Friday, 5 March 2021

Do You Want to Be a Cryptographer?

 Alan Turing
I've been interested in information security since 2003, but it wasn't until I enrolled on the cryptography module — while studying for a Master's in Advanced Computer Science in England in 2018 — that I started getting more keen on the mathematical side of cryptography; perhaps it was in part because I cherish mathematics and had the right cryptography teacher. What's more, I admire Alan Turing since he strove to do good work in difficult conditions during World War II; his work saved millions of lives. All of these things together inspired me to immerse myself in the world of cryptography.

Not so long ago, I started considering doing a PhD in cryptography, but I had also heard about security engineering and then I got a bit confused. Generally speaking, there are two different specialities that are easily confused: cryptography and security engineering. You might also have heard about 'applied cryptography' and 'pure cryptography'. For cryptographers, cryptography is primarily pure cryptography — working on the mathematical side — whereas 'applied cryptography' is more related to security engineering. So, I also mean 'pure cryptography' when I mention 'cryptography'.

Although I had done my master's dissertation on cryptography, I still had some doubts. What to study then? I wondered. In most cases, after starting a PhD in cryptography, people convince themselves that they don't relish cryptography but security engineering. In this sense, I had to make a wise decision.

Searching on the internet, I found an inspiring essay, by Bruce Schneier, that helped me to clear things up. The essay must be read thoroughly before entering the cryptography world or embarking on the journey of doing a PhD. You will understand all the differences between related fields and other aspects involved in this amazing and challenging area of theoretical computer science.

Obviously, there are other things to be taken into consideration when doing a PhD such as career opportunities, funding, supervisor, time, etc. I will not expand on that now, though. Also, I have to confess that it wasn't an easy decision to make; it took me some time to figure out many other things. However, that essay also helped me decide to do a PhD in cryptography.

I would highlight that the main difference is that learning cryptography means studying mathematics in depth, or at least having a very good understanding of the underlying mathematical ideas, whereas this is not required if you go for security engineering. Mathematics is the framework that you create new cryptography on; good cryptography needs good mathematics, as simple as that. If you don't relish maths then you'd better go for security engineering.

Talking of the essay, 'Cryptographers create new cryptography and invent new cryptographic algorithms,' Bruce says, 'whereas security engineers are implementers of cryptography.' Also, he adds, 'Getting a PhD in cryptography is by far the easiest way to become a cryptographer' – Yes, I do agree. I'd also say that it is probably the most straightforward way of acquiring strong cryptography skills. Also, he says, 'While doing a PhD you will convince yourself if you really want to become a cryptographer.' Yes, but I think you may waste some time – which might be regrettable. Finally, he remarks, 'You must have training in mathematics and computer science; having a good mathematics background is advantageous.' – and I'd remark it is vital to cryptography.

Now, here is a summary of Schneier's essay. I have firsthand experience of the following facts and ideas; I second all of them. If you still want to read the whole essay, this is the link: http://www.windowsecurity.com/uplarticle/4/cryptwant.txt
• A cryptographer is someone who is active in the field of cryptography: someone who engages in research, writes papers, breaks algorithms and protocols, and sometimes writes his own algorithms and protocols.
• Most people who implement cryptography in software and hardware products are not cryptographers. They are implementers of cryptography, security engineers. I find that most people who say they want to be cryptographers actually want to be security engineers. They want to be a person who builds secure systems that use cryptography. Security engineering requires a strong understanding of cryptography, but it does not require creating new cryptography.
• Both mathematical and computer science training is vital. The ability to find loopholes in a system, be they mathematical, systematical, or procedural, is vital to a cryptographer.
• Almost certainly you will get the urge to invent new cryptographic algorithms and will believe that they are unbreakable. Almost certainly your creations will be breakable, and almost certainly no one will spend the time breaking them for you. You can break them yourself as you get better.
• Cryptography uses number theory, but cryptography uses ideas from many varied areas of mathematics. In fact, one of the most interesting aspects of cryptography is that great ideas come from all over mathematics. Cryptographers need a broad knowledge of mathematics; this is the only way that new connections are made and really original ideas are found.
• Vital computer science courses include algorithm design, computational complexity, and theory of computation. Keep reading books on cryptography: The Handbook of Applied Cryptography by Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone, or Doug Stinson's Cryptography: Theory and Practice. Read books about computer security.
• If you have a good mathematics background, you can teach yourself cryptography. This option is much harder, but it is possible.
• Learning to be a cryptographer is not easy, and it makes sense to question whether that is what you really want to do. Luckily, the process has many points where you can decide to change your mind. And as I said in the beginning, many people who say they want to be cryptographers actually want to be security engineers. While the requirements for a security engineer are much the same — read books, read research papers, take classes, learn cryptography and how it's used — a PhD is not required.

Note that — for some prospective students — cryptography may be seen as an unconventional research field, but I don't consider it as such nor as an abstract investment. One way or the other, I also understand they might want to go for something 'more practical'. As with most things in life, it's all about following your passion. Other students might say cryptography is too hard, which means to me they don't like it or they have had a not-so-good cryptography teacher; that's it.

To me, doing a PhD in cryptography sparks my imagination beyond limits; it is not meant to restrict me or be a pain in the neck; on the contrary, it is meant to set me free. So, cryptography might not be for everyone; you've got to be very conscious of it.

I hope this post helps you make a wise decision if you are thinking of doing a PhD in cryptography or starting a career in cryptography. If you still have some doubts after reading the essay, you can get in touch with me so that I can provide you with some advice and share my experience with you.

So, do you still want to be a cryptographer?

(Image source: www.history.org.uk)