I want to begin by thanking
Alan Oppenheim and his committee
for their hard work in
the selection process,
and for their good judgment
in choosing professor
Ronald L. Rivest as the Killian
Award recipient for this year.
Many of you know Ronald
from his great work
in computer science and
electrical engineering,
and in CSAIL.
And so the real main event
here is to hear his speech.
So I will be very
brief in giving you
just a small introduction to
Ron and to his background.
He was born in
Niskayuna, New York,
which is a good Indian name
for New York, the state of New
York.
Did his undergraduate
and graduate degrees
at Yale and at Stanford, and
joined the MIT faculty here
in the Department
of Computer Science,
or what became the
Department of Computer
Science and Electrical
Engineering in 1974.
He is known best as one
of the founding fathers
of modern cryptography.
And we're going to hear about
the growth of cryptography
in his lecture here today,
and particularly in what's
called the public key
activities and component
of cryptography.
And the shorthand
version, as I understand,
the impact of his
work is he allows
us to use the internet with
some degree of security,
and some degree of safety, and
maybe some degree of confidence
that all of our
mistakes, which some
of us, as some people
in this audience
know better than others,
are prone to make
in using the internet or
using e-mail as we go along.
In particular, he and
two of his colleagues,
professor Shamir and
professor Adleman,
developed something that's
appropriately known as the RSA
system, after their initials.
And this is a particularly
appropriate MIT invention
because his
colleagues describe it
as elegant, simple, abstract,
and immensely practical.
I can't think of a better
way to describe MIT's values
in working across that whole
spectrum of innovation,
from discovery to application.
And in fact, he's carried
this into the commercial world
by developing two
different organizations.
One, RSA Security Systems,
and then a second company
called Verisign Incorporated.
So he's not only worked on
the discovery and development,
but also taking this
into the real world
of practice and application.
But in addition to his
great scholarly work,
he's also known as a
very accomplished teacher
and mentor.
Together with two colleagues,
Thomas Cormen and Charles
Leiserson, he is an author
of a leading textbook
on algorithms for his field.
And as you know,
we have this thing
that I've come to know
as CSAIL, and maybe we
can give a quiz to see
if you can figure out
what the acronym is.
But it is the largest
laboratory here on campus,
and it's a laboratory
that was put together
by merging the AI, the
Artificial Intelligence
Lab with the laboratory
on computer science.
And knowing something about
some of the personalities who
were associated in
the earlier years
with these two institutions,
that is no small achievement.
And so Ron is really the
quintessential MIT professor.
He does path breaking
work in his research.
He carries it through to
have an impact on society.
He maintains his commitment
to education here
in the Institute, and worldwide
through his publications
and textbooks, and
he works to help
make this place run effectively,
not only in bringing scholars
together to work in
a common laboratory,
but also to build
the kind of spirit
and the kind of community that
lead his peers to recognize
his professional
achievements in the field,
his contributions to MIT, and
his contributions as a citizen
and a friend in our communities.
So I am delighted to
congratulate Ronald L.
Rivest on the Killian
Award Achievement
and welcome him to the podium.
[APPLAUSE]
So, the award reads: "The President
and Faculty
of the Massachusetts
Institute of Technology
have the honor to present the
James R. Killian, Jr. Faculty
Achievement Award for the
academic year 2010-2011
to Ronald L. Rivest,
in recognition
of his extraordinary
contributions
to modern cryptography and to
the field of computer science,
and for his dedication to
MIT as a teacher, mentor,
and educator."
So congratulations.
[APPLAUSE]
And now for the main event.
We'll get started.
I think I should turn
on the microphone.
So let me start
by-- can you hear me?
I guess it sounds
like it's on, yes.
Start by thanking you,
Tom, for the introduction,
and thanking MIT and
the selection committee
for this wonderful award.
MIT is really an
extraordinary place,
and to be recognized by one's
peers within an award like this
is really very
special, particularly
on the 150th birthday of MIT.
So I really appreciate
it, and thank you
to everyone who
participated in the process
for the presentation.
Thank you.
So I'd like to talk about
what I've been up to.
It was hard to figure out
how to prepare for this talk.
Basically the question
is, well, what
is that you've been up to
for the last few decades?
Why are they giving you
this award, and so on.
So I'd like to talk about
cryptography at large a bit.
I'll talk about what
I've been doing,
but I'd like to set it
in a larger context.
Talk about the growth
of cryptography,
some of its roots, and
where it's going a bit too.
So I'll talk--
emphasizing what I do
and emphasizing the field more,
and try to set it in context.
So my target audience
is really the students
here; those who haven't
been paying attention
to this field at all might
learn something about it.
So I have a slide somewhere.
Can we have my slides?
Maybe my laptop is dead.
Here we go.
Oh, password needed.
[LAUGHTER]
That wasn't planned.
That was my screen saver.
All right.
So let's get started.
So I actually have quite
a bit to talk about,
and we'll just
dive right into it.
I'd like to give a historical
narrative for the field a bit
and then position my own
work within that.
So we'll talk a bit about
what happened prior to '76,
the invention of
public key and RSA.
Some of the early steps
of seeing the technology
get out beyond those
early inventions.
A few slides about the
cryptography business, crypto
policy, which is
still with us, but it
seems to have died down pretty
much as an issue of debate.
Some of the cryptographic
attacks of interest.
Where is the field going?
Some new directions.
What's next?
Conclusions and
Acknowledgements.
So that's the menu.
Starting off with
the earliest days.
Well, let's start
with the Greeks.
Everything starts there.
Euclid proved-- he had a proof,
that there are infinitely
many primes.
2, 3, 5, 7, so
they go on forever.
That's nice.
We can use them, as
many as you like.
So we have that.
We also have his
wonderful algorithm
called Euclid's
algorithm, that allows
you to find the largest number
that divides two given numbers.
12 and 18 have 6 as their
greatest common divisor.
We knew that as well.
The Greeks practiced
cryptography
in an elementary way.
One of the ways they had was
to write a message on a leather
scroll, wrap it around a
stick of circumference unknown
to the enemy, and then pass the
leather strip without the rod
to the recipient.
So the period, the
circumference of that rod,
was the shared secret.
So that shared some of
the characteristics of not
public key, but
conventional cryptography,
where there's a shared secret
between sender and receiver,
and in a case, an unknown
period plays a role with RSA
as well as we'll see.
Periodicity plays a role
in some number theory
that comes into play.
Fermat, best known for his last
theorem, which he didn't prove,
is also known also for
his little theorem,
which he didn't prove either.
[LAUGHTER]
But he realized it was
true for any a less than p.
If you take a to the
p minus first power,
you get a number which
is a remainder of 1
when divided by p.
So 2 to the 6 is 64,
divide that by 7, you
get to a remainder of 1.
Euler, perhaps the greatest
mathematician of his time,
proved Fermat's Theorem
and generalized it,
as all good mathematicians do.
So he showed that a
to the phi of n
is congruent to 1 mod n
for any n, where phi of n
is just the number of
numbers less than n
that don't share a
common divisor with n.
We need that theorem
for the proof
of the correctness of RSA.
There's going to be a
lot of math in this talk,
don't worry if you're-- but
that's an important theorem,
1736.
Perhaps the greatest
mathematician ever was Gauss.
He lived from 1777 to 1855.
He just died before
the founding of MIT.
So 1861 was our [INAUDIBLE]
just before that.
At the age of 21, he
wrote his famous book,
Disquisitiones Arithmeticae.
I think I'm mispronouncing
that probably.
And said, "The problem of
distinguishing prime numbers
from composite numbers
and of resolving
the latter into
their prime factors
is known to be one of the
most important and useful
in arithmetic.
The dignity of
science itself seems
to require a solution of a
problem so elegant and so
celebrated."
Nice plug for the problem.
Actually, he had it wrong.
There's two problems there,
and he confounded them.
There's the problem of telling
whether a number is prime
or not, which turns out
actually, to be easy.
And then there's the
problem of separating
a number that's not prime
into its prime factors, which
we think is hard.
We hope is hard.
But he sort of conflated
those two problems together.
This fellow you may
not have heard about.
He's not well-known in the
computer science field,
actually.
He was an economist.
He was worried about
Britain running out of coal.
He had lots of
interesting things
to say about energy
usage, and he was a logician.
But the reason I like him
is he gave the world's
first factoring challenge.
In 1874, he published a book
on the philosophy of science
saying, "What two numbers
multiplied together will
produce 8616460799?"
This is a measly 10 digit
number, but at the time,
it seemed out of
reach for factoring.
That's about the size of
a phone number, right?
You can factor this
on your smartphone.
In fact, it was factored,
but after he died.
Derrick Lehmer
factored it in 1903.
No cash prize was
ever offered for that.
So cryptography proceeded
with fits and starts.
There was lots of work
in hand cryptography.
World War I introduced
a qualitative change
in patterns of communication.
The radio came on the scene.
Marconi invented
radio, showed that you
could transmit long distances
from one place to another.
That's marvelous for
working with your military.
You can give them
their orders and so on,
but it also tells your
enemy what their orders are.
So it provided a
very strong demand
for the use of cryptography.
The use of cryptography
just soared
in World War I because of that.
Cryptography played
an essential role
in World War I. The decipherment
of the Zimmermann telegram,
which was intercepted by
the British and published,
showed that the Germans
were planning to sell off
parts of the US to Mexico in
return for the Mexicans' help,
and this brought the US
into World War I decisively.
Between the two World
Wars, Alan Turing
did a number of
marvelous things.
He is well known for his
invention of the Turing
machine, and the foundations
of computability,
as well as the
Turing test for AI,
and many other
interesting things.
Some biological systems
he worked with as well.
But the point here is he
worked on the foundations
of computability and
showed, decisively,
that some problems are
impossible to compute
on a computer.
There are things you
can't solve with any kind
of reasonable computer, any
kind of imaginable computer.
The halting problem is
that the best known one.
So that sort of set
the stage for thinking
about computers as
devices that you can use
and what they can do.
And as time went on we
get into World War II,
where such devices start
being built and used
for the purposes
of cryptography.
The Germans in particular,
had the famous Enigma machine
to encipher their messages.
This is a picture of one that
had some rotors that move.
It's a nice little
digital device.
You push the buttons and
get the light showing
what-- the encipherment
is letter by letter.
So we start getting
into a computer age
almost with encipherment.
And Turing and others who
had familiarity with notions
of computation, William Friedman
in the US, broke these ciphers.
This is well known now.
It wasn't at the time.
It wasn't for quite
a while after that.
It had great impact on the war.
The war was arguably shortened
by several years because
of these cryptanalytic
breakthroughs.
And the first computers
were built about that time
for that effort.
The Colossus is arguably
one of the world's
first programmable computers.
So Claude Shannon,
one of our own,
was a faculty member
here for many years,
met Turing in the
later stages of the war.
Became familiar with some
of the cryptanalytic work.
Became intrigued by
cryptography as a field,
and wrote a very important
paper on cryptography
showing that the one time pad
was in fact, theoretically
unbreakable.
That's his paper there.
It wasn't published for a while.
He's better known perhaps,
for his work on error
correcting codes, but
that was done later
and published earlier.
So there's some more connections
with MIT, which I'll emphasize
the MIT connections when I can.
The field didn't really
blossom in a public way,
in the public sector, until
David Kahn's book, I would say.
In 1967, he wrote a thousand-page
book detailing the development
of cryptography from the
Greeks all the way up
to the present time.
He did not know about
the World War II
cryptanalytic
efforts at that time,
so they were not in his book.
But this book inspired lots
of modern day cryptographers,
including myself, to become
interested in the field,
with Diffie and others.
NSA, our National
Security Agency,
tried to suppress
publication of this book
because it brought
attention to the field,
and had a lot of interesting
technical detail too.
But Kahn went ahead and
published it anyway.
And he's updated
it since to include
more recent developments, but
it's a great book
and still recommended.
So, marching on.
In the field of computer
science overall,
we started seeing messages--
bits being passed around that
ought to be protected.
The US government
decided there should
be some sort of
commercial standard.
There was internal conflict
about what that should be
like, how strong should it be.
Horst Feistel, who got a BS
here at MIT in math, I think,
helped provide the architecture
with this ladder type
architecture on the right there.
NSA had their fingers in the
pot it seems, on this design,
arguing that the key size
should be kept short.
I think they wanted 64 bits.
IBM wanted 64 bits.
NSA wanted 48, and
they compromised at 56.
That story is still
not entirely told,
and there's a talk coming up
next week at the RSA conference
where Dickie George will present
a lot of interesting detail
about those interactions.
Looking forward
to that next week.
So computers as both a practical
tool and a theoretical subject
of interest, really blossomed
starting in the 60's
with the work of
Hartmanis and Stearns,
who laid the foundations for
computational complexity.
Turing showed that
some problems were
unsolvable on any
computer, but then we
get down to interesting
problems, which
seem solvable in principle, but
they just take a lot of time.
So the theory of computational
complexity started with them.
Manny Blum, who
did his PhD here
with Marvin Minsky in
the math department,
elaborated on that theory.
And then the theory
of NP-completeness
was developed by Cook and Karp.
The notion of polynomial
time reduction,
showing that one problem is
easily reduced to another,
is a key notion there.
So talking about
problems that are hard
becomes something in the air.
That's important
for cryptography.
You need to think about
making the problem hard, not
impossible, because
you can't do that,
but you can make it hard
for the adversary to solve.
So now we get to the point
where public key gets invented.
So these guys, Ralph
Merkle, Marty Hellman,
who had just finished an
assistant professorship at MIT
and was at Stanford,
and Whit Diffie,
who had done a
degree here at MIT,
but was out in California,
independently--
or I should say Ralph
Merkle independently
from Whit and Marty,
invented the idea
of public key cryptography.
A marvelous idea.
Just a real stroke of
genius on their part.
And it's a really
qualitatively different notion
than classical cryptography
because it separates out
the public key and
the private key.
And Diffie and Hellman
wrote up their take
on this in the paper, New
Directions in Cryptography,
which is very
inspirational to me
and to many other people, where
they laid out this vision.
And I'll tell you the
vision that they laid out.
And they said at
the beginning, they
realize this is
potentially very important.
They said, "We are at
the brink of a revolution
in cryptography."
So the idea that
they proposed was
to do public key
cryptography this way.
Everybody would
have a public key,
and you could use that public
key to encrypt a message.
So if somebody wants to
encrypt a message for party A,
they would take the
message and somehow
apply the public key to that and
come up with a cipher text C.
So the public key would
do the encryption,
and a separate key
would do the decryption.
So if A received a message
encrypted with a public key,
they could use the
secret key to decrypt.
And it's easy to compute
matching key pairs.
So having these two
keys be different,
and the key notion
is-- coming back
to this notion of
computational difficulty,
is that publishing one of them
shouldn't reveal the other one.
It should be computationally
hard to figure out
the secret key,
given the public key.
So somebody could tell
you the public key
and you wouldn't be able to
figure out the secret key.
You could encrypt to mail to
somebody, but not decrypt.
So that's public key
encryption as they present it.
These are deterministic
operations
mapping the message space to
the cipher space one to one.
Right, but computationally
hard to invert.
Digital signatures was
another idea they had,
which in my mind, was even more
inspirational than the notion
of public key cryptography.
The idea that you could
somehow take a message
and add something to the end
of it which would authenticate
the sender, and authenticate
the contents of the message
in a way that could be
verified by anybody,
well I think, in some
ways more revolutionary
than the idea of public
key cryptography itself.
Or they're related
[INAUDIBLE] encryption.
So the idea is you just
turned things around.
You sign with the
secret key and you
let people verify your
signature with your public key.
So if message M is to
be signed, party A,
the signer can apply secret
key, obtaining signature sigma,
and then you can verify
that signature as correct
given the message,
and the signature,
and the public key of
the alleged signer,
by verifying this equation.
You just check that the
mappings go back and forth.
So what maps to-- if the
message maps to the signature,
then the signature should map to
the message with the other key.
Marvelous idea.
And so we can imagine them
sending e-mail around signed
and doing all these wonderful
things, having the technology
for doing digital signatures.
These are amazing ideas.
They didn't know how to
implement them at all.
They had the brilliant insight.
They said, this is cool stuff.
We think you ought to
be able to do this.
They had some ideas,
but they could not
implement what
they proposed here,
and they published
a paper saying this.
And so this paper was
our starting point
thinking about public key.
The guy in the middle
with the hair is me.
Adi Shamir is on the left, and
Len Adleman is on the right.
Adi and Len were
assistant professors
in the math department
at the time, and I
was in the computer
science department.
And we have this
wonderful structure at MIT
where people of
different departments
can work together
in the same lab,
and LCS is that, and
provide that kind
of synergy between people
with different styles.
So we made a proposal known
as the RSA proposal, which
solves the problem posed
by Diffie and Hellman
for implementing public key.
And it relies, in part, on
the difficulty of factoring.
If you multiply two
prime numbers together,
p and q, to get a product n,
you can publish that product
without revealing
what the primes are.
So it's a foundation for
building a public key crypto
system.
That by itself is not enough.
You need to have some way
of transforming messages.
That allows you to build
a key, as it turns out.
So with RSA as we
proposed it, you
have a public key consisting
not only of the number
n, the product of two primes,
but some other number e, which
just needs to be
relatively prime,
that is share no
divisors with phi of n.
Just a technical condition.
And then the secret
key is another number
d that relates to e in a certain
way, and you can compute e
from d using the Euclid
algorithm that I presented
on the very first slide.
That's the structure of the
set up for the public keys,
and then the RSA equations
are well known at this time,
but they give us-- [INAUDIBLE]
I was told to use a slide
for pointing, sorry.
There we go.
So we take the message M,
we raise it to the eth power
and take the remainder mod n.
That's a one to
one transformation
of the residues,
mod n, to itself.
So M to the e, the message
raised to the power.
Taking the remainder
mod n, and gives you
the cipher text you want.
And that the corresponding
secret key operation
is the same thing with
just a different exponent.
So that's our proposal for
the RSA scheme, and it works.
It still seems to work.
We'll talk about
the security of RSA,
but that was the
proposal we-- it
was the first concrete proposal
for a public key system
in the lines of Diffie-- as
proposed by Diffie and Hellman.
So once we had
the idea, we said,
well how hard is factoring?
Factoring at the time-- because
it really relies on factoring.
You need to keep the prime
secret to make this secure.
Factoring at the
time was not that
much of an academic
research area.
It was sort of a backwater
area that hobbyists cared about.
And so we talked to people
who liked that sort of thing.
Martin Gardner wrote a column
in Scientific American, which
some of you may have read.
A wonderful recreational
mathematician,
inspired lots of
computer scientists.
You should read his
columns if you haven't.
He wrote a column on this.
We had contacted him about
the difficulty of factoring,
what he knew about it.
He got excited about public
key and wrote a column,
and he offered a copy
of our technical memo
that we could mail out.
We even got together to put
together a challenge cipher,
and offered a hundred
dollars for anyone
who could figure out a
particular secret message that
was encrypted with a
modulus that was
the product of two
primes, the modulus
having like 129 digits.
So a lot bigger than
Jevons's 10-digit puzzle.
We estimated at the time that it
would take 40 quadrillion years
to break.
That was a bad estimate.
In part, due to I
think a numerical error
in the calculation,
but also because there
were no published analysis
of factoring algorithms.
Rich Schroeppel had some
notes that we consulted,
and I think we made a mistake
in interpreting some of that,
but even then, it looked like
it should have been secure
for a long time.
We'll get to that again.
Anyway, we published the memo.
We didn't actually distribute
the copies of the memo
to the thousands of people
that wrote for it based
on Martin Gardner's
article, because
of the question is whether it
was legal to distribute works
in cryptography.
And MIT was very supportive
in resolving that issue,
and we eventually mailed out
copies of this yellow memo
on the left.
Our journal article
appeared not much later.
One of the things that's maybe
not well appreciated either,
is that the RSA paper
not only proposed
public key cryptography,
but did something else which
is very enduring, which
is that it invented Alice and Bob.
So Alice and Bob made
their first appearance
in this paper as protagonists,
or partners in this endeavor.
And so I was trying to resist
when describing public
key before using
party A. You know,
I always talk about Alice and
Bob when they're doing this.
And Alice and Bob, they send
public keys back and forth,
and encrypted messages
back and forth.
What's been surprising
is that Alice and Bob now
appear in all the crypto
papers everywhere,
and they've even spread
out into other fields.
I was very surprised
the other day.
I was watching television
and there was a nice nature
show about black holes,
and there was Bob slowly
watching Alice disappear
into a black hole.
[LAUGHTER]
So they've made it around.
So they even have a web page
of their own, a Wikipedia page.
But I think there's
a point there,
which is not only are they
a cute expository device,
but cryptography's about
people who care about things.
There's people with motivations,
there's a narrative,
there's a scenario and
they're trying to do things.
And so it's not
just about devices
trying to communicate as a
satellite talking to ground
receiver, something like that.
It's about the kind of
scenarios you care about,
where people have
goals, or motivations,
or trying to be evil
or good, or whatever,
and cooperate or not
cooperate, and stuff like this.
So having names for
the parties captures
the spirit of what you're trying
to do in cryptography well.
It was also revealed not
too long ago, well 1999,
that the invention of
public key and things
apparently also happened
in British intelligence
circles at about the same
time or even a touch earlier
by these fellows.
James Ellis, Clifford Cocks,
Malcolm Williamson, and so they
announced that later.
But they barely
went anywhere.
It sat in a drawer
basically there,
and they had the
idea of public key
and some of the math
that might go with it,
but they didn't have the idea
of digital signatures either.
So that was a kind of
interesting revelation.
Maybe we'll learn more
about that as time goes on.
Now the world of what
happens in the public sector,
and what happens behind the
walls of classification,
I don't have any
security clearance.
So I don't know
what goes on there,
but it's sort of parallel.
They can watch what we do, and
we don't know what they do.
Interesting stories to come out.
Early steps.
So another interesting
thing that happened,
happened here at MIT as well.
So after the original
invention of RSA-- now
the management of
public keys, well, there
was this nice Bachelor's thesis
done by Loren Kohnfelder, who
did it here at the
MIT math department
under the supervision
of Len Adleman
which invented the notion
of a digital certificate.
Many of you played with your
certificates on your browser.
The idea that you can have
a signed message basically
saying, so-and-so authenticates
that this is your public key,
or the certificate
from Amazon saying this
is Amazon's public key.
So that notion was invented here
at MIT as a bachelor's thesis.
We saw a lot of activity
in the academic sphere
and we said, well, this is about
time to get a society together.
So this is really
the first steps
of turning this
from a hobby field
and some interesting papers sort
of on the fringes of computer
science, into a real
professional area.
There was a society founded
by David Chaum, myself,
and others called the IACR.
It now runs all the professional
conferences in the area,
and there's hundreds of
papers published every year,
and dozens of
conferences and so on.
So it's really grown up
in a professional way.
In addition to getting
the societies right,
there are also theoretical
foundations laid at this time
too.
I have photos here of a
professor Shafi Goldwasser
and Professor Silvio
Micali, who joined
our faculty about
that time, and laid
some of the early
foundations for this.
And two particular works
that I like, one of which
I'm involved in, one
of which I'm not.
The first one I'm
not, it was their
paper on probabilistic
encryption, which
showed that-- well first of all,
gave good definitions of what
it means to be secure.
Cryptographers have
for a long time
been working in an
ad hoc way, and we
started to see a field
developed in this paper
sort of illustrative
of how to start
laying good foundations by
getting the right definitions
and showing how to
achieve those definitions.
In order to achieve
those definitions,
they argue that encryption,
public key encryption,
needs to be randomized.
The original RSA
was not randomized.
The notion of Diffie
Hellman was not randomized.
Coming up with a scheme
where the messages have
to be different every time.
The cipher text has to be
different every time you
encrypt the same message,
was a key insight.
And then their paper
lays the foundations
for good encryption.
The other side of public
key was signatures,
and I worked with
Shafi and Silvio
on a paper which did a similar
thing for digital signatures,
trying to get the
definitions right.
What does it mean to have
a secure digital signature
scheme?
How can you achieve it?
And that uses a particular
style definition,
which have become popular.
Not the first place
that was used,
but it's again, laying the
theoretical foundations
for work and security.
So in addition to
having the foundations
for public key stuff
as a practical matter,
some other things
needed to happen.
Public key as it
was, was too slow.
It was really painful to
find big prime numbers
and to take modular
exponentiations, particularly
with the machines
at the time, which
were a thousand times or more
slower than they are today.
So the computers
were a lot slower.
Even so, doing the
number theory takes time.
So both for encryption
and signatures,
you need some way
to speed this up.
For encryption, having
a fast stream cipher
helps, and RC4 was a scheme that
I proposed that actually turned
out to be widely used, quite
fast, and sufficiently secure
for lots of applications.
And I've got some
details here about how
it works, which I'll skip over.
But the idea is it's just a
very few lines [INAUDIBLE]
every new byte is
pseudorandom data.
And it's used widely.
It's used in the PDF files,
Skype, Kerberos, et cetera.
So it's very fast.
Stream cipher generates
a pseudorandom stream
that you XOR with the message
in the style of the one time
pad that Shannon analyzed.
So there's one
practical foundation.
On the digital signature
side, again, you
need some way to sign
very large files.
How do you sign a large file?
You can't run the number
theory on a big file.
So you can run something
called a hash function that
takes a large file, compresses
it down to a fingerprint,
and you sign that instead.
So MD5 was one of my
proposals for that.
It ran fast on 32-bit machines.
It was supposed to be
collision resistant,
that is shouldn't be possible
to have two files that
give you the same fingerprint.
We'll talk about that in
just a minute some more.
But it turned out to
be very widely used.
I was surprised at the quick
uptake of this proposal
before, as it turns out,
sufficient analysis was done.
The Business of
Cryptography. MIT
and the Technology Licensing
Office: a patent was filed.
Issued in '83.
The three of us, Adi and Len
and I, founded a company.
The activity of that company is
well summarized by this slide
for many years.
[LAUGHTER]
There was really no market and
nothing happening for a while.
Eventually we hired Jim
Bidzos, who I'm convinced
could sell snow to the city of
Boston in the middle of winter.
Very sharp business man,
and very sharp technically.
And he was able to get a
first license to Lotus; Lotus
Notes embedded some
of the RSA technology,
and was able to grow
the business after that.
So he really made this fly.
The RSA conference series
got started in '91,
in part to bring
together people who
cared about public
key cryptography,
and also to talk about crypto
policy, which was starting
to boil up at that time.
Today, Jim runs
Verisign, which is
doing a great business of
the notion of certificate,
which was invented here
by Loren Kohnfelder.
There's 1.3 billion
certificate checks
per day done by
Verisign right now,
and 65 billion DNS
requests per day,
which will soon be authenticated
with public key crypto
with the NSA.
So this is all happening--
growing up very nice
to build a secure public
key infrastructure.
RSA itself, the company got
sold to Security Dynamics,
which is now part of
EMC, a local company.
But actually not only
Jim made an effort;
there was another fellow
who had a big contribution
on the practical
development of cryptography,
which was Tim Berners-Lee.
Sir Tim Berners-Lee.
He deserves the
[INAUDIBLE] the invention
of the World Wide Web.
Just like radio, Marconi's
invention of radio
made cryptography essential
for that communication medium.
The web itself, as a
communication medium,
really drove the demand
for cryptography.
People are communicating all
over the place on the web,
doing commerce and so on too.
The demand for cryptography
blossomed with the web.
So without that,
I think we'd still
be thinking about
potential implications
rather than doing
real applications.
Policies, I said, started
to become an issue.
The birth pangs of
cryptography coming away
from being a purely intelligence
agency kind of business
into becoming a tool
of ordinary commerce
were not easy, and there were
many debates, discussions,
and policy steps forward
as this happened.
There was an early
attempt to chill research
by a fellow who worked at NSA.
He wrote a letter that
said that you may
be violating the International
Traffic in Arms Regulations
by publishing this
kind of stuff.
It turns out there's a
nice exemption in the ITAR
for academic research.
But MIT had put
together a committee.
MIT, I found was very
supportive for doing work
in these kinds of various--
where deep policy decisions
need to be talked about.
Francis Low, Dertouzos, Walter
Rosenblith, John Deutch,
and myself, and
others had a committee
where we talked about
these kinds of policies,
and decided that really,
the law was clear.
We could go forward
with this, and we did.
The government, meanwhile,
tried to continue
to control things and
propose that everybody should
use crypto chips that had keys
that they could read and so on.
Big brother inside,
and that didn't
fly very well,
particularly when it
was revealed that they
had technical flaws
in their proposal.
Today, the world is
much more harmonious.
I think everybody realizes we
live in an information based
society where information needs
to be authenticated, protected,
and good crypto security is
part of the whole cybersecurity
picture that we need
to be working towards
to make our information
infrastructure work
the way we want it to.
That's not entirely
unanimous, but I
think we're pretty much there.
Attacks.
So life is never rosy in the
crypto world all the time.
That number that we published
in Martin Gardner's column
back in '77, that's it right
there, that 129 digit number,
eventually was factored using
some new algorithms and a bunch
of volunteers all
over the internet,
to this product of a 64
digit prime and another 65
digit prime.
It was about 5,000 MIPS-years.
A MIPS is a million
instructions per second machine,
so that's maybe not a
lot by today's standards,
but it was a distributed effort.
Very nicely done, and they got
the secret message out too.
"The Magic Words Are
Squeamish Ossifrage,"
was the secret message
that was published.
We never thought anybody
would see those words.
We just picked them at random
out of the dictionary, so.
We thought if they got them,
we'd recognize them again.
There's the folks, there's me
on the left with the four guys.
They've got their squeamish
ossifrage t-shirts on.
They're holding a long print
out of the number they factored.
It's [INAUDIBLE] in
the suit, he always
wears a suit, and the check
that we gave him for $100.
That was the cheapest purchase
of computation time in history.
How are we doing, then, on factoring?
RSA depends on the
security of factoring.
So what's happening with
the art of factoring?
So this is the chart of
the recent benchmark.
So the dot on the left
is the factorization
of RSA-129, a 129-digit number.
The most recent
factorization is the dot
on the right, which was a
factorization of what's known
as RSA-768, a 768-bit number.
That's 232 decimal digits.
So they've been making progress.
Computers have been
getting better.
Algorithms have gotten better.
The line at the top is for a
normal high security RSA key,
it has 248 bits.
That's 616 digits.
So are they going
to get up to there?
I don't know.
There's lots of primes.
So if we have to raise
the barrier again,
that's not hard to do.
That's one of the nice things
about a scheme like this.
We're working with laws
of computation here.
We don't know what they are yet.
Factoring could be
an easy problem.
It could be that factoring a
million-digit number turns out
to be easy.
Maybe someone here will
discover such an algorithm.
In which case, all the
factoring based crypto goes away
and we have to think
of other things.
In fact, there are
other proposals
around that could be used
as replacements for RSA,
and things like that, and
are being used concurrently
with RSA now.
But this is the kind of question
you get as a cryptographer.
How good are the
attackers going to get?
And you don't know
because you can't
prove that the computation is
difficult with the technology
we have.
Those are open questions.
Is P different from NP?
How hard is factoring?
We don't know.
Not only that, but
they're changing
the rules of the game a bit.
Peter Shor, who's
here at MIT, has
proposed-- he's a faculty
member in the math department.
I don't know if Peter's here.
Proposed a fast
factorization algorithm
that's based on fundamentally
different computational
architectures, based on the
use of qubits and quantum
computation.
This works, in principle.
If you can build a
quantum computer,
you should be able to factor
in polynomial time, very
large numbers.
Building a quantum computer
seems to be a challenge.
I don't expect to see
big ones built, actually,
but that's just a guess,
or maybe I'm just biased.
So far they've been able to
factor 15 with a small one,
and that's an enormous
accomplishment.
So they may build up to
bigger numbers later on.
We'll see.
It's an interesting
technical question,
can you build a large
quantum computer?
Once you do it,
you've demonstrated
that you can do it, then
nobody uses RSA anymore,
and you got no market for them
whatsoever because it's not
clear still what you use quantum
computers for, except breaking
RSA.
[LAUGHTER]
So dark clouds on the
horizon for RSA, maybe.
Now, remember we had
the public key leg.
We also had the other
legs of fast encryption
that were not public key style
with RC4 and digital signatures
where we needed a hash function.
So Xiaoyun Wang, a professor
at [INAUDIBLE] University now,
and colleagues, have
worked about 10 years
to pick apart the internal
details of MD5, that hash
function that I proposed.
They worked very, very hard at it
and finally figured out that,
in fact, it was defective.
That in fact, if you're
clever enough, and they were,
you could come up with ways
of creating pairs of messages
that had the same hash value.
So a signature for
one message would
look like a signature
for another message.
It's a disaster.
So they really broke it open,
and they not only broke MD5,
they broke lots of
other hash functions
that had been modeled on MD5.
So it was a major breakthrough.
It doesn't mean hash functions
are impossible in principle.
In fact, it seems
quite likely that you
can build good hash functions.
NIST, which has gotten a little
gun-shy about some of this,
has started a competition
for a new hash function
for a national standard.
It's called the
SHA-3 competition.
We had submitted an entry
from MIT here as part of that.
We're not in the
finalists running,
but there's a lot of
good candidates who are.
It's an interesting competition.
So hash functions
took a beating there.
More new directions, so.
The field has really blossomed.
There's lots and lots of
wonderful stuff happening
to cryptography.
I don't have time to tell
you about everything.
I mean, if I did, then we'd
go into an hour lecture
on each of these topics.
There's just lots and lots
of interesting applications,
theoretical foundations,
development of definitions,
oblivious transfer
of key linkage,
proxy encryption, payment
systems, whatever.
So there's lots of
interesting stuff.
A typical crypto
conference will have
talks on many of these topics.
So the field has blossomed.
It's not just refinements
of the same notions
we started with in
encryption signatures,
but there's lots
of applications.
There's multi-party
computation, what happens when
you start losing your keys.
Do other kinds of weird things
like oblivious transfer.
Can I give you a
message and such-- no,
I won't even define
it right now.
But lots of fun stuff.
So I'm going to talk
about four of them.
Zero-knowledge proofs, payment
systems, voting systems,
and homomorphic encryption.
So, the first one I didn't
have anything to do with,
but it's such beautiful stuff
I can't help but mention it.
So I'll talk about that.
And then payment
systems, voting systems,
and homomorphic
encryption, which
I had some connection with.
Zero-knowledge proofs.
So this is a notion developed by
professors Goldwasser, Micali,
and Rackoff, and refined
by Goldreich, Micali,
and Wigderson.
So, I sort of wrote a
haiku here to describe it.
The definition is,
I can convince you
that I know a solution to a
hard problem-- like factoring,
I know the factor of
some number maybe--
while telling you nothing
about the solution itself.
OK.
So I can tell you that I've got
it, and if I gave it to you,
you would know that
that was it, but I'm not
going to give it to you.
You're not going to see.
You're going to be
frustrated, but you'll
know that I've got it
and I've got it right.
Beautiful notion, right?
Wonderful notion.
And even if you're very
skeptical, I can convince you.
Have more dialogue [INAUDIBLE]
So it's a beautiful notion, has
lots and lots of applications
within cryptography.
Secrets are the essence
of cryptography.
This shows how to keep a secret
while using it to convince
somebody that you've got it.
Right, so having
secrets lost when
you're working with them is
the bane of cryptographers,
and this shows that
you can keep a secret
and still use it
effectively for the purpose
of convincing somebody
that you've got it.
Wonderful work.
I didn't have anything
to do with this.
I said this is
[INAUDIBLE] and others.
Very useful.
That's one thing.
Just trying to give you a
flavor, a sampling of some
of the things that
cryptographers
have been playing around with.
So that's one.
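As an added illustration (not from the talk, and not code by Rivest or the authors he names), here is the Fiat-Shamir style square-root protocol of the kind just described: the prover knows s with v = s^2 mod N, and extracting such an s from v is as hard as factoring N. The toy modulus, the 40-round default and all function names are this example's own choices.

```python
import secrets
from math import gcd

# Toy modulus, constructed for the demo: a real one would be ~2048 bits.
P, Q = 1000003, 1000033
N = P * Q


def keygen():
    """Prover's secret s and public v = s^2 mod N.
    Finding a square root of a random v mod N is as hard as factoring N."""
    while True:
        s = secrets.randbelow(N)
        if s > 1 and gcd(s, N) == 1:
            return s, pow(s, 2, N)


def honest_prover(s):
    """Returns (commit, respond) for a prover who really knows s."""
    def commit():
        r = secrets.randbelow(N - 2) + 2        # fresh random r every round
        return r, pow(r, 2, N)                  # keep r, publish x = r^2

    def respond(state, e):
        r = state
        return r if e == 0 else (r * s) % N     # y = r * s^e
    return commit, respond


def cheating_prover(v):
    """A prover who does NOT know s can only guess the challenge bit in advance.
    Guess 0: commit r^2 and answer r.  Guess 1: pick y, commit x = y^2 / v so that
    y^2 == x * v.  Either way the other challenge has no valid answer, so each
    round is passed with probability 1/2 and 40 rounds with probability 2^-40."""
    def commit():
        guess = secrets.randbelow(2)
        y = secrets.randbelow(N - 2) + 2
        x = pow(y, 2, N) if guess == 0 else (pow(y, 2, N) * pow(v, -1, N)) % N
        return (guess, y), x

    def respond(state, e):
        guess, y = state
        return y if e == guess else 0           # wrong guess: nothing valid to send
    return commit, respond


def verifier_check(v, x, e, y):
    """The verifier's test each round: y^2 must equal x * v^e (mod N)."""
    return pow(y, 2, N) == (x * pow(v, e, N)) % N


def run_protocol(v, commit, respond, rounds=40):
    """Interactive proof: every round the verifier flips a fresh challenge bit.
    Returns True only if the prover answers all rounds correctly."""
    for _ in range(rounds):
        state, x = commit()
        e = secrets.randbelow(2)
        y = respond(state, e)
        if not verifier_check(v, x, e, y):
            return False
    return True


def simulate_transcript(v):
    """Why the verifier learns nothing: an accepting transcript can be produced
    without s by choosing e and y first and deriving x = y^2 / v^e, so a real
    transcript carries no information that this one does not."""
    e = secrets.randbelow(2)
    y = secrets.randbelow(N - 2) + 2
    x = (pow(y, 2, N) * pow(pow(v, e, N), -1, N)) % N
    return x, e, y


if __name__ == "__main__":
    s, v = keygen()
    commit, respond = honest_prover(s)
    print("honest prover accepted:", run_protocol(v, commit, respond))
    commit, respond = cheating_prover(v)
    print("cheating prover accepted:", run_protocol(v, commit, respond))
```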
Probabilistic Micropayments.
So this is an issue that
Silvio and I got involved
with around 10 years ago.
Paying for music over
the web and small payment
seemed like it ought
to be going somewhere.
So we said, what's the best
we can do as cryptographers
to come up with a
payment system that
works efficiently and securely?
So we took the idea, which was
not new, of probabilistic payments,
and made it secure.
So a probabilistic payment,
if I want to pay you a dime,
I'll pay you a dollar with
probability of one in 10.
The expected value is
the same, and if you're
selling lots of
things, like you might
be if you were a music merchant
or something like that,
it all works out in the end.
So how do you flip coins
fairly in such an application?
Well we use pseudorandom
digital signatures,
some nice cryptography
to make that work,
and there's lots more
details on how that works.
But it was an attempt
to take this perceived
need for an efficient
probabilistic payment
system, make it efficient
for very small payments
where credit card companies
were charging lots
and lots for each payment,
and make it efficient just
between the two
parties, primarily.
So we founded a company
and there's a MIT patent
involved in all that too.
So the short story is it didn't
go too very far as a business.
Wonderful theory stuff,
but as a business
I think we were
ahead of our time.
That's the officials
[INAUDIBLE].
Didn't make that.
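An added example, not from the talk and not the Micali-Rivest scheme's own code, of the fair coin flip described above: the payee's deterministic signature on each dime check decides whether that check is one of the one-in-ten that gets cashed for a dollar. HMAC-SHA256 stands in for the deterministic signature, the payer's own signature on the check is left out, and the names and parameters are this example's assumptions.

```python
import hashlib
import hmac
import secrets
from fractions import Fraction

# Constructed demo parameters: a dime per item, paid as a $1 check one time in ten.
MICRO_CENTS = 10
WIN_PROBABILITY = Fraction(1, 10)
CHECK_CENTS = int(MICRO_CENTS / WIN_PROBABILITY)   # 100 cents: expected value per item stays 10


def make_check(payer: str, payee: str, serial: int) -> bytes:
    """The payer's check for one item. In the full scheme the payer signs it;
    here it is a plain record, since the demo is about the payee-side coin flip."""
    return f"{payer}|{payee}|{serial}|{MICRO_CENTS}".encode()


class Payee:
    """The merchant. Its secret key stands in for a deterministic signing key."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)
        self.winning_checks = []            # only these are ever sent to the bank

    def deterministic_signature(self, check: bytes) -> bytes:
        # HMAC-SHA256 as a stand-in for a deterministic signature: the same check
        # always gives the same value, and nobody without the key can predict it.
        # That is what makes the flip fair: the payer cannot craft losing checks
        # (it cannot see the key) and the payee cannot re-roll (it is deterministic).
        return hmac.new(self._key, check, hashlib.sha256).digest()

    def is_payable(self, check: bytes) -> bool:
        sig = self.deterministic_signature(check)
        # Map the signature to a point in [0, 1); the check is cashable iff it lands below 1/10.
        point = Fraction(int.from_bytes(sig[:8], "big"), 1 << 64)
        return point < WIN_PROBABILITY

    def receive(self, check: bytes) -> bool:
        payable = self.is_payable(check)
        if payable:
            self.winning_checks.append(check)
        return payable


def simulate(n_items: int, payee: Payee) -> dict:
    """Sell n_items to one payer and compare what is owed with what the bank pays out."""
    for serial in range(n_items):
        payee.receive(make_check("alice", "bob", serial))
    winners = len(payee.winning_checks)
    return {
        "items": n_items,
        "winners": winners,
        "owed_cents": n_items * MICRO_CENTS,
        "paid_cents": winners * CHECK_CENTS,
    }


if __name__ == "__main__":
    # With 10,000 dime purchases about 1,000 checks win, so about $1,000 is paid
    # against $1,000 owed; the bank handles 1,000 transactions instead of 10,000.
    print(simulate(10_000, Payee()))
```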
So voting systems.
I've spent a lot of time these
days talking about voting,
and I think cryptography has a
role to play in voting as well.
There's a whole spectrum of new
cryptographic voting systems,
Chaum, Neff, Benaloh,
Ryan, myself, Adida,
others, trying to take
the classic problem,
how do you vote securely?
How do you vote verifiably, and
make it as real and workable
as we can, using the best
technology that we have?
So a lot of the proposals
that we're looking at
have the following character.
You vote, perhaps on paper,
you take your ballots,
you post them on the
web in encrypted form
so that anybody can see them.
You can see that your vote is
posted in properly encrypted form,
and because it's encrypted,
you can't sell your vote.
That's always a problem
with voting systems.
And the crypto
works in such a way
that anybody can verify
that the tally is right.
You add up a bunch of
ciphertext and you can
see that the number is right.
There's some cute math for that.
Not everybody likes
cute math and voting.
There's some issues
with persuading people
that this stuff
really does work,
and that you can believe
the results without having
to do all the math as well.
And in fact, the fact
that you can do it
with paper ballots
that can be recounted
by hand or statistically
sampled and counted by hand,
gives comfort to people who
aren't mathematically oriented
as well.
Voting really has to
satisfy everybody.
It's a challenge.
So cryptography here,
though in some sense,
increases the transparency
and verifiability.
So it may be that
large prime numbers
will have a role to play in our
democracy down the road a bit.
This is a very promising
area, and we're actually
seeing at least
one jurisdiction,
Takoma Park, Maryland, has
used one of these systems
in the recent election
and they use it again.
Finally, fully
homomorphic encryption,
one of the hot
buzzwords of the field.
Back in 1978, Mike
Dertouzos was running
the Lab for Computer
Science at the time.
And Len Adleman and I
came upon the question,
can you compute
on encrypted data?
Can you work with data that's
been encrypted piece by piece,
and take the pieces, combine
the pieces while leaving them
encrypted in such a way that--
so you take two ciphertexts,
you combine them and you end up
with a new ciphertext in such
a way that the
underlying plaintext
for that new ciphertext is
the appropriate operation
on the underlying plaintext.
So this is what the mathematics
would call a homomorphism.
And if you have a
cryptosystem that's
homomorphic for a sufficiently
rich set of operations,
you can do arbitrary
computations.
We couldn't see how to do this.
We asked the question.
So we get some credit
for asking the question,
but we couldn't solve it.
Right, and so it was
just solved recently
by this guy, Craig Gentry.
Wonderful solution based on,
not number theory really,
but lattices, and
some technology that's
been evolving in that
direction of hard problems.
There's some hard
problems involving
lattices over the integers.
And it works.
You can do arbitrary
operations on encrypted data,
keeping it encrypted.
So if you're a cloud
computing service provider,
maybe you can work on your
client's encrypted data,
providing the encrypted
results they want,
and not running
any risk yourself
of disclosing
the client's data.
That's the dream.
It's not very efficient yet.
There's a lot of work to
do to make it efficient.
So that's the fourth of
my sampler things here.
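The ballots that "add up" in the voting section above and the ciphertext-combining property just described rest on the same mechanism, shown here in an added example that is not from the talk: exponential ElGamal, a scheme homomorphic for addition only (not Gentry's fully homomorphic lattice construction). The parameters P and G, the function names and the brute-force decoding of the small tally are this example's assumptions; a real verifiable election also attaches zero-knowledge proofs that each posted ballot encrypts 0 or 1, which this example omits.

```python
import secrets

# Toy public parameters, constructed for the demo (real deployments use ~2048-bit
# or elliptic-curve groups). 5 generates the multiplicative group mod this prime.
P = 1000000007
G = 5


def keygen():
    """Secret x and public h = g^x. In an election x is held by the tallying authority."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def encrypt(h, m):
    """Exponential ElGamal: encrypt g^m, so that multiplying ciphertexts adds exponents.
    Fresh randomness r per ballot keeps two identical votes from looking alike."""
    r = secrets.randbelow(P - 2) + 1
    return (pow(G, r, P), (pow(G, m, P) * pow(h, r, P)) % P)


def combine(c1, c2):
    """The homomorphic operation: a componentwise product of two ciphertexts is an
    encryption of the SUM of their plaintexts, and anyone can compute it."""
    return ((c1[0] * c2[0]) % P, (c1[1] * c2[1]) % P)


def decrypt_small(x, c, max_m):
    """Decrypt to g^m, then recover m by searching 0..max_m (a tally is small)."""
    gm = (c[1] * pow(pow(c[0], x, P), -1, P)) % P
    for m in range(max_m + 1):
        if pow(G, m, P) == gm:
            return m
    raise ValueError("plaintext outside the expected range")


def post_ballots(h, votes):
    """Each vote (0 or 1) is encrypted separately; this list is what goes on the web."""
    return [encrypt(h, v) for v in votes]


def public_total(board):
    """Anyone can fold the posted ciphertexts into one encryption of the total."""
    total = board[0]
    for c in board[1:]:
        total = combine(total, c)
    return total


def tally(h, x, votes):
    """End-to-end: post, combine publicly, decrypt only the combined ciphertext."""
    board = post_ballots(h, votes)
    return decrypt_small(x, public_total(board), len(votes))


if __name__ == "__main__":
    x, h = keygen()
    votes = [1, 0, 1, 1, 0, 1]           # constructed sample ballots
    print("yes votes:", tally(h, x, votes))   # 4, without decrypting any single ballot
```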
So where are we going?
What's next?
Well, it's hard to tell where
the field's going to go.
Making some of these
crypto results practical,
I think is a theme that
we'd like to see more of.
It takes the classical
20 years or something
like that, before the
publication of a paper--
its appearance in
reality, I think.
And so we're starting
to see the time
when some of the
theory work should
be appearing in practice more.
Is factoring really hard?
I don't know.
We don't know.
We'd like to know.
Because we have to assume
things like factoring is hard,
it's good to have
crypto where we're
minimizing the assumptions.
So we don't want
to make assumptions
that are unnecessary
or possibly false,
and so we need to design
crypto to minimize
how many mathematical
assumptions we make,
how many complexity
assumptions we make.
Showing P is different
from NP would be wonderful.
Showing they're
the same would be
really tough for cryptography.
Finding out whether quantum
computing is practical,
that's a challenge
in its own right,
and it has bearing on
crypto as you've seen.
The interface between
crypto and reality
is still a bit tenuous, though.
And smartphones--
everybody's got a smartphone.
Alice and Bob communicating
and doing exponentiations
together is fine, but in
practice, Alice and Bob
don't do the math
in their heads.
They've got smartphones
that do it for them,
and there's user
interfaces to consider.
There are software
vulnerabilities in the software
stack for the smartphone.
The whole business of
grounding crypto, which
is this sort of ideal world,
on technology that's fast
changing and full of
bugs is a problem,
and we need to
work harder to try
to make cryptography robust
in that kind of a working
environment.
Finally, for a
challenge, if you'd
like to think about
something, there
was a 35th anniversary
party we had not too
long ago for the Lab for
Computer Science and the AI Lab
as we were merging.
So we put together a
crypto puzzle there,
and that's a puzzle which
was designed to be solvable
in 35 years.
So that was our 35th
anniversary party.
We said, let's have
something which
should be solvable in
precisely 35 years.
So I designed some-- of course,
I haven't been terribly good
at some of my estimates.
So we'll see how that goes, but
it should be solvable in 2034
with the technology we estimate
will be available by then.
You can find that on
the website there.
And the time capsule, as
it's called, will be opened.
It's just a big lead sack, but
I'm not sure anybody actually
knows where that is right now.
[LAUGHTER]
It's somewhere around.
So conclusions, so
cryptography, this
is a wonderful field
of work and there's
lots of different things
that it brings together.
It's not a solution to all
of our security problems,
but it's an essential
component of any solution
that you want to put together.
And research in these areas
is really a nice blend
of lots of different things.
Mathematics, statistics,
algebra, number theory,
theoretical computer
science, complexity theory,
electrical engineering,
psychology, user interfaces,
software, and
development and so on.
It's sort of like the
mid-east of research
because everything
goes through it.
[LAUGHTER]
It's just wonderful that way.
We've done a lot
in a few decades,
but there's a lot more to do.
Like Alice and Bob,
cryptography is here to stay
and it's a lot of fun.
So I'd like to close by
thanking all of my colleagues.
MIT is a wonderful
place to work,
and the environment provided
for this kind of research
has just been fantastic.
I've listed here some of my
co-authors and colleagues
that I've worked with on
this, and some of the students
that I've worked with as well.
It does not list all of the
students who graduated out
of our cryptography group,
or all of the visitors
that we've had come
by, and so on too,
but it's been a very rich,
rewarding kind of community
to work within, and
very productive.
I'd also like to thank
Be Blackburn, my assistant,
for all her support.
My family, my mother and
father, and Gail, my wife,
and Alex and Chris, my boys,
for their support as well.
I live this chaotic life.
So thanks to all of you,
and thanks for this award,
very much.
I very much appreciate it.
[APPLAUSE]
I'd be happy to answer
questions if there's questions.
This wouldn't be MIT
if we don't allow
an opportunity for
questions, challenges,
solutions to the puzzle,
are also a possibility.
We have microphones
here if you would come.
I invite questions for Ron
about this fantastic work.
Go ahead.
No, I've given my thought.
OK.
I'll ask first one
if that's all right.
OK.
That is, one of the questions
that many of us get asked,
is where do your
ideas come from?
What's the source of all
this creative energy,
and what have you found outside
and just doing equations?
Where does the
inspiration, where
do the ideas for the next--
So I think cryptography,
a lot of the ideas
are driven by-- good question.
I think cryptography is
driven a lot by applications.
You can sort of sit back and
you can say, well what is it
we're trying to do?
We're building this
information structure.
The functionality of--
All of a sudden you've
got smartphones in your pocket.
What are the security
issues with your smartphone?
Or you're trying to do payments.
How do you make payments work?
So there's a lot of
natural questions
that just fall out of
the evolving information
technology.
Say how do we think about
what's happening there?
How do we deal with
people losing passwords?
How do we deal with
trusting somebody
too much in a scenario?
So the situations give rise
to the technical questions,
and if you can just sort
of crystallize them out,
and so I think a lot of
the problem formulation
is really driven by
observation of what we're
trying to do with this
information structure
that we're building.
The technical ideas
how to approach them,
I don't know that
those are-- I think
they come out of the little
water that falls on your head
when you're taking a shower.
[CHUCKLES]
The real world is the source.
Are there practical
alternatives to RSA
that don't depend on hardness
of factoring or other number
theory problems?
Yeah, great question.
It would be a shame if RSA were
the only alternative out there
because it is vulnerable,
and factoring could fall.
But there's a popular
suite of algorithms
based on elliptic curves,
which are used as well.
They are again, potentially
vulnerable to some quantum
attacks, and so on.
There are schemes
based on lattices.
So a lattice is
a space of points
in a high-dimensional space
with integer coordinates,
and you can add points,
and do things like this.
There's a lot of interesting
questions, like can you
find the closest point in the
lattice next to a given point,
and things like this.
So there's a rich suite of
foundational problems to work.
We need more.
Cryptography is a great
consumer of hard problems.
So if you come up
with a problem,
I just can't solve this.
Give it to a cryptographer.
Maybe he'll be able to
make a cryptosystem out
of it or something.
You get the nice benefit
if you've got a problem.
Either you can solve
it, and that's nice,
or you can't solve it,
and then you can use it
as a foundation for a problem.
But elliptic curves
and lattices are maybe
the two worth
mentioning right now
as alternatives to the basic
factoring-based things.
There's some discrete
log things that
are very close to
factoring as well.
There are alternatives
out there.
We teach classes
about this stuff.
You can come learn about
all the alternatives
in some of the classes.
This is a little bit away
from your main focus,
but I just spent January
reading a large number
of recommendation letters
which arrived digitally,
and most of them had
signatures pasted in,
which is a wonderful
way of verifying
that this letter really
came from this person.
Now, I personally
set myself up to be
able to do real
digital signatures,
but it cost me $600 a year, and
it required a certain amount
of savvy about computers.
So why is it that we haven't
reached a point where everyone
can easily sign their
messages, and have
some assurance the receiver can
verify that it was really them
that did it?
Yeah, I think
getting crypto to be
used in the real world is
largely a question of standards
and motivation.
I mean, there are
places where crypto
gets used easily and
naturally like Skype.
Skype is a closed
system that's built in.
Every Skype client has nice
cryptography built into it,
and when you're talking with
Skype, you're authenticated
and then communicating
nicely with the technology
they provide.
Email is a whole other
beast because everybody's
got different email clients.
You need standards that are
widely adopted and implemented
too.
People don't care
about e-mail security
enough to go through the extra
steps as you're talking about.
Maybe MIT should require
on all recommendations
that every recommendation
be digitally signed
with RSA, or elliptic
curves, or something else.
That would be fine, whatever.
It's even worse.
In many cases, a
digitally signed document
will not be accepted,
even by MIT.
Really?
Like a thesis.
I cannot sit in another
country and sign a PhD thesis
and submit it.
Point taken.
Those of us on the
theory side of crypto
say this stuff is
usable, but then
when you try to take
this, in principle,
usable theory, and
make it widely used,
this is the problem we had
with the micro-payments too.
It's hard to take ideas that
seem like they're potentially
usable, and get them
used to the extent
that everybody's naturally
using them.
Because there's a networking
effect with most technology
like this.
You've got to have a
fraction of people using it
before the people
join the bandwagon.
So some clever marketing.
Email, we do use security
a lot when you're browsing.
I mean, the places where
you think you might need it
the most-- email is not
a high security domain,
most of the time.
Mostly it's spam and
letters from your friends
that you can
recognize because it's
what they're talking about.
But someplace where
you're dealing
with an unknown
website, potentially you
want to buy something from
Amazon or something like that,
you want to know it's
really Amazon's site.
So their cryptography is
working well, I'd say.
You have certificates
for those websites.
You can identify them as being
the right partners to talk to.
But things like MIT
recommendations,
we've got a ways to go.
So modern cryptography
is I think
most effective when
everybody uses it,
or everybody's willing to.
But RSA is, among the
protocols I know of,
almost unique in that
people used it widely
while it was still patented.
And I'm wondering what
you think the role is
of patents in
technology licensing
in modern cryptography.
Great question.
There's a lot of discussion
and debate about-- RSA
was patented by MIT.
The patent was very useful at
growing the business of RSA.
And the hypothetical
question is,
what would have happened
had RSA not been patented,
is an interesting one
to think about too.
I think RSA would still
have been used widely,
but not as widely.
It was really facing
a lot of challenges
to get that technology
out and used.
And particularly the
government attempts
to suppress the
evolution of RSA,
it could have succeeded had
not Bidzos put together the RSA
conference series where
there were a lot of people
talking explicitly about
this, and journalists
were covering it.
I think the
difficulty of getting
past some of these pressures,
plus the lack of market,
I think the thing
could have just
been a hobby curiosity PGP
and 0.01% of the population's
computers or
something like that.
It's hard to tell.
Anyway, the patents
expired, as patents do.
That's a good thing
about patents.
If you don't like
patents of this sort,
the right question
is probably, what's
the appropriate
duration of a patent?
I think patents are a
good thing, in general.
For software, patents
of some sorts,
I think maybe they
should be shorter.
I tend to think that the patent
business-- well, the patent
office is not working
that well right now.
They take forever.
But I think there's an
interesting set of questions
and discussions to have there.
And again, we have courses that
talk about that too, I think.
Not in our department.
Yeah?
Can you talk about
voting systems,
and if there's still theoretical
work that needs to happen?
Or is it more getting
government signed on,
getting people signed on?
So voting I think is still open.
There are lots of
good ideas there.
Ben Adida finished
a PhD here at MIT,
and had some wonderful ideas.
David Chaum and team with
Scantegrity in the Takoma Park
election are doing things.
I think the hard part
is getting a system that
meets all of the requirements
of voting systems,
including usability and
understandability by the people
that are using it.
And both usability
and understandability
are tough when you've got
cryptographic components
because you don't
want people typing
in long strings of digits.
You don't want to be a
requirement that you've
got to believe the crypto
in order to believe
the outcome of the election.
You would like to have
alternative means of verifying
the outcome as well.
So those are challenges.
I think we can meet
all those, but I
think there's work to be done.
Voting, I think, is where the
challenges are particularly
demanding because you have
to keep-- you want the voter
to be able to verify that
her vote was correctly
cast in a way where she
can't sell her vote.
That's the essential
different thing about voting
is that you can't let
people sell their votes.
Otherwise it's like
banking, and if they
want to show their
bank account that's
fine, just doing transactions
remotely or something.
But voting has this
unique requirement
that you can't set up
a voting system where
people can sell their
votes, and so it's
really tough, technically.
And then glaring on top
of that, the usability
and understandability
requirements and so on too.
We'll get there, and
there's work to be done.
Yes, sir.
Professor, you mentioned
quantum computing
as one pillar of quantum
information systems science.
Could you give me your take
on quantum key distribution
and some of the nascent
systems and companies
that are out there?
Quantum key distribution, I
haven't paid a lot of attention
to them.
I think they're
interesting, technically.
I think the business market
for them is probably not there.
I think that giving
keys around effectively
is the heart of a lot of
cryptographic problems.
Doing the set up, people sort
of sweep that aside and say,
how do you get the keys
established in the first place?
What does the quantum
key distribution buy you?
It buys you a certain
amount of, in principle,
protection against
advances in computation.
But those advances
haven't materialized yet.
It's probably a
better economic choice
for most users of
cryptography to go
with some of the
classical things, I think.
But they're fun to play with
and experiment with them,
and they get easier to use
over time like anything else,
and maybe they'll shed some
light on quantum computation
too, and integrate with that.
Yes?
How far ahead do you think
intelligence agencies are?
Or behind?
It depends on what--
The question was how far ahead
or behind are intelligence?
I don't know.
I have no security
clearances, so [INAUDIBLE]
speculation on my part,
but I in terms of-- they
can certainly read everything
that the academic community
publishes, and they do.
And they show up at the
academic conferences
and don't say much of anything.
[LAUGHTER]
And they've got a long history
with internal secret journals
and stuff like that too,
where they develop things.
So they may be several
years ahead in some areas,
and behind in others.
They focus on
different problems.
The kinds of things that
academics care about,
like what are the real
foundations of cryptography?
What does it take to make
the right definitions
and how can you
disentangle carefully
those assumptions about
what needs to be assumed
for secure cryptography?
I don't think that's
the-- well, maybe it is.
But I speculate that that's
not the kind of thing
that they work as hard on
as their other problems.
Like how do you manage
petabytes of data
coming through their
antennas every day?
Which is more of what
they have to worry about.
So I don't know.
I mean, I really can't answer.
I think in many ways
the academic community
and the intelligence
community are fairly collegial
these days, as much
as they can be,
given that they can't say much.
This isn't really
about cryptography,
but politicians are for sale.
Our political system is awash
in corporate and other cash,
why not let voters
sell their vote?
[LAUGHTER]
Why not have people be able
to do auctions for their vote?
[INAUDIBLE]
This country has a long history
of people selling their votes.
It's alleged that--
Dead or alive.
What?
Dead or alive.
Yeah, dead or alive.
So there's a nice
book called Steal This Vote
by Andrew Gumbel, which
documents a lot of this.
My own personal
take is it's better
to have voting systems
where the voters are not
subject to bribery or coercion.
That will end up
with a better result.
You take your political system
and pick your consequence.
Hi, Ron.
Hi, Albert.
Speaking of
[INAUDIBLE] reminds me
of a fight I got into
with a classmate who
was the director of
[INAUDIBLE] back in the '80s.
And he told me that his people
had discovered RSA years
before you.
And my thought to that was
sort of outrageous theft
of your intellectual
entitlement.
For those people who
chose to be secret,
they had no right to be
making a claim like that.
So my question is, has that
ever been substantiated?
I had the one slide there about
James Ellis, and Clifford Cocks,
and Malcolm
Williamson, who claimed
to have invented the notion
of public key cryptography.
And this is not in the
US, this is in Britain.
There are documents which
describe, in some detail,
what they claim they've
invented back in the early 70s.
It's only a couple
of years before RSA.
They just put in the drawer.
They didn't know what
to do with it either.
I don't know what level
of proof you want.
I mean, they could all
be making this all up.
I don't think they are, but--
No, I was told about
stuff going on in NSA.
I don't know.
Again, I don't have clearances.
I haven't heard that rumor.
I think that the NSA knew about
some of the British inventions,
and maybe that's what
was being referred to.
I'm not the right
guy to ask on that.
Well, I think we
can all see why Ron
is the recipient of really
one of the highest awards
that we can provide at MIT.
The James R. Killian award is
a very, very special award.
It's been an award of peers
for enormous contributions
to the community
and to the field.
And so I think this
is just fitting to see
the brain versus
the age, [INAUDIBLE]
people here and your
colleagues who are here
to not only recognize, and
join with you in learning more
about this field.
But I'll end with a
prediction that maybe we
should have a bet
that your 35 year time
horizon will be too long.
Someone in this group--
[LAUGHTER]
So, congratulations.
Thank you.
[APPLAUSE]
