IBM Research - Zurich | News

Workshop of Europe's leading cryptographers takes place at IBM's Research Laboratory in Rüschlikon

Fascinating technology for a secure information society


Zurich, 28 November 2006. The instant, worldwide exchange of information is an integral part of today's global economy and society. But this flow of information can be forged, falsified, misappropriated, abused or deleted by unauthorized persons. To protect information from unauthorized access, it must therefore be encrypted. This is especially true for online banking, e-payments with credit cards, transmission of confidential data, and electronic voting via the Internet. Cryptography, the mathematical discipline of developing methods to encrypt data, is therefore becoming increasingly important.

Leading European cryptographers gathered recently to attend a workshop hosted by the Zurich Information Security Center (ZISC) held at IBM Research - Zurich (NYSE: IBM) to discuss the state of the art and future developments in this vital field. ZISC is a research collaboration between the Swiss Federal Institute of Technology (ETH Zurich), IBM Research - Zurich and other industrial partners to strengthen their role as global leaders in research and education in information security.

Although today's standardized cryptographic algorithms are considered secure, Arjen K. Lenstra of the ETH Lausanne emphasized that the availability of secure encryption is not something we can take for granted. Cryptographers must constantly challenge the available methods to identify vulnerabilities and develop ever more secure solutions. This is especially important as computer power continues to grow significantly and ICT systems become increasingly complex. The downside of such developments is that new vulnerabilities are constantly emerging as well.

Fortunately, today's cryptographers have a range of technically sophisticated tools at their disposal to assess such vulnerabilities. Some of these tools were discussed by Elisabeth Oswald of the Technical University of Bristol. When data is processed in integrated circuits based on conventional CMOS semiconductor technology, the electrical power consumed by the circuits is dependent on the computation being performed at any given time. Power consumption can be recorded by an external device attached to a smartcard, for example, that encrypts secret data. Complex analytical methods can then recognize certain patterns in the recorded data. Sophisticated inference processes allow researchers to obtain information about the encryption key and, in extreme cases, to decipher the secret data, thereby violating the system's security. In the case of bank cards, this of course is a highly alarming scenario. Cryptographers are now searching for suitable measures to protect security systems from such attacks. One possible solution is to overlay the data transmitted outside the system with random signals in order to make the data unreadable by unauthorized persons.

Bart Preneel of the Catholic University of Leuven described the work of cryptographers as a constant race to keep up with technical developments as well as with the ingenuity and criminal energy of hackers. In simplified terms, cryptographers use so-called hash functions to assign each data set a short, unique identification. This is useful, for example, when comparing two large, similar sets of data. The short hash values of, say, two extensive texts indicate whether they are very probably identical or definitely different. Hash values are also used to generate digital signatures. Recent progress in cryptanalysis has revealed weaknesses in several widely used hash functions. Although attacks on today's most powerful hash functions do not constitute an immediate danger, it is obvious that hash functions must still be improved considerably. Research to develop more robust hash functions is currently underway.

Considering that, in an extreme case, a global economic collapse could result if a commonly used cryptosystem were broken, it is not surprising that utmost priority is given to certifying cryptographic processes and products. To seek certification of a cryptographic product by the Federal Information Processing Standard (FIPS), the applicant must provide detailed verification that its product is impervious to manipulation. The certification process takes 12 months and the required documentation can easily exceed 15,000 pages, as illustrated by Tamas Visegrady of IBM Research - Zurich with concrete examples submitted by IBM. The currently highest security level (FIPS 140-2 level 4) has been attained by only a handful of cryptographic products, most of them from IBM.

Another major challenge to cryptographers is the conflicting requirements of various users. The comprehensive security of digital communication, for example, requires digital identification as well as encryption. In order to perform commercial transactions over the Internet, users must be able to trust that the declared sender of a given document is indeed the actual sender. This security is provided by a neutral organization that assigns digital certificates. The certificates commonly used today, however, contain much more information than necessary for a given transaction. E-commerce companies, for example, want as much information about their customers as possible in order to verify a customer's identity. Customers, in contrast, generally have a strong interest in protecting their privacy. A system called the Identity Mixer ("Idemix") has been developed at IBM Research - Zurich to address this dilemma, as was shown by Jan Camenisch. With the Idemix system, IBM researchers have developed an innovative security technology for online transactions that allows users to verify selected facts, such as access rights to a given online information service, without disclosing further personal information unnecessarily.

Not only is the global economy vitally dependent on the constant advancement of cryptography. Governments and the public sector are also increasingly significant users of secure information-processing methods. A particular case is that of electronic voting, which will become commonplace as soon as the appropriately trustworthy processes have been established. Such processes must not only record all votes cast, they must also ensure voters' anonymity as well as the confidentiality of the results until the election has been concluded. These requirements can be met by a sophisticated system based on asymmetrical encryption, stated Martin Hirt of ETH Zurich. He also showed capabilities, albeit still theoretical, to rule out election fraud such as the buying of votes, a security measure that is not provided by today's common practice of sending ballots by mail.

About the Zurich Information Security Center

The Zurich Information Security Center (ZISC) was founded in September 2003. The ZISC is a collaboration between members of ETH Zurich and industry, with the aim of providing a coordinated program of state-of-the-art research and education in information security and establishing Zurich as a hotbed for research in that field. The ZISC was originally driven forward by Jürg Nievergelt, Ueli Maurer, and Bernhard Plattner of ETH Zurich and Matthias Kaiserswerth, Michael Waidner, and later Günter Karjoth of IBM Research - Zurich. As part of this effort, ETH Zurich also created a faculty position dedicated to the objectives of the ZISC.

Press contact

Nicole Strachowski
Media Relations
IBM Research - Zurich
Tel +41 44 724 84 45
