Talks & Tutorials
Embedded Security: Challenges and Opportunities when Migrating to Post-Quantum Cryptography
With the advances in quantum computing, the threat to the widely deployed cryptographic algorithms becomes pressing. This will particularly impact the rapidly expanding (Industrial) Internet of Things ecosystem. Government regulations around the globe are urging the industry to start migrating today in order to ensure the long-term security of Industrial & IoT devices. However, this transition to PQC presents significant challenges for devices that are often constrained in processing power and memory. Embedded security in IoT must adapt to accommodate PQC algorithms, which are generally more resource-intensive than their classical counterparts (such as RSA and ECC). In this presentation I will outline which use-cases to migrate first, the main challenges in enabling such “crypto agility”, and the opportunities in transitioning into this post-quantum cryptographic era from an applied research point of view.
Bio: Joppe W. Bos is a Technical Director and cryptographer at the Competence Center Crypto & Security (CCC&S) at NXP Semiconductors. Based in Belgium, he is the technical lead of the Post-Quantum Cryptography team. Previously, he was a post-doctoral researcher in the Cryptography Research Group at Microsoft Research, Redmond, USA. He obtained his PhD in Cryptology at EPFL, Lausanne, Switzerland in 2012. Joppe co-authored ML-KEM / CRYSTALS-Kyber, the new post-quantum cryptographic standard to be deployed world-wide, served as the Secretary of the IACR (2017-2022), is the co-editor of the IACR Cryptology ePrint Archive and one of the Editors-in-Chief of the IACR Communications in Cryptology.
Side-Channel and Fault Attacks on ML-KEM and ML-DSA
With the advent of quantum computing and the threat it poses to current public-key cryptographic systems, there is a pressing need for post-quantum cryptographic (PQC) solutions. The state-of-the-art in PQC is rapidly advancing from research to standardization, implementation, and deployment. In August 2024, the standards for the CRYSTALS-Kyber key encapsulation mechanism and the CRYSTALS-Dilithium digital signature algorithm were approved by NIST under the names ML-KEM and ML-DSA, respectively. The industry is now preparing for the transition to PQC algorithms.
However, converting a PQC algorithm into a secure and efficient implementation presents significant challenges. Among them is the need to protect against physical attacks such as side-channel analysis, which exploits timing variations, power consumption, or electromagnetic emissions to extract sensitive information, and fault analysis, which injects faults into cryptographic computations to recover secrets. In this talk, we will present recent side-channel and fault attacks on implementations of ML-KEM and ML-DSA, highlighting their vulnerabilities and implications for security.
Bio: Elena Dubrova received the Diploma Engineer degree in Computer Science from the Technical University of Sofia, Bulgaria, in 1993, and the Ph.D. degree in Computer Science from the University of Victoria, B.C., Canada, in 1998. Since 2008 she has been a professor at the School of Electrical Engineering and Computer Science at the Royal Institute of Technology, Stockholm, Sweden. She has over 100 publications and 15 granted patents. Her work has been awarded prestigious prizes such as the IBM Faculty Partnership Award for outstanding contributions to IBM research and development. She is listed among the world's top 2% scientists in the 2020 Stanford University ranking. Her research interests include hardware security, lightweight cryptography, logic synthesis, and multiple-valued logic.
Design pitfalls and challenges for security hardware accelerators
Security challenges and opportunities in emerging device technologies
While traditional chips in bulk silicon technology are widely used for reliable and highly efficient systems, there are applications that call for devices in other technologies.
On the one hand, novel device technologies need to be re-evaluated with respect to potential threats and attacks, and how these can be faced with existing and novel security solutions and methods. On the other hand, emerging device technologies bring opportunities for building the secure systems of the future.
This talk gives an overview of advancements in security research on emerging device technologies.
AI and Physical attacks: Lessons learned and open questions
Cryptography is considered to be the cornerstone of secure systems, but its implementations are often vulnerable to physical attacks such as side-channel analysis (SCA) and fault injection. These so-called implementation attacks provide the best attack vector against embedded crypto implementations today.
In this talk, I will discuss several aspects of SCA on crypto implementations and its interactions with AI. We will evaluate the impact of AI-assisted SCA on implementations of post-quantum cryptography. Next, we will see how SCA threatens not just crypto implementations but also those of commercial neural networks.
In the end, we identify some avenues for future research.
Bio: Lejla Batina is a professor in the Digital Security group at Radboud University in Nijmegen, the Netherlands. She is a senior member of the IEEE and an editorial board member of top journals in security, such as ACM Transactions on Embedded Computing Systems. She has co-authored more than 180 refereed articles on secure cryptographic implementations and embedded systems security. She was a program co-chair of conferences such as CHES 2014, ACM WiSec 2021 and ACNS 2024, and she co-organized (as general chair) IACR flagship conferences such as EUROCRYPT (2020-2021) and the Real World Crypto Symposium (RWC) 2022. Her research group at Radboud consists of 10+ researchers, and 12 Ph.D. students have so far graduated under her supervision.
Automated Verification of Physical Security Properties
Physical implementation attacks, such as passive Side-Channel Analysis (SCA) and active Fault-Injection Analysis (FIA), pose significant threats to physical cryptographic implementations. The growing complexity of modern Integrated Circuits (ICs) demands considerable expertise in hardware design and security to develop and integrate effective countermeasures.
Leveraging formal security specifications and adversary models, automated pre-silicon verification can optimize development cycles, enhance quality, and support the creation of secure cryptographic implementations.
This presentation will explore various security properties related to active, passive, and combined physical implementation attacks. We will then discuss the use of Binary Decision Diagrams (BDDs) and Multi-Terminal Decision Diagrams (MTBDDs) as efficient data structures for automating the security verification of these properties. Finally, we will evaluate different automated security verification tools, highlighting their strengths and limitations for verifying physical security properties.
Bio: Pascal Sasdrich is a tenured faculty research group leader at Ruhr-University Bochum (RUB), Germany. His junior research group on the topic of "Computer-Aided Verification of Physical Security Properties (CAVE)" is funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) through the Emmy Noether Programme (ENP). Before joining RUB, he was a hardware security engineer at Rambus. He received his PhD in 2018 on the topic of "Cryptographic Hardware Agility for Physical Protection" from Ruhr-University Bochum, Germany. His research interests broadly cover the field of Computer-Aided Security Engineering, with a recent focus on automated formal verification of physical security properties.
Designing cryptographic algorithms with physical attack resistance in mind
Countermeasures against physical attacks (such as side-channel and fault analysis) often introduce overhead in terms of execution time and silicon area/code size. Moreover, implementing these protections correctly is challenging, and errors or oversights can compromise security. To address this, designers are increasingly considering physical attack resistance while building new ciphers.
In this talk, we explore design strategies for symmetric cryptographic algorithms that influence their robustness against leakage. We begin by looking at building blocks that exhibit inherent masking-friendly properties. Next, we discuss cryptographic modes that help reduce the attack surface of certain physical attacks or prevent them entirely.
Bio: I received my Bachelor's and M.Sc. degrees in Mathematics from the University of Milano, Italy. I got my Ph.D. degree from the University of Milano, Italy in 2018 with a thesis titled "Analysis of cryptographic algorithms against theoretical and implementation attacks" under the supervision of dr. Stelvio Cimato, dr. Gilles Van Assche, and prof. ir. Joan Daemen. In October 2015, I joined STMicroelectronics, Italy, where I worked as a cryptographer in the Security Roadmap until February 2022, developing hardware accelerators for public-key cryptography. In January 2021, I joined the Digital Security (DiS) group at Radboud University as a postdoctoral researcher. Since January 2025, I am an assistant professor in the Digital Security (DiS) group at Radboud University.
Deep Learning-based Side-channel Analysis: Trends and Challenges
Side-channel attacks (SCAs) have represented a realistic and serious threat to the security of embedded devices for almost three decades. Various attacks and targets they can be applied to have been introduced, and while the area of side-channel attacks and their mitigations is very well-researched, there are still important open questions.
Deep learning-based side-channel attacks (DLSCA) entered the field in recent years with the promise of more competitive performance and enlarged attacker capabilities compared to other techniques. The ability to break targets protected with countermeasures using only a few attack traces, together with relaxed pre-processing requirements, makes DLSCA a powerful option.
Despite such results, challenges remain. This talk starts with a brief overview of results from the last few years. Next, we concentrate on two challenges. First, we discuss the role of explainability in DLSCA and how to achieve it. Second, we consider the challenge of unsupervised DLSCA. While efforts already span six years, even the state-of-the-art results leave much to be desired.
Finally, we conclude the talk by briefly discussing several more challenges.
Bio: Stjepan Picek is an associate professor at Radboud University, The Netherlands. His research interests are security/cryptography, machine learning, and evolutionary computation. Prior to the associate professor position, Stjepan was an assistant professor at TU Delft, and a postdoctoral researcher at MIT, USA and KU Leuven, Belgium. Stjepan finished his PhD in 2015 with a topic on cryptology and evolutionary computation techniques. Stjepan also has several years of experience working in industry and government. Up to now, Stjepan has given more than 30 invited talks and published more than 150 refereed papers. He is a program committee member and reviewer for a number of conferences and journals, and a member of several professional societies. His work has been featured in the mainstream media and on popular technology blogs.
Tutorial: Hypothesis testing for leakage assessment in side channel analysis
While the current standard cryptographic algorithms are secure against known mathematical attacks, practice shows that hardware and software implementations are susceptible to physical attacks. A significant number of studies show how to recover secrets by monitoring the algorithm's execution using side channel attacks.
Ensuring the security of modern cryptographic implementations is challenging due to their complexity, aggressive time-to-market demands, and the variety of known attacks. Leakage assessment seeks evidence of sensitive data dependencies (leaks) in the traces measured from the physical device. Detecting side-channel leaks is of considerable interest to developers of secure cryptographic implementations, and several methods such as correlation analysis, F-statistics or mutual information have gained popularity. Among these, Test Vector Leakage Assessment (TVLA) is one of the most popular methods for leakage assessment due to its simplicity and relative effectiveness. Based on hypothesis testing, it is the most common non-specific test. However, interpreting the test outcome meaningfully and drawing appropriate conclusions from it is less intuitive.
The goal of this tutorial is to give participants a solid technical understanding of what hypothesis testing is and how it is used for leakage assessment. Participants will perform hands-on leakage detection tests and draw appropriate conclusions from the data. We will discuss common pitfalls and strategies such as bootstrapping to improve the accuracy of the results, unravel the mystery of the magic number 4.5, and learn how to interpret p-values.
The tutorial is rich in hands-on exercises via interactive Jupyter notebooks and data sets. We start with some simple examples using simulated data so that participants grasp the mechanics of hypothesis testing, and move from there to real power traces. A first version of this tutorial was given at the Summer School on real-world in 2023, and the material is available here. In this second version of the tutorial, we have more diverse trace sets and we clarify additional fundamental concepts such as effect size and the power of a test.
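The following is an added example and not part of the tutorial's material or of any speaker's code: a pure-Python fixed-vs-random TVLA run on simulated traces, so the mechanics described above (Welch's t-test, the 4.5 threshold, an approximate p-value, a bootstrap interval on the statistic) can be seen on data whose leak is known in advance. It also serves the earlier talk on designing algorithms with physical attack resistance in mind, by running the same test on a 2-share Boolean-masked version of the intermediate to show what a first-order test does and does not detect. Everything here is an assumption chosen for the example: the PRESENT 4-bit S-box stands in for a real cipher's S-box, leakage is modelled as Hamming weight plus Gaussian noise, the key 0x5 and fixed input 0xF are constructed values, and the function names are my own.

```python
import math
import random

# PRESENT 4-bit S-box: a small nonlinear intermediate standing in for a real
# cipher's S-box (a constructed choice for this example).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

# The customary TVLA decision threshold: |t| above 4.5 is reported as a leak.
TVLA_THRESHOLD = 4.5


def hamming_weight(x):
    return bin(x).count("1")


def welch_t(a, b):
    """Welch's t-statistic for two samples with unequal variances."""
    n_a, n_b = len(a), len(b)
    mean_a, mean_b = sum(a) / n_a, sum(b) / n_b
    var_a = sum((x - mean_a) ** 2 for x in a) / (n_a - 1)
    var_b = sum((x - mean_b) ** 2 for x in b) / (n_b - 1)
    return (mean_a - mean_b) / math.sqrt(var_a / n_a + var_b / n_b)


def p_value_two_sided(t):
    """Two-sided p-value under the normal approximation (valid for large
    trace counts); with few traces a Student t CDF should be used instead."""
    return math.erfc(abs(t) / math.sqrt(2))


def simulate_leakage(rng, n, key, fixed_input, masked, sigma=1.0):
    """Simulate one leakage sample per trace for the intermediate
    v = SBOX[p ^ key] under a Hamming-weight + Gaussian-noise model.
    Unmasked: the device leaks HW(v). Masked: v is split into two Boolean
    shares (v ^ r, r) with fresh r per trace, and only HW(v ^ r) is observed
    at this sample, as when the shares are processed in different cycles."""
    def trace(p):
        v = SBOX[p ^ key]
        observed = v ^ rng.randrange(16) if masked else v
        return hamming_weight(observed) + rng.gauss(0.0, sigma)

    fixed_set = [trace(fixed_input) for _ in range(n)]
    random_set = [trace(rng.randrange(16)) for _ in range(n)]
    return fixed_set, random_set


def tvla(fixed_set, random_set):
    """Non-specific fixed-vs-random test: returns (t, leak_detected)."""
    t = welch_t(fixed_set, random_set)
    return t, abs(t) > TVLA_THRESHOLD


def bootstrap_t_interval(rng, fixed_set, random_set, rounds=200, alpha=0.05):
    """Percentile-bootstrap confidence interval for t. Resampling each class
    with replacement shows how much a single t value would move with a
    different trace set of the same size."""
    stats = []
    for _ in range(rounds):
        f = rng.choices(fixed_set, k=len(fixed_set))
        r = rng.choices(random_set, k=len(random_set))
        stats.append(welch_t(f, r))
    stats.sort()
    return stats[int(alpha / 2 * rounds)], stats[int((1 - alpha / 2) * rounds) - 1]


def run_demo(seed=1, n=2000, key=0x5, fixed_input=0xF):
    """Run the test on an unmasked and a masked simulated implementation.
    With key=0x5 and fixed_input=0xF the fixed class always hits
    SBOX[0xA] = 0xF (Hamming weight 4) while the random class averages
    weight 2, so the unmasked t is roughly 2 / sqrt(3 / n), about 50 here."""
    rng = random.Random(seed)
    results = {}
    for name, masked in (("unmasked", False), ("masked", True)):
        fixed_set, random_set = simulate_leakage(rng, n, key, fixed_input, masked)
        t, leak = tvla(fixed_set, random_set)
        results[name] = {
            "t": t,
            "leak": leak,
            "p_approx": p_value_two_sided(t),
            "t_ci95": bootstrap_t_interval(rng, fixed_set, random_set),
        }
    return results


if __name__ == "__main__":
    for name, res in run_demo().items():
        lo, hi = res["t_ci95"]
        print(f"{name:9s} t = {res['t']:7.2f}  p ~ {res['p_approx']:.1e}  "
              f"95% bootstrap CI [{lo:.2f}, {hi:.2f}]  leak: {res['leak']}")
```

Two points the numbers make: the threshold 4.5 corresponds to a two-sided p-value of roughly 7e-6 under the normal approximation, which is why a single crossing is treated as strong evidence; and the masked variant passes this first-order test not because it is leak-free in general (the two shares jointly still determine v), but because the test looks at one sample's mean, which is exactly the blind spot a first-order masking scheme is designed for. Assessing a masked design therefore needs higher-order or multivariate tests, which are out of scope here.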
Tutorial: Cryptographic Hardware Optimization for ASIC
Cryptographic hardware uses specialized computation structures dedicated to the execution of a single or a few cryptographic algorithms. Through specialization, hardware achieves higher performance, lower power consumption, and lower silicon cost compared to equivalent cryptographic software implementations. The difference in efficiency can be orders of magnitude. Yet, while the performance benefits of hardware are well understood, the cryptographic engineering community is generally unfamiliar with the process of mapping algorithms to hardware structures. For example, reference implementations of new cryptographic standards are more commonly found in software than in hardware. With the advent of open-source hardware design tools, and especially open-source ASIC design tools, a great opportunity exists for a culture of hardware engineering in the cryptographic community. The potential gains of cryptographic implementations in efficiency, in scope, and in innovation are simply too big to ignore the hardware design domain.
The objective of this tutorial is to introduce a standard open-source ASIC design flow using cryptographic hardware design examples. Tutorial attendees will learn specifically about techniques for high performance, and techniques for low area. In each case, attendees will target the OpenROAD ASIC design flow for Google Skywater 130nm standard cells.
In this design process, the attendees will learn how to analyze the tool output, and how to make meaningful design decisions towards high performance or low area in hardware.
- Transform a C reference implementation to RTL hardware, without the magic of a compiler or a high-level synthesis tool.
- Understand common RTL design transformations for high performance in hardware: pipelining, unfolding, and retiming.
- Understand common RTL design transformations for low area in hardware: multiplexing and bit-serial design.
The participants should be able to open an SSH terminal connection and run X clients remotely. That means their computer should run an X server as well. On Linux, this is as easy as ssh -Y username@remote_server_ip. On Windows, we recommend MobaXterm, which provides everything needed. On macOS, they can use ssh as on Linux, but they also need to run XQuartz.