This lecture summary is part of the Lecture Series on HPI Research in the summer term (SoSe) 2024 and describes the presentation by Prof Anja Lehmann from July 2nd, 2024 at the Hasso Plattner Institute in Potsdam.

An overview about the research on Cryptography and Privacy by Prof. Dr. Anja Lehmann

Since 2020 Prof. Lehmann is head of chair of Cybersecurity – Identity Management at Hasso Plattner Institute Potsdam. Her work specifically addresses the area of Cryptography and privacy, where she is designing and analysing cryptographic protocols with provable security guarantees  with a focus on privacy enhancing technologies [1,2]. Prof. Lehmann holds a PhD in cryptography from the Darmstadt University of Technology (2010) and has been a researcher in the Security and Privacy group of IBM Research Zurich, where she was involved in various EU Projects. Additionally, to her research at HPI, she is part of numerous steering and program committees and speaking at conferences and summer schools [1].

A. Goal and Background of Cryptography and Privacy Research

Cryptography originally referred to the art of encrypting messages to make them unreadable to anyone but the intended recipient. Modern cryptography has evolved from an art to a science, characterised by systematic design and provable security. It encompasses various techniques beyond simple encryption, including secure communication protocols used in many applications.

Modern cryptography is based on three main principles. First, the formal security definition involves defining the meaning of security with detailed goals to enable formal analyses. The second principle describes and builds a systematic and public design of cryptographic protocols. This approach relies on well-understood components and follows Kerckhoff's principle, which states that the security is based on the secrecy of the key, not the system. Finally, provable security focuses on providing formal proofs of the security of a construction by reducing it to well-studied assumptions, such as hard mathematical problems. This helps to provide very strong security.

Essentially, modern cryptography is unbreakable if the assumptions are held, no mistakes are made, and within the specified model. The problem is that systems implementing these cryptographic techniques are not due to various vulnerabilities such as human error, implementation flaws, and the potential for better cryptanalysis techniques or the advent of quantum computers. Even if the underlying cryptography is strong, practical implementations may have weaknesses that can be exploited. To address these weaknesses, the primary goal is to ensure secure communication over insecure channels and to protect data from unauthorised access.

Cryptographic research is important for developing more secure protocols and improving existing methods. Therefore, Prof. Lehman and her research group focus on applied cryptography. This includes the definition, development, and analysis of systems that are resistant to manipulation and unauthorised use. In addition, they design new provably secure cryptographic protocols or analyse existing ones. Important questions are how to provide functionality in a data-minimising and privacy-preserving way in technologies, and how to make cryptography accessible to end-users in password-based cryptography. Their research methodology is outlined below (Fig 1).

Fig 1: Applied Cryptography as a Research Field: The systematic approach to applied cryptography with the definition, development and analysis of systems (protocols) that are resistant to manipulation and unauthorised usage (reproduced from [3])

B. Privacy-Enhancing Authentication

Authentication is one of the very basic goals of modern cryptography, for which it is abundantly used everywhere in the modern (digital) world. It aims towards proving the origin of information, and the fact that it has not been tampered with. In its core essence, the problem of authentication is solved using modern cryptography employing a combination of digital signatures being unforgeable without knowledge of the signer’s secret key, and a certificate issued from a trusted authority establishing context for the information to authenticate.

Whilst this combination of techniques allows for successful and secure authentication, it comes with the downside of being highly verbose. On usage, the certificate reveals all information about the user it contains to the verifier, even if such a reveal might not be necessary for the task at hand. Additionally, authentication of the same user under the same key pair can be linked and connected through publicly available information.

Anonymous Credentials - Basics

The need for the ability to authenticate without full identification, that is without revealing all information about one's identity, led to the proposal of anonymous credentials.

Just like with normal authentication, a user is assigned a certificate from a trusted issuer. The validity of this certificate can be verified against the public key of the issuing instance. However, a user can now choose to only reveal a specific set of attributes with every usage of the certificate. Despite such a redaction of information, the certificate can still be verified under the issuer’s public key, and therefore be judged with regards to its validity. Furthermore, presented credentials with reduced information can in no way be used to trace back to the original certificate.

There are a number of other attributes of anonymous credentials which further aim towards reducing information leakage and traceability, like multi-show unlinkability requiring the inability of the verifier to tell whether multiple presentations of credentials belong to the same user.

