 Welcome to Eurocrypt in the age of the coronavirus. So you might have noticed that things aren't completely normal. But look on the bright side. So via zoom, we get to see how people live when they're at home. We get a lovely sampling of bad haircuts either self inflicted or otherwise. And we're stressed out. But, and sometimes it seems as if we're barely keeping our heads above water. But it's important to remember that our health should always be our highest priority. Well, what's the use of a book thought Alice without pictures or conversations. I usually translate into what's the use of a talk without pictures or examples. So today I'll mostly try to entertain you with some stories. And I hope that they're not only entertaining, but perhaps also sometimes useful. Mostly these stories are about lessons I've learned that I wish I had learned sooner. And one theme of this talk will be working well together. So the talk is entitled, mathematics and cryptography, a marriage of convenience. And one of my collaborators said, well, maybe it's a menage a tour since quantum and post quantum cryptography have brought physicists into the relationship. And another collaborator thought it really should be an open relationship since it should include lawyers and politicians. And I think he liked the idea of an open relationship. And there's a need for technical people and policymakers to learn how to communicate with each other and build mutually beneficial relationships. So as we're seeing, we're living in an interdependent world where everyone relies on everyone else. And we're more likely to survive and thrive if we can learn good ways to live and work together. So one good reason for mathematicians and cryptographers to learn to work well together is to make sure that we have good computer security and cryptography. So if a system security is based on the presumed difficulty of some problem from number theory, it would be reassuring if the right number theorists in the right field first know about the problem and second try hard to solve it so that we have reason to believe that it might actually be a hard problem. So for the sake of both good science and computer security, it's important to have good communication between the people who build a cryptography and the crypt analysts and mathematicians who can test security. So for most things that I do or that happened to me, I try to ask myself, what can I learn from this? So if you want to ask yourself that about this talk, I'll just point out some of the recurring themes that you might notice. They're going to be communication, community, curiosity in being open to opportunities and doing the right thing. So I don't seem to have gotten very far down the alphabet, but maybe there'll be some later talk someday and I'll be able to do the rest of the alphabet. Okay, well, my parents didn't graduate from college, but they believed in the value of a good education. And I did manage to get a good education at New York City public schools, despite the fact that the city was on the verge of bankruptcy at the time. So this was fourth grade. But the story I'm going to tell you is I think from first or second grade but I didn't like the photo for that. So you get fourth grade. So I missed a few days of class and when I returned the teacher was talking about something called rational numbers. And the students all knew what that was, but I'd never heard of rational numbers and I got really worried. Didn't know how I was going to figure out how I was going to catch up and figure out what this was. So my friend Janet was sitting near me and I whispered to her, what are rational numbers. And she whispered back fractions. Well, this was clearly completely implausible. So fractions was a perfectly good word. Why would you come up with some new phrase to mean exactly the same thing so this couldn't be. So she had to be wrong. I was sure I'd never find out what rational numbers were. I would fall hopelessly behind in math and never be able to recover. Well, that didn't happen. But since then I've been wary of unnecessary jargon. So I was on my high schools math team, which was an early experience that taught me the importance of community. And the other kids, including Stuart Haber, who some of you may know, told me about something called the Ross program. So that was a summer program for high school students. And it taught exactly the elementary number three that the cryptographers need even use notation familiar to cryptographers like ZP instead of Z mod PZ. And to this day, I'm still friends with many people that I met in that program. Some have even been helpful in my career and some are very important in my life. Some of the students went on to become mathematicians or computer scientists. Others became lawyers or doctors or went into other fields. Al Jean became one of the original writers for the television show The Simpsons. And in this program, I learned the importance of correcting clear proofs and good communication. And I went from being as I went from being a student to a counselor to a seminar