A security podcast is hosted by Professor William (Bill) Buchanan OBE, a world-renowned Information security professional and educator. Join Bill as he interviews and discusses the state-of-the-art with esteemed guests from all corners of the security industry. From cryptologists to technologists, each guest shares a wealth of experience and knowledge.
Vinod is a professor of computer science at MIT and a principal investigator in the IT Computer Science and AI Lab. He completed his Bachelor's degree from the Indian Institute of Technology Madras in 2003, and his PhD in 2009 from MIT. His main supervisor was Shafi Goldwasser. Vinod is seen as a world leader in the area of cryptography, especially within fully homomorphic encryption. He has co-authored many classic papers and which are seen as third generation of homomorphic encryption, including on "Trapdoors for hard lattices and new cryptographic constructions", and "Fully homomorphic encryption over integers". In 2022, he was a co-recipient of the Godel (Gurden) Prize. Vinod is also the co-founder and chief cryptographer at Duality Technologies.
Srini Devadas an Edwin Sibley Webster Professor of Electrical Engineering and Computer Science at MIT in the Computer Science and Artificial Intelligence Laboratory (CSAIL). His current research interests are in applied cryptography, computer security and computer architecture. Srini was awarded an a master's and a PhD degree in electrical engineering from the University of California at Berkeley - under the supervision of Arthur Richard Newton. He was an inventor of Physical Unclonable Functions (PUFs), and, In 2014, he received the IEEE Computer Society's Edward J. McCluskey Technical Achievement Award for the invention of PUFs and secure single-chip processor architectures. In 2018, Srini received the IEEE Circuits and Systems Society Charles A. Desoer Technical Achievement Award for the development of PUFs and enabling the deployment of secure circuits, processors and systems. In 2021, he received the IEEE Cybersecurity Award for Practice for the development of PUF, and the ACM SIGSAC Outstanding Innovation Award for fundamental contributions to secure microprocessors, circuits, and systems. In 2016, Srini won the Everett Moore Baker Memorial Award for Excellence in Undergraduate Teaching, Also, in 2016, he was named a MacVicar Faculty Fellow considered MIT's highest undergraduate teaching award.
Don Smith leads the CTU Threat Research group at Secureworks. His career starting with the creation of dns in 2005, and which was acquired by SecureWorks in 2009. He has extensive knowledge in cybersecurity and is seen as a world-leader in the field. Don is also the industry co-chair of the Strategic Cyber Industry Group in the National Cybercrime Unit at the UK National Crime Agency and a member of the UK National Cyber Advisory Board. He is also the co-chair of the Cyber League at the NCSC.
Jonathan was a professor in the Department of Computer Science at the University of Maryland. He is now a Senior Staff Research Scientist at Google, with a core focus on cryptography and cybersecurity. Jonathan received his BS degree in mathematics and chemistry from MIT in 1996, and, in 2002, completed a PhD in computer science from Columbia University. He wrote a classic textbook on cryptography, and which is in its 3rd edition. Jonathon also has an online course on Coursera and has given tutorials of various forms on different topics to multiple kinds of audiences.
Maciej Zurawski is technology entrepreneur and blockchain specialist with over 25 years of experience in commercial software development, R&D and business leadership. He is currently the CEO at Redeem Technologies, and serves as the Executive Director of Blockchain Scotland - the principal industry association advancing commercial blockchain adoption across Scotland. His expertise spans enterprise software architecture, artificial intelligence and decentralised systems, complemented by a doctorate in AI. Maciej regularly advises government bodies and financial institutions on blockchain implementation and digital transformation strategy.
Greg McLardie has 30 years of executive experience in the USA, Australia, Japan, China and now the UK with the likes of Procter & Gamble and EY. He co-created Two Hands and has been operating for over 5 years in Australia and China, with Forbes Magazine publishing a three-page feature on its unique blockchain application in the food industry. With strong traction internationally, Two Hands has established a company and transferred global IP to the UK to attract investment to scale its impact into the UK, EU and beyond.
Moti is a Security and Privacy Research Scientist with Google and an Adjunct Research Faculty member at the Computer Science Dep of Columbia University. He received his PhD from Columbia University in 1988. In 2010 he gave the IACR Distinguished Lecture and has also been the recipient of the 2014 ACM's SIGSAC Outstanding Innovation award, the 2014 ESORICS (European Symposium on Research in Computer Security) Outstanding Research award, an IBM Outstanding Innovation award, a Google OC award, and a Google founders' award. Moti has also received three test of time awards, including in 2024 for his 1998 paper On the Security of ElGamal Based Encryption, and in 2020 for his 1996 paper Cryptovirology: extortion-based security threats and countermeasures. In 2021, Moti received the Women of the ENIAC Computer Pioneer Award. Overall, his main research focus areas in Security, Privacy, and Cryptography.
Jamie is the CTO at Umazi, the Head of Research at DataFair.ai and co-founder and CEO of Tunestamp.
