Summer School on real-world crypto and privacy in Šibenik 2022
This year’s Summer School on real-world crypto and privacy took place in Šibenik, Croatia, June 13–17, 2022. The summer school was jointly organised by the Digital Security (DiS) group, Radboud University (The Netherlands), Max-Planck Institute for Security and Privacy (Germany), ETH Zurich Information Security and Privacy Center (Switzerland) and Faculty of Electrical Engineering and Computing, University of Zagreb (Croatia). We talked to school organisers and participants, who shared their experiences of the Summer School and the CONCORDIA partnership.
Stjepan Picek, Radboud University, The Netherlands – member of the organising committee
Radboud is one of the members of the CONCORDIA stakeholder group and it recognizes the importance of educational/training activities, for which the successful partnership with CONCORDIA is essential. While the school has been active since 2014 (with the exception of the COVID-19 years), every year we strive to provide a better experience to the participants. To this end, CONCORDIA allowed us better exposure to students in the domain of security and organized a forum to discuss the relevance of networking. On the second day of this year’s Summer School, the CONCORDIA project was presented to the school participants.
Ante Derek, Faculty of Electrical Engineering and Computing, University of Zagreb, Croatia
FER has been the organiser of the school since its inception, and now that FER is a full part of the CONCORDIA project, we are glad that this partnership was extended to the Summer School. Through the partnership we are able to support the participation of our graduate students at the Summer School and expose them to cutting-edge research in the fields of cryptography and security in general.
Petar Paradžik, Faculty of Electrical Engineering and Computing, University of Zagreb
After two years of postponement due to COVID-19, we have finally witnessed the 7th edition of the Summer School on real-world crypto and privacy in Šibenik. This year, leading security researchers from various relevant fields gathered again, and each PhD student was able to find a talk that was closely related to their research topic. Topics included elliptic-curve-based cryptography, symbolic analysis of security protocols, web-based privacy, post-quantum key exchange protocols, secure end-to-end messaging, secure machine learning, trusted execution environments, microarchitectural timing side-channel attacks, hardware trojans, Wi-Fi attacks, and security of low-end IoT devices. The most notable talks for me were the following.
Analysing Payment Protocols with Tamarin by David Basin, in which he talks about bypassing the PIN in non-Visa cards by using them for Visa transactions (check out the paper of the same name). This talk (and the paper) also demonstrated that symbolic protocol verification tools like Tamarin Prover are mature enough to be able to find novel attacks in a semi-automated manner.
Secure Messaging: the Good, the Bad and the Ugly by Kenny Paterson. I knew Signal was good, but I didn’t know that it should be a role model for others. I also knew Telegram was bad, but I didn’t know it was ugly. Telegram had a vulnerability where an attacker could manipulate the order of client messages in a sequence so that the resulting assembled message was interpreted differently by a server.
Countermeasures for Spectre – Promise and Reality by Yuval Yarom. How do all these Linux patches mitigate microarchitectural timing side-channel attacks targeting modern CPUs that perform branch prediction and other forms of speculative execution? Are they effective enough and how much of an impact do they have on performance? You could hear all about it and much more in this talk.
In addition to the standard lectures, seven tutorials were held. These were particularly useful for the PhD students, as they were able to learn, among other things, how to use tools relevant to security research. One of these tools is a symbolic protocol verification tool called Tamarin Prover. The Tamarin Prover tutorial was the longest and lasted six hours. It was given by Professor Cas Cremers, one of the developers of the tool and a well-known researcher in the field.
Hedwig Körfgen, University of the Bundeswehr Munich
For the first time since starting my PhD, I got the opportunity to join a summer school. Šibenik was recommended by my colleagues at Bundeswehr University Munich as a world-class school with interesting speakers. Additionally, I had heard a lot about the great location. Working in the field of quantum cryptography with a background in physics, I wanted to get as many insights from other areas as possible. And my expectations were even exceeded!
The broad range of topics was very beneficial for getting a broader picture of security, privacy and cryptography. I especially loved the combination of talks and hands-on tutorials. My key learnings are:
Formal verification of cryptographic protocols is important, and elaborate tools are available. I had never given a thought to everyday credit card payments. I just assumed that the payment providers were aware of security issues. David Basin (ETH Zurich, Switzerland) gave a talk on how to use the Tamarin prover to find security issues in payment protocols. The tutorial about Tamarin provided hands-on experience. Thanks to the summer school, I always think about verification when discussing new protocols in my work.
There is much more discussion about hardware trojans than real-world experience of them. In today’s global supply chain, the chips in a device have made a long journey from design to production. The possibility that some malevolent party changed the chips in the process is always somehow suggested in discussions about whether suppliers from certain countries can be trusted. In his talk “How I Learned to Stop Worrying and Love Hardware Trojans”, Christof Paar (MPI Bochum, Germany) busted the myth of the omnipresent hardware trojan. The matching tutorial “Hardware Reverse Engineering” provided some exercises on how reverse engineering of chips can be used to look for hardware trojans.
Isogeny-based cryptography is like walking in Manhattan. Chloe Martindale (University of Bristol, UK) presented recent developments in the field of post-quantum cryptography. I will keep the Manhattan map in my mind as a great visualization of graph walking.
My overall verdict: five stars. This was my first summer school and I really enjoyed the atmosphere. I met many like-minded people from all over Europe and had great discussions about our research topics. The discussions with other PhD students as well as experienced researchers were very constructive and interesting. And I am sure that whenever I attend another summer school or conference, I will meet friends from Real World Crypto and Privacy 2022.
(By Faculty of Electrical Engineering and Computing, University of Zagreb, Croatia)