instructor. So as students, we pride ourselves in getting only four hours of sleep at night and working the rest of the time. And later on when I taught a problem session in the program, one day my students showed up and something was clearly different. And it turned out they had a test earlier that morning and had pulled an old night or the night before and hadn't gotten any sleep. So they're all falling asleep in the seminar. So I asked them, which do you need most a problem session or sleep. And they all said sleep. So I turned out the lights and that made it pitch black because there were no windows. They put their heads down on the table some of them even lay down on the floor, and they went to sleep. And that was what they really needed. So I'm glad I listened to what the students told me. Sometimes you just have to stop everything and take care of your health and the best advice I can give students and more generally everyone is your highest priorities your health get plenty of sleep and eat well and maybe listen to other people find out their needs. Well, my undergraduate college did not have a computer science department at that time. I had a high powered programming course in the applied math department, but since I didn't have any background I decided I'd better first cross register for a course at MIT, and there I learned Fortran using punch cards. So then I took the high powered course or among other things I learned to program the PDP eight and PDP 11 in machine language and assembly language, which has been completely useless for me and I don't remember any of it. What I do remember is that we had really annoying quizzes where the idea was to write down a short program in 10 minutes, but we were allowed some what seemed to me ridiculously large number of mistakes and I remember it was three or five. Now I could write down a completely correct program in 12 minutes which meant 10 minutes to think and plan and two minutes to write it down. It was terribly unfair that there was no reward for taking that extra two minutes to get it right. So after 10 minutes, I didn't I hadn't written anything, and the test was over. So, you know, for our homework assignments the other students would spend maybe half an hour writing the program and maybe 16 hours debugging it well I can write it in, you know, twice the time in an hour, but I spent considerably less time debugging. So I did have this idea that fast and dirty is better than slow and careful. When I think of publishing and competitive conference proceedings versus publishing in journals. So I think of it as the tortoise in the hair. So I think better work gets done when there's time for referees to fully check the work and for some back and forth between the referees and the authors to make sure papers are correct and well written. And, you know, the output might be better than research is done under tight deadlines with page limits and short timeframes for reviewing. And I'm also a great believer in using experts sending preference to the experts putting preference online and getting feedback before publishing. So it might make sense to cut down on the number of conferences, especially given we might not be able to go to conferences for a while, and cut back on the number of competitive proceedings volumes and instead encourage more journal publication. And of course we might have to change the reward system so that good editors and reviewers are appropriately rewarded for reviewing. That's both good and timely. Okay, I went on to do number theory in particular elliptic curves and a billion varieties, which are the higher dimensional generalizations of elliptic curves you don't need to know what they are for this talk. They say that elliptic curves are useful for cryptography because they're defined by a simple polynomial equation. So they're easy for a computer to handle and they have a useful addition law. Okay, so I went on did number theory. When a proof of Fermat's last theorem was first announced by Andrew Wiles, a reporter for the San Francisco Chronicle came to the mathematical sciences Research Institute in Berkeley, and interviewed a group of us. Now one of the mathematicians explained from Oslo's theorem by saying that certain equations have no non trivial solutions that are rational numbers. And he kept using the phrase rational numbers. So I looked over at the journalist and saw that his eyes had glazed over and he'd stopped listening. So I leaned over and whispered, when he says rational numbers he means fractions. And the reporter breathed the sigh of relief and said, thank you. So, again, it's important to keep in mind that people from other communities might have a different vocabulary. Well, as most of this audience knows in the mid 1970s, with Diffie Marty and Marty Hellman came up with the idea of public key cryptography and used it to create shared secrets. And in the mid 1980s, Victor Miller and Neil coblets independently realized that elliptic curves can be used to do cryptography they can be used to do things like Diffie Hellman key agreement