Internet of Things

Securing the Internet of Things in a

Quantum World
Chi Cheng, Rongxing Lu, Albrecht Petzoldt, and Tsuyoshi Takagi

Currently, we rely on Abstract standard. To achieve the aforementioned secu-

cryptographic algorithms rity goals for the IoT, these protocols use cryp-
such as elliptic curve cryp- Currently, we rely on cryptographic algorithms tographic primitives such as the Advanced
tosystems (ECCs) as basic such as elliptic curve cryptosystems (ECCs) as Encryption Standard (AES) for confidentiality and
building blocks to secure basic building blocks to secure the communi- integrity, and elliptic curve cryptosystems (ECCs),
cation in the IoT. However, public key schemes which include the Elliptic Curve Digital Signature
the communication in the like ECC can easily be broken by the upcoming Algorithm (ECDSA) for integrity and authentica-
Internet of Things. How- quantum computers. Due to recent advances in tion and the Elliptic Curve Diffie-Hellman (ECDH)
ever, public key schemes quantum computing, we should act now to pre- algorithm for exchanging keys used in AES [2].
like ECC can be easily pare the IoT for the quantum world. In this arti- However, recent advances in quantum com-
broken by the upcoming cle, we focus on the current state of the art and puting threaten the security of the current IoT
recent developments in the area of quantum-re- using these cryptographic schemes. Just as the
quantum computers. Due sistant cryptosystems for securing the IoT. We first security of Rivest, Shamir, and Adleman (RSA)
to recent advances in demonstrate the impacts of quantum comput- and Diffie-Hellman (DH) key exchange schemes
quantum computing, we ers on the security of the cryptographic schemes are based on the difficulty of solving some num-
should act now to make used today, and then give an overview of the rec- ber-theoretic problems such as integer factoriza-
the IoT be prepared for ommendations for cryptographic schemes that tion and discrete logarithms, the security of the
can be secure under the attacks of both classical ECC is based on the difficulty of solving the ellip-
the quantum world. and quantum computers. After that, we present tic curve discrete logarithm problem. As early as
the existing implementations of quantum-resistant 1994, mathematician Peter Shor of Bell Labora-
cryptographic schemes on constrained devices tories showed that quantum computers can solve
suitable for the IoT. Finally, we give an introduc- the integer factorization problem and the (elliptic
tion to ongoing projects for quantum-resistant curve) discrete logarithm problems in an efficient
schemes that will help develop future security way, sparking great research interest in quantum
solutions for the IoT. computing. Since then, quantum algorithms like
Grover’s search algorithm have been proposed,
Introduction which provide significant speedup for many prob-
The past decade has witnessed the steady devel- lems. Other examples include the quantum algo-
opment of the Internet of Things (IoT). As illustrat- rithms using the quantum Fourier transform, the
ed in Fig. 1, Gartner has estimated that by 2016 quantum walk for solving searching problems,
there will be 6.4 billion connected devices in use, and adiabatic quantum computing for optimi-
and this number is further expected to hit 20.8 zation problems. Besides that, much research
billion by 2020. The world population is believed is performed on how to design and build more
to reach 7.6 billion by 2020, which means that on powerful quantum computers with less resources
average each person in the world will have near- to implement these algorithms [3].
ly 3 connected devices. Since these connected It is still unclear when large-scale quantum
things, such as implantable medical devices and computers will come into existence, but more and
vehicles, play vital roles in our daily lives, strong more scientists believe that we only need to over-
security requirements for the IoT have become come significant engineering obstacles. Based on
a must. recent advances in quantum computing, some
Generally, the main security goals for the IoT scientists even claim that within 20 years our cur-
are confidentiality, integrity, and authentication rently used public key infrastructures will become
[1]. Confidentiality guarantees that sensitive infor- insecure because of the availability of large-scale
mation cannot be leaked to unauthorized entities, quantum computers [4].
while integrity prevents information from being Even though there are quantum secure
modified en route, and authentication ensures replacements for the cryptographic standards in
that the communicating entities are indeed those use today, it will take a long time for the transition
they declare to be. As shown in Fig. 2, important from currently used IoT systems to their quan-
communication protocols for the IoT include the tum-resistant counterparts. Regarding the fact that
IEEE 802.15.4 standard, the Constrained Applica- we are at the very beginning of the standardiza-
tion Protocol (CoAP), and the IPv6 over Low-pow- tion process for quantum resistant algorithms, and
er Wireless Personal Area Networks (6LoWPAN) research on their application in the IoT is limited,

Digital Object Identifier: Chi Cheng is with China University of Geosciences (Wuhan) and Kyushu University; Rongxing Lu is with the University of New Brunswick;
10.1109/MCOM.2017.1600522CM Albrecht Petzoldt and Tsuyoshi Takagi are with Kyushu University.

