For the first time, Viennese research groups are investigating encryption methods that also take into account future threats. © Markus Spiske on Unsplash

It is the nightmare of every company dealing with sensitive information: an encryption technology that was considered secure gets cracked and all of a sudden corporate communications are open to the eyes of the world. At a time when all communications are stored for years, there is a strong need for protection not only against current threats, but also against those of the future. This endeavour, which may seem paradoxical at first glance, is the field of research of cryptologist Daniel Slamanig from the Austrian Institute of Technology (AIT). In the context of a netidee SCIENCE grant from the Internet Foundation Austria (IPA) in cooperation with the Austrian Science Fund FWF, he is investigating encryption methods able to anticipate and act with foresight. His partner for the aptly named PROFET project is TU Wien (Vienna University of Technology).

Encrypted messages have been known since ancient times. The so-called “Caesar” cipher, in which each letter in a message is replaced by another letter of the alphabet, is now literally child's play. Nowadays, our daily life is permeated by complex cryptographic methods. In most cases, we remain unaware of them, as they run behind the scenes. There is communication in encrypted form not only between people but also between devices. Moreover, the number and possibilities of attackers are more diverse, computers can implement much more complex and elaborate coding procedures, and encryption is no longer just a military technology but also an important business factor – particularly these days, when companies have to switch to home-office regimes and guarantee secure data exchange between people working at home and their colleagues.

More than a game of cat and mouse

“For a long time, people have been developing encryption methods and were satisfied if no one was able to break the cipher in the here and now,” says principal investigator Slamanig. If a code was nevertheless cracked, they tried something new. This was the situation until the Second World War, when encryption methods had a significant influence on the course of the conflict. Today, the demands are much higher, as Slamanig explains: “The essential difference is that modern cryptography has developed in the science arena and is no longer a pure game of cat and mouse.” Nowadays, an encryption method is required to come with a mathematical proof that it is secure in models with particularly pessimistic premises. This begs the question of what happens to old encrypted data if the key is discovered at some point in the future. According to Daniel Slamanig we have known since the Snowden leaks that Internet traffic is siphoned off and stored at some points in the world, London being one of them. “Accordingly, some information must be protected for many decades to come and not just against current attacks,” he notes.

Keys can “forget”

The pivotal notion in this context is “forward security”, i.e. security that anticipates the future. This is particularly relevant for “asymmetrical” encryption methods. This common variant uses two separate keys: one is only used for encryption and can be public, the other is secret and is only used for decryption. The astonishing insight that something like that was even possible dates back to the 1970s. Today, asymmetric encryption is one of the most important procedures. Slamanig emphasizes that forward security could easily be achieved if keys were changed regularly. But this is a problem with asymmetric procedures, as updating the public key involves a lot of effort. One must ensure, for instance, that it cannot be forged. Slamanig sets out to solve this problem: “It is possible to use a constant public key for a very long time and update only the secret key in such a way that it can no longer be used to decrypt old data,” explains the researcher. The idea is to have a key that is able to “forget” how to decrypt certain things. “This can be finely tuned, so that a key can just forget how to decrypt a particular message, but still work for all other messages,” says the cryptologist. This is called “puncturable encryption”.
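The mechanism behind a key that “forgets” can be seen in a small simulation of the Bloom-filter structure used in the group's Bloom Filter Encryption paper. The code below is an added illustration, not code from the PROFET project: it replaces the identity-based keys of the real scheme with HMAC keys, so the table `ek` that encryptors use is a stand-in for the constant public key (the slot count, hash count and tag format are assumptions chosen for the example).

```python
# Added example (not from the PROFET project): symmetric-key simulation of the
# Bloom-filter puncturing structure. In the real scheme each slot holds an
# identity-based decryption key and encryption needs only the fixed public key.
import hashlib
import hmac
import os

M_SLOTS = 1024  # Bloom filter size m: number of key slots (assumed value)
K_HASHES = 3    # Bloom filter parameter k: slots touched per tag (assumed value)

def slots_for(tag: bytes) -> list:
    """Map a tag (e.g. a date or message id) to its k slot indices."""
    return [int.from_bytes(hashlib.sha256(bytes([j]) + tag).digest()[:4], "big")
            % M_SLOTS for j in range(K_HASHES)]

def keygen() -> tuple:
    """Return (ek, dk). ek stands in for the constant public key and is never
    updated; dk is the secret key that gets punctured (toy only: same material)."""
    slots = {i: os.urandom(32) for i in range(M_SLOTS)}
    return dict(slots), dict(slots)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(ek: dict, tag: bytes, msg: bytes) -> dict:
    """Wrap a fresh message key once per slot of the tag; any one wrap suffices."""
    assert len(msg) <= 32, "toy keystream covers 32 bytes"
    nonce, mkey = os.urandom(16), os.urandom(32)
    wraps = {i: xor(mkey, hmac.new(ek[i], b"wrap" + nonce, hashlib.sha256).digest())
             for i in slots_for(tag)}
    body = xor(msg, hashlib.sha256(b"stream" + mkey + nonce).digest())
    return {"tag": tag, "nonce": nonce, "wraps": wraps, "body": body}

def puncture(dk: dict, tag: bytes) -> None:
    """Make dk forget the tag: delete every slot it hashes to. There is no undo."""
    for i in slots_for(tag):
        dk.pop(i, None)

def decrypt(dk: dict, ct: dict):
    """Succeeds while any slot of the tag survives; None once the tag is punctured."""
    for i, wrapped in ct["wraps"].items():
        if i in dk:
            mkey = xor(wrapped, hmac.new(dk[i], b"wrap" + ct["nonce"], hashlib.sha256).digest())
            return xor(ct["body"], hashlib.sha256(b"stream" + mkey + ct["nonce"]).digest())
    return None
```

Puncturing one tag deletes its slots only, so ciphertexts under other tags keep decrypting unless every one of their slots was shared with the punctured tag; that small correctness error is the price the Bloom-filter design pays for a key that never grows.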

After the arrival of the quantum computer

Another major topic in cryptography is the spectre of a quantum computer capable of breaking all asymmetric encryption methods that are currently in use. By exploiting the phenomenon of quantum physical “entanglement”, which eludes our intuitive grasp, it is theoretically possible to build a computer that is so powerful that a substantial part of the asymmetric methods used to date would become obsolete at one fell swoop. At present we still do not know whether it will ever be possible to build a quantum computer that is “scalable”, or, in other words, that can be built and operated to any size and performance capacity. According to Slamanig, some experts doubt this, but the scientific cryptography community has at any rate been preparing intensively for such a scenario for some time. Possible candidate methods that could not be cracked even with quantum computers have been around since the 1970s. They come with various disadvantages that have prevented them from being widely used – but not all of these disadvantages are still valid today, says Slamanig.

International competition

The field has been experiencing an upswing since “NIST”, the US National Institute of Standards and Technology, announced a competition for quantum-secure encryption procedures – the term currently used is “post-quantum cryptography”. These competitions have a long tradition and usually result in the development of new procedures, which then become established as standards. The competition is currently running; Slamanig has reached the second round with an international team. “There's a lot of hype about the topic at the moment because many people have realized that in ten years’ time many things could look different,” notes Slamanig who emphasizes that there is increasing nervousness in industry about this. People want to be prepared. “What we want to offer is an encryption method with strong forward security in a post-quantum setting,” he says. This is a key goal of the present project, which started in 2019 and will run until 2022.


Personal details

Daniel Slamanig is a cryptologist at the Center for Digital Safety & Security in Vienna, which is part of the Austrian Institute of Technology (AIT). His research is devoted to the foundations of public key cryptography and its application in cloud computing and the Internet of Things (IoT). He teaches modern cryptography at the Vienna University of Technology. In 2019, Slamanig received a netidee SCIENCE grant funded by the non-profit Internet Foundation Austria in cooperation with the FWF amounting to 325,000 euros.


Publications & contributions

Behzad Abdolmaleki, Sebastian Ramacher, Daniel Slamanig: Lift-and-Shift: Obtaining Simulation Extractable Subversion and Updatable SNARKs Generically, in: 27th ACM Conference on Computer and Communications Security (ACM CCS 2020) (pdf)
David Derler, Sebastian Ramacher, Daniel Slamanig, Christoph Striecks: I Want to Forget: Fine-Grained Encryption with Full Forward Secrecy in the Distributed Setting, in: IACR Cryptology ePrint Archive 2019 (pdf)
David Derler, Tibor Jager, Daniel Slamanig, Christoph Striecks: Bloom Filter Encryption and Applications to Efficient Forward-Secret 0-RTT Key Exchange, in: 37th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT 2018) (pdf)
Melissa Chase, David Derler, Steven Goldfeder, Claudio Orlandi, Sebastian Ramacher, Christian Rechberger, Daniel Slamanig, Greg Zaverucha: Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives, in: 24th ACM Conference on Computer and Communications Security (ACM CCS 2017) (pdf)