Engineering Philosophy: Adi Shamir

Key Takeaways

• He is the “S” in RSA, the first practical public-key cryptosystem. With Ron Rivest and Leonard Adleman, Adi Shamir co-invented RSA at MIT in 1977 – publicly described that year and published in Communications of the ACM in February 1978. The scheme made it possible to encrypt to someone, and verify their signatures, without ever sharing a secret in advance, and its security rests on the difficulty of factoring large numbers. The work earned the three of them the 2002 ACM Turing Award.¹²
• He turned a polynomial into a perfect secret. In 1979 Shamir published “How to Share a Secret,” a threshold scheme that splits a secret among n people so that any k of them can reconstruct it and any k-1 learn nothing at all – not a hint, not a narrowing. The whole thing is built from nothing but points on a polynomial.³
• He is a master cryptanalyst – he attacks to defend. With Eli Biham in the late 1980s, Shamir publicly discovered differential cryptanalysis, a general method for breaking block ciphers, and he had earlier broken the Merkle-Hellman knapsack cryptosystem. The same mind that built RSA spent decades learning to break things, because in cryptography that is the only honest way to know a system is strong.⁴⁵
• He keeps converting clean mathematics into practical mechanism. Beyond RSA and secret sharing, Shamir co-invented the Fiat-Shamir heuristic – a way to turn an interactive proof into a non-interactive signature using a hash function – plus identity-based and visual cryptography schemes. A professor at the Weizmann Institute since 1980, his career is a long argument that deep number theory is a toolkit, not a museum.¹⁶

The Principle

“It later emerged that differential cryptanalysis was already known – and kept a secret – by both IBM and the National Security Agency.” – on the technique Biham and Shamir rediscovered in the open, paraphrasing the historical record⁴⁵

Most of engineering builds toward a demo. You write the thing, you run it, it works, and the working is the proof. Cryptography refuses that comfort. A cipher that encrypts and decrypts correctly has demonstrated nothing about whether it is secure – a broken cipher and an unbreakable one behave identically until someone attacks them. So the field had to invent a different standard of truth: a system is trustworthy not when it runs, but when serious people have tried hard to break it and failed. Shamir’s entire career is the embodiment of that standard. You secure a system by learning to break systems – attack to defend.⁴

The clearest expression is that he does both halves himself. He built RSA, the cornerstone of public-key cryptography, and he built Shamir’s Secret Sharing, a scheme with provable information-theoretic security.¹³ But he also broke the Merkle-Hellman knapsack cryptosystem – a rival public-key scheme that looked secure and was not – and he co-discovered differential cryptanalysis, a method general enough to threaten the Data Encryption Standard itself.⁴⁵ These are not two careers. They are one discipline. The construction work tells you what is possible; the destruction work tells you what is real. A cryptographer who only builds is guessing, and the most chilling proof of that came later, when it emerged that IBM and the NSA had known about differential cryptanalysis since the mid-1970s and kept it classified – meaning the public field had been building ciphers blind to an attack their adversaries already held.⁴⁵

There is a second half to the principle, quieter and just as load-bearing: the power of turning a clean mathematical idea into a practical mechanism. Secret sharing is just polynomial interpolation – a fact every student meets in algebra, that two points fix a line and three fix a parabola. Shamir saw that the same fact, read backward, is a security primitive: hand out points, and the curve stays hidden until enough of them gather.³ RSA is just modular exponentiation and the hardness of factoring.² The Fiat-Shamir heuristic is just replacing a verifier’s coin-flip with a hash.⁶ Find the clean mathematical structure, then read it as a mechanism. The genius is rarely new mathematics – it is seeing that old mathematics, looked at from the right angle, already is the thing you need to build.

Context

Adi Shamir was born on 6 July 1952 in Tel Aviv, Israel.¹ He took his BSc in mathematics from Tel Aviv University in 1973, then moved to the Weizmann Institute of Science for graduate work, earning an MSc in computer science in 1975 and a PhD in 1977.¹ His timing, like the field’s, was about to turn: 1977 was the year public-key cryptography went from a tantalizing idea to a working system.

