Silver Bullet Talks with Matthew Green

7 M atthew Green, an assistant research professor at the Johns Hopkins Information Security Institute, talks about the difference between theoretical and applied cryptography, blogs, and back doors. You've spent a lot of time straddling the gap between academia and the corporate world. Can you explain the difference between theoretical and applied cryptography? It turns out, and I was surprised by this, that a lot of people who do applied crypto, meaning they write software and do things with cryptography in the real world, don't seem to like theory very much— and vice versa! Academic cryptography researchers don't spend a lot of time up to their elbows in code, and that gap has started to become a problem for the software world. If you're in academia, learning about crypto and getting excited about it, how do you make the transition to applied crypto? I would advise that you look at real systems—there are tons of them and tons of code as well, especially in the open source area. We use major protocols for all kinds of things, but nobody has poked at them academically. There's a wealth of stuff that you can explore and get published, so start doing it. Your blog made a splash recently when you got a takedown request from a misguided dean. Tell us about the controversy first, and then the actual content. There's not much to tell. I was contacted by a reporter from Pro-Publica who had some background questions about encryption for me. I thought, " Wow, this guy seems convinced that the NSA is spying on us all. I hope he doesn't write an article saying that I'm the one who's saying that. " I tried to be very careful, and then one day, I look in The New York Times, and there's this huge article about how the NSA is spying on us all and specifically how they're breaking our cryptography by inserting bad standards and putting back doors into products. It was all well sourced and amazing, so I wrote a blog post fleshing out what was in there, making clear I'd never seen any classified documents—you can read it at blog. cryptographyengineering.com. The post was just to put some meat on the bones and state that we didn't know too much yet. I linked to The New York Times article, grabbed an image off The Guardian, and that was it. …