The Cryptographers’ Panel
>> ANNOUNCER: To present The Cryptographers' Panel, please welcome Honoree Fellow, Gonville and Caius College, Cambridge, Whitfield Diffie. >> WHITFIELD DIFFIE: I would like to be able to tell you something about what's coming up but we have three new members this year, so I thought we ought to get together and talk about what we are going to say. And after three Zoom meetings and a dinner, we can't even agree on what the questions should be. So, let me welcome these people in and see how long it takes them to walk across the stage.
There must be something I was supposed to say that I forgot. There we go. Adi Shamir, whom you just saw. Anne Dames. Clifford Cocks.
Radia Perlman. So, I don't think Adi Shamir needs any introduction. If you don't know who he is, you are at the wrong conference. I might just need a little more.
I'm Whitfield Diffie. If you don't know who I am, you are probably at the wrong session. But Cliff Cocks is another thing. Last summer, I wanted to register for the Crypto Conference in Santa Barbara.
So, I went on the IACR website and it asked me to prove that I was human. And it didn't, you know, show me a bunch of pictures and ask me to tell the drug dealers from the pimps or something like that. It said, give the last name of one of the inventors of the RSA cryptosystem. Well, Jim Bidzos, who was the great CEO of this company, used to call me the D in RSA, so I tried Diffie. Nah, it wasn't fooled.
So, next I tried Cocks, and it accepted it. Somebody down there has the right combination of respect and sense of humor. Now, let me back up on this a little bit. I have always been very impressed with RS&A because several people came close in various ways to discovering RSA and didn't. If it weren't for my wonderful combination of ignorance and attention deficit, I might have found it one night.
Don Knuth, you know, of whom there is no greater computer scientist, told Marty and me to study multiplication versus factoring as a one-way function. Marty Hellman and Stephen Pohlig invented the system called Pohlig-Hellman that does exponentiation of primes and at some point they said, you know, this could be done over composites also. Yeah, but why would you want to? And that slipped by them. But it took about, from the publication of "New Directions in Cryptography," it took about six weeks for RS&A to discover the RSA cryptosystem.
I thought that was pretty good. It turns out about three years earlier, Cliff was starting work at GCHQ. And they have a system of advisors in that kind of case in Britain. And his – he was the – his mentor was a cryptanalyst named Nick Patterson. And they had a problem because Cliff didn't have a full clearance yet, so Nick couldn't really talk to him about the things he presumably wanted to.
And one evening, I don't know, I think maybe I was told that Nick was driving him home from work or something. He told him about some work that James Ellis had done a few years earlier that they called non-secret encryption. And that the scheme had been proposed. Ellis had argued for how you could do it but hadn't yet shown any mechanism. Cliff solved it before he went to bed that night. So, you know, forever, six weeks, six hours.
I have been trying to get Cliff on this panel for years and I am just thrilled to have him here. And he's – you know, he had a three-year lead on RSA, Ellis had a five-year lead on me. They had some time. What did you do with the – with your lead in non-secret encryption? >> CLIFFORD COCKS: Okay, well we took the whole thing very seriously.
We looked at can we patent it? And we were told, no, you can't patent it. It's mathematics. Is what our lawyers said. Which is probably a mistake. And we looked at implementing it. By this stage, we had gotten the two ideas.
We had gotten the factoring approach and also the – what we now call Diffie-Hellman, the discreet logger approach, which has been discovered by Malcolm Williamson. And we looked at can we actually make a machine that will do this? We were doing it in the context of really wanting to sort of reduce the cost of key distribution. And the answer was at that time, and this was the right answer at that time, no, it's not worth doing because it's too expensive. The processing capability was not there at the time.
So, we had the ideas and essentially we thought, yeah, okay, that's great, but let's park it until it's time. And that was another ten, fifteen years. So, that's what we did with the ideas.
>> WHITFIELD DIFFIE: Okay. So, I have two more – we have three newcomers this year and let me introduce the other two. Anne Dames is a distinguished engineer in – working particularly in postquantum cryptography at IBM. And I'm going to say, you know, if you ask what are the institutions in the U.S. certainly that are most influential in cryptography, well, NSA and NIST certainly have to be given a lot of credit. But I think that following that, either the RSA Corporation itself or IBM must follow.
