# π¨π¦ Alfred Menezes & Nick Sullivan βΒ In Conversation

**Cloudflare Research**

Join Cloudflare's Head of Research, Nick Sullivan, for a special conversation with Alfred Menezes, professor in the Department of Combinatorics & Optimization at the University of Waterloo, and a member of the university's Cybersecurity and Privacy Institute.

**Tune in all week for conversations with Canadian tech leaders as we celebrate the opening of Cloudflare's new office in Toronto, Canada! π¨π¦**

**Learn more on the Cloudflare Blog:**

#### Transcript (Beta)

All right, welcome again to Cloudflare TV. I'm here today with a very special guest. So I'd like to welcome Professor Alfred Menezes from the University of Waterloo.

Today is the day in which Cloudflare is announcing our launch of a new Canadian office in the province Ontario.

So this is a very special conversation. Alfred was my professor for the first cryptography class I took while I did my undergrad at Waterloo.

So this is going to be a great conversation and we'll get to hear about Alfred's history as well as I guess learn about this same class which he's teaching today.

So Alfred, hello. Welcome to Cloudflare TV. Thank you very much for having me.

It's great to see you again. Absolutely. So let's get a little bit into your history with cryptography.

How did you first become interested in the subject?

So I was really a third year undergraduate student at the University of Waterloo and after my third year, Professor Scott Vanson who had taught me a course, he hired me as an undergrad research assistant.

This was in 1986. And in the end, he really, it was a make-work project.

It was basically to read the literature in cryptography which was very new at the time and compile a bibliography.

So it was complete make-work although I didn't know that at the time. And so I'd spend, you know, the days in the library just reading journals and reading papers and compiling them.

The other cool thing was, this was in 86, it was during the World Cup soccer which was in the U.S.

So basically I would go to work and then spend the mornings watching soccer on TV and then do my work in the evenings and nights and I just thoroughly enjoyed the freedom of doing what I want to when I want to and, you know, learning interesting things.

So that really got me hooked.

Yeah, so what type of topics did you study in this first project with Dr. Vanstone?

So there was a little work other than the make-work project. They were building a hardware chip to do arithmetic in the field GF 2 to the 593.

This was meant to be used in the log cryptosystems, you know, which at the time was feasible to do because building chips with RSA was very difficult at the time.

So we knew how to do it but when people built the chips they just wouldn't work because the hardware technology wasn't there.

So the arithmetic in this field was a bit easier. So they were designing nice architectures and actually building chips to do Diffie -Hellman in GF 2 to the 593 and I think 1013.

These things are totally insecure now, by the way.

Yeah, I was going to say that. Is there anything still encrypted with those with those chips, do you think?

Hopefully not. Apparently they weren't like fax machines with, you know, they might still be used, who knows if people use faxes still.

So but hopefully no one uses those anymore. Yeah, hopefully not. It's amazing how fast technology moves but with cryptography you really have to prepare for the long-term future with respect to what you encrypt and what algorithms you use.

So after doing this first project, how did you get further into cryptography?

What was your next step and where did that? I finished my undergrad and didn't really know what to do because I didn't think I had the skills to get a job, to be honest.

So I stayed on for a master's at Waterloo as a default and, you know, I ended up picking Scott Vanson as an advisor and you start talking crypto with him.

He was doing interesting things at the time, whether it's the mathematics, the cryptography, or the commercialization too.

So I just found the mix really amazing that someone could be doing, like, you know, abstract algebra and building chips doing it, which was, you know, really eye-opening to me.

So I sort of got hooked on this mix of mathematics, computer science, engineering, and commercialization at the same time.

Yeah, tell me a little bit more about what the field of cryptography looked like at the time.

What did commercialization mean in the 1980s in cryptography?

So maybe I'll just focus on, you know, what I knew with Scott Vanstone's group and then the company started with CertiCom.

So at the time they were promoting, first it was, you know, Diffie-Hellman over GF2 to the M, but then they started moving into elliptic curve cryptography, which seemed like something that was mathematical, but not really practical.

So he was really one of the first groups to really realize that this could be really useful and better than RSA, at least in the long term.

So in the first few days, it was really the first few years I was studying the mathematics of ECC, why the problem might be hard, how to implement things efficiently.

And the commercialization was mostly trying to, you know, gain some market share over RSA, which was dominant at the time.

So, you know, the initial push was to try to standardize this stuff.

And there was a lot of push from the RSA camp because they don't want something new coming in just because it threatens their product.

So it was a lot of the commercialization, a lot of behind the scenes fighting and standards organizations and trying to convince big companies that this is good technology and it's not something that they made up on their own and so on.

So there's a blend of all that standards, patents, implementation, software, hardware, the mathematics, the protocols, which was really an exciting part of being in cryptography, you can do all of that.

So the standards organizations that you work with, who were they and what were the dynamics involved?

You mentioned there was a lot of fighting or argumentation.

So the very first one I was sent to was in, I think, 93.

It was the IEEE P1363 working group, which was headed by Bert Kaliski of RSA Labs.

So they were trying to write a standard for public e-cryptography very generally.

And for weird reasons, the RSA and the Helman parts were blocked because of patent issues.

But for some reason, they allowed the ECC development to continue, even though technically they would fall under the general public key patents at the time.

But for whatever reason, they blocked RSA and Helman for at least a year, if not more.