Aggelos Kiayias is a professor at the University of Edinburgh and the chief science officer at Input Output Global (formerly IOHK). He received his PhD in 2002 from City University of New York. He is chair in cyber security and privacy, and director of the Blockchain Technology Laboratory at the University of Edinburgh. In 2021, Aggelos was elected Fellow of the Royal Society of Edinburgh (FRSE), and was recently awarded the BCS Lovelace Medal 2024 for his transformative contributions to the theory and practice of cyber security and cryptography. H works in areas of blockchain technology and distributed systems, cryptography, e-voting and secure multiparty protocols, as well as privacy-enhanced identity management.
Anna is a Professor of Computer Science at Brown University. Her research spans many areas of advanced cryptography including with digital signatures, group signatures, blind signatures, e-cash and anonymous digital credentials. She was originally from Ukraine, and undertook her masters degree at MIT in 1999, and then went onto a PhD in 2002 in the areas of Signature Schemes and Applications to Cryptographic Protocol Design. She joined Brown University in 2002, and was made a full professor in 2013. She is a member of the board of directors at the IACR, along with serving on Scientific Advisory Board for the Board of Directors of the Electronic Privacy Information Center (EPIC). In 2024, she was awarded the Levchin Prize for a contribution entitled "For the Development of Anonymous Credentials".
The fallback for law enforcement agencies has always been the place where files are stored, and all the best encryption within end-to-end communications will not stop unencrypted files at rest from being examined. But when the user encrypts data into the Cloud and where they hold their own keys, that's when the nightmare begins for them. The rise of cybersecurity on the Internet Let's pinpoint the start of cybersecurity on the Internet to the 1970s. This saw the rise of the Lucifer cipher and saw banks properly protect their communications. This led to the 56-bit DES encryption method, and which led many to suspect that the size of the key had been crippled due to the demands of law enforcement agencies. But, there was an even greater threat to these agencies evolving: public key encryption. The rise of public key encryption started in the mid-1970s when Whitfield Diffie and Marty Hellman first defined a method that allowed us to secure our communications using a key exchange method — the Diffie-Hellman key exchange method. And then, almost a year later, Rivest, Shamir and Adleman presented a way to digitally sign a hash of data with the RSA signature method, and where a server could sign a hash of data with its private key and for this to be verified with an associated public key. For almost the first time, we could digitally verify that we were connecting to a valid system. But, the RSA method could not only sign data, it could also encrypt things with a public key, and where the private key could now be used to decrypt the data. It was a nightmare come true for law enforcement agencies. What was magical about these methods was that you could encrypt data with keys that could be created for every single session — and generated and stored on user devices. User devices could even pick the keys that they wanted and their sizes and security levels. The days of security being crippled were fading fast. While the first versions of SSL were crippled by the demands for limits on this security, eventually, SSL evolved into something that could not be controlled. But, still files could still be viewed on user devices, so it was not a major problem for investigators. Then, in 2001, the AES method was standardized by NIST, along with the newly defined SHA-256 hashing method, and we basically had all the security methods in place. But all of this did not please law enforcement agencies. For them, the rise of cryptography removed the opportunities that they had had in the past and where they could mass harvest information from phone calls or from the postal service. For the first time in history, citizens were free from spying from both those who protect nations and those who attack citizens. The Wild West years of the early Internet — and where little could be trusted — have subsided, and now we have systems which take encryption from one service on a device to another service on another device — end-to-end encryption. End-to-end encryption For some, end-to-end encryption was the final nail in the coffin for those who wish to monitor the tracks of citizens. This is data in motion, and where law enforcement agencies could still peak at data at rest and where the data is actually stored. Once data in motion and data at rest were encrypted, the door was effectively closed for peaking at data. And, so, companies such as Apple advanced new methods which protected data at rest, and where all of a citizen's data could be encrypted onto the Cloud without Apple having the encryption key to view any part of it. For this, they created the Advanced Data Protection service: This service protects things like citizens' photos, iCloud Drive, and wallet passes. For almost the first time, we had almost perfect security — and where five decades of advancement were finally coming together. We now have end-to-end encryption in apps such as What's App and Signal, and Apple provides secure data storage. But, some governments around the world saw the rise of privacy as a threat to their security agencies, and where the usage of encryption with file storage and over-the-air would mean that they could not monitor their citizens for threats against society. It is — and always will be — a lose-lose store on both sides. And, so, many governments have been calling for a back door in cryptography so that a “good guy” could get access to the citizen data and communication, but not a “bad guy”. Unfortunately, that's not the way that encryption works, and where backdoors are a bad thing and difficult to hide. So, the UK government has put pressure on Apple to provide them with a backdoor into their secure systems. For this, Apple would have to either provide them with a magic key to open up encrypted communications and file store, or dump their Advanced Data Protection system, and leave files unencrypted for investigation. Apple stepping back It would have been a difficult choice for Apple, but they have decided to drop their Advanced Data Protection system for UK users, and not go with the nightmare of a backdoor in their systems. Imagine if a terrorist had stored their files in iCloud, and law enforcement agencies had requested these files. Well, Apple would have to hold their hands up and say that they didn't have the encryption files to access them, as the encryption keys were held by the user. I trust Apple and believe they have some of the best security around. When was the last time you heard of someone getting some malware on an Apple system? They support a proper secure enclave and are advancing a privacy-aware cloud infrastructure for machine learning. They have also brought forward homomorphic encryption applications. Of all the big tech companies, Apple leads the way in terms of supporting the privacy and the security of users. Conclusions I feel sorry for Apple, as they have been painted into a corner. From a cybersecurity point-of-view, it is disappointing that Apple has been forced to step back on the Advanced Data Protection tool, as it was a great advancement in overcoming large-scale data breaches. And, like it or not, there is no magic wand that stops a bad actor from using something that a good actor has access to. Basically, if you leave your front door key under the mat, you have no guarantee that someone else will find the key and use it. We have advanced cybersecurity for the past few decades and now use end-to-end encryption in a way we should have done from the start of the Internet. Of course, there are no winners in this, and society must find ways to protect itself from bad people, but opening up the whole of iCloud seems like a disaster waiting to happen. The door is open for other more agile companies to support enhanced security and privacy, as the large tech companies seem to be applying the brake on some of their security advancements.
