

Below, you can find some topics which are currently offered by our group as BSc as well as MSc theses. If you are interested, please contact the corresponding staff member. Students who are not yet in contact with one of our staff members and do not feel addressed by the topics listed below also have the possibility to send a general request for a thesis to the contact email address impsec+thesis@rub.de. In this case, please include a short cover letter (a few words about yourself, strengths/weaknesses, motivation,…) as well as your current transcript of records.
List
Analysis of Pre-Processing Techniques on Side-Channel Traces (BSc)
MOTIVATION
Performing a side-channel attack [1] in a lab is usually done under perfect measurement conditions leading to attacks that can be performed comparably easily. Attacking real-world devices usually comes with many pitfalls, e.g. more noise or misalignment of recorded traces that might make an attack unfeasible. Pre-Processing of raw traces can significantly increase the Signal-to-Noise ratio (SNR) and allows an attacker to successfully extract secret information. In addition, some techniques allow to reduce the amount of data, which can be important when using machine-learning approaches.
RESEARCH PROBLEM
There are some publications investigating the effect of specific pre-processing techniques on side-channel traces [2], but there is no information comparing the effect of different methods on a own dataset.
REQUIREMENTS
- Structured way of working
- C/C++ programming
- Basic knowledge in signal transformation
YOUR TASK
In this work you have to create a basic side-channel measurement setup and implement / simulate simple SCA countermeasures (e.g. add noise, misalign traces). Afterwards, you are supposed to implement different pre-processing techniques (e.g. Principal-Component Analysis, Discrete Wavelet Analysis, Filtering, …) and perform key-recovery attacks on those data.
CONTACT
If you are interested in this field of research, please contact Marvin Staib (marvin.staib@rub.de) and include a recent transcript of records.
LITERATURE
[1] P. Kocher und S. Francisco, „Differential Power Analysis“
[2] D. Oswald und C. Paar, „Improving Side-Channel Analysis with Optimal Pre-Processing“
Meet Your Needs: Automated Generation of Masked Circuits Tailored to Your Use Case
MOTIVATION
Following a divide-and-conquer approach, any unprotected hardware circuit can be transformed into a circuit thoroughly protected against side-channel attacks – fully automated. Tools [AGEMA] realizing this automation are powered by a library of composable hardware submodules [HPC2, HPC3, GHPC] – so called gadgets – which realize masked variants of logic gates and sub-circuits. The masking is then essentially performed by replacing components in the unprotected circuit by its masked counterpart. Different gadget realizations introduce different overhead into the design with respect to area, latency, and register stages. Up to now, different gadget realization have been mainly considered separately but no combination has been considered.
RESEARCH PROBLEM
It would be interesting to see if we can integrate an extension into AGEMA which – based on the circuit’s graph structure – finds a balanced design with respect to the use case’s requirements. Requirements given by an engineer could look like:
- There is a maximum latency which we can tolerate. Randomness then should be minimized regardless of the area overhead.
- Find a balanced design with respect to latency, area overhead and randomness requirements.
- The design should be as cheap as possible
REQUIREMENTS
- Structured way of working
- Having fun at creative thinking
- C/C++ programming
- Knowledge of graphs and graph algorithms is a plus
CONTACT
If this sounds interesting to you, please contact David Knichel (David.Knichel@rub.de).
LITERATURE
[AGEMA] https://eprint.iacr.org/2021/569
[HPC2] https://eprint.iacr.org/2022/507
[HPC3] https://eprint.iacr.org/2020/185
[GHPC] https://eprint.iacr.org/2021/247
Energy/Power Consumption of Cryptographic Primitives on a Prototype Chip (BSc)
MOTIVATION
Ever since the introduction of differential power in 1999, the cryptographic hardware community has been looking for countermeasures to protect embedded devices. The benefits as well as difficulties of masking as a countermeasure against side-channel analysis attacks, have been proven through several scientific articles and experimental investigations. Masked implementations can be made efficient towards a cost function like area, latency, or power consumption, and their security can be proven using abstractions such as the probing model.