And during that time, we were the only thing that was being developed so we could go to meetings and present things and convince people this was good.

So that really got the standardization going. And that standard really isn't effective anymore, but that led to the ANSI standard.

So it got the banking community on board, which was surprisingly initially held up by the NSA.

But at some point, the NSA just became completely on board with ECC in the ANSI standards.

And that was really a very surprising development. People were shocked by that.

Because until that time, NSA mostly tried to block strong crypto from being standardized.

They wanted the world to stick to DES and nothing else. And then from ANSI, the NIST standard was finalized in 2000.

And they basically just pointed to the ANSI standard.

OK. So this is kind of interesting, right? I mean, you had RSA and Diffie-Hellman, which were the first two major public key systems for digital signatures, encryption with public keys.

And then elliptic curves comes along somewhere less than 10 years later.

And this becomes the one that is allowed to move forward.

So what was your initial impression with elliptic curve cryptography?

What about it seemed interesting? You mentioned how it didn't seem feasible at the early date that you were working at it.

But as we all know, elliptic curve is still in very, very wide use and is considered almost as secure as it was in the early days.

So how surprising is that to you? And how did your thoughts and relationships with elliptic curves evolve over time?

So I got into this as a master's student.

And to be honest, my interest was mathematics then, not really applied cryptography.

So I like the mathematics. I got to read algebraic geometry books and algebra books.

And in the back of my mind, this stuff is actually sort of useful, which is really shocking.

So I like the math. Scott and his company, Certicom, they were really motivated to do the implementations and the commercialization.

And I got sucked into that as a side project through Scott, which I'm very grateful for the opportunity.

But that wasn't my main interests.

And eventually, I like the math. I like the protocols. I like the implementation.

I did a little bit of each of that in my early years working in the field.

And maybe to address one of the points is how we got people interested in believing that the problem is hard.

We started a conference at Waterloo in 1997. It was first called a workshop on the ECDLP.

That's a hard problem underlying the security of all elliptic curve systems.

It was a two-day workshop. We got experts to give talks and have a conference focused just on that topic.

The next year, we renamed it the elliptic curve cryptography workshop.

And it still exists today.

You've spoken at it before, I believe. Yeah, you participated this past October in the conference too.

Yeah. No, it's amazing that it's still going strong.

And how do you keep a conference workshop going where you're talking about a technology or an encryption mechanism that just hasn't been broken yet?

I guess, where does the interest come from?

By the way, elliptic curves, again, this year, they're safe.

What sort of interest is there? Yeah. So elliptic curves are beautiful mathematical objects which have all kinds of number theoretic applications for over 150 years.

And you're correct in that, for now, we use them for ECDH, which we fully understand.

And it's quite elementary now, and maybe a signature scheme.

But it turns out the other properties have found uses in things like pairings.

So for many years, pairings was a really neat field because you have to understand the mathematics of pairings, how to implement them securely.

And you had beautiful protocols you designed, starting with Dan Bonet's work.

Just amazing things.

It didn't end up being used very much as envisioned originally. But in the last, really, two or three years, cryptocurrencies, it turns out, needs all kinds of cool crypto, which pairings can provide.

And when you work in cryptocurrencies, if you have a nice idea with pairings, it can be used literally in a few weeks.

Normal crypto takes years to be deployed and accepted. In the world of cryptocurrencies, it gets used very quickly.

So that helps engender interest in the mathematics, the protocols, the implementations.

And that just keeps going.

There always seems to be something interesting that you can do with elliptic curves and other mathematical objects in cryptography.

Yeah. The latest being isogenies with post-quantum cryptography that also invigorated our conference because now all kinds of new mathematics is thrown into the mix.

And isogenies are something that you never would dream would have an application in cryptography, but you've actually used this stuff at Cloudflare.

Yeah. Yeah. It's really exciting to be able to take these concepts that are really late chapter algebra concepts that are really deep mathematical problems and then apply them to really concrete systems for helping secure data.

The pairings situation is also, again, something that I found pretty fascinating because it's evolved some features that seemed a little bit far out there, a little bit not as easy to understand as simple encryption and digital signatures.

Things like identity-based cryptography, attribute-based cryptography, and what could these really be used for in real data protection systems.

And it turns out there's a lot of applications. We recently launched a service called GeoKey Manager, which is based on pairings.

And part of my work at the CryptoForum Research Group that works with the ITF is there's a new standard that's coming along to standardize pairing-based cryptography because- Oh, that's very cool to hear.

It's really going to be used. And it's fun to see things that are, I guess, approaching adulthood in terms of age.

The VEY pairing was, I believe, 2003, somewhere around that time, but sometime in this millennia when it was first presented.

And so it's going to be 18 years old.

So it's an adult protocol and finally getting standardization and implementation.

Well, actually, it was my PhD thesis work where we used the VEY pairing in a destructive way.

Right. That was in the, when was this now, like 1990. Oh, 1990, yes.

The constructive application, really the first major one was by Dan Binet and his coauthor, whose name, Matt Franklin.

That was in 2001. 2001, right.

So this is the constructive use. Oh, yeah. So that's a famous attack that you helped put together.

Maybe it's worth explaining a little bit to the audience at a high level, what the MQV attack is.