which I'll talk a little more about later. So soon after that I had the opportunity to spend a year at IBM so that was in the late 1980s. And the people I interacted with the most there were Victor Miller who you saw in the last slide he was my mentor that year, and Don Copper Smith seen here. And my first cryptography talk was actually a survey talk I gave at IBM and elliptic curve cryptography with Victor Miller in the audience which I'm really embarrassed to think about now. Since he was the expert and certainly knew a whole lot more than I did. So why do I call this slide they knew the law and obeyed it well there are a number of stories I can give out to give just one of them. So before I started IBM they asked me what type of computer I used and I told IBM that I used a Macintosh. So IBM bought me an Apple computer and they bought all the software that I plan to use, even though I already had a lot of the software. They were real sticklers for the rules, both in pain for software and also in a lot of other ways. And I would tell people that the difference I saw between IBM and academia was that IBM knew the law and obeyed it. And in fact when I was in Silicon Valley a decade or so later I noticed that not all companies were so good about knowing the law and obeying it so by the turn of the century. Silicon Valley was starting to look like the TV show Silicon Valley. Don Coppersmith's extraordinary abilities as a cryptographer I think are well known. So sometime later I was talking with a mathematician about a crypto system that person had published, which soon got broken. And I asked well why didn't you run it past Don Coppersmith before publishing it and he replied well of course I wasn't going to do that he would have just broken it. I wouldn't have gotten a paper. Well, so it'd be nice of getting things right were more important to publish in a paper. One more IBM story. A computer scientist there had solved a problem by doing an immensely complicated brute force computation. And he asked me if I knew a better way to solve it. So I thought about it and realized that what he wanted falls out immediately from something called the structure theorem for modules over principle ideal domain. You don't have to know what that means. He was happy, and it shortened the paper considerably, and he wanted to meet he wanted me to be a co author on the paper. Now I was completely horrified, because all I had contributed was something that I had learned when I was an undergraduate. So as far as I was concerned it wasn't at all deep and it would be embarrassing to put my name on the paper. Now in retrospect that was a clear mistake on my part. So the result had applications it was useful. And by working with people in other fields I hope that I've learned to become more open minded. In fact my most cited papers one of my least mathematically deep papers. So for mathematicians working with other cryptographers it can be helpful to know that being deep can be very different from being useful and being useful can be a good thing. Having a supportive community can be very important. So when I first moved into cryptography research, the cryptography community was very very supportive and a number of people helped me to make that transition. And I found that particularly young female computer scientists were especially supportive so in particular Jessica Staden invited me to be a visitor at the research labs where she worked and she came up with a problem for us to work on together and trader tracing. And we soon realized it would be helpful to have an expert in algebraic coding theory in the project and we were joined by Judy Walker. So I'm a great believer again in bringing in experts when we need specialized expertise. Okay, be curious and open to opportunities. So in the fall of 1995 I was visiting the Institute for Advanced Study in Princeton, New Jersey. And I felt like Cinderella, because they put me in a hard dark room in the attic of full hall with no air conditioning, and I arrived in a sweltering summer. I remember that the cord on the lamp was frayed and I was worried that I was going to get electrocuted. The desk chair fell over backwards if you lean back even just a little bit. And the room was almost impossible to find. So I was startled when one day, when I was feeling particularly sorry for myself, there was a knock on the door. So I felt like, you know, as Edgar Allen Poe said in the raven, who's that knocking at my door? I figured it must be someone who was lost. Well it turned out to be a grad student in computer science who trekked over from Princeton University and tracked me down to ask me questions about abelian varieties. So this was someone who was curious, open to opportunities and knew that it's worthwhile to talk with a specialist in the field. And that's how I met Dan Bonnet. So I want to use Diffie-Hillman key agreement as a starting point. Now if you don't want to hear anything technical, feel free to skip ahead maybe 10 or 15 minutes, 10 minutes, let's say in this talk. That's fine. Now at this point, you have a