After the doctorate he spent a year as a postdoctoral researcher at the University of Warwick in England, then went to the Massachusetts Institute of Technology, where he was a research staff member from 1977 to 1980.¹ MIT is where RSA happened. Ron Rivest, the cryptographer, had been chasing a public-key scheme inspired by the Diffie-Hellman idea that two parties could establish secrecy without a shared secret; Shamir and Adleman were his collaborators and, crucially, his adversaries – Rivest would propose a scheme, and Shamir and Adleman would break it, again and again, until one survived. The one that survived was RSA, named for the three of them, published in 1977 and in Communications of the ACM in 1978.² (Unknown to them, the British mathematician Clifford Cocks at GCHQ had described an equivalent system in a classified 1973 document that stayed secret until 1997 – another instance of the field building in the dark while intelligence agencies watched.)²

In 1980 Shamir returned to the Weizmann Institute, where he has been a professor in the department of computer science and applied mathematics ever since, later also holding an invited professorship at the École Normale Supérieure in Paris.¹ Almost everything that defines him – secret sharing, the assault on the knapsack ciphers, differential cryptanalysis with his student Eli Biham, the Fiat-Shamir heuristic, visual cryptography with Moni Naor, the cube attacks, the TWIRL and TWINKLE factoring devices – came out of Weizmann. In 2002 the Association for Computing Machinery gave Rivest, Shamir, and Adleman the Turing Award, computing’s highest honor, for their contributions to public-key cryptography.¹²

The Work

Shamir’s Secret Sharing: a parabola that keeps a secret

Start here, because it is the principle in its purest, most beautiful form. Suppose you have a secret – a master key, the launch code, the password to a treasury – and you want to split it among five trustees so that any three of them, together, can recover it, but no two of them can learn anything. You could try to physically cut the key into pieces, but that leaks: each piece narrows the guess. Shamir’s 1979 insight, in “How to Share a Secret,” was that polynomials already solve this exactly.³

The trick reads a grade-school fact backward. Two points determine a unique line; three points determine a unique parabola; in general, k points determine a unique polynomial of degree k-1. So to share a secret among n people with a threshold of k, you hide the secret as the constant term of a random degree-(k-1) polynomial – the value of the curve at x = 0 – and hand each person one point on that curve.³ Any k of them can interpolate the unique curve through their points and read off its value at zero. But the security is the astonishing part: with only k-1 points, the curve is not merely hard to find – it is genuinely undetermined. For every possible secret value, there is exactly one curve of the right degree that passes through their points and hits that value at zero. As Shamir’s scheme guarantees, “knowledge of any k-1 or fewer shares leaves S completely undetermined.”³ Fewer than the threshold reveals nothing; the threshold reveals everything. That clean all-or-nothing boundary is what makes it information-theoretically secure – secure not because breaking it is computationally hard, but because the information simply is not there.³

Why it matters as engineering: the scheme is the canonical example of Shamir reading mathematics as mechanism. He did not invent polynomial interpolation – it is centuries old. He saw that its failure mode – that you cannot recover a curve from too few points – is precisely a security property, and that its success mode – that enough points pin it down exactly – is precisely a recovery property. The same fact, used in both directions, becomes a cryptographic primitive that runs today inside hardware security modules, cryptocurrency custody, and certificate authorities. Clean math, read as a tool.³

RSA: encrypting to a stranger

RSA answered a question that had seemed almost paradoxical: how can two people who have never met, and who communicate only over a wire an adversary is listening to, exchange secrets? Classical cryptography required a shared key established in advance – but you cannot share a key over the very channel you are trying to protect. The breakthrough, which Rivest, Shamir, and Adleman built into a working system in 1977, was the trapdoor one-way function: an operation easy to compute forward and infeasible to reverse, unless you hold a secret piece of information.²

RSA’s trapdoor is factoring. You pick two large prime numbers and multiply them into a modulus n; n and a public exponent become your public key, which you can publish to the world. Anyone can use it to encrypt a message to you, via modular exponentiation. But decrypting requires the private key, which can only be derived from the two original primes – and recovering those primes from their product means factoring a very large number, a problem with no known efficient solution.² As the formulation goes, while it is practical to construct the keys, “when given only e and n, it is infeasible to compute eth roots modulo n.”² You publish the lock; only you hold the key; and the gap between them is the difficulty of factoring.

