Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
2019-08-26
Olof Magnusson and Mats Hurtig
HALMSTAD
UNIVERSITY
Post-Quantum Public Key
Cryptography for the Internet of
Things
ii
Acknowledgement
Looking into the cover of this thesis, there is nothing but two names associated
with it. The research would be harder to complete if we didn’t get valuable input
from numerous of people. We pestered some people, but they were only happy to
help. Thanks to Lidia Gridneva, Robin Kinnunen and Eric Järpe.
iv
Abstract
1 Introduction 1
1.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.3 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2 Method 5
3 Previous work 7
4 Theory 9
4.1 Transport layer Security . . . . . . . . . . . . . . . . . . . . . . . . 9
4.1.1 Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . 9
4.1.2 Authentication and handshake . . . . . . . . . . . . . . . . 10
4.1.3 Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
4.1.4 WolfSSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
4.2 Lightweight encryption . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.2.1 Symmetric block ciphers . . . . . . . . . . . . . . . . . . . . 12
4.2.2 Advanced Encryption Standard . . . . . . . . . . . . . . . . 12
4.3 NTRU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
4.3.1 Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
4.3.2 Key generation . . . . . . . . . . . . . . . . . . . . . . . . . 17
4.3.3 Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
4.3.4 Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
4.3.5 Security considerations . . . . . . . . . . . . . . . . . . . . . 18
4.4 Internet of Things . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
5 Experiment 22
5.1 Experiment set-up . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
5.1.1 Raspberry Pi . . . . . . . . . . . . . . . . . . . . . . . . . . 22
5.1.2 Temperature sensor . . . . . . . . . . . . . . . . . . . . . . 23
5.2 Implementation overview . . . . . . . . . . . . . . . . . . . . . . . . 24
5.3 Attack vectors towards the design . . . . . . . . . . . . . . . . . . . 28
6 Results 30
6.1 Key generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
6.2 Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
6.3 Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
vii
6.4 Practical implementation . . . . . . . . . . . . . . . . . . . . . . . . 39
7 Discussion 42
7.1 Lightweight encryption for IoT . . . . . . . . . . . . . . . . . . . . 42
7.2 Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
7.3 Result . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
8 Conclusion 48
viii
List of Figures
1 Illustration of classifications of symmetric and asymmetric crypto-
graphic algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2 Illustration of the sequence of operations for TLS communication
in a client-server model . . . . . . . . . . . . . . . . . . . . . . . . . 10
3 Illustration of how the Message Authentication Code is computed
at sender and verified at receiver . . . . . . . . . . . . . . . . . . . 11
4 Illustration of how the SubBytes step is formed using the bytes
(Ai,j ) and substitute the position in regards to the matrix B in the
non-linear S-box . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
5 Illustration of Shif tRows is performed with the bytes cyclically
shift A depending on the offset . . . . . . . . . . . . . . . . . . . . 13
6 Illustration of how the M ixColumns step is performed using the
new value of the column for converting the element in the matrix . 14
7 Illustration of how the AddRoundKey is performed using the round
K to each byte in the state matrix . . . . . . . . . . . . . . . . . . 15
8 Illustration of the design of the network and the cryptographic
structure in the embedded system . . . . . . . . . . . . . . . . . . . 22
9 Illustration of the Raspberry Pi used in the experiment . . . . . . . 23
10 Illustration of the temperature sensor used to record the ambient
temperature connected to the Raspberry Pi . . . . . . . . . . . . . 23
11 Diagram of the used methods within the NTRUEncrypt library . . 25
12 Illustration of the sequence of operations for TLS communication
with the extension of quantum-safe cryptography in a client-server
model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
13 Overview of the security domain for the application . . . . . . . . . 27
14 Illustration of the application implementation with different smart
sensors integrated . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
15 The implementation assumes that the devices itself are trusted and
only the network communication is considered not trusted. . . . . . 28
16 Analog and digital capture of 1-Wire communication between the
IoT-Device and temperature sensor . . . . . . . . . . . . . . . . . . 29
17 Histogram of key generation time series of tested NTRUEncrypt
parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
18 Trend diagram over key generation time in microseconds using dif-
ferent parameters for NTRUEncrypt relative to the server timestamp 32
19 Key generation with time in microseconds for all the NTRUEncrypt
parameters sorted from 112 to 256 bit security level . . . . . . . . . 33
ix
20 Histogram of encryption time series of tested NTRUEncrypt pa-
rameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
21 Trend diagram over encryption time in microseconds using different
parameters for NTRUEncrypt relative to the server timestamp . . . 35
22 Encryption time in microseconds for all the NTRUEncrypt param-
eters sorted from 112 to 256 bit security level . . . . . . . . . . . . 36
23 Histogram of decryption time series of tested NTRUEncrypt pa-
rameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
24 Trend diagram over decryption time in microseconds using different
parameters for NTRUEncrypt relative to the server timestamp . . . 38
25 Decryption time in microseconds for all the NTRUEncrypt param-
eters sorted by security level 112 to 256 bit security level . . . . . . 39
26 Comparison in average time for TLS handshake in milliseconds with
different cipher suites, where dark blue is with QSH enabled . . . . 40
x
List of Tables
1 Table over common network protocols used in smart homes . . . . . 21
2 Table over attributes of the temperature sensor used in the experiment 24
3 Statistical representation over standard deviation, max value, min
value, average and standard error of the tested TLS handshakes on
cipher suites with QSH enabled . . . . . . . . . . . . . . . . . . . . 41
xii
List of Abbreviations
1.1 Background
For centuries, civil decision makers have relied on the communication for the strate-
gical information exchange between the military lands headquarters and troops.
The problem was if the information occurred in the wrong hands, it could lead to
dangerous consequences. Further the military headquarters initiated to evaluate
techniques that could be used to secure the transmission of the information. A
more refined approach of codemaking were adapted to ensure communication by
implementing the most appropriate possible codes [1]. On the other hand, their
enemies tried revealing the codes to gain advantage in the upcoming battles. The
so called Scytale known as ”code of ancient Sparta” could be considered the first
predecessor of cryptography. This tool was utilized during the war between Sparta
and Athens (431-404 BC) and consisted of a leather strap tightly wrapped around
a rod. The message could be discovered only when the strap was around the rod of
the correct diameter. Without the rod, one can just identify a number of letters.
Aristotle was the person who managed to decipher Scytale, by means of move-
ments of the parchment until the length of the text was readable. The diameter
of the Scytale is therefore known.