Anonymous Credentials - Theoretical Background

The implementation of anonymous credentials is based on two fundamental building blocks.

The first one are Zero-Knowledge proofs. Such proofs aim towards proving a statement without revealing any information besides the validity. In the context of authentication, such a proof might aim towards showing membership in a specific group without revealing anything about the user but the fact that he is indeed a member.

The second building block are signatures allowing for efficient zero-knowledge proofs, therefore making real-world application of zero-knowledge proofs for anonymous credentials feasible.

Both of these building blocks do indeed already exist, however, as of today, they are not widely used in practice, and deployment in real-world protocols ranges from limited to basically non-existent.

Anonymous Credentials - In Practice & Academic Work

At HPI, Prof. Lehmann and the Cybersecurity – Identity Management chair are working on creating real-word applicable protocols for anonymous credentials.

One of the real-world applications is Vehicle-to-Vehicle(V2V) authentication. In such a setting, vehicles exchange gathered information with surrounding vehicles, requiring all properties of anonymous credentials. Only legitimate vehicles should be allowed to exchange messages, and drivers/vehicles should not be trackable by a specific and unique identifier. If deemed necessary however, a sender's identity should be available to a controlling instance.

The Identify Management chair is currently working on the problem of anonymous, privacy preserving credentials in V2V communication. To do so, multiple challenges need to be solved, like the fact that V2V communication bandwidth is highly limited (300 bytes), therefore requiring custom tailored signature solutions to fit this threshold. Furthermore, anonymous signatures suffer from the issue that, when the underlying messages are already potentially identifying (like sensor data from a car), the anonymity of the sender can not be guaranteed. Therefore, the chair also worked on encryption for V2V communication. The approach based on authenticated encryption solves this challenge by only allowing valid vehicles to decrypt messages, denying eavesdropping attacks, and guaranteeing authentication and confidentiality alike [4]. 

C. Password-based Cryptography

The second big research topic at Prof. Lehmann’s chair deals with the question of password-based cryptography. This topic is motivated by one of the very fundamental questions of cryptography: how are users able to securely store and manage cryptographic keys? The question directly stems from Kerckhoff's principle, stating the security of a cryptographic system to be solely dependent on the secrecy of the key, and not on the secrecy of the system itself. With this comes the direct realisation, that without a secure way to store and manage keys, cryptographic security can not be achieved.

Issues with classic Password-based Cryptography

In the context of human usable keys, passwords may initially seem highly suited, as they are memorizable, but changeable at will. However, systems reliant on the integrity of user passwords are often threatened by server compromise, endangering the secrecy of stored password hashes. Following from this the passwords are also at risk via brute force attacks, and significant password re-use across different services.

“Modern” Solutions to Password-based Cryptography

Modern cryptography can be used as an approach to tackle insecurities that come with password based authentication. Invented in the 1990’, the asymmetric password authenticated key exchange (aPAKE) can be used to securely authenticate a password between a client and a server, by not sharing the actual password with the server during the login. Instead, both parties (client and server) provide their information (a password for the client, a password file for the server) to the cryptographic system, in which a session key is generated and returned to both entities on success.

Due to patent issues, the first widely usable aPAKE protocol Secure Remote Password (SRP) was only released in 1998. Due to its unconventional usage of cryptographic building blocks, SRP could not be considered provenly secure for a long time. Prof. Lehmann’s chair at the HPI managed to release a novel security proof for SRP(6a) in 2024 [5], proving security for a protocol widely used in everyday appliances.

To tackle the still prevalent issue of insecure servers, the chair further researched the question of distributed password-based authentication. To do this, a multi-server setting was proposed, where in principle, information about the password is shared between n servers, and the successful infiltration of n-1 servers does not reveal anything about a key derived from the password, which is used for the authentication [6].

The aforementioned solutions to problems with password-based security allow for the secure usage of passwords, enabling a very user friendly approach to security, and therefore unifying the call for both security and usability.

D. On the Moral Side of Cryptography and a glimpse into the past and current  "Crypto War"

In the 1980s the increase and fast development in technology called for the development of robust cryptographic systems to safeguard privacy. In civil society several movements such as the Cypherpunk Manifesto in 1993 [7] emphasised privacy as a fundamental human right and that its necessity to defend. Organisations such as the Electronic Frontier Foundation (EFF) [8], founded in 1990, and the Chaos Computer Club (CCC) [9], established in 1981, played significant roles in advocating for digital privacy. The conflict between governmental surveillance and the right not to be surveilled is a critical issue and an essential part of the concept of "Crypto War".