right to complain to me and say jargon, you're using jargon. So this slide starts with, let little G be a generator of a finite cyclic group capital G. Okay, if you don't know about finite cyclic groups, that's fine. I give you permission to think of little G as an integer. And when I say G to the A, that means take G to the power A and take its remainder and division by a large prime number. Or you can skip ahead and in the slide, in that talk. Okay, so Bob and I want to create a shared secret. So we have our own secrets. I have little A, Bob has little B, some numbers, integers. I broadcast or send G to the A, Bob sends or broadcast G to the B, and we share G to the A, B, which we can each compute by taking the broadcast that we've seen and raising to our secret number. We both get G to the A, B that way. So we share that value. And I claim that nobody else knows that value. So why can't the adversary compute G to the A, B? Well, the adversary in this case, the Jabberwock can't compute G to the A, B, as long as the Diffie-Hellman problem is hard. So the Diffie-Hellman problem is the problem, find G to the A, B, given G, G to the A, and G to the B for random unknown integers A and B in a certain interval. Okay. In a paper in 1999 that appeared in Asia Crip called Doing More with Fewer Bits, Broward, Pelican and Verhuil gave a variant of Diffie-Hellman that did more with fewer bits. The number of bits exchanged was a third of what happened in classical Diffie-Hellman for the same security. And shortly after that, Arjen Lenzter and Eric Verhuil came up with the XTR cryptosystem, which was an improvement on Broward, Pelican, Verhuil. So here is XTR, it flies, and they used a magpie. So why a magpie? Well, the X, of course, is short for ECS. So this is now XTR. XTR is the Dutch word for magpie. And XTR stands for Efficient Compact Subgroup Trace Representation, or does it? So their joke version was that it stands for elliptic curves still too risky, which as an elliptic curves person, I found, well, interesting. Well, a few years later, Carl Rubin and I came up with the Cayley cryptosystem, which we named after my cat Cayley. Now if you have a cat named Cayley, now I use the Scott's Gaelic spelling for Cayley. If I use the Irish spelling, it wouldn't have had the DH. So it wouldn't have had the Diffie-Hellman at the end. But if you have the DH at the end, it's crying out to be an acronym for something with Diffie-Hellman in it. So the Cayley cryptosystem is compact efficient, improves on loop, so loop can be viewed as a forerunner of XTR. It was a luca-based cryptosystem and improves on Diffie-Hellman. And I was a consultant for the television show Numbers. It's a wonderful thing about being cryptography. You can come up with these cute names and acronyms. And in one episode, they had something on cryptography and they asked me for something to put on the blackboard to have in the background of the scene. So I gave them the equations for the Cayley cryptosystem. And here you can see the word Cayley in the middle of this slide and the equations for the Cayley cryptosystem are all around it. So when that aired, over 12 million viewers saw the name of my cat Cayley flash across their TV screens, which is probably about maybe 12 million times the number of people who would ordinarily read one of my math papers. Okay, well, we also came up with a mathematical explanation for what was really behind the luca-based cryptosystems in XTR and Cayley. And we called that tourist-based cryptography because it relied on the mathematics of something called algebraic tori, not to be confused with complex tori that some of you know from elliptic curve theory. So Luke XTR and Cayley can be viewed as compression and decompression algorithms. So you might say that they do more with fewer bits. Now, what a couple of people pointed out to me is that there's a flip side to that, which is that if you're not, if you're only using some of the bits, then those other bits weren't really giving you security. So in some sense, it's telling you that maybe the security that you thought you had, you didn't really have, the security wasn't as good as we thought. Now, this doesn't have an effect on the security of Diffie-Hellman over prime fields, but it's somewhat relevant for Diffie-Hellman over extension fields of composite degree. And interestingly, usually in public cryptography, if you have something over finite fields, then there's an analog for elliptic curves that usually comes later. In this case, actually, the elliptic curve version came first. So the finite field version is the tourist-based cryptography. We had an elliptic curve or a billion varieties version that was inspired by a paper of Stephen Galbraith on super singular or a billion varieties in cryptography. Okay, what if three parties want to create a shared secret? Well, that was solved by Antoine Jou in a paper in the year 2000. So the three of us each have our own private secrets. We have our broadcasts. And if we have a map that takes two inputs and has this bilinearity property, so if we take