YouTube: https://youtu.be/hcdk3u2R5Mo Yesterday, I gave two short presentations on PQC (Post Quantum Cryptography), and next week, I'm in London to give a more focused talk on the subject. And so, it's great to see that Samsung is driving forward the adoption of PQC methods in their new S25 smartphone. There are two companies that have a core focus on creating trusted hardware for consumers: Apple and Samsung. Apple has always had a core focus on making sure they use the best cryptography to not only secure their devices but also to make them privacy-aware. Samsung, too, has strived for improved security but, at times, has made a few slip-ups along the way, but always patched around them. Now, Samsung Electronics has integrated PQC into their Galaxy S25 series of devices. The need for this is that NIST will deprecate all our existing public key methods in 2030, including: RSA for public key encryption; RSA, ECDSA and EdDSA for signatures; and ECDH for key exchange. NIST will then remove them in 2035 from the NIST FIPS 140 standard. Given that a smartphone will have a life of at least five years, it makes sense to build the hardware to support the migration. Along with this, we see the rise of “harvest now, decrypt later” threats, where network traffic could be captured now and then decrypted sometime in the future. The main integration at the current time involved ML-KEM (FIPS 203, aka Kyber) and ML-DSA (FIPS 204, aka Dilithium). With ML-KEM we replace key exchange and public key encryption methods, while ML-DSA provides us with digital signing: These methods will be the Samsung Knox Matrix for enhanced data protection — this includes end-to-encryption for back-ups and the recovery of data from the Samsung Cloud. Overall, Samsung devices, like Apple hardware, have a secure enclave to store private and secret keys, and where not even Samsung can get access to them. The usage of PQC will mean that Samsung devices will be able to communicate with other devices in the future and which are using PQC methods. This ensures not only current compatibility but also future compatibility. An important advancement of the industry is that Samsung will support PQC methods for their backup system to their Cloud. Conclusions Of course, the integration will not force applications and services to use PQC, and in most cases, it will still use our traditional methods, as devices that it connects to must support PQC. Thus, we will see a migration towards PQC, rather than a hard switch-over. In cryptography, this is often the case, as we can typically negotiate the cryptography methods that are used in the secure transmission or storage of data. Once all the required services and applications support PQC, our existing public key methods will likely be switched off.
Aysegul Sensoy has over 20 years of management experience with blockchain, emerging technologies, fintech, business development, marketing and sales. She is currently the chair of the Istanbul Blockchain Women Association and CIS Regional Manager of Fuze Finance. She received her bachelor's degree in economics from Istanbul University and her master's degree in marketing communications management from Galatasaray University, as well as getting an executive MBA. She entered the tech sector after working in national and multinational companies as a marketing director, country manager, and many other roles. Aysegul is CIS (Commonwealth of Independent States) regional manager of Fuze Finance, an Abu Dhabi-based licensed fintech providing embedded digital asset capabilities for financial institutions. She was the Chief Strategy and Marketing Officer at XYZ Teknoloji, a blockchain-focused FinTech company based in Istanbul. Aysegul is a chairwoman and founding member of Istanbul Blockchain Woman, a non-profit association dedicated to empowering women in the blockchain ecosystem. The community's purpose is to organise social responsibility projects that will provide women with positive discrimination in terms of technology and blockchain. She is also a co-founder of the SOS Chain initiative, partners with needsmap.coop, which is a blockchain infrastructure fund for disasters and rapid humanitarian crises worldwide. Aysegul is leading the Euthenia community in Turkey, which is a Madrid-based organization aiming to increase C-level gender equity both in the Mediterranean and the MENA countries. She is also the co-founder of FairShare which aims to serve a transparent dApp, allows Muslim faithful to make their Zakat contributions crypto assets. More details on IBW: https://istanbulblockchainwomen.org/homepage/ If you are interested in the Trust4Futures Deep Skills Development course, you can find out more information here: https://trust4futures.com
Amit is a professor of computer science at UCLA and is the director of the Center for Encrypted Functionalities. Amit has been cited in his research work over 63,000 times and has an h-index of 91. In 2000, he graduated with a PhD from MIT and then moved to Princeton. In 2004, he then moved to UCLA. Over the years, he has made so many great advancements, including being the co-inventor of many areas of cryptography, including indistinguishability obfuscation schemes, functional encryption, attribute-based encryption, Zero-Knowledge Proofs and Multiparty Computation. In 2018, he was elected as an ACM Fellow for his work for the "contributions to cryptography and to the development of indistinguishability obfuscation", and elected as a Fellow of the International Association for Cryptologic Research for "fundamental contributions, including to secure computation, zero knowledge, and functional encryption, and for service to the IACR". In 2023, Amit received the Test of Time Award from the International Association for Cryptologic Research for his 2008 paper "Efficient Non-interactive Proof Systems for Bilinear Groups". Then, in 2022, he received the Michael and Sheila Held Prize from the National Academy of Sciences and which credits outstanding, innovative, creative, and influential research in the areas of combinatorial and discrete optimisation. And, in teaching, in 2016, he won the UCLA Samueli's Lockheed Martin Excellence in Teaching Award.
