


The Cryptography Group at Aarhus University
by Ronald Cramer

While cryptography historically has been merely about transporting data securely from A to B, the widespread use of computers in today's society poses new challenges to data security solutions based on cryptography. This goes far beyond virus protection and the like. In fact, we need secure implementations of quite complicated tasks that were earlier handled by the exchange of paper documents; examples are electronic commerce and payments, electronic elections, etc. In this way, cryptography has become an enabling technology that underpins, for instance, the security of countless home-banking systems across the world. The Cryptography Group at Aarhus University specializes in research on solutions of this kind, so-called cryptographic protocols. These can be based on public key cryptography such as RSA, but may also be based on security that is unbreakable in principle, for instance using secure channels protected by quantum cryptography. When modern cryptography started, in the 70s and early 80s, there was a large gap between theory and practice: solutions did exist whose security could be analyzed and proved rigorously, but these constructions were far too inefficient for commercial use; on the other hand, no good analysis methods were known for the systems that practitioners were happy with. One of our main goals in the Aarhus crypto group is to contribute to bridging this gap and to provide efficient constructions that are also provably secure. Several of our results, for instance in the design of digital signatures and public key encryption schemes, are in this direction. Our research is often conducted in close collaboration with other international universities and research labs. We briefly mention here a couple of concrete lines of research that we have been involved in recently.
The first of these is centred around secure electronic implementation of elections. Any election procedure needs to ensure that only people authorized to vote can actually do so, that the result correctly reflects the votes cast, that the privacy of voters is protected, and finally that the result can be verified after the election is over. Particularly the last two concerns may appear to be contradictory: if we can verify that all votes are counted and no one voted twice, it may seem necessary that each vote is linked to an individual voter, and so privacy would be violated. Fortunately, this is not the case: votes can be cast in encrypted form, after which all encrypted votes are combined to form an encryption of the result, which can then be decrypted and made public. Since this takes place without decrypting any single vote, privacy is still protected. Several of us have contributed to this area recently, for instance in designing protocols that scale well to large elections, or in providing formal security proofs for election protocols. Through our cooperation with Cryptomathic, an Aarhus-based security company, we are involved in an EU-supported project, 'EVote', that aims at making such systems commercially available.

In a more general direction, we have also been active in the design of general multiparty computation: an election may be seen as a game where a number of players (the voters) have inputs (how they want to vote) and we wish to compute some function on the inputs (the result of the election) securely, i.e., the result must be correct and we must protect the privacy of the inputs. It is in fact possible to compute any desired function in this way, and one of our main goals has been to provide solutions of this general type that are as efficient as possible.
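The "combine encrypted votes, decrypt only the aggregate" idea above, as an added example that is not part of the original article: the scheme chosen here is Paillier encryption (my choice; the article only says such tallying can be built on public key cryptography), whose ciphertexts multiply to an encryption of the sum. The demo primes are constructed and far too small for real use.

```python
# Added example (not from the article): tallying encrypted yes/no votes with an
# additively homomorphic scheme. Paillier is my choice of scheme; the article only
# says the tally can be built on public key cryptography. Toy key sizes are used so
# it runs instantly; a real deployment needs n of at least 2048 bits.
from math import gcd
import secrets

def keygen(p=1000003, q=1000033):
    # Constructed demo primes. n = p*q, lambda = lcm(p-1, q-1), g = n + 1.
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    mu = pow((pow(n + 1, lam, n * n) - 1) // n, -1, n)
    return (n, n + 1), (n, lam, mu)

def encrypt(pk, m):
    # Randomised: two encryptions of the same vote look unrelated, which is what
    # protects voter privacy when the individual encrypted ballots are published.
    n, g = pk
    while True:
        r = secrets.randbelow(n)
        if r > 0 and gcd(r, n) == 1:
            break
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)

def decrypt(sk, c):
    n, lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n

def add_encrypted(pk, c1, c2):
    # E(m1) * E(m2) mod n^2 == E(m1 + m2): the homomorphic property the tally relies on.
    n, _ = pk
    return c1 * c2 % (n * n)

def tally(pk, sk, ballots):
    """ballots: list of 0/1 votes. Returns (number of yes votes, number of ballots)."""
    encrypted = [encrypt(pk, v) for v in ballots]
    acc = encrypt(pk, 0)
    for c in encrypted:
        acc = add_encrypted(pk, acc, c)
    # Only the aggregate is ever decrypted; no single ballot is opened.
    return decrypt(sk, acc), len(ballots)
```

In a real election the decryption key would additionally be shared among several authorities, so that no single party can open individual ballots.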
A second trend goes towards providing so-called unconditional security: despite progress in the analysis of practical systems, all such schemes in use today are ultimately based on the assumption that certain problems, for instance factoring large integers, are difficult for an attacker to solve. Unfortunately, we do not know with certainty that any concrete problem really is sufficiently hard. One way around this is to use quantum communication: we send information encoded in the state of very small physical systems, typically single elementary particles. The behaviour of such small systems is governed by quantum physics, and this has some unexpected consequences: information sent in this way cannot be eavesdropped on without disturbing it in a way that the receiver can detect. By exploiting this fact properly, we can build channels with security that no amount of computing power can break. These facts have been known since the early 1980s, and the first experimental implementation is from 1990. In collaboration with the Physics Department in Aarhus, we have built a fully operational quantum cryptography prototype and analyzed its security against realistic attacks.

The research group in Cryptography at Aarhus University consists of the following members: head of group Ivan Damgard, senior researchers Ronald Cramer and Louis Salvail, and PhD students Jesper Buus Nielsen, Mads Jurik, Maciej Koprowski, Jens Groth, Kasper Dupont, Kirill Morozow and Jesus Fernandez.
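The eavesdropping-detection property of the quantum channel described in the second research direction above, as an added example that is not from the article or the group's prototype: a purely classical simulation of the BB84 key distribution protocol (my choice of concrete scheme). Measuring a photon in the wrong basis yields a random bit, so an interceptor who measures and re-sends leaves errors that the legitimate parties see when they compare their sifted keys.

```python
# Added example (not from the article): classical simulation of BB84, chosen here as
# the concrete protocol behind "eavesdropping is detectable". A measurement in the
# preparation basis returns the encoded bit; in the other basis it returns a random bit.
import random

def measure(bit, prep_basis, meas_basis, rng):
    # Same basis: the encoded bit is recovered exactly.
    # Different basis: the outcome is a uniformly random bit.
    return bit if prep_basis == meas_basis else rng.randint(0, 1)

def bb84(n, eavesdrop, seed=0):
    """Send n qubits. Returns (sifted key length, observed error rate)."""
    rng = random.Random(seed)          # seeded so the run is reproducible
    a_bits = [rng.randint(0, 1) for _ in range(n)]
    a_bases = [rng.randint(0, 1) for _ in range(n)]  # 0 = rectilinear, 1 = diagonal
    b_bases = [rng.randint(0, 1) for _ in range(n)]
    b_bits = []
    for bit, ab, bb in zip(a_bits, a_bases, b_bases):
        if eavesdrop:
            # Intercept-resend: the interceptor guesses a basis, measures, and
            # re-prepares the qubit in that basis before forwarding it.
            eb = rng.randint(0, 1)
            bit, ab = measure(bit, ab, eb, rng), eb
        b_bits.append(measure(bit, ab, bb, rng))
    # Sifting: keep only positions where the (publicly announced) bases agree.
    sifted = [(a, b) for a, b, ab, bb in zip(a_bits, b_bits, a_bases, b_bases) if ab == bb]
    if not sifted:
        return 0, 0.0
    # Error estimate over the whole sifted key; a real protocol sacrifices only a
    # random sample and keeps the rest as key material when the rate is low enough.
    errors = sum(1 for a, b in sifted if a != b)
    return len(sifted), errors / len(sifted)
```

Without interception the sifted keys agree exactly; with intercept-resend about a quarter of the sifted bits disagree, which is far above any threshold a receiver would accept.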