Because IBM proposed the – designed the first standardized public cryptosystem, the data encryption standard. It participated in the – it didn't get chosen but participated in the competition to select the advanced encryption standard. Has been very forward in its internal use of cryptosecurity and is now looking to things we will discuss later in the panel and has a particularly proactive attitude. I have known Radia Perlman for basically the whole same period of time I have been working in cryptography. She was at MIT a little bit after I was but I don't think I met her until she – until maybe she moved out here. But she is an expert in all aspects of networking.
And she started out in routing and in naming and things like that. And then she got fed up that people thought of her as, you know, a network person, not a network security person. So, she prepared a whole new edition of her book on network security with her partner, Charlie Kaufman, in order to convince us that she really did know network security. So, that's an example, you know, we, over the years, this panel originally started out with the RS&A and me and Marty and gradually over time, we have expanded in two directions, and one is toward people who may be not strictly speaking cryptographers, so in security outside of cryptography, and the other is toward younger people who are still working and still have things to say.
So, I want to get on to this. I think one of the big issues of the day is what's called quantum computing. And this panel doesn't agree as far as I can see any more about what quantum computing, how significant it is, than any other similar group of people in the world. But I thought I would at least ask.
So, anyone who wants to answer? >> ADI SHAMIR: So, I would like to start by giving you the big picture. Thirty years ago during the 90's, there were three new promising technologies on the horizon. One was – one of them was AI. The second one was cryptography. And the third one, an invention, was quantum computing. I think we all agree that AI had promised and delivered beyond our wildest expectations.
We can talk more about the achievements later on. But this is a clear case. In cryptography, we mostly delivered on our promises. We have good primitives, we have TLS, we know how to securely do all kinds of things. If I am trying to characterize what had been delivered in practice in quantum computing, I must say that the main things which had been delivered are more promises.
So, we promised and almost nothing in practice had been delivered. In the sense that as of today, not a single problem had been shown, practical problem, had been shown to be solvable by one of the available quantum computers faster than on a classical computer. So, I'm sorry for being harsh but I think that somebody must play the role of the young kid looking at the king. >> WHITFIELD DIFFIE: I think you have a limited experience of wildest promises, was it? Wildest possibilities.
I remember Marvin Minsky of Artificial Intelligence predicting in the late 50's. early '60s that by the 90's, computers would be playing office politics. >> RADIA PERLMAN: There's a lot of hype about quantum.
So, there's a lot of people that think it's the next big thing and that eventually all of our laptops will be quantum computers. And that, you know, with the hype stuff, they talk about all the things it's being considered for. It sort of reminds me of the hype around blockchain as well. So, yeah, it's important for us to do research into it because it's better that the good guys figure out if it's feasible than that the bad guys do in practice.
But it will have a significant impact on us, which is that we are all going to have to replace our current public key algorithms. But whether or not quantum computers of significant size ever exist. >> WHITFIELD DIFFIE: Cliff is looking attentive.
You want to say something? >> CLIFFORD COCKS: I was – I hope people might be concerned about this Chinese paper on – >> WHITFIELD DIFFIE: Yes, I was going to get on to what the threat – is there a threat in quantum computing and what is it, so. >> CLIFFORD COCKS: Yeah. I mean, this paper has suggested that they can attack with a 300-something bit quantum computer, which is – and I think the answer to that is probably that paper is not a concern so much. Now, that paper, essentially it builds on Claus Schnorr's factoring method, which uses closest vector in a lattice to create the pairs that you need to find smooth relations to factorize. And that method works very well for small modularly and it fails spectacularly badly on large modularly.
The Chinese paper essentially uses quantum super position to look at a cloud of values around what could be the smallest vector to improve on that. And they show that it works very well for small modularly, a medium sized modularly. Because you've got an exponential number of points in the cloud that you can look at. But there's really no evidence whatsoever that that's going to make any impact at all on what's required for the sort of large cryptographic size modularly where Claus Schnorr's method is totally sort of outpaced.