So it's an attack which shows you how you can solve the ECDLP for some special elliptic curves, which it turns out were attractive for practical use at the time by mapping it to the log problem in finite fields, where the problem can be solved more efficiently.

So sort of a reduction algorithm, which took a hard problem to a different domain, where the problems have faster algorithms.

So it really just showed that certain elliptic curves are less secure than we would like.

So initially, the standards communities banned those curves from cryptographic use, because it turns out those are exactly the curves we need in pairing -based cryptography.

Right. A case where, when we found these attacks, some people actually threw their hands up and said, all ECC is bad, because all this mathematics and there's weaknesses, and you can break anything maybe in a few years.

So it scared them away from any ECC.

But 15 years later, they're going, these are cool curves, let's use them and stick everywhere.

So it was a strange example where something was believed to be dead, but then brought back to life in cryptography.

This doesn't happen in cryptography, once you suspect something like RC4.

RC4 is still kind of good enough.

I mean, if you just throw away a few bits here and there, you're good to go.

But no one will use RC4 anymore for any serious application, because it's just been tainted.

Right. And you mentioned isogenies. In particular, one of the algorithms is supersingular isogeny Diffie -Hellman.

And that's, again, supersingular curves, which is the category which seemed threatened at the time.

That's what the isogeny is.

The elliptic curve log problem does not need to be difficult. It's not related to the security of isogeny-based crypto, so it's just a totally different use of elliptic curves.

And for the listeners who don't know, but the cool thing is, in ECC, you send points back and forth.

With isogeny-based crypto, you send elliptic curves back and forth, and points.

But the main thing is elliptic curves, which is really cool.

Yeah. Well, I think we can probably get really deep into this.

And you and I have a very long conversation about this. But for the time being, let's take a step back and get a little bit more into how you ended up back at the University of Waterloo as a professor.

Yes. So again, my PhD was kind of by default.

I wasn't sure what to do with my life or didn't think I had the skills to work and why someone would hire me.

So I did a PhD by default. And then the job market was terrible in the early 90s.

But I was lucky to get a faculty position right out of my PhD at Auburn University in Alabama in the US.

So I moved down south for five and a half years until the opportunity came up to come back to Waterloo.

And I jumped at that chance and have been here since. Yeah. So I spent a lot of time at Waterloo.

I did my undergrad there. For the folks who aren't as familiar with the university, this is a global audience.

Tell us a little bit about the University of Waterloo itself.

So it's a fairly new university. It was just founded in 1957.

So it's not like the University of Toronto in Canada, which has a much richer history.

But from the first days, we focused on different things like engineering, math, computer science.

And we really pioneered the co-op system where about 75% of our students across all disciplines spend 24 months during their undergrad in internships, up to six of them, four months each.

So they go to school for five years instead of four.

They don't get a break at all. They do four-month school semesters, four-month work semesters, and jobs around the world.

So they finish with 24 months of work experience in many companies.

And so that really makes us very unique.

And that's the one thing we are good at is co-op. For example, I think we place about 18,000 students each year in internships.

The second biggest program in North America is Northeastern in Boston.

And last I read, they place about 3,000 students a year in internships.

So no school in the U.S. matches our scale for co-op.

Another nice feature is we have this Faculty of Mathematics.

So our own college with five math departments, which is quite unique, and 8,000 undergrads.

And again, that scale I don't think is matched anywhere that I know of in North America.

By the way, which departments were you in when you were an undergrad?

When I was an undergrad, I did pure mathematics and common networks and optimization, which are two of the big.

Pure mathematics was very much chalk on the chalkboard and writing proofs.

And common networks and optimization was a little bit more interactive, but also very good at helping elucidate some of the mysteries of how things can be counted in the world.

Very abstract, but also approachable subjects.

Yes, I think those are two big features of Waterloo is the co-op program, our mathematics faculty, and the fact that we have 8,000 undergrads in the math faculty.

Those numbers are really quite astounding. Yeah, that's amazing.

So what is it like to teach at Waterloo? I thoroughly enjoy it because I only teach students in the faculty of math.

So for example, I never need to explain to students why math is interesting.

They just don't ask the question because, I mean, they chose to come to a faculty of mathematics.

So even though their interests might be computer science, they're in the faculty of math.

And so they know they shouldn't ask me, why is math interesting?

Because my answer would be, well, why did you come here?

Well, it would be a quick answer. So they all have some interest in math.

So it's kind of nice when you have a big audience where you don't have to spend the energy just telling them this is actually interesting and useful.

They kind of know that. Also, because of large numbers of students, I can teach like my applied crypto class.

And this semester, I have 275 students in my class.

So it's amazing having such a large audience where a lot of students actually like the class.

It's not like they're taken because they have to.

It's a lot of real world stuff, a lot of ideas and concepts.

And for the most part, they like it, which is really fun to teach when you have a large audience that kind of really wants to be there most of the time.

How has that class been received over the years?

I know that cryptography itself as a subject matter has gone from being very niche to being something that has a lot more widespread appeal, if you will, or at least more well known in the mainstream.

First of all, how many years have you taught the class and how has the audience changed?

I taught the first version of this class in 2000.

So that's 21 years ago. I think I've taught it 16 times since.

I think when you took it, which was in 2003, 2004. I remember the room itself, probably out of 130 students was the maximum size.

But four years ago, the numbers jumped to 220.

I don't know why. My suspicion is that we had a lot of students trading in cryptocurrencies.

