Key Takeaways Jovanovic worked recently on NORX, a novel authenticated encryption algorithm with support for associated data and aims to provide high security levels, good performance in soft- and hardware, and some additional security features like an inherent resistance to timing side-channel attacks.

He also worked on an extension to Bitcoin and other blockchains called ByzCoin, which could increase Bitcoin's transaction throughput by up to two orders of magnitude. Due to the central role IT systems play in our society they are increasingly attacked by hackers, criminals, or other governments be it for cyber-crime, cyber-espionage, or just mischief.

IoT Systems are particuarly vulnerable. One exception is IKEA's Trådfri smart lighting platform which has a relatively decent security architecture.

To keep yourself secure use common best practices: install software updates as soon as they are available, enable full disk encryption, use strong per-service-unique passwords together with a password manager, activate 2-factor authentication whenever possible (for extra security use a Yubikey), and have multiple backups.

For mobile messaging use messengers with support for end-to-end encryption such as Signal/Wire/iMessage/Whatsapp. Try to use PGP/SMIME for email encryption whenever possible.

DotSecurity is a security conference for non-security developers. Some of the best hackers were present on April 21, 2017 in Paris to talk about the security principles, tools and practices that every developer should know.

In this interview, originally published on InfoQ France, Mathieu Bolla Talks to Philipp Jovanovic, a Cryptographer at École polytechnique fédérale de Lausanne (EPFL), About NORX, IoT Security and keeping yourself safe on-line, and Blockchain.

InfoQ: Hi Philipp, I'm Mathieu Bolla, software engineer at LesFurets.com, and responsible for our customer data security. You're a cryptographer at École polytechnique fédérale de Lausanne. Would you please introduce yourself in a few words?

Hi Mathieu, nice to meet you! I work as a postdoctoral researcher at EPFL's Decentralized and Distributed Systems (DEDIS) lab since 2015 where I collaborate with Bryan Ford and his team. Before that I did my PhD in cryptology at the University of Passau, Germany. My research interests broadly include applied cryptography, information security, and distributed and decentralized systems.

InfoQ: You worked recently on NORX, a candidate to CAESAR (Competition for Authenticated Encryption: Security, Applicability, and Robustness), which is expected to end by late December 2017. I understand it aims to simplify a developer's life by providing methods of encryption and authentication in a single shot, lowering the risks of combining two contradictory methods, for instance. Could you tell us more about NORX? Should we use it now, and to what end?

NORX is a novel authenticated encryption algorithm with support for associated data and aims to provide high security levels, good performance in soft- and hardware, and some additional security features like an inherent resistance to timing side-channel attacks. Our goal was to keep the the overall algorithm design as simple as possible to reduce the risk of accidentally overlooking security weaknesses which, as you can probably imagine, happen very easily. Although we are fairly confident that NORX is secure, we do not recommend its usage for anything but testing purposes currently. Instead we advise to wait for the conclusion of the CAESAR competition and in the meantime rely on current standard AEAD ciphers like AES-GCM or ChaCha20-Poly1305.

InfoQ: Once CAESAR picks a winner, do you expect it to become a standard? What impact can we expect, as developers? Do you see it replacing, e.g. HMAC over HTTPS messages as seen on some mainstream cloud services, that are a pain to implement correctly, and were sometimes proven unsafe?

Actually, CAESAR will not just pick a single winner among the remaining algorithms but instead will recommend a portfolio of ciphers categorized by their suitability for certain application scenarios, such as software, hardware, or resource-constrained devices. Once the competition has concluded, I hope that we will see a more widespread deployment of the final CAESAR portfolio replacing older AEAD constructions like AES-CBC+HMAC and AES-GCM. This shift will of course not happen over night but instead gradually over a longer period of time. As far as I am aware, there are no plans that the CAESAR winners are standardized by default, e.g., as in NIST's SHA3 competition. I hope, however, that organizations like the IETF's Crypto Forum Research Group (CFRG) will consider some of the CAESAR winners for standardization to further simplify adoption.

InfoQ: More generally speaking, what's your opinion on the state of information security, in a world where intelligence agencies are said to be spying on various targets, armies working on cyber attacks, and internet corporations facing highly advertised attacks from small groups or even individuals? Do you feel like the threat level has increased, or are we just becoming more aware of it, and its consequences?