>> WHITFIELD DIFFIE: Let's come back up out of the trench a little bit because people talk about a quantum threat to cryptography and they are often rather casual about that. What systems are threatened? >> ANNE DAMES: Let me comment on that for a minute. So, when we think about the current systems that we have, we have to think about what systems might be threatened as a result of a potential quantum computer. And so, right now, we understand that the public key systems, those are the ones that are most vulnerable, and because of Grover's algorithm, we have to consider symmetric key and hashing functions as well, but there we may only need to increase the size of the keys or the message digests. >> WHITFIELD DIFFIE: Okay, so basically, symmetric systems like AES are affected in only a limited way.
>> ANNE DAMES: That's correct. >> WHITFIELD DIFFIE: And, however, RSA, Diffie-Hellman, elliptic curve Diffie-Hellman are all being threatened at least in the imaginations of the physicist? >> ADI SHAMIR: Let me make one small comment. Don't misunderstand what I said earlier. Quantum computers, even though they do not exist today in any usable form, might be developed in the next thirty or forty years. So, the reason we may want to switch to other algorithms is due to the danger that the NSA or other bad guys are going to record everything which is being said today and wait until quantum computers become available and then break the cryptography.
So, it's not an immediate threat at the moment but things you say today using older algorithms such as RSA or elliptic curves might become decryptable in the future. >> WHITFIELD DIFFIE: Well, as a so-called bad guy, of course, NSA is one of the farthest looking in proposing to replace our algorithms with quantum resistant algorithms as soon as possible. They have been calling for it for eight years. Yes, Anne.
>> ANNE DAMES: I was just going to comment. One of the things that folks talk about a lot is the number of qubits in the system. The experts are doing a lot of research in this area and there are other factors as well that need to be considered, such as the quantum volume or the quality. You also need to consider, of course, the qubits, the scale, but you also need to think about performance. If you cannot solve a problem quickly, that's also something that has to be considered. So, there are a lot of factors that affect what people define as progress in this area.
>> ADI SHAMIR: One particular area which should be of interest to the audience is how long can you keep qubits without it decohering into unusable form. And there has been small improvements. Just a couple of months ago, a team of researchers from Yale University have shown how to extend the lifetime of a qubit in storage from one millisecond to 1.8 milliseconds. But this is the kind of progress that we are talking about.
Remember, in order to do – to factorize RSA, which is 2,048 bits, you may need the computations lasting for days. And if you are going to run Grover's algorithm, you may have to run it for years. So, we are far, far away from solving the problems of decoherence.
>> WHITFIELD DIFFIE: Okay, but we're in, as an engineering and business community, we are in an interesting position, because powerful organizations explicitly, NSA and NIST, are both seeing a threat of quantum computing and calling for quantum resistant algorithms. So, whether or not the quantum computing ever comes along, there's a significant likelihood that we are going to face requirements for designing systems that call for quantum resistant algorithms. So, you know, maybe you can tell us a little about, there's been a big contest over the past few years to develop the first round of quantum resistant algorithms and we have one of the experts on that subject right here, so. >> ANNE DAMES: I will comment about the competition just a bit.
As you mentioned, NIST initiated a process probably back in 2016 to identify algorithms that were resistant to attack by quantum computers. And last year, they selected four of those algorithms for standardization. They selected one key encapsulation mechanism or encryption algorithm which was called CRYSTALS-Kyber which was based on structured lattices, and then they selected three other algorithms for digital signatures. Two of them were based on structured lattices, that's CRYSTALS-Dilithium and FALCON.
And they selected Sphincs+, which was based on hashing. So, these different algorithms have different characteristics. For example, the most efficient of the algorithms for around three were I think Dilithium and FALCON, but FALCON has smaller public keys but requires floating points, so, that's a little bit of a challenge. Dilithium does not require that. And then when you think about Sphincs+, Sphincs+ has smaller keys but the signatures are quite large.
So, you have to consider what use cases you really have in order to determine which of those algorithms you need to use for the specific uses that you have and the requirements that you have. >> ADI SHAMIR: Talking about use cases, I want to make the following comment. 99.99%, maybe a few additional nines, of the messages being sent today, being encrypted or being signed, do not require a fifty-year secure life.
You know, most of the emails you send are about where are we going to meet for lunch tomorrow or what are the products that the company is going to make next year. But very, very few messages, kinds of communication, require fifty-year security. So, if it is indeed the case that quantum computers are at least twenty, thirty years away, you should think very carefully whether you want to already shift into the post quantum algorithms which had been proposed by NIST. And if you do so, what kind of scheme you choose.