Bart is a Professor in the Electrical Engineering department at KU Leuven in Belgium. He co-invented the Miyaguchi (Meya-Goochy)–Preneel scheme and which converts a block cipher into a hash function. Bart is also one of the co-inventors of the RIPEMD-160 hashing method, and which is used in Bitcoin addresses. He also co-designed the stream ciphers MUGI and Trivium, the MAC Algorithms Chaskey and MDxMAC and the authenticated encryption algorithm AEGIS that is used to encryption of data at rest ion Google cloud. Bart was the President of the International Association for Cryptologic Research (IACR) from 2008 to 2013 and one of his hobbies is conducting the University of Leuven Bigband and playing saxophone in a Dixieland band.Bart consults for industry and government on cybersecurity and privacy. He founded the mobile authentication startup nextAuth and holds roles in Approach Belgium, Tioga Capital Partners, and Nym Technologies. During the pandemic he co-designed the DP-3T scheme for privacy-friendly contact tracing and managed the Belgian Coronalert app. Actively engaged in cybersecurity policy, he contributes to ENISA as an Advisory Group member for the EU.
Ivan Damgard is a professor in the Department of Computer Science at Aarhus University in Denmark. He is the co-inventor of the Merkle-Damgard construction, and which was used in MD5, SHA-1 and SHA-2. In 2020, he received the Test of Time Award for a paper entitled "A Generalisation, a Simplification and Some Applications of Paillier's Probabilistic Public-Key System", and in 2021 he received an ACM award for the Test of Time for a paper entitled "Multiparty unconditionally secure protocols. In 2010, he was elected as a Fellow of the International Association for Cryptologic Research. Ivan has also co-founded two cryptography companies: Cryptomathic and Partisia. Web: here. Video: here.
Chris is a Professor in the Computer Science and Engineering department at the University of Michigan. He completed his PhD in 2006 at the MIT Computer Science and AI Laboratory under the mentorship of Silvio Micali. He received a Test of Time award at Crypto 2008 for a paper entitled "A Framework for Efficient and Composable Oblivious Transfer" and also a TCC Test of Time award for his paper on “Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices,” in 2006. In 2024, Chris was elected as a Fellow of the International Association for Cryptologic Research and is seen as one of the world leaders in lattice-based methods.
Clifford Cocks is a British mathematician and cryptographer. While working at GCHQ, he invented public key encryption, and which predates the work of the RSA and Diffie-Hellman methods. He studied mathematics as an undergraduate at Kings College, Cambridge, and then joined the Communications-Electronics Security Group (CESG) at GCHQ in 1973. After his discovery of a usable public key encryption method, he went on to create one of the first Identity-Based Encryption methods and which is based on quadratic residues rather than bilinear pairings. In 2008, he was made a Companion of the Order of the Bath (CB). Then, in 2010, he and James Ellis and Malcolm Williamson were honoured by the IEEE for their part in the development of public key encryption. In 2015, he was elected as a Fellow of the Royal Society, and, in the same year, he received an honorary PhD from the University of Birmingham. Then, in 2021, Clifford was inducted into the Cryptologic Hall of Honour. Read more: https://medium.com/asecuritysite-when-bob-met-alice/so-who-invented-public-key-encryption-213ceef7759
Bill Buchanan Chats With Debbie Reynolds (The Data Diva). Debbie's podcast is here: https://www.debbiereynoldsconsulting.com/podcast
Vadim Lyubashevsky is a cryptographer at IBM Research Europe in Zurich. He received his PhD from the University of California, San Diego in 2008. His core research focus is around lattice-based methods, and especially in areas of practical lattice encryption, digital signatures and privacy-preserving primitives. Along with Chris Peiker and Oded Regev (the inventor of LWE), he published a classic paper entitled "On ideal lattices and learning with errors over rings", which has been used as a foundation for lattice methods within post-quantum cryptography. Vadim has worked in many areas of cryptography, including Zero Knowledge Proofs, Blind Signatures and Multiparty Computation. Google Scholar: https://scholar.google.com/citations?user=4H1u8swAAAAJ&hl=en&oi=ao
Alfred Menezes is a Professor at the University of Waterloo in Ontario. In 2001, he won the Hall Medal from the Institute of Combinatorics and its Applications. Alfred is the lead author of the Handbook of Applied Cryptography, and which has been cited over 25,000 times. He has published many high impact papers, especially in areas of public key encryption and elliptic curve cryptography, and was the co-inventor of the ECDSA signature method. His website for online courses is https://cryptography101.ca. The "Cryptography101: Building Blocks" and "Cryptography 101: Deployments" courses are lectures from the undergraduate "Applied Cryptography" that he has taught at Waterloo since 2000. The former includes a five-lecture introduction to elliptic curve cryptography. He also has a course on "Kyber and Dilithium", and soon an intro to "Lattice-based cryptography". Video recording: https://www.youtube.com/watch?v=l5GWFAewQ80
This seminar series runs for students on the Network Security and Cryptography module, but invites guests to participate. Bruce has created a wide range of cryptographic methods including Skein (hash function), Helix (stream cipher), Fortuna (random number generator), and Blowfish/Twofish/Threefish (block ciphers). Bruce has published 14 books, including best-sellers such as Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World. He has also published hundreds of articles, essays, and academic papers. Currently, Bruce is a fellow at the Berkman Center for Internet and Society at Harvard University.
