secure communication, and as such a fundamental requirement in cryptography. This is where asymmetric keys can help, but first I will talk about the next caveat, strength of the encryption, and how to crack Caesar’s cipher.


Attacking Symmetric Encryption And Other Shortcomings

Imagine it’s 49 BC. A messenger is stopped at the gates of Rome carrying a letter. The letter is brought to the magistrates, who inspect it, but at first glance they see nothing but random letters forming unrecognizable words:

FGEKOWU, K YKNN ETQUU VJG TWDKEQP YKVJ OA VTQQRU CPF OCTEJ KPVQ TQOG. YCKV HQT OG CV VJG ICVGU. AQWT HTKGPF, LWNKWU.

Initially they thought it was a foreign language, but then clues like the messenger being Roman, and the fact that he was trying to enter Rome, led them to think that perhaps it was English, but somehow transformed to conceal the original text (for the sake of simplicity, let’s assume Romans spoke modern English, as they do in the movies). Armed with this additional context, and with the assumption that it must be a simple transformation - because the separation between words and sentences was still recognizable - they started analyzing how short length words in the mangled text were relating to known words of equal length:


VJG <-> THE, VJG <-> AND, VJG <-> ONE


After a bit of trial and error someone spotted that “G” is two places after “E” and so are both “J” and “V” compared to “H” and “T”. They extrapolated the rule to the entire text and, bingo:


DECIMUS, I WILL CROSS THE RUBICON WITH MY TROOPS AND MARCH INTO ROME. WAIT FOR ME AT THE GATES. YOUR FRIEND, JULIUS.


This story is obviously fictional, otherwise the Roman Empire would never have come to pass, but the purpose here is to emphasize how the complexity of the algorithm influences the success of encryption. Patterns and repetitions are quickly recognized through cryptanalysis - the process, profession even, dedicated to deciphering encrypted texts - which is why modern ciphers take measures to mask the patterns that inevitably appear in documents, especially language. I say mask, because no current encryption algorithm is capable of completely removing patterns, and thus they are all potentially breakable through cryptanalysis. It is just a matter of time, technological evolution, and new tools and strategies in cryptanalysis until all current encryption algorithms are proven obsolete. Many, like Caesar’s Cipher but much more complex, have already fallen.
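To make both the shift cipher described earlier and the magistrates’ word-matching concrete, here is an added Python example; it is mine, not code from the original article. It implements the right shift with wrap-around for a key of 2, the reverse shift the recipient performs, and the recovery step from the story done exhaustively: for each of the 26 possible keys, shift the words back and count how many turn into common short English words. The plaintext and ciphertext are the constructed letter from the story; the word list COMMON_SHORT_WORDS (extended a little beyond THE, AND and ONE) and the function names are my own.

```python
import string

ALPHABET = string.ascii_uppercase

# Constructed sample: the letter from the story, plaintext and its shift-by-2 form.
PLAINTEXT = ("DECIMUS, I WILL CROSS THE RUBICON WITH MY TROOPS AND MARCH INTO ROME. "
             "WAIT FOR ME AT THE GATES. YOUR FRIEND, JULIUS.")
CIPHERTEXT = ("FGEKOWU, K YKNN ETQUU VJG TWDKEQP YKVJ OA VTQQRU CPF OCTEJ KPVQ TQOG. "
              "YCKV HQT OG CV VJG ICVGU. AQWT HTKGPF, LWNKWU.")


def caesar_shift(text, key):
    """Shift every letter right by `key` places, wrapping Z back to A (the "clock").
    Characters outside A-Z (spaces, punctuation) pass through unchanged, which is
    exactly why word and sentence boundaries survive in the ciphertext."""
    out = []
    for ch in text:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext, key):
    return caesar_shift(plaintext, key)


def decrypt(ciphertext, key):
    # Decryption is the same transformation run in the opposite direction:
    # the one symmetric key serves both sides.
    return caesar_shift(ciphertext, -key)


# Short English words to compare candidate words against (my own list).
COMMON_SHORT_WORDS = {"THE", "AND", "ONE", "FOR", "ME", "AT", "MY", "I"}


def recover_key(ciphertext):
    """The magistrates' method, done exhaustively: for each of the 26 possible
    keys, shift the words back and count how many become known short words.
    Returns (best_key, number_of_matching_words)."""
    words = [w.strip(".,") for w in ciphertext.split()]
    best_key, best_score = 0, -1
    for key in range(26):
        candidate = [caesar_shift(w, -key) for w in words]
        score = sum(1 for w in candidate if w in COMMON_SHORT_WORDS)
        if score > best_score:
            best_key, best_score = key, score
    return best_key, best_score


if __name__ == "__main__":
    assert encrypt(PLAINTEXT, 2) == CIPHERTEXT
    key, hits = recover_key(CIPHERTEXT)
    print(f"recovered key {key} ({hits} dictionary hits)")
    print(decrypt(CIPHERTEXT, key))
```

Two things are visible when you run it: the preserved word boundaries give the analyst units to compare, and the key space has only 26 members, so every key can be tried in an instant. Those two properties, retained structure and a tiny key space, are what modern ciphers are designed not to have.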

As a side note, we know of a mechanism to achieve perfect encryption - mathematically guaranteed that no advanced civilization can decrypt it - but it is impractical for everyday use. Nevertheless, it is remarkable through its simplicity, so I will touch on it in a later chapter.

There are a couple of other shortcomings to symmetric encryption which need to be understood if we are to use it correctly in building CIA triad strategies. First of all, Decimus never got the letter, so obviously symmetric encryption cannot help with the availability component of information - interestingly, it can actually hurt the availability component, but that is a story for later.

Similarly, if the magistrates had failed to decrypt the message, they could have just replaced it with a random text and sent it along to the destination. Upon receipt, Decimus would have applied the cipher and ended up with a complete nonsense message, potentially concluding that Julius simply had too much to drink and forgot they agreed on number 2 as the common (symmetric) key to their cipher. He would have had no way to know the message was tampered with. Symmetric encryption normally does not guarantee message integrity either.

The only CIA element symmetric encryption can be used for is the confidentiality component. This of course holds true whether I am sending documents to a distant destination in the present, in which case the process of using encryption to ensure confidentiality is called “encryption in transit”, or encrypting for our future selves, in which case we call it “encryption at rest”. In both cases, the mechanics are identical. There are of course many symmetric encryption algorithms, but there are not two types of symmetric encryption, which means that some of these limitations cannot be overcome no matter how good the algorithms are.

In summary: current symmetric encryption algorithms are very secure relative to today’s technology development, so within the aforementioned probabilistic caveat they offer very good confidentiality guarantees, but that is about it. They are unable to help (on their own) with any of the other CIA aspects, or with the additional security aspect (safe key exchange) which is specific to cryptography.



Asymmetric Encryption

The problem of exchanging symmetric keys is a big one, so big in fact that it makes symmetric encryption highly impractical no matter how effective the algorithm is. The only natural way to guarantee the secrecy of the shared key is via direct communication, and in most cases this is impossible. Imagine if you had to physically visit the headquarters of each and every website you visit and exchange an encryption key prior to your web visit. That would defeat the purpose of the Internet itself. To overcome this challenge, and to cover some other shortcomings of symmetric encryption, asymmetric encryption was invented.

Like symmetric encryption, asymmetric encryption is also a reversible encryption (transformation), but instead of using the same key to encrypt and decrypt documents, asymmetric encryption uses two keys. These two keys are mathematically linked in such a way that documents encrypted with one of the keys can only be decrypted using the other key - hence the name asymmetric.

To understand how it is possible to create such pairs of keys - this is not something that can easily be understood in terms of everyday phenomena - let’s see a very basic example. Imagine you have two numbers, 29 and 1/29. These are mathematically linked because 29 * 1/29 is in fact 1. Now if you take a random number N and multiply it by 29, you obtain the encrypted number N * 29. In order to get your original number back you need to multiply your “encrypted” number not by the same key, 29, as you would end up with a wildly wrong result, N * 29 * 29, but rather by the pair of the key, 1/29, in which case you would obtain the same number back: N * 29 * 1/29 = N.

The above example is too simple to be usable, asymmetric keys are obtained and work in a much more complicated way than this, and they also have the additional fundamental property that it is impossible, or at least very hard (geological times hard), to determine one key by knowing the other. Modern asymmetric cryptography algorithms however do guarantee both these aspects (reversibility and hard to compute asymmetry) and by doing so eliminate the need for prior key exchange. I can give you the number 29 in plain public, even if the entire world sees it, because they would need the other key, the private 1/29, to snoop on any document you encrypt with 29, which I haven’t shared with anyone, not even you. This is why asymmetric cryptography is also called colloquially Public Key Cryptography, as the key that I share is assumed to be public knowledge, and the one I don’t share stays private, hence their names: public key and private key, respectively.

As a side note, from the perspective of the inner workings - the mathematical perspective - the two keys are reciprocal to each other, with no other distinction: anything that one encrypts requires the other key to decrypt, and vice versa. In theory it does not matter which one we make public as long as we don’t mix them up, as that would defeat the purpose. The reasons why we name them and treat them separately are practical in nature, such as the way they are stored. You would want to keep both keys for yourself, whereas you would only want to distribute your public key. Also, you may want to keep your private key under a password, whereas a public key need not be password protected. There are also other, resource-related reasons; for example, to make computation faster, some algorithms may choose to allow a little imbalance between the keys, meaning the public key would be somewhat easier to determine from the private key with cryptanalysis than the other way around. In any case, it is important that you always only share your public key, never the private one.
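The two-number toy from a few paragraphs up can be turned into a working, if tiny, public-key system. The example below is added here and is not code from the original article. It uses textbook RSA, in which the linked pair is two exponents that are inverses of each other modulo (p-1)(q-1), playing the role of 29 and 1/29; the primes 61 and 53 and the exponent 17 are constructed sample values, far too small for real use and chosen only to keep the numbers readable, and the function names are my own. What the checks at the bottom show is the property the side note describes: whichever key of the pair did the transforming, only the other key undoes it, in either direction, and applying the same key twice does not give the original back.

```python
from math import gcd


def make_keypair(p, q, e=17):
    """Textbook RSA key generation from two primes (constructed toy values here).
    Returns (public_key, private_key), each an (exponent, modulus) pair. The two
    exponents are mathematically linked: e * d == 1 modulo (p-1)*(q-1), which is
    what makes one undo the other, just like 29 and 1/29."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)*(q-1)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def transform(number, key):
    """Apply one key to a number. The same operation both encrypts and decrypts;
    which one it is depends only on which key of the pair you hand it."""
    exponent, modulus = key
    if not 0 <= number < modulus:
        raise ValueError("number must be smaller than the modulus")
    return pow(number, exponent, modulus)


def encrypt_text(text, key):
    """Transform a short text one character code at a time. Toy illustration
    of 'encrypt with one key' only; it is not how real systems handle documents."""
    return [transform(ord(ch), key) for ch in text]


def decrypt_text(numbers, key):
    return "".join(chr(transform(n, key)) for n in numbers)


if __name__ == "__main__":
    public, private = make_keypair(61, 53)
    secret = 65
    sealed = transform(secret, public)            # anyone can do this with the public key
    print(transform(sealed, private) == secret)   # only the private key undoes it: True
    print(transform(sealed, public) == secret)    # the same key again does not: False
    # It works the other way round too: what the private key transforms, the public key undoes.
    print(transform(transform(secret, private), public) == secret)   # True
    print(decrypt_text(encrypt_text("RUBICON", public), private))    # RUBICON
```

The modulus and both exponents are printed as plain integers; with these toy primes anyone can factor 3233 by hand and derive the private exponent, which is exactly the “hard to determine one key from the other” property that real key sizes are chosen to provide.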

Asymmetric encryption is very inefficient at encrypting and decrypting so it is not suitable for use on large documents. It’s slow - around 10x slower - and weak by comparison, which means it requires a lot of time and resources to operate and if used on large documents the patterns that inevitably emerge facilitate the cracking of the encryption. However, the combination of properties it has - the fact that you always need the other key to decrypt, and that key is practically impossible to determine from the key you used to encrypt, makes it a very powerful tool that can beautifully complement symmetric encryption when it comes to building CIA information flows. We can see this complementarity as we summarize strengths and weaknesses:

(Image: summary of the strengths and weaknesses of asymmetric encryption. The little thunder cloud in the confidentiality space is there to highlight that asymmetric encryption can indeed guarantee confidentiality, but only for relatively short documents.)


Hashing

The third component in the toolset is also a transformation, but a very different one. Unlike encryption, hashing is an irreversible process - the result of the hashing, the hash, or digest, can no longer be used to recover the source of the hash, the original document. The property that it generates non-information from information, is shared with encryption - a similarity that is especially striking when used on short texts, like passwords - and because of this, hashing is sometimes called irreversible encryption. That said, this is an improper term, as hashing is a very different operation, both by how it works and the purpose it serves, the why.

Hashing was first invented to make indexing of large pieces of text of arbitrary length more efficient by creating a short, fixed length representation of the texts such that they uniquely represented their source. Obviously, there was no way to recreate the text from the hash, otherwise this invention would have been the holy-grail of data compression, but it did not matter because it allowed for fast predictable lookups in databases. It is one thing to compare a text of thousands of characters with a million other texts of comparable lengths, and a very different thing to compare their 32 character hashes. While the original text cannot be reproduced from the hash, some characteristics are preserved, such as, if you were to hash a text multiple times with the same algorithm it will give you the same hash every time, while hashing a different one - having even just one character difference - will result in a different hash. You can see hashes as the DNA of documents. Let’s see a very simple, made-up, hashing algorithm applied to the text that we used above:

DECIMUS, I WILL CROSS THE RUBICON WITH MY TROOPS AND MARCH INTO ROME. WAIT FOR ME AT THE GATES. YOUR FRIEND, JULIUS.


[Image: the ten-cell toy hashing algorithm applied to the text above]

We take a fixed-length array, say ten cells, and we start parsing the text. As we iterate over the characters, we write each character's position in the alphabet into the current cell and then move on to the next cell. We make the rule that each cell can only hold a value from 0 to 9, so if we exceed 9, as we do in the case of the letter “M”, we only keep the last digit (instead of 13, we keep 3 and discard the 1). When we get to the end of the array we treat it like a clock and go back to the beginning, as if the end and the beginning were connected. The first cell is no longer empty (we wrote a number there in the previous round), so instead of just putting a number there, we add it to the one that is already in the cell. If we exceed 9, we again keep only the last digit. When we get to the end of the original text, we stop, and the result is a number, the hash, or digest, which depends heavily on the type, number and order of the characters in the original text.

There are many hashing algorithms - some produce numbers, some texts - but they all share the same characteristic: even a single difference in the source text, in which letters occur, how often, or in what order, will cause the hash to be different. It turns out that this technique is not only useful for finding texts in a database; we can also use this tiny piece of text to verify the integrity of a document - to know whether the document has changed since we last hashed it.

Cryptographic hashing algorithms - the ones dedicated to cryptography - are much more complex and adhere to strict mathematical rigor. They are longer, and even a single character change will generate wildly different hashes, forcing big changes across the entire row, not just one cell. They also offer well-defined probabilities regarding the likelihood that two texts will generate the same hash, which is called a hash collision. This probability is very important because collision is inevitable. Fixed-length outputs mean there are only a finite number of combinations possible - in our example 10 to the power of 10 combinations, or ten billion - but we are hashing texts of arbitrary length. Sooner or later some pair of texts will produce the same hash. If these doppelgangers were easy to create, it would be possible to replace the original text with one that made sense but delivered a different message, all the while the destination was under the impression that the text had not been altered. Unlike my basic example, cryptographic hashing algorithms can make sure that collisions are so rare that an enormous number of computations is needed to hit one, and finding a useful one is even harder, which makes hashing a complementary key pillar in CIA flows:
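To make the two previous passages concrete, here is an added example (not code from the article) that implements the ten-cell toy hash described above, runs it on the Julius message, and contrasts it with SHA-256, a real cryptographic hash. Because the article's picture of the toy algorithm is not reproduced on the page, the code assumes that only the letters A-Z are written into cells (spaces and punctuation are skipped), that A=1 through Z=26, and that each cell keeps only the last decimal digit of its running sum. It also shows the toy hash's weakness: letters ten positions apart (R and H, say) are indistinguishable to it, so "ROME" and "HOME" collide, whereas a one-letter change flips roughly half the bits of a SHA-256 digest. The final function is the integrity use from the text: comparing a stored digest against a freshly computed one.

```python
import hashlib
import hmac
import string

# Constructed sample input: the message used throughout the article.
MESSAGE = ("DECIMUS, I WILL CROSS THE RUBICON WITH MY TROOPS AND MARCH INTO ROME. "
           "WAIT FOR ME AT THE GATES. YOUR FRIEND, JULIUS.")


def toy_hash(text: str, cells: int = 10) -> str:
    """The article's ten-cell toy hash.

    Assumptions (the article's picture is not on the page): only letters A-Z
    are written into cells, everything else is skipped; A=1 ... Z=26; and a
    cell keeps only the last decimal digit of its running sum.
    """
    digest = [0] * cells
    i = 0                                    # index of the next cell to write
    for ch in text.upper():
        if ch not in string.ascii_uppercase:
            continue                         # assumption: skip spaces/punctuation
        pos = ord(ch) - ord("A") + 1         # position in the alphabet
        # "clock" wrap-around across the array, and keep only the last digit
        digest[i % cells] = (digest[i % cells] + pos) % 10
        i += 1
    return "".join(map(str, digest))


def sha256_hex(text: str) -> str:
    """A real cryptographic hash of the same text: a 64-hex-character digest."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def differing_cells(a: str, b: str) -> int:
    """How many positions of two equal-length digest strings differ."""
    return sum(x != y for x, y in zip(a, b))


def differing_bits(hex_a: str, hex_b: str) -> int:
    """How many bits of two equal-length hex digests differ (the avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def integrity_ok(document: str, stored_hex: str) -> bool:
    """The integrity use of hashing: has the document changed since it was hashed?

    compare_digest is a constant-time comparison, so the check does not leak
    how many leading characters of the digest matched.
    """
    return hmac.compare_digest(sha256_hex(document), stored_hex)


if __name__ == "__main__":
    altered = MESSAGE.replace("ROME", "ROMA")   # a single-letter change
    forged = MESSAGE.replace("ROME", "HOME")    # R=18 and H=8 end in the same digit

    print("toy    original:", toy_hash(MESSAGE))
    print("toy    altered :", toy_hash(altered),
          "cells changed:", differing_cells(toy_hash(MESSAGE), toy_hash(altered)))
    print("toy    forged  :", toy_hash(forged),
          "collision:", toy_hash(forged) == toy_hash(MESSAGE))
    print("sha256 original:", sha256_hex(MESSAGE))
    print("sha256 altered :", sha256_hex(altered),
          "bits changed:", differing_bits(sha256_hex(MESSAGE), sha256_hex(altered)))

    stored = sha256_hex(MESSAGE)                # what the recipient has on file
    print("integrity of original:", integrity_ok(MESSAGE, stored))
    print("integrity of forged  :", integrity_ok(forged, stored))
```

Run as a script, the toy digest of the original and of the "HOME" forgery are identical, the one-letter "ROMA" change touches exactly one cell of the toy digest, and the same change moves about 128 of the 256 bits of the SHA-256 digest; the forgery is caught by the SHA-256 integrity check but would pass a check built on the toy hash.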

[Image: hashing as a pillar in the CIA flows chart]


Putting it all together

So there they are, the three fundamental elements of cryptography that are needed (the minimum necessary) to establish any CIA use-case. Alone, each of them is more or less useless, but in combination they become very powerful, because they complete each other in ways that allow us to create the basis of secure communication.

[Image: the three elements of cryptography mapped against the CIA triad]

I only left availability in this chart to highlight that the field of encryption cannot help with the availability aspect of the CIA security triad. As I mentioned earlier and will discuss several chapters later (at the ransomware use-case), encryption, when used improperly or with ill intent, can in fact impact the availability of information - a highly important component of security. This stands as proof that encryption is a very powerful tool that we should not take lightly, as it can very well become a weapon in the wrong hands. In any case, until we get to that chapter, I will assume availability to be out of scope, the emphasis being on the other key components: confidentiality, integrity and key exchange.

***

In this chapter, there were quite a few concepts to cover, so I only briefly touched on the real world uses of encryption and why the different tools of cryptography are necessary to solve these use-cases. Cyberspace is a strange place, very different from our reality, and seemingly simple things, like trust, or identity, that we take for granted in the real world, are in fact very difficult to solve in cyberspace. With the next chapter, I will start discussing what these things mean in cyberspace, why they are necessary when it comes to the usefulness of the Internet, and the roles cryptography and its elements play in achieving the goal.

Until then, I am keen to hear your comments on this chapter, and curious to hear the use-cases you find most intriguing and complicated. Don’t shy away from the hard questions. I am happy to discuss and brainstorm on them even if I don’t have an answer. The reality is, some of these use cases are so complicated that they are as of yet unresolved, which is why cybersecurity is how it is, and why we are discussing these things in the first place.