two elements of our group G to the A and G to the B, and those are our two inputs into the function, then if what we get is the same as what you get when you input G and G, take the output and raise it to the power AB. So I'm going to call that the bilinearity property. If you have that bilinearity property, then Bob, the Cheshire Cat, and I have something that we can all compute. We have a shared secret. And it's this thing, what happens when you input G and G, and then take the output, raise it to the power ABC, and then we can each compute by taking the two broadcasts that we receive inputting those into the function and raising to our secret power. And that's because of the bilinearity property, which says that you can pull out the exponents and get this. Okay, so we share this value. Why can't the JavaWalk compute it? The JavaWalk cannot compute it if the bilinear Diffy-Hellman problem is hard, and that's where the bilinear Diffy-Hellman problem says, find the supposed secret information given the public information. So it's basically a tautology that the security depends on the bilinear Diffy-Hellman problem. And Antoine Jou, when he proposed this, proposed using taking the group to be the group of points on elliptic curve and taking the bilinear map to be a map coming from a vape herring or a tape herring on elliptic curve. And it's believed the bilinear Diffy-Hellman problem is hard in that setting. And I'll say that vape herrings had been around for a long time and were well known to number theorists in the field, number theorists who look at elliptic curves. And perhaps if more mathematicians had been involved more heavily in cryptography, some of this might have happened sooner. I will say that a decade earlier, parings on elliptic curves were used in a destructive way. The MOV attack due to Manez's Okamoto and Van Stone was a way to attack the decisional Diffy-Hellman problem. But then it took another 10 years to use it in that constructive way. And at the same time, also in 2000, Sakai Ogishi and Kasahara came up independently with a method to do identity-based key agreement with no interaction, also using parings on elliptic curves. So actually no broadcasts. And so that was the origins of paring-based cryptography can be viewed as those two papers from the year 2000. Sakai Ogishi, Kasahara and Antoine Jou's paper. Now, after that, there were many new cryptosystems that were created using parings on elliptic curves. Their security was often based on new hard problems. So in addition to bilinear Diffy-Hellman, often one had to come up with other problems that were presumed to be hard. The security of the new systems were based on them. So it's important for mathematicians to scrutinize these new hard problems because they're basically number three problems in some sense and try to solve them so that we have a better idea of whether these cryptosystems are actually secure. Okay, what if four parties want to create a shared secret with one round of broadcast? Open question. So Dan Bonnet and I considered that question in a paper that appeared in 2003. We said that if you have a function where instead of the bilinearity property and instead of having two inputs, you have N inputs. And you have this, you replace bilinearity with multi-linearity. So it's a direct generalization. So you have your N inputs coming from your group. Your inputs are G to the power a1 up to G to the power aN. And you want the value that you get when you input those to be the same as if you inputted G N times, took the output and raised it to this product, product of a1 up through aN. So that's the multi-linearity property. So if you had such a function, then N plus one parties could create a shared secret key. So we have our secrets, we have our broadcasts. And I claim we share this value. The way we each compute it is we take the N broadcast that we see. Those are our N inputs to our N valued function. To our function with N inputs. We take the output, we raise it to our own secret. And by the multi-linearity property, we all get the same value. And the reason it's secure, the reason the Jabberwock doesn't know this value. Well, it's secure if the multi-linear Diffie-Hellman problem is a hard problem. So what's the multi-linear Diffie-Hellman problem saying? Well, surprise, surprise. It says that it's a problem of finding the secret information, the shared information, given the public information. So assuming the existence of such multi-linear maps, which we didn't know how to construct if you have more than two inputs, we could construct all sorts of nice things. But we might have, we had to add some other hard problems, some other problems that we hoped are hard problems in some cases, not just the multi-linear Diffie-Hellman problem. But there's a dark side to our paper. And the dark side is, well, the vape herring has lots of lovely properties, lovely from a mathematician's point of view. So it has these very natural properties. And if you impose enough of these properties on your multi-linear maps, then we can prove that you're not going