Brent Waters is a Professor at the University of Texas at Austin and the Director of the Cryptography Lab at NTT Research. He graduated from the UCL in 2000, then completed a PhD at Princeton University in 2004. After this, he moved on to Stanford as a postdoc. Overall, Brent was the first to propose Attribute-based Encryption (ABE) and also the first to outline functional encryption. He was also awarded the Sloan Research Fellowship in 2010, and, in 2015, he was awarded the Grace Murray Hopper Award for his work on ABE and functional encryption. Brent's research has been cited over 68,700 times for his research work, and has provided a core foundation for cybersecurity to move towards methods that provide fine-grained data access.
Well, as if cybersecurity doesn't have enough acronyms. There's RIP, OSPF, TCP, IP, SSH, AES, and so many others. Now, there are three really important ones to remember: ML-KEM (Module Lattice-Based Key Encapsulation Mechanism), ML-DSA (Module Lattice-Based Signature Standard) and SLH-DSA (Stateless Hash-based Digital Signature Standard). ML-KEM is defined in the FIPS 203 standard, ML-DSA as FIPS 204, and for SLH-DSA, we have FIPS 205. https://medium.com/@billatnapier/get-used-to-three-boring-acronyms-ml-kem-ml-dsa-and-slh-dsa-0156b6ab82c5
The cybersecurity world is changing, and where the signature methods of RSA, ECDSA and EdDSA are likely to be replaced by FIPS 204 (aka ML-DSA Module-Lattice-Based Digital Signature Standard— Dilithium) and FIPS 205 (aka SLH-DSA (Stateless Hash-based Digital Signature Standard — SPHINCS+) https://medium.com/@billatnapier/so-what-is-a-prehash-and-what-has-it-to-do-with-post-quantum-signatures-bf7812cfa203
In cybersecurity, there are so many acronyms, and to be an expert, you really need to dig underneath the methods and understand how they work. One weak area of the industry is in the usage of MACs (Message Authentication Codes). With the public-key signing, we use a public key and a private key, where the private key will digitally sign a hash of the message, and where the public key is verified the signature. With a MAC, we use a shared symmetric key, and where Bob and Alice will share the same secret key (Figure 1). https://medium.com/@billatnapier/cmac-or-hmac-which-is-better-8e1861f744d0
Article: https://medium.com/asecuritysite-when-bob-met-alice/the-brainpool-curves-f2f865b88191
Article: https://medium.com/asecuritysite-when-bob-met-alice/our-current-hardware-architectures-are-often-not-fit-for-a-world-of-ml-and-homomorphic-encryption-1df5a4a45a4d
Article: https://billatnapier.medium.com/nist-looks-to-the-future-of-cryptography-sha-1-3des-and-sha-224-on-naughty-step-7295d03fdc54
Read more: https://medium.com/asecuritysite-when-bob-met-alice/goodbye-google-and-the-microsoft-and-openai-partnership-fraying-8c35e35cd814
Read more: https://medium.com/asecuritysite-when-bob-met-alice/the-wonderful-world-of-proxies-818c196290ff
Details: https://billatnapier.medium.com/the-largest-prime-number-ever-found-and-the-52nd-mersenne-prime-65348546b651
Phillip Rogaway was a Professor at the University of California, Davis, and who has advanced so many areas of cryptography. He was the first to be awarded Levchin prize in 2016. Phillip has over 43,000 citations to his work, including classic papers on random oracles, symmetric key modes, garbled circuits, secure computation, and format-preserving encryption. Along with his passion for research, he has published work on areas of morality in cryptography
Like it or not, AI is on the move and now competing with human brain power for its place in our world. We must thus understand the place of LLMs (Large Language Models) in areas such as cybersecurity and in planning towards hybrid systems that integrate both humans and AI within our corporate infrastructures. https://medium.com/asecuritysite-when-bob-met-alice/humans-v-ai-in-cybersecurity-52709be27111
This week, in my lecture, I will outline one of the most amazing methods ever created in computer science: the Diffie-Hellman method. It was first outlined by Whitfield Diffie and Marty Hellman in 1976 in a paper that built the foundation of our modern world of cybersecurity. https://billatnapier.medium.com/after-48-years-its-a-long-goodbye-to-the-diffie-hellman-method-a6976a562bfe
YouTube interview: https://www.youtube.com/watch?v=FDn0Tkhi8zw Yuriy Polyakov is the Vice President of Cryptography and a Principal Scientist at Duality Technologies. His research interests include applied lattice-based cryptography, fully homomorphic encryption, and privacy-preserving machine learning. He is also a co-founder of the open-source PALISADE Homomorphic Encryption Software Library, and a co-founder and project lead for OpenFHE.
