
STANFORD EMERGING TECHNOLOGY REVIEW

03

CRYPTOGRAPHY

KEY TAKEAWAYS

• Cryptography is essential for protecting information but will never be enough to secure cyberspace.

• Cryptocurrencies have received a great deal of media attention, but they are not the most important issue in cryptography today.

• Cryptocurrencies use blockchain technology, but they are not the same; blockchain has many other important and promising applications.

Overview

The word cryptography originates from Greek words that mean “secret writing.” In ancient times, cryptography involved the use of ciphers and secret codes. Today it relies on sophisticated mathematics to protect data from being altered or accessed inappropriately.1 We are typically unaware that many of our day-to-day interactions with computers and the internet involve cryptography, from securing our online shopping to protecting our cell phone calls.

Cryptography is often invisible, but it is essential for most internet activities such as messaging, e-commerce, banking, or even simple internet browsing. Yet cryptography alone will never be enough to ensure the confidentiality, integrity, or availability of information. Inherent vulnerabilities in the software code that underpins all our internet-connected devices and the strong incentives for bad actors—from criminals to nation states—to engage in cyberattacks that exploit human and technical vulnerabilities help to explain why cybersecurity will be an ongoing challenge.

Cryptography Basics: Public Keys, Private Keys, and Hashes

Here’s an example: Drew has a private message intended only for Taylor. To keep it confidential, she scrambles (encrypts) the message using an encryption algorithm and transmits the scrambled message to Taylor as ciphertext. When Taylor receives the ciphertext, he unscrambles (decrypts) it to reveal what it originally said. This piece of decrypted text is known as the plaintext. Along comes Ellen, a third-party eavesdropper who wants to see the plaintext, so she must use any means at her disposal to break the cryptographically provided protection.

An example of an encryption algorithm is the shift cipher. Each letter in the plaintext is replaced by a letter that is some fixed number N of positions later in the alphabet. For example, if N = 2, Drew substitutes an A in the plaintext with a C in ciphertext, B in plaintext with D in ciphertext, and so on. If N = 3, then Drew substitutes A in plaintext with D in ciphertext. To decrypt the ciphertext, Taylor must know that Drew is using the shift cipher and must also know the value of N so that he can invert it. For example, knowing that N = 2, he knows to write down A when he sees C in the ciphertext. (Note that modern encryption algorithms are more sophisticated and secure than what has been presented here; they are also harder to explain.)

In this scenario, both Drew and Taylor must share a secret piece of information—the cryptographic key, which is a string of numbers needed both to encrypt and to decrypt the message. Drew and Taylor must also know that the algorithm is the shift cipher. If Ellen somehow learns both of those facts, Ellen can decrypt the message as well. This type of encryption algorithm—of which the shift cipher is an example—is known as symmetric cryptography, or secret-key cryptography. It requires a secure key distribution, which is a method of distributing secret keys to all parties who should have them—but preventing those who shouldn’t from obtaining them.

Symmetric key cryptography proved to be inconvenient and awkward because it requires in-person, physical effort ahead of the first secure communication to be had between the communicating parties, which makes it hard to talk to new people over the internet. In the 1970s, Stanford professor Martin Hellman and Whitfield Diffie codeveloped a technique known as asymmetric cryptography or public-key cryptography. Public-key cryptography relies on a public key for encrypting messages that is freely available to everyone, which means it can be widely distributed even over insecure channels. However, decrypting a message requires a private key that is held only by the authorized party (see figure 3.1).2 Although it is theoretically possible to derive a private key from a public key, that process (if well designed) would take much too long for practical purposes (e.g., it would take longer than the age of the universe). It is this essential property that is placed at risk by quantum computing, as discussed below.

The mathematics of cryptography also underlie the creation of secure hashes. A hash is designed to accept a message of any length and compute a unique fixed-length string of numbers—called the hash value—corresponding to that message. Hashes have two key properties. First, it is extremely difficult to find another message that results in the same string of numbers. Second, if all you have is the string of numbers, it is infeasible to recover the original message.

Using a secure hash function, the sender can use public-key cryptography to provide assurances of integrity—information that cannot be tampered with or altered in any way—and identity, in that the originator of the message is who he or she claims to be.

To illustrate, Alice (the sender) first computes the hash value of her message. Next, she encrypts the hash value with her private key, a process analogous to signing a document, generating a “digital signature” of the message’s hash.3 Alice then sends the message and its digital signature to Bob (the receiver).

Upon receipt of the message, Bob can recover the hash value for the message that Alice purportedly sent and compare that value to his own computation of the hash value. If these match, Bob can be assured that the message has not been altered in transmission and also that Alice was the party who sent it, since only Alice could have used Alice’s private key to create a digital signature of the message’s hash.

Messages can also be digitally time-stamped. A known authoritative time and date server—such as the Internet Time Servers operated by the National Institute of Standards and Technology—accepts a message, appends the current date and time, and then provides a digital signature for the stamped message.

Blockchain

Blockchain is a cryptographic technology for creating distributed ledgers in the computing cloud. A blockchain records transactions so that they cannot be altered retroactively without detection. Because the entire blockchain can be distributed over thousands of computers, it is always accessible; anyone can deploy an application for it, and no one can prevent any such deployment. Moreover, anyone can interact with this application, and no one can prevent such an interaction. Finally, data cannot be erased. Later transactions may indicate that corrections are necessary, but the original data remain.

A blockchain can be visualized as a chain of blocks where each block contains a single transaction and a cryptographic hash of the previous block, creating a chain in which every block except the first is linked to the previous block. As more transactions occur, the blockchain gets longer because more blocks are added to the chain.
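The hash-linked structure just described, as an added example (not code from the original chapter): each block holds one transaction and the SHA-256 hash of the block before it, an in-place edit breaks the next link, and a copy that has been re-linked after the edit still ends in a different head hash than the one honest replicas hold. The block layout, function names and sample transactions are constructed for illustration.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64  # stand-in "previous hash" for the first block


def block_hash(block):
    """SHA-256 over a canonical JSON encoding of the block's fields."""
    payload = json.dumps(
        {"index": block["index"], "tx": block["tx"], "prev": block["prev"]},
        sort_keys=True,
    ).encode()
    return hashlib.sha256(payload).hexdigest()


def build_chain(transactions):
    """One transaction per block; each block stores its predecessor's hash."""
    chain, prev = [], GENESIS_PREV
    for i, tx in enumerate(transactions):
        block = {"index": i, "tx": tx, "prev": prev}
        chain.append(block)
        prev = block_hash(block)
    return chain


def head_hash(chain):
    """Hash of the newest block; it commits to every block before it."""
    return block_hash(chain[-1])


def first_broken_link(chain):
    """Index of the first block whose 'prev' does not match the hash of the
    block before it, or None if every link checks out."""
    prev = GENESIS_PREV
    for block in chain:
        if block["prev"] != prev:
            return block["index"]
        prev = block_hash(block)
    return None


def relink_after_edit(chain, index, new_tx):
    """Copy the chain, change one transaction, and recompute every later
    'prev' field so the copy is internally consistent again."""
    copy = [dict(b) for b in chain]
    copy[index]["tx"] = new_tx
    for i in range(index + 1, len(copy)):
        copy[i]["prev"] = block_hash(copy[i - 1])
    return copy


# Constructed sample ledger.
TXS = ["A pays B 5", "B pays C 2", "C pays A 1", "A pays C 4"]


def demo():
    honest = build_chain(TXS)
    trusted_head = head_hash(honest)       # what the other replicas hold

    edited = [dict(b) for b in honest]
    edited[1]["tx"] = "B pays C 200"       # retroactive edit, links untouched
    relinked = relink_after_edit(honest, 1, "B pays C 200")

    return {
        "honest_ok": first_broken_link(honest) is None,
        "edit_detected_at": first_broken_link(edited),
        "relinked_links_ok": first_broken_link(relinked) is None,
        "relinked_head_matches": head_hash(relinked) == trusted_head,
    }


if __name__ == "__main__":
    print(demo())
```

The link check alone catches the in-place edit; catching the re-linked copy depends on comparing its head hash with the one held by other replicas, which is why distribution of the ledger matters.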

FIGURE 3.1 How public-key cryptography works

[Figure: Drew uses Taylor’s public key to encrypt an email to Taylor; Taylor uses Taylor’s private key to decrypt the message.]
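The sign-and-verify exchange between Alice and Bob and the time-stamping server described earlier in this chapter, as an added example rather than code from the original text. It uses unpadded textbook RSA over toy keys built from Mersenne primes, an assumption made so the block runs with the standard library alone; deployed systems use padded or elliptic-curve signature schemes. All names, messages and the time value are constructed.

```python
import hashlib


def make_keypair(p, q, e=65537):
    """Toy RSA key pair from two primes (illustration only)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent
    return {"n": n, "e": e}, {"n": n, "d": d}


# Assumption: Mersenne primes are used because they are easy to write down.
# Their special form makes these keys unsuitable for any real use.
ALICE_PUB, ALICE_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
TSA_PUB, TSA_PRIV = make_keypair(2**607 - 1, 2**1279 - 1)


def digest_int(message):
    """SHA-256 hash value of the message, as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message, priv):
    """Alice's step: 'encrypt' the hash value with the private key."""
    return pow(digest_int(message), priv["d"], priv["n"])


def verify(message, signature, pub):
    """Bob's step: recover the signed hash value with the public key and
    compare it with his own hash of the message he received."""
    recovered = pow(signature, pub["e"], pub["n"])
    return recovered == digest_int(message)


def timestamp(message, when, tsa_priv):
    """Time server's step: append the date and time, then sign the result."""
    stamped = message + b"|" + when.encode()
    return stamped, sign(stamped, tsa_priv)


def demo():
    message = b"Pay Bob 10 dollars"               # constructed sample
    signature = sign(message, ALICE_PRIV)

    stamped, tsa_sig = timestamp(message, "2023-08-15T12:00:00Z", TSA_PRIV)
    backdated = stamped.replace(b"2023", b"2021")  # altered time field

    return {
        "genuine": verify(message, signature, ALICE_PUB),
        "altered_message": verify(b"Pay Bob 1000 dollars", signature, ALICE_PUB),
        "wrong_signer": verify(message, signature, TSA_PUB),
        "stamp_ok": verify(stamped, tsa_sig, TSA_PUB),
        "stamp_backdated": verify(backdated, tsa_sig, TSA_PUB),
    }


if __name__ == "__main__":
    print(demo())
```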

FIGURE 3.2 How a blockchain manages transactions

1. A wants to send money to B
2. The transaction is represented online as a “block”
3. The block is broadcast to every party in the network
4. Those in the network confirm the validity of the transaction
5. The block then can be added to the chain, which provides an indelible and transparent record of transactions
6. The money moves from A to B

The distributed nature of blockchain also increases security. A new transaction is broadcast to every party in the network, each of which has a replica of the entire blockchain (see figure 3.2). Each party tries to validate the new transaction. It could happen that these replicas may not be fully synchronized; some might have received the new transaction while others did not. To ensure that all replicas are identical, blockchains have mechanisms for coming to consensus on the correct information. Ethereum, for example, accepts transactions that have been validated by two-thirds of the participants. Blockchains are designed with economic incentives for replicas to behave honestly.

Applications that run on a blockchain are called smart contracts. These are computer programs that are always available and whose execution cannot be reversed—once a smart contract processes an incoming request, that processing cannot be reversed. Smart contracts can be used to implement financial instruments, to record ownership of digital assets, and to create marketplaces where people can buy and sell assets. Smart contracts are composable—one smart contract can use another—thus creating a vibrant ecosystem of innovation where one project can make use of a service developed by another project. Once deployed, they are available forever, running whenever someone interacts with them. By contrast, cloud computing applications are inherently transient—as soon as the application developer stops paying the cloud fees, the cloud provider kills the application.



Key Developments

A Host of Blockchain Applications

Blockchain technology was developed decades ago but has recently been used for a variety of applications. All those listed below have been implemented in some form and are operational today, though perhaps not on particularly large scales.

Time-stamping and data provenance. Because data written to a blockchain cannot be modified or removed, blockchains provide a good mechanism for data provenance and time-stamping. An artist or an author who creates a new work of art can post a hash of the work to the chain, thereby proving the time at which the object was created. If later someone else claims authorship of the creation, the artist can point to the chain to prove its provenance.

Identity management. A blockchain stores all the data from a person’s important documents—diplomas, health-care and financial records, tax returns, birth certificate—in encrypted form. These original records are saved digitally, signed by their original providers, and, when made available through the blockchain, provided with provenance and time-stamping. Blockchain also facilitates selective revelation: upon request, the person can authorize release of data only to the minimal extent necessary to satisfy the request. For example, people can prove that their age is above some legal minimum, like twenty-one, but not have to reveal their date of birth. A person can allow a health-care researcher to look at her records for specific data—for example, whether she has ever had an abortion—without revealing her name. Applications of blockchain for identity management, such as SpruceID, are already being deployed.4

Supply chain management. Blockchain can provide a transparent and secure way to track the movement of goods and their origin and quantity. This can be particularly valuable for high-value industries, such as the diamond industry; industries with significant counterfeit issues, such as luxury goods; or industries where the true source of goods is important, such as organic or vegan food. Blockchain can greatly simplify the job of forensic accountants trying to trace transactions.

Transactional records. Many kinds of transactional records can be stored on a blockchain, thereby streamlining the process of buying and selling items by reducing fraud, increasing transparency, reducing paperwork, and making the process more efficient.

Cryptocurrencies. Cryptocurrencies are digital instruments that many people use as a medium of exchange. Well-known cryptocurrencies include Bitcoin, Ethereum, Avalanche, and Polygon, each with its own unique features and applications. Because they are not issued by any central authority, they are not subject to the same national regulatory regimes that govern traditional currencies (i.e., so-called fiat currencies). Cryptocurrencies use a blockchain structure to ensure the integrity and immutability of transaction data, making it resistant to fraud and counterfeiting and reducing its susceptibility to government interference or manipulation. Contrary to a common belief, cryptocurrencies can but do not have to support private or secret transactions—indeed, the most popular cryptocurrencies deliberately do not hide the details of their transactions. Those who transact in cryptocurrencies often wish to exchange their instruments for fiat currency, or real dollars, and generally use a cryptocurrency exchange to do so. Such exchanges are regulated financial institutions that transact in investments rather than currency.

Secure Computation

The field of cryptography has also expanded in scope to include secure computation, a well-established subfield that enables multiple parties to contribute inputs to a function that they jointly compute in such a way that the specific inputs from each party are kept secret from the others. Secure computation enables data privacy during computation, ensuring that no party learns more information about the other parties’ inputs than what can be inferred from the result alone. Secure computation also allows users to prove they possess knowledge of a statement without having to disclose the actual content of that statement.

To illustrate secure computation, consider the problem of determining the collective wealth of three people while keeping the individual wealth of each person secret. Alice chooses a large random number and in secret adds her wealth to that number. Alice then gives the sum to Bob privately, who adds his wealth secretly to the number received from Alice. Bob secretly passes the total to Charlie, who does the same computation and then passes the result to Alice. Alice then in secret subtracts her original random number from the number received from Charlie and reveals the result to everyone else. That revealed number is the sum of each party’s wealth but at no time does anyone learn of anyone else’s wealth.5

This example is oversimplified (in fact, there is a subtle flaw in the procedure described). It’s not exactly how a real-world secure computation works, but it suggests how computation on secret data might be accomplished. True secure computation protocols use more complex mathematics to defend against malicious behavior and to guarantee the privacy of each person’s input during the computation process.

Applications of secure computation allow data analytics to be performed on aggregated data without disclosing the data associated with any individual element of the dataset. Banks can detect fraud without violating the privacy of individual customers. A group of workers can calculate their average salary without revealing their colleagues’ personal pay. A Stanford system called Prio allows for a network of connected computers to work together to compute statistics, with clients holding their individual data privately.6 This was deployed, for example, on mobile phones during COVID to calculate how many people were exposed to COVID in aggregate, without learning who was exposed.

Zero-Knowledge Proofs

A zero-knowledge proof is a cryptographic method that allows Paul (the prover) to prove to Vivian (the verifier) that Paul knows a specific piece of information without revealing to Vivian any details about that information. The term “zero-knowledge” indicates that Vivian gains zero new knowledge about the information in question, apart from the fact that what Paul is saying is true.

Consider a simplified example that demonstrates the logic: two people dealing with a locked safe. Let’s say Paul wants to prove to Vivian that he knows the combination to the safe, but he doesn’t want to reveal the combination to Vivian. With a zero-knowledge proof, Paul can convince Vivian that he knows the combination without exposing the combination itself.

To do so, Vivian writes something on a piece of paper and does not show it to Paul. Together, they put the paper into the safe and spin the combination lock. Vivian now challenges Paul to say what is on the paper. Paul responds by asking Vivian to turn around (so that Vivian cannot see Paul) and then enters the combination of the safe, opens it, looks at the paper and returns it to the safe, and closes it. When Vivian turns around, Paul tells her what was on the paper. Paul has thus shown Vivian that he knows the combination without revealing to Vivian anything about the combination.

In practice, of course, zero-knowledge proofs are more complex, yet they already have seen real-world implementations:

Banking. A buyer may wish to prove to a seller the possession of sufficient funds for a transaction without revealing the exact amount of those funds. This capability has been implemented in the Zcash cryptocurrency.7



Provenance for digital images. Cameras can provide a digital signature for every photo capturing an image and information about the time, date, and location. But such photos can then be digitally cropped, resized, or converted from color to black-and-white. Zero-knowledge proofs have been implemented in the standards of the Coalition for Content Provenance and Authenticity to ensure that the original photo was properly signed and that only permissible edits were made to the original without having to trust the editing software that was used.8

Cooperative tracking and verification of numbers of tactical nuclear warheads. A zero-knowledge proof methodology has been developed to cooperatively provide updates on the movement and status changes of warheads in accordance with a political agreement to do so without revealing other sensitive information. This approach has not yet been implemented in any real arms control agreement, but its feasibility has been demonstrated in principle.9

Over the Horizon

Impact of Cryptography

The applications described above suggest a broad range of possibilities for cryptographically enabled data management services. Whether we will see their widespread deployment depends on complicated decisions about economic feasibility, costs, regulations, and ease of use.

Misaligned incentives can affect how fast innovations are deployed. Some of the applications described above provide significant benefits for the parties whose data can be better protected and kept more private. But existing companies, having built their business models on legacy systems that ingest all their customers’ data, have no incentive to change their practices. They are the ones who would have to pay for these privacy-protecting capabilities, yet they would not benefit from their adoption.

A second point is that widespread deployment will require confidence that proposed innovations will work as advertised. That is, would-be users of these innovations must have confidence in them. But concepts such as secure computation and zero-knowledge proofs are math heavy and counterintuitive to most people. Expecting policymakers, consumers, and regulators to place their trust in these applications will be challenging.

Challenges of Innovation and Implementation

Although cryptography is fundamentally a mathematical discipline, it requires both human talent and substantial computing resources to examine the efficiency of new techniques, write software that is computationally expensive such as zero-knowledge provers, and conduct comprehensive scans of the internet. Progress also relies on interdisciplinary centers that bring together faculty from different fields to share problem sets and understand the potential benefits that cryptographically enabled techniques and approaches could provide.

Research is funded by both the US government and private industry, but funding from the US government is subject to many requirements that increase the difficulty of proposal submission manyfold (as much as a factor of sixty). Thus, research faculty often tend to prefer arrangements with the private sector, which tend to be much simpler. On the other hand, only the US government is able to fund research that may not pay off for many years (as in the case of quantum computing).

Policy, Legal, and Regulatory Issues

As a rule, public policy considerations are application specific; there has been no push to regulate basic research in cryptography for several decades.

Quantum-resistant algorithms are expected to be widely
available by the time quantum computing comes online.

EXCEPTIONAL ACCESS

Exceptional access regulations would require communications carriers and technology vendors to provide US law enforcement agencies access to encrypted information (both data storage and communications) under specific legal conditions. Opponents of exceptional access argue that implementing this capability inevitably weakens the security afforded by encryption to everyone. Supporters of exceptional access do not debate this technical assessment: it is true that exceptional access, by definition, weakens encryption. However, they argue that even if lower security is the result of implementing exceptional access, that price is worth the benefits to law enforcement.10

CRYPTOCURRENCY REGULATORY CONCERNS

Particularly considering the 2023 FTX trading scandal, in which the FTX cryptocurrency exchange went bankrupt and founder Sam Bankman-Fried was charged with fraud, many have questioned the extent to which cryptocurrencies should be exchangeable for national currency and whether they are better regulated as investment instruments or as currency. The lack of a regulatory framework for cryptocurrency affects many American users, consumers, and investors who are often confused about the basic workings of cryptocurrencies and their markets.

ENERGY CONSUMPTION

Bitcoin, an older and today the dominant cryptocurrency, consumes an enormous amount of energy; Bitcoin mining uses more energy than the Netherlands.11 For this reason, newer blockchains—notably Ethereum—are designed to use far less energy, and today, Ethereum’s annual energy use is less than 1/10,000 of YouTube’s annual consumption. But Ethereum’s market capitalization is less than half that of Bitcoin, and whether any less energy-intensive cryptocurrency will displace Bitcoin remains to be seen.

QUANTUM COMPUTING AND CRYPTOGRAPHY

Current public-key cryptography is based on the long times required with today’s computers to derive a private key from its public-key counterpart. When realized, quantum computing (discussed more fully in chapter 8 on semiconductors) will pose a significant threat to today’s public-key algorithms. Experts disagree on how long it will take to build quantum computers that are capable of this, but under the May 2022 National Security Memorandum 10, “Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems,” the US government has initiated the transition to quantum-resistant public-key algorithms. Many experts in the field expect quantum-resistant algorithms will be widely available by the time quantum computing comes online.

At the intersection of quantum computing and cryptography are two important issues. The first is that support for the transition to a quantum-resistant encryption environment should continue with urgency and focus.

A second issue is that messages protected by pre-quantum cryptography will be vulnerable in a post-quantum world. If those messages had been saved by adversaries (likely in the case of parties like Russia), those bad actors will be able to read a host of old messages. Containing secrets from the past, they may reveal embarrassments and dangers with potentially detrimental policy implications.12

CENTRAL BANK DIGITAL CURRENCIES AND THE EROSION OF US FINANCIAL INFLUENCE

A central bank digital currency (CBDC) is a type of cryptography-based digital currency issued and regulated by a country’s central bank, with legal tender status and value equivalent to the country’s traditional currency—that is, digital assets backed by central banks. A CBDC can be designed with any number of the functional characteristics of cryptocurrencies and thus can be regarded as a “national cryptocurrency.” However, a CBDC could be implemented in a centralized manner to improve performance and efficiency instead of using distributed blockchain technology.

An important benefit of a CBDC is the marriage of convenience and lower costs of digital transactions—by cutting out middlemen—and the regulatory oversight of traditional banking. In 2021, nearly six million Americans had no access to a bank account. Lower transaction costs would improve financial inclusion and enable many more people to have access to a well-regulated financial system. Those lower costs would also apply to cross-border transactions, therefore reducing the costs of international commerce.

The United States is considering issuing its own CBDC.13 Although the dollar is the currency most used in cross-border transactions, the development of CBDCs by others could reduce global dependence on the dollar and on a financial infrastructure largely controlled today by the United States (e.g., SWIFT). This could significantly undermine the effectiveness of US economic sanctions and other financial tools. Today, more than ninety nations are researching, piloting, or deploying CBDCs, with several already testing cross-border transactions. China is the first major country to deploy a CBDC widely within its own economy, the digital yuan.14

NOTES

1. National Institute of Standards and Technology, “Cryptography,” accessed August 15, 2023, https://www.nist.gov/cryptography.
2. Whitfield Diffie and Martin Hellman, “New Directions in Cryptography,” IEEE Transactions on Information Theory IT-22, no. 6 (November 1976): 644–54.
3. In this context, encrypting the hash value simply means running the encryption algorithm using as the input key a string of numbers that just happen to be Alice’s private key. In most cases involving public-key cryptography, the private key is used only for decryption purposes, but nothing stops a user from using it in other ways.
4. https://www.spruceid.com.
5. This example is inspired by Keyless Technologies, “A Beginner’s Guide to Secure Multiparty Computation,” Medium, February 22, 2020, https://medium.com/@keylesstech/a-beginners-guide-to-secure-multiparty-computation-dc3fb9365458.
6. See “Prio,” Stanford University, accessed September 25, 2023, https://crypto.stanford.edu/prio.
7. Zcash, “What Are Zero-Knowledge Proofs?,” accessed August 30, 2023, https://z.cash/learn/what-are-zero-knowledge-proofs.
8. Trisha Datta and Dan Boneh, “Using ZK Proofs to Fight Disinformation,” Medium, September 29, 2009, https://medium.com/@boneh/using-zk-proofs-to-fight-disinformation-17e7d57fe52f.
9. Miles A. Pomper et al., OP55: Everything Counts: Building a Control Regime for Nonstrategic Nuclear Warheads in Europe, CNS Occasional Paper Series, James Martin Center for Nonproliferation Studies, May 10, 2022, https://nonproliferation.org/op55-everything-counts-building-a-control-regime-for-nonstrategic-nuclear-warheads-in-europe.
10. US Department of Justice, “Attorney General William P. Barr Delivers Keynote Address at the International Conference on Cybersecurity,” July 23, 2019, https://www.justice.gov/opa/speech/attorney-general-william-p-barr-delivers-keynote-address-international-conference-cyber.
11. Digiconomist, “Bitcoin Energy Consumption Index,” accessed September 16, 2023, https://digiconomist.net/bitcoin-energy-consumption.
12. Herbert Lin, “A Retrospective Post-Quantum Policy Problem,” Lawfare, September 14, 2022, https://www.lawfaremedia.org/article/retrospective-post-quantum-policy-problem.
13. Federal Reserve, “Central Bank Digital Currency (CBDC): Frequently Asked Questions,” accessed August 15, 2023, https://www.federalreserve.gov/cbdc-faqs.htm.
14. Darrell Duffie and Elizabeth Economy, eds., Digital Currencies: The US, China, and the World at a Crossroads (Stanford, CA: Hoover Institution, 2022), https://www.hoover.org/sites/default/files/research/docs/duffie-economy_digitalcurrencies_web_revised.pdf.