116 0163-6804/17/$25.00 © 2017 IEEE IEEE Communications Magazine • February 2017

uthorized licensed use limited to: MKSSS CUMMINS COLLEGE OF ENGINEERING FOR WOMEN. Downloaded on December 07,2023 at 21:59:34 UTC from IEEE Xplore. Restrictions apply.
 it is urgent to make significant efforts in securing
IoT systems against possible attacks by quantum 22 3.00
Connected devices
computers. Therefore, no matter whether we can
Connected devices per person
predict the exact arrival time of large-scale quan-

Connected devices per person

Connected devices (billion)
tum computers, we should act now to prepare 17 2.25
IoT systems for the quantum world.
In this article, we focus on the current state of
the art and recent developments in the area of 11 1.50
quantum-resistant cryptosystems for securing the
IoT. The structure of this article is as follows. In
the next section we demonstrate the impacts of 6 0.75
large-scale quantum computers on the security of
the cryptographic schemes used today, and then
give an overview of the recommendations for 0 0.00
cryptographic schemes that can be secure under 2014 2015 2016 2020
attacks of both classical and quantum computers.
After that, we consider the implementations of Figure 1. Number of connected devices in the IoT.
quantum-resistant cryptographic schemes on con-
strained devices for the IoT. We give an introduc-
tion to ongoing projects and developments for
post quantum cryptography that will help develop Goals Confidentiality Integrity Authentication
the future security solutions for the IoT, and con-
clude this article.

Impact of Quantum Computers on

Current Cryptographic Algorithms
The existing cryptosystems used for securing the Communication IEEE
6LoWPAN COAP
IoT can be divided into two groups: symmetric protocols 802.15.4
and asymmetric (or public key) cryptosystems.
In a symmetric cryptosystem two parties share a
common secret key, which is then used to encrypt
and decrypt messages. On the other hand, an
asymmetric cryptosystem makes use of two keys:
a private key and a public key. Everybody can use
Cryptographic
the public key to encrypt messages, but only the AES ECDH ECDSA
primitives
owner of the private key can decrypt the cipher-
texts. In the context of signature schemes, the
private key is used to generate a signature for a Figure 2. Current cryptographic primitives for securing communication in the
document, while everyone can use the public key IoT.
to check the validity of the signature.
Currently, the most well-known example of a
symmetric cipher is the AES, which was selected further divided into SHA-256, SHA-384, and SHA-
and standardized in 2001 by the National Institute 512. According to NIST’s recommendation, we
of Standards and Technology (NIST) via a public also need to enlarge the output of hash functions
competition. AES allows messages to be encrypt- to prevent attacks using Grover’s algorithm.
ed with secret keys of length 128, 196, and 256 The impact of quantum attacks on the exist-
bits, which are denoted as AES-128, AES-196, and ing public key encryption and digital signature
AES-256, respectively. Among them, AES-128 is schemes is even more dramatic. The currently
the most widely deployed in securing the IoT. To used cryptographic schemes for these purpos-
date, the best known attack against AES is a brute es include RSA, the Digital Signature Algorithm
force search covering all possible keys. Since Gro- (DSA), DH key exchange, and ECC, whose secu-
ver’s algorithm speeds up this process dramatical- rity is based on the hardness of certain number
ly using quantum computers, the key size of AES theoretic problems such as integer factorization
needs to be doubled. That is, in order to achieve and solving (elliptic curve) discrete logarithms.
a security level of 128 bits against attacks with However, Shor’s algorithm can solve these prob-
quantum computers, we need an AES key size of lems very efficiently on a quantum computer,
256 bits. which makes all these classical schemes insecure
For a public key environment, hash func- as soon as large quantum computers arrive.
tions, public key encryption schemes, signature To summarize, quantum computers have a
schemes, and key exchange protocols are the great impact on the security of all cryptograph-
basic building blocks. A hash function is a map ic schemes used today. While for symmetric
that transforms data of arbitrary length to a hash schemes and hash functions, it is relatively easy to
value of small fixed length. Hereby, it should be prevent quantum attacks (increase key and output
difficult to find two different messages that map to sizes respectively), public key schemes like RSA
the same hash value (collision resistance). Today, and ECC are completely broken (Table 1).
the most widely used hash functions are SHA-2 Therefore, we need to develop new schemes
and SHA-3, which are members of the Secure for public key encryption and signatures whose
Hash Algorithm (SHA) family selected by NIST. security is based on mathematical problems not
Depending on the output length, SHA-2 can be affected by attacks using quantum computers. In