Due to the central role IT systems play in our society, I guess it is no surprise that they are increasingly attacked by hackers, criminals, or other governments be it for cyber-crime, cyber-espionage, or just mischief. I think it can be expected that this trend will continue thanks to various developments like lowered barriers to acquire hacking-tools and tutorials on the Internet, a seemingly increasing lucrativeness of cyber-crime, governments all around the world upgrading their cyber-offensive and surveillance capabilities, and an increasing pace at which new technologies are being developed and thrown, often prematurely, on the market. Although the situation seems to be grim, there is hope nonetheless. Just to give an example: a while ago IKEA released its Trådfri smart lighting platform which apparently has a fairly decent security architecture. At a first glance it might come as a surprise that of all companies, it is IKEA that points the way of the importance to invest in good security design for IoT products. On a second thought, however, IKEA's decision becomes easily comprehensible: by not squeezing the last bit of revenue out of their IoT product, IKEA reduces the risk of their devices being hacked on a large scale which could force the company to do a costly product recall and might damage its image substantially. Thanks to this decision, the world is likely spared from experiencing a Trådfri-botnet with a gazillion IoT light bulbs against which the Mirai-botnet would be a bad joke. I think it would be great if more (and especially IoT) companies would follow IKEA's lead on that front. This small story highlights yet another important point: investing in the security education of designers and developers is crucial, as new IT products have to be always designed with security in mind. Retroactively patching security into a product basically never works. Finally, I believe that raising the awareness for security matters in the general population, i.e., on the end user level, is another important topic we have to keep working on.

InfoQ: As an individual, and developer, what threats do you expect to become prevalent this year? We hear a lot about ransomware, phishing attacks, zombie IoT, but these seem technically avoidable. How do you protect yourself, and from what kind of threats?

The threats you are mentioning might theoretically be avoidable, yes, but we are not living in a perfect world and thus have to expect that mistakes in the design, deployment, and usage of IT systems will be made in the days to come. It shouldn't come as a big surprise that, also in 2017, it is very likely that we will see our fair share of cyber-attacks, probably expanding to the next generation of computerized products like connected cars, medical devices, and augmented- and virtual-reality systems. For the protection of my own devices and data, I use fairly common best practices: install software updates as soon as they are available, enable full disk encryption, use strong per-service-unique passwords together with a password manager, activate 2-factor authentication whenever possible (for extra security use a Yubikey), and have multiple (of course encrypted) backups. For mobile messaging I exclusively rely on messengers with support for end-to-end encryption such as Signal/Wire/iMessage/Whatsapp. I also try to use PGP/SMIME for email encryption whenever possible. Finally, always be thoughtful on which links in your emails and other messages you click, as more than 91% of cyber-attacks start with a fraudulent message.

InfoQ: I see you also worked on the blockchain, more specifically ByzCoin, an extension to Bitcoin and other blockchains. You benchmarked a maximum throughput somewhere in between Paypal and VISA, which is a great enhancement over the approximate 7 transactions per second achieved by current Bitcoin implementation. Do you think yours will gain traction, and will it make cryptocurrencies more stable and mainstream?

It would be certainly great if a cryptocurrency like Bitcoin would adopt ByzCoin as it would not only drastically increase Bitcoin's performance but also its security. We already reached out to the Bitcoin community on multiple occasions asking whether they would be interested to collaborate on a ByzCoin adoption, but, unfortunately, there seems not to be much interest at the moment. To be fair, though, transitioning to ByzCoin would be only a first step in solving some (albeit very important) problems Bitcoin and other cryptocurrencies are currently facing. Such a step would, however, also increase the urgency with which some other challenges would be needed to addressed. For example, ByzCoin could increase Bitcoin's transaction throughput by up to two orders of magnitude (to ~700 TPS) which would also ramp-up storage requirements drastically. Consequently, only well-equipped nodes would be able to continue maintaining the blockchain, which would further centralize Bitcoin. The energy-wasting proof-of-work mining mechanism is yet another critical issue that needs to be solved in order to re-democratize cryptocurrencies and prepare them for the mainstream.

InfoQ: You mention in your paper it's possible to extend other blockchains. If I think about Ethereum, I imagine your work may allow it to handle a larger base of smart contracts, at a higher transaction rate than is possible for now. Is this the only limiting factor to what can be implemented over something like Ethereum? Do you think your work has already set a hard limit, or is there still room for improvement?

ByzCoin could certainly help Ethereum in the way you mentioned but it also has its limitations in the sense that it can only scale to a certain extent as its performance would start degrading if the consensus group grows beyond a certain size. So there is still room for improvement, and in fact, our team (and in particular Eleftherios Kokoris-Kogias, one of our PhD students) is currently working on a system that, besides solving the storage problems mentioned above, enables secure horizontal scaling of cryptocurrencies, which means that the system's throughput could increase linearly to the number of consensus group members.

InfoQ: Now, a look in to the future. Recently, you worked on NORX for CAESAR competition, then on the blockchain. So what's next? Can you tell us what projects you're working on for the year to come? What's hot in the cryptography labs?