TAIPEI (Taiwan News) — Japan-trained cryptography professor Raylin Tso (左瑞麟) recently talked to Taiwan News about how cryptography has evolved in Taiwan and how cross-professional research collaboration can address the ever-evolving cyber threats to data.
Tapped to lead the establishment of National Chengchi University's (NCCU) information security center, Tso is now teaching at the Department of Computer Science as a distinguished professor and heading the master's program in Information Security. On Aug. 1, Tso stood on the stage at the launch ceremony of the Quantum Safe Migration Center in a new role as a consultant.
He expressed hope that the Quantum Safe Migration Center will serve as a catalyst for exchange and collaboration between academic institutions as an important step toward quantum-safe cybersecurity.
Tso's undergraduate work was in industrial engineering at Taiwan's Tsing Hua University. He got into cryptography, unexpectedly, in his graduate and post-graduate studies in Japan and returned to Taiwan in 2008 to teach at NCCU, which is known for its humanities and social sciences.
Tso said back then, the two main types of encryption used in cryptography were symmetric and asymmetric, and he opted for asymmetric encryption. "I later realized that cryptography involved not only encryption, decryption, and digital signatures but also various techniques for safeguarding privacy and personal information, such as zero-knowledge proofs (ZKP), secret sharing, blockchain, and homomorphic encryption," he said.
Twenty years ago, post-quantum cryptography (PQC) received less attention as quantum technologies seemed to be a pipe dream, and Japan had only a few scholars working on lattice-based cryptography. "It did not change until a decade later, when quantum computers seemed to be possible and people realized their capability to crack public key encryption," Tso said.
Urgent action needed
Professor Tso explained the characteristics of quantum computers, which include incredibly fast computation speeds and proficiency in solving problems with periodic properties. Decades ago, researchers had already begun designing algorithms, anticipating that if quantum computers were successfully developed, they would have the capability to solve some crucial mathematical problems.
Many of today's mainstream public-key cryptographic applications are based on these mathematical problems, such as integer factorization and discrete logarithm problems. These cryptographic methods are used in various fields, including financial transactions, mobile networks, and the Internet of Things, to ensure the security of secret information transmission, secure authentication, and identity verification.
"In the future, with the commercialization of quantum computers, they will have the potential to break more than 90% of public-key cryptographic systems," he said.
Taking the example of a central bank's digital signature, if it does not use public-key cryptographic techniques resistant to quantum computer attacks, digital signatures could be forged, potentially leading to counterfeiting of the central bank's digital currency. If traditional public-key cryptographic techniques are used, once a hacker obtains important information such as the private key and ciphertext, they could instantly decipher all encrypted information. This poses a significant threat to security, with far-reaching consequences, Tso warned.
There exists a divergence in perspectives between the academic and industry sectors regarding Information Security. The industry tends to prioritize immediacy, emphasizing the need to address current challenges and provide solutions and tools to combat issues like social engineering, ransomware, computer viruses, and more. However, the academic viewpoint is more forward-looking and long-term in nature. Scholars focus on in-depth research and pay attention to issues that need to be addressed in the next five to 10 years.
Professor Tso pointed out that when looking at the broader landscape of concerns, there are three main areas to consider. First is post-quantum cryptography, second is privacy protection, and third is the development of digital currencies.
Tso further elaborated on quantum security and emphasized its significance. He pointed out that the threat posed by quantum computers could emerge at any time. Therefore, it is essential to proactively address this issue before the advent of quantum computers. During this transitional period, we should consider gradually migrating data to encryption systems based on post-quantum cryptography. The purpose of doing so is to ensure that in the future when quantum computers might pose a threat to traditional encryption systems, our data remains secure.
Secondly, to enable accurate predictions by AI, we require vast amounts of data for analysis and training, he said. When AI intersects with information security, one widely discussed issue is privacy protection. As AI applications become increasingly pervasive, such as in healthcare, finance, social media, and more, ensuring that personal data is not misused or exposed becomes a significant challenge.
Thirdly, ensuring privacy in the development of digital currencies is a critical concern. With the rise of digital currencies like Bitcoin and Ethereum, countries worldwide are starting to prioritize the development of digital currencies and contemplating the issuance of their own Central Bank Digital Currencies (CBDCs). Taiwan is also in the process of planning and designing its CBDC.
Security is a focal point in the development of CBDCs, including considerations related to traceability and privacy protection. China announced the rollout of its digital currency during the Beijing Olympics, and places like South Korea, Japan, the European Union, and the United States are also progressing with their own digital currency initiatives. Concerns surrounding the security of digital currencies are actively being addressed through planning and research efforts in various countries.
Theory to practice
Tso said there is a popular proverb at universities in Taiwan that goes, "Industry raising issues and academia providing solutions."
Tso highlighted that financial knowledge is a form of domain knowledge, and individuals with an information technology background may not necessarily understand the intricacies and requirements of the financial sector. Therefore, research related to financial issues should closely collaborate with the industry.
As an example, he mentioned the NCCU Information Security Center, which can leverage the expertise and resources of the NCCU College of Commerce and the Financial Technology Center to develop financial security systems or address cybersecurity issues related to financial technology effectively. This collaborative approach ensures that the solutions and systems developed align with the specific needs of the financial industry.
