LETTER TO THE EDITOR OF THE NOTICES OF THE AMS
====================================================

To the editor,

In the famous joke, a mathematician would not infer the color of a sheep's right side from its left side. But Neal Koblitz, in his article on "The Uneasy Relationship Between Mathematics and Cryptography", makes quite a few broad generalizations from a handful of anecdotes.

I found particularly misleading Koblitz's comments on proving security of cryptographic protocols, which he calls an "over-hyped" idea that only leads to "false confidence". Proofs of security of cryptographic protocols are standard mathematical proofs and in that sense are no more over-hyped, nor give more false confidence, than proofs in calculus. Of course, as with any mathematical statement, three questions arise: (1) What exactly is the statement being proven? (2) If the statement is an implication, do we have reason to believe that the antecedent is true? (3) Is the proof correct?

In this note and his previous essays with Menezes, Koblitz finds cases where security proofs are lacking in one or more of these points, and generalizes these to a blanket criticism of security proofs. Even though I agree there might be a bit more "crazy" assumptions and incorrect proofs in cryptography than in other areas of mathematics, this is to be expected in such a young and vibrant field. As time progresses we should see more repeated validation of central results, and gain a better understanding of which assumptions are solid and which are not. (Perhaps eventually some of these assumptions will be proven, although at the moment they seem to be as hard as mathematical questions that went unresolved for centuries.)

As in any mathematical discipline that attempts to model reality, Point (1), the meaning of the statement being proven, is where cryptography has an inherent difficulty. We all know that the impossibility of angle trisection depends on the precise definition of allowed operations, but none of us relies on this result to protect our credit card information. Here indeed, cryptographers have sometimes misstepped and inadequately modeled the scenarios in which their system could be attacked, leading to systems that, regardless of whether they have proofs of security, are in fact insecure in practice. But the problem is not inherently with proofs of security but rather with cryptography itself, a notoriously difficult subject which over its long history has seen many great minds miss some subtle points and design systems that were eventually broken. In fact, the only way to systematically improve the security of systems is to insist on precise modeling and definitions, and then to study these definitions using mathematical proofs, on the way identifying and correcting subtle weaknesses in protocols. Indeed, Koblitz's anecdote on the MQV and HMQV protocols demonstrates precisely how careful definitions and insistence on proofs can direct an incremental process towards more secure protocols.

Best,

Boaz Barak
Assistant Professor of Computer Science
Princeton University