In today’s cryptographic systems, the similar methodology is used, but in-
stead of a leather strap wrapped around a stick, complex mathematical problems
are used to reduce the risk of unauthorized individuals being able to decipher
the message. The algorithms are usually categorized into two distinct parts as
symmetric and asymmetric keys encryption. Symmetric keys are algorithms that
deploy the same cryptographic key for both plaintext encryption and deciphering
the ciphertext. A shared secret code is utilized between two or more parties that
may be used to maintain a confidential information exchange [2]. The algorithms
DES, 3DES, Blowfish and AES (Rijndael) are some of the most common systems
based on this methodology. Asymmetric cryptography is based on the assumption
of using a pair keys: a public and a private key. With this consideration, the
algorithms use a different component of the keypair for the encryption, decryp-
tion or signature creation and signature verification. This approach is being used
by the cryptographic systems RSA, El-Gamal and cryptographic systems which
deploy the arithmetics of elliptical curves and finite fields. However, within the
1
Internet of Things (IoT), utilizing of these algorithms is challenging in the view of
the limited computational capacity.
The digitalization with Internet of Things have transformed the way people
and businesses interact with smart devices. Introduced more frequently in areas
of fleet management in transportation, health-care and smart-grids in the energy
sector [3]. IoT-devices is expected to reach 20 billion by 2020. While most of them
are consumer products, a significant amount of them is produced for business usage
[4]. Looking at the mobile industry’s product life-cycle, most devices stop receiving
support after only 3–5 years after release, including security related updates. This
potentially implies a large threat in the future by having a significant amounts of
vulnerable devices active and connected to the internet. It is of great interest to
research how post-quantum lightweight encryption protocol can be useful in the
context of IoT and their cohesion.
1.2 Problem
Industries and authorities view on digital development provides the foundation
for discussing its problems. Based on previous technical developments, there is no
coherent picture of whether lightweight protocols have the capacity for handling the
volume of data distributed in today’s network. Furthermore, the post-quantum
lightweight cryptographic algorithms have only been used for a few years and
many implementations are still in the development phase. There may be unknown
risks in applications that provide a window for potential attack vectors. It is
unclear today whether the lightweight protocols are the best or only a way to
overcome these problems, but they have a great potential for improving the security
properties of constrained devices with requirement of short response times.
The present work will commit to the problem of whether post-quantum light-
weight encryption protocols can be applied as a method for resource constrained
devices in IoT systems. This concerns vulnerabilities in the method and increased
security awareness as well risks taken during the implementation. The reason-
ing regarding the suitability considering the limitations for IoT systems will be
discussed. The work addresses:
2
1.3 Limitations
The first part of the work is a brief literature review over the lightweight crypto-
graphic protocols with the purpose to create an overview of the current landscape.
An experiment will be conducted to evaluate the post-quantum safe cryptographic
algorithm NTRUEncrypt with different security parameters in a smart home en-
vironment. Finally the thesis will show a more practical approach for a trusted
end-to-end communication with NTRUEncrypt and WolfSSL aggregated.
3
2 Method
The project begins with creating a review of the lightweight encryption and their
key parameters with a summary of IoT applications and protocols, for a greater
understanding of the landscape [5, 6]. An experiment will be conducted for evalu-
ating a lightweight post-quantum cryptographic protocol taking into consideration
the limitations on the chosen IoT device. The experiment will measure key gen-
eration, encryption and decryption times for different parameters of the NTRU-
Encrypt algorithm. In addition, the work presents a proof of concept combining
NTRUEncrypt and WolfSSL for a trusted end-to-end communication.
The data obtained through the experiment will be analysed and compared
to the available information to find patterns or signs of deviations from the es-
tablished norms. It is essential for the technology development and for a higher
understanding within the subject in association with Blooms taxonomy or ’knowl-
edge pyramid’ [7]. A literature review and analysis combined with an experiment
is chosen to evaluate the results by understanding relations, patterns and princi-
ples. Thus the knowledge acquired in this regard would lead to higher efficiency
and understanding in the fields of lightweight encryption and IoT [8].
There are some limitations to this methodology that need to be taken into
account. One of the problems with all the cryptographic projects are that the
cryptographic protocols are only relevant as long as the algorithms are proven
secure. The post-quantum cryptography competition by NIST is in today’s writing
in round two and the protocols are still in an initial state. The implemented
algorithm in this experiment could have vulnerabilities which have not yet been
discovered. Another problem with this method is that only one protocol will be
implemented in the experimental setup, which makes it possible for this project
to miss several protocols that could perform better. Thus the process of choosing
cryptographic algorithm is relevant and important.
Methods used in previous works can be problematic or even wrong to utilize
on the selected devices in the experiment. With implementing a post-quantum,
cryptographic protocol these methods would additionally allow for incorrect results
interpretation.
What distinguishes this work from previous research is the fact that it is first
conducted with a literature review of the lightweight encryption and its analysis
combined with an summary of IoT applications and protocols. Together with
an experimental implementation of selected protocols, it will prove the model in
function that may not be described in the literature yet. With this in mind,
the paper will reveal a higher understanding of the relationship between IoT and
lightweight encryption.
5
Among other methods like interviews or literature study, a literature review
combined with analysis and an experiment is chosen as more accurate and as it
gives a larger knowledge base. It combines several ways to gather information
and produces new results. Interviews could be useful in this type of project for
gathering the knowledge from the industry of describing which sort of information
the organizations keep in IoT environment and the need for the encryption level
in that area. This was not possible with the given limited time.
6
3 Previous work
The public interest in using the Internet for Things has in turn engaged many
researchers, the security and energy efficiency are facing the major challenges in
IoT. To address this, papers with significant contributions are presented below.
In [9], the authors define lightweight encryption importance in relation to IoT ad-
vancements. IoT devices are used in multitudes of application areas: health-care,
smart home, smart parking and smart grid. Smart applications are only beneficial
to users if the system can protect its security properties from cryptanalysist. Fur-
thermore, it is discussed that the conventional cryptography algorithm RSA is not
adaptable to constrained devices due to the high computation rate requirement.
In the article [10], authors present a secure IoT monitoring framework by intel-
ligent integration of video summary and image encryption. With the development
of a power-efficient system that can perform autonomous enough, it is possible to
collect the important data and take the necessary action accordingly. The exper-
iment demonstrates the framework can reduce bandwidth, storage, transmission
costs and time to analyze substantial amounts of data generated by the sensors.
In [11], a lightweight no-pairing ABE scheme based on elliptical curves encryption
is implemented to address security and privacy issues within IoT. The schedule
is based on ECDH theory instead of Bilinear Diffie-Hellman assumption, provid-
ing the ability to measure overhead and performing detailed analysis. Finally,
it appears that the schedule has a profound impact on the communication cost
and efficiency of a digital system. In [12], the authors have analyzed a different
type of existing protocols that is based on elliptic curve or bilinear pairing. The
new AHA protocol integrated with NTRUEncrypt public key system is introduced
for wireless networks. The result from the experiment shows that NTRUEncrypt
accomplishes the security requirement and imposes less computational time for
generating a public-key pair.
More initial studies [10, 11, 12], demonstrate how lightweight encryption can
be used in different application areas for securing the communication. The surveys
mention different type of attacks that are important to take into consideration.
