To begin, Professor Anada, could you give us a brief overview of the history of cryptography?

Cryptography dates back to ancient times, but it became particularly important during the two World Wars. Early ciphers were substitution ciphers, where each letter was replaced with another according to a fixed table shared by the sender and receiver. The problem, of course, was that if the table was intercepted, the message could be decrypted. To address this, the Germans developed the Enigma machine in 1918, which used different substitution rules for each letter. Still, it was eventually cracked—much earlier than expected. What’s notable is that this wasn’t done just by analyzing grammar or writing styles, but by applying mathematical methods.

Then, in the 1970s, with the invention of the internet, we entered an era of what I like to call “open” cryptography. Unlike earlier periods when encryption was used primarily by governments and militaries, now it had to be usable by universities and the general public. That’s when public-key cryptography emerged—systems like RSA, where encryption and decryption use different keys. This led to the development of digital signatures and eventually the blockchain technology that underpins cryptocurrencies. The breakthrough was that even with a supercomputer, it would take an astronomical amount of time to find the private key used for decryption. In practice, this makes the system virtually unbreakable.

Do you see the rapid development of quantum computing as a threat to current cryptography?

To some extent, the principles of quantum computing are already well understood. Unless some radically new algorithm is discovered, we know where its theoretical limits lie, so it’s not something I see as an imminent threat. In fact, many researchers are more interested in its positive potential. That said, the cryptographic protocols currently used on the internet would be vulnerable if quantum computing continues to advance smoothly.

From a mathematician’s point of view, encryption and decryption form a kind of function–inverse function relationship. Because everything is now digitized, modern encryption is built around numbers, and mathematics—especially number theory—has become integral to these systems. But we must remember that encryption strength is based on the current limits of human knowledge. For example, RSA relies on the difficulty of the primary decomposition of large numbers, but if someone comes up with a new mathematical insight, the landscape could change overnight. There’s always that inherent risk in math-based cryptography.

Before RSA, it was considered common sense that encryption and decryption required the same key. But the moment we realized that keys could be separated—one public, one private—and that the public one didn’t need to be secret, it changed everything. That was, in my view, the turning point when encryption shifted from being something “dark”, closed and secretive to something more “open” and empowering. That’s another aspect of the “open cryptography” Professor Anada described.

Cryptographic technologies are no longer limited to communication—they’re now being applied in a wide range of areas. This brings not only benefits but also new risks that must be considered. Take genetic data, for example. It’s extremely private and must not be easily decrypted. The same goes for financial information.

People often say that Bitcoin is secure because it uses blockchain, but from your perspective as an economist, Professor Oishi, what do you see as the advantages and disadvantages of applying blockchain to financial markets?

Before I answer that, let me briefly explain what blockchain is. The core idea is to build a financial system that can function autonomously—without relying on centralized authorities like governments or banks. To do that, blockchain relies on four key technologies: public-key cryptography, digital signatures, peer-to-peer networking, and consensus mechanisms.

Transactions are recorded in blocks while preserving the anonymity of users, and these blocks are linked together in sequence. This data is shared in real time among a distributed network of participants around the world. That’s why blockchain is often referred to as a “distributed ledger” technology.

To prevent fraud and double spending, blockchain uses hash functions to convert transaction data into a sequence of alphanumeric characters. A transaction can’t be accepted unless its resulting hash meets certain criteria. To generate such a hash, a special value called a “nonce” must be found. The participants who search for this value are called miners.

Once a miner finds a valid nonce and generates a corresponding hash, they broadcast it to the network. Other participants verify whether the nonce and transaction data match. Only after this verification is the new block added to the chain. This process of agreement among participants is called the consensus mechanism.

What proportion of network participants must reach agreement? Is there a defined threshold? Depending on that, could a malicious group theoretically collude and manipulate the system?

That’s a good question. The required threshold varies depending on the specific blockchain protocol. In some systems, it’s more than half; in others, it may be two-thirds.

There’s a well-known problem in distributed systems called the Byzantine Generals Problem. It examines how a distributed system can reach legitimate consensus even in the presence of faulty or malicious actors. If the total number of participants is sufficiently large, it has been mathematically proven that a consensus supported by more than two-thirds of participants can be trusted.

Let’s say you, Professor Oishi, send me $10 worth of cryptocurrency. Could I then simply copy that transaction and immediately send the same amount to Professor Anada, who might use it right away? Is that possible?

No—it doesn’t work that way. The transaction between you and me has to be approved by the network before it becomes valid. Until that approval is finalized, you cannot use cryptocurrency in another transaction. So, double spending is prevented by design.

Also, each transaction includes a digital signature that proves ownership of the coins. These signatures are based on public-key cryptography, which means that the sender, the recipient, and even unrelated third parties can verify their authenticity. That makes unauthorized copying practically impossible.

However, there is a delay before a transaction is officially approved and recorded on the ledger. For Bitcoin, this takes around 10 minutes on average, though it can vary. For additional safety, people often wait for six block confirmations—so roughly an hour.

