September 14-18, 2025

Kuala Lumpur, Malaysia

Tutorials take place on:

Sunday, September 14, 2025.

Tutorials

Putting Our Trust in the Implementation of MPC: Why and Why Not?

Time:

TBA, Sunday, September 14, 2025

Location:

TBA

Speaker:
  • Fatemeh Ganji, Worcester Polytechnic Institute, USA
Abstract:

Secure multiparty computation (MPC) enables mutually distrustful parties to jointly compute on their private inputs without disclosing anything beyond the result. Practical, general-purpose implementations of MPC protocols have been known to the cryptography community for some 30 years, and MPC continues to gain momentum thanks to its immense impact on the field. Over the past decade it has gained traction internationally, owing to tremendous improvements in the performance of garbled circuit (GC) and secret-sharing protocols and to the availability of highly mature open-source tools. In terms of implementation maturity, especially for outsourced processing, these MPC paradigms have reached real-world deployment and market-ready levels.

As a prime example, given the mature applications of GC and secret sharing, it is not surprising that neural network (NN) applications have started adopting privacy-preserving techniques, as major stakeholders' publications and products demonstrate. MPC-supported NNs are racing toward more efficient implementations and becoming practical by combining advances in hardware/software design with progress in the MPC protocols themselves, e.g., offline/online preprocessing that reduces communication costs.

Despite the theoretical soundness of the protocols, their implementations in software and/or hardware can be vulnerable, as recent attacks on protocol implementations show. The consequence is severe: an MPC-supported scheme deployed in a privacy- or security-critical domain is then neither privacy-preserving nor secure. The problem remains understudied, even though many implementation frameworks are open source and thus readily available for such research.

Figure 1: Example of attacks against MPC implementations. MPC-supported NNs can come under different attacks.

This tutorial highlights the importance of protecting MPC implementations against multiple attacks (see Figure 1). We focus on backdoor attacks, side-channel analysis (SCA), and fault attacks. Concretely, we will cover the following:

  • an introduction to privacy-preserving techniques, including differential privacy, trusted processors, and cryptographic approaches, of which MPC and fully homomorphic encryption are the most common;
  • side-channel attacks against MPC implementations;
  • a taxonomy of MPC protocols used in private training and private inference;
  • fault attacks against MPC-supported NNs;
  • potential countermeasures that protect MPC-supported NNs against side-channel and fault attacks;
  • a taxonomy of state-of-the-art backdoor attacks against NNs;
  • MPC for protecting NNs against backdoor attacks, and its challenges;
  • other novel applications of MPC implementations and their security;
  • a summary of open problems and future research directions.

For the first time, this tutorial systematizes the knowledge on the vulnerabilities reported in MPC-supported NNs and in MPC protocols themselves, published in several papers at top-tier security conferences over the last few years. Its ultimate goal is to draw the community's attention to vulnerabilities in protocol implementations beyond the usual targets of the side-channel and fault-attack literature.
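To make the fault-attack item concrete, here is a constructed two-party example (added for this page; it is not code from the tutorial or from any MPC framework). Weights of a linear layer are additively shared over Z_2^64 as fixed-point numbers, the input is public, so each party computes its share of the inner product locally, and the result is reconstructed. A single bit flipped in one party's share then appears in the output as a known additive error: the sharing is linear, so the protocol's correctness guarantee says nothing about faulted execution. The ring size, fixed-point format, weights and input are all assumptions made for the example.

```python
import secrets

K = 64                      # ring Z_{2^64}, common in secret-sharing frameworks
MOD = 1 << K
FRAC = 16                   # fixed-point fractional bits (assumed for the example)


def to_ring(x):
    """Real number -> fixed-point ring element."""
    return round(x * (1 << FRAC)) % MOD


def to_signed(v):
    """Ring element -> signed integer (two's-complement view of Z_{2^64})."""
    return v - MOD if v >= MOD // 2 else v


def share(v, randbelow=secrets.randbelow):
    """Split v into two additive shares; each share alone is uniformly random."""
    r = randbelow(MOD)
    return r, (v - r) % MOD


def reconstruct(a, b):
    return (a + b) % MOD


def local_dot(share_vec, public_vec):
    """A party's share of <w, x> for public x: purely local, no communication."""
    return sum(s * xi for s, xi in zip(share_vec, public_vec)) % MOD


def inner_product_2pc(weights, x, fault=None):
    """Secret-shared weights, public input; optional fault = (party, index, bit).

    Returns the reconstructed inner product as a real number.  The product of
    two FRAC-bit fixed-point values carries 2*FRAC fractional bits, so the
    result is rescaled once at the end.
    """
    w_ring = [to_ring(w) for w in weights]
    x_ring = [to_ring(xi) for xi in x]
    # p[0] and p[1] are the share vectors held by party 0 and party 1.
    p = [list(t) for t in zip(*(share(w) for w in w_ring))]
    if fault is not None:
        party, index, bit = fault
        p[party][index] ^= 1 << bit        # single bit flip in one party's memory
    y = reconstruct(local_dot(p[0], x_ring), local_dot(p[1], x_ring))
    return to_signed(y) / (1 << (2 * FRAC))


def fault_effect(x, index, bit):
    """Magnitude of the output error caused by flipping `bit` of either share of
    w[index]: by linearity it is exactly 2^(bit-FRAC) * x[index], whichever
    party is hit and whatever random value the share had."""
    return 2 ** (bit - FRAC) * x[index]


if __name__ == "__main__":
    W, X = [0.5, -0.25, 1.0], [2.0, 4.0, 0.5]        # constructed toy layer
    clean = inner_product_2pc(W, X)
    faulty = inner_product_2pc(W, X, fault=(0, 1, FRAC + 2))
    print(clean, faulty, fault_effect(X, 1, FRAC + 2))
```

The sign of the error depends on whether the flipped bit of the (random) share was 0 or 1, but its magnitude does not, so an attacker who can fault one party and observe the reconstructed output learns the public input scaling and can steer the result; a masked or redundant computation, not the secret sharing itself, is what has to catch this.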

Requirements/Prerequisites:

This tutorial is suitable for graduate students, academic researchers, industry practitioners, and government researchers working in hardware security, applied cryptography, and physical attacks. It should be most appealing to researchers working on implementation security and privacy-preserving technologies, but the general CHES community should also find it of interest. We will provide motivation and background in privacy-preserving techniques for newcomers to the topic; for the more experienced, the tutorial summarizes the current state-of-the-art attacks and countermeasures, the remaining challenges, and promising new initiatives. Based on prior experience, we expect this tutorial to attract at least 50 participants.

SLOTHY: Using Constraint-Solving for Superoptimization of Cryptographic Assembly

Time:

TBA, Sunday, September 14, 2025

Location:

TBA

Speaker:
  • Amin Abdulrahman, Max Planck Institute for Security and Privacy, Germany
  • Matthias J. Kannwischer, Chelpis Quantum Corp., Taiwan
Abstract:

In the development of high-performance cryptographic software, handwritten assembly is often used to achieve the highest performance. Optimizing assembly by hand, however, is time-consuming and error-prone, and it degrades the maintainability of the code. To address this, the tool SLOTHY (presented at CHES 2024 [1]) turns a clean and readable assembly implementation into microarchitecture-specific, high-performance code. To do so, it considers instruction scheduling, register allocation, and software pipelining simultaneously by constructing and solving a constraint-programming problem that reflects the properties of the target. It is even capable of aiding the migration of full cryptographic libraries between microarchitectures [2].
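The scheduling part of that problem, reduced to a toy so the objective is visible: the Python below is an added illustration written for this page, not SLOTHY's own code. It models a hypothetical dual-issue, in-order core (the instruction sequence and latencies are made up, not Cortex-A55 timings), simulates how many cycles an instruction order takes once operand stalls are counted, and searches all dependency-respecting orders for the fastest one. SLOTHY encodes the same constraints, plus register renaming and software pipelining, for a constraint solver instead of brute force.

```python
# Each entry: (assembly text, registers written, registers read, latency).
# Constructed for illustration; not taken from any ML-KEM, ML-DSA or Keccak code.
PROGRAM = [
    ("ldr q0, [x0]",             {"v0"}, {"x0"},       3),
    ("ldr q1, [x1]",             {"v1"}, {"x1"},       3),
    ("mul v2.8h, v0.8h, v4.8h",  {"v2"}, {"v0", "v4"}, 4),
    ("add v3.8h, v2.8h, v1.8h",  {"v3"}, {"v2", "v1"}, 2),
    ("str q3, [x2]",             set(),  {"v3", "x2"}, 1),
    ("ldr q5, [x3]",             {"v5"}, {"x3"},       3),
    ("mul v6.8h, v5.8h, v4.8h",  {"v6"}, {"v5", "v4"}, 4),
    ("str q6, [x4]",             set(),  {"v6", "x4"}, 1),
]


def build_deps(program):
    """preds[j] = indices that must issue before j (RAW, WAR and WAW hazards)."""
    preds = [set() for _ in program]
    for j, (_, wj, rj, _) in enumerate(program):
        for i in range(j):
            _, wi, ri, _ = program[i]
            if wi & rj or wj & ri or wi & wj:
                preds[j].add(i)
    return preds


def simulate(program, order, width=2):
    """Issue `order` on an in-order core that issues `width` instructions/cycle.

    Returns the cycle in which the last result becomes available.  An
    instruction whose source operand is not yet ready stalls the pipeline;
    hiding those stalls by reordering is the scheduler's whole job.
    """
    ready = {}                      # register -> cycle its value is available
    cycle, slots, done = 0, 0, 0
    for idx in order:
        _, writes, reads, latency = program[idx]
        earliest = max([ready.get(r, 0) for r in reads], default=0)
        if earliest > cycle:        # operand stall
            cycle, slots = earliest, 0
        elif slots == width:        # issue slots of this cycle are used up
            cycle, slots = cycle + 1, 0
        slots += 1
        for r in writes:
            ready[r] = cycle + latency
        done = max(done, cycle + latency)
    return done


def optimize(program, width=2):
    """Branch-and-bound over all dependency-respecting orders.

    Returns (completion cycle, order).  Fine for a handful of instructions,
    hopeless for a real NTT layer, which is why a constraint solver is used.
    """
    preds = build_deps(program)
    n = len(program)
    best = [simulate(program, list(range(n)), width), list(range(n))]

    def extend(order, placed):
        # A partial schedule's completion time can only grow as instructions
        # are appended, so it is a valid lower bound for pruning.
        if order and simulate(program, order, width) >= best[0]:
            return
        if len(order) == n:
            best[0], best[1] = simulate(program, order, width), list(order)
            return
        for j in range(n):
            if j not in placed and preds[j] <= placed:
                order.append(j)
                placed.add(j)
                extend(order, placed)
                order.pop()
                placed.discard(j)

    extend([], set())
    return best[0], best[1]


if __name__ == "__main__":
    print("as written:", simulate(PROGRAM, list(range(len(PROGRAM)))), "cycles")
    cost, order = optimize(PROGRAM)
    print("optimized: ", cost, "cycles")
    for idx in order:
        print("   ", PROGRAM[idx][0])
```

As written, the sequence stalls on every load and multiply and finishes in cycle 17; the best order found interleaves the second load chain into the first chain's latency bubbles and finishes in cycle 10, which is the length of the critical path ldr, mul, add, str. Note the two things the toy deliberately omits and SLOTHY does not: it never renames registers, so WAR/WAW hazards are treated as hard ordering constraints, and it schedules one straight-line block rather than pipelining across loop iterations.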

After this tutorial, participants should (1) be familiar with the workflow of using SLOTHY, (2) be able to extend and apply the tool to their own workloads, and (3) have a mental model of its operation. To that end, we will give a technical introduction followed by a hands-on session in which participants work through examples from post-quantum cryptography, using important subroutines of the NIST-standardized ML-KEM and ML-DSA, as well as the increasingly relevant Keccak permutation.

As a representative example, we target the Arm Cortex-A55, a popular efficiency core in many mobile devices such as smartphones and tablets and an interesting optimization target because of its Neon SIMD unit. In the case of the Keccak permutation in particular, starting from a hybrid SIMD/scalar implementation lets us demonstrate the convenience and utility of SLOTHY, since the difficulty of optimizing such code by hand is easy to appreciate.

We will provide instructions for running the optimized code in QEMU and for estimating its performance on the aforementioned processor with llvm-mca from the LLVM toolchain. Setup instructions, including a Dockerfile for frictionless installation, will be provided to participants in advance.

  1. Amin Abdulrahman, Hanno Becker, Matthias J. Kannwischer, and Fabien Klein. “Fast and Clean: Auditable high-performance assembly via constraint solving”. In: IACR Transactions on Cryptographic Hardware and Embedded Systems 2024.1 (Dec. 2023), pp. 87–132.
    URL: https://tches.iacr.org/index.php/TCHES/article/view/11241.
  2. Amin Abdulrahman, Matthias J. Kannwischer, and Thing-Han Lim. “Enabling Microarchitectural Agility: Taking ML-KEM & ML-DSA from Cortex-M4 to M7 with SLOTHY”. In: Proceedings of the 20th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2025, Hanoi, August 25–29, 2025. Accepted with minor revision. ACM, 2025.
    URL: https://eprint.iacr.org/2025/366.
Requirements/Prerequisites:

Researchers and practitioners from the domains of cryptographic engineering, low-level software development, or quality assurance.

Leaky ML: Physical Attacks on EdgeML Devices

Time:

TBA, Sunday, September 14, 2025

Location:

TBA

Speaker:
  • Stjepan Picek, Radboud University, Netherlands
  • Shivam Bhasin, Nanyang Technological University, Singapore
Abstract:

Edge-based Machine Learning (EdgeML) represents a transformative convergence of edge computing — enabled by Internet of Things (IoT) devices — and machine learning (ML) or deep learning (DL). This integration fuels a wide array of intelligent applications, including healthcare monitoring, virtual assistants, autonomous vehicles, precision agriculture, and smart manufacturing. A major advantage of EdgeML lies in its improved security and privacy: by processing data locally, it avoids sending raw information to centralized cloud servers. However, this proximity to users and physical accessibility also makes edge devices particularly vulnerable to a distinct class of threats — physical attacks on deployed ML/DL models.

This tutorial explores the evolving landscape of security threats unique to EdgeML, with a particular focus on physical attack vectors. We begin with a broad overview of security and privacy challenges in machine learning, including adversarial attacks, data poisoning, backdoor attacks, and membership inference. This context sets the stage for a deeper dive into three increasingly relevant physical attack techniques: side-channel attacks, cold boot attacks, and fault injection attacks.

First, we examine side-channel attacks, which leverage unintentional information leakage — such as timing discrepancies, power fluctuations, and electromagnetic emissions — to infer sensitive properties of ML models. These models are often proprietary and may encode confidential training data. We demonstrate how attackers can reverse-engineer model architectures, hyperparameters, and weights using side-channel signals. Such attacks have been validated on microcontrollers, FPGAs, GPUs, and commercial ML accelerators. This part of the tutorial will cover real-world case studies, assess attack practicality, and identify the parameters most at risk. We also discuss existing countermeasures and highlight open research challenges in defending ML models against side-channel threats.

Next, we turn to cold boot attacks, which exploit data remnants left in memory after a system reboot or power cycle. These attacks are especially concerning for AI accelerators like the Intel Neural Compute Stick 2 (NCS2), which are increasingly used in edge applications. Despite support for model encryption, we show how an attacker can retrieve model weights and architecture with high accuracy by performing cold boot attacks on an NCS2 connected to a Raspberry Pi — using only inexpensive equipment. This section illustrates the limitations of software-only defenses and emphasizes the importance of hardware-aware security design.

Finally, we explore fault injection attacks, where adversaries deliberately induce errors in a model’s execution via voltage glitches, clock manipulations, or laser-based disturbances. These faults can lead to untargeted misclassifications, targeted outputs, or even full model extraction. While neural networks often show resilience to minor disturbances, our studies indicate that corrupting even a single bit in a large model can significantly degrade accuracy. We also discuss both local and remote variants of these attacks and explore how fault injection can act as a precursor to broader compromises, including model stealing.
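Why one bit can matter so much: the example below is an added illustration for this page, not code or data from the tutorial. It takes a constructed two-class linear classifier whose weights are stored as IEEE-754 float32 (as they would be on a microcontroller), flips each of the 32 bits of one weight in turn, and reports which single flips change the predicted class. Every value in it (weights, input) is made up for the demonstration; the point it makes, that flips in the exponent field and the sign bit dominate, is a property of the float32 encoding itself.

```python
import math
import struct

# Constructed two-class linear classifier over three inputs; not a real model.
WEIGHTS = [
    [0.8, -0.5, 0.3],     # class 0
    [-0.1, 0.5, 0.7],     # class 1
]
SAMPLE = [1.0, 0.4, 0.0]  # constructed input; class 0 wins with margin 0.5


def flip_bit(value, bit):
    """Return `value` re-encoded as IEEE-754 float32 with bit `bit` inverted
    (bit 0 = mantissa LSB, bits 23-30 = exponent, bit 31 = sign)."""
    (word,) = struct.unpack("<I", struct.pack("<f", value))
    (out,) = struct.unpack("<f", struct.pack("<I", word ^ (1 << bit)))
    return out


def scores(weights, x):
    return [sum(w * xi for w, xi in zip(row, x)) for row in weights]


def predict(weights, x):
    """Index of the highest score, or None if a fault produced inf/NaN."""
    s = scores(weights, x)
    if not all(math.isfinite(v) for v in s):
        return None
    return max(range(len(s)), key=s.__getitem__)


def fault_sensitivity(weights, x, cls, idx):
    """Flip every bit of weights[cls][idx] in turn; return the bit positions
    whose single flip changes (or destroys) the prediction for x."""
    base = predict(weights, x)
    damaging = set()
    for bit in range(32):
        faulted = [row[:] for row in weights]
        faulted[cls][idx] = flip_bit(faulted[cls][idx], bit)
        if predict(faulted, x) != base:
            damaging.add(bit)
    return damaging


def worst_weight(weights, x):
    """Rank every weight by how many of its single-bit flips change the
    prediction: the parameters an attacker (or a defender) should look at first."""
    ranking = []
    for c, row in enumerate(weights):
        for i in range(len(row)):
            ranking.append((len(fault_sensitivity(weights, x, c, i)), c, i))
    return sorted(ranking, reverse=True)


if __name__ == "__main__":
    print("damaging bits of w[0][0]:", sorted(fault_sensitivity(WEIGHTS, SAMPLE, 0, 0)))
    print("weights ranked by sensitivity:", worst_weight(WEIGHTS, SAMPLE))
```

For the weight 0.8 (encoded 0x3F4CCCCD), the sign bit and six of the eight exponent bits flip the decision, because clearing an exponent bit scales the weight by 2^-4, 2^-8, 2^-32 and so on, while no mantissa flip moves it by more than a quarter. Flipping the top exponent bit (bit 30) pushes the weight to roughly 2^127 without overflowing float32, so that flip is also classed as harmless here, yet in a real network it saturates every downstream activation; a practitioner therefore checks score magnitudes, not only the argmax. The same scan over a stored model, with the target's actual input distribution, is how the tutorial's "parameters most at risk" question is answered in practice.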

Throughout the tutorial, we will not only analyze these attacks in depth but also present practical mitigation strategies from a training and deployment perspective, especially in scenarios where hardware modification is impractical. Our goal is to equip researchers and practitioners with the knowledge needed to secure EdgeML deployments against emerging physical threats, and to inspire future work in building more robust and trustworthy AI systems at the edge.

Requirements/Prerequisites:

We anticipate an audience of researchers and practitioners from academia, industry, and government with interests in hardware security, embedded systems, machine learning security, and privacy, looking to understand the practical security challenges in EdgeML.

A Comprehensive Guide to Automotive Security — Architectures, Technologies, Regulations

Time:

TBA, Sunday, September 14, 2025

Location:

TBA

Speaker:
  • Tobias Oder, Alter Solutions Deutschland GmbH, Germany
Abstract:

This tutorial introduces participants to the specific challenges engineers in the automotive industry face when tasked with securing vehicles or vehicle components (ECUs). It covers the basics of the architectural design of modern vehicles, including vehicle topology and the platforms used within the vehicle. It then discusses the specific threats in automotive security and the state-of-the-art technology stack used to protect vehicles against them. Since many cybersecurity activities are driven by regulatory requirements, the tutorial also includes an overview of the most important ones, UNECE R 155 and ISO/SAE 21434.

Architectures

This segment will explore various ECU architectures, highlighting their roles, interactions, and security implications within modern vehicles.

In-Vehicle Networks

This section will address the security of in-vehicle networks such as CAN, LIN, and FlexRay. Participants will learn about techniques to prevent unauthorized access and data manipulation, ensuring the integrity and reliability of in-vehicle communications.

Vehicle Interfaces and Communication Protocols

This topic will examine the security considerations for vehicle interfaces and communication protocols, including V2G (Vehicle-to-Grid) communications, ensuring the integrity and confidentiality of data exchanged between vehicles and infrastructure.

Relevant Threats

This segment will discuss common threats faced by connected and autonomous vehicles, such as remote hacking, data breaches, and unauthorized access, providing a comprehensive understanding of the security landscape.

Typical Security Controls

This part will be a deep dive into typical security controls for vehicles, such as:

  • Secure Debug
  • Secure Update
  • Secure Diagnosis
  • Secure Onboard Communication
  • Secure Boot
  • Domain Separation
  • The use of Hardware Security Modules
Regulations

This section will cover the regulatory landscape governing automotive security, focusing on key regulations and standards such as UNECE R 155 and ISO/SAE 21434. Participants will understand the implications of these regulations for manufacturers, suppliers, and other stakeholders in the automotive ecosystem.

Future Challenges

Finally, we will give an outlook on which topics will become more relevant in the coming years:

  • Crypto Agility
  • Autonomous Vehicles
  • AI in Vehicles
Requirements/Prerequisites:

This tutorial is aimed at the following audience:

  • Researchers with a focus on applied cryptography, cryptographic protocols, security architectures, or embedded system hardening
  • Researchers who want to get a better understanding of real-world challenges
  • Engineers and decision makers from the automotive industry
  • Engineers and decision makers from supplier industries (semiconductor industry, for instance)
  • Engineers and decision makers from industries facing similar challenges (medical devices, rail, aviation, etc.)