An article from 2017 [13], investigates the feasibility of implementing the NTRU-
Encrypt protocol in IoT endpoints. The authors implement the protocol on a
device based on 32-bit ARM CortexM0 architecture. The experiment compares
the performance of the algorithm configurations. The results from the experiments
indicate that NTRUEncrypt in fact provides a viable option towards securing IoT
endpoints. Another published article from 2017 describes a small number of vul-
nerabilities in the NTRUEncrypt algorithm [14]. Among them where timing and
cache attacks, however the authors also proposed countermeasures against these
7
attacks without significantly decreasing the performance on certain NTRUEncrypt
parameters.
In the recent years, scientific research has been done on quantum computers
that impose the ability to solve mathematical problems that are difficult to handle
with the conventional data processing [15]. The quantum computer optimizes Big-
O complexity asymptotically, meaning that if there is a quantum speedup for the
particular problem, this will be notified as N . The classical computer is using
O(N√ ) compared to the Grovers algorithm that imposes the ability to solve this
O( N ).
The previous work presents surveys and implementations with different light-
weight encryption protocols, showing different type of integrations with IoT. The
landscape indicates that the algorithms have a high potential, but the deficiency
of works in regards to implementations of quantum-safe lightweight protocols for
smart homes makes this research unique. For those companies that provide services
or products that constantly need to develop modern tools for the digitalization, it
becomes useful to show an overview of the discussed lightweight techniques with
their features. The experiment will prove the model in function to facilitate correct
valuable decisions for an implementation in the future.
8
4 Theory
This section presents theory needed for a greater understanding level of the exper-
imental set-up.
4.1.1 Confidentiality
Communication between two computers achieves confidentiality when the data is
protected from unauthorized access. Two distinct kind of cryptographic algorithms
used in digital systems, symmetric and asymmetric encryption to secure the com-
munication. Symmetric key are algorithms that are using a same cryptographic
key for both plaintext encryption and deciphering the ciphertext. In practice, a
secret is shared between two or more parties to maintain a private information ex-
change [2]. Asymmetric cryptography uses two different keys, one for encryption
(public) and one for decryption (private). Cryptographic systems which deploy the
usage of this arithmetic are RSA and elliptical curve [17], along with the NTRU
algorithm used in this thesis implementation. The particular disadvantage for the
asymmetric encryption occurs in such system where the public key is distributed
over the network and visualised by everyone. This requires larger key sizes to make
the cost of brute-force attacks on the private key not feasible but also increases
the computational cost compared to symmetric key algorithms. The asymmetric
9
algorithms is often only used for the key exchange whereas the symmetric algo-
rithm is implemented for the actual payload. The classifications of the encryption
technologies are shown in Figure 1.
10
cess encrypted with its private key for
the data transmission to the server.
4. The server examines if the certificate is valid with the confirmation that the
public key emerges from the private key to issue the digital signature. Finally, the
TLS communication can be established and illustrated more precisely in Figure
2. The symbols *+ are decisions depending on the agreement of cryptographic
standard and certificate to use between the two parties.
4.1.3 Integrity
To validate the integrity of the data transmitted over the channel, TLS uses Mes-
sage Authentication Code (MAC) for checking the messages and the authentica-
tion, ensuring that the integrity of the information has not been modified under
the transmission. As such, the sender and the receiver are in a need of sharing a
symmetric key K. Figure 3 illustrates this process when the sender is computing
the MAC algorithm encapsulated with the symmetric key, transmitted over the
channel to the receiver. Furthermore, the receiver validates the originality of the
message and inverts the computed function. The authenticity of the data can then
be guaranteed and the information to be trusted.
4.1.4 WolfSSL
WolfSSL is an integrated SSL library designated for embedded, RTOS and re-
source constrained systems, transcribed from ANSI C and commonly applied for
its royalty-free pricing and cross platform support. This includes client and server
SSL/TLS libraries, providing efficient solutions from TLS 1.2 to TLS 1.3. The
11
partnership between WolfSSL and Security innovation provides integration with
NTRUEncrypt and WolfSSL, allowing existing cipher suites to be complied to-
gether [18].
12
into a cipher code. Encryption is performed in 128 bit blocks of the type Rijn-
dael block cipher, wherein the 128 bits are structured as 16 bytes in a 4x4 byte
matrix and for each round the block is processed in four different steps [23]. The
initial phase of the algorithm is to SubstituteBytes, using the bytes (Ai,j ) in the
state array and substitute their position regards to (Bi,j ), in a non-linear S-box
shown in Figure 4. The substitution box deploy 8 bit from the S(Bi,j ), with the
multiplicative inverse in Galois field GF (2)[x]/(x8 + x4 + x3 + x + 1), providing
non-linearity in the cipher.
Figure 4: Illustration of how the SubBytes step is formed using the bytes (Ai,j ) and
substitute the position in regards to the matrix B in the non-linear S-box
However, the second step is the ShiftRows which implies that the bytes cycli-
cally shift depending on the offset. The following algorithm determines that the
first row stays however unchanged, the second row shifts one step, the third row
is shifted two steps and the last - three steps. Thus the important keypoint in
this operation is preventing columns to be encrypted independently as illustrated
in Figure 5.
Figure 5: Illustration of Shif tRows is performed with the bytes cyclically shift A de-
pending on the offset
The third step MixColumns defines the operation where the state columns are
combined with invertible linear transformation, using multiplication with a fixed
13
polynomial c(x) = 3x3 + x2 + x + 2 in the matrix under the following conditions
(0 ≤ j ≤ 3). The values in B are in turn left-multiplied, providing the new values
of the column in the state (1).
mixed
M0,j 2 3 1 1 M0,j
M mixed 1 2 3 1 M
1,j 1,j
mixed = × (1)
M 1 1 2 3 M2,j
2,j
mixed
M3,j 3 1 1 2 M3,j
The arguments in the algorithm are obtaining the four bytes as input and four
bytes as output, where the input bytes have an impact of the output bytes using
XOR operations to produce new columns [24]. Facilitating the new value of the
column can be accomplished by converting the element in the matrix (Ai,j ) ⊕
C(X) ⇒ (Bi,j ) as illustrated in Figure 6. Thus algorithm functions ShiftRows and
MixColumns, together make the diffusion in the cipher.
Figure 6: Illustration of how the M ixColumns step is performed using the new value of
the column for converting the element in the matrix
The last and the most vital step of the algorithm is the operation AddRound-
Key. It is constructed so that each of the subkeys is combined with the state. For
each round a subkey is derived from the main key utilizing Rijndael’s key schedule.
Further the subkey is used combined with either byte of the current state with the
subkey byte using bitwise XOR [24]. This algorithmic process can be illustrated
in Figure 7.
14
Figure 7: Illustration of how the AddRoundKey is performed using the round K to each
byte in the state matrix
4.3 NTRU
NTRU (N-Th Degree Truncated Polynomial Ring) is a Ring-based public key
cryptographic system developed by members from Brown University published in
1998 [25]. The cryptographic algorithm designed to offer the innovative secure
way of implementing the public key infrastructure compared to RSA and ellip-
tic curves. Furthermore, NTRUEncrypt is lattice-based cryptographic algorithm
which inhibits for quantum computers breaking the algorithm in polynomial time.