to end up with anything really other than a variant of something you already knew. So in the case when n equals 1, you have the identity map. That's classical Diffie-Hellman. When you have two inputs, you have parings on elliptic curves or a billion varieties. That's paring-based cryptography. And that would be basically all you would get. But the good news is that as people were doing paring-based cryptography, they came up with more and more parings that were useful to use, that were efficient and seemed to work well. And they didn't necessarily have mathematically natural properties. So they may have made mathematicians cringe in some cases, but they were useful. So being mathematically beautiful isn't necessarily the right criterion to use. Being useful is perhaps more important. And another good sign was that in 2013, Garn, Gentry, and Halevi constructed what they called candidate multi-linear maps. And I think of it as approximate multi-linear maps. So they didn't fall strictly within the framework that Dan and I had envisioned. But they, you know, they're useful. They seemed like they would be useful. And they were constructed using lattices that come from number three. And since then they've alternately been attacks and new constructions. And there are a number of, well, I'd say it's still an open problem to come up with multi-linear maps when you have more than two inputs. And one, you know, there are a number of groups working on this. One group consists of me and Dan Bonnet, Ted Chinberg, Akshay Venkatesh, where we're trying to use ideas from algebraic geometry. Finding a solution might involve bringing together diverse groups of people, like in our group, from far-flung communities that mathematicians, computer scientists, engineers, and helping them to play well together. So working with others. Well, so I mentioned community. Now, the first semester long programs and cryptography that I remember were in the fall of 2006. There were two competing programs, one at IPAM in Los Angeles and one at the Fields Institute in Toronto. And I think they happened at the same time because of the failure of communication. And in the end, most of the mathematicians went to the Fields Institute and most of the computer scientists went to IPAM. And I went to IPAM partly because it was near home, but also mostly because I wanted to interact with computer scientists. But I did find that many days it felt as if I was the only one there. So it was quiet and peaceful, especially in the evenings, but there wasn't the sense of community that I had experienced at math programs at other research institutes. So it used to be the case that if you were, say, a senior mathematician who was given funding to attend a math conference, you felt an obligation to attend the entire conference and interact with junior colleagues and make yourself generally useful and available. And if you were invited to a semester long program, you tried to come for as much as you could of the semester long program and show up at lectures. Now, for cryptography conferences, and I think increasingly at math conferences, it's accepted that people might fly in just before their own talk and leave soon after it and only talk with their collaborators. Now, I think that maybe the people who say, we have too many conferences and it's better for the environment if we didn't travel so much have a point, not to mention that we may not be able to travel for a while. So maybe fewer conferences, but once we start having them again, stay at them longer, build a sense of community. So I think it's useful to have semester long programs with week-long workshops as a lot of these institutes have so that people who can't stay for the full program can still attend some of the workshops. Now, things have changed over time. So this semester, I was visiting the Simons Institute for the Theory of Computing in Berkeley where I'm supposed to be for the whole semester. And I would say there truly was a sense of community there. And in fact, when the Bay Area went on lockdown halfway through the semester and everything closed down, it was kind of amazing that that sense of community has continued. So not only did the lectures and workshops go online, which is something the Simons Institute was already very good at doing, but so did the board game night. And new social activities sprang up, like an online cooking class of all things. And I wanted to thank Shafi Goldwasser and the staff for creating and maintaining that really good sense of community. So I've been running a series of conferences and workshops to bring together computer scientists and mathematicians to work on cryptography problems of common interest and especially questions on fully homomorphic encryption and questions about multi-linear maps. And I've learned a lot about how to get people from different communities to work together well and to be able to solve problems together. And that's partly the things that I'm telling you here are often things I've learned from that. I wanted to tell you the story about how I started working