Section: Computer Science and Engineering

Major Research topic:
Hardware implementation of post-quantum cryptographic algorithms for the IoT

Embedded systems are usually characterized by reduced computational power and narrow-band communication channels, and are the most exposed to active and passive attackers, who can easily gain physical access to them. Consequently, future-proof, lightweight, and efficient asymmetric encryption is required in order to guarantee the confidentiality, endpoint authentication, message authenticity and non-repudiation properties of their transmissions.

In the light of current advancements in quantum computing, quantum-resistant (post-quantum) cryptosystems are being selected in the ongoing NIST standardization effort [1]. Such innovative cryptosystems are typically more demanding than pre-quantum ones, and require engineering efforts going beyond a pure-software implementation on low-resource platforms.

A substantial engineering effort is thus to be directed at understanding which cryptographic schemes yield the best performance figures, such as throughput and latency, while being among the ones whose security has withstood public cryptanalysis.

Almost all the public-key encryption and key-establishment post-quantum cryptoschemes can be classified, by their underlying mathematical foundations, into code-based and lattice-based families.
The class of algorithms based on error-correcting codes features security backed by several years of cryptanalysis, at the expense of large asymmetric keys. Quasi-cyclic variants allow a considerable reduction of both private and public key length [2], a crucial feature for memory-constrained devices, requiring just a few KB of non-volatile flash memory and RAM.
Lattice-based schemes, in comparison, rely on the short integer solution (SIS) and learning with errors (LWE) problems and provide competitive performance [3], but the underlying prime modular arithmetic implies stringent computational requirements, difficult to meet even with custom hardware designs.

As a consequence of this taxonomy, some arithmetic primitives are shared between different algorithms belonging to the same class, such as the binary matrix inversion operation in the McEliece and Niederreiter code-based cryptoschemes.
These arithmetic blocks can be reused across different cryptographic implementations and further optimized by exploiting pipelined architectures and the multiple forms of parallelism available in customized silicon designs.
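As an added illustration, not code from this research page or from any of the cited cryptosystems: a bitsliced Gauss-Jordan inversion over GF(2), the primitive shared by McEliece and Niederreiter mentioned above, written so that its control flow and memory access pattern do not depend on the matrix entries, in line with the timing-attack countermeasures the project requires. The row packing (one 64-bit word per row, bit j = column j) and the 4x4 sample matrices are assumptions of this example.

```c
#include <stdint.h>

/* Dense n x n binary matrix, n <= 64: row i is packed in rows[i], bit j
 * holding entry (i, j). The packing is an assumption of this example:
 * it makes every row operation a single 64-bit XOR, which is also what a
 * hardware row-operation unit would do in one cycle. */
#define MAXN 64

/* Swap two words when mask is all-ones, do nothing when it is zero;
 * no data-dependent branch, so the swap leaks nothing through timing. */
static void cswap(uint64_t *a, uint64_t *b, uint64_t mask) {
    uint64_t t = (*a ^ *b) & mask;
    *a ^= t;
    *b ^= t;
}

/* Gauss-Jordan inversion over GF(2). Returns 1 and fills inv on success,
 * 0 if m is singular. The pivot search always scans all candidate rows
 * and the elimination always touches all rows, so the sequence of
 * operations does not depend on the (possibly secret) matrix entries. */
int gf2_invert(const uint64_t *m, uint64_t *inv, int n) {
    uint64_t a[MAXN], b[MAXN], ok = ~(uint64_t)0;
    for (int i = 0; i < n; i++) { a[i] = m[i]; b[i] = (uint64_t)1 << i; }
    for (int j = 0; j < n; j++) {
        uint64_t found = -((a[j] >> j) & 1);      /* pivot already in place? */
        for (int i = j + 1; i < n; i++) {
            uint64_t take = -((a[i] >> j) & 1) & ~found;
            cswap(&a[j], &a[i], take);
            cswap(&b[j], &b[i], take);
            found |= take;
        }
        ok &= found;                              /* no pivot: singular */
        for (int i = 0; i < n; i++) {             /* clear column j elsewhere */
            uint64_t sel = -((a[i] >> j) & 1) & -(uint64_t)(i != j);
            a[i] ^= sel & a[j];
            b[i] ^= sel & b[j];
        }
    }
    for (int i = 0; i < n; i++) inv[i] = b[i];
    return (int)(ok & 1);
}

/* out = x * y over GF(2), used to verify m * inv == I. */
void gf2_mul(const uint64_t *x, const uint64_t *y, uint64_t *out, int n) {
    for (int i = 0; i < n; i++) {
        out[i] = 0;
        for (int k = 0; k < n; k++) out[i] ^= -((x[i] >> k) & 1) & y[k];
    }
}

/* Constructed 4x4 samples: m is invertible, s has rows summing to zero. */
int gf2_selfcheck(void) {
    uint64_t m[4] = {3, 6, 12, 1}, s[4] = {3, 6, 12, 9}, inv[4], prod[4];
    if (gf2_invert(m, inv, 4) != 1) return 0;
    gf2_mul(m, inv, prod, 4);
    for (int i = 0; i < 4; i++) if (prod[i] != ((uint64_t)1 << i)) return 0;
    return gf2_invert(s, inv, 4) == 0;
}
```

For the packed representation used here, the inverse of the sample matrix comes out as rows {8, 9, 11, 15}, and the singular sample is correctly rejected.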

As area occupation and power consumption are two key factors, the engineering of hardware implementations may follow two different directions: the development of a dedicated cryptographic module, allowing better performance but requiring more silicon area, or the implementation of the most computationally demanding tasks by means of an instruction set extension.
In the first case the resulting peripheral is memory-mapped onto the system bus, offloading the entire cryptographic procedure from the processor and exposing just the registers needed to configure and start the required computation. This choice is preferable where constraints on area are weak, such as Internet-of-Things platforms and U2F authentication devices.
The other alternative is characterized by a hybrid execution scheme, leaving the orchestration of the main algorithm to the software and offloading just the most computationally intensive procedures to dedicated components. This category can include smart cards or ID cards.

Regardless of the choice, the development must proceed considering all the state-of-the-art side-channel countermeasures against active and passive attackers, in order to deal with simple and differential power analysis, timing attacks and fault attacks.

To determine the most promising candidates, an in-depth analysis of the post-quantum NIST cryptoschemes has to be conducted, implementing each one of them both in software and in hardware on a reference embedded microcontroller target. In this way, the major slowdowns caused by the limits of simple processor microarchitectures can be effectively revealed, giving a better perspective on viable solutions.

Initially the research effort will focus on a thorough study of all the cryptographic primitives in use, analysing their structure and constituent operations in order to identify the similarities among them.
Taking advantage of the information gathered and evaluating all the possible tradeoffs, the most efficient architecture for this kind of operations will be derived, along with a dedicated or shared architecture for each primitive.

The results of the design-space exploration will be evaluated considering metrics such as the required area, the overall energy efficiency of each solution, the exact performance figures to be expected, and whether each solution meets the requirement thresholds imposed by existing protocols, highlighting the best engineering tradeoff for each type of embedded device, ranging from smart cards to single-board computers.
The outcome of this investigation will be a substantial advancement of the current state-of-the-art knowledge on the engineering of post-quantum primitives.

[1] NIST Computer Security Resource Center. 2019. Post-Quantum Cryptography (PQC).
[2] M. Baldi, A. Barenghi, F. Chiaraluce, G. Pelosi, P. Santini. 2020. LEDAcrypt: Low-dEnsity parity-check coDe-bAsed cryptographic systems (Specification revision 3.0).
[3] C. Peikert. 2016. A Decade of Lattice Cryptography. Found. Trends Theor. Comput. Sci. 10, 4 (March 2016), 283–424.