Summer School on real-world crypto and privacy
June 13–17, 2022
Šibenik, Croatia
School speakers

List of (currently) confirmed school speakers

  • Diego Aranha, Aarhus University, Denmark
    Title: Efficient software implementation of curve-based cryptography
    Abstract: We present techniques for the efficient implementation of curve-based cryptography in software, targeting modern Intel and Arm CPUs. The techniques will range from finite fields to curve arithmetic formulas, and will demonstrate how state-of-the-art performance can be obtained while observing requirements for constant-time execution. The scope will be somewhat generic, but the main ideas will be illustrated with the GLS254 binary elliptic curve.

  • David Basin, ETH, Switzerland
    Title: Analyzing Payment Protocols with Tamarin
    Abstract: (Joint work with Jorge Toro Pozo and Ralf Sasse) This talk will survey recent work on applying the Tamarin Tool, a Security Protocol Model-Checker, to EMV payment protocols. Using Tamarin, we have uncovered numerous severe flaws that allow attackers to bypass the PIN on Visa cards, and more recently Mastercard credit cards. In other words, the PIN on most of the world's credit cards is useless and a thief who gains access to your credit cards can make high-value purchases with them without further authentication. To show that these flaws are exploitable, we have built attack tools that illustrate how you can literally rob the bank with a security protocol model-checker. We also discuss improvements that avoid these problems.

  • Battista Biggio, University of Cagliari, Italy
    Title: Machine Learning (for) Security: Lessons Learned and Future Challenges
    Abstract: In this talk, I will briefly review some recent advancements in the area of machine learning security with a critical focus on the main factors which are hindering progress in this field. These include the lack of an underlying, systematic and scalable framework to properly evaluate machine-learning models under adversarial and out-of-distribution scenarios, along with suitable tools for easing their debugging. The latter may be helpful to unveil flaws in the evaluation process, as well as the presence of potential dataset biases and spurious features learned during training. I will finally report concrete examples of what our laboratory has been recently working on to enable a first step towards overcoming these limitations, in the context of Android and Windows malware detection.

  • Boris Köpf, Microsoft Research Cambridge, UK
    Title: Hardware-software Contracts for Secure Speculation
    Abstract: Attacks such as Spectre and Meltdown use a combination of speculative execution and shared microarchitectural state to leak information across security domains. Defeating them without massive performance overheads requires careful co-design of software and hardware. In this talk I will present a principled approach to this problem, based on hardware-software contracts for secure speculation, and on techniques that enable testing of software and hardware against them.

  • Chloe Martindale, University of Bristol, UK
    Title: Elliptic-curve and isogeny-based cryptography
    Abstract: We will give an introduction to the classical elliptic-curve cryptography which is widely used across the internet, for example in the Signal Protocol. We will then discuss briefly the dangers of relying solely on non-quantum-safe cryptography before giving an introduction to isogeny-based cryptography. Isogeny-based cryptography builds naturally on elliptic-curve cryptography but is believed to be resistant to the looming threat of quantum computers.

  • Thyla van der Merwe, ETH, Switzerland
    Title: How Private is Web Browsing, Anyway?
    Abstract: With a slew of new techniques aimed at enhancing privacy on the Web, including DNS-over-HTTPS (DoH), Encrypted Client Hello (ECH), and privacy-preserving mechanisms such as CRLite, we aim to answer the question: “How private is regular Web browsing, anyway?”. This talk will cover the details of the mechanisms listed above and will (hopefully!) discuss results regarding the effectiveness of these mechanisms in the wild, looking at usage, deployment challenges, and the resulting connection privacy coverage achieved in day-to-day Web browsing. How far away are we from a fully private Web? Or will this be forever beyond our reach?

  • Clémentine Maurice, CNRS, CRIStAL, France
    Title: Micro-architectural attacks: from CPU to browser
    Abstract: Hardware is often considered as an abstract layer that behaves correctly, just executing instructions and outputting a result. However, the internal state of the hardware leaks information about the programs that are executing, paving the way for covert or side-channel attacks. Many micro-architectural components can be used for such attacks; in particular, the CPU cache has been a highly studied target in recent years.
    In this lecture, we will first cover the basics of micro-architectural attacks: what type of attacks can be performed, how, and in which conditions. We will then focus on how to mount these attacks from web browsers. Indeed, micro-architectural attacks require precisely monitoring low-level hardware features. In contrast, browsers only provide high-level sandboxed languages with a limited set of functions. Porting these attacks to the web thus exposes a series of challenges.

  • Christof Paar, MPI, Germany
    Title: How I Learned to Stop Worrying and Love Hardware Trojans
    Abstract: For more than a decade, hardware Trojans have been discussed by the scientific community and in industry. Cryptographic backdoors, which can be viewed as a variant of Trojans, also play an important role in the current political discussion, e.g., can foreign-made computer hardware such as 5G equipment be trusted? In this lecture we'll discuss some of the (many) aspects of this fascinating field of research.
    We will start with discussing attack vectors for introducing hardware Trojans. The introduction will also summarize some of the reported cases of cryptographic backdoors and put them in a political context. In the first technical part of the lecture, we will introduce ways of designing stealthy hardware Trojans on ICs and FPGAs, that is, manipulations that are extremely difficult to detect. Subsequently, we will give an example of how to use such stealthy alterations for manipulations of crypto algorithms on the architecture level.
    In the second main part of the lecture, we will discuss netlist reverse engineering, which is an important method for both detecting and injecting Trojans in integrated circuits. We show that both automated and human inspection play an important role in hardware reverse engineering. We describe a comprehensive study in which we observed a number of engineers analyzing netlists, which gives important insights into this process. As a second case study, we describe DANA (Dataflow-based Netlist Analysis), a set of algorithms for automatically detecting functional modules in large, unknown netlists. We show that DANA is especially suited for detecting cryptographic primitives.