The cryptographic algorithm is one of the seventeen that passed the first round
in the NIST Post-Quantum standardisation competition which serves an indica-
tion that the system is robust against efforts from cryptanalysist to comprise its
security properties. Further in this section, the algorithmic structure and security
considerations will be presented of the NTRUEncrypt.
15
4.3.1 Algorithm
The fundamental definition for the implementation of NTRUEncrypt is specified
in [25, 13] and described as utilizing truncated polynomial over rings as seen in
(2).
Z[X]
R= (2)
XN − 1
NTRU depends on the parameters of three different integers (N, p, q). N is
representing the prime number in the Ring as possessing the degree N -1 (Non-
secret). The parameters p and q need to be relatively prime in the ring R so
gcd(N, q) = 1 and gcd(p, q) = 1. Note that the parameter q has to be selected to
be the larger modulo number with each coefficient reducing. The p is commonly
set to 3 ternary polynomial, and q is an integer number[ of q = 2k for efficiency
reason. These parameters are the most vital part of the Z X] ring as the truncated
polynomial a and b can explicitly be defined in the R by having integer data type
as in (3-4).
Z/qZ[X]
(5)
XN − 1
This can be defined into the ring R with the different polynomial a and b in
(6-7).
a(x) + b(x) = (a0 + b0 ) + . . . + (aN −1 + bN −1 )xN −1 (6)
16
4.3.2 Key generation
The key-generation algorithm is constructed so that the private key f and the
public key h are accomplished in three steps [13]. The first step generates the
random ternary polynomials F (x) and g(x). Suppose we construct f such as f =
1 + pF , where F is a polynomial coefficient in {−1, 0, 1}. This improves efficiency
in those terms that it is invertible and the TTP does not need to perform that
step of key generation. The inverse of polynomial f (x) (mod q) is computed for
fq (x) as the second step. Public key h(x) is then computed as (9).
4.3.3 Encryption
The encryption is deployed under the Shortest Vector Encryption Scheme, third
revision (SVES-3), to protect against the Chosen Ciphertexts Attacks (CCA) [26].
This is accomplished in four steps [13]. The message m transmitted, is an en-
coded ternary polynomial m(x) used to transform into a cipher message e. Then
generating a small polynomial called random blinding value t based on Blinding
Polynomial Generation Method (BPGM) in order to provide the plaintext aware-
ness [26]. This method is used to obscure the message in a similar way that El
Gamal uses random binding values for encrypting. The mask is computed in re-
gard to the means of Mask Generation Function (MGF) and t(x) ∗ h(x). Using
XOR operators on m(x) with the mask, creates the m´. The cipher text is then
computed in (10).
4.3.4 Decryption
Deciphering the message e, is accomplished using private polynomial f. The m
is retrieved in three steps [13]. Retrieving m´(x) is accomplished by quantifying
the expressions in (11-12). The second step, the received (t(x) ∗ h(x)) in (13)
is quantified. Finally the last step quantifies the mask using Mask Generation
Function (MGF) and r(x) ∗ h(x). Then m(x) can be retrieved in (14).
17
4.3.5 Security considerations
A security analysis over the recommended parameters within the NTRUEncrypt
has been specified in [27], describing the underlying problem for the cryptography
system as finding the shortest non-zero vector measured as N , in a given lattice
L (shortest vector problem, SVP) [28]. Finding the non-zero vector V so that
N (V ) = λ(L), generates the desirable output from the algorithm used.
L can be regarded as an integer lattice with distance ∥v∥2 , being the Euclidean
distance between the point IV and the origin. Then SVP is, for a given lattice L,
to find the shortest non-zero vector in V∗ ∈ L.
18
the quantum black box will have access to a subroutine to forming the unitary Uω
operator shown in (16).
{
Uω |x = −|x for x = ω, that is, f (x) = 1,
(16)
Uω |x = |x ̸ ω, that is, f (x) = 0.
for x =
To get more detailed explanation over the steps in the algorithm, let |s⟩ be
expressed as a quantum uniform superposition in (17).
1 ∑
N −1
|s⟩ = √ |x⟩ (17)
N x=0
Grover diffusion operator can then be defined in (18).
19
L1, can therefore be reduced as shown in (21).
qlr1 0 0
L1 = ∗ L1 0 (21)
∗ ∗ lr2
A meet-in-the-middle attack can therefore be performed by guessing a vector v
in L2 (22). Guessing correctly leads to that the vector is close to L1. Finding the
vectors in L1, when L1 is well reduced, resulting in discovering the short elements
of the chosen parameter of NTRUEncrypt [27].
[ ]
L2 = ∗ ∗ lr2 (22)
20
trolled locally and remotely via Internet, which makes them a part of IoT. One
can subdivide the IoT network into three layers.
Physical layer: is the bottom layer in the OSI model, integrated with actuators
sensors and RFID. The devices can be interconnected with each other and exchange
information to improve the capabilities of IoT. This can be done with identifying
electronic devices and recognize different patterns in the network.
Network layer: provides numerous units in a digital system to be able to ex-
change information. The network can be implemented using Quality of Service
(QoS), control and prioritize the traffic on the network. It is significant for the
dynamic network to be able to automatically identify changes and discover nodes.
Networks in smart homes are both wired and wireless, occasionally with several
protocol being used [36]. The most common protocol is 802.3 Ethernet for wired
networks and for wireless there are 802.11 Wi-Fi, Zigbee, Z-Wave, Bluetooth,
RFID and Radio frequencies of 433 and 868 MHz. Table 1 displays a comparison
of the common network protocols used in smart homes.
Application layer: is the top layer in the OSI-model (Open Systems Intercon-
nection) and is wherein the data is presented and generated for the physical device.
The layer is focusing on process-to-process communication in the network and de-
ploy services as: SMTFP, file transfer, web browsing and network data sharing
[37].
Frequency 2.4 Ghz & 5GHz 2.4 GHz 2.4GHz sub 1GHz
21
5 Experiment
In this chapter, the experiments’ implementation with technical details are pre-
sented.
Figure 8: Illustration of the design of the network and the cryptographic structure in
the embedded system
5.1.1 Raspberry Pi
In the experiment, two Raspberry Pi (3 Model B+) will act as a client and a server
respectively. The computer is running a Broadcom BCM2837B0 quad-core A53
(ARMv8) @ 1.4GHz with 1GB of RAM. One of the devices is shown in Figure 9.
22
Figure 9: Illustration of the Raspberry Pi used in the experiment
Figure 10: Illustration of the temperature sensor used to record the ambient temperature
connected to the Raspberry Pi
23
Table 2: Table over attributes of the temperature sensor used in the experiment
Input Unique 1-Wire interface requires only one port pin for communication
Number of servicing 4
temperature sensors
24
internal state is leaked prior to a reseed. Instantiation of DRBG is done by using
following function (ntru_crypto_drbg_instantiate), with the given parameter set.
