Cryptology is the science that studies mathematical techniques in order to provide secrecy, authenticity and related properties for digital information. It also allows to establish trust relationships over open networks and enables the collaboration of mutually distrusting...
Cryptology is the science that studies mathematical techniques in order to provide secrecy, authenticity and related properties for digital information. It also allows to establish trust relationships over open networks and enables the collaboration of mutually distrusting parties towards achieving a common goal. Cryptology is a fundamental enabler for security, privacy and trust and it is strategic for realizing the Digital Agenda for Europe. Today cryptographic techniques are widely deployed at the core of computer and network security, and for applications such as digital identification and digital signatures, digital rights management systems, content retrieval, and tamper detection. However, there are a number of important challenges that are not addressed by the current state-of-the-art deployed cryptography. In addition, the threat model for our networks is evolving: cyberphysical systems are spreading and our critical infrastructures are increasingly connected; both require robust and long-term protection. There is also a growing understanding that ubiquitous protection of data using cryptographic algorithms and the distributing trust using cryptographic protocols, can play an important role in effectively reducing and managing the cybersecurity risks.
Europe is playing a leading role in the area of cryptology. The International Association of Cryptologic Research (IACR, 1600 members) organizes 3 flagship conferences each year with high quality contributions; one of these is held in Europe. European researchers play a very strong role in the workshops FSE (Fast Software Encryption), PKC (Public Key Cryptography), and CHES (Cryptographic Hardware and Embedded Systems). European successes in the area of cryptology include the AES, SHA-3, UMTS/3GPP, the smart card industry, and the NESSIE IST project. The Networks of Excellence ECRYPT (2004-2008) and ECRYPT II (2008-2013) have been recognized internationally for their contributions towards integrating cryptographic research in Europe. In spite of these efforts, the fast evolutions in the field and the growing need for cryptographic solutions require a strategic approach to bring together academia, industry and governmental stakeholders in order to develop a roadmap and foresight studies and to further build the community as discussed below.
In summary, there are major challenges for academic research and there is a substantial gap between the technologies and tools that are available today and that will be developed in the next five years and the current deployments in industry, that are between ten and twenty years old. There are major challenges with the security of the implementations that have been deployed. Finally, there is a very large potential for complex cryptographic techniques that allow for searching in and operating on encrypted data, proving statements about encrypted data without revealing it, and avoiding single points of failure through distributed architectures. These gaps need to be bridged to a focused action that brings together all key players, resulting in awareness and training, a research agenda, standardization and deployment.
The goal of this CSA is to strengthen European excellence in the area of cryptology and to build on the Network of Excellence ECRYPT and ECRYPT II to achieve a durable integration and structuring of the European cryptography community, involving academia, industry, government actors and defence agencies.
The ECRYPT-CSA project started in March 2015 and is set to run for 36 months. During the first reporting period, corresponding to the first 18 months of the project, the main focus was on the organization of 7 workshops in WP 1-2-3 and 3 workshops in WP4. The output of the work performed in RP1 is the production of the 10 corresponding white papers. A public website, blog and Twitter account were set up for external communication and an internal communication infrastructure including SVN and mailing lists was put in place.
The methodology adopted by WP1-4 is to organize workshops on the specific topics that we have identified. The workshops brought together a spectrum of key players in the area in particular experts from academia and industry.
WP1 – Symmetric Key (TASK 1.1 Authenticated encryption, TASK 1.2 Ultra low energy/power cryptography, TASK 1.3 White Box Cryptography)
WP2 - Public Key and Protocols (TASK 2.1 Tools for asymmetric cryptanalysis, TASK 2.2 Computing on Encrypted Data, TASK 2.3 Cryptographic protocols for small devices, TASK 2.4 Tools for Security modelling and proofs)
WP3 - Secure and Efficient Implementations (TASK 3.1 Cryptocurrencies, TASK 3.2 Security evaluation of implementations)
WP4 - Core application areas driven by industry/government needs (TASK 4.1 Post-Snowden crypto for the Internet, TASK 4.2 Privacy Enhancing Technologies, TASK 4.3 Cryptographic standards and evaluations)
WP5 - Standardization:
- Identified key players in cryptology standardization (including ISO, NIST, IETF) and in EU research projects in cryptology (PQCRYPTO, SAFEcrypto) and established contact with them.
- Consultation and update of the Algorithms and Key Length and Parameters document (D5.2); this is particularly important since ENISA has decided to not publish a new version in 2016.
- Coordination of input to ISO, NIST, and IETF on hot topics such as authenticated encryption, lightweight cryptology, postquantum cryptology, elliptic curve cryptology.
In terms of creating a community and developing a research agenda, ECRYPT-CSA has reached its goals in each of the three technical work packages (WP1-2-3).
In terms of application areas (WP4), the work on post-Snowden crypto was clearly important in managing to identify new research challenges that arise from changing threat models. The project has discussed these challenges at a large number of venues, both oriented towards academia (Eurocrypt, Symposium on Access control Models and Technologies, IEEE QRS) as in more policy- and industry-oriented fora (ISSE, Infosecurity, European Parliament).
In terms of standardization, there are coordination efforts at the level of ISO and NIST (both are dealing with lightweight crypto and postquantum crypto), IETF (TLS and secure channels) and ETSI (postquantum crypto). Overall the main concern is that standardization is strongly driven by the key US players (large US corporations and the US government) as well as NIST; Europe has the know-how to contribute, but the political will seems to be lacking to develop strong and open European standards for cryptology.
More info: http://www.ecrypt.eu.org/csa/.