Paul McLellan
RSAC: The Cryptographers' Panel

14 Jun 2021 • 10 minute read

The Cryptographers' Panel was moderated by RSA's Zulfikar Ramzan, and featured Ron Rivest (the R of RSA), Adi Shamir (the S of RSA), Ross Anderson (professor of security engineering at Cambridge University and Edinburgh University—as it happens my two almae matres), and Carmela Troncoso (assistant professor at EPFL—in full, the École polytechnique fédérale de Lausanne).

As a sort of teaser, topics covered included:

  • Non-fungible tokens (NFTs)
  • Integer factorization developments (important for the RSA public key system that the internet depends on)
  • Responsible disclosure
  • Quantum computing
  • The SolarWinds breach
  • Contact tracing and vaccine documentation
  • Resilience

For me, the annual Cryptographers' Panel is one of the must-attend sessions at RSAC, since it always features some of the famous names of cryptography, people who have been working in the area from back when the US government still considered it a munition. People forget that when browsers were first introduced, the export versions for use outside the US had hobbled security since the key length was reduced. Usually, Whitfield Diffie is on the panel, but this year he had his own special session "A Whitrospective". See my post RSAC: Opening Keynote and a Whitrospective.

[In this post, stuff in brackets like this is additional explanation by me, not something that the panel discussed. Typically, the panelists just assume everyone knows all the abbreviations and jargon, in the same way that an EDA panel would assume everyone knew what EDA stands for, or what Verilog is.]

As in previous years, the panel started with complaints that the word "crypto" has been taken by another group of people. [It is now no longer associated with cyber-security but with digital currencies like Bitcoin.]

Running with that, Zulfikar, "Z" from now on, started by asking the panel if they had a position on NFTs? [NFTs are non-fungible tokens, a way for people to sell digital products like artworks so that the "genuine" ones can be distinguished from the copies.]

Ron: I had been paying attention to Bitcoin but I had no idea what an NFT was a year ago. Here's an analogy, the tulip craze. Tulips are a physical object you can have. But you can also have a picture of a tulip. The next layer, anyone can copy that picture and enjoy the copy. The third level is an NFT that points to the picture, so two levels removed from reality. To me it is a little like homeopathic medicine...you dilute and dilute. We'll see where it goes.

[Image: Adi with the original RSA report]

Adi: I am a bit more positive than Ron. I think it is a nice way for digital artists to monetize their output. Some people collect coins, or stamps, and some people collect NFTs. It's fine with me. We may try and do something with this using NFTs. [The document in the picture is one of the original copies of the MIT Technical Report on the RSA implementation of public-key encryption from 1997.]

Z moved on: Back in March, which already feels so long ago, there was a new algorithm for integer factorization that will quote destroy the RSA cryptosystem unquote. [RSA depends on the fact that there is no known efficient algorithm for factorizing large numbers, think hundreds of digits.]

Ron: Well, this is certainly a result that caught my eye. I started asking around and asked the author first of all whether he had demonstrated factorizations. I also pointed him at some criticisms on the web he hadn’t seen, and he updated his paper. So I think that the dust has not settled yet. The proof is in the pudding, so I want to see some numbers get factored. Jury still out.

Adi: Of course I looked at the paper. Someone tried to implement the ideas on 400-bit RSA number. So at the moment, it looks as if it doesn’t factorize numbers that are much smaller than today’s keys but we should keep our minds open.

Z: We all know the implications of factorization, so how about responsible disclosure?

Adi: You are supposed to find the company or standards organization in charge and let them know in advance about the problem, give them time to fix it. I’ve done it in the past many times, although occasionally get a letter from a lawyer.

Carmela: It is difficult to do responsible disclosure here, since it is not one company, it is used everywhere.

Ross: When we started 20 years ago, we started on responsible disclosure. The bug-finding guys want everything disclosed immediately, the company lawyers want everything buried forever. The compromise is responsible disclosure. But that's difficult when you break something big like Linux or RSA.

Ron: Factorizing is almost unique in that you can show you can factor without showing how. You can say that "the method will be revealed in a couple of years”. That may be workable in case of RSA as a means of responsible disclosure.

Ross: Someone who can do it could steal all Satoshi’s bitcoins which would be another way to demonstrate the capability! [Satoshi Nakamoto is the pseudonym of the person or people who came up with the algorithms behind Bitcoin. "He" has Bitcoins worth literally billions of dollars at current prices. For more on what is known about him, see my post Who Is Satoshi Nakamoto?]

Z: What about the recent results in quantum computing? [For some background on what they are talking about, see my post What Is Quantum Supremacy?].

Adi: It is always two steps ahead and one step back. The paper that claimed experimental evidence of the Majorana fermion that Microsoft used as a topological qubit has been retracted. In 2018, a Microsoft VP said that there would be a Majorana fermion discovered. IBM had to attack the previous claim about quantum supremacy since they could do it without quantum. Recently there was another claim that the same distribution Google claimed supremacy on could be done with only 60 GPUs. That is the one step back. An ambitious roadmap that by 2023 would have 1000 qubits…let’s see.

Ron: I can't believe the amount of money being invested in the nascent technology that doesn’t yet exist. Can you build at scale that enables you to do real computation? Second, are there applications that are useful?