To find out how large buffer needed for the public and private keys, the function
(ntru_crypto_ntru_encrypt_keygen) is utilized, allocating the buffer of the (pub-
lic_key_len) to hold the private key, and a buffer of length (private_key_len).
The ntru_crypto_hmac_create_ctx sets the hash algorithm for the key used to
form the the digest key into the HMAC context as the md is the address for the
digest length. The process is more precisely defined in (23-24).
(( ) ( ))
HMAC(md) = H K ′ ⊕ ipad ∥ data H (K ′ ⊕ opad) ∥ md (23)
{
H (K) K is larger than block size
K′ = (24)
K otherwise
Figure 11: Diagram of the used methods within the NTRUEncrypt library
To generate the key-pair, the public-key length need to be set to the size of the
buffer given the public and private key, by calling the function ntru_crypto_encrypt
_keygen(). To find out how large the buffer for holding the DER-encoding of the
public key, the function is executed
ntru_crypto_ntru_encrypt_publicKey2SubjectP ublicKeyInf o
25
the X.509 cerficate. This will be encoded to retrieve the public key for encryption.
However, if the decoded SubjectPublicKeyInfo is succesfull, it will point to the
SubjectPublicKeyInfo field, otherwise NULL if the buffer gets exhausted. When
retrieving the public key from the certificate, it will be used to encrypt AES-128.
This is performed by the previous call ntru_crypto_ntru_encrypt(). The next
step is to uninstantiate the DRBG, to receive the ciphertext to encrypt it. The
same procedure needs to be performed with the encryption and decryption part for
the instantiating process. Presently, when the public-key is created from the cer-
tificate, it will be used to encrypt with AES-128 and to obtain the buffer needed to
store the ciphertext. To uninstantiate the DRBG, the following function is called
rc= ntru_crypto_drbg_uninstantiate(drbg).
26
The client and server application is built with Python3 using TCP connections
and a WolfSSL wrapper for Python. The wrapper uses C Foreign Function Inter-
face (CFFI) to directly call C functions in WolfSSL from Python. Using Python
provided a faster and easier workflow when testing and building the Python appli-
cations. Figure 13, shows the important features used in this implementation as
protocol, algorithm, programming language, platform, architecture and microar-
chitecture.
27
Figure 14: Illustration of the application implementation with different smart sensors
integrated
Figure 15: The implementation assumes that the devices itself are trusted and only the
network communication is considered not trusted.
28
Another attack vector that is easily overlooked is hardware security: it might be
possible to capture the information before the encryption occurs. Figure 16 shows
the actual DS18B20 temperature sensor reading, captured by a logic analyzer
connected to the 1-wire bus between the client RPI1 and the temperature sensor
chip.
Figure 16: Analog and digital capture of 1-Wire communication between the IoT-Device
and temperature sensor
29
6 Results
The performance evaluation of modified algorithms that use NTRUEncrypt is
shown in this section with a Raspberry Pi. The evaluation presents the time for
key generation, encryption and decryption parameter list for the NTRUEncrypt
library measured in microseconds. To indicate stability under equal conditions,
the tests are performed 10,000 times for each algorithm setting to find the true
distribution.
30
Figure 17: Histogram of key generation time series of tested NTRUEncrypt parameters
31
Time [µs]
0
0.5
1
1.5
2
2.5
3
3.5
4
4.5
5
ee
s4
0
·104
ee 1ep
s4 1
0
ee 1ep
s5 2
4
ee 1ep
RPI
s6 1
Server
5
ee 9ep
s4 1
3
ee 9ep
s4 1
4
ee 3ep
s4 1
4
ee 9ep
s6 1
1
ee 3ep
s7 1
6
32
ee 1ep
s5 1
8
ee 7ep
s5 1
9
ee 3ep
s6 1
7
ee 7ep
s8 1
ee 87e
s1 p1
08
NTRUEncrypt parameters
Figure 18: Trend diagram over key generation time in microseconds using different
·104
5
4.5
3
Time [µs]
2.5
1.5
0.5
0
1
1
2
s6 1
s6 1
s5 1
1
s1 p1
1
s1 p1
s1 p2
s1 p1
p1
ee 9ep
ee 3ep
ee 3ep
ee 1ep
ee 1ep
ee 1ep
ee 9ep
ee 3ep
ee 9ep
ee 1ep
ee 7ep
ee 7ep
ee 7ep
ee 87e
ee 43e
ee 87e
ee 71e
9e
5
9
0
08
49
s4
s4
s5
s4
s4
s4
s7
s5
s6
s8
s7
1
ee
NTRUEncrypt parameters
Figure 19: Key generation with time in microseconds for all the NTRUEncrypt param-
eters sorted from 112 to 256 bit security level
6.2 Encryption
Figure 20, shows the average encryption time for the Raspberry Pi, using open-
source metrics dashboard Grafana, where the x-axis shows the timestamp for en-
cryption in regards to the parameter sets on NTRUEncrypt. A representation
of averages can be shown in Figure 21, relative to the server timestamp. This
shows how long it takes for the Raspberry Pi to encrypt in regards to different
strength settings (bits), where the ees401ep2 parameter had the shortest time and
ees1499ep1 the longest time. When comparing the encryption samples to the se-
curity bits again in Figure 22, the fastest parameters of the key generation are in
33
addition the fastest when it comes to encryption. Interestingly, 112 bits ees401ep1
parameter is the slowest when encrypting but it were second fastest when generat-
ing keys. Ees449ep1 parameter were the second fastest when generating keys out
of the parameters with 128 bit but is the slowest when it comes to encryption. The
similar trend is observed for ees677ep1 and ees1087ep2 parameters which are both
the second fastest in the key generation but slowest when it came to decryption
for 128 bit and 192 bit, respectively.
