In general, the IT security customer asks for certainty: the peace of mind that data has remained secret, that it is safe now, and that it will not be compromised later. The IT security vendor sells these assurances, whether as a product, consulting, monitoring, or auditing. But is certainty really what is being delivered?
Most customers know (or should know) that a vendor can only provide a measure of assurance; some uncertainty always remains. Data might already have been revealed, or might be in the process of being stolen through an undetected channel, an unnoticed vulnerability, or the good old-fashioned weak human link: gossip, unauthorized data sharing, or the like. A clean audit report and a quiet monitoring console show that nothing was found, not that nothing is there.
Yet many people, some of them seasoned IT professionals, optimistically like to think that cryptography can provide certainty. Certainty, however, is not a staple of the physical world, and neither is it in the realm of secrets and IT. We like to believe that some things can be known with absolute precision, and the archetypal example is the standard kilogram kept near Paris, France. This piece of metal, the so-called "Grand K," defined the kilogram (and therefore, by derivation, the pound) until the 2019 SI redefinition, yet its mass was found to drift when compared against its official copies, as seen in the graph below:
In the realm of cryptography, uncertainty is just as unavoidable as it is in the physical sciences. Even when we talk about quantum properties such as entangled bits and photons, noise, as an unavoidable fact of life and of measurement, always introduces an element of uncertainty. The same holds in classical cryptography: a security proof does not rule out an attack, it bounds the attacker's probability of success to a small but non-zero number, and a key that can be generated can, in principle, be guessed. Something to keep in mind when the next vendor comes along with its sales pitch.