There are other cryptocurrencies like Ethereum that process transactions much faster.

This may be a slight digression, but we often hear reports of large-scale cryptocurrency thefts from exchanges. Are such incidents related to the blockchain system itself?

Those leaks typically occur at exchanges where legal currency and cryptocurrency are exchanged. In most cases, the issue stems from human error or poor data management at the exchange, rather than flaws in the blockchain system itself.

Indeed, the blockchain system behind Bitcoin, which achieved great success, is an innovative and autonomously decentralized system.

Every participant’s computer holds a complete copy of the blockchain, so even if part of the network fails, the data can be easily recovered.

Moreover, if you try to tamper with a block, its hash value changes dramatically, which invalidates the hashes of all subsequent blocks. To override that, you’d need to recalculate the nonce values for every block that follows—a computationally infeasible task with current technology. That’s why the blockchain is considered highly tamper-resistant.

To return to your original question, Professor Anada—the main advantage of blockchain is that it enables transactions without centralized authorities like banks, and this decentralization can reduce transaction costs. Beyond cryptocurrencies, blockchain can also represent physical assets—such as real estate or securities—in digital form, allowing them to be traded online.

On the downside, the legal systems governing property rights haven’t yet caught up with these developments. That creates ambiguity, especially when it comes to digital assets. From a law and economics perspective, I see this as a major concern. As long as uncertainties remain around legal entitlements, the full potential of asset tokenization—whether for tangible or intangible property—cannot be realized.

Let’s say we try to represent real-world assets in digital form—like buying and selling real estate without going through a realtor. In that case, we’d need a system where everyone involved can mutually verify the transaction. You’d also need miners. Doesn’t that mean the whole system requires a large number of participants to function? I wonder if there’s a practical limit to applying blockchain in physical asset transactions.

You’re absolutely right. To make such a system work, you need a sufficient number of network nodes—that is, participants. That’s why designing effective incentive structures to encourage participation is so important.

Take Bitcoin as an example: miners who succeed in verifying transactions are rewarded with Bitcoin, and in some cases, they also receive transaction fees. So, there’s a clear economic incentive to join the network.

That said, today Bitcoin functions less as a payment method that reduces transaction costs and more as an investment vehicle or asset management tool.

This reminds me of something similar in the digital art world—NFTs. Could you explain what NFTs are, Professor Oishi? Also, in the art market, expertise plays a critical role. How is such professional knowledge preserved or applied in an NFT-based system?

NFT stands for Non-Fungible Token. It refers to a unique digital asset that cannot be exchanged on a one-to-one basis like regular currency.

Digital data can be copied endlessly, but NFTs are recorded on the blockchain, which verifies the authenticity and ownership of the asset. This gives the token its uniqueness and value.

What’s especially interesting is that NFTs can be programmed to return a portion of proceeds to the original creator every time the asset is resold. In the traditional art market, once a piece is sold, the artist rarely receives any further compensation—even if the resale price skyrockets. NFTs introduce a fundamentally new model of creative ownership.

As Professor Oishi mentioned earlier, preventing fraud and double spending requires consensus from a majority—often two-thirds—of the network’s nodes. That means you might need ten thousand, a hundred thousand, or even a million active participants to ensure security.

But in a limited market, securing that many participants might be difficult. I’d be interested to know: what’s the minimum number of nodes needed to maintain a secure system?

We’ve been talking mainly about Bitcoin, but other cryptocurrencies like Ethereum have introduced a mechanism called “smart contracts.” These are self-executing contracts where the terms and conditions are written into code on the blockchain.

When the agreed conditions are met, the transaction automatically takes place. Think of it like saying, “I agree to buy under these terms,” and the moment the other party accepts, the deal is executed. The transaction’s origin, authenticity, and history can all be verified within that same block.

Ethereum launched in 2014, and it’s precisely this kind of functionality that has made it a powerful platform.

Economics textbooks often note that for free markets to function effectively, governments must recognize and protect property rights and intellectual property rights. Yet blockchain appears to be designed precisely to operate without government oversight.

Given that, could blockchain technology potentially transcend traditional institutions like the state or government? How do you see the relationship between blockchain, legal systems, and economic activity developing in the future?

Once a blockchain system is set in motion, it fundamentally resists external intervention. That’s why any contingency measures or revision procedures must be coded in advance.

However, as I mentioned earlier, without well-defined digital property rights, smooth transactions become difficult, and there is room for all sorts of problems to arise later.

Another major issue is that blockchains operate independently of government oversight. This makes it technically difficult to combat misuse by anti-social groups or for purposes like money laundering.

Currently, there are no mechanisms within most blockchain systems to exclude illicit behavior, so this remains an important challenge for the future.

That point makes me think of your research, Professor Anada—specifically regarding technologies that balance anonymity and traceability.

Yes, take cryptocurrencies, for example. It’s entirely possible that they could be used to trade weapons or illegal drugs without going through any financial institutions. And in fact, some cryptocurrencies have been used for money laundering.

