Introduction to Protection of Long-Lived Systems
Formal metadata
Title | Introduction to Protection of Long-Lived Systems
Number of parts | 18
License | CC Attribution 3.0 Germany: You may use, modify, and reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal purpose, provided you credit the author/rights holder in the manner they have specified.
Identifiers | 10.5446/48677 (DOI)
Transcript: English (automatically generated)
00:01
Welcome, everybody, to our workshop on the protection of long-lived systems. I will give the introductory talk. My name is Johannes Buchmann. I am a computer science professor at the Technische Universität Darmstadt,
00:22
which is right here. Actually, the castle that you see in the back is part of our university. I would like to welcome you all. It is a great pleasure to see you all, that you came. And I would like to make some introductory remarks before we start with the individual talks.
00:50
So the topic of long-lived systems or protection of long-lived systems is a topic that I find personally, and a number of you who came from far, find important.
01:09
So typically, cybersecurity and cryptography in particular is about protection. For example, encryption. And when we talk about encryption, we say we protect confidentiality.
01:24
I will come back to this. But there is a question that we, I find, have not asked sufficiently intensively, namely, how long do we protect things?
01:41
And so this is the issue about quantifying security. So let me talk about the challenge a little bit. So I have shown this picture sometimes, and you may have, some of you may have seen it.
02:03
So there is this statement of Obama in 2015, where he is saying in the State of the Union address, "Tonight I'm launching a new precision medicine initiative to bring us closer to curing diseases like cancer and diabetes, and to give all of us access to the personalized information we need to keep ourselves and our families healthier."
02:30
Now this is about personalized information, and we have a picture on the other side that symbolizes an electronic health record.
02:41
And the issue is, if we protect this health record, and we will come to the protection goals in a minute, for how long do we have to keep this in an archive, and for how long do we have to protect this? So this requires long-term archiving, and there are a number of elementary protection goals, namely, integrity.
03:14
Now integrity is an interesting issue. Integrity typically refers to data not having been changed.
03:23
But obviously the question is, since when? So integrity is not, sort of, a static protection goal. So when we say the data have not been changed since yesterday, and yesterday there was an adversary who changed the data for the worse, integrity means nothing.
03:47
So we really would like to know whether the data existed at time T0, when the data were archived.
04:00
Likewise, confidentiality. Now when we enter the data into the archive, then on the one side we have to protect the data in transit. Adversaries can get information about the data in transit, and we have to protect the data at rest.
04:20
Now there are, in addition to medical data, a number of other examples that we will hear about, and that we may discuss. Genomic databases, tax data, government secrets, and so forth.
04:40
And then there is cryptographic protection, which is typically signatures, and there is confidentiality protection by cryptography, which is typically encryption. But as you all know, complexity-based cryptography may not provide long-term protection.
05:01
That is the reason why we study this. Here we see this paper, the RSA paper, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems". And they say, in regards to the protection period, using 200 digits provides a margin of safety against future developments.
05:22
And if you look into the data, then you see this is not exactly true. So you see what we can factor today. So the record is this special 361-decimal-digit number, which is more than 1024 bits.
05:46
And so in 2009, we could factor 232-digit numbers. In 2003, we were already pretty close. So there is no way that we can really protect data for the long term. And now the question is, how long will it take for bigger numbers to be factored?
06:05
One topic that interests us is the work of Shor. So quantum computers will be able to break it. And then we had, earlier this year, we had this workshop in Fukuoka.
06:30
And NIST was there and was announcing post-quantum cryptography. I mean, they will have a call for the proposals of post-quantum cryptography.
06:42
And they were saying the following: "The sky is falling?" When will a quantum computer be built that breaks current crypto? And they were quoting Matteo Mariantoni. And he was saying, 15 years, 1 billion US dollars, and a nuclear power plant to break RSA-2048.
07:01
This is his prediction. We will hear more about this perhaps, but this is the prediction of 15 years. So the question is, what do we do with long-term protection? And you can see, I mean, this is also something I found a couple of days ago: investors can now participate in the quantum computing revolution.
07:22
So it may very well be that there will be quantum computers soon. Now, we see and we will also have contributions about this. Long term protection is possible. So for example, if you may know this, and Denise will talk more about this,
07:40
it is possible to extend the validity of signatures. You can re-sign. So you use timestamps for this, and then you use sequences of timestamps to prolong the validity of an individual signature.
08:07
Yes, you start with some timestamp by time t0. And then shortly, so the green, so the red symbolizes the signature scheme becoming insecure over time.