on lattice-based cryptography. So in the spring of 2011, I learned about a DARPA initiative on fully homomorphic encryption. Now, the DARPA program had already started and there were all sorts of interesting and fun people who were on board already. Now, I looked up the call for proposals and it had strongly emphasized the mathematical foundations. And I asked around and it turned out that there were no mathematicians on the project who were working on the mathematics. So I thought, well, I'm someone with a strong math background and I have experience working with photographers. So I thought to myself, I should be on this project. But then it dawned on me that the mathematics of fully homomorphic encryption is lattices. And at that time, I didn't know a lot about lattices. But remember, I'm someone who believes in bringing in the experts and I was visiting the Mathematical Sciences Research Institute in Berkeley and Hendrick Lenster was also there and he's an expert on lattices. So I started bugging Hendrick with questions and we made progress in some problems and I ended up being added to the DARPA project. So they'd actually run out of money, but mathematicians are cheap. It's easy to add another mathematician or add a mathematician. And it also had the nice advantage that the meetings were often in very nice locations. So Hendrick and I proposed using certain lattices with newly orthogonal bases for fully homomorphic encryption in order to get more efficient decryption. And at some point, Daniela Michiencio reminded us about an algorithm of Craig Gentry and Mike Zidlo. And that led us to the cryptanalytic aspects of lattices of symmetry, which led to a long and interesting collaboration with Hendrick Lenster on lattices. So it's kind of, I kind of feel that my life has been like Alice in Wonderland, sort of hopping from one adventure to another. Okay, communication. So let me tell you a story. Dan Bonnet, Carl Rubin and I were working on a paper which was about composite order groups to use in pairing-based cryptography. Now, Dan wasn't being as responsive as I wanted him to be. And eventually he explained to me that his highest priority is always the paper with the next deadline. So if I wanted him to work on something, I had to give him a deadline. Well, I think a few years later, Victor Miller and Neil Koblitz asked me to contribute an article to a special issue of the Journal of Number Theory. I think it was on the occasion of the 25th anniversary of elliptic curve cryptography. Now they said there wasn't really a precise deadline yet, maybe late spring or summer. And then later on they said, well, you know, the earliest would be in the fall. So these were not strict computer science deadlines. They were flaky mathematician deadlines. So in October, I asked Neil for a firm deadline that I could tell to Dan. Neil said, well, we could say the end of October, but that's clearly too soon. So let's say something big like in a few weeks. Well, I didn't think that would work on Dan. So I told Dan we have a deadline of October 31st. Well, he worked really, really hard on that paper. Now, on October 31st, we ran into a small obstacle for which we needed a little bit more time if we wanted to deal with it in the right way. But Dan said, look, we have a deadline. The paper's good enough. Submit, submit. Well, knowing that we didn't really have an October 31st deadline, I told Dan that I had asked the editors for an extension and they gave us an extra 24 hours. Well, in those 24 hours, we easily fixed the problem and we were able to submit a polished paper. So I must admit to this day, I felt terribly guilty for misleading Dan. Now, he doesn't know this story, so please don't tell him. But the point of the story is that different cultures have different ways of doing things and it's important to communicate clearly and understand where the other person is coming from. So relationships are negotiations. Now, over the years, I've observed a number of disagreements in the cryptography community. Now, I'm a problem solver. I like to try to solve problems. That's one reason I like doing cryptography and computer science and things. So I tried to understand where everyone was coming from, what went wrong, what people could have done to either avoid the conflict or make things better. And I realized that many of the conflicts came from reading other people's minds and ascribing bad motives to them. And from assuming that others could read your mind and know what you're thinking and why you're angry with them. So when I was first asked to review a cryptography paper for a conference proceeding, I refereed it the way I would in math paper. And when I sent my report to the person who had asked me to review the paper, he said, oh, that deadline already passed a long time ago. Your review is too late to be helpful. So at that time, I didn't realize that in his field, reviews need to be quick and there are deadlines for the reviews. And it occurred to him that I didn't know that and that he should tell me what the deadline was. So he thought, you