Shamir’s specific role is worth stating plainly, because it is the principle again: he was, alongside Adleman, the cryptanalyst of the trio. The story of RSA’s invention is a story of breaking – Rivest proposed candidate schemes and Shamir and Adleman attacked them until only one withstood the assault. The surviving scheme was strong precisely because it had survived the attacks of two people determined to break it. RSA is not a system that was designed to be secure and then hoped to be; it is a system that earned the claim by surviving its own authors.²

Attack to defend: breaking knapsacks and differential cryptanalysis

If RSA shows Shamir building, the next body of work shows him doing what the field needs even more: breaking. In the late 1970s, the Merkle-Hellman knapsack cryptosystem was a leading rival to RSA, its security resting on the “subset-sum” problem, which is NP-complete and so looked formidably hard. Shamir broke it. He showed that the particular knapsacks Merkle-Hellman used were not the hard general case but a special, structured one that could be solved efficiently – demolishing a scheme many had trusted.¹ The lesson is one cryptography keeps relearning: a problem being hard in general does not mean the instances your cipher actually uses are hard. Only attack reveals the difference.

His most influential cryptanalytic work came with his student Eli Biham in the late 1980s: differential cryptanalysis, published around 1990.⁴⁵ It is a general technique that studies how differences between pairs of inputs to a cipher propagate to differences in the output. If certain input differences lead to certain output differences with non-random probability, that statistical bias is a crack – a leak of information about the key – and Biham and Shamir turned it into attacks on a range of block ciphers, including a theoretical weakness in the Data Encryption Standard, then the world’s most important cipher.⁴⁵

Then the field learned something humbling. In 1994, Don Coppersmith revealed that IBM – which had designed DES in the 1970s – had known about differential cryptanalysis “as early as 1974,” that defending against it had been an explicit design goal of DES, and that the NSA had pressed to keep the technique classified because “disclosure of the design considerations would reveal the technique of differential cryptanalysis, a powerful technique that could be used against many ciphers.”⁴⁵ DES’s mysterious internal constants, long suspected of hiding a backdoor, turned out to be hiding a defense against an attack the public did not know existed. The episode is the strongest possible argument for Shamir’s principle. For two decades the open community had built and trusted ciphers while remaining blind to a fundamental attack that adversaries already held. Biham and Shamir’s public rediscovery did not weaken cryptography – it strengthened it, by dragging the attack into the light where everyone could design against it. Attack to defend, at the scale of an entire field.⁴⁵

Fiat-Shamir and the breadth of the toolkit

The same instinct – find the clean structure, read it as a mechanism – runs through Shamir’s other inventions. The Fiat-Shamir heuristic, with Amos Fiat in the mid-1980s, solved a practical problem with interactive proofs of knowledge: such proofs require a live back-and-forth, where a verifier sends a random challenge and a prover responds. Fiat and Shamir saw that the verifier’s only job was to supply unpredictable randomness, and that a cryptographic hash function applied to the prover’s own message could supply that randomness just as well – turning a conversation into a single, self-contained, non-interactive proof, which is to say a digital signature.⁶ That one transformation underpins a large fraction of modern signature schemes and zero-knowledge systems. He also proposed identity-based cryptography (using a person’s identity as their public key), co-invented visual cryptography with Moni Naor (splitting an image into transparencies that reveal a secret only when stacked – secret sharing you can see), and later developed cube attacks and the TWIRL and TWINKLE factoring devices.¹ Across all of it, the pattern holds: a known piece of mathematics, turned the right way, becomes a tool.

The Method

Read across RSA, secret sharing, the broken knapsacks, differential cryptanalysis, and Fiat-Shamir, and the same commitments recur. Shamir’s method is less a slogan than a set of standing habits.