34
1,600
RPI
Server
1,400
1,200
1,000
Time [µs]
800
600
400
200
0
1
1
1
s6 1
s6 1
s5 1
1
s1 p1
1
s1 p1
s1 p2
s1 p1
p1
ee 9ep
ee 3ep
ee 3ep
ee 1ep
ee 1ep
ee 1ep
ee 9ep
ee 3ep
ee 9ep
ee 1ep
ee 7ep
ee 7ep
ee 7ep
ee 87e
ee 43e
ee 87e
ee 71e
9e
5
9
0
08
49
s4
s4
s5
s4
s4
s4
s7
s5
s6
s8
s7
1
ee
NTRUEncrypt parameters
Figure 21: Trend diagram over encryption time in microseconds using different param-
eters for NTRUEncrypt relative to the server timestamp
35
1,600
1,400
1,200
800
600
400
200
0
1
1
2
s6 1
s6 1
s5 1
1
s1 p1
1
s1 p1
s1 p2
s1 p1
p1
ee 9ep
ee 3ep
ee 3ep
ee 1ep
ee 1ep
ee 1ep
ee 9ep
ee 3ep
ee 9ep
ee 1ep
ee 7ep
ee 7ep
ee 7ep
ee 87e
ee 43e
ee 87e
ee 71e
9e
5
9
0
08
49
s4
s4
s5
s4
s4
s4
s7
s5
s6
s8
s7
1
ee
NTRUEncrypt parameters
Figure 22: Encryption time in microseconds for all the NTRUEncrypt parameters sorted
from 112 to 256 bit security level
6.3 Decryption
Figure 23, shows the average decryption time for the device Raspberry Pi using
open-source metrics Grafana. The x-axis shows the timestamp for decryption in
regards to the parameter sets on NTRUEncrypt. A representation of averages can
be seen in Figure 24, relative to the server timestamp. This shows how long it
takes for the Raspberry Pi to decrypt in regards to different strength settings (bits),
where the parameter ees401ep2 had the shortest time and ees1499ep1 the longest
time. When comparing decryption samples based on security bits in Figure 25,
it is possible to observe the similarities between encryption and decryption times.
However, the times are overall slower for decryption compared to encryption.
36
Figure 23: Histogram of decryption time series of tested NTRUEncrypt parameters
37
RPI
2,500 Server
2,000
Time [µs]
1,500
1,000
500
0
1
1
1
s6 1
s6 1
s5 1
1
s1 p1
1
s1 p1
s1 p2
s1 p1
p1
ee 9ep
ee 3ep
ee 3ep
ee 1ep
ee 1ep
ee 1ep
ee 9ep
ee 3ep
ee 9ep
ee 1ep
ee 7ep
ee 7ep
ee 7ep
ee 87e
ee 43e
ee 87e
ee 71e
9e
5
9
0
08
49
s4
s4
s5
s4
s4
s4
s7
s5
s6
s8
s7
1
ee
NTRUEncrypt parameters
Figure 24: Trend diagram over decryption time in microseconds using different param-
eters for NTRUEncrypt relative to the server timestamp
Comparing at the three parts: key generation, encryption and decryption com-
bined, there is for each level of security, a clear best performer. For 112 bit, the best
performer is ees401ep2, which is the quickest in all three parts. At 128 bit there
are two that perform similarly ees439ep1 and ees443ep1. The 192 bit parameters
ees593ep1 and ees587ep1 performed best in the same security bit strength. For
256 bit, the best performer is ees743ep1. The conclusion from the test is that the
NTRUEncrypt performed well with high speed overall under the key generation,
encryption and decryption phases.
38
2,500
2,000
1,500
1,000
500
0
1
1
2
s6 1
s6 1
s5 1
1
s1 p1
1
s1 p1
s1 p2
s1 p1
p1
ee 9ep
ee 3ep
ee 3ep
ee 1ep
ee 1ep
ee 1ep
ee 9ep
ee 3ep
ee 9ep
ee 1ep
ee 7ep
ee 7ep
ee 7ep
ee 87e
ee 43e
ee 87e
ee 71e
9e
5
9
40
08
49
s4
s5
s4
s4
s4
s7
s5
s6
s8
s7
1
s
ee
NTRUEncrypt parameters
Figure 25: Decryption time in microseconds for all the NTRUEncrypt parameters sorted
by security level 112 to 256 bit security level
39
without QSH, the difference was not significant as the overhead of the extension
introduced only 4 milliseconds to the regular TLS handshake. The result shows
that the handshake with NTRUEncrypt is under 0.5 seconds and gives indicators
that it can be used in real environments for embedded devices.
136.56
A 138.92
284.5
B 286.59
Cipher suites
285.32
C 287.65
284.86
D 287.32
284.44
E 286.91
Figure 26: Comparison in average time for TLS handshake in milliseconds with different
cipher suites, where dark blue is with QSH enabled
The statistical test with N = 1000 handshake iterations for each cipher suite,
gives more accurate prediction of the samples in the observations. Table 3 presents
the standard deviation, max value, min value, average and standard error (stdp)
of the tested cipher suites with QSH enabled. The standard error test from the
1000 iterations, is proven to be relatively low and provides the knowledge that the
data is less spread in the sampling distribution.
40
Table 3: Statistical representation over standard deviation, max value, min value, aver-
age and standard error of the tested TLS handshakes on cipher suites with QSH enabled
41
7 Discussion
In this chapter, a discussion and analysis are presented based on reported literature
and results.
42
loss. NTRUEncrypt is the only model that fits this requirements under 1kB to
reduce network delay, as the 0.5kB is used for the hello message.
The application areas as manufacturing, healthcare, Internet of Things, Near
field communication (NFC) and Vehicle Communications (V2V) could have ben-
eficial advantage of NTRUEncrypt. The algorithms used in today’s landscape are
slow as RSA, especially with key generations for acceptable security standard. If
the key size expands in regards to the factor N, RSA decreases of the size N 3,
where NTRUEncrypt has the ability to decrease at N 2. RSA labs chief scientist
Ari Juels, stated 2011 that NTRU is considerably faster than RSA [44]. The result
has been shown in [45], with a comparison of advantages and disadvantages in re-
gards to NTRUEncrypt and RSA in the practical use. The time for key generation
was 200x faster and the time for encryption, decryption 3x and 30x times faster
respectively. The latest succesfull attempt for factorization of RSA (768 bits keys)
was made in 2009 [46]. One of the most sufficient keys recommendations given by
NIST occurred to be 2048 which even should be valid until 2030 [47]. Compared to
NTRUEncrypt where all the arithmetic is done in small numbers and low memory
usage, the high speed provides big advantage compared to the ordinary encryption
systems.
Looking at the industry’s product life-cycle, devices stop receiving support af-
ter only 3-5 years after release, including security related updates. This potentially
implies a large threat in the future by keeping significant amounts of vulnerable
devices active and connected to the internet. For business models, implementing
security features on IoT devices there is a challenge in several ways. The leading
factor is the initial cost with the development of the products, regarding the con-
straints of processing power and memory for the device [48]. To overcome these
constraints and maximise the profit, manufacturers may not choose to invest in
implementing security features. This work is addressing this problem, showing a
new application area of implementing a cryptographic algorithm that has a future
in the long term, when the quantum computers are more developed for solving
complex mathematical problems. The chosen protocol NTRUEncrypt, is safe as
long as the shortest vector problem has not been solved.