RESEARCH PROBLEM
Your task is to measure the energy/power consumption of some protected and unprotected cryptographic primitives on a prototype chip. Please have a look at this paper [1].
REQUIREMENTS
- Structured way of working
- C/C++ programming
CONTACT
If you are interested, please contact Aein Rezaei Shahmirzadi (aein.rezaeishahmirzadi@rub.de).
LITERATURE
[1] https://ieeexplore.ieee.org/iel7/9145512/9154905/09154996.pdf
Efficient Side-Channel Secure Designs in Hardware Platforms
MOTIVATION
The rapid deployment of Internet of Things~(IoT) necessitates physical security in addition to analytical security of the underlying cryptographic primitives. This is due to the fact that in IoT scenarios the device is in hand and control of legitimate users who can play the role of an adversary. Among physical attacks, Side-Channel Analysis~(SCA) attacks are considered the most threatening attack vector, as often the device cannot detect if its physical characteristics are being measured, e.g., its power consumption. After the introduction of such attacks in the open literature, the relevant scientific communities have dedicated a considerable body of research to understand its foundations and the development of defeating mechanisms.
Due to their sound theoretical basis, masking countermeasures have absorbed the attention of the researchers at most. Based on secret-sharing schemes, the key-dependent intermediate values of the cipher are randomized by applying a masking countermeasure, usually done at the algorithmic level.
RESEARCH PROBLEM
The implementation of masking in hardware platforms is rather high in terms of area overhead, randomness complexity, and latency. It becomes even more challenging when higher order of security is desired. The goal of this work is to provide an efficient implementation of block ciphers at a lower cost.
REQUIREMENTS
- Structured way of working
- C/C++ programming
- Verilog/VHDL
CONTACT
If you are interested, please contact Aein Rezaei Shahmirzadi (aein.rezaeishahmirzadi@rub.de).
LITERATURE
[1] Re-Consolidating First-Order Masking Schemes – Nullifying Fresh Randomness
[2] Cryptanalysis of Efficient Masked Ciphers: Applications to Low Latency
[3] Second-Order Low-Randomness d+1 Hardware Sharing of the AES
PROLEAD_RP: Automated Hardware Security Evaluation under the Random Probing Model (MSc)
MOTIVATION
PROLEAD [PROLEAD] can fully automatically evaluate the security of a protected circuit against side-channel attacks. For this purpose, PROLEAD relies on the (robust) probing model [rob], which allows a simple security abstraction. Unfortunately, the probing model does not always cover the physical reality. For example, it does not consider all attacks. Therefore, we focus on more advanced leakage models, such as the random probing model [rnd].
RESEARCH PROBLEM
Since PROLEAD does not support the random probing model so far, it is your job to integrate this feature into the existing tool. Efficiency will be the most critical factor here. The aim is to be able to evaluate even larger circuits with this extension.
REQUIREMENTS
- Structured way of working
- Efficient C/C++ programming
- Fun with code optimization
CONTACT
If this sounds interesting to you, please contact Nicolai Müller (nicolai.mueller@rub.de).
LITERATURE
[PROLEAD] Paper: https://eprint.iacr.org/2022/965.pdf, Sourcecode: https://github.com/ChairImpSec/PROLEAD[rob] https://eprint.iacr.org/2017/711.pdf
[rnd] https://eprint.iacr.org/2020/786.pdf
Security Analysis of SCA-secure ECC in software (BSc)
MOTIVATION
In 2023, Batina et al. published an ECC implementation computing the X25519 key-exchange protocol on an Arm Cortex-M4 microcontroller which provides protection against various side-channel and fault attacks [1].
While the authors showed the security of their implementation with physical experiments, i.e. side-channel measurements, there is no formal proof of security and no verification tool was applied during the evaluation.
However, it was shown in various works, e.g. [2], that experimental evaluations cannot guarantee the security of a given design.