Examples for governmental efforts to provide cryptographic technology but with a way to have still access to the information encrypted if needed, are NSA's Clipper Chip [10] or the Crypto AG scandal [11], revealed in 2020, uncovered how the CIA and BND used a Swiss company as a backdoor for espionage. During that time, cryptographic practices were  highly regulated by governments, with keys over 40 bits classified as munitions, restricting their export. However, Phil Zimmermann's creation of Pretty Good Privacy (PGP) [12,13] in 1991 and his strategy of printing the source code enabled the circumvention of these export restrictions, leading to easier export of cryptographic technologies.

From 1990 to 2013, trust in government led to minimal use of encryption. However, in 2013 Edward Snowden's revelations [14] exposed extensive global surveillance programs, showing how governments are exploiting cryptographic standards and insertion of backdoors for access. Phil Rogaway's paper [15] explores the ethical dimensions of cryptography and underscores its role as a political tool. Today, approximately 90% of internet traffic is encrypted, although some platforms such as Telegram remain exceptions.

Currently new regulations and initiatives from governing bodies are working on paths for encryption as well as governmental influence and ability to use technology surveillance for crime detection. Recent EU regulations, such as the 2022 chat control initiative [16], mandate screening for messages before sending under the aim to combat sex crimes and terrorism,  which could pose significant privacy risks [17]. Particularly in cases such as large governmental initiatives the cryptographic community is actively engaging, writing letters and participating in technical advisory boards to address these issues [18-20], which is not always easy.

E. Summary

The lecture first outlined the history of cryptography. Over time, the "art" of encryption has developed into a science that enables secure communication via insecure channels. Today it is based on formal security definitions, systematic protocol designs and verifiable security. Although the underlying cryptography is often considered unbreakable, implementation errors and new threats such as quantum computers can create vulnerabilities.

Prof. Lehmann's research aims to address such vulnerabilities by developing secure communication protocols and privacy-friendly authentication methods.

One of her focuses is on password-based cryptography (PBC), which addresses threats such as server compromise and password reuse. Another is on Privacy-Enhancing Technologies (PET), i.e. anonymous authorizations that allow users to authenticate themselves without fully revealing their identity. This is done on the basis of zero-knowledge evidence and allows only specific attributes to be disclosed with each use, without enabling traceability to the original certificate.

In addition to technical research, Lehmann also emphasises the social and ethical aspects of cryptography. The conflict between the state's interest in surveillance and the right to privacy is a key issue, especially in the era of "crypto wars". Historical examples such as the NSA's Clipper chip and the Crypto AG scandal show how state actors have tried to gain access to encrypted information. Edward Snowden's revelations revealed extensive and global surveillance programs and showed how governments exploited cryptographic standards.

Cryptography is a challenging field of research. It solves real-world problems with elegant mathematics and complexity theory. The research community is committed to addressing moral issues of societal impact and responsibility, including political and legal hurdles such as chat control proposals in the EU that could pose a threat to privacy.

Prof. Lehmann's research emphasises the need for robust cryptographic solutions to ensure privacy in the digital era, combining technical innovation with ethical considerations.

G. References

[1] Hasso-Plattner-Institut, "Anja Lehmann," 2024. [Online]. Available: https://hpi.de/lehmann/team/anja-lehmann.html. [Accessed: 15-Jul-2024]​ (Hasso Plattner Institut)​​ (Hasso Plattner Institut)​​ (Hasso Plattner Institut)​.

[2] Hasso-Plattner-Institut, "Recent Publications," 2024. [Online]. Available: https://hpi.de/lehmann/publications.html. [Accessed: 15-Jul-2024]​ (Hasso Plattner Institut)​​ (Hasso Plattner Institut)​.