Bitcoin, by design, offers anonymity. But the real question is: under what conditions, and with what authority, should that anonymity be broken and the identities disclosed? We’re still at a stage where such questions haven’t been fully addressed in practice—so I believe it’s up to researchers to lead those discussions before implementation.

If we’re talking about something clearly criminal—like drug trafficking—then I imagine it’s easier to build public consensus around surveillance or enforcement. But what about cases that aren’t so black and white, like tampering or misuse? Should anonymity be protected in those situations?

When Bitcoin launched in 2009, it was, in a sense, designed as an alternative to government-issued currency. Its creators must have thought carefully about what parts of legal money to imitate and what parts to abandon.

Rather than true anonymity, Bitcoin was based on the idea of using pseudonyms for transactions. But at that time, the link between those pseudonyms and real-world identities—and how to trace them—wasn’t well thought out.

That’s precisely the kind of problem we now need to explore more deeply.

When people use cryptocurrency, they typically create an account that ensures anonymity. But since individuals can create multiple accounts, it is possible for people to perform fraudulent or deceptive transactions by coordinating actions among multiple accounts.

This makes it essential to build some level of traceability into the system.

Exactly. Let’s assume that each node in the network corresponds to a real person. If someone were to create and/or gain control of over half of the total nodes, they could potentially manipulate the system.

To prevent that kind of abuse, we’ll need safeguards—whether through exchanges or some form of regulatory oversight.

As economists, Professor Oishi and I often consider how to design systems that sustain participant motivation over time. In that regard, the incentive mechanisms embedded in blockchain are particularly intriguing.

From your perspective as a mathematician, Professor Murata, do you find anything especially noteworthy about this? Of course, you’re welcome to say “not really” if that’s the case (laughs).

Actually, my field is number theory, and I’ve worked extensively on primitive roots and other areas closely related to RSA and ElGamal encryption.

So I have a good understanding of why encryption is considered secure—what makes it hard to break.

At its core, encryption involves transforming meaningful integers into meaningless ones in a way that allows them to be converted back when necessary. Over time, people have figured out how to make that process practical, and that’s how cryptography came to be applied so widely.

But when these methods are used in specific domains, domain-specific challenges often arise. Solving those problems usually involves translating them into mathematical terms and then working with mathematicians to extend the mathematics accordingly. I find that process of mutual development very exciting.

Mathematics has a remarkable ability to build elegant, abstract components with local precision and global universality. That’s why it’s been so well-suited for applications like public-key cryptography and digital signatures.

It might sound odd, but it reminds me of the microbots in the Disney movie Big Hero 6. In that story, millions of tiny robots come together to form a giant machine. Mathematics can produce those kinds of building blocks.

But as that giant machine begins to move, its economic and legal implications—both positive and negative—start to reveal themselves. That’s the impression I’ve gotten listening to you all today.

As I mentioned earlier, encryption and decryption form a function-inverse function relationship. So, theoretically, anything encrypted can be decrypted.

But humans only live about 100 years. If it takes 10,000 years to perform the decryption, the secret is effectively safe. Somewhere along the way, that shift in perspective occurred.

In reality, only about three function-inverse function pairs have been discovered that meet the practical requirements for cryptography. So they’re quite rare, even in all of mathematics.

Mathematics often celebrates the beauty of symmetry. But cryptography focuses on asymmetry—irreversibility—and builds that into a functional system.

To me, that’s a very novel and fascinating approach. It’s not something you see much in traditional mathematics.

The original philosophy of cryptography was that secrets must remain secret—and therefore must never be broken.

During World War II, the Japanese military reportedly used different encryption methods depending on the level of secrecy required.

But with RSA encryption, the strength of the cipher can be adjusted simply by changing the number of digits in the prime numbers used.

This led to a new way of thinking: rather than assuming that encryption must never be broken, we can accept that it might be broken someday—so we just tailor the encryption strength to the “shelf life” of the secret.

It feels like the philosophy of cryptography itself underwent a fundamental transformation.

That’s a good point. RSA with 2048-bit keys is the current standard, but we also have 3072-bit and 4096-bit versions available.

However, the longer the key, the slower the decryption. That’s why the stronger versions aren’t widely used—unless there’s a very specific need.

When we design these systems, it’s hard to anticipate exactly how they’ll be used in the future. So as researchers, we try to err on the side of caution and build in higher levels of security.

We also now have cryptographic systems under development that are resistant to quantum computing.

What’s fascinating is that while physics, chemistry, and biology tend to focus on irreversible processes, almost all of mathematics has been built around reversible ones.

Now we’re seeing that body of reversible mathematics being applied to irreversible contexts—and producing major breakthroughs.

That’s an exciting development in itself.

Today’s dialogue on cryptography offered multiple perspectives—mathematical, economic, and societal—through which to appreciate the field, revealing its intricacy and depth.

I found it deeply enriching and hope our readers will enjoy exploring these perspectives as much as we have.