IEEE Communications Magazine • February 2017 117

uthorized licensed use limited to: MKSSS CUMMINS COLLEGE OF ENGINEERING FOR WOMEN. Downloaded on December 07,2023 at 21:59:34 UTC from IEEE Xplore. Restrictions apply.
 Algorithms Purpose Impact nature schemes is the need to record informa-
tion about previously signed messages, which is
AES Symmetric encryption Double the key size called “state.” This can lead to problems when
signatures are generated on several devices since
SHA-2, SHA-3 Hash functions Enlarge the output these devices have to be synchronized after each
signature generation. To avoid this, a stateless
Public key encryption hash-based signature scheme called SPHINCS
RSA, ECC Insecure
and signature has been proposed, which can be described as a
multi-tree version of XMSS [8].
DH, ECDH Key exchange Insecure
The European research group PQCRYPTO
Table 1. Impact of large-scale quantum computers. has given initial recommendations with specific
parameters for quantum-resistant schemes, and
we summarize their results in Table 2.
Purpose Type Candidate algorithms The security of multivariate polynomial-based
cryptosystems is based on the difficulty of solv-
Symmetric encryption Symmetric ciphers AES-256, Salsa20 ing a system of multivariate quadratic (degree 2)
equations over a finite field, which is proved to
Code-based McEliece with binary Goppa be an NP-hard problem. Depending on the field
Public key encryption
Lattice-based NTRUEncrypt
size used in the system, the multivariate polynomi-
al-based schemes can be divided into small field
Hash-based XMSS, SPHINCS-256 ones, which include signature schemes such as
Unbalanced Oil and Vinegar (UOV), Rainbow,
Public-key signature Multivariate-based Rainbow, TTS, HFEv- and TTS, and big field ones such as Hidden Field
Equations (HFE) [6]. As a variant of HFE, the
Lattice-based GPV, GLP, BLISS HFEv- scheme is very useful due to its efficien-
Table 2. Initial recommendations for quantum-resistant algorithms. cy and ability to produce the shortest signatures
among all existing multivariate polynomial-based
schemes.
the next section we give an overview of the exist- Previously, lattices were regarded as an import-
ing candidates for this purpose. ant tool in breaking cryptographic schemes.
However, starting with Ajtai’s pioneering work
Initial Recommendations for on using lattices to construct cryptographic sys-
tems, numerous works have been done in this
Quantum-Resistant Algorithms area [9]. In 1998, Hoffstein, Pipher, and Silverman
To address the challenges in securing the IoT in proposed NTRUEncrypt (also known as NTRU),
the quantum world, we first need to know which a lattice-based public key encryption algorithm
kind of cryptographic primitives can be secure that has attracted a lot of attention due to its effi-
under the attacks of both classical and large- ciency and compact keys. Currently, the security
scale quantum computers. According to NIST of lattice-based cryptosystems mainly depends
[4], widely accepted quantum-resistant public on the hardness of two problems: the short inte-
key cryptosystems include hash-based signatures, ger solution (SIS) problem and the learning with
code-based cryptosystems, multivariate polyno- errors (LWE) problem, as well as their correspond-
mial-based cryptosystems, and lattice-based cryp- ing variants over rings, the ring-SIS problem and
tosystems. The other recommendations given in the ring-LWE problem. The advantage of cryp-
[4] are based on the difficulty of the isogenies tosystems based on the ring-SIS problem and
problem over supersingular elliptic curves and the ring-LWE problem is that they are more efficient
conjugacy search problem in braid groups. and significantly reduce the key size compared
The first code-based cryptosystem was pro- to schemes based on the non-ring versions of the
posed by McEliece in 1978 and is a public key corresponding problems. Stele and and Steinfeld
encryption scheme based on an error correcting have proposed a variant of NTRUEncrypt, which
code called Goppa code. The basic idea of the can be proven to be secure under the ring-LWE
McEliece scheme can be described as follows: A assumption. Another hot topic in lattice-based
message is encrypted into a codeword with some cryptography is the design of lattice-based sig-
added errors, and only the private key holder nature schemes, which include schemes based
can remove the errors and recover the original on preimage sampleable functions such as GPV,
message. After nearly four decades, the McEliece schemes based on the decisional ring-LWE prob-
scheme has withstood all proposed attacks [5, 6]. lem such as GLP, and schemes based on the ring-
In particular, there is no quantum attack known SIS problem such as BLISS.
that breaks the McEliece cryptosystem.
The construction of hash-based signatures Quantum-Resistant
employs only hash functions, and therefore min-
imizes the security requirements for building Cryptographic Schemes on
digital signature schemes. The first hash-based Constrained Devices and Networks
signature scheme was proposed by Merkle, who
used a binary hash tree to construct the signa- The IoT cannot become reality without the help
tures. The Extended Merkle Signature Scheme of various kinds of constrained devices, which
(XMSS) is an improved version of Merkle’s sig- not only help us collect and gather information
nature scheme, which reduces the signature size from nature, our households, and factories, but
and requires weaker security assumptions [7]. also process and even act on this information. As
A common requirement of the hash-based sig- defined in [10], constrained devices refer to small