08:24
So before this becomes insecure over time, then you replace it by new timestamps. However, you timestamp also the old timestamp. And it is logically very interesting. So I was giving a presentation in Lausanne a couple of weeks ago,
08:41
and we were discussing this and people did not believe this. They did not believe that you can extend this. But in fact, you can mathematically prove that, as long as you do it sufficiently early, this works. So we can extend this. And then when you want to prove it, then you take this timestamp and the sequence of previous timestamps and it works.
09:03
So in fact, there is even a Request for Comments, RFC 4998, that does this. However, the confidentiality is not clear, because what happens is, when you want to do this, then you send a hash of your document to the timestamp authority.
09:23
And when you send a hash of the document to the timestamp authority, the hash function may be compromised after a time, and then you may get information about that data. So this works, but it does not protect confidentiality. And you can see there are successful attacks against hash functions.
09:40
And we have to find some other solution here. Now there is this other question of can we prolong encryption? And I also discussed this several times with people. And first of all, they thought, yeah, you can re-encrypt. And the question is, can you really re-encrypt?
10:01
And well, I mean, the people here may be experts on this a little bit. And it is obviously not possible to re-encrypt. Why? Because when you have, you encrypt, yeah, you do encrypt, then the adversary may obtain the ciphertext,
10:23
and then the adversary may keep the ciphertext. So for the adversary, maybe the NSA. And there is this data center of the NSA, and there's big speculations going on about how big this data center is. And it is, well, I mean, if you look it up on Wikipedia,
10:41
you see that it has up to 140 terabytes for every person in the world. 140 terabytes. We don't exactly know. So what they in principle can do is this. They can in principle store the data now and decrypt them later.
11:00
So they just wait for 10 years. They just wait for 15 years. If it is relevant to them, I'm not saying, and this was sort of a controversial issue in several of the talks that I gave before, where people say they are not going to do this. I mean, store the data of every person in the world. This is not the issue. The issue is that what I would like to say is this.
11:22
This gives you a feeling for the size of this data center. And I think obviously these, and we have experts here who have a lot of experience with these services.
11:41
For example, we have the former president of the German Federal Office for Information Security, who will give a talk later, and he can probably comment on this. Then after the Snowden thing, I was talking to the people of the German Federal Office for Information Security. What they were saying was they somehow expected this,
12:01
but they did not expect that this would happen to this extent. You may want to comment on this later. Anyway, so this is possible, and I think this may happen. So long-term confidentiality is a much bigger issue,
12:22
and what you can do, and we will also see a solution that we in Darmstadt together with our colleagues of NICT in Tokyo recently completed, is that you can protect the data in transit by the one-time pad. And you know that the one-time pad is provably secure, so you find the ciphertext 5,000 years later,
12:43
and you cannot get any information from it. And then what we think is an interesting approach, and therefore we have also a rather big session on quantum cryptography,
13:00
in particular quantum key distribution. You combine it with a quantum key distribution, and you get information theoretic secrecy. So this is in principle possible, and there is many practical applications of this already, and we will hear about this.
13:20
Now it is very interesting to now compare this with data at rest. Can you do the same thing with data at rest? So you have your data in the archive. Can you use the one-time pad? And well, the disadvantage is the one-time pad has a key that is as big as the data to be protected.
13:48
So in this sense, when you try to protect data at rest using the one-time pad, then you reduce the problem to itself. Then protecting 5,000 gigabytes is reduced to protecting 5,000 gigabytes.
14:05
No progress being made. So this is not possible. And it is very interesting, I find, it is very interesting that protection of data at rest and data in transit, when it comes to the long term, is not the same thing.
14:20
In short term it is similar. And why is this similar? I personally find that the reason is encryption reduces the protection of, I mean, complexity-based encryption reduces the protection of large data to the protection of small data. This is it. And here it reduces the protection of large data to the protection of large data, which doesn't help.
14:44
So we have to think of something else. So proactive secret sharing is the solution. We will hear this and we will also have talks about this. But this is a totally different concept, secret sharing, as compared to encryption. There's no encryption involved anymore.
15:03
I'm not going into the details. All I'm saying, I'm sort of opening this so we have to share and then we have to renew the shares after a while and this is what we do. It may also happen, and we have experts from the quantum crypto community here,
15:22
it may also be true that if we have AES, for example, AES-256, we expect that it is secure or protects for a kind of long time, and we could combine this with other technologies. This is also something we don't know.
15:40
Okay, so this is a little bit of technology. So what are our challenges, really? And what I would like to, what we would like in Darmstadt to do is, we would like to start the discussion about long-term protection. And what I propose is that if those of you who have time after the talks are over on Tuesday,
16:09
that we gather on Tuesday afternoon for an hour and talk about the question, what is a good strategy to organize research regarding the protection of long-lived systems in the future?