[3] Anja Lehmann, "LSHPI Lehmann CryptoPrivacy" presented in the Lecture Series on HPI Research SoSe 2024, Potsdam, 02.07.2024. [Online]. Available: moodle.hpi.de/pluginfile.php/52874/mod_resource/content/0/LSHPI_Lehmann_CryptoPrivacy.pdf [Accessed: 15-Jul-2024]

[4] Camenisch, J., Drijvers, M., Lehmann, A., Neven, G., Towa, P.: Zone Encryption with Anonymous Authentication for V2V Communication. IEEE EuroS&P. pp. 405–424 (2020), Available: https://hpi.de/lehmann/publications/Document/anja.lehmann/2020-v2v.pdf/715aba6f09a64dae83df43f8fa9e6259.html?tx_extbibsonomycsl_publicationlist%5Baction%5D=download&cHash=61e23cd703371c4b5d9e05fd2fc7dd1d

[5] Anja Lehmann & Dennis Dayanikli, Provable Security Analysis of the Secure Remote Password Protocol, IEEE CSF, 2024, Available: https://hpi.de/lehmann/publications/Document/anja.lehmann/2023-srp.pdf/87430875546ab141b9f1b9c20fc46722.html?tx_extbibsonomycsl_publicationlist%5Baction%5D=download&cHash=b4b717b77bc49ec4659b4a1317e5e294

[6] Baum, C., Frederiksen, T., Hesse, J., Lehmann, A., Yanai, A.: PESTO: Proactively Secure Distributed Single Sign-On, or How to Trust a Hacked Server. IEEE EuroS&P. pp. 587–606 (2020). Available: https://hpi.de/lehmann/publications/Document/anja.lehmann/2020_pesto.pdf/3a35455eeebce6f4b3b97e447910d8cd.html?tx_extbibsonomycsl_publicationlist%5Baction%5D=download&cHash=c06912d30f0f4181a6e1881e7c5eb031

[7] E. Hughes, "A Cypherpunk’s Manifesto," 1993. [Online]. Available: https://www.activism.net/cypherpunk/manifesto.html. [Accessed: 15-Jul-2024].

[8] Electronic Frontier Foundation, "Electronic Frontier Foundation," n.d. [Online]. Available: https://www.eff.org/. [Accessed: 15-Jul-2024].

[9] Chaos Computer Club, "Chaos Computer Club," n.d. [Online]. Available: https://www.ccc.de/. [Accessed:15-Jul-2024].

[10] Electronic Privacy Information Center, "Clipper Chip," n.d. [Online]. Available: https://archive.epic.org/crypto/clipper/. [Accessed: 15-Jul-2024].

[11] G. Miller and Washington Post Team, "The CIA’s Secret Communications Operation," 2020. [Online]. Available: https://www.washingtonpost.com/graphics/2020/world/national-security/cia-crypto-encryption-machines-espionage/. [Accessed:15-Jul-2024].

[12] C. Heinrich, "Pretty Good Privacy (PGP)," in H. C. A. van Tilborg, Ed., Encyclopedia of Cryptography and Security. Boston, MA: Springer, 2005. [Online]. Available: https://doi.org/10.1007/0-387-23483-7_310. [Accessed: 15-Jul-2024].

[13] P. Zimmermann, "Background," n.d. [Online]. Available: https://www.philzimmermann.com/EN/background/index.html. [Accessed: 15-Jul-2024].

[14] The Guardian, "The NSA Files: Decoded," 2013. [Online]. Available: https://www.theguardian.com/world/interactive/2013/nov/01/snowden-nsa-files-surveillance-revelations-decoded. [Accessed: 15-Jul-2024].

[15] P. Rogaway, The Moral Character of Cryptographic Work, 2015, Department of Computer Science, University of California, Davis, USA [Online]. Available: https://eprint.iacr.org/2015/1162.pdf. [Accessed: 15-Jul-2024].

[16] European Commission, "COM/2022/209 final," 2022. [Online]. Available: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2022%3A209%3AFIN. [Accessed: 15-Jul-2024].

[17] J. Reda, "Stellungnahme von Julia Reda," n.d. [Online]. Available: https://www.bundestag.de/resource/blob/949082/b5ef0605247abdfa8f64af1d833c81f9/Stellungnahme-Reda-ENG.pdf. [Accessed: 15-Jul-2024].

[18] Max-Planck-Institut, "Max-Planck-Institut," n.d. [Online]. Available: https://nce.mpi-sp.org/index.php/s/cG88cptFdaDNyRr. [Accessed: 15-Jul-2024].

[19] Open Letter on EIDAS Regulation, "EIDAS Regulation," 2023. [Online]. Available: https://eidas-open-letter.org/statement-23-11-2023.pdf. [Accessed: 15-Jul-2024].

[20] EU Digital Identity Wallet, "Issue #200," n.d. [Online]. Available: https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/issues/200. [Accessed: 15-Jul-2024].