So, tomorrow there is going to be another panel that I am going to participate in, in which I am going to detail my recommendations. But just to give you one of my controversial views on the topic, among the three digital signatures, I recommend only Sphincs+ because it is based – it is the most – it has the largest signature size but it is the one that has the highest security level, in my opinion, and when you choose among the three available security levels, go – if you decide to switch today to a post quantum algorithm, go for the highest security only. Because if your secrets require fifty-year secure life, don't skimp on security. Take the most conservative and secure scheme among those and use the highest security level. >> CLIFFORD COCKS: I think it's interesting that three of those four algorithms all use the same basics and mathematical principle for their security, which is, in a sense, a weakness.
I know that NIST is looking for more proposals so that it can diversify the security. So, I think I am with Adi that if you really are concerned about security over a very long time, you might want to think quite carefully about the potential that one algorithm will survive that long. >> WHITFIELD DIFFIE: I think I make a recommendation in that direction, which is the problem I haven't been able to solve and don't seem likely to, which is to use what are called cellular automata.
They're a nonlinear, invertible cellular automata and I won't explain that right now, and they are not – even though they are invertible, finding the inverse is very difficult. And I think if those things can be – if that theory can be fleshed out, we are going to get a variety of new sorts of public use systems out of it. So, I recommend it to anyone. >> ADI SHAMIR: But I would be very worried about using a new kind of basis for public key cryptography because during the competition, two schemes, one called Psych, which was based on exogeny of elliptic curves, and another one called Rainbow based on multivariate cryptography were broken very badly by a classical algorithm. So, be very worried about using a new basis for securing. >> WHITFIELD DIFFIE: Using it – I mean, I can't settle with both of you.
Cliff is complaining that there's too narrow a basis and you're complaining about using anything new, so I'm not sure. >> CLIFFORD COCKS: I think you need – you are absolutely right, Adi. I mean, there is a – completely new ideas, that there is quite a high attrition rate if they are proposed for cryptography. And they take time to be sure that they are strong. At the same time, to have a very narrow base of problem solving which you're relying on security is also a weakness.
You need both. >> ADI SHAMIR: I'm actually on record saying at another conference that if you are worried about fifty or a hundred year security, don't use public key cryptography. Use a classical cryptosystem and go through the hassle of manual exchange of keys. But public key cryptography has inherent risks with it and anyone who really wants the highest level of security that will last for the next hundred years, I don't see any public key cryptosystem that will give us strong assurance. >> WHITFIELD DIFFIE: So, speaking of lack of assurance, this is the tenth anniversary of something that I found very impressive. A man named Edward Snowden became the biggest leaker of all time.
And he leaked, I don't know, thousands at least, and maybe tens of thousands of top secret NSA documents. Now, the definition in the Internal Security Act of 1950 of top secret is that their disclosure would cause exceptionally grave damage to the country. I would hate to think what 10,000 such exposures would cause.
But the fact is, I don't see anything you could call exceptionally grave damage. I am curious, could exceptionally grave damage be kept secret? And on the other hand, you know, the civil libertarians were thrilled with this event. They had been – thought NSA was spying on them all along and now they had evidence of it, but you know, I haven't seen a lot of change from that either. The most significant thing I can think of is I'm told Google did a marvelous piece of work on its internal network security in response to these disclosures.
I was wondering if anybody has any other comments about that. >> RADIA PERLMAN: Well, the world hasn't seemed to really fall apart as a result of that. But – >> WHITFIELD DIFFIE: Or come together. >> RADIA PERLMAN: Right, right; that's true.
But it's kind of great that he exposed that some low level IT person could get access to all of this stuff. So, we have learned our lesson. So, there's like no way a low level IT person these days could possibly – >> WHITFIELD DIFFIE: Until we get to [inaudible], yes.
>> RADIA PERLMAN: Right, the notion that the government is kind of using all the metadata in order to spy on us, it was kind of obvious that they would, I think. But also, compared to what the government is looking at, our browser vendor, our, you know, just cookies in general are tracking. When we go to the supermarket, the supermarket knows everything that you have bought, unless you want to pay twice as much for the stuff.
So, yeah. I'm not sure that it's really been a problem. >> WHITFIELD DIFFIE: Okay so? >> ADI SHAMIR: I would like to summarize the situation in the following way.