They use the word crypto, which is our word, but they use the word crypto and they probably, some of them thought that applied crypto meant cryptocurrencies.

So I suspect, I don't know for sure, this is why the numbers went up, but they remained high.

So we started offering the course twice a year.

My colleague Douglas taught it in the fall. There were 200 students and now 275 in my semester.

So the combined numbers have gone up to 475. They keep growing.

So there is strong interest among students. They like the mathematics. They like the applications.

Many use a little bit of security encrypted in their co-op terms.

So they want to know more. If nothing else, they have to click on certificates and do something there and they like to know what's happening behind the scenes.

So many come to the class already motivated to learn the topic because they've used it in their co-op work terms.

Yeah, it was one of my favorite classes in undergraduate.

So I really appreciate your commitment to teaching this to the next generation.

And speaking of which, it's been pretty difficult over the last year or so with all the changes due to the worldwide pandemic.

How have you adapted your teaching style or how has the class changes or how has teaching at Waterloo changed over the last year?

Yeah, so we've been online of course exclusively since March of last year.

Just a little story. March of last year when we shut down, we were near the end of our semester.

So we had one week to plan our last two weeks of video lectures.

And for people like me who have never used a webcam before, nor an iPad, nor recorded a video, we had no idea what to do.

So I eventually started recording using OBS on my MacBook Air, which is terrible for video.

I didn't know that. So my fan would kick in and dominate the sound.

And the only way I could fix it was I tried putting my laptop on bags of ice, which didn't really help.

So in the end, what I did was I would record one slide at a time.

In between slides, I would put my laptop in my freezer and then record the next slide.

It helped with the fan, but the condensation on the microphone and the camera meant my video quality was just absolutely awful.

So it was really kind of embarrassing just kind of trying to get through the last two weeks.

So in July, when I realized this is going to go on for a few months, so I'll be teaching online again in January, I decided to let me learn how this technology works.

I invested a couple of months on watching a lot of YouTube videos to learn how to make good videos.

So I put a lot of time and energy into my videos just because it was kind of fun.

It was amusing and an obsession too. So I pre -recorded all my videos, but there was a lot of editing and a lot of what I thought was creative editing, but who knows?

Okay. May I ask what is the creative editing? So the first thing, when I tried recording, I couldn't smile in front of the camera.

I just can't do it.

When I'm pre-recording to an audience, I won't even be seen for several months.

I could not smile. So I have fairly serious lectures, but I learned how to do memes.

I looked at meme sites, a lot of music. I started paying for a lot of music to get the right music I thought matched a joke or an intro or something.

So I have music. I learned how to use Keynote, which has a really nice animation.

I did interviews with several ex-students, which I can add to the lecture right after I introduced the associated crypto.

As the lecture ends with those words, I move on to a couple of ex-students who do that stuff in industry now.

So it was a really nice tie between the mathematics, the application and ex -students who teach this stuff, who I taught the math using in the real.

So I thought some aspects of the lectures were hopefully engaging to these poor undergrads sitting at home watching hours of boring, droning videos, because we just don't know how to do videos.

It's a new thing for us. Yeah, that sounds fun. I think that I would enjoy taking the class.

Are any of these videos available online? How do you interact with the students?

I put them through our learning management system and they're on YouTube, but unlisted.

I don't want the world to see them because my voice, I hate hearing my voice and the thought of people watching hearing my voice that I don't know just kind of makes me cringe.

I interact with students through office hours.

I've switched to GatherTown, which I think of as two-dimensional Zoom.

If you haven't used it, it's a really nice interactive system where you can, I can talk to 20 students at the same time and divide up into groups, go back and forth, use the whiteboard, show them video, have private discussions.

So I've actually really enjoyed my office hours. With Zoom, they were a nightmare, I thought.

I switched after two weeks to GatherTown and I've actually enjoyed them.

Yeah, there's so many different tools for communicating nowadays.

I've used GatherTown for several different conferences, which has been, well, it's not the same as face-to-face, but it's at least gives you some level of I'm going to be walking towards someone or having some sort of level of spatial dimensions to it.

And, you know, I could get students to talk to each other, work together on problems.

Once I got them to turn the cameras on, which is a challenge, people don't like the cameras on, it turns out.

And, you know, I was respectful of their privacy initially, but then I thought about the cost.

And when I weighed privacy with the cost, I realized, no, I'm going to really try to push you to turn your camera on without requiring it.

Because I think the cost doesn't outweigh the privacy gain you have by turning your camera off for an hour and having a conversation.

So I really had to think hard about privacy versus cost. And I came out on the side of, I prefer having a camera on, but it wasn't a requirement.

Okay.

So I remember in the class, we had this textbook, which was available online called The Handbook of Applied Cryptography.

And even back in 2004, you would say, oh, this is old.

Some of these things, they don't apply anymore. We're going to do some editing on it.

Tell me a little bit about this book and its history.

Yeah. So the book, I think Scott Manstone first had the idea to write a book in cryptography.

So he got Paul Van Oschot and I, we were both his ex-PhD students, and I guess sold us on the idea.

So we started planning it, I think it was 93.

And then it was really three years of really hard work. I had to learn a lot because I didn't know many, my interests were more on the mathematical side of things.

I had to learn a lot of other aspects of cryptography. And so it was three really hard years of work.