Ross: My own view is that the physicists are copying Ron and Adi, who enabled number theorists to get their shovels into the military budgets. And quantum mechanics physicists wanted to do something similar. As far as quantum cryptography, I’m entirely unimpressed. We’ve known how to do that for 40 years. I am a skeptic. I am not surprised nobody has seen any quantum speedup yet and I’m not certain that will happen.

Adi: Combine the two biggest hypes, quantum computing and AI. Quantum will solve all the training problems we have with large datasets. I don’t believe it.

Ross: It is like setting up old computers with switches. Quantum computing is like that today.

Z: What about machine learning in adversarial environments? Where are we on building secure systems under adversarial conditions? [For background on adversarial AI, see my post Fooling Neural Networks.]

Carmela: Robust, fair, explainable, and privacy-preserving. I’d like to talk about how these four dimensions may not be compatible.

Ross: In addition to privacy and adversarial, there are robustness issues when there are some inputs that will cause the system to burn as much as possible. Natural language is very vulnerable to means of attack such as putting foreign characters in. This happens to all the systems the big tech companies have put out, like Chinese characters in Russian text. There will be new wrinkles when you start seeing machine learning systems used in an adversarial setting such as Chinese vs Indian drone swarms over the Himalayas.

Z: What happens if you take a technology people understand and try and make it work at scale?

Adi: Adversarial examples are happening everywhere. Today we don’t have a good understanding where adversarial examples come from and what they represent. But until we solve the robustness issue, I will be very reticent about deploying at scale.

Ron: Complexity is the enemy of security, and ML is very complicated with millions of parameters. So it violates the basic premise for security.

Z: SolarWinds? The new CEO of SolarWinds is one of the keynote speakers here at the conference. [For background on SolarWinds see my post The Biggest Security Breach Ever.]

Ross: SolarWinds is a very good warning to us all. There are hundreds of companies like SolarWinds that have their software in hundreds of systems. SolarWinds was a startup and is now mature and a monopoly being run by bankers as a cash cow. One thing you always need to do is ask about culture and motivation.

Adi: Intel is saying they will farm out some of their manufacturing, which I see as important from a supply chain security point of view. Today, the US only produces 12% of the world’s semiconductors. In each Intel chip, there is a TRNG [true random-number generator] and I’m afraid that by tweaking the process parameters, the quality of those random number generators could degenerate.

Z: Today in covid there is community tracing, also community passports. What about security aspects?

Carmela: At the end of the day, the protocol has to run on mobile and that is not owned by us, but by two companies [Apple and Google]. There are several choices for privacy engineering. The WHO is proposing things on infrastructure that does not even exist yet. We need to think about the resilience of the systems.

Z: We spent a lot of time engineering privacy into systems. Has Covid undermined them?

Adi: I think we have to admit that privacy considerations have reduced the effectiveness of the contact tracing systems we are using. In some ways, Apple and Google have prevented many countries from doing things that don’t really violate privacy such as the NHS [National Health Service] in the UK. So walk into a bar and scan a QR code, but since it has location information Apple/Google would not let them use it. So we have less capable contact tracing than we could have.

Carmela: Do you think contact tracing made a difference vs speed of vaccination?

Adi: Contact tracing was limping and not many people had downloaded the application. It was the security services that provided the information around phones, which was not privacy-preserving in any way.

Ross: Tech has got in the way. The contact tracing that has worked has been old-fashioned, with nurses calling up in the local language. Call centers have not worked so well. Apps not at all. The UK will have everyone vaccinated by July. Where the need is, is for international travel. But we have old-fashioned paper like that for yellow fever vaccination. That is good enough. Trying to create an all-singing all-dancing system is just an attempt by tech companies to get hundreds of millions of dollars.

Ron: This is effectiveness vs privacy. Apps are not effective unless adopted, but one reason they don’t get adopted is that people are worried about their privacy. So making them less private may make them less effective, too.

Z: What's your perspective on resilience?

Ron: Resilience is an interesting property. One we should really be striving for but cryptographers are not good at this…things like doing well in the face of a breaking. The idea of rekeying and reauthenticating everyone is not something we talk about much. We design systems that are brittle. I give us a C-.

Adi: I give a D or an F. The cryptography community has created great systems. It was a big problem when AES was standardized. There is post-quantum cryptography being standardized by NIST. They are at the third stage in evaluating lightweight cryptography. ISO is working on secure multiparty and fully homomorphic systems. [For background on fully homomorphic systems, see my post Fully Homomorphic Encryption.] I think this flies in the face of having secure cryptography systems.

Carmela: The thing we need to think about is the more we move to the platform world, we are removing resilience by putting all our eggs in the same basket.

Ross: I agree with Carmela and would put it more strongly: we have seen system problems like Heartbleed [for some info on the Heartbleed vulnerability, see my post Open Source in 2020], but imagine Verisign [one of the main providers of domain name certificates, which ensure that when you think you are talking to your bank, you are really talking to your bank] compromised by some nation. Governments are taking cryptocurrency on board. People talk about a multi-cloud strategy but it is very hard to migrate real applications from Azure to AWS since all the crypto has to change.

Z: I give the panel an A+. Thank you all.
