Community Research and Development Information Service - CORDIS

H2020

SAFEcrypto Report Summary

Project ID: 644729
Funded under: H2020-EU.2.1.1.

Periodic Reporting for period 1 - SAFEcrypto (Secure Architectures of Future Emerging Cryptography)

Reporting period: 2015-01-01 to 2016-06-30

Summary of the context and overall objectives of the project

SAFEcrypto will provide a new generation of practical, robust and physically secure post-quantum cryptographic solutions that ensure long-term security for future ICT systems, services and applications. Novel public-key cryptographic schemes (digital signatures, authentication, identity-based encryption (IBE), attribute-based encryption (ABE)) will be developed using lattice problems as the source of computational hardness.

The project will involve novel algorithmic and design optimisations, and implementations of the lattice-based cryptographic schemes addressing the cost, energy consumption, performance and physical robustness needs of resource-constrained applications, such as mobile and battery-operated devices, and of real-time applications, such as network security, satellite communications and cloud.

Currently a significant threat to cryptographic applications is that the devices on which they are implemented (e.g. processors, FPGAs, ASICs) leak sensitive information, which can be used to mount successful attacks to recover secret information. In SAFEcrypto the first comprehensive analysis and development of physical-attack resistant methodologies for lattice-based cryptographic hardware and software implementations will be undertaken and integrated into the novel architectures proposed.

Effective models for the management, storage and distribution of the keys utilised in the proposed schemes (as key sizes may be in the order of kilobytes or megabytes) will also be provided.

This project will deliver proof-of-concept demonstrators of the novel lattice-based public-key cryptographic schemes for three practical real-world case studies with real-time performance and low power consumption requirements. In comparison to current state-of-the-art implementations of conventional public-key cryptosystems (RSA-based and Elliptic Curve Cryptography (ECC)-based primitives), SAFEcrypto’s objective is to achieve a range of lattice-based architectures that provide comparable area costs, a 10-fold speed-up in throughput for real-time application scenarios, and a 5-fold reduction in energy consumption for low-power embedded and mobile applications.

SAFEcrypto brings together a consortium of four academic institutions, one research-intensive cyber-security SME and two multi-national security companies, providing a balance of expertise in theoretical cryptographic primitive construction, cryptographic architecture design and optimisation, side channel analysis and key management. The industry partners present excellent opportunities for commercialisation of the project results.

Participant organisation name Country
---------------------------------------------------- --------------
The Queen’s University of Belfast UK
Ruhr-Universität Bochum Germany
Università Della Svizzera Italiana Switzerland
INRIA France
Thales UK, Research and Technology UK
EMC Information Systems International Ltd Ireland
HWCommunications Ltd UK

Our primary concern in this project is long-term end-to-end security of systems and data, which we loosely define as a time span of 1–4 decades. In order to achieve this task, we must assure that implementations of cryptographic primitives available over this time line are (i) cryptographically secure, (ii) physically secure and (iii) efficient on a wide variety of (future) software and hardware platforms. The specific objectives of SAFEcrypto are:

1. To conduct a detailed vulnerability and risk assessment of the identified real-world case studies: 1) secure communications of networked space-based entities; 2) trusted components for critical communication applications; 3) privacy-preserving municipal data analytics. Identified threats, and the conditions that must exist for the vulnerabilities to be exploited, will be ranked and prioritized.

2. To derive at least one practical lattice-based cryptographic construction for each of the following primitives: digital signature, authentication, ABE and IBE, suitable for hardware and software implementation. These novel optimized constructions will provide substitutes for RSA- and ECC-based primitives in a range of applications that require long-term security.

3. To design and implement hardware architectures for each of the proposed primitives (on FPGA and ASIC devices) that will fulfill the needs of a large variety of applications; this will include low cost and low energy implementations designed for constrained devices as well as high performance implementations.

4. To design and implement open-source software routines for each of the proposed primitives (on ARM and GPU devices). As in the case of hardware, the software implementations should fulfill the needs of a large variety of applications, ranging from low cost optimized implementations targeting small, embedded processors to high performance multi-core devices for servers.

5. To investigate physical attack-resistant design methodologies for lattice-based hardware and software implementations. At least four approaches will be proposed targeting 1) high-performance software platforms; 2) high-performance hardware platforms; 3) resource-constrained software platforms; 4) resource-constrained hardware platforms.

6. To develop effective models for the management, storage and distribution of keys for lattice-based post-quantum cryptography for use in key distribution protocols and key management infrastructures with at least one proposed approach demonstrated in one of the case studies.

7. To build hardware/software co-design proof-of-concept demonstrators to illustrate the feasibility of the lattice-based cryptographic hardware and software architectures in providing long-term security for the three case studies. In comparison to existing RSA and ECC-based public-key cryptosystems, the quantitative objective is to achieve a 10-fold speed-up in throughput for use-case 1 and 3, and a 5-fold reduction in energy consumption for use-case 2.

8. To disseminate project results and activities through relevant academic, industry and standardization initiatives and events, in order to ensure transfer of knowledge and impact and exploitability of the results.

Work performed from the beginning of the project to the end of the period covered by the report and main results achieved so far

The SAFEcrypto project commenced in January 2015. Of the main work packages, WP9 (Validation & Demonstration of Case Studies) was the only one to start in January 2015, with WP3 (Vulnerability and Risk Analysis) and WP4 (Lattice-based Constructions) commencing in June 2015 and the remaining work packages beginning in September/October 2015.

A summary of significant SAFEcrypto achievements over the first 18 months of project execution includes:
• The delivery of the case study specifications and requirements to be demonstrated within SAFEcrypto for:
1) Satellite Key Management;
2) Commercial Off-The-Shelf (COTS) in Public Safety Communication; and
3) Privacy-Preserving Municipal Data Analytics.
This is the first reported set of case studies outlining practical applications of quantum-safe cryptography. Also, case studies 1 and 3 (Satellite Key Management and Municipal Data Analytics respectively) have been selected as practical examples for study within the ETSI Industry Specification Group on Quantum Safe Cryptography (ISG QSC).

• A full risk and vulnerability analysis of the case studies has been published in deliverable D3.1.

• The key management aspects of the case studies have been enumerated in considerable detail in deliverable D8.1.

• SAFEcrypto representation within the ETSI ISG QSC by both QUB and Thales UK. The project was invited to present at both the 3rd and 4th ETSI/IQC Workshops on Quantum-Safe Cryptography.
SAFEcrypto has also initiated formal liaison with the ISO SC27 committee.

• Strong participation in the US NIST Workshop on Cybersecurity in a Post-Quantum World, 2-3 April 2015, Maryland, US, in the form of a presentation provided by the Project Co-ordinator on ‘Practical Lattice-based Digital Signature Schemes’, and a moderated panel discussion, led by Bob Griffin, EMC/RSA, and involving leading industry experts in the field.

• The publication of 9 international peer-reviewed papers (2 x IEEE/ACM journals, 7 conference papers) in top-quartile journals and conferences in this research area, with a stream of further publications to follow.

• Communication of the SAFEcrypto project to significant audiences via the BBC World Service Forum Programme on Codes and Ciphers, in February 2015, with an estimated 210M listeners worldwide, and the Global Grand Challenges Summit, co-organized by US National Academy of Engineering, UK Royal Academy of Engineering, and Chinese Academy of Engineering, and webcast live from Beijing in September 2015.

• A software reference implementation of BLISS-B, the Bimodal Gaussian Lattice-Based Signature Scheme, was released under an open source license on github.com in September 2015. A second implementation, known as BLIZZRD, has been released which reduces the precision of the Gaussian samplers and improves the level of compression applied to signatures. We also identified and corrected an implementation flaw in the strongSwan BLISS IPsec implementation.

• A state-of-the-art analysis of the physical security challenges relating to lattice-based cryptography implementations in hardware and software was published in deliverable D7.1.

• The efficiency of lattice-based digital signature schemes has been investigated, and design optimizations have been proposed and published in deliverable D4.1. An efficient lattice-based Authenticated Key Exchange scheme has been proposed in response to the case study requirements set out in D9.1.

• Efficient hardware architectures for lattice-based cryptosystems have been investigated and reported in deliverable D5.1. Investigation of standard lattices and ideal lattices continues along with the successful implementation of a lattice-based IBE scheme’s encryption and decryption primitives.

• Software requirements for lattice-based cryptosystems have been set out in deliverable D6.1.

Progress beyond the state of the art and expected potential impact (including the socio-economic impact and the wider societal implications of the project so far)

In addition to our previously published work consisting of 2 journal papers and 7 conference papers, the SAFEcrypto project is currently breaking new ground in a number of areas:
• First Lattice-based Identity Based Encryption Implementation
We are working on a hardware/software co-design for the IBE scheme proposed by Ducas, Lyubashevsky and Prest (2014) [1]. Key generation will be done in software, since it is unlikely to be time critical and is complex, requiring Gram-Schmidt orthogonalisation. The encryption and decryption stages have already been implemented on FPGA. This is the first practical implementation of an IBE scheme using lattice-based cryptography. We hope to characterize the performance of the scheme and publish the results in the coming months.

• Masking Scheme for Ring-LWE Encryption
We are investigating the physical security of lattice-based encryption schemes such as ring-LWE (ring-based learning with errors) and assessing their vulnerability to side-channel analysis. A novel masking scheme has been developed to protect the ring-LWE encryption stage from differential power analysis. We are testing this approach prior to publication.

• Authenticated Key Exchange for LBC
We are about to publish a novel and highly efficient authenticated key exchange scheme for lattice-based cryptography (Del Pino, Lyubashevsky and Pointcheval, 2016) [2].

• Efficient Implementation of Gaussian Samplers in Hardware
We are investigating efficient hardware architectures for various Gaussian sampling schemes. This is a key hardware block for LBC implementations operating over standard and ideal lattices. Some schemes lend themselves to parallel or pipelined hardware architectures where gate count is not an issue; others operate well with restricted logic but require more memory resources. This work will be published in the coming months.
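To make the memory-versus-logic trade-off concrete, the following is an added software model of a cumulative distribution table (CDT) discrete Gaussian sampler; it is illustrative code, not SAFEcrypto's hardware design. The table is built once from the chosen sigma and tail cut, and each sample scans the whole table without an early exit, which is the structure a side-channel-aware implementation wants (the scan is only structurally constant-time here, since Python itself gives no timing guarantees).

```python
import math
import random

PRECISION = 64  # bits of the uniform input compared against table entries


def build_cdt(sigma, tail_cut=12, precision=PRECISION):
    """Build the CDT for the non-negative half of a centred discrete Gaussian.

    Entry i is the cumulative probability of sampling 0..i, scaled to an
    integer in [0, 2^precision]. The mass at 0 is halved so that applying a
    uniform random sign afterwards yields the symmetric two-sided distribution.
    """
    bound = int(math.ceil(sigma * tail_cut))
    weights = [math.exp(-(x * x) / (2.0 * sigma * sigma)) for x in range(bound + 1)]
    weights[0] /= 2.0
    total = sum(weights)
    scale = 1 << precision
    cdt, acc = [], 0.0
    for w in weights:
        acc += w
        cdt.append(int(acc / total * scale))
    cdt[-1] = scale  # force the tail to cover the whole input range
    return cdt


def sample_cdt(cdt, randbits, precision=PRECISION):
    """Draw one sample: the index is the count of table entries <= r.

    Every entry is visited regardless of r (no data-dependent early exit),
    trading a full table walk for simple comparison logic.
    """
    r = randbits(precision)
    x = 0
    for entry in cdt:
        x += int(r >= entry)  # 0/1 without a branch on secret data
    sign = randbits(1)
    return -x if sign else x


def sample_stats(cdt, n, seed=0):
    """Empirical mean and variance over n samples from a seeded PRNG (test aid)."""
    rng = random.Random(seed).getrandbits
    xs = [sample_cdt(cdt, rng) for _ in range(n)]
    mean = sum(xs) / n
    var = sum((x - mean) ** 2 for x in xs) / n
    return mean, var
```

For sigma = 3 the table has 37 entries and the empirical variance of a few tens of thousands of samples lands close to sigma^2 = 9.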

• Enhanced LBC Key Management Architectures
Our review of existing key management architectures and their suitability for the three case studies used in the project has led to the identification of gaps and further work needed to integrate underlying LBC technology. To date the community has focused its attention on the Transport Layer Security service (TLS). Although TLS is important our case studies have identified the need for other security services, for example, IPsec and DTLS. In addition, key management protocols such as PKIX (on which TLS relies) and KMIP will require changes. SAFEcrypto will specify these new requirements and prototype them as necessary.

The socio-economic impact of SAFEcrypto is still some way off, although a clear pathway is now emerging. In August 2016 the US National Institute of Standards and Technology (NIST) announced the need for a quantum-resistant cryptographic suite (https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml). As NIST prepares for the transition to a post-quantum cryptographic suite B, and urges organisations that build systems and infrastructures requiring long-term security to consider this transition in their product architectures and designs, the SAFEcrypto project will provide proof-of-concept demonstrators of schemes for three practical real-world case studies with long-term security requirements, in the application areas of satellite communications, network security and cloud computing. Our goal is to affirm lattice-based cryptography as an effective replacement for traditional number-theoretic public-key cryptography, by demonstrating that it can address the needs of resource-constrained embedded applications, such as mobile and battery-operated devices, and of real-time high-performance applications for cloud and network management infrastructures. There can be no doubt that the SAFEcrypto project is well placed to contribute valuable technology to this process, accelerate progress and ultimately exploit the commercial opportunities opened up by this transition.

Note that lattice-based cryptography is not the only option when considering quantum-resistant cryptosystems. The ETSI Industry Specification Group investigating Quantum-Safe Cryptography (QSC) is carrying out an analysis of all possible post-quantum cryptographic candidate technologies. In their first publication [3] the ETSI QSC group state that, “There are a small number of lattice- and code-based key establishment schemes that should be considered in more detail: Lattice-based schemes offer good security, fast key generation for forward security and the flexibility to provide key agreement, key transport and key pre-distribution schemes”. They continue, “There is much more choice for authentication schemes where lattices, multivariate systems and hash trees all look likely to provide secure signature schemes: Lattice-based signature schemes provide good options for general purpose applications and there are many different proposals to choose from. Key pre-distribution schemes are able to provide mutual authentication in peer-to-peer communications with very low overhead”. SAFEcrypto project partners are directly supporting the work of the ETSI QSC group and have taken responsibility for further analysis of lattice-based digital signature schemes. We can conclude from this independent report that lattice-based cryptosystems are presently well placed to provide a new generation of practical, robust and physically secure post-quantum cryptographic solutions that ensure long-term security for future ICT systems, services and applications. The SAFEcrypto project remains on course to achieve its objectives in full and to deliver significant impact at macro and societal levels by delivering well-implemented, innovative technology which will fundamentally underpin the digital rights of citizens across Europe for many decades to come.

[1] Léo Ducas, Vadim Lyubashevsky, Thomas Prest: Efficient Identity-Based Encryption over NTRU Lattices. ASIACRYPT 2014: 22-41.

[2] Rafaël Del Pino, Vadim Lyubashevsky, David Pointcheval: The Whole is Less than the Sum of its Parts: Constructing More Efficient Lattice-Based AKEs. SCN 2016.

[3] ETSI GR QSC 001 v1.1.1 (2016-07): Quantum-safe algorithmic framework.

Record Number: 192931 / Last updated on: 2016-12-15