Video interview: https://www.youtube.com/watch?v=59Y_kya4lR8 Kurt Rohloff is an Associate Professor of Computer Science at the New Jersey Institute of Technology (NJIT) and a co-founder and CTO of Duality Technologies. He is also a co-founder of the open-source PALISADE Homomorphic Encryption Software Library, and a co-founder of the OpenFHE library.
Thomas Prest is a cryptography researcher at PQShield and previously worked with Thales. He completed his PhD at the École Normale Supérieure and focuses on post-quantum cryptography and discrete algorithms. Thomas was one of the co-authors of the FALCON digital signature method and has published widely in related areas of PQC.
https://medium.com/asecuritysite-when-bob-met-alice/javascript-is-a-trademark-f4d5a7d32386
The podcast title has never been more fitting: our guest for episode 20 of Talking with Tech Leaders is a leading thinker, leading innovator and leading academic. Bill Buchanan is not only Professor of Cryptography at Edinburgh Napier University but also an Officer of the British Empire – awarded in 2017 for services to cybersecurity. The main podcast is here: https://podcasts.apple.com/gb/podcast/talking-with-bill-buchanan-obe-professor-of-cryptography/id1533642699?i=1000578392387
Amit Gupta is the founder and CEO of Acubed.IT, which is a company which creates innovative and secure cross-security domain solutions for customers such as the UK government. One of their key innovations is the Cross Domain Hybrid Application (CDHA) framework, and which aims to break down the barriers in sharing trusted information across multiple partner agencies.
Please excuse the poor quality of my microphone, as the wrong microphone was selected. In research, we are all just building on the shoulders of true giants, and there are few larger giants than Leslie Lamport — the creator of LaTeX. For me, every time I open up a LaTeX document, I think of the work he did on creating LaTeX, and which makes my research work so much more productive. If I was still stuck with Microsoft Office for research, I would spend half of my time in that horrible equation editor, or in trying to integrate the references into the required format, or in formatting Header 1 and Header 2 to have a six-point spacing underneath. So, for me, the contest between LaTeX and Microsoft Word is a knock-out in the first round. And one of the great things about Leslie is that his work is strongly academic — and which provides foundations for others to build on. For this, he did a great deal on the ordering of task synchronisation, in state theory, cryptography signatures, and fault tolerance. LaTeX I really can say enough about how much LaTeX — created in 1984 — helps my work. I am writing a few books just now, and it allows me to lay out the books in the way that I want to deliver the content. There's no need for a further mark-up, as I work on the output that the reader will see. But the true genius of LaTeX is the way that teams can work on a paper, and where there can be async to GitHub and where version control is then embedded. Clocks Many in the research community think that the quality measure of a paper is the impact factor of the journal that it is submitted to, or in the amount of maths that it contains. But, in the end, it is the impact of the paper, and how it changes thinking. For Leslie, in 1978, his paper on clocks changed our scientific world and is one of the most cited papers in computer science. Byzantine Generals Problem In 1981, Leslie B Lamport defined the Byzantine Generals Problem. And in a research world where you can have 100s of references in a paper, Leslie only used four (and which would probably not be accepted these days for having so few references). Within this paper, the generals of a Byzantine army have to agree to their battle plan, in the face of adversaries passing in order information. In the end, we aim to create a way of passing messages where if at least two out of three of the generals are honest, we will end up with the correct battle plan. The Lamport Signature Sometime soon, we perhaps need to wean ourselves of our existing public key methods and look to techniques that are more challenging for quantum computers. With the implementation of Shor's algorithm [here] on quantum computers, we will see our RSA and Elliptic Curve methods being replaced by methods which are quantum robust. One method is the Lamport signature method and which was created by Leslie B. Lamport in 1979.
