Blogposts of Sofia Celi

<?xml version="1.0" encoding="utf-8"?> <rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"> <channel> <title>Blogposts of Sofia Celi</title> <description>Your latest posts</description> <link>http://claucece.github.io/</link> <item> <title>Breaking Post-Quantum Cryptography</title> <description>&lt;p&gt;&lt;em&gt;The breaking state of the week&lt;/em&gt;&lt;/p&gt; &lt;p&gt;Let’s talk briefly about some attacks on post-quantum cryptography that were just announced:&lt;/p&gt; &lt;h2 id=&quot;breaking-frodokem&quot;&gt;Breaking FrodoKEM&lt;/h2&gt; &lt;p&gt;The paper &lt;a href=&quot;https://eprint.iacr.org/2022/952&quot;&gt;“When Frodo Flips: End-to-End Key Recovery on FrodoKEM via Rowhammer”&lt;/a&gt; by Michael Fahr Jr. et al. uses the &lt;a href=&quot;https://en.wikipedia.org/wiki/Row_hammer&quot;&gt;Row hammer&lt;/a&gt; exploit to recover the private key material of the FrodoKEM scheme (it also uses decryption failure attacks). Row hammer allows flipping bits in DRAM by “hammering” rows of memory adjacent to a targeted memory location through repeated memory accesses. The attack uses it to produce a “poisoned” key.&lt;/p&gt; &lt;p&gt;While the paper uses FrodoKEM as an example, the attack could in theory be executed against other lattice-based KEMs (more easily against Kyber or Saber, and with more difficulty against NTRU).&lt;/p&gt; &lt;h2 id=&quot;breaking-supersingular-isogeny-diffiehellman-sidh-protocol&quot;&gt;Breaking Supersingular Isogeny Diffie–Hellman (SIDH) protocol&lt;/h2&gt; &lt;p&gt;&lt;a href=&quot;https://eprint.iacr.org/2022/975&quot;&gt;The paper by Wouter Castryck and Thomas Decru&lt;/a&gt; presents a powerful key recovery attack on SIDH, and its instantiation SIKE. It is based on the “glue-and-split” &lt;a href=&quot;https://www.mast.queensu.ca/~kani/papers/numgenl.pdf&quot;&gt;theorem (Thm 2.6)&lt;/a&gt; from 1997 by Ernst Kani and very much outperforms previous attack strategies. 
It can be used to recover either Bob’s or Alice’s private key.&lt;/p&gt; &lt;p&gt;The attack allows for the recovery of a secret cyclic \(3^{b}\)-isogeny \(\phi : E_0 \rightarrow E\). Note that it takes as initial input \(\beta = 0\) and \(E_0 = E_{start}\); more generally, it assumes a \(3^{\beta}\)-isogeny \(\tau : E_0 \rightarrow E_{start}\) for some \(\beta \geq 0\). Here \(E_{start}\), which is either \(y^{2} = x^{3} + x\) or \(y^{2} = x^{3} + 6x^{2} + x\), is one of the two commonly chosen base curves in SIDH/SIKE, with respective j-invariants 1728 and 287496.&lt;/p&gt; &lt;p&gt;Following the &lt;a href=&quot;https://eprint.iacr.org/2014/505.pdf&quot;&gt;work by Kohel–Lauter–Petit–Tignol&lt;/a&gt; and the &lt;a href=&quot;https://arxiv.org/pdf/1910.03180.pdf&quot;&gt;work of Love–Boneh&lt;/a&gt;, all known ways to generate a supersingular base curve \(E_0/F_{p^{2}}\) in a trustless manner reveal an isogeny of the previous form (the \(3^{\beta}\)-isogeny). In this case, the attack is very powerful, as the secret isogeny will be revealed. But even when this is not the case (when using, for example, a trusted set-up or a base curve generated by Alice), the glue-and-split method still lowers security.&lt;/p&gt; &lt;p&gt;In order to mount the attack, an “auxiliary” cyclic \(c\)-isogeny \(\gamma: E_0 \rightarrow C\) to some codomain curve \(C\) (with \(c = 2^{a} - 3^{b}\)) is needed, with the idea of (efficiently) computing the image points \(P_c\) and \(Q_c\) under it. This is not trivial, and it requires the factorization of an integer of size \(O(2^{a})\). It also needs the “special” nature of \(E_{start}\), which comes with an endomorphism \(2i\) satisfying \((2i)^{2} = -4\) (both options stated above have it). 
In essence, the intermediate curves are found, and with them the private key digit by digit: elliptic curves are “glued” into a Jacobian, followed by \(a - \alpha_1 - 2\) Richelot isogenies between Jacobians of genus-2 curves (where we also check whether the last step “splits”).&lt;/p&gt; &lt;p&gt;What I truly love about the paper is that this works even for base curves without a known path to \(E_{start}\). If \(c = 2^{a} - 3^{b}\) is smooth, then it remains possible to construct the auxiliary isogeny \(\gamma\). Note that the likelihood of \(c\) being smooth is very small, so this doesn’t seem to lead to a practical attack, but it might lower the security level of some parameter sets.&lt;/p&gt; &lt;p&gt;But, does this mean that all is lost in isogeny-land? Not really. It does not affect CSIDH or SQISign. There could also be ways to counter the attack, but I’ll defer until the authors publish the full paper.&lt;/p&gt; &lt;p&gt;For a nicer explanation, read the &lt;a href=&quot;https://ellipticnews.wordpress.com/2022/07/31/breaking-supersingular-isogeny-diffie-hellman-sidh/&quot;&gt;blog post&lt;/a&gt; of Galbraith or the &lt;a href=&quot;https://twitter.com/kutasp/status/1553600601317072898&quot;&gt;thread&lt;/a&gt; of Péter Kutas.&lt;/p&gt; &lt;h2 id=&quot;why-are-these-attacks-important&quot;&gt;Why are these attacks important?&lt;/h2&gt; &lt;p&gt;Attacking cryptographic protocols is important in order to properly assess their security, as, once deployed in real-world situations, they lower or enhance the security of users. What these two attacks have shown us is that the post-quantum field is still young: there are still classical and quantum attack avenues to explore, and still lots of implementation attacks that could be found. Migrating to post-quantum cryptography should not be treated lightly. 
We still don’t have complete data on whether the post-quantum schemes will work for every situation the Internet is used for, and lots of time still needs to pass until we can call the field mature.&lt;/p&gt; &lt;p&gt;Congratulations to the authors of these attacks! Finding attacks on schemes makes the field more mature.&lt;/p&gt; </description> <pubDate>2022-07-31T00:00:00+00:00</pubDate> <link>http://claucece.github.io//2022/07/31/breaking-pqc.html</link> <guid isPermaLink="true">http://claucece.github.io//2022/07/31/breaking-pqc.html</guid> </item> <item> <title>Post-quantum Signatures</title> <description>&lt;p&gt;&lt;em&gt;The state of many signatures&lt;/em&gt;&lt;/p&gt; &lt;p&gt;The algorithms selected for standardisation in the NIST post-quantum standardisation process are out! We have:&lt;/p&gt; &lt;p&gt;For Public-Key Encryption/KEMs:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;CRYSTALS-KYBER&lt;/li&gt; &lt;/ul&gt; &lt;p&gt;For Digital Signatures:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;CRYSTALS-Dilithium&lt;/li&gt; &lt;li&gt;Falcon&lt;/li&gt; &lt;li&gt;SPHINCS+&lt;/li&gt; &lt;/ul&gt; &lt;p&gt;&lt;br /&gt; With a note:&lt;/p&gt; &lt;p&gt;“CRYSTALS-KYBER (key-establishment) and CRYSTALS-Dilithium (digital signatures) were both selected for their strong security and excellent performance, and NIST expects them to work well in most applications. Falcon will also be standardized by NIST since there may be use cases for which CRYSTALS-Dilithium signatures are too large. Additionally, SPHINCS+ will be standardized to avoid only relying on the security of lattices for signatures. NIST asks for public feedback on a version of SPHINCS+ with a lower number of maximum signatures.”&lt;/p&gt; &lt;p&gt;&lt;br /&gt; NIST will also hold a new call for proposals for public key signatures:&lt;/p&gt; &lt;p&gt;“NIST also plans to issue a new Call for Proposals for public-key (quantum-resistant) digital signature algorithms by the end of summer 2022. 
NIST is primarily looking to diversify its signature portfolio, so signature schemes that are not based on structured lattices are of greatest interest. NIST would like submissions for signature schemes that have short signatures and fast verification (e.g., UOV).”&lt;/p&gt; &lt;p&gt;In this blog post, I’ll not be focusing on the post-quantum KEM, but rather on post-quantum signatures, as these seem to have a ‘long road ahead’ both from a migration perspective and from a standardization one.&lt;/p&gt; &lt;p&gt;So, let’s explore what post-quantum signatures are available.&lt;/p&gt; &lt;h2 id=&quot;the-zoo-of-signatures&quot;&gt;The Zoo of Signatures&lt;/h2&gt; &lt;p&gt;&lt;br /&gt;&lt;/p&gt; &lt;h3 id=&quot;the-lattices&quot;&gt;The lattices&lt;/h3&gt; &lt;p&gt;&lt;br /&gt; Two of the “winners” of the post-quantum process are lattice-based:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href=&quot;https://pq-crystals.org/dilithium/&quot;&gt;Dilithium&lt;/a&gt; follows &lt;a href=&quot;https://www.iacr.org/archive/asiacrypt2009/59120596/59120596.pdf&quot;&gt;Lyubashevsky’s Fiat–Shamir&lt;/a&gt; &lt;a href=&quot;https://eprint.iacr.org/2011/537.pdf&quot;&gt;with aborts framework&lt;/a&gt;. Its security is based on the Module-LWE (and Module-SIS) assumptions.&lt;/li&gt; &lt;li&gt;&lt;a href=&quot;https://falcon-sign.info/&quot;&gt;Falcon&lt;/a&gt; follows the &lt;a href=&quot;https://eprint.iacr.org/2007/432&quot;&gt;hash-and-sign framework of Gentry, Peikert and Vaikuntanathan&lt;/a&gt;. Its security is based on the hardness of the SIS problem over NTRU lattices.&lt;/li&gt; &lt;/ul&gt; &lt;p&gt;Dilithium is considered to be “simpler to implement”, but has significantly bigger sizes when compared with non-post-quantum signatures. Falcon, on the other hand, has fast signing and verification times, and its parameters are smaller than Dilithium’s (though still bigger than those of non-post-quantum signatures). 
Falcon also uses constant-time floating point arithmetic, which could be difficult to implement. Falcon also does not provide, as it is, the &lt;a href=&quot;https://ieeexplore.ieee.org/document/9519420&quot;&gt;“beyond unforgeability”&lt;/a&gt; security property. In terms of speed, they both seem to outperform implementations of non-post-quantum algorithms.&lt;/p&gt; &lt;p&gt;While they both seem suitable for the ‘online’ signature of a TLS 1.3 handshake (the signature over the handshake transcript), it is unclear if they will work for the whole certificate chain (which involves many other signatures that are generated in an “offline” manner but, sometimes, verified online). Even if we put the performance times of the operations aside, the transmission of long parameters as part of the certificate chain can have an impact on the latency of TLS connections. We are unclear on how noticeable that impact will be for end-users and whether there are mechanisms we can use to prevent it (caching, suppressing intermediates, zero-knowledge-like proofs of the whole chain, etc.). Some notes around the matter can be found &lt;a href=&quot;https://sofiaceli.com/PQNet-Workshop/tls.html&quot;&gt;here&lt;/a&gt; and &lt;a href=&quot;https://sofiaceli.com/slides/PQC_KEMTLS.pdf&quot;&gt;here&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;For other protocols, they might fail. For DNSSEC, for example, public key and signature sizes have to be small. Of the two, only Falcon’s parameters fall within the size limit needed for DNSSEC, but that leaves no room for shipping more than one key/signature at a time or extra payload. 
For interesting research on the matter, see &lt;a href=&quot;https://www.sidnlabs.nl/downloads/7qGFW0DiOkov0vWyDK9qaK/de709198ac34477797b381f146639e27/Retrofitting_Post-Quantum_Cryptography_in_Internet_Protocols.pdf&quot;&gt;‘Retrofitting Post-Quantum Cryptography in Internet Protocols: A Case Study of DNSSEC’&lt;/a&gt; or some notes &lt;a href=&quot;https://sofiaceli.com/PQNet-Workshop/dnssec.html&quot;&gt;here&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;There is a “simpler-to-implement” variant of Falcon, &lt;a href=&quot;https://eprint.iacr.org/2021/1486.pdf&quot;&gt;Mitaka&lt;/a&gt;, which manages to avoid floating point arithmetic in one of its versions.&lt;/p&gt; &lt;p&gt;Recently, a very &lt;a href=&quot;https://eprint.iacr.org/2022/785.pdf&quot;&gt;interesting paper&lt;/a&gt; proposed reducing the size of lattice-based hash-and-sign signatures by sampling according to a suitably chosen ellipsoidal discrete Gaussian rather than a spherical one. This technique reduces the signature size of Falcon by 30–40%. It seems very interesting and a very nice avenue of research.&lt;/p&gt; &lt;p&gt;So, it seems we might see improvements to the lattice schemes in the future.&lt;/p&gt; &lt;h3 id=&quot;the-alternative-that-got-broken-and-some-news&quot;&gt;The alternative that got broken and some news&lt;/h3&gt; &lt;p&gt;&lt;br /&gt; An interesting candidate that was part of the process was &lt;a href=&quot;https://www.pqcrainbow.org/&quot;&gt;‘Rainbow’&lt;/a&gt;, which uses a multivariate approach. It is based on the Unbalanced Oil and Vinegar (UOV) scheme. The signature size was perfect for usage in DNSSEC (and TLS 1.3), but the public key size did not fit in a DNS packet. 
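As an added example (not code from the original post), here is the back-of-the-envelope size check a practitioner would run for the two deployment questions raised above: whether a signed DNS answer or a DNSKEY response still fits in a DNS message, and whether a TLS certificate chain still fits in the first congestion window of a fresh connection. Public-key and signature byte counts are the ones given in each scheme's NIST round-3 specification; every protocol limit (the 1232-byte EDNS buffer, the 65535-byte DNS message maximum, a 10-segment initial congestion window, the per-record and per-certificate overheads) is an assumption stated in the comments:

```python
"""Added example: size budgets for post-quantum signatures in DNSSEC and in a
TLS certificate chain.  Not from the original post; the protocol limits and
overheads below are assumptions, the key/signature sizes are the byte counts
given in each scheme's NIST round-3 specification."""

# (public key bytes, signature bytes) per scheme
SIZES = {
    "Ed25519": (32, 64),
    "ECDSA-P256": (64, 64),
    "RSA-2048": (256, 256),
    "Falcon-512": (897, 666),
    "Falcon-1024": (1793, 1280),
    "Dilithium2": (1312, 2420),
    "Dilithium3": (1952, 3293),
    "SPHINCS+-128s": (32, 7856),
    "SPHINCS+-128f": (32, 17088),
    "Rainbow-I-Classic": (161600, 66),
}

# --- DNSSEC (assumed limits) ---------------------------------------------
UDP_SAFE_BYTES = 1232        # EDNS buffer size recommended by DNS Flag Day 2020
DNS_MESSAGE_MAX = 65535      # a DNS message cannot exceed this, even over TCP
DNS_RR_OVERHEAD = 100        # owner names, RR headers, RRSIG fixed fields

# --- TLS (assumed values) -------------------------------------------------
MSS = 1460                   # TCP payload per segment
INIT_CWND_SEGMENTS = 10      # initial congestion window (RFC 6928)
X509_OTHER_BYTES = 500       # certificate bytes other than key and signature
HANDSHAKE_OTHER_BYTES = 200  # ServerHello, extensions, Finished, framing


def fits(nbytes, limit):
    # True when nbytes does not exceed limit
    return max(nbytes - limit, 0) == 0


def signed_answer_bytes(scheme, n_sigs=1):
    # a small RRset (one A record, say) plus n_sigs RRSIG records
    _, sig = SIZES[scheme]
    return n_sigs * sig + DNS_RR_OVERHEAD


def dnskey_response_bytes(scheme, n_keys=2, n_sigs=1):
    # KSK + ZSK DNSKEY records plus the RRSIG(s) over the DNSKEY RRset
    pk, sig = SIZES[scheme]
    return n_keys * pk + n_sigs * sig + DNS_RR_OVERHEAD


def cert_bytes(scheme):
    pk, sig = SIZES[scheme]
    return pk + sig + X509_OTHER_BYTES


def server_flight_bytes(scheme, n_certs=2):
    # leaf plus intermediate(s); the root is not sent.  The CertificateVerify
    # signature over the transcript is one more signature of the same scheme.
    _, sig = SIZES[scheme]
    return n_certs * cert_bytes(scheme) + sig + HANDSHAKE_OTHER_BYTES


def slow_start_round_trips(nbytes):
    # round trips a fresh TCP connection needs to deliver nbytes when the
    # window starts at INIT_CWND_SEGMENTS and doubles every round trip;
    # anything beyond the first window costs at least one extra RTT
    sent, window, rounds = 0, INIT_CWND_SEGMENTS * MSS, 0
    while max(nbytes - sent, 0) != 0:   # loop until sent covers nbytes
        sent += window
        window *= 2
        rounds += 1
    return rounds


def report(scheme):
    # one summary row per scheme
    return {
        "scheme": scheme,
        "answer_udp_ok": fits(signed_answer_bytes(scheme), UDP_SAFE_BYTES),
        "two_sigs_udp_ok": fits(signed_answer_bytes(scheme, 2), UDP_SAFE_BYTES),
        "dnskey_tcp_ok": fits(dnskey_response_bytes(scheme), DNS_MESSAGE_MAX),
        "tls_flight_bytes": server_flight_bytes(scheme),
        "tls_round_trips": slow_start_round_trips(server_flight_bytes(scheme)),
    }


if __name__ == "__main__":
    for name in SIZES:
        print(report(name))
```

Under these assumptions the numbers line up with the remarks above: a Falcon-512 answer with one RRSIG fits in 1232 bytes but a second RRSIG pushes it over, the DNSKEY response of every post-quantum scheme exceeds 1232 bytes and so falls back to TCP, and Rainbow's public keys make even the TCP response exceed the DNS message maximum. On the TLS side, a two-certificate Falcon-512 or Dilithium2 chain still fits in the first window, while Dilithium3, SPHINCS+ and Rainbow chains need additional round trips before the client can verify anything.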
Unfortunately, &lt;a href=&quot;https://eprint.iacr.org/2022/214.pdf&quot;&gt;Rainbow was broken&lt;/a&gt;: the attack returns the private key after, on average, 53 hours (which is, basically, one weekend).&lt;/p&gt; &lt;p&gt;But there is another candidate from the UOV family: &lt;a href=&quot;https://eprint.iacr.org/2021/1144.pdf&quot;&gt;MAYO&lt;/a&gt;, which has very nice performance and sizes (bigger than non-post-quantum schemes, though). This might be a nice contender in the future if its performance is improved.&lt;/p&gt; &lt;h3 id=&quot;the-mpc-ones&quot;&gt;The MPC ones&lt;/h3&gt; &lt;p&gt;&lt;br /&gt; &lt;a href=&quot;https://microsoft.github.io/Picnic/&quot;&gt;Picnic&lt;/a&gt; was a candidate for standardisation that will no longer be considered in the NIST process. It is a non-interactive zero-knowledge proof of knowledge of a private key, bound to the message being signed. Its security is based on the hash function and on the security of the LowMC block cipher. There has been a lot of research on its security, which has found &lt;a href=&quot;https://eprint.iacr.org/2020/1034.pdf&quot;&gt;several&lt;/a&gt; &lt;a href=&quot;https://eprint.iacr.org/2021/1345.pdf&quot;&gt;weak points&lt;/a&gt; (listing the ones I’ve read so far, but there are more).&lt;/p&gt; &lt;p&gt;On the positive side: there is hope. Several variants of Picnic have been proposed that are based on AES. There is &lt;a href=&quot;https://eprint.iacr.org/2019/781.pdf&quot;&gt;BBQ&lt;/a&gt;, &lt;a href=&quot;https://eprint.iacr.org/2021/068.pdf&quot;&gt;Banquet&lt;/a&gt;, and &lt;a href=&quot;https://eprint.iacr.org/2021/215.pdf&quot;&gt;much&lt;/a&gt; &lt;a href=&quot;https://eprint.iacr.org/2021/692.pdf&quot;&gt;more&lt;/a&gt;. 
This very interesting area of research can also lead to a signature scheme with small public keys (as Picnic has).&lt;/p&gt; &lt;h3 id=&quot;the-isogenies&quot;&gt;The isogenies&lt;/h3&gt; &lt;p&gt;&lt;br /&gt; The security of isogeny schemes rests on the hardness of finding a path in the supersingular \(\ell\)-isogeny graph between two given vertices, which is believed to be hard for both classical and quantum computers. The &lt;a href=&quot;https://eprint.iacr.org/2014/505.pdf&quot;&gt;KLPT algorithm&lt;/a&gt; (from Kohel, Lauter, Petit and Tignol) solves the quaternion analog of this problem under the Deuring correspondence. Based on it, Galbraith, Petit and Silva gave the &lt;a href=&quot;https://eprint.iacr.org/2016/1154.pdf&quot;&gt;first theoretical signature scheme&lt;/a&gt; related to isogeny graphs of supersingular elliptic curves.&lt;/p&gt; &lt;p&gt;Building on the latter, &lt;a href=&quot;https://eprint.iacr.org/2020/1240.pdf&quot;&gt;SQISign&lt;/a&gt; was proposed. The scheme has the smallest combined public key and signature sizes of all the post-quantum signature schemes, but its performance is slow. Recently, there have been &lt;a href=&quot;https://eprint.iacr.org/2022/234.pdf&quot;&gt;efforts&lt;/a&gt; to improve its performance.&lt;/p&gt; &lt;p&gt;Isogeny-based cryptography is an active area of research. Interesting candidates might come from this area.&lt;/p&gt; &lt;h3 id=&quot;hash-based&quot;&gt;Hash-based&lt;/h3&gt; &lt;p&gt;&lt;br /&gt; There are two “types” here: schemes that maintain state (&lt;a href=&quot;https://datatracker.ietf.org/doc/html/rfc8391&quot;&gt;XMSS&lt;/a&gt; or &lt;a href=&quot;https://datatracker.ietf.org/doc/html/rfc8554&quot;&gt;LMS&lt;/a&gt;) and schemes that are stateless (&lt;a href=&quot;https://sphincs.org/&quot;&gt;SPHINCS+&lt;/a&gt;). Both types rely on the same security assumption: the security of the underlying hash function. 
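To make concrete what “maintaining state” means for the XMSS/LMS family, here is an added toy example (not code from the original post, and not an XMSS/LMS implementation): Lamport one-time signatures under a small Merkle tree, where the state is the index of the next unused one-time key. The function names, the 4-leaf tree and the dictionary standing in for persistent storage are this example's own choices:

```python
"""Added example (not from the original post, and not an XMSS/LMS
implementation): a toy stateful hash-based signature, Lamport one-time
signatures under a 4-leaf Merkle tree, to show what the "state" is and why
it must be advanced and persisted before a signature leaves the signer."""
import hashlib
import secrets

N_BITS = 256  # one pair of one-time secrets per bit of the SHA-256 digest


def H(data):
    return hashlib.sha256(data).digest()


def digest_bits(msg):
    # the message digest as a 256-character string of '0'/'1', MSB first
    return format(int.from_bytes(H(msg), "big"), "0256b")


def ots_keygen():
    # secret: 256 pairs of random 32-byte values; public: their hashes
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N_BITS)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, pk


def ots_sign(sk, msg):
    # reveal, for each digest bit, the secret that bit selects
    return [sk[i][int(b)] for i, b in enumerate(digest_bits(msg))]


def ots_verify(pk, msg, sig):
    bits = digest_bits(msg)
    return len(sig) == N_BITS and all(
        H(s) == pk[i][int(bits[i])] for i, s in enumerate(sig)
    )


def leaf_hash(pk):
    return H(b"".join(h0 + h1 for h0, h1 in pk))


def merkle_root(leaves):
    level = list(leaves)
    while len(level) != 1:
        level = [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def auth_path(leaves, index):
    # sibling hashes from the leaf up to the root
    path, level, i = [], list(leaves), index
    while len(level) != 1:
        path.append(level[i ^ 1])
        level = [H(level[j] + level[j + 1]) for j in range(0, len(level), 2)]
        i //= 2
    return path


def verify(root, msg, index, sig, pk, path):
    # check the one-time signature, then that pk is leaf `index` of root
    if not ots_verify(pk, msg, sig):
        return False
    node, i = leaf_hash(pk), index
    for sibling in path:
        node = H(node + sibling) if i % 2 == 0 else H(sibling + node)
        i //= 2
    return node == root


class StatefulSigner:
    """Four one-time keys under one Merkle root.  `store` stands in for the
    signer's non-volatile state (a file, an HSM counter, a database row)."""

    def __init__(self, store, n_leaves=4):
        self.keys = [ots_keygen() for _ in range(n_leaves)]
        self.leaves = [leaf_hash(pk) for _, pk in self.keys]
        self.root = merkle_root(self.leaves)
        self.store = store
        self.store.setdefault("next_index", 0)

    def sign(self, msg):
        index = self.store["next_index"]
        if index == len(self.keys):
            raise RuntimeError("all one-time keys used; generate a new key pair")
        # Commit the state change BEFORE releasing the signature: a crash or a
        # restore from backup after this point wastes a leaf but never reuses one.
        self.store["next_index"] = index + 1
        sk, pk = self.keys[index]
        return index, ots_sign(sk, msg), pk, auth_path(self.leaves, index)


def secrets_revealed(signatures):
    # number of distinct one-time secrets an observer holds after seeing the
    # given (msg, sig) pairs, all produced with the SAME one-time key
    seen = set()
    for msg, _sig in signatures:
        for i, b in enumerate(digest_bits(msg)):
            seen.add((i, b))
    return len(seen)
```

The `secrets_revealed` helper shows the cost of getting the state wrong: one signature exposes one secret per digest bit, a second signature with the same leaf exposes a second secret at every position where the two digests differ, and with enough reuse an observer holds both halves everywhere and can sign anything under that leaf. That is why `sign` writes the new index to the store before returning, and why the careful state handling the post points to (no key cloning across instances, no restoring state from backups) is a correctness requirement rather than an operational nicety.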
The reason why there are two types is that some applications might not be able to maintain state (doing so needs &lt;a href=&quot;https://csrc.nist.gov/publications/detail/sp/800-208/final&quot;&gt;careful consideration&lt;/a&gt;), and, hence, will benefit from using SPHINCS+. Nevertheless, SPHINCS+ has larger signature sizes.&lt;/p&gt; &lt;p&gt;Great documentation of hash-based schemes can be found &lt;a href=&quot;https://huelsing.net/wordpress/?page_id=165&quot;&gt;here&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;A table of comparison of sizes: &lt;img src=&quot;/assets/comparison-pq-2.png&quot; alt=&quot;Comparison&quot; /&gt;&lt;/p&gt; &lt;p&gt;So, lots of avenues of research are still open for a post-quantum signature scheme that works with the protocols we use nowadays. Let the science begin!&lt;/p&gt; &lt;p&gt;&lt;strong&gt;EDIT&lt;/strong&gt;: Thank you Peter Schwabe, Andreas Hülsing, Gustavo Banegas and Carsten Baum for pointing out additions needed and fixes to be made.&lt;/p&gt; </description> <pubDate>2022-07-05T00:00:00+00:00</pubDate> <link>http://claucece.github.io//2022/07/05/pq-signatures.html</link> <guid isPermaLink="true">http://claucece.github.io//2022/07/05/pq-signatures.html</guid> </item> <item> <title>Loading times..</title> <description>&lt;p&gt;&lt;em&gt;Some loading thoughts&lt;/em&gt;&lt;/p&gt; &lt;p&gt;Post-quantum cryptography is coming. Sometime soon, it has been said. There are many challenges in that area (some of which we have outlined &lt;a href=&quot;https://blog.cloudflare.com/post-quantum-taxonomy/&quot;&gt;here&lt;/a&gt;). There is, however, a big question that still pokes at my head: if post-quantum cryptography may potentially slow our connections, how slow is &lt;em&gt;too slow&lt;/em&gt; for end-users?&lt;/p&gt; &lt;p&gt;In order to answer this question, I first wanted to dig into how fast websites should load in 2022. My findings seem to be that ‘every second counts’. 
Let’s see now why.&lt;/p&gt; &lt;h2 id=&quot;faster-is-better-and-less-is-more&quot;&gt;“Faster is better and less is more”&lt;/h2&gt; &lt;p&gt;In 2017, it was &lt;a href=&quot;https://www.thinkwithgoogle.com/intl/en-ca/marketing-strategies/app-and-mobile/mobile-page-speed-new-industry-benchmarks/&quot;&gt;reported that&lt;/a&gt; “the average time it takes to fully load a mobile landing page is 22 seconds”. Yet, “53% of visits are abandoned if a mobile site takes longer than three seconds to load”. The reasons for this abandonment seem to vary, but it is still worth noting that users mainly remain on websites when loading them on desktop rather than on mobile devices.&lt;/p&gt; &lt;p&gt;Prior to analyzing why users leave websites, we first need to understand something:&lt;/p&gt; &lt;ol&gt; &lt;li&gt;A website perceived as ‘slow’ by one user can be perceived as ‘fast’ by another, due to personal feelings or cultural perceptions.&lt;/li&gt; &lt;li&gt;A ‘fast’ website can be ‘fast’ for a user because they are on a fast network with a powerful device. The same ‘fast’ website can be perceived as ‘slow’ by someone on a slow network with a not-so-powerful device.&lt;/li&gt; &lt;li&gt;A site can be perceived as loading ‘faster’ if content is progressively loaded.&lt;/li&gt; &lt;li&gt;A site can be perceived as ‘loaded fast’ but ‘slow’ to interact with.&lt;/li&gt; &lt;/ol&gt; &lt;p&gt;&lt;br /&gt; “Historically, web performance has been measured with the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;load&lt;/code&gt; event. However, even though load is a well-defined moment in a page’s lifecycle, that moment doesn’t necessarily correspond with anything the user cares about.&lt;/p&gt; &lt;p&gt;For example, a server could respond with a minimal page that “loads” immediately but then defers fetching content and displaying anything on the page until several seconds after the load event fires. 
While such a page might technically have a fast load time, that time would not correspond to how a user actually experiences the page loading.”, as noted &lt;a href=&quot;https://web.dev/user-centric-performance-metrics/#types-of-metrics&quot;&gt;here&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;Rather than relying on &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;load&lt;/code&gt;, there seem to be two main user-centered metrics to take into account:&lt;/p&gt; &lt;ol&gt; &lt;li&gt;&lt;a href=&quot;https://web.dev/lcp/&quot;&gt;Largest Contentful Paint (LCP)&lt;/a&gt;: measures perceived load speed, as it marks the point in the page load timeline when the page’s main content has likely loaded.&lt;/li&gt; &lt;li&gt;&lt;a href=&quot;https://web.dev/fcp/&quot;&gt;First Contentful Paint (FCP)&lt;/a&gt;: measures perceived load speed, as it marks the first point in the page load timeline when the user sees anything on the screen.&lt;/li&gt; &lt;/ol&gt; &lt;p&gt;&lt;br /&gt; To provide a good user experience, sites should strive to have an LCP of 2.5 seconds or less. This is roughly based on the research of &lt;a href=&quot;https://dl.acm.org/doi/10.1145/1476589.1476628&quot;&gt;Miller&lt;/a&gt; and &lt;a href=&quot;https://dl.acm.org/doi/10.1145/108844.108874&quot;&gt;Card et al&lt;/a&gt;: the amount of time a user will wait before losing focus ranges from roughly 0.3 to 3 seconds. Speed then continues to be a core vital for users to engage with a website or not. FCP needs to be fast as well (1.8 seconds or less), 
as users need to be reassured that something is happening.&lt;/p&gt; &lt;p&gt;Yet, &lt;a href=&quot;https://www.thinkwithgoogle.com/intl/en-ca/marketing-strategies/app-and-mobile/mobile-page-speed-new-industry-benchmarks/&quot;&gt;as reported by Google in 2017&lt;/a&gt;, “for 70% of the pages we analyzed, it took nearly seven seconds for the visual content above the fold to display on the screen, and it took more than 10 seconds to fully load all visual content above and below the fold.” They also found that less is definitely better for website loading: “70% of pages were over 1MB, 36% over 2MB and 12% over 4MB. That’s enormous for a single mobile page, given that 1.49MB takes seven seconds to load using a fast 3G connection. One image in particular caught our attention: It weighed a whopping 16MB.”&lt;/p&gt; &lt;p&gt;Given these metrics, even my site has bad loading times (as &lt;a href=&quot;https://www.thinkwithgoogle.com/feature/testmysite/&quot;&gt;tested here&lt;/a&gt;): &lt;img src=&quot;/assets/loading.png&quot; alt=&quot;my site having bad user loading times&quot; title=&quot;My loading times&quot; /&gt;&lt;/p&gt; &lt;h2 id=&quot;does-tls-make-websites-slow-what-about-post-quantum&quot;&gt;Does TLS make websites slow? What about post-quantum?&lt;/h2&gt; &lt;p&gt;So, let’s go back to the question. The reason why we need post-quantum cryptography is the arrival of quantum computers and the &lt;a href=&quot;https://blog.cloudflare.com/quantum-solace-and-spectre/&quot;&gt;threat to cryptography they pose&lt;/a&gt;. Where are we mainly going to be using post-quantum cryptography? We will mainly need to incorporate it into TLS.&lt;/p&gt; &lt;p&gt;The good news is that today TLS is fast. Usually, communicating over an encrypted channel introduces additional costs, due to the asymmetric and symmetric cryptographic operations involved. Modern hardware, though, has minimized these costs. 
The usage of resumption mechanisms, such as “zero round trip” (0-RTT), has minimized it as well (for more explanations around the matter, see &lt;a href=&quot;https://istlsfastyet.com/&quot;&gt;this article&lt;/a&gt;).&lt;/p&gt; &lt;p&gt;Does this mean that the same will happen when we migrate TLS to post-quantum cryptography? Potentially, no. It first depends on the type of post-quantum cryptography that will be used (lattices are faster than isogenies, for example). Second, it depends on whether the newly introduced cryptography will cause extra round-trips at the network layer or not. And, third, it is still debated how these extra costs will impact the user-centered metrics that we just outlined.&lt;/p&gt; &lt;p&gt;So far, there has not been much research on the impact of post-quantum cryptography on end-users: will users see the web loading times they have grown accustomed to degrade? Will users care if the loading time is slightly increased? Will it be more visible on the mobile experience?&lt;/p&gt; &lt;p&gt;I’m now seeking to explore these questions further, as well as the understanding of metrics that take the user experience into account, as &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;load&lt;/code&gt; metrics seem to not be enough.&lt;/p&gt; </description> <pubDate>2022-03-12T00:00:00+00:00</pubDate> <link>http://claucece.github.io//2022/03/12/loading.html</link> <guid isPermaLink="true">http://claucece.github.io//2022/03/12/loading.html</guid> </item> <item> <title>Women in science groups</title> <description>&lt;p&gt;&lt;em&gt;Hear me as a woman. Have me as your sister.&lt;/em&gt; -Amanda Gorman&lt;/p&gt; &lt;p&gt;Here, I’d like to use this place to list some of the amazing women in science groups that help with supporting women, and with creating inclusive and diverse environments. 
I’ll try to update this list regularly:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href=&quot;https://www.ietf.org/about/groups/ietf-systers/&quot;&gt;IETF Systers&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href=&quot;https://www.wiqd.nl/&quot;&gt;Women in Quantum Development&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href=&quot;https://www.athenasangels.nl/en/angels-alerts&quot;&gt;Angel Alerts&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href=&quot;https://womeninnumbertheory.org/&quot;&gt;Women in number theory&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href=&quot;https://simons.berkeley.edu/workshops/women-theory&quot;&gt;Women in Theory 2021&lt;/a&gt;&lt;/li&gt; &lt;/ul&gt; &lt;p&gt;&lt;br /&gt; Soon, there will be a women in cryptography group ;)&lt;/p&gt; &lt;p&gt;Some first-hand experiences of discrimination and their impacts:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href=&quot;https://blog.qutech.nl/2022/03/08/i-didnt-know-that-we-allowed-whores-in-the-lab/&quot;&gt;“I didn’t know that we allowed whores in the lab”&lt;/a&gt; by Anne-Marije Zwerver&lt;/li&gt; &lt;li&gt;&lt;a href=&quot;https://sites.google.com/site/numberlandadventures/&quot;&gt;Alice’s Adventures in Numberland&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href=&quot;https://www.youtube.com/watch?v=F469X3NJnys&amp;amp;ab_channel=TAUVOD&quot;&gt;The Consequences of Under representation in Cybersecurity&lt;/a&gt; by Prof. Allison Bishop&lt;/li&gt; &lt;/ul&gt; </description> <pubDate>2022-03-09T00:00:00+00:00</pubDate> <link>http://claucece.github.io//2022/03/09/women-groups.html</link> <guid isPermaLink="true">http://claucece.github.io//2022/03/09/women-groups.html</guid> </item> <item> <title>1:1s and management</title> <description>&lt;p&gt;&lt;em&gt;Why I love good 1:1s&lt;/em&gt;&lt;/p&gt; &lt;p&gt;These days, I’ve been reflecting. Reflecting on the status of the world, research, and many other things. On the work side, I’ve been reflecting on how to properly run teams and how to make people be heard. 
I’m no expert on this and, while I do have some management and leadership experience, I have lots of things to learn. I have managed/led 3 teams now of various sizes. My first experience with managing a team was a disaster: I failed in every way. But I’ve learned to do better. Here, I’d like to share things that I’ve learned, books and advice that have helped me, and how to add diversity and inclusion into managing. What I would mostly like to focus on in this blog post are 1:1s and why they are a central core to any team dynamic. I’ll be talking about my experience over the years as a member of the software community. Recently, I led (in a small way) a team of people that I absolutely loved. So here are some of my reflections.&lt;/p&gt; &lt;h2 id=&quot;11s&quot;&gt;1:1s&lt;/h2&gt; &lt;p&gt;&lt;br /&gt;&lt;/p&gt; &lt;p&gt;We all know what 1:1s are; we all have had them. But sometimes we don’t know what a &lt;em&gt;good&lt;/em&gt; 1:1 is. For me, 1:1s are an opportunity to learn what the successes, challenges and needs of a person are. It is not a status update or reporting. It is the most vital process that a manager/lead must always hold.&lt;/p&gt; &lt;p&gt;I once had a manager/lead that wanted to cancel all their 1:1s in the team, or to reduce them to 15 minutes. They had too many other things to do and other important meetings to attend. I also had a leader that canceled all of our 1:1s. This leader first started by canceling our 1:1 by sending a note over chat; then, they canceled them by sending an email; then, they canceled by clicking ‘no’ on the video invitation; and, then, they just removed it from the calendar with no notification. These two examples, at least for me, are a big mistake. What these two examples said to me was: “I, as a manager/lead, do not value your work, and see no use in talking to you”.&lt;/p&gt; &lt;p&gt;1:1s are perhaps the most important meeting one can have in order to understand the health and the needs of a team. 
You cannot understand what a person needs from second-hand telling, assumptions or gossip. You need to go to the source to understand any need. And, yet, 1:1s are the type of meeting that is most likely to be canceled.&lt;/p&gt; &lt;p&gt;Perhaps the reason why they get canceled is that there is a misunderstanding of what they are for. 1:1s are not status or report meetings. Status can be the introduction or the framing, but not the core of the meeting. A healthy 1:1 is strategic: they must be valuable conversations.&lt;/p&gt; &lt;p&gt;1:1s are about moving information in such a way that communication becomes helpful. If you, as a manager, expect to go to a 1:1 and have an employee just recite what they have been doing all week, then that meeting is useless. It is useless for the employee, as no help has been given; it is just a repetition of a task. This is also the reason why I hate status reports.&lt;/p&gt; &lt;p&gt;From “Managing Humans” by Michael Lopp:&lt;/p&gt; &lt;p&gt;      “My belief is that e-mail-based status reports are one of the clearest and best signs of managerial incompetence and laziness. There are always compelling reasons why you need to generate these weekly e-mails. &lt;em&gt;We’re big enough that we need to cross-pollinate. It’s just 15 minutes of your time&lt;/em&gt;.&lt;/p&gt; &lt;p&gt;Bullshit. The presence of rigid, e-mail-based status reports comes down to control, a lack of imagination, and a lack of trust in the organization.&lt;/p&gt; &lt;p&gt;I want you to count the number of collaboration tools you use on a daily basis to do your job—not including e-mail. If you’re a software engineer, I’m guessing it’s a combination of version control, bug tracking, wikis, CRM, Slack, and/or project management software. 
All of these tools already automatically generate a significant amount of status regarding what has tactically gone down each week.&lt;/p&gt; &lt;p&gt;When someone—my boss or someone who outranks me—asks for a status report, my first thought is, “I’m already generating piles of status on these various tools; why not just look at those?”&lt;/p&gt; &lt;p&gt;&lt;em&gt;Well, there’s a lot of noise in those tools.&lt;/em&gt; So write a report that takes out the noise—collaboration tools are built around reporting. The status information is out there. In what managerial textbook does it say it’s a good idea to distribute the task of figuring out what is going on to the people who are performing the work? That’s, like, your job.&lt;/p&gt; &lt;p&gt;&lt;em&gt;Well, what I really want is your high-level assessment of the week. Three things that are working, three things that aren’t, and what we’re going to do about it.&lt;/em&gt; OK, now we’re talking. I can do a strategic assessment of the week, but why don’t we just put that at the beginning of the one-on-one? That way when you have questions (and you will), we can have a big fat debate.&lt;/p&gt; &lt;p&gt;&lt;em&gt;But I’d like to have a record I can review later.&lt;/em&gt; Super, feel free to write down anything we talk about.&lt;/p&gt; &lt;p&gt;Yes, status reports are a hot button for me. I’ve written hundreds of them and each time I’ve begun one, I start by thinking, “Why in the world do I feel like I’m performing an unnecessary act?” Status reports usually show up because a distant executive feels out of touch with part of his or her organization, and they believe getting everyone to efficiently document their week is going to help. It doesn’t. E-mailed status reports say one thing to 90 percent of the people who write them: “You don’t value my time.””&lt;/p&gt; &lt;p&gt;I whole-heartedly agree with the quoted text. When I go to 1:1s with people I mentor/lead/manage, I usually come prepared. 
I already know they have been working on &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;x&lt;/code&gt; feature because I reviewed the PR or saw it. I already know they are interested in working on &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;x&lt;/code&gt; because they said so in a team meeting or in a chat. I have ways to find out what they have been doing by looking at Jira tickets, attending project meetings, reading git commits, opening the slides of their presentations, and more. And, even if I don’t have all the information, I trust my colleagues to do the right work. I don’t need to micromanage anyone and I don’t need them to repeat statuses for me. Those statuses found in Jira and elsewhere, though, provide me with valuable information to discuss in our 1:1.&lt;/p&gt; &lt;p&gt;I usually write down the things I want to discuss in the 1:1s. They involve either coding together a solution, discussing the comments on a PR, figuring out together how to run a meeting, finding the strategy to move some work forward, and more. And, more importantly, they also involve finding opportunities. If a person casually says on chat or in a meeting that they are interested in &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;x&lt;/code&gt; project, then I usually try to dig more. How interested are they? Is there a paper around that project they would be interested in that I can share? Is there a person I can introduce them to? Is there a conference they can attend?&lt;/p&gt; &lt;p&gt;A 1:1 is also the place for me to share information that they might not know. This might include the strategy of a project or the overall goals of a new line of projects that are coming. This is very important because, in the absence of information, people start making up this information. And, worse, if they feel threatened, they make up information that amplifies their worst fears. 
So, it is important to state information clearly, especially strategic information.&lt;/p&gt; &lt;p&gt;1:1s should be about creating meaningful conversations. And sometimes, they become a vent. Something went wrong and people need to vent. That is ok; the job here is to listen and not to advise (yet). Let the vent pass, and then you can start finding solutions. But, if you don’t listen first, people will think you are not taking them seriously or that you are just there to shut them down. I have had these conversations and I have had to stay silent watching someone get it all off their chest. But only when the vent is finished can one start talking, because only then is it all out. I have also vented in the past to managers and I think we all have.&lt;/p&gt; &lt;p&gt;The worst kind of 1:1 is, as Lopp says, the Disaster.&lt;/p&gt; &lt;p&gt;      “Here are some tips on recognizing and handling the Disaster:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;The person you’re talking to isn’t him- or herself. As you’re sitting there weathering the Disaster, remember that you are experiencing an anomaly—a bizarre emotional version of the person that only shows up when they’re on the edge. The person you’re familiar with will show up . . . eventually.&lt;/li&gt; &lt;li&gt;Shut up. Really. Your primary job during the Disaster is to defuse, and you start defusing by contributing absolutely nothing. If you’re a logical, reasonable management type, you’ll be tempted to ask clarifying questions—to try to shape the problem. Don’t. Be quiet. Let the emotion pass. Here’s why . . .&lt;/li&gt; &lt;li&gt;It’s not about the issue anymore. You’re no longer experiencing the problem. You’re experiencing the employee’s emotional baggage regarding the problem. Sure, there’s the core issue, but that’s not what you’re currently observing. 
You’re seeing the extreme negative reaction to the issue, and that’s the first order of business.”&lt;/li&gt; &lt;/ul&gt; &lt;p&gt;&lt;br /&gt; A disaster, though, is the result of poor management. “When your employee believes totally losing their shit is a productive strategy, it’s because they believe it’s the only option left for making anything change” (Lopp). And, most of the time, they believe it is the last option they have.&lt;/p&gt; &lt;p&gt;I have had two memorable disaster 1:1s. In the first, I failed to listen and I failed to see my mistake. The employee resigned and I felt terrible. I later apologized (not once, but at least five times on different occasions) and now we are good friends. In the second, I listened and provided support. I couldn’t solve his problem: getting a much-deserved raise, because it was out of my control. But I tried, and showed him how much I tried. A disaster 1:1 can be recovered, but one needs to listen and provide actual support. A disaster is usually the result of miscommunication, so: “when communications are down, listen hard, repeat everything, and assume nothing” (Lopp).&lt;/p&gt; &lt;p&gt;1:1s are also the time to understand what someone wants, what their core motivation is. Do they want to lead? Do they want to be a team player? Do they want to only do technical work? Not all people are you, and you will need to learn who they are. A good way I use for this is to understand what kind of jokes they like, what tickles them. This usually allows me to start understanding them, and makes for a great way to break any tension.&lt;/p&gt; &lt;p&gt;1:1s are also a place to understand the health of a team. If people are not talking about their important matters in their 1:1s, then they don’t trust you. If you don’t actually listen to them, cancel their 1:1s, micromanage their work, and provide no support, people will not trust you. 
And people need to trust you.&lt;/p&gt; &lt;p&gt;It is also very important to believe whomever you are managing. This doesn’t mean believing them blindly; but if they brought up a topic in a 1:1 (a meeting that can be scary), then they actually felt like they needed to say something. Don’t treat it lightly and do believe them. This is especially important when talking about diversity and inclusion.&lt;/p&gt; &lt;p&gt;I remember once I had the experience of having an idea and a male member took credit for it. This is particularly important for me as a woman, as women are less recognized for the work they do and their contributions are usually diminished. I brought this to the attention of a manager who didn’t believe me and provided no support. There was no response plan and no prevention of recurrence. I lost my trust in that manager. Listen in 1:1s, understand your inner biases, seek to see other points of view, and take seriously instances where inclusion is being diminished.&lt;/p&gt; &lt;p&gt;I actually really like managing because I like people and I’ve loved everyone I have mentored/led/managed. I also see it as mental chess: trying to figure out what the next steps will be. But it is not an easy job: “my definition of a great manager is someone with whom you can make a connection no matter where you sit in the organization chart” (Lopp).&lt;/p&gt; &lt;p&gt;Things I personally value in managers (and that I try to do when mentoring or leading):&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Someone that knows what I’m doing, trusts that I do it well and that helps me if I get stuck.&lt;/li&gt; &lt;li&gt;Someone that does not hold my academic titles against me, and that knows that I’m technically capable (because women are often regarded as less technically capable than men).&lt;/li&gt; &lt;li&gt;Someone that listens carefully, and especially listens to what I’m asking for help with. 
Many times, one asks for help on one thing and it is assumed to be another.&lt;/li&gt; &lt;li&gt;Someone that values inclusion, mental-health help, and diversity.&lt;/li&gt; &lt;li&gt;Someone that works on their inner biases and learns about systematic discrimination.&lt;/li&gt; &lt;li&gt;Someone that celebrates wins with me.&lt;/li&gt; &lt;li&gt;Someone that tries to understand team members beyond work.&lt;/li&gt; &lt;li&gt;Someone that finds a way to give feedback that I feel comfortable with.&lt;/li&gt; &lt;/ul&gt; &lt;p&gt;&lt;br /&gt; Some resources that might help you:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href=&quot;https://docs.google.com/spreadsheets/d/11DoQ-Bhvs5mfRwB0Bz6OHwoChhFVK7u_KqlbFgR-ezY/edit#gid=0&quot;&gt;Interview Questions to ask as a candidate&lt;/a&gt; by the great Sarai Rosenberg.&lt;/li&gt; &lt;li&gt;&lt;a href=&quot;https://jvns.ca/blog/2013/12/30/questions-im-asking-in-interviews/&quot;&gt;Questions I’m asking in interviews&lt;/a&gt; by Julia Evans.&lt;/li&gt; &lt;li&gt;&lt;a href=&quot;https://chelseatroy.com/2018/05/04/questions-for-prospective-managers/&quot;&gt;Questions for Prospective Managers&lt;/a&gt; by Chelsea Troy.&lt;/li&gt; &lt;li&gt;&lt;a href=&quot;https://www.amazon.com/Managing-Humans-Humorous-Software-Engineering/dp/1430243147&quot;&gt;Managing Humans&lt;/a&gt; by Michael Lopp.&lt;/li&gt; &lt;li&gt;&lt;a href=&quot;https://www.bookdepository.com/Management-3.0-Jurgen-Appelo/9780321712479?redirected=true&amp;amp;utm_medium=Google&amp;amp;utm_campaign=Base1&amp;amp;utm_source=PT&amp;amp;utm_content=Management-3.0&amp;amp;selectCurrency=EUR&amp;amp;w=AF7DAU9SF7XBYKA8V3Y4&amp;amp;gclid=Cj0KCQiAmpyRBhC-ARIsABs2EAoEmWp7HB2p4BPv8dMtH24XJoMNkR1AGIi5yT9MlYasmnictgzvTRAaAqzzEALw_wcB&quot;&gt;Management 3.0&lt;/a&gt; by Jurgen Appelo&lt;/li&gt; &lt;li&gt;The advice of a manager/lead/mentor you loved working with.&lt;/li&gt; &lt;/ul&gt; </description> <pubDate>2022-03-08T00:00:00+00:00</pubDate> 
<link>http://claucece.github.io//2022/03/08/management-one-one.html</link> <guid isPermaLink="true">http://claucece.github.io//2022/03/08/management-one-one.html</guid> </item> <item> <title>Understanding Modern Number Theory: Divisibility</title> <description>&lt;p&gt;&lt;em&gt;God may not play dice with the universe, but something strange is going on with the prime numbers.&lt;/em&gt; — Paul Erdos&lt;/p&gt; &lt;p&gt;I always liked mathematics and logic. During my undergrad degree I spent hours devouring anything written by Wittgenstein, and finding out about Cantor and Gödel (in contrast to my high school years in which I obsessed over Nietzsche and Camus, and even read the whole ‘Phenomenology of the Spirit’ by Hegel to see where Nietzsche was coming from)&lt;sup&gt;&lt;a href=&quot;#foot1&quot;&gt;[1]&lt;/a&gt;&lt;/sup&gt;. I also read anything by Jorge Luis Borges, as his literary writing touches upon some mathematical concepts, while also deeply loving the way Borges writes. In the end, I studied them from a more philosophical perspective, as my degree was touching upon that, but I always dreamt of studying mathematics.&lt;/p&gt; &lt;p&gt;Getting access to these books and articles from these authors and more was always difficult as I didn’t have any money to buy them, so I spent hours in public libraries reading them. Some books also never reached my country, Ecuador, so sometimes I had to find the only copy in the country that some professor had and ask them to lend it to me for a time. I remember that once I wanted to read a specific book by Derrida and I found that one professor had it, but in its original French. My French is not the best but I succeeded in reading it, even when Derrida plays with the French language and basically deconstructs it. 
I’m also a woman, so sometimes I had to hide that I was reading something as ‘women are not supposed to read that’.&lt;/p&gt; &lt;p&gt;Some weeks ago, I had a very nice call with Steven Galbraith, and my interest in mathematics was renewed. So I decided to do what I do best: find books and read them.&lt;/p&gt; &lt;p&gt;The subsequent posts I will be writing are the result of my reading &lt;strong&gt;‘A Classical Introduction to Modern Number Theory’&lt;/strong&gt; by Kenneth Ireland and Michael Rosen, &lt;strong&gt;‘An Introduction to the Theory of Numbers’&lt;/strong&gt; by Ivan Niven, Herbert S. Zuckerman and Hugh L. Montgomery, and &lt;strong&gt;‘Introduction to Automata Theory, Languages and Computation’&lt;/strong&gt; by John E. Hopcroft, Rajeev Motwani and Jeffrey D. Ullman. In the future, I’ll also be reading &lt;strong&gt;‘Logical Foundations of Proof Complexity’&lt;/strong&gt; by Stephen Cook, &lt;strong&gt;‘Solved and Unsolved Problems in Number Theory’&lt;/strong&gt; by Daniel Shanks, &lt;strong&gt;‘The Arithmetic of Elliptic Curves’&lt;/strong&gt; and &lt;strong&gt;‘Advanced Topics in the Arithmetic of Elliptic Curves’&lt;/strong&gt; by Joseph H. Silverman.&lt;/p&gt; &lt;p&gt;As the book &lt;strong&gt;‘A Classical Introduction to Modern Number Theory’&lt;/strong&gt; states, “L. Kronecker once remarked (speaking of mathematics generally) that God made the natural numbers and all the rest is the work of man”. Number Theory is precisely the study of the natural numbers, also called the positive integers (although some definitions begin the natural numbers with ‘0’). 
Properties of these numbers have been studied for a very long time, and today we will be looking at divisibility.&lt;/p&gt; &lt;p&gt;A number &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;a&lt;/code&gt;, not zero, is said to divide another &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;b&lt;/code&gt; if there is a number &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;c&lt;/code&gt; such that &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;b = ac&lt;/code&gt;. We write this: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;a|b&lt;/code&gt;. &lt;br /&gt; For example, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;a = 3&lt;/code&gt;, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;b = 6&lt;/code&gt;: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;6 = 3 * 2&lt;/code&gt;.&lt;/p&gt; &lt;p&gt;This simple definition of divisibility can be further examined by listing its properties:&lt;/p&gt; &lt;ol&gt; &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;a|b&lt;/code&gt; implies &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;a|bc&lt;/code&gt; for any integer &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;c&lt;/code&gt;,&lt;/li&gt; &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;a|b&lt;/code&gt; and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;b|c&lt;/code&gt; imply &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;a|c&lt;/code&gt;,&lt;/li&gt; &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;a|b&lt;/code&gt; and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;a|c&lt;/code&gt; imply &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;a|(bx + cy)&lt;/code&gt; for any integers &lt;code class=&quot;language-plaintext 
highlighter-rouge&quot;&gt;x&lt;/code&gt; and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;y&lt;/code&gt;,&lt;/li&gt; &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;a|b&lt;/code&gt; and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;b|a&lt;/code&gt; imply &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;a = ±b&lt;/code&gt;,&lt;/li&gt; &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;a|b&lt;/code&gt;, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;a &amp;gt; 0&lt;/code&gt;, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;b &amp;gt; 0&lt;/code&gt;, imply &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;a ≤ b&lt;/code&gt;,&lt;/li&gt; &lt;li&gt;if &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;m ≠ 0&lt;/code&gt;, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;a|b&lt;/code&gt; implies and is implied by &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;ma|mb&lt;/code&gt;.&lt;/li&gt; &lt;/ol&gt; &lt;p&gt;&lt;br /&gt;&lt;/p&gt; &lt;p&gt;Each of these properties is a theorem and should be proven, as they have already been in the past. Why is a proof important? A proof is an inferential argument&lt;sup&gt;&lt;a href=&quot;#foot2&quot;&gt;[2]&lt;/a&gt;&lt;/sup&gt; showing that an assumption logically guarantees a conclusion. Sometimes just finding an example is enough to provide a proof of a theorem, for example: “there is a positive number that is not the sum of three squares” can be proven by noting that 7 is such a number. But other statements are harder to prove.&lt;/p&gt; &lt;p&gt;In software programming, one might say that it is enough to run a program to see that it works: but, most of the time, you cannot run a program on every possible input that it will be given. 
That is why proofs are needed.&lt;/p&gt; &lt;p&gt;There are many methods for providing a proof: direct proof, proof by contradiction, proof by contraposition, proof by construction, inductive proofs and more.&lt;/p&gt; &lt;p&gt;Returning to the idea of divisibility: if we are given a number, it is tempting to factor it repeatedly until further factorization is impossible. Numbers that cannot be factored any further are called primes. An integer &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;p &amp;gt; 1&lt;/code&gt; is a prime number in case there is no divisor &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;d&lt;/code&gt; of &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;p&lt;/code&gt; satisfying &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;1 &amp;lt; d &amp;lt; p&lt;/code&gt;. If an integer &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;a &amp;gt; 1&lt;/code&gt; is not a prime, it is called a composite.&lt;/p&gt; &lt;p&gt;When one looks at primes one can ask: can every even number greater than 2 be written as the sum of two primes? This is known as the Goldbach conjecture, which has not yet been proven. This problem belongs to the ‘additive’ problems around primes, but we will look at a problem among the ‘multiplicative’ ones that has been proven:&lt;/p&gt; &lt;h2&gt;Theorem&lt;/h2&gt; &lt;p&gt;Every integer greater than 1 can be expressed as a product of primes.&lt;/p&gt; &lt;h2&gt;Proof&lt;/h2&gt; &lt;p&gt;If the given integer &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;n&lt;/code&gt; is a prime, then the integer itself stands as a product with a single factor.&lt;/p&gt; &lt;p&gt;If the given integer &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;n&lt;/code&gt; is not a prime, then it can be factored into &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;n_1 * n_2&lt;/code&gt;. 
If &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;n_1&lt;/code&gt; is not a prime, then it can be factored into &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;n_3 * n_4&lt;/code&gt;. The same for &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;n_2&lt;/code&gt;. This process of writing each composite as a product of factors will end at some point, since the factors are smaller than the composite itself and each factor is an integer greater than 1.&lt;/p&gt; &lt;p&gt;We can provide a proof by contradiction for this as well:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;We rewrite the statement as ‘If an integer is greater than 1 then it can be expressed as a product of primes’.&lt;/li&gt; &lt;li&gt;We construct the contradiction (“H and not C implies falsehood”): ‘If an integer is greater than 1 then it cannot be expressed as a product of primes’.&lt;/li&gt; &lt;li&gt;Define &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;N = the smallest integer greater than 1 that cannot be expressed as product of primes&lt;/code&gt;. &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;N&lt;/code&gt; cannot be a prime, as it would then stand as a product with a single factor. Therefore &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;N = n*m&lt;/code&gt;, where &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;n&lt;/code&gt; and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;m&lt;/code&gt; are greater than 1 and smaller than &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;N&lt;/code&gt;. As both &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;n&lt;/code&gt; and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;m&lt;/code&gt; are smaller than &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;N&lt;/code&gt;, each can be expressed as a product of primes, and so their product &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;N&lt;/code&gt; can be as well. 
This is a contradiction.&lt;/li&gt; &lt;/ul&gt; &lt;p&gt;&lt;br /&gt; Canonically, this can be worded as:&lt;/p&gt; &lt;center&gt; Every positive integer n &amp;gt; 1 can be represented in exactly one way as a product of prime powers: &lt;/center&gt; &lt;p&gt;&lt;img src=&quot;https://wikimedia.org/api/rest_v1/media/math/render/svg/22f8cf10ecd16a6f7dc6d97338d84be9c369a3f7&quot; /&gt;&lt;/p&gt; &lt;p&gt;The representation of &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;n&lt;/code&gt; as a product of primes is called the canonical factoring of &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;n&lt;/code&gt; into prime powers. Gauss was the first to provide a proof for this, and it is known as the fundamental theorem of arithmetic. Notably, in some of the number systems studied in algebraic number theory, unique factorization fails to hold. A simple example shows how this can happen:&lt;/p&gt; &lt;p&gt;Let’s consider &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;S&lt;/code&gt; the class of positive even integers (2, 4, 6, 8, 10…) and only those. &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;S&lt;/code&gt; is a multiplicative system in that the product of any two elements in it is found in &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;S&lt;/code&gt; as well. Then &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;8 = 4 * 2&lt;/code&gt; is a “composite”, as the factors exist in &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;S&lt;/code&gt;; on the contrary, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;10&lt;/code&gt; is a “prime” as there are no factors in &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;S&lt;/code&gt; that factor it. The number 60 has two factorings into “primes”: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;60 = 2 * 30&lt;/code&gt; and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;60 = 6 * 10&lt;/code&gt;. 
Factorization is, therefore, not unique in this case. This can be extended to other classes as well.&lt;/p&gt; &lt;p&gt;This is a small summary of reading the first chapters of the listed books. Up next, we will look more at unique factorization and the binomial theorem. We will also look at Finite Automata in a different post.&lt;/p&gt; &lt;h2 id=&quot;fascinating-things-i-learned&quot;&gt;Fascinating things I learned&lt;/h2&gt; &lt;p&gt;&lt;br /&gt; If &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;g&lt;/code&gt; is the greatest common divisor of &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;b&lt;/code&gt; and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;c&lt;/code&gt;, then there exist integers &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;x_0&lt;/code&gt; and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;y_0&lt;/code&gt; such that &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;g = (b, c) = bx_0 + cy_0&lt;/code&gt;, which means that the g.c.d. of two integers &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;b&lt;/code&gt; and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;c&lt;/code&gt; is expressible as a linear combination of &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;b&lt;/code&gt; and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;c&lt;/code&gt; with integral multipliers &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;x_0&lt;/code&gt; and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;y_0&lt;/code&gt;. This is simply beautiful.&lt;/p&gt; &lt;hr /&gt; &lt;p id=&quot;foot1&quot; style=&quot;font-size: 16px;&quot;&gt;[1] My high school was a really catholic Opus Dei one, and we were forbidden from reading anything Nietzsche-Sartre-Camus-Marx-like. 
Rebel that I was, I read them all.&lt;/p&gt; &lt;p id=&quot;foot2&quot; style=&quot;font-size: 16px;&quot;&gt;[2] As defined by Aristotle by either using induction or deduction. Peirce provided a third type of inference, &apos;abduction&apos;.&lt;/p&gt; </description> <pubDate>2021-03-05T00:00:00+00:00</pubDate> <link>http://claucece.github.io//2021/03/05/unique-factorization.html</link> <guid isPermaLink="true">http://claucece.github.io//2021/03/05/unique-factorization.html</guid> </item> <item> <title>KEMTLS and Cloudflare: designing and implementing for the real world</title> <description>&lt;p&gt;&lt;em&gt;Running post-quantum experiments&lt;/em&gt;&lt;/p&gt; &lt;p&gt;This article has also been posted to &lt;a href=&quot;https://thomwiggers.nl/talk/post-quantum-tls-without-handshake-signatures-at-rwc-2021/&quot;&gt;Thom Wiggers’s blog&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;Fundamentally, the Transport Layer Security protocol (TLS), which secures most Internet connections, has mainly been a key exchange authenticated by digital signatures&lt;sup&gt;&lt;a href=&quot;#foot1&quot;&gt;[1]&lt;/a&gt;&lt;/sup&gt;. Even though it has undergone major changes since 1994, when SSL 1.0 was introduced by Netscape, its main mechanism has remained the same. The key exchange that is used was first based on RSA and later on (elliptic curve) Diffie-Hellman. The signatures used for authentication have almost always been RSA-based, though in recent years other kinds of signatures have been adopted, mainly ECDSA and Ed25519. This recent change to elliptic curve cryptography at both the key exchange and signature level has resulted in considerable speed and bandwidth benefits in comparison to classic Diffie-Hellman and RSA.&lt;/p&gt; &lt;p&gt;TLS is the main protocol that protects the connections we use every day. It is everywhere: it is used when we buy products online, when we register for a newsletter or when we access any kind of website. 
But, with the imminent threat of &lt;a href=&quot;https://blog.cloudflare.com/securing-the-post-quantum-world/&quot;&gt;the arrival of quantum computers&lt;/a&gt; (a threat that seems to be getting closer and closer), we need to reconsider the future of TLS. &lt;a href=&quot;https://blog.cloudflare.com/the-tls-post-quantum-experiment/&quot;&gt;A wide-scale post-quantum experiment&lt;/a&gt; was carried out by Cloudflare and Google: two post-quantum key exchanges were integrated into Cloudflare’s TLS stack and deployed at their edge servers and in Chrome Canary clients. The goal of that experiment was to evaluate the performance and feasibility of deployment of two post-quantum key exchanges in TLS.&lt;/p&gt; &lt;p&gt;Similar experiments have been proposed for introducing post-quantum algorithms into the TLS handshake itself. Unfortunately, it seems infeasible to replace both the key exchange and signature with post-quantum primitives, as post-quantum cryptographic primitives are bigger, or slower (or both) than their predecessors. The proposed algorithms under consideration in the &lt;a href=&quot;https://csrc.nist.gov/Projects/post-quantum-cryptography/round-3-submissions&quot;&gt;NIST post-quantum standardization process&lt;/a&gt; use larger mathematical objects than what is used for elliptic curves, traditional Diffie-Hellman or RSA. As a result, the size of public keys, signatures and key exchange material is much bigger than those from elliptic curves, Diffie-Hellman or RSA.&lt;/p&gt; &lt;p&gt;How can we solve this problem? How can we use post-quantum algorithms as part of the TLS handshake without making the material too big to be transmitted? In this blogpost, we will introduce a new mechanism for making this happen, explain how it can be integrated into the TLS 1.3 handshake and talk about implementation details. 
The key observation in this mechanism is that, while post-quantum algorithms have bigger communication size than their predecessors, post-quantum &lt;strong&gt;key exchanges&lt;/strong&gt; have somewhat smaller sizes than post-quantum &lt;strong&gt;signatures&lt;/strong&gt;, so we can try to replace signatures with key exchanges in some places to save space. We will only focus on the TLS 1.3 handshake as it is the TLS version that should be currently used.&lt;/p&gt; &lt;h2 id=&quot;the-past-experiments-making-the-traditional-tls-13-handshake-post-quantum&quot;&gt;The past experiments: making the traditional TLS 1.3 handshake post-quantum&lt;/h2&gt; &lt;p&gt;&lt;a href=&quot;https://tools.ietf.org/html/rfc8446&quot;&gt;TLS 1.3&lt;/a&gt; was introduced in August 2018 with many security and performance improvements (notably, having only one round-trip to complete the handshake). But TLS 1.3 is designed for a world with classical computers, and some of its functionalities will be broken by quantum computers when they arrive.&lt;/p&gt; &lt;p&gt;The primary goals of TLS 1.3 are to provide authentication (the server side of the channel is always authenticated, the client side is optionally authenticated), confidentiality and integrity by using a handshake protocol and a record protocol. The handshake protocol, the one of interest for us today, establishes the cryptographic parameters for securing and authenticating a connection. 
It can be thought of as having three main phases, as defined in &lt;a href=&quot;https://tools.ietf.org/html/rfc8446&quot;&gt;RFC8446&lt;/a&gt;:&lt;/p&gt; &lt;ul&gt; &lt;li&gt; &lt;p&gt;The &lt;strong&gt;Parameter Negotiation&lt;/strong&gt; phase (referred to as ‘Server Parameters’ in RFC8446), which establishes some handshake parameters (whether the client is authenticated, application-layer protocol support, etc).&lt;/p&gt; &lt;/li&gt; &lt;li&gt; &lt;p&gt;The &lt;strong&gt;Key Exchange&lt;/strong&gt; phase, which establishes shared keying material and selects the cryptographic parameters to be used. Everything after this phase will be encrypted.&lt;/p&gt; &lt;/li&gt; &lt;li&gt; &lt;p&gt;The &lt;strong&gt;Authentication&lt;/strong&gt; phase, which authenticates the server (and, optionally, the client) and provides key confirmation and handshake integrity.&lt;/p&gt; &lt;/li&gt; &lt;/ul&gt; &lt;p&gt;&lt;br /&gt; The main idea of past experiments that introduced post-quantum algorithms into the handshake of TLS 1.3 was to use them in place of classical algorithms by advertising them as part of the &lt;a href=&quot;https://tools.ietf.org/html/rfc8446#section-4.2.7&quot;&gt;supported groups&lt;/a&gt; (an extension used by the client to indicate which named groups -Elliptic Curve Groups, Finite Field Groups- it supports for key exchange) and &lt;a href=&quot;https://tools.ietf.org/html/rfc8446#section-4.2.8&quot;&gt;key share&lt;/a&gt; (an extension which contains the endpoint’s cryptographic parameters) extensions, and, therefore, establishing with them the negotiated connection parameters. Key encapsulation mechanisms (KEMs) are an abstraction of the basic key exchange primitive and were used to generate the shared secrets. 
In the case of using a &lt;a href=&quot;https://tools.ietf.org/html/rfc8446#section-4.2.11&quot;&gt;pre-shared key&lt;/a&gt;, its symmetric algorithms can be easily replaced by post-quantum KEMs as well; and, in the case of password-authenticated TLS, there have been some &lt;a href=&quot;https://eprint.iacr.org/2017/1192.pdf&quot;&gt;proposed ideas&lt;/a&gt; on how to use post-quantum algorithms with them.&lt;/p&gt; &lt;p&gt;&lt;img src=&quot;/images/tls.png&quot; alt=&quot;TLS and PQKEMs&quot; /&gt;&lt;/p&gt; &lt;p&gt;Most of the above ideas only provide what is often defined as ‘transitional security’, as their main focus is providing quantum-resistant confidentiality, but they do not take into account quantum-resistant authentication. The idea of using post-quantum signatures for TLS authentication is possible, but the sizes of post-quantum signatures are larger than traditional ones. Furthermore, it is worth noting that using &lt;a href=&quot;https://csrc.nist.gov/Presentations/2019/the-2nd-round-of-the-nist-pqc-standardization-proc&quot;&gt;post-quantum signatures is much heavier than using post-quantum KEMs&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;We can estimate the impact of such a replacement on network traffic by simply looking at the sum of the cryptographic objects that are transmitted during the handshake. In a typical TLS 1.3 handshake using elliptic curve X25519 and RSA-2048, such a handshake would transmit 1376 bytes corresponding to: the public keys for key exchange, the certificate, the signature of the handshake, and the certificate chain. If we were to replace X25519 by the post-quantum KEM &lt;a href=&quot;https://pq-crystals.org/kyber/&quot;&gt;Kyber512&lt;/a&gt; and RSA by the post-quantum signature &lt;a href=&quot;https://pq-crystals.org/dilithium/&quot;&gt;Dilithium II&lt;/a&gt;, two of the more efficient proposals, the size of the transmitted data would increase to 10036&lt;sup&gt;&lt;a href=&quot;#foot2&quot;&gt;[2]&lt;/a&gt;&lt;/sup&gt; bytes. 
This increase is mostly due to the sizes of the objects produced by the post-quantum signature algorithm.&lt;/p&gt; &lt;p&gt;The question then is: how can we achieve full post-quantum security and still create a handshake that is efficient enough to be used?&lt;/p&gt; &lt;h1 id=&quot;a-more-efficient-proposal-kemtls&quot;&gt;A more efficient proposal: KEMTLS&lt;/h1&gt; &lt;p&gt;There is a long history of other mechanisms, besides signatures, being used for authentication. Modern protocols, such as the Signal protocol, the Noise framework or WireGuard, rely on key exchange mechanisms for authentication, which are somewhat unsuitable for the TLS 1.3 case as they expect the long-term key material to be known in advance by the interested parties.&lt;/p&gt; &lt;p&gt;The &lt;a href=&quot;https://eprint.iacr.org/2015/978.pdf&quot;&gt;OPTLS proposal&lt;/a&gt; by Krawczyk and Wee authenticates the TLS handshake without signatures by using a non-interactive key exchange (NIKE). However, the only somewhat efficient construction for a post-quantum NIKE is CSIDH, the security of which is the subject of ongoing debate. But we can build on this idea by using KEMs for authentication. KEMTLS, the currently proposed experiment, replaces the handshake signature by a post-quantum KEM key exchange. It was designed and introduced by Peter Schwabe, Douglas Stebila and Thom Wiggers in the publication &lt;a href=&quot;https://thomwiggers.nl/publication/kemtls/kemtls.pdf&quot;&gt;‘Post-Quantum TLS Without Handshake Signatures’&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;KEMTLS, therefore, achieves the same goals as TLS 1.3 (authentication, confidentiality and integrity) in the face of quantum computers. One small difference compared to the TLS 1.3 handshake is that KEMTLS allows the client to send encrypted application data starting from the second client-to-server TLS message flow when client authentication is not required, and from the third client-to-server TLS message flow when mutual authentication is required. 
Note that with TLS 1.3 the server is able to send encrypted and authenticated application data in its first response message (although, in most uses of TLS 1.3, this feature is not actually used). With KEMTLS, then, when client authentication is not required, the client is able to send its first encrypted application data after the same number of handshake round trips as in TLS 1.3.&lt;/p&gt; &lt;p&gt;Intuitively, the handshake signature in TLS 1.3 proves possession of the private key corresponding to the public key certified in the TLS 1.3 server certificate. For these signature schemes, this is the straightforward way to prove possession; but it’s also possible to provide such a proof through key exchanges. By carefully considering the key derivation sequence, only the server holding the private key that corresponds to the certified public key can decrypt any messages sent by the client to the server. Therefore, implicit authentication is achieved. It is worth noting that KEMTLS still relies on signatures by certificate authorities to authenticate the long-term KEM keys.&lt;/p&gt; &lt;p&gt;As noted, the application data KEMTLS transmits during the handshake is implicitly, rather than explicitly (as in TLS 1.3), authenticated, and has slightly weaker downgrade resilience and forward secrecy; but full downgrade resilience and forward secrecy are achieved once the KEMTLS handshake completes.&lt;/p&gt; &lt;div class=&quot;post-box&quot;&gt; &lt;img src=&quot;/images/traditional_tls.png&quot; alt=&quot;TLS 1.3 Handshake&quot; style=&quot;height:700px;&quot; /&gt; &lt;img src=&quot;/images/pq_tls.png&quot; alt=&quot;KEMTLS Handshake&quot; style=&quot;height:600px;&quot; /&gt; &lt;/div&gt; &lt;p style=&quot;font-size: 18px; text-align: right; margin-right: 50px;&quot;&gt;Comparison of both handshakes: Classic TLS 1.3 one (left), KEMTLS one (right)&lt;/p&gt; &lt;p&gt;By replacing the handshake signature by a KEM key exchange, we reduce the size of the data transmitted in the 
example handshake using Kyber512 and Dilithium II to 8344 bytes, a significant reduction. Even for algorithms, such as the NTRU-assumption-based KEM NTRU and the signature algorithm Falcon, that have a less-pronounced size gap, we still save bytes. KEM operations are typically computationally much lighter than signing operations as well, which makes the reduction even more significant.&lt;/p&gt; &lt;p&gt;KEMTLS was presented at ACM CCS 2020. You can read more about its details in the &lt;a href=&quot;https://thomwiggers.nl/publication/kemtls/kemtls.pdf&quot;&gt;paper&lt;/a&gt;. It was initially implemented in the &lt;a href=&quot;https://github.com/thomwiggers/kemtls-experiment&quot;&gt;RustTLS library&lt;/a&gt; by Thom Wiggers using optimized C/assembly implementations of the post-quantum algorithms provided by the &lt;a href=&quot;https://github.com/PQClean/PQClean&quot;&gt;PQClean&lt;/a&gt; and &lt;a href=&quot;https://openquantumsafe.org/&quot;&gt;Open Quantum Safe&lt;/a&gt; projects.&lt;/p&gt; &lt;h2 id=&quot;cloudflare-and-kemtls-the-implementation&quot;&gt;Cloudflare and KEMTLS: the implementation&lt;/h2&gt; &lt;p&gt;As part of our effort to show that TLS can be completely post-quantum safe, we implemented the full KEMTLS handshake on top of Golang’s TLS 1.3 suite. The implementation was done in several steps:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;We first needed to clone our own version of Golang, so we could add different post-quantum algorithms to it. You can find our own version &lt;a href=&quot;https://github.com/cloudflare/go/&quot;&gt;here&lt;/a&gt;. 
This code gets constantly updated with every release of Golang, following &lt;a href=&quot;https://github.com/cloudflare/go/wiki/Starting-out&quot;&gt;these steps&lt;/a&gt;.&lt;/li&gt; &lt;li&gt;We needed to implement post-quantum algorithms in Golang, which we did in our own cryptographic library &lt;a href=&quot;https://github.com/cloudflare/circl/tree/master/kem&quot;&gt;CIRCL&lt;/a&gt;.&lt;/li&gt; &lt;li&gt;As we cannot force Certificate Authorities to use certificates with long-term post-quantum KEM keys, we decided to use &lt;a href=&quot;https://blog.cloudflare.com/keyless-delegation/&quot;&gt;Delegated Credentials&lt;/a&gt;. A delegated credential is a short-lived key that the certificate’s owner has delegated for use in TLS 1.3. Therefore, they can be used to carry post-quantum KEM keys. See its implementation in our Golang code &lt;a href=&quot;https://github.com/cloudflare/go/tree/cf-delegated-credentials&quot;&gt;here&lt;/a&gt;.&lt;/li&gt; &lt;li&gt;We implemented mutual-auth (client and server authentication) KEMTLS by using Delegated Credentials for the authentication process. See its implementation in our Golang code &lt;a href=&quot;https://github.com/cloudflare/go/tree/cf-pq-kemtls&quot;&gt;here&lt;/a&gt;. 
You can also check this &lt;a href=&quot;https://github.com/cloudflare/go/blob/cf-pq-kemtls/src/crypto/tls/delegated_credentials_test.go#L774&quot;&gt;test&lt;/a&gt; for an overview of how it works.&lt;/li&gt; &lt;/ul&gt; &lt;p&gt;&lt;br /&gt; Implementing KEMTLS was a straightforward process, although it did require changes to the way Golang handles a TLS 1.3 handshake and to how the key schedule works.&lt;/p&gt; &lt;p&gt;A “regular” TLS 1.3 handshake in Golang (from the server perspective) looks like this:&lt;/p&gt; &lt;p&gt;&lt;img src=&quot;/images/golang_tls.png&quot; alt=&quot;Implemented Golang TLS 1.3 Handshake&quot; style=&quot;height:600px;&quot; /&gt;&lt;/p&gt; &lt;p&gt;We had to interrupt the handshake at the point where the server sends the Certificate (&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;sendServerCertificate()&lt;/code&gt;) in order to send the KEMTLS-specific messages. In the same way, we had to add the appropriate KEMTLS messages to the client’s handshake. And, as we did not want to change the way Golang handles TLS 1.3 too much, we only added one new constant to the configuration, which can be used by a server in order to ask for the Client’s Certificate (the constant is &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;serverConfig.ClientAuth = RequestClientKEMCert&lt;/code&gt;).&lt;/p&gt; &lt;p&gt;The implementation is easy to work with: if a delegated credential or a certificate has a public key of a supported post-quantum KEM algorithm, the handshake will proceed with KEMTLS. If the server requests a Client KEMTLS Certificate, the handshake will use client KEMTLS authentication.&lt;/p&gt; &lt;h2 id=&quot;running-the-experiment&quot;&gt;Running the Experiment&lt;/h2&gt; &lt;p&gt;So, what is next? 
The next step is to take the code we have produced and run it in the actual Cloudflare infrastructure to measure how efficiently it works.&lt;/p&gt; &lt;h2 id=&quot;thanks&quot;&gt;Thanks&lt;/h2&gt; &lt;p&gt;Many thanks to everyone involved in the project: Chris Wood, Armando Faz-Hernández, Thom Wiggers, Bas Westerbaan, Peter Wu, Peter Schwabe, Goutam Tamvada, Douglas Stebila, Thibault Meunier, and the whole Cloudflare cryptography team.&lt;/p&gt; &lt;hr /&gt; &lt;p id=&quot;foot1&quot; style=&quot;font-size: 16px;&quot;&gt;[1] It is worth noting that the RSA key transport in TLS ≤1.2 has the server only authenticated by RSA public key encryption, although the server&apos;s RSA public key is certified using RSA signatures by Certificate Authorities.&lt;/p&gt; &lt;p id=&quot;foot2&quot; style=&quot;font-size: 16px;&quot;&gt;[2] These numbers, as noted in the paper, are based on the round-2 submissions.&lt;/p&gt; </description> <pubDate>2021-01-10T00:00:00+00:00</pubDate> <link>http://claucece.github.io//2021/01/10/cf-kemtls.html</link> <guid isPermaLink="true">http://claucece.github.io//2021/01/10/cf-kemtls.html</guid> </item> <item> <title>Post-quantum Cryptography and running experiments with it at Cloudflare</title> <description>&lt;p&gt;&lt;em&gt;Because quantum cats have 7 lives&lt;/em&gt;&lt;/p&gt; &lt;p&gt;Today, I’m speaking at Cloudflare CFTV (&lt;a href=&quot;https://cloudflare.tv/event/5G46CmInDoEyAFmk9Ewi3O&quot;&gt;Cloudflare TV&lt;/a&gt;), with my colleague Armando Faz Hernández. This is very exciting as the talks given there are always of extremely good quality. This is happening as part of my ongoing work with Cloudflare, where I have been part of many amazing projects since I started some months ago (see this &lt;a href=&quot;https://twitter.com/claucece/status/1336432849365446658&quot;&gt;tweet&lt;/a&gt; for an idea). 
The talk will be about the state of post-quantum cryptography and will be in Spanish (which is something you don’t often see at cryptography talks). But, most excitingly, we will be talking about an ongoing experiment we are running at Cloudflare: Post-quantum KEMs in TLS 1.3.&lt;/p&gt; &lt;p&gt;So, what is the PQ KEM TLS experiment? Basically, it is an experiment that will run on Cloudflare to gather measurements on using PQ KEMs as part of a TLS 1.3 connection. A KEM, in this case, is a Key Encapsulation Mechanism used to achieve server and/or client authentication without the usage of digital signatures. This is due to the fact that signatures in a post-quantum setting have larger sizes than the alternative KEMs. Part of the experiment is also making as few changes as possible to the TLS 1.3 handshake. As we are unable to make changes to Certificate Authorities at the moment, we will be using &lt;a href=&quot;https://tools.ietf.org/html/draft-ietf-tls-subcerts-03&quot;&gt;Delegated Credentials&lt;/a&gt; as an alternative. KEM TLS achieves, therefore, a TLS handshake that provides full post-quantum security. 
We will be presenting this work at Real World Crypto 2021.&lt;/p&gt; &lt;p&gt;In the talk, we will give an overview of the experiment and we will also discuss what post-quantum cryptography is and how it came to be.&lt;/p&gt; &lt;p&gt;I’ll leave some additional resources:&lt;/p&gt; &lt;h3 id=&quot;what-is-post-quantum-cryptography&quot;&gt;What is Post-Quantum Cryptography?&lt;/h3&gt; &lt;ul&gt; &lt;li&gt;&lt;a href=&quot;https://scienceishere.libsyn.com/science-is-here-7-post-quantum-cryptography-with-tanja-lange&quot;&gt;Post-quantum cryptography with Tanja Lange&lt;/a&gt;: Barry Fitzgerald speaks with Tanja Lange.&lt;/li&gt; &lt;li&gt;&lt;a href=&quot;https://www.youtube.com/watch?v=-LlkJZJ5DMQ&quot;&gt;PQCHacks&lt;/a&gt; by Daniel Bernstein and Tanja Lange.&lt;/li&gt; &lt;li&gt;&lt;a href=&quot;https://www.youtube.com/watch?v=ZCmnQR3_qWg&quot;&gt;The year in post-quantum crypto&lt;/a&gt; by Daniel Bernstein and Tanja Lange.&lt;/li&gt; &lt;/ul&gt; &lt;h3 id=&quot;the-flavors-of-post-quantum-cryptography&quot;&gt;The flavors of Post-Quantum Cryptography&lt;/h3&gt; &lt;ul&gt; &lt;li&gt;&lt;a href=&quot;https://www.youtube.com/watch?v=EqRsel-rXac&quot;&gt;Code-Based Cryptography&lt;/a&gt; by Tanja Lange.&lt;/li&gt; &lt;li&gt;&lt;a href=&quot;https://media.ccc.de/v/34c3-9075-latticehacks&quot;&gt;Lattice Hacks&lt;/a&gt; by Daniel Bernstein, Tanja Lange and Nadia Heninger.&lt;/li&gt; &lt;li&gt;&lt;a href=&quot;https://www.youtube.com/watch?v=MG6g04R_Ims&quot;&gt;Lattice-based cryptography&lt;/a&gt; by Phong Nguyen.&lt;/li&gt; &lt;li&gt;&lt;a href=&quot;https://www.youtube.com/watch?v=qkqtsnXTMQM&quot;&gt;Hash-based signatures&lt;/a&gt; by Andreas Hülsing.&lt;/li&gt; &lt;li&gt;&lt;a href=&quot;https://www.youtube.com/watch?v=AoE-uQinzqU&quot;&gt;Isogeny-based cryptography: past, present, and future&lt;/a&gt; by David Jao.&lt;/li&gt; &lt;li&gt;&lt;a href=&quot;https://www.youtube.com/watch?v=FrM6zAuI7-4&quot;&gt;State of Art of MPKC&lt;/a&gt; by Jintai Ding.&lt;/li&gt; 
&lt;li&gt;&lt;a href=&quot;https://eprint.iacr.org/2019/1321&quot;&gt;Supersingular isogeny key exchange for beginners&lt;/a&gt; by Craig Costello.&lt;/li&gt; &lt;/ul&gt; &lt;h3 id=&quot;nist-competition&quot;&gt;NIST Competition&lt;/h3&gt; &lt;ul&gt; &lt;li&gt;&lt;a href=&quot;https://csrc.nist.gov/Projects/post-quantum-cryptography/round-3-submissions&quot;&gt;Round 3 Submissions&lt;/a&gt;.&lt;/li&gt; &lt;/ul&gt; &lt;h3 id=&quot;experiments&quot;&gt;Experiments&lt;/h3&gt; &lt;ul&gt; &lt;li&gt;&lt;a href=&quot;https://www.cs.umd.edu/~dml/papers/pqc_nist19.pdf&quot;&gt;Measuring TLS key exchange with post-quantum KEM&lt;/a&gt; by Krzysztof Kwiatkowski, Nick Sullivan, Adam Langley, Dave Levin, Alan Mislove.&lt;/li&gt; &lt;/ul&gt; &lt;h3 id=&quot;pq-kem-tls&quot;&gt;PQ KEM TLS&lt;/h3&gt; &lt;ul&gt; &lt;li&gt;The paper: &lt;a href=&quot;https://thomwiggers.nl/publication/kemtls/kemtls.pdf&quot;&gt;Post-Quantum TLS Without Handshake Signatures&lt;/a&gt; by Peter Schwabe, Douglas Stebila and Thom Wiggers.&lt;/li&gt; &lt;li&gt;Episode at CryptographyFM: &lt;a href=&quot;https://www.cryptography.fm/1&quot;&gt;Post-Quantum TLS With KEMs Instead of Signatures!&lt;/a&gt; by Douglas Stebila and Thom Wiggers.&lt;/li&gt; &lt;/ul&gt; </description> <pubDate>2020-12-10T00:00:00+00:00</pubDate> <link>http://claucece.github.io//2020/12/10/pq-kem-tls.html</link> <guid isPermaLink="true">http://claucece.github.io//2020/12/10/pq-kem-tls.html</guid> </item> <item> <title>Domestic Abuse</title> <description>&lt;p&gt;&lt;em&gt;“I didn’t realize I was being abused. I thought I was being strong with a complicated person.”&lt;/em&gt; — Evan Rachel Wood&lt;/p&gt; &lt;div class=&quot;disclaimer&quot;&gt; &lt;p&gt;&lt;strong&gt;Disclaimer&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;This blog post is for people who identify as women and who are being or were domestically abused. It is not for anyone&apos;s personal gain or gossip. 
But if you want to help stop domestic abuse (in the way I think I can, at least), see the &apos;Some Extra Flavors&apos; section at the end of this post.&lt;/p&gt; &lt;/div&gt; &lt;p&gt;&lt;br /&gt; Yesterday, I watched many videos of Evan Rachel Wood &lt;a href=&quot;#references&quot;&gt;[1]&lt;/a&gt; where she recounts her experiences with the domestic abuse she suffered at the hands of a man she can’t name. In a way, this inspired me to write this blog post and to also recount my own story of domestic abuse at the hands of a man I too can’t name (and won’t name, as I see no reason to). I also wanted to write this blog post to list all the myths that we as a society have created to justify domestic physical, sexual and emotional abuse perpetrated towards people who identify as women. Note, of course, that this is not isolated to heterosexual couples, but applies to any kind of relationship. Note, of course, that men or people of other genders can also be domestically abused; but it is more uncommon. Nevertheless, the experiences they suffered should be taken into account.&lt;/p&gt; &lt;p&gt;Domestic abuse towards women has a big toll on our society and sends shock waves to future generations. It is not isolated to the woman who was abused, but extends to her immediate relationships and to her children. The effects that it creates on women are big and serious. I, for example, developed generalized anxiety disorder (sometimes having 20 panic attacks a day), clinical depression, depersonalization disorder and gastritis. All of these disorders disappeared (or were diminished) when I cut off the abuse; from the beginning, my body was telling me that the situation I was part of was not ok. But my mind was clearly failing to catch up.&lt;/p&gt; &lt;p&gt;Note also that the amount of abuse that a woman receives can be exacerbated if she is Latin American, African, Asian or a descendant of those, at the hands of a white man. As with everything, abuse has intersectionality. 
A domestic abuser can use systemic racism to enhance the control and abuse over their partner. I, as a Latin American woman, surely know about this.&lt;/p&gt; &lt;p&gt;Why, we ask ourselves, do we allow abuse to happen? Perhaps, because we have created a mythology used to justify abusive men. Perhaps, because we don’t want to see it. Perhaps, because we think that people are incapable of such things. You might ask, and with some sort of reason, why, if the abuse of a woman is so severe, she doesn’t leave the relationship. Probably, because she can’t, as the abuser holds economic, political or social power over her, as so often happens in relationships. But, also, because we, as human beings, are empathetic and want to help other people. I think this was my case. It took me years to realize I was being domestically abused (even when I knew I was physically abused), because I, like Rachel Wood, thought that “I was being strong with a complicated person”. I thought I was being helpful to a person in need. I thought I was saving a depressive human.&lt;/p&gt; &lt;p&gt;Truth is: no matter how much I helped this person, no matter how much I annihilated my individuality or self in the process, no matter how much love I showed, it was never enough. Because the sense of self-entitlement and privilege of an abuser is never satisfied. It is not on you, it is on them.&lt;/p&gt; &lt;p&gt;Chronic mistreatment gets people to doubt themselves. An abusive partner will deny your experience of abuse by any means: he will pluck out your reality and replace it with his. He will make you feel crazy. He will beat you, and justify it as if it was your problem or as if you caused it. He will try to convince others that you are irrational. 
It is a process of identity invasion, so “never believe a man’s claim that he has to harm his partner in order to protect her; only abusers think this way” &lt;a href=&quot;#references&quot;&gt;[2]&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;A domestic abuser will also feel entitled to your whole existence. You should: 1. help him at work, 2. attend to any emotional need, 3. sexually satisfy him, and 4. never criticize him. The worst experiences of abuse I had in this relationship were precisely when I dared to criticize this man. I was accused so many times of making him ‘suicidal’ that I stopped explaining what my needs were because I feared he might commit suicide. Truth is he never did. And I later found out that this was a tactic he used with many women. These sentences do not mean that we should obliterate the fact that someone might be sharing with us their depressive thoughts; but if they are used to justify abuse, then they are not ok.&lt;/p&gt; &lt;p&gt;One of the basic human rights domestic abusers will take away from you is the right to be angry. No matter how badly he treats you, he believes that your voice shouldn’t rise, your blood shouldn’t boil, and that you shouldn’t strike back. He doesn’t have a problem with anger (as anger is sometimes used to justify abuse), he has a problem with his partner’s anger. Why does he hate anger? Because he believes he is beyond criticism or because there is power in anger. In my case, for example, on one instance, he pushed me against a wall in front of a colleague because I failed to listen to him while he was talking (I was, in truth, distracted). I was supposed to listen to him every time he spoke. If I dared to speak my anger, he would physically or sexually punish me. And furthermore, he would say that he was the victim of my mistreatment, even if to this day I have scars from his physical abuse.&lt;/p&gt; &lt;p&gt;Perhaps one of the most horrible things that women experience while being abused is the backlash at the hands of others. 
I remember being supremely judged by other women who used to be close friends with this man, and who expected me to either change this man, or used me as a scapegoat to perhaps project their own anger. What I learned from this is that we shouldn’t judge the abused woman because she fails our expectations of 1. leaving the abusive partner, 2. standing up to him, 3. defending others, 4. being a moral compass. I think abused women have enough on their plate while being abused without also being policed by others’ expectations. I think we should help abused women; but if what they do fails our expectations, then maybe the best thing is to move along and shut up.&lt;/p&gt; &lt;p&gt;I, luckily, got away from that relationship because if I hadn’t, I think I would be dead by now. I couldn’t keep going anymore and my mental state was failing me. It was hard to get away. But I had a big number of friends that helped me. So, you too can get away if you are in an abusive relationship. But you will need a plan for your physical safety and maybe for your children’s safety. As this blog post notes &lt;a href=&quot;#references&quot;&gt;[3]&lt;/a&gt;:&lt;/p&gt; &lt;p&gt;“It is important to remember that leaving abuse is a three part stage where deciding to leave and leaving are not separate stages from the preparation stage. Survivors can never really relax for the rest of their lives. They will forever have to look back at their previous life and make sure their tracks are covered”.&lt;/p&gt; &lt;p&gt;While not being the perfect book, it is also good to read ‘Why does he do that?’ by Lundy Bancroft &lt;a href=&quot;#references&quot;&gt;[2]&lt;/a&gt; (which this blog post takes inspiration from). A friend of mine recommended this book to me when I was being abused, and, in a way, it opened my eyes.&lt;/p&gt; &lt;p&gt;Remember that getting away from a partner that is an abuser is never easy. To this day, I get stalked and harassed by the man I left. 
It is a constant battle; but remember that you took the step of getting away, and that, in itself, is the biggest victory.&lt;/p&gt; &lt;p&gt;I will proceed to talk about the myths we create to justify abuse towards women and to list resources that you can use to get help if you are in an abusive relationship. Note that this is not an extensive list, and some things might not be extremely accurate. These are only some of my thoughts that take inspiration from the Bancroft book.&lt;/p&gt; &lt;h2 id=&quot;myths&quot;&gt;Myths&lt;/h2&gt; &lt;p&gt;&lt;br /&gt; &lt;strong&gt;1. He was abused as a child and that makes him abusive&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;I, too, was sexually abused as a child, and my father was an alcoholic that abandoned us. Has that made me abusive? No.&lt;/p&gt; &lt;p&gt;As Bancroft recalls:&lt;/p&gt; &lt;p&gt;“I have sometimes said to a client: “If you are so in touch with your feelings from your abusive childhood, then you should know what abuse feels like. You should be able to remember how miserable it was to be cut down to nothing, to be put in fear, to be told that the abuse is your own fault. You should be less likely to abuse a woman, not more so, from having been through it.” Once I make this point, he generally stops mentioning his terrible childhood; he only wants to draw attention to it if it’s an excuse to stay the same, not if it’s a reason to change.” &lt;a href=&quot;#references&quot;&gt;[2]&lt;/a&gt;&lt;/p&gt; &lt;p&gt;Being abused as a child does not create adult abusers; but it can be used as an excuse.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;2. He has a previous partner that mistreated him and now he has a problem with women as a result&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;An abusive man will always try to complain about his ex-partner, especially if she stood up to him. But one bad relationship does not make a person abusive. 
Generalizing one situation to the whole of women is controlling and misguided in itself.&lt;/p&gt; &lt;p&gt;If it is an excuse to mistreat you, then it is a distortion. My abusive ex-partner had a very bad relationship with the ex-partner right before me. But later I found out that he abused her too (and many others as well). So, he does not have a problem with women, he has a problem with women that he abused and that later stood up to him.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;3. He has a mental disease or mood disorder that causes the abuse&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;Mental illnesses don’t cause abusiveness. Many abusers report that when they beat their partner they are very aware of what they are doing, as they often don’t hit the body parts of the partner that others will be able to see (and that would, therefore, expose him). They don’t lose control because of a mental disease; they are very much in control.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;4. He suffers from low self-esteem&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;As Bancroft tells:&lt;/p&gt; &lt;p&gt;“An abused woman tends to pour precious energy into supporting her abusive partner and massaging his ego, hoping against hope that if he is kept well stroked his next explosion might not happen” &lt;a href=&quot;#references&quot;&gt;[2]&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;An abusive man can use low self-esteem to get favours from people around him, and use it as a shield when he is questioned/criticised. The problem is not that he has low self-esteem, but that he uses this thinking to control and manipulate others around him. And, most importantly, to manipulate and control his partner.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;5. Abuse is as bad for the man who is doing it as it is for his partner. They are both victims&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;As Bancroft notes:&lt;/p&gt; &lt;p&gt;“Abusers get over the pain of the abuse incidents far, far faster than their partners do. 
Certainly abusing one’s partner is not a healthy lifestyle, but the negative effects don’t hold a candle to the emotional and physical pain, loss of freedom, self-blame, and numerous other shadows that abuse casts over the life of its female target. Unlike alcoholics or addicts, abusive men don’t “hit bottom.” They can continue abusing for twenty or thirty years, and their careers remain successful, their health stays normal, their friendships endure. Abusers actually tend to benefit in many ways from their controlling behaviors.”&lt;/p&gt; &lt;p&gt;I think the quote from Bancroft explains this enough.&lt;/p&gt; &lt;h2 id=&quot;resources&quot;&gt;Resources&lt;/h2&gt; &lt;p&gt;If you are a person identifying as a woman in an abusive relationship, seek help. Trust a close friend that will understand (and not judge) your experience and create a plan to leave that abusive relationship. You can also follow these accounts for help (thanks to the awesome @RisuToInu!):&lt;/p&gt; &lt;ul&gt; &lt;li&gt;@nnedv&lt;/li&gt; &lt;li&gt;@RefugeCharity&lt;/li&gt; &lt;li&gt;@OSPASafeEscape&lt;/li&gt; &lt;li&gt;@live_life_safe&lt;/li&gt; &lt;li&gt;@SEAresource&lt;/li&gt; &lt;/ul&gt; &lt;p&gt;&lt;br /&gt;&lt;/p&gt; &lt;h2 id=&quot;some-extra-flavors&quot;&gt;Some Extra Flavors&lt;/h2&gt; &lt;p&gt;I’ve been thinking of creating a group (maybe for research/implementation, etc.) to talk about how digital tools are used to enhance domestic abuse (stalking, installing spyware, etc.), and what we can do to help and stop it. If you are interested, ping me ;)&lt;/p&gt; &lt;h2 id=&quot;references&quot;&gt;References&lt;/h2&gt; &lt;ol&gt; &lt;li&gt;“Evan Rachel Wood on Surviving an Abusive Relationship” by SELF, Oct 30, 2019. 
Available &lt;a href=&quot;https://www.youtube.com/watch?v=juK9c8zgUvU&amp;amp;t=38s&quot;&gt;here&lt;/a&gt;.&lt;/li&gt; &lt;li&gt;“Why does he do that?” by Lundy Bancroft, Putnam’s Sons, New York, 2002.&lt;/li&gt; &lt;li&gt;“Resources for Domestic Abuse Survivors” by Security Trash Panda, July 24, 2019. Available &lt;a href=&quot;https://trashpanda.blog/2019/07/24/resources-for-domestic-abuse-survivors/&quot;&gt;here&lt;/a&gt;.&lt;/li&gt; &lt;/ol&gt; </description> <pubDate>2020-06-06T00:00:00+00:00</pubDate> <link>http://claucece.github.io//2020/06/06/abuse.html</link> <guid isPermaLink="true">http://claucece.github.io//2020/06/06/abuse.html</guid> </item> <item> <title>Programming language design and compilers: where to start?</title> <description>&lt;p&gt;&lt;em&gt;So you want to get into design, kid?&lt;/em&gt;&lt;/p&gt; &lt;p&gt;Over the past months, I have gotten more and more interested in how programming languages are designed, why such decisions are made, and the compiler’s role in this. I think that I started getting interested because of some current research around Golang’s compiler, and I got amazed by the amount of beauty that designing a language can create.&lt;/p&gt; &lt;p&gt;Lurking in Golang’s archive and talks &lt;a href=&quot;#references&quot;&gt;[1]&lt;/a&gt;, I stumbled upon two very interesting papers that influenced their design. Those papers are “Hints on Programming Language Design” &lt;a href=&quot;#references&quot;&gt;[2]&lt;/a&gt; by C. A. R. Hoare and “Everything You’ve Wanted to Know about Programming Languages but Have Been Afraid to Ask” &lt;a href=&quot;#references&quot;&gt;[3]&lt;/a&gt;, by C. A. R. Hoare as well. 
Those two papers inspired me to reach out to other sources so I could learn about programming language design, which, as Hoare says, should “help the programmer in the practice of his (probably, ‘their’, sic) art”.&lt;/p&gt; &lt;p&gt;Of course, a big portion of programming languages and their use is the design of the compiler that the programming language uses, or at least an understanding of how it behaves. So in this blogpost, we will also list resources for learning compiler design.&lt;/p&gt; &lt;p&gt;The resources that are going to be listed here are the result of a tweet I sent from my personal account &lt;a href=&quot;#references&quot;&gt;[4]&lt;/a&gt;. Lots of very interesting answers came from people who have actually designed the programming languages that we use every day. So, in order to make that thread more useful, I’ll list them nicely here. Note that I have not yet read all of these books, so the small review that accompanies the resources on the list is based on other people’s opinions or the result of me skimming over them. I’ll eventually make blogposts of the ones I read ;)&lt;/p&gt; &lt;h1 id=&quot;programming-language-design&quot;&gt;Programming language design&lt;/h1&gt; &lt;p&gt;&lt;br /&gt;&lt;/p&gt; &lt;h3 id=&quot;books&quot;&gt;Books&lt;/h3&gt; &lt;ul&gt; &lt;li&gt;The one and only &lt;strong&gt;Structure and Interpretation of Computer Programs (SICP)&lt;/strong&gt; or the Wizard Book by Harold Abelson and Gerald Jay Sussman with Julie Sussman. A must-read book for every programmer, as it teaches the fundamental principles of computer programming. A book recommended by basically everyone.&lt;/li&gt; &lt;li&gt;&lt;strong&gt;Programming Language Pragmatics&lt;/strong&gt; by Michael Lee Scott. The book I’m currently reading, which explains why programming languages work. 
A highly recommended book as well.&lt;/li&gt; &lt;li&gt;&lt;strong&gt;Practical Foundations for Programming Languages&lt;/strong&gt; (Second Edition) by Robert Harper &lt;a href=&quot;#references&quot;&gt;[5]&lt;/a&gt;, as recommended by Eric Christopher (@echristo). As the author states, “a comprehensive framework for formulating and analyzing a broad range of ideas in programming languages”. It is also worth checking the website, which contains lots of supplementary materials.&lt;/li&gt; &lt;li&gt;&lt;strong&gt;Types and Programming Languages&lt;/strong&gt; by Benjamin C. Pierce, as recommended by Shriram Krishnamurthi (@ShriramKMurthi) and @1stSV_97. It is a comprehensive introduction both to type systems in computer science and to the basic theory of programming languages.&lt;/li&gt; &lt;li&gt;&lt;strong&gt;Essentials of Programming Languages&lt;/strong&gt; by Daniel P. Friedman, Mitchell Wand, and Christopher T. Haynes, as recommended by Shriram Krishnamurthi (@ShriramKMurthi). It gives a deep, working understanding of the essential concepts of programming languages. This will be my next book to read. People say that the first edition is the best one ;)&lt;/li&gt; &lt;li&gt;&lt;strong&gt;Programming Languages: Application and Interpretation&lt;/strong&gt; &lt;a href=&quot;#references&quot;&gt;[6]&lt;/a&gt; by Shriram Krishnamurthi himself. I’m very eager to read this book, so expect a review.&lt;/li&gt; &lt;li&gt;&lt;strong&gt;Crafting Interpreters&lt;/strong&gt; by Bob Nystrom (@munificentbob) &lt;a href=&quot;#references&quot;&gt;[7]&lt;/a&gt;, as recommended by @mostlysafe. It focuses on learning everything you need to actually implement a scripting language.&lt;/li&gt; &lt;li&gt;&lt;strong&gt;The Design and Evolution of C++&lt;/strong&gt; by Bjarne Stroustrup (the inventor of C++), as recommended by Shafik Yaghmour (@shafikyaghmour). As the recommender says, it gives “a solid understanding of why trade-offs are made” in the language. 
This book obviously focuses on the decisions made during the development of the C++ programming language, but it also gives insights into the object-oriented programming philosophy.&lt;/li&gt; &lt;li&gt;&lt;strong&gt;The Implementation of Functional Programming Languages&lt;/strong&gt; by Simon Peyton Jones &lt;a href=&quot;#references&quot;&gt;[8]&lt;/a&gt;, as recommended by @MarisaVeryMoe. This book is out of print, but you can find it in its entirety in PDF form. An excellent book for anyone interested in functional programming.&lt;/li&gt; &lt;li&gt;&lt;strong&gt;The Elements of Computing Systems: Building a Modern Computer from First Principles&lt;/strong&gt; by Noam Nisan and Shimon Schocken, as recommended by Lars Tackmann (@ltackmann). This book does not only focus on programming language design but on all of applied computer science.&lt;/li&gt; &lt;/ul&gt; &lt;p&gt;&lt;br /&gt;&lt;/p&gt; &lt;h3 id=&quot;courses&quot;&gt;Courses&lt;/h3&gt; &lt;p&gt;As Jeff Dean (@JeffDean) states, after reading enough books, it is always worth checking the reading lists of different graduate courses. Here are just two suggestions:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;‘Implementation of Programming Languages’ (CSE 501) from the ‘Paul G. Allen School of Computer Science &amp;amp; Engineering’. It is a must to check the reading papers for this course.&lt;/li&gt; &lt;li&gt;‘Concepts of Programming Languages’ (CSE 505) from the ‘Paul G. Allen School of Computer Science &amp;amp; Engineering’. It is a must to check the reading papers for this course.&lt;/li&gt; &lt;/ul&gt; &lt;p&gt;&lt;br /&gt;&lt;/p&gt; &lt;h1 id=&quot;compiler-design&quot;&gt;Compiler design&lt;/h1&gt; &lt;h3 id=&quot;books-1&quot;&gt;Books&lt;/h3&gt; &lt;ul&gt; &lt;li&gt;&lt;strong&gt;Engineering a Compiler&lt;/strong&gt; by Keith Cooper and Linda Torczon, as recommended by John Regehr (@johnregehr). 
It covers the important techniques for constructing a modern compiler.&lt;/li&gt; &lt;li&gt;&lt;strong&gt;Building an Optimizing Compiler&lt;/strong&gt; by Bob Morgan, as recommended by Eric Christopher (@echristo). It provides a high-level design for a thorough optimizer, code generator, scheduler, and register allocator for a generic modern RISC processor.&lt;/li&gt; &lt;li&gt;&lt;strong&gt;The GCC list of compiler books&lt;/strong&gt; &lt;a href=&quot;#references&quot;&gt;[9]&lt;/a&gt;. The default list of compiler books, with enough review for you to make a choice.&lt;/li&gt; &lt;li&gt;&lt;strong&gt;Modern Compiler Implementation in ML&lt;/strong&gt; by Andrew W. Appel, as recommended by @xandkar. A book that describes all phases of a modern compiler.&lt;/li&gt; &lt;/ul&gt; &lt;p&gt;&lt;br /&gt;&lt;/p&gt; &lt;h1 id=&quot;conferences-to-attend&quot;&gt;Conferences to attend&lt;/h1&gt; &lt;p&gt;Something that helped me on my cryptography journey was attending conferences. I’d like to start doing that for PL as well, so these are the conferences that seem like a must to attend:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;strong&gt;History of Programming Languages (HOPL)&lt;/strong&gt; &lt;a href=&quot;#references&quot;&gt;[10]&lt;/a&gt;. Its fourth edition is happening in 2021, and it is a MUST to attend. It is also very nice to check the papers presented at past editions.&lt;/li&gt; &lt;li&gt;&lt;strong&gt;ACM SIGPLAN Symposium on Principles of Programming Languages (POPL)&lt;/strong&gt; &lt;a href=&quot;#references&quot;&gt;[11]&lt;/a&gt;. A conference to discuss aspects of programming languages.&lt;/li&gt; &lt;li&gt;&lt;strong&gt;ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI)&lt;/strong&gt; &lt;a href=&quot;#references&quot;&gt;[12]&lt;/a&gt;. A conference not only about design but also about implementation. 
I’m very excited to attend this year, so expect a blogpost about it.&lt;/li&gt; &lt;li&gt;&lt;strong&gt;ACM SIGPLAN International Conference on Functional Programming (ICFP)&lt;/strong&gt; &lt;a href=&quot;#references&quot;&gt;[13]&lt;/a&gt;. For those who love functional programming.&lt;/li&gt; &lt;li&gt;&lt;strong&gt;ACM SIGPLAN Object-Oriented Programming, Systems, Languages &amp;amp; Applications (OOPSLA)&lt;/strong&gt; &lt;a href=&quot;#references&quot;&gt;[14]&lt;/a&gt;. For those who love object-oriented programming.&lt;/li&gt; &lt;/ul&gt; &lt;p&gt;&lt;br /&gt;&lt;/p&gt; &lt;h1 id=&quot;to-follow&quot;&gt;To follow&lt;/h1&gt; &lt;p&gt;I often find it useful to follow people and read their thoughts. Note that, oftentimes, these places are personal, so don’t only expect ‘computer science’ stuff, and treat them nicely.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;For computer science and amazing thoughts: the blog of Robert Harper &lt;a href=&quot;#references&quot;&gt;[15]&lt;/a&gt;.&lt;/li&gt; &lt;li&gt;For LLVM and compilers: the blog of John Regehr &lt;a href=&quot;#references&quot;&gt;[16]&lt;/a&gt;.&lt;/li&gt; &lt;li&gt;For C++, C#, diversity and much more amazing content: the website of Patricia Aas &lt;a href=&quot;#references&quot;&gt;[17]&lt;/a&gt;.&lt;/li&gt; &lt;/ul&gt; &lt;p&gt;&lt;br /&gt;&lt;/p&gt; &lt;p&gt;Basically, that is it. I’d like to thank the amazing people who gave me recommendations and whose work inspires me to continue on the journey (they are all mentioned throughout this blogpost). I hope it does the same for you.&lt;/p&gt; &lt;p&gt;&lt;br /&gt;&lt;/p&gt; &lt;h1 id=&quot;references&quot;&gt;References&lt;/h1&gt; &lt;ol&gt; &lt;li&gt;“Go” by Rob Pike, Mar 18, 2015. Available &lt;a href=&quot;https://inst.eecs.berkeley.edu/~cs294-101/sp15/slides/Go.pdf&quot;&gt;here&lt;/a&gt;.&lt;/li&gt; &lt;li&gt;“Hints on programming language design” by C. A. R. Hoare, Dec 1973. 
Available &lt;a href=&quot;https://www.cs.yale.edu/flint/cs428/doc/HintsPL.pdf&quot;&gt;here&lt;/a&gt;.&lt;/li&gt; &lt;li&gt;“Everything You’ve Wanted to Know about Programming Languages but Have Been Afraid to Ask” by C. A. R. Hoare, Dec 1973. Available &lt;a href=&quot;https://www.cs.ox.ac.uk/files/6156/H78%20-%20Everything.pdf&quot;&gt;here&lt;/a&gt;.&lt;/li&gt; &lt;li&gt;Tweet sent by Sofía Celi. Available &lt;a href=&quot;https://twitter.com/claucece/status/1262586891775414272&quot;&gt;here&lt;/a&gt;.&lt;/li&gt; &lt;li&gt;Available &lt;a href=&quot;https://www.cs.cmu.edu/~rwh/pfpl/index.html&quot;&gt;here&lt;/a&gt;.&lt;/li&gt; &lt;li&gt;The website is &lt;a href=&quot;https://www.plai.org/&quot;&gt;here&lt;/a&gt;.&lt;/li&gt; &lt;li&gt;Available &lt;a href=&quot;https://craftinginterpreters.com/&quot;&gt;here&lt;/a&gt;.&lt;/li&gt; &lt;li&gt;Available &lt;a href=&quot;https://www.microsoft.com/en-us/research/publication/the-implementation-of-functional-programming-languages/&quot;&gt;here&lt;/a&gt;.&lt;/li&gt; &lt;li&gt;Available &lt;a href=&quot;https://gcc.gnu.org/wiki/ListOfCompilerBooks&quot;&gt;here&lt;/a&gt;.&lt;/li&gt; &lt;li&gt;Read about it &lt;a href=&quot;https://en.wikipedia.org/wiki/History_of_Programming_Languages&quot;&gt;here&lt;/a&gt;.&lt;/li&gt; &lt;li&gt;Its 2021 website. Available &lt;a href=&quot;https://popl21.sigplan.org/&quot;&gt;here&lt;/a&gt;.&lt;/li&gt; &lt;li&gt;Its 2020 website. 
Available &lt;a href=&quot;https://conf.researchr.org/home/pldi-2020&quot;&gt;here&lt;/a&gt;.&lt;/li&gt; &lt;li&gt;Its 2020 website. Available &lt;a href=&quot;https://icfp19.sigplan.org/home/icfp-2020&quot;&gt;here&lt;/a&gt;.&lt;/li&gt; &lt;li&gt;Read about it &lt;a href=&quot;https://en.wikipedia.org/wiki/OOPSLA&quot;&gt;here&lt;/a&gt;.&lt;/li&gt; &lt;li&gt;Available &lt;a href=&quot;https://existentialtype.wordpress.com/&quot;&gt;here&lt;/a&gt;.&lt;/li&gt; &lt;li&gt;Available &lt;a href=&quot;https://blog.regehr.org/&quot;&gt;here&lt;/a&gt;.&lt;/li&gt; &lt;li&gt;Available &lt;a href=&quot;https://patricia.no/&quot;&gt;here&lt;/a&gt;.&lt;/li&gt; &lt;/ol&gt; </description> <pubDate>2020-06-05T00:00:00+00:00</pubDate> <link>http://claucece.github.io//2020/06/05/programming-language-design-and-compilers.html</link> <guid isPermaLink="true">http://claucece.github.io//2020/06/05/programming-language-design-and-compilers.html</guid> </item> </channel> </rss>