118 IEEE Communications Magazine • February 2017

uthorized licensed use limited to: MKSSS CUMMINS COLLEGE OF ENGINEERING FOR WOMEN. Downloaded on December 07,2023 at 21:59:34 UTC from IEEE Xplore. Restrictions apply.
 devices with limited resources in CPU, memory, Key size Key size Signature Time sign @32 MHz
and power. These limited resources bring spe- Schemes
private (kB) public (kB) size (bit) (ms) verify
cial challenges for the cryptographic schemes
used to secure constrained devices in the IoT. BLISS 2 7 7,680 329 88
Since some of these devices may be used for
decades, we should make them secure against enTTS 12.7 229.5 704 66.9 962.2
long-term attacks. ECC with appropriate param-
eters is regarded as a solution to this problem. Rainbow 95.4 132.7 632 257.1 288.0
However, devices using ECC become insecure as Table 3. Performance and parameters of BLISS, Rainbow, and enTTS (128-bit
soon as quantum computers appear. Therefore, security).
the design and implementation of quantum-resis-
tant cryptographic algorithms for constrained IoT
devices are of vital importance. CoAP. Furthermore, in [15] only the key exchange
Lattice-based and multivariate polynomi- scheme is quantum resistant. Therefore, another
al-based algorithms have shown their efficiency interesting problem is the performance of both
in providing quantum-resistant security for con- TLS and DTLS if all the components are replaced
strained devices. In [11] the signature scheme by the aforementioned quantum-resistant cryp-
BLISS is implemented on a 32-bit ARM Cor- tographic schemes.
tex-M4F microcontroller with 1024 kB flash
memory, taking 35.3 ms for signing and 6 ms for Ongoing Projects and Developments
verification to achieve 128-bit security. In [12], the We summarize ongoing projects and develop-
implementations of a ring-LWE-based encryption ments that will help develop the future secu-
scheme, RLWEenc, and BLISS are conducted on rity solutions for the IoT. The research on
an Atmel ATxmega128A1 microcontroller, which quantum-resistant cryptography, which is known
is equipped with an 8-bit CPU running at 32 MHz as “post-quantum cryptography,” is active, and
and a 128-kB flash memory. Specifically, in order has attracted much attention from government,
to achieve security levels higher than 156 bits, it industry, and academia. Two recent announce-
takes 68 ms for Ring-LWE encryption and 18.8 ms ments by the U.S. National Security Agency (NSA)
for decryption. For 128-bit security, BLISS needs and NIST have indicated the increasing necessity
329 ms for signing and 88 ms for verification. for transitions to quantum-resistant schemes [4].
For multivariate polynomial-based crypto- In August 2015, NSA declared its plan to turn to
systems, in [13] implementations of enhanced quantum-resistant algorithms on its website. Just
TTS (enTTS) and Rainbow are also done on an recently, at PQCrypto 2016, a leading conference
8-bit Atmel ATxmega128A1 microcontroller. It is for post-quantum cryptography held in February
shown that the enTTS needs 66.9 ms for signing 2016, NIST announced its plan for a public call
and 962.2 ms for verification, respectively, for a for quantum-resistant schemes, leading the way to
128-bit security level. At the same time, for Rain- new public key standards.
bow it costs 257.1 ms for signing and 288.0 ms The European Commission has also promoted
for verification. Since the two implementations in the research on post-quantum cryptosystems. A
[12, 13] are done on the same 8-bit microcontrol- European research group, PQCRYPTO, has been
ler, we list their results in Table 3, which compares funded by the European Union Horizon 2020
the different implementations regarding key and project, and is conducting research on post-quan-
signature sizes as well as the running times for sig- tum cryptography for small devices, the Inter-
nature generation and verification (for a security net, and the cloud. Another project supported
level of 128 bits). by Horizon 2020 is SAFEcrypto, which focuses
The Transport Layer Security (TLS) protocol on practical and physically secure post-quantum
provides a good solution for Internet security, cryptographic solutions in protecting satellite and
achieving both confidentiality and authentica- public safety communication systems, as well as
tion. Meanwhile, CoAP, which is safeguarded by preserving the privacy of data collected by the
the Datagram Transport Layer Security (DTLS) government.
protocol, has been designed for the IoT, espe- Besides that, a research project called Crypto-
cially for constrained devices. Just as TLS is MathCREST, which is supported by the Japan Sci-
designed to secure applications based on the ence and Technology Agency, aims to study the
Transmission Control Protocol (TCP), DTLS is mathematical problems underlying the security of
based on the User Datagram Protocol (UDP). post-quantum cryptography, and implement cryp-
In [14], the authors have optimized the imple- tosystems based on these problems to evaluate
mentation of DTLS over CoAP for the IoT. Their their performance in the real world.
implementations are based on ECC and con-
ducted on a platform named MagoNode, which Conclusion
features the Atmel Atmega128RFA1 with a 2.4 Recent advances in quantum computing have
GHz low-power transceiver for the IEEE 802.15.4 demonstrated the urgency of developing quan-
standard. tum-resistant algorithms for securing communi-
However, both TLS and DTLS need to be cation in the IoT. In this article, we have shown
updated to resist attacks using quantum com- the impacts of large-scale quantum computers
puters. The work in [15] moved forward toward on the security of the cryptographic schemes
this goal by providing ciphersuites for TLS, in widely used today, followed by an overview of
which the security of the key exchange proto- the recommendations for cryptographic schemes
col is based on the ring-LWE problem. Thus, an that can be secure under the attacks of both
intriguing problem is whether the latticed-based classical and quantum computers. After that, the
key exchange schemes work well for DTLS over recent implementations of quantum-resistant cryp-