And it was really a chance for me to learn cryptography, is why I took on the project.

And the book has been a success in terms of getting researchers to use it and practitioners to use it in the workplace.

But it really is outdated. It was finished in 96. So it's a lot of things have changed since then.

Yeah. What sort of things would you do differently if you were going to take on the Herculean task of writing a overview to applied cryptography nowadays?

It'd be very hard. I mean, we've been asked many times to upgrade the book to a second edition, but the hard thing would be to, which topics do you choose?

What is interesting from a practitioner point of view? Because there are things that are used, but really should be deprecated, but it takes 20 years to deprecate things.

There are things which are beginning to be used, things that'll be used in the next five years.

And do we include post-quantum crypto?

I mean, and all the fancy protocols that are used in cryptocurrency. So that field is very vast now.

And choosing topics for a book of that scope would be pretty much impossible.

You couldn't please everyone. So I just couldn't write a handbook of that scope today.

I could write a specialized book in a specific topic, not a broad cryptography book.

It just would be pretty much impossible to do.

Yeah. What advice would you give to someone who's considering writing a cryptography book?

I guess the main thing is, first of all, make sure you know who your audience is.

Many people write books for the audience, which is basically themselves or people they know.

And then they are surprised that this other audience doesn't care about their book.

It's like teaching. When you teach a course, who is your audience?

You get to know them, their skill sets, their interests, their backgrounds, and then you can redesign the course for that audience.

And that's really the most important thing in communications is knowing the person you're talking to.

And teaching is communications, as is writing a book. You're communicating in a certain way to a certain audience.

If you can nail the audience from the beginning, you have a successful book.

Yeah, absolutely. And speaking of speaking, or I guess teaching and series of pieces of information that are meant to educate folks, there is a series called Another Look at Provable Security that's written by yourself and Neil Koblitz, which has been going on for a while.

There's a lot of different entries in it. For folks who aren't aware, what is provable security?

And why did you take on this project? And what do you think that people have gotten out of it over the years?

So as you know, in cryptography, we have these mathematical problems that we study and believe are hard.

So they're well-studied problems. But now you want to use that, leverage that hardness to do something useful like encryption or signatures or something more complicated.

And so ideally, you design a protocol, and security should rely on nothing more or less than breaking the underlying hard problem.

So sometimes you design a protocol and you think breaking it requires solving a hard problem.

But there could be shortcuts that we haven't thought of as yet.

So ideally, you would like to prove that there is no shortcut to breaking this protocol, other than by solving this problem, which has been well -studied and is widely believed to be hard.

And that's called proving something secure. But the proof is highly conditional, conditioned on the assumption that a certain problem is hard, and that you define security properly.

But our definitions don't always cover all kinds of attacks which someone might launch in practice.

So in the research community, proofs have really dominated the theme of research.

And of course, who wouldn't want a proof of security?

They're great to have. But it's also important to understand what the proofs don't give you, what they don't guarantee.

And in my view, the researchers spend a lot more time doing proofs than understanding what the proofs actually mean in practice.

So we started this project of trying to understand more deeply what proofs mean in practice.

And we felt that doing it gently wouldn't get much attention, so we were a little provocative in our articles, to get to the point quickly without mincing our words.

So we took an opposing point of view of the majority of the community and presented the articles in a hopefully readable and, we thought, amusing but also provocative way.

So what are some of the more controversial articles that have come out of this series?

I was wondering how diplomatic I should be.

So we have a whole web page on this. It's called anotherlook .ca.

And we have our articles and some commentary about them, some opposing points of view we post on the website too.

But in the end, we get strong reactions, like people thinking that we claim that all proofs are bad, even in mathematics.

And we certainly have never said that.

You know, just when you work in an applied field, any applied field, when you claim you've developed some theoretical technique which is important in practice, you have to spend time thinking about what the proofs or techniques actually mean in practice.

Sometimes they mean a lot, but they also have some, you know, they don't cover some kinds of attacks.

And people should know that.

Otherwise, you can easily convince people to use your crypto technology because you have a proof.

I've done that at standards meetings. And they say, show me the proof.

Great, here's a 20 -page document with Greek letters and subscripts.

And they go, wow, this must be secure because it's 20 pages of math I don't understand.

So it's a very useful tool to convince people to use your stuff by throwing proofs at them.

It's a great marketing tool. It must be useful to actually believe something is secure.

But whether you do or not, it's a great marketing tool as well.

Yeah. So would you say that having a proof or something provable security is necessary but not sufficient for an applied cryptography decision?

Yes.

So, I mean, I view crypto, if you want to deploy a system more broadly, you have to have a huge checklist.

Proofs is just one item in that checklist. And the importance of the situation and the protocol.

In some cases, you can really come up with nice, short, simple proofs, which are really convincing.

In others, you can have a half-page heuristic argument, you wave your hands with a very believable proof.

And it's almost a proof, just not rigorous and formal. Making it formal may be 50 pages of stuff no one will ever read.

So you can do it, but no one's going to read that stuff.

So it's not clear whether people use your protocol because you have a 50-page proof they haven't read or because you have a nice convincing half-page argument.

So all these things are useful in convincing someone that something is secure.

Proofs is just one way. Yeah. What are the other important aspects when deciding among a plethora of options when thinking about building secure systems with cryptography?