Build and break with the same hands. The defining move is to refuse the division of labor between those who construct systems and those who attack them. Shamir co-invented RSA and broke the Merkle-Hellman knapsack; he proved secret sharing secure and co-discovered differential cryptanalysis. The lesson transfers far past cryptography: you do not understand what you have built until you have tried, in earnest, to defeat it. It is the evidence gate raised to a way of life – “it works” is not evidence of security; “serious people tried to break it and could not” is.²⁴

Trust only what survives attack. A cipher that has merely been designed carefully is a hope; a cipher that has withstood concentrated cryptanalysis is a fact. The discipline is to treat your own system as guilty until attacked – to assume there is a crack and go looking for it, rather than waiting for an adversary to find it for you. This is the cryptographic form of Thompson’s “Reflections on Trusting Trust”: the founding insight that you cannot trust what you have not adversarially examined, because the threat you cannot see is the one that gets you – as the classified history of differential cryptanalysis proved.⁴⁵

Read mathematics as mechanism. The most powerful primitives are rarely new mathematics; they are old mathematics seen from a new angle. Polynomial interpolation becomes secret sharing; the hardness of factoring becomes a trapdoor; a hash function becomes a stand-in for an interactive verifier. The habit is to look at a clean structure and ask not “what is this?” but “what could this do?” – the same economy of means that makes the strongest primitives also the simplest, in the spirit of minimum worthy product.³⁶

Prefer provable security where you can get it, and earned security everywhere else. Secret sharing is information-theoretically secure – no computer, however powerful, can extract the secret from too few shares, because the information is not present.³ RSA is computationally secure – safe only as long as factoring stays hard. Shamir works at both levels and is precise about which he has. The discipline is to know exactly what your security claim rests on, and never to confuse “no one has broken it yet” with “it cannot be broken.” It is quality is the only variable applied to trust: the only thing that counts is whether the guarantee is real.²³

Distrust the special case hiding in the general one. Breaking Merkle-Hellman taught the field that a problem being NP-complete in general says nothing about the specific instances a cipher actually uses.¹ The standing habit is to suspect that the convenient, structured version of a hard problem – the one easy enough to build a system around – may be exactly the version that is easy to break. The same skepticism Leslie Lamport brought to distributed systems: do not trust the property you assumed; find the precise condition under which it actually holds.

Influence Chain

Who Shaped Him

Diffie, Hellman, and the public-key idea. RSA was a direct response to Whitfield Diffie and Martin Hellman’s 1976 proposal that secrecy could be established without a pre-shared key. Diffie-Hellman posed the question – a public-key cryptosystem ought to exist – and Rivest, Shamir, and Adleman built the first practical answer.² (Direct influence)

Ron Rivest and Leonard Adleman. The RSA collaboration was genuinely three-handed: Rivest the relentless proposer, Shamir and Adleman the relentless breakers. The adversarial structure of that partnership – propose, attack, repeat – shaped Shamir’s lifelong conviction that construction and cryptanalysis are one discipline.² (Formative influence)

The number-theoretic tradition. Shamir’s signature move – reading classical mathematics as cryptographic mechanism – descends from the long tradition that connects number theory, the difficulty of factoring, and the algebra of finite fields to computation. His genius was application, not invention, of that mathematics. (Formative influence)

Who He Shaped

Eli Biham and modern cryptanalysis. Differential cryptanalysis, developed with his student Biham, became a standard tool that every serious block-cipher designer must now defend against – it reshaped how ciphers are built, including the design criteria for the Advanced Encryption Standard.⁴⁵

The entire public-key ecosystem. RSA underpinned decades of secure communication, digital signatures, and key exchange. Every time a browser establishes a secure connection or verifies a certificate, it stands on the public-key foundation Shamir helped lay.²

Zero-knowledge and signature schemes. The Fiat-Shamir heuristic is a workhorse beneath a vast range of modern digital signatures and zero-knowledge proof systems, including those now central to privacy-preserving and blockchain cryptography.⁶