I don't have any inside information from, you know, governmental sources. I personally believe that Snowden caused a catastrophe in the short-term and a big problem in the long-term. And the reason that I'm saying that it was a catastrophe in spite of the fact that not many people died as an immediate result, is that I believe that the U.S. lost a large fraction of their sources of information. And you know that sources and methods are considered the crown jewels of spy craft. They are the things which are kept most tightly.
And if you just look at the thousands of objects described in the catalog that Snowden leaked, they show you pictures, exactly what all foreign governments have to look for, how an implant looks like, what are the dimensions, what are the ranges, et cetera. I can't believe that this didn't cause a major loss of sources and methods. And if you ask about did anyone get killed, I would say the following. Suppose that you have a high level spy who is just sitting next to President Xi. If you lose him, is it a catastrophe or not? If Xi decided to invade Taiwan, then it could have major impact.
>> WHITFIELD DIFFIE: I mean, the latter would fall – the law gives us examples, the breaking of a diplomatic treaty or the starting of a war. And I can't attribute either of those so far – >> ADI SHAMIR: Loss of a spy could lead to a war in Taiwan. >> WHITFIELD DIFFIE: It could, it could.
This is like quantum computing. >> CLIFFORD COCKS: I don't want to answer on my own behalf, but it's worth quoting what Jeremy Fleming, that was the director of GCHQ in the UK, said on the BBC Today program back last December. He was asked about this.
He said, the way in which Snowden's revelations played out cost this nation and many other nations a lot of blood and money and wasted effort. I deeply regret all of that and I really hope Snowden values his time in court to explain that. I mean, I think that sort of gives a sense of the feeling. >> WHITFIELD DIFFIE: Unfortunately for Snowden, we stopped him from going to South America where we no doubt by now, we would have captured him, and he got to Moscow where he's probably safe.
You know, Radia was talking about all of the data that are collected, and particularly in Europe, there's a – there are a lot of laws regulating the handling of private information. And the Royal Society has come out with a report that you participated in on privacy enhancing technologies. So, I wondered if you could give us a quick.
>> CLIFFORD COCKS: Overview of what the findings were? Yes, certainly. Because I think it's an area in which it's going to be quite a big one for cryptography and cryptographic techniques. And the point is that there is just a vast amount of personal data that is collected these days. And there were quite rightly these very strong rules and laws about how that has to be protected. At the same time, there's a lot of potential by being able to combine and to use that personal data for public good or for economic good.
I mean, just a couple of examples. There are loads. But for example, the use of personal medical data to improve on medical diagnostics. At the moment, the pharma industry in the UK is lobbying the government to allow some of that data to be used to help identify which medications are working well and which ones are not.
Or again, with financial data. If institutions collaborate, it makes it – they can do a better job of identifying fraudulent, malicious activity. And we know as cryptographers, there are techniques that we have that can help. We can think of things like differential privacy or federated learning or of course, things like secure multiparty computation or homomorphic encryption. And the thing is, these techniques are not really being used as extensively as they could to assist in enabling private data to be used.
And the question is why not? What do we need to do about it? And you know, the thing that we shouldn't be doing or the thing that's not going to help so much is doing lots of research into more and more obtuse protocols or techniques. The problem really is, I think, two things. One is sort of a lack of understanding by data controllers, and along with that, a lack of or very immature standards or descriptions of what's best practice. So, if a data controller is given this opportunity to – or is asked about can we use this data to – for this particular function? The outcome clearly is a good one.
It's not clear necessarily, what could they do to demonstrate they have used best practice? Or how they were to show due diligence. So, I think as a community, we should be doing two things. One is encouraging a better understanding of what our techniques are and what they can do and what they can achieve. And secondly, encouraging standards and situations to try to come up with some pretty strong standards, clear standards on, you know, what is required and what is not required.
So, it's very much that end of the problem that we need to put effort into. And I think governments have got a role to play in, you know, demonstrating what you can do with data and how you can use it for public good. >> WHITFIELD DIFFIE: So, I want to get on to two other major developments in the security and business world. And the first one is artificial intelligence, machine learning, chatbots.
