Ladies and gentlemen, on behalf of the Albert Einstein Society and the University of Bern I would like to warmly welcome you to this year's cycle of the Einstein Lectures. You have surely all realized that this year it is mathematics' turn. And it will be a field of mathematics that at the moment is, how shall I put it, almost something of a hype. Above all the politicians see great dangers in digitalization and in what is done to the people, who have to be digitalized and so on in an analog world. But today, and tomorrow and the day after tomorrow, we have a very good opportunity to hear at least some aspects of this trend and what one can do with it. And I am glad that you have all come. If there are people who cannot bear standing, there is a room 201 where you can sit, but then unfortunately you are not there live, only via transmission, but still. Okay, then I would now like to hand over to Professor Tretter, who will introduce the speaker of this lecture.

Before I start, let me first say to the people still standing, there are a few places scattered around and also places on the balcony if you want to sit down. Ladies and gentlemen, on behalf of the Mathematical Institute and the University of Bern, it is a great pleasure for me to welcome you to the Einstein Lectures 2019 and it is a great honor for me to introduce the 11th Einstein Lecturer, Professor Shafi Goldwasser. She is one of the most distinguished computer scientists of our time, but in fact she started her career in a different subject, related but different. Born in New York, Shafi was first torn between literature and mathematics and she decided for the latter, as you can guess. After her Bachelor in Mathematics in '79 at Carnegie Mellon University, she got her master's degree in '81 and her PhD in '84, both at the University of California at Berkeley under the supervision of Manuel Blum.
Shafi joined the faculty of MIT in '83. She became Professor of Computer Science and Applied Mathematics at the Weizmann Institute in Israel in '93 and in '97 she became the first RSA Professor in Electrical Engineering and Computer Science at MIT. Now in addition to these two professorships, which she still holds, in January 2018 she became Director of the Simons Institute for the Theory of Computing at Berkeley. Shafi Goldwasser's outstanding research, in particular in cryptography, complexity theory and probabilistic algorithms, has earned her an impressive number of prizes. For example, starting with two Gödel Prizes in '93 and 2001, the Grace Murray Hopper Award of the Association for Computing Machinery, an RSA Award for Excellence in Mathematics, an ACM Athena Lecturer Award, a Benjamin Franklin Medal in Computer and Cognitive Science and an IEEE Emanuel R. Piore Award. And finally, jointly with Silvio Micali in 2012, the ACM Turing Award, which is considered to be the Nobel Prize in Computer Science. Professor Goldwasser was honoured with many, many other distinctions. So, for example, she was a plenary speaker at the International Congress of Mathematicians in Beijing. She was elected a member of several academies, the American Academy of Arts and Sciences, the National Academy of Sciences, the National Academy of Engineering, as well as a Fellow of the ACM. She was also elected to the Hall of Fame of the Digital Age by the Konrad Zuse Institute in Berlin. And she was awarded two honorary doctoral degrees, the first one in 2018 by her alma mater, Carnegie Mellon University, and the second one only recently, in June 2019, by the University of Oxford. According to the laudatio of the Turing Award, Shafi's career does not only include many landmark papers, which have initiated entire subfields of computer science, but in fact all of us benefit from her theoretical work every day, most likely without noticing.
For example, when we use secure authentication or payments over the Internet without transmission of sensitive data such as passwords or credit card numbers. And her work will become even more important for us in the future, for example when it comes to the security of personal medical data. In view of all this, Shafi was even invited to the US Congress for a briefing on cryptography. We are immensely honoured that Shafi Goldwasser accepted the invitation to give the Einstein Lectures 2019 in Bern and we are very much looking forward to them. Please, Shafi, thank you.

So the title of my talk is the cryptographic lens, but the subtitle is really how do you go from basic mathematics to impact and deployment, which was really the subject of what the Congress was interested in, what is the impact of cryptography, and we were interested in giving this talk in order to encourage dedication of funds for basic research, basic science, basic mathematics. Is it better now? No? It's not better? It is better. Okay, great. All right, so the subject of my talk is cryptography. So what is the most basic question in cryptography? The most basic question is when we just have an exchange between two parties, and we usually call them either the sender and the receiver or Alice and Bob, and she wants to send him a message, but there's someone listening on the line, which we'll usually call the adversary. So the traditional solution to this, which goes way back and doesn't start with computer science obviously, is that Alice and Bob meet in advance and they decide on some secret key; a secret key is some secret information which will enable them to send these messages in some sort of encrypted form. So that's the basic problem of cryptography, secret communication. It's also a problem that's been very intertwined with the history of computer science, especially the foundations of computer science.
And just to illustrate that before we start, there are actually two very famous figures which are historically responsible, probably, for the emergence of computer science in engineering departments and in mathematics departments. And that is Claude Shannon, who is very well known as the originator of information theory, but apparently this paper of his that started information theory, a mathematical theory of communication systems in 1949, came at the same time that he wrote another paper, which was a communication theory of secrecy systems, that is, how to define properly what it means for a transmission system to achieve secrecy. Now his first paper is much better known; it came out ten years before the second one, because the second one was classified, but according to his testimony, the emergence of both information theory and this theory of secrecy came at the same time and the ideas are intertwined with each other. And the second person is Alan Turing, who is known to mathematicians and computer scientists as the inventor of the universal computing machine, but probably more well known to the public as the one who is responsible for breaking the German Enigma machine. So both of these guys, one is responsible for the invention of the formal theory of information, the second one for the invention of the universal computing machine, so a machine that has general computation power, but they had a basic interest in cryptography. In fact, they apparently also met each other during the war, because their interest in cryptography was really wartime research. So they were interested in building encryption systems and breaking encryption systems as part of the war effort.
So this is really a historical bit, which is interesting from the point of view of someone who wants to research the history of computer science, but modern cryptography, which is the topic of this lecture and the topic also of my research, is really not just about fighting the bad guys, so it's not really a wartime-effort-motivated body of research. It's something that takes place from when people are starting to understand that there are these computer networks, there's an ability to communicate, and that means that down the line we're going to need to be able to communicate secretly, we might be able to do commerce using computers and so forth. So in this lecture, I want to convey three points. First of all, that this modern cryptography actually enables a lot of surprising abilities, and I will explain what I mean by that, which often seem paradoxical in the physical world. So if I define this problem to a mathematician who doesn't know about all these results, starting about 1976, you immediately can write down a proof of impossibility, and in fact there are proofs of impossibility to achieve what we know we can achieve, so there has to be a catch, and I will explain what the catch is in a minute. So first of all, it enables these abilities. Second of all, it has been a catalyst: besides the fact that it enables us to solve things which seem impossible to solve, it has also enabled some theoretical developments in theoretical computer science, and some ideas that I would safely say are sort of intellectual leaps, and I will try to show a few of them, or at least one. And finally, I think in the future it will definitely give us a way to see how we can take advantage of all the big data availability that's out there, and the global connectivity, while still maintaining our right to be left alone.
So this is not my phrase, this is a phrase that Judge Brandeis is well known for. Apparently when the first cameras were invented, the kind of cameras that you could take out of the studio and take pictures of people in the street, he wrote a whole article saying, what about our right to be left alone? So if you think about it today, that's a ridiculous concern because we have a lot more to worry about, but I guess my point is that using cryptographic methods to the full extent possible, I believe that you will be able to take advantage of the fact that we have all this big data, and we can make a lot of progress with this data, and still maintain some right to be left alone. Most of the future I will talk about in the lecture that will be on Wednesday. So most of my talk today will be dedicated to the first and second bullets. Okay, so what are these surprising abilities that I am alluding to, which are paradoxical? So here is a laundry list. I don't really expect you to read them, I will go quickly through them, but it's really just to impress upon you that there is a big collection of things we can do which, if you thought about it a little bit as a mathematician and wrote down what the wish list is, you could also prove that you can't do. So the first thing is that we are going to be able to have Alice and Bob from that first slide, who are sending secret messages to each other in the presence of an adversary, be able to do it without meeting a priori to exchange a secret key. So even though they never met, it will be possible for Alice to send something to Bob without the adversary knowing what she sends, but having Bob receive it. Another thing, another example of what you can do, is you can contract-sign. So two people can sign a contract so that I don't sign if and only if you sign. So we achieve some sort of simultaneity. Now we know that you cannot achieve simultaneity, but in some sense we will do so.
The third thing is you can generate random-looking, pseudorandom strings. So you can generate a long string that looks like flips of a coin, or is indistinguishable from flips of a coin. And again, this is using cryptography as kind of the key idea of why this is possible. You can verify the proof of a mathematical claim without learning the proof. So you can check the proof is correct without learning anything about the proof. Now that seems probably of dubious merit to those of you who are teachers of mathematics, because you want the students also to understand what you're talking about. But in the context of cryptography and of the digital world, it actually means quite a bit. You can play digital games without referees. What I mean by that is, for example, you could define any game you want, and you could play it without a deck of cards or a coin or any kind of physical means, just over a communication network without need of a trusted party. You can retrieve information privately. Again, what I mean by that, which is something I won't elaborate on, so I'll just say a word: suppose you want to access some public database, say you want to know a flight cost, or you want to travel from A to B and you would like to know what the fastest route is. You could do so without them knowing what it is you are asking for. Again, it seems surprising. If you wrote this down, it's impossible, but we know how to do that. So I can make a request, I can get back the answer, and yet the database that I'm making the request from will not know what I'm asking for. What else can we do? We can do something called identity-based encryption, and that is Alice can send to Bob information just by knowing his name and nothing else. Again, it seems very strange that Bob, because he knows his name plus something extra, will be able to understand what Alice or anybody else is sending him. But Alice just has to know Bob's name in order to make this secret transmission.
You can do something called one-time programs, and you can even compute on encrypted data without decrypting it first. So this is a lot, okay? And it's just sort of a teaser for those of you who might ever be interested in studying modern cryptography. I think it's well worth it. But what I want to say is that probably the first impression is that she put everything on a slide and these things have nothing to do with each other. They seem very unrelated tasks. And my claim is that they're all the subject of modern cryptography. So there is something that's common among all these, besides the fact that I've worked on all of them, but me and other people. So the unifying theme, okay, among all these list of things that can be done, is that there's the presence of an adversary. What do I mean by that? So there is some kind of an adversarial presence that is an integral part of the definition of each and every one of the problems on that list. So obviously we don't worry about privacy unless an adversary's presence is trying to listen. But who would be the adversary when we talk about generating random-looking bits? The adversary might be someone trying to predict what the next bit is, who's trying to distinguish these non-random bits from truly random bits. Or when you're proving a theorem without expressing the proof, just to somebody who wants to verify the proof is correct, the adversary might be someone who wants to learn something about the proof and you don't want to teach them. And so forth. Every single one of these problems actually has this embedded in it. This problem would not exist if there wasn't any adversary present. So the reason I'm dwelling on this is also because who this adversary is determines the quality of what is an acceptable solution. Okay, so it could be that when the adversary is all-powerful, some solutions will not be acceptable, because the adversary can break them.
But if the adversary is bounded in some way, then we could solve problems which previously seemed impossible to solve. So remember I said that a lot of these problems are impossible to solve. That is the case if the adversary is all-powerful. So our adversaries are going to be not all-powerful. We're going to put some restriction on them. So in a minute I'll say what the restriction is. But I just want to say that in some sense, this idea that an adversary is present and you have to analyze the correctness of the system in the presence of, being aware of who the adversary is, is the key to analyzing complex systems. Because if you prove that your system works in the presence of a worst-case adversary, then it takes care also of the kind of adversaries you would encounter. Okay, by the way, I don't like giving lectures when nobody is asking a question. So if somebody is compelled to ask a question, you can raise your hand and I will answer it. Okay. Oh, there you go. Yes. Oh, that's a great question. So you're asking, can I send information with... so one simple solution is if I just send information all the time, and some of these times this information actually has content in it. But short of that, no. Not that I know of. That would require some computers which are different than the classical computers and the classical communication means. Okay, so what is the bound on the adversary that I will talk about in this talk and in modern cryptography? So we're not going to make an assumption on what the algorithm of the adversary is or what the strategy is. And we're not going to assume that this adversary is just random, is just sort of average-case. It's going to be a worst-case adversary. But we will assume that this adversary has computational bounds on it. So it can't run forever. It has what we usually call polynomial time. It's an efficient adversary. So that means that every computer that you encounter is captured.
But if the computer could run for an exponential number of steps, then it might be able to break our system. But within a computer which is efficiently bounded, which is polynomial-time computation, which has a precise definition, doesn't matter, we will say that our solutions hold. Now, why do we bound ourselves? It would be nice to say that it's any adversary, because sometimes we can't solve it with any adversary. The reason we choose this kind of bound is because it's realistic, and it enables us great power. So it enables us the range of many applications. So some of you may have in your mind, what kind of computer? Are we talking about a classical computer? Or these days there is a lot of excitement with this idea of quantum computers. And for now, we're talking about classical computers. But sometimes in my talk, I will also talk about quantum. Essentially all the applications I discussed can be done today also if the adversary is a quantum computer. But you have to change the kind of mathematics you use in order to solve the problems. Okay, so let me give you one example of what you can do, with a little bit more detail. So I said that the first example was that Alice and Bob can meet without, sorry, they don't need to meet in order for Alice to send to Bob secret messages. So this is something called public-key cryptography. And I'll explain in a minute what the essence of it is, and even though it's sort of a simple example, and I'm sure that anybody who's a computer scientist has seen it, I will repeat it. It's a beautiful example. And before saying how it's done, let me say that it really is what powers all electronic commerce. So those of you who remember using Safari, maybe somebody still uses it, this comes up: Safari is using an encrypted connection. And so forth. So in order to be able to use browsers in a safe way, you need public-key cryptography. So public-key cryptography started with, you know, this is the problem, right?
So they can't, we want to address the case where it's not Alice and Bob, but it's Alice and, let's say, Amazon. Okay, so Amazon isn't going to go and meet every Bob to exchange a secret key. You have to be able to talk to Amazon without meeting it in advance. So this is now a general electronic company. And what do we do? So in 1976, there's this very famous paper by Diffie and Hellman. Diffie, I think, was a student at Berkeley, Hellman a professor at Stanford, and they come up with the notion, not yet, they don't yet show how to do it, but they come up with some sort of blueprint of public-key cryptography. And that is that us and Amazon do not have to meet in advance in order to exchange a secret key. Their idea is the following. They say, wouldn't it be amazing if what we could realize is the following. We would have, pictorially, some sort of a public lock. There will be a way to publish a digital lock. So the picture is a lock, but this will be a piece of information so that everyone can read it. And using this lock, they are able to take messages and lock them in a box, which is like encrypting them. However, only one party knows how to unlock this lock. And that means that they have the secret key. So in that picture of Alice and Bob, or Alice and Amazon, Amazon will know a secret key which will enable it to unlock messages that Bob put in. Okay, so this is a nice picture for children. But what do we mean really? And they got actually the Turing Award for it, surprisingly much later than everybody else. But in any case, that's where the first idea shows up. They had tremendous foresight to understand that this Internet, at that time called the ARPANET, could be used 20 years down the line for electronic commerce, which is very insightful, since there was nothing like that in sight. People in universities and labs were exchanging email, but not the general public.
So a year later, there is another paper by Rivest, Shamir and Adleman at MIT, who show how to realize this lock and key using number theory. Okay, and I'll give you just a hint of how number theory comes into this picture. So they say, let's look at the problem of factoring. So factoring, what I mean is, you have a number and you're looking for its prime factors. So for example, if the number is 35, it's trivial: it's five times seven. If it's 221, it's quick for some people, 13 times 17. This is long for some humans; for me, definitely, I don't know about you. But a thousand-digit number, you know, will take a thousand years for the fastest classical computer. Okay, even a quantum computer at this point cannot factor quickly such a number. And this is one of those things that is interesting about this problem; in a minute we'll link it to cryptography. But what's kind of beautiful for the annals of mathematics in some sense is that this is one of those problems that was studied by Gauss and was kind of hailed as the purest form of mathematics that is totally useless. So this is an endorsement. So this is a beautiful problem. It has no use in the real world and that's a good thing. It turns out, unfortunately, it does have a use, or fortunately, depending how you look at it. So there's this beautiful quote: the dignity of science itself seems to require that every possible means be explored for the solution of a problem so elegant. It is elegant. And furthermore, it's going to be very useful. Because what Rivest, Shamir and Adleman did is they said the following. Let's do this. Bob, remember Bob is the one who's receiving the messages. What he's going to do is that he's going to choose a secret key first and then he will define a lock based on the secret key. So you first come up with the key and then the lock. What's the secret key? He says, why don't you choose two large random prime numbers.
So three and five but much larger, because three and five are not really large. And this is some problem that requires some mathematical work but can be done. So you can choose a large number that is prime and verify that it's prime. And then you take these two numbers and you take the product. So n is equal to the product of p times q. That's like the 35, this is the five times seven. And that's going to be your lock. And what they're saying is that if it's hard to go from the number to its prime factors, which turns out to be a hard problem, as I showed you in the previous slide, the fastest computer out there cannot perform this for large numbers, then we have realized a lock that everybody can tell. We can publish n. Everybody can look at n, but only Bob knows how to factor n. So we have this asymmetry between lock and key, between Alice and Bob. And now the question is, how is Alice going to lock her message in a box using this n so that Bob can read it? This I haven't explained and I will not explain. But this is a very simple equation: essentially Alice will apply some transformation on the message, mod n, and Bob will be able to reverse this transformation and figure out what m is if he knows the factorization, p and q. Now, how does Alice know n? He publishes it on the Internet. Everybody knows n. They know how to send messages to Bob. Okay. So the point of this is we've moved away from impossibility because we said that the adversary is someone who doesn't have the computational power to factor the number n into its prime factors. And now it's possible to do transformations which seem to be sort of one-way. As far as everybody's concerned, going from the message to this encryption of the message is easy. However, going backwards is hard unless you know the factorization. Okay. So RSA really kind of cemented the transition of the Internet from primarily military to primarily commercial.
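The lock-and-key construction just described, worked through in Python with the lecture's own small primes 13 and 17 (n = 221). This is an added example, not code from the lecture or from RSA's authors: the public exponent e = 5, the function names and the trial-division factoring are the editor's choices, and textbook RSA without padding, as shown here, is not what deployed systems use. The last function also demonstrates the single-operation homomorphism (multiplication only) that the lecture comes back to later when it discusses homomorphic encryption.

```python
"""Toy RSA lock-and-key demo (added example, not from the lecture).
Uses the lecture's small primes 13 and 17; real keys use primes of
hundreds of digits, and real RSA wraps the message in padding (e.g. OAEP)."""
from math import gcd


def is_prime(n):
    """Trial-division primality test; fine for toy sizes only."""
    if n < 2:
        return False
    return all(n % d for d in range(2, int(n ** 0.5) + 1))


def keygen(p, q, e=5):
    """Bob picks the secret primes first, then derives the public lock (n, e)."""
    assert is_prime(p) and is_prime(q) and p != q
    n = p * q                        # the lock: published for everyone
    phi = (p - 1) * (q - 1)          # only computable from the factorization
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)              # the key: e's inverse mod phi (Python 3.8+)
    return (n, e), (n, d)


def encrypt(m, public):
    """Alice locks m using only the public lock: c = m^e mod n."""
    n, e = public
    assert 0 <= m < n
    return pow(m, e, n)


def decrypt(c, private):
    """Bob unlocks with d, which exists only because he knows p and q."""
    n, d = private
    return pow(c, d, n)


def factor_by_trial_division(n):
    """What an adversary must do to recover the key from the lock alone.
    Instant for n = 221; hopeless for a 1000-digit n, which is the whole point."""
    for d in range(2, int(n ** 0.5) + 1):
        if n % d == 0:
            return d, n // d
    return None


def multiply_encrypted(c1, c2, public):
    """RSA is homomorphic for one operation: Enc(m1)*Enc(m2) = Enc(m1*m2 mod n).
    The same property is the malleability that makes unpadded RSA unsafe."""
    n, _ = public
    return (c1 * c2) % n


if __name__ == "__main__":
    public, private = keygen(13, 17)
    print("lock (public) =", public, " key (private) =", private)
    c = encrypt(42, public)
    print("Enc(42) =", c, " Dec =", decrypt(c, private))
    print("adversary factors the lock:", factor_by_trial_division(public[0]))
    print("Enc(6)*Enc(7) decrypts to", decrypt(multiply_encrypted(
        encrypt(6, public), encrypt(7, public), public), private))
```

`keygen(13, 17)` yields the lock (221, 5) and the key (221, 77); `factor_by_trial_division` is exactly the step that the lecture says takes a thousand years for a thousand-digit n, and the asymmetry between `encrypt` (needs only n) and `decrypt` (needs d, hence p and q) is the one-way transformation the lecture describes.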
So by enabling this public-key encryption, where you don't have to meet in advance, it opened the door to worldwide communication which maintains privacy and also authentication and so forth. Okay. Good. So that's not only an amazing intellectual victory, but it's also commercial. You know, if you think about this invention, which is actually beautiful but simple mathematically, it became a multi-billion-dollar industry and so forth. Okay. So, meanwhile, just to quiet those people who are thinking about quantum computers: in the physics world around the same time, Richard Feynman came up with envisioning a powerful quantum computer. So this envisioning wasn't that he built a computer. It was that he came up again with a theoretical model of operations on a quantum computer. And about 12 years later, Peter Shor from MIT, I think at the time he was at Bell Labs, said, OK, we have this RSA algorithm, this algorithm that enables secret communication. It's based on the difficulty of factoring. Is it possible that on a quantum computer we could factor? And he came up with a way to factor on a quantum computer. This was all theoretical. He said, if there was a quantum computer that we could realize using a very large number of quantum bits, whatever that means, and in an error-corrected fashion, so there won't be errors in the computation, then we could actually factor. And that would mean that we would be able to completely destroy electronic commerce as we see it. This was all on paper. And again, I think the best one out there is 11 times 13. So the biggest number we know how to factor is 11 times 13. So in some sense, it's not a big worry, you know, in the sense of electronic commerce. Still, around 2017, all these companies, Google, Microsoft, IBM, countries, China especially, I think maybe also in Europe there's such a project, said that they have decided to try to build a quantum computer at scale.
So a quantum computer that can perform computations which are better than what we can do on a classical computer. And I think the phrase that was coined is that it exhibits quantum supremacy. So it has some supremacy over classical computers. And at that time, when I was giving this lecture, I would always put up this cartoon, and I'm only putting it up now to show that maybe it's not relevant anymore. The cartoon is: how is your quantum computer prototype coming along? He says, great, the project exists in a simultaneous state of being both totally successful and not even started. He says, can I observe it? And he says, that's a tricky question. Because those of you who know something about quantum computing, you know, once you observe it, supposedly it disappears. However, you probably have read, especially the physicists here, that Google has come out with an announcement like two weeks ago, I think September 26, saying that they have reached quantum supremacy. So they've built a computer that consists of 54 qubits, which is a lot more than we've known how to do before. Again, this is nowhere near the scale that we need to break the kind of encryption that's used. But this is getting to a place where one has to really take a serious look at it. In fact, the NSA and NIST, this is the National Institute of Standards, started planning for post-quantum cryptography a few years back, when this whole race to build a quantum computer began, saying, OK, let's say that in five years, ten years, quantum computers will be built that can factor the kind of integers we use. We don't want to be left without electronic commerce and without any privacy. What can we do? So interestingly enough, again, basic science in some sense comes to the rescue. So in '96, years before this question comes up, Ajtai, who was a researcher at IBM Research and is originally from Hungary, showed an entirely new form of cryptography.
So rather than using that number, the problem of factoring n into two primes, the 35 into five and seven, he said, let's look at another problem which is a hard problem to solve, OK? And it's a problem that comes from geometry rather than from number theory. And he proposed an encryption scheme based on that. It was extremely slow, with extremely large keys, and he proposed it for a theoretical reason. And the theoretical reason was that you can show some extra theoretical properties: it's hard on the average rather than in the worst case. This is a parenthesis just for those people who are interested in this. But my point more is that he invented it really for the theory question of whether you can get hardness on the average, and it really took a little credit to the computer science world. They noticed that something interesting was happening, and there has been a huge development from that time on till today, coming up with new cryptographic schemes based on his original idea. And to our point, they all seem to be quantum-resilient. So whereas quantum computers, because of Shor's algorithm, can break factoring if they were built to a sufficient extent, they could even break the kind of numbers used in practice, we know of no algorithm or no hint of an algorithm. At this point, as far as I know or anybody in the open literature knows, there's no quantum computer that can solve this problem that I introduced. It comes from geometry. So the question now is how do you replace all the things, all that laundry list that was based on sort of factoring-type, number-theory-type mathematics, by this mathematics. So it turns out not only that you can replace it but you can actually do more. So there's more capability that this kind of encryption that's built on this geometry can do than the number-theory type of cryptography.
In particular for the mathematicians here, I'm going to give a few slides here to have a little bit more of a technical idea, and then we'll go back to the general story. So what is this new problem, that's not the factoring problem? So the problem now is this. It doesn't look like it's a geometry problem, but it is actually reducible to a geometric problem. So the problem is called learning with errors, or for short LWE. And the problem can be described as a system of equations. So the secret here, whereas before the secret was 3 and 5, the two factors, the secret now is a vector s = (s_1, ..., s_n), a secret vector in Z_q^n. In other words, you have s_1 through s_n are variables which assume a number between 1 and q, where q is a prime. And the problem is this. Suppose I give you a bunch of equations in these variables, s_1 through s_n. Here n is 4. But I don't tell you, of course, what the s is. I just tell you the coefficients of these equations and I tell you what it's equal to on the right-hand side. So if you've taken an elementary course in linear algebra, you know that if I've given you the right-hand side, you could do Gaussian elimination and find out what s_1 through s_4 are. But I won't give you the solutions on the right-hand side. I will give you the solutions with some error. So the question is, I give you a bunch of equations, the coefficients. I give you solutions on the right-hand side with some noise. So each answer has some added noise to it in some range. And now I ask you, here is a system of noisy equations. Try to find the secret, these s's. Turns out that this is a hard problem. We don't know how to solve it. Not only do we not know how to solve it, it is, as I said, equivalent to this geometric problem; it's called approximating the size of the shortest vector in a worst-case integer lattice, whatever that means.
And it has this worst-case to average-case property like I wanted. And the best known algorithm is exponential. So it's 2 to the n, where n is the number of variables, the dimension, or n over log n, that's not significant. And this is the best known classical algorithm and quantum algorithm. So we don't know how to do better than exponential. And the revolutionary part of this, in addition to the fact that it seems to be a candidate, a very strong candidate, to replace cryptography in a quantum age, were it to come, is that it also enables things we don't know how to do with regular encryption. And I'll show you a hint of what you can do with this type of encryption. Any questions? No? Okay. Not yet? Okay. So, for example, you can do the following. Again, suppose you had a computer program, this is on the left, a very simple program. The program takes three variables as input, X1, X2 and X3, these are zero-one variables. And you say, if X3 is equal to zero, stop, halt. Otherwise, you output X1 plus X2. It's a very, very simple program, okay? It turns out that this program, as well as any program that you write, even though it doesn't look like it, can be rewritten as what we call a circuit. It's sort of a sequence of operations, which are all either taking a sum or a product, okay? So you could write any program with complicated procedure calls, if-then, loops and so forth, as essentially taking the input variables and performing a sequence of multiplications and additions on them, okay? So what does this have to do with cryptography? Well, for a second now, let's assume that you are not given X1, X2 and X3, but you are given the encryption of X1, the encryption of X2 and the encryption of X3. And you want to solve this, you want to run this program. How can you run this program? You could decrypt, but what if you don't have a way to decrypt? Can you run this program, only having the encrypted values? 
So, there is this concept, this is a question that was asked by Rivest and Shamir, I think, or Rivest and Adleman and the two of them, many, many years ago, 30 and more years ago, and they asked, is there a way to do something called homomorphic encryption? What's homomorphic encryption? It would be the kind of encryption where, even though these values are encrypted, I'm able to come up with the encryption of the sum, okay? And this value now is encrypted, this one, and I can come up with the encryption of the product. So is it possible, just having the encrypted inputs, to come up with the encrypted output without decrypting it, okay? So, they asked the question, and the answer was that they didn't know an answer. It was an open question for a long time. In fact, RSA cannot provide it. For a while we had encryption schemes where they could do one operation, they either could do times or you could do plus, but you can't do both operations. So you wouldn't be able to run a full program if you only had the encrypted values. And in 2008, Gentry, who was a student at Stanford at the time, in his PhD thesis, came up with a new encryption method where you could do these, you could take sums and products. In other words, there's nothing to add to this. You can, from these, compute this, and from these, compute this. And his new encryption scheme is based on this geometry problem, or this learning with errors problem. So not only is it quantum resilient, but it also allows us to do things we didn't know how to do before. Now, why this is important, we'll see later in the talk. But even intellectually, it's sort of an amazing feat that you are able to compute on encrypted data without decrypting. You just compute, compute, compute, and at the end get an encrypted answer. So for those of you who are going to be asleep at the end of my talk, let me just give you this now, because it comes at the end. 
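The noisy system of equations described on the LWE slides, and the "add two encryptions and get the encryption of the sum" idea just mentioned, as an added Python example (not part of the lecture, and not Gentry's scheme): it builds a toy Regev-style bit encryption from LWE. The parameters, the tiny modulus q = 97, the dimension n = 8 and the noise range are constructed assumptions chosen so the example runs instantly; a real scheme uses far larger values. Gaussian elimination recovers the secret from exact equations but not from noisy ones, and adding two ciphertexts yields an encryption of the XOR of the two bits as long as the accumulated noise stays below q/4.

```python
import random

# Constructed toy parameters (an assumption for illustration, not the lecture's
# numbers): real LWE schemes use n in the hundreds or thousands and a much larger q.
N_VARS = 8    # n: number of secret variables s_1..s_n
Q = 97        # q: prime modulus, all arithmetic is mod q
NOISE = 1     # each right-hand side is perturbed by an error e in [-NOISE, NOISE]


def keygen(rng):
    """The secret vector s in Z_q^n."""
    return [rng.randrange(Q) for _ in range(N_VARS)]


def lwe_sample(s, rng, noisy=True):
    """One equation: coefficients a and right-hand side b = <a, s> + e (mod q)."""
    a = [rng.randrange(Q) for _ in range(N_VARS)]
    e = rng.randint(-NOISE, NOISE) if noisy else 0
    b = (sum(ai * si for ai, si in zip(a, s)) + e) % Q
    return a, b


def solve_mod_q(rows, q=Q):
    """Gaussian elimination mod prime q on n equations in n unknowns.
    Returns the unique solution, or None if the system is singular."""
    n = len(rows[0][0])
    m = [list(a) + [b] for a, b in rows[:n]]
    for col in range(n):
        pivot = next((r for r in range(col, n) if m[r][col] % q), None)
        if pivot is None:
            return None
        m[col], m[pivot] = m[pivot], m[col]
        inv = pow(m[col][col], -1, q)
        m[col] = [x * inv % q for x in m[col]]
        for r in range(n):
            if r != col and m[r][col]:
                f = m[r][col]
                m[r] = [(x - f * y) % q for x, y in zip(m[r], m[col])]
    return [m[r][n] for r in range(n)]


def recover_secret(s, rng, noisy):
    """What an attacker who sees only n equations gets out of elimination.
    With noisy=False this is the linear-algebra exercise; with noisy=True the
    same procedure returns a vector that is (almost surely) not s."""
    while True:
        rows = [lwe_sample(s, rng, noisy) for _ in range(N_VARS)]
        sol = solve_mod_q(rows)
        if sol is not None:
            return sol


def encrypt(s, bit, rng):
    """Symmetric bit encryption: hide the bit in the high half of the right-hand side."""
    a, b = lwe_sample(s, rng)
    return a, (b + bit * (Q // 2)) % Q


def decrypt(s, ct):
    """Remove <a, s>; what is left is e + bit*(q//2), so decide by distance to 0."""
    a, c = ct
    v = (c - sum(ai * si for ai, si in zip(a, s))) % Q
    return 0 if min(v, Q - v) < Q // 4 else 1


def add_encrypted(ct1, ct2):
    """Homomorphic addition: the sum of two ciphertexts encrypts the XOR of the
    bits, as long as the accumulated noise stays below q/4 (here NOISE * #additions)."""
    (a1, c1), (a2, c2) = ct1, ct2
    return [(x + y) % Q for x, y in zip(a1, a2)], (c1 + c2) % Q


if __name__ == "__main__":
    rng = random.Random(2019)
    s = keygen(rng)
    print("exact equations recover s:", recover_secret(s, rng, noisy=False) == s)
    print("noisy equations recover s:", recover_secret(s, rng, noisy=True) == s)
    c = add_encrypted(encrypt(s, 1, rng), encrypt(s, 1, rng))
    print("Enc(1) + Enc(1) decrypts to", decrypt(s, c))
```

The noise is what makes the problem hard and also what limits the computation: every addition roughly doubles the worst-case error, so with these parameters about two dozen additions already risk a wrong decryption. Managing that noise growth (and handling multiplication, which is absent here) is exactly what Gentry's construction adds on top of this basic picture.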
If you could do that, I could sort of give a cloud, a very powerful cloud possibly, or another remote computer, my encrypted data, and they could do all the very complicated computation there on the encrypted data and send me the encrypted result. So it would save me from having a very powerful computer if another remote computer could do that. And today this is more and more the case, where we have these fancy machine learning algorithms where you need a tremendous amount of computing power in order to run them, and it would be nice to be able to run them by having someone else run it on your data without providing your data in the process. Okay, back to my cryptography talk. What time is it? Okay, we have time. So, yeah? Okay, so in some sense basic research from 20, 30 years ago is actually going to save us from a problem like these quantum computers we never thought we were going to have, and this I tried to convince the Congress of, I don't know with how much success, but in any case I'm a firm believer in the support of basic research. It never ceases to amaze me. Okay, so I talked about the fact that we can enable things which are surprising. I showed you one example. Now let's talk about the second bullet, where I said that there are some notions that have come up, and techniques, that led to a series of intellectual leaps. So what do I mean by that? What I mean by that is, so this is a very compact slide. I don't really expect people to internalize it all, but let me just give some highlights here. So what I've done here is, in the circles here, there are some primitives, cryptographic primitives that have been developed for the purpose of cryptography. And on the lines here are some developments that happened in computer science as a result. 
So for example, there's something called zero-knowledge proofs, which I'll talk about next, which has led to a concept called probabilistic proof systems, and that has led to these three red, really I think big, achievements in computer science, and I'll talk about some of them. Some things like delegating computation to the cloud, and another thing is, in fact today, how to verify quantum supremacy by a classical computer. We will get to it soon. But this is not the only thing. There's a way to generate pseudo-random number generators, again if you believe that there is a problem like learning with errors that's hard, or factoring integers, which is hard, and this has led to a sequence of papers to come up with lower bounds, or the impossibility of proving certain lower bounds by certain methods. There's something called hardcore bits, oblivious transfer, which has really made a tremendous amount of progress in algorithmic coding theory, being able to come up with explicit codes which achieve the list decoding bound, and linear-rate codes with sublinear decoding. And then the techniques for showing average-case hardness from worst-case hardness have led to a whole bunch of research, which essentially I would, if I had to explain it in two minutes, describe as a way to verify properties of large objects by local checks. So let's say you have a large graph or a large system, and you would like to verify that this graph is three-colorable. So, for those of you who know what that means, I can color the nodes in the graph with three colors so that there's no edge whose two endpoints have the same color. How can you test that without looking at all the colors? So there are ways to do local checks, not for three-coloring, but for a lot of other problems, without having to read the entire graph. And I credit a lot of these methods to methods that originated because you wanted to show that some cryptosystem was hard to break on the average. 
In any case, this slide is really more for specialists. So let's go back to the general point, which is, I claim that there are some ideas from cryptography that have developed applications completely outside of cryptography, and I'll tell you a little bit about them, and they're in this thread. Okay, so I'm going to talk about proofs all of a sudden. We're switching gears. There's no more Alice and Bob. Actually, they will show up on the next slide. But right now, we talk about proofs. So everybody has these famous provers, you know, Emmy Noether and Gauss and Pythagoras, and when I give this talk to high school children, when they think about a proof, at least in the United States, I don't know what you guys prove here, they think about Pythagoras, you know, and they think about geometric proofs, right? So they think about this idea, that there are axioms and then there are deductions, and you write it down, and then QED. The point being that there is this famous prover that we all admire, and then there are these proofs that can be checked line by line, and at the end, either it's correct or you found a mistake, okay? And it could be written down in a book. What about in computer science? So for the kind of proofs I'm going to be talking about, I want to make explicit the fact that there's someone who's proving the theorem and there's someone who's verifying the theorem. And I want to think of these as two algorithms. There's somebody who wrote the proof down, which I call the prover, Alice again, and there's someone who's verifying that the proof is correct. So we want to sort of make explicit the job of the verifier, because people always know about the provers, all these famous people, but we want to say also that verification is an explicit procedure. And usually there's a claim, and then you send the proof along. So he's important. He checks the proof, he accepts it or rejects it. 
So the computer science aspect is, what is the difference anyway between this prover and the verifier? The difference is going to be that the job of the prover may be very hard. Maybe he knows something we don't know, or maybe he has more computational power. But if we focus on the verifier, all we care about for now, for a few slides, is that the verification is an efficient procedure. So efficient meaning, let's say, polynomial time; again, it can be done by a realizable computer. And we want two properties, completeness and soundness. Completeness meaning that the prover should be able to convince the verifier of correct claims. So he should be able to prove things that need to be proven. And soundness is that he should not be able to make this guy accept unless the claim was correct. So that seems like the most basic thing you want from a proof. You are able to prove theorems using your system, and you should not be able to convince me of incorrect statements. Great. So, what are the types of claims that I'm talking about in this computer science world? Here are some examples. For example, I may claim that N, you remember that N, is a product of two primes. So here is an example where the verifier is bounded, he doesn't know how to factor, so how can he tell, maybe it's more than two primes, okay? And the prover maybe is the one who actually took the primes and multiplied them together. So he has the proof. What is another example of a theorem? The vote of an electronic election was tallied correctly. So let's say everybody voted by encrypted vote, say, and then you want to prove that the vote was tallied correctly. Another example is, let's say, a tax return form is compliant with the rules. So suppose you want to prove that. So you give the tax return form, you give the rules, and even though it doesn't seem like it, you could capture this with mathematics, assuming that there's a program that checks these things. 
And then you want to prove the claim that this particular tax return is compliant with the rules. Or, I know the password, for example, for my account, without giving you the password, or a contract is valid. So as you notice, all the examples that I chose have in them something interesting, which is that they are the kind of statements I might want to be able to convince you of without giving you the easy proof. What do I mean by the easy proof? The easy proof would be to give you the tax return form, or to give you the votes of everybody in the population, or to give you the password. And then you could check. But is there any way to accomplish that without giving you this easy proof? Or in particular, let's look at this problem. I claim N is a product of two primes. I definitely can send you the primes, and you can multiply p times q and see if it's equal to N, and check if they're primes, which is easy to do for a large computer. And you accept if the equation works out, if N is equal to pq. But after this interaction, the verifier knows that N is a product of two primes, but he also knows the primes. So you can ask a simple question. Is there any other way? Is there any way to check that N is equal to p times q without knowing what p and q are? It doesn't seem like it to begin with. But that's exactly the topic of zero-knowledge proofs. In a minute I'll show you how. So this is a paper of mine with Silvio and Charlie Rackoff, and this is me. Anyway, this is the paper, and this is what we got the Turing Award for, Silvio and I, plus some other things that Charlie didn't do. So in any case, the idea is going to be this. The prover will demonstrate to the verifier that he knows a proof. So he's not going to give him the proof, but he shows that he knows a proof. Now if he knows it, it must exist. So how will he do that? 
He will do that by solving, again this is a general recipe, by solving randomly generated difficult challenges, which are easy if you know the proof. So there is some sort of recipe for how you take a classical proof, like the kind of proof of Pythagoras' theorem, and convert it to a bunch of mathematical challenges, random ones, and you pose these, and the verifier can do that. He takes the statement of the theorem, converts it to a bunch of challenges, and he asks the prover: can you solve this one? He solves it. Can you solve this one? He solves it. Can you solve this one? He solves it. If these are the kind of challenges which are impossible to solve unless you know the classical proof, it convinces him that he must know a classical proof. If he cannot solve one of these challenges, it means he doesn't know the proof, and therefore it may not exist, so I reject. So this is sort of a blueprint. The whole question is, how do you convert a classical theorem into a sequence of mathematical challenges of this sort? Question? Okay. Yeah? No. Okay. And this, for example, will enable access authorization without fear of identity theft, because you could imagine that if I am trying to convince Amazon that I am the right user and I know the password, and Amazon asks me questions that I can answer, then they say, oh, it's Shafi. We let her access her user credit card and so forth. Okay, but how do you do it? So as I said before, the main idea behind zero-knowledge proofs is that she will say, I will prove that I could prove it if I felt like it. Okay? So how do you prove that you can do something if you feel like it, but you don't do it? So now I go to my slides that work for a high school audience, and I think that not only for a high school audience, this is the way this thing should be shown to everyone. And here's an example. So first of all, I just want to say that I lied a little bit. It's not going to be like those proofs you write in a book. 
What will happen is that Alice and Bob are going to ask questions and give answers back and forth. So they're not going to write it down, but the prover has to be present while you are verifying this proof. And secondly, there will be use of randomness. So it will be very important that these challenges that the verifier is generating are random challenges. And therefore it will be very important for the one who verifies the proof to be able to toss coins. All right. So here is an example. It doesn't look like mathematics, which is good at this hour of the night. And here is what Alice is trying to prove to Bob. Bob is colorblind. Apparently it's true that men are more often colorblind than women. But he is able to toss coins. And he can do everything else besides distinguish colors. And she can tell colors, and she claims, she wants to prove to him, that there exists the notion of two colors, and that there are two colors on this page. Okay. He can't see the difference. It looks monochromatic to him. So she is going to do it as follows. So this is a theorem of sorts, okay: there are two colors on this page. How do you do it? The idea is very similar to what you'd do with math. Okay. So what happens is the following. The first thing Bob does is he looks at this page and he tosses a coin. He took it with red on top and green on the bottom. If it comes up heads, he doesn't do anything different. He gives it back to Alice. If it comes up tails, he flips the page over. So if there were two colors, green is going to be on top now and red on the bottom. Okay. Here he flips. And let's say that it came up tails, so he flipped. So before it was red on top, now it's green on top. Now she doesn't see the outcome of his coin toss, but she gets the message back, which is this new page, either flipped or unflipped. 
So he sends her the page, and what she's supposed to do now is to tell him what color is on the top. Now if she can see color, that's not a problem, right? So she sees now it's green, or if it was red, it's red, and she tells him what the color is. Okay. In a sense, what is she doing? She's telling him what coin he flipped. So if he flipped heads, she will have to say red. If he flipped tails, she will have to say green, right? Because this is exactly how he decided whether to flip or not to flip. Now, if Alice is wrong, he immediately rejects the claim. He says, I flipped the page, or I didn't flip the page, and you have no idea what you're talking about. I reject. But if she's correct, what do we know? We know that maybe she was lucky. Okay. And the chance she was lucky to name the right color is a half. Because he flipped the coin, and this just means that she was able to guess the outcome of his coin flip. So they do it again. They do it again. He flips the coin, he sends the page, she sends the color. What is the chance now that Alice manages to guess twice the outcome of Bob's coin? It was a half the first time, half the second time; the chance of twice is a quarter. If we do this 100 times, what is the chance that she can guess the sequence of his coins if there's really not green and red? If there's green and red, she can always say it, 100% of the time. But if she's a damn liar and it's all one color, the chance that he catches her is like one minus one over two to the hundred. With really almost probability one, he will catch a mistake and reject. So I claim two things. Wait a second. This slide is not what I wanted to claim. No. Okay, okay. I claim that this satisfies completeness and soundness. If there are two colors, Bob will always accept. So she can always prove to him that there are two colors, if there are two. But if there's only one color, the probability, as I said, over the 100 iterations, that he will reject is extremely high. 
Furthermore, the interesting part here is the following. Bob has not conveyed, sorry, Alice has not conveyed to Bob the ability to tell green from red. In fact, she's told him nothing, except the outcome of the coins, which he already knew. All she's convinced him of is that she is able to tell red from green. So she had the computational power, the ability to tell green from red. And therefore he believes that she has that power and that there is green and red on this page. So if we think about it in terms of the view of Bob, what he saw is a page and a coin. A page and a coin. A page and a coin. What does that give him? Nothing that he didn't know before. This is the idea behind zero-knowledge proofs. Essentially, we converted the ability to tell green from red into a sequence of challenges that she is able to solve. Of course, with a color and a page, it's kind of easy to see why. But what about in math? So I did put this up here. I don't know if I should or shouldn't, especially since the math got confused. So I guess I shouldn't; it's a hint. But what I was going to show here is how, for example, she can convince him that she knows a solution to this quadratic equation mod N. And the reason that's an interesting computation is because it turns out that the ability to solve this kind of quadratic equation can be used in order to factor N. So if N was a hard problem, also the ability to solve this kind of equation is hard. And Alice can prove to Bob that she knows how to solve these equations, and therefore she knows how to factor. And she can do that in such a way that at the end he will believe that she knows how to solve it, but he will not know. So unfortunately it's got mangled. But essentially there are two equations which she presents to him, and she tells him she can solve both equations: she can tell him what r is and she can tell him what r times x is, and he can choose which equation he wants to see the solution of. 
And either one of these equations alone gives him nothing, but if she can solve both equations, it means that she can solve the equation y = x^2. Okay, anyway. I won't, especially since the equation got confused. So it's exactly the same as this coloring, but translated to mathematics. And in fact, it's more general than just these two problems. It turns out that this is a general mechanism where you can convert any classical proof into a sequence of questions and answers. He can ask questions, she will give him answers. For this he needs to toss coins. For this she has to be able to answer. And it will be true that if the claim is true, there exists an algorithm for her to make him accept. And if the claim is false, he will reject with high probability, regardless of how powerful she is. So just one point to make, and that is that we have actually changed the notion of the original proof. In classical proofs, there's no error. You know, it's either true or false. Here we are allowing a very small error, exponentially small, that it's possible that she will get extremely lucky. She'll be able to answer all his questions, like in the case of the page. She will always be able to predict his coins. And he will accept an incorrect theorem. But it's going to be very small, and we can make that probability exponentially small. So it's a new definition of what we mean. It's an interactive probabilistic proof. There's interaction, and there's some small chance of error. But you can control it and prove how small it is. Question? So this is a new notion of proof. And it's a new, yes, yes. Okay, so you're saying when you write the paper, it's not an interaction. So, good question. Wait. Okay. But this is a beginning. In the beginning this was not about papers. This was about interaction in a cryptographic system. But good question. It turns out today we have more mathematics that enables you even to do something you couldn't do before when you write the paper. Okay? 
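The two-equation challenge just described, the one the mangled slide was meant to show, as an added Python example (not part of the lecture, and a toy reconstruction rather than the slide's own notation): Alice knows x with x^2 = y (mod N); each round she sends a = r^2 mod N for a fresh random r, Bob tosses a coin, and she must reveal either r (so r^2 = a) or r*x (so (r*x)^2 = a*y). The modulus N = 1009 * 1013 and the secret x = 123456 are constructed assumptions. The block also includes a cheating prover, who can prepare only one of the two branches and so survives each round with probability 1/2, and a simulator that produces accepting transcripts without knowing x, which is the reason Bob learns nothing. The page-flipping game above has exactly the same shape: one coin, two possible answers, only one of which a liar can prepare.

```python
import random
from math import gcd

# Constructed toy modulus (an assumption for illustration): two small primes.
# A real deployment would use a modulus of a couple of thousand bits.
N = 1009 * 1013


class HonestProver:
    """Alice: knows x with x^2 = y (mod N) and proves it without revealing x."""

    def __init__(self, x):
        self.x = x

    def commit(self, rng):
        # Fresh random r each round; send a = r^2 mod N as the "first equation".
        while True:
            self.r = rng.randrange(2, N)
            if gcd(self.r, N) == 1:
                return pow(self.r, 2, N)

    def respond(self, challenge):
        # Bob's coin picks which of the two equations she must solve:
        # heads -> reveal r (r^2 = a), tails -> reveal r*x ((r*x)^2 = a*y).
        return self.r if challenge == 0 else self.r * self.x % N


class CheatingProver:
    """Knows y but no square root of it. She guesses Bob's coin in advance and
    prepares a commitment that answers only that branch."""

    def __init__(self, y):
        self.y = y

    def commit(self, rng):
        self.guess = rng.randrange(2)
        self.z = rng.randrange(2, N)
        if self.guess == 0:
            return pow(self.z, 2, N)                        # can open r = z
        return pow(self.z, 2, N) * pow(self.y, -1, N) % N   # can open r*x = z

    def respond(self, challenge):
        return self.z   # only correct if challenge == self.guess


def verify_round(y, a, challenge, answer):
    """Bob's check: each branch is a single modular equation."""
    if challenge == 0:
        return pow(answer, 2, N) == a
    return pow(answer, 2, N) == a * y % N


def run_protocol(prover, y, rounds, rng):
    """Interactive proof: repeat until Bob is convinced or catches a lie.
    A cheater survives each round with probability 1/2, so 2^-rounds overall."""
    for _ in range(rounds):
        a = prover.commit(rng)
        challenge = rng.randrange(2)          # Bob's coin toss
        if not verify_round(y, a, challenge, prover.respond(challenge)):
            return False
    return True


def simulate_transcript(y, rng):
    """Zero knowledge in one function: a transcript (a, coin, answer) that passes
    verify_round and is distributed like a real one, produced without x at all.
    Whatever Bob could compute from real transcripts, he could compute from these."""
    challenge = rng.randrange(2)
    z = rng.randrange(2, N)
    a = pow(z, 2, N) if challenge == 0 else pow(z, 2, N) * pow(y, -1, N) % N
    return a, challenge, z


if __name__ == "__main__":
    rng = random.Random(42)
    x = 123456                 # constructed secret square root
    y = pow(x, 2, N)           # public statement: "I know a root of y mod N"
    print("honest prover accepted:", run_protocol(HonestProver(x), y, 40, rng))
    print("cheating prover accepted:", run_protocol(CheatingProver(y), y, 40, rng))
    print("simulated transcript verifies:", verify_round(y, *simulate_transcript(y, rng)))
```

Note that Bob must choose the coin only after seeing a: if Alice could learn the coin first, she could do what the cheating prover does and always pass. That ordering is the interactive, coin-tossing ingredient the lecture insists on.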
There's still a probability of error and so forth. But we'll get there in a minute. But in terms of zero knowledge, so in that example, it's clear that you're not learning anything besides the page and the coin toss. More generally, the definition of zero knowledge, not a formal definition, but essentially the definition, says that whenever the claim is true, for every verifier, even if he was adversarial, even if he was not an honest verifier and he was trying to sneakily find out information from you, whatever they can compute after the interaction is what they could have computed before the interaction. So zero knowledge means that after the interaction, you'll believe the claim is true with high probability, but you will not be able to compute anything new. Like you could not compute a password and so forth. Okay? So that's sort of the definition, and it can be shown for general theorems. So what have been the consequences of this? So for cryptography, it was first very quickly observed by Fiat and Shamir that it can be turned into a password method, sort of a password where you could verify who the person is without even storing their password. Just the ability to answer questions means that they must know the password. And then it was used as a tool for transforming protocols from curious adversaries to malicious ones, never mind. Maybe more interesting are some recent uses, which really seem very unusual. 
So there was a paper in 2014 by some physicists in Princeton, who apparently were having lunch in the cafeteria and they were talking about nuclear disarmament, and the fact that, why would the US and Russia, at the time, maybe 2014 is not exactly the time, but in any case, believe each other when they are disarming a nuclear warhead, because they don't want to show each other the technology. And somebody from the computer science department, who was actually a student, a colleague of mine, said, you know, it sounds like what you need is a zero-knowledge proof. How do you know that what's being disarmed is a nuclear warhead without looking at the technology? And indeed they wrote a whole paper about nuclear disarmament and zero knowledge. And not only did they write this paper in Princeton, there was a whole big project at MIT showing that their paper wasn't right and so forth. Not in the sense that there was a mistake, but the axioms there were not satisfied. Another thing you can do with zero knowledge, that people have shown, is an application to forensics. So suppose there is a crime scene and some evidence, some DNA, and then you have suspects in a crime and you want to check whether their DNA matches the crime DNA. But they don't want to give you their DNA. Is there any way to check that the forensics on the crime scene is not equal to the forensics of a suspect without getting the suspect's data? So again, it turns out there is a way to check, in some sort of zero knowledge, that these two pieces of information, the DNA of the suspect and of the crime, are not the same. And this requires, of course, using whatever the accepted algorithm is for getting a fingerprint from your DNA for the purpose of forensics. More down to earth, there's a company called Zcash where they do cryptocurrency, but it protects the privacy of the transactions, the anonymity of whoever is doing the transactions. 
So, I'm sure all of you have heard about Bitcoin and maybe Ethereum; Zcash has an added feature, that they also protect the privacy of the transactions. And it's using zero knowledge. You verify that the transactions are valid without giving information about the content. Another thing, this is a recent paper of mine, is that you can come up with a practical system for proving compliance with surveillance orders. So what do I mean here? So I'm sure it's the same in Switzerland and all over the world. In the US, the system for getting surveillance requests is, let's say you want to go to Facebook or Google and you want to say that you would like to get access to the digital transactions of someone who's suspected to be a criminal. The FBI can request a surveillance order from a judge. So this is not the FISA court, just a judge, a federal judge. And then if it's okay, this judge will go to the company and tell them that the surveillance is authorized. I'm being called, but I won't answer. Let me just turn it off, sorry. Okay. So the question is, how do you make sure that this is always accountable, since these surveillance orders are done in secrecy, right? You don't want the criminals to know that they're being wiretapped. And so again, there's a system of regulations and then there's a system of requests, and you want to say that this is compatible with the regulations. And also you want to check that when there are these reports that Google, Facebook and so forth publish every year about how many surveillance orders they were requested, these reports are accurate, and maybe you want to know why, what kind of crime is being pursued. So there are many things you might want to know about these surveillance orders, which you don't have any way to tell unless you have a way to verify some information without actually looking at the order in the clear. Okay. 
So there's a lot of potential for the future, and if people read the news, this whole thing about verifying that a public tax return is compliant with the rules, without knowing which taxes were paid to whom, might be a very interesting case to deal with. This is all, of course, under the assumption that you can automate what a tax accountant does. You can automate a lot of these court proceedings so that you can actually use the kind of procedures we have, so that we can verify in zero knowledge. Okay, so I said that this actually led to some things beyond cryptography. So what type of things? So the fact that you can decouple correctness from knowledge of the proof means that you can start asking new questions about proofs, because this is a novelty, right? The fact that correctness doesn't mean that you have to know the proof. So what are the types of things, and this will get to your question in a minute about writing it in a book, what are the types of things that people have asked? They've asked a lot of questions in the last 25 years. For example, so here's a little bit of jargon, unfortunately, you could ask whether these types of proofs are more expressive than classical proofs. So let's think in general that any claim is an equation, and the proof is setting the variables, figuring out whether this equation is true or false. So if you think of the proof as a bunch of variables, and you think of this as a bunch of variables that have to be instantiated, then you check that the proof is correct, okay? So we have a class in computer science called NP, which is all those problems where you can express the problem as checking whether there exists a solution to the equation. And a classical proof is obviously good enough for that, because you write down the proof, and the proof would be the values of X1 and so forth that satisfy the equation. 
But there are other classes, such as, how do you check that there is no assignment to the variables that satisfies the equation? Do you try all possible settings of the variables? That's an exponential number; if these are zero-one variables, it's two to the n. So we don't know how to do this with a fast, short proof. Exponential is too long for us. How about checking whether there are exactly this many solutions, or something more interesting like, for all X1 there exists an X2 such that for all X3, and so forth. These are the types of statements that we don't know how to write down as short proofs, okay? However, it turns out that with interactive proofs, okay, you can. So there is a way to verify a statement of this nature, even though you are polynomial-time bounded, so you are an efficient verifier of these statements. So essentially all of these classes can be done by a verifier who's still stupid, polynomial time, but can toss coins and uses algebra and arithmetization and so forth of the statements, but it can be done. Another question, which leads to yours, is, is there some other way, except interaction and randomness, any other form of proof? I mean, if we have moved already from writing down a classical proof, 100% correct, and we're allowing a probability of error, maybe there's something else we can do. So, indeed, here's a paper that I wrote, which seems a bit strange to begin with, with Ben-Or, Kilian and Wigderson in 88, and the idea is, you know, it's so much fun with one prover, let's add another one. Okay, so now, why is two better than one? If one prover knows the proof, why do we need two? Because what we're going to do is we're going to separate these two provers into two separate rooms. Let's just say that there are two provers, but they can't see the questions the verifier is asking of the other one. 
And what that enables is, for the one who's verifying the correctness, to check consistency of the answers. Now, this ability of checking consistency of the answers turns out to be a tremendous ability. It enables us to prove even more theorems, like non-deterministic exponential time, but more interestingly, it enables us to do things efficiently. So we can take theorems, and whereas in the past we had to read the entire proof, and it was a long proof, we can read very little, and that will come back to your question about what if I wrote it in a book, and how would we translate this interactive proof idea to writing it down in a book, okay? So the crux of the idea is here. So let's just think about these two provers. Suppose the theorem that we want to prove is here: one, two, three, four, five, six equations. These are zeros and ones, and they answer either one or zero. And I claim that there's a solution for 99% of the equations, okay? The prover claims that. So one way to verify it is, just give me the solution to all the equations, check if 99% of them are correct. How long is that proof? It's essentially, there's nine variables here. I have to give you all the nine variables, right? Is there any faster way? Can I check that these six equations are satisfied without actually checking every single one of them? Using this two-prover mechanism. So here's a way to do it. What the verifier does is he chooses a random equation. One of these six, let's say he chose this one. He goes to the first prover and he says, hey, give me the three variables that solve this. And the prover gives him the value of x1, x4, and x7. And then he goes to the second one, he says, give me the value of the variable, let's say a random variable in this equation, x4. If the x4 that he gave him was the same as the x4 here, it means at least those two answers are consistent.
But it could be that essentially it's not clear what would be the strategy of this guy, because he doesn't know which equation you're trying to satisfy. If it's not true that 99% are satisfiable. It's too much for this. Believe me, okay? What happens here is that whereas, if there was only a single prover, he would have to give you all the variables, when there are two provers, it's just a constant number of values that you need to read from the proof. And this in turn can be translated to something that's called probabilistically checkable proofs, which are long proofs, where you don't have to read the entire proof. But if there's an error anywhere in the proof, let's say one page in the proof has a mistake in it, it's a new way to write these proofs, sort of a new way to code these proofs. So if there was an error on one page, it will propagate through the book or through the pages of the proof. And if you pick a random, a few pages, constant number of pages at random, you will surely find the mistake. So this is the answer to your question, assuming that I've understood it correctly, and that there is a new way to verify proofs, so you don't have to read the whole thing. You only have to read a constant number of pages. There's a probability of mistake. Okay, so there's some chance you will not find a page with a mistake, but there is very close to one probability that you will find a mistake if one exists. All right. What did I wanna say? So, remember, we talked about quantum computing, and I said that Google now says that they have built this quantum supreme computer. An interesting question arises, and that is, how do you verify that's correct? So, by definition, if they are able to come up with something that exhibits quantum supremacy, I can't do it classically. So how do they verify that they actually do the computation correctly?
So this is a question that came up, actually people doing quantum computing, when they saw this interactive proof business, they were saying maybe, if it's possible to prove to a much weaker verifier, okay? Statements, maybe it's possible to consider a quantum computer, so as quantum, and a classical verifier that is able to check the correctness of the quantum computation without having to recompute it. Without even learning the proof. And it turns out that, in fact, there is a way to do so by adding sort of an interactive proof, and this is a theorem that's very new, this is Urmila Mahadev, she's a student of Umesh Vazirani in Berkeley, and she shows how classical computers can verify computation of quantum computers. Again, if a certain problem is hard to break or hard to solve for quantum computing. So there'll be some way to encrypt your challenges so that the quantum computation will not know in some sense what you're asking and will be caught in a mistake unless the computation was done correctly. Very interesting and actually very relevant today, given the progress that we have. I am almost done. I know that I just wanted to say that it's not only for quantum computing, but there's, I mentioned cloud computing earlier. When I started in this field, there were no personal computers, but once they appeared, you stored everything on these type of storage devices. These days people talk about small computers, large Clouds, and your data is moving to the cloud, right? And not only the data, but also computation. So the computation will be done in the cloud. So a very clear question there is, who guarantees that the cloud is computing the answers correctly? I mean, the whole point is that you don't have the power to do these computations. So how do you check?
And there's a clear application of what I've talked about to sort of this trust-but-check paradigm where this cloud will also prove that they computed correctly the program and it's in fact gonna be an interactive proof, which will make it very, very efficient to check by very weak computers, that the computation that the cloud did was done properly and they're not just cheating you or making a mistake. And there's been a lot of progress in this, how to delegate computation to the cloud. In fact, it's not just theory. There's lots and lots of system papers. It's a superbuilding system of the system that is able to check the validity of computation done elsewhere. So, I think I'm about to end. I'll skip this and I'll just say that I've told you a little bit about consequences of basic research in cryptography, electronic commerce, this quantum computing. We didn't talk about cryptocurrency. We talked about zero knowledge. It enables anonymous cryptocurrency, cloud computing, this new definition for NP. And the next frontier I think is machine learning, safe machine learning. I'll talk about that on Wednesday. For those of you who still have the strength to listen to me on Wednesday. And at least one thing should be clear that whatever physical intuition you have for what can be done, I think it's not always true. So using mathematics, using this adversary who's computationally bounded, you could do a lot more. Thank you.
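The two-prover consistency check described in the lecture (six equations over nine 0/1 variables, a random equation sent to the first prover, a random variable of that equation sent to the second), as an added example that is not part of the lecture. The XOR form of the equations, the constructed instance, and all function names are assumptions; the unsatisfiable instance (at most 5 of 6 equations can hold) shows the cheating case, where a prover who must answer without knowing which variable the other was asked is caught with probability (1 - 5/6)/3 = 1/18 per round.

```python
from fractions import Fraction
from itertools import product
import random
# Constructed instance (not from the lecture): 9 boolean variables x1..x9 and
# 6 equations "x_i XOR x_j XOR x_k = b", written ((i, j, k), b).  The XOR form
# is an assumption; the talk only says each equation has three 0/1 variables.
SAT_EQUATIONS = [((1, 4, 7), 1), ((2, 5, 8), 1), ((3, 6, 9), 1),
                 ((1, 2, 3), 0), ((4, 5, 6), 1), ((7, 8, 9), 0)]
SAT_ASSIGNMENT = {1: 1, 2: 0, 3: 1, 4: 1, 5: 0, 6: 0, 7: 1, 8: 1, 9: 0}
# Flipping the last right-hand side makes the system unsatisfiable (XOR-ing
# equations 1-3 and 4-6 both give x1 ^ ... ^ x9), so at most 5 of 6 can hold.
UNSAT_EQUATIONS = SAT_EQUATIONS[:5] + [((7, 8, 9), 1)]
def satisfied(eq, vals):
    (i, j, k), b = eq
    return (vals[i] ^ vals[j] ^ vals[k]) == b
def honest_prover1(a):  # asked an equation, answers its three variables from a
    return lambda eq: {v: a[v] for v in eq[0]}
def honest_prover2(a):  # asked one variable, answers it from the same a
    return lambda v: a[v]

def cheating_prover1(a):
    """Uses a where it satisfies the equation, else flips one variable so the
    local answer does; it cannot know which variable prover 2 will be asked."""
    def answer(eq):
        vals = {v: a[v] for v in eq[0]}
        if not satisfied(eq, vals):
            vals[eq[0][0]] ^= 1
        return vals
    return answer

def verifier_round(equations, prover1, prover2, rng=random):
    """The talk's protocol: random equation to prover 1, random variable of it
    to prover 2; accept only if the equation holds and the answers agree."""
    eq = rng.choice(equations)
    vals = prover1(eq)
    v = rng.choice(eq[0])
    return satisfied(eq, vals) and prover2(v) == vals[v]

def rejection_probability(equations, prover1, prover2):
    """Exact rejection probability over all 6 * 3 verifier coin tosses."""
    outcomes = [(eq, v) for eq in equations for v in eq[0]]
    bad = sum(1 for eq, v in outcomes
              if not satisfied(eq, prover1(eq)) or prover2(v) != prover1(eq)[v])
    return Fraction(bad, len(outcomes))

def best_fixed_assignment(equations, n=9):
    """Brute force over 2^n: prover 2's best fixed assignment and its score."""
    score = lambda a: sum(satisfied(eq, a) for eq in equations)
    best = max((dict(zip(range(1, n + 1), bits))
                for bits in product((0, 1), repeat=n)), key=score)
    return best, score(best)
```

Repeating the round k times drives the acceptance probability of a false claim down as (17/18)^k while honest provers are never rejected.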