RSA Cryptographers Come Out Swinging

From NFTs to Covid contact tracing, panelists reflect on a tumultuous year

The RSA Conference 2021 Virtual Experience is happening May 17-20 and Symantec, as a division of Broadcom, will be providing a summary of some of the leading stories from the conference to help you stay informed.

One of the more entertaining and anticipated sessions at the RSA Conference is a conversation between some of the world’s top cryptographers on the state of computer science. But this year’s discussion was unique as the panelists gathered virtually to reflect on cryptography’s resilience after one of the most tumultuous years in recent memory. 

It lived up to the advance billing as Ron Rivest, a famed cryptographer and a professor at Massachusetts Institute of Technology who co-created RSA public-key encryption, got things going by taking a swipe at the cultural phenomenon of non-fungible tokens (NFTs), drawing a parallel to the Tulip Mania that gripped the Netherlands in the 17th century.

“So tulips are a physical object and you can own them. You can possess them. You can plant them. You could enjoy them. And then you can have a picture of a tulip…so then we can have a picture of a tulip. This is the next layer and you can enjoy that. You can pass it around, but anybody can copy it. The third level, which is the NFT, is sort of a token which points at the picture. So, we're two levels removed from reality.”

Openly acknowledging his skepticism, Rivest likened NFTs to homeopathic medicine.

“You diluted, you diluted, you diluted – what's left? We start off with a tulip and we have the picture of the tulip. And then we have the NFT for the picture of the tulip. So what's left – the beauty is in the eye of the beholder. I'm probably not going to buy any NFTs, but who knows? I might sell one.”

Fellow panelist Adi Shamir, another co-creator of RSA public-key encryption and a professor of computer science at Israel’s Weizmann Institute, was slightly more optimistic about the possibilities, even hinting at plans to auction off an NFT of the first page of a 1977 MIT technical report signed by the three RSA founders and then donate the proceeds to charity.

“I think it's a nice way for digital artists to monetize their creations. I think that we should all look at it like a game of Monopoly. So, a group of people decide to join forces and play the game. And in that game, some people claim that they own the White House in the real world. It doesn't give them the rights to evict Donald Trump or Joe Biden, but they can play the game,” he said. “So, I think that it makes sense in certain situations…some people collect points, some people collect stamps, some people will collect NFTs. If they want to pay money for this, fine with me.”

On a more serious note, the panelists considered the role of technology, particularly digital contact tracing, in the effort to contain COVID-19.

“I think that we have to admit the fact that privacy considerations have reduced the effectiveness of many of the contact tracing systems,” said Shamir. He argued that privacy concerns from Apple and Google have prevented the sharing of location information, “so we have to admit we are getting less capable contact tracing programs. People will say that it's a price worth paying – but we are paying a price.”

Shamir noted that despite the success of Israel’s vaccination rollout, contact tracing played a very minor role in the outcome. Few Israelis downloaded the app, according to Shamir, who credited the nation’s security services for providing contact information between phones. “That's certainly not privacy-preserving in any way or form,” he said.

Ross Anderson, a professor of security engineering at Cambridge University and Edinburgh University, also took a dim view of the deployment of technology to meet the challenges of the COVID-19 era. In the United Kingdom and other nations, Anderson said that non-tech deployments have contributed to more smoothly executed vaccine rollouts.

“The contact tracing that worked in Britain has been the old-fashioned variety where nurses at a general practice form up people in a line. They can speak the local language. They can get compliance from people by winning their trust. Where we tried to put that into call centers, it worked remarkably less well – and as for the app, it works almost not at all.” 

He didn’t expect that would change dramatically as more people hopped on planes and trains in coming months. 

“We’re going to see the same thing again when it comes to vaccine passports and immunity certification. If you try to bring in a vaccine passport into the UK, where we will have vaccinated everybody by July, then by the time you have written some software and tested it, it's too late.

“But then we’ll have good old-fashioned paper mechanisms like we have for the Yellow Fever vaccination,” he continued. “I've got my vaccine card, which was written out by the nurse when I got my jab and that's fine. I can stick it in my passport and that is good enough. Trying to build an all-seeing, all-dancing worldwide system is the wrong thing to do at a time like this. It's just rent seeking by tech companies who want to dun governments for hundreds of millions of dollars and in the process, they will cause thousands of more lives to be unnecessarily lost.”

In the meantime, panelists cautioned about the often-fraught relationship between privacy and effectiveness, a perennial sticking point in public debates. 

“These apps are not effective unless they're adopted widely,” said Rivest. “And one of the reasons people don't adopt them is because they perceive them as being invasive of their privacy. So, trying to win on a technical point by having a less private system may just get you a less effective system overall because fewer people will be using the system.”

That question came up a few times during the session, particularly when it touched on the fact that digital systems are often only adopted if people think that they're trustworthy, resilient and – perhaps, above all – secure.

However, when it comes to building secure systems, Rivest was not handing out high grades. 

“We, as cryptographers, are actually pretty terrible at designing resilient systems,” he said. “Resilience means you do well in the face of a break-in or something like that. And we have ideas for coping with that… but the idea of re-keying and re-authenticating everybody is not one that we talk about much. I think overall, I would give us a great C minus as cryptographers on resilience. I think the systems we tend to design tend to be brittle and break if there's a serious key compromise.”

Shamir turned out to be an even tougher grader – but was more charitable when it came to the cryptography community. 

“I will give system designers a D or F. I'll probably give cryptographers an A. I think that the cryptography community has done great things in standardizing very good crypto systems. I think that the turning point was when AES (Advanced Encryption Standard) was standardized. Since then, there have been several carefully constructed multi-year attempts to design crypto systems, which have been looked at over the last year. There is, of course, the post-quantum cryptography by NIST. NIST just announced the third stage in evaluating lightweight cryptography. ISO is looking now at a number of other standards, including full encryption. I think that with all this careful standardization, it is going to greatly enhance our ability to have robust and secure crypto systems.”

Carmela Troncoso, an assistant professor at the École Polytechnique Fédérale de Lausanne, came down between the two extremes. But while awarding cryptographers a B, she said more work needs to be invested when it comes to deployment.

“Sometimes we don't give enough help to developers, especially when we talk about things like fully homomorphic encryption or multi-party computation that have a lot of tricks,” she said. “But I think that the thing that we probably need to think about is that the more that we move to these platform goals, like the mobile platform and the cloud platform, we have to move with resilience because we're putting all of our eggs in the same basket. And the same thing happened last year when Amazon went [offline] and half of the US couldn’t enter their doors because they had Amazon Ring.” 

About the Author

Charles Cooper

Editor in Chief, Big Valley Marketing

Charles Cooper has covered technology and business for more than 25 years as a journalist.