There are so many different types of ciphers and instantiations of algorithms and finite fields and elliptic curves and all these sort of things.

What are the major concerns when building a new system that you should be aware of?

So the first thing is picking the crypto primitives or pieces is use standardized cryptography.

And cryptography standardized by accredited standards organizations like the ones, like the ITF, which I know you're very active in.

They certainly get advice from people around the world. They have heated, heated debates, as you know, long heated debates over years before they get something very close to consensus.

And so in the end, you can have a very strong faith that what they produce was done in good faith with strong people, competent people studying this stuff.

And it's well -written, readable, and accessible. So once you've chosen things, you've got to implement things securely.

And that's a different, difficult challenge.

Then you want clever people who can also program and like to program.

And they should be pretty clever. And you know, they're pretty hard to get.

You can get clever people who don't like to program or programmers who don't like to do math or think about technical, mathematical stuff.

Ideally, you want strong people with a strong math background who at some point learn how to code and have a strong interest in the application.

Yeah.

Given that, you know, there's so much more applications of cryptography nowadays, almost every software developer is exposed to it in one way or another.

You think of every application, like we have Zoom right now.

They just released some documentation about having end-to-end encryption inside of Zoom.

That's kind of a very narrow niche field.

But even just logging into websites, doing authentication, all of these touch cryptography in one way or another.

We've gotten up to somewhere around 80% of all websites use HTTPS now versus five years ago when it was much, much lower.

And so more programmers are exposed to cryptography and it's intimidating, honestly, for a lot of people to see this.

So if you're someone who's helping build the cryptographic library and you understand the primitives, you've implemented things properly, what sort of things should you think about when actually exposing the capabilities that your cryptographic library gives you to these developers who, you know, they may not have a math background or they may not want to spend the time to really understand all the implications?

What sort of things do you have to think about when exposing cryptography to the general programming pool of engineers?

Imagine one thing is to minimize what they can do with the API, right?

Don't let them be creative in the use of cryptologists.

Have, you know, encrypt, decrypt, simple things, nothing fancy.

Give them as few options as possible, because as you know, they can really mess things up.

Yeah, but in the end, it's tough because if they want to use the crypto, fine, the crypto could be great, but then there's key management.

And that's just a conceptual, simple thing.

Certificates, so easy, but in practice, this is a nightmare.

And those are problems I don't fully appreciate because I don't use certificates on a large scale.

You know, I read about them and teach about them, but still, I don't use this stuff.

I don't use crypto on a large scale like you do at Cloudflare.

I learn about things from people like you and the next student who works at Google, but I don't use that myself.

So going to large scale is a nightmare.

From the textbooks where we do Alice and Bob, I try to give students a sense of the scale by, for example, explaining how Signal works, which is a beautiful protocol.

That's extremely useful, amazing security, end-to -end security.

Yeah, and I give them a sense for why certificates are conceptually trivial but are TLS on the web.

So I don't know how you get people to do key management properly, even though you give them good crypto to use.

It's just a higher layer of complexity, which in the end is where the hardness really is in deploying crypto on a large scale, I think.

Yeah, and I think this is one of the biggest challenges right now in the industry as well, is how do you provide the right APIs and the right abstractions and the right ability to separate storage and distribution of key material to widely deployed applications, especially ones that are built on the cloud or more likely than not built on multiple different clouds with various different types of technologies that may not have the same standard interfaces.

Yeah, it is really challenging, and it's a way where you have to expose things in a way that developers can not make a mistake, make it as hard as possible to make a mistake when doing so.

Okay, so... So I guess the phrase we use is, you know, people should use boring crypto, not cool crypto.

Leave the cool crypto to the researchers, and for the most part, I tell students in my class, I'm teaching you boring crypto.

The cool crypto comes at the very end. I expose you to cool stuff.

Well, that's left for graduate courses and research, not for a first crypto class.

Yeah, yeah. And that leads back to, I guess, around seven years ago when Heartbleed happened in the OpenSSL library.

And there were all these different problems, and people had to upgrade OpenSSL because their private keys were being leaked, and different groups came around and said, let's take this piece of software, and let's fork it.

And one version of OpenSSL that came about from this, from the folks at Google, was titled boring SSL for just that reason.

So Adam Langley and David Benjamin at Google had that same mindset where, you know, this should be boring.

We want to get rid of all the interesting things from this. Cryptography is not...

It's not a bunch of Legos for people to build any tower they want.

It really has certain applications, and we want to limit it to the ones that are well vetted.

I think that's a good philosophy. On the other side of the coin, there are, you had mentioned this earlier, there's a lot of new, brand new applications of cryptography in the cryptocurrency and blockchain world that have motivated the use of pairings and the use of all sorts of new cool crypto, if you will.

And all this new cool crypto is being used to protect what is effectively value store, or it's things people are exchanging these cryptographic tokens for real money, billions of dollars even.

So how has your experience been watching cryptocurrency sort of come out of nowhere over the last 10 years?

And how do you think it's influenced the field of cryptography?

So one thing is, of course, they stole the word crypto from us.

So when I say applied crypto, I got to remind my students, I mean, cryptography, not cryptocurrencies, please.

I mostly follow cryptocurrencies as a recreational thing.

I don't do research in it. But my sort of involvement, which is maybe a nice story for your Canadian launch, was in August 2012, I decided to learn about Bitcoin because it was mysterious to me.

