Okay, well, thanks very much. Okay, so hopefully you can all see my slides; if you ever stop seeing them, let me know. So I wanted to begin by thanking the organizers for creating and maintaining such a nice sense of community among our Number Theory community, especially in such a difficult time when people are feeling so isolated. I know that running such a seminar isn't easy, especially waking up at ridiculous hours like Alina in Sydney, where it's one in the morning, two in the morning by the end. And just the fact that they're showing up at the talks, they're awake, they're paying attention, they're asking questions, they're leaving their video on: it's really a tremendous service they're doing to the community, tracking down elusive potential speakers who won't commit. So one reason I'm saying this is that I want to talk more about community later, but maybe to illustrate what sort of things these poor organizers had to deal with, I wanted to start by telling you what happened in my case.
So I gave them such a hard time. Over a year ago Mike Bennett asked me to speak in the seminar, and I kept putting this off, and each time he got back to me I had some sort of really crazy excuse that got crazier and crazier as time went on. So I started out with: I'm preparing a different talk, I want to wait till I give that before thinking about giving another talk, I'll get back to you. And usually when I say I'll get back to someone, I do it, but this time I must have been so ambivalent about it that I didn't get back. And when they contacted me again I'd say, well, I really should go to some more of the seminars and see what they're like before I decide. Or: I've been thinking about good ways for the community to make use of the existing technology, I'm not convinced I've figured out the right way to do it, I want to see how ANTS turns out and whether it's a good model for how to do online seminars and conferences. But what I replied in December of 2020 was probably the strangest of all, so I'll actually read it to you. So I wrote to Mike: I'll probably eventually accept the invitation, but I'd like to wait until after January 20th to decide. To be perfectly honest,
I'm worried there's going to be a civil war. I'd like to wait until Biden is safely inaugurated, and it's hard for me to plan anything before that. Some part of me is thinking it's just not a good use of my time to prepare a talk if the world is going to end before I give it. So on January 6th, I was probably the only one whose reaction was "yes, now the Number Theory Web Seminar organizers won't think that I'm totally crazy." But maybe I'll add that there are technological issues that make virtual talks difficult. For example, I tend to feed off the audience, and if I have no idea whether they're even there, that's really hard. Also my internet connection isn't very good, so I have this hundred-foot ethernet cable because I didn't trust my wi-fi, and I'm doing the slides on my television; so if you see me glance to the side, I am in fact watching TV, but I'm watching my slides on TV. And I also think that in some sense online seminars capture all the bad things about math seminars and not a lot of the good things, especially the free food, which I think is what attracts a lot of people, but also the conversations before and afterwards, which I think are really the most valued part of a seminar. So I think we want to rethink some of that and figure out what the best ways to do this are, because there are also a lot of really good things about the ability to have an international audience, and people can see speakers they never would have otherwise seen or heard. So, in an effort to get out of giving the talk, I told Mike I was interested in giving maybe a more non-traditional talk, but I completely understood if that doesn't fit in with what they're looking for. But he was very encouraging despite all my efforts, so I'm going to be giving a talk. So let's get started.
So I'm going to take you on a quest to find cryptographically useful multilinear maps. But what I'm also going to do, maybe a little bit during that but more at the end of the talk, is share some of what I've learned in my adventures as a mathematician and as a cryptographer, and trying to be both at the same time. Maybe another way to say that is: things I wish that someone had told me sooner. In other words, I've made a lot of mistakes, and I don't want you to make the same mistakes, so I'm going to give a little bit of advice.

Okay, so the quest to find cryptographically useful multilinear maps. So it begins. Who's our cast of characters? Well, Alice, Bob and a finite cyclic group. I'm going to start with something that most of you probably already know, Diffie-Hellman key agreement, mostly to establish some terminology. So G is our finite cyclic group and g is a generator. Bob and I want to create a shared secret key that we're then going to use to encrypt and decrypt messages, but we haven't met in advance to exchange anything, so we have to somehow do this publicly through an insecure channel. So I choose my secret a, and Bob chooses his secret b. I take the generator g of my cyclic group and raise it to the power a; Bob raises his to the power b. We either send them to each other through the insecure channel or just broadcast them; I might broadcast it on the radio or publish it in the newspaper or whatever. And then we now share a common secret, namely g^(ab), which I can compute because everybody knows g^b and I raise it to my secret power, and Bob does the symmetric thing. So we share that, and why can't the adversary compute g^(ab)? So this is establishing terminology.
The adversary we're going to call the Jabberwock. The Jabberwock cannot compute g^(ab) as long as the Diffie-Hellman problem is hard. The Diffie-Hellman problem states: find g^(ab) given g, g^a and g^b, for random unknown a and b. So why is Diffie-Hellman key agreement secure? Well, it's secure if the Diffie-Hellman problem is hard. But that's just a tautology: it says it's secure if it's secure, but that's what we have. So you want to use a group in which you believe the Diffie-Hellman problem is hard.

Okay, so now there's the question: what if three people or three parties want to create a shared secret, and they want to do this with just one round of broadcasts? They don't want to have a lot of interaction. Can this be done? This was an open problem for a while, and it was solved by Antoine Joux in the year 2000; the paper is from the year 2000. So three parties want to create a shared secret. What can they do? I choose my secret a, Bob chooses b, the Cheshire Cat chooses c, and we broadcast g^a, g^b, g^c respectively. Those are all now public. So what can we do at this stage? Well, now we make use of elliptic curves and pairings on elliptic curves, like the Weil pairing on elliptic curves. Suppose that we have a pairing, or a bilinear map, from G × G to our target group.
I'll call it G_T, T for target. So what properties do we want this map to have? We want it to be efficiently computable, and we want it to have this bilinearity property, which says that if you input g^a and g^b, that's the same as if you paired g with g, took the output and raised it to the power ab, for all integers a and b. So suppose we had such a thing, and think in terms of something like the Weil pairing on the points on an elliptic curve. Then I claim that the three of us, after this one broadcast, all share what happens when you pair g with g, take the output and raise it to the power abc. And the reason I can compute that is I take the two public broadcasts that I see from Bob and the Cheshire Cat, I input them, I take the output and I raise it to my secret. Bob does the symmetric thing and the Cheshire Cat does the symmetric thing, and we all can compute the shared secret. And then the question is, why can't the Jabberwock figure out the secret? The answer is, well, the Jabberwock can't compute this supposed shared secret if what we'll call the bilinear Diffie-Hellman problem is hard. The bilinear Diffie-Hellman problem says: find the shared quantity given the public information, so given g, g^a, g^b and g^c, for random unknown integers a, b and c between 1 and the order of the group G. So again the security is just a tautology: this problem has been created to make this system secure.

Okay, so Antoine Joux came up with this method for one-round three-party key agreement in the year 2000. He said, for the group G you want to use a cyclic subgroup of the group of points on an elliptic curve over a finite field of sufficiently large size, and this bilinear map is going to come in a suitable way from a Weil pairing on the elliptic curve, or what cryptographers call the Tate pairing or Tate-Lichtenbaum pairing. And so you might have to modify the Weil pairing to get something suitable, but I'll leave that aside for the moment, and there are actually other pairings that one can use.

So maybe I'll say that the success of pairings in cryptography, I would say, came about through curiosity, good communication between mathematicians and computer scientists, and being open to opportunities. So the idea that, hey, you can use the Weil pairing and do this really cool thing that solves a problem in cryptography, I think had to do with Antoine being curious and open to opportunities. Now in fact the Weil pairing had been introduced to cryptography 10 years earlier, and it was introduced in a way that showed that there was a destructive aspect to it. So this is what I'll call the MOV attack, because it's named after Menezes, Okamoto and Vanstone. In 1991 they showed the destructive power. And so, again for terminology: G and G_T from now on are cyclic groups of the same prime order, and we're going to do it in such a way that if you input g and g, the output is an element of G_T that we know. I want it to be a generator, which, since we have a cyclic group of prime order, just means it's not the identity element in the group. Now of course if it were the identity element in the group, if e(g, g) were equal to 1, then remember this bilinearity property: it would say that no matter what you input, g^a and g^b, you're still going to get 1. So you'd have a pretty trivial map, and your secret sharing protocol would always be giving you 1, and that's not giving you much of a secret. So the bilinear Diffie-Hellman problem would not be a hard problem in that case; it'd be a trivial problem.
So you want this, I'll call it the non-degeneracy property: you get a generator of the group, you don't get the identity element. Okay, so this MOV attack was used to show that the discrete log problem could be easy in certain cases. Recall the discrete log problem is: given your generator g and g^a, find the exponent a. So Menezes, Okamoto and Vanstone showed that if your pairing is efficiently computable and non-degenerate, and if the discrete log problem is easy in the target group, then the discrete log problem is easy in the group G that you started with, and therefore the Diffie-Hellman problem would be easy. So why is that? How do we solve the discrete log problem in G if we know how to do it in G_T? How do we use the pairing? Well, we compute two things: we input g and g and take the pairing to see what we get, e(g, g), and we pair g with g^a. Well, when we pair g with g^a, that's the same as pairing g with g, taking the output and raising it to the a. But we know how to solve the discrete log problem in G_T, so once we compute this, we can solve the discrete log problem there, solve for a, and that tells us a, and that solves the discrete log problem in the group G, which was our goal. So if the discrete log problem is easy over in G_T, and we have an efficiently computable non-degenerate pairing, then the discrete log problem is easy in G. And what that told people at the time is that certain elliptic curves are not safe for elliptic curve cryptography, because they have efficiently computable Weil pairings that take values in the multiplicative group of a finite field in which the discrete log problem is too easy.
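The pairing machinery walked through above (Joux's one-round three-party agreement and the MOV reduction), together with the pairing-based decisional Diffie-Hellman check the talk comes back to later, as an added worked example that is not part of the talk or its slides. It assumes a constructed toy instance: the supersingular curve y^2 = x^3 + x over F_283, its subgroup of order 71, and the distortion map (x, y) -> (-x, iy), so the pairing is a modified Tate pairing computed with Miller's algorithm; the parameters are far too small to be secure and exist only so that every step can be run and checked.

```python
# Added toy example (not from the talk): pairing-based protocols on the supersingular
# curve E: y^2 = x^3 + x over F_p, p = 3 (mod 4).  Constructed parameters, far too small
# to be secure: #E(F_p) = p + 1 = 4 * 71, and we work in the subgroup G of order 71.
P_MOD = 283
ELL = 71
COFACTOR = (P_MOD + 1) // ELL
FINAL_EXP = (P_MOD * P_MOD - 1) // ELL   # embedding degree 2: G_T sits inside F_{p^2}^*

# --- F_{p^2} = F_p(i) with i^2 = -1; an element a + b*i is the tuple (a, b) ---
def f2_mul(u, v):
    a, b = u
    c, d = v
    return ((a * c - b * d) % P_MOD, (a * d + b * c) % P_MOD)

def f2_pow(u, e):
    r = (1, 0)
    while e:
        if e & 1:
            r = f2_mul(r, u)
        u = f2_mul(u, u)
        e >>= 1
    return r

# --- E(F_p): affine points (x, y); None is the point at infinity ---
def ec_add(A, B):
    if A is None or B is None:
        return B if A is None else A
    x1, y1 = A
    x2, y2 = B
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                         # B = -A
    if A == B:
        lam = (3 * x1 * x1 + 1) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, A):
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R

def generator():
    """A point of order ELL: take any curve point and clear the cofactor."""
    for x in range(1, P_MOD):
        rhs = (x ** 3 + x) % P_MOD
        y = pow(rhs, (P_MOD + 1) // 4, P_MOD)   # square root, valid since p = 3 (mod 4)
        if y * y % P_MOD == rhs:
            G = ec_mul(COFACTOR, (x, y))
            if G is not None:
                return G
    raise RuntimeError("no point of order ELL found")

def pairing(A, B):
    """Modified Tate pairing e(A, B) = t(A, phi(B))^FINAL_EXP, phi(x, y) = (-x, i*y).
    Miller's loop multiplies up the tangent/chord lines evaluated at phi(B); vertical
    lines are omitted since their values lie in F_p and die in the final exponentiation."""
    xb, yb = B

    def line(T, lam):                        # y - y_T - lam*(x - x_T) at (-xb, i*yb)
        xt, yt = T
        return ((lam * (xb + xt) - yt) % P_MOD, yb)

    T, f = A, (1, 0)
    for bit in bin(ELL)[3:]:                 # double-and-add over the bits of ELL
        lam = (3 * T[0] * T[0] + 1) * pow(2 * T[1], -1, P_MOD) % P_MOD
        f = f2_mul(f2_mul(f, f), line(T, lam))
        T = ec_add(T, T)
        if bit == "1":
            if T[0] != A[0]:                 # chord through T and A (skip if vertical)
                lam = (A[1] - T[1]) * pow(A[0] - T[0], -1, P_MOD) % P_MOD
                f = f2_mul(f, line(T, lam))
            T = ec_add(T, A)                 # the last addition lands on the identity
    return f2_pow(f, FINAL_EXP)

def joux_keys(a, b, c):
    """Joux's one-round three-party agreement: each party pairs the two broadcasts it
    sees and raises the result to its own secret; all three values must coincide."""
    G = generator()
    A, B, C = ec_mul(a, G), ec_mul(b, G), ec_mul(c, G)   # the three public broadcasts
    return (f2_pow(pairing(B, C), a), f2_pow(pairing(A, C), b), f2_pow(pairing(A, B), c))

def ddh_oracle(G, A, B, H):
    """Decisional Diffie-Hellman is easy with a pairing: H = ab*G iff e(A, B) == e(G, H)."""
    return pairing(A, B) == pairing(G, H)

def mov_dlog(G, A):
    """MOV reduction: e(G, A) = e(G, G)^a, so a discrete log in G becomes one in G_T.
    With a 71-element target group the 'easy' target-group DLP is a brute-force scan."""
    base, target = pairing(G, G), pairing(G, A)
    acc = (1, 0)
    for k in range(ELL):
        if acc == target:
            return k
        acc = f2_mul(acc, base)
    return None
```

Non-degeneracy is visible directly: `pairing(G, G)` is not the identity (1, 0) of F_{p^2}, so bilinearity makes every key, DDH answer and MOV discrete log above meaningful.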
So that said, there are certain weak elliptic curves for elliptic curve cryptography. So this showed that pairings can be destructive in cryptography, and it took a decade to realize that they could actually be used constructively, and that was Antoine Joux in the year 2000, as I mentioned. So communication is important. I'd like to think that maybe if there'd been better communication between computer scientists and mathematicians, this could have been solved sooner; maybe we would have seen the constructive aspects appearing sooner. I'll get back to this topic about communication later. And I do want to mention that at the same time as Antoine Joux was doing three-party key agreement, Sakai, Ohgishi and Kasahara came up with a method to do something called identity-based key agreement with no interaction, which is a really cool application of pairings on elliptic curves. Just for lack of time I won't show it; I know sometimes I show it, it's just two slides, but maybe I'll leave that as an exercise, or go and look up their paper. It's a very elegant solution to this problem.

Okay, so we had two-party key agreement, we have three-party key agreement. What about four-party key agreement? So four parties want to establish a shared secret with one round of broadcasts. Well, this is an open question. So what happens if you just try to generalize Antoine Joux's solution?
So there's a paper of Dan Boneh and myself from 2003 in which we tried to do basically the same thing I'm trying to do in this talk, which was just to publicize this problem, this open question, so that someone could hopefully come up with a solution. So we said, look, if you try to do what Antoine's doing, you want to generalize a pairing, so you want to have an efficiently computable map G × G × G and so on, let's say n times, mapping to our target group G_T, where G and G_T are cyclic groups of the same prime order with efficiently computable group operations and inverses. And we want to have now this multilinearity property; so these are the multilinear maps that I mentioned in the title of the talk. Here, if you input g^(a_1) up to g^(a_n), that should be the same as inputting g multiple times, taking the output and raising it to the product a_1 ... a_n, for all integers a_i. Okay, so if you have such a thing, then I claim you can do one-round multi-party key agreement. We all choose our individual secrets, we don't tell anybody else, and we broadcast: we take the generator for our cyclic group, raise it to our secret, and broadcast that. So now, remember we had n inputs to our map, and we have now n + 1 parties, and I claim the n + 1 parties share this quantity. The way I compute this quantity is I take all the broadcasts that I see, which are all public, so I have access to them, and I plug them into my multilinear map. I have my n inputs.
I take the output and I raise it to my secret, just the same as we did in Antoine Joux's solution to three-party key agreement. And everybody else does the same thing: they take the broadcasts that they see, they input them, they take the output and they raise it to their secret, and because of the multilinearity property we all get the same value. And that's a fine solution, except then the question becomes, do we have such maps? Well, I should say, okay, what about security? Security should be the most important thing for cryptography. So the adversary, the Jabberwock, can't compute the shared value if the multilinear Diffie-Hellman problem is hard, where of course the multilinear Diffie-Hellman problem says: find the shared secret given all the public inputs, for random unknown integer values a_1 up through a_(n+1). Okay, so that was the multilinear Diffie-Hellman problem; I'm just reminding you of it at the top of this slide. And I'll just point out: when n = 1, the multilinear Diffie-Hellman problem is the regular old Diffie-Hellman problem, where the map e is just the identity map on the group G. So you have your one input, your target group is the group G, e is the identity map, and it should look a lot like the Diffie-Hellman problem. When n = 2, the multilinear Diffie-Hellman problem is just the bilinear Diffie-Hellman problem; that should be easy to see. Okay.

So in the same paper, this paper had a constructive side and sort of a destructive side, or it had an optimistic and a pessimistic side. The optimistic side was that, well, if you have these nice multilinear maps you can do all sorts of nice things. As I said, you can do one-round multi-party key agreement, but you could also do these other nice things that cryptographers were interested in. And maybe I'll point out that after that, other people, people working on something called code obfuscation, or really more specifically indistinguishability obfuscation, showed that cryptographic multilinear maps are closely connected to that. So if you had cryptographic multilinear maps, you could do code obfuscation, and that in turn has a lot of applications to a lot of different kinds of encryption, and is in some sense a holy grail of cryptographers.

Okay, so the pessimistic side. I sometimes think that in collaborations between computer scientists and mathematicians in cryptography, the computer scientists are often the optimists and the mathematicians are the pessimists. So we also proved in this paper that if you impose enough natural properties on the multilinear maps, then essentially the only possibilities you can have are the ones you already know, namely the case n = 1 with the identity map and pairings on abelian varieties in the case n = 2, and so nothing for getting more than three parties to share a secret. So there's a question: what do we mean by these natural properties? The philosophy there is, if a computer is going to be able to do this, you expect that you're going to be dealing with polynomials. If you're dealing with polynomials, you're doing algebraic geometry. And if you're doing algebraic geometry, well, you might expect that if you're doing something like these maps, you might have a system of Galois-equivariant multilinear mod ℓ maps for infinitely many primes ℓ. It somehow seemed like a natural thing, which is what happens of course with something like the Weil pairing. At the time we did this there was just the Weil pairing; it had all these very natural properties that we know that the Weil pairing on elliptic curves and abelian varieties has, and we thought, well, those seem like very natural properties; if you're going to come up with a mathematical solution, it's probably going to have these natural properties. But so what are the grounds for optimism after that?
Well, fortunately, many of the pairings that people came up with later for use in pairing-based cryptography are actually not very natural to a mathematician, and they wouldn't satisfy these natural properties that we had in the theorem. And another ground for optimism is that cryptographers can be extremely clever and come up with really clever solutions to things. So in 2013 Garg, Gentry and Halevi constructed what they call candidate multilinear maps, and I think of it more as approximate multilinear maps, using lattices that come from ideals in rings of integers of number fields. And so there are these sorts of things that serve the same purpose as the multilinear maps that Dan and I were envisioning, without exactly satisfying the definition that we gave, but in some ways they work well to accomplish the applications that people were interested in. So the things that people proposed to use to solve some of these problems were then attacked and would turn out to be weak, and people would then come up with new constructions, and there'd be new attacks. I believe it's still the case that all the constructions are still very inefficient and therefore not really practical yet. So far, I believe they're insecure when applied to multi-party key agreement, and they require a trusted third party. And I'll mention here that Dan Boneh, Ted Chinburg, Akshay Venkatesh and I have a project in which we're working on constructing cryptographically useful multilinear maps, and I think other people are also doing that. I also wanted to publicize this in case other people have ideas; I was thinking also in terms of things like topology; there may be places outside of algebraic geometry that one should look. But going back to, putting my mathematician pessimist hat on, let's ask the question:
How secure is pairing-based cryptography? Well, many new cryptosystems were being created using pairings and elliptic curves. I think if you Google "Pairing-Based Crypto Lounge" or something like that, you get... I don't think it's still being maintained, but there are hundreds of papers about pairing-based cryptography. People keep coming up with these new, really nifty, clever constructions whose security is often based on the presumed difficulty of a problem in number theory that's often a new problem that's just been created in order to get this new cryptosystem to be secure. And to give you some examples of the types of problems, and I don't really want you to necessarily look at these problems or try to solve these problems, but to give you an example of the sorts of things people are doing, you get these rather complicated problems like the k-bilinear Diffie-Hellman exponent problem: given a whole bunch of stuff that you make public, is it still hard to compute this other thing? Or the Diffie-Hellman inversion problem: if you have a multilinear map, can you find the appropriate thing? And then there's something like the decisional k-bilinear Diffie-Hellman exponent problem. Certain cryptographers have told me, stop talking about this this way, people will think these things are insecure, you're making fun of our problems, we don't want our problems to be made fun of. But really, the point I want to make here, the reason I put "decisional" in red: a decisional problem is a problem with a yes or no answer, and whenever I see "decisional" and pairings, so a pairing-based solution to a cryptography problem where the security is based on a decisional problem, that's to me a red flag. And the reason is the following. There's a well-known problem in cryptography; I mentioned the Diffie-Hellman problem.
There's also the decisional version of that problem. The decisional version says: given g, g^a, g^b and h, all in my group G, decide if h = g^(ab). So rather than finding g^(ab), decide whether a given random element of G is in fact g^(ab). And it was known that decisional Diffie-Hellman is easy with pairings. I think this was pointed out to me by Gerhard Frey around the same time as MOV, or maybe even a little bit before that; he said, hey, pairings are dangerous in cryptography, because of this solution. So how would you solve decisional Diffie-Hellman with pairings? Well, you pair g^a and g^b, and separately you pair g and h, and you compare them, and I claim if they're equal then you should output yes, and if they're not equal you should output no. And why is that? Well, when you pair g^a and g^b and use the bilinearity property, you get e(g, g)^(ab), but that's the same, by the bilinearity property, as what happens when you input g and g^(ab). And it follows that h = g^(ab) if and only if this equals e(g, h). And so that justifies the statement. So in other words, the decisional Diffie-Hellman problem is easy if you have a pairing. And for me, my ears perk up when somebody says, here's a solution to an interesting cryptography problem, it uses pairings, but it's based on a decisional problem.

Oh, Alice, sorry to interrupt you, but there's a question from Igor in the chat. Igor, would you like to unmute and ask?

Yes.
So as I understood, sorry to interrupt, as I understood it, you are trying to design a protocol of one-round exchange of some secret, some shared information, and obviously for n + 1 players an n-round protocol is trivial, by just first exchanging pairs and then increasing by one per round. My question is whether or not it's trivial to do it in two rounds for arbitrarily many players.

Two rounds for arbitrarily many? Off the top of my head at eight in the morning, at the talk, I'm not sure, I'd have to think about that, because for every problem somebody cannot solve there is an easier problem somebody cannot solve, and that might be the case here. Okay, yeah. I think probably some of the computer scientist cryptographers who thought of this could give you the answer off the top of their heads, but I'd have to think about that later. So I think I'll put that aside.

Well, in fact, somebody actually responded to this question: Daniel Bernstein, that two-round is known.

Yeah, Dan and/or Tanja, and gives a reference.

Yes, okay. So in fact in this case there is not an easier problem that you cannot solve.

Yeah, yeah, thanks for that. Luckily we had the right people in the audience. Thank you. Thanks very much. Thanks Dan and/or Tanja. Great, thanks for the question.

Okay, so one reason I'm giving this talk is that I want number theorists to be... well, let me, looking at this slide: for a cryptosystem whose security is based on the presumed difficulty of a number theory problem, we would have a lot more confidence, I think, in the security if the right people actually looked at the question. So we don't want to be in a situation where security relies on the assumption that the right mathematicians haven't looked at the problem. So at some point the number theory community should be looking at these so-called hard problems on which these systems rely, because a lot of them are number theory problems, and preferably before these cryptosystems are deployed in the real world, for example to secure our bank accounts or run medical devices or things on which our lives might depend. So I've been running a number of conferences designed to bring computer scientists and mathematicians together to try to solve cryptography problems, and usually my goal is to encourage them to work together peaceably, and my advice to mathematicians is: immerse yourself in the cryptographic community, so especially read cryptography papers, go to cryptography conferences and talk to cryptographers. But the more I do this, the more I realize that there's something else that I really should be keeping in mind, and maybe I'll give us a reminder that cryptographic security is essentially an adversarial situation. So if the attackers and the people who are building the systems are too close, there can maybe be less incentive to seriously attack something, either because you don't want to attack your friends, because there's peer pressure not to attack somebody else's baby, or maybe you can't even get it published because of friends of the person whose baby it is who doesn't want their system attacked. So you might actually want to have separate venues for mathematicians and computer scientists, or for attacks and for building systems, because there are different pressures involved there that may be important to keep in mind. But I do worry that some of what's being built is only secure because the right people haven't looked at it. And so that's one reason I wanted to advertise in this community, the number theory community, that there's all this stuff going on out there where people are saying this is secure, and then maybe after 10 years they say, well, nobody's broken it yet, and I always raise my hand and say, but that's because the right people haven't looked at it. Have you sent it to so-and-so? Have you tried this or that?

So one thing I'd like to do for the remainder of the talk is ask the community to maybe use the pandemic as an opportunity: an opportunity to maybe reevaluate our priorities, improve what needs to be changed, and probably also change some of the incentives. So last year I was asked to give a keynote talk at Eurocrypt, which was supposed to be in Zagreb, although I ended up giving the talk online, but I was also asked to write something up. So what I wrote in February of 2020 for the article associated with the talk, one of the things I said was: many of the impediments to making full use of mathematics to solve cryptographic questions are social rather than technical. Cultural differences between the fields can lead to obstacles and misunderstandings that delay the progress of science. And I said that in the talk I plan to attempt to share some thoughts and ideas for how to move forward in constructive ways. I hope that the suggestions that I give would also have wider applicability, maybe to our daily lives, and that my more general goals come from a sense that we live in dangerous times: communication between people is breaking down, norms for social behavior are changing, the value systems on which we base our decisions and our lives are being called into question, and we sometimes wonder whether it makes sense to continue working as before when the problems of the world seem so weighty. And so, in an effort to act locally while thinking globally, what I planned to do in that talk and what I plan to do in this talk is to give some suggestions that I hope would not only help the cryptography and math communities to work together but maybe be more useful generally in working with others and in communicating across cultures.

So what I wanted to do was encourage us to maybe reset, think about where we should go from here. I know that the organizers of this seminar are thinking about, well, there are a lot of good things about having online seminars; how can we keep those after the pandemic, if there is an end to the pandemic? What should we keep going? Do we want to continue to have such things? And I also wanted to maybe give some advice in the talk, but it's really important, I thought, to point out, as Lewis Carroll said about a different Alice: she generally gave herself very good advice, though she very seldom followed it. So I'm not claiming that I'm any good at following my own advice. I make lots of mistakes, and I'm hoping that what I learned from my own mistakes is going to help some people in the audience to not make quite so many. So "getting it right": what do I mean? So what's going on in this slide? Well, people remember stories, and so what I'm going to do is to tell you a few stories, and this slide is to remind me of a story. Some of you may be old enough to recognize some of these things. I first learned about computers in the 1970s when I cross-registered for a course at MIT where I learned Fortran using punch cards. So that's what you see on the left; for those of you who haven't seen these things, I should maybe point out.
This slide is very much not to scale, but the punch machine is on the lower left, and I don't even remember anymore where the cards went in; you punch them and then they come out. But after I took that course, I took Harvard's introductory computer course, and that's what this is reminding me of on the right, where among other things I learned to program the PDP-8 and the PDP-11 in machine language and assembly language. And I still have my great PDP-11 programming card, because I knew how useful that would be someday, which of course is nonsense; I've never used this. I guess I was wondering how much you could sell this for on eBay. I still have my nifty PDP-11 programming card, and I actually looked it up, and somebody was asking five thousand dollars for their PDP-11 programming card. So the moral of the story is: never throw anything out.

Okay, but was this course in the end totally useless for me? Well, no, because one thing I learned was that I didn't want to be a computer scientist, and another thing was that I learned how computer scientists were being trained at the time. So for example, some of the quizzes consisted of the following. We were told: write a short program in 10 minutes, where you're allowed to make some large number of mistakes; I don't remember whether it was like seven or eight mistakes in like a 10-line program. And I thought this was totally unreasonable, because for one thing, the way I would do this is I would sit down for 10 minutes, figure out the right way to do the program, and then I could very quickly code it up, maybe in two minutes. But if you're doing the arithmetic, that's 12 minutes, and it's pencils down after 10 minutes, and you get zero points if you do it that way. And I didn't like getting zero points.
So I thought this was terribly unfair, and I also didn't see the point in writing a computer program with mistakes. Computers, if anything, are where things should be right. If you're going to have a medical device on which your life depends, the fact that it works most of the time... well, I have very bad luck; I knew I was going to be the time that it didn't work. So a computer program, it seemed to me, should be 100% correct. It's not just, let's feed in a bunch of values, and if nine tenths of the time it works, we'll give the person an A. And the homework assignments worked the same way: you'd have to write some big program; the other students would spend half an hour writing the program and 17 hours debugging. I could sit down, think for an hour, come up with the right way to do it, spend half an hour coding, and much less time debugging. But that wasn't what they were being trained to do. So there was a whole generation of computer programmers who, in my view, were being taught to not care if it's right as long as it's close enough.

So one reason I became a mathematician is that mathematicians care if it's right. And this is something I'm reminded of almost every day now. The University of California: anyone who's had any financial dealings with the University of California, even if you don't work there, if you gave a talk there and you had to give your Social Security number or your bank account information in order to get paid an honorarium by the University of California, your personal and banking information is now for sale on the dark web, thanks to a recent data breach. And my university directed us to a video in which the head of cybersecurity at UCSD said he had accumulated more than a decade of free credit monitoring because his own personal data had been breached so many times, mostly because he did a lot of work for the federal government. So if you stop and think about that, that's not so good. That's not how things should be.

And as I was preparing the talk, there's more and more stuff going on. So there's the Colonial Pipeline, the reason some people couldn't fill their cars with gas on the East Coast. This article says that there was actually an audit three years ago that found atrocious information management practices, a patchwork of poorly secured systems. And, I don't know if you can read the bottom of the slide, the author of the audit told the Associated Press, and I quote here, "I mean, an eighth grader could have hacked into that system."

And I'm reminded of this computer course that I took as an undergrad, and the idea that fast and dirty is better than slow and careful, when I think of the issue of publishing in competitive conference proceedings versus publishing in journals. And this, in the past, was a big difference between computer science and mathematics.
So the math community, I'm concerned, has started to borrow this idea of deadlines and page limits from the computer science community. And I wanted to say that I'm not convinced that research that gets done under tight deadlines and page limits, with short time windows for referees, is better for society than research that is done carefully and correctly, that referees have time to check, with some back and forth between referees and authors. So I think it's important to get things right, and I think it's better for science and for the profession if published papers are polished and correct and the literature is reliable. And I'm concerned that we're moving away from that. I think if you want people to trust scientists, the scientists had better be doing the right thing.

But I will say, on the other hand, the math community does need to get its act together. So when the authors supply camera-ready copy for an accepted paper and it takes three years to get the page proofs for it, it's not clear why it should take three years to put something online when you have camera-ready copy. And I'm talking about the Memoirs of the AMS, for example. So if we were to look for how these problems should be solved, you might say, well, the AMS should be thinking about this; this is a big solution. Can we get fast publication with correct, well-written papers? Can we have the best of all worlds? But I'm wondering whether the AMS is maybe getting too large to solve some of these problems. We might want to try some of them on a more local level, for example in the community of number theorists. And I will say the journal Algebra & Number Theory does seem to be much faster, and I'm wondering if that would be a good model for how to do publishing right. Maybe people who know more about that can say more.

And we also want to change the reward system. So this is going back to what I meant about incentives: change the reward system
so that good editing and refereeing are appropriately rewarded. So for example, maybe we should have awards for good referees, so people could put this on their CV and say, "I won an award for top 10 referees for the journal Algebra & Number Theory."

And another way in which we shouldn't necessarily be emulating the computer scientists, or maybe for that matter scientists in general, is in the hype. So again, we want people to trust us; we have to earn that trust. So I served on a campus-wide committee, one of whose points, maybe the main point, was to ensure fairness in evaluating faculty across the campus, and I was amazed at the level of hype and, in some cases, actually downright dishonesty, where bad behavior would get rewarded and people who do the right thing would be punished. So you need to change the incentives and incentivize people to be honest. And this is something funding agencies, and I'm guessing there may be some people from funding agencies in the audience, and universities should think about and solve. But mathematicians, I think, have a useful role to play, because we understand true and false and what constitutes proof and what doesn't.

So I'm also a great believer in using experts. So I think I was told there are some students and postdocs in the audience, but I think this is also probably actually for everyone: send preprints to the experts for their feedback before making them public. If you have a question that you need to know the answer to, and you've tried your hardest to solve it and can't, ask the experts. And if there's a problem that needs to be solved, and this was part of the idea of having conferences to solve problems in cryptography, get the experts involved; find out who the right people are who should be solving this. So I'm not saying people should believe the experts; you should always verify things for yourself.
I'm saying you should spend more time listening to people who know what they're talking about rather than people who don't. So maybe to give you a story, an example: a number theorist I know created a cryptosystem that turned out to be weak, and I asked him whether he had thought about running it past Don Coppersmith before publishing it. This was many years ago. And he replied, "Well, why would I do that? He just would have broken it." So I worry that the desire or the need to get a paper published is distorting some of our values.

And maybe on a lighter note, someone recently wrote on Facebook that he didn't understand the meaning of a phrase in a paper that a certain mathematician had published many years ago. And I was going to reply, "Well, why don't you just ask him what he meant?" But rather than getting into a discussion about why he didn't do that, I decided it would be more fun and more efficient to just email the author myself and say, "What did you mean by this phrase?"
And this led to a very delightful email exchange with this famous mathematician. So my advice is: be curious and open to opportunities. I think especially during the pandemic, any good excuse to contact someone and see how they're doing during the pandemic can actually be a good thing to do. But of course, do your homework first. Don't ask a question that you could have answered on your own; you don't want to waste anybody else's time.

But I'll point out, just because I think it's a timely thing, I often see people who have knowledge, expertise, or experience who are passed over in favor of people with less knowledge, experience, and expertise. If you look at Facebook, you see people talking about all sorts of things they know nothing about, and I know I'm not the only one who finds it frustrating when people don't listen to me and choose instead to listen to people with less experience or expertise.

So, communication. I want to emphasize the importance of listening. If you're curious, you'll talk less and listen more. You learn a lot more by listening than by talking. This is, in some sense, one of the most important pieces of advice I can give people nowadays. So listen more. If you want to know something, ask questions; listen carefully to the answers. So be curious. Listen to others; listen to different points of view.

So maybe I'll tell another story. One nice thing about cryptography is that you get to name cryptosystems in memory of your cat. So here's my cat Ceilidh, and if you have a cat whose last name ends with DH, obviously it's asking for a cryptosystem to be named after it. So: Compact, Efficient, Improves on LUC, Improves on Diffie-Hellman. That's what CEILIDH stands for. And there's Ceilidh. Now, I was surprised to learn that some cryptographers refer to it as the dead cat cryptosystem.
I'm sure no one here will ever do that. It's also my most widely seen work, since this episode of Numb3rs in which you can see Ceilidh on the blackboard and the equations for the cryptosystem all around it. I think that was viewed by over 12 million people.

But so what's the story? So a computer scientist wanted to implement the CEILIDH cryptosystem, and he claimed he was a really good person to do that, that he was the right expert. So CEILIDH uses finite fields with q^6 elements, where q is a large prime power. Thank you, Drew, for putting the link in the chat. So I asked him about his mathematical background, and he told me he had a very strong background in algebra and number theory. But eventually he told me that the CEILIDH algorithm had to be wrong, and we talked for a while, and we kept going in circles. And finally I asked him, "Okay, the finite field with four elements, tell me what you know about that." And it became clear that he thought that the finite field with four elements was the same as the integers modulo four. He didn't realize the integers modulo four is not a field.

So one thing I want to say is: clear communication is important, especially with people in a different field or a different culture. So if I ask, what did I learn from this? What should I have done differently? Probably I should have listened more carefully. I shouldn't have tried to read his mind or assume that I knew what he meant when he said he had a certain type of background, rather than just going on about finite fields assuming he understood. I shouldn't have been annoyed with him; I'll get to a slide that says "be curious, not furious." I think this is maybe an appropriate time to mention that. And also, he wasn't the person with the right expertise and probably shouldn't have been implementing CEILIDH. But I probably should have been more curious and open to opportunities. Here's my slide: be curious and not furious.
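The finite-field point in the story, worked out in Python as an added illustration (this is not code from the talk or from CEILIDH): the integers modulo 4 fail to be a field because the residue 2 has no multiplicative inverse (2·2 ≡ 0), while the field with four elements, built as F_2[x]/(x^2 + x + 1), gives every nonzero element an inverse.

```python
# Added example (not part of the talk): Z/4Z versus GF(4).
# The same quotient-ring construction, with a degree-6 irreducible polynomial
# over F_q, produces the fields with q^6 elements that CEILIDH works in.


def zn_is_field(n: int) -> bool:
    """Z/nZ is a field iff every nonzero residue has a multiplicative inverse."""
    return all(any((a * b) % n == 1 for b in range(1, n)) for a in range(1, n))


def zn_zero_divisors(n: int):
    """Pairs of nonzero residues whose product is 0 mod n; a field has none."""
    return [(a, b) for a in range(1, n) for b in range(1, n) if (a * b) % n == 0]


# GF(4) = F_2[x] / (x^2 + x + 1).  Elements are polynomials of degree < 2 with
# coefficients in F_2, stored as 2-bit integers: bit 0 = constant, bit 1 = x.
# So 0 -> 0, 1 -> 1, 2 -> x, 3 -> x + 1.
GF4_MODULUS = 0b111  # x^2 + x + 1, the unique irreducible quadratic over F_2


def gf4_add(a: int, b: int) -> int:
    """Addition is coefficient-wise mod 2, i.e. XOR."""
    return a ^ b


def gf4_mul(a: int, b: int) -> int:
    """Carry-less (polynomial) multiplication, then reduce with x^2 = x + 1."""
    prod = 0
    for i in range(2):
        if (b >> i) & 1:
            prod ^= a << i          # add a * x^i
    if prod & 0b100:                # degree-2 term present
        prod ^= GF4_MODULUS         # subtract x^2 + x + 1 (same as add mod 2)
    return prod


def gf4_inverse(a: int):
    """Brute-force inverse in GF(4); None only for 0."""
    for b in range(1, 4):
        if gf4_mul(a, b) == 1:
            return b
    return None


def gf4_is_field() -> bool:
    """Every nonzero element of GF(4) must have an inverse."""
    return all(gf4_inverse(a) is not None for a in range(1, 4))


def gf4_multiplication_table():
    """Rows/columns indexed by the 2-bit encoding above."""
    return [[gf4_mul(a, b) for b in range(4)] for a in range(4)]


if __name__ == "__main__":
    print("Z/4Z is a field:", zn_is_field(4), "zero divisors:", zn_zero_divisors(4))
    print("GF(4) is a field:", gf4_is_field())
    for row in gf4_multiplication_table():
        print(row)
```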
I think I should give credit where credit is due. There's a marvelous book by Dorothie Hellman and Martin Hellman, the same Hellman of Diffie-Hellman, about how to solve all the problems of the world by being... well, actually, the phrase they use was "get curious, not furious." And that's actually a really useful piece of advice. It's important to give credit in the right place, and this is who I credit with that brilliant idea, and I suggest that everybody read their book about relationships. It did improve their marriage; it will bring about world peace; and it's actually a very good book.

Okay, so in terms of communicating. After observing conflicts for a while, both inside the cryptology community and also in the number theory community and elsewhere, I realized that a lot of the conflicts that I had been seeing over the years come from failures of communication, especially in thinking that you can read somebody else's mind.

And maybe I'll give one more story. A number theorist was telling a number of people that he had found a mistake in a theorem in a certain number theory book. So now all the people in the audience who wrote number theory books are cringing, because they don't know if I'm talking about their book. And I asked, did you tell the author, in case the author was compiling errata? And he said no, he wouldn't react well to my telling him about a mistake in his book; people take that personally. And I replied that from what I knew of this author, I didn't think that would be the case, but in any case I thought he had a professional obligation to tell the author. It's not his job to read minds. And if I remember correctly, he did eventually contact the author, and he told me that it did go okay; he took it well. But even if the author had behaved unprofessionally, there's still a professional obligation to inform him.

Okay, I think I'm running out of time.
So I'm going to very briefly say, for the sake of the environment and to build community, I was wondering whether we should have, and this is maybe something we could discuss in the Q&A, fewer conferences, and instead make better use of long-term programs. I found a great sense of community in semester-long programs at research institutes, and they can have week-long workshops in them that would bring people who can't come for the whole semester. But I think it's a good way to build community, which I think is an important thing to do right now, given the state of the world that we live in.

And I do want to get to this slide, which, if I had to put together all the advice I've given people over the years that I wish they'd remember... if I look at what goes wrong, I can say, well, they didn't follow one of the things on this list. So mostly the thing to remember is two words: behave professionally. Ask yourself: is this professional? Is this ethical? Is this legal? Ghosting and bailing are not professional behavior; that's something to remember. For example, put in place good and transparent practices and policies, and hold people accountable. So I'm a great believer in transparency and accountability. Train people in the best ways to referee papers, and in hiring and promotion, admitting students, and teaching. And make the rules of the game clear. Don't change the rules in the middle of the game, and ensure everyone has an equal opportunity to play the game and win. An example would be in hiring, where there are often secret rules. There's an inner circle that knows the rules, and they know which rules they can break and get away with, and the inner circle has an advantage. So in hiring, there are the secret criteria and the real criteria for the job, and there's the one that you make public, and they should be the same.

Okay, and I'm definitely running out of time.
So I'll just remind you that we're all in the same boat. It's a small world; we depend on each other. And I really like pictures of boats. And this phrasing is due to Shahed Sharif, again giving credit where credit is due: kindness as a superpower. So right now, I know there are a lot of people in our community suffering from the pandemic. I've heard from students and postdocs and untenured faculty, and I know people with children have been very hard hit, and people at high risk for COVID because of age and medical reasons. Given the stress everyone is under, it's especially important to be kind. And if I want any time for questions, I think I'd better stop there. So this is the time for you to ask me some questions.