Workshop on Cryptographic protocols for small devices

May 13, 2016, Vienna, Austria

ECRYPT-CSA Workshop on Cryptographic protocols for small devices

Thursday, May 12

There will be a common dinner at 7pm in the Restaurant Schubert.

Friday, May 13

9:30-10:00Welcome & Coffee
Session 1: Industry
10:00-10:45Oscar Garcia Morchon (Philips)Lightweight primitives and security architectures for the IoT
10:45-11:30Thomas Plos (NXP)Public-key cryptography on small devices from a product point of view
11:30-13:00Lunch & Coffee
Session 2: Implementation
13:00-13:45Ingrid Verbauwhede (KU Leuven and UCLA)Communication - computation trade-off for low power/low energy cryptographic protocols
13:45-14:30Nele Mentens (KU Leuven)Hardware architectures for Elliptic Curve Cryptography
Session 3: Protocols
15:00-15:45Vadim Lyubashevsky (IBM)Directions in Practical Lattice Cryptography
15:45-16:30Leo Ducas (CWI)What you should know on Lattice-based Cryptography to implement it

Abstracts and slides

Lightweight primitives and security architectures for the IoT (Oscar Garcia-Morchon) [download slides]

Secure Internet communications face conflicting demands: advances in (quantum) computers require stronger, quantum-resistant algorithms, while at the same time the Internet of Things demands better-performing protocols in particular regarding communication overhead, timing, and energy; and finally, communication links usually depend on a single root-of-trust, e.g., a certification authority, a single point-of-failure that is too big of a risk for future systems. In this talk, we describe our work on the HIMMO scheme , its operational properties, and the security of the scheme. Then, we describe how HIMMO can be applied to improve the security in the Internet and Internet of Things. In particular, we describe how it enables the easy management of credentials and establishment of pairwise keys in IoT scenarios . We further describe how it can be integrated in TLS, either in the DTLS-PSK mode enabling very lightweight key establishment and authentication of client and server, ideal for IoT deployments or combined with public-keys introducing a hybrid architecture in which HIMMO TTPs serve as trust infrastructure to efficiently certify and verify public-keys.

Public-key cryptography on small devices from a product point of view (Thomas Plos) [download slides]

This talk will deal with product-related aspects of public-key cryptography (PKC) on small devices. The technological progress of the last decades allows realizing products with more and more functionality that fulfil the given energy, power consumption and cost requirements. This includes also the implementation of PKC on small devices. Based on the requirements of a product the corresponding architecture can be derived. Requirements might not only be purely technical but also relate to other aspects like product re-use, compliance to standards or product certification.

Communication - computation trade-off for low power/low energy cryptographic protocols (Ingrid Verbauwhede) [download slides]

Intelligent things, medical devices, vehicles and factories, all part of cyberphysical systems, will only be secure if we can build devices that can perform the mathematically demanding cryptographic operations and protocols in an energy efficient way. Moreover, the protocols rely on a communication strategy between Alice and Bob. This communication strategy is not for free and also requires energy for radio transmission and reception.
Depending on the protocol (public-key based versus symmetric key) and depending on the radio communication strategy (Zigbee, WIFI, Bluetooth) one can dominate over the other. This trade-off between communication and computation cost is the focus of this presentation. It will be illustrated with several examples. This presentation is based on the overview paper available from IACR eprint.

Hardware architectures for Elliptic Curve Cryptography (Nele Mentens) [download slides]

This presentation focuses on light-weight hardware design for Elliptic Curve Cryptography (ECC). First, the differences in technology and design optimization between ASICs, FPGAs and microprocessors are presented. Further, an overview is given of the implications of these differences on the design methodology of area-efficient ECC implementations on ASIC and FPGA. This includes design choices to be made for the datapath, the storage of variables and the control logic.

Directions in Practical Lattice Cryptography (Vadim Lyubashevsky) [download slides]

Abstract. Modern lattice cryptography has its roots in the very strong hardness guarantees of the SIS and LWE problems. Unfortunately, building schemes that satisfy the preconditions required for those guarantees leads to parameters that are not ideal for practical applications. It therefore becomes necessary to understand which properties of SIS and LWE are crucial, and which may just be artifacts that don't play a role in actual security. In this talk, I will describe how today's schemes get constructed, what hardness assumptions they use, and how these hardness assumption relate to the theoretical worst-case hardness of SIS and LWE.

What you should know on Lattice-based Cryptography to implement it (Leo Ducas)

The apparent simplicity of the vanilla of LWE encryption as described in the work of Regev ---and its ring variant by Lyubashevsky, Peikert and Regev--- hides numerous complications when it come to the actual design and implementation of a concrete scheme. Nevertheless, the proofs of worst-case hardness are definitely attracting features, and if feasible, we could desire concrete schemes to benefit from such a strong theoretical arguments.
In this talk, we wish to clarify few key points that suffer from widespread misconceptions leading to bad design choices. For example, we propose arbitrages between the theoretical Gaussian distribution needed for the asymptotic worst-case hardness proof to go through and the required simplicity of a sampling algorithm to achieve resistance to timing and cache attacks. But we discuss other aspects often not considered in either theoretical nor implementation work, as the potential for backdoors, or the ability of an attack that break all instances for the price of one, and how to tackle those serious security issues. Special care required to build CCA secure schemes from lattice will also be reminded.
As an example of our general conclusions, we present the key exchange protocol Newhope and its performances (Joint work with Erdem Alkim, Thomas Pöppelmann and Peter Schwabe). If time permits, we shall also give an overview of upcoming practical improvements of Lattice-based Cryptography, exploiting lattice-codes, to increase error tolerance of a scheme and therefore increase its security and/or efficiency.