The Throughline

Shamir is the security keystone of this series – the figure who makes the rest of the stack trustworthy. Tim Berners-Lee built a web meant for everyone, but a web you can shop and bank and speak freely on depends utterly on public-key cryptography for its TLS connections and signed certificates – which is to say, it depends on RSA and the field Shamir helped found. Thompson and Ritchie gave us the systems we run on and, in “Reflections on Trusting Trust,” the founding warning that you cannot trust what you have not adversarially examined – the exact instinct Shamir built a career on. And Leslie Lamport gave distributed systems the discipline of defining correctness precisely and proving it, against Byzantine adversaries who behave arbitrarily; Shamir’s secret sharing is that same impulse in cryptographic form, a primitive with a proof rather than a hope. Where Berners-Lee says this is for everyone and Thompson says trust nothing you did not build, Shamir says: I will build you something secure, and then I will spend my life trying to break it – because that is the only way either of us will know it is real. (Series bridge)

What I Take From This

The lesson I keep from Shamir is trust only what survives attack. My instinct, like most builders’, is to treat working code as proof – the tests pass, the demo runs, ship it. Cryptography forbids that comfort, because a broken system and a sound one look identical until someone attacks them, and Shamir’s answer is to be that someone first. He broke the knapsack ciphers; he and Adleman broke Rivest’s candidate schemes until RSA survived; he and Biham broke DES badly enough to expose what intelligence agencies had hidden for twenty years. So when I build something now – an auth flow, a permission boundary, a data pipeline – I try to put on the attacker’s hat before an attacker does, to assume there is a crack and go hunting for it rather than waiting to be told. The confidence that matters is not “I cannot see how this breaks”; it is “I tried hard to break it and could not.”

The second lesson is that the most powerful mechanisms are clean mathematics read the right way. Secret sharing undid me a little when I first understood it – it is only the schoolbook fact that points determine a polynomial, and yet it yields a secret that is provably, information-theoretically safe. Shamir did not invent harder math; he saw that math he already had was, from one angle, exactly a security primitive. That changed how I look at the structures already in front of me. The hash I use for lookups can be a commitment; the redundancy I added for reliability can be a threshold scheme; the constraint I treated as a nuisance can be the lock. The skill is not always inventing something new – it is recognizing that the clean thing you already understand is, turned the right way, the mechanism you needed.

FAQ

What is Adi Shamir known for?

Adi Shamir is an Israeli cryptographer and professor at the Weizmann Institute of Science, best known as the “S” in RSA – the first practical public-key cryptosystem, which he co-invented with Ron Rivest and Leonard Adleman at MIT in 1977. The three shared the 2002 ACM Turing Award for that work. He also invented Shamir’s Secret Sharing (1979), co-discovered differential cryptanalysis with Eli Biham, and co-created the Fiat-Shamir heuristic, among many other contributions to cryptography.¹²

What is Shamir’s Secret Sharing?

It is a method, published by Shamir in 1979 in “How to Share a Secret,” for splitting a secret among n people so that any k of them can reconstruct it but any k-1 learn nothing. The secret is hidden as the constant term of a random polynomial of degree k-1, and each person receives one point on that curve. Because k points uniquely determine a degree-(k-1) polynomial, any k shares recover the secret – while fewer than k leave it “completely undetermined,” giving the scheme information-theoretic security.³

What is the “S” in RSA, and how does RSA work?

The “S” is Shamir; RSA stands for Rivest, Shamir, and Adleman. RSA is a public-key cryptosystem: each user has a public key anyone can use to encrypt messages to them or verify their signatures, and a private key only they hold. Its security rests on a trapdoor – the public key is built from the product of two large prime numbers, and recovering the private key requires factoring that product back into its primes, which is computationally infeasible for large enough numbers. RSA was published in Communications of the ACM in 1978.²

What is differential cryptanalysis?

Differential cryptanalysis is a general technique, publicly discovered by Eli Biham and Adi Shamir in the late 1980s, for attacking block ciphers by studying how differences between pairs of inputs propagate to differences in the output. Statistical biases in that propagation can leak information about the secret key; Biham and Shamir used it to find a theoretical weakness in DES. It later emerged that IBM and the NSA had known of the technique since the mid-1970s and kept it classified, having secretly designed DES to resist it.⁴⁵

Sources