7.2 Method
The literature review was based on the work that dealt with quantum-safe light-
weight encryption for smart home in particular, which provides the knowledge of
the techniques for the smart-home context. This approach of the work remains a
good choice as the paper focuses on an implementation, rather than just research
about how the technology works theoretically. Furthermore, it is possible to obtain
relevant theoretical information about lightweight encryption with help of a survey
43
regarding throughput, transparency and other properties. With an experiment, it
gives a more practical understanding about the cryptographic algorithm with its
advantages and disadvantages. Documentation for the implementation has been
received from the official NTRUEncrypt and WolfSSL and together with an ap-
plication domain the experiment could be proved to be practicable. The strength
and weakness of the chosen method in relation to the purpose are shown on the
example of the smart home and IoT concept, illustrating how the NTRUEncrypt,
WolfSSL operate simultaneously and providing stability of the algorithm under
controlled equal conditions. The weakness is the scope of the cryptography land-
scape, there are many variables to take into considerations when implementing an
algorithm for critical applications. If there should be more time available, this
thesis would also more particularly investigate the algorithm settings on NTRU-
Encrypt in a greater scale and normalise the result. However, this work shows an
application area in the context of smart homes, how to potentially implement the
algorithm for securing the application layer in embedded systems.
7.3 Result
The experiment shows the performance evaluation of the NTRUEncrypt: key gen-
eration, encryption and decryption with various parameters of the algorithm ob-
tained with the RP3. The data analysis of the parameters using open source met-
rics dashboard Grafana presents how consistent the algorithm was during these
tests. One of the conclusions that rises from the tests is that there is a possibility
for the developer to chose different variants for implementation to make the en-
cryption suitable with different products in a network. This leads to the decision
on which parameter to recommend in a embedded system. Starting with 128-
bits security the ees443ep1 parameter is the most promising one, the ees443ep1
parameter is using the hash function SHA-256 compared to ees433ep1 parameter
which is using SHA-1. For 192-bits, the ees587ep1 parameter, and the ees743ep1
parameter can be used with high confidence with 256-bits security. The reasoning
behind this argument is the security as good as its speed and providing enough
entropy and minimize the risk of decryption failure.
Comparing the evaluation result for the different parameters with [13], the
result from the NTRUEncrypt library is similar. However, there are some key
differences: the authors perform their tests on an ARM Cortex M0 microprocessor
while this work focuses on ARM Cortex v8. The device is more constrained but
not as commonly used in smart homes as ARMv8.
The implementation presents a quantum-safe lightweight encryption algorithm
for securing the application layer in smart homes. This implementation, provides
less computation time and another level of security for transmitting the data. With
44
the developments of an application domain, this client and server model with ci-
pher suite NTRU743ep1-AES128-SHA-256 provides a faster handshake compared
to the other algorithms tested. The given implementation increased the level of se-
curity for the handshake process using quantum-safe forward secrecy and security.
The solution presented in this thesis, gives good guidelines on how to use NTRU-
Encrypt with WolfSSL in the future, securing information in small embedded
systems. The use-case scenarios for this model are water quality reader, temper-
ature sensor, humidity sensor and IP-camera, regular products that are used for
home automation. Moreover, critical sensors as measuring heart-rate, sleep activ-
ity and body temperature should also benefit from this technology, both in terms
of security and performance. The increasing health care possibilities that elderly
and disabled people can be monitored by numerous of devices, makes it critical to
maintain the integrity and confidentiality of information to ensuring the patient
health. It is important that the information sent between the patient and health
care company is not blocked, stolen or to say the least manipulated. In smart
homes, there is a general problem because the encryption algorithm available is
computationally intensive and likely not used. The problem has been around for a
long time and it is necessary to think of smart homes in a larger perspective. The
abstract interpretation which this method implements, using the client-to-server
model, provides the ability to secure fast information exchange between the smart
homes and intuitions in the future.
It is harder to compare the result with our tested cipher suite NTRU743ep1-
AES128-SHA-256, since it have not been tested before. Comparing with [49], it
shows however that NTRUEncrypt is significantly faster compared to the authors
result since it took 4.5-20 seconds for the initial handshaking process. Even though
the authors performed the tests on Raspberry Pi 2, it is still possible to draw
the conclusions however that NTRUEncrypt perform better than the standards
available in terms of the handshake.
Speed records with NTRUEncrypt [50], shows that AES is approximately 20
times faster than a NTRUEncrypt implementation. The result has demonstrated
it in regards to the encryption and decryption time of this experiment. This means
that replacing RSA with NTRUEncrypt completely is not the optimal solution.
Using only one algorithm for the whole system is not either the solution, in the
case that it can introduce potential attack windows using the same arithmetic for
the entire cryptographic system. Using two fast encryption algorithms combined,
could be the solution as in the case of NTRUEncrypt.
Compared to different cryptographic systems, NTRUEncrypt is characterized
by a flexibility imposing requirements on the coefficients f, g, t, m and release the
requirements q > p(6N + 1), and reduce q considerably. With this tradeoff on the
value q, it is important to discuss the opportunities with larger value of q, where
45
there is a higher chance for successfully encrypting the ciphertext. With decreasing
the value on q, there is a higher chance for a decryption failure. An attacker can
in this particular case, learn these decryption failures and discover information.
The possibility of choosing q is important for a security level of N bits, achieving
a decryption failure of (2−N ). The findings in [27], show however that the Hybrid
attack needs 2(272) operations to the NTRU743 parameter set. Motivations behind
the certain choices of parameter settings and handshaking steps is the fact that it
provides protection against a certain type of vulnerability that otherwise could be
exploited.
The various algorithmic settings of the NTRUEncrypt rely on many variables
such as hash function and key sizes to be properly assigned for quantum-search
based speedups. The parameter set of ees401ep2, ees439ep1 utilizes the hash
algorithm SHA-1 and provides opportunities for an attack via Grover’s algorithm.
This could be replaced with a higher security as SHA-256. However, this will
decrease the speed of the particular algorithm. The NTRUEncrypt parameter that
has the best characteristics in this thesis is the NTRU743ep1 for the Raspberry
Pi. The parameter kept consistent good performance in the conducted tests and
became the optimal choice for the implementation.
46
8 Conclusion
The cryptodesign implemented in this thesis represents the client-to-server com-
munication, where the NTRUEncrypt is used as the key exchange algorithm. The
actual payload from the various of sensors could then be encrypted by using AES,
because the known fact that AES has been proven 20 times faster data encryption
time than NTRUEncrypt. The result shows that it is possible to implement a
quantum-safe lightweight encryption algorithm for securing the application layer
for smart homes, where in this case the handshake information between the client
and server could not be eavesdropped by a malicious actor. The additional exten-
sion QSH, provides quantum security and quantum forward secrecy with minimal
overhead. With the developments of an application domain, the client and server
communication is built upon Python3 using TCP connections and a WolfSSL
wrapper for Python. The result from the suggested model provides a faster way
comparing to the ordinary encryption options that the market is referred to, and
at the same time provides increased security for the embedded systems with the
help of a quantum safe algorithm for the digital information exchange. The un-
derlying architecture of the design, gives the information however the components
do not give any form of obstacle, but provides a possibility to scale up and use
more smart interactions.