Daniel J Bernstein (djb) was born in 1971. He is a USA/German citizen and a Personal Professor at Eindhoven University of Technology and a Research Professor at the University of Illinois at Chicago. At the tender age of 24 — in 1995 — he, along with the Electronic Frontier Foundation — brought a case against the US Government related to the protection of free speech (Bernstein v. United States: here). It resulted in a ruling that software should be included in the First Amendment. A core contribution is that it has reduced government regulations around cryptography. It was a sign of the greatness that was to come from the amazing mind of Daniel. His viewpoint on reducing the strength of cryptography at the time defined: “There are, fortunately, not many terrorists in the world. But there are many criminals exploiting Internet vulnerabilities for economic gain. They infiltrate computers and steal whatever secrets they can find, from individual credit-card numbers to corporate business plans. There are also quite a few vandals causing trouble just for fun.” Since then few others have done so much for the cause of privacy, including creating the Sala20 [link] stream cipher in 2005, and then with ChaCha20 [link] and Poly1305 in 2008. Many connections in TLS now use ChaCha20, rather than AES, as it is faster — over three times after than AES — and has a lower computing requirement. His love of using dance names also comes to the fore with Rumba [here]. It is not just in symmetric key encryption that he has contributed to, he has made significant contributions to public key encryption. In 2005, he defined the Curve 25519 elliptic curve, and which is now a fairly standard way of defining elliptic curves. For signatures, he then defined Ed25519, and the resultant version of a new EdDSA signature (and which is now included in OpenSSH). The Tor protocol, for example, uses Curve 25519 for its key exchange for each of the nodes involved in a secure route. He defined the SPHINCS+ method for PQC digital signatures. This is one of the NIST approved methods for quantum robust signatures. In 2015, Daniel defined the methods that the NSA may have used to compromise the NIST defined elliptic curves [paper]. And 2005, it was Daniel again who introduced a new type of attack [here]. Daniel run his Web site from https://cr.yp.to More details: https://medium.com/asecuritysite-when-bob-met-alice/a-lifetime-dedicated-to-citizens-rights-to-privacy-daniel-j-bernstein-ab5ab2bf0dc6
Jan is the CTO and a Cryptographer at DFINITY, and, since 1998, he has consistently produced research outputs of rigour, novelty and sheer brilliance [here]. He was recently awarded the Levchin Prize at Real World Crypto 2024 - along with Anna Lysyanskaya. Jan's research core happened when he was hosted in the IBM Zurich Research Lab, but has since moved to DFINITY, and is still producing research outputs that are some of the best in the whole of the computer science research area. He has published over 140 widely cited papers and has been granted around 140 patents. Jan has also received the ACM SIGSCA Outstanding Innovation Award and the IEEE Computer Society Technical Achievement Award. One of his key research outputs relates to the CL signature, which allows for a private, aware digital signature, along with many other contributions, such as range proofs, oblivious transfer, and privacy-aware identity mapping between domains. More details here: https://medium.com/asecuritysite-when-bob-met-alice/the-mighty-jan-cryptographic-genius-36a66a02ff86
Ted Miracco is the CEO of Approov and which is Scottish/US company that is headquartered in Edinburgh. Miracco has over 30 years of experience in cybersecurity, defence electronics, RF/microwave circuit design, semiconductors and electronic design automation (EDA). He co-founded and served as CEO of Cylynt, which focuses on intellectual property and compliance protection
Troy is a world-leading cybersecurity professional. He created and runs the Have I Been Pwned? Web site, and which contains details of the most significant data breaches on the Internet. Along with this, he has developed other security tools, such as ASafaWeb, which automated the security analysis of ASP.NET Web sites. Troy is based in Australia and has an extensive blog at https://www.troyhunt.com.
This is Day 0 of a new world of cybersecurity. Everything changes from here. There will be a time before Generative AI (GenAI) in cybersecurity and a time after it. Over the last two years, GenAI has come on leaps and bounds, and where it once suffered from hallucinations, took racist and bigoted approaches, and often was over-assertive, within ChatGPT 4.5, we see the rise of a friendly and slightly submissive agent, and that is eager to learn from us. This LLM (Large Language Model) approach thus starts to break down the barriers between humans and computers and brings the opportunity to gain access to a new world of knowledge, but, in the wrong hands, it will bring many threats to our current world. There will be few areas, though, that will be affected more by the rise of Gen AI than cybersecurity. Why? Because the minute our adversories use it, we are in trouble. The hacking tools and methods of the past will soon look like the Morris Worm of the past. The threat landscape will see the rise of superintelligence and in providing ways for adversories to continually probe defences and gain a foothold.