So I found Satoshi's paper, but I had a lot of questions and I couldn't find any good reading material because it was mostly blogs written by decoders using their scripting language, which I don't understand.

So I eventually found this online magazine, Bitcoin magazine, which had really nice articles written in plain English, but very clear and technically accurate without any math.

So I learned quite a bit from those articles.

And then the very next week, I was teaching first year algebra at Waterloo, the math 145 class.

I looked at my list of students and I noticed the same name as the person whose articles I read the week before.

And it was the same person, Vitalik Buterin.

So I asked him, are you the same guy who wrote those articles?

He said, yes. I said, come to my office. So I spent some time teaching me about Bitcoin.

And throughout the semester, he answered all my questions I had about Bitcoin.

It was really, I learned more from him as an 18 -year-old than he learned from me in my first year algebra class.

Then a year later, he dropped out of school and started Ethereum.

So he's now arguably the number one guy in the world in cryptocurrencies because Satoshi is unknown.

Here in Toronto, he was a Toronto high school student. He keeps in touch. He spoke in my class two years ago, the same year you spoke in my class as well.

So part of my motivation is following Ethereum and what he does and the technology around it is exciting for me.

Yeah, Ethereum is one of the more interesting projects.

And as folks who've been watching that space know, Ethereum has been transitioning from Ethereum, the original version of Ethereum, to Ethereum 2, which includes quite a lot of different pieces of cryptography for helping it scale and helping the blockchain itself not be something that just people have to compute hashes and burn energy just to find the right hashes.

It's much more efficient from an environmental standpoint.

So Ethereum 2 is super interesting.

And our team at Cloudflare, the pairing based crypto that we worked on actually was something that we've collaborated a bit with the Ethereum folks on.

Oh, cool. So it's been a fun mingling of different types of fields. I think with Cloudflare, there's the classic, let's encrypt and protect data on the Internet.

And with cryptocurrencies, it's, well, let's see if we can create our own view of the world and some sort of ledger that is immutable.

Yes. And the idea of a smart contract.

So Vitalik's vision of building the world's first decentralized computer, basically.

That's his view, this big view of Ethereum. He tracks lots of very smart young people to his community.

So he's extremely good at managing people older than him, large numbers of people with strong ideas and visions and egos.

But he keeps them in check very nicely.

He's a very smart guy, very good communicator with people in the community, I think.

And he has really good motives. It's not clear what will happen with these cryptocurrencies, but Ethereum is a wonderful experiment.

Wonderful experiment. It's spawning all kinds of cool computer science and questions which the mainstream academic community may not be focusing on.

But they really are motivating lots of nice ideas broadly around computer science and even economics.

Yeah.

And a lot of it is based on the curves and the work that you helped get standardized in the early days of elliptic curve cryptography.

So I know that for a lot of what Cloudflare does with cryptography, it's related to standards for banking and finance.

There's the FIPS standards for the US government. And there's been kind of somewhat changing requirements for that over the years with respect to different elliptic curves.

You had participated in that, choosing which curves would be used, how to generate curves.

Maybe you can share a little bit of your history with respect to how the curves that we use every day for the Internet were chosen and how long we expect them to be secure.

Yeah. So it was about the mid-1990s when we started in the ANSI community writing down the standards for what was first ECDSA, a signature scheme.

So the standards organization wanted some sample elliptic curves. And at the time, it was kind of tedious to pick a curve and make sure that it was secure by counting the number of points on it.

Could be done, but it was kind of slow. Algorithms were slower and computers were slower.

Also at the time, in around 96, three groups independently found the same attack, essentially, on a very special kind of elliptic curve.

And so the fear was, oh, maybe other curves are insecure too.

So in any case, we needed some curves where we could have some assurance that they were selected at random and had the right number of points on them.

So the NSA representatives at the standards community volunteered to provide us with some elliptic curves.

So even then the banking community didn't quite trust NSA unconditionally, for good reason.

So as a sort of compromise, I just designed this little routine where using the SHA-1 hash function, where I give this routine to NSA, they pick a seed, run it through the hash function, and the output determines the coefficients of the elliptic curve.

So they do that until they find a curve that is secure, and then they give me the seed.

So I can regenerate the curve and prove to others that the curve came.

So the NSA couldn't pick a very special curve that can break, and then reverse the SHA-1 process to get the seed, because SHA-1 is known to be pre-image resistant.

So it was some assurance that the curve was not chosen with nefarious intentions by the NSA.

And that was successful in convincing the community that these curves are good enough, even though they were generated by the NSA.

Now after Snowden, people started mistrusting these curves because they were NSA tainted.

Even though there is no logical mathematical reason why these curves are bad.

If there was a weakness that NSA knew about them in 1997, it's hard to imagine that 24 years later, the rest of us haven't found that weakness.

Or that the NSA would imagine that in 97, the rest of the world couldn't find that weakness and then break the curves with the US government uses themselves.

So we believe these curves are so strong as they were in 1997.

But there are better curves available now.

Things that are a bit faster, like curve 25519, which came later, which is also easy to implement and be resistant to side channel attacks of some kinds.

So there are competing curves which objectively are better. Okay. And more recently, this set of curves that were defined as high security versus super high security, there was a change in the advice from the NSA where the 256 bit, 128 bit level security curve was no longer recommended.

