The Cyber-Security Excellence Hub in Estonia and South Moravia (Horizon Europe CHESS project), the Estonian Academy of Sciences and Cybernetica organised the Future Cryptography Conference in Tallinn on 21 May 2025. There were over 70 participants from universities, companies and public institutions, from Estonia and Czech Republic, but also Poland and the United States.
This time, the focus was on making cryptography and cryptographic products reliable. As Dan Bogdanov, Chief Scientific Officer at Cybernetica and member of the Estonian Academy of Sciences explained, it takes several steps to make new cryptography trustworthy.
First, new cryptography mostly comes from papers published by research. Peer review is the first layer of quality control. A published cryptographic scheme may have a formal proof, maybe even a machine-verifiable one. However, that will convince a limited number of people.
Second, a standardisation body may have an open competition or call for schemes. Multiple cryptographic schemes are submitted, and a larger group of researchers scrutinise the work. After several iterations and attempts to break them, some schemes are selected as standards and considered to be safe for all use. Again, proofs are compiled, and other (e.g., formal) methods are used to convince each other of the security.
Finally, a vendor implements a product following the standard. How can buyers be sure that the implementation is secure and made according to the best standards? Certification is the solution. A certification body requires large amounts of evidence on how the product was developed and, for higher levels of assurance, will also perform additional tests.
All this requires an ecosystem of researchers, standards bodies, certification bodies, vendors and buyers willing to require certified products. The Future Cryptography had all of them present.
Eric Vétillard (ENISA) and Miguel Bañon (ISO/IEC JTC 1/SC 27/WG 3) explained the new European policies on security certification are developing and what their impact will be.
Václav Matyáš (Masaryk University) highlighted the challenges of writing certification requirements for novel cryptography and Luís Brandão (NIST/Strativia) explained how NIST is tackling this in the US.
Fortunately, there are tools that make this work easier. Andreas Hülsing (Eindhoven University of Technology & SandboxAQ) introduced tools for machine-verifiable proofs and Petr Švenda (Masaryk University) showed the state of the art for dissecting a certified product to validate its claims.
There are also economic, collaborative and human aspects. Kristjan Krips (Cybernetica) presented a study on the resources needed to create a certification ecosystem and Kersti Piilma (Estonian Ministry of Defence) highlighted the critical need for certified products in a defence setting.
For more information about the presentations and videos, please look at the Future Conference Cryptography website https://futurecryptography.eu/