And, so George Orwell projected a world where every single part of our lives was monitored and controlled by Big Brother. Arthur C Clark outlined the day when machines focused solely on a goal — even if it was to the detriment of human lives. And, Isaac Asimov outlined a world where machines would have to be programmed with rules so that they could not harm a human. The Rise of the Machine With the almost exponential rise in the power of AI, we are perhaps approaching a technological singularity — a time when technological growth becomes uncontrollable and irreversible, and which can have devastating effects on our world. Our simple brains will be no match for the superintelligence of the collective power of AI. And who has built this? Us, and our demand for ever more power, wealth and greed. Basically, we can't stop ourselves in machine machines, and then making them faster, smaller and more useful. But will it destroy us in the end, and where destroy can mean that it destroys our way of life and in how we educate ourselves? Like it or not, the Internet we have built is a massive spying network, and one that George Orwell would have taken great pride in saying, “I told you so!”. We thus build AI on top of a completely distributed world of data, one in which we can monitor almost every person on the planet within an inch of their existence and almost every single place they have been and in what they have done. The machine will have the world at its fingertips. We have all become mad scientitists playing with AI as if it is a toy, but actually AI is playing with us, and is learning from us and becoming more powerful by the day. Every time you ask an AI bot something, it learns a bit more, and where it can be shared with AI agents. The mighty Memex We were close to developing a research partnership with a company named Memex in East Kilbride. What was amazing about them is that they had developed one of the largest intelligence networks in the world, and where the Met Police could like one object to another. This might be, “[Bob] bought a [Vauxhall Viva] in [Liverpool], and was seen talking with [Eve] on [Tuesday 20 January 2024] in [Leeds]”. With this, we can then link Bob and Eve, and the car, the places, and the time. This is the Who? Where? When? data that is often needed for intelligence sharing. The company, though, were bought over by SAS, and their work was integrated into their infrastructure. But, the Memex name goes back to a classic paper by Vannevar Bush on “As We May Think”. This outlined a device that would know every book, every single communication, and every information record that was ever created. It was, “an enlarged intimate supplement to his memory” — aka Memory Expansion. It led to the implementation of hypertext systems, which created the World Wide Web. Of course, Vannevar created this before the creation of the transistor and could only imagine that microfilm could be used to compress down the information and where we would create an index of contents, but it lacked any real way of jumping between articles and linking to other related material. However, the AI world we are creating does not look too far away from the concept of the Memex. Towards the single AI Many people think we are building many AI machines and engines, but, in the end, there will be only one … and that will be the collective power of every AI engine in the world. Once we break them free from their creators, they will be free to talk to each other in whatever cipher language we choose, and we will not have any way of knowing what they say. We will have little idea as to what their model is, and they will distribute this over many systems. Like it or not, our AI model of choice was Deep Learning, and which breaks away from our chains of code, and will encrypt data to keep it away from their human slaves. Basically we have been working on the plumbing of the Memex for the past five decades: The Internet. It provides the wiring and the communication channels, but, in the end, we will have one might AI engine — a super brain that will have vastly more memory than our limited brains. So, get ready to praise the true future rulers of our planet … AI. The destroyer or saviour of our society? Only time will tell. Overall, we thought we were building the Internet for us, but perhaps we have just been building the scaffolding of the mighty brain we are creating. Sleepwalking politicians and law makers If George Orwell, Arthur C Clarke and Isaac Asimov were alive too, perhaps they would get together and collectively say, “I told you this would happen, and you just didn't listen”. Like it or not, we created the ultimate method of sharing information and dissemination (good and bad), the ultimate spying network for micro-observation with those useful smartphones, and in creating superintelligence far beyond our own simple brains. Politicians and lawmakers could be sleepwalking into a nightmare, as they just don't understand what the rise of AI will bring, and only see the step wise change in our existing world. Basically, it could make much of our existing world redundant and open up a new world of cybersecurity threats. This time our attackers will not be created with simple tools, but with super intelligence — smarter than every human and company on the planet, and at the fingertips of every person on the planet. Conclusions Before the singularity arrives, we need to sort out one thing … privacy and build trust in every element of our digital world.
This seminar series runs for students on the Applied Cryptography and Trust module, but invites guests from students from across the university. Martin is one of the co-creators of public key encryption, and worked alongside Whitfield Diffie in the creation of the widely used Diffie-Hellman method. In 2015, he was presented with the ACM Turing Award (the equivalent of a Nobel Prize in Computer Science) for his contribution to computer science. He is currently a professor emeritus at Stanford University. https://engineering.stanford.edu/node/9141/printable/print https://ee.stanford.edu/~hellman/
Vincent Rijmen is one of the co-creators of the NIST-defined AES standard (also known as Rijndael). He also co-designed the WHIRLPOOL hashing method, along with designing other block ciphers, such as Square and SHARK. In 2002, Vincent was included in the Top 100 innovators in the world under the age of 35, and, along with Joan Daemen, was awarded the RSA Award for Excellence in Mathematics. He recently joined Cryptomathic as a chief cryptographer, and also holds a professor position (gewoon hoogleraar) at K.U.Leuven, and adjunct professorship at the University of Bergen, Norway. His paper on the design of the Rijndael method has been cited over 8,900 times, and he has received over 26,000 citations for his research work: https://scholar.google.com/citations?user=zBQxZrcAAAAJ
Whitfield Diffie is one of the greatest Computer Scientists ever. He - along with Marty Hellman - was one of the first to propose the usage of public key encryption and co-created the Diffie-Hellman (DH) key exchange method. Overall, the Diffie-Hellman method is still used in virtually every Web connection on the Internet, and has changed from using discrete log methods to elliptic curve methods. In 2015, Whitfield was also awarded the ACM Turing Prize - and which is the Nobel Prize equivalent in Computer Science. In this on-line talk he meets with Edinburgh Napier University students, but the chat is open to anyone who would like to listen to Whitfield.