Together with the performance evaluation of different algorithmic settings on
NTRUEncrypt regarding key generation, encryption and decryption, the method
shows durability for the device to produce the operations on a consistent level and
gives a visual representation of the suitability for the algorithm for the embedded
devices. Finally, it is shown that post-quantum lightweight encryption can be
viewed as a new approach to secure the information transfer in a smart home in
the future.
It is suggested for future work and research to test the practical model in more
constrained environments, with more diverse measurements and develop general
methods for managing Internet of Things. It is also of interest to test the model
in other application areas as NFC, V2V and Manufacturing.
48
References
[1] S. Pincock, Codebreaker: The History of Codes and Ciphers. Walker, 1 ed.,
2016. isbn: 978-0802715470.
49
[12] R. Chen and D. Peng, “A novel ntru-based handover authentication scheme
for wireless networks,” IEEE Communications Letters, vol. 22, no. 3,
pp. 586–589, 2018.
[13] O. M. Guillen, T. Pöppelmann, J. M. B. Mera, E. F. Bongenaar, G. Sigl,
and J. Sepulveda, “Towards post-quantum security for iot endpoints with
ntru,” in Proceedings of the Conference on Design, Automation & Test in
Europe, DATE ’17, (3001 Leuven, Belgium, Belgium), pp. 698–703,
European Design and Automation Association, 2017.
[14] J. Sepulveda, A. Zankl, and O. Mischke, “Cache attacks and
countermeasures for ntruencrypt on mpsocs: Post-quantum resistance for
the iot,” in 2017 30th IEEE International System-on-Chip Conference
(SOCC), pp. 120–125, Sep. 2017.
[15] L. Chen, S. Jordan, Y.-K. Liu, D. Moody, R. Peralta, R. Perlner, and
D. Smith-Tone, “Report on post-quantum cryptography,” tech. rep., US
Department of Commerce, National Institute of Standards and Technology,
2016.
[16] T. Dierks and E. Rescorla, “The transport layer security (tls) protocol
version 1.2,” tech. rep., 2008.
[17] M. G. Zapata, “Secure ad hoc on-demand distance vector routing,” ACM
SIGMOBILE Mobile Computing and Communications Review, vol. 6, no. 3,
pp. 106–107, 2002.
[18] wolfSSL Inc, “wolfssl.” https://github.com/wolfSSL/wolfssl, 2019.
[19] T. Eisenbarth, S. Kumar, C. Paar, A. Poschmann, and L. Uhsadel, “A
survey of lightweight-cryptography implementations,” IEEE Design Test of
Computers, vol. 24, no. 6, pp. 522–533, 2007.
[20] G. Hatzivasilis, K. Fysarakis, I. Papaefstathiou, and C. Manifavas, “A
review of lightweight block ciphers,” Journal of Cryptographic Engineering,
vol. 8, no. 2, pp. 141–184, 2018.
[21] J. Hoffstein, J. C. Pipher, J. H. Silverman, and J. H. Silverman, An
introduction to mathematical cryptography, vol. 1. Springer, 2008.
[22] J. Daemen and V. Rijmen, The design of Rijndael: AES-the advanced
encryption standard. 2013.
[23] A. M. Abdullah, “Advanced encryption standard (aes) algorithm to encrypt
and decrypt data,” Cryptography and Network Security, 2017.
50
[24] C. Paar and J. Pelzl, Understanding cryptography: a textbook for students
and practitioners. Springer Science & Business Media, 2009.
[25] J. Hoffstein, J. Pipher, and J. H. Silverman, “International algorithmic
number theory symposium,” pp. 267–288, Springer, 1998.
[26] W. Whyte, “Implementation aspects of ntruencrypt version 3.1”, consortium
for efficient embedded security,” tech. rep., Securityinnovation, 2015.
[27] J. Hoffstein, J. Pipher, J. M. Schanck, J. H. Silverman, W. Whyte, and
Z. Zhang, “Choosing parameters for ntruencrypt,” in Cryptographers’ Track
at the RSA Conference, pp. 3–18, Springer, 2017.
[28] O. Regev, “Lattice-based cryptography,” in Annual International Cryptology
Conference, pp. 131–141, Springer, 2006.
[29] D. J. Bernstein, C. Chuengsatiansup, T. Lange, and C. van Vredendaal,
“Ntru prime: reducing attack surface at low cost,” in International
Conference on Selected Areas in Cryptography, pp. 235–260, Springer, 2017.
[30] D. Micciancio, “Lattice-based cryptography,” Encyclopedia of Cryptography
and Security, pp. 713–715, 2011.
[31] P. Kwiat, J. Mitchell, P. Schwindt, and A. White, “Grover’s search
algorithm: an optical approach,” Journal of Modern Optics, vol. 47, no. 2-3,
pp. 257–266, 2000.
[32] S. R. Fluhrer, “Quantum cryptanalysis of ntru.,” IACR Cryptology ePrint
Archive, vol. 2015, p. 676, 2015.
[33] H. Wang, Z. Ma, and C. Ma, “An efficient quantum meet-in-the-middle
attack against ntru-2005,” Chinese Science Bulletin, vol. 58, no. 28-29,
pp. 3514–3518, 2013.
[34] K. Ashton et al., “That ‘internet of things’ thing,” RFID journal, vol. 22,
no. 7, pp. 97–114, 2009.
[35] M. R. Alam, M. B. I. Reaz, and M. A. M. Ali, “A review of smart
homes—past, present, and future,” IEEE Transactions on Systems, Man,
and Cybernetics, Part C (Applications and Reviews), vol. 42, pp. 1190–1203,
Nov 2012.
[36] M. Kuzlu, M. Pipattanasomporn, and S. Rahman, “Review of
communication technologies for smart homes/building applications,” in 2015
IEEE Innovative Smart Grid Technologies - Asia (ISGT ASIA), pp. 1–6,
Nov 2015.
51
[37] V. Karagiannis, P. Chatzimisios, F. Vazquez-Gallego, and J. Alonso-Zarate,
“A survey on application layer protocols for the internet of things,”
Transaction on IoT and Cloud computing, vol. 3, no. 1, pp. 11–17, 2015.
[44] E. Messmer, “Meet the fastest public-key algorithm few have even heard of,”
tech. rep., Networkworld, 2018.
[45] X. Shen, Z. Du, and R. Chen, “Research on ntru algorithm for mobile java
security,” in 2009 International Conference on Scalable Computing and
Communications; Eighth International Conference on Embedded Computing,
pp. 366–369, IEEE, 2009.
[47] E. Barker and Q. Dang, “Nist special publication 800-57 part 3 revision,”
NIST, Tech. Rep, 2015.
52
[48] D. Pishva*, “Iot: Their conveniences, security challenges and possible
solutions,” Advances in Science, Technology and Engineering Systems
Journal, vol. 2, no. 3, pp. 1211–1217, 2017.
53
Olof Magnusson received his BSc
degree from The Institute of
Computer Science and Engineering at
Halmstad University in 2018. His
research interests include:
Cryptography, Blockchain and
Embedded systems.