RESEARCH PROBLEM
The authors themselves encourage other researchers to evaluate their publicly available implementations to improve security.
Hence, your task is to apply the already developed toolbox for the evaluation of software implementations to prove the security of the given designs.
We will start with evaluating the side-channel resistance of the designs using PROLEAD_SW, a simulation-based tool for the evaluation of masked ARM binaries [2].
REQUIREMENTS
- Basic knowledge in cryptography, in particular ECC
- Basic knowledge in physical attacks and countermeasures
- Basic knowledge in C/C++ programming
- Structured and independent way of working
CONTACT
If this sounds interesting to you, please contact Nicolai Müller (nicolai.mueller@ruhr-uni-bochum.de).
LITERATURE
[1] Paper: https://eprint.iacr.org/2021/1003.pdf, Sourcecode: https://github.com/sca-secure-library-sca25519/sca25519
[2] Paper: https://eprint.iacr.org/2023/034.pdf, Sourcecode: https://github.com/ChairImpSec/PROLEAD
Practical EM Fault Injection on FPGA Implementations Using Commercial Pulse-Injection Equipment (BSc/MSc)
MOTIVATION
Fault injection offers a powerful tool for attacking cryptographic implementations and recovering secrets supposedly safely stored on-device. Here, injection techniques based on electromagnetic pulses penetrating an IC during computation (EM Fault Injection, EMFI) have proven to be both, cost-effective and very efficient.
RESEARCH PROBLEM
There exists only very sparse work on practical fault attacks on FPGAs during actual computation of a cryptographic algorithm. It is hence an interesting question to see if EMFI is a realistic threat in this scenario. Your task would be to utilize commercial equipment for EM-Pulse Injection (which we already have at our group) and perform practical EMFI attacks on different cipher implementations loaded onto an FPGA. If you are successful, there might be an opportunity to publish your work at a renowned security conference.
REQUIREMENTS
- Reliable and well organized.
- Fun at (though you definitely don’t need to be an expert in) hardware hacking like soldering, working with electronic components, understanding electronic circuits.
- Algorithmic programming (No one expects you to be a professional SW-Engineer, but you need to be able to realize functionality).
- Motivation to spend some time in our lab.
CONTACT
If this sounds like fun to you, please contact David Knichel (david.knichel@rub.de).
The impact of aging on the static power analysis attack (MSc)
MOTIVATION
The impact of aging on the security of cryptographic devices has already been investigated [1-3]. Although there are some countermeasures against it [4], this field still needs more investigation.
The authors of [2] have shown that aging can reduce the amount of static leakage in single-rail circuits, and at the end of that paper, they presume that the current balancing techniques are not the proper ones against aging.
RESEARCH PROBLEM
The defined task in this work is investigating the effect of aging on the static side channel leakage through the transistor level simulations (e.g., Hspice simulation) of some well-known countermeasures such as WDDL, iMDPL, etc. Based on the simulation results, while aging is inevitable, it is worthwhile to find a way to mitigate the effect of aging.
REQUIREMENTS
Electronic design knowledge (transistor level) to design new logical cells, structured working method, Familiarity with coding tools to analyze the result (i.e C/C++/C# programming, MATLAB), simulation tools (i.e Hspice, pspice, …).
CONTACT
If this sounds interesting to you, please contact Bijan Fadaeinia (bijan.fadaeinia@rub.de).
LITERATURE
[1] D. K. et al., „Device aging: A reliability and security concern,“ in European Test Symposium (ETS), 2018, pp. 1–10.
[2] N. Karimi, T. Moos, and A. Moradi, “Exploring the Effect of Device Aging on Static Power Analysis Attacks”, TCHES, vol. 2019, no. 3, pp. 233–256, May 2019.
