On blockchains, secure multi-party computation and the future of the Internet
Karim Eldefrawy is a Principal Computer Scientist at SRI International’s Computer Science Laboratory (CSL). Karim ‘s research interests are in cybersecurity and cryptography. SRI International talked to him about what kinds of technologies are needed to move the security asymmetry between enterprises and attackers. Karim also introduced us to some of the dichotomies on the field of privacy and the potential to resolve these.
“Let me show you the world”
We started our chat with a little background on Karim.
Karim: Back in the day, in Egypt, where I was born, my first real computer had a 100MHZ Pentium processor, which was already a big step from the older 386’s I used to played with while at friend’s houses. Connecting to the — then early — Internet, was a 14.4 baud US Robotics modem. A colleague of my uncle helped me learn how to use the computer. He set up a Netscape browser and a set of applications (and games) for me on that computer and finished the job attempting to dial into an internet service provider while uttering these words (in Arabic though):
“Let me show you the world”
Ironically enough, I didn’t see the world that day. We couldn’t get it to work the first time (the dial-up connection we got was too noisy); but eventually, I saw the world early morning the next day when phone-lines were less busy — in this case, a basic webpage.
This basic introduction to the Internet allowed me to begin my own journey.
The conversation carried on with Karim telling us about that journey.
Karim: I eventually moved to the U.S. to continue my studies and pursue a Ph.D. I spent 2002 as an intern at Cisco in San Jose where I learned a lot about networking. After my Ph.D. I spent six years at a research lab in Malibu, and in Jan 2017, I joined SRI International. SRI is one the few historically significant research labs left in the U.S. to offer me the freedom to do (what I consider) real research. Also, the history of California and SRImakes it special in the history of the Internet. SRI was one of the first four nodes that constituted what was the beginning of the Internet.
The Freedom to Explore
The connection to Silicon Valley was not lost on Karim, who noted that the early bulletin boards of the Internet came out of companies based in the state.
Karim: World class cryptographers and distributed systems researchers (among other CS disciplines) have come out of SRI International; SRI gave me a place to learn and grow.
Just being near world-class research groups in CSL and other divisions allows me to absorb their work — this is important as systems become more complex and connected.
I find that startups are not the same as research labs, and they should not be, as they serve a different purpose. Startups often conduct advanced development and engineering, not real research. Research to me means you have to take a risk and pursue a path that has an unknown outcome, otherwise, if you know it will work, I call that advanced engineering. A real research lab (in the spirit of the legendary Bell Labs) gives you the freedom to explore without the constraints of meeting investor expectations. Unfortunately for the U.S. (and the whole world) there ae not a lot of places left like Bell Labs. Universities are now the best option for researchers who want that freedom (apart from SRI and a handful of other places).
In my opinion, computer science is going through challenging times. At the core, this may be due to the differences between science, logic, and math. The early computer pioneers were logicians and mathematicians (e.g. Alan Turing and John von Neumman). Applying logic and mathematics can become very quickly hard the larger the computer systems and networks become. I am afraid that current trends indicate that computer science has lost its principles and is no longer as systematic as it was in the early days.
I taught undergrad and graduate courses from networking to security and applied cryptography at the University of California, Irvine. I enjoy teaching, but I find that often computer science education can be weak on math. The top universities are always going to create great graduates, but math is weak in the courses offered in the computer science curriculum in a lot of universities. My opinion is that (ideally) the sub-fields of computer science should strive for a level of rigor closer to math and logic, than to science. This becomes obviously challenging as systems grow and become more complex.
Things are now so complicated, and people have narrow views of computing — this may be why progress is slow.
People like to differentiate between theory and practice –Alan Turing, Jon von Neuman, and Claude Shannon, were pioneers — Shannon discovered information theory, but he was also a hardware developer and programmer and built with his own hands a mouse that could navigate a maze (it doesn’t get more applied than this); he could connect between those worlds.
“It is not a surprise (to me) that computer science eventually becomes difficult”
Karim: We have a challenge in our education system in the U.S. which could leave us behind the competition. Recent news and reports claimed that in China, high-school students are outpacing the U.S. students. We are in a rapidly changing world with lots of unknowns. We must understand that we need a theory, not just take data and analyze it without a guiding theory — ideally, an integrated approach. Not being guided by a theory in the long-term is like throwing darts in ad-hoc directions and in the dark. This approach will take the U.S. into a new level of competitiveness.
However, China may still have a competitive edge when it comes to data-driven technical developments (e.g., the current dominating model of machine learning) because of privacy laws. Machine Learning needs lots of data and the more you throw at it the more it learns, But privacy laws are (and should be I my view) restricting the access to and sharing of users’ information and now with distributed computing, there might be a case for the use of Machine Learning as it is more efficient, but it needs a good mathematical underpinning it.
The biggest issue is that the attackers typically don’t go after the algorithm they go after the keys, software and so on. The only way to build secure systems is to build them in a verifiable and predictable way.
The work of SRI’s Peter Norman and his collaborators on building a processor with solid security guarantees from the ground up (and with formal computer-aided verification thereof) is an illustration of what I am talking about. I think that the recent problems with airplane issues are a demonstration of how complex systems have become, and how hard it is to verify and certify them, and such airplane issues are a simpler version that did not consider security and motivated adversaries with malicious intent.