In that case, cross-functional collaboration is needed to solve the issue and that is what NCCU's information security center is about to do. Professors from the school's business academy, FinTech Research Center, and Information Security Center teamed up to develop a system catering to the needs of local financial institutions, Tso said.
Central banks around the world, including those of China, South Korea, Japan, the E.U., and the U.S., have been working on their own digital currencies and crypto security. The Taiwanese government has also begun discussing whether to develop its own digital version of the NTD or to go digital.
Against this backdrop, he said that NCCU was commissioned by the National Science and Technology Council (NSTC) to plan comprehensively from architectural design to security construction and analysis. The development of digital currency is a primary focus within this framework.
Tso emphasized that while different countries may use different construction methods for their CBDC, the fundamental security features of digital currencies are essentially the same: tamper-proof, non-reusable, non-traceable, and capable of being used in power outages or offline situations.
Professor Tso emphasized a crucial point that the biggest issue in cybersecurity ultimately comes down to people. Individual cybersecurity awareness and education are paramount for protecting against cybersecurity threats. Even if a company has robust cybersecurity equipment and protective measures in place, if its employees lack cybersecurity awareness, they can be easily deceived, rendering those protective measures ineffective.
"This is akin to having a safe or vault but forgetting to lock it, having excellent security at home but leaving the door unlocked when going out, or opening the door to strangers without verifying their identity – all of which can lead to security vulnerabilities," he said.
In the early days, the industry didn't place a particular emphasis on cryptography. However, with the rise of blockchain technology, once-niche technologies like cryptography gradually gained recognition, and the demand for talent in this field increased. Nowadays, one of the primary tasks for academia is to cultivate cybersecurity and cryptography talent. Additionally, some cybersecurity companies have the capability to independently develop related equipment.
The technologies possessed by academia can be applied practically to these devices, such as Hardware Security Modules (HSMs) or hardware encryptors, Tso said. This technology transfer and collaboration help enhance the performance and security of cybersecurity equipment while also promoting knowledge sharing and technological innovation between academia and industry. For academia, true success lies in seeing their technology put into practice. If academia can participate in the research and design of future central bank digital currencies, participants may find it even more rewarding than publishing numerous papers.
Professor Tso also mentioned another National Science Council project that combines blockchain and financial technology to extend into new cybersecurity issues. Currently, most of the cryptographic techniques related to financial technology are non-post-quantum, which means they can be vulnerable to attacks by quantum computers. This includes technologies like ring signatures (used in cryptocurrencies like Monero), stealth addresses, and commitment schemes. Exploring how to upgrade these technologies into post-quantum versions is an important research topic worth investigating.
Role of NCCU's information security center
In the field of post-quantum cryptography, Taiwan indeed boasts several teams that have achieved outstanding accomplishments in various directions, Tso said. These include Professor Yang Bo-yin's (楊柏因) team at Academia Sinica, focusing on research related to post-quantum digital signatures and encryption standards; Professor Fan Chun-i's (范俊逸) team at National Sun Yat-sen University, specializing in attribute-based encryption research; and NCCU, which has made significant contributions in the area of blockchain privacy protection technology and has its own post-quantum financial cybersecurity research team.
Tso emphasized the importance of collaboration within academia. Instead of working in isolation, these teams should strengthen their cooperation. Each team possesses its own expertise, and through collaboration and knowledge exchange, they can better address complex cybersecurity challenges and advance the development of post-quantum cryptography and cybersecurity technologies. This interdisciplinary cooperation is instrumental in promoting innovation and enhancing Taiwan's international competitiveness in the field of cybersecurity.
The plan for the NCCU Information Security Center has just been approved. According to the requirements of the National Science Council, it must be established within a year and outline its development directions, including plans for the next three to five years. This encompasses research, industry-academic collaboration, funding sources, and other aspects of the plan. Notably, the plan sets NCCU apart as one of the few schools that are not members of the Taiwan Information Security Center (TWISC) under the council.
The center places a strong emphasis on three key areas: post-quantum cryptography, the integration of AI with cybersecurity, and the implementation of Zero Trust Architecture. These areas of focus align with NCCU's distinct expertise, particularly in the intersection of cybersecurity and financial technology, he said.
Regarding future talent development plans, Tso pointed out that NCCU currently has several professors engaged in related research, including topics such as post-quantum cryptography. This includes himself, Assistant Professor Tseng Yi-fan (曾一凡) from the Department of Computer Science, and Assistant Professor Sun Shih-sheng (孫士勝), who is a newly appointed faculty member. As a result, students have the opportunity to join these professors' research laboratories and participate in relevant research activities. NCCU established the "Master's Program in Information Security" and the "Graduate Institute of Information Security" in August 2022, anchoring cybersecurity education within the university's academic framework to cultivate future cybersecurity professionals.
Tso expressed that the founders of Chelpis have many forward-looking and ambitious ideas. Indeed, every university has its own expertise, and through the platform provided by the Quantum-Safe Migration Center (QSMC), everyone can collaborate, exchange, and share their academic research achievements. In the future, he looks forward to the collaboration between NCCU and the QSMC, hoping that both parties can establish a long-term and deep partnership, contributing together to the development of post-quantum cryptography in Taiwan.