[3]M. Toufiq Hasan Anik, B. Fadaeinia, A. Moradi and N. Karimi, „On the Impact of Aging on Power Analysis Attacks Targeting Power-Equalized Cryptographic Circuits,“ 2021 26th Asia and South Pacific Design Automation Conference (ASP-DAC), 2021, pp. 414-420
[4] B. Fadaeinia, M. T. Hasan Anik, N. Karimi and A. Moradi, „Masked SABL: A Long Lasting Side-Channel Protection Design Methodology,“ in IEEE Access, vol. 9, pp. 90455-90464, 2021, doi: 10.1109/ACCESS.2021.3090752
Practicality of Asynchronous Logic in Masked Circuits (BSc)
MOTIVATION
Countermeasures against side-channel attacks on hardware devices are continuously developed and provide some level of security, but also introduce significant area overhead and increase latency. Research tries to reduce unwanted side effects while maintaining security goals. The recent work by Simões et. al [STM] introduces a scheme that replaces register stages with asynchronous latches, which follow a handshake protocol based on the dual-rail state of intermediate signals. The authors present a serialized S-box implementation with self-timed masking that computes four S-box outputs in a single clock cycle, resulting in a trade-off between latency and used clock cycles.
RESEARCH PROBLEM
Self-timed masking suffers from a slow handshake mechanism between asynchronous latches, which increases further for high logic depths. Thus, the bandwidth of the scheme is reduced such that a synchronous setting might be more practical. Your task is to examine the practicality of the asynchronous scheme vs. a traditional synchronous implementation and to elaborate on the underlying conditions.
REQUIREMENTS
- Structured way of working
- Verilog/VHDL
CONTACT
If this sounds interesting to you, please contact Daniel Lammers (daniel.lammers@rub.de).
LITERATURE
[STM] https://eprint.iacr.org/2022/641
PROLEAD_SW: Extending automated leakage detection of ARM binaries (BSc)
MOTIVATION
Masking provides us with a sound theoretical foundation to secure cryptographic implementations against side-channel attacks.
Unfortunately, applying masking naivley does not lead to the desired security level.
The reasons are many time micro-architectural effects that can reduce the security drastically.
PROLEAD_SW help designers detect such effects. It is a probing-based leakage detection tool for ARM binaries
RESEARCH PROBLEM
While PROLEAD_SW covers many effects we would like to further extend the tool to be aware of more subtle micro-architectural leakages.
Your tasks is to increase the detectable effects that PROLEAD_SW can handle. This can include for example:
- extending PROLEAD_SW with a floating point unit (FPU)
- make PROLEAD_SW speculative execution aware
- possibility to handle control-flow effects
We are not limited to that list and not every point above needs to be addressed.
REQUIREMENTS
- Structured way of working
- Efficient C/C++ programming
- Basic knowledge of ARM assembly
CONTACT
If this sounds interesting to you, please contact Jannik Zeitschner (jannik.zeitschner@rub.de).
LITERATURE
[MIRACLE]: https://eprint.iacr.org/2021/261.pdf
Threshold Implementations in Software: Achieving Higher-Order Security (BSc)
MOTIVATION
While masking lays the basis for generating resilient implementations against side-channel adversaries, care has to be taken which properties need to be fulfilled to guarantee practical security.
The authors of [1] present extended masking properties based on Threshold Implementation to handle micro-architectural effects on the algorithmic level.
With those notions applied to the assembly level of multiple implementations they are able to practically show the resilience of their notion against micro-architectual effects.
RESEARCH PROBLEM
While the concept in [1] seems to be promising in providing practical first-order secure schemes, no second order design was presented.
This rises the question how applicable this scheme is for higher orders.
Your task is apply the scheme to second order and evaluate how to secure the presented implementations, respectively what the limit of the presented masking properties are.
REQUIREMENTS
- Structured way of working
- Good knowledge of ARM assembly
CONTACT
If this sounds interesting to you, please contact Jannik Zeitschner (jannik.zeitschner@rub.de).
LITERATURE
[TI in Software]: https://eprint.iacr.org/2022/1546.pdf