This excerpt from the Stanford Emerging Technology Review (SETR) focuses on cryptography, one of ten key technologies studied in this new educational initiative. SETR, a project of the Hoover Institution and the Stanford School of Engineering, harnesses the expertise of Stanford University’s leading science and engineering faculty to create an easy-to-use reference tool for policy makers. Download the full report here and subscribe here for news and updates.
Cryptography originates from Greek words that mean “secret writing.” In ancient times, cryptography involved the use of ciphers and secret codes. Today, it relies on sophisticated mathematical models to protect data from being altered or accessed inappropriately. Cryptography is often invisible, but it is essential for most Internet activities such as messaging, e-commerce, and banking.
In recent years, a type of cryptographic technology called blockchain—which records transactions in distributed ledgers in the computing cloud that cannot be altered retroactively without being detected—has been used for a variety of applications, including time stamping and ensuring the provenance of information, identity management, supply chain management, and cryptocurrencies. Blockchain technologies can provide a transparent, secure way to track the movement of goods, their origin, quantity, and so forth, thereby improving efficiency in global supply chains and limiting underground or illegal extractions of certain materials.
The field of cryptography has also expanded in scope to include secure computation, a well-established subfield that enables multiple parties to contribute inputs to a function that they jointly compute in such a way that the specific inputs from each party are kept secret from the others.
Cryptography alone will never be enough to ensure the confidentiality, integrity, or availability of information. Inherent vulnerabilities in the software code that underpins all our Internet-connected devices, and the strong incentives for bad actors—from criminals to nation states—to engage in cyberattacks that exploit human and technical vulnerabilities help to explain why cybersecurity will be an ongoing challenge.
Bringing it into the future
There is a broad range of possibilities for cryptographically enabled data management services. Whether we will see their widespread deployment depends on complicated decisions about economic feasibility, costs, regulations, and ease of use.
Misaligned incentives can affect how fast innovations are deployed. Some cryptographic applications provide significant benefits for the parties whose data can be better protected and kept more private. But existing companies, having built their business models on legacy systems that ingest all their customers’ data, have no incentive to change their practices. They are the ones who would have to pay for these privacy-protecting capabilities, yet they would not benefit from their adoption.
A second point is that widespread deployment of cryptographic innovations will require confidence that the proposed innovations will work as advertised. That is, would-be users must have confidence in them. But concepts such as secure computation and zero-knowledge proofs are math-heavy and counterintuitive to most people. Expecting policy makers, consumers, and regulators to place their trust in these applications will be challenging.
Although cryptography is fundamentally a mathematical discipline, it requires both human talent and substantial computing resources to examine the efficiency of new techniques, write software that is computationally expensive, and conduct comprehensive scans of the Internet. Progress also relies on interdisciplinary centers that bring together faculty from different fields to share problem sets and understand the potential benefits that cryptographically enabled techniques and approaches could provide.
Research is funded by both the US government and by private industry, but funding from the US government is subject to many requirements that increase the difficulty of proposal submission manyfold (as much as a factor of sixty). Thus, research faculty often tend to prefer arrangements with the private sector, which tend to be much simpler. On the other hand, only the US government is able to fund research that may not pay off for many years (as in the case of quantum computing).
Policy, legal and regulatory issues
As a rule, public policy considerations are application specific; there has been no push to regulate basic research in cryptography for several decades.
Exceptional access
Exceptional access regulations would require communications carriers and technology vendors to provide US law enforcement agencies access to encrypted information (both data storage and communications) under specific legal conditions. Opponents of exceptional access argue that implementing this capability inevitably weakens the security afforded by encryption to everyone. Supporters of exceptional access do not debate this technical assessment: it is true that exceptional access, by definition, weakens encryption. However, they argue that that even if lower security is the result of implementing exceptional access, that price is worth the benefits to law enforcement.
Cryptocurrency regulation
Particularly considering the FTX scandal, during which the FTX cryptocurrency exchange went bankrupt and founder Sam Bankman-Fried was convicted of fraud, many have questioned the extent to which cryptocurrencies should be exchangeable for national currency and whether they are better regulated as investment instruments or as currency. The lack of a regulatory framework for cryptocurrency affects many American users, consumers, and investors who are often confused about the basic workings of cryptocurrencies and their markets.
Energy consumption
Bitcoin, an older and today the dominant cryptocurrency, consumes an enormous amount of energy. Bitcoin mining uses more energy than the Netherlands. For this reason, newer blockchains—notably Ethereum—are designed to use far less energy, and today, Ethereum’s annual energy use is less than one ten-thousandth of YouTube’s annual consumption. But Ethereum’s market capitalization is less than half that of Bitcoin, and whether any less energy-intensive cryptocurrency will displace Bitcoin remains to be seen.
Quantum computing
Current public-key cryptography is based on the long times required with today’s computers to derive a private key from its public-key counterpart. When realized, quantum computing will pose a significant threat to today’s public-key algorithms. Experts disagree on how long it will take to build quantum computers that are capable of this, but under the May 2022 National Security Memorandum 10, “Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems,” the US government has initiated the transition to quantum-resistant public-key algorithms. Many experts in the field expect quantum-resistant algorithms will be widely available by the time quantum computing comes online.
At the intersection of quantum computing and cryptography are two important issues. The first is that support for the transition to a quantum-resistant encryption environment should continue with urgency and focus.
A second issue is that messages protected by pre-quantum cryptography will be vulnerable in a post-quantum world. If those messages had been saved by adversaries (likely in the case of parties like Russia), those bad actors will be able to read a host of old messages. Containing secrets from the past, they may reveal embarrassments and dangers with potentially detrimental policy implications. Managing potential fallout from the quantum future is a policy problem that will need to be faced when quantum computers come online.