IEEE Communications Magazine • February 2017 119

uthorized licensed use limited to: MKSSS CUMMINS COLLEGE OF ENGINEERING FOR WOMEN. Downloaded on December 07,2023 at 21:59:34 UTC from IEEE Xplore. Restrictions apply.
 tographic schemes for constrained devices have [11] T. Oder et al., “Beyond ECDSA and RSA: Lattice-Based
The research on quan- Digital Signatures on Constrained Devices,” 51st Annual
been introduced. Although ongoing projects are ACM Design Automation Conf. 2014, San Francisco, CA,
tum resistant cryptog- taking steps to develop new quantum-resistant June 1–5, 2014.
raphy, which is known security solutions for the IoT, more work is need- [12] T. Pöppelmann, T. Oder, and T. Güneysu, “High-Perfor-
ed to prepare the IoT system for the quantum mance Ideal Lattice-Based Cryptography on ATxmega 8-Bit
as “post-quantum Microcontrollers,” Progress in Cryptology-LATINCRYPT 2015,
world. Springer, 2015, pp. 346–65.
cryptography,” is active [13] P. Czypek et al., “Efficient Implementations of MQPKS on
Acknowledgments Constrained Devices,” Cryptographic Hardware and Embed-
and has attracted much ded Systems 2012, Springer, 2012, pp. 374–89.
The work presented in this article was support-
[14] A. Capossele et al., “Security as a CoAP Resource: An Opti-
attention from govern- ed in part by the National Natural Science Foun- mized DTLS Implementation for the IoT,” 2015 IEEE ICC,
ment, industry, and dation of China under Grant nos. 61301166, 2015, pp. 549–54.
61672029, 61363069, and 61662016, the Fun- [15] J. Bos et al., “Post-Quantum Key Exchange for the TLS Pro-
academia. Two recent damental Research Funds for the Central Univer- tocol from the Ring Learning with Errors Problem,” 2015
IEEE Symp. Security and Privacy, 2015, pp. 553–70.
announcements by the sities, China University of Geosciences (Wuhan)
(Grant Nos. CUGL150831, CUGL150416), and Biographies
U.S. National Security
the JSPS KAKENHI, Grant Nos. 26.04347 and Chi Cheng [M’15] ([email protected]) received his B.S.
Agency and NIST have 15F15350. and M.S. degrees in mathematics from Hubei University in 2003
indicated the increasing and 2006, respectively, and his Ph.D. degree in information
References and communication engineering from Huazhong University of
necessity for transitions [1] S. Sicari et al., “Security, Privacy and Trust in Internet of Science and Technology in 2013. He is currently an associate
Things: The Road Ahead,” Computer Networks, vol. 76, professor in the School of Computer Science, China Univer-
to quantum-resistant 2015, pp. 146–64. sity of Geosciences, Wuhan, China, and a JSPS postdoctoral
[2] J. Granjal, E. Monteiro, and J. Silva, “Security for the Inter- researcher at Kyushu University, Japan. His research interests
schemes. net of Things: A Survey of Existing Protocols and Open include applied cryptography and network security.
Research Issues,” IEEE Commun. Surveys & Tutorials, vol. 17,