16:22
So we will make an announcement where we meet and where this happens. And Masahide and I, we were talking about the question of having some sort of memorandum regarding the protection of long-lived systems as a result of this workshop.
16:47
Okay, so this is something I would like to do. And I find there is a number of further challenges. For example, I mean, this was just a protection of data in archive. Now what about the cloud?
17:01
Things become much more complicated. Now you need, in addition to the protection of integrity and confidentiality, you want privacy-friendly computing, verifiable computing. We will see this in the workshop. Now privacy-friendly computing means not only protecting the confidentiality but also allowing for operations in the cloud that do not conflict with privacy.
17:27
And even verifiable, knowing what the cloud is doing. And what about the Internet of Things? So we were also discussing this question, right? Now you have an archive and you can do all sorts of things.
17:40
But what about the Internet of Things? So if you have a pacemaker and the pacemaker sends data on a regular basis to some data station, do you want to do one-time pad encryption and quantum key distribution with the pacemaker? It's not so clear how to do this, right? So when it comes to small devices, it is really an issue how to do these things.
18:05
So this is only the start. I mean, the topic of archives is only the start, we find. So what I find, what the challenges are and what we should do,
18:23
and this is how we organized the workshop. So first of all, I would like to discuss with you, or we would like to discuss with you, the question, what are the requirements for long-term protection? I was discussing the following question in the research group recently.
18:46
People who are using WhatsApp have now the privilege of WhatsApp messages being encrypted. For how long would you like your WhatsApp messages to be encrypted?
19:02
So I was asking this question, suppose there is a website five years from now, where you can click on Johannes Buchmann, and then you can see all my WhatsApp messages from the previous years, no, no, from five years ago. Here are the WhatsApp messages of Johannes Buchmann from five years ago.
19:23
Would this be okay? I mean, this is not only me, this is also you. Imagine that there's the website five years from now, and then on the website you see a list of all your messages, and then you can read them all, right? And then people are saying, five years, well, maybe no.
19:43
What about ten years? So this is what I mean, I mean, this is this challenge. So what do we mean by protection of long-lived systems? Sometimes people say, well, look, I mean, this is no problem, and if I send a password, passwords are obviously, if you change them sufficiently often, there's no need for long-lived protection, right?
20:05
I mean, it is gone and this is it. But maybe, I mean, well, we can discuss this. But messages, email messages, well, they are open anyway, I don't know. So I would like to really discuss this question of what are the requirements for how long,
20:23
what kind of information must be protected for how long with which level of security. And then we should study the classical cryptography solutions. I already discussed this a little bit. I said that signatures can be prolonged unless you do it too late.
20:50
You have to do it before the signature becomes insecure. If you do it later, it's too late. How do you predict when the signature becomes insecure?
21:02
How do you predict this? There could be a sudden break of RSA-2048. What do we do then? Anyway, so what can classical cryptography solutions achieve? This is our second session. Then I personally and many of my colleagues now find that we should join forces
21:25
together with the quantum cryptography people. Quantum cryptography has this advantage of being information theoretic secure in the following sense. Security is guaranteed as long as the laws of quantum mechanics are valid.
21:43
And we think that the laws of quantum mechanics will be valid for a little longer. And even if there is a follow-up, for example, Newtonian mechanics is still OK in our world, in the normal world. So Newtonian mechanics is not wrong. Quantum mechanics will not be wrong.
22:01
And so there's a high guarantee in quantum cryptography solutions. However, they cannot do everything. So it is unclear and I think it is really impossible. I think Claude can comment on this a little bit. I think really digital signatures, as we want them, are hard to get from quantum cryptography.
22:22
Am I right or not? OK, good. So you see, this is what I want to know. So this combination interests us a lot.
22:40
And then finally, and this is the last thing, these are all solutions. But what about the models? When we model this, then we have to get time into our models. And there is not so many models yet. And we are in the process of discussing with several people to come up with models.
23:02
There are a number of experts here in the room who can say something about models. And so this is our session one, two, three, and four. And I would like to mention, and this is how I would like to conclude, we have a collaborative research center, which is on the bottom right, CROSSING. The German Research Foundation funds this collaborative research center.
23:24
Now we are 60 people working on this kind of issues. And one of the reasons why we have this workshop, we would like to have input and communication with the international scientific community about this topic because we take it very seriously. So with that, I would like to thank you very much for your attention.
23:46
And maybe there is some comments or remarks regarding this introduction. Okay, this is not the case.
24:02
Then I think we can start with session one. The chairman of session one is Masahide Sasaki from NICT in Tokyo. And I would like to turn it over.