  • Kenny Paterson, ETH, Switzerland
    Title: Secure Messaging: The Good, the Bad and the Ugly
    Abstract: In this talk we will take a look at how cryptography is used in Signal, Telegram and Bridgefy, comparing and contrasting their different approaches to building secure messaging services.

  • Patrick Schaumont, Worcester Polytechnic Institute, USA
    Title: Tools and Methods for Pre-silicon Analysis of Secure Hardware
    Abstract: This talk will introduce the main concepts of pre-silicon analysis for secure hardware design, and show how conventional design automation can be applied for security-oriented design tasks. Traditional hardware designers use simulation to verify a hardware design, and they use area- and timing analysis to decide if the design meets the performance objectives. Secure hardware designers are interested in the security properties of the design such as its side-channel leakage and fault injection response, in addition to correctness and performance. Addressing these security-related constraints in a pre-silicon context, before hardware implementation, can save significant effort towards debugging the physical implementation. The talk will review techniques for side-channel leakage assessment and root-cause analysis of secure hardware and secure embedded software.

  • Gene Tsudik, University of California, Irvine, USA
    Title: Securing Low-End IoT Devices against Bricking Attacks
    Abstract: Embedded (aka smart or IoT) devices are increasingly popular and becoming ubiquitous. Unsurprisingly, they are also attractive attack targets for exploits and malware. Low-end embedded devices, designed with strict cost, size, and energy limitations, are especially challenging to secure, given their lack of resources to implement the sophisticated security services available on higher-end computing devices. To this end, several small Roots-of-Trust (RoTs) were proposed to enable services such as remote verification of a device's software state and run-time integrity. We first overview the history and state-of-the-art in these RoTs and compare purely hardware-based, software-based and hybrid RoT techniques, highlighting their respective advantages and limitations, as well as distinguishing them from higher-end Trusted Execution Environments (TEEs), e.g., SGX or TrustZone.
    All prior RoTs operate reactively: they can prove whether a desired action (e.g., software update or program execution) was performed on a specific device. However, they cannot guarantee that a desired action will be performed, since malware controlling the device can trivially block access to the RoT by ignoring/discarding received commands and other trigger events. This is an important problem because it allows malware to effectively "brick" or incapacitate a potentially huge number of (possibly mission-critical) devices.
    Though recent work has made progress in terms of incorporating more active behavior atop existing RoTs, much of it relies on extensive hardware support in the form of TEEs, which are generally too costly for low-end devices. In this work, we set out to systematically design a minimal active RoT for low-end MCUs. We begin with three questions: (1) What functionality is required to guarantee actions in the presence of malware? (2) How to implement this efficiently? and (3) What are the security benefits of such an active RoT architecture? We then design, implement, formally verify, and evaluate GAROTA: Generalized Active Root-Of-Trust Architecture. We believe that GAROTA is the first clean-slate design of an active RoT for low-end MCUs. We show how GAROTA guarantees that even a fully software-compromised low-end MCU performs a desired action. We demonstrate its practicality by implementing GAROTA in the context of three types of applications where actions are triggered by: sensing hardware, network events and timers. We also formally specify and verify GAROTA functionality and properties.

  • Mathy Vanhoef, KU Leuven, Belgium
    Title: Recent Wi-Fi attacks and defenses: general lessons learned and open problems
    Abstract: This presentation explains the core ideas behind recent Wi-Fi attacks and how they might also apply to buggy implementations of other protocols. I will also discuss newly standardized Wi-Fi defenses as well as open challenges.
    First, I will give a recap of the key reinstallation attack (KRACK) against WPA2, where flaws in the state machine allow an adversary to induce nonce reuse. Second, side-channel flaws in WPA3 are described, where I will also explain a technique to exploit timing side-channels with high accuracy even over a noisy wired or wireless network. Third, I will briefly touch upon weaknesses in how fragmented frames are processed in encrypted Wi-Fi networks.
    I will then discuss four recently standardized defenses: beacon protection, operating channel validation, opportunistic encryption in public Wi-Fi networks, and the new SAE-PK protocol where the Wi-Fi password encodes a fingerprint of the network's public key. The goal of these defenses will be explained, as well as how these goals are achieved, and I will touch upon some limitations of these defenses. The presentation concludes with open challenges in Wi-Fi security.

  • Ingrid Verbauwhede, KU Leuven, Belgium
    Title: The search for randomness: essential for security
    Abstract: Embedded security and cryptographic security protocols rely on hardware roots of trust. Quality randomness and entropy are essential ones in the embedded context. Designers assume that cryptographic keys, random initial values, nonces, freshness, masks, hardware isolation, or secure storage are simply available to them.
    At the same time, electronics shrink: sensor nodes, IoT devices, and smart devices are becoming more and more available. Adding security and cryptography to these often very resource-constrained devices is a challenge. Especially providing good quality secure keys and quality random numbers is difficult in an embedded context.
    This presentation will focus on design methods for hardware roots of trust, and more specifically on Physically Unclonable Functions (PUFs) and True Random Number Generators (TRNGs), two essential roots of trust. Both design and attacks will be covered.