know, everybody knew that. Everyone knew what conferences was and knew when the deadline was. So clear communication is important, especially with people in a different field or a different culture. So I've talked about being curious and open to opportunities. In particular, be curious and not furious. And here I should credit Dorothy Hellman and Martin Hellman. Their wording was actually get curious, not furious. And I highly recommend their book, A New Map for Relationships, Creating True Love at Home and Peace on the Planet, in which they say that by getting curious and not furious, you can not only improve your personal relationships and your work relationships, but you can also have peace on earth. So I believe you can still download this free online. So relationships and negotiations not ultimatums, as I said, it's a useful thing to keep in mind. Now I would like to emphasize the importance of listening. And I can't really emphasize this enough. I think the world would be a lot better if people talked less and listened more. So you learn a lot more by listening than by talking. So a lot of us have been on committees where we kind of wish that people would talk less, listen more and learn from the other people around them. So in particular, listen to advice with an open mind. You don't necessarily have to follow it. But you can ask yourself, what can I learn from this? So for everything that happens, good or bad, I find it constructive to ask myself, what can I learn from this? Everything I read on the internet, rather than getting furious, getting angry with it, I think, but is there something useful I can take away from it? So sometimes people ask me for advice. Sometimes they give advice I'm not asked for and I'm trying to learn not to do that. But when you're invited for an hour talk, I figure, okay, I can give you some advice. So the advice I give when people ask me for it is, well, many problems could be avoided if people simply behave professionally. So we like to think of our colleagues as being our friends. But it's important to remember that we have a professional relationship with our coworkers and we have an obligation to behave professionally. So sometimes it's useful to think, am I behaving professionally? Is this a professional way to behave? Put in place good practices and policies. Hold people accountable. Train people and best practices. So this includes for hiring and promotion, for teaching, for choosing students, for choosing interns. And something that I find very important is make the rules of the game clear. Don't change the rules in the middle of the game and ensure that everyone has an equal opportunity to play the game and win. So an example of this is in hiring, where the public criteria given in the job ad can sometimes be quite different from the secret criteria or the real criteria for the job. And the people in the right circles know the real criteria and have an advantage. So I've actually seen this a lot. And if you want more stories about this, I would send you to my Alice's Adventures in Numberland website, in which I tell some more stories. So in general, what I advise people is to keep in mind that people need to see problems getting fixed so that they can trust that if they bring these problems to the attention of people in authority, the things will get better rather than getting worse. And also, senior people need to step in when there's a problem. So when the leaders in the field don't step in to do the right thing, everyone sees that and it can be demoralizing, especially for the junior people. So I'm glad that various communities, including the IACR, are thinking about a number of these issues. Given the stress that everyone is under now, it's especially important to be kind. So a friend and colleague of mine, Shahed Sharif, pointed out to me that kindness is a superpower. I was on a campus-wide committee that read large numbers of teaching evaluations and I learned that what students think of their teachers depends a lot on how kind the teachers are. Now, as a teacher, I'm very strict and I wondered why the students didn't seem to appreciate it. And didn't they know I was doing it for their own good and this showed how much I cared? But I found that if I walked into the classroom having made a conscious commitment to be kind, magically, the students were happy. Now, I was just as strict as before. Being kind did not mean letting them get away with something or being less strict or giving higher grades. But the students could tell that I wanted them to meet high standards because I cared about them. Anything we can do to make our communities more humane will make us happier and healthier. So we're all in the same boat. It's a small world. We're all dependent on each other. And I really like pictures of boats and I do hope we'll be allowed to go to the ocean again someday soon. So remember to eat well, get enough sleep, and stay healthy and safe. And many thanks to my current funders. And I look forward to seeing many of you at the live streaming session for the Q&A. Thanks very much.