University of Florida Department of Computer and Information Science and Engineering (CISE) associate professor Tom Shrimpton talks about his inadvertent passion for CS and his commitment to highlighting the importance of real-world practice in the areas of standards, popular protocols and hardware devices. His recent collaborative efforts in uncovering IEEE standard security flaws further demonstrate his determination to produce “good theory.” The well-traveled professor discusses his long-term research goals and his hope that his research will be the catalyst that nudges other cryptographers to work on real-world problems.
Tell us a little about yourself.
I’m an associate professor in CISE, hired under the UF Rising to Preeminence program in 2015. I moved here from Portland (OR), where I was a professor off and on from 2004-2015. During that period, I spent 2.5 years in Switzerland — six months visiting EPFL (Lausanne, in the French-speaking part of CH), and two years at the Università della Svizzera italiana (Lugano, in the Italian-speaking part of CH). My research expertise is in cryptography, both its theory and practice.
As you might expect, I’m a huge math and science nerd. I’m also a total exercise junkie. My first job was being Prince Charming at Tokyo Disneyland (I went to high school in Japan), and my second job was at the NSA. I have a three-year-old son, and I’m pretty convinced that he hung the moon and stars in the sky.
What current projects are you most excited about?
My favorite projects are those that are directly driven by real-world practice —a standard, a popular protocol, a class of hardware devices— and which require the development of new formal abstractions and theory in order to analyze their security properties. I’ve had a number of projects like this: analyzing the TLS 1.2 record layer, the Intel hardware random-number generator, the NIST key-wrap standard, the IEEE P1735 standard for intellectual property protection, an ISO standard for authenticated encryption, and the PKCS#11 standard, to name a few. Most recently I’ve been very interested in what I call “API-centric cryptography”, a theme of research that aims to close the gap between what academic cryptographers formalize and prove things about, and the *real* cryptographic primitives that *real* software libraries present to applications via their APIs. A few of my papers have built upon individual instances of this gap, but recently I’ve come to appreciate the true scope of it. So I have a number of project ideas, ranging from user studies to deep theoretical work, that are just waiting for good students to run them! Part of this work also involves trying to incorporate difficulty-of-correct-implementation as a first-class security concern. The security goals that cryptographers develop (and, hence, serve as the goodness-measuring device for real constructions) implicitly assume that the cryptographic algorithms have been properly implemented, and treat these algorithms as “black-boxes” that take some input and provide some (correct) output. But in truth, implementation errors —or, at least, deviations from what the theory talks about— are quite often the source of problems in practice. 
Good crypto theory ought to provide algorithms that are easy to implement correctly, resilient to unanticipated usages, and should faithfully reflect what it is that real developers see (or want to see) when their applications make calls to libraries that provide cryptographic functionalities. My goal is to nudge the academic crypto community into producing more of this “good theory”.
What impact will your area of study within cryptography have in the daily lives of individuals, short-term and long-term?
By studying real-world artifacts, like standards and hardware security devices, I hope that my group’s work speaks directly about the security of services and devices that people use every day. For example, TLS is the dominant security protocol on the web, protecting connections to banks, social media sites, cloud storage, email services, etc. Our work has contributed significantly to understanding the security of TLS 1.2 (the current version of the protocol) and TLS 1.3 (soon to be rolled out broadly). At this point, cryptography is more or less “infrastructure”; it is woven into the fabric of our daily lives. If you use a mobile device, there are all sorts of cryptographic operations being performed by it: for secure storage of the data on the phone; for secure communication via cellular data (e.g. LTE), Wi-Fi (e.g. 802.11), Bluetooth, near-field communication (e.g. Apple Pay); for secure web transactions within the mobile browser, and so on. If you use an ATM machine, if you pay for groceries with a credit card, you’re using cryptography. And the ubiquity of cryptography will only increase as the so-called “Internet of Things” becomes a reality.
How did you end up being a part of FICS Research?
I was recruited by Patrick Traynor and Kevin Butler. They were (still are!) highly respected members of the security community, and I liked them both personally. They convinced me that something big was happening at UF in terms of creating a top-tier security research group, and they were right!
Your work focuses on hash functions, authenticated encryption schemes and other symmetric-key primitives. How will your work help secure the advancing technology?
The primitives you list are the workhorses of cryptography, in that they are used everywhere, and do the bulk of the work in securing communications and data storage. Making these things fast, easy to implement (correctly) and deploy –while remaining provably secure in ever-changing threat models and unimagined use cases— is a big part of what I do.
What was your purpose behind choosing a career in Computer and Information Science and Engineering?
To be honest, I kind of fell into it! When I went to grad school for my PhD, I was working in statistical signal processing, which is an area of electrical engineering. While working and publishing in that area, I took some courses in algorithms and the theory of computation, and became intrigued with computer science. I found myself studying more and more CS theory, taking “CS-related” math courses, and finally struck up a relationship with Phil Rogaway —a massive figure in cryptography, and the person who ultimately became my PhD research advisor. So, all of my degrees are officially in electrical engineering, but CS is my passion.
What lasting impact would you like your research to have in this world?
I hope it makes the lives of standards bodies, security engineers and software developers easier. I hope it nudges other cryptographers to work on real-world problems, and not just theory with a thin veneer of practice wrapped around it. I hope it helps to frame the way we theoreticians think about the theory we produce, so that it is more practice-directed and easier to implement correctly. And I hope it inspires future women and men to join in!
If you could be a cartoon character for a week, who would you be?
Deadpool — basically indestructible with an irreverent sense of humor!
Who would play you in a movie of your life?
That depends on how it’s done. If it’s a serious movie, maybe Christian Bale or Daniel Day-Lewis. If it’s a funny movie, maybe Robert Downey, Jr. or Ryan Reynolds. In any case, it’s narrated by Morgan Freeman!
Which of the Seven Dwarfs is most like you?
Hmm… it’s a tie between Happy and Doc.
Would you rather be the best player on a horrible team or the worst player on a great team?
Worst player on a great team, hands down.