no. 3, 2015, pp. 1294–1312. Rongxing Lu ([email protected]) has been an assistant professor at
[3] T. Monz et al., “Realization of a Scalable Shor Algorithm,” the Faculty of Computer Science, University of New Brunswick,
Science, vol. 351, no. 6277, 2016, pp. 1068–70. Canada, since August 2016. Before that, he worked as an assistant
[4] NIST, Report on Post-Quantum Cryptography, NISTIR 8105 professor at the School of Electrical and Electronic Engineering,
DRAFT; http://csrc.nist.gov/publications/drafts/nistir-8105/ Nanyang Technological University, Singapore, from May 2013 to
nistir_8105_draft.pdf, accessed Oct. 4, 2016. August 2016. His research interests include applied cryptography,
[5] A. Daniel et al., “Initial Recommendations of Long-Term privacy enhancing technologies, and IoT-big data security and pri-
Secure Post-Quantum Systems”; http://pqcrypto.eu.org/ vacy. He currently serves as the Secretary of IEEE ComSoc CIS-TC.
docs/initial-recommendations.pdf, accessed Oct. 4, 2016.
[6] J. Buchmann et al., “Post-Quantum Cryptography: State Albrecht Petzoldt ([email protected]) received a
of the Art,” The New Codebreakers, Springer, 2016, pp. Diploma in mathematics from FAU Erlangen-Nürnberg in 2008, and
88–108. a Ph.D. in computer science in 2013 at the Technical University of
[7] J. Buchmann, E. Dahmen, and A. Hülsing, “XMSS-A Practical Darmstadt (TU Darmstadt), Germany. He is currently working as
Forward Secure Signature Scheme Based on Minimal Secu- a Japan Society for the Promotion of Science (JSPS) postdoctoral
rity Assumptions,” Post-Quantum Cryptography, Springer, researcher at Kyushu University. His main research interests are mul-
2011, pp. 117–29. tivariate cryptography and post-quantum digital signature schemes.
[8] D. J. Bernstein et al., “SPHINCS: Practical Stateless Hash-
Based Signatures,” Advances in Cryptology--EUROCRYPT Tsuyoshi Takagi ([email protected]) received his B.Sc.
2015, Springer, 2015, pp. 368–97. and M.Sc. degrees in mathematics from Nagoya University in
[9] C. Peikert, “A Decade of Lattice Cryptography,” Cryptolo- 1993 and 1995, respectively, and his Ph.D. from TU Darmstadt
gy ePrint Archive, Rep. 2015/939, 2015, http://eprint.iacr. in 2001. He is currently a professor in the Institute of Mathe-
org/2015/939.pdf, accessed Oct. 4, 2016, 2016. matics for Industry at Kyushu University. His current research
[10] C. Bormann et al., “Terminology for Constrained-Node interests are information security and cryptography. He has
Networks,” IETF RFC 7228, DOI 10.17487/RFC7228, May received the DOCOMO Mobile Science Award in 2013, IEICE
2014; http://www.rfc-editor.org/info/rfc7228, accessed Achievement Award in 2013, and JSPS Prize in 2014, and is a
Oct. 4, 2016. Program Chair of PQCrypto 2016.

120 IEEE Communications Magazine • February 2017

uthorized licensed use limited to: MKSSS CUMMINS COLLEGE OF ENGINEERING FOR WOMEN. Downloaded on December 07,2023 at 21:59:34 UTC from IEEE Xplore. Restrictions apply.