And they – what they seem to be pretty good at is human engineering. But there seems to be promises – they seem to offer promise, lots of things promise around here, of both applying intelligence to developing better security techniques or applying it to breaking security techniques. So, I was wondering if anybody has a quick comment on that. >> ADI SHAMIR: So, at last year's conference, I think I said that I believe that the main impact of AI on the security would be in the defensive side, detecting all kinds of abnormal behaviors, et cetera. And I didn't see much room for offensive side.
And I was thinking mostly about discovering weaknesses in code, et cetera, which humans seem to be doing better. I have completely changed my mind as a result of last year's developments, including ChatGPT and et cetera. I now believe that the ability of ChatGPT to produce perfect English to interact with people is going to be misused on a massive scale.
Just to give you one small example. Suppose – you know that banks are very sensitive to rumors and to runs the bank. It's not difficult to instigate it. And I believe that someone could use ChatGPT in order to create a sequence of thousands of Tweets about people claiming that they tried to withdraw their money and they couldn't, et cetera. So, I believe that the new developments are going to have major impact on social engineering.
>> WHITFIELD DIFFIE: Radia has already pointed out in our discussions that people will believe anything these days. So, no doubt they will believe ChatGPT as well. >> ADI SHAMIR: If thousands of different people are going to say different things, you know, not in broken English, it's going to have an impact. >> WHITFIELD DIFFIE: I wonder if they can think of something to say to make us believe in blockchains.
Blockchain has been having a bad year and I can't tell if it's just, you know, because you have guys like Sam Bankman-Fried getting in trouble or whether there's something wrong with the technology. And I have been – I have to admit to having been enthusiastic about it in the abstract. When bitcoin appeared, I thought it was the most incredible improvement over the decades Chow Man spent working on that subject and his school spent working on that subject. But what do you guys think about that? >> RADIA PERLMAN: Well, there's cryptocurrencies and there's blockchain.
So, for a while, everyone was saying blockchain is like the next pillar that we must, you know, base all of our technology on. And so, you know, when people say how can I apply blockchain to this thing? Because if I do whatever blockchain is, my thing will then become secure and stuff. So, I try to – >> WHITFIELD DIFFIE: It's like Bacchas calling four trying compilers because compilers was something else at the time but they were what there was money for.
>> RADIA PERLMAN: Right, so what I try to really urge people to do is when you're working on something, start with what problem are you solving. Look at different ways of doing it and then choose the best thing. And if blockchain happens to be the best thing, which is unlikely, by all means – but one time an engineer said to me, oh, but my manager, you know, what you said sounds good but my manager wants me to use blockchain. So I said, fine, do what I said.
Look at all the alternatives. Choose the best one, build that, and then tell your manager you built it with blockchain. He will never know the difference.
>> WHITFIELD DIFFIE: So, I have, over the years, been responsible for remembering people we have lost along the way. And this is the – I think the most disturbing year for that since five years ago when my wife and a man named Mahlon Doyle, who was the most influential crypto designer in NSA's history, died. A man named Brian Snow died.
He was a member of both the secret and the public communities. And he was the first NSA person to understand the importance of the public community and not in an entirely hostile way. And he began going to public meetings. He didn't do a great deal of speaking.
He did work internally on public key and studying the things outside people were studying. But I found it very interesting. He paid us a great compliment in something he said to me I think at crypto '83.
We had listened to a paper I didn't actually like very much about a – systems with a structure that resembled some of the structure of NSA. And he had liked it and he said, you know, we have seen this territory before but you are covering it very fast. And he recognized that a community of hundreds of mathematicians were going to make progress in this area and that the secret community had to make – take what advantage it could of that progress rather than just being frightened by it. If I were doing lines for applause, it wouldn't be obits.
Two other people, a few of you will have heard of, most of you not, died within a year of each other this year. Two NSA crypto mathematicians who did some work of relevance to this community. The names are Jack Mortick and Dave Cargo. And I'm beginning – when you hear the last two, you will understand, I think Marty Hellman and I maybe should begin to get nervous. But not quite in cryptography, but very much in the same kinds of mathematics and such, Abraham Lempel and Jacob Ziv, as in Lempel–Ziv data compression, died within a couple of months of each other earlier this year.
So, there are a few fewer of us now and I'm grateful to have all of you who are left. Thank you very much. Thank you.