And that caused a little bit of confusion in the community.

Yes. Unfortunately, NSA makes these announcements and they don't give any rationale.

They just say, we're going to make the switch with zero rationale.

And then there's all this conspiracy theories being formed by cryptographers, professional cryptographers, because really anything could be true if you think about it with the NSA.

And Snowden proved that anything you suspect they might be doing, they actually might be doing, it's possible.

Maybe unlikely, but possible. Yeah. So I would imagine the only intention is simply they have locked up security in mind, because when they build things, for the most part, they prefer using hardware to software and they can't upgrade hardware efficiently, quickly.

So when they pick a standard, they would like it to be in use for 25 years, if not longer, which is not the case with software-based standards.

So why not just switch to P384 instead of P256? Right. Otherwise, a change in 15 years might be very painful for them.

Well, that's the reasonable answer, but you can't stop people from coming up with conspiracy theories.

In 2015, when NSA made their announcement about moving to post-quantum crypto in the near future, among other things, they said, well, if you're using RSA and we're thinking of switching to ECC, don't bother.

Wait till post-quantum comes around.

And then that caused all kinds of conspiracies. And Neil Colbert and I, we wrote a little article, sort of a gossip article, which is likely my most widely read article ever, which is collecting the potential theories behind why NSA could have made that announcement.

So yeah, I was very proud of that sort of gossip paper I wrote in cryptography.

Yeah, that's kind of reverse engineering of potential reasons why a certain announcement would be made.

It was really fun.

Certainly crypto gossip makes the field interesting too. Speculating what countries, governments, companies are up to, and it sort of makes the field exciting too.

Yeah. It's very interesting because cryptography is not only this thing that exists in pure abstract mathematics, and then something that applies to business and business applications, but it's also inherently political in that it really puts some capabilities in the hands of people that did not exist before.

The ability to share information in a way that's completely blind to everyone except someone with the key.

Yes, but also the ability to just have a normal conversation with end-to-end encryption without with the same security assurances we had over from the beginning of time that if we're close enough to each other, we can hear each other, but no one else can.

And that's just a part of human nature is this assumption that when you have a conversation with someone in a room, it's a private conversation.

And with the Internet, if you don't have end -to-end encryption, that assumption is no longer true.

So it really enables some basic, I think, human needs and even rights to have a conversation, especially these days when we're all stuck at home using Zoom to communicate.

Yeah, absolutely.

So Alfred, this is really fantastic. Thanks so much for spending time with me here today.

And we're excited to launch Cloudflare's office in Canada and grow it.

It's great to hear about the evolution of your class at the University of Waterloo and all the great things you've been doing.

So again, thanks for joining me.

And it's great to see you. Thanks for having me. And drop by to Waterloo when you have the chance in the coming year or two.

I will try. Once international travel becomes something we can do.

We're getting close, hopefully. We're getting close.

I'll definitely make it back. Okay. All right. Thanks again. Take care.

Bye. We're betting on the technology for the future, not the technology for the past.

So having a broad network, having global companies now running at full enterprise scale gives us great comfort.

It's dead clear that no one is innovating in this space as fast as Cloudflare is.

With the help of Cloudflare, we were able to add an extra layer of network security controlled by Allianz, including WAF, DDoS.

Cloudflare uses CDN, and so allows us to keep costs under control and caching and improve speed.

Cloudflare has been an amazing partner in the privacy front. They've been willing to be extremely transparent about the data that they are collecting and why they're using it.

And they've also been willing to throw those logs away.

I think one of our favorite features of Cloudflare has been the worker technology.

Our origins can go down and things will continue to operate perfectly. I think having that kind of a safety net, you know, provided by Cloudflare goes a long ways.

We were able to leverage Cloudflare to save about $250,000 within about a The cost savings across the board is measurable, it's dramatic, and it's something that actually dwarfs the yearly cost of our service with Cloudflare.

It's really amazing to partner with a vendor who's not just providing a great enterprise service, but also helping to move forward the security on the Internet.

One of the things we didn't expect to happen is that the majority of traffic coming into our infrastructure would get faster response which is incredible.

Like Zendesk just got 50% faster for all of these customers around the world because we migrated to Cloudflare.

We chose Cloudflare over other existing technology vendors so we could provide a single standard for our global footprint, ensuring world-class capabilities in bot management and web application firewall to protect our large public-facing digital presence.

We ended up building our own fleet of HAProxy servers such that we could easily lose one and it wouldn't have a massive effect.

But it was very hard to manage because we kept adding more and more machines as we grew.

With Cloudflare we were able to just scrap all of that because Cloudflare now sits in front and does all the work for us.

Cloudflare helped us to improve the customer satisfaction.

It removed the friction with our customer engagement.

It's very low maintenance and very cost effective and very easy to deploy and it improves the customer experiences big time.

Cloudflare is amazing.

Cloudflare is such a relief. Cloudflare is very easy to use. It's fast. Cloudflare today plays the first level of defense for us.

Cloudflare has given us peace of mind.

They've got our backs. Cloudflare has been fantastic. I would definitely recommend Cloudflare.

Cloudflare is providing an incredible service to the world right now.

Cloudflare has helped save lives through Project Fairshot.

We will forever be grateful for your participation in getting the vaccine to those who need it most in an elegant, efficient, and ethical manner.

Thank you.