Summer School
June 17–21, 2019

Šibenik, Croatia
Summer School on real-world crypto and privacy
SCA workshop
This year's edition of the Summer School includes a special one-day (Tuesday) workshop on side-channel attacks and countermeasures. The workshop will be sponsored by the Technology Foundation TTW (project 13499 - TYPHOON) from the Dutch government.

Location: Sibenik IX (Hotel Ivan)

The number of seats is limited for this workshop, so participants should register in advance by sending an email to (subject: SCA workshop registration).
Admission is on a first-come, first-served basis. We will also maintain a waiting list.

List of currently confirmed speakers

  • Pedro Massolino, Radboud University, The Netherlands
  • Title: Isogeny based cryptography implementation for FPGA
    Abstract: The National Institute of Standards and Technology (NIST) made a call at the end of 2017 for cryptosystem proposals that are resistant to quantum computers within a certain size. One interesting proposal named SIKE, because of its very low bandwidth, is based on supersingular elliptic curve isogenies. This proposal is based on elliptic curves, which opens the possibility of reusability in pre-quantum elliptic curve cryptography.

    In this talk, I will show the project of an isogeny-based co-processor for FPGAs. This design was made in a hardware/software codesign; this allows us to reuse the hardware parts in order to make a pre-quantum elliptic curve co-processor. The talk will focus on the design choices, the entire architecture's inner workings, the problems found along the way and the results.

  • Stjepan Picek, TU Delft, The Netherlands
  • Title: Machine Learning and Side-channel Analysis
    Abstract: Recent years showed that machine learning techniques can be a powerful paradigm for side-channel attacks (SCA), especially profiling SCA. Still, despite all the success, we are limited in our understanding when and how to select appropriate machine learning techniques. Additionally, the results we can obtain are empirical and valid for specific cases where generalization is often difficult. In this talk, we discuss several well-known ML techniques, the results obtained, and their limitations. In the last part of the talk, we concentrate on deep learning techniques and potential benefits such techniques can bring to SCA.

  • Emmanuel Prouff, ANSSI, France
  • Title: Evaluating the Security of Implementations Against Side Channel Attacks
    Abstract: The resistance of a cryptographic implementation with regard to side-channel analysis is often quantified by measuring the success rate of a given attack using a given number of leakage observations. This approach cannot always be followed in practice, especially when the implementation includes some countermeasures that may render the attack too costly for an evaluation purpose, but not enough from a security point of view. An evaluator then faces the issue of estimating the success rate of an attack he cannot mount. The present presentation addresses this issue by presenting a methodology to estimate the success rate of high-level side-channel attacks targeting secure implementations.

  • Joost Renes, Radboud University, The Netherlands
  • Title: Security on the Line: Modern Curve-based Cryptography
    Abstract: As quantum adversaries become more realistic, the need for post-quantum cryptography increases. In this talk I will give an overview of the developments of isogeny-based cryptography during the last four years, focusing on specific elements relating to my PhD thesis. We discuss the cryptographic properties of commutative (CSIDH) and non-commutative (SIKE) key exchange and their potential use in real-world systems.

  • Patrick Schaumont, Virginia Tech, USA
  • Title: Fault attacks on Embedded Software
    Abstract: Embedded software is developed under the assumption that hardware execution is always correct. Fault attacks break and exploit that assumption. Through the careful introduction of targeted faults, an adversary modifies the control-flow or data-flow integrity of software. The modified program execution is then analyzed and used as a source of information leakage, or as a mechanism for privilege escalation.

    Due to the increasing complexity of modern embedded systems, and due to the difficulty of guaranteeing correct hardware execution even under a weak adversary, fault attacks are a growing threat. We present a review on hardware-based fault attacks on software, with emphasis on the context of embedded systems.

    We present a detailed discussion of the anatomy of a fault attack, and we make a review of fault attack evaluation techniques. In the first part of the talk, we bring the perspective from the attacker, rather than the view of countermeasure development. In the second part of the talk, we discuss generic countermeasures against fault injection attacks, based on micro-architecture enhancements and software support.

  • Benjamin Smith, INRIA and École Polytechnique, France
  • Title: Smaller and faster public-key cryptosystems for IoT from genus-2 curves
    Abstract: The rise of the Internet of Things (IoT) means an exploding number of small connected devices are increasingly pervading every aspect of our daily lives. Securing these devices is extremely important, but it is also a great technical challenge: many of our state-of-the-art cryptographic algorithms are simply too "heavy" to run on devices with such limited computational and energy resources. This is especially true for asymmetric techniques like key exchange and digital signatures, which by their very nature require intensive algebraic computations. This talk will describe how the theory of Kummer varieties (classic objects in algebraic geometry) can yield significant improvements in speed and memory use of contemporary ECC protocols, making them practical on some low-end IoT devices. A concrete example of this is the qDSA signature scheme, which allows compact, low-memory, high-speed software for high-security key exchange and digital signatures on microcontrollers with very limited memory.

  • Gilles Van Assche, STMicroelectronics, Belgium
  • (Talk 1) Title: Power analysis of degree-2 round functions
    Abstract: Typical presentations and papers on side-channel attacks assume a structure highly influenced by the Rijndael/AES block cipher, with an 8-bit S-box applied to a message byte xored to a secret key byte. In this presentation, we discuss how to apply side-channel attacks to ciphers with a degree-2 round function. In particular, we illustrate this concretely with sponge-based designs used in keyed mode such as Keccak, Ketje, Keyak, Ascon, Gimli or Xoodoo.

    (Talk 2) Title: XKCP internals
    Abstract: In this presentation, we present the eXtended Keccak code package (XKCP) open-source software and more specifically how it is organized internally. The high-level cryptographic services are implemented in plain C, without any specific optimizations. The low-level services implement the permutations and the state input/output functions, for which we provide optimized code for different platforms. Another interesting topic to discuss is how the parallelism is exploited on modern processors with SIMD units, with potential applications to the implementation of some post-quantum schemes.
Tuesday, June 18th
Evaluating the Security of Implementations Against Side Channel Attacks – Emmanuel Prouff
(i) Power analysis of degree-2 round functions
(ii) XKCP internals – Gilles Van Assche
Fault attacks on Embedded Software – Patrick Schaumont
Coffee Break
Smaller and faster public-key cryptosystems for IoT from genus-2 curves – Ben Smith
Security on the Line: Modern Curve-based Cryptography – Joost Renes
Isogeny based cryptography implementation for FPGA – Pedro Massolino
Machine Learning and Side-channel Analysis – Stjepan Picek